From a7dd95d394e76b556197c53eec801476e91aabcf Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Sun, 23 Jan 2011 09:43:35 -0800
Subject: [PATCH] Add some info about mis-using Vserver zones

---
 docs/Shorewall_and_Aliased_Interfaces.xml | 10 ++++++++++
 docs/Vserver.xml                          |  5 +++++
 2 files changed, 15 insertions(+)

diff --git a/docs/Shorewall_and_Aliased_Interfaces.xml b/docs/Shorewall_and_Aliased_Interfaces.xml
index a137f75d3..7f0e82afa 100644
--- a/docs/Shorewall_and_Aliased_Interfaces.xml
+++ b/docs/Shorewall_and_Aliased_Interfaces.xml
@@ -338,5 +338,15 @@ loc2         eth1:192.168.20.0/24</programlisting>
         Interface</emphasis></ulink>.</para>
       </example>
     </section>
+
+    <section>
+      <title>Defining a Zone-per-Address</title>
+
+      <para><ulink url="Vserver.html">Shorewall's support for Linux
+      Vservers</ulink> can (miss-)used to create a separate zone per alias.
+      Note that this results in a <emphasis>partitioning of the firewall
+      zone</emphasis>. Be sure that you define an ACCEPT policy between your
+      vserver zones and $FW.</para>
+    </section>
   </section>
 </article>
diff --git a/docs/Vserver.xml b/docs/Vserver.xml
index 46ebccdb4..5d5295523 100644
--- a/docs/Vserver.xml
+++ b/docs/Vserver.xml
@@ -65,6 +65,11 @@
       </listitem>
     </itemizedlist>
 
+    <para>Note that you don't need to run Vservers to use vserver zones; they
+    may also be used to create a firewall sub-zone for each <ulink
+    url="Shorewall_and_Aliased_Interfaces.html">aliased
+    interface</ulink>.</para>
+
     <para>If you use these zones, keep in mind that Linux-vserver implements a
     very weak form of network virtualization:</para>