Update manpages for IPv6 tcfilters

Tom Eastep 2010-11-14 13:50:18 -08:00
parent 5d0e719d03
commit a4bff9a2fa
2 changed files with 292 additions and 17 deletions

@ -26,6 +26,37 @@
<para>Entries in this file cause packets to be classified for traffic
shaping.</para>
<para>Beginning with Shorewall 4.4.15, the file may contain entries for
both IPv4 and IPv6. By default, all rules apply to IPv4 but that can be
changed by inserting a line as follows:</para>
<variablelist>
<varlistentry>
<term>IPV4</term>
<listitem>
<para>Following entriess apply to IPv4.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>IPV6</term>
<listitem>
<para>Following entries apply to IPv6</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ALL</term>
<listitem>
<para>Following entries apply to both IPv4 and IPv6. Each entry is
processed twice; once for IPv4 and once for IPv6.</para>
</listitem>
</varlistentry>
</variablelist>
<para>The columns in the file are as follows.</para>
<variablelist>
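Review bot: typo in the IPV4 entry, `Following entriess apply to IPv4.` should read "entries", and the IPV6 entry `Following entries apply to IPv6` is missing its closing full stop. The introduction also says only "inserting a line as follows" without stating that the keyword goes on a line of its own ahead of the entries it governs; the example later in the page shows that layout, and one sentence here would save the reader from having to infer it.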
@ -60,14 +91,9 @@
role="bold">-</emphasis>|<emphasis>address</emphasis>}}</term>
<listitem>
<para>Destination of the packet. Comma separated list of IP
addresses and/or subnets. If your kernel and iptables include
iprange match support, IP address ranges are also allowed. List
elements may also consist of an interface name followed by ":" and
an address (e.g., eth1:192.168.1.0/24). If the <emphasis
role="bold">MARK</emphasis> column specificies a classification of
the form <emphasis>major</emphasis>:<emphasis>minor</emphasis> then
this column may also contain an interface name.</para>
<para>Destination of the packet. May be a host or network
<replaceable>address</replaceable>. DNS names are not
allowed.</para>
<para>You may exclude certain hosts from the set already defined
through use of an <emphasis>exclusion</emphasis> (see <ulink
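Review bot: the exclusion paragraph kept as context right after the new DEST text (`You may exclude certain hosts from the set already defined through use of an exclusion`) no longer fits it, because the column is now described as a single host or network address and the comma-separated list, iprange and interface:address forms are gone. Either state explicitly that an exclusion can still follow a single address in this file, or drop the paragraph together with the old wording so the page does not promise syntax the filter cannot express.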
@ -173,12 +199,22 @@
<term>Example 1:</term>
<listitem>
<para>Place all ICMP echo traffic on interface 1 in class 10.</para>
<para>Place all 'ping' traffic on interface 1 in class 10. Note that
ALL cannot be used because IPv4 ICMP and IPv6 ICMP are two different
protocols.</para>
<programlisting> #CLASS SOURCE DEST PROTO DEST
# PORT
IPV4
1:10 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1:10 0.0.0.0/0 0.0.0.0/0 icmp echo-reply</programlisting>
1:10 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
IPV6
1:10 ::/0 ::/0 icmp6 echo-request
1:10 ::/0 ::/0 icmp6 echo-reply</programlisting>
</listitem>
</varlistentry>
</variablelist>
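Review bot: the added note explains why ALL cannot be used but never says that the IPv6 entries need a different PROTO value; `icmp6` appears only in the listing. Suggest naming it in the sentence, for example "use icmp under IPV4 and icmp6 under IPV6". Since this page states that IPv4 is the default, it would also help to say whether the leading `IPV4` line is required or only shown for clarity.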
@ -204,12 +240,12 @@
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
shorewall-proxyarp(5), shorewall-route_rules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>
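Review bot: `shorewall_interfaces(5)` in the re-wrapped list still has an underscore where every other page name uses a hyphen; since the paragraph is being touched anyway, correct it here. The rest of this hunk is whitespace-only re-wrapping, which would be easier to review in a commit separate from the IPv6 content changes.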

@ -0,0 +1,239 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-tcfilters</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>tcfilters</refname>
<refpurpose>shorewall6 u32 classifier rules file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/tcfilters</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>Entries in this file cause packets to be classified for traffic
shaping.</para>
<para>Beginning with Shorewall 4.4.15, the file may contain entries for
both IPv4 and IPv6. By default, all rules apply to IPv6 but that can be
changed by inserting a line as follows:</para>
<variablelist>
<varlistentry>
<term>IPV4</term>
<listitem>
<para>Following entriess apply to IPv4.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>IPV6</term>
<listitem>
<para>Following entries apply to IPv6</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ALL</term>
<listitem>
<para>Following entries apply to both IPv4 and IPv6. Each entry is
processed twice; once for IPv4 and once for IPv6.</para>
</listitem>
</varlistentry>
</variablelist>
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">CLASS</emphasis> -
<emphasis>interface</emphasis><emphasis
role="bold">:</emphasis><emphasis>class</emphasis></term>
<listitem>
<para>The name or number of an <returnvalue>interface</returnvalue>
defined in <ulink
url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
followed by a <replaceable>class</replaceable> number defined for
that interface in <ulink
url="shorewall6-tcclasses.html">shorewall6-tcclasses</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis>address</emphasis>}</term>
<listitem>
<para>Source of the packet. May be a host or network
<replaceable>address</replaceable>. DNS names are not
allowed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis>address</emphasis>}}</term>
<listitem>
<para>Destination of the packet. May be a host or network
<replaceable>address</replaceable>. DNS names are not
allowed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PROTO</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
role="bold">all}</emphasis></term>
<listitem>
<para>Protocol.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DEST PORT</emphasis> (Optional) -
[<emphasis
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
<listitem>
<para>Destination Ports. A Port name (from services(5)) or a
<emphasis>port number</emphasis>; if the protocol is <emphasis
role="bold">icmp</emphasis>, this column is interpreted as the
destination icmp-type(s).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SOURCE PORT</emphasis> (Optional) -
[<emphasis
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
<listitem>
<para>Source port.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">TOS</emphasis> (Optional) - [<emphasis
role="bold">-</emphasis>|<emphasis>tos</emphasis>]</term>
<listitem>
<para>Specifies the value of the TOS field. The
<replaceable>tos</replaceable> value can be any of the
following:</para>
<itemizedlist>
<listitem>
<para><option>tos-minimize-delay</option></para>
</listitem>
<listitem>
<para><option>tos-maximuze-throughput</option></para>
</listitem>
<listitem>
<para><option>tos-maximize-reliability</option></para>
</listitem>
<listitem>
<para><option>tos-minimize-cost</option></para>
</listitem>
<listitem>
<para><option>tos-normal-service</option></para>
</listitem>
<listitem>
<para><replaceable>hex-number</replaceable></para>
</listitem>
<listitem>
<para><replaceable>hex-number</replaceable>/<replaceable>hex-number</replaceable></para>
</listitem>
</itemizedlist>
<para>The <replaceable>hex-number</replaceable>s must be exactly two
digits (e.g., 0x04)x.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">LENGTH</emphasis> (Optional) - [<emphasis
role="bold">-</emphasis>|<emphasis>number</emphasis>]</term>
<listitem>
<para>Must be a power of 2 between 32 and 8192 inclusive. Packets
with a total length that is strictly less than the specified
<replaceable>number</replaceable> will match the rule.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Example</title>
<variablelist>
<varlistentry>
<term>Example 1:</term>
<listitem>
<para>Place all 'ping' traffic on interface 1 in class 10. Note that
ALL cannot be used because IPv4 ICMP and IPv6 ICMP are two different
protocols.</para>
<programlisting> #CLASS SOURCE DEST PROTO DEST
# PORT
IPV4
1:10 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1:10 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
IPV6
1:10 ::/0 ::/0 icmp6 echo-request
1:10 ::/0 ::/0 icmp6 echo-reply</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/tcfilters</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
<para><ulink
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
<para><ulink
url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>
<para></para>
</refsect1>
</refentry>
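Review bot: `tos-maximuze-throughput` in the TOS list is misspelled (compare `tos-maximize-reliability` in the next item), so anyone copying the value from the manpage gets the misspelled form. Other points in this new file: the hex-number sentence ends with a stray character, `(e.g., 0x04)x.`; the DEST term closes with `}}` after opening a single `{`; the PROTO term has its closing brace inside the bold emphasis (`all}</emphasis>`); `Following entriess` repeats the typo from the IPv4 page and the IPV6 item lacks a full stop; the DEST PORT text mentions only `icmp` for the icmp-type interpretation while the example on this page uses `icmp6`; the CLASS entry wraps `interface` in `<returnvalue>` where `<replaceable>` is used for placeholders elsewhere; and the See ALSO section ends with an empty `<para></para>`.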