From c08655e0bc93759a80f9f511412450a655fb1691 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 1 Feb 2014 09:40:39 -0800 Subject: [PATCH] Document ipset use in tcfilters Signed-off-by: Tom Eastep --- Shorewall/manpages/shorewall-tcfilters.xml | 26 ++++++++++++++------ Shorewall6/manpages/shorewall6-tcfilters.xml | 26 ++++++++++++++------ 2 files changed, 38 insertions(+), 14 deletions(-) diff --git a/Shorewall/manpages/shorewall-tcfilters.xml b/Shorewall/manpages/shorewall-tcfilters.xml index 8929c2012..26242660a 100644 --- a/Shorewall/manpages/shorewall-tcfilters.xml +++ b/Shorewall/manpages/shorewall-tcfilters.xml @@ -13,7 +13,7 @@ tcfilters - Shorewall u32 classifier rules file + Shorewall u32/basic classifier rules file @@ -81,23 +81,35 @@ SOURCE - {-|address} + role="bold">-|address|+ipset} Source of the packet. May be a host or network - address. DNS names are not - allowed. + address. DNS names are not allowed. + Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+') + may be used if your kernel and ip6tables have the Basic + Ematchcapability. The ipset name may optionally be + followed by a number or a comma separated list of src and/or dst + enclosed in square brackets ([...]). See shorewall-ipsets(5) for + details. DEST - {-|address}} + role="bold">-|address|+ipset} Destination of the packet. May be a host or network - address. DNS names are not - allowed. + address. DNS names are not allowed. + Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+') + may be used if your kernel and ip6tables have the Basic + Ematchcapability. The ipset name may optionally be + followed by a number or a comma separated list of src and/or dst + enclosed in square brackets ([...]). See shorewall-ipsets(5) for + details. You may exclude certain hosts from the set already defined through use of an exclusion (see tcfilters - shorewall6 u32 classifier rules file + shorewall6 u32/basic classifier rules file 
@@ -81,23 +81,35 @@ SOURCE - {-|address} + role="bold">-|address|+ipset} Source of the packet. May be a host or network - address. DNS names are not - allowed. + address. DNS names are not allowed. + Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+') + may be used if your kernel and ip6tables have the Basic + Ematch capability. The ipset name may optionally be + followed by a number or a comma separated list of src and/or dst + enclosed in square brackets ([...]). See shorewall6-ipsets(5) for + details. DEST - {-|address}} + role="bold">-|address|+ipset} Destination of the packet. May be a host or network - address. DNS names are not - allowed. + address. DNS names are not allowed. + Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+') + may be used if your kernel and ip6tables have the Basic + Ematchcapability. The ipset name may optionally be + followed by a number or a comma separated list of src and/or dst + enclosed in square brackets ([...]). See shorewall6-ipsets(5) for + details.
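Review bot: In the Shorewall/manpages/shorewall-tcfilters.xml hunk at @@ -81,23 +81,35 @@, the added SOURCE and DEST text reads "if your kernel and ip6tables have the Basic Ematchcapability", which names the IPv6 tool in the IPv4 manpage even though the same paragraph points to shorewall-ipsets(5). It looks carried over from the Shorewall6 page; suggest "iptables" here. Both added paragraphs in this file also run "Ematch" and "capability" together with no space, so a separator is needed after the term in each.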
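Review bot: In the Shorewall6/manpages/shorewall6-tcfilters.xml hunk at @@ -81,23 +81,35 @@, the DEST paragraph has "Ematchcapability" with no space while the SOURCE paragraph just above it has "Ematch capability"; make DEST match SOURCE. The sentence "followed by a number or a comma separated list of src and/or dst enclosed in square brackets" also leaves it unclear whether the number form goes inside the brackets as well, and which direction applies when nothing is given in the SOURCE versus the DEST column; one sentence stating the default, or a short sample entry, would save readers the trip to shorewall6-ipsets(5).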