diff --git a/Shorewall-docs2/Documentation.xml b/Shorewall-docs2/Documentation.xml
index 491318294..c0543a366 100644
--- a/Shorewall-docs2/Documentation.xml
+++ b/Shorewall-docs2/Documentation.xml
@@ -15,7 +15,7 @@
- 2004-12-11
+ 2004-12-31
 2001-2004
@@ -2223,6 +2223,67 @@ eth0 192.168.1.0/24 :4000-5000 tcp
+
+
+ IPSEC (Added in Shorewall version 2.2.0)
+
+
+ If you specify a value other than "-" in this column, you must
+ be running kernel 2.6 and your kernel and iptables must include
+ policy match support.
+
+ The value in this column is a comma-separated list of options
+ from the following. Only packets that will be encrypted via an SA
+ that matches these options will have their source address
+ changed.
+
+
+
+ Yes or yes ― Match any SA. Normally used as the only
+ option.
+
+
+
+ reqid=<number> where
+ <number> is specified using setkey(8)
+ using the 'unique:<number>' option
+ for the SPD level.
+
+
+
+ spi=<number> where
+ <number> is the SPI of the SA.
+
+
+
+ proto=ah|esp|ipcomp
+
+
+
+ mode=transport|tunnel
+
+
+
+ tunnel-src=<address>[/<mask>]
+ (only available with mode=tunnel)
+
+
+
+ tunnel-dst=<address>[/<mask>]
+ (only available with mode=tunnel)
+
+
+
+ strict — Means that packets must match all rules.
+
+
+
+ next — Separates rules; can only be used with
+ strict.
+
+
+
+