mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-24 14:39:04 +01:00
Implement statistical marking in the tcrules file.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
d0e03bb03a
commit
e177916c12
@ -117,6 +117,7 @@ our %EXPORT_TAGS = (
|
|||||||
OPTIMIZE_RULESET_MASK
|
OPTIMIZE_RULESET_MASK
|
||||||
OPTIMIZE_MASK
|
OPTIMIZE_MASK
|
||||||
|
|
||||||
|
state_match
|
||||||
state_imatch
|
state_imatch
|
||||||
initialize_chain_table
|
initialize_chain_table
|
||||||
copy_rules
|
copy_rules
|
||||||
@ -3715,6 +3716,16 @@ sub port_count( $ ) {
|
|||||||
#
|
#
|
||||||
# Generate a state match
|
# Generate a state match
|
||||||
#
|
#
|
||||||
|
sub state_match( $ ) {
|
||||||
|
my $state = shift;
|
||||||
|
|
||||||
|
if ( $state eq 'ALL' ) {
|
||||||
|
''
|
||||||
|
} else {
|
||||||
|
have_capability 'CONNTRACK_MATCH' ? ( "-m conntrack --ctstate $state " ) : ( "-m state --state $state " );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
sub state_imatch( $ ) {
|
sub state_imatch( $ ) {
|
||||||
my $state = shift;
|
my $state = shift;
|
||||||
|
|
||||||
|
@ -174,6 +174,12 @@ my $family;
|
|||||||
|
|
||||||
my $divertref; # DIVERT chain
|
my $divertref; # DIVERT chain
|
||||||
|
|
||||||
|
my %validstates = ( NEW => 0,
|
||||||
|
RELATED => 0,
|
||||||
|
ESTABLISHED => 0,
|
||||||
|
UNTRACKED => 0,
|
||||||
|
INVALID => 0,
|
||||||
|
);
|
||||||
#
|
#
|
||||||
# Rather than initializing globals in an INIT block or during declaration,
|
# Rather than initializing globals in an INIT block or during declaration,
|
||||||
# we initialize them in a function. This is done for two reasons:
|
# we initialize them in a function. This is done for two reasons:
|
||||||
@ -199,14 +205,14 @@ sub initialize( $ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
sub process_tc_rule( ) {
|
sub process_tc_rule( ) {
|
||||||
my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp );
|
my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
|
||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp ) =
|
( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
|
||||||
split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 }, { COMMENT => 0, FORMAT => 2 } , 14;
|
split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13, state => 14 }, { COMMENT => 0, FORMAT => 2 } , 15;
|
||||||
$headers = '-';
|
$headers = '-';
|
||||||
} else {
|
} else {
|
||||||
( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp ) =
|
( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
|
||||||
split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 }, { COMMENT => 0, FORMAT => 2 }, 15;
|
split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 , state => 15 }, { COMMENT => 0, FORMAT => 2 }, 16;
|
||||||
}
|
}
|
||||||
|
|
||||||
our @tccmd;
|
our @tccmd;
|
||||||
@ -259,6 +265,7 @@ sub process_tc_rule( ) {
|
|||||||
my $cmd;
|
my $cmd;
|
||||||
my $rest;
|
my $rest;
|
||||||
my $matches = '';
|
my $matches = '';
|
||||||
|
my $mark1;
|
||||||
|
|
||||||
my %processtcc = ( sticky => sub() {
|
my %processtcc = ( sticky => sub() {
|
||||||
if ( $chain eq 'tcout' ) {
|
if ( $chain eq 'tcout' ) {
|
||||||
@ -501,7 +508,7 @@ sub process_tc_rule( ) {
|
|||||||
|
|
||||||
$chain = $tcsref->{chain} if $tcsref->{chain};
|
$chain = $tcsref->{chain} if $tcsref->{chain};
|
||||||
$target = $tcsref->{target} if $tcsref->{target};
|
$target = $tcsref->{target} if $tcsref->{target};
|
||||||
$mark = "$mark/" . in_hex( $globals{TC_MASK} ) if $connmark = $tcsref->{connmark};
|
$mark = "$mark/" . in_hex( $globals{TC_MASK} ) if $connmark = $tcsref->{connmark} && $mark !~ m'/';
|
||||||
|
|
||||||
require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;
|
require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;
|
||||||
|
|
||||||
@ -584,6 +591,13 @@ sub process_tc_rule( ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ( $mark =~ /-/ ) {
|
||||||
|
( $mark, $mark1 ) = split /-/, $mark, 2;
|
||||||
|
validate_mark $mark;
|
||||||
|
fatal_error "Invalid mark range ($mark-$mark1)" if $mark =~ m'/';
|
||||||
|
validate_mark $mark1;
|
||||||
|
require_capability 'STATISTIC_MATCH', 'A mark range', 's';
|
||||||
|
} else {
|
||||||
validate_mark $mark;
|
validate_mark $mark;
|
||||||
|
|
||||||
if ( $config{PROVIDER_OFFSET} ) {
|
if ( $config{PROVIDER_OFFSET} ) {
|
||||||
@ -597,10 +611,72 @@ sub process_tc_rule( ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
fatal_error "USER/GROUP only allowed in the OUTPUT chain" unless ( $user eq '-' || ( $chain eq 'tcout' || $chain eq 'tcpost' ) );
|
fatal_error "USER/GROUP only allowed in the OUTPUT chain" unless ( $user eq '-' || ( $chain eq 'tcout' || $chain eq 'tcpost' ) );
|
||||||
|
|
||||||
if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
|
if ( $state ne '-' ) {
|
||||||
|
my @state = split_list( $state, 'state' );
|
||||||
|
my %state = %validstates;
|
||||||
|
|
||||||
|
for ( @state ) {
|
||||||
|
fatal_error "Invalid STATE ($_)" unless exists $state{$_};
|
||||||
|
fatal_error "Duplicate STATE ($_)" if $state{$_};
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
$state = 'ALL';
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( $mark1 ) {
|
||||||
|
#
|
||||||
|
# A Mark Range
|
||||||
|
#
|
||||||
|
my $chainref = ensure_chain( 'mangle', $chain );
|
||||||
|
|
||||||
|
( $mark1, my $mask ) = split( '/', $mark1 );
|
||||||
|
|
||||||
|
my ( $markval, $mark1val ) = ( numeric_value $mark, numeric_value $mark1 );
|
||||||
|
|
||||||
|
fatal_error "Invalid mark range ($mark-$mark1)" unless $markval < $mark1val;
|
||||||
|
|
||||||
|
$mask = $globals{TC_MASK} unless supplied $mask;
|
||||||
|
|
||||||
|
$mask = numeric_value $mask;
|
||||||
|
|
||||||
|
my $increment = 1;
|
||||||
|
|
||||||
|
$increment <<= 1 until $increment & $mask;
|
||||||
|
|
||||||
|
$mask = in_hex $mask;
|
||||||
|
|
||||||
|
my $marks = $mark1val - $markval + 1;
|
||||||
|
|
||||||
|
for ( my $packet = 0; $packet < $marks; $packet++, $markval += $increment ) {
|
||||||
|
my $match = "-m statistic --mode nth --every $marks --packet $packet ";
|
||||||
|
|
||||||
|
expand_rule( $chainref,
|
||||||
|
$restrictions{$chain} | $restriction,
|
||||||
|
$match .
|
||||||
|
do_user( $user ) .
|
||||||
|
do_test( $testval, $globals{TC_MASK} ) .
|
||||||
|
do_test( $testval, $globals{TC_MASK} ) .
|
||||||
|
do_length( $length ) .
|
||||||
|
do_tos( $tos ) .
|
||||||
|
do_connbytes( $connbytes ) .
|
||||||
|
do_helper( $helper ) .
|
||||||
|
do_headers( $headers ) .
|
||||||
|
do_probability( $probability ) .
|
||||||
|
do_dscp( $dscp ) .
|
||||||
|
state_match( $state ) ,
|
||||||
|
$source ,
|
||||||
|
$dest ,
|
||||||
|
'' ,
|
||||||
|
"$target " . join( '/', in_hex( $markval ) , $mask ) ,
|
||||||
|
'',
|
||||||
|
$target ,
|
||||||
|
'' );
|
||||||
|
}
|
||||||
|
} elsif ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
|
||||||
$restrictions{$chain} | $restriction,
|
$restrictions{$chain} | $restriction,
|
||||||
do_proto( $proto, $ports, $sports) . $matches .
|
do_proto( $proto, $ports, $sports) . $matches .
|
||||||
do_user( $user ) .
|
do_user( $user ) .
|
||||||
@ -611,7 +687,8 @@ sub process_tc_rule( ) {
|
|||||||
do_helper( $helper ) .
|
do_helper( $helper ) .
|
||||||
do_headers( $headers ) .
|
do_headers( $headers ) .
|
||||||
do_probability( $probability ) .
|
do_probability( $probability ) .
|
||||||
do_dscp( $dscp ) ,
|
do_dscp( $dscp ) .
|
||||||
|
state_match( $state ) ,
|
||||||
$source ,
|
$source ,
|
||||||
$dest ,
|
$dest ,
|
||||||
'' ,
|
'' ,
|
||||||
|
@ -619,6 +619,29 @@
|
|||||||
eth0:+myset[dst] - 206.124.146.177</programlisting>
|
eth0:+myset[dst] - 206.124.146.177</programlisting>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>Example 7:</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
|
||||||
|
round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
|
||||||
|
(Shorewall 4.5.9 and later).</para>
|
||||||
|
|
||||||
|
<programlisting>/etc/shorewall/tcrules:
|
||||||
|
|
||||||
|
#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST
|
||||||
|
# PORT(S)
|
||||||
|
1-3:CF 192.168.1.0/24 eth0 ; state=NEW
|
||||||
|
|
||||||
|
/etc/shorewall/masq:
|
||||||
|
|
||||||
|
#INTERFACE SOURCE ADDRESS ...
|
||||||
|
eth0 192.168.1.0/24 1.1.1.1 ; mark=1:C
|
||||||
|
eth0 192.168.1.0/24 1.1.1.3 ; mark=2:C
|
||||||
|
eth0 192.168.1.0/24 1.1.1.4 ; mark=3:C</programlisting>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
|
@ -131,8 +131,12 @@
|
|||||||
|
|
||||||
<para>The mark value may be optionally followed by "/" and a
|
<para>The mark value may be optionally followed by "/" and a
|
||||||
mask value (used to determine those bits of the connection mark
|
mask value (used to determine those bits of the connection mark
|
||||||
to actually be set). The mark and optional mask are then
|
to actually be set). When a mask is specified, the result of
|
||||||
followed by one of:</para>
|
logically ANDing the mark value with the mask must be the same
|
||||||
|
as the mark value.</para>
|
||||||
|
|
||||||
|
<para>The mark and optional mask are then followed by one
|
||||||
|
of:</para>
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
@ -178,26 +182,114 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
<para><emphasis role="bold">Special considerations for If
|
<listitem>
|
||||||
HIGH_ROUTE_MARKS=Yes in <ulink
|
<para>A mark range which is a pair of integers separated by a
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5</emphasis>).</para>
|
dash ("-"). Added in Shorewall 4.5.9.</para>
|
||||||
|
|
||||||
<para>If HIGH_ROUTE_MARKS=Yes, then you may also specify a value
|
<para>May be optionally followed by a slash ("/") and a mask and
|
||||||
in the range 0x0100-0xFF00 with the low-order byte being zero.
|
requires the <firstterm>Statistics Match</firstterm> capability
|
||||||
Such values may only be used in the PREROUTING chain (value
|
in iptables and kernel. Marks in the specified range are
|
||||||
followed by <emphasis role="bold">:P</emphasis> or you have set
|
assigned to packets on a round-robin fashion.</para>
|
||||||
MARK_IN_FORWARD_CHAIN=No in <ulink
|
|
||||||
url="shorewall.conf.html">shorewall.conf</ulink>(5) and have not
|
<para>When a mask is specified, the result of logically ANDing
|
||||||
followed the value with <option>:F</option>) or the OUTPUT chain
|
the mark value with the mask must be the same as the mark value.
|
||||||
(SOURCE is <emphasis role="bold">$FW</emphasis>). With
|
The least significant bit in the mask is used as an increment.
|
||||||
HIGH_ROUTE_MARKS=Yes, non-zero mark values less that 256 are not
|
For example, if '0x200-0x400/0xff00' is specified, then the
|
||||||
permitted. Shorewall prohibits non-zero mark values less that
|
assigned mark values are 0x200, 0x300 and 0x400 in equal
|
||||||
256 in the OUTPUT chain when HIGH_ROUTE_MARKS=Yes. While earlier
|
proportions. If no mask is specified, then ( 2 ** MASK_BITS ) -
|
||||||
versions allow such values in the OUTPUT chain, it is strongly
|
1 is assumed (MASK_BITS is set in <ulink
|
||||||
recommended that with HIGH_ROUTE_MARKS=Yes, you use the
|
url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
||||||
POSTROUTING chain to apply traffic shaping
|
|
||||||
marks/classification.</para>
|
<para>May optionally be followed by <emphasis
|
||||||
|
role="bold">:P</emphasis>, <emphasis
|
||||||
|
role="bold">:F</emphasis>,<emphasis role="bold">:T</emphasis> or
|
||||||
|
<emphasis role="bold">:I</emphasis> where<emphasis role="bold">
|
||||||
|
:P</emphasis> indicates that marking should occur in the
|
||||||
|
PREROUTING chain, <emphasis role="bold">:F</emphasis> indicates
|
||||||
|
that marking should occur in the FORWARD chain, <emphasis
|
||||||
|
role="bold">:I </emphasis>indicates that marking should occur in
|
||||||
|
the INPUT chain (added in Shorewall 4.4.13), and <emphasis
|
||||||
|
role="bold">:T</emphasis> indicates that marking should occur in
|
||||||
|
the POSTROUTING chain. If neither <emphasis
|
||||||
|
role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
|
||||||
|
nor <emphasis role="bold">:T</emphasis> follow the mark value
|
||||||
|
then the chain is determined as follows:</para>
|
||||||
|
|
||||||
|
<para>- If the SOURCE is <emphasis
|
||||||
|
role="bold">$FW</emphasis>[<emphasis
|
||||||
|
role="bold">:</emphasis><emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...],
|
||||||
|
then the rule is inserted into the OUTPUT chain. When
|
||||||
|
HIGH_ROUTE_MARKS=Yes, only high mark values may be assigned
|
||||||
|
there. Packet marking rules for traffic shaping of packets
|
||||||
|
originating on the firewall must be coded in the POSTROUTING
|
||||||
|
chain (see below).</para>
|
||||||
|
|
||||||
|
<para>- Otherwise, the chain is determined by the setting of
|
||||||
|
MARK_IN_FORWARD_CHAIN in <ulink
|
||||||
|
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||||
|
|
||||||
|
<para>Please note that <emphasis role="bold">:I</emphasis> is
|
||||||
|
included for completeness and affects neither traffic shaping
|
||||||
|
nor policy routing.</para>
|
||||||
|
|
||||||
|
<para>If your kernel and iptables include CONNMARK support then
|
||||||
|
you can also mark the connection rather than the packet.</para>
|
||||||
|
|
||||||
|
<para>The mark range may be optionally followed by "/" and a
|
||||||
|
mask value (used to determine those bits of the connection mark
|
||||||
|
to actually be set). When a mask is specified, the result of
|
||||||
|
logically ANDing the mark value with each of the masks must be
|
||||||
|
the same as the mark value.</para>
|
||||||
|
|
||||||
|
<para>The mark and optional mask are then followed by one
|
||||||
|
of:</para>
|
||||||
|
|
||||||
|
<variablelist>
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">C</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Mark the connection in the chain determined by the
|
||||||
|
setting of MARK_IN_FORWARD_CHAIN</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">CF</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Mark the connection in the FORWARD chain</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">CP</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Mark the connection in the PREROUTING chain.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>CT</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Mark the connecdtion in the POSTROUTING chain</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>CI</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Mark the connection in the INPUT chain. This option
|
||||||
|
is included for completeness and has no applicability to
|
||||||
|
traffic shaping or policy routing.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -530,6 +622,17 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
|||||||
role="bold">:F</emphasis></para>
|
role="bold">:F</emphasis></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><emphasis role="bold">STATE</emphasis> {<emphasis
|
||||||
|
role="bold">NEW</emphasis>|<emphasis
|
||||||
|
role="bold">RELATED</emphasis>|<emphasis
|
||||||
|
role="bold">ESTABLISHED</emphasis>|<emphasis
|
||||||
|
role="bold">INVALID</emphasis>} [,...]</para>
|
||||||
|
|
||||||
|
<para>Added in Shorewall 4.5.9. The rule will only match if the
|
||||||
|
packet's connection is in one of the listed states.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><emphasis
|
<para><emphasis
|
||||||
role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</para>
|
role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</para>
|
||||||
@ -1124,6 +1227,29 @@ Normal-Service => 0x00</programlisting>
|
|||||||
mark has been set, save it to the connection mark.</para>
|
mark has been set, save it to the connection mark.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>Example 2:</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
|
||||||
|
round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
|
||||||
|
(Shorewall 4.5.9 and later).</para>
|
||||||
|
|
||||||
|
<programlisting>/etc/shorewall/tcrules:
|
||||||
|
|
||||||
|
#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST
|
||||||
|
# PORT(S)
|
||||||
|
1-3:CF 192.168.1.0/24 eth0 ; state=NEW
|
||||||
|
|
||||||
|
/etc/shorewall/masq:
|
||||||
|
|
||||||
|
#INTERFACE SOURCE ADDRESS ...
|
||||||
|
eth0 192.168.1.0/24 1.1.1.1 ; mark=1:C
|
||||||
|
eth0 192.168.1.0/24 1.1.1.3 ; mark=2:C
|
||||||
|
eth0 192.168.1.0/24 1.1.1.4 ; mark=3:C</programlisting>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
|
@ -131,8 +131,12 @@
|
|||||||
|
|
||||||
<para>The mark value may be optionally followed by "/" and a
|
<para>The mark value may be optionally followed by "/" and a
|
||||||
mask value (used to determine those bits of the connection mark
|
mask value (used to determine those bits of the connection mark
|
||||||
to actually be set). The mark and optional mask are then
|
to actually be set). When a mask is specified, the result of
|
||||||
followed by one of:+</para>
|
logically ANDing the mark value with the mask must be the same
|
||||||
|
as the mark value.</para>
|
||||||
|
|
||||||
|
<para>The mark and optional mask are then followed by one
|
||||||
|
of:+</para>
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
@ -178,26 +182,114 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
<para><emphasis role="bold">Special considerations for If
|
<listitem>
|
||||||
HIGH_ROUTE_MARKS=Yes in <ulink
|
<para>A mark range which is a pair of integers separated by a
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5</emphasis>).</para>
|
dash ("-"). Added in Shorewall 4.5.9.</para>
|
||||||
|
|
||||||
<para>If HIGH_ROUTE_MARKS=Yes, then you may also specify a value
|
<para>May be optionally followed by a slash ("/") and a mask and
|
||||||
in the range 0x0100-0xFF00 with the low-order byte being zero.
|
requires the <firstterm>Statistics Match</firstterm> capability
|
||||||
Such values may only be used in the PREROUTING chain (value
|
in iptables and kernel. Marks in the specified range are
|
||||||
followed by <emphasis role="bold">:P</emphasis> or you have set
|
assigned to packets on a round-robin fashion.</para>
|
||||||
MARK_IN_FORWARD_CHAIN=No in <ulink
|
|
||||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5) and have
|
<para>When a mask is specified, the result of logically ANDing
|
||||||
not followed the value with <option>:F</option>) or the OUTPUT
|
the mark value with the mask must be the same as the mark value.
|
||||||
chain (SOURCE is <emphasis role="bold">$FW</emphasis>). With
|
The least significant bit in the mask is used as an increment.
|
||||||
HIGH_ROUTE_MARKS=Yes, non-zero mark values less that 256 are not
|
For example, if '0x200-0x400/0xff00' is specified, then the
|
||||||
permitted. Shorewall6 prohibits non-zero mark values less that
|
assigned mark values are 0x200, 0x300 and 0x400 in equal
|
||||||
256 in the OUTPUT chain when HIGH_ROUTE_MARKS=Yes. While earlier
|
proportions. If no mask is specified, then ( 2 ** MASK_BITS ) -
|
||||||
versions allow such values in the OUTPUT chain, it is strongly
|
1 is assumed (MASK_BITS is set in <ulink
|
||||||
recommended that with HIGH_ROUTE_MARKS=Yes, you use the
|
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
||||||
POSTROUTING chain to apply traffic shaping
|
|
||||||
marks/classification.</para>
|
<para>May optionally be followed by <emphasis
|
||||||
|
role="bold">:P</emphasis>, <emphasis
|
||||||
|
role="bold">:F</emphasis>,<emphasis role="bold">:T</emphasis> or
|
||||||
|
<emphasis role="bold">:I</emphasis> where<emphasis role="bold">
|
||||||
|
:P</emphasis> indicates that marking should occur in the
|
||||||
|
PREROUTING chain, <emphasis role="bold">:F</emphasis> indicates
|
||||||
|
that marking should occur in the FORWARD chain, <emphasis
|
||||||
|
role="bold">:I </emphasis>indicates that marking should occur in
|
||||||
|
the INPUT chain (added in Shorewall 4.4.13), and <emphasis
|
||||||
|
role="bold">:T</emphasis> indicates that marking should occur in
|
||||||
|
the POSTROUTING chain. If neither <emphasis
|
||||||
|
role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
|
||||||
|
nor <emphasis role="bold">:T</emphasis> follow the mark value
|
||||||
|
then the chain is determined as follows:</para>
|
||||||
|
|
||||||
|
<para>- If the SOURCE is <emphasis
|
||||||
|
role="bold">$FW</emphasis>[<emphasis
|
||||||
|
role="bold">:</emphasis><emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...],
|
||||||
|
then the rule is inserted into the OUTPUT chain. When
|
||||||
|
HIGH_ROUTE_MARKS=Yes, only high mark values may be assigned
|
||||||
|
there. Packet marking rules for traffic shaping of packets
|
||||||
|
originating on the firewall must be coded in the POSTROUTING
|
||||||
|
chain (see below).</para>
|
||||||
|
|
||||||
|
<para>- Otherwise, the chain is determined by the setting of
|
||||||
|
MARK_IN_FORWARD_CHAIN in <ulink
|
||||||
|
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||||
|
|
||||||
|
<para>Please note that <emphasis role="bold">:I</emphasis> is
|
||||||
|
included for completeness and affects neither traffic shaping
|
||||||
|
nor policy routing.</para>
|
||||||
|
|
||||||
|
<para>If your kernel and iptables include CONNMARK support then
|
||||||
|
you can also mark the connection rather than the packet.</para>
|
||||||
|
|
||||||
|
<para>The mark range may be optionally followed by "/" and a
|
||||||
|
mask value (used to determine those bits of the connection mark
|
||||||
|
to actually be set). When a mask is specified, the result of
|
||||||
|
logically ANDing the mark value with each of the masks must be
|
||||||
|
the same as the mark value.</para>
|
||||||
|
|
||||||
|
<para>The mark and optional mask are then followed by one
|
||||||
|
of:</para>
|
||||||
|
|
||||||
|
<variablelist>
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">C</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Mark the connection in the chain determined by the
|
||||||
|
setting of MARK_IN_FORWARD_CHAIN</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">CF</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Mark the connection in the FORWARD chain</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">CP</emphasis></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Mark the connection in the PREROUTING chain.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>CT</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Mark the connecdtion in the POSTROUTING chain</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>CI</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Mark the connection in the INPUT chain. This option
|
||||||
|
is included for completeness and has no applicability to
|
||||||
|
traffic shaping or policy routing.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -451,6 +543,17 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
|||||||
role="bold">:F</emphasis></para>
|
role="bold">:F</emphasis></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><emphasis role="bold">STATE</emphasis> {<emphasis
|
||||||
|
role="bold">NEW</emphasis>|<emphasis
|
||||||
|
role="bold">RELATED</emphasis>|<emphasis
|
||||||
|
role="bold">ESTABLISHED</emphasis>|<emphasis
|
||||||
|
role="bold">INVALID</emphasis>} [,...]</para>
|
||||||
|
|
||||||
|
<para>Added in Shorewall 4.5.9. The rule will only match if the
|
||||||
|
packet's connection is in one of the listed states.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><emphasis
|
<para><emphasis
|
||||||
role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</para>
|
role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</para>
|
||||||
|
@ -278,8 +278,9 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
|
|||||||
<para>Shorewall actually allows you to have complete control over the
|
<para>Shorewall actually allows you to have complete control over the
|
||||||
layout of the 32-bit mark using the following options in <ulink
|
layout of the 32-bit mark using the following options in <ulink
|
||||||
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) (these
|
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) (these
|
||||||
options were documents in the shorewall.conf manpage in Shorewall
|
options were documentrf in the <ulink
|
||||||
4.4.26):</para>
|
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5) manpage in
|
||||||
|
Shorewall 4.4.26):</para>
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
@ -339,9 +340,9 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
|
|||||||
<para>The relationship between these options is shown in this
|
<para>The relationship between these options is shown in this
|
||||||
diagram.</para>
|
diagram.</para>
|
||||||
|
|
||||||
<graphic align="left" fileref="images/MarkGeometry.png" valign="top"/>
|
<graphic align="left" fileref="images/MarkGeometry.png" valign="top" />
|
||||||
|
|
||||||
<para/>
|
<para></para>
|
||||||
|
|
||||||
<para>The default values of these options are determined by the settings
|
<para>The default values of these options are determined by the settings
|
||||||
of other options as follows:</para>
|
of other options as follows:</para>
|
||||||
|
Loading…
Reference in New Issue
Block a user