From 910c260cb386e1cb09a919814f5cc4ed7992ab95 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 16 Apr 2009 13:19:16 -0700 Subject: [PATCH] Document FORMAT 2 and the ORIGINAL DEST column --- docs/Macros.xml | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/docs/Macros.xml b/docs/Macros.xml index 37a8e722f..f32323fa8 100644 --- a/docs/Macros.xml +++ b/docs/Macros.xml @@ -465,6 +465,45 @@ ACCEPT fw loc tcp 135,139,445 action rule. + + ORIGINAL DEST (Shorewall-perl 4.2.0 and later) + + To use this column, you must include 'FORMAT 2' as the first + non-comment line in your macro file. + + If ACTION is DNAT[-] or REDIRECT[-] then if this column is + included and is different from the IP address given in the SERVER + column, then connections destined for that address will be forwarded + to the IP and port specified in the DEST column. + + A comma-separated list of addresses may also be used. This is + most useful with the REDIRECT target where you want to redirect + traffic destined for particular set of hosts. Finally, if the list of + addresses begins with "!" (exclusion) then the rule will be followed + only if the original destination address in the connection request + does not match any of the addresses listed. + + For other actions, this column may be included and may contain + one or more addresses (host or network) separated by commas. Address + ranges are not allowed. When this column is supplied, rules are + generated that require that the original destination address matches + one of the listed addresses. This feature is most useful when you want + to generate a filter rule that corresponds to a DNAT- or REDIRECT- + rule. In this usage, the list of addresses should not begin with + "!". + + It is also possible to specify a set of addresses then exclude + part of those addresses. For example, 192.168.1.0/24!192.168.1.16/28 + specifies the addresses 192.168.1.0-182.168.1.15 and + 192.168.1.32-192.168.1.255. See shorewall-exclusion(5). + + See http://shorewall.net/PortKnocking.html + for an example of using an entry in this column with a user-defined + action rule. + + RATE LIMIT - You may rate-limit the rule by placing a value in this column: