mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-07 05:58:49 +01:00
Some documentation updates
This commit is contained in:
parent
5236a793a9
commit
142fab8d46
@ -39,26 +39,33 @@ if [ $FAMILY -eq 4 ]; then
|
|||||||
. /usr/share/shorewall-lite/lib.base
|
. /usr/share/shorewall-lite/lib.base
|
||||||
[ -f /etc/shorewall-lite/params ] && . /etc/shorewall-lite/params
|
[ -f /etc/shorewall-lite/params ] && . /etc/shorewall-lite/params
|
||||||
[ -n "${COMMAND:="/sbin/shorewall-lite restart; /sbin/ip -4 route ls"}" ]
|
[ -n "${COMMAND:="/sbin/shorewall-lite restart; /sbin/ip -4 route ls"}" ]
|
||||||
STATEDIR=/etc/shorewall-lite
|
CONFDIR=/etc/shorewall-lite
|
||||||
|
VARDIR=/var/lib/shorewall-lite
|
||||||
elif [ -f /usr/share/shorewall/lib.base ]; then
|
elif [ -f /usr/share/shorewall/lib.base ]; then
|
||||||
. /usr/share/shorewall/lib.base
|
. /usr/share/shorewall/lib.base
|
||||||
[ -f /etc/shorewall/params ] && . /etc/shorewall/params
|
[ -f /etc/shorewall/params ] && . /etc/shorewall/params
|
||||||
[ -n "${COMMAND:="/sbin/shorewall restart -f; /sbin/ip -4 route ls"}" ]
|
[ -n "${COMMAND:="/sbin/shorewall restart -f; /sbin/ip -4 route ls"}" ]
|
||||||
STATEDIR=/etc/shorewall
|
CONFDIR=/etc/shorewall
|
||||||
|
VARDIR=/var/lib/shorewall
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
if [ -f /usr/share/shorewall6-lite/lib.base ]; then
|
if [ -f /usr/share/shorewall6-lite/lib.base ]; then
|
||||||
. /usr/share/shorewall6-lite/lib.base
|
. /usr/share/shorewall6-lite/lib.base
|
||||||
[ -f /etc/shorewall6-lite/params ] && . /etc/shorewall6-lite/params
|
[ -f /etc/shorewall6-lite/params ] && . /etc/shorewall6-lite/params
|
||||||
[ -n "${COMMAND:="/sbin/shorewall6-lite restart; /sbin/ip -4 route ls"}" ]
|
[ -n "${COMMAND:="/sbin/shorewall6-lite restart; /sbin/ip -4 route ls"}" ]
|
||||||
STATEDIR=/etc/shorewall6-lite
|
CONFDIR=/etc/shorewall6-lite
|
||||||
|
VARDIR=/var/lib/shorewall6-lite
|
||||||
elif [ -f /usr/share/shorewall6/lib.base ]; then
|
elif [ -f /usr/share/shorewall6/lib.base ]; then
|
||||||
. /usr/share/shorewal6l/lib.base
|
. /usr/share/shorewal6l/lib.base
|
||||||
[ -f /etc/shorewall6/params ] && . /etc/shorewall6/params
|
[ -f /etc/shorewall6/params ] && . /etc/shorewall6/params
|
||||||
[ -n "${COMMAND:="/sbin/shorewall6 restart -f; /sbin/ip -4 route ls"}" ]
|
[ -n "${COMMAND:="/sbin/shorewall6 restart -f; /sbin/ip -4 route ls"}" ]
|
||||||
STATEDIR=/etc/shorewall6
|
CONFDIR=/etc/shorewall6
|
||||||
|
VARDIR=/var/lib/shorewall6
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir
|
||||||
|
|
||||||
#
|
#
|
||||||
# Interfaces to monitor -- you may use shell variables from your params file
|
# Interfaces to monitor -- you may use shell variables from your params file
|
||||||
#
|
#
|
||||||
@ -124,8 +131,8 @@ get_target() {
|
|||||||
#
|
#
|
||||||
# Script starts here
|
# Script starts here
|
||||||
#
|
#
|
||||||
rm -f $STATEDIR/${IF1}.status
|
rm -f $VARDIR/${IF1}.status
|
||||||
rm -f $STATEDIR/${IF2}.status
|
rm -f $VARDIR/${IF2}.status
|
||||||
|
|
||||||
while : ; do
|
while : ; do
|
||||||
target=$TARGET1
|
target=$TARGET1
|
||||||
@ -216,8 +223,8 @@ while : ; do
|
|||||||
#
|
#
|
||||||
# One of the interfaces changed state -- restart Shorewall
|
# One of the interfaces changed state -- restart Shorewall
|
||||||
#
|
#
|
||||||
echo $if1_state > $STATEDIR/${IF1}.status
|
echo $if1_state > $VARDIR/${IF1}.status
|
||||||
echo $if2_state > $STATEDIR/${IF2}.status
|
echo $if2_state > $VARDIR/${IF2}.status
|
||||||
eval $COMMAND
|
eval $COMMAND
|
||||||
state_changed=
|
state_changed=
|
||||||
fi
|
fi
|
||||||
|
@ -16,7 +16,7 @@
|
|||||||
###############################################################################
|
###############################################################################
|
||||||
local status=0
|
local status=0
|
||||||
|
|
||||||
[ -f /etc/shorewall/${1}.status ] && status=$(cat /etc/shorewall/${1}.status)
|
[ -f ${VARDIR}/${1}.status ] && status=$(cat ${VARDIR}/${1}.status)
|
||||||
|
|
||||||
return $status
|
return $status
|
||||||
|
|
||||||
|
@ -1089,7 +1089,7 @@ shorewall 2 2 - eth0 192.168.1.254 track,balance=2,optional<
|
|||||||
<filename>swping</filename>. The <filename>swping</filename> file is
|
<filename>swping</filename>. The <filename>swping</filename> file is
|
||||||
available in the main directory contained in the Shorewall-common
|
available in the main directory contained in the Shorewall-common
|
||||||
tarball and is included in the Shorewall-common documentation
|
tarball and is included in the Shorewall-common documentation
|
||||||
directory on the Shorewall-common RPM. The script is inspired by
|
directory in the Shorewall-common RPM. The script is inspired by
|
||||||
Angsuman Chakraborty's <ulink
|
Angsuman Chakraborty's <ulink
|
||||||
url="http://blog.taragana.com/index.php/archive/how-to-load-balancing-failover-with-dual-multi-wan-adsl-cable-connections-on-linux/">gwping</ulink>
|
url="http://blog.taragana.com/index.php/archive/how-to-load-balancing-failover-with-dual-multi-wan-adsl-cable-connections-on-linux/">gwping</ulink>
|
||||||
script.</para>
|
script.</para>
|
||||||
@ -1167,9 +1167,9 @@ DOWN_COUNT=2</programlisting>
|
|||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>For each interface, a file is placed in /etc/shorewall to
|
<para>For each interface, a file is placed in ${VARDIR} (normally
|
||||||
record the status of the interface: either 0 (UP) or 1 (DOWN). The
|
/var/lib/shorewall) to record the status of the interface: either
|
||||||
name of the file is
|
0 (UP) or 1 (DOWN). The name of the file is
|
||||||
<filename><replaceable>interface</replaceable>.status</filename>
|
<filename><replaceable>interface</replaceable>.status</filename>
|
||||||
where <replaceable>interface</replaceable> is the interface (e.g.,
|
where <replaceable>interface</replaceable> is the interface (e.g.,
|
||||||
<filename>eth0.status</filename>).</para>
|
<filename>eth0.status</filename>).</para>
|
||||||
@ -1189,16 +1189,13 @@ DOWN_COUNT=2</programlisting>
|
|||||||
<para>The .status files are intended to be used with the following
|
<para>The .status files are intended to be used with the following
|
||||||
<filename>/etc/shorewall/isusable</filename> script.<programlisting>local status=0
|
<filename>/etc/shorewall/isusable</filename> script.<programlisting>local status=0
|
||||||
|
|
||||||
case $1 in
|
[ -f ${VARDIR}/${1}.status ] && status=$(cat ${VARDIR}/${1}.status)
|
||||||
<emphasis role="bold">eth0|eth1</emphasis>)
|
|
||||||
[ -f /etc/shorewall/${1}.status ] && status=$(cat /etc/shorewall/${1}.status)
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
return $status</programlisting></para>
|
return $status</programlisting></para>
|
||||||
|
|
||||||
<para>Be sure that you modify the interface names to match your
|
<para>The above script is installed in <filename
|
||||||
configuration.</para>
|
class="directory">/etc/shorewall</filename>, beginning with Shorewall
|
||||||
|
4.3.11.</para>
|
||||||
|
|
||||||
<para>Also included is a sample init script
|
<para>Also included is a sample init script
|
||||||
(<filename>swping.init</filename>) to start the monitoring daemon.
|
(<filename>swping.init</filename>) to start the monitoring daemon.
|
||||||
@ -1266,20 +1263,26 @@ fi</programlisting></para>
|
|||||||
more sophisticated monitoring than the simple swping script described
|
more sophisticated monitoring than the simple swping script described
|
||||||
in the preceding section.</para>
|
in the preceding section.</para>
|
||||||
|
|
||||||
|
<para>Like many Open Source products, LSM is poorly documented. It's
|
||||||
|
main configuration file is normally kept in /etc/lsm/lsm.conf, but the
|
||||||
|
file's name is passed as an argument to the lsm program so you can
|
||||||
|
name it anything you want.</para>
|
||||||
|
|
||||||
|
<para>The sample <filename>lsm.conf</filename> included with the
|
||||||
|
product shows some of the possibilities for configuration. One feature
|
||||||
|
that is not mentioned in the sample is that an "include" directive is
|
||||||
|
supported. This allows additional files to be sourced in from the main
|
||||||
|
configuration file.</para>
|
||||||
|
|
||||||
<para>I personally use LSM here at shorewall.net (configuration is
|
<para>I personally use LSM here at shorewall.net (configuration is
|
||||||
described <link linkend="Complete">below</link>). Here are my relevant
|
described <link linkend="Complete">below</link>). Here are my relevant
|
||||||
configuration files:</para>
|
configuration files:</para>
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/isusable</filename>:</para>
|
<para><filename>/etc/shorewall/isusable</filename>:</para>
|
||||||
|
|
||||||
<programlisting>local status
|
<programlisting>local status=0
|
||||||
status=0
|
|
||||||
|
|
||||||
case $1 in
|
[ -f ${VARDIR}/${1}.status ] && status=$(cat ${VARDIR}/${1}.status)
|
||||||
eth0|eth3)
|
|
||||||
[ -f /etc/shorewall/${1}.status ] && status=$(cat /etc/shorewall/${1}.status)
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
return $status</programlisting>
|
return $status</programlisting>
|
||||||
|
|
||||||
@ -1289,7 +1292,7 @@ return $status</programlisting>
|
|||||||
# My 'restored' script calls this one if there is no lsm process running
|
# My 'restored' script calls this one if there is no lsm process running
|
||||||
###############################################################################
|
###############################################################################
|
||||||
if [ "$COMMAND" = start -o "$COMMAND" = restore ]; then
|
if [ "$COMMAND" = start -o "$COMMAND" = restore ]; then
|
||||||
killproc lsm 2> /dev/null
|
killall lsm 2> /dev/null
|
||||||
cat <<EOF > /etc/lsm/shorewall.conf
|
cat <<EOF > /etc/lsm/shorewall.conf
|
||||||
connection {
|
connection {
|
||||||
name=Avvanta
|
name=Avvanta
|
||||||
@ -1305,7 +1308,7 @@ connection {
|
|||||||
ttl=1
|
ttl=1
|
||||||
}
|
}
|
||||||
EOF
|
EOF
|
||||||
rm -f /etc/shorewall/*.status
|
rm -f ${VARDIR}/*.status
|
||||||
/usr/sbin/lsm /etc/lsm/lsm.conf >> /var/log/lsm
|
/usr/sbin/lsm /etc/lsm/lsm.conf >> /var/log/lsm
|
||||||
fi</programlisting>
|
fi</programlisting>
|
||||||
|
|
||||||
@ -1363,6 +1366,16 @@ CONS_WAIT=${11}
|
|||||||
CONS_MISS=${12}
|
CONS_MISS=${12}
|
||||||
AVG_RTT=${13}
|
AVG_RTT=${13}
|
||||||
|
|
||||||
|
if [ -f /usr/share/shorewall-lite/lib.base ]; then
|
||||||
|
VARDIR=/var/lib/shorewall-lite
|
||||||
|
STATEDIR=/etc/shorewall-lite
|
||||||
|
else
|
||||||
|
VARDIR=/var/lib/shorewall
|
||||||
|
STATEDIR=/etc/shorewall
|
||||||
|
fi
|
||||||
|
|
||||||
|
[ -f ${STATEDIR}/vardir ] && . ${STATEDIR}/vardir
|
||||||
|
|
||||||
cat <<EOM | mail -s "${NAME} ${STATE}, DEV ${DEVICE}" ${WARN_EMAIL}
|
cat <<EOM | mail -s "${NAME} ${STATE}, DEV ${DEVICE}" ${WARN_EMAIL}
|
||||||
|
|
||||||
Hi,
|
Hi,
|
||||||
@ -1392,7 +1405,7 @@ EOM
|
|||||||
|
|
||||||
[ ${STATE} = up ] && state=0 || state=1
|
[ ${STATE} = up ] && state=0 || state=1
|
||||||
|
|
||||||
echo $state > /etc/shorewall/${DEVICE}.status
|
echo $state > ${VARDIR}/${DEVICE}.status
|
||||||
|
|
||||||
/sbin/shorewall -f restart >> /var/log/lsm 2>&1
|
/sbin/shorewall -f restart >> /var/log/lsm 2>&1
|
||||||
|
|
||||||
@ -1407,7 +1420,7 @@ exit 0;
|
|||||||
<section id="Shared">
|
<section id="Shared">
|
||||||
<title>Two Providers Sharing an Interface</title>
|
<title>Two Providers Sharing an Interface</title>
|
||||||
|
|
||||||
<para>Shared interface support has the following characteristics"</para>
|
<para>Shared interface support has the following characteristics:</para>
|
||||||
|
|
||||||
<orderedlist numeration="loweralpha">
|
<orderedlist numeration="loweralpha">
|
||||||
<listitem>
|
<listitem>
|
||||||
|
@ -24,7 +24,7 @@
|
|||||||
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2001-2008</year>
|
<year>2001-2009</year>
|
||||||
|
|
||||||
<holder>Thomas M. Eastep</holder>
|
<holder>Thomas M. Eastep</holder>
|
||||||
</copyright>
|
</copyright>
|
||||||
@ -429,7 +429,15 @@ ppp0 6000kbit 500kbit</programlisting>
|
|||||||
option in <filename>/etc/shorewall/tcdevices</filename>, then the
|
option in <filename>/etc/shorewall/tcdevices</filename>, then the
|
||||||
interface name or number must be followed by a colon and a
|
interface name or number must be followed by a colon and a
|
||||||
<firstterm>class number</firstterm>. Examples: eth0:1, 4:9. Class
|
<firstterm>class number</firstterm>. Examples: eth0:1, 4:9. Class
|
||||||
numbers must be unique for a given interface.</para>
|
numbers must be unique for a given interface. Normally, all classes
|
||||||
|
defined here are sub-classes of a root class that is implicitly
|
||||||
|
defined from the entry in <ulink
|
||||||
|
url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5). You
|
||||||
|
can establish a class hierarchy by specifying a
|
||||||
|
<emphasis>parent</emphasis> class (e.g.,
|
||||||
|
<emphasis>interface</emphasis>:<emphasis>parent-class</emphasis>:<emphasis>class</emphasis>)
|
||||||
|
-- the number of a class that you have previously defined. The
|
||||||
|
sub-class may borrow unused bandwidth from its parent.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -559,6 +567,48 @@ ppp0 6000kbit 500kbit</programlisting>
|
|||||||
<ulink url="manpages/shorewall-tcrules.html">tcrules</ulink>
|
<ulink url="manpages/shorewall-tcrules.html">tcrules</ulink>
|
||||||
(5).</para>
|
(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>flow=<emphasis>keys</emphasis> - Shorewall attaches an SFQ
|
||||||
|
queuing discipline to each leaf HTB class. SFQ ensures that each
|
||||||
|
<firstterm>flow</firstterm> gets equal access to the interface.
|
||||||
|
The default definition of a flow corresponds roughly to a
|
||||||
|
Netfilter connection. So if one internal system is running
|
||||||
|
BitTorrent, for example, it can have lots of 'flows' and can
|
||||||
|
thus take up a larger share of the bandwidth than a system
|
||||||
|
having only a single active connection. The
|
||||||
|
<option>flow</option> classifier (module cls_flow) works around
|
||||||
|
this by letting you define what a 'flow' is. The clasifier must
|
||||||
|
be used carefully or it can block off all traffic on an
|
||||||
|
interface! The flow option can be specified for an HTB leaf
|
||||||
|
class (one that has no sub-classes). We recommend that you use
|
||||||
|
the following:</para>
|
||||||
|
|
||||||
|
<simplelist>
|
||||||
|
<member>Shaping internet-bound traffic: flow=nfct-src</member>
|
||||||
|
|
||||||
|
<member>Shaping traffic bound for your local net:
|
||||||
|
flow=dst</member>
|
||||||
|
</simplelist>
|
||||||
|
|
||||||
|
<para>These will cause a 'flow' to consists of the traffic
|
||||||
|
to/from each internal system.</para>
|
||||||
|
|
||||||
|
<para>When more than one key is give, they must be enclosed in
|
||||||
|
parenthesis and separated by commas.</para>
|
||||||
|
|
||||||
|
<para>To see a list of the possible flow keys, run this
|
||||||
|
command:</para>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<para><command>tc filter add flow help</command></para>
|
||||||
|
</blockquote>
|
||||||
|
|
||||||
|
<para>Those that begin with "nfct-" are Netfilter connection
|
||||||
|
tracking fields. As shown above, we recommend flow=nfct-src;
|
||||||
|
that means that we want to use the source IP address
|
||||||
|
<emphasis>before NAT</emphasis> as the key.</para>
|
||||||
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
@ -344,6 +344,53 @@
|
|||||||
(5).</para>
|
(5).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>flow=<emphasis>keys</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Shorewall attaches an SFQ queuing discipline to each
|
||||||
|
leaf HTB class. SFQ ensures that each
|
||||||
|
<firstterm>flow</firstterm> gets equal access to the
|
||||||
|
interface. The default definition of a flow corresponds
|
||||||
|
roughly to a Netfilter connection. So if one internal system
|
||||||
|
is running BitTorrent, for example, it can have lots of
|
||||||
|
'flows' and can thus take up a larger share of the bandwidth
|
||||||
|
than a system having only a single active connection. The
|
||||||
|
<option>flow</option> classifier (module cls_flow) works
|
||||||
|
around this by letting you define what a 'flow' is. The
|
||||||
|
clasifier must be used carefully or it can block off all
|
||||||
|
traffic on an interface! The flow option can be specified for
|
||||||
|
an HTB leaf class (one that has no sub-classes). We recommend
|
||||||
|
that you use the following:</para>
|
||||||
|
|
||||||
|
<simplelist>
|
||||||
|
<member>Shaping internet-bound traffic:
|
||||||
|
flow=nfct-src</member>
|
||||||
|
|
||||||
|
<member>Shaping traffic bound for your local net:
|
||||||
|
flow=dst</member>
|
||||||
|
</simplelist>
|
||||||
|
|
||||||
|
<para>These will cause a 'flow' to consists of the traffic
|
||||||
|
to/from each internal system.</para>
|
||||||
|
|
||||||
|
<para>When more than one key is give, they must be enclosed in
|
||||||
|
parenthesis and separated by commas.</para>
|
||||||
|
|
||||||
|
<para>To see a list of the possible flow keys, run this
|
||||||
|
command:</para>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<para><command>tc filter add flow help</command></para>
|
||||||
|
</blockquote>
|
||||||
|
|
||||||
|
<para>Those that begin with "nfct-" are Netfilter connection
|
||||||
|
tracking fields. As shown above, we recommend flow=nfct-src;
|
||||||
|
that means that we want to use the source IP address
|
||||||
|
<emphasis>before NAT</emphasis> as the key. </para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
@ -134,7 +134,15 @@
|
|||||||
<para>Please note that you can only use interface names in here that
|
<para>Please note that you can only use interface names in here that
|
||||||
have a bandwidth defined in the <ulink
|
have a bandwidth defined in the <ulink
|
||||||
url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
|
url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
|
||||||
file</para>
|
file.</para>
|
||||||
|
|
||||||
|
<para>Normally, all classes defined here are sub-classes of a root
|
||||||
|
class that is implicitly defined from the entry in <ulink
|
||||||
|
url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5). You
|
||||||
|
can establish a class hierarchy by specifying a
|
||||||
|
<emphasis>parent</emphasis> class -- the number of a class that you
|
||||||
|
have previously defined. The sub-class may borrow unused bandwidth
|
||||||
|
from its parent.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -287,6 +295,53 @@
|
|||||||
</note>
|
</note>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>flow=<emphasis>keys</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Shorewall attaches an SFQ queuing discipline to each
|
||||||
|
leaf HTB class. SFQ ensures that each
|
||||||
|
<firstterm>flow</firstterm> gets equal access to the
|
||||||
|
interface. The default definition of a flow corresponds
|
||||||
|
roughly to a Netfilter connection. So if one internal system
|
||||||
|
is running BitTorrent, for example, it can have lots of
|
||||||
|
'flows' and can thus take up a larger share of the bandwidth
|
||||||
|
than a system having only a single active connection. The
|
||||||
|
<option>flow</option> classifier (module cls_flow) works
|
||||||
|
around this by letting you define what a 'flow' is. The
|
||||||
|
clasifier must be used carefully or it can block off all
|
||||||
|
traffic on an interface! The flow option can be specified for
|
||||||
|
an HTB leaf class (one that has no sub-classes). We recommend
|
||||||
|
that you use the following:</para>
|
||||||
|
|
||||||
|
<simplelist>
|
||||||
|
<member>Shaping internet-bound traffic:
|
||||||
|
flow=nfct-src</member>
|
||||||
|
|
||||||
|
<member>Shaping traffic bound for your local net:
|
||||||
|
flow=dst</member>
|
||||||
|
</simplelist>
|
||||||
|
|
||||||
|
<para>These will cause a 'flow' to consists of the traffic
|
||||||
|
to/from each internal system.</para>
|
||||||
|
|
||||||
|
<para>When more than one key is give, they must be enclosed in
|
||||||
|
parenthesis and separated by commas.</para>
|
||||||
|
|
||||||
|
<para>To see a list of the possible flow keys, run this
|
||||||
|
command:</para>
|
||||||
|
|
||||||
|
<blockquote>
|
||||||
|
<para><command>tc filter add flow help</command></para>
|
||||||
|
</blockquote>
|
||||||
|
|
||||||
|
<para>Those that begin with "nfct-" are Netfilter connection
|
||||||
|
tracking fields. As shown above, we recommend flow=nfct-src;
|
||||||
|
that means that we want to use the source IP address
|
||||||
|
<emphasis>before NAT</emphasis> as the key.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
Loading…
Reference in New Issue
Block a user