diff --git a/Samples/one-interface/shorewall.conf b/Samples/one-interface/shorewall.conf
index 19e555ec2..ab4ee27c4 100644
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@@ -188,6 +188,8 @@ MANGLE_ENABLED=Yes
AUTOMAKE=No
+WIDE_TC_MARKS=Yes
+
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
diff --git a/Samples/three-interfaces/shorewall.conf b/Samples/three-interfaces/shorewall.conf
index 72803a79d..d9b75c693 100644
--- a/Samples/three-interfaces/shorewall.conf
+++ b/Samples/three-interfaces/shorewall.conf
@@ -188,6 +188,8 @@ MANGLE_ENABLED=Yes
AUTOMAKE=No
+WIDE_TC_MARKS=Yes
+
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
diff --git a/Samples/two-interfaces/shorewall.conf b/Samples/two-interfaces/shorewall.conf
index a86fde804..71706010c 100644
--- a/Samples/two-interfaces/shorewall.conf
+++ b/Samples/two-interfaces/shorewall.conf
@@ -188,6 +188,8 @@ MANGLE_ENABLED=Yes
AUTOMAKE=No
+WIDE_TC_MARKS=Yes
+
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
diff --git a/Samples6/one-interface/shorewall6.conf b/Samples6/one-interface/shorewall6.conf
index 789be9c3f..3b81dae77 100644
--- a/Samples6/one-interface/shorewall6.conf
+++ b/Samples6/one-interface/shorewall6.conf
@@ -137,6 +137,8 @@ MANGLE_ENABLED=Yes
AUTOMAKE=No
+WIDE_TC_MARKS=Yes
+
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
diff --git a/Samples6/three-interfaces/shorewall6.conf b/Samples6/three-interfaces/shorewall6.conf
index f07e36e71..df0faa3c6 100644
--- a/Samples6/three-interfaces/shorewall6.conf
+++ b/Samples6/three-interfaces/shorewall6.conf
@@ -137,6 +137,8 @@ MANGLE_ENABLED=Yes
AUTOMAKE=No
+WIDE_TC_MARKS=Yes
+
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
diff --git a/Samples6/two-interfaces/shorewall6.conf b/Samples6/two-interfaces/shorewall6.conf
index ecf9d18dd..092be2273 100644
--- a/Samples6/two-interfaces/shorewall6.conf
+++ b/Samples6/two-interfaces/shorewall6.conf
@@ -137,6 +137,8 @@ MANGLE_ENABLED=Yes
AUTOMAKE=No
+WIDE_TC_MARKS=Yes
+
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 4e23a88fb..f8f68e2a4 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -1482,19 +1482,34 @@ sub mac_match( $ ) {
#
sub verify_mark( $ ) {
my $mark = $_[0];
- my $limit = $config{HIGH_ROUTE_MARKS} ? 0xFFFF : 0xFF;
+ my $limit;
+ my $mask;
my $value = numeric_value( $mark );
+ if ( $config{HIGH_ROUTE_MARKS} ) {
+ if ( $config{WIDE_TC_MARKS} ) {
+ $limit = 0xFFFFFF;
+ $mask = 0xFFFF;
+ } else {
+ $limit = 0xFFFF;
+ $mask = 0xFF;
+ }
+ } elsif ( $config{WIDE_TC_MARKS} ) {
+ $limit = $mask = 0x3FFF;
+ } else {
+ $limit = $mask = 0xFF;
+ }
+
fatal_error "Invalid Mark or Mask value ($mark)"
unless defined( $value ) && $value <= $limit;
fatal_error "Invalid High Mark or Mask value ($mark)"
- if ( $value > 0xFF && $value & 0xFF );
+ if ( $value > $mask && $value & $mask );
}
sub verify_small_mark( $ ) {
verify_mark ( (my $mark) = $_[0] );
- fatal_error "Mark value ($mark) too large" if numeric_value( $mark ) > 0xFF;
+ fatal_error "Mark value ($mark) too large" if numeric_value( $mark ) > ( $config{WIDE_TC_MARKS} ? 0x03FF : 0xFF );
}
sub validate_mark( $ ) {
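Review bot: The WIDE_TC_MARKS-only branch of verify_mark sets `$limit = $mask = 0x3FFF;`, which does not agree with the `0x03FF` ceiling that verify_small_mark uses two lines later in the same hunk, nor with the `--and-mark 0x03FF` this commit adds in Tc.pm, so it looks like a typo for `$limit = $mask = 0x03FF;`. As written, with HIGH_ROUTE_MARKS=No and WIDE_TC_MARKS=Yes, any caller that relies on verify_mark alone accepts mark values up to 16383 while the traffic-shaping path rejects anything above 1023. Note also that the `$value > $mask && $value & $mask` test can only fire in the two HIGH_ROUTE_MARKS branches, since elsewhere limit and mask are equal; a one-line comment saying so, e.g. `# low-bits check only matters when routing marks sit above the TC mark field`, would spare the next reader the same analysis. validate_mark begins on the hunk's last line and is otherwise outside it.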
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index ca46af6ae..130051d0e 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -434,6 +434,7 @@ sub initialize( $ ) {
RESTORE_DEFAULT_ROUTE => undef ,
FAST_STOP => undef ,
AUTOMAKE => undef ,
+ WIDE_TC_MARKS => undef,
#
# Packet Disposition
#
@@ -536,6 +537,7 @@ sub initialize( $ ) {
AUTO_COMMENT => undef,
MANGLE_ENABLED => undef ,
AUTOMAKE => undef ,
+ WIDE_TC_MARKS => undef,
#
# Packet Disposition
#
@@ -733,15 +735,19 @@ sub assert( $ ) {
# Convert value to decimal number
#
sub numeric_value ( $ ) {
+ no warnings;
my $mark = lc $_[0];
return undef unless $mark =~ /^-?(0x[a-f0-9]+|0[0-7]*|[1-9]\d*)$/;
$mark =~ /^0/ ? oct $mark : $mark;
+ use warnings;
}
sub numeric_value1 ( $ ) {
+ no warnings;
my $val = numeric_value $_[0];
fatal_error "Invalid Number ($_[0])" unless defined $val;
$val;
+ use warnings;
}
#
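Review bot: The `use warnings;` added as the last statement of both numeric_value and numeric_value1 has no effect: a `no warnings` pragma is lexically scoped to the enclosing block and already ends at the sub's closing brace, so the trailing line is dead and can be dropped. A blanket `no warnings` also silences more than the bodies need; from the visible code the only warning that can fire is 'uninitialized' (an undef `$_[0]` reaching `lc $_[0]` or the `Invalid Number ($_[0])` message), so `no warnings 'uninitialized';` at the top of each sub would suppress just that case while keeping numeric and other diagnostics for callers. With the trailer removed the implicit return of numeric_value is worth making explicit, `return $mark =~ /^0/ ? oct $mark : $mark;`, so nobody later appends a statement and silently changes the return value.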
@@ -2286,6 +2292,7 @@ sub get_configuration( $ ) {
default_yes_no 'USE_DEFAULT_RT' , '';
default_yes_no 'RESTORE_DEFAULT_ROUTE' , 'Yes';
default_yes_no 'AUTOMAKE' , '';
+ default_yes_no 'WIDE_TC_MARKS' , '';
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
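Review bot: The option registered here as WIDE_TC_MARKS is documented under a different name in this commit's manpage hunks: the new entries in manpages/shorewall.conf.xml and manpages6/shorewall6.conf.xml are titled WIDE_ROUTE_MARKS, so a reader of the man page will not find a key that this default_yes_no call accepts. Those same entries describe the mark fields as "8 bytes" and "10 bytes" wide, whereas the 0xFF and 0x03FF masks this commit adds in Chains.pm and Tc.pm make them 8 and 10 bits. The HIGH_ROUTE_MARKS paragraphs updated in the same manpages already use the WIDE_TC_MARKS spelling, so only the new option entries need correcting. get_configuration continues outside the hunk.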
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index ae9dda2f0..12d94a563 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -93,7 +93,7 @@ INIT {
# Set up marking for 'tracked' interfaces.
#
sub setup_route_marking() {
- my $mask = $config{HIGH_ROUTE_MARKS} ? '0xFF00' : '0xFF';
+ my $mask = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '0xFF0000' : '0xFF00' : '0xFF';
require_capability( 'CONNMARK_MATCH' , 'the provider \'track\' option' , 's' );
require_capability( 'CONNMARK' , 'the provider \'track\' option' , 's' );
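Review bot: The new `$mask` assignment nests one ternary inside another without parentheses; it parses as intended only because `?:` is right-associative, and the same shape is repeated in handle_stickiness and in setup_tc's `$mark_part` in Tc.pm. Parenthesising the inner expression makes the intent explicit, `my $mask = $config{HIGH_ROUTE_MARKS} ? ( $config{WIDE_TC_MARKS} ? '0xFF0000' : '0xFF00' ) : '0xFF';`. Since three places now derive the same routing-mark mask from the two options, a single helper that returns it would keep them from drifting apart. setup_route_marking continues outside the hunk.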
@@ -264,26 +264,25 @@ sub add_a_provider( $$$$$$$$ ) {
fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
- my $provider = chain_base $table;
- my $base = uc chain_base $interface;
+ my $provider = chain_base $table;
+ my $base = uc chain_base $interface;
+ my $gatewaycase = '';
if ( $gateway eq 'detect' ) {
fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
$gateway = get_interface_gateway $interface;
- start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) );
+ $gatewaycase = 'detect';
+ } elsif ( $gateway && $gateway ne '-' ) {
+ validate_address $gateway, 0;
+ $gatewaycase = 'specified';
} else {
- start_provider( $table, $number, "if interface_is_usable $interface; then" );
-
- if ( $gateway && $gateway ne '-' ) {
- validate_address $gateway, 0;
- } else {
- fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
- $gateway = '';
- emit "run_ip route add default dev $interface table $number";
- }
+ $gatewaycase = 'none';
+ fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
+ $gateway = '';
}
my $val = 0;
+ my $pref;
if ( $mark ne '-' ) {
@@ -293,23 +292,21 @@ sub add_a_provider( $$$$$$$$ ) {
verify_mark $mark;
- if ( $val < 256) {
+ if ( $val < 65535 ) {
+ fatal_error "Invalid Mark Value ($mark) with WIDE_TC_MARKS=No" unless $config{WIDE_TC_MARKS};
+ fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=No" unless $config{HIGH_ROUTE_MARKS};
+ } elsif ( $val < 256) {
fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes" if $config{HIGH_ROUTE_MARKS};
} else {
- fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=No" if ! $config{HIGH_ROUTE_MARKS};
+ fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=No" unless $config{HIGH_ROUTE_MARKS};
}
for my $providerref ( values %providers ) {
- fatal_error "Duplicate mark value ($mark)" if $providerref->{mark} == $val;
+ fatal_error "Duplicate mark value ($mark)" if numeric_value( $providerref->{mark} ) == $val;
}
- my $pref = 10000 + $number - 1;
+ $pref = 10000 + $number - 1;
- emit ( "qt \$IP -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
-
- emit ( "run_ip rule add fwmark $mark pref $pref table $number",
- "echo \"qt \$IP -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
- );
}
my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu ) = (0,0,0,0,$config{USE_DEFAULT_RT} ? 1 : 0,interface_is_optional( $interface ), '' );
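Review bot: The first comparison in the new mark-range check, `if ( $val < 65535 )`, makes the following `elsif ( $val < 256 )` unreachable and rejects every mark below 65535 unless both WIDE_TC_MARKS and HIGH_ROUTE_MARKS are set, which would fail the ordinary single-provider case that the old `$val < 256` branch accepted. The comparison appears to be reversed; `if ( $val > 0xFFFF ) {` restores the intended three-way split (large marks need both options, small marks are invalid with HIGH_ROUTE_MARKS=Yes, the rest need HIGH_ROUTE_MARKS=Yes). This assumes `$val` holds `numeric_value( $mark )`, which is assigned in the lines between the two hunks. With HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=Yes the final else branch still accepts 256..65535, although the release notes in this commit say routing marks must then be a multiple of 65536, so a `fatal_error "Invalid Mark Value ($mark) with WIDE_TC_MARKS=Yes" if $config{WIDE_TC_MARKS};` in that branch would close the gap. add_a_provider begins and ends outside the hunk.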
@@ -360,7 +357,7 @@ sub add_a_provider( $$$$$$$$ ) {
$providers{$table} = { provider => $table,
number => $number ,
- mark => $val ,
+ mark => $val ? in_hex($val) : $val ,
interface => $interface ,
optional => $optional ,
gateway => $gateway ,
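Review bot: Storing the provider mark as `in_hex($val)` changes the type of `$providers{$table}{mark}` from a number to a string such as `0x100`, and Perl numifies such a string to 0, so `'0x100' == 256` is false. The duplicate check earlier in this commit was updated to wrap the field in numeric_value, but any other reader of `{mark}` that compares or masks it numerically and is not touched here would now silently see 0; I cannot see those call sites from the diff, so they are worth a grep. A short comment at the field, `# stored as a hex string; use numeric_value() before arithmetic`, would document the new contract. add_a_provider begins and ends outside the hunk.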
@@ -384,8 +381,22 @@ sub add_a_provider( $$$$$$$$ ) {
my $realm = '';
if ( $shared ) {
- $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
+ my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
$realm = "realm $number";
+ start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$variable" ]; then) );
+ } elsif ( $gatewaycase eq 'detect' ) {
+ start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) );
+ } else {
+ start_provider( $table, $number, "if interface_is_usable $interface; then" );
+ emit "run_ip route add default dev $interface table $number" if $gatewaycase eq 'none';
+ }
+
+ if ( $mark ne '-' ) {
+ emit ( "qt \$IP -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
+
+ emit ( "run_ip rule add fwmark $mark pref $pref table $number",
+ "echo \"qt \$IP -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
+ );
}
if ( $duplicate ne '-' ) {
@@ -461,10 +472,19 @@ sub add_a_provider( $$$$$$$$ ) {
emit 'else';
if ( $optional ) {
- emit ( " error_message \"WARNING: Interface $interface is not usable -- Provider $table ($number) not Added\"",
- " ${base}_IS_UP=" );
+ if ( $shared ) {
+ emit ( " error_message \"WARNING: Interface $interface is not usable -- Provider $table ($number) not Added\"" );
+ } else {
+ emit ( " error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Added\"" );
+ }
+
+ emit( " ${base}_IS_UP=" );
} else {
- emit( " fatal_error \"Interface $interface is not usable -- Provider $table ($number) Cannot be Added\"" );
+ if ( $shared ) {
+ emit( " fatal_error \"Gateway $gateway is not reachable -- Provider $table ($number) Cannot be Added\"" );
+ } else {
+ emit( " fatal_error \"Interface $interface is not usable -- Provider $table ($number) Cannot be Added\"" );
+ }
}
emit "fi\n";
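Review bot: The two new message branches are inverted relative to each other: in the optional case `$shared` produces "Interface ... is not usable" and the non-shared case produces "Gateway ... is not reachable", while in the non-optional case directly below it is the other way round. The earlier hunk ties `$shared` to the `[ -n "$variable" ]` gateway-MAC test and the non-shared case to `interface_is_usable`, and in the non-shared 'none' case `$gateway` is set to '', so the non-optional mapping is the consistent one and the optional branch would print "Gateway  is not reachable" for an interface that is simply down. Swapping the two strings in the optional branch, so that `$shared` emits the `Gateway $gateway is not reachable` warning and the else emits `Interface $interface is not usable`, aligns both with the start_provider conditions. add_a_provider begins and ends outside the hunk.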
@@ -765,7 +785,7 @@ sub lookup_provider( $ ) {
#
sub handle_stickiness( $ ) {
my $havesticky = shift;
- my $mask = $config{HIGH_ROUTE_MARKS} ? '0xFF00' : '0xFF';
+ my $mask = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '0xFF0000' : '0xFF00' : '0xFF';
my $setstickyref = $mangle_table->{setsticky};
my $setstickoref = $mangle_table->{setsticko};
my $tcpreref = $mangle_table->{tcpre};
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 80ca3a98a..031614369 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -316,19 +316,19 @@ sub process_tc_rule( $$$$$$$$$$$$ ) {
if ( defined $m1 && $m1 ne '' ) {
$val = numeric_value ($m1);
- fatal_error "Invalid Mask ($m1)" unless defined $val;
+ fatal_error "Invalid Mask ($m1)" unless defined $val && $val && $val <= 0xffffffff;
$mask1 = $m1;
}
if ( defined $m2 && $m2 ne '' ) {
$val = numeric_value ($m2);
- fatal_error "Invalid Mask ($m2)" unless defined $val;
+ fatal_error "Invalid Mask ($m2)" unless defined $val && $val <= 0xffffffff;
$mask2 = $m2;
}
if ( defined $s ) {
$val = numeric_value ($s);
- fatal_error "Invalid Shift Bits ($s)" unless defined $val;
+ fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val < 128;
$shift = $s;
}
} else {
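Review bot: The new upper-bound checks on the IPMARK masks and shift do not reject negative input: numeric_value's pattern in this commit is `^-?(...)$`, so a column value of `-5` comes back as -5, passes `$val <= 0xffffffff`, and is copied into `$mask2` (and, via the same path, `$shift`) and on into the generated rule. Adding a lower bound closes this, e.g. `unless defined $val && $val > 0 && $val <= 0xffffffff;` for mask1, `unless defined $val && $val >= 0 && $val <= 0xffffffff;` for mask2 and `unless defined $val && $val >= 0 && $val < 128;` for the shift. The hunk also requires mask1 to be non-zero but allows mask2 to be zero; if that asymmetry is intentional a one-line comment stating why would help, since it reads like an omission. process_tc_rule begins and ends outside the hunk.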
@@ -361,8 +361,9 @@ sub process_tc_rule( $$$$$$$$$$$$ ) {
if ( $config{HIGH_ROUTE_MARKS} ) {
my $val = numeric_value( $cmd );
fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val;
- fatal_error 'Marks < 256 may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes'
- if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= 0xFF;
+ my $limit = $config{WIDE_TC_MARKS} ? 65535 : 255;
+ fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
+ if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
}
}
}
@@ -598,7 +599,7 @@ sub validate_tc_class( $$$$$$ ) {
$markval = numeric_value( $mark );
fatal_error "Invalid MARK ($markval)" unless defined $markval;
- $classnumber = ( $devref->{number} << 10 ) | $mark;
+ $classnumber = $config{WIDE_TC_MARKS} ? ( $devref->{number} << 10 ) | $mark : $devref->{number} . $mark;
fatal_error "Duplicate MARK ($mark)" if $tcref->{$classnumber};
}
} else {
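Review bot: The rewritten `$classnumber` line builds the class id from `$mark`, the raw column text, even though `$markval = numeric_value( $mark )` was just computed and validated two lines above. In the WIDE_TC_MARKS branch the left operand of `|` is a number, so `$mark` is numified and a hex mark such as `0x10` contributes 0; in the concatenation branch the same input yields a string like `10x10`. If the MARK column may carry the hex or octal forms numeric_value accepts, both branches should use the parsed value: `$classnumber = $config{WIDE_TC_MARKS} ? ( $devref->{number} << 10 ) | $markval : $devref->{number} . $markval;`. The `|` form was already in the removed line, so this is pre-existing for that branch, but the hunk touches the line and adds the second form. validate_tc_class begins and ends outside the hunk.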
@@ -1007,7 +1008,7 @@ sub setup_tc() {
my $mark_part = '';
if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) {
- $mark_part = $config{HIGH_ROUTE_MARKS} ? '-m mark --mark 0/0xFF00' : '-m mark --mark 0/0xFF';
+ $mark_part = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '-m mark --mark 0/0xFF0000' : '-m mark --mark 0/0xFF00' : '-m mark --mark 0/0xFF';
for my $interface ( @routemarked_interfaces ) {
add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre";
@@ -1024,7 +1025,7 @@ sub setup_tc() {
if ( $config{HIGH_ROUTE_MARKS} ) {
for my $chain qw(INPUT FORWARD POSTROUTING) {
- insert_rule1 $mangle_table->{$chain}, 0, '-j MARK --and-mark 0xFF';
+ insert_rule1 $mangle_table->{$chain}, 0, $config{WIDE_TC_MARKS} ? '-j MARK --and-mark 0x03FF' : '-j MARK --and-mark 0xFF';
}
}
}
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 30ba0ac62..b1dd65e91 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,6 +1,8 @@
Changes in Shorewall 4.3.10
-None.
+1) Fix handling of shared optional providers.
+
+2) Add WIDE_TC_MARKS option.
Changes in Shorewall 4.3.9
diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf
index 558184d3d..e3694ba8e 100644
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -197,6 +197,8 @@ FAST_STOP=No
AUTOMAKE=No
+WIDE_TC_MARKS=No
+
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 70bb6c4c2..107885791 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -59,7 +59,12 @@ released late in 2009.
P R O B L E M S C O R R E C T E D I N 4 . 3 . 10
----------------------------------------------------------------------------
-None.
+1. When Shorewall could not determine the MAC address of of a gateway
+ router where multiple providers are configured through the same
+ interface, invalid iptables-restore input was generated. This
+ resulted in an error message similar to the following:
+
+ iptables-restore v1.3.5: Bad mac address `-j'
----------------------------------------------------------------------------
K N O W N P R O B L E M S R E M A I N I N G
@@ -71,7 +76,29 @@ None.
N E W F E A T U R E S I N 4 . 3 . 10
----------------------------------------------------------------------------
-None.
+1. The change that implemented IPMARK support in 4.3.9 resulted in a
+ lack of upward compatibility which could break some
+ configurations. The incompatibility stems from the way in which
+ Shorewall generates a TC class Id from a mark value.
+
+ - Prior to 4.3.9, the class number was constructed by concatinating
+ the device number with the mark value.
+
+ - Beginning with 4.3.9, the class number is constructed by shifting
+ the device number left by 10 bits and logically ORing the result
+ with the mark value.
+
+ The WIDE_TC_MARKS option in shorewall.conf selects which
+ construction to use. WIDE_TC_MARKS=No (the default) produces
+ pre-4.3.9 behavior. WIDE_TC_MARKS=Yes produces the new behavior.
+
+ In addition to determining the method of constructing class Ids,
+ WIDE_TC_MARKS=Yes provides for larger mark values for traffic
+ shaping. Traffic shaping marks may have values up to 1023 with
+ WIDE_TC_MARKS=Yes. This means that when both WIDE_TC_MARKS=Yes and
+ HIGH_ROUTE_MARKS=Yes, routing marks (/etc/shorewall/providers MARK
+ column) must be >= 65536 (0x10000) and must be a multiple of 65536
+ (0x1000, 0x20000, 0x30000, ...).
----------------------------------------------------------------------------
N E W F E A T U R E S IN 4 . 3
@@ -436,7 +463,7 @@ None.
IPMARK(dst, 0XFF00, 0x8000,8)
- Destination IP address is 192.168.4.3 = 0xc0a80103
+ Destination IP address is 192.168.4.3 = 0xc0a80403
0xc0a80403 LAND 0xFF00 = 0x0400
0x0400 LOR 0x80 = 0x8400
diff --git a/Shorewall6/lib.base b/Shorewall6/lib.base
index aa5d85753..25ae588f9 100644
--- a/Shorewall6/lib.base
+++ b/Shorewall6/lib.base
@@ -33,12 +33,12 @@
#
SHOREWALL_LIBVERSION=40300
-SHOREWALL_CAPVERSION=40205
+SHOREWALL_CAPVERSION=40309
[ -n "${VARDIR:=/var/lib/shorewall6}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
[ -n "${CONFDIR:=/etc/shorewall6}" ]
-PERLSHAREDIR=/usr/share/shorewall
+[ -n "${PERLSHAREDIR:=/usr/share/shorewall}" ]
#
# Message to stderr
@@ -735,6 +735,7 @@ determine_capabilities() {
CONNLIMIT_MATCH=
TIME_MATCH=
GOTO_TARGET=
+ IPMARK_TARGET=
chain=fooX$$
@@ -828,6 +829,7 @@ determine_capabilities() {
fi
qt $IP6TABLES -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
+ qt $IP6TABLES -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes
qt $IP6TABLES -t mangle -F $chain
qt $IP6TABLES -t mangle -X $chain
qt $IP6TABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
@@ -919,6 +921,7 @@ report_capabilities() {
report_capability "Connlimit Match" $CONNLIMIT_MATCH
report_capability "Time Match" $TIME_MATCH
report_capability "Goto Support" $GOTO_TARGET
+ report_capability "IPMARK Target" $IPMARK_TARGET
fi
[ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -972,6 +975,7 @@ report_capabilities1() {
report_capability1 CONNLIMIT_MATCH
report_capability1 TIME_MATCH
report_capability1 GOTO_TARGET
+ report_capability1 IPMARK_TARGET
echo CAPVERSION=$SHOREWALL_CAPVERSION
}
diff --git a/Shorewall6/shorewall6.conf b/Shorewall6/shorewall6.conf
index 238b92d4e..19b00b3b3 100644
--- a/Shorewall6/shorewall6.conf
+++ b/Shorewall6/shorewall6.conf
@@ -143,6 +143,8 @@ MANGLE_ENABLED=Yes
AUTOMAKE=No
+WIDE_TC_MARKS=No
+
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
diff --git a/docs/GettingStarted.xml b/docs/GettingStarted.xml
index 60a052d66..b4038bab0 100644
--- a/docs/GettingStarted.xml
+++ b/docs/GettingStarted.xml
@@ -173,6 +173,12 @@
+
+ Operating
+ Shorewall and Shorewall Lite contains a lot of useful
+ operational hints.
+
+
PPPPPPPS ( or, Paul's Principles for Practical Provision of Packet
Processing with Shorewall ) I highly recommend that you review the Common Configuration File Features
page -- it contains helpful tips about Shorewall features than
- make administering your firewall easier.
+ make administering your firewall easier. Also, Operating Shorewall and
+ Shorewall Lite contains a lot of useful operational hints.
diff --git a/docs/three-interface.xml b/docs/three-interface.xml
index c780bb8de..6897d832d 100644
--- a/docs/three-interface.xml
+++ b/docs/three-interface.xml
@@ -1151,6 +1151,8 @@ ACCEPT net $FW tcp 80 I highly recommend that you review the Common Configuration File
Features page -- it contains helpful tips about Shorewall features
- than make administering your firewall easier.
+ than make administering your firewall easier. Also, Operating Shorewall and
+ Shorewall Lite contains a lot of useful operational hints.
diff --git a/docs/traffic_shaping.xml b/docs/traffic_shaping.xml
index 004a99ec4..165781027 100644
--- a/docs/traffic_shaping.xml
+++ b/docs/traffic_shaping.xml
@@ -173,8 +173,10 @@
MARK - Netfilter has a facility for
marking packets. Packet marks have a numeric
- value which is limited in Shorewall to the values 1-255. You assign
- packet marks to different types of traffic using entries in the
+ value which is limited in Shorewall to the values 1-255 (1-1023 if you
+ set WIDE_TC_MARKS=Yes in shorewall.conf (5) ). You
+ assign packet marks to different types of traffic using entries in the
/etc/shorewall/tcrules file.
@@ -431,12 +433,14 @@ ppp0 6000kbit 500kbit
- MARK - The mark value which is an integer in the range 1-255.
- You define these marks in the tcrules file, marking the traffic you
- want to go into the queuing classes defined in here. You can use the
- same marks for different Interfaces. You must specify "-' in this
- column if the device specified in the INTERFACE column has the
- classify option in
+ MARK - The mark value which is an integer in the range 1-255
+ (1-1023 if you set WIDE_TC_MARKS=Yes in shorewall.conf (5) ). You
+ define these marks in the tcrules file, marking the traffic you want
+ to go into the queuing classes defined in here. You can use the same
+ marks for different Interfaces. You must specify "-' in this column
+ if the device specified in the INTERFACE column has the classify option in
/etc/shorewall/tcdevices.
@@ -610,7 +614,9 @@ ppp0 6000kbit 500kbit
MARK or CLASSIFY - MARK specifies the mark value is to be
- assigned in case of a match. This is an integer in the range 1-255.
+ assigned in case of a match. This is an integer in the range 1-255
+ (1-1023 if you set WIDE_TC_MARKS=Yes in shorewall.conf (5) ).
This value may be optionally followed by : and either
F, P or "T" to designate that the
marking will occur in the FORWARD, PREROUTING or POSTROUTING chains
@@ -716,12 +722,54 @@ ppp0 6000kbit 500kbit
$FW[:<address>] in which case, the
classify action takes place in the OUTPUT chain. When used with the
builtin traffic shaper, the <major> class is the interface
- number and the <minor> class is either a) the MARK value of
- the class preceded by the number "1" (MARK value 1 is <minor>
- class 11, MARK value 22 is <minor> class 122, and so on) or b)
- The class number (if the classify
- option was specified in for the interface
- /etc/shorewall/interfaces)
+ number and the <minor> class is either:
+
+
+
+ Constructed from the mark. The method of construction
+ depends on the setting of WIDE_TC_MARKS (shorewall.conf
+ (5)).
+
+ When WIDE_TC_MARKS=No (the default), the <minor>
+ class is:
+
+
+
+ the MARK value of the class preceded by the number "1"
+ (MARK value 1 is <minor> class 11, MARK value 22 is
+ <minor> class 122, and so on)
+
+
+
+ When SIDE_TC_MARKS=Yes, the <minor> class is:
+
+
+
+ The number shifted 10 bits to the left (multiplied by
+ 1024) and logically ORed with the MARK value. The
+ shorewall encode and shorewall
+ decode commands (shorewall (8)) may be
+ used to translate a device number/mark pair to/from a
+ <minor> class.
+
+ Examples:
+
+ $ shorewall encode 1 100
+Class Number = 1124
+$ shorewall decode 1124
+Device = 1 Mark = 100
+
+
+
+
+
+ The class number (if the classify option was specified in for the
+ interface /etc/shorewall/interfaces)
+
+
diff --git a/docs/two-interface.xml b/docs/two-interface.xml
index ad3a86411..28f7b844a 100644
--- a/docs/two-interface.xml
+++ b/docs/two-interface.xml
@@ -1070,7 +1070,9 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to workI highly recommend that you review the Common Configuration File Features
page -- it contains helpful tips about Shorewall features than
- make administering your firewall easier.
+ make administering your firewall easier. Also, Operating Shorewall and
+ Shorewall Lite contains a lot of useful operational hints.
diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml
index ffa69d22f..b8308072c 100644
--- a/manpages/shorewall.conf.xml
+++ b/manpages/shorewall.conf.xml
@@ -598,14 +598,15 @@ net all DROP infothen the chain name is 'net2all'
Prior to version 3.2.0, it was not possible to use connection
marking in shorewall-tcrules(5) if you
- have a multi-ISP configuration that uses the track option.
+ url="shorewall-tcrules.html">shorewall-tcrules(5) if you had
+ a multi-ISP configuration that uses the track option.
- Beginning with release 3.2.0, you may now set
- HIGH_ROUTE_MARKS=Yes in to effectively divide the packet mark and
- connection mark into two 8-byte mark fields.
+ Beginning with release 3.2.0, you may set HIGH_ROUTE_MARKS=Yes
+ in to effectively divide the packet mark and connection mark into
+ two mark fields.
- When you do this:
+ The width of the fields are determined by the setting of
+ WIDE_TC_MARKS. If WIDE_TC_MARKS=No (the default):
@@ -625,13 +626,33 @@ net all DROP infothen the chain name is 'net2all'
of 1-255 and may still not be set in the PREROUTING
chain.
+
+
+ When WIDE_TC_MARKS=Yes:
+
+
+
+ The MARK field in the providers file must have a value
+ that is a multiple of 65536 (using hex representation, the
+ values are 0x010000-0xFF0000 with the low-order 16 bits being
+ zero).
+
- When you SAVE or RESTORE in tcrules, only the TC mark
- value is saved or restored. Shorewall handles saving and
- restoring the routing (provider) marks.
+ You may only set those mark values in the PREROUTING
+ chain.
+
+
+
+ Marks used for traffic shaping must be in the range of
+ 1-1023 and may still not be set in the PREROUTING chain.
+
+ Regardless of the setting of WIDE_TC_MARKS, when you SAVE or
+ RESTORE in tcrules, only the TC mark value is saved or restored.
+ Shorewall handles saving and restoring the routing (provider)
+ marks.
@@ -1700,6 +1721,19 @@ net all DROP infothen the chain name is 'net2all'
If not specified, then 2 is assumed.
+
+
+ WIDE_ROUTE_MARKS={Yes|No}
+
+
+ When set to No (the default), traffic shaping marks are 8
+ bytes wide (possible values are 1-255). When WIDE_ROUTE_MARKS=Yes,
+ traffic shaping marks are 10 bytes wide (values 1-1023). The setting
+ of WIDE_ROUTE_MARKS also has an effect on the HIGH_ROUTE_MARKS
+ option (see above).
+
+
diff --git a/manpages6/shorewall6.conf.xml b/manpages6/shorewall6.conf.xml
index 9479957fc..426447d74 100644
--- a/manpages6/shorewall6.conf.xml
+++ b/manpages6/shorewall6.conf.xml
@@ -456,9 +456,12 @@ net all DROP infothen the chain name is 'net2all'
You may set HIGH_ROUTE_MARKS=Yes in to effectively divide the
- packet mark and connection mark into two 8-byte mark fields.
+ packet mark and connection mark into two mark fields.
- When you do this:
+ The width of the fields are determined by the setting of the
+ WIDE_TC_MARKS option.
+
+ When WIDE_TC_MARKS=No (the default):
@@ -478,13 +481,33 @@ net all DROP infothen the chain name is 'net2all'
of 1-255 and may still not be set in the PREROUTING
chain.
+
+
+ When WIDE_TC_MARKS=Yes:
+
+
+
+ The MARK field in the providers file must have a value
+ that is a multiple of 65536 (using hex representation, the
+ values are 0x010000-0xFF0000 with the low-order 16 bits being
+ zero).
+
- When you SAVE or RESTORE in tcrules, only the TC mark
- value is saved or restored. Shorewall6 handles saving and
- restoring the routing (provider) marks.
+ You may only set those mark values in the PREROUTING
+ chain.
+
+
+
+ Marks used for traffic shaping must be in the range of
+ 1-1023 and may still not be set in the PREROUTING chain.
+
+ Regardless of the setting of WIDE_TC_MARKS, when you SAVE or
+ RESTORE in tcrules, only the TC mark value is saved or restored.
+ Shorewall handles saving and restoring the routing (provider)
+ marks.
@@ -1187,6 +1210,19 @@ net all DROP infothen the chain name is 'net2all'
If not specified, then 2 is assumed.
+
+
+ WIDE_ROUTE_MARKS={Yes|No}
+
+
+ When set to No (the default), traffic shaping marks are 8
+ bytes wide (possible values are 1-255). When WIDE_ROUTE_MARKS=Yes,
+ traffic shaping marks are 10 bytes wide (values 1-1023). The setting
+ of WIDE_ROUTE_MARKS also has an effect on the HIGH_ROUTE_MARKS
+ option (see above).
+
+
diff --git a/web/shorewall_index.htm b/web/shorewall_index.htm
index 0de147214..0a1f05949 100644
--- a/web/shorewall_index.htm
+++ b/web/shorewall_index.htm
@@ -47,7 +47,7 @@
-2009-04-17
+2009-04-19