Bring masq file ipsec capability in line with documentation
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1880 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
db822c621e
commit
d7b00b618e
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-12-11</pubdate>
|
||||
<pubdate>2004-12-31</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -2223,6 +2223,67 @@ eth0 192.168.1.0/24 :4000-5000 tcp</programlisting>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>IPSEC (Added in Shorewall version 2.2.0)</term>
|
||||
|
||||
<listitem>
|
||||
<para>If you specify a value other than "-" in this column, you must
|
||||
be running kernel 2.6 and your kernel and iptables must include
|
||||
policy match support.</para>
|
||||
|
||||
<para>The value in this column is a comma-separated list of options
|
||||
from the following. Only packets that will be encrypted via an SA
|
||||
that matches these options will have their source address
|
||||
changed.</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Yes or yes ― Match any SA. Normally used as the only
|
||||
option.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>reqid=<<emphasis>number</emphasis>> where
|
||||
<<emphasis>number</emphasis>> is specified using setkey(8)
|
||||
using the 'unique:<<emphasis>number</emphasis>>' option
|
||||
for the SPD level.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>spi=<<emphasis>number</emphasis>> where
|
||||
<<emphasis>number</emphasis>> is the SPI of the SA.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>proto=ah|esp|ipcomp</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>mode=transport|tunnel</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>tunnel-src=<<emphasis>address</emphasis>>[/<<emphasis>mask</emphasis>>]
|
||||
(only available with mode=tunnel)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>tunnel-dst=<<emphasis>address</emphasis>>[/<<emphasis>mask</emphasis>>]
|
||||
(only available with mode=tunnel)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>strict — Means that packets must match all rules.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>next — Separates rules; can only be used with
|
||||
strict.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<example>
|
||||
|