diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml index d67dce2b0..3d6190a96 100644 --- a/docs/MultiISP.xml +++ b/docs/MultiISP.xml @@ -926,7 +926,7 @@ MARK(2) $FW 0.0.0.0/0 tcp 25 If you are running a Shorewall version earlier than 4.6.0, the above rules in /etc/shorewall/tcrules + url="manpages4/manpages/shorewall-tcrules.html">/etc/shorewall/tcrules would be: #ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST @@ -1771,7 +1771,7 @@ ISP2 2 2 - eth1 130.252.99.254 track except when you explicitly direct it to use the other provider via shorewall-rtrules (5) or shorewall-mangle + url="manpages4/manpages/shorewall-tcrules.html">shorewall-mangle (5). Example (send all traffic through the 'shorewall' provider unless @@ -1950,7 +1950,7 @@ ONBOOT=yes url="manpages/shorewall-providers.html">shorewall-providers (5) is available in the form of a PROBABILITY column in shorewall-mangle(5) (shorewall-tcrules) (5). + url="manpages4/manpages/shorewall-tcrules.html">shorewall-tcrules) (5). This feature requires the Statistic Match capability in your iptables and kernel. diff --git a/docs/PacketHandling.xml b/docs/PacketHandling.xml index 7fcbcd88b..e150783f7 100644 --- a/docs/PacketHandling.xml +++ b/docs/PacketHandling.xml @@ -186,7 +186,7 @@ Packets are marked based on the contents of your - /etc/shorewall/tcrules file and the setting of + /etc/shorewall/mangle file and the setting of MARK_IN_FORWARD_CHAIN in /etc/shorewall/shorewall.conf. This occurs in the tcfor chain of the @@ -261,7 +261,7 @@ Packets are marked based on the contents of your - /etc/shorewall/tcrules file. This occurs in the + /etc/shorewall/mangle file. This occurs in the tcout chain of the mangle table. diff --git a/docs/QOSExample.xml b/docs/QOSExample.xml index 69c6763d9..2f034d58c 100644 --- a/docs/QOSExample.xml +++ b/docs/QOSExample.xml @@ -289,9 +289,9 @@ ip link set ifb0 up
- /etc/shorewall/tcrules + /etc/shorewall/mangle - The tcrules file classifies upload packets: + The mangle file classifies upload packets: #MARK SOURCE DEST PROTO DEST SOURCE USER TEST # PORT(S) PORT(S) diff --git a/docs/Shorewall_Squid_Usage.xml b/docs/Shorewall_Squid_Usage.xml index b300aee67..c6d48cd18 100644 --- a/docs/Shorewall_Squid_Usage.xml +++ b/docs/Shorewall_Squid_Usage.xml @@ -248,7 +248,8 @@ MARK(202):P eth1:!192.168.1.3 0.0.0.0/0 tcp 80 If you are still using a tcrules file, you should consider switching to using a mangle file (shorewall update - -t will do that for you). Corresponding + -t (shorewall update on + Shorewall 5.0 and later) will do that for you). Corresponding /etc/shorewall/tcrules entries are: #MARK SOURCE DEST PROTO DEST diff --git a/docs/Shorewall_and_Routing.xml b/docs/Shorewall_and_Routing.xml index 7678a617b..d42da77e8 100644 --- a/docs/Shorewall_and_Routing.xml +++ b/docs/Shorewall_and_Routing.xml @@ -91,7 +91,7 @@ Packets may be marked using entries in the /etc/shorewall/mangle (/etc/shorewall/tcrules) + url="manpages4/manpages/shorewall-tcrules.html">/etc/shorewall/tcrules) file. Entries in that file containing ":P" in the mark column are applied here as are rules that default to the MARK_IN_FORWARD_CHAIN=No setting in @@ -145,9 +145,9 @@ Packets may be marked using entries in the /etc/shorewall/mangle + url="manpages4/manpages/shorewall-tcrules.html">/etc/shorewall/mangle (/etc/shorewall/tcrules) + url="manpages4/manpages/shorewall-tcrules.html">/etc/shorewall/tcrules) file (rules with "$FW" in the SOURCE column). These marks may be used to specify that the packet should be re-routed using an alternate routing table. diff --git a/docs/traffic_shaping.xml b/docs/traffic_shaping.xml index a6e99a3e4..0012fb676 100644 --- a/docs/traffic_shaping.xml +++ b/docs/traffic_shaping.xml 
@@ -184,7 +184,7 @@ you set WIDE_TC_MARKS=Yes in shorewall.conf (5) ). You assign packet marks to different types of traffic using entries in the - /etc/shorewall/tcrules file (Shorewall 4.6.0 or + /etc/shorewall/mangle file (Shorewall 4.6.0 or later) or /etc/shorewall/tcrules (Prior to Shorewall 4.6.0). @@ -202,7 +202,7 @@ One class for each interface must be designated as the default class. This is the class to which unmarked traffic (packets to which you have not assigned a mark value in - /etc/shorewall/tcrules) is assigned. + /etc/shorewall/mangle) is assigned. Netfilter also supports a mark value on each connection. You can assign connection mark values in @@ -226,10 +226,10 @@ This screen shot shows how I configured QoS in a 2.6.16 Kernel: - + And here's my recommendation for a 2.6.21 kernel: + align="center" fileref="images/traffic_shaping2.6.21.png"/>
@@ -501,7 +501,7 @@ - + <para>Suppose you are using PPP over Ethernet (DSL) and ppp0 is the interface for this. The device has an outgoing bandwidth of 500kbit @@ -839,13 +839,13 @@ ppp0 6000kbit 500kbit</programlisting> <para>Also unlike rules in the <ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file, - the tcrules file is not stateful. So every packet that goes into, out - of or through your firewall is subject to entries in the tcrules - file.</para> + the mangle (tcrules) file is not stateful. So every packet that goes + into, out of or through your firewall is subject to entries in the + mangle (tcrules) file.</para> - <para>Because tcrules are not stateful, it is necessary to understand - basic IP socket operation. Here is an edited excerpt from a post on - the Shorewall Users list:<blockquote> + <para>Because mangle (tcrules) entries are not stateful, it is + necessary to understand basic IP socket operation. Here is an edited + excerpt from a post on the Shorewall Users list:<blockquote> <para>For the purposes of this discussion, the world is separated into clients and servers. Servers provide services to clients.</para> 
@@ -898,10 +898,12 @@ ppp0 6000kbit 500kbit</programlisting> </important> <para>The fwmark classifier provides a convenient way to classify - packets for traffic shaping. The <quote>/etc/shorewall/tcrules</quote> - file is used for specifying these marks in a tabular fashion. For an - in-depth look at the packet marking facility in Netfilter/Shorewall, - please see <ulink url="PacketMarking.html">this article</ulink>.</para> + packets for traffic shaping. The + <filename>/etc/shorewall/mangle</filename> + (<filename>/etc/shorewall/tcrules</filename>) file is used for + specifying these marks in a tabular fashion. For an in-depth look at the + packet marking facility in Netfilter/Shorewall, please see <ulink + url="PacketMarking.html">this article</ulink>.</para> <para><emphasis role="bold">For marking forwarded traffic, you must either set MARK_IN_FORWARD_CHAIN=Yes shorewall.conf or by using the :F @@ -914,7 +916,7 @@ ppp0 6000kbit 500kbit</programlisting> <para>The following examples are for the mangle file.</para> <example id="Example1"> - <title> + <para>All packets arriving on eth1 should be marked with 1. All packets arriving on eth2 and eth3 should be marked with 2. All packets @@ -928,7 +930,7 @@ MARK(3) $FW 0.0.0.0/0 all</programlisting> </example> <example id="Example2"> - <title> + <para>All GRE (protocol 47) packets destined for 155.186.235.151 should be marked with 12.</para> @@ -938,7 +940,7 @@ MARK(12):T 0.0.0.0/0 155.182.235.151 47</programlisting> </example> <example id="Example3"> - <title> + <para>All SSH request packets originating in 192.168.1.0/24 and destined for 155.186.235.151 should be marked with 22.</para> @@ -948,7 +950,7 @@ MARK(22):T 192.168.1.0/24 155.182.235.151 tcp 22</programlisting> </example> <example id="Example4"> - <title> + <para>All SSH packets packets going out of the first device in in /etc/shorewall/tcdevices should be assigned to the class with mark 
@@ -961,7 +963,7 @@ CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp - 22</ </example> <example id="Example5"> - <title> + <para>Mark all ICMP echo traffic with packet mark 1. Mark all peer to peer traffic with packet mark 4.</para> @@ -994,7 +996,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - </example> <example> - <title> + <para>Mark all forwarded VOIP connections with connection mark 1 and ensure that all VOIP packets also receive that mark (assumes that @@ -1305,15 +1307,15 @@ ppp0 3 2*full/10 8*full/10 2</programlisting> </section> <section id="realtcr"> - <title>tcrules file + mangle file #ACTION SOURCE DEST PROTO PORT(S) CLIENT USER # PORT(S) -1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-request -1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply +MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-request +MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply # mark traffic which should have a lower priority with a 3: # mldonkey -3 0.0.0.0/0 0.0.0.0/0 udp - 4666 +MARK(3):F 0.0.0.0/0 0.0.0.0/0 udp - 4666 Wondershaper allows you to define a set of hosts and/or ports you want to classify as low priority. To achieve this , you have to @@ -1343,7 +1345,7 @@ NOPRIOPORTSRC="6662 6663" NOPRIOPORTDST="6662 6663" This would result in the following additional settings to the - tcrules file: + mangle file: MARK(3) 192.168.1.128/25 0.0.0.0/0 all MARK(3) 192.168.3.28 0.0.0.0/0 all @@ -1602,13 +1604,13 @@ ip link set ifb0 up While this file was created to allow shaping of traffic through an IFB, the file may be used for general traffic classification as well. The file is similar to shorewall-mangle(5) with the + url="shorewall-mangle.html">shorewall-mangle(5) with the following key exceptions: The first match determines the classification, whereas in the - tcrules file, the last match determines the classification. + mangle file, the last match determines the classification.
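Review bot: link text and target disagree in the MultiISP.xml hunk at -1771: the anchor reads "shorewall-mangle (5)" but the new url is manpages4/manpages/shorewall-tcrules.html, so readers following the mangle link land on the legacy tcrules manpage. Either point the link at the mangle manpage (in the path form the rest of this patch uses, e.g. url="manpages/shorewall-providers.html") or change the link text to shorewall-tcrules; the manpages4 prefix appears to be meant for the tcrules page only.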
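Review bot: the second hunk in Shorewall_and_Routing.xml (-145) gives both the /etc/shorewall/mangle link and the parenthesised /etc/shorewall/tcrules link the same target, manpages4/manpages/shorewall-tcrules.html. Only the tcrules link should go to the manpages4 page; the mangle link should go to the mangle manpage, as the -91 hunk just above it does by changing only the tcrules url.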
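Review bot: the QOSExample.xml hunk at -289 renames the section and sentence to "mangle file" but the programlisting header that follows still has the tcrules column layout (#MARK SOURCE DEST PROTO DEST SOURCE USER TEST). The mangle file's first column is ACTION, as the traffic_shaping.xml -1305 hunk in this same patch shows by rewriting entries to MARK(1):F under a "#ACTION SOURCE DEST ..." header. Either convert this listing to mangle syntax too, or keep describing it as the tcrules file until it is converted.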
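Review bot: in the traffic_shaping.xml hunks from -914 to -996, swapping `<title>` for `<para>` does fix the mismatch with the existing `</para>` closers, but every `<example>` is left with no title at all; DocBook's example element expects a title, so either give each one a short title or change these elements to informalexample. While in the Example4 context, the doubled words "packets packets" and "in in" could be fixed as well.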
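Review bot: the mldonkey rule in the traffic_shaping.xml -1305 hunk changes semantics, not just syntax: `-3 0.0.0.0/0 0.0.0.0/0 udp - 4666` had no chain qualifier and so followed the MARK_IN_FORWARD_CHAIN setting described in the PacketHandling.xml hunk, whereas `+MARK(3):F 0.0.0.0/0 0.0.0.0/0 udp - 4666` forces the forward chain. The two echo rules already carried :F, so only this one moves. Unless the move is intended, write it as `MARK(3)` without :F, matching the NOPRIO entries in the -1343 hunk (`MARK(3) 192.168.1.128/25 0.0.0.0/0 all`); if it is intended, say so in the commit message.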
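Review bot: the new link in the traffic_shaping.xml -1602 hunk, url="shorewall-mangle.html", drops the manpages/ directory that every other manpage link in this patch carries (manpages/shorewall-rules.html, manpages/shorewall-providers.html). Unless the mangle manpage really sits at the docs root, this will be a broken link; manpages/shorewall-mangle.html looks like the intended target.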