Some 3.2.0 Documentation Updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3891 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-05-07 14:55:44 +00:00
parent db6e832174
commit 17eff43202
2 changed files with 146 additions and 6 deletions

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2006-04-23</pubdate> <pubdate>2006-05-07</pubdate>
<copyright> <copyright>
<year>2001-2006</year> <year>2001-2006</year>
@ -2742,6 +2742,125 @@ eth0 eth1 206.124.146.176</programlisting>
<para>This file is used to set the following firewall parameters:</para> <para>This file is used to set the following firewall parameters:</para>
<variablelist> <variablelist>
<varlistentry>
<term>VERBOSITY (Added in version 3.2.0)</term>
<listitem>
<para>Shorewall has traditionally been very noisy (produced lots of
output). You may now set the default level of verbosity using the
VERBOSITY OPTION.</para>
<para>Values are:</para>
<simplelist>
<member>0 — Silent. You may make it more verbose using the -v
option</member>
<member>1 — Major progress messages displayed</member>
<member>2 — All progress messages displayed (old default
behavior)</member>
</simplelist>
<para>If not specified, then 2 is assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>IMPLICIT_CONTINUE (Added in version 3.2.0)</term>
<listitem>
<para>When this option is set to "Yes", it causes subzones to be
treated differently with respect to policies.</para>
<para>Subzones are defined by following their name with ":" and a
list of parent zones (in /etc/shorewall/zones). Normally, you want
to have a set of special rules for the subzone and if a connection
doesn't match any of those subzone-specific rules then you want the
parent zone rules and policies to be applied. With
IMPLICIT_CONTINUE=Yes, that happens automatically.</para>
<para>If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set,
then subzones are not subject to this special treatment. With
IMPLICIT_CONTINUE=Yes, an implicit CONTINUE policy may be overridden
by including an explicit policy (one that does not specify "all" in
either the SOURCE or the DEST columns).</para>
<para>Example:</para>
<blockquote>
<para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE TYPE
prnt ipv4
chld:prnt ipv4</programlisting>
<para>Traffic to/from the <emphasis role="bold">chld</emphasis>
zone will first pass through the applicable <emphasis
role="bold">chld</emphasis> rules and if none of those rules match
then it will be passed through the appropriate <emphasis
role="bold">prnt</emphasis> rules. If the connection request does
not match any of the <emphasis role="bold">prnt</emphasis> rules
then the relevant <emphasis role="bold">prnt</emphasis> policy is
applied.</para>
<para>If you want the <emphasis
role="bold">fw</emphasis>-&gt;<emphasis
role="bold">chld</emphasis> policy to be ACCEPT, simply add this
entry to <filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DESTINATION POLICY
$FW chld ACCEPT</programlisting>
<para>Traffic from all other zones to 'chld' will be subject to
the implicit CONTINUE policy.</para>
</blockquote>
</listitem>
</varlistentry>
<varlistentry>
<term>HIGH_ROUTE_MARKS (Added in version 3.2.0)</term>
<listitem>
<para>Prior to version 3.2.0, it was not possible to use connection
marking in <filename>/etc/shorewall/tcrules</filename> if you have a
multi-ISP configuration that uses the <emphasis
role="bold">track</emphasis> option.</para>
<para>Beginning with release 3.2.0, you may now set
HIGH_ROUTE_MARKS=Yes in to effectively divide the packet mark and
connection mark into two 8-byte mark fields.</para>
<para>When you do this:</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>The MARK field in the <filename>providers</filename> file
must have a value that is less than 65536 and that is a multiple
of 256 (using hex representation, the values are 0x0100-0xFF00
with the low-order 8 bits being zero).</para>
</listitem>
<listitem>
<para>You may only set those mark values in the PREROUTING
chain.</para>
</listitem>
<listitem>
<para>Marks used for traffic shaping must still be in the range
of 1-255 and may still not be set in the PREROUTING
chain.</para>
</listitem>
<listitem>
<para>When you SAVE or RESTORE in tcrules, only the TC mark
value is saved or restored. Shorewall handles saving and
restoring the routing (provider) marks.</para>
</listitem>
</orderedlist>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>FASTACCEPT</term> <term>FASTACCEPT</term>

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2006-05-06</pubdate> <pubdate>2006-05-07</pubdate>
<copyright> <copyright>
<year>2005</year> <year>2005</year>
@ -207,8 +207,27 @@
<para>A mark value used in your /etc/shorewall/tcrules file to <para>A mark value used in your /etc/shorewall/tcrules file to
direct packets to this provider. Shorewall will also mark direct packets to this provider. Shorewall will also mark
connections that have seen input from this provider with this connections that have seen input from this provider with this
value and will restore the packet mark in the PREROUTING value and will restore the packet mark in the PREROUTING CHAIN.
CHAIN.</para> Mark values must be in the range 1-255.</para>
<para>Beginning with Shorewall version 3.2.0 Beta 6, you may use
may set HIGH_ROUTE_MARKS=Yes in
<filename>/etc/shorewall/shorewall.conf</filename>. This allows
you to:</para>
<itemizedlist>
<listitem>
<para>Use connection marks for traffic shaping, provided that
you assign those marks in the FORWARD table.</para>
</listitem>
<listitem>
<para>Use mark values &gt; 255 for provider marks in this
column. These mark values must be a multiple of 256 in the
range 256-65280 (hex equivalent 0x100 - 0xFF00 with the
low-order 8 bits being zero).</para>
</listitem>
</itemizedlist>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -487,12 +506,14 @@ ip route add</command> 192.168.1.1 dev eth3 scope link
case ${priority%:} in case ${priority%:} in
0|3276[67]) 0|3276[67])
;; ;;
*) ip rule del $rule *)
ip rule del $rule
;; ;;
esac esac
done</programlisting> done</programlisting>
<para>That will delete all but the default routing rules.</para> <para>That code will delete all but the default routing
rules.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</warning> </warning>