From d7b00b618e2b116cda05696d73ae52b533a8e5a4 Mon Sep 17 00:00:00 2001 From: teastep Date: Sat, 1 Jan 2005 16:51:00 +0000 Subject: [PATCH] Bring masq file ipsec capability in line with documentation git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1880 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs2/Documentation.xml | 63 ++++++++++++++++++++++++++++++- 1 file changed, 62 insertions(+), 1 deletion(-) diff --git a/Shorewall-docs2/Documentation.xml b/Shorewall-docs2/Documentation.xml index 491318294..c0543a366 100644 --- a/Shorewall-docs2/Documentation.xml +++ b/Shorewall-docs2/Documentation.xml @@ -15,7 +15,7 @@ - 2004-12-11 + 2004-12-31 2001-2004 @@ -2223,6 +2223,67 @@ eth0 192.168.1.0/24 :4000-5000 tcp + + + IPSEC (Added in Shorewall version 2.2.0) + + + If you specify a value other than "-" in this column, you must + be running kernel 2.6 and your kernel and iptables must include + policy match support. + + The value in this column is a comma-separated list of options + from the following. Only packets that will be encrypted via an SA + that matches these options will have their source address + changed. + + + + Yes or yes ― Match any SA. Normally used as the only + option. + + + + reqid=<number> where + <number> is specified using setkey(8) + using the 'unique:<number>' option + for the SPD level. + + + + spi=<number> where + <number> is the SPI of the SA. + + + + proto=ah|esp|ipcomp + + + + mode=transport|tunnel + + + + tunnel-src=<address>[/<mask>] + (only available with mode=tunnel) + + + + tunnel-dst=<address>[/<mask>] + (only available with mode=tunnel) + + + + strict — Means that packets must match all rules. + + + + next — Separates rules; can only be used with + strict. + + + +