diff --git a/manpages/shorewall-tcclasses.xml b/manpages/shorewall-tcclasses.xml index 75961d01e..533427882 100644 --- a/manpages/shorewall-tcclasses.xml +++ b/manpages/shorewall-tcclasses.xml @@ -111,7 +111,7 @@ INTERFACE — - interface + interface[:class] Name of interface. Each interface may be @@ -119,6 +119,14 @@ alias (e.g., eth0:0) here; see http://www.shorewall.net/FAQ.htm#faq18 + If you are running Shorewall-perl 4.1.6 or later, you may + specify the interface number rather than the interface name. If the + classify option is given for the + interface in shorewall-tcdevices(5), then + you must also specify an interface class (an integer that must be + unique within classes associated with this interface). + You may NOT specify wildcards here, e.g. if you have multiple ppp interfaces, you need to put them all in here! @@ -131,14 +139,17 @@ MARK — - value + {-|value} The mark value which is an integer in the range 1-255. You set mark values in the shorewall-tcrules(5) file, - marking the traffic you want to fit in the classes defined in - here. + marking the traffic you want to fit in the classes defined in here. + Must be specified as '-' if the classify option is given for the interface in + shorewall-tcdevices(5) You can use the same marks for different interfaces. diff --git a/manpages/shorewall-tcdevices.xml b/manpages/shorewall-tcdevices.xml index 48b5ac11b..c6c1f6e02 100644 --- a/manpages/shorewall-tcdevices.xml +++ b/manpages/shorewall-tcdevices.xml @@ -94,7 +94,7 @@ INTERFACE — - interface + [number:]interface Name of interface. Each interface may be 
@@ -108,6 +108,13 @@ If the device doesn't exist, a warning message will be issued during "shorewall [re]start" and "shorewall refresh" and traffic shaping configuration will be skipped for that device. + + Shorewall assigns a sequential interface + number to each interface (the first entry in the file is + interface 1, the second is interface 2 and so on) Beginning with + Shorewall-perl 4.1.6, you can explicitly specify the interface + number by prefixing the interface name with the number and a colon + (":"). Example: 1:eth0. @@ -126,7 +133,8 @@ If you don't want any traffic to be dropped, set this to a value to zero in which case Shorewall will not create an ingress - qdisc. + qdisc.Must be set to zero if the REDIRECTED INTERFACES column is + non-empty. @@ -140,8 +148,6 @@ speed you can refer as "full" if you define the tc classes in shorewall-tcclasses(5). Outgoing traffic above this rate will be dropped. - - @@ -157,13 +163,22 @@ url="shorewall-tcrules.html">shorewall-tcrules(5). - - - This file is currently limited to ten (10) entries. Additional - entries will cause run-time errors in the generated firewall - script. - + + REDIRECTED INTERFACES - + [interface[,interface]...] + + + Added in Shorewall-perl 4.1.6. May only be specified if the + interface in the INTERFACE column is an Intermediate Frame Block + (IFB) device. Causes packets that enter each listed interface to be + passed through the egress filters defined for this device, thus + providing a form of incoming traffic shaping. When this column is + non-empty, the classify option is + assumed. + + + @@ -178,8 +193,9 @@ interface for this. The device has an outgoing bandwidth of 500kbit and an incoming bandwidth of 6000kbit - #INTERFACE IN-BANDWIDTH OUT-BANDWIDTH - ppp0 6000kbit 500kbit + #INTERFACE IN-BANDWIDTH OUT-BANDWIDTH OPTIONS REDIRECTED + # INTERFACES + 1:ppp0 6000kbit 500kbit 
diff --git a/manpages/shorewall-tcfilters.xml b/manpages/shorewall-tcfilters.xml new file mode 100644 index 000000000..758f2606d --- /dev/null +++ b/manpages/shorewall-tcfilters.xml 
@@ -0,0 +1,171 @@ + + + + shorewall-tcfilters + + 5 + + + + tcfilters + + Shorewall u32 classifier rules file + + + + + /etc/shorewall/tcfilters + + + + + Description + + Entries in this file cause packets to be marked as a means of + classifying them for traffic control or policy routing. + + + Unlike rules in the shorewall-rules(5) file, evaluation + of rules in this file will continue after a match. So the final mark for + each packet will be the one assigned by the LAST tcrule that + matches. + + If you use multiple internet providers with the 'track' option, in + /etc/shorewall/providers be sure to read the restrictions at http://shorewall.net/MultiISP.html. + + + The columns in the file are as follows. + + + + CLASS — + interface:class + + + The name or number of an interface + defined in shorewall-tcdevices(5) + followed by a class number defined for + that interface in shorewall-tcclasses(5). + + + + + SOURCE — {-|address} + + + Source of the packet. May be a host or network + address. DNS names are not + allowed. + + + + + DEST — {-|address}} + + + Destination of the packet. Comma separated list of IP + addresses and/or subnets. If your kernel and iptables include + iprange match support, IP address ranges are also allowed. List + elements may also consist of an interface name followed by ":" and + an address (e.g., eth1:192.168.1.0/24). If the MARK column specificies a classification of + the form major:minor then + this column may also contain an interface name. + + You may exclude certain hosts from the set already defined + through use of an exclusion (see shorewall-exclusion(5)). + + + + + PROTO — {-|protocol-number|protocol-name|all} + + + Protocol. + + + + + DEST PORT (Optional) — + [-|port-name-or-number] + + + Destination Ports. A Port names (from services(5)) or a + port number; if the protocol is icmp, this column is interpreted as the + destination icmp-type(s). + + + + + SOURCE PORT (Optional) — + [-|port-name-or-number] + + + Source port. 
+ + + + + + + Example + + + + Example 1: + + + Place all ICMP echo traffic on interface 1 in class 10. + + #CLASS SOURCE DEST PROTO DEST + # PORT + 1:10 0.0.0.0/0 0.0.0.0/0 icmp echo-request + 1:1- 0.0.0.0/0 0.0.0.0/0 icmp echo-reply + + + + + + + + FILES + + /etc/shorewall/tcfilters + + + + See ALSO + + http://shorewall.net/traffic_shaping.htm + + http://shorewall.net/MultiISP.html + + http://shorewall.net/PacketMarking.html + + shorewall(8), shorewall-accounting(5), shorewall-actions(5), + shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5), + shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5), + shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), + shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), + shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), + shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), + shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tos(5), + shorewall-tunnels(5), shorewall-zones(5) + + \ No newline at end of file diff --git a/manpages/shorewall-tcrules.xml b/manpages/shorewall-tcrules.xml index 649058014..25b93b414 100644 --- a/manpages/shorewall-tcrules.xml +++ b/manpages/shorewall-tcrules.xml @@ -14,7 +14,7 @@ - /etc/shorewall/ + /etc/shorewall/rules diff --git a/manpages/shorewall.xml b/manpages/shorewall.xml index 936a08873..0250e3259 100644 --- a/manpages/shorewall.xml +++ b/manpages/shorewall.xml @@ -446,7 +446,7 @@ + choice="req"> @@ -951,7 +951,7 @@ role="bold">refresh command, the mangle table is refreshed along with the blacklist chain (if any). This allows you to modify /etc/shorewall/tcrules and install - the changes using refresh. + the changes using refresh. @@ -1160,7 +1160,8 @@ - classifiers + classifiers|filters Displays information about the packet classifiers
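Review bot: the INTERFACE synopsis `interface[:class]` in the tcclasses hunk at @@ -111 disagrees with the paragraph added at @@ -119, which allows the interface number in place of the name; the synopsis should read `{interface|number}[:class]` so the two agree. The added paragraph should also say what the class number is for: it is the `class` part of the `interface:class` value used in the CLASS column of the new shorewall-tcfilters(5) file, which is why it must be unique among the classes of one interface. Without that cross-reference the uniqueness rule reads as arbitrary.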
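Review bot: in the tcclasses MARK hunk at @@ -131 the added sentence `Must be specified as '-' if the classify option is given ...` has no terminating period, and the preceding sentence still states that the mark "is an integer in the range 1-255", which now contradicts the `{-|value}` synopsis. Suggest folding the two together, e.g. `The mark value, an integer in the range 1-255, or '-' if the classify option is given for the interface in shorewall-tcdevices(5).`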
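Review bot: in the tcdevices hunk at @@ -108 a period is missing after the closing parenthesis: `... the second is interface 2 and so on) Beginning with Shorewall-perl 4.1.6 ...`. The paragraph should also state whether an explicit number has to be unique within the file and whether the implicit sequence continues from the last explicit number, since `1:eth0` is the only case shown and a mixed file (some entries numbered, some not) is otherwise ambiguous.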
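Review bot: in the tcdevices hunk at @@ -126 `qdisc.Must be set to zero` is missing the space after the period, and the sentence it is appended to still reads `set this to a value to zero` (should be `set this to zero`). Since the sentence is being touched anyway, the new restriction should say what happens when it is violated (compile-time error, or is the ingress qdisc silently skipped?); the REDIRECTED INTERFACES description added later in the same file does not say either.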
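Review bot: in the tcdevices hunk at @@ -157 IFB is expanded as `Intermediate Frame Block`; the device is the Intermediate Functional Block device (the kernel `ifb` module), so the expansion should be corrected. The same hunk deletes the note that the file is limited to ten (10) entries: if that limit is lifted in 4.1.6 the text should say so explicitly, and if it is not, the note has to stay, because the deleted warning says exceeding the limit causes run-time errors in the generated script. Finally, `the classify option is assumed` should cross-reference its consequence in shorewall-tcclasses(5), namely that MARK must then be '-' for every class on that interface.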
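Review bot: the tcdevices example hunk at @@ -178 never shows the new REDIRECTED INTERFACES column in use: the headers `OPTIONS` and `REDIRECTED INTERFACES` are added, but the single `1:ppp0 6000kbit 500kbit` entry leaves both empty. A second example with an IFB device as the INTERFACE, IN-BANDWIDTH set to zero as the new text requires, and the physical interface listed under REDIRECTED INTERFACES would show the one valid combination the page describes; as it stands the reader has to guess the layout, including whether the two-line header (`REDIRECTED` on one line, `# INTERFACES` on the next) is part of the file format.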
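Review bot: the Description section of the new shorewall-tcfilters.xml is copied from shorewall-tcrules(5) and does not describe this file: it talks about packets being marked, about the mark assigned by the LAST matching tcrule, and about the 'track' option in /etc/shorewall/providers, while the page title says the file holds `u32 classifier rules`, i.e. filters that place packets directly into a tc class with no mark involved. The column text has the same origin: DEST refers to a MARK column (`If the MARK column specificies a classification of the form major:minor ...`) that this file does not have, and it offers comma-separated lists, `interface:address` elements and exclusions, none of which the SOURCE column allows; either the compiler really implements those for u32 filters, in which case SOURCE should say the same, or DEST should be cut down to what SOURCE says (a single host or network address, DNS names not allowed). Smaller points in the same hunk: `{-|address}}` has an extra brace; `A Port names (from services(5))` should be `A port name (from services(5))`; the second example line reads `1:1-` where the prose ("in class 10") implies `1:10`; `See ALSO` should match the other man pages' `See Also`; and the file ends without a trailing newline (`\ No newline at end of file`).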
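Review bot: the tcrules.xml hunk at @@ -14 replaces the incomplete synopsis path `/etc/shorewall/` with `/etc/shorewall/rules`, which is the file documented by shorewall-rules(5); this page documents the tcrules file, so the line should be `/etc/shorewall/tcrules`.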
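Review bot: in the shorewall.xml hunk at @@ -1160 the description `Displays information about the packet classifiers` is left unchanged even though the synopsis now reads `classifiers|filters`, so nothing tells the reader that `filters` is a synonym for `classifiers` or that the output covers the u32 filters defined in the new shorewall-tcfilters(5) file. Suggest extending that sentence accordingly and checking that shorewall-tcfilters(5) is added to the See Also list of shorewall(8), which this diff does not touch.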