From 95ccd20826d7958def0a12e4855615f86be26ee4 Mon Sep 17 00:00:00 2001 From: Lukas Raska Date: Mon, 28 Nov 2022 18:52:11 +0100 Subject: [PATCH] Correct TCP transport documentation regarding master-side filtering --- changelog/63120.fixed | 1 + doc/topics/transports/tcp.rst | 14 +++++++++++--- 2 files changed, 12 insertions(+), 3 deletions(-) create mode 100644 changelog/63120.fixed diff --git a/changelog/63120.fixed b/changelog/63120.fixed new file mode 100644 index 00000000000..80ed0d754e3 --- /dev/null +++ b/changelog/63120.fixed @@ -0,0 +1 @@ +TCP transport documentation now contains proper master/minion-side filtering information diff --git a/doc/topics/transports/tcp.rst b/doc/topics/transports/tcp.rst index 1bfff73e6f5..267b6fb012c 100644 --- a/doc/topics/transports/tcp.rst +++ b/doc/topics/transports/tcp.rst @@ -46,7 +46,7 @@ The TCP transport allows for the master/minion communication to be optionally wrapped in a TLS connection. Enabling this is simple, the master and minion need to be using the tcp connection, then the `ssl` option is enabled. The `ssl` option is passed as a dict and corresponds to the options passed to the -Python `ssl.wrap_socket ` +Python `ssl.wrap_socket `_ function. A simple setup looks like this, on the Salt Master add the `ssl` option to the @@ -58,6 +58,7 @@ master configuration file: keyfile: certfile: ssl_version: PROTOCOL_TLSv1_2 + ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384 The minimal `ssl` option in the minion configuration file looks like this: 
@@ -75,7 +76,8 @@ Specific options can be sent to the minion also, as defined in the Python While setting the ssl_version is not required, we recommend it. Some older versions of python do not support the latest TLS protocol and if this is the case for your version of python we strongly recommend upgrading your - version of Python. + version of Python. Ciphers specification might be omitted, but strongly + recommended as otherwise all available ciphers will be enabled. Crypto @@ -90,7 +92,13 @@ the remote end interprets as a one-way send. .. note:: - As of today we send all publishes to all minions and rely on minion-side filtering. + As of Salt `2016.3.0 `_, publishes using ``list`` targeting are sent only to relevant minions and not broadcasted. + + As of Salt `3005 `_, publishes using ``pcre`` and ``glob`` targeting are also sent only to relevant minions and not broadcasted. Other targeting types are always sent to all minions and rely on minion-side filtering. + +.. note:: + + Salt CLI defaults to ``glob`` targeting type, so in order to target specific minions without broadcast, you need to use `-L` option, such as ``salt -L my.minion test.ping``, for masters before 3005. Request Server and Client
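Review bot: in the hunk at `@@ -58,6 +58,7 @@` the new `ciphers:` line is added only to the master-side example, yet the prose added at `@@ -75,7 +76,8 @@` says a cipher specification is strongly recommended; the minion-side "minimal `ssl` option" example that follows is left untouched, so the text should say whether the minion needs a matching list for the two ends to negotiate a shared suite. The suite names given (ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384) are consistent with the `ssl_version: PROTOCOL_TLSv1_2` line directly above, which is worth keeping in sync if either is edited later.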
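Review bot: the added sentence in `@@ -75,7 +76,8 @@`, "Ciphers specification might be omitted, but strongly recommended as otherwise all available ciphers will be enabled.", is missing its subject in the second clause and "might" reads as uncertainty rather than permission; suggest "The ``ciphers`` option may be omitted, but we strongly recommend setting it; otherwise every cipher available to the Python ``ssl`` module is enabled." Using ``ciphers`` in double backticks also ties the sentence to the config key introduced in the example above.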
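Review bot: in `@@ -90,7 +92,13 @@` the security implication of "Other targeting types are always sent to all minions and rely on minion-side filtering" should be stated explicitly: for those targeting types (and for glob and pcre on masters before 3005) the full publish payload, including the command and its arguments, is delivered to every connected minion and only discarded there, so targeting must not be treated as a boundary that keeps job contents from other minions. Smaller points: "broadcasted" should be "broadcast" in both added sentences; `-L` is in single backticks while the other literals use double backticks, so use ``-L``; the trailing ", for masters before 3005" hangs at the end of the CLI sentence and would read better leading it ("On masters before 3005, the Salt CLI's default ``glob`` targeting is broadcast, so use ``-L`` ..."); and the two back-to-back `.. note::` directives could be merged into one.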