Update SUBSYSLOCK documentation

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9452 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2009-02-18 16:48:34 +00:00 · 2009-02-18 16:48:34 +00:00 · ece5bd4c72
commit ece5bd4c72
parent 70a16e2212
8 changed files with 194 additions and 57 deletions
--- a/docs/standalone.xml
+++ b/docs/standalone.xml
@ -266,8 +266,8 @@ net     ipv4</programlisting>
    action</ulink> defined for the policy in
    <filename>/etc/shorewall/actions</filename> or
    <filename>/usr/share/shorewall/actions.std</filename> then that action is
-    performed before the policy is applied. The purpose of the common action is
+    performed before the policy is applied. The purpose of the common action
-    two-fold:</para>
+    is two-fold:</para>
    <itemizedlist>
      <listitem>
@ -582,6 +582,11 @@ SSH/ACCEPT  net       $FW           </programlisting>
      <varname>STARTUP_ENABLED=Yes.</varname></para>
    </important>
    <para>While you are editing <filename>shorewall.conf</filename>, it is a
    good idea to check the value of the SUBSYSLOCK option. You can find a
    description of this option by typing 'man shorewall.conf' at a shell
    prompt and searching for SUBSYSLOCK.</para>
    <para>The firewall is started using the <quote><command>shorewall
    start</command></quote> command and stopped using
    <quote><command>shorewall stop</command></quote>. When the firewall is
--- a/docs/three-interface.xml
+++ b/docs/three-interface.xml
@ -286,11 +286,11 @@ dmz     ipv4</programlisting>Zone names are defined in
    If no rule in that file matches the connection request then the first
    policy in <filename>/etc/shorewall/policy</filename> that matches the
    request is applied. If there is a <ulink
-    url="shorewall_extension_scripts.htm">common action</ulink> defined for the
+    url="shorewall_extension_scripts.htm">common action</ulink> defined for
-    policy in <filename>/etc/shorewall/actions</filename> or
+    the policy in <filename>/etc/shorewall/actions</filename> or
    <filename>/usr/share/shorewall/actions.std</filename> then that action is
-    performed before the action is applied. The purpose of the common action is
+    performed before the action is applied. The purpose of the common action
-    two-fold:</para>
+    is two-fold:</para>
    <itemizedlist>
      <listitem>
@ -615,13 +615,10 @@ root@lists:~# </programlisting>
          <imagedata fileref="images/dmz2.png" />
        </imageobject>
-        <caption>
+        <caption><para>The default gateway for the DMZ computers would be
-          <para>The default gateway for the DMZ computers would be <systemitem
+        <systemitem class="ipaddress">10.10.11.254</systemitem> and the
-          class="ipaddress">10.10.11.254</systemitem> and the default gateway
+        default gateway for the Local computers would be <systemitem
-          for the Local computers would be <systemitem
+        class="ipaddress">10.10.10.254</systemitem>.</para> <warning>
          class="ipaddress">10.10.10.254</systemitem>.</para>
          <warning>
            <para>Your ISP might assign your external interface an RFC 1918
            address. If that address is in the <systemitem
            class="ipaddress">10.10.10.0/24</systemitem> subnet then you will
@ -629,8 +626,7 @@ root@lists:~# </programlisting>
            and if it is in the <systemitem
            class="ipaddress">10.10.11.0/24</systemitem> subnet then you will
            need to select a different RFC 1918 subnet for your DMZ.</para>
-          </warning>
+          </warning></caption>
        </caption>
      </mediaobject>
    </figure>
  </section>
@ -648,10 +644,9 @@ root@lists:~# </programlisting>
    look as if the firewall itself is initiating the connection. This is
    necessary so that the destination host will be able to route return
    packets back to the firewall (remember that packets whose destination
-    address is reserved by RFC 1918 can't be routed across the Internet).
+    address is reserved by RFC 1918 can't be routed across the Internet). When
-    When the firewall receives a return packet, it rewrites the destination
+    the firewall receives a return packet, it rewrites the destination address
-    address back to 10.10.10.1 and forwards the packet on to local computer
+    back to 10.10.10.1 and forwards the packet on to local computer 1.</para>
    1.</para>
    <para>On Linux systems, the above process is often referred to as IP
    Masquerading and you will also see the term Source Network Address
@ -1086,10 +1081,17 @@ ACCEPT    net       $FW                 tcp        80       </programlisting><it
        <para>Users of the <filename>.deb</filename> package must edit
        <filename>/etc/default/shorewall</filename> and set
        <varname>startup=1</varname>.</para>
-      </important>The firewall is started using the <command>shorewall
+      </important></para>
-    start</command> command and stopped using <command>shorewall
+
-    stop</command>. When the firewall is stopped, routing is enabled on those
+    <para>While you are editing <filename>shorewall.conf</filename>, it is a
-    hosts that have an entry in <ulink
+    good idea to check the value of the SUBSYSLOCK option. You can find a
    description of this option by typing 'man shorewall.conf' at a shell
    prompt and searching for SUBSYSLOCK </para>
    <para>The firewall is started using the <command>shorewall start</command>
    command and stopped using <command>shorewall stop</command>. When the
    firewall is stopped, routing is enabled on those hosts that have an entry
    in <ulink
    url="manpages/shorewall-routestopped.html"><filename>/etc/shorewall/routestopped</filename></ulink>.
    A running firewall may be restarted using the <command>shorewall
    restart</command> command. If you want to totally remove any trace of
--- a/docs/two-interface.xml
+++ b/docs/two-interface.xml
@ -269,11 +269,11 @@ loc     ipv4</programlisting>Zones are defined in the <ulink
    first policy in <filename
    class="directory">/etc/shorewall/</filename><filename>policy</filename>
    that matches the request is applied. If there is a <ulink
-    url="shorewall_extension_scripts.htm">common action</ulink> defined for the
+    url="shorewall_extension_scripts.htm">common action</ulink> defined for
-    policy in <filename>/etc/shorewall/actions</filename> or
+    the policy in <filename>/etc/shorewall/actions</filename> or
    <filename>/usr/share/shorewall/actions.std</filename> then that action is
-    performed before the action is applied. The purpose of the common action is
+    performed before the action is applied. The purpose of the common action
-    two-fold:</para>
+    is two-fold:</para>
    <itemizedlist>
      <listitem>
@ -1002,7 +1002,12 @@ ACCEPT     loc       $FW     tcp       80          #Allow Weblet to work</progra
        <para>Users of the .deb package must edit <filename
        class="directory">/etc/default/</filename><filename>shorewall</filename>
        and set <varname>startup=1</varname>.</para>
-      </important> The firewall is started using the <quote><command>shorewall
+      </important> While you are editing <filename>shorewall.conf</filename>,
    it is a good idea to check the value of the SUBSYSLOCK option. You can
    find a description of this option by typing 'man shorewall.conf' at a
    shell prompt and searching for SUBSYSLOCK.</para>
    <para>The firewall is started using the <quote><command>shorewall
    start</command></quote> command and stopped using
    <quote><command>shorewall stop</command></quote>. When the firewall is
    stopped, routing is enabled on those hosts that have an entry in <filename
--- a/manpages/shorewall-notrack.xml
+++ b/manpages/shorewall-notrack.xml
@ -3,62 +3,124 @@
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
-    <refentrytitle>shorewall-</refentrytitle>
+    <refentrytitle>shorewall6-notrack</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>
  <refnamediv>
-    <refname>file</refname>
+    <refname>notrack</refname>
-    <refpurpose>Shorewall file</refpurpose>
+    <refpurpose>shorewall6 notrack file</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/</command>
+      <command>/etc/shorewall6/notrack</command>
    </cmdsynopsis>
  </refsynopsisdiv>
  <refsect1>
    <title>Description</title>
    <para>The notrack file is used to exempt certain traffic from Netfilter
    connection tracking. Traffic matching entries in this fill will not be
    tracked.</para>
    <para>The file was added in shorewall6-perl 4.2.7 and is not supported by
    shorewall6-shell or by earlier versions of shorewall6-perl.</para>
    <para>The columns in the file are as follows.</para>
    <variablelist>
      <varlistentry>
-        <term>COLUMN 1</term>
+        <term>SOURCE ‒
        <emphasis>zone</emphasis>[:<emphasis>interface</emphasis>][:<emphasis>address-list</emphasis>]</term>
        <listitem>
-          <para></para>
+          <para>where <replaceable>zone</replaceable> is the name of a zone,
          <replaceable>interface</replaceable> is an interface to that zone,
          and <replaceable>address-list</replaceable> is a comma-separated
          list of addresses (may contain exclusion - see <ulink
          url="shorewall-exclusion.html">shorewall6-exclusion</ulink>
          (5)).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>DEST ‒ [<replaceable>address-list</replaceable>]</term>
        <listitem>
          <para>where <replaceable>address-list</replaceable> is a
          comma-separated list of addresses (may contain exclusion - see
          <ulink url="shorewall-exclusion.html">shorewall6-exclusion</ulink>
          (5)).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>PROTO ‒
        <replaceable>protocol-name-or-number</replaceable></term>
        <listitem>
          <para>A protocol name from <filename>/etc/protocols</filename> or a
          protocol number.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>DEST PORT(S) - port-number/service-name-list</term>
        <listitem>
          <para>A comma-separated list of port numbers and/or service names
          from <filename>/etc/services</filename>. May also include port
          ranges of the form
          <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
          if your kernel and iptables include port range support.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>SOURCE PORT(S) - port-number/service-name-list</term>
        <listitem>
          <para>A comma-separated list of port numbers and/or service names
          from <filename>/etc/services</filename>. May also include port
          ranges of the form
          <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
          if your kernel and iptables include port range support.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>USER/GROUP ‒
        [<replaceable>user</replaceable>][:<replaceable>group</replaceable>]</term>
        <listitem>
          <para>May only be specified if the SOURCE
          <replaceable>zone</replaceable> is $FW. Specifies the effective user
          id and or group id of the process sending the traffic.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>Example</title>
    <para></para>
  </refsect1>
  <refsect1>
    <title>FILES</title>
-    <para>/etc/shorewall/</para>
+    <para>/etc/shorewall6/notrack</para>
  </refsect1>
  <refsect1>
    <title>See ALSO</title>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
-    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall6-ipsec(5), shorewall6-params(5), shorewall6-policy(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall6-providers(5), shorewall6-proxyarp(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall6-route_rules(5), shorewall6-routestopped(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
-    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
-    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall6-tunnels(5), shorewall-zones(5)</para>
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages/shorewall-routestopped.xml
+++ b/manpages/shorewall-routestopped.xml
@ -1,4 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
    <refentrytitle>shorewall-routestopped</refentrytitle>
@ -127,9 +129,55 @@
                </itemizedlist>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>notrack</term>
              <listitem>
                <para>The traffic will be exempted from conntection
                tracking.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>PROTO (Optional) ‒
        <replaceable>protocol-name-or-number</replaceable></term>
        <listitem>
          <para>Only available with Shorewall-perl 4.2.7 and later.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>DEST PORT(S) (Optional) ‒
        <replaceable>service-name/port-number-list</replaceable></term>
        <listitem>
          <para>Only available with Shorewall-perl 4.2.7 and later. A
          comma-separated list of port numbers and/or service names from
          <filename>/etc/services</filename>. May also include port ranges of
          the form
          <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
          if your kernel and iptables include port range support.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>SOURCE PORT(S) (Optional) ‒
        <replaceable>service-name/port-number-list</replaceable></term>
        <listitem>
          <para>Only available with Shorewall-perl 4.2.7 and later. A
          comma-separated list of port numbers and/or service names from
          <filename>/etc/services</filename>. May also include port ranges of
          the form
          <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
          if your kernel and iptables include port range support.</para>
        </listitem>
      </varlistentry>
    </variablelist>
    <note>
@ -148,11 +196,13 @@
        <term>Example 1:</term>
        <listitem>
-          <programlisting>        #INTERFACE      HOST(S)                 OPTIONS
+          <programlisting>        #INTERFACE      HOST(S)                 OPTIONS         PROTO          DEST       SOURCE
        #                                                                      PORT(S)    PORT(S)
        eth2            192.168.1.0/24
        eth0            192.0.2.44
        br0             -                       routeback
-        eth3            -                       source</programlisting>
+        eth3            -                       source
        eth4            -                       notrack        41</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/manpages/shorewall.conf.xml
+++ b/manpages/shorewall.conf.xml
@ -1480,9 +1480,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
          <para>This parameter should be set to the name of a file that the
          firewall should create if it starts successfully and remove when it
          stops. Creating and removing this file allows Shorewall to work with
-          your distribution's initscripts. For RedHat, this should be set to
+          your distribution's initscripts. For RedHat and OpenSuSE, this
-          /var/lock/subsys/shorewall. For Debian, the value is
+          should be set to /var/lock/subsys/shorewall. For Debian, the value
-          /var/state/shorewall and in LEAF it is /var/run/shorwall.</para>
+          is /var/lock/shorewall and in LEAF it is /var/run/shorwall.</para>
        </listitem>
      </varlistentry>
--- a/manpages/shorewall.xml
+++ b/manpages/shorewall.xml
@ -1306,6 +1306,19 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">raw</emphasis></term>
              <listitem>
                <para>Displays the Netfilter raw table using the command
                <emphasis role="bold">iptables -t raw -L -n -v</emphasis>.The
                <emphasis role="bold">-x</emphasis> option is passed directly
                through to iptables and causes actual packet and byte counts
                to be displayed. Without this option, those counts are
                abbreviated.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">tc</emphasis></term>
--- a/manpages6/shorewall6.conf.xml
+++ b/manpages6/shorewall6.conf.xml
@ -1030,7 +1030,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
          stops. Creating and removing this file allows Shorewall6 to work
          with your distribution's initscripts. For RedHat, this should be set
          to /var/lock/subsys/shorewall6. For Debian, the value is
-          /var/state/shorewall6 and in LEAF it is /var/run/shorwall.</para>
+          /var/lock/shorewall6 and in LEAF it is /var/run/shorwall.</para>
        </listitem>
      </varlistentry>