Add missing information about MAC and ipset sources to man pages and …

…help output The help output of firewall-cmd and firewall-offline-cmd was lacking information about mac and ispet sources. Also the man pages of these tools and the firewalld.zone man page.
t-woerner · Jul 26, 2016 · d59ebd0 · d59ebd0
1 parent e7909ed
commit d59ebd0
Show file tree

Hide file tree

Showing 6 changed files with 65 additions and 50 deletions.
diff --git a/doc/xml/firewall-cmd.xml b/doc/xml/firewall-cmd.xml
@@ -273,10 +273,10 @@
 	</varlistentry>
 
 	<varlistentry>
-	  <term><optional><option>--permanent</option></optional> <option>--get-zone-of-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional></term>
+	  <term><optional><option>--permanent</option></optional> <option>--get-zone-of-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional>|<replaceable>MAC</replaceable>|ipset:<replaceable>ipset</replaceable></term>
 	  <listitem>
 	    <para>
-	      Print the name of the zone the <replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional> is bound to or <emphasis>no zone</emphasis>.
+	      Print the name of the zone the source is bound to or <emphasis>no zone</emphasis>.
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -906,7 +906,7 @@ For interfaces that are not under control of NetworkManager, firewalld tries to
 	Binding a source to a zone means that this zone settings will be used to restrict traffic from this source.
       </para>
       <para>
-	A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6 or a MAC address (no mask). For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number. The use of host names is not supported.
+	A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6 or a MAC address or an ipset with the ipset: prefix. For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number. The use of host names is not supported.
       </para>
       <para>
 	Options in this section affect only one particular zone. If used with <option>--zone</option>=<replaceable>zone</replaceable> option, they affect the zone <replaceable>zone</replaceable>. If the option is omitted, they affect default zone (see <option>--get-default-zone</option>).
@@ -925,19 +925,19 @@ For interfaces that are not under control of NetworkManager, firewalld tries to
 	</varlistentry>
 
 	<varlistentry>
-	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional></term>
+	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional>|<replaceable>MAC</replaceable>|ipset:<replaceable>ipset</replaceable></term>
 	  <listitem>
 	    <para>
-	      Bind source <replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional> to zone <replaceable>zone</replaceable>. If zone is omitted, default zone will be used.
+	      Bind the source to zone <replaceable>zone</replaceable>. If zone is omitted, default zone will be used.
 	    </para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
-	  <term><optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--change-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional></term>
+	  <term><optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--change-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional>|<replaceable>MAC</replaceable>|ipset:<replaceable>ipset</replaceable></term>
 	  <listitem>
 	    <para>
-	      Change zone the source <replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional> is bound to to zone <replaceable>zone</replaceable>.
+	      Change zone the source is bound to to zone <replaceable>zone</replaceable>.
 	      It's basically <option>--remove-source</option> followed by <option>--add-source</option>.
 	      If the source has not been bound to a zone before, it behaves like <option>--add-source</option>.
 	      If zone is omitted, default zone will be used.
@@ -946,19 +946,19 @@ For interfaces that are not under control of NetworkManager, firewalld tries to
 	</varlistentry>
 
 	<varlistentry>
-	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--query-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional></term>
+	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--query-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional>|<replaceable>MAC</replaceable>|ipset:<replaceable>ipset</replaceable></term>
 	  <listitem>
 	    <para>
-	      Query whether the source <replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional> is bound to the zone <replaceable>zone</replaceable>. Returns 0 if true, 1 otherwise.
+	      Query whether the source is bound to the zone <replaceable>zone</replaceable>. Returns 0 if true, 1 otherwise.
 	    </para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
-	  <term><optional><option>--permanent</option></optional> <option>--remove-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional></term>
+	  <term><optional><option>--permanent</option></optional> <option>--remove-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional>|<replaceable>MAC</replaceable>|ipset:<replaceable>ipset</replaceable></term>
 	  <listitem>
 	    <para>
-	      Remove binding of source <replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional> from zone it was previously added to.
+	      Remove binding of the source from zone it was previously added to.
 	    </para>
 	  </listitem>
 	</varlistentry>

diff --git a/doc/xml/firewall-offline-cmd.xml b/doc/xml/firewall-offline-cmd.xml
@@ -313,10 +313,10 @@
 	</varlistentry>
 
 	<varlistentry>
-	  <term><option>--get-zone-of-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional></term>
+	  <term><option>--get-zone-of-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional>|<replaceable>MAC</replaceable>|ipset:<replaceable>ipset</replaceable></term>
 	  <listitem>
 	    <para>
-	      Print the name of the zone the <replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional> is bound to or <emphasis>no zone</emphasis>.
+	      Print the name of the zone the source is bound to or <emphasis>no zone</emphasis>.
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -883,7 +883,7 @@
 	Binding a source to a zone means that this zone settings will be used to restrict traffic from this source.
       </para>
       <para>
-	A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6 or a MAC address (no mask). For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number. The use of host names is not supported.
+	A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6 or a MAC address or an ipset with the ipset: prefix. For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number. The use of host names is not supported.
       </para>
       <para>
 	Options in this section affect only one particular zone. If used with <option>--zone</option>=<replaceable>zone</replaceable> option, they affect the zone <replaceable>zone</replaceable>. If the option is omitted, they affect default zone (see <option>--get-default-zone</option>).
@@ -902,37 +902,37 @@
 	</varlistentry>
 
 	<varlistentry>
-	  <term><optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional></term>
+	  <term><optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional>|<replaceable>MAC</replaceable>|ipset:<replaceable>ipset</replaceable></term>
 	  <listitem>
 	    <para>
-	      Bind source <replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional> to zone <replaceable>zone</replaceable>. If zone is omitted, default zone will be used.
+	      Bind the source to zone <replaceable>zone</replaceable>. If zone is omitted, default zone will be used.
 	    </para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
-	  <term><optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--change-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional></term>
+	  <term><optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--change-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional>|<replaceable>MAC</replaceable>|ipset:<replaceable>ipset</replaceable></term>
 	  <listitem>
 	    <para>
-	      Change zone the source <replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional> is bound to to zone <replaceable>zone</replaceable>. If zone is omitted, default zone will be used. If old and new zone are the same, the call will be ignored without an error. If the source has not been bound to a zone before, it will behave like <option>--add-source</option>.
+	      Change zone the source is bound to to zone <replaceable>zone</replaceable>. If zone is omitted, default zone will be used. If old and new zone are the same, the call will be ignored without an error. If the source has not been bound to a zone before, it will behave like <option>--add-source</option>.
 	    </para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
-	  <term><optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--query-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional></term>
+	  <term><optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--query-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional>|<replaceable>MAC</replaceable>|ipset:<replaceable>ipset</replaceable></term>
 	  <listitem>
 	    <para>
-	      Query whether the source <replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional> is bound to the zone <replaceable>zone</replaceable>. Returns 0 if true, 1 otherwise.
+	      Query whether the source is bound to the zone <replaceable>zone</replaceable>. Returns 0 if true, 1 otherwise.
 	    </para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
-	  <term><optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--remove-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional></term>
+	  <term><optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--remove-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional>|<replaceable>MAC</replaceable>|ipset:<replaceable>ipset</replaceable></term>
 	  <listitem>
 	    <para>
-	      Remove binding of source <replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional> from zone <replaceable>zone</replaceable>. If zone is omitted, default zone will be used.
+	      Remove binding of the source from zone <replaceable>zone</replaceable>. If zone is omitted, default zone will be used.
 	    </para>
 	  </listitem>
 	</varlistentry>

diff --git a/doc/xml/firewallctl.xml b/doc/xml/firewallctl.xml
@@ -558,11 +558,11 @@ For interfaces that are not under control of NetworkManager, firewalld tries to
 
 	<varlistentry>
 	  <term>
-	    <option>source</option> { <replaceable>address</replaceable><optional>/<replaceable>mask</replaceable></optional> | ipset:<replaceable>ipset</replaceable> }
+	    <option>source</option> { <replaceable>address</replaceable><optional>/<replaceable>mask</replaceable></optional> | MAC | ipset:<replaceable>ipset</replaceable> }
 	  </term>
 	  <listitem>
 	    <para>
-	      A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6 or a MAC address (no mask) or also an ipset. For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number. The use of host names is not supported.
+	      A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6 or a MAC address or also an ipset. For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number. The use of host names is not supported.
 	    </para>
 	  </listitem>
 	</varlistentry>

diff --git a/doc/xml/firewalld.zone.xml b/doc/xml/firewalld.zone.xml
@@ -71,7 +71,7 @@
   [ &lt;short&gt;<replaceable>short description</replaceable>&lt;/short&gt; ]
   [ &lt;description&gt;<replaceable>description</replaceable>&lt;/description&gt; ]
   [ &lt;interface name="<replaceable>string</replaceable>"/&gt; ]
-  [ &lt;source address="<replaceable>address</replaceable>[/<replaceable>mask</replaceable>]"|ipset="<replaceable>ipset</replaceable>"/&gt; ]
+  [ &lt;source address="<replaceable>address</replaceable>[/<replaceable>mask</replaceable>]"|mac="<replaceable>MAC</replaceable>"|ipset="<replaceable>ipset</replaceable>"/&gt; ]
   [ &lt;service name="<replaceable>string</replaceable>"/&gt; ]
   [ &lt;port port="<replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]" protocol="<literal>tcp</literal>|<literal>udp</literal>"/&gt; ]
   [ &lt;protcol value="<replaceable>protocol</replaceable>"/&gt; ]
@@ -82,7 +82,7 @@
   [ &lt;source-port port="<replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]" protocol="<literal>tcp</literal>|<literal>udp</literal>"/&gt; ]
   [
     &lt;rule [family="<literal>ipv4</literal>|<literal>ipv6</literal>"]&gt;
-    [ &lt;source address="<replaceable>address</replaceable>[/<replaceable>mask</replaceable>]"|ipset="<replaceable>ipset</replaceable>" [invert="<replaceable>True</replaceable>"]/&gt; ]
+    [ &lt;source address="<replaceable>address</replaceable>[/<replaceable>mask</replaceable>]"|mac="<replaceable>MAC</replaceable>"|ipset="<replaceable>ipset</replaceable>" [invert="<replaceable>True</replaceable>"]/&gt; ]
     [ &lt;destination address="<replaceable>address</replaceable>[/<replaceable>mask</replaceable>]" [invert="<replaceable>True</replaceable>"]/&gt; ]
     [
       &lt;service name="<replaceable>string</replaceable>"/&gt; |
@@ -182,18 +182,35 @@
     <refsect2 id="source">
       <title>source</title>
       <para>
-	Is an optional empty-element tag and can be used several times. It can be used to bind a source address or source address range to a zone. This can also be a MAC address. A source entry has exactly one attribute:
+	Is an optional empty-element tag and can be used several times. It can be used to bind a source address, address range, a MAC address or an ipset to a zone. A source entry has exactly one of these attributes:
       </para>
       <variablelist>
 	<varlistentry>
 	  <term>address="<replaceable>address</replaceable><optional>/<replaceable>mask</replaceable></optional>"</term>
           <listitem>
 	    <para>
-	      The source to be bound to the zone. The source is either an IP address or a network IP address with a mask for IPv4 or IPv6 or a MAC address (no mask). The network family (IPv4/IPv6) will be automatically discovered. For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number. The use of host names is not supported.
+	      The source is either an IP address or a network IP address with a mask for IPv4 or IPv6. The network family (IPv4/IPv6) will be automatically discovered. For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number. The use of host names is not supported.
 	    </para>
 	  </listitem>
 	</varlistentry>
 
+	<varlistentry>
+	  <term>mac="<replaceable>MAC</replaceable>"</term>
+          <listitem>
+	    <para>
+	      The source is a MAC address. It must be of the form XX:XX:XX:XX:XX:XX.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term>ipset="<replaceable>ipset</replaceable>"</term>
+          <listitem>
+	    <para>
+	      The source is an ipset.
+	    </para>
+	  </listitem>
+	</varlistentry>
       </variablelist>
     </refsect2>
 

diff --git a/src/firewall-cmd b/src/firewall-cmd
@@ -79,8 +79,8 @@ Zone Options
   --get-icmptypes      Print predefined icmptypes [P]
   --get-zone-of-interface=<interface>
                        Print name of the zone the interface is bound to [P]
-  --get-zone-of-source=<source>[/<mask>]
-                       Print name of the zone the source[/mask] is bound to [P]
+  --get-zone-of-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
+                       Print name of the zone the source is bound to [P]
   --list-all-zones     List everything added for or enabled in all zones [P]
   --new-zone=<zone>    Add a new zone [P only]
   --new-zone-from-file=<filename> [--name=<zone>]
@@ -310,15 +310,14 @@ Options to Handle Bindings of Interfaces
 
 Options to Handle Bindings of Sources
   --list-sources       List sources that are bound to a zone [P] [Z]
-  --add-source=<source>[/<mask>]
-                       Bind <source>[/<mask>] to a zone [P] [Z]
-  --change-source=<source>[/<mask>]
-                       Change zone the <source>[/<mask>] is bound to [Z]
-  --query-source=<source>[/<mask>]
-                       Query whether <source>[/<mask>] is bound to a zone
-                       [P] [Z]
-  --remove-source=<source>[/<mask>]
-                       Remove binding of <source>[/<mask>] from a zone [P] [Z]
+  --add-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
+                       Bind the source to a zone [P] [Z]
+  --change-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
+                       Change zone the source is bound to [Z]
+  --query-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
+                       Query whether the source is bound to a zone [P] [Z]
+  --remove-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
+                       Remove binding of the source from a zone [P] [Z]
 
 Direct Options
   --direct             First option for all direct options

diff --git a/src/firewall-offline-cmd b/src/firewall-offline-cmd
@@ -104,8 +104,8 @@ Zone Options
   --get-icmptypes      Print predefined icmptypes
   --get-zone-of-interface=<interface>
                        Print name of the zone the interface is bound to
-  --get-zone-of-source=<source>[/<mask>]
-                       Print name of the zone the source[/mask] is bound to
+  --get-zone-of-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
+                       Print name of the zone the source is bound to
   --list-all-zones     List everything added for or enabled in all zones
   --new-zone=<zone>    Add a new empty zone
   --new-zone-from-file=<filename> [--name=<zone>]
@@ -330,15 +330,14 @@ Options to Handle Bindings of Interfaces
 
 Options to Handle Bindings of Sources
   --list-sources       List sources that are bound to a zone [Z]
-  --add-source=<source>[/<mask>]
-                       Bind <source>[/<mask>] to a zone [Z]
-  --change-source=<source>[/<mask>]
-                       Change zone the <source>[/<mask>] is bound to [Z]
-  --query-source=<source>[/<mask>]
-                       Query whether <source>[/<mask>] is bound to a zone
-                       [Z]
-  --remove-source=<source>[/<mask>]
-                       Remove binding of <source>[/<mask>] from a zone [Z]
+  --add-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
+                       Bind the source to a zone [Z]
+  --change-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
+                       Change zone the source is bound to [Z]
+  --query-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
+                       Query whether the source is bound to a zone [Z]
+  --remove-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
+                       Remove binding of the source from a zone [Z]
 
 Direct Options
   --direct             First option for all direct options