From 7d395d35711e466e2ddeb0067d6a5474dd9c617d Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 3 Feb 2009 23:56:17 +0000 Subject: [PATCH] Try to avoid TC confusion git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9401 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- docs/configuration_file_basics.xml | 14 ++++ docs/traffic_shaping.xml | 101 +++++++++++++++++++-------- manpages/shorewall-blacklist.xml | 6 +- manpages/shorewall-masq.xml | 4 +- manpages/shorewall-tcrules.xml | 105 +++++++++++++++++++---------- 5 files changed, 163 insertions(+), 67 deletions(-) diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml index 0cf191165..860beb686 100644 --- a/docs/configuration_file_basics.xml +++ b/docs/configuration_file_basics.xml @@ -941,6 +941,11 @@ Shorewall has detected the following iptables/netfilter capabilities: been eliminated and the Shorewall-perl compiler uses Perl's interfaces to getprotobyname(3posix) and getservbyname(3posix). + + Also, unless otherwise documented, a protocol number/name can be + preceded by '!' to specify "All protocols except this one" (e.g., "!tcp"). + Shorewall-perl support for that feature was added in Shorewall + 4.2.6.
@@ -956,6 +961,11 @@ DNAT net loc:192.168.1.3 tcp 4000:4100 If you omit the low port number, a value of zero is assumed; if you omit the high port number, a value of 65535 is assumed. + + Also, unless otherwise documented, a port range can be preceded by + '!' to specify "All ports except those in this range" (e.g., + "!4000:4100"). Shorewall-perl support for that feature was added in + Shorewall 4.2.6.
@@ -993,6 +1003,10 @@ DNAT net loc:192.168.1.3 tcp 4000:4100 versions earlier than 4.0.5 will never break a list longer than 15 ports (with each range counting as two ports) into smaller lists. + + Also, unless otherwise documented, a port list can be preceded by + '!' to specify "All ports except these" (e.g., "!80,443"). Shorewall-perl + support for that feature was added in Shorewall 4.2.6.
diff --git a/docs/traffic_shaping.xml b/docs/traffic_shaping.xml index 47f33ab22..39bbfda6b 100644 --- a/docs/traffic_shaping.xml +++ b/docs/traffic_shaping.xml @@ -686,7 +686,10 @@ ppp0 6000kbit 500kbit The "T" qualifier was added in Shorewall version 3.3.6 and - is not available in earlier versions. + is not available in earlier versions. Use + this qualifier if you want the rule to apply equally to traffic + being routed through the firewall and to traffic originating on + the firewall itself. Normally, the mark is applied to the packet. If you follow the 
@@ -780,35 +783,78 @@ ppp0 6000kbit 500kbit - SOURCE - Source of the packet. A comma-separated list of - interface names, IP addresses, MAC addresses and/or subnets for - packets being routed through a common path. List elements may also - consist of an interface name followed by ":" and an address (e.g., - eth1:192.168.1.0/24). For example, all packets for connections - masqueraded to eth0 from other interfaces can be matched in a single - rule with several alternative SOURCE criteria. However, a connection - whose packets gets to eth0 in a different way, e.g., direct from the - firewall itself, needs a different rule. + SOURCE - Source of the packet. - Accordingly, use $FW in its own separate rule for packets - originating on the firewall. In such a rule, the MARK column may NOT - specify either ":P" or ":F" because marking for firewall-originated - packets always occurs in the OUTPUT chain. + May be: + + + + An interface name - matches traffic entering the firewall + on the specified interface. May not be used in classify rules or + in rules using the :T chain qualifier. + + + + A comma-separated list of host or network IP addresses or + MAC addresses. This form will not match + traffic that originates on the firewall itself unless either + <major><minor> or the :T chain qualifier is used in + the MARK column. + + Examples: + 0.0.0.0/0 + + + + 192.168.1.0/24, 172.20.4.0/24 + + + + + An interface name followed by a colon (":") followed by a + comma-separated list of host or network IP addresses or MAC + addresses. May not be used in classify rules or in rules using + the :T chain qualifier. + + + + $FW optionally followed by a colon (":") and a + comma-separated list of host or network IP addresses. matches + packets originating on the firewall. May not be used with a + chain qualifier (:P, :F, etc.) in the MARK column. + + MAC addresses must be prefixed with "~" and use "-" as a separator. 
Example: ~00-A0-C9-15-39-78 + + If your kernel includes iprange match support, then address + ranges may be included in the address lists. - DEST - Destination of the packet. Comma separated list of IP - addresses and/or subnets. If your kernel and iptables include - iprange match support, IP address ranges are also allowed. List - elements may also consist of an interface name followed by ":" and - an address (e.g., eth1:192.168.1.0/24). If the MARK column specifies - a classification of the form <major>:<minor> then this - column may also contain an interface name. + DEST - Destination of the packet. + + May be: + + + + An interface name. May not be used in the PREROUTING chain + (:P in the mark column or no chain qualifier and + MARK_IN_FORWARD_CHAIN=No in shorewall.conf (5)). The + interface name may be optionally followed by a colon (":") and + an IP address list. + + + + A comma-separated list of host or network IP addresses. + The list may include ip address ranges if your kernel and + iptables include iprange support. + + @@ -943,17 +989,17 @@ ppp0 6000kbit 500kbit 1 eth1 0.0.0.0/0 all 2 eth2 0.0.0.0/0 all 2 eth3 0.0.0.0/0 all -3 $FW 0.0.0.0/0 all +3 $FW 0.0.0.0/0 all - All GRE (protocol 47) packets not originating on the firewall - and destined for 155.186.235.151 should be marked with 12. + All GRE (protocol 47) packets destined for 155.186.235.151 + should be marked with 12. #MARK SOURCE DESTINATION PROTOCOL PORT(S) -12 0.0.0.0/0 155.182.235.151 47 +12:T 0.0.0.0/0 155.182.235.151 47 @@ -963,7 +1009,7 @@ ppp0 6000kbit 500kbit destined for 155.186.235.151 should be marked with 22. #MARK SOURCE DESTINATION PROTOCOL PORT(S) -22 192.168.1.0/24 155.182.235.151 tcp 22 +22:T 192.168.1.0/24 155.182.235.151 tcp 22 
@@ -989,7 +1035,8 @@ ppp0 6000kbit 500kbit ipp2p module is unable to determine all packets in a connection are P2P packets, we mark the entire connection as P2P if any of the packets are determined to match. We assume packet/connection mark 0 to - means unclassified. + means unclassified. Traffic originating on the firewall is not covered + by this example. #MARK SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST # PORT(S) GROUP diff --git a/manpages/shorewall-blacklist.xml b/manpages/shorewall-blacklist.xml index 915ee6f69..e9019230b 100644 --- a/manpages/shorewall-blacklist.xml +++ b/manpages/shorewall-blacklist.xml @@ -1,4 +1,6 @@ + shorewall-blacklist @@ -52,7 +54,7 @@ PROTOCOL (Optional) - {-|protocol-number|protocol-name} + role="bold">-|[!]protocol-number|[!]protocol-name} If specified, must be a protocol number or a protocol name @@ -62,7 +64,7 @@ PORTS (Optional) - {-|port-name-or-number[,port-name-or-number]...} + role="bold">-|[!]port-name-or-number[,port-name-or-number]...} May only be specified if the protocol is TCP (6) or UDP (17). diff --git a/manpages/shorewall-masq.xml b/manpages/shorewall-masq.xml index e185a4a81..82d7bb3b3 100644 --- a/manpages/shorewall-masq.xml +++ b/manpages/shorewall-masq.xml @@ -215,7 +215,7 @@ PROTO (Optional) - {-|protocol-name|protocol-number} + role="bold">-|[!]protocol-name|[!]protocol-number} If you wish to restrict this entry to a particular protocol @@ -226,7 +226,7 @@ PORT(S) (Optional) - - [port-name-or-number[,port-name-or-number]...] + [[!]port-name-or-number[,port-name-or-number]...] If the PROTO column specifies TCP (protocol 6) or UDP diff --git a/manpages/shorewall-tcrules.xml b/manpages/shorewall-tcrules.xml index 66704a09d..870c8fe3c 100644 --- a/manpages/shorewall-tcrules.xml +++ b/manpages/shorewall-tcrules.xml 
@@ -256,22 +256,45 @@ role="bold">,address-or-range]...}[exclusion] - Source of the packet. A comma-separated list of interface - names, IP addresses, MAC addresses and/or subnets for packets being - routed through a common path. List elements may also consist of an - interface name followed by ":" and an address (e.g., - eth1:192.168.1.0/24). For example, all packets for connections - masqueraded to eth0 from other interfaces can be matched in a single - rule with several alternative SOURCE criteria. However, a connection - whose packets gets to eth0 in a different way, e.g., direct from the - firewall itself, needs a different rule. + May be: - Accordingly, use $FW in its - own separate rule for packets originating on the firewall. In such a - rule, the MARK column may NOT specify either :P or :F - because marking for firewall-originated packets always occurs in the - OUTPUT chain. + + + An interface name - matches traffic entering the firewall + on the specified interface. May not be used in classify rules or + in rules using the :T chain qualifier. + + + + A comma-separated list of host or network IP addresses or + MAC addresses. This form will not match + traffic that originates on the firewall itself unless either + <major><minor> or the :T chain qualifier is used in + the MARK column. + + Examples: + 0.0.0.0/0 + + + + 192.168.1.0/24, 172.20.4.0/24 + + + + + An interface name followed by a colon (":") followed by a + comma-separated list of host or network IP addresses or MAC + addresses. May not be used in classify rules or in rules using + the :T chain qualifier. + + + + $FW optionally followed by a colon (":") and a + comma-separated list of host or network IP addresses. Matches + packets originating on the firewall. May not be used with a + chain qualifier (:P, :F, etc.) in the MARK column. + + MAC addresses must be prefixed with "~" and use "-" as a separator. 
@@ -290,14 +313,24 @@ role="bold">,address-or-range]...}[exclusion] - Destination of the packet. Comma separated list of IP - addresses and/or subnets. If your kernel and iptables include - iprange match support, IP address ranges are also allowed. List - elements may also consist of an interface name followed by ":" and - an address (e.g., eth1:192.168.1.0/24). If the MARK column specificies a classification of - the form major:minor then - this column may also contain an interface name. + May be: + + + + An interface name. May not be used in the PREROUTING chain + (:P in the mark column or no chain qualifier and + MARK_IN_FORWARD_CHAIN=No in shorewall.conf (5)). The + interface name may be optionally followed by a colon (":") and + an IP address list. + + + + A comma-separated list of host or network IP addresses. + The list may include ip address ranges if your kernel and + iptables include iprange support. + + You may exclude certain hosts from the set already defined through use of an exclusion (see O|R|B}[:{B|P|A}]]] + role="bold">A}]]] Connection Bytes; defines a byte or packet range that the @@ -532,8 +565,8 @@ directions. - If omitted, B is assumed. - + If omitted, B is + assumed. The second letter determines what the range refers to.
@@ -544,7 +577,7 @@ A - Average packet size.
If omitted, B is - assumed.
+ assumed.
@@ -564,7 +597,7 @@ Example: Mark all FTP data connections with mark 4:#MARK/ SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER #CLASSIFY PORT(S) -4 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftp +4:T 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftp
@@ -588,14 +621,14 @@ We assume packet/connection mark 0 means unclassified. - #MARK/ SOURCE DEST PROTO PORT(S) SOURCE USER TEST - #CLASSIFY PORT(S) - 1 0.0.0.0/0 0.0.0.0/0 icmp echo-request - 1 0.0.0.0/0 0.0.0.0/0 icmp echo-reply - RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0 - CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0 - 4 0.0.0.0/0 0.0.0.0/0 ipp2p:all - SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 + #MARK/ SOURCE DEST PROTO PORT(S) SOURCE USER TEST + #CLASSIFY PORT(S) + 1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-request + 1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-reply + RESTORE:T 0.0.0.0/0 0.0.0.0/0 all - - - 0 + CONTINUE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0 + 4:T 0.0.0.0/0 0.0.0.0/0 ipp2p:all + SAVE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0 If a packet hasn't been classifed (packet mark is 0), copy the connection mark to the packet mark. If the packet mark is set, we're
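Review bot: the three paragraphs added to docs/configuration_file_basics.xml (hunks @@ -941, @@ -956 and @@ -1003) each hedge with "unless otherwise documented" but never say where the exceptions are; name the files or columns that do not accept a leading "!", or point to the place where they are listed, so a reader does not put "!tcp" in a column that rejects it. Each paragraph also gives only the Shorewall-perl version that added the feature, leaving unstated what happens on earlier releases or with the other compiler; one clause ("earlier versions reject it" or whatever the behaviour is) would close that gap. For "!80,443" it would help to say explicitly that the negation covers the whole list, since "All ports except these" is the only hint.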
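Review bot: the second SOURCE bullet in docs/traffic_shaping.xml @@ -780 writes the classification as "<major><minor>" with no separating colon, while the DEST text it replaces spells the form "<major>:<minor>"; restore the colon. In the $FW bullet of the same list, "list of host or network IP addresses. matches packets originating on the firewall" begins a sentence with a lowercase "matches" (the tcrules copy of this bullet has "Matches"), and the second DEST bullet says "ip address ranges" where the surrounding text uses "IP". The first DEST bullet's parenthetical "(:P in the mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in shorewall.conf (5))" is hard to parse; suggest "i.e., when the MARK column has :P, or has no chain qualifier and MARK_IN_FORWARD_CHAIN=No in shorewall.conf(5)".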
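Review bot: in docs/traffic_shaping.xml hunks @@ -943 and @@ -963 the prose says the packets are "destined for 155.186.235.151" while both the removed and the added rule lines use 155.182.235.151; since these lines are being rewritten anyway (12 to 12:T, 22 to 22:T), make the address in the text and the rule agree. The changed line "3 $FW 0.0.0.0/0 all" in @@ -943 reads identically before and after, which suggests a whitespace-only change that could be left out of this diff.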
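Review bot: the ipp2p example now says two different things in the two files this commit touches. docs/traffic_shaping.xml @@ -989 adds "Traffic originating on the firewall is not covered by this example" and leaves the rules unmarked, whereas manpages/shorewall-tcrules.xml @@ -588 rewrites the same rules with :T (1:T, RESTORE:T, CONTINUE:T, 4:T, SAVE:T), which, by the new SOURCE text in @@ -256, makes them apply to firewall-originated traffic as well. Choose one behaviour for the example and apply it to both copies, since readers compare the manpage against the traffic shaping document.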
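Review bot: in manpages/shorewall-blacklist.xml (@@ -52 and @@ -62) and manpages/shorewall-masq.xml (@@ -215 and @@ -226) the synopses gain "[!]", but the sentences that follow them ("If specified, must be a protocol number or a protocol name", "May only be specified if the protocol is TCP (6) or UDP (17)", "If you wish to restrict this entry to a particular protocol") are unchanged and say nothing about what the "!" means or that it needs Shorewall-perl 4.2.6 as docs/configuration_file_basics.xml states; add a sentence to each. In the PORT(S) synopsis "[[!]port-name-or-number[,port-name-or-number]...]" the "[!]" precedes only the first element, which is correct if the negation applies to the whole list, but the text should say so.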
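Review bot: manpages/shorewall-tcrules.xml @@ -256 repeats the "<major><minor>" form without the colon; the DEST text removed in @@ -290 spells the classification "major:minor", so the colon should be restored here as well. The interface-name bullet states that an interface "May not be used in classify rules or in rules using the :T chain qualifier" without a reason; now that the FTP example in @@ -564 and the ipp2p example in @@ -588 use :T with 0.0.0.0/0 sources, a one-line rationale (the removed text notes that firewall-originated packets are marked in the OUTPUT chain, where a packet has no incoming interface to match) would help readers understand why the restriction exists.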
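Review bot: the @@ -532 and @@ -544 hunks in manpages/shorewall-tcrules.xml only reflow "If omitted, B is assumed." across lines with no wording change; consider keeping whitespace reflows out of a commit whose subject is "Try to avoid TC confusion", so the diff shows only the substantive documentation changes.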