From c8b48a9bbd9ddec4ec8921e4511f0e4a41064bd1 Mon Sep 17 00:00:00 2001
From: teastep <teastep@fbd18981-670d-0410-9b5c-8dc0c1a9a2bb>
Date: Wed, 8 Apr 2009 22:45:51 +0000
Subject: [PATCH] Update man pages to allow interface name in DEST column of
 notrack file.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9832 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 manpages/shorewall-notrack.xml   | 33 +++++++++++++++++++++++++++++---
 manpages6/shorewall6-notrack.xml | 22 +++++++++++++++++++--
 2 files changed, 50 insertions(+), 5 deletions(-)

diff --git a/manpages/shorewall-notrack.xml b/manpages/shorewall-notrack.xml
index 49edcff23..af1821173 100644
--- a/manpages/shorewall-notrack.xml
+++ b/manpages/shorewall-notrack.xml
@@ -56,13 +56,40 @@
       </varlistentry>
 
       <varlistentry>
-        <term>DEST ‒ [<replaceable>address-list</replaceable>]</term>
+        <term>DEST ‒
+        [<replaceable>interface</replaceable>|<replaceable>address-list</replaceable>]</term>
 
         <listitem>
-          <para>where <replaceable>address-list</replaceable> is a
+          <para>where <replaceable>interface</replaceable> is the name of a
+          network interface and <replaceable>address-list</replaceable> is a
           comma-separated list of addresses (may contain exclusion - see
           <ulink url="shorewall-exclusion.html">shorewall-exclusion</ulink>
-          (5)).</para>
+          (5)). If an interface is given:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>It must be up and configured with an IPv4 address when
+              Shorewall is started or restarted.</para>
+            </listitem>
+
+            <listitem>
+              <para>All routes out of the interface must be configured when
+              Shorewall is started or restarted.</para>
+            </listitem>
+
+            <listitem>
+              <para>Default routes out of the interface will result in a
+              warning message and will be ignored.</para>
+            </listitem>
+          </itemizedlist>
+
+          <para>These restrictions are because Netfilter doesn't support
+          NOTRACK rules that specify a destination interface (these rules are
+          applied before packets are routed and hence the destination
+          interface is unknown). Shorewall uses the routes out of the
+          interface to replace the interface with an address list
+          corresponding to the networks routed out of the named
+          interface.</para>
         </listitem>
       </varlistentry>
 
diff --git a/manpages6/shorewall6-notrack.xml b/manpages6/shorewall6-notrack.xml
index 91e6a2f2f..8cdc24aa8 100644
--- a/manpages6/shorewall6-notrack.xml
+++ b/manpages6/shorewall6-notrack.xml
@@ -48,13 +48,31 @@
       </varlistentry>
 
       <varlistentry>
-        <term>DEST ‒ [<replaceable>address-list</replaceable>]</term>
+        <term>DEST ‒
+        [<replaceable>interface</replaceable>|<replaceable>address-list</replaceable>]</term>
 
         <listitem>
           <para>where <replaceable>address-list</replaceable> is a
           comma-separated list of addresses (may contain exclusion - see
           <ulink url="shorewall-exclusion.html">shorewall6-exclusion</ulink>
-          (5)).</para>
+          (5)). If an interface is given:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>It must be up and configured with an IPv6 address when
+              Shorewall is started or restarted.</para>
+            </listitem>
+
+            <listitem>
+              <para>All routes out of the interface must be configured when
+              Shorewall is started or restarted.</para>
+            </listitem>
+
+            <listitem>
+              <para>Default routes out of the interface will result in a
+              warning message and will be ignored.</para>
+            </listitem>
+          </itemizedlist>
         </listitem>
       </varlistentry>