First round of manpage updates for IFB/tcfilters
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8309 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
96a1c58405
commit
6f95ef2a22
@ -111,7 +111,7 @@
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">INTERFACE</emphasis> —
|
||||
<emphasis>interface</emphasis></term>
|
||||
<emphasis>interface</emphasis>[:<emphasis>class</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Name of <emphasis>interface</emphasis>. Each interface may be
|
||||
@ -119,6 +119,14 @@
|
||||
alias (e.g., eth0:0) here; see <ulink
|
||||
url="http://www.shorewall.net/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink></para>
|
||||
|
||||
<para>If you are running Shorewall-perl 4.1.6 or later, you may
|
||||
specify the interface number rather than the interface name. If the
|
||||
<emphasis role="bold">classify</emphasis> option is given for the
|
||||
interface in <ulink
|
||||
url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5), then
|
||||
you must also specify an interface class (an integer that must be
|
||||
unique within classes associated with this interface).</para>
|
||||
|
||||
<para>You may NOT specify wildcards here, e.g. if you have multiple
|
||||
ppp interfaces, you need to put them all in here!</para>
|
||||
|
||||
@ -131,14 +139,17 @@
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">MARK</emphasis> —
|
||||
<emphasis>value</emphasis></term>
|
||||
{-|<emphasis>value</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>The mark <emphasis>value</emphasis> which is an integer in the
|
||||
range 1-255. You set mark values in the <ulink
|
||||
url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5) file,
|
||||
marking the traffic you want to fit in the classes defined in
|
||||
here.</para>
|
||||
marking the traffic you want to fit in the classes defined in here.
|
||||
Must be specified as '-' if the <emphasis
|
||||
role="bold">classify</emphasis> option is given for the interface in
|
||||
<ulink
|
||||
url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)</para>
|
||||
|
||||
<para>You can use the same marks for different interfaces.</para>
|
||||
</listitem>
|
||||
|
@ -94,7 +94,7 @@
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">INTERFACE</emphasis> —
|
||||
<emphasis>interface</emphasis></term>
|
||||
[<emphasis>number</emphasis>:]<emphasis>interface</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Name of <emphasis>interface</emphasis>. Each interface may be
|
||||
@ -108,6 +108,13 @@
|
||||
<para>If the device doesn't exist, a warning message will be issued
|
||||
during "shorewall [re]start" and "shorewall refresh" and traffic
|
||||
shaping configuration will be skipped for that device.</para>
|
||||
|
||||
<para>Shorewall assigns a sequential <firstterm>interface
|
||||
number</firstterm> to each interface (the first entry in the file is
|
||||
interface 1, the second is interface 2 and so on) Beginning with
|
||||
Shorewall-perl 4.1.6, you can explicitly specify the interface
|
||||
number by prefixing the interface name with the number and a colon
|
||||
(":"). Example: 1:eth0.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -126,7 +133,8 @@
|
||||
|
||||
<para>If you don't want any traffic to be dropped, set this to a
|
||||
value to zero in which case Shorewall will not create an ingress
|
||||
qdisc.</para>
|
||||
qdisc.Must be set to zero if the REDIRECTED INTERFACES column is
|
||||
non-empty.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -140,8 +148,6 @@
|
||||
speed you can refer as "full" if you define the tc classes in <ulink
|
||||
url="shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5).
|
||||
Outgoing traffic above this rate will be dropped.</para>
|
||||
|
||||
<para></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -157,13 +163,22 @@
|
||||
url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<warning>
|
||||
<para>This file is currently limited to ten (10) entries. Additional
|
||||
entries will cause run-time errors in the generated firewall
|
||||
script.</para>
|
||||
</warning>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">REDIRECTED INTERFACES</emphasis> -
|
||||
[<emphasis>interface</emphasis>[,<emphasis>interface</emphasis>]...]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall-perl 4.1.6. May only be specified if the
|
||||
interface in the INTERFACE column is an Intermediate Frame Block
|
||||
(IFB) device. Causes packets that enter each listed interface to be
|
||||
passed through the egress filters defined for this device, thus
|
||||
providing a form of incoming traffic shaping. When this column is
|
||||
non-empty, the <emphasis role="bold">classify</emphasis> option is
|
||||
assumed.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
@ -178,8 +193,9 @@
|
||||
interface for this. The device has an outgoing bandwidth of 500kbit
|
||||
and an incoming bandwidth of 6000kbit</para>
|
||||
|
||||
<programlisting> #INTERFACE IN-BANDWIDTH OUT-BANDWIDTH
|
||||
ppp0 6000kbit 500kbit</programlisting>
|
||||
<programlisting> #INTERFACE IN-BANDWIDTH OUT-BANDWIDTH OPTIONS REDIRECTED
|
||||
# INTERFACES
|
||||
1:ppp0 6000kbit 500kbit</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
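--- /dev/null
+++ b/manpages/shorewall-tcfilters.xml
@@ -0,0 +1,171 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<refentry>
+<refmeta>
+<refentrytitle>shorewall-tcfilters</refentrytitle>
+
+<manvolnum>5</manvolnum>
+</refmeta>
+
+<refnamediv>
+<refname>tcfilters</refname>
+
+<refpurpose>Shorewall u32 classifier rules file</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+<cmdsynopsis>
+<command>/etc/shorewall/tcfilters</command>
+</cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+<title>Description</title>
+
+<para>Entries in this file cause packets to be marked as a means of
+classifying them for traffic control or policy routing.</para>
+
+<important>
+<para>Unlike rules in the <ulink
+url="shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
+of rules in this file will continue after a match. So the final mark for
+each packet will be the one assigned by the LAST tcrule that
+matches.</para>
+
+<para>If you use multiple internet providers with the 'track' option, in
+/etc/shorewall/providers be sure to read the restrictions at <ulink
+url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink>.</para>
+</important>
+
+<para>The columns in the file are as follows.</para>
+
+<variablelist>
+<varlistentry>
+<term><emphasis role="bold">CLASS</emphasis> —
+<emphasis>interface</emphasis><emphasis
+role="bold">:</emphasis><emphasis>class</emphasis></term>
+
+<listitem>
+<para>The name or number of an <returnvalue>interface</returnvalue>
+defined in <ulink
+url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
+followed by a <replaceable>class</replaceable> number defined for
+that interface in <ulink
+url="shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5).</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><emphasis role="bold">SOURCE</emphasis> — {<emphasis
+role="bold">-</emphasis>|<emphasis>address</emphasis>}</term>
+
+<listitem>
+<para>Source of the packet. May be a host or network
+<replaceable>address</replaceable>. DNS names are not
+allowed.</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><emphasis role="bold">DEST</emphasis> — {<emphasis
+role="bold">-</emphasis>|<emphasis>address</emphasis>}}</term>
+
+<listitem>
+<para>Destination of the packet. Comma separated list of IP
+addresses and/or subnets. If your kernel and iptables include
+iprange match support, IP address ranges are also allowed. List
+elements may also consist of an interface name followed by ":" and
+an address (e.g., eth1:192.168.1.0/24). If the <emphasis
+role="bold">MARK</emphasis> column specificies a classification of
+the form <emphasis>major</emphasis>:<emphasis>minor</emphasis> then
+this column may also contain an interface name.</para>
+
+<para>You may exclude certain hosts from the set already defined
+through use of an <emphasis>exclusion</emphasis> (see <ulink
+url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><emphasis role="bold">PROTO</emphasis> — {<emphasis
+role="bold">-</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
+role="bold">all}</emphasis></term>
+
+<listitem>
+<para>Protocol.</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><emphasis role="bold">DEST PORT</emphasis> (Optional) —
+[<emphasis
+role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
+
+<listitem>
+<para>Destination Ports. A Port names (from services(5)) or a
+<emphasis>port number</emphasis>; if the protocol is <emphasis
+role="bold">icmp</emphasis>, this column is interpreted as the
+destination icmp-type(s).</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><emphasis role="bold">SOURCE PORT</emphasis> (Optional) —
+[<emphasis
+role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
+
+<listitem>
+<para>Source port.</para>
+</listitem>
+</varlistentry>
+</variablelist>
+</refsect1>
+
+<refsect1>
+<title>Example</title>
+
+<variablelist>
+<varlistentry>
+<term>Example 1:</term>
+
+<listitem>
+<para>Place all ICMP echo traffic on interface 1 in class 10.</para>
+
+<programlisting> #CLASS SOURCE DEST PROTO DEST
+# PORT
+1:10 0.0.0.0/0 0.0.0.0/0 icmp echo-request
+1:1- 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
+</programlisting>
+</listitem>
+</varlistentry>
+</variablelist>
+</refsect1>
+
+<refsect1>
+<title>FILES</title>
+
+<para>/etc/shorewall/tcfilters</para>
+</refsect1>
+
+<refsect1>
+<title>See ALSO</title>
+
+<para><ulink
+url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
+
+<para><ulink
+url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
+
+<para><ulink
+url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>
+
+<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
+shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
+shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tos(5),
+shorewall-tunnels(5), shorewall-zones(5)</para>
+</refsect1>
+</refentry>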
@ -14,7 +14,7 @@
|
||||
|
||||
<refsynopsisdiv>
|
||||
<cmdsynopsis>
|
||||
<command>/etc/shorewall/</command>
|
||||
<command>/etc/shorewall/rules</command>
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
|
||||
|
@ -446,7 +446,7 @@
|
||||
<arg choice="plain"><option>show</option></arg>
|
||||
|
||||
<arg
|
||||
choice="req"><option>actions|classifiers|connections|config|macros|zones</option></arg>
|
||||
choice="req"><option>actions|classifiers|connections|config|filters|macros|zones</option></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
@ -951,7 +951,7 @@
|
||||
role="bold">refresh</emphasis> command, the mangle table is
|
||||
refreshed along with the blacklist chain (if any). This allows you
|
||||
to modify <filename>/etc/shorewall/tcrules </filename>and install
|
||||
the changes using <emphasis role="bold">refresh</emphasis>. </para>
|
||||
the changes using <emphasis role="bold">refresh</emphasis>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1160,7 +1160,8 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">classifiers</emphasis></term>
|
||||
<term><emphasis
|
||||
role="bold">classifiers|filters</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Displays information about the packet classifiers
|
||||
|