From b756c63b1ea56ed24dc837879e98c25d26296884 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 10 Dec 2016 14:41:08 -0800
Subject: [PATCH] More SOURCE/DEST manpage updates
Signed-off-by: Tom Eastep
---
Shorewall/manpages/shorewall-conntrack.xml | 171 ++++++++++++++++++++-
Shorewall/manpages/shorewall-rules.xml | 32 +++-
Shorewall6/manpages/shorewall6-rules.xml | 30 +++-
3 files changed, 227 insertions(+), 6 deletions(-)
diff --git a/Shorewall/manpages/shorewall-conntrack.xml b/Shorewall/manpages/shorewall-conntrack.xml
index dd6c40264..746435796 100644
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -380,7 +380,7 @@ - SOURCE (format 3) ‒ + SOURCE (format 3 prior to Shorewall 5.1.0) ‒ {-|interface[:address-list]|address-list}
@@ -394,7 +394,91 @@ - DEST ‒ + SOURCE (format 3 on Shorewall 5.1.0 and + later) - + {-|[source-spec[,...]]} + + + where source-spec is one of the + following: + + + + interface + + + Where interface is the logical name of an interface + defined in shorewall-interface(5). + + + + + address[,...][exclusion] + + + where address may be: + + + + A host or network IP address. + + + + A MAC address in Shorewall format (preceded by a + tilde ("~") and using dash ("-") as a separator. + + + + The name of an ipset preceded by a plus sign ("+"). + See shorewall-ipsets(5). + + + + exclusion is described in + shorewall-exclusion(5). + + + + + interface:address[,...][exclusion] + + + This form combines the preceding two and requires that + both the incoming interace and source address match. + + + + + exclusion + + + See shorewall-exclusion + (5) + + + + + Beginning with Shorewall 5.1.0, multiple + source-specs separated by commas may be + specified provided that the following alternative forms are + used: + +
+ (address[,...][exclusion]) + + interface:(address[,...][exclusion]) + + (exclusion) +
+
+
+ + + DEST (Prior to Shorewall 5.1.0) ‒ {-|interface[:address-list]|address-list}
@@ -406,6 +490,89 @@ + + DEST (Shorewall 5.1.0 and later) - + {-|dest-spec[,...]} + + + where dest-spec is one of the + following: + + + + interface + + + Where interface is the logical name of an interface + defined in shorewall-interface(5). + + + + + address[,...][exclusion] + + + where address may be: + + + + A host or network IP address. + + + + A MAC address in Shorewall format (preceded by a + tilde ("~") and using dash ("-") as a separator. + + + + The name of an ipset preceded by a plus sign ("+"). + See shorewall-ipsets(5). + + + + exclusion is described in + shorewall-exclusion(5). + + + + + interface:address[,...][exclusion] + + + This form combines the preceding two and requires that + both the outgoing interace and destination address + match. + + + + + exclusion + + + See shorewall-exclusion + (5) + + + + + Beginning with Shorewall 5.1.0, multiple source-specs + separated by commas may be specified provided that the following + alternative forms are used: + +
+ (address[,...][exclusion]) + + interface:(address[,...][exclusion]) + + (exclusion) +
+
+
+ PROTO ‒ protocol-name-or-number[,...]
diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml
index dcd746ae8..91eef335e 100644
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -1054,7 +1054,7 @@ - zone:interface:address[,...] + zone:interface:address[,...] This form combines the preceding two and requires that
@@ -1071,6 +1071,18 @@ url="shorewall-exclusion.html">shorewall-exclusion(5)). + + + zone:interface:exclusion + + + This form matches packets from the named + zone entering through the specified + interface where the source address + does not match any entry in the + exclusion. + + Beginning with Shorewall 5.1.0, multiple
@@ -1085,6 +1097,8 @@ zone:(interface:address[,...]) zone:(exclusion) + + zone:(interface:exclusion) Examples:
@@ -1342,7 +1356,7 @@ - zone:interface:address[,...] + zone:interface:address[,...] This form combines the preceding two and requires that
@@ -1361,6 +1375,18 @@ + + zone:interface:exclusion + + + This form matches packets to the named + zone leaving through the specified + interface where the destination + address does not match any entry in the + exclusion. + + + [zone]:[server-IP][:port-or-port-range[:random]]
@@ -1445,6 +1471,8 @@ zone:(interface:address[,...]) zone:(exclusion) + + zone:(interface:exclusion) Multiple dest-specs are not
diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml
index a64bed445..c33573431 100644
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -1017,7 +1017,7 @@ - zone:interface:address[,...] + zone:interface:address[,...] This form combines the preceding two and requires that
@@ -1034,6 +1034,18 @@ url="shorewall6-exclusion.html">shorewall6-exclusion(5)). + + + zone:interface:exclusion + + + This form matches packets from the named + zone entering through the specified + interface where the source address + does not match any entry in the + exclusion. + + Beginning with Shorewall 5.1.0, multiple
@@ -1048,6 +1060,8 @@ zone:(interface:address[,...]) zone:(exclusion) + + zone:(interface:exclusion) Examples:
@@ -1251,7 +1265,7 @@ - zone:interface:address[,...] + zone:interface:address[,...] This form combines the preceding two and requires that
@@ -1270,6 +1284,18 @@ + + zone:interface:exclusion + + + This form matches packets to the named + zone leaving through the specified + interface where the destination + address does not match any entry in the + exclusion. + + + [zone]:[server-IP][:port-or-port-range[:random]]