More SOURCE/DEST manpage updates

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-12-10 14:41:08 -08:00 · 2016-12-10 14:41:08 -08:00 · b756c63b1e
commit b756c63b1e
parent eea9882953
3 changed files with 227 additions and 6 deletions
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@ -380,7 +380,7 @@
      </varlistentry>

      <varlistentry>
-        <term>SOURCE (format 3) ‒
+        <term>SOURCE (format 3 prior to Shorewall 5.1.0) ‒
        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>

        <listitem>
@ -394,7 +394,91 @@
      </varlistentry>

      <varlistentry>
-        <term>DEST ‒
+        <term><emphasis role="bold">SOURCE (format 3 on Shorewall 5.1.0 and
+        later) -
+        {-|[<replaceable>source-spec</replaceable>[,...]]}</emphasis></term>
+
+        <listitem>
+          <para>where <replaceable>source-spec</replaceable> is one of the
+          following:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><replaceable>interface</replaceable></term>
+
+              <listitem>
+                <para>Where interface is the logical name of an interface
+                defined in <ulink
+                url="shorewall-interfaces.html">shorewall-interface</ulink>(5).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
+
+              <listitem>
+                <para>where <replaceable>address</replaceable> may be:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>A host or network IP address.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>A MAC address in Shorewall format (preceded by a
+                    tilde ("~") and using dash ("-") as a separator.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>The name of an ipset preceded by a plus sign ("+").
+                    See <ulink
+                    url="shorewall-ipsets.html">shorewall-ipsets</ulink>(5).</para>
+                  </listitem>
+                </itemizedlist>
+
+                <para><replaceable>exclusion</replaceable> is described in
+                <ulink
+                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
+
+              <listitem>
+                <para>This form combines the preceding two and requires that
+                both the incoming interace and source address match.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>exclusion</replaceable></term>
+
+              <listitem>
+                <para>See <ulink
+                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
+                (5)</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>Beginning with Shorewall 5.1.0, multiple
+          <replaceable>source-spec</replaceable>s separated by commas may be
+          specified provided that the following alternative forms are
+          used:</para>
+
+          <blockquote>
+            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
+
+            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
+
+            <para>(<replaceable>exclusion</replaceable>)</para>
+          </blockquote>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>DEST (Prior to Shorewall 5.1.0) ‒
        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>

        <listitem>
@ -406,6 +490,89 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">DEST (Shorewall 5.1.0 and later) -
+        {-|<replaceable>dest-spec</replaceable>[,...]}</emphasis></term>
+
+        <listitem>
+          <para>where <replaceable>dest-spec</replaceable> is one of the
+          following:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><replaceable>interface</replaceable></term>
+
+              <listitem>
+                <para>Where interface is the logical name of an interface
+                defined in <ulink
+                url="shorewall-interfaces.html">shorewall-interface</ulink>(5).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
+
+              <listitem>
+                <para>where <replaceable>address</replaceable> may be:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>A host or network IP address.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>A MAC address in Shorewall format (preceded by a
+                    tilde ("~") and using dash ("-") as a separator.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>The name of an ipset preceded by a plus sign ("+").
+                    See <ulink
+                    url="shorewall-ipsets.html">shorewall-ipsets</ulink>(5).</para>
+                  </listitem>
+                </itemizedlist>
+
+                <para><replaceable>exclusion</replaceable> is described in
+                <ulink
+                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>]</term>
+
+              <listitem>
+                <para>This form combines the preceding two and requires that
+                both the outgoing interace and destination address
+                match.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>exclusion</replaceable></term>
+
+              <listitem>
+                <para>See <ulink
+                url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ulink>
+                (5)</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>Beginning with Shorewall 5.1.0, multiple source-specs
+          separated by commas may be specified provided that the following
+          alternative forms are used:</para>
+
+          <blockquote>
+            <para>(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
+
+            <para><replaceable>interface</replaceable>:(<replaceable>address</replaceable>[,...][<replaceable>exclusion</replaceable>])</para>
+
+            <para>(<replaceable>exclusion</replaceable>)</para>
+          </blockquote>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term>PROTO ‒
        <replaceable>protocol-name-or-number</replaceable>[,...]</term>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@ -1054,7 +1054,7 @@
            </varlistentry>

            <varlistentry>
-              <term>zone:interface:address[,...]</term>
+              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...]</term>

              <listitem>
                <para>This form combines the preceding two and requires that
@ -1071,6 +1071,18 @@
                url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
              </listitem>
            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
+
+              <listitem>
+                <para>This form matches packets from the named
+                <replaceable>zone</replaceable> entering through the specified
+                <replaceable>interface</replaceable> where the source address
+                does not match any entry in the
+                <replaceable>exclusion</replaceable>.</para>
+              </listitem>
+            </varlistentry>
          </variablelist>

          <para>Beginning with Shorewall 5.1.0, multiple
@ -1085,6 +1097,8 @@
            <para>zone:(interface:address[,...])</para>

            <para><replaceable>zone</replaceable>:(<replaceable>exclusion</replaceable>)</para>
+
+            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable>)</para>
          </blockquote>

          <para>Examples:</para>
@ -1342,7 +1356,7 @@
            </varlistentry>

            <varlistentry>
-              <term>zone:interface:address[,...]</term>
+              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...]</term>

              <listitem>
                <para>This form combines the preceding two and requires that
@ -1361,6 +1375,18 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
+
+              <listitem>
+                <para>This form matches packets to the named
+                <replaceable>zone</replaceable> leaving through the specified
+                <replaceable>interface</replaceable> where the destination
+                address does not match any entry in the
+                <replaceable>exclusion</replaceable>.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term>[<replaceable>zone</replaceable>]:[<replaceable>server-IP</replaceable>][:<replaceable>port-or-port-range</replaceable>[:random]]</term>

@ -1445,6 +1471,8 @@
            <para>zone:(interface:address[,...])</para>

            <para><replaceable>zone</replaceable>:(<replaceable>exclusion</replaceable>)</para>
+
+            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable>)</para>
          </blockquote>

          <para>Multiple <replaceable>dest-spec</replaceable>s are not
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@ -1017,7 +1017,7 @@
            </varlistentry>

            <varlistentry>
-              <term>zone:interface:address[,...]</term>
+              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...]</term>

              <listitem>
                <para>This form combines the preceding two and requires that
@ -1034,6 +1034,18 @@
                url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
              </listitem>
            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
+
+              <listitem>
+                <para>This form matches packets from the named
+                <replaceable>zone</replaceable> entering through the specified
+                <replaceable>interface</replaceable> where the source address
+                does not match any entry in the
+                <replaceable>exclusion</replaceable>.</para>
+              </listitem>
+            </varlistentry>
          </variablelist>

          <para>Beginning with Shorewall 5.1.0, multiple
@ -1048,6 +1060,8 @@
            <para>zone:(interface:address[,...])</para>

            <para><replaceable>zone</replaceable>:(<replaceable>exclusion</replaceable>)</para>
+
+            <para><replaceable>zone</replaceable>:(<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable>)</para>
          </blockquote>

          <para>Examples:</para>
@ -1251,7 +1265,7 @@
            </varlistentry>

            <varlistentry>
-              <term>zone:interface:address[,...]</term>
+              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>address</replaceable>[,...]</term>

              <listitem>
                <para>This form combines the preceding two and requires that
@ -1270,6 +1284,18 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><replaceable>zone</replaceable>:<replaceable>interface</replaceable>:<replaceable>exclusion</replaceable></term>
+
+              <listitem>
+                <para>This form matches packets to the named
+                <replaceable>zone</replaceable> leaving through the specified
+                <replaceable>interface</replaceable> where the destination
+                address does not match any entry in the
+                <replaceable>exclusion</replaceable>.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term>[<replaceable>zone</replaceable>]:[<replaceable>server-IP</replaceable>][:<replaceable>port-or-port-range</replaceable>[:random]]</term>