Update URLs to tcrules

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2015-10-04 08:20:33 -07:00
parent fed6e7c352
commit 0385b2cd37
6 changed files with 42 additions and 39 deletions

View File

@ -926,7 +926,7 @@ MARK(2) $FW 0.0.0.0/0 tcp 25</programlisting>
<para>If you are running a Shorewall version earlier than 4.6.0, the <para>If you are running a Shorewall version earlier than 4.6.0, the
above rules in <ulink above rules in <ulink
url="manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink> url="manpages4/manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink>
would be:</para> would be:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST <programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST
@ -1771,7 +1771,7 @@ ISP2 2 2 - eth1 130.252.99.254 track
except when you explicitly direct it to use the other provider via except when you explicitly direct it to use the other provider via
<ulink url="manpages/shorewall-rtrules.html">shorewall-rtrules</ulink> <ulink url="manpages/shorewall-rtrules.html">shorewall-rtrules</ulink>
(5) or <ulink (5) or <ulink
url="manpages/shorewall-tcrules.html">shorewall-mangle</ulink> url="manpages4/manpages/shorewall-tcrules.html">shorewall-mangle</ulink>
(5).</para> (5).</para>
<para>Example (send all traffic through the 'shorewall' provider unless <para>Example (send all traffic through the 'shorewall' provider unless
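Review bot: the second link in this hunk is labelled shorewall-mangle, but its target is the tcrules page, now url="manpages4/manpages/shorewall-tcrules.html". The -1950 hunk in this file links shorewall-mangle to manpages/shorewall-mangle.html. Use that target here, or change the link text to shorewall-tcrules if the older page is what is meant.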
@ -1950,7 +1950,7 @@ ONBOOT=yes</programlisting>
url="manpages/shorewall-providers.html">shorewall-providers</ulink> (5) url="manpages/shorewall-providers.html">shorewall-providers</ulink> (5)
is available in the form of a PROBABILITY column in <ulink is available in the form of a PROBABILITY column in <ulink
url="manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) (<ulink url="manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) (<ulink
url="manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>) (5). url="manpages4/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>) (5).
This feature requires the <firstterm>Statistic Match</firstterm> This feature requires the <firstterm>Statistic Match</firstterm>
capability in your iptables and kernel.</para> capability in your iptables and kernel.</para>

View File

@ -186,7 +186,7 @@
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>Packets are marked based on the contents of your <para>Packets are marked based on the contents of your
<filename>/etc/shorewall/tcrules</filename> file and the setting of <filename>/etc/shorewall/mangle</filename> file and the setting of
MARK_IN_FORWARD_CHAIN in MARK_IN_FORWARD_CHAIN in
<filename>/etc/shorewall/shorewall.conf</filename>. This occurs in the <filename>/etc/shorewall/shorewall.conf</filename>. This occurs in the
<emphasis role="bold">tcfor</emphasis> chain of the <emphasis role="bold">tcfor</emphasis> chain of the
@ -261,7 +261,7 @@
<listitem> <listitem>
<para>Packets are marked based on the contents of your <para>Packets are marked based on the contents of your
<filename>/etc/shorewall/tcrules</filename> file. This occurs in the <filename>/etc/shorewall/mangle</filename> file. This occurs in the
<emphasis role="bold">tcout</emphasis> chain of the <emphasis role="bold">tcout</emphasis> chain of the
<emphasis>mangle</emphasis> table.</para> <emphasis>mangle</emphasis> table.</para>
</listitem> </listitem>

View File

@ -289,9 +289,9 @@ ip link set ifb0 up</programlisting>
</section> </section>
<section> <section>
<title>/etc/shorewall/tcrules</title> <title>/etc/shorewall/mangle</title>
<para>The tcrules file classifies upload packets:</para> <para>The mangle file classifies upload packets:</para>
<programlisting>#MARK SOURCE DEST PROTO DEST SOURCE USER TEST <programlisting>#MARK SOURCE DEST PROTO DEST SOURCE USER TEST
# PORT(S) PORT(S) # PORT(S) PORT(S)
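Review bot: the title and lead sentence now say mangle, but the listing header under them still begins with #MARK. Elsewhere in this patch the realtcr section uses an #ACTION header for the mangle file, and the -248 hunk uses #MARK for tcrules entries. The rows of this listing are outside the hunk, so check that both the header and the rows are in mangle form (#ACTION, MARK(n)) to match the new title.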

View File

@ -248,7 +248,8 @@ MARK(202):P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting>
<para>If you are still using a tcrules file, you should consider <para>If you are still using a tcrules file, you should consider
switching to using a mangle file (<command>shorewall update switching to using a mangle file (<command>shorewall update
-t</command> will do that for you). Corresponding -t</command> (<command>shorewall update</command> on
Shorewall 5.0 and later) will do that for you). Corresponding
/etc/shorewall/tcrules entries are:</para> /etc/shorewall/tcrules entries are:</para>
<programlisting>#MARK SOURCE DEST PROTO DEST <programlisting>#MARK SOURCE DEST PROTO DEST
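Review bot: the added text nests a parenthetical inside the existing one, so the sentence reads "(shorewall update -t (shorewall update on Shorewall 5.0 and later) will do that for you)", which is hard to parse. Suggest rewording without the inner parentheses, for example "shorewall update -t, or shorewall update on Shorewall 5.0 and later, will do that for you".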

View File

@ -91,7 +91,7 @@
<para>Packets may be marked using entries in the <ulink <para>Packets may be marked using entries in the <ulink
url="manpages/shorewall-mangle.html">/etc/shorewall/mangle</ulink> url="manpages/shorewall-mangle.html">/etc/shorewall/mangle</ulink>
(<ulink (<ulink
url="manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink>) url="manpages4/manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink>)
file. Entries in that file containing ":P" in the mark column are file. Entries in that file containing ":P" in the mark column are
applied here as are rules that default to the applied here as are rules that default to the
MARK_IN_FORWARD_CHAIN=No setting in MARK_IN_FORWARD_CHAIN=No setting in
@ -145,9 +145,9 @@
<orderedlist> <orderedlist>
<listitem> <listitem>
<para>Packets may be marked using entries in the <ulink <para>Packets may be marked using entries in the <ulink
url="manpages/shorewall-tcrules.html">/etc/shorewall/mangle</ulink> url="manpages4/manpages/shorewall-tcrules.html">/etc/shorewall/mangle</ulink>
(<ulink (<ulink
url="manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink>) url="manpages4/manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink>)
file (rules with "$FW" in the SOURCE column). These marks may be file (rules with "$FW" in the SOURCE column). These marks may be
used to specify that the packet should be re-routed using an used to specify that the packet should be re-routed using an
alternate routing table.</para> alternate routing table.</para>
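Review bot: the first link in this list item is labelled /etc/shorewall/mangle, but its new URL is manpages4/manpages/shorewall-tcrules.html, so the mangle link lands on the tcrules page. The -91 hunk in the same file links the same label to manpages/shorewall-mangle.html. Use that target for the mangle link and keep the manpages4 URL for the tcrules link only.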

View File

@ -184,7 +184,7 @@
you set WIDE_TC_MARKS=Yes in <ulink you set WIDE_TC_MARKS=Yes in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) ). You url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) ). You
assign packet marks to different types of traffic using entries in the assign packet marks to different types of traffic using entries in the
<filename>/etc/shorewall/tcrules</filename> file (Shorewall 4.6.0 or <filename>/etc/shorewall/mangle</filename> file (Shorewall 4.6.0 or
later) or <filename>/etc/shorewall/tcrules</filename> (Prior to later) or <filename>/etc/shorewall/tcrules</filename> (Prior to
Shorewall 4.6.0).</para> Shorewall 4.6.0).</para>
@ -202,7 +202,7 @@
<para>One class for each interface must be designated as the <para>One class for each interface must be designated as the
<firstterm>default class</firstterm>. This is the class to which unmarked <firstterm>default class</firstterm>. This is the class to which unmarked
traffic (packets to which you have not assigned a mark value in traffic (packets to which you have not assigned a mark value in
<filename>/etc/shorewall/tcrules</filename>) is assigned.</para> <filename>/etc/shorewall/mangle</filename>) is assigned.</para>
<para>Netfilter also supports a mark value on each connection. You can <para>Netfilter also supports a mark value on each connection. You can
assign connection mark values in assign connection mark values in
@ -226,10 +226,10 @@
<para>This screen shot shows how I configured QoS in a 2.6.16 <para>This screen shot shows how I configured QoS in a 2.6.16
Kernel:</para> Kernel:</para>
<graphic align="center" fileref="images/traffic_shaping2.6.png" /> <graphic align="center" fileref="images/traffic_shaping2.6.png"/>
<para>And here's my recommendation for a 2.6.21 kernel:<graphic <para>And here's my recommendation for a 2.6.21 kernel:<graphic
align="center" fileref="images/traffic_shaping2.6.21.png" /></para> align="center" fileref="images/traffic_shaping2.6.21.png"/></para>
</section> </section>
<section id="Shorewall"> <section id="Shorewall">
@ -501,7 +501,7 @@
</itemizedlist> </itemizedlist>
<example id="Example0"> <example id="Example0">
<title></title> <title/>
<para>Suppose you are using PPP over Ethernet (DSL) and ppp0 is the <para>Suppose you are using PPP over Ethernet (DSL) and ppp0 is the
interface for this. The device has an outgoing bandwidth of 500kbit interface for this. The device has an outgoing bandwidth of 500kbit
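Review bot: the <title></title> to <title/> change here is unrelated to the tcrules URL update named in the commit message. The same applies to the whitespace change in the <graphic/> tags in the preceding hunk and to the other empty titles further down. Consider dropping these editor-generated changes or committing them separately so the diff shows only the documentation change.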
@ -839,13 +839,13 @@ ppp0 6000kbit 500kbit</programlisting>
<para>Also unlike rules in the <ulink <para>Also unlike rules in the <ulink
url="manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file, url="manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file,
the tcrules file is not stateful. So every packet that goes into, out the mangle (tcrules) file is not stateful. So every packet that goes
of or through your firewall is subject to entries in the tcrules into, out of or through your firewall is subject to entries in the
file.</para> mangle (tcrules) file.</para>
<para>Because tcrules are not stateful, it is necessary to understand <para>Because mangle (tcrules) entries are not stateful, it is
basic IP socket operation. Here is an edited excerpt from a post on necessary to understand basic IP socket operation. Here is an edited
the Shorewall Users list:<blockquote> excerpt from a post on the Shorewall Users list:<blockquote>
<para>For the purposes of this discussion, the world is separated <para>For the purposes of this discussion, the world is separated
into clients and servers. Servers provide services to into clients and servers. Servers provide services to
clients.</para> clients.</para>
@ -898,10 +898,12 @@ ppp0 6000kbit 500kbit</programlisting>
</important> </important>
<para>The fwmark classifier provides a convenient way to classify <para>The fwmark classifier provides a convenient way to classify
packets for traffic shaping. The <quote>/etc/shorewall/tcrules</quote> packets for traffic shaping. The
file is used for specifying these marks in a tabular fashion. For an <filename>/etc/shorewall/mangle</filename>
in-depth look at the packet marking facility in Netfilter/Shorewall, (<filename>/etc/shorewall/tcrules</filename>) file is used for
please see <ulink url="PacketMarking.html">this article</ulink>.</para> specifying these marks in a tabular fashion. For an in-depth look at the
packet marking facility in Netfilter/Shorewall, please see <ulink
url="PacketMarking.html">this article</ulink>.</para>
<para><emphasis role="bold">For marking forwarded traffic, you must <para><emphasis role="bold">For marking forwarded traffic, you must
either set MARK_IN_FORWARD_CHAIN=Yes shorewall.conf or by using the :F either set MARK_IN_FORWARD_CHAIN=Yes shorewall.conf or by using the :F
@ -914,7 +916,7 @@ ppp0 6000kbit 500kbit</programlisting>
<para>The following examples are for the mangle file.</para> <para>The following examples are for the mangle file.</para>
<example id="Example1"> <example id="Example1">
<title></title> <title/>
<para>All packets arriving on eth1 should be marked with 1. All <para>All packets arriving on eth1 should be marked with 1. All
packets arriving on eth2 and eth3 should be marked with 2. All packets packets arriving on eth2 and eth3 should be marked with 2. All packets
@ -928,7 +930,7 @@ MARK(3) $FW 0.0.0.0/0 all</programlisting>
</example> </example>
<example id="Example2"> <example id="Example2">
<title></title> <title/>
<para>All GRE (protocol 47) packets destined for 155.186.235.151 <para>All GRE (protocol 47) packets destined for 155.186.235.151
should be marked with 12.</para> should be marked with 12.</para>
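Review bot: the Example2 text says the packets are destined for 155.186.235.151, but the rule shown in the following hunk header is MARK(12):T 0.0.0.0/0 155.182.235.151 47. Example3 has the same mismatch, with 155.186 in the text and 155.182 in the rule. Since these examples are being touched anyway, align the address between the prose and the listings.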
@ -938,7 +940,7 @@ MARK(12):T 0.0.0.0/0 155.182.235.151 47</programlisting>
</example> </example>
<example id="Example3"> <example id="Example3">
<title></title> <title/>
<para>All SSH request packets originating in 192.168.1.0/24 and <para>All SSH request packets originating in 192.168.1.0/24 and
destined for 155.186.235.151 should be marked with 22.</para> destined for 155.186.235.151 should be marked with 22.</para>
@ -948,7 +950,7 @@ MARK(22):T 192.168.1.0/24 155.182.235.151 tcp 22</programlisting>
</example> </example>
<example id="Example4"> <example id="Example4">
<title></title> <title/>
<para>All SSH packets packets going out of the first device in in <para>All SSH packets packets going out of the first device in in
/etc/shorewall/tcdevices should be assigned to the class with mark /etc/shorewall/tcdevices should be assigned to the class with mark
@ -961,7 +963,7 @@ CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp - 22</
</example> </example>
<example id="Example5"> <example id="Example5">
<title></title> <title/>
<para>Mark all ICMP echo traffic with packet mark 1. Mark all peer to <para>Mark all ICMP echo traffic with packet mark 1. Mark all peer to
peer traffic with packet mark 4.</para> peer traffic with packet mark 4.</para>
@ -994,7 +996,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - -
</example> </example>
<example> <example>
<title></title> <title/>
<para>Mark all forwarded VOIP connections with connection mark 1 and <para>Mark all forwarded VOIP connections with connection mark 1 and
ensure that all VOIP packets also receive that mark (assumes that ensure that all VOIP packets also receive that mark (assumes that
@ -1305,15 +1307,15 @@ ppp0 3 2*full/10 8*full/10 2</programlisting>
</section> </section>
<section id="realtcr"> <section id="realtcr">
<title>tcrules file</title> <title>mangle file</title>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER <programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER
# PORT(S) # PORT(S)
1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-request MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
# mark traffic which should have a lower priority with a 3: # mark traffic which should have a lower priority with a 3:
# mldonkey # mldonkey
3 0.0.0.0/0 0.0.0.0/0 udp - 4666</programlisting> MARK(3):F 0.0.0.0/0 0.0.0.0/0 udp - 4666</programlisting>
<para>Wondershaper allows you to define a set of hosts and/or ports <para>Wondershaper allows you to define a set of hosts and/or ports
you want to classify as low priority. To achieve this , you have to you want to classify as low priority. To achieve this , you have to
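Review bot: the last converted rule goes from a bare 3 to MARK(3):F, which adds a chain designator the original entry did not have. The two icmp rules already carried :F, but this one previously followed the MARK_IN_FORWARD_CHAIN default, so forcing :F can change where the mark is applied. Use MARK(3) unless marking in the forward chain is intended, and if it is, note that in the comment above the rule.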
@ -1343,7 +1345,7 @@ NOPRIOPORTSRC="6662 6663"
NOPRIOPORTDST="6662 6663" </programlisting> NOPRIOPORTDST="6662 6663" </programlisting>
<para>This would result in the following additional settings to the <para>This would result in the following additional settings to the
tcrules file:</para> mangle file:</para>
<programlisting>MARK(3) 192.168.1.128/25 0.0.0.0/0 all <programlisting>MARK(3) 192.168.1.128/25 0.0.0.0/0 all
MARK(3) 192.168.3.28 0.0.0.0/0 all MARK(3) 192.168.3.28 0.0.0.0/0 all
@ -1602,13 +1604,13 @@ ip link set ifb0 up</command></programlisting>
<para>While this file was created to allow shaping of traffic through an <para>While this file was created to allow shaping of traffic through an
IFB, the file may be used for general traffic classification as well. IFB, the file may be used for general traffic classification as well.
The file is similar to <ulink The file is similar to <ulink
url="shorewall-tcrules.html">shorewall-mangle</ulink>(5) with the url="shorewall-mangle.html">shorewall-mangle</ulink>(5) with the
following key exceptions:</para> following key exceptions:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>The first match determines the classification, whereas in the <para>The first match determines the classification, whereas in the
tcrules file, the last match determines the classification.</para> mangle file, the last match determines the classification.</para>
</listitem> </listitem>
<listitem> <listitem>