A little editing

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2605 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-docs2/two-interface.xml

@@ -33,6 +33,13 @@
     </legalnotice>
   </articleinfo>
 
+  <caution>
+    <para><emphasis role="bold">This article applies to Shorewall 3.0 and
+    later. If you are running a version of Shorewall earlier than Shorewall
+    3.0.0 then please see the documentation for that
+    release.</emphasis></para>
+  </caution>
+
   <section>
     <title>Introduction</title>
 
@@ -596,28 +603,33 @@ fw         net         ACCEPT</programlisting> The above policy will:
     <para>The general form of a simple port forwarding rule in <filename
     class="directory">/etc/shorewall/</filename><filename>rules</filename> is:
     <programlisting>#ACTION   SOURCE    DEST                                          PROTO      DEST PORT(S)
-DNAT      net       loc:<emphasis>&lt;server local ip address&gt;</emphasis>[:<emphasis>&lt;server port&gt;</emphasis>] <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting>
+DNAT      net       loc:<emphasis>&lt;server local ip address&gt;</emphasis>[:<emphasis>&lt;server port&gt;</emphasis>] <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting>Shorewall
-    <example label="1">
+    has macros for many popular applications. Look at
+    /usr/share/shorewall/macro.* to see what is available in your release.
+    Macros simplify creating DNAT rules by supplying the protocol and port(s)
+    as shown in the following examples.</para>
+
+    <para><example label="1">
         <title>Web Server</title>
 
         <para>You run a Web Server on computer 2 and you want to forward
         incoming <acronym>TCP</acronym> port 80 to that system:
         <programlisting>#ACTION   SOURCE    DEST             PROTO     DEST PORT(S)
-Web/DNAT  net      192.168.1.5</programlisting></para>
+Web/DNAT  net       loc:192.168.1.5</programlisting></para>
       </example> <example label="2">
         <title>FTP Server</title>
 
         <para>You run an <acronym>FTP</acronym> Server on computer 1 so you
         want to forward incoming <acronym>TCP</acronym> port 21 to that
         system: <programlisting>#ACTION    SOURCE    DEST            PROTO     DEST PORT(S)
-FTP/DNAT    net     10.10.10.1</programlisting> For <acronym>FTP</acronym>,
+FTP/DNAT   net       loc:10.10.10.1</programlisting> For
-        you will also need to have <acronym>FTP</acronym> connection tracking
+        <acronym>FTP</acronym>, you will also need to have
-        and <acronym>NAT</acronym> support in your kernel. For vendor-supplied
+        <acronym>FTP</acronym> connection tracking and <acronym>NAT</acronym>
-        kernels, this means that the <filename
+        support in your kernel. For vendor-supplied kernels, this means that
-        class="libraryfile">ip_conntrack_ftp</filename> and <filename
+        the <filename class="libraryfile">ip_conntrack_ftp</filename> and
-        class="libraryfile">ip_nat_ftp</filename> modules must be loaded.
+        <filename class="libraryfile">ip_nat_ftp</filename> modules must be
-        Shorewall will automatically load these modules if they are available
+        loaded. Shorewall will automatically load these modules if they are
-        and located in the standard place under <filename
+        available and located in the standard place under <filename
         class="directory">/lib/modules/&lt;kernel
         version&gt;/kernel/net/ipv4/netfilter</filename>.</para>
       </example> A couple of important points to keep in mind: <itemizedlist>
@@ -716,11 +728,10 @@ DNS/ACCEPT   fw        net</programlisting>This rule allows
     accept connection requests have names that begin with
     <quote>Allow</quote>.</para>
 
-    <para>You don't have to use defined actions when coding a rule in
+    <para>You don't have to use defined macros when coding a rule in
-    <filename>/etc/shorewall/rules</filename>; the generated Netfilter ruleset
+    <filename>/etc/shorewall/rules</filename>; Shorewall will start slightly
-    is slightly more efficient if you code your rules directly rather than
+    faster if you code your rules directly rather than using macros. The the
-    using defined actions. The the rule shown above could also have been coded
+    rule shown above could also have been coded as follows:<programlisting>#ACTION    SOURCE    DEST               PROTO     DEST PORT(S)
-    as follows:<programlisting>#ACTION    SOURCE    DEST               PROTO     DEST PORT(S)
 ACCEPT     fw        net                udp       53
 ACCEPT     fw        net                tcp       53</programlisting></para>
 
@@ -734,9 +745,8 @@ SSH/ACCEPT   loc       fw</programlisting> That rule allows you to run an
     from your local systems.</para>
 
     <para>If you wish to enable other connections from your firewall to other
-    systems, the general format using an <quote>Allow</quote> action is:
+    systems, the general format using a macro is: <programlisting>#ACTION         SOURCE    DEST               PROTO      DEST PORT(S)
-    <programlisting>#ACTION    SOURCE    DEST               PROTO      DEST PORT(S)
+&lt;macro&gt;/ACCEPT  fw        <emphasis>&lt;destination zone&gt;</emphasis></programlisting>The
-&lt;action&gt;   fw        <emphasis>&lt;destination zone&gt;</emphasis></programlisting>The
     general format when not using defined actions is:<programlisting>#ACTION    SOURCE    DEST               PROTO      DEST PORT(S)
 ACCEPT     fw        <emphasis>&lt;destination zone&gt; &lt;protocol&gt; &lt;port&gt;</emphasis></programlisting><example>
         <title>Web Server on Firewall</title>