forked from extern/shorewall_code
Update manpages for INLINE
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
8b91575c9e
commit
ef01748dc9
@ -50,6 +50,18 @@
|
||||
<para>Added in Shorewall 4.5.10. Available options are:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>builtin</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.16. Defines the action as a rule
|
||||
target that is supported by your iptables but is not directly
|
||||
supported by Shorewall. The action may be used as the rule
|
||||
target in an INLINE rule in <ulink
|
||||
url="shorewall-rules.html">shorewall-rules</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>inline</term>
|
||||
|
||||
|
||||
@ -427,6 +427,47 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">INLINE</emphasis>[(<replaceable>action</replaceable>)]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.16. This action allows you to
|
||||
construct most of the rule yourself using iptables syntax. The
|
||||
part that you specify must follow a semicolon (';') and is
|
||||
completely free-form. If the target of the rule (the part
|
||||
following 'j') is something that Shorewall supports in the
|
||||
ACTION column, then you may enclose it in parentheses (e.g.,
|
||||
INLINE(ACCEPT)). Otherwise, you can include it after the
|
||||
semicolon. In this case, you must declare the target as a
|
||||
builtin action in <ulink
|
||||
url="shorewall-actions.html">shorewall-actions</ulink>(5).</para>
|
||||
|
||||
<para>Some considerations when using INLINE:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The <option>p</option>, <option>s</option>,
|
||||
<option>d</option>, <option>i</option>,
|
||||
<option>o</option>, <option>policy</option>, and state
|
||||
match (<option>state</option> or <option>conntrack
|
||||
--ctstate</option>) matches will always appear in the
|
||||
front of the rule in that order.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>When multiple matches are specified, the compiler
|
||||
will keep them in the order in which they appear
|
||||
(excluding the above listed ones), but they will not
|
||||
necessarily be at the end of the generated rule. For
|
||||
example, if addresses are specified in the SOURCE and/or
|
||||
DEST columns, their generated matches will appear after
|
||||
those specified using ';'.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">LOG:<replaceable>level</replaceable></emphasis></term>
|
||||
@ -1713,6 +1754,30 @@
|
||||
DROP net:^A1,A2 fw tcp 25</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>Example 14:</term>
|
||||
|
||||
<listitem>
|
||||
<para>You want to generate your own rule involving iptables targets
|
||||
and matches not supported by Shorewall.</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
INLINE $FW net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3</programlisting>
|
||||
|
||||
<para>The above will generate the following iptables-restore
|
||||
input:</para>
|
||||
|
||||
<programlisting> -A fw2net -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3</programlisting>
|
||||
|
||||
<para>Note that SECCTX must be defined as a builtin action in <ulink
|
||||
url="shorewall-actions.html">shorewall-actions</ulink>(5):</para>
|
||||
|
||||
<programlisting> #ACTION OPTIONS
|
||||
SECCTX builtin</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
|
||||
@ -50,6 +50,18 @@
|
||||
<para>Added in Shorewall 4.5.10. Available options are:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>builtin</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.16. Defines the action as a rule
|
||||
target that is supported by your ip6tables but is not directly
|
||||
supported by Shorewall. The action may be used as the rule
|
||||
target in an INLINE rule in <ulink
|
||||
url="shorewall6-rules.html">shorewall6-rules</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>inline</term>
|
||||
|
||||
|
||||
@ -401,6 +401,47 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">INLINE</emphasis>[(<replaceable>action</replaceable>)]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.16. This action allows you to
|
||||
construct most of the rule yourself using ip6tables syntax.
|
||||
The part that you specify must follow a semicolon (';') and is
|
||||
completely free-form. If the target of the rule (the part
|
||||
following 'j') is something that Shorewall supports in the
|
||||
ACTION column, then you may enclose it in parentheses (e.g.,
|
||||
INLINE(ACCEPT)). Otherwise, you can include it after the
|
||||
semicolon. In this case, you must declare the target as a
|
||||
builtin action in <ulink
|
||||
url="shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
|
||||
|
||||
<para>Some considerations when using INLINE:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The <option>p</option>, <option>s</option>,
|
||||
<option>d</option>, <option>i</option>,
|
||||
<option>o</option>, <option>policy</option>, and state
|
||||
match (<option>state</option> or <option>conntrack
|
||||
--ctstate</option>) matches will always appear in the
|
||||
front of the rule in that order.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>When multiple matches are specified, the compiler
|
||||
will keep them in the order in which they appear
|
||||
(excluding the above listed ones), but they will not
|
||||
necessarily be at the end of the generated rule. For
|
||||
example, if addresses are specified in the SOURCE and/or
|
||||
DEST columns, their generated matches will appear after
|
||||
those specified using ';'.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">LOG:<replaceable>level</replaceable></emphasis></term>
|
||||
@ -1559,6 +1600,30 @@
|
||||
DROP net:^ZZ fw tcp 25</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>Example 8:</term>
|
||||
|
||||
<listitem>
|
||||
<para>You want to generate your own rule involving ip6tables targets
|
||||
and matches not supported by Shorewall.</para>
|
||||
|
||||
<programlisting> #ACTION SOURCE DEST PROTO DEST
|
||||
# PORT(S)
|
||||
INLINE $FW net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3</programlisting>
|
||||
|
||||
<para>The above will generate the following ip6tables-restore
|
||||
input:</para>
|
||||
|
||||
<programlisting> -A fw2net -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3</programlisting>
|
||||
|
||||
<para>Note that SECCTX must be defined as a builtin action in <ulink
|
||||
url="shorewall6-actions.html">shorewall6-actions</ulink>(5):</para>
|
||||
|
||||
<programlisting> #ACTION OPTIONS
|
||||
SECCTX builtin</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user