Clarify logging of DNAT rules in the FAQ

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3030 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-08 08:44:05 +01:00 · 2005-11-18 22:21:53 +00:00 · 2005-11-18 22:21:53 +00:00 · 888e69b392
commit 888e69b392
parent d0feffd526
2 changed files with 14 additions and 6 deletions
--- a/Shorewall-docs2/FAQ.xml
+++ b/Shorewall-docs2/FAQ.xml
@ -17,7 +17,7 @@
      </author>
    </authorgroup>

-    <pubdate>2005-10-25</pubdate>
+    <pubdate>2005-11-18</pubdate>

    <copyright>
      <year>2001-2005</year>
@ -1082,7 +1082,14 @@ LOGBURST=""</programlisting>
            <listitem>
              <para>if accepted, the packet would be sent on eth1. If you see
              <quote>OUT=</quote> with no interface name, the packet would be
-              processed by the firewall itself.</para>
+              processed by the firewall itself. </para>
+
+              <note>
+                <para>When a DNAT rule is logged, there will never be an OUT=
+                shown because the packet is being logged before it is routed.
+                Also, DNAT logging will show the <emphasis>original</emphasis>
+                destination IP address and destination port number.</para>
+              </note>
            </listitem>
          </varlistentry>

--- a/Shorewall-docs2/Macros.xml
+++ b/Shorewall-docs2/Macros.xml
@ -141,10 +141,11 @@ ACCEPT       loc           fw           tcp     135,139,445</programlisting>
        <listitem>
          <para>If a value other than "-" appears in both the macro body and
          in the invocation of the macro, then the value in the invocation is
-          examined and the appropriate action is taken. If the value in the
-          invocation appears to be an address (IP or MAC) or the name of an
-          ipset, then it is placed after the value in the macro body.
-          Otherwise, it is placed before the value in the macro body.</para>
+          examined and the appropriate action is taken (you will want to be
+          running Shorewall 3.0.1 or later). If the value in the invocation
+          appears to be an address (IP or MAC) or the name of an ipset, then
+          it is placed after the value in the macro body. Otherwise, it is
+          placed before the value in the macro body.</para>

          <para>Example 1:</para>