path: root/extensions/
diff options
Diffstat (limited to 'extensions/')
1 files changed, 10 insertions, 7 deletions
diff --git a/extensions/ b/extensions/
index daef78f..7b34799 100644
--- a/extensions/
+++ b/extensions/
@@ -7,7 +7,7 @@ modified (and all future packets in this connection will also be
mangled), and rules should cease being examined. It takes one type
of option:
-.BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]" [ "--random" ]
+.BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
which can specify a single new source IP address, an inclusive range
of IP addresses, and optionally, a port range (which is only valid if
the rule also specifies
@@ -17,15 +17,18 @@ or
If no port range is specified, then source ports below 512 will be
mapped to other ports below 512: those between 512 and 1023 inclusive
will be mapped to ports below 1024, and other ports will be mapped to
-1024 or above. Where possible, no port alteration will If option
-.B "--random"
-is used then port mapping will be forcely randomized to avoid
-attacks based on port prediction (kernel >= 2.6.21).
+1024 or above. Where possible, no port alteration will
In Kernels up to 2.6.10, you can add several --to-source options. For those
kernels, if you specify more than one source address, either via an address
range or multiple --to-source options, a simple round-robin (one after another
in cycle) takes place between these addresses.
Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges
+.BR "--random"
+If option
+.B "--random"
+is used then port mapping will be randomized (kernel >= 2.6.21).