Documentation updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7825 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-common/releasenotes.txt

@@ -86,13 +86,28 @@ Other changes in Shorewall 4.1.2.
 
     Messages in the log are always timestamped.
 
+    This change implemented two new options to the Shorewall-perl
+    compiler (/usr/share/shorewall-perl/compiler.pl).
+
+    --log=<logfile>
+    --log_verbosity={-1|0-2}
+
+    The --log option is ignored when --log_verbosity is not supplied or
+    is supplied with value -1.
+
+2)  Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero
+    mark values < 256 to be assigned in the OUTPUT chain. This has been
+    changed so that only high mark values may be assigned
+    there. Packet marking rules for traffic shaping of packets
+    originating on the firewall must be coded in the POSTROUTING table.
+
 Migration Issues.
 
-1)  Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed mark
-    values < 256 to be assigned in the OUTPUT chain. This has been
+1)  Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero
+    mark values < 256 to be assigned in the OUTPUT chain. This has been
     changed so that only high mark values may be assigned
-    there. Traffic shaping rules for traffic originating on the
-    firewall must be coded in the POSTROUTING table.
+    there. Packet marking rules for traffic shaping of packets
+    originating on the firewall must be coded in the POSTROUTING table.
 
 New Features in Shorewall 4.1.
 
@@ -154,9 +169,9 @@ New Features in Shorewall 4.1.
 	206.124.146.177	-			Blarg		26000
 
 2)  You may now include the name of a table (nat, mangle or filter) in
-    a 'shorewall refresh' command by following the name with a colon
-    (e.g., mangle:). This causes all non-builtin chains in the table to
-    be reloaded.
+    a 'shorewall refresh' command by following the table name with a
+    colon (e.g., mangle:). This causes all non-builtin chains in the
+    table to be reloaded.
 
     Example:
 

Shorewall-perl/compiler.pl

@@ -28,11 +28,13 @@
 #     Options:
 #
 #         --export                    # Compile for export
-#         --verbosity=<number>        # Set VERBOSITY
+#         --verbosity=<number>        # Set VERBOSITY range -1 to 2
 #         --directory=<directory>     # Directory where configuration resides (default is /etc/shorewall)
 #         --timestamp                 # Timestamp all progress messages
 #         --debug                     # Print stack trace on warnings and fatal error.
 #         --refresh=<chainlist>       # Make the 'refresh' command refresh a comma-separated list of chains rather than 'blacklst'.
+#         --log=<filename>            # Log file
+#         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #
 use strict;
 use FindBin;
@@ -46,12 +48,12 @@ sub usage() {
   options are:
     [ --export ]
     [ --directory=<directory> ]
-    [ --verbose={0-2} ]
+    [ --verbose={-1|0-2} ]
     [ --timestamp ]
-    [ -- debug ]
+    [ --debug ]
     [ --refresh=<chainlist> ]
     [ --log=<filename> ]
-    [ --log-verbose={0-2} ]
+    [ --log-verbose={-1|0-2} ]
 ';
     exit 1;
 }

docs/Shorewall-perl.xml

@@ -241,7 +241,7 @@
           script failed and will abort the compilation.</para>
 
           <para>When a script is invoked, the <emphasis
-          role="bold">$chainref</emphasis> scalar variable will hold a
+          role="bold">$chainref</emphasis> scalar variable will usually hold a
           reference to a chain table entry.</para>
 
           <simplelist>
@@ -255,16 +255,16 @@
           <para>To add a rule to the chain:</para>
 
           <simplelist>
-            <member>add_rule $chainref, &lt;<replaceable>the
-            rule</replaceable>&gt;</member>
+            <member>add_rule $chainref,
+            <replaceable>the-rule</replaceable></member>
           </simplelist>
 
           <para>Where</para>
 
           <simplelist>
-            <member>&lt;<replaceable>the rule</replaceable>&gt; is a scalar
-            argument holding the rule text. Do not include "-A
-            &lt;<replaceable>chain name</replaceable>&gt;"</member>
+            <member><replaceable>the rule</replaceable> is a scalar argument
+            holding the rule text. Do not include "-A
+            <replaceable>chain-name</replaceable>"</member>
           </simplelist>
 
           <para>Example:</para>
@@ -276,9 +276,8 @@
           <para>To insert a rule into the chain:</para>
 
           <simplelist>
-            <member>insert_rule $chainref,
-            &lt;<replaceable>rulenum</replaceable>&gt;, &lt;<replaceable>the
-            rule</replaceable>&gt;</member>
+            <member>insert_rule $chainref, <replaceable>rulenum</replaceable>,
+            <replaceable>the-rule</replaceable></member>
           </simplelist>
 
           <para>The log_rule_limit function works like it does in the shell
@@ -448,8 +447,8 @@ fi</programlisting>
 
         <listitem>
           <para>The pre Shorewall-3.0 format of the zones file is not
-          supported; neither is the <filename>/etc/shorewall/ipsec</filename>
-          file.</para>
+          supported (IPSECFILE=ipsec); neither is the
+          <filename>/etc/shorewall/ipsec</filename> file.</para>
         </listitem>
 
         <listitem>
@@ -984,8 +983,9 @@ fatal_error "You have made an error";
 progress_message  "This will only be seen if VERBOSITY &gt;= 2";
 progress_message2 "This will only be seen if VERBOSITY &gt;= 1";
 progress_message3 "This will be seen unless VERBOSITY &lt; 0";
-</programlisting><programlisting>use lib '/usr/share/shorewall-perl';
-use Shorewall::Chains qw/shorewall/;
+</programlisting>The <emphasis role="bold">shorewall()</emphasis> function may
+      be optionally included.<programlisting>use lib '/usr/share/shorewall-perl';
+use Shorewall::Config qw/shorewall/;
 
 shorewall $config_file_entry;</programlisting>The Shorewall::Config module
       provides basic services to Shorewall-perl. By default, it exports the
@@ -998,13 +998,14 @@ shorewall $config_file_entry;</programlisting>The Shorewall::Config module
 
       <para>To raise a fatal error, call <emphasis
       role="bold">fatal_error()</emphasis>. Again, the single argument
-      described the error. </para>
+      described the error.</para>
 
       <para>In both cases, the function will augment the warning/error with
-      the current configuration file and line number, if any. fatal_error()
-      raised an exception via either <emphasis
-      role="bold">confess()</emphasis> or <emphasis
-      role="bold">die()</emphasis>.</para>
+      the current configuration file and line number, if any. <emphasis
+      role="bold">fatal_error()</emphasis> raised an exception via either
+      <emphasis role="bold">confess()</emphasis> or <emphasis
+      role="bold">die()</emphasis>, depending on whether the debugging stack
+      trace is enabled or not..</para>
 
       <para>The three 'progress message' functions conditionally produce
       output depending on the current verbosity setting.</para>

manpages/shorewall-tcrules.xml

@@ -72,17 +72,6 @@
               in your kernel and iptables; neither may be used with connection
               marks (see below).</para>
 
-              <para>If HIGH_ROUTE_MARKS=Yes in <ulink
-              url="shorewall.conf.html">shorewall.conf</ulink>(5) then you may
-              also specify a value in the range 0x0100-0xFF00 with the
-              low-order byte being zero. Such values may only be used in the
-              PREROUTING chain(value followed by <emphasis
-              role="bold">:P</emphasis> or you have set
-              MARK_IN_FORWARD_CHAIN=No in <ulink
-              url="shorewall.conf.html">shorewall.conf</ulink>(5) and have not
-              followed the value with <option>:F</option>) or the OUTPUT chain
-              (SOURCE is <emphasis role="bold">$FW</emphasis>).</para>
-
               <para>May optionally be followed by <emphasis
               role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
               or <emphasis role="bold">:T</emphasis> where<emphasis
@@ -146,6 +135,26 @@
                   </listitem>
                 </varlistentry>
               </variablelist>
+
+              <para><emphasis role="bold">Special considerations for If
+              HIGH_ROUTE_MARKS=Yes in <ulink
+              url="shorewall.conf.html">shorewall.conf</ulink>(5</emphasis>).</para>
+
+              <para>If HIGH_ROUTE_MARKS=Yes, then you may also specify a value
+              in the range 0x0100-0xFF00 with the low-order byte being zero.
+              Such values may only be used in the PREROUTING chain (value
+              followed by <emphasis role="bold">:P</emphasis> or you have set
+              MARK_IN_FORWARD_CHAIN=No in <ulink
+              url="shorewall.conf.html">shorewall.conf</ulink>(5) and have not
+              followed the value with <option>:F</option>) or the OUTPUT chain
+              (SOURCE is <emphasis role="bold">$FW</emphasis>). With
+              HIGH_ROUTE_MARKS=Yes, non-zero mark values less that 256 are not
+              permitted. Shorewall 4.1 and later versions prohibit non-zero
+              mark values less that 256 in the OUTPUT chain when
+              HIGH_ROUTE_MARKS=Yes. While earlier versions allow such values
+              in the OUTPUT chain, it is strongly recommended that with
+              HIGH_ROUTE_MARKS=Yes, you use the POSTROUTING chain to apply
+              traffic shaping marks/classification.</para>
             </listitem>
 
             <listitem>
@@ -167,7 +176,7 @@
               role="bold">$FW</emphasis>[:<emphasis>address</emphasis>] in
               which case classification occurs in the OUTPUT chain.</para>
 
-              <para>When using Shorewall's built-in traffic tool, the
+              <para>When using Shorewall's built-in traffic shaping tool, the
               <emphasis>major</emphasis> class is the device number (the first
               device in <ulink
               url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5) is