Documentation updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7825 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-12-04 22:19:40 +00:00
parent 1deb277832
commit dea79aa763
4 changed files with 68 additions and 41 deletions


@ -86,13 +86,28 @@ Other changes in Shorewall 4.1.2.
Messages in the log are always timestamped. Messages in the log are always timestamped.
This change implemented two new options to the Shorewall-perl
compiler (/usr/share/shorewall-perl/compiler.pl).
--log=<logfile>
--log_verbosity={-1|0-2}
The --log option is ignored when --log_verbosity is not supplied or
is supplied with value -1.
2) Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero
mark values < 256 to be assigned in the OUTPUT chain. This has been
changed so that only high mark values may be assigned
there. Packet marking rules for traffic shaping of packets
originating on the firewall must be coded in the POSTROUTING table.
Migration Issues. Migration Issues.
1) Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed mark 1) Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero
values < 256 to be assigned in the OUTPUT chain. This has been mark values < 256 to be assigned in the OUTPUT chain. This has been
changed so that only high mark values may be assigned changed so that only high mark values may be assigned
there. Traffic shaping rules for traffic originating on the there. Packet marking rules for traffic shaping of packets
firewall must be coded in the POSTROUTING table. originating on the firewall must be coded in the POSTROUTING table.
New Features in Shorewall 4.1. New Features in Shorewall 4.1.
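Review bot: "must be coded in the POSTROUTING table", in both the new item 2 under "Other changes" and the reworded Migration Issues item 1, calls POSTROUTING a table; these notes themselves list the tables as nat, mangle and filter, so this should read "POSTROUTING chain". The same paragraph now appears twice almost word for word; keeping it under Migration Issues and pointing to it from the changes list would stop the two copies from drifting apart.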
@ -154,9 +169,9 @@ New Features in Shorewall 4.1.
206.124.146.177 - Blarg 26000 206.124.146.177 - Blarg 26000
2) You may now include the name of a table (nat, mangle or filter) in 2) You may now include the name of a table (nat, mangle or filter) in
a 'shorewall refresh' command by following the name with a colon a 'shorewall refresh' command by following the table name with a
(e.g., mangle:). This causes all non-builtin chains in the table to colon (e.g., mangle:). This causes all non-builtin chains in the
be reloaded. table to be reloaded.
Example: Example:


@ -28,11 +28,13 @@
# Options: # Options:
# #
# --export # Compile for export # --export # Compile for export
# --verbosity=<number> # Set VERBOSITY # --verbosity=<number> # Set VERBOSITY range -1 to 2
# --directory=<directory> # Directory where configuration resides (default is /etc/shorewall) # --directory=<directory> # Directory where configuration resides (default is /etc/shorewall)
# --timestamp # Timestamp all progress messages # --timestamp # Timestamp all progress messages
# --debug # Print stack trace on warnings and fatal error. # --debug # Print stack trace on warnings and fatal error.
# --refresh=<chainlist> # Make the 'refresh' command refresh a comma-separated list of chains rather than 'blacklst'. # --refresh=<chainlist> # Make the 'refresh' command refresh a comma-separated list of chains rather than 'blacklst'.
# --log=<filename> # Log file
# --log_verbosity=<number> # Log Verbosity range -1 to 2
# #
use strict; use strict;
use FindBin; use FindBin;
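Review bot: The new "--log=<filename> # Log file" line in the header comment omits the condition the release notes in this commit state, that --log is ignored when --log_verbosity is not supplied or is -1. Someone passing only --log would find it silently ignored; suggest something like "# Log file (ignored unless --log_verbosity is 0 to 2)".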
@ -46,12 +48,12 @@ sub usage() {
options are: options are:
[ --export ] [ --export ]
[ --directory=<directory> ] [ --directory=<directory> ]
[ --verbose={0-2} ] [ --verbose={-1|0-2} ]
[ --timestamp ] [ --timestamp ]
[ -- debug ] [ --debug ]
[ --refresh=<chainlist> ] [ --refresh=<chainlist> ]
[ --log=<filename> ] [ --log=<filename> ]
[ --log-verbose={0-2} ] [ --log-verbose={-1|0-2} ]
'; ';
exit 1; exit 1;
} }
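Review bot: The usage() text still spells the options --verbose and --log-verbose, while the header comment of this same file documents --verbosity and --log_verbosity and the release notes use --log_verbosity. Only the value range was updated here; check the names against the option parsing code and make all three places agree, so that the usage message shows names the compiler accepts.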


@ -241,7 +241,7 @@
script failed and will abort the compilation.</para> script failed and will abort the compilation.</para>
<para>When a script is invoked, the <emphasis <para>When a script is invoked, the <emphasis
role="bold">$chainref</emphasis> scalar variable will hold a role="bold">$chainref</emphasis> scalar variable will usually hold a
reference to a chain table entry.</para> reference to a chain table entry.</para>
<simplelist> <simplelist>
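Review bot: "will usually hold a reference to a chain table entry" leaves script authors guessing when $chainref is not set. Name the scripts or cases where no chain reference is passed, or tell authors to test that $chainref is defined before calling add_rule or insert_rule on it.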
@ -255,16 +255,16 @@
<para>To add a rule to the chain:</para> <para>To add a rule to the chain:</para>
<simplelist> <simplelist>
<member>add_rule $chainref, &lt;<replaceable>the <member>add_rule $chainref,
rule</replaceable>&gt;</member> <replaceable>the-rule</replaceable></member>
</simplelist> </simplelist>
<para>Where</para> <para>Where</para>
<simplelist> <simplelist>
<member>&lt;<replaceable>the rule</replaceable>&gt; is a scalar <member><replaceable>the rule</replaceable> is a scalar argument
argument holding the rule text. Do not include "-A holding the rule text. Do not include "-A
&lt;<replaceable>chain name</replaceable>&gt;"</member> <replaceable>chain-name</replaceable>"</member>
</simplelist> </simplelist>
<para>Example:</para> <para>Example:</para>
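Review bot: The placeholder is spelled "the-rule" in the add_rule member but "the rule" (with a space) in the "Where" member that explains it. Use the same spelling in both places, as was done for "chain-name", so the explanation visibly refers to the argument in the signature.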
@ -276,9 +276,8 @@
<para>To insert a rule into the chain:</para> <para>To insert a rule into the chain:</para>
<simplelist> <simplelist>
<member>insert_rule $chainref, <member>insert_rule $chainref, <replaceable>rulenum</replaceable>,
&lt;<replaceable>rulenum</replaceable>&gt;, &lt;<replaceable>the <replaceable>the-rule</replaceable></member>
rule</replaceable>&gt;</member>
</simplelist> </simplelist>
<para>The log_rule_limit function works like it does in the shell <para>The log_rule_limit function works like it does in the shell
@ -448,8 +447,8 @@ fi</programlisting>
<listitem> <listitem>
<para>The pre Shorewall-3.0 format of the zones file is not <para>The pre Shorewall-3.0 format of the zones file is not
supported; neither is the <filename>/etc/shorewall/ipsec</filename> supported (IPSECFILE=ipsec); neither is the
file.</para> <filename>/etc/shorewall/ipsec</filename> file.</para>
</listitem> </listitem>
<listitem> <listitem>
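Review bot: The added "(IPSECFILE=ipsec)" sits after "is not supported" and before "neither is the /etc/shorewall/ipsec file", so it is unclear whether it qualifies the old zones file format or the ipsec file. Move it next to the item it describes, and say where the setting lives if it is a configuration option.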
@ -984,8 +983,9 @@ fatal_error "You have made an error";
progress_message "This will only be seen if VERBOSITY &gt;= 2"; progress_message "This will only be seen if VERBOSITY &gt;= 2";
progress_message2 "This will only be seen if VERBOSITY &gt;= 1"; progress_message2 "This will only be seen if VERBOSITY &gt;= 1";
progress_message3 "This will be seen unless VERBOSITY &lt; 0"; progress_message3 "This will be seen unless VERBOSITY &lt; 0";
</programlisting><programlisting>use lib '/usr/share/shorewall-perl'; </programlisting>The <emphasis role="bold">shorewall()</emphasis> function may
use Shorewall::Chains qw/shorewall/; be optionally included.<programlisting>use lib '/usr/share/shorewall-perl';
use Shorewall::Config qw/shorewall/;
shorewall $config_file_entry;</programlisting>The Shorewall::Config module shorewall $config_file_entry;</programlisting>The Shorewall::Config module
provides basic services to Shorewall-perl. By default, it exports the provides basic services to Shorewall-perl. By default, it exports the
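Review bot: The new sentence "The shorewall() function may be optionally included." does not say what shorewall() does with $config_file_entry, which is the one thing a reader of the following listing needs. Add a clause describing the function's effect; "may optionally be imported" would also be more accurate wording for a "use ... qw/shorewall/" line than "may be optionally included".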
@ -998,13 +998,14 @@ shorewall $config_file_entry;</programlisting>The Shorewall::Config module
<para>To raise a fatal error, call <emphasis <para>To raise a fatal error, call <emphasis
role="bold">fatal_error()</emphasis>. Again, the single argument role="bold">fatal_error()</emphasis>. Again, the single argument
described the error. </para> described the error.</para>
<para>In both cases, the function will augment the warning/error with <para>In both cases, the function will augment the warning/error with
the current configuration file and line number, if any. fatal_error() the current configuration file and line number, if any. <emphasis
raised an exception via either <emphasis role="bold">fatal_error()</emphasis> raised an exception via either
role="bold">confess()</emphasis> or <emphasis <emphasis role="bold">confess()</emphasis> or <emphasis
role="bold">die()</emphasis>.</para> role="bold">die()</emphasis>, depending on whether the debugging stack
trace is enabled or not..</para>
<para>The three 'progress message' functions conditionally produce <para>The three 'progress message' functions conditionally produce
output depending on the current verbosity setting.</para> output depending on the current verbosity setting.</para>
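Review bot: The added clause ends with a double period ("is enabled or not..</para>"). While this paragraph is being touched, "raised an exception" should be "raises an exception" and "described the error" in the paragraph above should be "describes the error", to match the present tense of "will augment" and "produce" around them.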


@ -72,17 +72,6 @@
in your kernel and iptables; neither may be used with connection in your kernel and iptables; neither may be used with connection
marks (see below).</para> marks (see below).</para>
<para>If HIGH_ROUTE_MARKS=Yes in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5) then you may
also specify a value in the range 0x0100-0xFF00 with the
low-order byte being zero. Such values may only be used in the
PREROUTING chain(value followed by <emphasis
role="bold">:P</emphasis> or you have set
MARK_IN_FORWARD_CHAIN=No in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5) and have not
followed the value with <option>:F</option>) or the OUTPUT chain
(SOURCE is <emphasis role="bold">$FW</emphasis>).</para>
<para>May optionally be followed by <emphasis <para>May optionally be followed by <emphasis
role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis> role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
or <emphasis role="bold">:T</emphasis> where<emphasis or <emphasis role="bold">:T</emphasis> where<emphasis
@ -146,6 +135,26 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<para><emphasis role="bold">Special considerations for If
HIGH_ROUTE_MARKS=Yes in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5</emphasis>).</para>
<para>If HIGH_ROUTE_MARKS=Yes, then you may also specify a value
in the range 0x0100-0xFF00 with the low-order byte being zero.
Such values may only be used in the PREROUTING chain (value
followed by <emphasis role="bold">:P</emphasis> or you have set
MARK_IN_FORWARD_CHAIN=No in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5) and have not
followed the value with <option>:F</option>) or the OUTPUT chain
(SOURCE is <emphasis role="bold">$FW</emphasis>). With
HIGH_ROUTE_MARKS=Yes, non-zero mark values less that 256 are not
permitted. Shorewall 4.1 and later versions prohibit non-zero
mark values less that 256 in the OUTPUT chain when
HIGH_ROUTE_MARKS=Yes. While earlier versions allow such values
in the OUTPUT chain, it is strongly recommended that with
HIGH_ROUTE_MARKS=Yes, you use the POSTROUTING chain to apply
traffic shaping marks/classification.</para>
</listitem> </listitem>
<listitem> <listitem>
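Review bot: The sentence "With HIGH_ROUTE_MARKS=Yes, non-zero mark values less that 256 are not permitted." states a blanket prohibition, but the next two sentences limit it to the OUTPUT chain in Shorewall 4.1 and later and say earlier versions allow such values there; drop the blanket sentence or scope it to the OUTPUT chain. Also in this paragraph: "less that" should be "less than" (twice), the bold heading reads "Special considerations for If HIGH_ROUTE_MARKS=Yes" with a stray "If", and the closing parenthesis of "(5" falls outside the </emphasis>.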
@ -167,7 +176,7 @@
role="bold">$FW</emphasis>[:<emphasis>address</emphasis>] in role="bold">$FW</emphasis>[:<emphasis>address</emphasis>] in
which case classification occurs in the OUTPUT chain.</para> which case classification occurs in the OUTPUT chain.</para>
<para>When using Shorewall's built-in traffic tool, the <para>When using Shorewall's built-in traffic shaping tool, the
<emphasis>major</emphasis> class is the device number (the first <emphasis>major</emphasis> class is the device number (the first
device in <ulink device in <ulink
url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5) is url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5) is