Try to avoid TC confusion

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9401 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2009-02-03 23:56:17 +00:00
parent f35013649e
commit 7d395d3571
5 changed files with 163 additions and 67 deletions

View File

@ -941,6 +941,11 @@ Shorewall has detected the following iptables/netfilter capabilities:
been eliminated and the Shorewall-perl compiler uses Perl's interfaces
to getprotobyname(3posix) and getservbyname(3posix).</para>
</note></para>
<para>Also, unless otherwise documented, a protocol number/name can be
preceded by '!' to specify "All protocols except this one" (e.g., "!tcp").
Shorewall-perl support for that feature was added in Shorewall
4.2.6.</para>
</section>
<section id="Ranges">
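Review bot: the new paragraph at the end of this hunk says only that Shorewall-perl gained "!" support in 4.2.6; it should also say what the Shorewall-shell compiler and earlier Shorewall-perl releases do with a leading "!" (reject the rule or silently ignore the negation), because a rule written as "!tcp" that is read as "tcp" matches the opposite of what was intended. It would also help to state plainly that a negated protocol matches every other protocol, so "!tcp" in an ACCEPT or DNAT rule is far broader than a single protocol name suggests.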
@ -956,6 +961,11 @@ DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
<para>If you omit the low port number, a value of zero is assumed; if you
omit the high port number, a value of 65535 is assumed.</para>
<para>Also, unless otherwise documented, a port range can be preceded by
'!' to specify "All ports except those in this range" (e.g.,
"!4000:4100"). Shorewall-perl support for that feature was added in
Shorewall 4.2.6.</para>
</section>
<section id="Portlists">
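Review bot: the added paragraph should say whether the defaulting rule directly above it (omitted low port is 0, omitted high port is 65535) also applies inside a negated range, i.e. whether "!:1023" and "!1024:" are accepted and mean "all ports except 0-1023" and "all ports except 1024-65535"; as written, only the fully specified form "!4000:4100" is shown.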
@ -993,6 +1003,10 @@ DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
versions earlier than 4.0.5 will never break a list longer than 15 ports
(with each range counting as two ports) into smaller lists.</para>
</note>
<para>Also, unless otherwise documented, a port list can be preceded by
'!' to specify "All ports except these" (e.g., "!80,443"). Shorewall-perl
support for that feature was added in Shorewall 4.2.6.</para>
</section>
<section id="MAC">
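Review bot: the note just above the added paragraph says that, from 4.0.5 on, a list longer than 15 ports is broken into several smaller lists. A negated list cannot be split that way: a rule for "!a,...,o" followed by a rule for "!p" matches port p in the first rule and ports a through o in the second, the opposite of the intent. The paragraph should state the limit for a negated list (or whatever the compiler does with a long one), otherwise a long negated list could silently turn into a much more permissive rule set.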

View File

@ -686,7 +686,10 @@ ppp0 6000kbit 500kbit</programlisting>
<note>
<para>The "T" qualifier was added in Shorewall version 3.3.6 and
is not available in earlier versions.</para>
is not available in earlier versions. <emphasis role="bold">Use
this qualifier if you want the rule to apply equally to traffic
being routed through the firewall and to traffic originating on
the firewall itself.</emphasis></para>
</note>
<para>Normally, the mark is applied to the packet. If you follow the
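Review bot: the new bold sentence recommends :T for rules that should cover both routed and firewall-originated traffic, but the SOURCE description later in this file says an interface name (with or without an address list) may not be used in rules with the :T qualifier. Add a cross-reference here, e.g. "(see the restrictions on interface names in the SOURCE column below)", so readers do not convert a rule with an interface-name SOURCE to :T and, on getting an error, rewrite it with 0.0.0.0/0 and lose the interface restriction.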
@ -780,35 +783,78 @@ ppp0 6000kbit 500kbit</programlisting>
</listitem>
<listitem>
<para>SOURCE - Source of the packet. A comma-separated list of
interface names, IP addresses, MAC addresses and/or subnets for
packets being routed through a common path. List elements may also
consist of an interface name followed by ":" and an address (e.g.,
eth1:192.168.1.0/24). For example, all packets for connections
masqueraded to eth0 from other interfaces can be matched in a single
rule with several alternative SOURCE criteria. However, a connection
whose packets gets to eth0 in a different way, e.g., direct from the
firewall itself, needs a different rule.</para>
<para>SOURCE - Source of the packet. </para>
<para>Accordingly, use $FW in its own separate rule for packets
originating on the firewall. In such a rule, the MARK column may NOT
specify either ":P" or ":F" because marking for firewall-originated
packets always occurs in the OUTPUT chain.</para>
<para>May be:</para>
<orderedlist>
<listitem>
<para>An interface name - matches traffic entering the firewall
on the specified interface. May not be used in classify rules or
in rules using the :T chain qualifier.</para>
</listitem>
<listitem>
<para>A comma-separated list of host or network IP addresses or
MAC addresses. <emphasis role="bold">This form will not match
traffic that originates on the firewall itself unless either
&lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used in
the MARK column.</emphasis></para>
<para>Examples:<simplelist>
<member>0.0.0.0/0</member>
</simplelist></para>
<para><simplelist>
<member>192.168.1.0/24, 172.20.4.0/24</member>
</simplelist></para>
</listitem>
<listitem>
<para>An interface name followed by a colon (":") followed by a
comma-separated list of host or network IP addresses or MAC
addresses. May not be used in classify rules or in rules using
the :T chain qualifier.</para>
</listitem>
<listitem>
<para>$FW optionally followed by a colon (":") and a
comma-separated list of host or network IP addresses. matches
packets originating on the firewall. May not be used with a
chain qualifier (:P, :F, etc.) in the MARK column.</para>
</listitem>
</orderedlist>
<para>MAC addresses must be prefixed with "~" and use "-" as a
separator.</para>
<para>Example: ~00-A0-C9-15-39-78</para>
<para>If your kernel includes iprange match support, then address
ranges may be included in the address lists.</para>
</listitem>
<listitem>
<para>DEST - Destination of the packet. Comma separated list of IP
addresses and/or subnets. If your kernel and iptables include
iprange match support, IP address ranges are also allowed. List
elements may also consist of an interface name followed by ":" and
an address (e.g., eth1:192.168.1.0/24). If the MARK column specifies
a classification of the form &lt;major&gt;:&lt;minor&gt; then this
column may also contain an interface name.</para>
<para>DEST - Destination of the packet. </para>
<para>May be:</para>
<orderedlist>
<listitem>
<para>An interface name. May not be used in the PREROUTING chain
(:P in the mark column or no chain qualifier and
MARK_IN_FORWARD_CHAIN=No in <ulink
url="manpages/shorewall.conf">shorewall.conf</ulink> (5)). The
interface name may be optionally followed by a colon (":") and
an IP address list.</para>
</listitem>
<listitem>
<para>A comma-separated list of host or network IP addresses.
The list may include ip address ranges if your kernel and
iptables include iprange support.</para>
</listitem>
</orderedlist>
</listitem>
<listitem>
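Review bot: two typos in the new SOURCE text: in item 2, "&lt;major&gt;&lt;minor&gt;" is missing the colon and should read "&lt;major&gt;:&lt;minor&gt;" (as the DEST text in this same hunk has it), and in item 4 "addresses. matches packets" should start a new sentence with a capital "Matches", as the tcrules manpage version of the same text does. Also, the removed paragraph explained why $FW needs its own rule (marking of firewall-originated packets always happens in the OUTPUT chain); the new item 4 only states the restriction. Keeping that one-sentence reason tells readers why ":P" and ":F" are rejected there.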
@ -943,17 +989,17 @@ ppp0 6000kbit 500kbit</programlisting>
1 eth1 0.0.0.0/0 all
2 eth2 0.0.0.0/0 all
2 eth3 0.0.0.0/0 all
3 $FW 0.0.0.0/0 all</programlisting>
3 $FW 0.0.0.0/0 all</programlisting>
</example>
<example id="Example2">
<title></title>
<para>All GRE (protocol 47) packets not originating on the firewall
and destined for 155.186.235.151 should be marked with 12.</para>
<para>All GRE (protocol 47) packets destined for 155.186.235.151
should be marked with 12.</para>
<programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT(S)
12 0.0.0.0/0 155.182.235.151 47</programlisting>
12:T 0.0.0.0/0 155.182.235.151 47</programlisting>
</example>
<example id="Example3">
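Review bot: the prose for Example2 says the packets are destined for 155.186.235.151 but the rule matches 155.182.235.151; one of the two is wrong, and since the hunk rewrites both lines this is the place to fix it. The change from "not originating on the firewall" to plain "destined for", together with 12:T, is consistent with the SOURCE text above (an address list with :T does match firewall-originated traffic).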
@ -963,7 +1009,7 @@ ppp0 6000kbit 500kbit</programlisting>
destined for 155.186.235.151 should be marked with 22.</para>
<programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT(S)
22 192.168.1.0/24 155.182.235.151 tcp 22</programlisting>
22:T 192.168.1.0/24 155.182.235.151 tcp 22</programlisting>
</example>
<example id="Example4">
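Review bot: same address mismatch as in Example2: the text says 155.186.235.151 while the rule says 155.182.235.151. Fix both examples consistently.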
@ -989,7 +1035,8 @@ ppp0 6000kbit 500kbit</programlisting>
ipp2p module is unable to determine all packets in a connection are
P2P packets, we mark the entire connection as P2P if any of the
packets are determined to match. We assume packet/connection mark 0 to
means unclassified.</para>
means unclassified. Traffic originating on the firewall is not covered
by this example.</para>
<programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST
# PORT(S) GROUP
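Review bot: the sentence that spans the unchanged line and the replaced one reads "We assume packet/connection mark 0 to means unclassified"; drop the "to". The added caveat that firewall-originated traffic is not covered is useful; since this is the one example in the file that does not switch to :T, add a sentence saying what would be needed to cover it (a separate $FW rule, or :T where the SOURCE form permits it, per the SOURCE text above), so readers do not simply append :T to every line.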

View File

@ -1,4 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-blacklist</refentrytitle>
@ -52,7 +54,7 @@
<varlistentry>
<term><emphasis role="bold">PROTOCOL</emphasis> (Optional) -
{<emphasis
role="bold">-</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>}</term>
role="bold">-</emphasis>|[!]<emphasis>protocol-number</emphasis>|[!]<emphasis>protocol-name</emphasis>}</term>
<listitem>
<para>If specified, must be a protocol number or a protocol name
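Review bot: the synopsis now allows "[!]" before the protocol, but the description that follows ("If specified, must be a protocol number or a protocol name") does not mention the negation, its meaning ("all protocols except this one"), or the Shorewall-perl 4.2.6 requirement that the configuration basics document in this same commit states. In a blacklist entry the negation matters: "!tcp" blacklists every non-TCP protocol from the listed address, so the description should spell that out.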
@ -62,7 +64,7 @@
<varlistentry>
<term><emphasis role="bold">PORTS</emphasis> (Optional) - {<emphasis
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
role="bold">-</emphasis>|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
<listitem>
<para>May only be specified if the protocol is TCP (6) or UDP (17).
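Review bot: the synopsis places "[!]" only before the first port-name-or-number. The description should state that the "!" negates the whole list ("all ports except these", as the configuration basics text in this commit puts it), not just the first element, and that it requires Shorewall-perl 4.2.6 or later.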

View File

@ -215,7 +215,7 @@
<varlistentry>
<term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
role="bold">-</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}</term>
role="bold">-</emphasis>|[!]<emphasis>protocol-name</emphasis>|[!]<emphasis>protocol-number</emphasis>}</term>
<listitem>
<para>If you wish to restrict this entry to a particular protocol
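Review bot: as in the blacklist manpage, the PROTO synopsis now accepts "[!]" but the description below ("If you wish to restrict this entry to a particular protocol") is unchanged; add a sentence giving the meaning of the negation (all protocols except the one named) and the Shorewall-perl 4.2.6 requirement.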
@ -226,7 +226,7 @@
<varlistentry>
<term><emphasis role="bold">PORT(S)</emphasis> (Optional) -
[<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...]</term>
[[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...]</term>
<listitem>
<para>If the PROTO column specifies TCP (protocol 6) or UDP
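Review bot: the PORT(S) synopsis now reads "[[!]port-name-or-number[,...]...]" but the description below still only says when the column may be used; state what "!" means here and that it applies to the entire list, not just the first element.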

View File

@ -256,22 +256,45 @@
role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
<listitem>
<para>Source of the packet. A comma-separated list of interface
names, IP addresses, MAC addresses and/or subnets for packets being
routed through a common path. List elements may also consist of an
interface name followed by ":" and an address (e.g.,
eth1:192.168.1.0/24). For example, all packets for connections
masqueraded to eth0 from other interfaces can be matched in a single
rule with several alternative SOURCE criteria. However, a connection
whose packets gets to eth0 in a different way, e.g., direct from the
firewall itself, needs a different rule.</para>
<para>May be:</para>
<para>Accordingly, use $<emphasis role="bold">FW</emphasis> in its
own separate rule for packets originating on the firewall. In such a
rule, the MARK column may NOT specify either <emphasis
role="bold">:P</emphasis> or <emphasis role="bold">:F</emphasis>
because marking for firewall-originated packets always occurs in the
OUTPUT chain.</para>
<orderedlist>
<listitem>
<para>An interface name - matches traffic entering the firewall
on the specified interface. May not be used in classify rules or
in rules using the :T chain qualifier.</para>
</listitem>
<listitem>
<para>A comma-separated list of host or network IP addresses or
MAC addresses. <emphasis role="bold">This form will not match
traffic that originates on the firewall itself unless either
&lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used in
the MARK column.</emphasis></para>
<para>Examples:<simplelist>
<member>0.0.0.0/0</member>
</simplelist></para>
<para><simplelist>
<member>192.168.1.0/24, 172.20.4.0/24</member>
</simplelist></para>
</listitem>
<listitem>
<para>An interface name followed by a colon (":") followed by a
comma-separated list of host or network IP addresses or MAC
addresses. May not be used in classify rules or in rules using
the :T chain qualifier.</para>
</listitem>
<listitem>
<para>$FW optionally followed by a colon (":") and a
comma-separated list of host or network IP addresses. Matches
packets originating on the firewall. May not be used with a
chain qualifier (:P, :F, etc.) in the MARK column.</para>
</listitem>
</orderedlist>
<para>MAC addresses must be prefixed with "~" and use "-" as a
separator.</para>
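Review bot: the new text drops the bold emphasis the removed paragraph used for $FW, :P and :F; this manpage marks keywords and qualifiers with <emphasis role="bold"> elsewhere, so items 1, 3 and 4 should keep it. The same typo as in the traffic-shaping document appears in item 2: "&lt;major&gt;&lt;minor&gt;" needs the colon. Finally, the visible tail of the term line at the top of the hunk shows only address-or-range forms; if $FW[:addresses] and interface[:addresses] are accepted, the synopsis should list them too.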
@ -290,14 +313,24 @@
role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
<listitem>
<para>Destination of the packet. Comma separated list of IP
addresses and/or subnets. If your kernel and iptables include
iprange match support, IP address ranges are also allowed. List
elements may also consist of an interface name followed by ":" and
an address (e.g., eth1:192.168.1.0/24). If the <emphasis
role="bold">MARK</emphasis> column specificies a classification of
the form <emphasis>major</emphasis>:<emphasis>minor</emphasis> then
this column may also contain an interface name.</para>
<para>May be:</para>
<orderedlist>
<listitem>
<para>An interface name. May not be used in the PREROUTING chain
(:P in the mark column or no chain qualifier and
MARK_IN_FORWARD_CHAIN=No in <ulink
url="manpages/shorewall.conf">shorewall.conf</ulink> (5)). The
interface name may be optionally followed by a colon (":") and
an IP address list.</para>
</listitem>
<listitem>
<para>A comma-separated list of host or network IP addresses.
The list may include ip address ranges if your kernel and
iptables include iprange support.</para>
</listitem>
</orderedlist>
<para>You may exclude certain hosts from the set already defined
through use of an <emphasis>exclusion</emphasis> (see <ulink
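Review bot: the parenthetical in item 1 is ambiguous as written, "(:P in the mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No ...)"; make the grouping explicit, e.g. "either :P in the MARK column, or no chain qualifier with MARK_IN_FORWARD_CHAIN=No in shorewall.conf(5)". The removed paragraph also gave the example "eth1:192.168.1.0/24" for the interface:address form; item 1 now describes that form without an example, so carry the example over. Good to see "specificies" go.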
@ -506,7 +539,7 @@
role="bold">O</emphasis>|<emphasis role="bold">R</emphasis>|<emphasis
role="bold">B</emphasis>}[:{<emphasis
role="bold">B</emphasis>|<emphasis role="bold">P</emphasis>|<emphasis
role="bold">A</emphasis>}]]] </term>
role="bold">A</emphasis>}]]]</term>
<listitem>
<para>Connection Bytes; defines a byte or packet range that the
@ -532,8 +565,8 @@
directions.</para>
</blockquote></para>
<para>If omitted, <emphasis role="bold">B</emphasis> is assumed.
</para>
<para>If omitted, <emphasis role="bold">B</emphasis> is
assumed.</para>
<para>The second letter determines what the range refers
to.<blockquote>
@ -544,7 +577,7 @@
<para><emphasis role="bold">A</emphasis> - Average packet
size.</para>
</blockquote>If omitted, <emphasis role="bold">B</emphasis> is
assumed. </para>
assumed.</para>
</listitem>
</varlistentry>
@ -564,7 +597,7 @@
<para>Example: Mark all FTP data connections with mark
4:<programlisting>#MARK/ SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
#CLASSIFY PORT(S)
4 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftp</programlisting></para>
4:T 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftp</programlisting></para>
</listitem>
</varlistentry>
</variablelist>
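Review bot: the example text "Mark all FTP data connections with mark 4" should say that :T is what makes the rule cover FTP data connections originating on the firewall as well, and that :T is available only from Shorewall 3.3.6 on (per the note in the traffic-shaping document in this commit); otherwise users on older releases copy a rule whose qualifier is not available to them.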
@ -588,14 +621,14 @@
<para>We assume packet/connection mark 0 means unclassified.</para>
<programlisting> #MARK/ SOURCE DEST PROTO PORT(S) SOURCE USER TEST
#CLASSIFY PORT(S)
1 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0
CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0
4 0.0.0.0/0 0.0.0.0/0 ipp2p:all
SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0</programlisting>
<programlisting> #MARK/ SOURCE DEST PROTO PORT(S) SOURCE USER TEST
#CLASSIFY PORT(S)
1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
RESTORE:T 0.0.0.0/0 0.0.0.0/0 all - - - 0
CONTINUE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0
4:T 0.0.0.0/0 0.0.0.0/0 ipp2p:all
SAVE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0</programlisting>
<para>If a packet hasn't been classifed (packet mark is 0), copy the
connection mark to the packet mark. If the packet mark is set, we're
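Review bot: both listings in this hunk keep a leading space before "#MARK/" on their first line (" #MARK/ SOURCE ..."), unlike the FTP example above, which starts at column 0; since the hunk rewrites these lines anyway, drop the stray space. Also, every rule including RESTORE, CONTINUE and SAVE now carries :T; a sentence in the example text explaining why the qualifier is on all of them and not only on the marking rules (the RESTORE/CONTINUE/SAVE steps act on the same packet mark that the explanatory text below describes) would stop readers from applying :T to the "1" and "4" rules only.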