Some 3.2.0 Documentation Updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3891 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-12-22 06:10:42 +01:00 · 2006-05-07 14:55:44 +00:00 · 2006-05-07 14:55:44 +00:00 · 17eff43202
commit 17eff43202
parent db6e832174
2 changed files with 146 additions and 6 deletions
--- a/docs/Documentation.xml
+++ b/docs/Documentation.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>

-    <pubdate>2006-04-23</pubdate>
+    <pubdate>2006-05-07</pubdate>

    <copyright>
      <year>2001-2006</year>
@ -2742,6 +2742,125 @@ eth0                  eth1            206.124.146.176</programlisting>
    <para>This file is used to set the following firewall parameters:</para>

    <variablelist>
+      <varlistentry>
+        <term>VERBOSITY (Added in version 3.2.0)</term>
+
+        <listitem>
+          <para>Shorewall has traditionally been very noisy (produced lots of
+          output). You may now set the default level of verbosity using the
+          VERBOSITY OPTION.</para>
+
+          <para>Values are:</para>
+
+          <simplelist>
+            <member>0 — Silent. You may make it more verbose using the -v
+            option</member>
+
+            <member>1 — Major progress messages displayed</member>
+
+            <member>2 — All progress messages displayed (old default
+            behavior)</member>
+          </simplelist>
+
+          <para>If not specified, then 2 is assumed.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>IMPLICIT_CONTINUE (Added in version 3.2.0)</term>
+
+        <listitem>
+          <para>When this option is set to "Yes", it causes subzones to be
+          treated differently with respect to policies.</para>
+
+          <para>Subzones are defined by following their name with ":" and a
+          list of parent zones (in /etc/shorewall/zones). Normally, you want
+          to have a set of special rules for the subzone and if a connection
+          doesn't match any of those subzone-specific rules then you want the
+          parent zone rules and policies to be applied. With
+          IMPLICIT_CONTINUE=Yes, that happens automatically.</para>
+
+          <para>If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set,
+          then subzones are not subject to this special treatment. With
+          IMPLICIT_CONTINUE=Yes, an implicit CONTINUE policy may be overridden
+          by including an explicit policy (one that does not specify "all" in
+          either the SOURCE or the DEST columns).</para>
+
+          <para>Example:</para>
+
+          <blockquote>
+            <para><filename>/etc/shorewall/zones</filename>:</para>
+
+            <programlisting>#ZONE      TYPE
+prnt       ipv4
+chld:prnt  ipv4</programlisting>
+
+            <para>Traffic to/from the <emphasis role="bold">chld</emphasis>
+            zone will first pass through the applicable <emphasis
+            role="bold">chld</emphasis> rules and if none of those rules match
+            then it will be passed through the appropriate <emphasis
+            role="bold">prnt</emphasis> rules. If the connection request does
+            not match any of the <emphasis role="bold">prnt</emphasis> rules
+            then the relevant <emphasis role="bold">prnt</emphasis> policy is
+            applied.</para>
+
+            <para>If you want the <emphasis
+            role="bold">fw</emphasis>-&gt;<emphasis
+            role="bold">chld</emphasis> policy to be ACCEPT, simply add this
+            entry to <filename>/etc/shorewall/policy</filename>:</para>
+
+            <programlisting>#SOURCE  DESTINATION        POLICY
+$FW      chld               ACCEPT</programlisting>
+
+            <para>Traffic from all other zones to 'chld' will be subject to
+            the implicit CONTINUE policy.</para>
+          </blockquote>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>HIGH_ROUTE_MARKS (Added in version 3.2.0)</term>
+
+        <listitem>
+          <para>Prior to version 3.2.0, it was not possible to use connection
+          marking in <filename>/etc/shorewall/tcrules</filename> if you have a
+          multi-ISP configuration that uses the <emphasis
+          role="bold">track</emphasis> option.</para>
+
+          <para>Beginning with release 3.2.0, you may now set
+          HIGH_ROUTE_MARKS=Yes in to effectively divide the packet mark and
+          connection mark into two 8-byte mark fields.</para>
+
+          <para>When you do this:</para>
+
+          <orderedlist numeration="loweralpha">
+            <listitem>
+              <para>The MARK field in the <filename>providers</filename> file
+              must have a value that is less than 65536 and that is a multiple
+              of 256 (using hex representation, the values are 0x0100-0xFF00
+              with the low-order 8 bits being zero).</para>
+            </listitem>
+
+            <listitem>
+              <para>You may only set those mark values in the PREROUTING
+              chain.</para>
+            </listitem>
+
+            <listitem>
+              <para>Marks used for traffic shaping must still be in the range
+              of 1-255 and may still not be set in the PREROUTING
+              chain.</para>
+            </listitem>
+
+            <listitem>
+              <para>When you SAVE or RESTORE in tcrules, only the TC mark
+              value is saved or restored. Shorewall handles saving and
+              restoring the routing (provider) marks.</para>
+            </listitem>
+          </orderedlist>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term>FASTACCEPT</term>

--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>

-    <pubdate>2006-05-06</pubdate>
+    <pubdate>2006-05-07</pubdate>

    <copyright>
      <year>2005</year>
@ -207,8 +207,27 @@
            <para>A mark value used in your /etc/shorewall/tcrules file to
            direct packets to this provider. Shorewall will also mark
            connections that have seen input from this provider with this
-            value and will restore the packet mark in the PREROUTING
-            CHAIN.</para>
+            value and will restore the packet mark in the PREROUTING CHAIN.
+            Mark values must be in the range 1-255.</para>
+
+            <para>Beginning with Shorewall version 3.2.0 Beta 6, you may use
+            may set HIGH_ROUTE_MARKS=Yes in
+            <filename>/etc/shorewall/shorewall.conf</filename>. This allows
+            you to:</para>
+
+            <itemizedlist>
+              <listitem>
+                <para>Use connection marks for traffic shaping, provided that
+                you assign those marks in the FORWARD table.</para>
+              </listitem>
+
+              <listitem>
+                <para>Use mark values &gt; 255 for provider marks in this
+                column. These mark values must be a multiple of 256 in the
+                range 256-65280 (hex equivalent 0x100 - 0xFF00 with the
+                low-order 8 bits being zero).</para>
+              </listitem>
+            </itemizedlist>
          </listitem>
        </varlistentry>

@ -487,12 +506,14 @@ ip route add</command> 192.168.1.1 dev eth3  scope link
    case ${priority%:} in
        0|3276[67])
            ;;
-        *) ip rule del $rule
+        *)
+            ip rule del $rule
            ;;
    esac
 done</programlisting>

-            <para>That will delete all but the default routing rules.</para>
+            <para>That code will delete all but the default routing
+            rules.</para>
          </listitem>
        </itemizedlist>
      </warning>