diff --git a/docs/PacketMarking.xml b/docs/PacketMarking.xml
index eb30ad4d1..b71caec69 100644
--- a/docs/PacketMarking.xml
+++ b/docs/PacketMarking.xml
@@ -267,6 +267,97 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport= Connection marking rules use a mask value of 0xff. + + Shorewall actually allows you to have complete control over the + layout of the 32-bit mark using the following options in shorewall.conf (5): + + + + TC_BITS + + + The number of bits at the low end of the mark to be used for + traffic shaping marking. May be zero. + + + + + PROVIDER_BITS + + + The number of bits in the mark to be used for provider + numbers. May be zero. + + + + + PROVIDER_OFFSET + + + The offset from the right (low-order end) of the provider + number field. If non-zero, must be >= TC_BITS (Shorewall + automatically adjusts PROVIDER_OFFSET's value). PROVIDER_OFFSET + + PROVIDER_BITS must be <= 32. + + + + + MASK_BITS + + + Number of bits on the right of the mark to be masked when + clearing the traffic shaping mark. Must be >= TC_BITS and <= + PROVIDER_OFFSET (if PROVIDER_OFFSET > 0) + + + + + The relationship between these options is shown in this + diagram. + + + + + + The default values of these options are determined by the settings + of other options as follows: + + + Default Values + + + + + WIDE_TC_MARKS=No, HIGH_ROUTE_MARKS=No + + TC_BITS=8, PROVIDER_BITS=0, PROVIDER_OFFSET=0, + MASK_BITS=8 + + + + WIDE_TC_MARKS=No, HIGH_ROUTE_MARKS=Yes + + TC_BITS=8, PROVIDER_BITS=8, PROVIDER_OFFSET=8, + MASK_BITS=8 + + + + WIDE_TC_MARKS=Yes, HIGH_ROUTE_MARKS=No + + TC_BITS=14, PROVIDER_BITS=8, PROVIDER_OFFSET=0, + MASK_BITS=16 + + + + WIDE_TC_MARKS=Yes, HIGH_ROUTE_MARKS=Yes + + TC_BITS=14, PROVIDER_BITS=8, PROVIDER_OFFSET=16, + MASK_BITS=16 + + + +
diff --git a/docs/images/MarkGeometry.dia b/docs/images/MarkGeometry.dia
new file mode 100644
index 000000000..9242cbfdb
Binary files /dev/null and b/docs/images/MarkGeometry.dia differ
diff --git a/docs/images/MarkGeometry.png b/docs/images/MarkGeometry.png
new file mode 100644
index 000000000..471691884
Binary files /dev/null and b/docs/images/MarkGeometry.png differ
diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml
index 5eacd4271..211fa6379 100644
--- a/manpages/shorewall.conf.xml
+++ b/manpages/shorewall.conf.xml
@@ -589,11 +589,6 @@ net all DROP infothen the chain name is 'net2all' You may set HIGH_ROUTE_MARKS=Yes in to effectively divide the packet mark and connection mark into two mark fields. - - From Shorewall 2.5.0 onward, this option is deprecated in - favor of the PROVIDER_OFFSET option. - - The width of the fields are determined by the setting of WIDE_TC_MARKS. If WIDE_TC_MARKS=No (the default):
@@ -948,11 +943,11 @@ net all DROP infothen the chain name is 'net2all' If the value starts with 's:' then logging is limited per source IP. If the value starts with 'd:', then logging is limited - per destination IP. Otherwise, the overall logging rate is limited. - + per destination IP. Otherwise, the overall logging rate is + limited. If burst is not specified, then a - value of 5 is assumed. + value of 5 is assumed.
@@ -1834,11 +1829,6 @@ net all DROP infothen the chain name is 'net2all' traffic shaping marks are 14 bytes wide (values 1-16383). The setting of WIDE_TC_MARKS also has an effect on the HIGH_ROUTE_MARKS option (see above). - - - From Shorewall 2.5.0 onware, this option is deprecated in - favor of the TC_BITS option. -