"Fossies" - the Fresh Open Source Software Archive

Member "firewalld-0.8.0/doc/xml/firewall-cmd.xml.in" (5 Nov 2019, 108331 Bytes) of package /linux/misc/firewalld-0.8.0.tar.gz:



<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[
<!ENTITY authors SYSTEM "@SRCDIR@/authors.xml">
<!ENTITY seealso SYSTEM "@SRCDIR@/seealso.xml">
<!ENTITY notes SYSTEM "@SRCDIR@/notes.xml">
<!ENTITY errorcodes SYSTEM "errorcodes.xml">
]>

<!--
  This file is part of firewalld.

  Copyright (C) 2010-2014 Red Hat, Inc.
  Authors:
  Thomas Woerner <twoerner@redhat.com>

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation; either version 2 of the License, or
  (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  You should have received a copy of the GNU General Public License
  along with this program.  If not, see <http://www.gnu.org/licenses/>.
-->

<refentry id="firewall-cmd">

  <refentryinfo>
    <title>firewall-cmd</title>
    <productname>firewalld</productname>
    &authors;
  </refentryinfo>

  <refmeta>
    <refentrytitle>firewall-cmd</refentrytitle>
    <manvolnum>1</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>firewall-cmd</refname>
    <refpurpose>firewalld command line client</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>firewall-cmd</command> <arg choice="opt" rep="repeat">OPTIONS</arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1 id="description">
    <title>Description</title>

    <para>
      firewall-cmd is the command line client of the firewalld daemon. It provides an interface to manage the runtime and the permanent configuration.
    </para>

    <para>
      The runtime configuration in firewalld is separated from the permanent configuration. Changes can be made to either one independently: a runtime change takes effect immediately but is lost when firewalld is reloaded or restarted, while a permanent change is written to disk and only takes effect after a reload or restart (see <option>--permanent</option>, <option>--reload</option> and <option>--runtime-to-permanent</option>).
    </para>
  </refsect1>

  <refsect1 id="options">
    <title>Options</title>
    <para>
      Sequence options are options that can be specified multiple times. For them, the exit code is 0 if at least one item succeeded. The <literal>ALREADY_ENABLED</literal> (11), <literal>NOT_ENABLED</literal> (12) and <literal>ZONE_ALREADY_SET</literal> (16) errors are treated as success.
      If there are issues while parsing the items, these are treated as warnings and do not change the result as long as one item succeeded.
      Without any succeeded item, the exit code depends on the error codes: if there is exactly one distinct error code, it is used; if there is more than one, <literal>UNKNOWN_ERROR</literal> (254) is used.
    </para>

    <para>
      The following options are supported:
    </para>

    <refsect2 id="general_options">
      <title>General Options</title>
      <variablelist>
	<varlistentry>
          <term><option>-h</option></term>
          <term><option>--help</option></term>
          <listitem>
	    <para>
	      Prints a short help text and exits.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
          <term><option>-V</option></term>
          <term><option>--version</option></term>
          <listitem>
	    <para>
	      Print the version string of firewalld. This option is not combinable with other options.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
          <term><option>-q</option></term>
          <term><option>--quiet</option></term>
          <listitem>
	    <para>
	      Do not print status messages.
	    </para>
	  </listitem>
	</varlistentry>
      </variablelist>
    </refsect2>

    <refsect2 id="status_options">
      <title>Status Options</title>
      <variablelist>
	<varlistentry>
	  <term><option>--state</option></term>
	  <listitem>
	    <para>
	      Check whether the firewalld daemon is active (i.e. running). Returns an exit code 0 if it is active, <replaceable>RUNNING_BUT_FAILED</replaceable> if failure occurred on startup, <replaceable>NOT_RUNNING</replaceable> otherwise. See <xref linkend="exit_codes"/>. This will also print the state to <replaceable>STDOUT</replaceable>.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><option>--reload</option></term>
	  <listitem>
	    <para>
	      Reload firewall rules and keep state information.
	      Current permanent configuration will become new runtime configuration,
	      i.e. all runtime only changes done until reload are lost with reload
	      if they have not been also in permanent configuration.
	    </para>
	    <para>
	      Note: Runtime changes applied via the direct interface are not
	      affected and will therefore stay in place until firewalld daemon
	      is restarted completely.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><option>--complete-reload</option></term>
	  <listitem>
	    <para>
	      Reload the firewall completely, including the netfilter kernel modules. This will most likely terminate active connections, because connection state information is lost. This option should only be used in case of severe firewall problems, for example when corrupted state information prevents any connection from being established even though the firewall rules are correct.
	    </para>
	    <para>
	      Note: Runtime changes applied via the direct interface are not
	      affected and will therefore stay in place until firewalld daemon
	      is restarted completely.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><option>--runtime-to-permanent</option></term>
	  <listitem>
	    <para>
	      Save the active runtime configuration and overwrite the permanent configuration with it.
	      The intended workflow is to make runtime changes only while configuring firewalld and,
	      once you are happy with the configuration and have tested that it works the way you want,
	      to save it to disk with this option.
	    </para>
	  </listitem>
	</varlistentry>

    <varlistentry>
      <term><option>--check-config</option></term>
      <listitem>
        <para>
          Run checks on the permanent configuration. This includes XML validity
          and semantics.
        </para>
      </listitem>
    </varlistentry>
      </variablelist>
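<para>
  The status options above give everything needed for a change that cannot lock the operator out: <option>--check-config</option> before touching anything, a runtime-only change, and <option>--reload</option> as the rollback (reload discards every runtime-only change), with <option>--runtime-to-permanent</option> as the commit. The script below is an added example and is not part of firewalld. It assumes firewall-cmd is on PATH with firewalld running, and that systemd-run is available to arm a transient timer (the timer name fw-rollback is this example's choice); the planning functions need neither. Note that <option>--timeout</option> only exists for the add-* options, so it cannot guard a removal such as dropping the ssh service; an external reload timer covers every kind of runtime change.
</para>

```python
"""Added example (not firewalld's own code): lockout-safe change procedure
built from --check-config, runtime-only changes, --reload and
--runtime-to-permanent.  Assumes firewall-cmd and systemd-run on PATH and a
running firewalld when guarded_change() is used; plan()/commit() are pure."""
import subprocess
from typing import Callable, List, Sequence

# Exit codes documented on this page; every other code is treated as failure.
SUCCESS = 0
ALREADY_ENABLED = 11
ROLLBACK_UNIT = "fw-rollback"          # assumption: any free transient unit name


def plan(zone: str, runtime_change: Sequence[str], grace: str = "10min") -> List[List[str]]:
    """Ordered argv lists for one guarded change.

    1. --check-config refuses to work on a host whose permanent config is
       already broken (a later reload would then be a gamble).
    2. A transient systemd timer runs --reload after `grace`.  Reload rebuilds
       the runtime config from the permanent one, so the change is undone
       automatically if the operator is locked out and never commits.
    3. The change itself goes to the runtime configuration only.
    """
    if "--permanent" in runtime_change:
        raise ValueError("guarded changes must be runtime-only; drop --permanent")
    return [
        ["firewall-cmd", "--check-config"],
        ["systemd-run", f"--on-active={grace}", f"--unit={ROLLBACK_UNIT}",
         "firewall-cmd", "--reload"],
        ["firewall-cmd", f"--zone={zone}", *runtime_change],
    ]


def commit() -> List[List[str]]:
    """Persist the verified runtime state, then disarm the rollback timer."""
    return [["firewall-cmd", "--runtime-to-permanent"],
            ["systemctl", "stop", f"{ROLLBACK_UNIT}.timer"]]


def run(argv: Sequence[str]) -> int:
    """Run one command; output goes to the terminal, exit code is returned."""
    return subprocess.run(list(argv), check=False).returncode


def rollback_now() -> None:
    run(["firewall-cmd", "--reload"])
    run(["systemctl", "stop", f"{ROLLBACK_UNIT}.timer"])


def guarded_change(zone: str, runtime_change: Sequence[str],
                   verify: Callable[[], bool], grace: str = "10min") -> bool:
    """Apply the change and keep it only if verify() (for example a fresh SSH
    login from another host) succeeds before the rollback timer fires."""
    steps = plan(zone, runtime_change, grace)
    if run(steps[0]) != SUCCESS:           # broken permanent config: do nothing
        return False
    for argv in steps[1:]:
        if run(argv) not in (SUCCESS, ALREADY_ENABLED):
            rollback_now()
            return False
    if not verify():
        rollback_now()
        return False
    return all(run(argv) == SUCCESS for argv in commit())


if __name__ == "__main__":
    # Move administrative SSH from the ssh service (22/tcp) to 2222/tcp in the
    # public zone; both options are documented on this page.
    ok = guarded_change(
        "public",
        ["--remove-service=ssh", "--add-port=2222/tcp"],
        verify=lambda: input("Logged in again on port 2222? [y/N] ").lower() == "y",
    )
    print("committed" if ok else "rolled back")
```

<para>
  The verification step is deliberately external to the script: the only proof that a change did not cut off management access is a new connection that succeeds after the change was applied.
</para>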
    </refsect2>

    <refsect2 id="log_denied_options">
      <title>Log Denied Options</title>
      <variablelist>
	<varlistentry>
	  <term><option>--get-log-denied</option></term>
	  <listitem>
	    <para>
	      Print the log denied setting.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><option>--set-log-denied</option>=<replaceable>value</replaceable></term>
	  <listitem>
	    <para>
	      Add logging rules right before the reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the default rules, and also before the final reject and drop rules in zones, for the configured link-layer packet type. The possible values are: <replaceable>all</replaceable>, <replaceable>unicast</replaceable>, <replaceable>broadcast</replaceable>, <replaceable>multicast</replaceable> and <replaceable>off</replaceable>. The default setting is <replaceable>off</replaceable>, which disables the logging.
	    </para>
	    <para>
	      This is a runtime and permanent change and will also reload the firewall to be able to add the logging rules.
	    </para>
	  </listitem>
	</varlistentry>
      </variablelist>
    </refsect2>

    <refsect2 id="permanent_options">
      <title>Permanent Options</title>
      <variablelist>

	<varlistentry>
          <term><option>--permanent</option></term>
          <listitem>
	    <para>
	      The permanent option <option>--permanent</option> can be used to set options permanently. These changes are not effective immediately, only after service restart/reload or system reboot. Without the <option>--permanent</option> option, a change will only be part of the runtime configuration.
	    </para>
	    <para>If you want to make a change in both the runtime and the permanent configuration, use the same call with and without the <option>--permanent</option> option.
	    </para>
	    <para>
	      The <option>--permanent</option> option can be optionally added to all options further down where it is supported.
	    </para>
	  </listitem>
	</varlistentry>
      </variablelist>
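<para>
  Two points from the Options introduction and from <option>--permanent</option> matter for automation: the same call has to be issued with and without <option>--permanent</option>, and for sequence options the exit code is 0 as soon as one item succeeds, so a misspelled service name in a list of several is only a warning. The Python below is an added example, not firewalld code: it models the documented exit-code rule as a pure function and applies a change to both configurations while confirming every item with the matching --query-* call instead of trusting the aggregated exit code. It assumes firewall-cmd is on PATH and firewalld is running for apply_both(); aggregate_exit() runs anywhere.
</para>

```python
"""Added example (not firewalld's own code): the sequence-option exit code rule
from this man page, and a runtime+permanent apply helper that verifies each
item.  apply_both() needs firewall-cmd on PATH and a running firewalld."""
import subprocess
from typing import Dict, List, Sequence, Tuple

# Codes documented on this page.
SUCCESS = 0
ALREADY_ENABLED = 11
NOT_ENABLED = 12
ZONE_ALREADY_SET = 16
UNKNOWN_ERROR = 254
TREATED_AS_SUCCESS = {SUCCESS, ALREADY_ENABLED, NOT_ENABLED, ZONE_ALREADY_SET}


def aggregate_exit(item_codes: Sequence[int]) -> int:
    """Exit code firewall-cmd reports for a sequence option, per the page:
    0 if any item succeeded (11, 12 and 16 count as success); otherwise the
    single distinct error code, or UNKNOWN_ERROR (254) if there were several."""
    if any(code in TREATED_AS_SUCCESS for code in item_codes):
        return SUCCESS
    errors = set(item_codes)
    if len(errors) == 1:
        return errors.pop()
    return UNKNOWN_ERROR


def run(args: Sequence[str]) -> int:
    """Run firewall-cmd with the given options and return its exit code."""
    proc = subprocess.run(["firewall-cmd", *args], check=False,
                          capture_output=True, text=True)
    return proc.returncode


def apply_both(zone: str, kind: str, items: Sequence[str]) -> Dict[str, Tuple[bool, bool]]:
    """Apply --add-KIND=item for every item to the runtime and the permanent
    configuration ("the same call with and without --permanent"), then confirm
    each item with --query-KIND.  Returns {item: (in_runtime, in_permanent)}.

    kind is 'service', 'port', 'protocol' or 'source-port' (the add/query pairs
    documented on this page).  The aggregated exit code of the add calls is
    ignored on purpose: it is 0 as soon as one item was accepted."""
    adds = [f"--add-{kind}={item}" for item in items]
    run([f"--zone={zone}", *adds])
    run(["--permanent", f"--zone={zone}", *adds])
    result: Dict[str, Tuple[bool, bool]] = {}
    for item in items:
        in_rt = run([f"--zone={zone}", f"--query-{kind}={item}"]) == SUCCESS
        in_pm = run(["--permanent", f"--zone={zone}", f"--query-{kind}={item}"]) == SUCCESS
        result[item] = (in_rt, in_pm)
    return result


def missing(result: Dict[str, Tuple[bool, bool]]) -> List[str]:
    """Items that did not land in both configurations."""
    return [item for item, (rt, pm) in result.items() if not (rt and pm)]


if __name__ == "__main__":
    outcome = apply_both("public", "service", ["ssh", "https", "htps"])  # 'htps' is a typo
    print(outcome)
    print("not applied everywhere:", missing(outcome))
```

<para>
  In the usage above the add calls exit 0 because ssh and https succeed; only the per-item query reveals that the misspelled third service was never added.
</para>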
    </refsect2>

    <refsect2 id="zone_options">
      <title>Zone Options</title>
      <variablelist>
	<varlistentry>
	  <term><option>--get-default-zone</option></term>
	  <listitem>
	    <para>
	      Print default zone for connections and interfaces.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><option>--set-default-zone</option>=<replaceable>zone</replaceable></term>
	  <listitem>
	    <para>
	      Set the default zone for connections and interfaces where no zone has been selected. Setting the default zone changes the zone for all connections and interfaces that are using the default zone.
	    </para>
	    <para>
	      This is a runtime and permanent change.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><option>--get-active-zones</option></term>
	  <listitem>
	    <para>
	      Print the currently active zones together with the interfaces and sources used in these zones. Active zones are zones that have a binding to an interface or source. The output format is:
	      <programlisting>
<replaceable>zone1</replaceable>
  interfaces: <replaceable>interface1</replaceable> <replaceable>interface2</replaceable> ..
  sources: <replaceable>source1</replaceable> ..
<replaceable>zone2</replaceable>
  interfaces: <replaceable>interface3</replaceable> ..
<replaceable>zone3</replaceable>
  sources: <replaceable>source2</replaceable> ..
	      </programlisting>
	      If there are no interfaces or sources bound to the zone, the corresponding line will be omitted.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <option>--get-zones</option></term>
	  <listitem>
	    <para>
	      Print predefined zones as a space separated list.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <option>--get-services</option></term>
	  <listitem>
	    <para>
	      Print predefined services as a space separated list.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <option>--get-icmptypes</option></term>
	  <listitem>
	    <para>
	      Print predefined icmptypes as a space separated list.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <option>--get-zone-of-interface</option>=<replaceable>interface</replaceable></term>
	  <listitem>
	    <para>
	      Print the name of the zone the <replaceable>interface</replaceable> is bound to or <emphasis>no zone</emphasis>.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <option>--get-zone-of-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional>|<replaceable>MAC</replaceable>|ipset:<replaceable>ipset</replaceable></term>
	  <listitem>
	    <para>
	      Print the name of the zone the source is bound to or <emphasis>no zone</emphasis>.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <option>--info-zone=<replaceable>zone</replaceable></option></term>
	  <listitem>
	    <para>
	      Print information about the zone <replaceable>zone</replaceable>. The output format is:
	      <programlisting>
<replaceable>zone</replaceable>
  interfaces: <replaceable>interface1</replaceable> ..
  sources: <replaceable>source1</replaceable> ..
  services: <replaceable>service1</replaceable> ..
  ports: <replaceable>port1</replaceable> ..
  protocols: <replaceable>protocol1</replaceable> ..
  forward-ports:
        <replaceable>forward-port1</replaceable>
        ..
  source-ports: <replaceable>source-port1</replaceable> ..
  icmp-blocks: <replaceable>icmp-type1</replaceable> ..
  rich rules:
        <replaceable>rich-rule1</replaceable>
        ..
              </programlisting>
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <option>--list-all-zones</option></term>
	  <listitem>
	    <para>
	      List everything added for or enabled in all zones. The output format is:
	      <programlisting>
<replaceable>zone1</replaceable>
  interfaces: <replaceable>interface1</replaceable> ..
  sources: <replaceable>source1</replaceable> ..
  services: <replaceable>service1</replaceable> ..
  ports: <replaceable>port1</replaceable> ..
  protocols: <replaceable>protocol1</replaceable> ..
  forward-ports:
        <replaceable>forward-port1</replaceable>
        ..
  icmp-blocks: <replaceable>icmp-type1</replaceable> ..
  rich rules:
        <replaceable>rich-rule1</replaceable>
        ..
..
              </programlisting>
	    </para>
	  </listitem>
	</varlistentry>
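<para>
  The three listings above (<option>--get-active-zones</option>, <option>--info-zone</option> and <option>--list-all-zones</option>) share one layout: an unindented zone name, two-space indented <literal>key: values</literal> lines, and block keys such as <literal>forward-ports:</literal> and <literal>rich rules:</literal> whose entries follow on more deeply indented lines, with absent keys simply omitted. The parser below is an added example and not part of firewalld; it runs on a constructed sample in that format and then answers the question an audit actually asks: which zones are in effect, what do they carry, and which zones are configured but bound to nothing. A zone counts as in effect when it has an interface or source binding or when it is the default zone, since the default zone applies to every interface without an explicit binding (see <option>--get-default-zone</option>).
</para>

```python
"""Added example (not firewalld's own code): parse the zone listing format of
--get-active-zones / --info-zone / --list-all-zones and audit the result.
Runs offline on the constructed sample; feed it real firewall-cmd output
(e.g. subprocess.run(["firewall-cmd", "--list-all-zones"], ...).stdout) for a
live check."""
from typing import Dict, List

# Constructed sample in the --list-all-zones layout shown on this page; not
# captured from a real host.  'public' is bound to an interface, 'dmz' to a
# source network, 'internal' is fully configured but bound to nothing.
SAMPLE = """\
public
  interfaces: eth0
  services: ssh dhcpv6-client
  ports: 8080/tcp
  forward-ports:
        port=80:proto=tcp:toport=8080
dmz
  sources: 192.0.2.0/24
  services: https
  rich rules:
        rule family="ipv4" source address="198.51.100.7" drop
internal
  services: ssh https smtp
  ports: 9000-9100/tcp
"""

RULE_KEYS = ("services", "ports", "protocols", "source-ports",
             "forward-ports", "icmp-blocks", "rich rules")


def parse_zone_listing(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {zone: {key: [entries]}}.  'services: a b' becomes a word list;
    a block key ('forward-ports:', 'rich rules:') collects the more deeply
    indented lines after it, one entry per line.  Keys the daemon omitted for a
    zone are absent from that zone's dict, matching the page's note."""
    zones: Dict[str, Dict[str, List[str]]] = {}
    zone = key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        if indent == 0:                        # zone header; first word is the name
            zone, key = line.split()[0], None
            zones[zone] = {}
        elif indent == 2 and zone is not None:  # 'key: v1 v2' or a block key
            name, _, value = line.partition(":")
            key = name.strip()
            zones[zone][key] = value.split()
        elif zone is not None and key is not None:  # entry under a block key
            zones[zone][key].append(line)
    return zones


def audit(zones: Dict[str, Dict[str, List[str]]], default_zone: str) -> Dict[str, str]:
    """One finding per zone: in effect (bound, or the default zone) and what it
    carries, or configured but inert.  Inert zones are the classic mistake of
    adding rules to a zone the interface is not actually in."""
    findings: Dict[str, str] = {}
    for name, cfg in zones.items():
        bound = bool(cfg.get("interfaces") or cfg.get("sources"))
        in_effect = bound or name == default_zone
        carried = ["%s: %s" % (k, " ".join(cfg[k])) for k in RULE_KEYS if cfg.get(k)]
        if in_effect and carried:
            findings[name] = "in effect; carries " + "; ".join(carried)
        elif in_effect:
            findings[name] = "in effect; carries nothing beyond zone defaults"
        elif carried:
            findings[name] = "configured but inert: not bound and not the default zone"
        else:
            findings[name] = "empty and unused"
    return findings


if __name__ == "__main__":
    for zone, finding in audit(parse_zone_listing(SAMPLE), "public").items():
        print(f"{zone}: {finding}")
```

<para>
  The same parser handles <option>--get-active-zones</option> output unchanged, since that listing is the subset with only the interfaces and sources keys.
</para>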

	<varlistentry>
          <term><option>--permanent</option> <option>--new-zone</option>=<replaceable>zone</replaceable></term>
          <listitem>
            <para>
              Add a new permanent and empty zone.
            </para>
          </listitem>
	</varlistentry>

	<varlistentry>
          <term><option>--permanent</option> <option>--new-zone-from-file</option>=<replaceable>filename</replaceable> <optional><option>--name</option>=<replaceable>zone</replaceable></optional></term>
          <listitem>
            <para>
              Add a new permanent zone from a prepared zone file with an optional name override.
            </para>
          </listitem>
	</varlistentry>

	<varlistentry>
          <term><option>--permanent</option> <option>--delete-zone</option>=<replaceable>zone</replaceable></term>
          <listitem>
            <para>
              Delete an existing permanent zone.
            </para>
          </listitem>
	</varlistentry>

	<varlistentry>
          <term><option>--permanent</option> <option>--load-zone-defaults</option>=<replaceable>zone</replaceable></term>
          <listitem>
            <para>
              Load the default settings of the zone, or report a NO_DEFAULTS error if the zone has none.
            </para>
          </listitem>
	</varlistentry>

	<varlistentry>
	  <term><option>--permanent</option> <option>--path-zone=<replaceable>zone</replaceable></option></term>
	  <listitem>
	    <para>
	      Print path of the zone configuration file.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
         <term><option>--permanent</option> <option>--zone</option>=<replaceable>zone</replaceable> <option>--set-description</option>=<replaceable>description</replaceable></term>
         <listitem>
           <para>
             Set a new description for the zone.
           </para>
         </listitem>
	</varlistentry>
	<varlistentry>
         <term><option>--permanent</option> <option>--zone</option>=<replaceable>zone</replaceable> <option>--get-description</option></term>
         <listitem>
           <para>
             Print the description of the zone.
           </para>
         </listitem>
	</varlistentry>
	<varlistentry>
         <term><option>--permanent</option> <option>--zone</option>=<replaceable>zone</replaceable> <option>--set-short</option>=<replaceable>description</replaceable></term>
         <listitem>
           <para>
             Set a new short description for the zone.
           </para>
         </listitem>
	</varlistentry>
	<varlistentry>
         <term><option>--permanent</option> <option>--zone</option>=<replaceable>zone</replaceable> <option>--get-short</option></term>
         <listitem>
           <para>
             Print the short description of the zone.
           </para>
         </listitem>
	</varlistentry>
	<varlistentry>
          <term><option>--permanent</option> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--get-target</option></term>
          <listitem>
            <para>
              Get the target of a permanent zone.
            </para>
          </listitem>
	</varlistentry>

	<varlistentry>
          <term><option>--permanent</option> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--set-target</option>=<replaceable>target</replaceable></term>
          <listitem>
            <para>
              Set the target of a permanent zone. <replaceable>target</replaceable> is one of: <literal>default</literal>, <literal>ACCEPT</literal>, <literal>DROP</literal>, <literal>REJECT</literal>
            </para>
          </listitem>
	</varlistentry>
      </variablelist>
    </refsect2>

    <refsect2 id="options_to_adapt_and_query_zones">
      <title>Options to Adapt and Query Zones</title>
      <para>
	Options in this section affect only one particular zone. If used with the <option>--zone</option>=<replaceable>zone</replaceable> option, they affect the zone <replaceable>zone</replaceable>. If the option is omitted, they affect the default zone (see <option>--get-default-zone</option>).
      </para>
      <variablelist>

	<!-- list-all -->

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--list-all</option></term>
	  <listitem>
	    <para>
	      List everything added for or enabled in <replaceable>zone</replaceable>. If zone is omitted, default zone will be used.
	    </para>
	  </listitem>
	</varlistentry>

	<!-- list/add/remove/query service -->

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--list-services</option></term>
	  <listitem>
	    <para>
	      List services added for <replaceable>zone</replaceable> as a space separated list. If zone is omitted, default zone will be used.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-service</option>=<replaceable>service</replaceable> <optional><option>--timeout</option>=<replaceable>timeval</replaceable></optional></term>
	  <listitem>
	    <para>
	      Add a service for <replaceable>zone</replaceable>. If zone is omitted, default zone will be used. This option can be specified multiple times. If a timeout is supplied, the rule will be active for the specified amount of time and will be removed automatically afterwards.
	      <replaceable>timeval</replaceable> is either a number (of seconds) or a number followed by one of the characters <literal>s</literal> (seconds), <literal>m</literal> (minutes), <literal>h</literal> (hours), for example <literal>20m</literal> or <literal>1h</literal>.
	    </para>
	    <para>
	      The service is one of the firewalld provided services. To get a list of the supported services, use <command>firewall-cmd --get-services</command>.
	    </para>
	    <para>
	      The <option>--timeout</option> option is not combinable with the <option>--permanent</option> option.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--remove-service</option>=<replaceable>service</replaceable></term>
	  <listitem>
	    <para>
	      Remove a service from <replaceable>zone</replaceable>. This option can be specified multiple times. If zone is omitted, default zone will be used.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--query-service</option>=<replaceable>service</replaceable></term>
	  <listitem>
	    <para>
	      Return whether <replaceable>service</replaceable> has been added for <replaceable>zone</replaceable>. If zone is omitted, default zone will be used. Returns 0 if true, 1 otherwise.
	    </para>
	  </listitem>
	</varlistentry>

	<!-- list/add/remove/query port -->

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--list-ports</option></term>
	  <listitem>
	    <para>
	      List ports added for <replaceable>zone</replaceable> as a space separated list. A port is of the form <replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>/<replaceable>protocol</replaceable>, it can be either a port and protocol pair or a port range with a protocol. If zone is omitted, default zone will be used.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-port</option>=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>/<replaceable>protocol</replaceable> <optional><option>--timeout</option>=<replaceable>timeval</replaceable></optional></term>
	  <listitem>
	    <para>
	      Add the port for <replaceable>zone</replaceable>. If zone is omitted, default zone will be used. This option can be specified multiple times. If a timeout is supplied, the rule will be active for the specified amount of time and will be removed automatically afterwards.
	      <replaceable>timeval</replaceable> is either a number (of seconds) or a number followed by one of the characters <literal>s</literal> (seconds), <literal>m</literal> (minutes), <literal>h</literal> (hours), for example <literal>20m</literal> or <literal>1h</literal>.
	    </para>
	    <para>
	      The port can either be a single port number or a port range <replaceable>portid</replaceable>-<replaceable>portid</replaceable>. The protocol can either be <literal>tcp</literal>, <literal>udp</literal>, <literal>sctp</literal> or <literal>dccp</literal>.
	    </para>
	    <para>
	      The <option>--timeout</option> option is not combinable with the <option>--permanent</option> option.
	    </para>
	  </listitem>
	</varlistentry>
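<para>
  The grammar given for <option>--add-service</option> and <option>--add-port</option> above (a port spec of <literal>portid[-portid]/protocol</literal> with protocol tcp, udp, sctp or dccp, a <replaceable>timeval</replaceable> of a number optionally followed by s, m or h, and the rule that <option>--timeout</option> cannot be combined with <option>--permanent</option>) is small enough to check before a value ever reaches firewall-cmd, which matters when the values come from a ticket, a web form or another automation system. The validator below is an added example, not firewalld code; rejecting port 0 and a zero timeout is this example's own stricter choice rather than a rule stated on the page.
</para>

```python
"""Added example (not firewalld's own code): validate --add-port arguments and
--timeout values against the grammar this man page gives, then build the
firewall-cmd argv.  Pure Python; needs no firewalld."""
import re
from typing import List, Optional, Tuple

PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}           # from the page
PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?/([a-z]+)$")
TIMEVAL_RE = re.compile(r"^(\d+)([smh]?)$")           # N, Ns, Nm or Nh
UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600}


def parse_port(spec: str) -> Tuple[int, int, str]:
    """Return (low, high, protocol) for 'portid[-portid]/protocol'.
    Rejects unknown protocols, reversed ranges, ports above 65535 and
    (this example's choice) port 0."""
    m = PORT_RE.match(spec)
    if m is None:
        raise ValueError(f"bad port spec {spec!r}: want portid[-portid]/protocol")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    proto = m.group(3)
    if proto not in PROTOCOLS:
        raise ValueError(f"protocol {proto!r} is not one of {sorted(PROTOCOLS)}")
    if low == 0 or high > 65535 or low > high:
        raise ValueError(f"port range {low}-{high} out of order or out of 1..65535")
    return low, high, proto


def parse_timeval(value: str) -> int:
    """Seconds for a --timeout value such as '30', '20m' or '1h'.
    A zero timeout is refused here because it would defeat the purpose of a
    temporary rule (this example's choice, not a rule from the page)."""
    m = TIMEVAL_RE.match(value)
    if m is None or int(m.group(1)) == 0:
        raise ValueError(f"bad timeval {value!r}: want N, Ns, Nm or Nh")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]


def build_add_port(zone: str, specs: List[str], permanent: bool = False,
                   timeout: Optional[str] = None) -> List[str]:
    """argv that adds every validated spec to zone.  --timeout together with
    --permanent is refused up front, as the page says they do not combine."""
    if permanent and timeout is not None:
        raise ValueError("--timeout is not combinable with --permanent")
    for spec in specs:
        parse_port(spec)
    if timeout is not None:
        parse_timeval(timeout)
    argv = ["firewall-cmd"]
    if permanent:
        argv.append("--permanent")
    argv.append(f"--zone={zone}")
    argv.extend(f"--add-port={spec}" for spec in specs)
    if timeout is not None:
        argv.append(f"--timeout={timeout}")
    return argv


if __name__ == "__main__":
    # Open a debugging port range in the public zone for twenty minutes only.
    print(" ".join(build_add_port("public", ["9000-9100/tcp"], timeout="20m")))
```

<para>
  The same checks apply unchanged to <option>--add-source-port</option>, which uses the identical port spec and timeval syntax.
</para>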
  551 
  552 	<varlistentry>
  553 	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--remove-port</option>=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>/<replaceable>protocol</replaceable></term>
  554 	  <listitem>
  555 	    <para>
  556 	      Remove the port from <replaceable>zone</replaceable>. If zone is omitted, default zone will be used. This option can be specified multiple times.
  557 	    </para>
  558 	  </listitem>
  559 	</varlistentry>
  560 
  561 	<varlistentry>
  562 	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--query-port</option>=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>/<replaceable>protocol</replaceable></term>
  563 	  <listitem>
  564 	    <para>
  565 	      Return whether the port has been added for <replaceable>zone</replaceable>. If zone is omitted, default zone will be used. Returns 0 if true, 1 otherwise.
  566 	    </para>
  567 	  </listitem>
  568 	</varlistentry>
  569 
  570 	<!-- list/add/remove/query protocol -->
  571 
  572 	<varlistentry>
  573 	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--list-protocols</option></term>
  574 	  <listitem>
  575 	    <para>
  576 	      List protocols added for <replaceable>zone</replaceable> as a space separated list. If zone is omitted, default zone will be used.
  577 	    </para>
  578 	  </listitem>
  579 	</varlistentry>
  580 
  581 	<varlistentry>
  582 	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-protocol</option>=<replaceable>protocol</replaceable> <optional><option>--timeout</option>=<replaceable>timeval</replaceable></optional></term>
  583 	  <listitem>
  584 	    <para>
  585 	      Add the protocol for <replaceable>zone</replaceable>. If zone is omitted, default zone will be used. This option can be specified multiple times. If a timeout is supplied, the rule will be active for the specified amount of time and will be removed automatically afterwards.
  586 	      <replaceable>timeval</replaceable> is either a number (of seconds) or number followed by one of characters <literal>s</literal> (seconds), <literal>m</literal> (minutes), <literal>h</literal> (hours), for example <literal>20m</literal> or <literal>1h</literal>.
  587 	    </para>
  588 	    <para>
  589 	      The protocol can be any protocol supported by the system. Please have a look at <filename>/etc/protocols</filename> for supported protocols.
  590 	    </para>
  591 	    <para>
  592 	      The <option>--timeout</option> option is not combinable with the <option>--permanent</option> option.
  593 	    </para>
  594 	  </listitem>
  595 	</varlistentry>
  596 
  597 	<varlistentry>
  598 	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--remove-protocol</option>=<replaceable>protocol</replaceable></term>
  599 	  <listitem>
  600 	    <para>
  601 	      Remove the protocol from <replaceable>zone</replaceable>. If zone is omitted, default zone will be used. This option can be specified multiple times.
  602 	    </para>
  603 	  </listitem>
  604 	</varlistentry>
  605 
  606 	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--query-protocol</option>=<replaceable>protocol</replaceable></term>
	  <listitem>
	    <para>
	      Return whether the protocol has been added for <replaceable>zone</replaceable>. If zone is omitted, the default zone will be used. Returns 0 if true, 1 otherwise.
	    </para>
	  </listitem>
	</varlistentry>

	<!-- list/add/remove/query source port -->

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--list-source-ports</option></term>
	  <listitem>
	    <para>
	      List source ports added for <replaceable>zone</replaceable> as a space separated list. A port is of the form <replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>/<replaceable>protocol</replaceable>. If zone is omitted, the default zone will be used.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-source-port</option>=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>/<replaceable>protocol</replaceable> <optional><option>--timeout</option>=<replaceable>timeval</replaceable></optional></term>
	  <listitem>
	    <para>
	      Add the source port for <replaceable>zone</replaceable>. If zone is omitted, the default zone will be used. This option can be specified multiple times. If a timeout is supplied, the rule will be active for the specified amount of time and will be removed automatically afterwards.
	      <replaceable>timeval</replaceable> is either a number of seconds or a number followed by one of the characters <literal>s</literal> (seconds), <literal>m</literal> (minutes) or <literal>h</literal> (hours), for example <literal>20m</literal> or <literal>1h</literal>.
	    </para>
	    <para>
	      The port can either be a single port number or a port range <replaceable>portid</replaceable>-<replaceable>portid</replaceable>. The protocol can either be <literal>tcp</literal>, <literal>udp</literal>, <literal>sctp</literal> or <literal>dccp</literal>.
	    </para>
	    <para>
	      The <option>--timeout</option> option is not combinable with the <option>--permanent</option> option.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--remove-source-port</option>=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>/<replaceable>protocol</replaceable></term>
	  <listitem>
	    <para>
	      Remove the source port from <replaceable>zone</replaceable>. If zone is omitted, the default zone will be used. This option can be specified multiple times.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--query-source-port</option>=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>/<replaceable>protocol</replaceable></term>
	  <listitem>
	    <para>
	      Return whether the source port has been added for <replaceable>zone</replaceable>. If zone is omitted, the default zone will be used. Returns 0 if true, 1 otherwise.
	    </para>
	  </listitem>
	</varlistentry>

	<!-- list/add/remove/query icmp-block -->

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--list-icmp-blocks</option></term>
	  <listitem>
	    <para>
	      List Internet Control Message Protocol (ICMP) type blocks added for <replaceable>zone</replaceable> as a space separated list. If zone is omitted, the default zone will be used.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-icmp-block</option>=<replaceable>icmptype</replaceable> <optional><option>--timeout</option>=<replaceable>timeval</replaceable></optional></term>
	  <listitem>
	    <para>
	      Add an ICMP block for <replaceable>icmptype</replaceable> for <replaceable>zone</replaceable>. If zone is omitted, the default zone will be used. This option can be specified multiple times. If a timeout is supplied, the rule will be active for the specified amount of time and will be removed automatically afterwards.
	      <replaceable>timeval</replaceable> is either a number of seconds or a number followed by one of the characters <literal>s</literal> (seconds), <literal>m</literal> (minutes) or <literal>h</literal> (hours), for example <literal>20m</literal> or <literal>1h</literal>.
	    </para>
	    <para>
	      The <replaceable>icmptype</replaceable> is one of the ICMP types firewalld supports. To get a listing of the supported ICMP types, run <command>firewall-cmd --get-icmptypes</command>.
	    </para>
	    <para>
	      The <option>--timeout</option> option is not combinable with the <option>--permanent</option> option.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--remove-icmp-block</option>=<replaceable>icmptype</replaceable></term>
	  <listitem>
	    <para>
	      Remove the ICMP block for <replaceable>icmptype</replaceable> from <replaceable>zone</replaceable>. If zone is omitted, the default zone will be used. This option can be specified multiple times.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--query-icmp-block</option>=<replaceable>icmptype</replaceable></term>
	  <listitem>
	    <para>
	      Return whether an ICMP block for <replaceable>icmptype</replaceable> has been added for <replaceable>zone</replaceable>. If zone is omitted, the default zone will be used. Returns 0 if true, 1 otherwise.
	    </para>
	  </listitem>
	</varlistentry>

	<!-- list/add/remove/query forward-port -->

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--list-forward-ports</option></term>
	  <listitem>
	    <para>
	      List <emphasis>IPv4</emphasis> forward ports added for <replaceable>zone</replaceable> as a space separated list. If zone is omitted, the default zone will be used.
	    </para>
	    <para>
	      For <emphasis>IPv6</emphasis> forward ports, please use the rich language.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-forward-port</option>=port=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>:proto=<replaceable>protocol</replaceable><optional>:toport=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional></optional><optional>:toaddr=<replaceable>address</replaceable><optional>/<replaceable>mask</replaceable></optional></optional> <optional><option>--timeout</option>=<replaceable>timeval</replaceable></optional></term>
	  <listitem>
	    <para>
	      Add the <emphasis>IPv4</emphasis> forward port for <replaceable>zone</replaceable>. If zone is omitted, the default zone will be used. This option can be specified multiple times. If a timeout is supplied, the rule will be active for the specified amount of time and will be removed automatically afterwards.
	      <replaceable>timeval</replaceable> is either a number of seconds or a number followed by one of the characters <literal>s</literal> (seconds), <literal>m</literal> (minutes) or <literal>h</literal> (hours), for example <literal>20m</literal> or <literal>1h</literal>.
	    </para>
	    <para>
	      The port can either be a single port number <replaceable>portid</replaceable> or a port range <replaceable>portid</replaceable>-<replaceable>portid</replaceable>. The protocol can either be <literal>tcp</literal>, <literal>udp</literal>, <literal>sctp</literal> or <literal>dccp</literal>. The destination address is a simple IP address.
	    </para>
	    <para>
	      The <option>--timeout</option> option is not combinable with the <option>--permanent</option> option.
	    </para>
	    <para>
	      For <emphasis>IPv6</emphasis> forward ports, please use the rich language.
	    </para>
	    <para>
	      <emphasis>Note:</emphasis> IP forwarding will be implicitly enabled if <option>toaddr</option> is specified.
	    </para>
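	    <para>
	      The following shell functions are an added example, not firewalld's own code: they validate the argument syntax documented above for <option>--add-source-port</option> (<replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]/<replaceable>protocol</replaceable>), the <replaceable>timeval</replaceable> accepted by <option>--timeout</option>, and the port=...:proto=...[:toport=...][:toaddr=...] form of <option>--add-forward-port</option>. Function names, printed words and the sample inputs are this example's own, and the rule that a forward port needs at least one of toport or toaddr is an assumption not stated on this page.
	    </para>
```shell
#!/bin/sh
# Added example (not firewalld's own code): validators for the argument syntax
# documented for --add-source-port, the --timeout value and --add-forward-port.
# Function names, outputs and the sample inputs are this example's own.

# is_port N: an integer from 1 to 65535
is_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] || return 1
  [ "$1" -le 65535 ]
}

# is_port_range SPEC: "portid" or "portid-portid", first port not above the second
is_port_range() {
  case "$1" in
    *-*) lo=${1%%-*}; hi=${1#*-}
         is_port "$lo" || return 1
         is_port "$hi" || return 1
         [ "$lo" -le "$hi" ] ;;
    *)   is_port "$1" ;;
  esac
}

# is_protocol NAME: the protocols the page allows in port specifications
is_protocol() { case "$1" in tcp|udp|sctp|dccp) return 0 ;; *) return 1 ;; esac; }

# is_source_port SPEC: portid[-portid]/protocol, as used by --add-source-port
is_source_port() {
  case "$1" in */*) ;; *) return 1 ;; esac
  is_port_range "${1%%/*}" || return 1
  is_protocol "${1#*/}"
}

# timeval_to_seconds TIMEVAL: print the seconds for N, Ns, Nm or Nh; fail otherwise
timeval_to_seconds() {
  n=$1; unit=1
  case "$n" in
    *s) unit=1;    n=${n%s} ;;
    *m) unit=60;   n=${n%m} ;;
    *h) unit=3600; n=${n%h} ;;
  esac
  case "$n" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
  echo $(( n * unit ))
}

# Exact dotted-quad IPv4 check (octets 0-255, no leading zeros).
IPV4_RE='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3}'
is_ipv4() { printf '%s\n' "$1" | grep -Eq "^$IPV4_RE$"; }

# forward_port_check SPEC: validate
#   port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
# Prints "toaddr" when a destination address is given (the page notes that IP
# forwarding is then enabled implicitly) and "local" for a same-host redirect.
forward_port_check() {
  rest=$1; port=''; proto=''; toport=''; toaddr=''
  while [ -n "$rest" ]; do
    case "$rest" in
      *:*) field=${rest%%:*}; rest=${rest#*:} ;;
      *)   field=$rest; rest='' ;;
    esac
    case "$field" in ?*=?*) ;; *) return 1 ;; esac   # every field is key=value
    key=${field%%=*}; val=${field#*=}
    case "$key" in
      port)   port=$val ;;
      proto)  proto=$val ;;
      toport) toport=$val ;;
      toaddr) toaddr=$val ;;
      *)      return 1 ;;
    esac
  done
  is_port_range "$port" || return 1
  is_protocol "$proto" || return 1
  if [ -n "$toport" ]; then is_port_range "$toport" || return 1; fi
  if [ -n "$toaddr" ]; then
    # The page calls the destination "a simple IP address" and the option is
    # IPv4-only, so accept a dotted quad with an optional /prefix of 0..32.
    case "$toaddr" in */*) mask=${toaddr#*/}; toaddr=${toaddr%%/*} ;; *) mask='' ;; esac
    is_ipv4 "$toaddr" || return 1
    if [ -n "$mask" ]; then case "$mask" in [0-9]|[12][0-9]|3[0-2]) ;; *) return 1 ;; esac; fi
    echo toaddr
  else
    # Assumption (not stated on this page): a forward port with neither toport
    # nor toaddr has nothing to forward to and is rejected here.
    [ -n "$toport" ] || return 1
    echo local
  fi
}

# Constructed sample inputs for a stand-alone run.
for spec in 80/tcp 8000-8080/udp 8080-8000/tcp 53/icmp 443; do
  if is_source_port "$spec"; then echo "source port $spec: ok"; else echo "source port $spec: rejected"; fi
done
for t in 20m 1h 90 5d; do echo "timeout $t: $(timeval_to_seconds "$t" || echo invalid) s"; done
for fp in port=80:proto=tcp:toport=8080 port=443:proto=tcp:toaddr=192.0.2.10 port=22:proto=tcp; do
  echo "forward port $fp: $(forward_port_check "$fp" || echo rejected)"
done
```
	    <para>
	      The "toaddr" result is the one worth gating on in a deployment script: it is the form that turns the host into a forwarder, per the note above, so a reviewer can require an explicit sign-off for it while letting same-host "local" redirects through.
	    </para>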
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--remove-forward-port</option>=port=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>:proto=<replaceable>protocol</replaceable><optional>:toport=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional></optional><optional>:toaddr=<replaceable>address</replaceable><optional>/<replaceable>mask</replaceable></optional></optional></term>
	  <listitem>
	    <para>
	      Remove the <emphasis>IPv4</emphasis> forward port from <replaceable>zone</replaceable>. If zone is omitted, the default zone will be used. This option can be specified multiple times.
	    </para>
	    <para>
	      For <emphasis>IPv6</emphasis> forward ports, please use the rich language.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--query-forward-port</option>=port=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>:proto=<replaceable>protocol</replaceable><optional>:toport=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional></optional><optional>:toaddr=<replaceable>address</replaceable><optional>/<replaceable>mask</replaceable></optional></optional></term>
	  <listitem>
	    <para>
	      Return whether the <emphasis>IPv4</emphasis> forward port has been added for <replaceable>zone</replaceable>. If zone is omitted, the default zone will be used. Returns 0 if true, 1 otherwise.
	    </para>
	    <para>
	      For <emphasis>IPv6</emphasis> forward ports, please use the rich language.
	    </para>
	  </listitem>
	</varlistentry>

	<!-- add/remove/query masquerade -->

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-masquerade</option> <optional><option>--timeout</option>=<replaceable>timeval</replaceable></optional></term>
	  <listitem>
	    <para>
	      Enable <emphasis>IPv4</emphasis> masquerade for <replaceable>zone</replaceable>. If zone is omitted, the default zone will be used. If a timeout is supplied, masquerading will be active for the specified amount of time.
	      <replaceable>timeval</replaceable> is either a number of seconds or a number followed by one of the characters <literal>s</literal> (seconds), <literal>m</literal> (minutes) or <literal>h</literal> (hours), for example <literal>20m</literal> or <literal>1h</literal>.
	      Masquerading is useful if the machine is a router and machines connected through an interface in another zone should be able to use the connection of this zone.
	    </para>
	    <para>
	      The <option>--timeout</option> option is not combinable with the <option>--permanent</option> option.
	    </para>
	    <para>
	      For <emphasis>IPv6</emphasis> masquerading, please use the rich language.
	    </para>
	    <para>
	      <emphasis>Note:</emphasis> IP forwarding will be implicitly enabled.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--remove-masquerade</option></term>
	  <listitem>
	    <para>
	      Disable <emphasis>IPv4</emphasis> masquerade for <replaceable>zone</replaceable>. If zone is omitted, the default zone will be used. If masquerading was enabled with a timeout, it will be disabled as well.
	    </para>
	    <para>
	      For <emphasis>IPv6</emphasis> masquerading, please use the rich language.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--query-masquerade</option></term>
	  <listitem>
	    <para>
	      Return whether <emphasis>IPv4</emphasis> masquerading has been enabled for <replaceable>zone</replaceable>. If zone is omitted, the default zone will be used. Returns 0 if true, 1 otherwise.
	    </para>
	    <para>
	      For <emphasis>IPv6</emphasis> masquerading, please use the rich language.
	    </para>
	  </listitem>
	</varlistentry>

	<!-- list/add/remove/query rich rule -->

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--list-rich-rules</option></term>
	  <listitem>
	    <para>
	      List rich language rules added for <replaceable>zone</replaceable> as a newline separated list. If zone is omitted, the default zone will be used.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-rich-rule</option>='<replaceable>rule</replaceable>' <optional><option>--timeout</option>=<replaceable>timeval</replaceable></optional></term>
	  <listitem>
	    <para>
	      Add the rich language rule '<replaceable>rule</replaceable>' for <replaceable>zone</replaceable>. This option can be specified multiple times. If zone is omitted, the default zone will be used. If a timeout is supplied, the <replaceable>rule</replaceable> will be active for the specified amount of time and will be removed automatically afterwards.
	      <replaceable>timeval</replaceable> is either a number of seconds or a number followed by one of the characters <literal>s</literal> (seconds), <literal>m</literal> (minutes) or <literal>h</literal> (hours), for example <literal>20m</literal> or <literal>1h</literal>.
	    </para>
	    <para>
	      For the rich language rule syntax, please have a look at <citerefentry><refentrytitle>firewalld.richlanguage</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
	    </para>
	    <para>
	      The <option>--timeout</option> option is not combinable with the <option>--permanent</option> option.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--remove-rich-rule</option>='<replaceable>rule</replaceable>'</term>
	  <listitem>
	    <para>
	      Remove the rich language rule '<replaceable>rule</replaceable>' from <replaceable>zone</replaceable>. This option can be specified multiple times. If zone is omitted, the default zone will be used.
	    </para>
	    <para>
	      For the rich language rule syntax, please have a look at <citerefentry><refentrytitle>firewalld.richlanguage</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--query-rich-rule</option>='<replaceable>rule</replaceable>'</term>
	  <listitem>
	    <para>
	      Return whether the rich language rule '<replaceable>rule</replaceable>' has been added for <replaceable>zone</replaceable>. If zone is omitted, the default zone will be used. Returns 0 if true, 1 otherwise.
	    </para>
	    <para>
	      For the rich language rule syntax, please have a look at <citerefentry><refentrytitle>firewalld.richlanguage</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
	    </para>
	  </listitem>
	</varlistentry>

      </variablelist>
    </refsect2>

    <refsect2 id="options_to_handle_bindings_of_interfaces">
      <title>Options to Handle Bindings of Interfaces</title>
      <para>
	Binding an interface to a zone means that the settings of this zone are used to restrict traffic via the interface.
      </para>
      <para>
	Options in this section affect only one particular zone. If used with the <option>--zone</option>=<replaceable>zone</replaceable> option, they affect the zone <replaceable>zone</replaceable>. If the option is omitted, they affect the default zone (see <option>--get-default-zone</option>).
      </para>
      <para>
	For a list of predefined zones use <command>firewall-cmd --get-zones</command>.
      </para>
      <para>
	An interface name is a string of up to 16 characters that may not contain <option>' '</option>, <option>'/'</option>, <option>'!'</option> or <option>'*'</option>.
      </para>
      <variablelist>
	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--list-interfaces</option></term>
	  <listitem>
	    <para>
	      List interfaces that are bound to zone <replaceable>zone</replaceable> as a space separated list. If zone is omitted, the default zone will be used.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-interface</option>=<replaceable>interface</replaceable></term>
	  <listitem>
	    <para>
	      Bind interface <replaceable>interface</replaceable> to zone <replaceable>zone</replaceable>. If zone is omitted, the default zone will be used.
	    </para>
	    <para>
	      If the interface is under the control of NetworkManager, NetworkManager is contacted first to change the zone of the connection that is using the interface. If this fails, the zone binding is created in firewalld and the limitations below apply.
	      For interfaces that are not under the control of NetworkManager, firewalld tries to change the ZONE setting in the ifcfg file, if the file exists.
	    </para>
	    <para>
	      As an end user you do not need this in most cases, because NetworkManager (or the legacy network service) adds interfaces to zones automatically (according to the <option>ZONE=</option> option in the ifcfg-<replaceable>interface</replaceable> file) if <replaceable>NM_CONTROLLED=no</replaceable> is not set.
	      You should do it only if there is no @IFCFGDIR@/ifcfg-<replaceable>interface</replaceable> file.
	      If there is such a file and you add the interface to a zone with this <option>--add-interface</option> option, make sure the zone is the same in both cases, otherwise the behaviour is undefined.
	      Please also have a look at the <replaceable>Concepts</replaceable> section of the <citerefentry><refentrytitle>firewalld</refentrytitle><manvolnum>1</manvolnum></citerefentry> man page.
	      For a permanent association of an interface with a zone, see also 'How to set or change a zone for a connection?' in <citerefentry><refentrytitle>firewalld.zones</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
	    </para>
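	    <para>
	      The shell functions below are an added example, not firewalld's own code: they implement the consistency check the previous paragraph asks for, comparing the zone requested for <option>--add-interface</option> with the <option>ZONE=</option> setting of the interface's ifcfg file. The ifcfg directory is passed as an argument (on a real system that is the @IFCFGDIR@ directory named above); the function names, the status words and the sample ifcfg files are constructed for this example.
	    </para>
```shell
#!/bin/sh
# Added example (not firewalld's own code): before binding an interface with
# --add-interface, compare the requested zone with the ZONE= setting of the
# interface's ifcfg file, which the page says must agree. The ifcfg directory
# is passed in (on a real system that is the @IFCFGDIR@ directory from the
# page); the sample files below are constructed for a stand-alone run.

# ifcfg_zone DIR IFACE: print the ZONE= value of DIR/ifcfg-IFACE (last setting
# wins, surrounding quotes removed); prints nothing when ZONE= is not set.
ifcfg_zone() {
  f="$1/ifcfg-$2"
  [ -r "$f" ] || return 1
  sed -n 's/^[[:space:]]*ZONE=//p' "$f" | tail -n 1 | tr -d "\"'"
}

# zone_binding_status DIR IFACE ZONE: print one of
#   no-ifcfg      no ifcfg file exists, so --add-interface is the right tool
#   ifcfg-match   the ifcfg ZONE= equals ZONE, the two settings agree
#   ifcfg-unset   an ifcfg file exists but sets no ZONE=
#   MISMATCH ...  the ifcfg ZONE= differs from ZONE, the case the page calls undefined
# The exit status is 1 only for MISMATCH, so the function can gate a script.
zone_binding_status() {
  dir=$1; iface=$2; want=$3
  if [ ! -e "$dir/ifcfg-$iface" ]; then echo no-ifcfg; return 0; fi
  have=$(ifcfg_zone "$dir" "$iface")
  if [ -z "$have" ]; then echo ifcfg-unset; return 0; fi
  if [ "$have" = "$want" ]; then echo ifcfg-match; return 0; fi
  echo "MISMATCH (ifcfg ZONE=$have, requested $want)"
  return 1
}

# Constructed sample ifcfg files (not taken from a real host).
d=$(mktemp -d)
printf 'DEVICE=eth0\nBOOTPROTO=dhcp\nZONE="public"\n' > "$d/ifcfg-eth0"
printf 'DEVICE=eth1\nNM_CONTROLLED=no\n' > "$d/ifcfg-eth1"
for req in "eth0 public" "eth0 internal" "eth1 internal" "eth2 dmz"; do
  set -- $req
  printf '%s -> %s: ' "$1" "$2"
  zone_binding_status "$d" "$1" "$2" || :
done
rm -rf "$d"
```
	    <para>
	      In a provisioning script, call zone_binding_status with the @IFCFGDIR@ directory, the interface and the intended zone, and only run <command>firewall-cmd --zone=<replaceable>zone</replaceable> --add-interface=<replaceable>interface</replaceable></command> when it does not report MISMATCH; a MISMATCH should be resolved by fixing the ifcfg ZONE= (or the NetworkManager connection) rather than by forcing the binding.
	    </para>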
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--change-interface</option>=<replaceable>interface</replaceable></term>
	  <listitem>
	    <para>
	      If the interface is under the control of NetworkManager, NetworkManager is contacted first to change the zone of the connection that is using the interface. If this fails, the zone binding is created in firewalld and the limitations below apply.
	      For interfaces that are not under the control of NetworkManager, firewalld tries to change the ZONE setting in the ifcfg file, if the file exists.
	    </para>
	    <para>
	      Change the zone that interface <replaceable>interface</replaceable> is bound to, to zone <replaceable>zone</replaceable>.
	      This is basically <option>--remove-interface</option> followed by <option>--add-interface</option>.
	      If the interface has not been bound to a zone before, it behaves like <option>--add-interface</option>.
	      If zone is omitted, the default zone will be used.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--query-interface</option>=<replaceable>interface</replaceable></term>
	  <listitem>
	    <para>
	      Query whether interface <replaceable>interface</replaceable> is bound to zone <replaceable>zone</replaceable>. Returns 0 if true, 1 otherwise.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><optional><option>--permanent</option></optional> <option>--remove-interface</option>=<replaceable>interface</replaceable></term>
	  <listitem>
	    <para>
	      If the interface is under the control of NetworkManager, NetworkManager is contacted first to change the zone of the connection that is using the interface. If this fails, the zone binding is created in firewalld and the limitations below apply.
	    </para>
	    <para>
	      For the addition or change of interfaces that are not under the control of NetworkManager: firewalld tries to change the ZONE setting in the ifcfg file, if an ifcfg file exists that is using the interface.
	    </para>
	    <para>
	      Only for the removal of interfaces that are not under the control of NetworkManager: firewalld does not try to change the ZONE setting in the ifcfg file. This is needed to make sure that an ifdown of the interface does not reset the zone setting to the default zone. Only the zone binding is then removed in firewalld.
	    </para>
	    <para>
	      Remove the binding of interface <replaceable>interface</replaceable> from the zone it was previously added to.
	    </para>
	  </listitem>
	</varlistentry>
      </variablelist>
    </refsect2>

    <refsect2 id="options_to_handle_bindings_of_sources">
      <title>Options to Handle Bindings of Sources</title>
      <para>
	Binding a source to a zone means that the settings of this zone will be used to restrict traffic from this source.
      </para>
      <para>
	A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6, a MAC address, or an ipset with the ipset: prefix. For IPv4, the mask can be a network mask or a plain number. For IPv6, the mask is a plain number. The use of host names is not supported.
      </para>
      <para>
	Options in this section affect only one particular zone. If used with the <option>--zone</option>=<replaceable>zone</replaceable> option, they affect the zone <replaceable>zone</replaceable>. If the option is omitted, they affect the default zone (see <option>--get-default-zone</option>).
      </para>
      <para>
	For a list of predefined zones use <command>firewall-cmd <optional><option>--permanent</option></optional> --get-zones</command>.
      </para>
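      <para>
	The following shell functions are an added example, not firewalld's own code: source_kind classifies a source argument by the forms listed above (IPv4 with an optional prefix length or network mask, IPv6 with an optional prefix length, a MAC address, or ipset:<replaceable>ipset</replaceable>) and rejects host names, and is_interface_name applies the length and character rules from the interfaces section. Function names and output words are this example's own, and the IPv6 test is a simplified syntax check that, by assumption, does not cover embedded-IPv4 forms.
      </para>
```shell
#!/bin/sh
# Added example (not firewalld's own code): classify a --add-source argument by
# the forms this page allows and check an interface name against the rules in
# the interfaces section. Function names and outputs are this example's own.

# Exact dotted-quad IPv4 regex (octets 0-255, no leading zeros).
IPV4_RE='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3}'

# matches STRING ERE: true if the whole string matches the extended regex
matches() { printf '%s\n' "$1" | grep -Eq "^($2)$"; }

# is_ipv4_netmask MASK: dotted network mask whose one bits are contiguous
is_ipv4_netmask() {
  matches "$1" "$IPV4_RE" || return 1
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  val=$(( ($1 * 256 + $2) * 65536 + $3 * 256 + $4 ))
  # A contiguous mask equals 2^32 - 2^(32-prefix) for some prefix 0..32;
  # walk the 33 candidates instead of using bitwise operators.
  pow=4294967296
  while [ "$pow" -ge 1 ]; do
    [ "$val" -ne $(( 4294967296 - pow )) ] || return 0
    pow=$(( pow / 2 ))
  done
  return 1
}

# is_ipv6_shape ADDR: simplified IPv6 syntax check: hex groups of 1-4 digits
# separated by ':', at most one '::', at most 8 groups (exactly 8 without '::').
# Assumption: embedded-IPv4 forms such as ::ffff:192.0.2.1 need not be accepted.
is_ipv6_shape() {
  a=$1
  matches "$a" '[0-9a-fA-F:]+' || return 1
  case "$a" in *:*:*) ;; *) return 1 ;; esac
  case "$a" in *:::*) return 1 ;; esac
  case "$a" in *::*) dc=1; case "${a#*::}" in *::*) return 1 ;; esac ;; *) dc=0 ;; esac
  groups=0
  oldifs=$IFS; IFS=:; set -- $a; IFS=$oldifs
  for g in "$@"; do
    [ -n "$g" ] || continue
    matches "$g" '[0-9a-fA-F]{1,4}' || return 1
    groups=$(( groups + 1 ))
  done
  if [ "$dc" -eq 1 ]; then [ "$groups" -le 7 ]; else [ "$groups" -eq 8 ]; fi
}

# source_kind SPEC: print ipv4, ipv6, mac or ipset for a valid source, else fail.
# MAC is tested before IPv6 so that aa:bb:cc:dd:ee:ff is reported as a MAC.
source_kind() {
  s=$1
  case "$s" in ipset:?*) echo ipset; return 0 ;; esac
  if matches "$s" '([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}'; then echo mac; return 0; fi
  case "$s" in */*) addr=${s%%/*}; mask=${s#*/} ;; *) addr=$s; mask='' ;; esac
  if matches "$addr" "$IPV4_RE"; then
    # IPv4 mask: a prefix length 0..32 or a dotted network mask
    if [ -n "$mask" ]; then
      matches "$mask" '[0-9]|[12][0-9]|3[0-2]' || is_ipv4_netmask "$mask" || return 1
    fi
    echo ipv4; return 0
  fi
  if is_ipv6_shape "$addr"; then
    # IPv6 mask: a plain prefix length 0..128 only
    if [ -n "$mask" ]; then matches "$mask" '[0-9]|[1-9][0-9]|1[01][0-9]|12[0-8]' || return 1; fi
    echo ipv6; return 0
  fi
  return 1   # host names and anything else are not supported
}

# is_interface_name NAME: at most 16 characters, none of ' ', '/', '!' or '*'
is_interface_name() {
  [ -n "$1" ] || return 1
  [ ${#1} -le 16 ] || return 1
  case "$1" in *' '*|*/*|*'!'*|*'*'*) return 1 ;; esac
}

# Constructed sample inputs for a stand-alone run.
for s in 192.0.2.10 192.0.2.0/24 192.0.2.0/255.255.255.0 192.0.2.0/255.0.255.0 \
         2001:db8::/32 2001:db8::/129 00:11:22:33:44:55 ipset:blocklist example.com; do
  echo "source $s: $(source_kind "$s" || echo rejected)"
done
for i in eth0 'eth 0' very-long-interface-name; do
  if is_interface_name "$i"; then echo "interface $i: ok"; else echo "interface $i: rejected"; fi
done
```
      <para>
	A script that builds zone bindings from an inventory can run source_kind on every entry before calling <command>firewall-cmd --zone=<replaceable>zone</replaceable> --add-source=<replaceable>source</replaceable></command>; the value of doing this up front is that a host name or a non-contiguous mask is caught before any rule is changed, rather than part way through a batch.
      </para>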
  968       <variablelist>
  969 	<varlistentry>
  970 	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--list-sources</option></term>
  971 	  <listitem>
  972 	    <para>
  973 	      List sources that are bound to zone <replaceable>zone</replaceable> as a space separated list. If zone is omitted, default zone will be used.
  974 	    </para>
  975 	  </listitem>
  976 	</varlistentry>
  977 
  978 	<varlistentry>
  979 	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional>|<replaceable>MAC</replaceable>|ipset:<replaceable>ipset</replaceable></term>
  980 	  <listitem>
  981 	    <para>
  982 	      Bind the source to zone <replaceable>zone</replaceable>. If zone is omitted, default zone will be used.
  983 	    </para>
  984 	  </listitem>
  985 	</varlistentry>
  986 
  987 	<varlistentry>
  988 	  <term><optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--change-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional>|<replaceable>MAC</replaceable>|ipset:<replaceable>ipset</replaceable></term>
  989 	  <listitem>
  990 	    <para>
  991 	      Change zone the source is bound to to zone <replaceable>zone</replaceable>.
  992 	      It's basically <option>--remove-source</option> followed by <option>--add-source</option>.
  993 	      If the source has not been bound to a zone before, it behaves like <option>--add-source</option>.
  994 	      If zone is omitted, default zone will be used.
  995 	    </para>
  996 	  </listitem>
  997 	</varlistentry>
  998 
  999 	<varlistentry>
 1000 	  <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--query-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional>|<replaceable>MAC</replaceable>|ipset:<replaceable>ipset</replaceable></term>
 1001 	  <listitem>
 1002 	    <para>
 1003 	      Query whether the source is bound to the zone <replaceable>zone</replaceable>. Returns 0 if true, 1 otherwise.
 1004 	    </para>
 1005 	  </listitem>
 1006 	</varlistentry>
 1007 
 1008 	<varlistentry>
 1009 	  <term><optional><option>--permanent</option></optional> <option>--remove-source</option>=<replaceable>source</replaceable><optional>/<replaceable>mask</replaceable></optional>|<replaceable>MAC</replaceable>|ipset:<replaceable>ipset</replaceable></term>
 1010 	  <listitem>
 1011 	    <para>
 1012 	      Remove binding of the source from zone it was previously added to.
 1013 	    </para>
 1014 	  </listitem>
 1015 	</varlistentry>
 1016       </variablelist>
 1017     </refsect2>
 1018 
 1019     <refsect2 id="ipset_options">
 1020       <title>IPSet Options</title>
 1021       <variablelist>
 1022 	<varlistentry>
 1023 	  <term><option>--get-ipset-types</option></term>
 1024           <listitem>
 1025             <para>
 1026 	      Print the supported ipset types.
 1027             </para>
 1028           </listitem>
 1029 	</varlistentry>
 1030 	<varlistentry>
 1031           <term><option>--permanent</option> <option>--new-ipset</option>=<replaceable>ipset</replaceable> <option>--type</option>=<replaceable>type</replaceable> <optional><option>--family</option>=<literal>inet</literal>|<literal>inet6</literal></optional> <optional><option>--option</option>=<replaceable>key</replaceable><optional>=<replaceable>value</replaceable></optional></optional></term>
 1032           <listitem>
 1033             <para>
 1034               Add a new permanent and empty ipset with specifying the type and optional the family and options like <literal>timeout</literal>, <literal>hashsize</literal> and <literal>maxelem</literal>. For more information please have a look at <citerefentry><refentrytitle>ipset</refentrytitle><manvolnum>8</manvolnum></citerefentry> man page.
 1035             </para>
 1036           </listitem>
 1037 	</varlistentry>
 1038 	<varlistentry>
 1039           <term><option>--permanent</option> <option>--new-ipset-from-file</option>=<replaceable>filename</replaceable> <optional><option>--name</option>=<replaceable>ipset</replaceable></optional></term>
 1040           <listitem>
 1041             <para>
 1042 	      Add a new permanent ipset from a prepared ipset file with an optional name override.
 1043             </para>
 1044           </listitem>
 1045 	</varlistentry>
 1046 	<varlistentry>
 1047           <term><option>--permanent</option> <option>--delete-ipset</option>=<replaceable>ipset</replaceable></term>
 1048           <listitem>
 1049             <para>
 1050               Delete an existing permanent ipset.
 1051             </para>
 1052           </listitem>
 1053 	</varlistentry>
 1054 	<varlistentry>
 1055           <term><option>--permanent</option> <option>--load-ipset-defaults</option>=<replaceable>ipset</replaceable></term>
 1056           <listitem>
 1057             <para>
 1058               Load ipset default settings or report NO_DEFAULTS error.
 1059             </para>
 1060           </listitem>
 1061 	</varlistentry>
 1062 	<varlistentry>
 1063 	  <term><optional><option>--permanent</option></optional> <option>--info-ipset=<replaceable>ipset</replaceable></option></term>
 1064 	  <listitem>
 1065 	    <para>
 1066 	      Print information about the ipset <replaceable>ipset</replaceable>. The output format is:
 1067 	      <programlisting>
 1068 <replaceable>ipset</replaceable>
 1069   type: <replaceable>type</replaceable>
 1070   options: <replaceable>option1[=value1]</replaceable> ..
 1071   entries: <replaceable>entry1</replaceable> ..
 1072               </programlisting>
 1073 	    </para>
 1074 	  </listitem>
 1075 	</varlistentry>
 1076 
 1077 	<varlistentry>
 1078 	  <term><optional><option>--permanent</option></optional> <option>--get-ipsets</option></term>
 1079 	  <listitem>
 1080 	    <para>
 1081 	      Print predefined ipsets as a space separated list.
 1082 	    </para>
 1083 	  </listitem>
 1084 	</varlistentry>
 1085 	<varlistentry>
 1086          <term><option>--permanent</option> <option>--ipset</option>=<replaceable>ipset</replaceable> <option>--set-description</option>=<replaceable>description</replaceable></term>
 1087          <listitem>
 1088            <para>
 1089              Set new description to ipset
 1090            </para>
 1091          </listitem>
 1092 	</varlistentry>
 1093 	<varlistentry>
 1094          <term><option>--permanent</option> <option>--ipset</option>=<replaceable>ipset</replaceable> <option>--get-description</option></term>
 1095          <listitem>
 1096            <para>
 1097              Print description for ipset
 1098            </para>
 1099          </listitem>
 1100 	</varlistentry>
 1101 	<varlistentry>
 1102          <term><option>--permanent</option> <option>--ipset</option>=<replaceable>ipset</replaceable> <option>--set-short</option>=<replaceable>description</replaceable></term>
 1103          <listitem>
 1104            <para>
 1105              Set short description to ipset
 1106            </para>
 1107          </listitem>
 1108 	</varlistentry>
 1109 	<varlistentry>
 1110          <term><option>--permanent</option> <option>--ipset</option>=<replaceable>ipset</replaceable> <option>--get-short</option></term>
 1111          <listitem>
 1112            <para>
 1113              Print short description for ipset
 1114            </para>
 1115          </listitem>
 1116 	</varlistentry>
 1117 	<varlistentry>
 1118          <term><optional><option>--permanent</option></optional> <option>--ipset</option>=<replaceable>ipset</replaceable> <option>--add-entry</option>=<replaceable>entry</replaceable></term>
 1119          <listitem>
 1120            <para>
 1121              Add a new entry to the ipset.
 1122            </para>
 1123            <para>
 1124              Adding an entry to an ipset with option <literal>timeout</literal>
 1125              is permitted, but these entries are not tracked by firewalld.
 1126            </para>
 1127          </listitem>
 1128        </varlistentry>
 1129 
 1130 	<varlistentry>
 1131          <term><optional><option>--permanent</option></optional> <option>--ipset</option>=<replaceable>ipset</replaceable> <option>--remove-entry</option>=<replaceable>entry</replaceable></term>
 1132          <listitem>
 1133            <para>
 1134              Remove an entry from the ipset.
 1135            </para>
 1136          </listitem>
 1137        </varlistentry>
 1138 
 1139 	<varlistentry>
 1140          <term><optional><option>--permanent</option></optional> <option>--ipset</option>=<replaceable>ipset</replaceable> <option>--query-entry</option>=<replaceable>entry</replaceable></term>
 1141          <listitem>
 1142            <para>
 1143 	     Return whether the entry has been added to an ipset. Returns 0 if true, 1 otherwise.
 1144            </para>
 1145            <para>
 1146              Querying an ipset with a timeout will yield an error. Entries are
 1147              not tracked for ipsets with a timeout.
 1148            </para>
 1149          </listitem>
 1150        </varlistentry>
 1151 
 1152 	<varlistentry>
 1153          <term><optional><option>--permanent</option></optional> <option>--ipset</option>=<replaceable>ipset</replaceable> <option>--get-entries</option></term>
 1154          <listitem>
 1155            <para>
 1156              List all entries of the ipset.
 1157            </para>
 1158          </listitem>
 1159        </varlistentry>
 1160 
 1161 	<varlistentry>
 1162          <term><optional><option>--permanent</option></optional> <option>--ipset</option>=<replaceable>ipset</replaceable> <option>--add-entries-from-file</option>=<replaceable>filename</replaceable></term>
 1163          <listitem>
 1164            <para>
 1165              Add new entries to the ipset from the file. A warning is printed for every entry that is listed in the file but already in the ipset.
 1166            </para>
 1167            <para>
 1168 	     The file should contain one entry per line. Lines starting with a hash (#) or a semicolon (;) are ignored, as are empty lines.
 1169            </para>
 1170          </listitem>
 1171        </varlistentry>
 1172 
 1173 	<varlistentry>
 1174          <term><optional><option>--permanent</option></optional> <option>--ipset</option>=<replaceable>ipset</replaceable> <option>--remove-entries-from-file</option>=<replaceable>filename</replaceable></term>
 1175          <listitem>
 1176            <para>
 1177              Remove the entries listed in the file from the ipset. A warning is printed for every entry that is listed in the file but not in the ipset.
 1178            </para>
 1179            <para>
 1180 	     The file should contain one entry per line. Lines starting with a hash (#) or a semicolon (;) are ignored, as are empty lines.
 1181            </para>
 1182          </listitem>
 1183        </varlistentry>
 1184 	<varlistentry>
 1185 	  <term><option>--permanent</option> <option>--path-ipset=<replaceable>ipset</replaceable></option></term>
 1186 	  <listitem>
 1187 	    <para>
 1188 	      Print path of the ipset configuration file.
 1189 	    </para>
 1190 	  </listitem>
 1191 	</varlistentry>
 1192      </variablelist>
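      <para>
        The entries file format and the warning behaviour of <option>--add-entries-from-file</option> and <option>--remove-entries-from-file</option>, worked through as an added example that is not firewalld's own code. It reads a constructed entries file, applies the documented skip rules (empty lines and lines starting with a hash or semicolon are ignored; stripping surrounding whitespace first is this example's assumption), and splits the remaining entries into those an add or remove would act on and those that would only produce a warning. Rejecting a line that is not an IPv4/IPv6 address or network is an added check suited to a hash:ip or hash:net style set, not part of the documented format.
      </para>
      <programlisting><![CDATA[
```python
"""Plan an ipset add/remove from an entries file (added example, not firewalld code)."""
import ipaddress
from typing import List, Set, Tuple

# Constructed sample entries file in the documented format:
# one entry per line; empty lines and lines starting with '#' or ';' are ignored.
SAMPLE_FILE = """\
# blocklist feed (constructed sample)
; alternative comment marker
192.0.2.10

192.0.2.0/24
2001:db8::1
   198.51.100.7
not-an-address
"""

# Constructed current contents of the ipset.
CURRENT_ENTRIES: Set[str] = {"192.0.2.10", "203.0.113.5"}


def parse_entries_file(text: str) -> Tuple[List[str], List[str]]:
    """Return (entries, rejected) after applying the documented skip rules.

    Surrounding whitespace is stripped first (an assumption of this example).
    Rejecting lines that are not an IP address or network is an added check so
    that a malformed line is caught before anything reaches the ipset.
    """
    entries: List[str] = []
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        try:
            ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(line)
            continue
        entries.append(line)
    return entries, rejected


def plan_add(entries: List[str], current: Set[str]) -> Tuple[List[str], List[str]]:
    """Split entries into (to_add, already_present).

    The second list is what --add-entries-from-file warns about.
    """
    to_add = [e for e in entries if e not in current]
    already = [e for e in entries if e in current]
    return to_add, already


def plan_remove(entries: List[str], current: Set[str]) -> Tuple[List[str], List[str]]:
    """Split entries into (to_remove, not_present).

    The second list is what --remove-entries-from-file warns about.
    """
    to_remove = [e for e in entries if e in current]
    missing = [e for e in entries if e not in current]
    return to_remove, missing


if __name__ == "__main__":
    good, bad = parse_entries_file(SAMPLE_FILE)
    for line in bad:
        print(f"rejected (not an address or network): {line}")
    adds, warn_add = plan_add(good, CURRENT_ENTRIES)
    for e in warn_add:
        print(f"warning: {e} is already in the ipset")
    print("would add:", adds)
    removes, warn_rm = plan_remove(good, CURRENT_ENTRIES)
    for e in warn_rm:
        print(f"warning: {e} is not in the ipset")
    print("would remove:", removes)
```
]]></programlisting>
      <para>
        Running the planner against the live set contents (for example the output of <option>--get-entries</option>) before invoking firewall-cmd shows which lines would only produce warnings and which would change the set, which is useful when a large feed is applied unattended.
      </para>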
 1193     </refsect2>
 1194 
 1195     <refsect2 id="service_options">
 1196       <title>Service Options</title>
 1197       <para>
 1198 	Options in this section affect only one particular service.
 1199       </para>
 1200       <variablelist>
 1201 	<varlistentry>
 1202 	  <term><optional><option>--permanent</option></optional> <option>--info-service=<replaceable>service</replaceable></option></term>
 1203 	  <listitem>
 1204 	    <para>
 1205 	      Print information about the service <replaceable>service</replaceable>. The output format is:
 1206 	      <programlisting>
 1207 <replaceable>service</replaceable>
 1208   ports: <replaceable>port1</replaceable> ..
 1209   protocols: <replaceable>protocol1</replaceable> ..
 1210   source-ports: <replaceable>source-port1</replaceable> ..
 1211   helpers: <replaceable>helper1</replaceable> ..
 1212   destination: <replaceable>ipv1</replaceable>:<replaceable>address1</replaceable> ..
 1213               </programlisting>
 1214 	    </para>
 1215 	  </listitem>
 1216 	</varlistentry>
 1217       </variablelist>
 1218       <para>
 1219 	The following options are only usable in the permanent configuration.
 1220       </para>
 1221       <variablelist>
 1222        <varlistentry>
 1223          <term><option>--permanent</option> <option>--new-service</option>=<replaceable>service</replaceable></term>
 1224          <listitem>
 1225            <para>
 1226              Add a new permanent and empty service.
 1227            </para>
 1228          </listitem>
 1229        </varlistentry>
 1230        <varlistentry>
 1231          <term><option>--permanent</option> <option>--new-service-from-file</option>=<replaceable>filename</replaceable> <optional><option>--name</option>=<replaceable>service</replaceable></optional></term>
 1232          <listitem>
 1233            <para>
 1234               Add a new permanent service from a prepared service file with an optional name override.
 1235            </para>
 1236          </listitem>
 1237        </varlistentry>
 1238        <varlistentry>
 1239          <term><option>--permanent</option> <option>--delete-service</option>=<replaceable>service</replaceable></term>
 1240          <listitem>
 1241            <para>
 1242              Delete an existing permanent service.
 1243            </para>
 1244          </listitem>
 1245        </varlistentry>
 1246 	<varlistentry>
 1247           <term><option>--permanent</option> <option>--load-service-defaults</option>=<replaceable>service</replaceable></term>
 1248           <listitem>
 1249             <para>
 1250               Load the default settings of the service, or report a NO_DEFAULTS error.
 1251             </para>
 1252           </listitem>
 1253 	</varlistentry>
 1254 	<varlistentry>
 1255 	  <term><option>--permanent</option> <option>--path-service=<replaceable>service</replaceable></option></term>
 1256 	  <listitem>
 1257 	    <para>
 1258 	      Print path of the service configuration file.
 1259 	    </para>
 1260 	  </listitem>
 1261 	</varlistentry>
 1262        <varlistentry>
 1263          <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--set-description</option>=<replaceable>description</replaceable></term>
 1264          <listitem>
 1265            <para>
 1266              Set a new description for the service.
 1267            </para>
 1268          </listitem>
 1269        </varlistentry>
 1270        <varlistentry>
 1271          <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--get-description</option></term>
 1272          <listitem>
 1273            <para>
 1274              Print the description of the service.
 1275            </para>
 1276          </listitem>
 1277        </varlistentry>
 1278        <varlistentry>
 1279          <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--set-short</option>=<replaceable>description</replaceable></term>
 1280          <listitem>
 1281            <para>
 1282              Set a new short description for the service.
 1283            </para>
 1284          </listitem>
 1285        </varlistentry>
 1286        <varlistentry>
 1287          <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--get-short</option></term>
 1288          <listitem>
 1289            <para>
 1290              Print the short description of the service.
 1291            </para>
 1292          </listitem>
 1293        </varlistentry>
 1294        <varlistentry>
 1295          <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--add-port</option>=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>/<replaceable>protocol</replaceable></term>
 1296          <listitem>
 1297            <para>
 1298              Add a new port to the permanent service.
 1299            </para>
 1300          </listitem>
 1301        </varlistentry>
 1302        <varlistentry>
 1303          <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--remove-port</option>=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>/<replaceable>protocol</replaceable></term>
 1304          <listitem>
 1305            <para>
 1306              Remove a port from the permanent service.
 1307            </para>
 1308          </listitem>
 1309        </varlistentry>
 1310        <varlistentry>
 1311          <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--query-port</option>=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>/<replaceable>protocol</replaceable></term>
 1312          <listitem>
 1313            <para>
 1314              Return whether the port has been added to the permanent service.
 1315            </para>
 1316          </listitem>
 1317        </varlistentry>
 1318        <varlistentry>
 1319          <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--get-ports</option></term>
 1320          <listitem>
 1321            <para>
 1322              List ports added to the permanent service.
 1323            </para>
 1324          </listitem>
 1325        </varlistentry>
 1326 
 1327        <varlistentry>
 1328          <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--add-protocol</option>=<replaceable>protocol</replaceable></term>
 1329          <listitem>
 1330            <para>
 1331              Add a new protocol to the permanent service.
 1332            </para>
 1333          </listitem>
 1334        </varlistentry>
 1335        <varlistentry>
 1336          <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--remove-protocol</option>=<replaceable>protocol</replaceable></term>
 1337          <listitem>
 1338            <para>
 1339              Remove a protocol from the permanent service.
 1340            </para>
 1341          </listitem>
 1342        </varlistentry>
 1343        <varlistentry>
 1344          <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--query-protocol</option>=<replaceable>protocol</replaceable></term>
 1345          <listitem>
 1346            <para>
 1347              Return whether the protocol has been added to the permanent service.
 1348            </para>
 1349          </listitem>
 1350        </varlistentry>
 1351        <varlistentry>
 1352          <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--get-protocols</option></term>
 1353          <listitem>
 1354            <para>
 1355              List protocols added to the permanent service.
 1356            </para>
 1357          </listitem>
 1358        </varlistentry>
 1359 
 1360        <varlistentry>
 1361          <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--add-source-port</option>=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>/<replaceable>protocol</replaceable></term>
 1362          <listitem>
 1363            <para>
 1364              Add a new source port to the permanent service.
 1365            </para>
 1366          </listitem>
 1367        </varlistentry>
 1368        <varlistentry>
 1369          <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--remove-source-port</option>=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>/<replaceable>protocol</replaceable></term>
 1370          <listitem>
 1371            <para>
 1372              Remove a source port from the permanent service.
 1373            </para>
 1374          </listitem>
 1375        </varlistentry>
 1376        <varlistentry>
 1377          <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--query-source-port</option>=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>/<replaceable>protocol</replaceable></term>
 1378          <listitem>
 1379            <para>
 1380              Return whether the source port has been added to the permanent service.
 1381            </para>
 1382          </listitem>
 1383        </varlistentry>
 1384        <varlistentry>
 1385          <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--get-source-ports</option></term>
 1386          <listitem>
 1387            <para>
 1388              List source ports added to the permanent service.
 1389            </para>
 1390          </listitem>
 1391        </varlistentry>
 1392 
 1393        <varlistentry>
 1394          <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--add-helper</option>=<replaceable>helper</replaceable></term>
 1395          <listitem>
 1396            <para>
 1397              Add a new helper to the permanent service.
 1398            </para>
 1399          </listitem>
 1400        </varlistentry>
 1401        <varlistentry>
 1402          <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--remove-helper</option>=<replaceable>helper</replaceable></term>
 1403          <listitem>
 1404            <para>
 1405              Remove a helper from the permanent service.
 1406            </para>
 1407          </listitem>
 1408        </varlistentry>
 1409        <varlistentry>
 1410          <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--query-helper</option>=<replaceable>helper</replaceable></term>
 1411          <listitem>
 1412            <para>
 1413              Return whether the helper has been added to the permanent service.
 1414            </para>
 1415          </listitem>
 1416        </varlistentry>
 1417        <varlistentry>
 1418          <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--get-service-helpers</option></term>
 1419          <listitem>
 1420            <para>
 1421              List helpers added to the permanent service.
 1422            </para>
 1423          </listitem>
 1424        </varlistentry>
 1425 
 1426        <varlistentry>
 1427          <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--set-destination</option>=<replaceable>ipv</replaceable>:<replaceable>address</replaceable><optional>/<replaceable>mask</replaceable></optional></term>
 1428          <listitem>
 1429            <para>
 1430              Set the destination for ipv to address[/mask] in the permanent service.
 1431            </para>
 1432          </listitem>
 1433        </varlistentry>
 1434        <varlistentry>
 1435          <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--remove-destination</option>=<replaceable>ipv</replaceable></term>
 1436          <listitem>
 1437            <para>
 1438              Remove the destination for ipv from the permanent service.
 1439            </para>
 1440          </listitem>
 1441        </varlistentry>
 1442        <varlistentry>
 1443          <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--query-destination</option>=<replaceable>ipv</replaceable>:<replaceable>address</replaceable><optional>/<replaceable>mask</replaceable></optional></term>
 1444          <listitem>
 1445            <para>
 1446              Return whether the destination for ipv has been set to address[/mask] in the permanent service.
 1447            </para>
 1448          </listitem>
 1449        </varlistentry>
 1450        <varlistentry>
 1451          <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--get-destinations</option></term>
 1452          <listitem>
 1453            <para>
 1454              List destinations added to the permanent service.
 1455            </para>
 1456          </listitem>
 1457        </varlistentry>
 1458 
 1459        <varlistentry>
 1460          <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--add-include</option>=<replaceable>service</replaceable></term>
 1461          <listitem>
 1462            <para>
 1463              Add a new include to the permanent service.
 1464            </para>
 1465          </listitem>
 1466        </varlistentry>
 1467        <varlistentry>
 1468          <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--remove-include</option>=<replaceable>service</replaceable></term>
 1469          <listitem>
 1470            <para>
 1471              Remove an include from the permanent service.
 1472            </para>
 1473          </listitem>
 1474        </varlistentry>
 1475        <varlistentry>
 1476          <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--query-include</option>=<replaceable>service</replaceable></term>
 1477          <listitem>
 1478            <para>
 1479              Return whether the include has been added to the permanent service.
 1480            </para>
 1481          </listitem>
 1482        </varlistentry>
 1483        <varlistentry>
 1484          <term><option>--permanent</option> <option>--service</option>=<replaceable>service</replaceable> <option>--get-includes</option></term>
 1485          <listitem>
 1486            <para>
 1487              List includes added to the permanent service.
 1488            </para>
 1489          </listitem>
 1490        </varlistentry>
 1491       </variablelist>
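      <para>
        The permanent service options above define a service step by step: <option>--new-service</option>, then <option>--add-port</option>=<replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]/<replaceable>protocol</replaceable>, <option>--add-protocol</option>, <option>--set-destination</option>=<replaceable>ipv</replaceable>:<replaceable>address</replaceable>[/<replaceable>mask</replaceable>] and <option>--add-include</option>. The following added example (not firewalld's own code) validates such a definition and produces the corresponding firewall-cmd command lines without running them. The accepted port protocols (tcp, udp, sctp, dccp), the port range 1-65535 and the service name <literal>myapp</literal> are this example's assumptions; the check that the destination address family matches <replaceable>ipv</replaceable> is an added check.
      </para>
      <programlisting><![CDATA[
```python
"""Validate and plan a permanent firewall-cmd service definition (added example, not firewalld code)."""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Protocols accepted in a port specification (assumed set for this example).
PORT_PROTOCOLS = ("tcp", "udp", "sctp", "dccp")
# portid[-portid]/protocol, as written in the option terms.
PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?/([a-z]+)$")


def parse_port_spec(spec: str) -> Tuple[int, int, str]:
    """Parse 'portid[-portid]/protocol' into (low, high, protocol).

    Raises ValueError for an unknown protocol, a port outside 1-65535 or an
    inverted range, so a typo is caught before any firewall-cmd call is made.
    """
    m = PORT_RE.match(spec.strip())
    if m is None:
        raise ValueError(f"malformed port specification: {spec!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    proto = m.group(3)
    if proto not in PORT_PROTOCOLS:
        raise ValueError(f"unsupported protocol in {spec!r}")
    for port in (low, high):
        if port not in range(1, 65536):
            raise ValueError(f"port out of range in {spec!r}")
    if low > high:
        raise ValueError(f"inverted port range in {spec!r}")
    return low, high, proto


def is_valid_port_spec(spec: str) -> bool:
    """Boolean wrapper around parse_port_spec for quick checks."""
    try:
        parse_port_spec(spec)
    except ValueError:
        return False
    return True


def check_destination(ipv: str, address: str) -> str:
    """Validate an ipv:address[/mask] destination; the address family must match ipv."""
    expected = {"ipv4": 4, "ipv6": 6}.get(ipv)
    if expected is None:
        raise ValueError(f"ipv must be ipv4 or ipv6, got {ipv!r}")
    net = ipaddress.ip_network(address, strict=False)
    if net.version != expected:
        raise ValueError(f"{address} is not an {ipv} address")
    return f"{ipv}:{address}"


def plan_service_commands(name: str, ports: Iterable[str], protocols: Iterable[str] = (),
                          destinations: Optional[Dict[str, str]] = None,
                          includes: Iterable[str] = ()) -> List[str]:
    """Return the firewall-cmd invocations that would define the service.

    Every argument is validated first, so nothing is emitted for a broken
    definition. The commands are returned rather than executed; the caller
    decides whether to run them (they need root) and reload afterwards.
    """
    base = f"firewall-cmd --permanent --service={name}"
    cmds = [f"firewall-cmd --permanent --new-service={name}"]
    for spec in ports:
        low, high, proto = parse_port_spec(spec)
        canon = f"{low}/{proto}" if low == high else f"{low}-{high}/{proto}"
        cmds.append(f"{base} --add-port={canon}")
    for proto in protocols:
        cmds.append(f"{base} --add-protocol={proto}")
    for ipv, address in (destinations or {}).items():
        cmds.append(f"{base} --set-destination={check_destination(ipv, address)}")
    for included in includes:
        cmds.append(f"{base} --add-include={included}")
    return cmds


if __name__ == "__main__":
    # Constructed service definition: a web app, GRE, one IPv4 destination and the ssh service included.
    for cmd in plan_service_commands("myapp", ["8080/tcp", "6000-6010/udp"], protocols=["gre"],
                                     destinations={"ipv4": "192.0.2.0/24"}, includes=["ssh"]):
        print(cmd)
```
]]></programlisting>
      <para>
        Because the definition is validated as a whole before the first command is printed, a half-created service (the <option>--new-service</option> call succeeding and a later <option>--add-port</option> failing on a typo) does not occur.
      </para>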
 1492     </refsect2>
 1493 
 1494     <refsect2 id="helper_options">
 1495       <title>Helper Options</title>
 1496       <para>
 1497 	Options in this section affect only one particular helper.
 1498       </para>
 1499       <variablelist>
 1500 	<varlistentry>
 1501 	  <term><optional><option>--permanent</option></optional> <option>--info-helper=<replaceable>helper</replaceable></option></term>
 1502 	  <listitem>
 1503 	    <para>
 1504 	      Print information about the helper <replaceable>helper</replaceable>. The output format is:
 1505 	      <programlisting>
 1506 <replaceable>helper</replaceable>
 1507   family: <replaceable>family</replaceable>
 1508   module: <replaceable>module</replaceable>
 1509   ports: <replaceable>port1</replaceable> ..
 1510               </programlisting>
 1511 	    </para>
 1512 	  </listitem>
 1513 	</varlistentry>
 1514       </variablelist>
 1515       <para>
 1516 	The following options are only usable in the permanent configuration.
 1517       </para>
 1518       <variablelist>
 1519        <varlistentry>
 1520          <term><option>--permanent</option> <option>--new-helper</option>=<replaceable>helper</replaceable> <option>--module</option>=<replaceable>nf_conntrack_module</replaceable> <optional><option>--family</option>=<literal>ipv4</literal>|<literal>ipv6</literal></optional></term>
 1521          <listitem>
 1522            <para>
 1523              Add a new permanent helper with module and optionally family defined.
 1524            </para>
 1525          </listitem>
 1526        </varlistentry>
 1527        <varlistentry>
 1528          <term><option>--permanent</option> <option>--new-helper-from-file</option>=<replaceable>filename</replaceable> <optional><option>--name</option>=<replaceable>helper</replaceable></optional></term>
 1529          <listitem>
 1530            <para>
 1531               Add a new permanent helper from a prepared helper file with an optional name override.
 1532            </para>
 1533          </listitem>
 1534        </varlistentry>
 1535        <varlistentry>
 1536          <term><option>--permanent</option> <option>--delete-helper</option>=<replaceable>helper</replaceable></term>
 1537          <listitem>
 1538            <para>
 1539              Delete an existing permanent helper.
 1540            </para>
 1541          </listitem>
 1542        </varlistentry>
 1543 	<varlistentry>
 1544           <term><option>--permanent</option> <option>--load-helper-defaults</option>=<replaceable>helper</replaceable></term>
 1545           <listitem>
 1546             <para>
 1547               Load the default settings of the helper, or report a NO_DEFAULTS error.
 1548             </para>
 1549           </listitem>
 1550 	</varlistentry>
 1551 	<varlistentry>
 1552 	  <term><option>--permanent</option> <option>--path-helper=<replaceable>helper</replaceable></option></term>
 1553 	  <listitem>
 1554 	    <para>
 1555 	      Print path of the helper configuration file.
 1556 	    </para>
 1557 	  </listitem>
 1558 	</varlistentry>
 1559 
 1560 	<varlistentry>
 1561 	  <term><optional><option>--permanent</option></optional> <option>--get-helpers</option></term>
 1562 	  <listitem>
 1563 	    <para>
 1564 	      Print the predefined helpers as a space-separated list.
 1565 	    </para>
 1566 	  </listitem>
 1567 	</varlistentry>
 1568 
 1569        <varlistentry>
 1570          <term><option>--permanent</option> <option>--helper</option>=<replaceable>helper</replaceable> <option>--set-description</option>=<replaceable>description</replaceable></term>
 1571          <listitem>
 1572            <para>
 1573              Set a new description for the helper.
 1574            </para>
 1575          </listitem>
 1576        </varlistentry>
 1577        <varlistentry>
 1578          <term><option>--permanent</option> <option>--helper</option>=<replaceable>helper</replaceable> <option>--get-description</option></term>
 1579          <listitem>
 1580            <para>
 1581              Print the description of the helper.
 1582            </para>
 1583          </listitem>
 1584        </varlistentry>
 1585        <varlistentry>
 1586          <term><option>--permanent</option> <option>--helper</option>=<replaceable>helper</replaceable> <option>--set-short</option>=<replaceable>description</replaceable></term>
 1587          <listitem>
 1588            <para>
 1589              Set a new short description for the helper.
 1590            </para>
 1591          </listitem>
 1592        </varlistentry>
 1593        <varlistentry>
 1594          <term><option>--permanent</option> <option>--helper</option>=<replaceable>helper</replaceable> <option>--get-short</option></term>
 1595          <listitem>
 1596            <para>
 1597              Print the short description of the helper.
 1598            </para>
 1599          </listitem>
 1600        </varlistentry>
 1601        
 1602        <varlistentry>
 1603          <term><option>--permanent</option> <option>--helper</option>=<replaceable>helper</replaceable> <option>--add-port</option>=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>/<replaceable>protocol</replaceable></term>
 1604          <listitem>
 1605            <para>
 1606              Add a new port to the permanent helper.
 1607            </para>
 1608          </listitem>
 1609        </varlistentry>
 1610        <varlistentry>
 1611          <term><option>--permanent</option> <option>--helper</option>=<replaceable>helper</replaceable> <option>--remove-port</option>=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>/<replaceable>protocol</replaceable></term>
 1612          <listitem>
 1613            <para>
 1614              Remove a port from the permanent helper.
 1615            </para>
 1616          </listitem>
 1617        </varlistentry>
 1618        <varlistentry>
 1619          <term><option>--permanent</option> <option>--helper</option>=<replaceable>helper</replaceable> <option>--query-port</option>=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>/<replaceable>protocol</replaceable></term>
 1620          <listitem>
 1621            <para>
 1622              Return whether the port has been added to the permanent helper.
 1623            </para>
 1624          </listitem>
 1625        </varlistentry>
 1626        <varlistentry>
 1627          <term><option>--permanent</option> <option>--helper</option>=<replaceable>helper</replaceable> <option>--get-ports</option></term>
 1628          <listitem>
 1629            <para>
 1630              List ports added to the permanent helper.
 1631            </para>
 1632          </listitem>
 1633        </varlistentry>
 1634 
 1635        <varlistentry>
 1636          <term><option>--permanent</option> <option>--helper</option>=<replaceable>helper</replaceable> <option>--set-module</option>=<replaceable>nf_conntrack_module</replaceable></term>
 1637          <listitem>
 1638            <para>
 1639              Set the connection tracking module of the helper.
 1640            </para>
 1641          </listitem>
 1642        </varlistentry>
 1643        <varlistentry>
 1644          <term><option>--permanent</option> <option>--helper</option>=<replaceable>helper</replaceable> <option>--get-module</option></term>
 1645          <listitem>
 1646            <para>
 1647              Print the connection tracking module of the helper.
 1648            </para>
 1649          </listitem>
 1650        </varlistentry>
 1651 
 1652        <varlistentry>
 1653          <term><option>--permanent</option> <option>--helper</option>=<replaceable>helper</replaceable> <option>--set-family</option>=<literal>ipv4</literal>|<literal>ipv6</literal></term>
 1654          <listitem>
 1655            <para>
 1656              Set the family of the helper to <literal>ipv4</literal> or <literal>ipv6</literal>.
 1657            </para>
 1658          </listitem>
 1659        </varlistentry>
 1660        <varlistentry>
 1661          <term><option>--permanent</option> <option>--helper</option>=<replaceable>helper</replaceable> <option>--get-family</option></term>
 1662          <listitem>
 1663            <para>
 1664              Print the family of the helper.
 1665            </para>
 1666          </listitem>
 1667        </varlistentry>
 1668      </variablelist>
 1669     </refsect2>
 1670 
 1671     <refsect2 id="icmptype_options">
 1672       <title>Internet Control Message Protocol (ICMP) type Options</title>
 1673       <para>
 1674 	Options in this section affect only one particular icmptype.
 1675       </para>
 1676       <variablelist>
 1677 	<varlistentry>
 1678 	  <term><optional><option>--permanent</option></optional> <option>--info-icmptype=<replaceable>icmptype</replaceable></option></term>
 1679 	  <listitem>
 1680 	    <para>
 1681 	      Print information about the icmptype <replaceable>icmptype</replaceable>. The output format is:
 1682 	      <programlisting>
 1683 <replaceable>icmptype</replaceable>
 1684   destination: <replaceable>ipv1</replaceable> ..
 1685               </programlisting>
 1686 	    </para>
 1687 	  </listitem>
 1688 	</varlistentry>
 1689       </variablelist>
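      <para>
        The <option>--info-service</option>, <option>--info-helper</option> and <option>--info-icmptype</option> output formats share one layout: the object name on the first line, followed by indented <literal>key: value value ..</literal> lines. The following added example (not firewalld's own code) parses that layout into a name and a field map, and then answers an audit question a service review commonly needs, namely whether a given port/protocol is covered by the service's port list, ranges included. The sample outputs are constructed and the service name <literal>myapp</literal> is an assumption.
      </para>
      <programlisting><![CDATA[
```python
"""Parse the --info-service / --info-helper / --info-icmptype output layout (added example, not firewalld code)."""
from typing import Dict, List, Tuple

# Constructed sample outputs in the documented layout.
SERVICE_INFO = """\
myapp
  ports: 8080/tcp 6000-6010/udp
  protocols: gre
  source-ports:
  helpers:
  destination: ipv4:192.0.2.0/24
"""

HELPER_INFO = """\
ftp
  family:
  module: nf_conntrack_ftp
  ports: 21/tcp
"""

ICMPTYPE_INFO = """\
echo-request
  destination: ipv4 ipv6
"""


def parse_info(text: str) -> Tuple[str, Dict[str, List[str]]]:
    """Return (name, fields); each field maps to its list of space-separated values.

    The first line is the object name; every further non-empty line must be
    'key: values'. A key with no values (e.g. 'helpers:') maps to an empty list.
    Only the first colon separates key from values, so 'ipv4:192.0.2.0/24'
    survives intact as a destination value.
    """
    lines = text.splitlines()
    if not lines or not lines[0].strip():
        raise ValueError("empty --info output")
    name = lines[0].strip()
    fields: Dict[str, List[str]] = {}
    for line in lines[1:]:
        stripped = line.strip()
        if not stripped:
            continue
        key, sep, rest = stripped.partition(":")
        if not sep:
            raise ValueError(f"unexpected line in --info output: {line!r}")
        fields[key] = rest.split()
    return name, fields


def opens_port(fields: Dict[str, List[str]], port: int, proto: str) -> bool:
    """True if the 'ports' field covers port/proto, expanding portid-portid ranges."""
    for spec in fields.get("ports", []):
        ports, _, spec_proto = spec.partition("/")
        if spec_proto != proto:
            continue
        low, _, high = ports.partition("-")
        lo = int(low)
        hi = int(high) if high else lo
        if port in range(lo, hi + 1):
            return True
    return False


if __name__ == "__main__":
    for sample in (SERVICE_INFO, HELPER_INFO, ICMPTYPE_INFO):
        name, fields = parse_info(sample)
        print(name, fields)
    _, svc = parse_info(SERVICE_INFO)
    print("myapp opens 6005/udp:", opens_port(svc, 6005, "udp"))
    print("myapp opens 22/tcp:", opens_port(svc, 22, "tcp"))
```
]]></programlisting>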
 1690       <para>
 1691 	The following options are only usable in the permanent configuration.
 1692       </para>
 1693       <variablelist>
 1694        <varlistentry>
 1695          <term><option>--permanent</option> <option>--new-icmptype</option>=<replaceable>icmptype</replaceable></term>
 1696          <listitem>
 1697            <para>
 1698              Add a new permanent and empty icmptype.
 1699            </para>
 1700          </listitem>
 1701        </varlistentry>
 1702 
 1703        <varlistentry>
 1704          <term><option>--permanent</option> <option>--new-icmptype-from-file</option>=<replaceable>filename</replaceable> <optional><option>--name</option>=<replaceable>icmptype</replaceable></optional></term>
 1705          <listitem>
 1706            <para>
 1707 	     Add a new permanent icmptype from a prepared icmptype file with an optional name override.
 1708            </para>
 1709          </listitem>
 1710        </varlistentry>
 1711 
 1712 
 1713        <varlistentry>
 1714          <term><option>--permanent</option> <option>--delete-icmptype</option>=<replaceable>icmptype</replaceable></term>
 1715          <listitem>
 1716            <para>
 1717              Delete an existing permanent icmptype.
 1718            </para>
 1719          </listitem>
 1720        </varlistentry>
 1721        <varlistentry>
 1722          <term><option>--permanent</option> <option>--load-icmptype-defaults</option>=<replaceable>icmptype</replaceable></term>
 1723          <listitem>
 1724            <para>
 1725              Load the default settings of the icmptype, or report a NO_DEFAULTS error.
 1726            </para>
 1727          </listitem>
 1728        </varlistentry>
 1729        <varlistentry>
 1730          <term><option>--permanent</option> <option>--icmptype</option>=<replaceable>icmptype</replaceable> <option>--set-description</option>=<replaceable>description</replaceable></term>
 1731          <listitem>
 1732            <para>
 1733              Set a new description for the icmptype.
 1734            </para>
 1735          </listitem>
 1736        </varlistentry>
 1737        <varlistentry>
 1738          <term><option>--permanent</option> <option>--icmptype</option>=<replaceable>icmptype</replaceable> <option>--get-description</option></term>
 1739          <listitem>
 1740            <para>
 1741              Print the description of the icmptype.
 1742            </para>
 1743          </listitem>
 1744        </varlistentry>
 1745        <varlistentry>
 1746          <term><option>--permanent</option> <option>--icmptype</option>=<replaceable>icmptype</replaceable> <option>--set-short</option>=<replaceable>description</replaceable></term>
 1747          <listitem>
 1748            <para>
 1749              Set a new short description for the icmptype.
 1750            </para>
 1751          </listitem>
 1752        </varlistentry>
 1753        <varlistentry>
 1754          <term><option>--permanent</option> <option>--icmptype</option>=<replaceable>icmptype</replaceable> <option>--get-short</option></term>
 1755          <listitem>
 1756            <para>
 1757              Print the short description of the icmptype.
 1758            </para>
 1759          </listitem>
 1760        </varlistentry>
 1761 
 1762        <varlistentry>
 1763          <term><option>--permanent</option> <option>--icmptype</option>=<replaceable>icmptype</replaceable> <option>--add-destination</option>=<replaceable>ipv</replaceable></term>
 1764          <listitem>
 1765            <para>
 1766              Enable destination for ipv in permanent icmptype. ipv is one of <literal>ipv4</literal> or <literal>ipv6</literal>.
 1767            </para>
 1768          </listitem>
 1769        </varlistentry>
 1770        <varlistentry>
 1771          <term><option>--permanent</option> <option>--icmptype</option>=<replaceable>icmptype</replaceable> <option>--remove-destination</option>=<replaceable>ipv</replaceable></term>
 1772          <listitem>
 1773            <para>
 1774              Disable destination for ipv in permanent icmptype. ipv is one of <literal>ipv4</literal> or <literal>ipv6</literal>.
 1775            </para>
 1776          </listitem>
 1777        </varlistentry>
 1778        <varlistentry>
 1779          <term><option>--permanent</option> <option>--icmptype</option>=<replaceable>icmptype</replaceable> <option>--query-destination</option>=<replaceable>ipv</replaceable></term>
 1780          <listitem>
 1781            <para>
 1782              Return whether destination for ipv is enabled in permanent icmptype. ipv is one of <literal>ipv4</literal> or <literal>ipv6</literal>.
 1783            </para>
 1784          </listitem>
 1785        </varlistentry>
 1786        <varlistentry>
 1787          <term><option>--permanent</option> <option>--icmptype</option>=<replaceable>icmptype</replaceable> <option>--get-destinations</option></term>
 1788          <listitem>
 1789            <para>
 1790               List destinations in permanent icmptype.
 1791            </para>
 1792          </listitem>
 1793        </varlistentry>
 1794 	<varlistentry>
 1795 	  <term><option>--permanent</option> <option>--path-icmptype</option>=<replaceable>icmptype</replaceable></term>
 1796 	  <listitem>
 1797 	    <para>
 1798 	      Print path of the icmptype configuration file.
 1799 	    </para>
 1800 	  </listitem>
 1801 	</varlistentry>
 1802       </variablelist>
 1803     </refsect2>
 1804 
 1805     <refsect2 id="direct_options">
 1806       <title>Direct Options</title>
 1807       <para>
 1808 	The direct options give more direct access to the firewall. These options require the user to know basic iptables concepts, i.e. <literal>table</literal> (filter/mangle/nat/...), <literal>chain</literal> (INPUT/OUTPUT/FORWARD/...), <literal>commands</literal> (-A/-D/-I/...), <literal>parameters</literal> (-p/-s/-d/-j/...) and <literal>targets</literal> (ACCEPT/DROP/REJECT/...).
 1809       </para>
 1810       <para>
 1811 	Direct options should be used only as a last resort when it's not possible to use for example <option>--add-service</option>=<replaceable>service</replaceable> or <option>--add-rich-rule</option>='<replaceable>rule</replaceable>'.
 1812       </para>
 1813       <para>
 1814 	The first argument of each option has to be <literal>ipv4</literal>, <literal>ipv6</literal> or <literal>eb</literal>. With <literal>ipv4</literal> the command applies to IPv4 (<citerefentry><refentrytitle>iptables</refentrytitle><manvolnum>8</manvolnum></citerefentry>), with <literal>ipv6</literal> to IPv6 (<citerefentry><refentrytitle>ip6tables</refentrytitle><manvolnum>8</manvolnum></citerefentry>) and with <literal>eb</literal> to Ethernet bridges (<citerefentry><refentrytitle>ebtables</refentrytitle><manvolnum>8</manvolnum></citerefentry>).
 1815       </para>
 1816       <variablelist>
 1817 
 1818 	<!-- direct chain -->
 1819 
 1820 	<varlistentry>
 1821 	  <term><optional><option>--permanent</option></optional> <option>--direct</option> <option>--get-all-chains</option></term>
 1822 	  <listitem>
 1823 	    <para>
 1824 	      Get all chains added to all tables.
 1825 	      This option concerns only chains previously added with <option>--direct --add-chain</option>.
 1826 	    </para>
 1827 	  </listitem>
 1828 	</varlistentry>
 1829 
 1830 	<varlistentry>
 1831 	  <term><optional><option>--permanent</option></optional> <option>--direct</option> <option>--get-chains</option> { <literal>ipv4</literal> | <literal>ipv6</literal> | <literal>eb</literal> } <replaceable>table</replaceable></term>
 1832 	  <listitem>
 1833 	    <para>
 1834 	      Get all chains added to table <replaceable>table</replaceable> as a space separated list.
 1835 	      This option concerns only chains previously added with <option>--direct --add-chain</option>.
 1836 	    </para>
 1837 	  </listitem>
 1838 	</varlistentry>
 1839 
 1840 	<varlistentry>
 1841 	  <term><optional><option>--permanent</option></optional> <option>--direct</option> <option>--add-chain</option> { <literal>ipv4</literal> | <literal>ipv6</literal> | <literal>eb</literal> } <replaceable>table</replaceable> <replaceable>chain</replaceable></term>
 1842 	  <listitem>
 1843 	    <para>
 1844 	      Add a new chain with name <replaceable>chain</replaceable> to table <replaceable>table</replaceable>. Make sure there's no other chain with this name already.
 1845 	    </para>
 1846 	    <para>
 1847 	      Basic chains for use with the direct options already exist, for example the <literal>INPUT_direct</literal> chain (see the output of <literal>iptables-save | grep direct</literal> for all of them).
 1848 	      These chains are jumped into before the zone chains, i.e. every rule put into <literal>INPUT_direct</literal> will be checked before the rules in zones.
 1849 	    </para>
 1850 	  </listitem>
 1851 	</varlistentry>
 1852 
 1853 	<varlistentry>
 1854 	  <term><optional><option>--permanent</option></optional> <option>--direct</option> <option>--remove-chain</option> { <literal>ipv4</literal> | <literal>ipv6</literal> | <literal>eb</literal> } <replaceable>table</replaceable> <replaceable>chain</replaceable></term>
 1855 	  <listitem>
 1856 	    <para>
 1857 	      Remove chain with name <replaceable>chain</replaceable> from table <replaceable>table</replaceable>.
 1858 	      Only chains previously added with <option>--direct --add-chain</option> can be removed this way.
 1859 	    </para>
 1860 	  </listitem>
 1861 	</varlistentry>
 1862 
 1863 	<varlistentry>
 1864 	  <term><optional><option>--permanent</option></optional> <option>--direct</option> <option>--query-chain</option> { <literal>ipv4</literal> | <literal>ipv6</literal> | <literal>eb</literal> } <replaceable>table</replaceable> <replaceable>chain</replaceable></term>
 1865 	  <listitem>
 1866 	    <para>
 1867 	      Return whether a chain with name <replaceable>chain</replaceable> exists in table <replaceable>table</replaceable>. Returns 0 if true, 1 otherwise.
 1868 	      This option concerns only chains previously added with <option>--direct --add-chain</option>.
 1869 	    </para>
 1870 	  </listitem>
 1871 	</varlistentry>
 1872 
 1873 	<!-- direct rule -->
 1874 
 1875 	<varlistentry>
 1876 	  <term><optional><option>--permanent</option></optional> <option>--direct</option> <option>--get-all-rules</option></term>
 1877 	  <listitem>
 1878 	    <para>
 1879 	      Get all rules added to all chains in all tables as a newline separated list of the priority and arguments.
 1880 	      This option concerns only rules previously added with <option>--direct --add-rule</option>.
 1881 	    </para>
 1882 	  </listitem>
 1883 	</varlistentry>
 1884 
 1885 	<varlistentry>
 1886 	  <term><optional><option>--permanent</option></optional> <option>--direct</option> <option>--get-rules</option> { <literal>ipv4</literal> | <literal>ipv6</literal> | <literal>eb</literal> } <replaceable>table</replaceable> <replaceable>chain</replaceable></term>
 1887 	  <listitem>
 1888 	    <para>
 1889 	      Get all rules added to chain <replaceable>chain</replaceable> in table <replaceable>table</replaceable> as a newline separated list of the priority and arguments.
 1890 	      This option concerns only rules previously added with <option>--direct --add-rule</option>.
 1891 	    </para>
 1892 	  </listitem>
 1893 	</varlistentry>
 1894 
 1895 	<varlistentry>
 1896 	  <term><optional><option>--permanent</option></optional> <option>--direct</option> <option>--add-rule</option> { <literal>ipv4</literal> | <literal>ipv6</literal> | <literal>eb</literal> } <replaceable>table</replaceable> <replaceable>chain</replaceable> <replaceable>priority</replaceable> <replaceable>args</replaceable></term>
 1897 	  <listitem>
 1898 	    <para>
 1899 	      Add a rule with the arguments <replaceable>args</replaceable> to chain <replaceable>chain</replaceable> in table <replaceable>table</replaceable> with priority <replaceable>priority</replaceable>.
 1900 	    </para>
 1901 	    <para>
 1902 	      The <replaceable>priority</replaceable> is used to order rules. Priority 0 means the rule is added at the top of the chain; the higher the priority, the further down the rule is added. Rules with the same priority are on the same level and the order of these rules is not fixed and may change. If you want to make sure that a rule is added after another one, use a lower priority for the first and a higher one for the following.
 1903 	    </para>
 1904 	  </listitem>
 1905 	</varlistentry>
 1906 
 1907 	<varlistentry>
 1908 	  <term><optional><option>--permanent</option></optional> <option>--direct</option> <option>--remove-rule</option> { <literal>ipv4</literal> | <literal>ipv6</literal> | <literal>eb</literal> } <replaceable>table</replaceable> <replaceable>chain</replaceable> <replaceable>priority</replaceable> <replaceable>args</replaceable></term>
 1909 	  <listitem>
 1910 	    <para>
 1911 	      Remove a rule with <replaceable>priority</replaceable> and the arguments <replaceable>args</replaceable> from chain <replaceable>chain</replaceable> in table <replaceable>table</replaceable>.
 1912 	      Only rules previously added with <option>--direct --add-rule</option> can be removed this way.
 1913 	    </para>
 1914 	  </listitem>
 1915 	</varlistentry>
 1916 
 1917 	<varlistentry>
 1918 	  <term><optional><option>--permanent</option></optional> <option>--direct</option> <option>--remove-rules</option> { <literal>ipv4</literal> | <literal>ipv6</literal> | <literal>eb</literal> } <replaceable>table</replaceable> <replaceable>chain</replaceable></term>
 1919 	  <listitem>
 1920 	    <para>
 1921 	      Remove all rules in the chain with name <replaceable>chain</replaceable> in table <replaceable>table</replaceable>.
 1922 	      This option concerns only rules previously added with <option>--direct --add-rule</option> in this chain.
 1923 	    </para>
 1924 	  </listitem>
 1925 	</varlistentry>
 1926 
 1927 	<varlistentry>
 1928 	  <term><optional><option>--permanent</option></optional> <option>--direct</option> <option>--query-rule</option> { <literal>ipv4</literal> | <literal>ipv6</literal> | <literal>eb</literal> } <replaceable>table</replaceable> <replaceable>chain</replaceable> <replaceable>priority</replaceable> <replaceable>args</replaceable></term>
 1929 	  <listitem>
 1930 	    <para>
 1931 	      Return whether a rule with <replaceable>priority</replaceable> and the arguments <replaceable>args</replaceable> exists in chain <replaceable>chain</replaceable> in table <replaceable>table</replaceable>.
 1932 	      Returns 0 if true, 1 otherwise. This option concerns only rules previously added with <option>--direct --add-rule</option>.
 1933 	    </para>
 1934 	  </listitem>
 1935 	</varlistentry>
 1936 
 1937 	<!-- direct untracked passthrough -->
 1938 
 1939 	<varlistentry>
 1940 	  <term><option>--direct</option> <option>--passthrough</option> { <literal>ipv4</literal> | <literal>ipv6</literal> | <literal>eb</literal> } <replaceable>args</replaceable></term>
 1941 	  <listitem>
 1942 	    <para>
 1943 	      Pass a command through to the firewall. <replaceable>args</replaceable> can be any <command>iptables</command>, <command>ip6tables</command> or <command>ebtables</command> command line arguments. This command is untracked, which means that firewalld is not able to provide information about it later on, not even a listing of the untracked passthroughs.
 1944 	    </para>
 1945 	  </listitem>
 1946 	</varlistentry>
 1947 
 1948 	<!-- direct tracked passthrough -->
 1949 
 1950 	<varlistentry>
 1951 	  <term><optional><option>--permanent</option></optional> <option>--direct</option> <option>--get-all-passthroughs</option></term>
 1952 	  <listitem>
 1953 	    <para>
 1954 	      Get all passthrough rules as a newline separated list of the ipv value and arguments.
 1955 	    </para>
 1956 	  </listitem>
 1957 	</varlistentry>
 1958 
 1959 	<varlistentry>
 1960 	  <term><optional><option>--permanent</option></optional> <option>--direct</option> <option>--get-passthroughs</option> { <literal>ipv4</literal> | <literal>ipv6</literal> | <literal>eb</literal> }</term>
 1961 	  <listitem>
 1962 	    <para>
 1963 	      Get all passthrough rules for the ipv value as a newline separated list of the priority and arguments.
 1964 	    </para>
 1965 	  </listitem>
 1966 	</varlistentry>
 1967 
 1968 	<varlistentry>
 1969 	  <term><optional><option>--permanent</option></optional> <option>--direct</option> <option>--add-passthrough</option> { <literal>ipv4</literal> | <literal>ipv6</literal> | <literal>eb</literal> } <replaceable>args</replaceable></term>
 1970 	  <listitem>
 1971 	    <para>
 1972 	      Add a passthrough rule with the arguments <replaceable>args</replaceable> for the ipv value.
 1973 	    </para>
 1974 	  </listitem>
 1975 	</varlistentry>
 1976 
 1977 	<varlistentry>
 1978 	  <term><optional><option>--permanent</option></optional> <option>--direct</option> <option>--remove-passthrough</option> { <literal>ipv4</literal> | <literal>ipv6</literal> | <literal>eb</literal> } <replaceable>args</replaceable></term>
 1979 	  <listitem>
 1980 	    <para>
 1981 	      Remove a passthrough rule with the arguments <replaceable>args</replaceable> for the ipv value.
 1982 	    </para>
 1983 	  </listitem>
 1984 	</varlistentry>
 1985 
 1986 	<varlistentry>
 1987 	  <term><optional><option>--permanent</option></optional> <option>--direct</option> <option>--query-passthrough</option> { <literal>ipv4</literal> | <literal>ipv6</literal> | <literal>eb</literal> } <replaceable>args</replaceable></term>
 1988 	  <listitem>
 1989 	    <para>
 1990 	      Return whether a passthrough rule with the arguments <replaceable>args</replaceable> exists for the ipv value. Returns 0 if true, 1 otherwise.
 1991 	    </para>
 1992 	  </listitem>
 1993 	</varlistentry>
 1994       </variablelist>
 1995     </refsect2>
 1996 
 1997     <refsect2 id="lockdown_options">
 1998       <title>Lockdown Options</title>
 1999       <para>
 2000 	Local applications or services are able to change the firewall configuration if they are running as root (example: libvirt) or are authenticated using PolicyKit. With this feature administrators can lock the firewall configuration so that only applications on the lockdown whitelist are able to request firewall changes.
 2001       </para>
 2002       <para>
 2003 	The lockdown access check limits the D-Bus methods that change firewall rules. Query, list and get methods are not limited.
 2004       </para>
 2005       <para>
 2006 	The lockdown feature is a very light version of user and application policies for firewalld and is turned off by default.
 2007       </para>
 2008       <variablelist>
 2009 	<varlistentry>
 2010 	  <term><option>--lockdown-on</option></term>
 2011 	  <listitem>
 2012 	    <para>
 2013 	      Enable lockdown. Be careful: if firewall-cmd is not on the lockdown whitelist when you enable lockdown, you will not be able to disable it again with firewall-cmd; you would need to edit firewalld.conf.
 2014 	    </para>
 2015 	    <para>
 2016 	      This is a runtime and permanent change.
 2017 	    </para>
 2018 	  </listitem>
 2019 	</varlistentry>
 2020 
 2021 	<varlistentry>
 2022 	  <term><option>--lockdown-off</option></term>
 2023 	  <listitem>
 2024 	    <para>
 2025 	      Disable lockdown.
 2026 	    </para>
 2027 	    <para>
 2028 	      This is a runtime and permanent change.
 2029 	    </para>
 2030 	  </listitem>
 2031 	</varlistentry>
 2032 
 2033 	<varlistentry>
 2034 	  <term><option>--query-lockdown</option></term>
 2035 	  <listitem>
 2036 	    <para>
 2037 	      Query whether lockdown is enabled. Returns 0 if lockdown is enabled, 1 otherwise.
 2038 	    </para>
 2039 	  </listitem>
 2040 	</varlistentry>
 2041       </variablelist>
 2042     </refsect2>
 2043 
 2044     <refsect2 id="lockdown_whitelist_options">
 2045       <title>Lockdown Whitelist Options</title>
 2046       <para>
 2047 	The lockdown whitelist can contain <replaceable>commands</replaceable>, <replaceable>contexts</replaceable>, <replaceable>users</replaceable> and <replaceable>user ids</replaceable>.
 2048       </para>
 2049       <para>
 2050 	If a command entry on the whitelist ends with an asterisk '*', then all command lines starting with the command will match. If there is no '*', the absolute command including its arguments must match exactly.
 2051       </para>
 2052       <para>
 2053 	The command for the root user and for other users is not always the same. Example: on Fedora, <command>/bin/firewall-cmd</command> is used as root, while <command>/usr/bin/firewall-cmd</command> is used as a normal user.
 2054       </para>
 2055       <para>
 2056 	The context is the security (SELinux) context of a running application or service. To get the context of a running application use <command>ps -e --context</command>.
 2057       </para>
 2058       <para>
 2059 	<emphasis role="bold">Warning:</emphasis> If the context is unconfined, then this will open access for more than the desired application.
 2060       </para>
 2061       <para>
 2062 	The lockdown whitelist entries are checked in the following order:
 2063 	<simplelist columns="1">
 2064 	  <member>1. <replaceable>context</replaceable></member>
 2065 	  <member>2. <replaceable>uid</replaceable></member>
 2066 	  <member>3. <replaceable>user</replaceable></member>
 2067 	  <member>4. <replaceable>command</replaceable></member>
 2068 	</simplelist>
 2069       </para>
 2070       <variablelist>
 2071 	<varlistentry>
 2072 	  <term><optional><option>--permanent</option></optional> <option>--list-lockdown-whitelist-commands</option></term>
 2073 	  <listitem>
 2074 	    <para>
 2075 	      List all command lines that are on the whitelist.
 2076 	    </para>
 2077 	  </listitem>
 2078 	</varlistentry>
 2079 
 2080 	<varlistentry>
 2081 	  <term><optional><option>--permanent</option></optional> <option>--add-lockdown-whitelist-command</option>=<replaceable>command</replaceable></term>
 2082 	  <listitem>
 2083 	    <para>
 2084 	      Add the <replaceable>command</replaceable> to the whitelist.
 2085 	    </para>
 2086 	  </listitem>
 2087 	</varlistentry>
 2088 
 2089 	<varlistentry>
 2090 	  <term><optional><option>--permanent</option></optional> <option>--remove-lockdown-whitelist-command</option>=<replaceable>command</replaceable></term>
 2091 	  <listitem>
 2092 	    <para>
 2093 	      Remove the <replaceable>command</replaceable> from the whitelist.
 2094 	    </para>
 2095 	  </listitem>
 2096 	</varlistentry>
 2097 
 2098 	<varlistentry>
 2099 	  <term><optional><option>--permanent</option></optional> <option>--query-lockdown-whitelist-command</option>=<replaceable>command</replaceable></term>
 2100 	  <listitem>
 2101 	    <para>
 2102 	      Query whether the <replaceable>command</replaceable> is on the whitelist. Returns 0 if true, 1 otherwise.
 2103 	    </para>
 2104 	  </listitem>
 2105 	</varlistentry>
 2106 
 2107 	<varlistentry>
 2108 	  <term><optional><option>--permanent</option></optional> <option>--list-lockdown-whitelist-contexts</option></term>
 2109 	  <listitem>
 2110 	    <para>
 2111 	      List all contexts that are on the whitelist.
 2112 	    </para>
 2113 	  </listitem>
 2114 	</varlistentry>
 2115 
 2116 	<varlistentry>
 2117 	  <term><optional><option>--permanent</option></optional> <option>--add-lockdown-whitelist-context</option>=<replaceable>context</replaceable></term>
 2118 	  <listitem>
 2119 	    <para>
 2120 	      Add the context <replaceable>context</replaceable> to the whitelist.
 2121 	    </para>
 2122 	  </listitem>
 2123 	</varlistentry>
 2124 
 2125 	<varlistentry>
 2126 	  <term><optional><option>--permanent</option></optional> <option>--remove-lockdown-whitelist-context</option>=<replaceable>context</replaceable></term>
 2127 	  <listitem>
 2128 	    <para>
 2129 	      Remove the <replaceable>context</replaceable> from the whitelist.
 2130 	    </para>
 2131 	  </listitem>
 2132 	</varlistentry>
 2133 
 2134 	<varlistentry>
 2135 	  <term><optional><option>--permanent</option></optional> <option>--query-lockdown-whitelist-context</option>=<replaceable>context</replaceable></term>
 2136 	  <listitem>
 2137 	    <para>
 2138 	      Query whether the <replaceable>context</replaceable> is on the whitelist. Returns 0 if true, 1 otherwise.
 2139 	    </para>
 2140 	  </listitem>
 2141 	</varlistentry>
 2142 
 2143 	<varlistentry>
 2144 	  <term><optional><option>--permanent</option></optional> <option>--list-lockdown-whitelist-uids</option></term>
 2145 	  <listitem>
 2146 	    <para>
 2147 	      List all user ids that are on the whitelist.
 2148 	    </para>
 2149 	  </listitem>
 2150 	</varlistentry>
 2151 
 2152 	<varlistentry>
 2153 	  <term><optional><option>--permanent</option></optional> <option>--add-lockdown-whitelist-uid</option>=<replaceable>uid</replaceable></term>
 2154 	  <listitem>
 2155 	    <para>
 2156 	      Add the user id <replaceable>uid</replaceable> to the whitelist.
 2157 	    </para>
 2158 	  </listitem>
 2159 	</varlistentry>
 2160 
 2161 	<varlistentry>
 2162 	  <term><optional><option>--permanent</option></optional> <option>--remove-lockdown-whitelist-uid</option>=<replaceable>uid</replaceable></term>
 2163 	  <listitem>
 2164 	    <para>
 2165 	      Remove the user id <replaceable>uid</replaceable> from the whitelist.
 2166 	    </para>
 2167 	  </listitem>
 2168 	</varlistentry>
 2169 
 2170 	<varlistentry>
 2171 	  <term><optional><option>--permanent</option></optional> <option>--query-lockdown-whitelist-uid</option>=<replaceable>uid</replaceable></term>
 2172 	  <listitem>
 2173 	    <para>
 2174 	      Query whether the user id <replaceable>uid</replaceable> is on the whitelist. Returns 0 if true, 1 otherwise.
 2175 	    </para>
 2176 	  </listitem>
 2177 	</varlistentry>
 2178 
 2179 	<varlistentry>
 2180 	  <term><optional><option>--permanent</option></optional> <option>--list-lockdown-whitelist-users</option></term>
 2181 	  <listitem>
 2182 	    <para>
 2183 	      List all user names that are on the whitelist.
 2184 	    </para>
 2185 	  </listitem>
 2186 	</varlistentry>
 2187 
 2188 	<varlistentry>
 2189 	  <term><optional><option>--permanent</option></optional> <option>--add-lockdown-whitelist-user</option>=<replaceable>user</replaceable></term>
 2190 	  <listitem>
 2191 	    <para>
 2192 	      Add the user name <replaceable>user</replaceable> to the whitelist.
 2193 	    </para>
 2194 	  </listitem>
 2195 	</varlistentry>
 2196 
 2197 	<varlistentry>
 2198 	  <term><optional><option>--permanent</option></optional> <option>--remove-lockdown-whitelist-user</option>=<replaceable>user</replaceable></term>
 2199 	  <listitem>
 2200 	    <para>
 2201 	      Remove the user name <replaceable>user</replaceable> from the whitelist.
 2202 	    </para>
 2203 	  </listitem>
 2204 	</varlistentry>
 2205 
 2206 	<varlistentry>
 2207 	  <term><optional><option>--permanent</option></optional> <option>--query-lockdown-whitelist-user</option>=<replaceable>user</replaceable></term>
 2208 	  <listitem>
 2209 	    <para>
 2210 	      Query whether the user name <replaceable>user</replaceable> is on the whitelist. Returns 0 if true, 1 otherwise.
 2211 	    </para>
 2212 	  </listitem>
 2213 	</varlistentry>
 2214       </variablelist>
 2215     </refsect2>
 2217 
 2218     <refsect2 id="panic_options">
 2219       <title>Panic Options</title>
 2220       <variablelist>
 2221 	<varlistentry>
 2222 	  <term><option>--panic-on</option></term>
 2223 	  <listitem>
 2224 	    <para>
 2225 	      Enable panic mode. All incoming and outgoing packets are dropped and active connections will expire. Enable this only if there are serious problems with your network environment, for example if the machine is being attacked.
 2226 	    </para>
 2227 	    <para>
 2228 	      This is a runtime only change.
 2229 	    </para>
 2230 	  </listitem>
 2231 	</varlistentry>
 2232 
 2233 	<varlistentry>
 2234 	  <term><option>--panic-off</option></term>
 2235 	  <listitem>
 2236 	    <para>
 2237 	      Disable panic mode. After disabling panic mode, established connections might work again if panic mode was enabled only for a short period of time.
 2238 	    </para>
 2239 	    <para>
 2240 	      This is a runtime only change.
 2241 	    </para>
 2242 	  </listitem>
 2243 	</varlistentry>
 2244 
 2245 	<varlistentry>
 2246 	  <term><option>--query-panic</option></term>
 2247 	  <listitem>
 2248 	    <para>
 2249 	      Returns 0 if panic mode is enabled, 1 otherwise.
 2250 	    </para>
 2251 	  </listitem>
 2252 	</varlistentry>
 2253       </variablelist>
 2254     </refsect2>
 2216   </refsect1>
 2255 
 2256   <refsect1>
 2257     <title>Examples</title>
 2258       <para>
 2259 	For more examples see <ulink url="http://fedoraproject.org/wiki/FirewallD"></ulink>.
 2260       </para>
 2261 
 2262     <refsect2>
 2263       <title>Example 1</title>
 2264       <para>
 2265 	Enable the http service in the default zone. This is a runtime only change, i.e. effective until restart.
 2266       </para>
 2267       <para>
 2268 	<programlisting>
 2269 firewall-cmd --add-service=http
 2270 	</programlisting>
 2271       </para>
 2272     </refsect2>
 2273 
 2274     <refsect2>
 2275       <title>Example 2</title>
 2276       <para>
 2277 	Enable port 443/tcp immediately and permanently in default zone.
 2278 	To make the change effective immediately and also after restart we need two commands.
 2279 	The first command makes the change in runtime configuration, i.e. makes it effective immediately, until restart.
 2280 	The second command makes the change in permanent configuration, i.e. makes it effective after restart.
 2281       </para>
 2282       <para>
 2283 	<programlisting>
 2284 firewall-cmd --add-port=443/tcp
 2285 firewall-cmd --permanent --add-port=443/tcp
 2286 	</programlisting>
 2287       </para>
 2288     </refsect2>
 2289   </refsect1>
 2290 
 2291   <refsect1 id="exit_codes">
 2292     <title>Exit Codes</title>
 2293     <para>
 2294       On success 0 is returned.
 2295       On failure the output is colored red and the exit code is either 2 in case of wrong command-line option usage or one of the following error codes in other cases:
 2296 
 2297       <informaltable frame="all">
 2298 	<tgroup cols="2" colsep="1" rowsep="1">
 2299 	  <colspec align="left"/>
 2300 	  <colspec align="right"/>
 2301 	  <thead>
 2302 	    <row>
 2303 	      <entry>String</entry>
 2304 	      <entry>Code</entry>
 2305 	    </row>
 2306 	  </thead>
 2307 	  <tbody>
 2308 	    &errorcodes;
 2309 	  </tbody>
 2310 	</tgroup>
 2311       </informaltable>
 2312     </para>
 2313     <para>
 2314       Note that return codes of <command>--query-*</command> options are special: Successful queries return 0, unsuccessful ones return 1 unless an error occurred in which case the table above applies.
 2315     </para>
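    <para>
      As an added example that is not part of firewalld, the following POSIX shell helpers apply this exit-code convention in a script: a query wrapper that treats only 0 and 1 as answers and reports every other code as an error, an idempotent "runtime and permanent" change built on the two-command pattern of Example 2, and a function that puts firewall-cmd on the lockdown whitelist and verifies it before turning lockdown on, as the warning under <option>--lockdown-on</option> requires. The <literal>FIREWALL_CMD</literal> hook, the helper names and the whitelist entry <literal>/usr/bin/firewall-cmd*</literal> are assumptions made for this example.
    </para>
    <para>
      <programlisting><![CDATA[
```shell
#!/bin/sh
# Added example, not part of firewalld.  Helpers built on the exit-code
# convention of this manual page:
#   --query-* options: 0 = true, 1 = false, any other code = an error
#   all other options: 0 = success, 2 = wrong usage, else an error code
# FIREWALL_CMD is an assumed hook so the helpers can be pointed at a
# wrapper or a test double; it defaults to the real firewall-cmd.
: "${FIREWALL_CMD:=firewall-cmd}"

# fw_query ARGS...
# Runs a --query-* option.  Returns 0 (true) or 1 (false); any other
# exit code is an error and is passed through unchanged, so a failing
# daemon or a mistyped option is never mistaken for "not present".
fw_query() {
    if "$FIREWALL_CMD" "$@"; then rc=0; else rc=$?; fi
    case "$rc" in
        0|1) ;;
        *) printf 'firewall-cmd %s: error, exit code %s\n' "$*" "$rc" 1>&2 ;;
    esac
    return "$rc"
}

# fw_ensure ITEM [EXTRA-ARGS...]
# ITEM is what follows --add-/--query-, e.g. port=443/tcp or
# service=http; EXTRA-ARGS (such as --zone=ZONE) are passed through.
# Applies the two-command pattern of Example 2 (runtime, then
# permanent), adding ITEM only in the scope where the query says it is
# missing, so the helper is safe to re-run from configuration tooling.
fw_ensure() {
    item=$1; shift
    for scope in "" --permanent; do
        # $scope is deliberately unquoted: an empty value must vanish.
        if fw_query $scope "$@" "--query-$item"; then rc=0; else rc=$?; fi
        case "$rc" in
            0) continue ;;                       # already present here
            1) "$FIREWALL_CMD" $scope "$@" "--add-$item" || return 1 ;;
            *) return "$rc" ;;                   # the query itself failed
        esac
    done
    return 0
}

# lockdown_enable_safely ENTRY
# ENTRY is the whitelist entry for firewall-cmd itself, for example
# '/usr/bin/firewall-cmd*' (assumed; the path differs between root and
# other users, see Lockdown Whitelist Options).  The entry is put on the
# whitelist in runtime and permanent configuration and re-checked with
# the real query before lockdown is turned on, because once lockdown is
# active without firewall-cmd on the whitelist only firewalld.conf can
# turn it off again.
lockdown_enable_safely() {
    entry=$1
    fw_ensure "lockdown-whitelist-command=$entry" || return 1
    if ! fw_query "--query-lockdown-whitelist-command=$entry"; then
        printf 'refusing to enable lockdown: %s is not whitelisted\n' "$entry" 1>&2
        return 1
    fi
    if fw_query --query-lockdown; then rc=0; else rc=$?; fi
    case "$rc" in
        0) return 0 ;;                           # already on
        1) "$FIREWALL_CMD" --lockdown-on ;;      # runtime and permanent
        *) return "$rc" ;;
    esac
}
```
]]></programlisting>
    </para>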
 2316   </refsect1>
 2317 
 2318   &seealso;
 2319 
 2320   &notes;
 2321 
 2322 </refentry>