From 2c10a936f5cf37d6d016fda26db0b96712f041d3 Mon Sep 17 00:00:00 2001
From: teastep <teastep@fbd18981-670d-0410-9b5c-8dc0c1a9a2bb>
Date: Fri, 21 Mar 2008 02:35:56 +0000
Subject: [PATCH] More tcfilter documentation

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8320 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 docs/traffic_shaping.xml | 105 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 105 insertions(+)

diff --git a/docs/traffic_shaping.xml b/docs/traffic_shaping.xml
index 99b5e28b1..2ec35cc17 100644
--- a/docs/traffic_shaping.xml
+++ b/docs/traffic_shaping.xml
@@ -1334,6 +1334,111 @@ qt ip link set dev ifb0 up</programlisting></para>
 2:110           -               206.124.146.179                          #SNAT Responses
 2:110           -               206.124.146.180                          #Work Laptop
 2:130           -               206.124.146.177 tcp     25               #Incoming Email.</programlisting></para>
+
+      <para>You can examine the installed filters with the <command>shorewall
+      show filters</command> command. What follows shows the output for
+      <filename class="devicefile">eth0</filename> with the filters shown
+      above. <emphasis role="bold">Bold font</emphasis> are comments
+      explaining the rules.<programlisting>gateway:~ # shorewall-lite show filters 
+Shorewall Lite 4.1.6 Clasifiers at gateway - Thu Mar 20 16:38:10 PDT 2008
+
+Device eth1:
+
+Device eth2:
+
+Device eth0:
+filter parent 1: protocol ip pref 10 u32
+filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 2:</emphasis> ht divisor 1 <emphasis
+            role="bold">  &lt;========= Start of table 2. parses TCP header</emphasis>
+<emphasis role="bold"> </emphasis>
+filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 2::800</emphasis> order 2048 key ht 2 bkt 0 <emphasis
+            role="bold">flowid 1:130</emphasis>  (rule hit 2268 success 0)
+  match c1210000/ffff0000 at nexthdr+0 (success 0 )         <emphasis
+            role="bold">  &lt;========= SOURCE PORT 49441 goes to class 1:130</emphasis>
+
+filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 2::801</emphasis> order 2049 key ht 2 bkt 0 flowid <emphasis
+            role="bold">1:130</emphasis>  (rule hit 2268 success 546)
+  match 03690000/ffff0000 at nexthdr+0 (success 546 )       <emphasis
+            role="bold">  &lt;========= SOURCE PORT 873 goes to class 1:130</emphasis>
+
+filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 1:</emphasis> ht divisor 1 <emphasis
+            role="bold">  &lt;========= Start of table 1. parses ICMP header</emphasis>
+
+filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 1::800</emphasis> order 2048 key ht 1 bkt 0 <emphasis
+            role="bold">flowid 1:110</emphasis>  (rule hit 16 success 10)
+  match 08000000/ff000000 at nexthdr+0 (success 10 )        <emphasis
+            role="bold">  &lt;========= echo-request goes to class 1:110</emphasis>
+
+filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 1::801</emphasis> order 2049 key ht 1 bkt 0 flowid 1:110  (rule hit 6 success 6)
+  match 00000000/ff000000 at nexthdr+0 (success 6 )           <emphasis
+            role="bold">&lt;========= echo-reply goes to class 1:110
+</emphasis>
+filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 800:</emphasis> ht divisor 1 <emphasis
+            role="bold">&lt;========= Start of Table 800. Packets start here!</emphasis>
+
+   <emphasis role="bold">=============== The following 2 rules are generated by the class definition in /etc/shorewall/classes ==================</emphasis>
+
+filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 800::800</emphasis> order 2048 key ht 800 bkt 0 <emphasis
+            role="bold">flowid </emphasis><emphasis role="bold">1:110</emphasis>  (rule hit 19434 success 1686)
+  match 00060000/00ff0000 at 8 (success 5359 )                <emphasis
+            role="bold">&lt;========= TCP   </emphasis> 
+  match 05000000/0f00ffc0 at 0 (success 2867 )                <emphasis
+            role="bold">&lt;========= Header length 20 and Packet Length &lt; 64</emphasis> 
+  match 00100000/00ff0000 at 32 (success 1686 )               <emphasis
+            role="bold">&lt;========= ACK</emphasis>
+
+filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 800::801</emphasis> order 2049 key ht 800 bkt 0 <emphasis
+            role="bold">flowid 1:110</emphasis>  (rule hit 17748 success 16)
+  match 00100000/00100000 at 0 (success 16 )                  <emphasis
+            role="bold">&lt;========= Minimize-delay</emphasis><emphasis
+            role="bold"> jumps to class 1:110</emphasis>
+
+   <emphasis role="bold">                     =============== Jump to Table 2 if the matches are met ==================</emphasis>
+ 
+filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 800::807</emphasis> order 2055 key ht 800 bkt 0 <emphasis
+            role="bold">link 2:</emphasis>  (rule hit 5853 success 0)
+  match ce7c92b2/ffffffff at 12 (success 0 )                  <emphasis
+            role="bold">&lt;========= SOURCE 206.124.146.178 </emphasis>               
+  match 00060000/00ff0000 at 8 (success 0 )                   <emphasis
+            role="bold">&lt;========= PROTO TCP</emphasis>
+    offset 0f00&gt;&gt;6 at 0  eat 
+filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 800::802</emphasis> order 2050 key ht 800 bkt 0 <emphasis
+            role="bold">flowid 1:110 </emphasis> (rule hit 17732 success 3800)
+  match ce7c92b2/ffffffff at 12 (success 3800 )               <emphasis
+            role="bold">&lt;========= SOURCE 206.124.146.178 goes to class 1:110</emphasis>
+
+filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 800::803</emphasis> order 2051 key ht 800 bkt 0 <emphasis
+            role="bold">flowid 1:110</emphasis>  (rule hit 13932 success 1058)
+  match ce7c92b3/ffffffff at 12 (success 1058 )               <emphasis
+            role="bold">&lt;========= SOURCE 206.124.146.179 goes to class 1:110</emphasis>
+
+filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 800::804</emphasis> order 2052 key ht 800 bkt 0 flowid 1:110  (rule hit 12874 success 7005)
+  match ce7c92b4/ffffffff at 12 (success 7005 )               <emphasis
+            role="bold">&lt;========= SOURCE 206.124.146.180 goes to class 1:110</emphasis>
+
+filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 800::805</emphasis> order 2053 key ht 800 bkt 0 <emphasis
+            role="bold">link 1:</emphasis>  (rule hit 5869 success 0)
+  match 00010000/00ff0000 at 8 (success 16 )                  <emphasis
+            role="bold">&lt;========= PROTO ICMP</emphasis> <emphasis
+            role="bold">jumps to Table 1</emphasis>
+    offset 0f00&gt;&gt;6 at 0  eat 
+
+filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 800::806</emphasis> order 2054 key ht 800 bkt 0 <emphasis
+            role="bold">link 1: </emphasis> (rule hit 5853 success 0)
+  match 00010000/00ff0000 at 8 (success 0 )                   <emphasis
+            role="bold">&lt;========= PROTO ICMP jumps to Table 1 (Shorewall-perl isn't</emphasis>
+    offset 0f00&gt;&gt;6 at 0  eat                                             <emphasis
+            role="bold">smart enough yet to suppress this duplicate rule)</emphasis>
+
+   <emphasis role="bold">                    =============== Jump to Table 2 if the matches are met ==================</emphasis>
+
+filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 800::808</emphasis> order 2056 key ht 800 bkt 0 <emphasis
+            role="bold">link 2: </emphasis> (rule hit 5853 success 0)
+  match ce7c92b1/ffffffff at 12 (success 5654 )               <emphasis
+            role="bold">&lt;========= SOURCE 206.124.146.177</emphasis>
+  match 00060000/00ff0000 at 8 (success 2268 )                <emphasis
+            role="bold">&lt;========= PROTO TCP</emphasis>
+    offset 0f00&gt;&gt;6 at 0  eat</programlisting></para>
     </section>
   </section>