diff --git a/docs/ISO-3661.xml b/docs/ISO-3661.xml index bc172765a..978c2ee70 100644 --- a/docs/ISO-3661.xml +++ b/docs/ISO-3661.xml @@ -57,12 +57,37 @@ Using this feature requires the GeoIP Match capability in your iptables and kernel. As of this writing, that capability requires installing xtables-addons and - building a + url="http://xtables-addons.sourceforge.net/">xtables-addons 1.33 + or later and creating a country-code database. - The country codes recognized by Shorewall as of Shorewall 4.5.4 are - shown in the following two sections. + The Shorewall compiler uses the geoip country-code database to + determine the valid set of two-character alphanumeric country codes. The + location of that database is currently hard-coded in xtables-addons as + /usr/share/xt_geoip/. Within that directory are two + sub-directories: + + + + LE -- contains the little-endian database + + + + BE -- contains the big-endian database + + + + To accomodate both big-endian and little-endian machines as well as + any future ability to install the database at another location, Shorewall + supports a GEOIPDIR option in shorewall.conf (5) and shorewall6.conf (5). The + default value of that option is + /usr/share/xt_geoip/LE. + + The country codes at the time of this writing are shown in the + following two sections.