diff --git a/manpages/shorewall-routestopped.xml b/manpages/shorewall-routestopped.xml
new file mode 100644
index 000000000..bc24eb61f
--- /dev/null
+++ b/manpages/shorewall-routestopped.xml
@@ -0,0 +1,158 @@
+
+
+
+ shorewall-routestopped
+
+ 5
+
+
+
+ routestopped
+
+ The Shorewall file that governs what traffic flows through the
+ firewall while it is in 'stopped' state.
+
+
+
+
+ /etc/shorewall/routestopped
+
+
+
+
+ Description
+
+ This file is used to define the hosts that are accessible when the
+ firewall is stopped or when it is in the process of being
+ [re]started.
+
+ The columns in the file are as follows.
+
+
+
+ INTERFACE
+
+
+ Interface through which host(s) communicate with the
+ firewall
+
+
+
+
+ HOST(S) (Optional)
+
+
+ Comma-separated list of IP/subnet addresses. If your kernel
+ and iptables include iprange match support, IP address ranges are
+ also allowed.
+
+ If left empty or supplied as "-", 0.0.0.0/0 is assumed.
+
+
+
+
+ OPTIONS (Optional)
+
+
+ A comma-separated list of options. The order of the options is
+ not important but the list can contain no embedded whitespace. The
+ currently-supported options are:
+
+
+
+ routeback
+
+
+ Set up a rule to ACCEPT traffic from these hosts back to
+ themselves.
+
+
+
+
+ source
+
+
+ Allow traffic from these hosts to ANY destination.
+ Without this option or the dest option, only traffic from this
+ host to other listed hosts (and the firewall) is allowed. If
+ source is specified then
+ routeback is
+ redundant.
+
+
+
+
+ dest
+
+
+ Allow traffic to these hosts from ANY source. Without
+ this option or the source
+ option, only traffic from this host to other listed hosts (and
+ the firewall) is allowed. If dest is specified then routeback is redundant.
+
+
+
+
+ critical
+
+
+ Allow traffic between the firewall and these hosts
+ throughout '[re]start', 'stop' and 'clear'. Specifying
+ critical on one or more
+ entries will cause your firewall to be "totally open" for a
+ brief window during each of those operations.
+
+
+
+
+
+ The source and dest options work best when used in
+ conjunction with ADMINISABSENTMINDED=Yes in
+ shorewall.conf(5).
+
+
+
+
+
+
+
+ Example
+
+
+
+ Example 1:
+
+
+ #INTERFACE HOST(S) OPTIONS
+ eth2 192.168.1.0/24
+ eth0 192.0.2.44
+ br0 - routeback
+ eth3 - source
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/routestopped
+
+
+
+ See ALSO
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_rules(5), shorewall-rules(5), shorewall.conf(5),
+ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+ shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+
+
\ No newline at end of file
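Review bot: the `critical` option paragraph ("Allow traffic between the firewall and these hosts throughout '[re]start', 'stop' and 'clear'") states that one critical entry makes the firewall "totally open" for a window during every one of those operations, but that consequence is buried mid-paragraph; since it is the only option in this file that weakens enforcement on each restart, give it its own sentence (or a warning paragraph) so an administrator reading the column list cannot miss it. Related: the HOST(S) column says an empty or "-" entry means 0.0.0.0/0, so the example line `eth3 - source` permits traffic from any host on eth3 to any destination while the firewall is stopped; a sentence under the example saying so would make the sample self-explanatory. Minor: the section titles mix "FILES" with "See ALSO" (pick one capitalization), and the file is missing its trailing newline.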
diff --git a/manpages/shorewall-tcclasses.xml b/manpages/shorewall-tcclasses.xml
new file mode 100644
index 000000000..bc111e8bd
--- /dev/null
+++ b/manpages/shorewall-tcclasses.xml
@@ -0,0 +1,337 @@
+
+
+
+ shorewall-tcclasses
+
+ 5
+
+
+
+ tcclasses
+
+ Shorewall file to define HTB classes
+
+
+
+
+ /etc/shorewall/tcclasses
+
+
+
+
+ Description
+
+ A note on the rate/bandwidth definitions used in this file:
+
+
+
+ don't use a space between the integer value and the unit: 30kbit
+ is valid while 30 kbit is NOT.
+
+
+
+ you can use one of the following units:
+
+
+
+ kpbs
+
+
+ Kilobytes per second.
+
+
+
+
+ mbps
+
+
+ Megabytes per second.
+
+
+
+
+ kbit
+
+
+ Kilobits per second.
+
+
+
+
+ mbit
+
+
+ Megabits per second.
+
+
+
+
+ bps or number
+
+
+ Bytes per second.
+
+
+
+
+
+
+ if you want the values to be calculated for you depending on the
+ output bandwidth setting defined for an interface in tcdevices, you
+ can use expressions like the following:
+
+
+
+ full/3
+
+
+ causes the bandwidth to be calculated as 1/3 of the full
+ outgoing speed that is defined.
+
+
+
+
+ full*9/10
+
+
+ will set this bandwidth to 9/10 of the full
+ bandwidth
+
+
+
+
+ DO NOT add a unit to the rate if it is calculated !
+
+
+
+ The columns in the file are as follows.
+
+
+
+ INTERFACE
+
+
+ Name of interface. Each interface may be listed only once in
+ this file. You may NOT specify the name of an alias (e.g., eth0:0)
+ here; see http://www.shorewall.net/FAQ.htm#faq18
+
+ You may NOT specify wildcards here, e.g. if you have multiple
+ ppp interfaces, you need to put them all in here!
+
+ Please note that you can only use interface names in here that
+ have a bandwidth defined in the tcdevices file
+
+
+
+
+ MARK
+
+
+ The mark value which is an integer in the range 1-255. You
+ define this marks in the tcrules file, marking the traffic you want
+ to fit in the classes defined in here.
+
+ You can use the same marks for different interfaces.
+
+
+
+
+ RATE
+
+
+ The minimum bandwidth this class should get, when the traffic
+ load rises. If the sum of the rates in this column exceed the
+ INTERFACE's OUT-BANDWIDTH, then the OUT-BANDWIDTH limit may not be
+ honored.
+
+
+
+
+ CEIL
+
+
+ The maximum bandwidth this class is allowed to use when the
+ link is idle. Useful if you have traffic which can get full speed
+ when more needed services (e.g. ssh) are not used.
+
+ You can use the value "full" in here for setting the maximum
+ bandwidth to the defined output bandwidth of that interface.
+
+
+
+
+ PRIORITY
+
+
+ The priority in which classes will be serviced by the packet
+ shaping scheduler and also the priority in which bandwidth in excess
+ of the rate will be given to each class.
+
+ Higher priority classes will experience less delay since they
+ are serviced first. Priority values are serviced in ascending order
+ (e.g. 0 is higher priority than 1).
+
+ Classes may be set to the same priority, in which case they
+ will be serviced as equals.
+
+
+
+
+ OPTIONS
+
+
+ A comma-separated list of options including the
+ following:
+
+
+
+ default
+
+
+ This is the default class for that interface where all
+ traffic should go, that is not classified otherwise.
+
+
+ You must define default for exactly one class per
+ interface.
+
+
+
+
+
+ tos=0xvalue[/0xmask]
+ (mask defaults to 0xff)
+
+
+ This lets you define a classifier for the given
+ value/mask
+ combination of the IP packet's TOS/Precedence/DiffSrv octet
+ (aka the TOS byte). Please note note classifiers override all
+ mark settings, so if you define a classifer for a class, all
+ traffic having that mark will go in it regardless of any mark
+ set on the packet by a firewall/mangle filter.
+
+
+
+
+ tos-tosname
+
+
+ Aliases for the following TOS octet value and mask
+ encodings. TOS encodings of the "TOS byte" have been
+ deprecated in favor of diffserve classes, but programs like
+ ssh, rlogin, and ftp still use them.
+
+ tos-minimize-delay 0x10/0x10
+ tos-maximize-throughput 0x08/0x08
+ tos-maximize-reliability 0x04/0x04
+ tos-minimize-cost 0x02/0x02
+ tos-normal-service 0x00/0x1e
+
+
+ Each of this options is only valid for ONE class per
+ interface.
+
+
+
+
+
+ tcp-ack
+
+
+ If defined causes an tc filter to be created that puts
+ all tcp ack packets on that interface that have an size of
+ <=64 Bytes to go in this class. This is useful for speeding
+ up downloads. Please note that the size of the ack packets is
+ limited to 64 bytes as some applications (p2p for example) use
+ to make every packet an ack packet which would cause them all
+ into here. We want only packets WITHOUT payload to match, so
+ the size limit.
+
+
+ This option is only valid for ONE class per
+ interface.
+
+
+
+
+
+
+
+
+
+
+ Examples
+
+
+
+ Example 1:
+
+
+ Suppose you are using PPP over Ethernet (DSL) and ppp0 is the
+ interface for this. You have 4 classes here, the first you can use
+ for voice over IP traffic, the second interactive traffic (e.g.
+ ssh/telnet but not scp), the third will be for all unclassified
+ traffic, and the forth is for low priority traffic (e.g.
+ peer-to-peer).
+
+ The voice traffic in the first class will be guaranteed a
+ minimum of 100kbps and always be serviced first (because of the low
+ priority number, giving less delay) and will be granted excess
+ bandwidth (up to 180kbps, the class ceiling) first, before any other
+ traffic. A single VOIP stream, depending upon codecs, after
+ encapsulation, can take up to 80kbps on a PPOE/DSL link, so we pad a
+ little bit just in case. (TOS byte values 0xb8 and 0x68 are DiffServ
+ classes EF and AFF3-1 respectively and are often used by VOIP
+ devices).
+
+ Interactive traffic (tos-minimum-delay) and TCP acks (and ICMP
+ echo traffic if you use the example in tcrules) and any packet with
+ a mark of 2 will be guaranteed 1/4 of the link bandwidth, and may
+ extend up to full speed of the link.
+
+ Unclassified traffic and packets marked as 3 will be
+ guaranteed 1/4th of the link bandwidth, and may extend to the full
+ speed of the link.
+
+ Packets marked with 4 will be treated as low priority packets.
+ (The tcrules example marks p2p traffic as such.) If the link is
+ congested, they're only guaranteed 1/8th of the speed, and even if
+ the link is empty, can only expand to 80% of link bandwidth just as
+ a precaution in case there are upstream queues we didn't account
+ for. This is the last class to get additional bandwidth and the last
+ to get serviced by the scheduler because of the low priority.
+
+ #INTERFACE MARK RATE CEIL MARK OPTIONS
+ ppp0 1 100kbit 180kbit 1 tos=0x68/0xfc,tos=0xb8/0xfc
+ ppp0 2 full/4 full 2 tcp-ack,tos-minimize-delay
+ ppp0 3 full/4 full 3 default
+ ppp0 4 full/8 full*8/10 4
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/tcclasses
+
+
+
+ See ALSO
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+ shorewall.conf(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+ shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+
+
\ No newline at end of file
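Review bot: the example header `#INTERFACE MARK RATE CEIL MARK OPTIONS` does not match the documented columns (INTERFACE, MARK, RATE, CEIL, PRIORITY, OPTIONS); the fifth heading should read PRIORITY, otherwise readers will take the second "1/2/3/4" column for a repeated mark. Other inconsistencies in the same hunk: the unit list spells "kpbs" where the unit elsewhere (and in tcdevices) is "kbps"; the example prose describes the first class as "100kbps" and "180kbps" while the example lines use `100kbit` and `180kbit`, which under the file's own unit definitions differ by a factor of eight; the prose says "tos-minimum-delay" but the alias table and the example line use `tos-minimize-delay`; and "AFF3-1" should be "AF31" (0x68 is DSCP 26, which is AF31). Typos to fix before merge: "note note", "classifer", "diffserve", "forth", "PPOE", "this marks", "rates ... exceed" (exceeds), and "Each of this options".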
diff --git a/manpages/shorewall-tcdevices.xml b/manpages/shorewall-tcdevices.xml
new file mode 100644
index 000000000..2d79ebd43
--- /dev/null
+++ b/manpages/shorewall-tcdevices.xml
@@ -0,0 +1,126 @@
+
+
+
+ shorewall-tcdevices
+
+ 5
+
+
+
+ tcdevices
+
+ Shorewall Traffic Shaping Devices file
+
+
+
+
+ /etc/shorewall/tcdevices
+
+
+
+
+ Description
+
+ Entries in this file define the bandwidth for interfaces on which
+ you want traffic shaping to be enabled.
+
+ If you do not plan to use traffic shaping for a device, don't put
+ it in here as it limits the troughput of that device to the limits you set
+ here.
+
+ The columns in the file are as follows.
+
+
+
+ INTERFACES
+
+
+ Name of interface. Each interface may be listed only once in
+ this file. You may NOT specify the name of an alias (e.g., eth0:0)
+ here; see http://www.shorewall.net/FAQ.htm#faq18
+
+ You man NOT specify wildcards here, e.g. if you have multiple
+ ppp interfaces, you need to put them all in here!
+
+ If the device doesn't exist, a warning message will be issued
+ during "shorewall [re]start" and "shorewall refresh" and traffic
+ shaping configuration will be skipped for that device.
+
+
+
+
+ IN-BANDWIDTH
+
+
+ The incoming Bandwidth of that interface. Please note that you
+ are not able to do traffic shaping on incoming traffic, as the
+ traffic is already received before you could do so. But this allows
+ you to define the maximum traffic allowed for this interface in
+ total, if the rate is exceeded, the packets are dropped. You want
+ this mainly if you have a DSL or Cable connection to avoid queuing
+ at your providers side.
+
+ If you don't want any traffic to be dropped, set this to a
+ value to zero in which case Shorewall will not create an ingress
+ qdisc.
+
+ Use kbit or kbps(for Kilobytes per second) for speed, and make
+ sure there is NO space between the number and the unit.
+
+
+
+
+ OUT-BANDWIDTH
+
+
+ The outgoing Bandwidth of that interface. This is the maximum
+ speed you connection can handle. It is also the speed you can refer
+ as "full" if you define the tc classes. Outgoing traffic above this
+ rate will be dropped.
+
+ Use kbit or kbps(for Kilobytes per second) for speed, and
+ make sure there is NO space between the number and the unit.
+
+
+
+
+
+
+ Examples
+
+
+
+ Example 1:
+
+
+ Suppose you are using PPP over Ethernet (DSL) and ppp0 is the
+ interface for this. The device has an outgoing bandwidth of 500kbit
+ and an incoming bandwidth of 6000kbit
+
+ #INTERFACE IN-BANDWIDTH OUT-BANDWIDTH
+ ppp0 6000kbit 500kbit
+
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/tcdevices
+
+
+
+ See ALSO
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+ shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcrules(5),
+ shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+
+
\ No newline at end of file
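Review bot: the first column is headed `INTERFACES` in the description but `#INTERFACE` in the example (and INTERFACE in tcclasses); make it singular so the three files agree. The IN-BANDWIDTH and OUT-BANDWIDTH paragraphs say "Use kbit or kbps(for Kilobytes per second)", whereas the tcclasses page in this same change also accepts mbit, mbps and bps; either list the same units here or point at tcclasses for the unit rules (and add the missing space before the parenthesis). Typos: "You man NOT" should be "You may NOT", "troughput" should be "throughput", "you connection" should be "your connection", and "set this to a value to zero" should be "set this to zero".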
diff --git a/manpages/shorewall-tcrules.xml b/manpages/shorewall-tcrules.xml
new file mode 100644
index 000000000..03cb8c1b4
--- /dev/null
+++ b/manpages/shorewall-tcrules.xml
@@ -0,0 +1,478 @@
+
+
+
+ shorewall-tcrules
+
+ 5
+
+
+
+ tcrules
+
+ Shorewall Packet Marking rules file
+
+
+
+
+ /etc/shorewall/
+
+
+
+
+ Description
+
+ Entries in this file cause packets to be marked as a means of
+ classifying them for traffic control or policy routing.
+
+
+ Unlike rules in the shorewall-rules(5) file, evaluation of rules
+ in this file will continue after a match. So the final mark for each
+ packet will be the one assigned by the LAST tcrule that matches.
+
+ If you use multiple internet providers with the 'track' option, in
+ /etc/shorewall/providers be sure to read the restrictions at
+ http://shorewall.net/MultiISP.html.
+
+
+ The columns in the file are as follows.
+
+
+
+ MARK/CLASSIFY
+
+
+
+
+ A mark value which is an integer in the range
+ 1-255.
+
+ Normally will set the mark value. If preceded by a
+ vertical bar ("|"), the mark value will be logically ORed with
+ the current mark value to produce a new mark value. If preceded
+ by an ampersand ("&"), will be logically ANDed with the
+ current mark value to produce a new mark value.
+
+ Both "|" and "&" require Extended MARK Target support
+ in your kernel and iptables; neither may be used with connection
+ marks (see below).
+
+ If HIGH_ROUTE_MARKS=Yes in shorewall.conf then you may
+ also specify a value in the range 0x0100-0xFF00 with the
+ low-order byte being zero. Such values may only be used in the
+ PREROUTING chain(value followed by :F or you have set
+ MARK_IN_FORWARD_CHAIN=Yes in shorewall conf and have not
+ followed the value with :P) or the OUTPUT chain (SOURCE is
+ $FW).
+
+ May optionally be followed by :P or :F
+ where :P indicates that marking
+ should occur in the PREROUTING chain and :F indicates that marking should occur in
+ the FORWARD chain. If neither :P nor :F follow the mark value then the chain
+ is determined by the setting of MARK_IN_FORWARD_CHAIN in
+ shorewall.conf(5).
+
+ If your kernel and iptables include CONNMARK support then
+ you can also mark the connection rather than the packet.
+
+ The mark value may be optionally followed by "/" and a
+ mask value (used to determine those bits of the connection mark
+ to actually be set). The mark and optional mask are then
+ followed by one of:
+
+
+
+ C
+
+
+ Mark the connection in the chain determined by the
+ setting of MARK_IN_FORWARD_CHAIN
+
+
+
+
+ CF
+
+
+ Mark the connection in the FORWARD chain
+
+
+
+
+ CP
+
+
+ Mark the connection in the PREROUTING chain.
+
+
+
+
+
+
+ A classification (classid) of the form
+ major:minor where
+ major and minor are
+ integers. Corresponds to the 'class' specification in these
+ traffic shaping modules:
+
+ atm
+ cbq
+ dsmark
+ pfifo_fast
+ htb
+ prio
+
+ Classification occurs in the POSTROUTING chain except when
+ the SOURCE is $FW[:address] in
+ which case marking occurs in the OUTPUT chain.
+
+
+
+ RESTORE[/mask] --
+ restore the packet's mark from the connection's mark using the
+ supplied mask if any. Your kernel and iptables must include
+ CONNMARK support.
+
+ As in a) above, may be followed by :P or :F
+
+
+
+ SAVE[/mask] -- save
+ the packet's mark to the connection's mark using the supplied
+ mask if any. Your kernel and iptables must include CONNMARK
+ support.
+
+ As in a) above, may be followed by :P or :F
+
+
+
+ CONTINUE Don't process
+ any more marking rules in the table.
+
+ As in a) above, may be followed by :P or :F
+
+
+
+ COMMENT -- the rest of
+ the line will be attached as a comment to the Netfilter rule(s)
+ generated by the following entries. The comment will appear
+ delimited by "/* ... */" in the output of shorewall
+ show mangle
+
+ To stop the comment from being attached to further rules,
+ simply include COMMENT on a line by itself.
+
+
+
+
+
+
+ SOURCE
+
+
+ Source of the packet. A comma-separated list of interface
+ names, IP addresses, MAC addresses and/or subnets for packets being
+ routed through a common path. List elements may also consist of an
+ interface name followed by ":" and an address (e.g.,
+ eth1:192.168.1.0/24). For example, all packets for connections
+ masqueraded to eth0 from other interfaces can be matched in a single
+ rule with several alternative SOURCE criteria. However, a connection
+ whose packets gets to eth0 in a different way, e.g., direct from the
+ firewall itself, needs a different rule.
+
+ Accordingly, use $FW in its
+ own separate rule for packets originating on the firewall. In such a
+ rule, the MARK column may NOT specify either :P or :F
+ because marking for firewall-originated packets always occurs in the
+ OUTPUT chain.
+
+ MAC addresses must be prefixed with "~" and use "-" as a
+ separator.
+
+ Example: ~00-A0-C9-15-39-78
+
+
+
+
+ DEST
+
+
+ Destination of the packet. Comma separated list of IP
+ addresses and/or subnets. If your kernel and iptables include
+ iprange match support, IP address ranges are also allowed. List
+ elements may also consist of an interface name followed by ":" and
+ an address (e.g., eth1:192.168.1.0/24). If the MARK column specificies a classification of
+ the form major:minor then
+ this column may also contain an interface name.
+
+
+
+
+ PROTO
+
+
+ Protocol - Must be tcp,
+ udp, icmp, ipp2p,
+ ipp2p:udp, ipp2p:all a
+ number, or all. ipp2p
+ requires ipp2p match support in your kernel and iptables.
+
+
+
+
+ PORT(S)
+
+
+ Destination Ports. A comma-separated list of Port names (from
+ services(5)), port numbers or port
+ ranges; if the protocol is icmp, this column is interpreted as the
+ destination icmp-type(s).
+
+ If the protocol is ipp2p,
+ this column is interpreted as an ipp2p option without the leading
+ "--" (example bit for bit-torrent).
+ If no PORT is given, ipp2p is
+ assumed.
+
+ This column is ignored if PROTOCOL = all but must be entered
+ if any of the following field is supplied. In that case, it is
+ suggested that this field contain "-"
+
+
+
+
+ SOURCE PORT(S)
+ (Optional)
+
+
+ Source port(s). If omitted, any source port is acceptable.
+ Specified as a comma-separated list of port names, port numbers or
+ port ranges.
+
+
+
+
+ USER
+
+
+ This column may only be non-empty if the SOURCE is the
+ firewall itself.
+
+ The column may contain:
+
+ [!][user name or number][:group
+ name or number][+program
+ name]
+
+ When this column is non-empty, the rule applies only if the
+ program generating the output is running under the effective
+ user and/or group
+ specified (or is NOT running under that id if "!" is given).
+
+ Examples:
+
+
+
+ joe
+
+
+ program must be run by joe
+
+
+
+
+ :kids
+
+
+ program must be run by a member of the 'kids'
+ group
+
+
+
+
+ !:kids
+
+
+ program must not be run by a member of the 'kids'
+ group
+
+
+
+
+ +upnpd
+
+
+ #program named upnpd
+
+
+ The ability to specify a program name was removed from
+ Netfilter in kernel version 2.6.14.
+
+
+
+
+
+
+
+
+ TEST
+
+
+ Defines a test on the existing packet or connection mark. The
+ rule will match only if the test returns true. Tests have the format
+
+
+ [!]value[/mask][:C]
+
+ Where:
+
+
+
+ !
+
+
+ Inverts the test (not equal)
+
+
+
+
+ value
+
+
+ Value of the packet or connection mark.
+
+
+
+
+ mask
+
+
+ A mask to be applied to the mark before testing.
+
+
+
+
+ :C
+
+
+ Designates a connection mark. If omitted, the packet
+ mark's value is tested.
+
+
+
+
+ If you don't want to define a test but need to specify
+ anything in the following columns, place a "-" in this field.
+
+
+
+
+ LENGTH (Optional)
+
+
+ Packet Length. This field, if present allow you to match the
+ length of a packet against a specific value or range of values. You
+ must have iptables length support for this to work. A range is
+ specified in the form
+ min:max where either
+ min or max (but not both)
+ may be omitted. If min is omitted, then 0 is
+ assumed; if max is omitted, than any packet
+ that is min or longer will match.
+
+
+
+
+ TOS
+
+
+ Type of service. Either a standard name, or a numeric value to
+ match.
+
+ Minimize-Delay (16)
+ Maximize-Throughput (8)
+ Maximize-Reliability (4)
+ Minimize-Cost (2)
+ Normal-Service (0)
+
+
+
+
+
+
+ Example
+
+
+
+ Example 1:
+
+
+ Mark all ICMP echo traffic with packet mark 1. Mark all peer
+ to peer traffic with packet mark 4.
+
+ This is a little more complex than otherwise expected. Since
+ the ipp2p module is unable to determine all packets in a connection
+ are P2P packets, we mark the entire connection as P2P if any of the
+ packets are determined to match.
+
+ We assume packet/connection mark 0 to means
+ unclassified.
+
+ #MARK/ SOURCE DEST PROTO PORT(S) SOURCE USER TEST
+ #CLASSIFY PORT(S)
+ 1 0.0.0.0/0 0.0.0.0/0 icmp echo-request
+ 1 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
+ RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0
+ CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0
+ 4 0.0.0.0/0 0.0.0.0/0 ipp2p:all
+ SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0
+
+ If a packet hasn't been classifed (packet mark is 0), copy the
+ connection mark to the packet mark. If the packet mark is set, we're
+ done. If the packet is P2P, set the packet mark to 4. If the packet
+ mark has been set, save it to the connection mark.
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/tcrules
+
+
+
+ See ALSO
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+ shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+ shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+
+
\ No newline at end of file
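Review bot: the synopsis path is given as `/etc/shorewall/` with no file name, while the FILES section says `/etc/shorewall/tcrules`; the synopsis should carry the full path as the other three manpages in this change do. The MARK/CLASSIFY column refers three times to "As in a) above" for the :P/:F suffix, but nothing in the rendered list is labelled "a)", so either label the list items or replace the reference with "as for a mark value". Smaller points: the USER example `+upnpd` is explained as "#program named upnpd" with a stray "#"; the PORT(S) paragraph says "PROTOCOL = all" although the column is named PROTO; "specificies", "classifed", "than any packet" (then), and "0 to means" (0 means) are typos.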