More SNAT/DNAT manpage updates

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-02-19 12:42:09 -08:00 · 2013-02-19 12:42:09 -08:00 · 524d6242b0
commit 524d6242b0
parent 2591a17946
2 changed files with 130 additions and 100 deletions
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@ -893,9 +893,6 @@
              </listitem>
            </orderedlist></para>
          <blockquote>
            <para/>
          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
          role="bold">+]|[-</emphasis>] is specified, the server may be
          further restricted to a particular network, host or interface by
@ -906,13 +903,8 @@
          through use of an <emphasis>exclusion</emphasis> (see <ulink
          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
-            <para>Restrictions:</para>
+          <para>Restriction: MAC addresses are not allowed (this is a
-
+          Netfilter restriction).</para>
            <para>1. MAC addresses are not allowed (this is a Netfilter
            restriction).</para>
            <para>2. You may not specify both an interface and an
            address.</para>
          <para>Like in the <emphasis role="bold">SOURCE</emphasis> column,
          you may specify a range of IP addresses using the syntax
@ -923,8 +915,8 @@
          addresses in the range in a round-robin fashion.</para>
          <para>If you kernel and iptables have ipset match support then you
-            may give the name of an ipset prefaced by "+". The ipset name may
+          may give the name of an ipset prefaced by "+". The ipset name may be
-            be optionally followed by a number from 1 to 6 enclosed in square
+          optionally followed by a number from 1 to 6 enclosed in square
          brackets ([]) to indicate the number of levels of destination
          bindings to be matched. Only one of the <emphasis
          role="bold">SOURCE</emphasis> and <emphasis
@ -970,11 +962,10 @@
          <para>If the <emphasis role="bold">ACTION</emphasis> is <emphasis
          role="bold">REDIRECT</emphasis> or <emphasis
-            role="bold">REDIRECT-</emphasis>, this column needs only to
+          role="bold">REDIRECT-</emphasis>, this column needs only to contain
-            contain the port number on the firewall that the request should be
+          the port number on the firewall that the request should be
          redirected to. That is equivalent to specifying
          <option>$FW</option>::<replaceable>port</replaceable>.</para>
          </blockquote>
        </listitem>
      </varlistentry>
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@ -182,7 +182,8 @@
                role="bold">DNAT</emphasis>[<emphasis
                role="bold">-</emphasis>] or <emphasis
                role="bold">REDIRECT</emphasis>[<emphasis
-                role="bold">-</emphasis>] rules.</para>
+                role="bold">-</emphasis>] rules. Requires Shorewall 4.5.14 or
                later.</para>
              </listitem>
            </varlistentry>
@ -351,7 +352,7 @@
              <listitem>
                <para>Forward the request to another system (and optionally
-                another port).</para>
+                another port). Requires Shorewall 4.5.14 or later.</para>
              </listitem>
            </varlistentry>
@ -364,7 +365,8 @@
                <para>Like <emphasis role="bold">DNAT</emphasis> but only
                generates the <emphasis role="bold">DNAT</emphasis> iptables
                rule and not the companion <emphasis
-                role="bold">ACCEPT</emphasis> rule.</para>
+                role="bold">ACCEPT</emphasis> rule. Requires Shorewall 4.5.14
                or later.</para>
              </listitem>
            </varlistentry>
@ -481,7 +483,8 @@
                <para>Excludes the connection from any subsequent <emphasis
                role="bold">DNAT</emphasis>[-] or <emphasis
                role="bold">REDIRECT</emphasis>[-] rules but doesn't generate
-                a rule to accept the traffic.</para>
+                a rule to accept the traffic. Requires Shorewall 4.5.14 or
                later.</para>
              </listitem>
            </varlistentry>
@ -510,7 +513,7 @@
              <listitem>
                <para>Redirect the request to a server running on the
-                firewall.</para>
+                firewall. Requires Shorewall 4.5.14 or later.</para>
              </listitem>
            </varlistentry>
@ -523,7 +526,8 @@
                <para>Like <emphasis role="bold">REDIRECT</emphasis> but only
                generates the <emphasis role="bold">REDIRECT</emphasis>
                iptables rule and not the companion <emphasis
-                role="bold">ACCEPT</emphasis> rule.</para>
+                role="bold">ACCEPT</emphasis> rule. Requires Shorewall 4.5.14
                or later.</para>
              </listitem>
            </varlistentry>
@ -780,7 +784,8 @@
        role="bold">-</emphasis>]}<emphasis
        role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
        role="bold">:<option>&lt;</option></emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]<option>&gt;</option>|<emphasis>exclusion</emphasis>|<emphasis
-        role="bold">+</emphasis><emphasis>ipset</emphasis>|^<emphasis>countrycode-list</emphasis>}</emphasis></term>
+        role="bold">+</emphasis><emphasis>ipset</emphasis>|^<emphasis>countrycode-list</emphasis>}[<option>:</option><replaceable>port</replaceable>[:<emphasis
        role="bold">random</emphasis>]]</emphasis></term>
        <listitem>
          <para>Location of Server. May be a zone declared in <ulink
@ -845,7 +850,6 @@
              </listitem>
            </orderedlist></para>
          <blockquote>
          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
          role="bold">+]|[-</emphasis>] is specified, the server may be
          further restricted to a particular network, host or interface by
@ -856,20 +860,55 @@
          through use of an <emphasis>exclusion</emphasis> (see <ulink
          url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
-            <para>Restrictions:</para>
+          <para>Restriction: MAC addresses are not allowed (this is a
          Netfilter restriction).</para>
-            <para>1. MAC addresses are not allowed (this is a Netfilter
+          <para>If you kernel and ip6tables have ipset match support then you
-            restriction).</para>
+          may give the name of an ipset prefaced by "+". The ipset name may be
-
+          optionally followed by a number from 1 to 6 enclosed in square
-            <para>If you kernel and ip6tables have ipset match support then
+          brackets ([]) to indicate the number of levels of destination
-            you may give the name of an ipset prefaced by "+". The ipset name
+          bindings to be matched. Only one of the <emphasis
            may be optionally followed by a number from 1 to 6 enclosed in
            square brackets ([]) to indicate the number of levels of
            destination bindings to be matched. Only one of the <emphasis
          role="bold">SOURCE</emphasis> and <emphasis
          role="bold">DEST</emphasis> columns may specify an ipset
          name.</para>
-          </blockquote>
+
          <para>The <replaceable>port</replaceable> that the server is
          listening on may be included and separated from the server's IP
          address by ":". If omitted, the firewall will not modifiy the
          destination port. A destination port may only be included if the
          <emphasis role="bold">ACTION</emphasis> is <emphasis
          role="bold">DNAT</emphasis> or <emphasis
          role="bold">REDIRECT</emphasis>.</para>
          <variablelist>
            <varlistentry>
              <term>Example:</term>
              <listitem>
                <para><emphasis
                role="bold">loc:[2001:470:b:227::44]:3128</emphasis> specifies
                a local server at IP address 2001:470:b:227::44 and listening
                on port 3128.</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>The <emphasis>port</emphasis> may be specified as a service
          name. You may specify a port range in the form
          <emphasis>lowport-highport</emphasis> to cause connections to be
          assigned to ports in the range in round-robin fashion. When a port
          range is specified, <emphasis>lowport</emphasis> and
          <emphasis>highport</emphasis> must be given as integers; service
          names are not permitted. Additionally, the port range may be
          optionally followed by <emphasis role="bold">:random</emphasis>
          which causes assignment to ports in the list to be random.</para>
          <para>If the <emphasis role="bold">ACTION</emphasis> is <emphasis
          role="bold">REDIRECT</emphasis> or <emphasis
          role="bold">REDIRECT-</emphasis>, this column needs only to contain
          the port number on the firewall that the request should be
          redirected to. That is equivalent to specifying
          <option>$FW</option>::<replaceable>port</replaceable>.</para>
        </listitem>
      </varlistentry>