commit d59ebd007fad012de4ee16be6ce163d11fd7a83f
Author: Thomas Woerner <twoerner@redhat.com>
Date:   Tue Jul 26 18:24:56 2016 +0200

    Add missing information about MAC and ipset sources to man pages and help output
    
    The help output of firewall-cmd and firewall-offline-cmd was lacking information
    about mac and ipset sources. Also the man pages of these tools and the
    firewalld.zone man page.

diff --git a/doc/xml/firewall-cmd.xml b/doc/xml/firewall-cmd.xml
index 7354bb1..d441198 100644
--- a/doc/xml/firewall-cmd.xml
+++ b/doc/xml/firewall-cmd.xml
@@ -273,10 +273,10 @@
 	</varlistentry>
 
 	<varlistentry>
-	  <term><optional><option>--permanent</option></optional> <option>--get-zone-of-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional></term>
+	  <term><optional><option>--permanent</option></optional> <option>--get-zone-of-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional>|<replaceable>MAC</replaceable>|ipset:<replaceable>ipset</replaceable></term>
 	  <listitem>
 	    <para>
-	      Print the name of the zone the <replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional> is bound to or <emphasis>no zone</emphasis>.
+	      Print the name of the zone the source is bound to or <emphasis>no zone</emphasis>.
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -906,7 +906,7 @@ For interfaces that are not under control of NetworkManager, firewalld tries to
 	Binding a source to a zone means that this zone settings will be used to restrict traffic from this source.
       </para>
       <para>
-	A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6 or a MAC address (no mask). For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number. The use of host names is not supported.
+	A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6 or a MAC address or an ipset with the ipset: prefix. For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number. The use of host names is not supported.
       </para>
       <para>
 	Options in this section affect only one particular zone. If used with <option>--zone</option>=<replaceable>zone</replaceable> option, they affect the zone <replaceable>zone</replaceable>. If the option is omitted, they affect default zone (see <option>--get-default-zone</option>).
@@ -925,19 +925,19 @@ For interfaces that are not under control of NetworkManager, firewalld tries to
 	</varlistentry>
 
 	<varlistentry>
-	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional></term>
+	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional>|<replaceable>MAC</replaceable>|ipset:<replaceable>ipset</replaceable></term>
 	  <listitem>
 	    <para>
-	      Bind source <replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional> to zone <replaceable>zone</replaceable>. If zone is omitted, default zone will be used.
+	      Bind the source to zone <replaceable>zone</replaceable>. If zone is omitted, default zone will be used.
 	    </para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
-	  <term><optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--change-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional></term>
+	  <term><optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--change-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional>|<replaceable>MAC</replaceable>|ipset:<replaceable>ipset</replaceable></term>
 	  <listitem>
 	    <para>
-	      Change zone the source <replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional> is bound to to zone <replaceable>zone</replaceable>.
+	      Change zone the source is bound to to zone <replaceable>zone</replaceable>.
 	      It's basically <option>--remove-source</option> followed by <option>--add-source</option>.
 	      If the source has not been bound to a zone before, it behaves like <option>--add-source</option>.
 	      If zone is omitted, default zone will be used.
@@ -946,19 +946,19 @@ For interfaces that are not under control of NetworkManager, firewalld tries to
 	</varlistentry>
 
 	<varlistentry>
-	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--query-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional></term>
+	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--query-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional>|<replaceable>MAC</replaceable>|ipset:<replaceable>ipset</replaceable></term>
 	  <listitem>
 	    <para>
-	      Query whether the source <replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional> is bound to the zone <replaceable>zone</replaceable>. Returns 0 if true, 1 otherwise.
+	      Query whether the source is bound to the zone <replaceable>zone</replaceable>. Returns 0 if true, 1 otherwise.
 	    </para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
-	  <term><optional><option>--permanent</option></optional> <option>--remove-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional></term>
+	  <term><optional><option>--permanent</option></optional> <option>--remove-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional>|<replaceable>MAC</replaceable>|ipset:<replaceable>ipset</replaceable></term>
 	  <listitem>
 	    <para>
-	      Remove binding of source <replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional> from zone it was previously added to.
+	      Remove binding of the source from zone it was previously added to.
 	    </para>
 	  </listitem>
 	</varlistentry>
diff --git a/doc/xml/firewall-offline-cmd.xml b/doc/xml/firewall-offline-cmd.xml
index 3b9c1d1..c4e5b80 100644
--- a/doc/xml/firewall-offline-cmd.xml
+++ b/doc/xml/firewall-offline-cmd.xml
@@ -313,10 +313,10 @@
 	</varlistentry>
 
 	<varlistentry>
-	  <term><option>--get-zone-of-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional></term>
+	  <term><option>--get-zone-of-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional>|<replaceable>MAC</replaceable>|ipset:<replaceable>ipset</replaceable></term>
 	  <listitem>
 	    <para>
-	      Print the name of the zone the <replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional> is bound to or <emphasis>no zone</emphasis>.
+	      Print the name of the zone the source is bound to or <emphasis>no zone</emphasis>.
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -883,7 +883,7 @@
 	Binding a source to a zone means that this zone settings will be used to restrict traffic from this source.
       </para>
       <para>
-	A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6 or a MAC address (no mask). For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number. The use of host names is not supported.
+	A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6 or a MAC address or an ipset with the ipset: prefix. For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number. The use of host names is not supported.
       </para>
       <para>
 	Options in this section affect only one particular zone. If used with <option>--zone</option>=<replaceable>zone</replaceable> option, they affect the zone <replaceable>zone</replaceable>. If the option is omitted, they affect default zone (see <option>--get-default-zone</option>).
@@ -902,37 +902,37 @@
 	</varlistentry>
 
 	<varlistentry>
-	  <term><optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional></term>
+	  <term><optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional>|<replaceable>MAC</replaceable>|ipset:<replaceable>ipset</replaceable></term>
 	  <listitem>
 	    <para>
-	      Bind source <replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional> to zone <replaceable>zone</replaceable>. If zone is omitted, default zone will be used.
+	      Bind the source to zone <replaceable>zone</replaceable>. If zone is omitted, default zone will be used.
 	    </para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
-	  <term><optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--change-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional></term>
+	  <term><optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--change-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional>|<replaceable>MAC</replaceable>|ipset:<replaceable>ipset</replaceable></term>
 	  <listitem>
 	    <para>
-	      Change zone the source <replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional> is bound to to zone <replaceable>zone</replaceable>. If zone is omitted, default zone will be used. If old and new zone are the same, the call will be ignored without an error. If the source has not been bound to a zone before, it will behave like <option>--add-source</option>.
+	      Change zone the source is bound to to zone <replaceable>zone</replaceable>. If zone is omitted, default zone will be used. If old and new zone are the same, the call will be ignored without an error. If the source has not been bound to a zone before, it will behave like <option>--add-source</option>.
 	    </para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
-	  <term><optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--query-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional></term>
+	  <term><optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--query-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional>|<replaceable>MAC</replaceable>|ipset:<replaceable>ipset</replaceable></term>
 	  <listitem>
 	    <para>
-	      Query whether the source <replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional> is bound to the zone <replaceable>zone</replaceable>. Returns 0 if true, 1 otherwise.
+	      Query whether the source is bound to the zone <replaceable>zone</replaceable>. Returns 0 if true, 1 otherwise.
 	    </para>
 	  </listitem>
 	</varlistentry>
 
 	<varlistentry>
-	  <term><optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--remove-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional></term>
+	  <term><optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--remove-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional>|<replaceable>MAC</replaceable>|ipset:<replaceable>ipset</replaceable></term>
 	  <listitem>
 	    <para>
-	      Remove binding of source <replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional> from zone <replaceable>zone</replaceable>. If zone is omitted, default zone will be used.
+	      Remove binding of the source from zone <replaceable>zone</replaceable>. If zone is omitted, default zone will be used.
 	    </para>
 	  </listitem>
 	</varlistentry>
diff --git a/doc/xml/firewallctl.xml b/doc/xml/firewallctl.xml
index 69ac511..ff99e5d 100644
--- a/doc/xml/firewallctl.xml
+++ b/doc/xml/firewallctl.xml
@@ -558,11 +558,11 @@ For interfaces that are not under control of NetworkManager, firewalld tries to
 
 	<varlistentry>
 	  <term>
-	    <option>source</option> { <replaceable>address</replaceable><optional>/<replaceable>mask</replaceable></optional> | ipset:<replaceable>ipset</replaceable> }
+	    <option>source</option> { <replaceable>address</replaceable><optional>/<replaceable>mask</replaceable></optional> | MAC | ipset:<replaceable>ipset</replaceable> }
 	  </term>
 	  <listitem>
 	    <para>
-	      A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6 or a MAC address (no mask) or also an ipset. For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number. The use of host names is not supported.
+	      A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6 or a MAC address or also an ipset. For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number. The use of host names is not supported.
 	    </para>
 	  </listitem>
 	</varlistentry>
diff --git a/doc/xml/firewalld.zone.xml b/doc/xml/firewalld.zone.xml
index 747308e..130acbb 100644
--- a/doc/xml/firewalld.zone.xml
+++ b/doc/xml/firewalld.zone.xml
@@ -71,7 +71,7 @@
   [ &lt;short&gt;<replaceable>short description</replaceable>&lt;/short&gt; ]
   [ &lt;description&gt;<replaceable>description</replaceable>&lt;/description&gt; ]
   [ &lt;interface name="<replaceable>string</replaceable>"/&gt; ]
-  [ &lt;source address="<replaceable>address</replaceable>[/<replaceable>mask</replaceable>]"|ipset="<replaceable>ipset</replaceable>"/&gt; ]
+  [ &lt;source address="<replaceable>address</replaceable>[/<replaceable>mask</replaceable>]"|mac="<replaceable>MAC</replaceable>"|ipset="<replaceable>ipset</replaceable>"/&gt; ]
   [ &lt;service name="<replaceable>string</replaceable>"/&gt; ]
   [ &lt;port port="<replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]" protocol="<literal>tcp</literal>|<literal>udp</literal>"/&gt; ]
   [ &lt;protcol value="<replaceable>protocol</replaceable>"/&gt; ]
@@ -82,7 +82,7 @@
   [ &lt;source-port port="<replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]" protocol="<literal>tcp</literal>|<literal>udp</literal>"/&gt; ]
   [
     &lt;rule [family="<literal>ipv4</literal>|<literal>ipv6</literal>"]&gt;
-    [ &lt;source address="<replaceable>address</replaceable>[/<replaceable>mask</replaceable>]"|ipset="<replaceable>ipset</replaceable>" [invert="<replaceable>True</replaceable>"]/&gt; ]
+    [ &lt;source address="<replaceable>address</replaceable>[/<replaceable>mask</replaceable>]"|mac="<replaceable>MAC</replaceable>"|ipset="<replaceable>ipset</replaceable>" [invert="<replaceable>True</replaceable>"]/&gt; ]
     [ &lt;destination address="<replaceable>address</replaceable>[/<replaceable>mask</replaceable>]" [invert="<replaceable>True</replaceable>"]/&gt; ]
     [
       &lt;service name="<replaceable>string</replaceable>"/&gt; |
@@ -182,18 +182,35 @@
     <refsect2 id="source">
       <title>source</title>
       <para>
-	Is an optional empty-element tag and can be used several times. It can be used to bind a source address or source address range to a zone. This can also be a MAC address. A source entry has exactly one attribute:
+	Is an optional empty-element tag and can be used several times. It can be used to bind a source address, address range, a MAC address or an ipset to a zone. A source entry has exactly one of these attributes:
       </para>
       <variablelist>
 	<varlistentry>
 	  <term>address="<replaceable>address</replaceable><optional>/<replaceable>mask</replaceable></optional>"</term>
           <listitem>
 	    <para>
-	      The source to be bound to the zone. The source is either an IP address or a network IP address with a mask for IPv4 or IPv6 or a MAC address (no mask). The network family (IPv4/IPv6) will be automatically discovered. For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number. The use of host names is not supported.
+	      The source is either an IP address or a network IP address with a mask for IPv4 or IPv6. The network family (IPv4/IPv6) will be automatically discovered. For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number. The use of host names is not supported.
 	    </para>
 	  </listitem>
 	</varlistentry>
 
+	<varlistentry>
+	  <term>mac="<replaceable>MAC</replaceable>"</term>
+          <listitem>
+	    <para>
+	      The source is a MAC address. It must be of the form XX:XX:XX:XX:XX:XX.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
+	  <term>ipset="<replaceable>ipset</replaceable>"</term>
+          <listitem>
+	    <para>
+	      The source is an ipset.
+	    </para>
+	  </listitem>
+	</varlistentry>
       </variablelist>
     </refsect2>
 
diff --git a/src/firewall-cmd b/src/firewall-cmd
index df0747d..405d08c 100755
--- a/src/firewall-cmd
+++ b/src/firewall-cmd
@@ -79,8 +79,8 @@ Zone Options
   --get-icmptypes      Print predefined icmptypes [P]
   --get-zone-of-interface=<interface>
                        Print name of the zone the interface is bound to [P]
-  --get-zone-of-source=<source>[/<mask>]
-                       Print name of the zone the source[/mask] is bound to [P]
+  --get-zone-of-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
+                       Print name of the zone the source is bound to [P]
   --list-all-zones     List everything added for or enabled in all zones [P]
   --new-zone=<zone>    Add a new zone [P only]
   --new-zone-from-file=<filename> [--name=<zone>]
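Review bot: The new placeholder `<MAC>` on the `--get-zone-of-source` line is the only uppercase placeholder in this help text; every other one in the visible lines is lowercase (`<interface>`, `<source>`, `<mask>`, `<zone>`, `<filename>`, `<ipset>`). Unless the capitalisation is meant to hint at the colon-separated hex form, `<mac>` would keep the usage grammar uniform, e.g. `  --get-zone-of-source=<source>[/<mask>]|<mac>|ipset:<ipset>`. The same choice appears in the source-binding hunk of this file and in both hunks of src/firewall-offline-cmd, so whichever spelling is picked should be applied to all of them. The enclosing help string starts and ends outside this hunk.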
@@ -310,15 +310,14 @@ Options to Handle Bindings of Interfaces
 
 Options to Handle Bindings of Sources
   --list-sources       List sources that are bound to a zone [P] [Z]
-  --add-source=<source>[/<mask>]
-                       Bind <source>[/<mask>] to a zone [P] [Z]
-  --change-source=<source>[/<mask>]
-                       Change zone the <source>[/<mask>] is bound to [Z]
-  --query-source=<source>[/<mask>]
-                       Query whether <source>[/<mask>] is bound to a zone
-                       [P] [Z]
-  --remove-source=<source>[/<mask>]
-                       Remove binding of <source>[/<mask>] from a zone [P] [Z]
+  --add-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
+                       Bind the source to a zone [P] [Z]
+  --change-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
+                       Change zone the source is bound to [Z]
+  --query-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
+                       Query whether the source is bound to a zone [P] [Z]
+  --remove-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
+                       Remove binding of the source from a zone [P] [Z]
 
 Direct Options
   --direct             First option for all direct options
diff --git a/src/firewall-offline-cmd b/src/firewall-offline-cmd
index 4a9432f..978ad8a 100755
--- a/src/firewall-offline-cmd
+++ b/src/firewall-offline-cmd
@@ -104,8 +104,8 @@ Zone Options
   --get-icmptypes      Print predefined icmptypes
   --get-zone-of-interface=<interface>
                        Print name of the zone the interface is bound to
-  --get-zone-of-source=<source>[/<mask>]
-                       Print name of the zone the source[/mask] is bound to
+  --get-zone-of-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
+                       Print name of the zone the source is bound to
   --list-all-zones     List everything added for or enabled in all zones
   --new-zone=<zone>    Add a new empty zone
   --new-zone-from-file=<filename> [--name=<zone>]
@@ -330,15 +330,14 @@ Options to Handle Bindings of Interfaces
 
 Options to Handle Bindings of Sources
   --list-sources       List sources that are bound to a zone [Z]
-  --add-source=<source>[/<mask>]
-                       Bind <source>[/<mask>] to a zone [Z]
-  --change-source=<source>[/<mask>]
-                       Change zone the <source>[/<mask>] is bound to [Z]
-  --query-source=<source>[/<mask>]
-                       Query whether <source>[/<mask>] is bound to a zone
-                       [Z]
-  --remove-source=<source>[/<mask>]
-                       Remove binding of <source>[/<mask>] from a zone [Z]
+  --add-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
+                       Bind the source to a zone [Z]
+  --change-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
+                       Change zone the source is bound to [Z]
+  --query-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
+                       Query whether the source is bound to a zone [Z]
+  --remove-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
+                       Remove binding of the source from a zone [Z]
 
 Direct Options
   --direct             First option for all direct options