First round of manpage updates for IFB/tcfilters

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8309 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-03-19 20:43:43 +00:00
parent 96a1c58405
commit 6f95ef2a22
5 changed files with 219 additions and 20 deletions

@ -111,7 +111,7 @@
<variablelist>
<varlistentry>
<term><emphasis role="bold">INTERFACE</emphasis>
<emphasis>interface</emphasis></term>
<emphasis>interface</emphasis>[:<emphasis>class</emphasis>]</term>
<listitem>
<para>Name of <emphasis>interface</emphasis>. Each interface may be
@ -119,6 +119,14 @@
alias (e.g., eth0:0) here; see <ulink
url="http://www.shorewall.net/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink></para>
<para>If you are running Shorewall-perl 4.1.6 or later, you may
specify the interface number rather than the interface name. If the
<emphasis role="bold">classify</emphasis> option is given for the
interface in <ulink
url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5), then
you must also specify an interface class (an integer that must be
unique within classes associated with this interface).</para>
<para>You may NOT specify wildcards here, e.g. if you have multiple
ppp interfaces, you need to put them all in here!</para>
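Review bot: the added paragraph says an interface number may be given "rather than the interface name" but never says where that number is defined; add a pointer to shorewall-tcdevices(5), which is where this commit documents the numbering. The class is described only as "an integer that must be unique within classes associated with this interface", so the accepted range should be stated, and since the term now shows [:class] as optional, the text should also say what happens when a class is supplied without the classify option.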
@ -131,14 +139,17 @@
<varlistentry>
<term><emphasis role="bold">MARK</emphasis>
<emphasis>value</emphasis></term>
{-|<emphasis>value</emphasis>}</term>
<listitem>
<para>The mark <emphasis>value</emphasis> which is an integer in the
range 1-255. You set mark values in the <ulink
url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5) file,
marking the traffic you want to fit in the classes defined in
here.</para>
marking the traffic you want to fit in the classes defined in here.
Must be specified as '-' if the <emphasis
role="bold">classify</emphasis> option is given for the interface in
<ulink
url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)</para>
<para>You can use the same marks for different interfaces.</para>
</listitem>
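Review bot: the sentence added to the MARK paragraph ends at "shorewall-tcdevices(5)" with no closing period, and the paragraph still opens with "The mark value which is an integer in the range 1-255" as though a value were always given. Suggest introducing the '-' alternative at the start of the paragraph, next to the value range, so the two cases in the new {-|value} synopsis are described in the same order they appear.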

@ -94,7 +94,7 @@
<variablelist>
<varlistentry>
<term><emphasis role="bold">INTERFACE</emphasis>
<emphasis>interface</emphasis></term>
[<emphasis>number</emphasis>:]<emphasis>interface</emphasis></term>
<listitem>
<para>Name of <emphasis>interface</emphasis>. Each interface may be
@ -108,6 +108,13 @@
<para>If the device doesn't exist, a warning message will be issued
during "shorewall [re]start" and "shorewall refresh" and traffic
shaping configuration will be skipped for that device.</para>
<para>Shorewall assigns a sequential <firstterm>interface
number</firstterm> to each interface (the first entry in the file is
interface 1, the second is interface 2 and so on) Beginning with
Shorewall-perl 4.1.6, you can explicitly specify the interface
number by prefixing the interface name with the number and a colon
(":"). Example: 1:eth0.</para>
</listitem>
</varlistentry>
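Review bot: in the new interface-number paragraph, "and so on) Beginning with" is missing the period after the closing parenthesis. The paragraph also leaves open how explicit and implicit numbering interact: it should say whether a number may be skipped or repeated, and what number an unprefixed entry receives when an earlier entry was numbered explicitly, because shorewall-tcclasses(5) and shorewall-tcfilters(5) now refer to interfaces by this number.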
@ -126,7 +133,8 @@
<para>If you don't want any traffic to be dropped, set this to a
value to zero in which case Shorewall will not create an ingress
qdisc.</para>
qdisc.Must be set to zero if the REDIRECTED INTERFACES column is
non-empty.</para>
</listitem>
</varlistentry>
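Review bot: "qdisc.Must be set to zero" needs a space after the period. Since this sentence is being touched anyway, the preceding "set this to a value to zero" should be corrected to "set this value to zero", and the new requirement would read better as its own sentence naming the column it applies to (IN-BANDWIDTH) rather than trailing the explanation of the ingress qdisc.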
@ -140,8 +148,6 @@
speed you can refer as "full" if you define the tc classes in <ulink
url="shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5).
Outgoing traffic above this rate will be dropped.</para>
<para></para>
</listitem>
</varlistentry>
@ -157,13 +163,22 @@
url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5).</para>
</listitem>
</varlistentry>
</variablelist>
<warning>
<para>This file is currently limited to ten (10) entries. Additional
entries will cause run-time errors in the generated firewall
script.</para>
</warning>
<varlistentry>
<term><emphasis role="bold">REDIRECTED INTERFACES</emphasis> -
[<emphasis>interface</emphasis>[,<emphasis>interface</emphasis>]...]</term>
<listitem>
<para>Added in Shorewall-perl 4.1.6. May only be specified if the
interface in the INTERFACE column is an Intermediate Frame Block
(IFB) device. Causes packets that enter each listed interface to be
passed through the egress filters defined for this device, thus
providing a form of incoming traffic shaping. When this column is
non-empty, the <emphasis role="bold">classify</emphasis> option is
assumed.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
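Review bot: in the REDIRECTED INTERFACES entry, IFB is expanded as "Intermediate Frame Block"; the Linux device is the Intermediate Functional Block, so the expansion should be corrected. The entry says packets are passed through "the egress filters defined for this device" without saying where those are defined; a reference to shorewall-tcfilters(5), added in this same commit, belongs here, along with a reminder that IN-BANDWIDTH must be zero for such an entry. The visible lines also show a closing variablelist tag both before the ten-entry warning and after the new entry, so please confirm the result is well-formed and that the warning is still meant to appear.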
@ -178,8 +193,9 @@
interface for this. The device has an outgoing bandwidth of 500kbit
and an incoming bandwidth of 6000kbit</para>
<programlisting> #INTERFACE IN-BANDWIDTH OUT-BANDWIDTH
ppp0 6000kbit 500kbit</programlisting>
<programlisting> #INTERFACE IN-BANDWIDTH OUT-BANDWIDTH OPTIONS REDIRECTED
# INTERFACES
1:ppp0 6000kbit 500kbit</programlisting>
</listitem>
</varlistentry>
</variablelist>
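Review bot: the example header gains OPTIONS and REDIRECTED INTERFACES columns, but the only row, "1:ppp0 6000kbit 500kbit", leaves both empty, so the feature this commit documents is never shown. Suggest keeping this row as the simple case and adding a second example with an IFB device that has IN-BANDWIDTH set to zero and at least one redirected interface, with '-' placeholders for any empty columns so the column alignment is unambiguous.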

@ -0,0 +1,171 @@
<?xml version="1.0" encoding="UTF-8"?>
<refentry>
<refmeta>
<refentrytitle>shorewall-tcfilters</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>tcfilters</refname>
<refpurpose>Shorewall u32 classifier rules file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/tcfilters</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>Entries in this file cause packets to be marked as a means of
classifying them for traffic control or policy routing.</para>
<important>
<para>Unlike rules in the <ulink
url="shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
of rules in this file will continue after a match. So the final mark for
each packet will be the one assigned by the LAST tcrule that
matches.</para>
<para>If you use multiple internet providers with the 'track' option, in
/etc/shorewall/providers be sure to read the restrictions at <ulink
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink>.</para>
</important>
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">CLASS</emphasis>
<emphasis>interface</emphasis><emphasis
role="bold">:</emphasis><emphasis>class</emphasis></term>
<listitem>
<para>The name or number of an <returnvalue>interface</returnvalue>
defined in <ulink
url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
followed by a <replaceable>class</replaceable> number defined for
that interface in <ulink
url="shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> — {<emphasis
role="bold">-</emphasis>|<emphasis>address</emphasis>}</term>
<listitem>
<para>Source of the packet. May be a host or network
<replaceable>address</replaceable>. DNS names are not
allowed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST</emphasis> — {<emphasis
role="bold">-</emphasis>|<emphasis>address</emphasis>}}</term>
<listitem>
<para>Destination of the packet. Comma separated list of IP
addresses and/or subnets. If your kernel and iptables include
iprange match support, IP address ranges are also allowed. List
elements may also consist of an interface name followed by ":" and
an address (e.g., eth1:192.168.1.0/24). If the <emphasis
role="bold">MARK</emphasis> column specificies a classification of
the form <emphasis>major</emphasis>:<emphasis>minor</emphasis> then
this column may also contain an interface name.</para>
<para>You may exclude certain hosts from the set already defined
through use of an <emphasis>exclusion</emphasis> (see <ulink
url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PROTO</emphasis> — {<emphasis
role="bold">-</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
role="bold">all}</emphasis></term>
<listitem>
<para>Protocol.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST PORT</emphasis> (Optional) —
[<emphasis
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
<listitem>
<para>Destination Ports. A Port names (from services(5)) or a
<emphasis>port number</emphasis>; if the protocol is <emphasis
role="bold">icmp</emphasis>, this column is interpreted as the
destination icmp-type(s).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SOURCE PORT</emphasis> (Optional) —
[<emphasis
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
<listitem>
<para>Source port.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Example</title>
<variablelist>
<varlistentry>
<term>Example 1:</term>
<listitem>
<para>Place all ICMP echo traffic on interface 1 in class 10.</para>
<programlisting> #CLASS SOURCE DEST PROTO DEST
# PORT
1:10 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1:1- 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/tcfilters</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
<para><ulink
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
<para><ulink
url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>
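Review bot: the Description of the new shorewall-tcfilters page appears to be carried over from tcrules and does not match the refpurpose "Shorewall u32 classifier rules file": it says entries "cause packets to be marked" and that the final mark is set by "the LAST tcrule that matches", while the columns below assign a class, not a mark. The DEST entry has the same problem, referring to a MARK column this file does not have (and misspelling "specifies" as "specificies"), and its description allows lists, ranges and exclusions although the synopsis allows only '-' or a single address. Smaller points in the same file: the DEST term ends with a doubled "}}", the PROTO term puts the closing brace inside the bold emphasis ("all}"), the CLASS entry tags the interface with returnvalue where replaceable is used for class, "A Port names" should be "A port name", and the second example row uses class "1:1-" where the text says class 10.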

@ -14,7 +14,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/</command>
<command>/etc/shorewall/rules</command>
</cmdsynopsis>
</refsynopsisdiv>

@ -446,7 +446,7 @@
<arg choice="plain"><option>show</option></arg>
<arg
choice="req"><option>actions|classifiers|connections|config|macros|zones</option></arg>
choice="req"><option>actions|classifiers|connections|config|filters|macros|zones</option></arg>
</cmdsynopsis>
<cmdsynopsis>
@ -951,7 +951,7 @@
role="bold">refresh</emphasis> command, the mangle table is
refreshed along with the blacklist chain (if any). This allows you
to modify <filename>/etc/shorewall/tcrules </filename>and install
the changes using <emphasis role="bold">refresh</emphasis>. </para>
the changes using <emphasis role="bold">refresh</emphasis>.</para>
</listitem>
</varlistentry>
@ -1160,7 +1160,8 @@
</varlistentry>
<varlistentry>
<term><emphasis role="bold">classifiers</emphasis></term>
<term><emphasis
role="bold">classifiers|filters</emphasis></term>
<listitem>
<para>Displays information about the packet classifiers