<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
|
<refentry>
|
|
<refmeta>
|
|
<refentrytitle>shorewall6-rtrules</refentrytitle>
|
|
|
|
<manvolnum>5</manvolnum>
|
|
|
|
<refmiscinfo>Configuration Files</refmiscinfo>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname>rtrules</refname>
|
|
|
|
<refpurpose>Shorewall6 Routing Rules file</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<cmdsynopsis>
|
|
<command>/etc/shorewall6/rtrules</command>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>Description</title>
|
|
|
|
<para>Entries in this file cause traffic to be routed to one of the
|
|
providers listed in <ulink
|
|
url="/manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
|
|
|
|
<para>The columns in the file are as follows.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><emphasis role="bold">SOURCE</emphasis> (Optional) - {<emphasis
role="bold">-</emphasis>|<emphasis>interface</emphasis>|<emphasis>address</emphasis>|<emphasis>interface</emphasis><firstterm>:</firstterm><emphasis>address</emphasis>}</term>
|
|
|
|
<listitem>
|
|
<para>An IP <emphasis>address</emphasis> (network or host) that
|
|
matches the source IP address in a packet. May also be specified as
|
|
an <emphasis>interface</emphasis> name optionally followed by ":"
|
|
and an address. If the device <emphasis role="bold">lo</emphasis> is
|
|
specified, the packet must originate from the firewall
|
|
itself.</para>
|
|
|
|
<para>Beginning with Shorewall 4.5.0, you may specify
|
|
&amp;<replaceable>interface</replaceable> in this column to indicate
|
|
that the source is the primary IP address of the named
|
|
interface.</para>
|
|
|
|
<para>Beginning with Shorewall 4.6.8, you may specify a
|
|
comma-separated list of addresses in this column.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">DEST</emphasis> (Optional) - {<emphasis
|
|
role="bold">-</emphasis>|<emphasis>address</emphasis>}</term>
|
|
|
|
<listitem>
|
|
<para>An IP address (network or host) that matches the destination
|
|
IP address in a packet.</para>
|
|
|
|
<para>If you choose to omit either <emphasis
|
|
role="bold">SOURCE</emphasis> or <emphasis
|
|
role="bold">DEST</emphasis>, place "-" in that column. Note that you
|
|
may not omit both <emphasis role="bold">SOURCE</emphasis> and
|
|
<emphasis role="bold">DEST</emphasis>.</para>
|
|
|
|
<para>Beginning with Shorewall 4.6.8, you may specify a
|
|
comma-separated list of addresses in this column.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">PROVIDER</emphasis> -
|
|
{<emphasis>provider-name</emphasis>|<emphasis>provider-number</emphasis>|<emphasis
|
|
role="bold">main</emphasis>}</term>
|
|
|
|
<listitem>
|
|
<para>The provider to route the traffic through. May be expressed
|
|
either as the provider name or the provider number. May also be
|
|
<emphasis role="bold">main</emphasis> or 254 for the main routing
|
|
table. This can be used in combination with VPN tunnels, see example
|
|
2 below.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">PRIORITY</emphasis> -
|
|
<emphasis>priority</emphasis><emphasis
|
|
role="bold">[!]</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>The rule's numeric <emphasis>priority</emphasis> which
|
|
determines the order in which the rules are processed. Rules with
|
|
equal priority are applied in the order in which they appear in the
|
|
file.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>1000-1999</term>
|
|
|
|
<listitem>
|
|
<para>Before Shorewall-generated 'MARK' rules</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>11000-11999</term>
|
|
|
|
<listitem>
|
|
<para>After 'MARK' rules but before Shorewall-generated rules
|
|
for ISP interfaces.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>26000-26999</term>
|
|
|
|
<listitem>
|
|
<para>After ISP interface rules but before 'default'
|
|
rule.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
|
|
<para>Beginning with Shorewall 5.0.2, the priority may be followed
|
|
optionally by an exclamation mark ("!"). This causes the rule to
|
|
remain in place if the interface is disabled.</para>
|
|
|
|
<caution>
|
|
<para>Be careful when using rules of the same PRIORITY, as
unexpected behavior can occur when multiple rules have the same
SOURCE. For example, in the following rules, the second rule
|
|
overwrites the first unless the priority in the second is changed
|
|
to 19001 or higher:</para>
|
|
|
|
<programlisting>2601:601:8b00:bf0::/64 2001:470:b:787::542 provider1 19000
|
|
2601:601:8b00:bf0::/64 - provider2 19000</programlisting>
|
|
</caution>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">MARK -
|
|
{-|<replaceable>mark</replaceable>[/<replaceable>mask</replaceable>]}</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Optional -- added in Shorewall 4.4.25. For this rule to be
|
|
applied to a packet, the packet's mark value must match the
|
|
<replaceable>mark</replaceable> when logically anded with the
|
|
<replaceable>mask</replaceable>. If a
|
|
<replaceable>mask</replaceable> is not supplied, Shorewall supplies
|
|
a suitable provider mask.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Examples</title>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>Example 1:</term>
|
|
|
|
<listitem>
|
|
<para>You want all traffic coming in on eth1 to be routed to the
|
|
ISP1 provider.</para>
|
|
|
|
<programlisting> #SOURCE DEST PROVIDER PRIORITY MASK
|
|
eth1 - ISP1 1000
|
|
</programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>FILES</title>
|
|
|
|
<para>/etc/shorewall6/rtrules</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>See ALSO</title>
|
|
|
|
<para><ulink
|
|
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink></para>
|
|
|
|
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
|
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
|
shorewall6-maclist(5), shorewall6-netmap(5), shorewall6-params(5),
|
|
shorewall6-policy(5), shorewall6-providers(5), shorewall6-routestopped(5),
|
|
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
|
|
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5),
|
|
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
|
|
</refsect1>
|
|
</refentry>
|