Rename MARK/CLASSIFY column to ACTION

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2025-04-10 18:58:25 +02:00 · 2012-03-16 10:09:13 -07:00 · 2012-03-16 10:09:13 -07:00 · b7465262ca
commit b7465262ca
parent ab13fbe95e
6 changed files with 70 additions and 70 deletions
--- a/Shorewall/configfiles/tcrules
+++ b/Shorewall/configfiles/tcrules
@ -10,6 +10,6 @@
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 ##########################################################################################################################################
-#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY DSCP
+#ACTION	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY DSCP
 #						PORT(S)	PORT(S)
--- a/Shorewall/manpages/shorewall-tcrules.xml
+++ b/Shorewall/manpages/shorewall-tcrules.xml
@ -44,7 +44,7 @@
    <variablelist>
      <varlistentry>
-        <term><emphasis role="bold">MARK/CLASSIFY</emphasis> (mark) -
+        <term><emphasis role="bold">ACTION</emphasis> (mark) -
        <replaceable>mark</replaceable></term>
        <listitem>
@ -271,8 +271,8 @@
              target allows you to work around that problem. SAME may be used
              in the PREROUTING and OUTPUT chains. When used in PREROUTING, it
              causes matching connections from an individual local system to
-              all use the same provider. For example: <programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
+              all use the same provider. For example: <programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
-#CLASSIFY                                                PORT(S)
+#                                                        PORT(S)
 SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
              If a host in 192.168.1.0/24 attempts a connection on TCP port 80
              or 443 and it has sent a packet on either of those ports in the
@ -282,8 +282,8 @@ SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
              <para>When used in the OUTPUT chain, it causes all matching
              connections to an individual remote system to all use the same
-              provider. For example:<programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
+              provider. For example:<programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
-#CLASSIFY                                                PORT(S)
+#                                                        PORT(S)
 SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              If the firewall attempts a connection on TCP port 80 or 443 and
              it has sent a packet on either of those ports in the last five
@ -600,7 +600,7 @@ Normal-Service       =&gt; 0x00</programlisting>
              MAC addresses. <emphasis role="bold">This form will not match
              traffic that originates on the firewall itself unless either
              &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used in
-              the MARK column.</emphasis></para>
+              the ACTION column.</emphasis></para>
              <para>Examples:<simplelist>
                  <member>0.0.0.0/0</member>
@ -622,7 +622,7 @@ Normal-Service       =&gt; 0x00</programlisting>
              <para>$FW optionally followed by a colon (":") and a
              comma-separated list of host or network IP addresses. Matches
              packets originating on the firewall. May not be used with a
-              chain qualifier (:P, :F, etc.) in the MARK column.</para>
+              chain qualifier (:P, :F, etc.) in the ACTION column.</para>
            </listitem>
          </orderedlist>
@ -938,8 +938,8 @@ Normal-Service       =&gt; 0x00</programlisting>
          original connection was made on.</para>
          <para>Example: Mark all FTP data connections with mark
-          4:<programlisting>#MARK/    SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
+          4:<programlisting>#ACTION   SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
-#CLASSIFY                                        PORT(S)
+#                                                PORT(S)
 4:T       0.0.0.0/0 0.0.0.0/0 TCP     -          -       -    -    -      -   -         ftp</programlisting></para>
        </listitem>
      </varlistentry>
@ -1017,8 +1017,8 @@ Normal-Service       =&gt; 0x00</programlisting>
          <para>We assume packet/connection mark 0 means unclassified.</para>
-          <programlisting>       #MARK/     SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
+          <programlisting>       #ACTION    SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
-       #CLASSIFY                                               PORT(S)
+       #                                                       PORT(S)
       1:T        0.0.0.0/0 0.0.0.0/0    icmp    echo-request
       1:T        0.0.0.0/0 0.0.0.0/0    icmp    echo-reply
       RESTORE:T  0.0.0.0/0 0.0.0.0/0    all     -             -       -       0
--- a/Shorewall6/configfiles/tcrules
+++ b/Shorewall6/configfiles/tcrules
@ -10,5 +10,5 @@
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 ###################################################################################################################################################
-#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER	HEADERS    PROBABILITY DSCP
+#ACTION	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER	HEADERS    PROBABILITY DSCP
 #						PORT(S)	PORT(S)
--- a/Shorewall6/manpages/shorewall6-tcrules.xml
+++ b/Shorewall6/manpages/shorewall6-tcrules.xml
@ -44,11 +44,11 @@
    <variablelist>
      <varlistentry>
-        <term><emphasis role="bold">MARK/CLASSIFY</emphasis> -
+        <term><emphasis role="bold">ACTION</emphasis> -
-        <replaceable>mark</replaceable></term>
+        <replaceable>action</replaceable></term>
        <listitem>
-          <para><replaceable>mark</replaceable> may assume one of the
+          <para><replaceable>action</replaceable> may assume one of the
          following values.</para>
          <orderedlist numeration="arabic">
@ -272,8 +272,8 @@
              SAME may be used in the PREROUTING and OUTPUT chains. When used
              in PREROUTING, it causes matching connections from an individual
              local system to all use the same provider. For example:
-              <programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
+              <programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
-#CLASSIFY                                                PORT(S)
+#                                                        PORT(S)
 SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
              If a host in 192.168.1.0/24 attempts a connection on TCP port 80
              or 443 and it has sent a packet on either of those ports in the
@ -283,8 +283,8 @@ SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
              <para>When used in the OUTPUT chain, it causes all matching
              connections to an individual remote system to all use the same
-              provider. For example:<programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
+              provider. For example:<programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
-#CLASSIFY                                                PORT(S)
+#                                                        PORT(S)
 SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              If the firewall attempts a connection on TCP port 80 or 443 and
              it has sent a packet on either of those ports in the last five
@ -495,7 +495,7 @@ Normal-Service       =&gt; 0x00</programlisting>
          <para>Accordingly, use $<emphasis role="bold">FW</emphasis> in its
          own separate rule for packets originating on the firewall. In such a
-          rule, the MARK column may NOT specify either <emphasis
+          rule, the ACTION column may NOT specify either <emphasis
          role="bold">:P</emphasis> or <emphasis role="bold">:F</emphasis>
          because marking for firewall-originated packets always occurs in the
          OUTPUT chain.</para>
@ -526,7 +526,7 @@ Normal-Service       =&gt; 0x00</programlisting>
          iprange match support, IP address ranges are also allowed. List
          elements may also consist of an interface name followed by ":" and
          an address (e.g., eth1:&lt;2002:ce7c:92b4::/48&gt;). If the
-          <emphasis role="bold">MARK</emphasis> column specificies a
+          <emphasis role="bold">ACTION</emphasis> column specificies a
          classification of the form
          <emphasis>major</emphasis>:<emphasis>minor</emphasis> then this
          column may also contain an interface name.</para>
@ -795,8 +795,8 @@ Normal-Service       =&gt; 0x00</programlisting>
          that the original connection was made on.</para>
          <para>Example: Mark all FTP data connections with mark
-          4:<programlisting>#MARK/    SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
+          4:<programlisting>#ACTION   SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
-#CLASSIFY                                        PORT(S)
+#                                                PORT(S)
 4         ::/0      ::/0      TCP     -          -       -    -    -      -   -         ftp</programlisting></para>
        </listitem>
      </varlistentry>
@ -930,8 +930,8 @@ Normal-Service       =&gt; 0x00</programlisting>
          <para>We assume packet/connection mark 0 means unclassified.</para>
-          <programlisting>       #MARK/    SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
+          <programlisting>       #ACTION   SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
-       #CLASSIFY                                              PORT(S)
+       #                                                      PORT(S)
       1         ::/0      ::/0         icmp    echo-request
       1         ::/0      ::/0         icmp    echo-reply
       RESTORE   ::/0      ::/0         all     -             -       -       0
--- a/docs/PacketMarking.xml
+++ b/docs/PacketMarking.xml
@ -117,7 +117,7 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
        <para>PREROUTING program — If MARK_IN_FORWARD_CHAIN=No in
        <filename>shorewall.conf</filename>, then by default entries in
        <filename>/etc/shorewall/tcrules</filename> are part of the PREROUTING
-        program. Entries specifying the ":P" suffix in the MARK column are
+        program. Entries specifying the ":P" suffix in the ACTION column are
        also part of the PREROUTING program. The PREROUTING program gets
        executed for each packet entering the firewall.</para>
      </listitem>
@ -126,7 +126,7 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
        <para>FORWARD program — If MARK_IN_FORWARD_CHAIN=Yes in
        <filename>shorewall.conf</filename>, then by default entries in
        <filename>/etc/shorewall/tcrules</filename> are part of the FORWARD
-        program. Entries specifying the ":F" suffix in the MARK column are
+        program. Entries specifying the ":F" suffix in the ACTION column are
        also part of the FORWARD program. The FORWARD program gets executed
        for each packet forwarded by the firewall.</para>
      </listitem>
@ -138,12 +138,12 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
      </listitem>
      <listitem>
-        <para>POSTROUTING program — Entries with a class-id in the MARK column
+        <para>POSTROUTING program — Entries with a class-id in the ACTION
-        (and that don't specify $FW in the SOURCE column) are part of the
+        column (and that don't specify $FW in the SOURCE column) are part of
-        POSTROUTING program. These rules are executed for each packet leaving
+        the POSTROUTING program. These rules are executed for each packet
-        the firewall. Entries specifying the ":T" suffix in the MARK column
+        leaving the firewall. Entries specifying the ":T" suffix in the ACTION
-        are also part of the POSTROUTING program (Shorewall version 3.4.0 and
+        column are also part of the POSTROUTING program (Shorewall version
-        later).</para>
+        3.4.0 and later).</para>
      </listitem>
      <listitem>
@ -180,25 +180,25 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
          <listitem>
            <para>the connection to which the current packet belongs receives
-            a new mark value (":C", ":CF" or ":CP" suffix in the MARK column);
+            a new mark value (":C", ":CF" or ":CP" suffix in the ACTION
-            or</para>
+            column); or</para>
          </listitem>
          <listitem>
            <para>the packet is classified for traffic shaping (class-id in
-            the MARK column); or</para>
+            the ACTION column); or</para>
          </listitem>
          <listitem>
            <para>the packet mark in the current packet is moved to the
            connection mark for the connection that the current packet is part
-            of ("SAVE" in the MARK column); or</para>
+            of ("SAVE" in the ACTION column); or</para>
          </listitem>
          <listitem>
            <para>the connection mark value for the connection that the
            current packet is part of is moved to the current packet's mark
-            ("RESTORE" in the MARK column); or</para>
+            ("RESTORE" in the ACTION column); or</para>
          </listitem>
          <listitem>
@ -207,7 +207,7 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
          </listitem>
          <listitem>
-            <para>exit the current subroutine ("CONTINUE" in the MARK
+            <para>exit the current subroutine ("CONTINUE" in the ACTION
            column).</para>
          </listitem>
        </orderedlist>
@ -339,9 +339,9 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
    <para>The relationship between these options is shown in this
    diagram.</para>
-    <graphic align="left" fileref="images/MarkGeometry.png" valign="top" />
+    <graphic align="left" fileref="images/MarkGeometry.png" valign="top"/>
-    <para></para>
+    <para/>
    <para>The default values of these options are determined by the settings
    of other options as follows:</para>
@ -455,7 +455,7 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
    <para>Here's the example (slightly expanded) from the comments at the top
    of the <filename>/etc/shorewall/tcrules</filename> file.</para>
-    <programlisting>#MARK    SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST    LENGTH  TOS
+    <programlisting>#ACTION  SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST    LENGTH  TOS
 #                                                        PORT(S)
 1        0.0.0.0/0       0.0.0.0/0       icmp    echo-request                 #Rule 1
 1        0.0.0.0/0       0.0.0.0/0       icmp    echo-reply                   #Rule 2
@ -539,7 +539,7 @@ Blarg   1       0x100   main            eth3            206.124.146.254 track,ba
    <para>Here is <filename>/etc/shorewall/tcrules</filename>:</para>
-    <programlisting>#MARK   SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
+    <programlisting>#ACTION SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
 #                                                       PORT(S)
 1:110   192.168.0.0/22  eth3                                            #Our internal nets get priority
                                                                        #over the server
--- a/docs/traffic_shaping.xml
+++ b/docs/traffic_shaping.xml
@ -223,10 +223,10 @@
    <para>This screen shot shows how I configured QoS in a 2.6.16
    Kernel:</para>
-    <graphic align="center" fileref="images/traffic_shaping2.6.png" />
+    <graphic align="center" fileref="images/traffic_shaping2.6.png"/>
    <para>And here's my recommendation for a 2.6.21 kernel:<graphic
-    align="center" fileref="images/traffic_shaping2.6.21.png" /></para>
+    align="center" fileref="images/traffic_shaping2.6.21.png"/></para>
  </section>
  <section id="Shorewall">
@ -445,7 +445,7 @@
      </itemizedlist>
      <example id="Example0">
-        <title></title>
+        <title/>
        <para>Suppose you are using PPP over Ethernet (DSL) and ppp0 is the
        interface for this. The device has an outgoing bandwidth of 500kbit
@ -829,11 +829,11 @@ ppp0           6000kbit         500kbit</programlisting>
      <itemizedlist>
        <listitem>
-          <para>MARK or CLASSIFY - MARK specifies the mark value is to be
+          <para>ACTION - ACTION (previously called MARK) specifies the mark
-          assigned in case of a match. This is an integer in the range 1-255
+          value is to be assigned in case of a match. This is an integer in
-          (1-16383 if you set WIDE_TC_MARKS=Yes or TC_BITS=14 in <ulink
+          the range 1-255 (1-16383 if you set WIDE_TC_MARKS=Yes or TC_BITS=14
-          url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
+          in <ulink url="manpages/shorewall.conf.html">shorewall.conf</ulink>
-          ).</para>
+          (5) ).</para>
          <note>
            <para>In Shorewall 4.4.26, WIDE_TC_MARKS was superseded by TC_BITS
@ -998,7 +998,7 @@ ppp0           6000kbit         500kbit</programlisting>
              MAC addresses. <emphasis role="bold">This form will not match
              traffic that originates on the firewall itself unless either
              &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used in
-              the MARK column.</emphasis></para>
+              the ACTION column.</emphasis></para>
              <para>Examples:<simplelist>
                  <member>0.0.0.0/0</member>
@ -1020,7 +1020,7 @@ ppp0           6000kbit         500kbit</programlisting>
              <para>$FW optionally followed by a colon (":") and a
              comma-separated list of host or network IP addresses. matches
              packets originating on the firewall. May not be used with a
-              chain qualifier (:P, :F, etc.) in the MARK column.</para>
+              chain qualifier (:P, :F, etc.) in the ACTION column.</para>
            </listitem>
          </orderedlist>
@ -1177,13 +1177,13 @@ ppp0           6000kbit         500kbit</programlisting>
      </itemizedlist>
      <example id="Example1">
-        <title></title>
+        <title/>
        <para>All packets arriving on eth1 should be marked with 1. All
        packets arriving on eth2 and eth3 should be marked with 2. All packets
        originating on the firewall itself should be marked with 3.</para>
-        <programlisting>#MARK   SOURCE    DESTINATION    PROTOCOL   PORT(S)
+        <programlisting>#ACTION SOURCE    DESTINATION    PROTOCOL   PORT(S)
 1       eth1      0.0.0.0/0      all
 2       eth2      0.0.0.0/0      all
 2       eth3      0.0.0.0/0      all
@ -1191,40 +1191,40 @@ ppp0           6000kbit         500kbit</programlisting>
      </example>
      <example id="Example2">
-        <title></title>
+        <title/>
        <para>All GRE (protocol 47) packets destined for 155.186.235.151
        should be marked with 12.</para>
-        <programlisting>#MARK   SOURCE    DESTINATION     PROTOCOL   PORT(S)
+        <programlisting>#ACTION SOURCE    DESTINATION     PROTOCOL   PORT(S)
 12:T    0.0.0.0/0 155.182.235.151 47</programlisting>
      </example>
      <example id="Example3">
-        <title></title>
+        <title/>
        <para>All SSH request packets originating in 192.168.1.0/24 and
        destined for 155.186.235.151 should be marked with 22.</para>
-        <programlisting>#MARK   SOURCE         DESTINATION     PROTOCOL   PORT(S)
+        <programlisting>#ACTION SOURCE         DESTINATION     PROTOCOL   PORT(S)
 22:T    192.168.1.0/24 155.182.235.151 tcp        22</programlisting>
      </example>
      <example id="Example4">
-        <title></title>
+        <title/>
        <para>All SSH packets packets going out of the first device in in
        /etc/shorewall/tcdevices should be assigned to the class with mark
        value 10.</para>
-        <programlisting>#MARK   SOURCE         DESTINATION     PROTOCOL   PORT(S)         CLIENT
+        <programlisting>#ACTION SOURCE         DESTINATION     PROTOCOL   PORT(S)         CLIENT
 #                                                                 PORT(S)
 1:110   0.0.0.0/0      0.0.0.0/0       tcp        22
 1:110   0.0.0.0/0      0.0.0.0/0       tcp        -               22</programlisting>
      </example>
      <example id="Example5">
-        <title></title>
+        <title/>
        <para>Mark all ICMP echo traffic with packet mark 1. Mark all peer to
        peer traffic with packet mark 4.</para>
@ -1236,7 +1236,7 @@ ppp0           6000kbit         500kbit</programlisting>
        means unclassified. Traffic originating on the firewall is not covered
        by this example.</para>
-        <programlisting>#MARK    SOURCE         DESTINATION     PROTOCOL   PORT(S)       CLIENT   USER/     TEST
+        <programlisting>#ACTION  SOURCE         DESTINATION     PROTOCOL   PORT(S)       CLIENT   USER/     TEST
 #                                                                PORT(S)  GROUP
 1        0.0.0.0/0      0.0.0.0/0       icmp       echo-request
 1        0.0.0.0/0      0.0.0.0/0       icmp       echo-reply
@ -1257,13 +1257,13 @@ SAVE     0.0.0.0/0      0.0.0.0/0       all        -             -        -
      </example>
      <example>
-        <title></title>
+        <title/>
        <para>Mark all forwarded VOIP connections with connection mark 1 and
        ensure that all VOIP packets also receive that mark (assumes that
        nf_conntrack_sip is loaded).</para>
-        <programlisting>#MARK    SOURCE         DESTINATION     PROTOCOL   PORT(S)       CLIENT   USER/     TEST      CONNBYTES      TOS      HELPER
+        <programlisting>#ACTION  SOURCE         DESTINATION     PROTOCOL   PORT(S)       CLIENT   USER/     TEST      CONNBYTES      TOS      HELPER
 #                                                                PORT(S)  GROUP
 RESTORE  0.0.0.0/0      0.0.0.0/0       all        -             -        -         0
 CONTINUE 0.0.0.0/0      0.0.0.0/0       all        -             -        -         !0
@ -1508,8 +1508,8 @@ eth0:101     - 1kbit 230kbit        4    occurs=6</programlisting>
      <para><filename>/etc/shoreall/tcrules</filename>:</para>
-      <programlisting>#MARK                      SOURCE         DEST
+      <programlisting>#ACTION                          SOURCE             DEST
-IPMARK(src,0xff,0x10100):F 192.168.1.0/29 eth0</programlisting>
+IPMARK(src,0xff,0x10100):F       192.168.1.0/29     eth0</programlisting>
      <para>This facility also alters the way in which Shorewall generates a
      class number when none is given. Prior to the implementation of this
@ -1568,7 +1568,7 @@ ppp0            3       2*full/10       8*full/10       2</programlisting>
        <section id="realtcr">
          <title>tcrules file</title>
-          <programlisting>#MARK           SOURCE          DEST            PROTO   PORT(S) CLIENT   USER
+          <programlisting>#ACTION         SOURCE          DEST            PROTO   PORT(S) CLIENT   USER
 #                                                              PORT(S)
 1:F             0.0.0.0/0       0.0.0.0/0       icmp    echo-request
 1:F             0.0.0.0/0       0.0.0.0/0       icmp    echo-reply
@ -1652,7 +1652,7 @@ ppp0            4       90kbit          200kbit         3           default</pro
        <section id="simpletcr">
          <title>tcrules file</title>
-          <programlisting>#MARK           SOURCE          DEST            PROTO   PORT(S)      CLIENT   USER
+          <programlisting>#ACTION         SOURCE          DEST            PROTO   PORT(S)      CLIENT   USER
 #                                                                    PORT(S)
 1:F             0.0.0.0/0       0.0.0.0/0       icmp    echo-request
 1:F             0.0.0.0/0       0.0.0.0/0       icmp    echo-reply