More SNAT/DNAT manpage updates

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/manpages/shorewall-rules.xml

@@ -893,88 +893,79 @@
               </listitem>
             </orderedlist></para>
 
-          <blockquote>
+          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
-            <para/>
+          role="bold">+]|[-</emphasis>] is specified, the server may be
+          further restricted to a particular network, host or interface by
+          appending ":" and the network, host or interface. See <emphasis
+          role="bold">SOURCE</emphasis> above.</para>
 
-            <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
+          <para>You may exclude certain hosts from the set already defined
-            role="bold">+]|[-</emphasis>] is specified, the server may be
+          through use of an <emphasis>exclusion</emphasis> (see <ulink
-            further restricted to a particular network, host or interface by
+          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
-            appending ":" and the network, host or interface. See <emphasis
-            role="bold">SOURCE</emphasis> above.</para>
 
-            <para>You may exclude certain hosts from the set already defined
+          <para>Restriction: MAC addresses are not allowed (this is a
-            through use of an <emphasis>exclusion</emphasis> (see <ulink
+          Netfilter restriction).</para>
-            url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
 
-            <para>Restrictions:</para>
+          <para>Like in the <emphasis role="bold">SOURCE</emphasis> column,
+          you may specify a range of IP addresses using the syntax
+          <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
+          When the <emphasis role="bold">ACTION</emphasis> is <emphasis
+          role="bold">DNAT</emphasis> or <emphasis
+          role="bold">DNAT-</emphasis>, the connections will be assigned to
+          addresses in the range in a round-robin fashion.</para>
 
-            <para>1. MAC addresses are not allowed (this is a Netfilter
+          <para>If you kernel and iptables have ipset match support then you
-            restriction).</para>
+          may give the name of an ipset prefaced by "+". The ipset name may be
+          optionally followed by a number from 1 to 6 enclosed in square
+          brackets ([]) to indicate the number of levels of destination
+          bindings to be matched. Only one of the <emphasis
+          role="bold">SOURCE</emphasis> and <emphasis
+          role="bold">DEST</emphasis> columns may specify an ipset
+          name.</para>
 
-            <para>2. You may not specify both an interface and an
+          <para>Beginning with Shorewall 4.4.17, the primary IP address of a
-            address.</para>
+          firewall interface can be specified by an apersand ('&amp;')
+          followed by the logical name of the interface as found in the
+          INTERFACE column of <ulink
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>
+          (5).</para>
 
-            <para>Like in the <emphasis role="bold">SOURCE</emphasis> column,
+          <para>The <replaceable>port</replaceable> that the server is
-            you may specify a range of IP addresses using the syntax
+          listening on may be included and separated from the server's IP
-            <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
+          address by ":". If omitted, the firewall will not modifiy the
-            When the <emphasis role="bold">ACTION</emphasis> is <emphasis
+          destination port. A destination port may only be included if the
-            role="bold">DNAT</emphasis> or <emphasis
+          <emphasis role="bold">ACTION</emphasis> is <emphasis
-            role="bold">DNAT-</emphasis>, the connections will be assigned to
+          role="bold">DNAT</emphasis> or <emphasis
-            addresses in the range in a round-robin fashion.</para>
+          role="bold">REDIRECT</emphasis>.</para>
 
-            <para>If you kernel and iptables have ipset match support then you
+          <variablelist>
-            may give the name of an ipset prefaced by "+". The ipset name may
+            <varlistentry>
-            be optionally followed by a number from 1 to 6 enclosed in square
+              <term>Example:</term>
-            brackets ([]) to indicate the number of levels of destination
-            bindings to be matched. Only one of the <emphasis
-            role="bold">SOURCE</emphasis> and <emphasis
-            role="bold">DEST</emphasis> columns may specify an ipset
-            name.</para>
 
-            <para>Beginning with Shorewall 4.4.17, the primary IP address of a
+              <listitem>
-            firewall interface can be specified by an apersand ('&amp;')
+                <para><emphasis role="bold">loc:192.168.1.3:3128</emphasis>
-            followed by the logical name of the interface as found in the
+                specifies a local server at IP address 192.168.1.3 and
-            INTERFACE column of <ulink
+                listening on port 3128.</para>
-            url="shorewall-interfaces.html">shorewall-interfaces</ulink>
+              </listitem>
-            (5).</para>
+            </varlistentry>
+          </variablelist>
 
-            <para>The <replaceable>port</replaceable> that the server is
+          <para>The <emphasis>port</emphasis> may be specified as a service
-            listening on may be included and separated from the server's IP
+          name. You may specify a port range in the form
-            address by ":". If omitted, the firewall will not modifiy the
+          <emphasis>lowport-highport</emphasis> to cause connections to be
-            destination port. A destination port may only be included if the
+          assigned to ports in the range in round-robin fashion. When a port
-            <emphasis role="bold">ACTION</emphasis> is <emphasis
+          range is specified, <emphasis>lowport</emphasis> and
-            role="bold">DNAT</emphasis> or <emphasis
+          <emphasis>highport</emphasis> must be given as integers; service
-            role="bold">REDIRECT</emphasis>.</para>
+          names are not permitted. Additionally, the port range may be
+          optionally followed by <emphasis role="bold">:random</emphasis>
+          which causes assignment to ports in the list to be random.</para>
 
-            <variablelist>
+          <para>If the <emphasis role="bold">ACTION</emphasis> is <emphasis
-              <varlistentry>
+          role="bold">REDIRECT</emphasis> or <emphasis
-                <term>Example:</term>
+          role="bold">REDIRECT-</emphasis>, this column needs only to contain
-
+          the port number on the firewall that the request should be
-                <listitem>
+          redirected to. That is equivalent to specifying
-                  <para><emphasis role="bold">loc:192.168.1.3:3128</emphasis>
+          <option>$FW</option>::<replaceable>port</replaceable>.</para>
-                  specifies a local server at IP address 192.168.1.3 and
-                  listening on port 3128.</para>
-                </listitem>
-              </varlistentry>
-            </variablelist>
-
-            <para>The <emphasis>port</emphasis> may be specified as a service
-            name. You may specify a port range in the form
-            <emphasis>lowport-highport</emphasis> to cause connections to be
-            assigned to ports in the range in round-robin fashion. When a port
-            range is specified, <emphasis>lowport</emphasis> and
-            <emphasis>highport</emphasis> must be given as integers; service
-            names are not permitted. Additionally, the port range may be
-            optionally followed by <emphasis role="bold">:random</emphasis>
-            which causes assignment to ports in the list to be random.</para>
-
-            <para>If the <emphasis role="bold">ACTION</emphasis> is <emphasis
-            role="bold">REDIRECT</emphasis> or <emphasis
-            role="bold">REDIRECT-</emphasis>, this column needs only to
-            contain the port number on the firewall that the request should be
-            redirected to. That is equivalent to specifying
-            <option>$FW</option>::<replaceable>port</replaceable>.</para>
-          </blockquote>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6-rules.xml

@@ -182,7 +182,8 @@
                 role="bold">DNAT</emphasis>[<emphasis
                 role="bold">-</emphasis>] or <emphasis
                 role="bold">REDIRECT</emphasis>[<emphasis
-                role="bold">-</emphasis>] rules.</para>
+                role="bold">-</emphasis>] rules. Requires Shorewall 4.5.14 or
+                later.</para>
               </listitem>
             </varlistentry>
 
@@ -351,7 +352,7 @@
 
               <listitem>
                 <para>Forward the request to another system (and optionally
-                another port).</para>
+                another port). Requires Shorewall 4.5.14 or later.</para>
               </listitem>
             </varlistentry>
 
@@ -364,7 +365,8 @@
                 <para>Like <emphasis role="bold">DNAT</emphasis> but only
                 generates the <emphasis role="bold">DNAT</emphasis> iptables
                 rule and not the companion <emphasis
-                role="bold">ACCEPT</emphasis> rule.</para>
+                role="bold">ACCEPT</emphasis> rule. Requires Shorewall 4.5.14
+                or later.</para>
               </listitem>
             </varlistentry>
 
@@ -481,7 +483,8 @@
                 <para>Excludes the connection from any subsequent <emphasis
                 role="bold">DNAT</emphasis>[-] or <emphasis
                 role="bold">REDIRECT</emphasis>[-] rules but doesn't generate
-                a rule to accept the traffic.</para>
+                a rule to accept the traffic. Requires Shorewall 4.5.14 or
+                later.</para>
               </listitem>
             </varlistentry>
 
@@ -510,7 +513,7 @@
 
               <listitem>
                 <para>Redirect the request to a server running on the
-                firewall.</para>
+                firewall. Requires Shorewall 4.5.14 or later.</para>
               </listitem>
             </varlistentry>
 
@@ -523,7 +526,8 @@
                 <para>Like <emphasis role="bold">REDIRECT</emphasis> but only
                 generates the <emphasis role="bold">REDIRECT</emphasis>
                 iptables rule and not the companion <emphasis
-                role="bold">ACCEPT</emphasis> rule.</para>
+                role="bold">ACCEPT</emphasis> rule. Requires Shorewall 4.5.14
+                or later.</para>
               </listitem>
             </varlistentry>
 
@@ -780,7 +784,8 @@
         role="bold">-</emphasis>]}<emphasis
         role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
         role="bold">:<option>&lt;</option></emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]<option>&gt;</option>|<emphasis>exclusion</emphasis>|<emphasis
-        role="bold">+</emphasis><emphasis>ipset</emphasis>|^<emphasis>countrycode-list</emphasis>}</emphasis></term>
+        role="bold">+</emphasis><emphasis>ipset</emphasis>|^<emphasis>countrycode-list</emphasis>}[<option>:</option><replaceable>port</replaceable>[:<emphasis
+        role="bold">random</emphasis>]]</emphasis></term>
 
         <listitem>
           <para>Location of Server. May be a zone declared in <ulink
@@ -845,31 +850,65 @@
               </listitem>
             </orderedlist></para>
 
-          <blockquote>
+          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
-            <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
+          role="bold">+]|[-</emphasis>] is specified, the server may be
-            role="bold">+]|[-</emphasis>] is specified, the server may be
+          further restricted to a particular network, host or interface by
-            further restricted to a particular network, host or interface by
+          appending ":" and the network, host or interface. See <emphasis
-            appending ":" and the network, host or interface. See <emphasis
+          role="bold">SOURCE</emphasis> above.</para>
-            role="bold">SOURCE</emphasis> above.</para>
 
-            <para>You may exclude certain hosts from the set already defined
+          <para>You may exclude certain hosts from the set already defined
-            through use of an <emphasis>exclusion</emphasis> (see <ulink
+          through use of an <emphasis>exclusion</emphasis> (see <ulink
-            url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
+          url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
 
-            <para>Restrictions:</para>
+          <para>Restriction: MAC addresses are not allowed (this is a
+          Netfilter restriction).</para>
 
-            <para>1. MAC addresses are not allowed (this is a Netfilter
+          <para>If you kernel and ip6tables have ipset match support then you
-            restriction).</para>
+          may give the name of an ipset prefaced by "+". The ipset name may be
+          optionally followed by a number from 1 to 6 enclosed in square
+          brackets ([]) to indicate the number of levels of destination
+          bindings to be matched. Only one of the <emphasis
+          role="bold">SOURCE</emphasis> and <emphasis
+          role="bold">DEST</emphasis> columns may specify an ipset
+          name.</para>
 
-            <para>If you kernel and ip6tables have ipset match support then
+          <para>The <replaceable>port</replaceable> that the server is
-            you may give the name of an ipset prefaced by "+". The ipset name
+          listening on may be included and separated from the server's IP
-            may be optionally followed by a number from 1 to 6 enclosed in
+          address by ":". If omitted, the firewall will not modifiy the
-            square brackets ([]) to indicate the number of levels of
+          destination port. A destination port may only be included if the
-            destination bindings to be matched. Only one of the <emphasis
+          <emphasis role="bold">ACTION</emphasis> is <emphasis
-            role="bold">SOURCE</emphasis> and <emphasis
+          role="bold">DNAT</emphasis> or <emphasis
-            role="bold">DEST</emphasis> columns may specify an ipset
+          role="bold">REDIRECT</emphasis>.</para>
-            name.</para>
+
-          </blockquote>
+          <variablelist>
+            <varlistentry>
+              <term>Example:</term>
+
+              <listitem>
+                <para><emphasis
+                role="bold">loc:[2001:470:b:227::44]:3128</emphasis> specifies
+                a local server at IP address 2001:470:b:227::44 and listening
+                on port 3128.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>The <emphasis>port</emphasis> may be specified as a service
+          name. You may specify a port range in the form
+          <emphasis>lowport-highport</emphasis> to cause connections to be
+          assigned to ports in the range in round-robin fashion. When a port
+          range is specified, <emphasis>lowport</emphasis> and
+          <emphasis>highport</emphasis> must be given as integers; service
+          names are not permitted. Additionally, the port range may be
+          optionally followed by <emphasis role="bold">:random</emphasis>
+          which causes assignment to ports in the list to be random.</para>
+
+          <para>If the <emphasis role="bold">ACTION</emphasis> is <emphasis
+          role="bold">REDIRECT</emphasis> or <emphasis
+          role="bold">REDIRECT-</emphasis>, this column needs only to contain
+          the port number on the firewall that the request should be
+          redirected to. That is equivalent to specifying
+          <option>$FW</option>::<replaceable>port</replaceable>.</para>
         </listitem>
       </varlistentry>