diff --git a/manpages/shorewall-tcclasses.xml b/manpages/shorewall-tcclasses.xml
index 75961d01e..533427882 100644
--- a/manpages/shorewall-tcclasses.xml
+++ b/manpages/shorewall-tcclasses.xml
@@ -111,7 +111,7 @@
INTERFACE —
- interface
+ interface[:class]
Name of interface. Each interface may be
@@ -119,6 +119,14 @@
alias (e.g., eth0:0) here; see http://www.shorewall.net/FAQ.htm#faq18
+ If you are running Shorewall-perl 4.1.6 or later, you may
+ specify the interface number rather than the interface name. If the
+ classify option is given for the
+ interface in shorewall-tcdevices(5), then
+ you must also specify an interface class (an integer that must be
+ unique within classes associated with this interface).
+
You may NOT specify wildcards here, e.g. if you have multiple
ppp interfaces, you need to put them all in here!
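Review bot: The added paragraph makes the class mandatory "if the classify option is given for the interface in shorewall-tcdevices(5)", but none of the shorewall-tcdevices.xml hunks in this patch document an OPTIONS column or a classify option; only the example header there gains OPTIONS. Please add that entry to shorewall-tcdevices.xml in the same change. The paragraph should also state the permitted range for the class integer and say explicitly that the class is written after the interface, separated by a colon, as the synopsis interface[:class] implies.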
@@ -131,14 +139,17 @@
MARK —
- value
+ {-|value}
The mark value which is an integer in the
range 1-255. You set mark values in the shorewall-tcrules(5) file,
- marking the traffic you want to fit in the classes defined in
- here.
+ marking the traffic you want to fit in the classes defined in here.
+ Must be specified as '-' if the classify option is given for the interface in
+ shorewall-tcdevices(5)
You can use the same marks for different interfaces.
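Review bot: The new sentence ending "shorewall-tcdevices(5)" has no terminating period, so it runs into the following sentence when rendered. The opening of the description also still defines the column only as "an integer in the range 1-255", although the synopsis now allows '-'. Suggest rewording the first sentence to cover both forms and saying what '-' means for the class, namely that traffic is assigned through the classify mechanism instead of by mark.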
diff --git a/manpages/shorewall-tcdevices.xml b/manpages/shorewall-tcdevices.xml
index 48b5ac11b..c6c1f6e02 100644
--- a/manpages/shorewall-tcdevices.xml
+++ b/manpages/shorewall-tcdevices.xml
@@ -94,7 +94,7 @@
INTERFACE —
- interface
+ [number:]interfaceName of interface. Each interface may be
@@ -108,6 +108,13 @@
If the device doesn't exist, a warning message will be issued
during "shorewall [re]start" and "shorewall refresh" and traffic
shaping configuration will be skipped for that device.
+
+ Shorewall assigns a sequential interface
+ number to each interface (the first entry in the file is
+ interface 1, the second is interface 2 and so on) Beginning with
+ Shorewall-perl 4.1.6, you can explicitly specify the interface
+ number by prefixing the interface name with the number and a colon
+ (":"). Example: 1:eth0.
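Review bot: A period is missing after "and so on)" before "Beginning with", so two sentences run together. The paragraph also does not say whether explicitly numbered and implicitly numbered entries may be mixed in one file, or what happens when an explicit number collides with a sequentially assigned one. Since shorewall-tcclasses(5) and the new shorewall-tcfilters(5) both refer to interfaces by this number, the uniqueness rule should be stated here.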
@@ -126,7 +133,8 @@
If you don't want any traffic to be dropped, set this to a
value to zero in which case Shorewall will not create an ingress
- qdisc.
+ qdisc.Must be set to zero if the REDIRECTED INTERFACES column is
+ non-empty.
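Review bot: A space is missing between sentences in "qdisc.Must be set to zero". While this line is being touched, the preceding context "set this to a value to zero" also reads incorrectly and could be fixed to "set this value to zero". It would help to say why zero is required when REDIRECTED INTERFACES is non-empty, or at least to point to that column's description.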
@@ -140,8 +148,6 @@
speed you can refer as "full" if you define the tc classes in shorewall-tcclasses(5).
Outgoing traffic above this rate will be dropped.
-
-
@@ -157,13 +163,22 @@
url="shorewall-tcrules.html">shorewall-tcrules(5).
-
-
- This file is currently limited to ten (10) entries. Additional
- entries will cause run-time errors in the generated firewall
- script.
-
+
+ REDIRECTED INTERFACES -
+ [interface[,interface]...]
+
+
+ Added in Shorewall-perl 4.1.6. May only be specified if the
+ interface in the INTERFACE column is an Intermediate Frame Block
+ (IFB) device. Causes packets that enter each listed interface to be
+ passed through the egress filters defined for this device, thus
+ providing a form of incoming traffic shaping. When this column is
+ non-empty, the classify option is
+ assumed.
+
+
+
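Review bot: In the REDIRECTED INTERFACES description, IFB is expanded as "Intermediate Frame Block"; the Linux device is the Intermediate Functional Block, so the expansion should be corrected. The same hunk drops the warning that the file is limited to ten entries without any replacement text; if the limit no longer applies, the description should say from which version, because readers on older releases lose the warning. The new column heading also uses "-" where the existing headings in this file use "—" (for example "INTERFACE —").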
@@ -178,8 +193,9 @@
interface for this. The device has an outgoing bandwidth of 500kbit
and an incoming bandwidth of 6000kbit
- #INTERFACE IN-BANDWIDTH OUT-BANDWIDTH
- ppp0 6000kbit 500kbit
+ #INTERFACE IN-BANDWIDTH OUT-BANDWIDTH OPTIONS REDIRECTED
+ # INTERFACES
+ 1:ppp0 6000kbit 500kbit
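Review bot: The example row now uses "1:ppp0", which per the text added earlier in this file is only accepted beginning with Shorewall-perl 4.1.6, yet the example's introduction does not mention that requirement. Either keep the plain "ppp0" form in this basic example or add a sentence noting the version dependency. The header also gains OPTIONS and REDIRECTED INTERFACES columns that the example leaves empty; showing "-" placeholders or a second example that uses them would make the new columns clearer.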
diff --git a/manpages/shorewall-tcfilters.xml b/manpages/shorewall-tcfilters.xml
new file mode 100644
index 000000000..758f2606d
--- /dev/null
+++ b/manpages/shorewall-tcfilters.xml
@@ -0,0 +1,171 @@
+
+
+
+ shorewall-tcfilters
+
+ 5
+
+
+
+ tcfilters
+
+ Shorewall u32 classifier rules file
+
+
+
+
+ /etc/shorewall/tcfilters
+
+
+
+
+ Description
+
+ Entries in this file cause packets to be marked as a means of
+ classifying them for traffic control or policy routing.
+
+
+ Unlike rules in the shorewall-rules(5) file, evaluation
+ of rules in this file will continue after a match. So the final mark for
+ each packet will be the one assigned by the LAST tcrule that
+ matches.
+
+ If you use multiple internet providers with the 'track' option, in
+ /etc/shorewall/providers be sure to read the restrictions at http://shorewall.net/MultiISP.html.
+
+
+ The columns in the file are as follows.
+
+
+
+ CLASS —
+ interface:class
+
+
+ The name or number of an interface
+ defined in shorewall-tcdevices(5)
+ followed by a class number defined for
+ that interface in shorewall-tcclasses(5).
+
+
+
+
+ SOURCE — {-|address}
+
+
+ Source of the packet. May be a host or network
+ address. DNS names are not
+ allowed.
+
+
+
+
+ DEST — {-|address}}
+
+
+ Destination of the packet. Comma separated list of IP
+ addresses and/or subnets. If your kernel and iptables include
+ iprange match support, IP address ranges are also allowed. List
+ elements may also consist of an interface name followed by ":" and
+ an address (e.g., eth1:192.168.1.0/24). If the MARK column specificies a classification of
+ the form major:minor then
+ this column may also contain an interface name.
+
+ You may exclude certain hosts from the set already defined
+ through use of an exclusion (see shorewall-exclusion(5)).
+
+
+
+
+ PROTO — {-|protocol-number|protocol-name|all}
+
+
+ Protocol.
+
+
+
+
+ DEST PORT (Optional) —
+ [-|port-name-or-number]
+
+
+ Destination Ports. A Port names (from services(5)) or a
+ port number; if the protocol is icmp, this column is interpreted as the
+ destination icmp-type(s).
+
+
+
+
+ SOURCE PORT (Optional) —
+ [-|port-name-or-number]
+
+
+ Source port.
+
+
+
+
+
+
+ Example
+
+
+
+ Example 1:
+
+
+ Place all ICMP echo traffic on interface 1 in class 10.
+
+ #CLASS SOURCE DEST PROTO DEST
+ # PORT
+ 1:10 0.0.0.0/0 0.0.0.0/0 icmp echo-request
+ 1:1- 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
+
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/tcfilters
+
+
+
+ See ALSO
+
+ http://shorewall.net/traffic_shaping.htm
+
+ http://shorewall.net/MultiISP.html
+
+ http://shorewall.net/PacketMarking.html
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
+ shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
+ shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+ shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+ shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+ shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tos(5),
+ shorewall-tunnels(5), shorewall-zones(5)
+
+
\ No newline at end of file
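Review bot: The Description section of the new page reads as if copied from shorewall-tcrules(5): it says entries "cause packets to be marked" and that the final mark is "the one assigned by the LAST tcrule that matches", while the title calls this the "u32 classifier rules file" and the CLASS column assigns an interface:class, not a mark. The DEST description likewise refers to a "MARK column" that this file does not define, and lists comma-separated lists, interface prefixes and exclusions although the synopsis is only {-|address}. Please rewrite these passages for tcfilters semantics. Smaller points: the DEST synopsis has a stray closing brace in "{-|address}}", "specificies" is misspelled, "A Port names" is ungrammatical, the second example row uses "1:1-" where "1:10" appears to be intended, the heading "See ALSO" does not match the casing of "FILES", and the file lacks a trailing newline.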
diff --git a/manpages/shorewall-tcrules.xml b/manpages/shorewall-tcrules.xml
index 649058014..25b93b414 100644
--- a/manpages/shorewall-tcrules.xml
+++ b/manpages/shorewall-tcrules.xml
@@ -14,7 +14,7 @@
- /etc/shorewall/
+ /etc/shorewall/rules
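Review bot: The replacement path "/etc/shorewall/rules" looks wrong for this page; this is shorewall-tcrules.xml, so the file named in the synopsis should be /etc/shorewall/tcrules. The old value "/etc/shorewall/" was incomplete, but the new one points readers to a different configuration file.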
diff --git a/manpages/shorewall.xml b/manpages/shorewall.xml
index 936a08873..0250e3259 100644
--- a/manpages/shorewall.xml
+++ b/manpages/shorewall.xml
@@ -446,7 +446,7 @@
+ choice="req">
@@ -951,7 +951,7 @@
role="bold">refresh command, the mangle table is
refreshed along with the blacklist chain (if any). This allows you
to modify /etc/shorewall/tcrules and install
- the changes using refresh.
+ the changes using refresh.
@@ -1160,7 +1160,8 @@
- classifiers
+ classifiers|filtersDisplays information about the packet classifiers