Rename MARK/CLASSIFY column to ACTION

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
2012-03-16 10:09:13 -07:00
parent ab13fbe95e
commit b7465262ca
6 changed files with 70 additions and 70 deletions


@@ -117,7 +117,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
<para>PREROUTING program — If MARK_IN_FORWARD_CHAIN=No in
<filename>shorewall.conf</filename>, then by default entries in
<filename>/etc/shorewall/tcrules</filename> are part of the PREROUTING
program. Entries specifying the ":P" suffix in the MARK column are
program. Entries specifying the ":P" suffix in the ACTION column are
also part of the PREROUTING program. The PREROUTING program gets
executed for each packet entering the firewall.</para>
</listitem>
@@ -126,7 +126,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
<para>FORWARD program — If MARK_IN_FORWARD_CHAIN=Yes in
<filename>shorewall.conf</filename>, then by default entries in
<filename>/etc/shorewall/tcrules</filename> are part of the FORWARD
program. Entries specifying the ":F" suffix in the MARK column are
program. Entries specifying the ":F" suffix in the ACTION column are
also part of the FORWARD program. The FORWARD program gets executed
for each packet forwarded by the firewall.</para>
</listitem>
@@ -138,12 +138,12 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
</listitem>
<listitem>
<para>POSTROUTING program — Entries with a class-id in the MARK column
(and that don't specify $FW in the SOURCE column) are part of the
POSTROUTING program. These rules are executed for each packet leaving
the firewall. Entries specifying the ":T" suffix in the MARK column
are also part of the POSTROUTING program (Shorewall version 3.4.0 and
later).</para>
<para>POSTROUTING program — Entries with a class-id in the ACTION
column (and that don't specify $FW in the SOURCE column) are part of
the POSTROUTING program. These rules are executed for each packet
leaving the firewall. Entries specifying the ":T" suffix in the ACTION
column are also part of the POSTROUTING program (Shorewall version
3.4.0 and later).</para>
</listitem>
<listitem>
@@ -180,25 +180,25 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
<listitem>
<para>the connection to which the current packet belongs receives
a new mark value (":C", ":CF" or ":CP" suffix in the MARK column);
or</para>
a new mark value (":C", ":CF" or ":CP" suffix in the ACTION
column); or</para>
</listitem>
<listitem>
<para>the packet is classified for traffic shaping (class-id in
the MARK column); or</para>
the ACTION column); or</para>
</listitem>
<listitem>
<para>the packet mark in the current packet is moved to the
connection mark for the connection that the current packet is part
of ("SAVE" in the MARK column); or</para>
of ("SAVE" in the ACTION column); or</para>
</listitem>
<listitem>
<para>the connection mark value for the connection that the
current packet is part of is moved to the current packet's mark
("RESTORE" in the MARK column); or</para>
("RESTORE" in the ACTION column); or</para>
</listitem>
<listitem>
@@ -207,7 +207,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
</listitem>
<listitem>
<para>exit the current subroutine ("CONTINUE" in the MARK
<para>exit the current subroutine ("CONTINUE" in the ACTION
column).</para>
</listitem>
</orderedlist>
@@ -339,9 +339,9 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
<para>The relationship between these options is shown in this
diagram.</para>
<graphic align="left" fileref="images/MarkGeometry.png" valign="top" />
<graphic align="left" fileref="images/MarkGeometry.png" valign="top"/>
<para></para>
<para/>
<para>The default values of these options are determined by the settings
of other options as follows:</para>
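Review bot: this hunk changes only XML serialization (`<graphic ... />` to `<graphic .../>`, `<para></para>` to `<para/>`) and carries none of the MARK to ACTION rename the commit title describes; the same editor churn shows up in the `<graphic>` and `<title/>` hunks of the second file. Whitespace-only reserialization belongs in its own commit so the rename can be reviewed cleanly.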
@@ -455,7 +455,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
<para>Here's the example (slightly expanded) from the comments at the top
of the <filename>/etc/shorewall/tcrules</filename> file.</para>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS
# PORT(S)
1 0.0.0.0/0 0.0.0.0/0 icmp echo-request #Rule 1
1 0.0.0.0/0 0.0.0.0/0 icmp echo-reply #Rule 2
@@ -539,7 +539,7 @@ Blarg 1 0x100 main eth3 206.124.146.254 track,ba
<para>Here is <filename>/etc/shorewall/tcrules</filename>:</para>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
1:110 192.168.0.0/22 eth3 #Our internal nets get priority
#over the server


@@ -223,10 +223,10 @@
<para>This screen shot shows how I configured QoS in a 2.6.16
Kernel:</para>
<graphic align="center" fileref="images/traffic_shaping2.6.png" />
<graphic align="center" fileref="images/traffic_shaping2.6.png"/>
<para>And here's my recommendation for a 2.6.21 kernel:<graphic
align="center" fileref="images/traffic_shaping2.6.21.png" /></para>
align="center" fileref="images/traffic_shaping2.6.21.png"/></para>
</section>
<section id="Shorewall">
@@ -445,7 +445,7 @@
</itemizedlist>
<example id="Example0">
<title></title>
<title/>
<para>Suppose you are using PPP over Ethernet (DSL) and ppp0 is the
interface for this. The device has an outgoing bandwidth of 500kbit
@@ -829,11 +829,11 @@ ppp0 6000kbit 500kbit</programlisting>
<itemizedlist>
<listitem>
<para>MARK or CLASSIFY - MARK specifies the mark value is to be
assigned in case of a match. This is an integer in the range 1-255
(1-16383 if you set WIDE_TC_MARKS=Yes or TC_BITS=14 in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
).</para>
<para>ACTION - ACTION (previously called MARK) specifies the mark
value is to be assigned in case of a match. This is an integer in
the range 1-255 (1-16383 if you set WIDE_TC_MARKS=Yes or TC_BITS=14
in <ulink url="manpages/shorewall.conf.html">shorewall.conf</ulink>
(5) ).</para>
<note>
<para>In Shorewall 4.4.26, WIDE_TC_MARKS was superseded by TC_BITS
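Review bot: the new column description drops the CLASSIFY half of the old definition: the removed text read "MARK or CLASSIFY" and the commit title renames the "MARK/CLASSIFY" column, yet the replacement parenthetical says only "(previously called MARK)". Suggest "(previously called MARK or CLASSIFY)" so readers migrating older tcrules files find both names. While the sentence is being rewritten, "specifies the mark value is to be assigned" reads better as "specifies the mark value to be assigned".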
@@ -998,7 +998,7 @@ ppp0 6000kbit 500kbit</programlisting>
MAC addresses. <emphasis role="bold">This form will not match
traffic that originates on the firewall itself unless either
&lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used in
the MARK column.</emphasis></para>
the ACTION column.</emphasis></para>
<para>Examples:<simplelist>
<member>0.0.0.0/0</member>
@@ -1020,7 +1020,7 @@ ppp0 6000kbit 500kbit</programlisting>
<para>$FW optionally followed by a colon (":") and a
comma-separated list of host or network IP addresses. matches
packets originating on the firewall. May not be used with a
chain qualifier (:P, :F, etc.) in the MARK column.</para>
chain qualifier (:P, :F, etc.) in the ACTION column.</para>
</listitem>
</orderedlist>
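Review bot: the rewritten paragraph keeps a pre-existing sentence fragment, "comma-separated list of host or network IP addresses. matches packets originating on the firewall", with a lowercase "matches" after the period; since the paragraph is already being edited, join the two pieces ("... IP addresses; matches packets ...") or capitalize the second.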
@@ -1177,13 +1177,13 @@ ppp0 6000kbit 500kbit</programlisting>
</itemizedlist>
<example id="Example1">
<title></title>
<title/>
<para>All packets arriving on eth1 should be marked with 1. All
packets arriving on eth2 and eth3 should be marked with 2. All packets
originating on the firewall itself should be marked with 3.</para>
<programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S)
1 eth1 0.0.0.0/0 all
2 eth2 0.0.0.0/0 all
2 eth3 0.0.0.0/0 all
@@ -1191,40 +1191,40 @@ ppp0 6000kbit 500kbit</programlisting>
</example>
<example id="Example2">
<title></title>
<title/>
<para>All GRE (protocol 47) packets destined for 155.186.235.151
should be marked with 12.</para>
<programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S)
12:T 0.0.0.0/0 155.182.235.151 47</programlisting>
</example>
<example id="Example3">
<title></title>
<title/>
<para>All SSH request packets originating in 192.168.1.0/24 and
destined for 155.186.235.151 should be marked with 22.</para>
<programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S)
22:T 192.168.1.0/24 155.182.235.151 tcp 22</programlisting>
</example>
<example id="Example4">
<title></title>
<title/>
<para>All SSH packets packets going out of the first device in in
/etc/shorewall/tcdevices should be assigned to the class with mark
value 10.</para>
<programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT(S) CLIENT
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT
# PORT(S)
1:110 0.0.0.0/0 0.0.0.0/0 tcp 22
1:110 0.0.0.0/0 0.0.0.0/0 tcp - 22</programlisting>
</example>
<example id="Example5">
<title></title>
<title/>
<para>Mark all ICMP echo traffic with packet mark 1. Mark all peer to
peer traffic with packet mark 4.</para>
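Review bot: the prose and the rule disagree on the destination address in Example2 and Example3: both paragraphs say 155.186.235.151 while both programlistings use 155.182.235.151; as these listings are being rewritten anyway, make them agree. The Example4 sentence also has doubled words ("SSH packets packets", "in in /etc/shorewall/tcdevices") that should be cleaned up in the same pass.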
@@ -1236,7 +1236,7 @@ ppp0 6000kbit 500kbit</programlisting>
means unclassified. Traffic originating on the firewall is not covered
by this example.</para>
<programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST
# PORT(S) GROUP
1 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
@@ -1257,13 +1257,13 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
</example>
<example>
<title></title>
<title/>
<para>Mark all forwarded VOIP connections with connection mark 1 and
ensure that all VOIP packets also receive that mark (assumes that
nf_conntrack_sip is loaded).</para>
<programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST CONNBYTES TOS HELPER
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST CONNBYTES TOS HELPER
# PORT(S) GROUP
RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0
CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0
@@ -1508,8 +1508,8 @@ eth0:101 - 1kbit 230kbit 4 occurs=6</programlisting>
<para><filename>/etc/shoreall/tcrules</filename>:</para>
<programlisting>#MARK SOURCE DEST
IPMARK(src,0xff,0x10100):F 192.168.1.0/29 eth0</programlisting>
<programlisting>#ACTION SOURCE DEST
IPMARK(src,0xff,0x10100):F 192.168.1.0/29 eth0</programlisting>
<para>This facility also alters the way in which Shorewall generates a
class number when none is given. Prior to the implementation of this
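Review bot: the unchanged context line just above the replaced listing has a typo in the path, `<filename>/etc/shoreall/tcrules</filename>` should read `/etc/shorewall/tcrules`; since this hunk already touches the block, fix it here rather than leaving it for a later commit.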
@@ -1568,7 +1568,7 @@ ppp0 3 2*full/10 8*full/10 2</programlisting>
<section id="realtcr">
<title>tcrules file</title>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER
# PORT(S)
1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
@@ -1652,7 +1652,7 @@ ppp0 4 90kbit 200kbit 3 default</pro
<section id="simpletcr">
<title>tcrules file</title>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER
# PORT(S)
1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply