mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-08 16:54:10 +01:00
More manpage updates
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9943 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
073eea1e9e
commit
43faa0880a
@ -49,8 +49,10 @@
|
||||
role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
|
||||
role="bold">SAVE</emphasis>[<emphasis
|
||||
role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
|
||||
role="bold">CONTINUE</emphasis>|SAME|<emphasis
|
||||
role="bold">COMMENT</emphasis>|IPMARK[([(<emphasis
|
||||
role="bold">CONTINUE</emphasis>|<emphasis
|
||||
role="bold">SAME</emphasis>|<emphasis
|
||||
role="bold">COMMENT</emphasis>|<emphasis
|
||||
role="bold">IPMARK</emphasis>[([(<emphasis
|
||||
role="bold">src</emphasis>|<emphasis
|
||||
role="bold">dst</emphasis>}][,[<emphasis>mask1</emphasis>][,[<emphasis>mask2</emphasis>][,[<emphasis>shift</emphasis>]]]]])]}[<emphasis
|
||||
role="bold">:</emphasis>{<emphasis role="bold">C</emphasis>|<emphasis
|
||||
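Review bot: the grouping in the new IPMARK alternative does not balance. In `IPMARK[([(` the src/dst choice is opened with `(` but closed with `}` after `dst`, and the segment from `IPMARK[` to `)]}` has nine `]` against eight `[`. Suggest opening the choice with `{`, as in `{src|dst}`, and recounting the closing brackets after `shift` so the nesting of the optional arguments is unambiguous to readers of the rendered synopsis.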
@ -283,7 +285,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
to each matching packet based on the either the source or
|
||||
destination IP address. By default, it assigns a mark value
|
||||
equal to the low-order 8 bits of the source address. Default
|
||||
values are: </para>
|
||||
values are:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>src</member>
|
||||
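Review bot: the context line just above the whitespace fix still reads "based on the either the source or destination IP address", which has a stray "the". Since this paragraph is being touched anyway, suggest "based on either the source or destination IP address" in the same change.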
@ -319,7 +321,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
|
||||
<member>0x8400 >> 8 = 0x84</member>
|
||||
|
||||
<member>Mark = 0x84 = 132 </member>
|
||||
<member>Mark = 0x84 = 132</member>
|
||||
</simplelist>
|
||||
</blockquote>
|
||||
</listitem>
|
||||
|
@ -287,6 +287,41 @@
|
||||
</note>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">occurs</emphasis>=<emphasis>number</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Typically used with an IPMARK entry in tcrules. Causes
|
||||
the rule to be replicated for a total of
|
||||
<emphasis>number</emphasis> rules. Each rule has a
|
||||
successively class number and mark value.</para>
|
||||
|
||||
<para>When 'occurs' is used:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The associated device may not have the 'classify'
|
||||
option.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The class may not be the default class.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The class may not have any 'tos=' options (including
|
||||
'tcp-ack').</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>The 'RATE' and 'CEIL' parameters apply to each instance
|
||||
of the class. So the total RATE represented by an entry with
|
||||
'occurs' will be the listed RATE multiplied by
|
||||
<emphasis>number</emphasis>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
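Review bot: the new `occurs` description has a missing word in "Each rule has a successively class number and mark value", so it does not say how the class number and mark change between instances. Suggest "successively higher" if that is the intent. The paragraph also says the "rule" is replicated into "number rules" while the rest of the entry speaks of "each instance of the class"; using "class" throughout would make it clear what is replicated. The last paragraph states the total RATE for the entry but says nothing about the aggregate CEIL, which is worth a sentence because that is the figure an operator sizing the link needs.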
@ -50,7 +50,10 @@
|
||||
role="bold">SAVE</emphasis>[<emphasis
|
||||
role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
|
||||
role="bold">CONTINUE</emphasis>|<emphasis
|
||||
role="bold">COMMENT</emphasis>}[<emphasis
|
||||
role="bold">COMMENT</emphasis>|<emphasis
|
||||
role="bold">IPMARK</emphasis>[([(<emphasis
|
||||
role="bold">src</emphasis>|<emphasis
|
||||
role="bold">dst</emphasis>}][,[<emphasis>mask1</emphasis>][,[<emphasis>mask2</emphasis>][,[<emphasis>shift</emphasis>]]]]])]}[<emphasis
|
||||
role="bold">:</emphasis>{<emphasis role="bold">C</emphasis>|<emphasis
|
||||
role="bold">F</emphasis>|<emphasis role="bold">P</emphasis>|<emphasis
|
||||
role="bold">T</emphasis>|<emphasis role="bold">CF</emphasis>|<emphasis
|
||||
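Review bot: in the replacement for `COMMENT}[`, the added IPMARK alternative opens the src/dst choice with `(` in `IPMARK[([(` and closes it with `}`, and the closing `]` after `shift` outnumber the opening `[` by one. Suggest `{src|dst}` for the choice and a recount of the trailing brackets before `)]}`.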
@ -241,6 +244,52 @@
|
||||
<para>To stop the comment from being attached to further rules,
|
||||
simply include COMMENT on a line by itself.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">IPMARK</emphasis> ‒ Assigns a mark
|
||||
to each matching packet based on the either the source or
|
||||
destination IP address. By default, it assigns a mark value
|
||||
equal to the low-order 8 bits of the source address. Default
|
||||
values are:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>src</member>
|
||||
|
||||
<member><emphasis>mask1</emphasis> = 0xFF</member>
|
||||
|
||||
<member><emphasis>mask2</emphasis> = 0x00</member>
|
||||
|
||||
<member><emphasis>shift</emphasis> = 0</member>
|
||||
</simplelist>
|
||||
|
||||
<para>'src' and 'dst' specify whether the mark is to be based on
|
||||
the source or destination address respectively. The selected
|
||||
address is first LANDed with <emphasis>mask1</emphasis> then
|
||||
LORed with <emphasis>ma<emphasis>s</emphasis>k2</emphasis>. The
|
||||
result is then shifted <emphasis>shift</emphasis> bits to the
|
||||
right.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<blockquote>
|
||||
<para><simplelist>
|
||||
<member>IPMARK(dst, 0XFF00, 0x8000,8)</member>
|
||||
|
||||
<member>Destination IP address is 192.168.4.3 =
|
||||
0xc0a80103</member>
|
||||
</simplelist>Meaning:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>0xc0a80403 LAND 0xFF00 = 0x0400</member>
|
||||
|
||||
<member>0x0400 LOR 0x80 = 0x8400</member>
|
||||
|
||||
<member>0x8400 >> 8 = 0x84</member>
|
||||
|
||||
<member>Mark = 0x84 = 132</member>
|
||||
</simplelist>
|
||||
</blockquote>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
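Review bot: the worked IPMARK example is internally inconsistent, which matters because readers will copy it to predict marks. "Destination IP address is 192.168.4.3 = 0xc0a80103" gives the hex for a different third octet than the address shown, while the Meaning list starts from 0xc0a80403; the two should agree. The second step, "0x0400 LOR 0x80 = 0x8400", uses 0x80 although the example passes mask2 as 0x8000, and only 0x8000 yields 0x8400. Smaller points in the same hunk: `ma<emphasis>s</emphasis>k2` nests an emphasis element inside the word and should be plain `<emphasis>mask2</emphasis>`; "based on the either the source" has a stray "the"; and `0XFF00` uses a capital X unlike the other hex literals.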