Move 4.5 manpage/doc updates to master

Tom Eastep 2009-12-26 12:40:16 -08:00
parent 3bd3defd8e
commit 7e3675fb30
11 changed files with 1072 additions and 48 deletions

View File

@ -5,7 +5,7 @@
<!--/$Id$-->
<articleinfo>
<title>Shorewall 4.4 Documentation</title>
<title>Shorewall 4.4/4.5 Documentation</title>
<authorgroup>
<author>
@ -166,9 +166,8 @@
<entry><ulink url="MyNetwork.html">My Shorewall
Configuration</ulink></entry>
<entry><ulink url="traffic_shaping.htm">Traffic
Shaping/QOS</ulink> (<ulink
url="traffic_shaping_ru.html">Russian</ulink>)</entry>
<entry><ulink url="simple_traffic_shaping.html">Traffic
Shaping/QOS - Simple </ulink></entry>
</row>
<row>
@ -178,8 +177,9 @@
<entry><ulink url="NetfilterOverview.html">Netfilter
Overview</ulink></entry>
<entry><ulink url="Shorewall_Squid_Usage.html">Transparent
Proxy</ulink></entry>
<entry><ulink url="traffic_shaping.htm">Traffic Shaping/QOS -
Complex</ulink> (<ulink
url="traffic_shaping_ru.html">Russian</ulink>)</entry>
</row>
<row>
@ -188,7 +188,8 @@
<entry><ulink url="netmap.html">Network Mapping</ulink></entry>
<entry><ulink url="UPnP.html">UPnP</ulink></entry>
<entry><ulink url="Shorewall_Squid_Usage.html">Transparent
Proxy</ulink></entry>
</row>
<row>
@ -198,8 +199,7 @@
<entry><ulink url="NAT.htm">One-to-one NAT</ulink> (Static
NAT)</entry>
<entry><ulink url="upgrade_issues.htm">Upgrade
Issues</ulink></entry>
<entry><ulink url="UPnP.html">UPnP</ulink></entry>
</row>
<row>
@ -208,8 +208,8 @@
<entry><ulink url="Multiple_Zones.html"><ulink
url="OPENVPN.html">OpenVPN</ulink></ulink></entry>
<entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
(Upgrading Debian Lenny to Squeeze)</ulink></entry>
<entry><ulink url="upgrade_issues.htm">Upgrade
Issues</ulink></entry>
</row>
<row>
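Review bot: The context line `<entry><ulink url="Multiple_Zones.html"><ulink url="OPENVPN.html">OpenVPN</ulink></ulink></entry>` nests one ulink inside another, so the OpenVPN cell carries two different link targets; since this row is being rewritten anyway, drop the stale outer `<ulink url="Multiple_Zones.html">` wrapper and keep only the OPENVPN.html link.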
@ -219,7 +219,8 @@
<entry><ulink url="OpenVZ.html">OpenVZ</ulink></entry>
<entry><ulink url="VPNBasics.html">VPN</ulink></entry>
<entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
(Upgrading Debian Lenny to Squeeze)</ulink></entry>
</row>
<row>
@ -228,7 +229,7 @@
<entry><ulink url="starting_and_stopping_shorewall.htm">Operating
Shorewall</ulink></entry>
<entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
<entry><ulink url="VPNBasics.html">VPN</ulink></entry>
</row>
<row>
@ -238,8 +239,7 @@
<entry><ulink url="PacketMarking.html">Packet
Marking</ulink></entry>
<entry><ulink url="whitelisting_under_shorewall.htm">White List
Creation</ulink></entry>
<entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
</row>
<row>
@ -250,8 +250,8 @@
<entry><ulink url="PacketHandling.html">Packet Processing in a
Shorewall-based Firewall</ulink></entry>
<entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
DomU</ulink></entry>
<entry><ulink url="whitelisting_under_shorewall.htm">White List
Creation</ulink></entry>
</row>
<row>
@ -260,8 +260,8 @@
<entry><ulink url="ping.html">'Ping' Management</ulink></entry>
<entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
Xen Dom0</ulink></entry>
<entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
DomU</ulink></entry>
</row>
<row>
@ -270,7 +270,8 @@
<entry><ulink url="two-interface.htm#DNAT">Port
Forwarding</ulink></entry>
<entry></entry>
<entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
Xen Dom0</ulink></entry>
</row>
<row>

View File

@ -5,7 +5,7 @@
<!--$Id: template.xml 5908 2007-04-12 23:04:36Z teastep $-->
<articleinfo>
<title>Shorewall 4.3 Manpages</title>
<title>Shorewall 4.4/4.5 Manpages</title>
<authorgroup>
<author>
@ -137,6 +137,13 @@
url="manpages/shorewall-tcdevices.html">tcdevices</ulink> - Specify
speed of devices for traffic shaping.</member>
<member><ulink
url="manpages/shorewall-tcinterfaces.html">tcinterfaces</ulink> -
Specify devices for simplified traffic shaping.</member>
<member><ulink url="manpages/shorewall-tcpri.html">tcpri</ulink> -
Classify traffic for simplified traffic shaping.</member>
<member><ulink url="manpages/shorewall-tcrules.html">tcrules</ulink> -
Define packet marking rules, usually for traffic shaping.</member>

View File

@ -5,7 +5,7 @@
<!--$Id: template.xml 5908 2007-04-12 23:04:36Z teastep $-->
<articleinfo>
<title>Shorewall6 4.3 Manpages</title>
<title>Shorewall6 4.4/4.5 Manpages</title>
<authorgroup>
<author>
@ -122,6 +122,13 @@
url="manpages6/shorewall6-tcdevices.html">tcdevices</ulink> - Specify
speed of devices for traffic shaping.</member>
<member><ulink
url="manpages6/shorewall6-tcinterfaces.html">tcinterfaces</ulink> -
Specify interfaces for simplified traffic shaping.</member>
<member><ulink url="manpages6/shorewall6-tcpri.html">tcpri</ulink> -
Classify traffic for simplified traffic shaping.</member>
<member><ulink url="manpages6/shorewall6-tcrules.html">tcrules</ulink>
- Define packet marking rules, usually for traffic shaping.</member>
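Review bot: The new tcinterfaces entry here reads "Specify interfaces for simplified traffic shaping" while the IPv4 manpage index in this same commit says "Specify devices for simplified traffic shaping"; use one wording in both files (the manpage names the column INTERFACE, so "interfaces" is the better fit).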

View File

@ -0,0 +1,227 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>Simple Traffic Shaping/Control</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright>
<year>2009</year>
<year>2010</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>Introduction</title>
<para>Traffic shaping and control was originally introduced into Shorewall
in version 2.2.5. That facility was based on Arne Bernin's
<firstterm>tc4shorewall</firstterm> and is generally felt to be complex
and difficult to use.</para>
<para>In Shorewall 4.5.0, a second traffic shaping facility that is simple
to understand and to configure was introduced. This newer facility is
described in this document while the original facility is documented in
<ulink url="traffic_shaping.htm">Complex Traffic
Shaping/Control</ulink>.</para>
</section>
<section>
<title>Enabling Simple Traffic Shaping</title>
<para>Simple traffic shaping is enabled by setting TC_ENABLED=Simple in
<ulink url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5). You
then add an entry for your external interface to <ulink
url="manpages/shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5)
(<filename>/etc/shorewall/tcinterfaces</filename>).</para>
<para>Assuming that your external interface is eth0:</para>
<programlisting>#INTERFACE TYPE IN-BANDWIDTH
eth0 External</programlisting>
<para>With this simple contfiguration, packets to be sent through
interface eth0 will be assigned to a priority band based on the value of
their TOS field:</para>
<programlisting>TOS Bits Means Linux Priority BAND
------------------------------------------------------------
0x0 0 Normal Service 0 Best Effort 2
0x2 1 Minimize Monetary Cost 1 Filler 3
0x4 2 Maximize Reliability 0 Best Effort 2
0x6 3 mmc+mr 0 Best Effort 2
0x8 4 Maximize Throughput 2 Bulk 3
0xa 5 mmc+mt 2 Bulk 3
0xc 6 mr+mt 2 Bulk 3
0xe 7 mmc+mr+mt 2 Bulk 3
0x10 8 Minimize Delay 6 Interactive 1
0x12 9 mmc+md 6 Interactive 1
0x14 10 mr+md 6 Interactive 1
0x16 11 mmc+mr+md 6 Interactive 1
0x18 12 mt+md 4 Int. Bulk 2
0x1a 13 mmc+mt+md 4 Int. Bulk 2
0x1c 14 mr+mt+md 4 Int. Bulk 2
0x1e 15 mmc+mr+mt+md 4 Int. Bulk 2</programlisting>
<para>When dequeueing, band 1 is tried first and only if it did not
deliver a packet does the system try band 2, and so onwards. Maximum
reliability packets should therefore go to band 1, minimum delay to band 2
and the rest to band 3.</para>
<note>
<para>If you run both an IPv4 and an IPv6 firewall on your system, you
should define each interface in only one of the two
configurations.</para>
</note>
</section>
<section>
<title>Customizing Simple Traffic Shaping</title>
<para>The default mapping of TOS to bands can be changed using the
TC_PRIOMAP setting in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The default
setting of this option is:</para>
<programlisting>TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"</programlisting>
<para>These entries map Linux Priority to priority BAND. So only entries
0, 1, 2, 4 and 6 in the map are relevant to TOS-&gt;BAND mapping.</para>
<para>Further customizations can be defined in <ulink
url="manpages/shorewall-tcpri.html">shorewall-tcpri</ulink>(5)
(<filename>/etc/shorewall/tcpri</filename>). Using that file, you
can:</para>
<orderedlist>
<listitem>
<para>Assign traffic entering the firewall on a particular interface
to a specific priority band:</para>
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
2 - - - eth1</programlisting>
<para>In this example, traffic from eth1 will be assigned to priority
band 2.</para>
<note>
<para>When an INTERFACE is specified, the PROTO, PORT(S) and ADDRESS
column must contain '-'.</para>
</note>
</listitem>
<listitem>
<para>Assign traffic from a particular IP address to a specific
priority band:</para>
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
1 - - 192.168.1.44</programlisting>
<para>In this example, traffic from 192.168.1.44 will be assigned to
priority band 1.</para>
<note>
<para>When an ADDRESS is specified, the PROTO, PORT(S) and INTERFACE
columns must be empty.</para>
</note>
</listitem>
<listitem>
<para>Assign traffic to/from a particular application to a specific
priority band:</para>
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
1 udp 1194</programlisting>
<para>In that example, OpenVPN traffic is assigned to priority band
1.</para>
</listitem>
<listitem>
<para>Assign traffic that uses a particular Netfilter helper to a
particular priority band:</para>
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
1 - - - - sip</programlisting>
<para>In this example, SIP and associated RTP traffic will be assigned
to priority band 1 (assuming that the nf_conntrack_sip helper is
loaded).</para>
</listitem>
</orderedlist>
<para>It is suggested that entries specifying an INTERFACE be placed the
top of the file. That way, the band assigned to a particular packet will
be the <emphasis role="bold">last</emphasis> entry matched by the packet.
Packets which match no entry in <ulink
url="manpages/shorewall-tcpri.html">shorewall-tcpri</ulink>(5) are
assigned to priority bands using their TOS field as previously
described.</para>
<para>One cause of high latency on interactive traffic can be that queues
are building up at your ISP's gateway router. If you suspect that is
happening in your case, you can try to eliminate the problem by using the
IN-BANDWIDTH setting in <ulink
url="manpages/shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5).
The contents of the column are a <replaceable>rate</replaceable>. For
defining the rate, use <emphasis role="bold">kbit</emphasis> or <emphasis
role="bold">kbps</emphasis> (for Kilobytes per second) and make sure there
is NO space between the number and the unit (it is 100kbit not 100 kbit).
<emphasis role="bold">mbit</emphasis>, <emphasis
role="bold">mbps</emphasis> or a raw number (which means bytes) can be
used, but note that only integer numbers are supported (0.5 is not valid).
To pick an appropriate setting, we recommend that you start by setting
IN-BANDWIDTH significantly below your measured download bandwidth (20% or
so). While downloading, measure the ping response time from the firewall
to the upstream router as you gradually increase the setting. The optimal
setting is at the point beyond which the ping time increases sharply as
you increase the setting.</para>
<para>Simple Traffic Shaping is only appropriate on interfaces where
output queuing occurs. As a consequence, you usually only use it on
extermal interfaces. There are cases where you may need to use it on an
internal interface (a VPN interface, for example). If so, just add an
entry to <ulink
url="manpages/shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5):</para>
<programlisting>#INTERFACE TYPE IN-BANDWIDTH
tun0 Internal</programlisting>
</section>
<section>
<title>Additional Reading</title>
<para>The PRIO(8) (tc-prio) manpage has additional information on the
facility that Shorewall Simple Traffic Shaping is based on.</para>
<caution>
<para>Please note that Shorewall numbers the bands 1-3 whereas PRIO(8)
refers to them as bands 0-2.</para>
</caution>
</section>
</article>
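Review bot: The sentence "Maximum reliability packets should therefore go to band 1, minimum delay to band 2 and the rest to band 3" contradicts the table directly above it, where Minimize Delay (0x10, Linux priority 6, Interactive) maps to band 1 and Maximize Reliability (0x4, priority 0, Best Effort) maps to band 2, which is also what the default TC_PRIOMAP "2 3 3 3 2 3 1 1 ..." encodes; reword it as minimum-delay packets go to band 1, best-effort (including maximum reliability) to band 2 and bulk/filler to band 3, or the reader will trust the wrong one. Typos in the new file: "contfiguration", "extermal interfaces", and "be placed the top of the file" (missing "at"). The tcinterfaces examples use the TYPE values "External" and "Internal" while the shorewall-tcinterfaces(5) page in this commit documents them as lowercase external|internal; either state in the manpage that the value is case-insensitive or align the examples. The two tcpri notes describe the same rule two ways ("must contain '-'" for INTERFACE, "must be empty" for ADDRESS); use the manpage's "must be empty ("-")" in both.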

View File

@ -5,7 +5,7 @@
<!--$Id$-->
<articleinfo>
<title>Traffic Shaping/Control</title>
<title>Complex Traffic Shaping/Control</title>
<authorgroup>
<author>
@ -93,6 +93,14 @@
<section id="Intro">
<title>Introduction</title>
<para>Beginning with Shorewall 4.5.0, Shorewall includes two separate
implementations of traffic shaping. This document describes the original
implementation which is complex and difficult to configure. A much simpler
version is described in <ulink role="bold"
url="simple_traffic_shaping.html">Simple Traffic Shaping/Control</ulink>
and is highly recommended unless you really need to delay certain traffic
passing through your firewall.</para>
<para>Shorewall has builtin support for traffic shaping and control. This
support does not cover all options available (and especially all
algorithms that can be used to queue traffic) in the Linux kernel but it
@ -183,6 +191,13 @@
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) ). You
assign packet marks to different types of traffic using entries in the
<filename>/etc/shorewall/tcrules</filename> file.</para>
<note>
<para>In Shorewall 4.5.0, WIDE_TC_MARKS was superseded by TC_BITS
which specifies the width in bits of the traffic shaping mark field.
The default is based on the setting of WIDE_TC_MARKS so as to
provide upward compatibility.</para>
</note>
</listitem>
</orderedlist>
@ -479,6 +494,13 @@ ppp0 6000kbit 500kbit</programlisting>
if the device specified in the INTERFACE column has the <emphasis
role="bold">classify</emphasis> option in
<filename>/etc/shorewall/tcdevices</filename>.</para>
<note>
<para>In Shorewall 4.5.0, WIDE_TC_MARKS was superseded by TC_BITS
which specifies the width in bits of the traffic shaping mark
field. The default is based on the setting of WIDE_TC_MARKS so as
to provide upward compatibility.</para>
</note>
</listitem>
<listitem>
@ -647,7 +669,7 @@ ppp0 6000kbit 500kbit</programlisting>
<emphasis>before SNAT</emphasis> as the key.</para>
<note>
<para> Shorewall cannot determine ahead of time if the flow
<para>Shorewall cannot determine ahead of time if the flow
classifier is available in your kernel (especially if it was
built into the kernel as opposed to being loaded as a module).
Consequently, you should check ahead of time to ensure that
@ -669,7 +691,7 @@ ppp0 6000kbit 500kbit</programlisting>
...</programlisting>
<para> If 'flow' is not supported, you will see:</para>
<para>If 'flow' is not supported, you will see:</para>
<programlisting> Unknown filter "flow", hence option "help" is unparsable</programlisting>
@ -696,7 +718,7 @@ ppp0 6000kbit 500kbit</programlisting>
<para>For modularized kernels, Shorewall will attempt to load
<filename>/lib/modules/&lt;kernel-version&gt;/net/sched/cls_flow.ko</filename>
by default. </para>
by default.</para>
</note>
</listitem>
@ -808,12 +830,21 @@ ppp0 6000kbit 500kbit</programlisting>
<para>MARK or CLASSIFY - MARK specifies the mark value is to be
assigned in case of a match. This is an integer in the range 1-255
(1-16383 if you set WIDE_TC_MARKS=Yes in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) ).
This value may be optionally followed by <quote>:</quote> and either
<quote>F</quote>, <quote>P</quote> or "T" to designate that the
marking will occur in the FORWARD, PREROUTING or POSTROUTING chains
respectively. If this additional specification is omitted, the chain
used to mark packets will be determined as follows:</para>
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
).</para>
<note>
<para>In Shorewall 4.5.0, WIDE_TC_MARKS was superseded by TC_BITS
which specifies the width in bits of the traffic shaping mark
field. The default is based on the setting of WIDE_TC_MARKS so as
to provide upward compatibility.</para>
</note>
<para>This value may be optionally followed by <quote>:</quote> and
either <quote>F</quote>, <quote>P</quote> or "T" to designate that
the marking will occur in the FORWARD, PREROUTING or POSTROUTING
chains respectively. If this additional specification is omitted,
the chain used to mark packets will be determined as follows:</para>
<itemizedlist>
<listitem>
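Review bot: The identical four-line note ("In Shorewall 4.5.0, WIDE_TC_MARKS was superseded by TC_BITS ...") is inserted three times in this file (after the tcrules description, after the classify paragraph, and here under MARK or CLASSIFY); one copy at the first mention of WIDE_TC_MARKS plus a short cross-reference elsewhere would be easier to keep consistent. The retained sentence above it still states the range as "1-255 (1-16383 if you set WIDE_TC_MARKS=Yes ...)"; give the TC_BITS form of the limit as well (values must be < 2**TC_BITS, as the shorewall.conf(5) TC_BITS entry in this patch does) rather than leaving the reader to derive it from the note.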

View File

@ -0,0 +1,105 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-tcinterfaces</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>tcinterfaces</refname>
<refpurpose>Shorewall file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/tcinterfaces</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file lists the interfaces that are subject to simple traffic
shaping. Simple traffic shaping is enabled by setting TC_ENABLED=Simple in
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">INTERFACE</emphasis></term>
<listitem>
<para>The logical name of an interface. If you run both IPv4 and
IPv6 Shorewall firewalls, a given interface should only be listed in
one of the two configurations.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">TYPE</emphasis> - [<emphasis
role="bold">external</emphasis>|<emphasis
role="bold">internal</emphasis>]</term>
<listitem>
<para>Optional. If given specifies whether the interface is
<emphasis role="bold">external</emphasis> (facing toward the
Internet) or <emphasis role="bold">internal</emphasis> (facing
toward a local network) and enables SFQ flow classification.</para>
<note>
<para>Simple traffic shaping is only useful on interfaces where
queuing occurs. As a consequence, internal interfaces seldom
benefit from simple traffic shaping. VPN interfaces are an
exception because the encapsulated packets are later transferred
over a slower external link.</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term>IN-BANDWIDTH - [<replaceable>rate</replaceable>]</term>
<listitem>
<para>Optional. If specified, enables ingress policing on the
interface. If incoming traffic exceeds the given
<replaceable>rate</replaceable>, received packets are dropped
randomly. With some DSL and Cable links, large queues can build up
in the ISP's gateway router. While this insures maximum throughput,
it kills interactive response time. By setting IN-BANDWIDTH, you can
eliminate these queues.</para>
<para>To pick an appropriate setting, we recommend that you start by
setting it significantly below your measured download bandwidth (20%
or so). While downloading, measure the ping response time from the
firewall to the upstream router as you gradually increase the
setting.The optimal setting is at the point beyond which the ping
time increases sharply as you increase the setting.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/tcinterfaces.</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-tcpri(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>
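Review bot: In the IN-BANDWIDTH entry, "While this insures maximum throughput" should be "ensures", and "gradually increase the setting.The optimal" is missing a space after the period. The TYPE term lists the values as lowercase external|internal while the simple_traffic_shaping.xml examples in this commit write External/Internal; say whether the value is case-insensitive. The section title "See ALSO" should be "SEE ALSO" to match "FILES" (same in shorewall-tcpri.xml), and the FILES entry has a trailing period ("/etc/shorewall/tcinterfaces.") that the tcpri page does not.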

View File

@ -0,0 +1,159 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-tcpri</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>tcpri</refname>
<refpurpose>Shorewall file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/tcpri</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file is used to specify the priority of traffic for simple
traffic shaping (TC_ENABLED=Simple in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5)). The priority band of
each packet is determined by the <emphasis role="bold">last</emphasis>
entry that the packet matches. If a packet doesn't match any entry in this
file, then its priority will be determined by its TOS field. The default
mapping is as follows but can be changed by setting the TC_PRIOMAP option
in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<programlisting>TOS Bits Means Linux Priority BAND
------------------------------------------------------------
0x0 0 Normal Service 0 Best Effort 2
0x2 1 Minimize Monetary Cost 1 Filler 3
0x4 2 Maximize Reliability 0 Best Effort 2
0x6 3 mmc+mr 0 Best Effort 2
0x8 4 Maximize Throughput 2 Bulk 3
0xa 5 mmc+mt 2 Bulk 3
0xc 6 mr+mt 2 Bulk 3
0xe 7 mmc+mr+mt 2 Bulk 3
0x10 8 Minimize Delay 6 Interactive 1
0x12 9 mmc+md 6 Interactive 1
0x14 10 mr+md 6 Interactive 1
0x16 11 mmc+mr+md 6 Interactive 1
0x18 12 mt+md 4 Int. Bulk 2
0x1a 13 mmc+mt+md 4 Int. Bulk 2
0x1c 14 mr+mt+md 4 Int. Bulk 2
0x1e 15 mmc+mr+mt+md 4 Int. Bulk 2</programlisting>
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">BAND</emphasis> - {<emphasis
role="bold">1</emphasis>|<emphasis role="bold">2</emphasis>|<emphasis
role="bold">3</emphasis>}</term>
<listitem>
<para>Classifies matching traffic as High Priority (1), Medium
Priority (2) or Low Priority (3). For those interfaces listed in
<ulink
url="shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5),
Priority 2 traffic will be deferred so long and there is Priority 1
traffic queued and Priority 3 traffic will be deferred so long as
there is Priority 1 or Priority 2 traffic to send.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PROTO</emphasis> -
<replaceable>protocol</replaceable></term>
<listitem>
<para>Optional. The name or number of an IPv4
<replaceable>protocol</replaceable>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PORT(S) - <replaceable>port</replaceable> [,...]</term>
<listitem>
<para>Optional. May only be given if the the PROTO is tcp (6) or udp
(17). A list of one or more port numbers or service names from
/etc/services. Port ranges of the form
<replaceable>lowport</replaceable>:<replaceable>highport</replaceable>
may also be included.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ADDRESS - [<replaceable>address</replaceable>]</term>
<listitem>
<para>Optional. The IP or MAC address that the traffic originated
from. MAC addresses must be given in Shorewall format. If this
column contains an address, then the PROTO, PORT(S) and INTERFACE
column must be empty ("-").</para>
</listitem>
</varlistentry>
<varlistentry>
<term>INTERFACE - [<replaceable>interface</replaceable>]</term>
<listitem>
<para>Optional. The logical name of an
<replaceable>interface</replaceable> that traffic arrives from. If
given, the PROTO, PORT(S) and ADDRESS columns must be empty
("-").</para>
<note>
<para>INTERFACE classification of packets occurs before
classification by PROTO/PORT(S)/ADDRESS. So it is highly
recommended to place entries that specify INTERFACE at the top of
the file so that the rule about <emphasis>last entry
matches</emphasis> is preserved.</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">HELPER</emphasis> -
[<replaceable>helper</replaceable>]</term>
<listitem>
<para>Optional. Names a Netfiler protocol helper module such as ftp,
sip, amanda, etc. A packet will match if it was accepted by the
named helper module. You can also append "-" and a port number to
the helper module name (e.g., ftp-21) to specify the port number
that the original connection was made on.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/tcpri</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>PRIO(8), shorewall(8), shorewall-accounting(5),
shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5),
shorewall-interfaces(5), shorewall-ipsec(5), shorewall-maclist(5),
shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
shorewall-proxyarp(5), shorewall-route_rules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>
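Review bot: The BAND description has "Priority 2 traffic will be deferred so long and there is Priority 1 traffic queued", which should be "so long as". Other typos: "if the the PROTO" in PORT(S) and "Netfiler protocol helper" in HELPER. The ADDRESS and INTERFACE entries each say the other PROTO/PORT(S)/ADDRESS/INTERFACE columns must be "-", but neither says whether HELPER may be combined with them, and the INTERFACE note only orders INTERFACE classification before PROTO/PORT(S)/ADDRESS; since simple_traffic_shaping.xml in this commit uses HELPER on its own ("1 - - - - sip"), state where HELPER matching falls in that order and which columns it may be combined with. "See ALSO" should be "SEE ALSO".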

View File

@ -169,6 +169,19 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ACCOUNTING=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Added in Shorewall 4.5.0. If set to Yes, Shorewall accounting
is enabled (see <ulink
url="shorewall-accounting.html">shorewall-accounting</ulink>(5)). If
not specified or set to the empty value, ACCOUNTING=Yes is
assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ADD_IP_ALIASES=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@ -554,9 +567,13 @@ net all DROP info</programlisting>then the chain name is 'net2all'
url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5) if you had
a multi-ISP configuration that uses the track option.</para>
<para>Beginning with release 3.2.0, you may set HIGH_ROUTE_MARKS=Yes
in to effectively divide the packet mark and connection mark into
two mark fields.</para>
<para>You may set HIGH_ROUTE_MARKS=Yes in to effectively divide the
packet mark and connection mark into two mark fields.</para>
<note>
<para>From Shorewall 2.5.0 onward, this option is deprecated in
favor of the PROVIDER_OFFSET option.</para>
</note>
<para>The width of the fields are determined by the setting of
WIDE_TC_MARKS. If WIDE_TC_MARKS=No (the default):</para>
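Review bot: The replacement sentence "You may set HIGH_ROUTE_MARKS=Yes in to effectively divide ..." carries over the stray "in" from the old wording; drop it. The new note says the option is deprecated "From Shorewall 2.5.0 onward, ... in favor of the PROVIDER_OFFSET option", but PROVIDER_OFFSET is documented later in this same patch as "Added in Shorewall 4.5.0", so 2.5.0 looks like a typo for 4.5.0.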
@ -1044,6 +1061,24 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">MASK_BITS</emphasis>=<emphasis>bits</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.0. This option specifies the number of
<emphasis>bits</emphasis> to use as a mask for traffic shaping marks
and must be greater than or equal to TC_BITS. The default value
depends on the setting of WIDE_TC_MARKS:</para>
<simplelist>
<member>WIDE_TC_MARKS=No - 8 bits.</member>
<member>WIDE_TC_MARKS=Yes - 16 bits.</member>
</simplelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">MODULE_SUFFIX=</emphasis>[<emphasis
role="bold">"</emphasis><emphasis>extension</emphasis> ...<emphasis
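Review bot: MASK_BITS is described only as "the number of bits to use as a mask for traffic shaping marks" with the constraint MASK_BITS >= TC_BITS; say what the mask is applied to (which bits of the packet/connection mark the tc marking rules set and test) and whether it must also stay at or below PROVIDER_OFFSET, otherwise a reader cannot see why the WIDE_TC_MARKS=Yes default is 16 bits when TC_BITS defaults to 14. An upper bound (the mark is 32 bits wide, per the TC_BITS entry) would also help.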
@ -1168,6 +1203,42 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">PROVIDER_BITS</emphasis>=<emphasis>bits</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.0. Specifies the number of bits of the
packet/connection mark to use for the provider (routing) mark.
Provider mark values must be &gt;= 2**PROVIDER_OFFSET and less than
2**(PROVIDER_OFFSET + PROVIDER_BITS). The default value is 8
bits.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">PROVIDER_OFFSET</emphasis>=<emphasis>offset</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.0. Specifies the
<emphasis>offset</emphasis> in bits from the least significate bit
of the packet/connection mark where the Provider Mark value is
stored. The default is based on the settings of HIGH_ROUTE_MARKS and
WIDE_TC_MARKS:</para>
<simplelist>
<member>HIGH_ROUTE_MARKS=No - 0 bits.</member>
<member>HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=No - 8
bits.</member>
<member>HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=Yes - 16
bits.</member>
</simplelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PKTTYPE=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
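Review bot: "least significate bit" in the PROVIDER_OFFSET entry should be "least significant bit". The PROVIDER_BITS entry gives the valid provider mark range as >= 2**PROVIDER_OFFSET and < 2**(PROVIDER_OFFSET + PROVIDER_BITS), but nothing states how PROVIDER_OFFSET relates to TC_BITS/MASK_BITS (the 8/16 defaults line up with the MASK_BITS defaults, which suggests the provider field must not overlap the traffic shaping field); say whether the compiler checks that, and that PROVIDER_OFFSET + PROVIDER_BITS must fit within the 32-bit mark.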
@ -1291,28 +1362,24 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<varlistentry>
<term><emphasis role="bold">ROUTE_FILTER=</emphasis>[<emphasis
role="bold">Yes</emphasis>|1|<emphasis
role="bold">No|0</emphasis>|2|Keep]</term>
role="bold">Yes</emphasis>|<emphasis
role="bold">No</emphasis>|Keep]</term>
<listitem>
<para>If this parameter is given the value <emphasis
role="bold">Yes</emphasis> or <emphasis role="bold">yes</emphasis>
or 1 then route filtering (anti-spoofing) is enabled on all network
then route filtering (anti-spoofing) is enabled on all network
interfaces which are brought up while Shorewall is in the started
state. The default value is <emphasis role="bold">no</emphasis>
(0).</para>
state. The default value is <emphasis
role="bold">no</emphasis>.</para>
<para>The value <emphasis role="bold">Keep</emphasis> causes
Shorewall to ignore the option. If the option is set to <emphasis
role="bold">Yes</emphasis> or 1, then route filtering occurs on all
role="bold">Yes</emphasis>, then route filtering occurs on all
interfaces. If the option is set to <emphasis
role="bold">No</emphasis>, then route filtering is disabled on all
interfaces except those specified in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
<para>The value 2 is only available with Shorewall 4.4.5.1 and later
running on kernel 2.6.31 or later. It specifies a looser form of
reverse path filtering than the value Yes (1).</para>
</listitem>
</varlistentry>
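Review bot: This hunk removes the 1 and 0 spellings of Yes/No and the value 2 from the ROUTE_FILTER term, and deletes the paragraph "The value 2 is only available with Shorewall 4.4.5.1 and later running on kernel 2.6.31 or later. It specifies a looser form of reverse path filtering than the value Yes (1)."; for a commit that moves 4.5 documentation to master, that looks like the 4.5 branch copy overwriting a newer master change rather than an intended removal. Unless value 2 has really been dropped from the code, restore the 1|0|2 forms and the 4.4.5.1 paragraph.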
@ -1407,11 +1474,34 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">TC_BITS</emphasis>=<emphasis>bits</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.0. This option replaces WIDE_TC_MARKS
by allowing you to specify the number of <emphasis>bits</emphasis>
of the 32-bit packet/connection mark to be used for traffic shaping.
The default value is based on the settings of WIDE_TC_MARKS:</para>
<simplelist>
<member>WIDE_TC_MARKS=No - 8 bits.</member>
<member>WIDE_TC_MARKS=Yes - 14 bits.</member>
</simplelist>
<para>Mark values specified in <ulink
url="shorewall-tcclasses.html">shorewall-tcclasses (5)</ulink> must
be &lt; 2**TC_BITS.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">TC_ENABLED=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis
role="bold">No</emphasis>|<emphasis
role="bold">Internal</emphasis>]</term>
role="bold">Internal</emphasis>|<emphasis
role="bold">Simple</emphasis>]</term>
<listitem>
<para>If you say <emphasis role="bold">Yes</emphasis> or <emphasis
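Review bot: The TC_BITS entry bounds only the values in shorewall-tcclasses(5) ("must be < 2**TC_BITS"); the MARK column of shorewall-tcrules(5) is subject to the same limit (traffic_shaping.xml in this commit still quotes it as 1-255 / 1-16383), so mention tcrules here as well so both mark sources are covered by one rule.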
@ -1424,6 +1514,12 @@ net all DROP info</programlisting>then the chain name is 'net2all'
role="bold">no</emphasis> then traffic shaping is not
enabled.</para>
<para>If you set TC_ENABLED=Simple (Shorewall 4.5.0 and later),
simple traffic shaping using <ulink
url="shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5)
and <ulink url="shorewall-tcpri.html">shorewall-tcpri</ulink>(5) is
enabled.</para>
<para>If you set TC_ENABLED=Internal or internal or leave the option
empty then Shorewall will use its builtin traffic shaper
(tc4shorewall written by Arne Bernin.</para>
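Review bot: the surrounding values are accepted in either case ("Internal or internal" in the context line), but the new Simple paragraph does not say whether "simple" is accepted as well; make that explicit. It should also state what happens to an existing shorewall-tcdevices(5)/shorewall-tcclasses(5) configuration when TC_ENABLED=Simple is set, since Simple reads shorewall-tcinterfaces(5) and shorewall-tcpri(5) instead (ignored, or an error). Adjacent but pre-existing: the context line "(tc4shorewall written by Arne Bernin." is missing its closing parenthesis.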
@ -1445,6 +1541,24 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">TC_PRIOMAP</emphasis>=<emphasis>map</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.0. Determines the mapping of a packet's
TOS field to priority bands. See <ulink
url="shorewall-tcpri.html">shorewall-tcpri</ulink>(5). The
<emphasis>map</emphasis> consists of 16 space-separated digits with
values 1, 2 or 3. The first entry corresponds to Linux priority 9,
the second to Linux priority 1, the third to Linux Priority 2, and
so on. See tc-prio(8) for additional information.</para>
<para>The default setting is TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2
2 2".</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">TCP_FLAGS_DISPOSITION=</emphasis>[<emphasis
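Review bot: "The first entry corresponds to Linux priority 9" in the TC_PRIOMAP description looks like a typo for priority 0: the entries run 0, 1, 2, ... in order, and the default map "2 3 3 3 2 3 1 1 ..." only lines up with the shorewall-tcpri(5) table if its first digit is Best Effort (priority 0, band 2) and its seventh is Interactive (priority 6, band 1). The map is also applied to the Linux priority derived from TOS, not to the TOS field itself, so "mapping of a packet's TOS field to priority bands" should read "mapping of a packet's Linux priority (derived from its TOS field) to priority bands".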
@ -1576,6 +1690,11 @@ net all DROP info</programlisting>then the chain name is 'net2all'
traffic shaping marks are 14 bytes wide (values 1-16383). The
setting of WIDE_TC_MARKS also has an effect on the HIGH_ROUTE_MARKS
option (see above).</para>
<note>
<para>From Shorewall 2.5.0 onware, this option is deprecated in
favor of the TC_BITS option.</para>
</note>
</listitem>
</varlistentry>
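Review bot: "From Shorewall 2.5.0 onware" should read "From Shorewall 4.5.0 onward": TC_BITS, which this note defers to, is documented as added in 4.5.0, and 2.5.0 predates the option. While touching this entry, the context line "14 bytes wide (values 1-16383)" means 14 bits (2**14-1 = 16383); "bytes" is wrong there.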
@ -1607,7 +1726,8 @@ net all DROP info</programlisting>then the chain name is 'net2all'
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcinterfaces(5),
shorewall-tcpri(5), shorewall-tcrules(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>


@ -0,0 +1,103 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-tcinterfaces</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>tcinterfaces</refname>
<refpurpose>Shorewall6 file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/tcinterfaces</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file lists the interfaces that are subject to simple traffic
shaping. Simple traffic shaping is enabled by setting TC_ENABLED=Simple in
<ulink url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">INTERFACE</emphasis></term>
<listitem>
<para>The logical name of an interface. If you run both IPv4 and
IPv6 Shorewall firewalls, a given interface should only be listed in
one of the two configurations.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">TYPE</emphasis> - [<emphasis
role="bold">external</emphasis>|<emphasis
role="bold">internal</emphasis>]</term>
<listitem>
<para>Optional. If given specifies whether the interface is
<emphasis role="bold">external</emphasis> (facing toward the
Internet) or <emphasis role="bold">internal</emphasis> (facing
toward a local network) and enables SFQ flow classification.</para>
<note>
<para>Simple traffic shaping is only useful on interfaces where
queuing occurs. As a consequence, internal interfaces seldom
benefit from simple traffic shaping. VPN interfaces are an
exception because the encapsulated packets are later transferred
over a slower external link.</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term>IN-BANDWIDTH - [<replaceable>rate</replaceable>]</term>
<listitem>
<para>Optional. If specified, enables ingress policing on the
interface. If incoming traffic exceeds the given
<replaceable>rate</replaceable>, received packets are dropped
randomly. With some DSL and Cable links, large queues can build up
in the ISP's gateway router. While this insures maximum throughput,
it kills interactive response time. By setting IN-BANDWIDTH, you can
eliminate these queues.</para>
<para>To pick an appropriate setting, we recommend that you start by
setting it significantly below your measured download bandwidth (20%
or so). While downloading, measure the ping response time from the
firewall to the upstream router as you gradually increase the
setting.The optimal setting is at the point beyond which the ping
time increases sharply as you increase the setting.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/tcinterfaces.</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5),
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
shorewall6-route_rules(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcpri,
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>
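Review bot: IN-BANDWIDTH takes a rate but the column never says in what units or syntax (kbit, mbit, and so on as tc(8) understands them), and "setting it significantly below your measured download bandwidth (20% or so)" is ambiguous between 20% of and 20% below; suggest "start at roughly 80% of the measured download rate". The INTERFACE column warns that an interface should be listed in only one of the IPv4 and IPv6 configurations but not what goes wrong otherwise; stating the consequence makes the warning actionable. Typos: "insures" -> "ensures", missing space in "setting.The", and "shorewall6-tcpri," in See ALSO lacks its "(5)".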


@ -0,0 +1,157 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-tcpri</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>tcpri</refname>
<refpurpose>Shorewall6 file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/tcpri</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file is used to specify the priority band of traffic for simple
traffic shaping (TC_ENABLED=Simple in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)). The priority band
of each packet is determined by the <emphasis role="bold">last</emphasis>
entry that the packet matches. If a packet doesn't match any entry in this
file, then its priority will be determined by its TOS field. The default
mapping is as follows but can be changed by setting the TC_PRIOMAP option
in <ulink url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<programlisting>TOS Bits Means Linux Priority BAND
------------------------------------------------------------
0x0 0 Normal Service 0 Best Effort 2
0x2 1 Minimize Monetary Cost 1 Filler 3
0x4 2 Maximize Reliability 0 Best Effort 2
0x6 3 mmc+mr 0 Best Effort 2
0x8 4 Maximize Throughput 2 Bulk 3
0xa 5 mmc+mt 2 Bulk 3
0xc 6 mr+mt 2 Bulk 3
0xe 7 mmc+mr+mt 2 Bulk 3
0x10 8 Minimize Delay 6 Interactive 1
0x12 9 mmc+md 6 Interactive 1
0x14 10 mr+md 6 Interactive 1
0x16 11 mmc+mr+md 6 Interactive 1
0x18 12 mt+md 4 Int. Bulk 2
0x1a 13 mmc+mt+md 4 Int. Bulk 2
0x1c 14 mr+mt+md 4 Int. Bulk 2
0x1e 15 mmc+mr+mt+md 4 Int. Bulk 2</programlisting>
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">BAND</emphasis> - {<emphasis
role="bold">1</emphasis>|<emphasis role="bold">2</emphasis>|<emphasis
role="bold">3</emphasis>}</term>
<listitem>
<para>Classifies matching traffic as High Priority (1), Medium
Priority (2) or Low Priority (3). For those interfaces listed in
<ulink
url="shorewall6-tcinterfaces.html">shorewall6-tcinterfaces</ulink>(5),
Priority 2 traffic will be deferred so long and there is Priority 1
traffic queued and Priority 3 traffic will be deferred so long as
there is Priority 1 or Priority 2 traffic to send.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PROTO</emphasis> -
<replaceable>protocol</replaceable></term>
<listitem>
<para>Optional. The name or number of an IPv4
<replaceable>protocol</replaceable>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PORT(S) - <replaceable>port</replaceable> [,...]</term>
<listitem>
<para>Optional. May only be given if the the PROTO is tcp (6) or udp
(17). A list of one or more port numbers or service names from
/etc/services. Port ranges of the form
<replaceable>lowport</replaceable>:<replaceable>highport</replaceable>
may also be included.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ADDRESS - [<replaceable>address</replaceable>]</term>
<listitem>
<para>Optional. The IP or MAC address that the traffic originated
from. MAC addresses must be given in Shorewall format. If this
column contains an address, then the PROTO, PORT(S) and INTERFACE
column must be empty ("-").</para>
</listitem>
</varlistentry>
<varlistentry>
<term>INTERFACE - [<replaceable>interface</replaceable>]</term>
<listitem>
<para>Optional. The logical name of an
<replaceable>interface</replaceable> that traffic arrives from. If
given, the PROTO, PORT(S) and ADDRESS columns must be empty
("-").</para>
<note>
<para>INTERFACE classification of packets occurs before
classification by PROTO/PORT(S)/ADDRESS. So it is highly
recommended to place entries that specify INTERFACE at the top of
the file so that the rule about <emphasis>last entry
matches</emphasis> is preserved.</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">HELPER</emphasis> -
[<replaceable>helper</replaceable>]</term>
<listitem>
<para>Optional. Names a Netfiler protocol helper module such as ftp,
sip, amanda, etc. A packet will match if it was accepted by the
named helper module. You can also append "-" and a port number to
the helper module name (e.g., ftp-21) to specify the port number
that the original connection was made on.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/tcpri</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para>PRIO(8), shorewall6(8), shorewall6-accounting(5),
shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5),
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-tcinterfaces(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5) </para>
</refsect1>
</refentry>
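Review bot: the PROTO column says "The name or number of an IPv4 protocol" in a shorewall6 manpage; it should say IPv6 protocol (or simply protocol), and "TOS field" should be qualified for IPv6 (the Traffic Class octet). Under BAND, "deferred so long and there is Priority 1 traffic" should read "so long as". The ADDRESS column requires PROTO, PORT(S) and INTERFACE to be "-" when an address is given, and INTERFACE requires PROTO, PORT(S) and ADDRESS to be "-"; together these mean an entry may match on at most one of PROTO/PORT(S), ADDRESS or INTERFACE, which is worth stating once up front rather than leaving the reader to infer it from three columns. Typos: "the the" under PORT(S), "Netfiler" -> "Netfilter" under HELPER. See ALSO cites "PRIO(8)" whereas shorewall6.conf(5) cites "tc-prio(8)"; pick one.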


@ -167,6 +167,19 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ACCOUNTING=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Added in Shorewall 4.5.0. If set to Yes, Shorewall6 accounting
is enabled (see <ulink
url="shorewall6-accounting.html">shorewall6-accounting</ulink>(5)).
If not specified or set to the empty value, ACCOUNTING=Yes is
assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ADMINISABSENTMINDED=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
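Review bot: ACCOUNTING=No leaves the fate of a populated shorewall6-accounting(5) file unstated; say whether the file is ignored silently or produces a compile-time error, so an administrator who turns accounting off is not surprised when the counters disappear, and so one who forgot the setting is not misled by a file that is never read.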
@ -868,6 +881,24 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">MASK_BITS</emphasis>=<emphasis>bits</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.0. This option specifies the number of
<emphasis>bits</emphasis> to use as a mask for traffic shaping marks
and must be greater than or equal to TC_BITS. The default value
depends on the setting of WIDE_TC_MARKS:</para>
<simplelist>
<member>WIDE_TC_MARKS=No - 8 bits.</member>
<member>WIDE_TC_MARKS=Yes - 16 bits.</member>
</simplelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">MODULE_SUFFIX=</emphasis>[<emphasis
role="bold">"</emphasis><emphasis>extension</emphasis> ...<emphasis
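Review bot: MASK_BITS gives a lower bound (>= TC_BITS) but no upper bound; the traffic-shaping mask must not overlap the provider mark, and its defaults (8/16) coincide exactly with PROVIDER_OFFSET's defaults when HIGH_ROUTE_MARKS=Yes, so the implied rule is MASK_BITS <= PROVIDER_OFFSET whenever routing marks are in use. State that constraint here and say whether the compiler enforces it; an overlapping mask would let traffic-shaping marks clobber routing marks.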
@ -947,6 +978,42 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">PROVIDER_BITS</emphasis>=<emphasis>bits</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.0. Specifies the number of bits of the
packet/connection mark to use for the provider (routing) mark.
Provider mark values must be &gt;= 2**PROVIDER_OFFSET and less than
2**(PROVIDER_OFFSET + PROVIDER_BITS). The default value is 8
bits.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">PROVIDER_OFFSET</emphasis>=<emphasis>offset</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.0. Specifies the
<emphasis>offset</emphasis> in bits from the least significate bit
of the packet/connection mark where the Provider Mark value is
stored. The default is based on the settings of HIGH_ROUTE_MARKS and
WIDE_TC_MARKS:</para>
<simplelist>
<member>HIGH_ROUTE_MARKS=No - 0 bits.</member>
<member>HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=No - 8
bits.</member>
<member>HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=Yes - 16
bits.</member>
</simplelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">RCP_COMMAND="</emphasis><replaceable>command</replaceable><emphasis
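Review bot: PROVIDER_OFFSET + PROVIDER_BITS can exceed the 32-bit mark width with user-supplied values, and the hunk states neither that bound nor whether an explicit PROVIDER_OFFSET overrides HIGH_ROUTE_MARKS or conflicts with it; add both. The range given for provider mark values ("&gt;= 2**PROVIDER_OFFSET and less than 2**(PROVIDER_OFFSET + PROVIDER_BITS)") keeps them clear of the traffic-shaping bits only if PROVIDER_OFFSET >= MASK_BITS; cross-reference MASK_BITS. Typo: "least significate bit" -> "least significant bit".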
@ -1105,6 +1172,28 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">TC_BITS</emphasis>=<emphasis>bits</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.0. This option replaces WIDE_TC_MARKS
by allowing you to specify the number of <emphasis>bits</emphasis>
of the 32-bit packet/connection mark to be used for traffic shaping.
The default value is based on the settings of WIDE_TC_MARKS:</para>
<simplelist>
<member>WIDE_TC_MARKS=No - 8 bits.</member>
<member>WIDE_TC_MARKS=Yes - 14 bits.</member>
</simplelist>
<para>Mark values specified in <ulink
url="shorewall6-tcclasses.html">shorewall6-tcclasses (5)</ulink>
must be &lt; 2**TC_BITS.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">TC_ENABLED=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis
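Review bot: this TC_BITS entry repeats the shorewall.conf(5) one but omits the coupling that this same file introduces under MASK_BITS (MASK_BITS must be >= TC_BITS); add a sentence here so a reader raising TC_BITS to 14 learns that MASK_BITS may need raising too. As with the IPv4 copy, say which setting wins when TC_BITS and WIDE_TC_MARKS are both given explicitly.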
@ -1150,6 +1239,24 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">TC_PRIOMAP</emphasis>=<emphasis>map</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.0. Determines the mapping of a packet's
TOS field to priority bands. See <ulink
url="shorewall6-tcpri.html">shorewall6-tcpri</ulink>(5). The
<emphasis>map</emphasis> consists of 16 space-separated digits with
values 1, 2 or 3. The first entry corresponds to Linux priority 9,
the second to Linux priority 1, the third to Linux Priority 2, and
so on. See tc-prio(8) for additional information.</para>
<para>The default setting is TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2
2 2".</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">TCP_FLAGS_DISPOSITION=</emphasis>[<emphasis
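Review bot: "the first entry corresponds to Linux priority 9" should be priority 0: the second and third entries are priorities 1 and 2, and the default map's first digit (2) is the Best Effort band (priority 0) in the shorewall6-tcpri(5) table. Since this is the IPv6 manpage, also say that the "TOS field" here is the IPv6 Traffic Class, and that the map is applied to the Linux priority derived from it rather than to the field directly.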