diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 8bf8f4718..bf5a245a7 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1682,14 +1682,13 @@ sub generate_loopback_rules1( $$$$ ) {
for my $typeref ( values %{$dest_hosts_ref} ) {
for my $hostref ( @{$typeref->{'%vserver%'}} ) {
- my $ipsec_match = match_ipsec_out $z2 , $hostref;
my $exclusion = dest_exclusion( $hostref->{exclusions}, $chain);
for my $net ( @{$hostref->{hosts}} ) {
add_jump( $chainref,
$exclusion ,
0,
- join('', $match, $ipsec_match,, match_dest_net( $net ) ) )
+ join('', $match, match_dest_net( $net ) ) )
}
}
}
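Review bot: With `$ipsec_match` dropped from the `join` passed to `add_jump`, a vserver host entry that still carries the `ipsec` option would now get a jump that matches regardless of IPsec policy, and nothing in this hunk rejects that option. The docs change in the same commit says the option may not be specified for these zones, so the compiler should reject it with a fatal configuration error where vserver hosts are parsed; that check may already exist elsewhere, but this diff does not show it. A short comment above the inner loop would also record why the match is absent, e.g. `# vserver hosts are associated with lo; ipsec is not permitted on them, so no match_ipsec_out here`. `generate_loopback_rules1` begins outside the hunk and may continue past it, so whether `$z2` is still used after this removal cannot be confirmed from here.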
diff --git a/docs/Vserver.xml b/docs/Vserver.xml
index 10c279cf2..aa5848e1a 100644
--- a/docs/Vserver.xml
+++ b/docs/Vserver.xml
@@ -53,8 +53,9 @@
Their contents must be defined using the shorewall-hosts (5)
- file.
+ url="manpages/shorewall-hosts.html">shorewall-hosts (5) file.
+ The ipsec option may not be
+ specified.
@@ -82,6 +83,31 @@
applications. Such connections will appear to come from the $FW zone
rather than the intended Vserver zone.
+
+
+ While you can define the vservers to be associated with the
+ network interface where their IP addresses are added at vserver
+ startup time, Shorewall internally associates all vservers with the
+ loopback interface (lo). Here's an
+ example of how that association can show up:
+
+ gateway:~# shorewall show zones
+Shorewall 4.4.11-Beta2 Zones at gateway - Fri Jul 2 12:26:30 PDT 2010
+
+fw (firewall)
+drct (ipv4)
+ eth4:+drct_eth4
+loc (ipv4)
+ eth4:0.0.0.0/0
+net (ipv4)
+ eth1:0.0.0.0/0
+vpn (ipv4)
+ tun+:0.0.0.0/0
+dmz (vserver)
+ lo:70.90.191.124/31
+
+gateway:~#
+