From a5c25bea19f4ebdb9a9b02758707573275c47e6b Mon Sep 17 00:00:00 2001 From: teastep Date: Sun, 19 Apr 2009 20:41:46 +0000 Subject: [PATCH] More documentation git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9941 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/releasenotes.txt | 2 +- manpages/shorewall-tcclasses.xml | 39 +++++++++++++++++++++- manpages/shorewall-tcrules.xml | 56 +++++++++++++++++++++++++++++--- 3 files changed, 91 insertions(+), 6 deletions(-) diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index ff6a7d0b7..71334f738 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -178,7 +178,7 @@ None. Example: - IPMASK(dst, 0XFF00, 0x8000,8) + IPMARK(dst, 0XFF00, 0x8000,8) Destination IP address is 192.168.4.3 = 0xc0a80103 diff --git a/manpages/shorewall-tcclasses.xml b/manpages/shorewall-tcclasses.xml index 771eeb9fb..31abf0163 100644 --- a/manpages/shorewall-tcclasses.xml +++ b/manpages/shorewall-tcclasses.xml @@ -1,4 +1,6 @@ + shorewall-tcclasses @@ -286,6 +288,41 @@ + + + occurs=number + + + Typically used with an IPMARK entry in tcrules. Causes + the rule to be replicated for a total of + number rules. Each rule has a + successively class number and mark value. + + When 'occurs' is used: + + + + The associated device may not have the 'classify' + option. + + + + The class may not be the default class. + + + + The class may not have any 'tos=' options (including + 'tcp-ack'). + + + + The 'RATE' and 'CEIL' parameters apply to each instance + of the class. So the total RATE represented by an entry with + 'occurs' will be the listed RATE multiplied by + number. + + @@ -365,4 +402,4 @@ shorewall.conf(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5) - \ No newline at end of file + diff --git a/manpages/shorewall-tcrules.xml b/manpages/shorewall-tcrules.xml index 34e86a4eb..d635b9a51 100644 --- a/manpages/shorewall-tcrules.xml +++ b/manpages/shorewall-tcrules.xml @@ -50,7 +50,9 @@ role="bold">SAVE[/mask]|CONTINUE|SAME|COMMENT}[COMMENT|IPMARK[([(src|dst}][,[mask1][,[mask2][,[shift]]]]])]}[:{C|F|P|T|CF| CONTINUE Don't process - any more marking rules in the table. + any more marking rules ‒in the table. As in 1) above, may be followed by :P or If a host in 192.168.1.0/24 attempts a connection on TCP port 80 or 443 and it has sent a packet on either of those ports in the last five minutes then the new connection will use the same - provider as the connection over which that last packet was + provider as the connection over which that ‒‒last packet was sent. When used in the OUTPUT chain, it causes all matching @@ -262,7 +264,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443 it has sent a packet on either of those ports in the last five minutes to the same remote system then the new connection will use the same provider as the connection over which that last - packet was sent. + packet was sent. @@ -275,6 +277,52 @@ SAME $FW 0.0.0.0/0 tcp 80,443 To stop the comment from being attached to further rules, simply include COMMENT on a line by itself. + + + IPMARK ‒ Assigns a mark + to each matching packet based on the either the source or + destination IP address. By default, it assigns a mark value + equal to the low-order 8 bits of the source address. Default + values are: + + + src + + mask1 = 0xFF + + mask2 = 0x00 + + shift = 0 + + + 'src' and 'dst' specify whether the mark is to be based on + the source or destination address respectively. The selected + address is first LANDed with mask1 then + LORed with mask2. The + result is then shifted shift bits to the + right. + + Example: + +
+ + IPMARK(dst, 0XFF00, 0x8000,8) + + Destination IP address is 192.168.4.3 = + 0xc0a80103 + Meaning: + + + 0xc0a80403 LAND 0xFF00 = 0x0400 + + 0x0400 LOR 0x80 = 0x8400 + + 0x8400 >> 8 = 0x84 + + Mark = 0x84 = 132 + +
+