Rename MARK/CLASSIFY column to ACTION

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2012-03-16 10:09:13 -07:00
parent ab13fbe95e
commit b7465262ca
6 changed files with 70 additions and 70 deletions

View File

@ -10,6 +10,6 @@
# See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism.
##########################################################################################################################################
#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP
#ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP
# PORT(S) PORT(S)
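Review bot: the continuation header `# PORT(S) PORT(S)` is left as unchanged context while the first column name grows from MARK to ACTION (two characters wider), so the sub-header's alignment under the DEST PORT(S) and SOURCE PORT(S) columns in the template should be re-checked after this rename.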

View File

@ -44,7 +44,7 @@
<variablelist>
<varlistentry>
<term><emphasis role="bold">MARK/CLASSIFY</emphasis> (mark) -
<term><emphasis role="bold">ACTION</emphasis> (mark) -
<replaceable>mark</replaceable></term>
<listitem>
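Review bot: this shorewall-tcrules hunk keeps `(mark) - <replaceable>mark</replaceable>` after the term, whereas the shorewall6-tcrules hunk later in this commit changes the term to `<replaceable>action</replaceable>` and the opening paragraph to "action may assume one of the following values"; the two manpages should use the same wording for the renamed column.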
@ -271,8 +271,8 @@
target allows you to work around that problem. SAME may be used
in the PREROUTING and OUTPUT chains. When used in PREROUTING, it
causes matching connections from an individual local system to
all use the same provider. For example: <programlisting>#MARK/ SOURCE DEST PROTO DEST
#CLASSIFY PORT(S)
all use the same provider. For example: <programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
If a host in 192.168.1.0/24 attempts a connection on TCP port 80
or 443 and it has sent a packet on either of those ports in the
@ -282,8 +282,8 @@ SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
<para>When used in the OUTPUT chain, it causes all matching
connections to an individual remote system to all use the same
provider. For example:<programlisting>#MARK/ SOURCE DEST PROTO DEST
#CLASSIFY PORT(S)
provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
If the firewall attempts a connection on TCP port 80 or 443 and
it has sent a packet on either of those ports in the last five
@ -600,7 +600,7 @@ Normal-Service =&gt; 0x00</programlisting>
MAC addresses. <emphasis role="bold">This form will not match
traffic that originates on the firewall itself unless either
&lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used in
the MARK column.</emphasis></para>
the ACTION column.</emphasis></para>
<para>Examples:<simplelist>
<member>0.0.0.0/0</member>
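Review bot: the unchanged context just above the edited line reads `&lt;major&gt;&lt;minor&gt;` with no colon between the two parts, while the classification form is written major:minor elsewhere in this commit (the shorewall6-tcrules hunk on the ACTION column); since this sentence is being touched, add the colon so it matches.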
@ -622,7 +622,7 @@ Normal-Service =&gt; 0x00</programlisting>
<para>$FW optionally followed by a colon (":") and a
comma-separated list of host or network IP addresses. Matches
packets originating on the firewall. May not be used with a
chain qualifier (:P, :F, etc.) in the MARK column.</para>
chain qualifier (:P, :F, etc.) in the ACTION column.</para>
</listitem>
</orderedlist>
@ -938,8 +938,8 @@ Normal-Service =&gt; 0x00</programlisting>
original connection was made on.</para>
<para>Example: Mark all FTP data connections with mark
4:<programlisting>#MARK/ SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
#CLASSIFY PORT(S)
4:<programlisting>#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
# PORT(S)
4:T 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftp</programlisting></para>
</listitem>
</varlistentry>
@ -1017,8 +1017,8 @@ Normal-Service =&gt; 0x00</programlisting>
<para>We assume packet/connection mark 0 means unclassified.</para>
<programlisting> #MARK/ SOURCE DEST PROTO PORT(S) SOURCE USER TEST
#CLASSIFY PORT(S)
<programlisting> #ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST
# PORT(S)
1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
RESTORE:T 0.0.0.0/0 0.0.0.0/0 all - - - 0

View File

@ -10,5 +10,5 @@
# See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism.
###################################################################################################################################################
#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY DSCP
#ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY DSCP
# PORT(S) PORT(S)

View File

@ -44,11 +44,11 @@
<variablelist>
<varlistentry>
<term><emphasis role="bold">MARK/CLASSIFY</emphasis> -
<replaceable>mark</replaceable></term>
<term><emphasis role="bold">ACTION</emphasis> -
<replaceable>action</replaceable></term>
<listitem>
<para><replaceable>mark</replaceable> may assume one of the
<para><replaceable>action</replaceable> may assume one of the
following values.</para>
<orderedlist numeration="arabic">
@ -272,8 +272,8 @@
SAME may be used in the PREROUTING and OUTPUT chains. When used
in PREROUTING, it causes matching connections from an individual
local system to all use the same provider. For example:
<programlisting>#MARK/ SOURCE DEST PROTO DEST
#CLASSIFY PORT(S)
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
If a host in 192.168.1.0/24 attempts a connection on TCP port 80
or 443 and it has sent a packet on either of those ports in the
@ -283,8 +283,8 @@ SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
<para>When used in the OUTPUT chain, it causes all matching
connections to an individual remote system to all use the same
provider. For example:<programlisting>#MARK/ SOURCE DEST PROTO DEST
#CLASSIFY PORT(S)
provider. For example:<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
If the firewall attempts a connection on TCP port 80 or 443 and
it has sent a packet on either of those ports in the last five
@ -495,7 +495,7 @@ Normal-Service =&gt; 0x00</programlisting>
<para>Accordingly, use $<emphasis role="bold">FW</emphasis> in its
own separate rule for packets originating on the firewall. In such a
rule, the MARK column may NOT specify either <emphasis
rule, the ACTION column may NOT specify either <emphasis
role="bold">:P</emphasis> or <emphasis role="bold">:F</emphasis>
because marking for firewall-originated packets always occurs in the
OUTPUT chain.</para>
@ -526,7 +526,7 @@ Normal-Service =&gt; 0x00</programlisting>
iprange match support, IP address ranges are also allowed. List
elements may also consist of an interface name followed by ":" and
an address (e.g., eth1:&lt;2002:ce7c:92b4::/48&gt;). If the
<emphasis role="bold">MARK</emphasis> column specificies a
<emphasis role="bold">ACTION</emphasis> column specificies a
classification of the form
<emphasis>major</emphasis>:<emphasis>minor</emphasis> then this
column may also contain an interface name.</para>
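Review bot: the typo "specificies" survives on the changed line (`column specificies a`); it should read "specifies" while the line is being rewritten.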
@ -795,8 +795,8 @@ Normal-Service =&gt; 0x00</programlisting>
that the original connection was made on.</para>
<para>Example: Mark all FTP data connections with mark
4:<programlisting>#MARK/ SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
#CLASSIFY PORT(S)
4:<programlisting>#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
# PORT(S)
4 ::/0 ::/0 TCP - - - - - - - ftp</programlisting></para>
</listitem>
</varlistentry>
@ -930,8 +930,8 @@ Normal-Service =&gt; 0x00</programlisting>
<para>We assume packet/connection mark 0 means unclassified.</para>
<programlisting> #MARK/ SOURCE DEST PROTO PORT(S) SOURCE USER TEST
#CLASSIFY PORT(S)
<programlisting> #ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST
# PORT(S)
1 ::/0 ::/0 icmp echo-request
1 ::/0 ::/0 icmp echo-reply
RESTORE ::/0 ::/0 all - - - 0

View File

@ -117,7 +117,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
<para>PREROUTING program — If MARK_IN_FORWARD_CHAIN=No in
<filename>shorewall.conf</filename>, then by default entries in
<filename>/etc/shorewall/tcrules</filename> are part of the PREROUTING
program. Entries specifying the ":P" suffix in the MARK column are
program. Entries specifying the ":P" suffix in the ACTION column are
also part of the PREROUTING program. The PREROUTING program gets
executed for each packet entering the firewall.</para>
</listitem>
@ -126,7 +126,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
<para>FORWARD program — If MARK_IN_FORWARD_CHAIN=Yes in
<filename>shorewall.conf</filename>, then by default entries in
<filename>/etc/shorewall/tcrules</filename> are part of the FORWARD
program. Entries specifying the ":F" suffix in the MARK column are
program. Entries specifying the ":F" suffix in the ACTION column are
also part of the FORWARD program. The FORWARD program gets executed
for each packet forwarded by the firewall.</para>
</listitem>
@ -138,12 +138,12 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
</listitem>
<listitem>
<para>POSTROUTING program — Entries with a class-id in the MARK column
(and that don't specify $FW in the SOURCE column) are part of the
POSTROUTING program. These rules are executed for each packet leaving
the firewall. Entries specifying the ":T" suffix in the MARK column
are also part of the POSTROUTING program (Shorewall version 3.4.0 and
later).</para>
<para>POSTROUTING program — Entries with a class-id in the ACTION
column (and that don't specify $FW in the SOURCE column) are part of
the POSTROUTING program. These rules are executed for each packet
leaving the firewall. Entries specifying the ":T" suffix in the ACTION
column are also part of the POSTROUTING program (Shorewall version
3.4.0 and later).</para>
</listitem>
<listitem>
@ -180,25 +180,25 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
<listitem>
<para>the connection to which the current packet belongs receives
a new mark value (":C", ":CF" or ":CP" suffix in the MARK column);
or</para>
a new mark value (":C", ":CF" or ":CP" suffix in the ACTION
column); or</para>
</listitem>
<listitem>
<para>the packet is classified for traffic shaping (class-id in
the MARK column); or</para>
the ACTION column); or</para>
</listitem>
<listitem>
<para>the packet mark in the current packet is moved to the
connection mark for the connection that the current packet is part
of ("SAVE" in the MARK column); or</para>
of ("SAVE" in the ACTION column); or</para>
</listitem>
<listitem>
<para>the connection mark value for the connection that the
current packet is part of is moved to the current packet's mark
("RESTORE" in the MARK column); or</para>
("RESTORE" in the ACTION column); or</para>
</listitem>
<listitem>
@ -207,7 +207,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
</listitem>
<listitem>
<para>exit the current subroutine ("CONTINUE" in the MARK
<para>exit the current subroutine ("CONTINUE" in the ACTION
column).</para>
</listitem>
</orderedlist>
@ -339,9 +339,9 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
<para>The relationship between these options is shown in this
diagram.</para>
<graphic align="left" fileref="images/MarkGeometry.png" valign="top" />
<graphic align="left" fileref="images/MarkGeometry.png" valign="top"/>
<para></para>
<para/>
<para>The default values of these options are determined by the settings
of other options as follows:</para>
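Review bot: the changes in this hunk (`<graphic ... />` to `<graphic .../>`, `<para></para>` to `<para/>`) are XML serialization differences with no content change and are unrelated to the MARK to ACTION rename; they look like editor noise and would be cleaner either left out of this commit or mentioned in the commit message.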
@ -455,7 +455,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
<para>Here's the example (slightly expanded) from the comments at the top
of the <filename>/etc/shorewall/tcrules</filename> file.</para>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS
# PORT(S)
1 0.0.0.0/0 0.0.0.0/0 icmp echo-request #Rule 1
1 0.0.0.0/0 0.0.0.0/0 icmp echo-reply #Rule 2
@ -539,7 +539,7 @@ Blarg 1 0x100 main eth3 206.124.146.254 track,ba
<para>Here is <filename>/etc/shorewall/tcrules</filename>:</para>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
1:110 192.168.0.0/22 eth3 #Our internal nets get priority
#over the server

View File

@ -223,10 +223,10 @@
<para>This screen shot shows how I configured QoS in a 2.6.16
Kernel:</para>
<graphic align="center" fileref="images/traffic_shaping2.6.png" />
<graphic align="center" fileref="images/traffic_shaping2.6.png"/>
<para>And here's my recommendation for a 2.6.21 kernel:<graphic
align="center" fileref="images/traffic_shaping2.6.21.png" /></para>
align="center" fileref="images/traffic_shaping2.6.21.png"/></para>
</section>
<section id="Shorewall">
@ -445,7 +445,7 @@
</itemizedlist>
<example id="Example0">
<title></title>
<title/>
<para>Suppose you are using PPP over Ethernet (DSL) and ppp0 is the
interface for this. The device has an outgoing bandwidth of 500kbit
@ -829,11 +829,11 @@ ppp0 6000kbit 500kbit</programlisting>
<itemizedlist>
<listitem>
<para>MARK or CLASSIFY - MARK specifies the mark value is to be
assigned in case of a match. This is an integer in the range 1-255
(1-16383 if you set WIDE_TC_MARKS=Yes or TC_BITS=14 in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
).</para>
<para>ACTION - ACTION (previously called MARK) specifies the mark
value is to be assigned in case of a match. This is an integer in
the range 1-255 (1-16383 if you set WIDE_TC_MARKS=Yes or TC_BITS=14
in <ulink url="manpages/shorewall.conf.html">shorewall.conf</ulink>
(5) ).</para>
<note>
<para>In Shorewall 4.4.26, WIDE_TC_MARKS was superseded by TC_BITS
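Review bot: the new bullet narrows the description to "specifies the mark value", but the old text covered both MARK and CLASSIFY, and the column also carries class ids (the `1:110` examples later in this file) and actions such as SAVE, RESTORE, CONTINUE and IPMARK; suggest "ACTION (previously called MARK/CLASSIFY) specifies the mark value or class id to be assigned in case of a match", which also fixes the grammar of "specifies the mark value is to be assigned".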
@ -998,7 +998,7 @@ ppp0 6000kbit 500kbit</programlisting>
MAC addresses. <emphasis role="bold">This form will not match
traffic that originates on the firewall itself unless either
&lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used in
the MARK column.</emphasis></para>
the ACTION column.</emphasis></para>
<para>Examples:<simplelist>
<member>0.0.0.0/0</member>
@ -1020,7 +1020,7 @@ ppp0 6000kbit 500kbit</programlisting>
<para>$FW optionally followed by a colon (":") and a
comma-separated list of host or network IP addresses. matches
packets originating on the firewall. May not be used with a
chain qualifier (:P, :F, etc.) in the MARK column.</para>
chain qualifier (:P, :F, etc.) in the ACTION column.</para>
</listitem>
</orderedlist>
@ -1177,13 +1177,13 @@ ppp0 6000kbit 500kbit</programlisting>
</itemizedlist>
<example id="Example1">
<title></title>
<title/>
<para>All packets arriving on eth1 should be marked with 1. All
packets arriving on eth2 and eth3 should be marked with 2. All packets
originating on the firewall itself should be marked with 3.</para>
<programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S)
1 eth1 0.0.0.0/0 all
2 eth2 0.0.0.0/0 all
2 eth3 0.0.0.0/0 all
@ -1191,40 +1191,40 @@ ppp0 6000kbit 500kbit</programlisting>
</example>
<example id="Example2">
<title></title>
<title/>
<para>All GRE (protocol 47) packets destined for 155.186.235.151
should be marked with 12.</para>
<programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S)
12:T 0.0.0.0/0 155.182.235.151 47</programlisting>
</example>
<example id="Example3">
<title></title>
<title/>
<para>All SSH request packets originating in 192.168.1.0/24 and
destined for 155.186.235.151 should be marked with 22.</para>
<programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT(S)
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S)
22:T 192.168.1.0/24 155.182.235.151 tcp 22</programlisting>
</example>
<example id="Example4">
<title></title>
<title/>
<para>All SSH packets packets going out of the first device in in
/etc/shorewall/tcdevices should be assigned to the class with mark
value 10.</para>
<programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT(S) CLIENT
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT
# PORT(S)
1:110 0.0.0.0/0 0.0.0.0/0 tcp 22
1:110 0.0.0.0/0 0.0.0.0/0 tcp - 22</programlisting>
</example>
<example id="Example5">
<title></title>
<title/>
<para>Mark all ICMP echo traffic with packet mark 1. Mark all peer to
peer traffic with packet mark 4.</para>
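Review bot: in Example2 and Example3 the prose says the packets are destined for 155.186.235.151 but the rules match 155.182.235.151; since the programlisting header lines are being edited, the address in either the text or the rule should be corrected so the example is consistent. The Example4 paragraph also has the duplicated words "packets packets" and "in in".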
@ -1236,7 +1236,7 @@ ppp0 6000kbit 500kbit</programlisting>
means unclassified. Traffic originating on the firewall is not covered
by this example.</para>
<programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST
# PORT(S) GROUP
1 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
@ -1257,13 +1257,13 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
</example>
<example>
<title></title>
<title/>
<para>Mark all forwarded VOIP connections with connection mark 1 and
ensure that all VOIP packets also receive that mark (assumes that
nf_conntrack_sip is loaded).</para>
<programlisting>#MARK SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST CONNBYTES TOS HELPER
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST CONNBYTES TOS HELPER
# PORT(S) GROUP
RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0
CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0
@ -1508,8 +1508,8 @@ eth0:101 - 1kbit 230kbit 4 occurs=6</programlisting>
<para><filename>/etc/shoreall/tcrules</filename>:</para>
<programlisting>#MARK SOURCE DEST
IPMARK(src,0xff,0x10100):F 192.168.1.0/29 eth0</programlisting>
<programlisting>#ACTION SOURCE DEST
IPMARK(src,0xff,0x10100):F 192.168.1.0/29 eth0</programlisting>
<para>This facility also alters the way in which Shorewall generates a
class number when none is given. Prior to the implementation of this
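Review bot: the unchanged context line immediately before the edited programlisting reads `<filename>/etc/shoreall/tcrules</filename>`; "shoreall" should be "shorewall", and it is worth fixing while the adjacent header line is being changed.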
@ -1568,7 +1568,7 @@ ppp0 3 2*full/10 8*full/10 2</programlisting>
<section id="realtcr">
<title>tcrules file</title>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER
# PORT(S)
1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
@ -1652,7 +1652,7 @@ ppp0 4 90kbit 200kbit 3 default</pro
<section id="simpletcr">
<title>tcrules file</title>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER
# PORT(S)
1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply