extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-04-02 20:06:49 +02:00
Code Issues Packages Projects Releases Wiki Activity

Clean up documentation

Browse Source
This commit is contained in:
Tom Eastep 2009-05-04 13:14:25 -07:00
parent 5b6769a722
commit c7352303f4
5 changed files with 91 additions and 108 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
Shorewall/releasenotes.txt
View File

@ -537,15 +537,16 @@ None.
Example: Example:
IPMARK(dst, 0XFF00, 0x8000,8) IPMARK(src,0xff,0x10100)
Destination IP address is 192.168.4.3 = 0xc0a80403 Destination IP address is 192.168.4.3 = 0xc0a80403
0xc0a80403 LAND 0xFF00 = 0x0400 0xc0a80403 >> 0 = 0xc0a80403
0x0400 LOR 0x80 = 0x8400 0xc0a80403 LAND 0xFF = 0x03
0x8400 >> 8 = 0x84 0x03 LOR 0x10100 = 0x10103
Mark = 0x84 = 132 So the mark value is 0x10103 which corresponds to class id
1:103.
It is important to realize that, while class IDs are composed of a It is important to realize that, while class IDs are composed of a
<major> and a <minor> value, the set of values must be unique. That <major> and a <minor> value, the set of values must be unique. That
@ -559,8 +560,8 @@ None.
might be to use IPMARK(src,0xFF,0x10000) so as to produce class IDs might be to use IPMARK(src,0xFF,0x10000) so as to produce class IDs
1:1 through 1:6. But 1:1 is an invalid class ID since the <major> 1:1 through 1:6. But 1:1 is an invalid class ID since the <major>
and <minor> classes are equal. So you might chose instent to use and <minor> classes are equal. So you might chose instent to use
IPMARK(src,0xFF,0x10100) so that all of your <minor> classes will IPMARK(src,0xFF,0x10100) as shown in the example above so that all
have a value > 256. of your <minor> classes will have a value > 256.
The 'occurs' option in /etc/shorewall/tcclasses causes the class The 'occurs' option in /etc/shorewall/tcclasses causes the class
definition to be replicated many times. The synax is: definition to be replicated many times. The synax is:

12
manpages/shorewall-tcclasses.xml
View File

@ -299,7 +299,7 @@
<emphasis>number</emphasis> rules. Each rule has a <emphasis>number</emphasis> rules. Each rule has a
successively class number and mark value.</para> successively class number and mark value.</para>
<para> When 'occurs' is used:</para> <para>When 'occurs' is used:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
@ -315,12 +315,20 @@
<para>The class may not have any 'tos=' options (including <para>The class may not have any 'tos=' options (including
'tcp-ack').</para> 'tcp-ack').</para>
</listitem> </listitem>
<listitem>
<para>The class should not specify a MARK value. If one is
specified, it will be ignored with a warning
message.</para>
</listitem>
</itemizedlist> </itemizedlist>
<para>The 'RATE' and 'CEIL' parameters apply to each instance <para>The 'RATE' and 'CEIL' parameters apply to each instance
of the class. So the total RATE represented by an entry with of the class. So the total RATE represented by an entry with
'occurs' will be the listed RATE multiplied by 'occurs' will be the listed RATE multiplied by
<emphasis>number</emphasis>. </para> <emphasis>number</emphasis>. For additional information, see
<ulink url="shorewall-tcrules.html">tcrules</ulink>
(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>

86
manpages/shorewall-tcrules.xml
View File

@ -299,31 +299,89 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
<para>'src' and 'dst' specify whether the mark is to be based on <para>'src' and 'dst' specify whether the mark is to be based on
the source or destination address respectively. The selected the source or destination address respectively. The selected
address is first LANDed with <emphasis>mask1</emphasis> then address is first shifted to the right by
LORed with <emphasis>ma<emphasis>s</emphasis>k2</emphasis>. The <emphasis>shift</emphasis> bits. The result is then LANDed with
result is then shifted <emphasis>shift</emphasis> bits to the <emphasis>mask1</emphasis> then LORed with
right.</para> <emphasis>ma<emphasis>s</emphasis>k2</emphasis>.</para>
<para>In a sense, the IPMARK target is more like an IPCLASSIFY
target in that the mark value is later interpreted as a class
ID. A packet mark is 32 bits wide; so is a class ID. The
&lt;major&gt; class occupies the high-order 16 bits and the
&lt;minor&gt; class occupies the low-order 16 bits. So the class
ID 1:4ff (remember that class IDs are always in hex) is
equivalent to a mark value of 0x104ff. Remember that Shorewall
uses the interface number as the &lt;major&gt; number where the
first interface in tcdevices has &lt;major&gt; number 1, the
second has &lt;major&gt; number 2, and so on.</para>
<para>The IPMARK target assigns a mark to each matching packet
based on the either the source or destination IP address. By
default, it assigns a mark value equal to the low-order 8 bits
of the source address. The syntax is as follows:</para>
<blockquote>
<para><option>IPMARK</option>[([{<option>src</option>|<option>dst</option>}][,[<replaceable>mask1</replaceable>][,[<replaceable>mask2</replaceable>][,[<replaceable>shift</replaceable>]]]])]</para>
</blockquote>
<para>Default values are:</para>
<simplelist>
<member><option>src</option></member>
<member><replaceable>mask1</replaceable> = 0xFF</member>
<member><replaceable>mask2</replaceable> = 0x00</member>
<member><replaceable>shift</replaceable> = 0</member>
</simplelist>
<para> <option>src</option> and <option>dst</option> specify
whether the mark is to be based on the source or destination
address respectively. The selected address is first shifted
right by <replaceable>shift</replaceable>, then LANDed with
<replaceable>mask1</replaceable> and then LORed with
<replaceable>mask2</replaceable>. The
<replaceable>shift</replaceable> argument is intended to be used
primarily with IPv6 addresses.</para>
<para>Example:</para> <para>Example:</para>
<blockquote> <blockquote>
<para><simplelist> <para> IPMARK(src,0xff,0x10100)</para>
<member>IPMARK(dst, 0XFF00, 0x8000,8)</member>
<member>Destination IP address is 192.168.4.3 =
0xc0a80103</member>
</simplelist>Meaning:</para>
<simplelist> <simplelist>
<member>0xc0a80403 LAND 0xFF00 = 0x0400</member> <member>Suppose that the source IP address is 192.168.4.3 =
0xc0a80403; then</member>
<member>0x0400 LOR 0x80 = 0x8400</member> <member>0xc0a80403 &gt;&gt; 0 = 0xc0a80403</member>
<member>0x8400 &gt;&gt; 8 = 0x84</member> <member>0xc0a80403 LAND 0xFF = 0x03</member>
<member>Mark = 0x84 = 132</member> <member>0x03 LOR 0x0x10100 = 0x10103 or class ID
1:103</member>
</simplelist> </simplelist>
</blockquote> </blockquote>
<para>It is important to realize that, while class IDs are
composed of a <replaceable>major</replaceable> and a
<replaceable>minor</replaceable> value, the set of values must
be unique. That is, the same numeric value cannot be used as
both a <replaceable>major</replaceable> and a &lt;minor&gt;
number for the same interface unless class nesting occurs (which
is not currently possible with Shorewall). You should keep this
in mind when deciding how to map IP addresses to class
IDs.</para>
<para>For example, suppose that your internal network is
192.168.1.0/29 (host IP addresses 192.168.1.1 - 192.168.1.6).
Your first notion might be to use IPMARK(src,0xFF,0x10000) so as
to produce class IDs 1:1 through 1:6. But 1:1 is an invalid
class ID since the <replaceable>major</replaceable> and
<replaceable>minor</replaceable> classes are equal. So you might
chose instent to use IPMARK(src,0xFF,0x10100) as in the example
above so that all of your <replaceable>minor</replaceable>
classes will have a value &gt; 256.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
</listitem> </listitem>

35
manpages6/shorewall6-tcclasses.xml
View File

@ -287,41 +287,6 @@
</note> </note>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">occurs</emphasis>=<emphasis>number</emphasis></term>
<listitem>
<para>Typically used with an IPMARK entry in tcrules. Causes
the rule to be replicated for a total of
<emphasis>number</emphasis> rules. Each rule has a
successively class number and mark value.</para>
<para>When 'occurs' is used:</para>
<itemizedlist>
<listitem>
<para>The associated device may not have the 'classify'
option.</para>
</listitem>
<listitem>
<para>The class may not be the default class.</para>
</listitem>
<listitem>
<para>The class may not have any 'tos=' options (including
'tcp-ack').</para>
</listitem>
</itemizedlist>
<para>The 'RATE' and 'CEIL' parameters apply to each instance
of the class. So the total RATE represented by an entry with
'occurs' will be the listed RATE multiplied by
<emphasis>number</emphasis>.</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>

51
manpages6/shorewall6-tcrules.xml
View File

@ -50,10 +50,7 @@
role="bold">SAVE</emphasis>[<emphasis role="bold">SAVE</emphasis>[<emphasis
role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
role="bold">CONTINUE</emphasis>|<emphasis role="bold">CONTINUE</emphasis>|<emphasis
role="bold">COMMENT</emphasis>|<emphasis role="bold">COMMENT</emphasis>}[<emphasis
role="bold">IPMARK</emphasis>[([(<emphasis
role="bold">src</emphasis>|<emphasis
role="bold">dst</emphasis>}][,[<emphasis>mask1</emphasis>][,[<emphasis>mask2</emphasis>][,[<emphasis>shift</emphasis>]]]]])]}[<emphasis
role="bold">:</emphasis>{<emphasis role="bold">C</emphasis>|<emphasis role="bold">:</emphasis>{<emphasis role="bold">C</emphasis>|<emphasis
role="bold">F</emphasis>|<emphasis role="bold">P</emphasis>|<emphasis role="bold">F</emphasis>|<emphasis role="bold">P</emphasis>|<emphasis
role="bold">T</emphasis>|<emphasis role="bold">CF</emphasis>|<emphasis role="bold">T</emphasis>|<emphasis role="bold">CF</emphasis>|<emphasis
@ -244,52 +241,6 @@
<para>To stop the comment from being attached to further rules, <para>To stop the comment from being attached to further rules,
simply include COMMENT on a line by itself.</para> simply include COMMENT on a line by itself.</para>
</listitem> </listitem>
<listitem>
<para><emphasis role="bold">IPMARK</emphasis> Assigns a mark
to each matching packet based on the either the source or
destination IP address. By default, it assigns a mark value
equal to the low-order 8 bits of the source address. Default
values are:</para>
<simplelist>
<member>src</member>
<member><emphasis>mask1</emphasis> = 0xFF</member>
<member><emphasis>mask2</emphasis> = 0x00</member>
<member><emphasis>shift</emphasis> = 0</member>
</simplelist>
<para>'src' and 'dst' specify whether the mark is to be based on
the source or destination address respectively. The selected
address is first LANDed with <emphasis>mask1</emphasis> then
LORed with <emphasis>ma<emphasis>s</emphasis>k2</emphasis>. The
result is then shifted <emphasis>shift</emphasis> bits to the
right.</para>
<para>Example:</para>
<blockquote>
<para><simplelist>
<member>IPMARK(dst, 0XFF00, 0x8000,8)</member>
<member>Destination IP address is 192.168.4.3 =
0xc0a80103</member>
</simplelist>Meaning:</para>
<simplelist>
<member>0xc0a80403 LAND 0xFF00 = 0x0400</member>
<member>0x0400 LOR 0x80 = 0x8400</member>
<member>0x8400 &gt;&gt; 8 = 0x84</member>
<member>Mark = 0x84 = 132</member>
</simplelist>
</blockquote>
</listitem>
</orderedlist> </orderedlist>
</listitem> </listitem>
</varlistentry> </varlistentry>