From b6af7a0ebb812b11e8c17a952dfdd40b175e3fdc Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 19 Feb 2016 11:16:24 -0800
Subject: [PATCH] Update the packet marking article for 5.0
Signed-off-by: Tom Eastep
---
 docs/PacketMarking.xml | 25 ++++++++-----------------
 1 file changed, 8 insertions(+), 17 deletions(-)
diff --git a/docs/PacketMarking.xml b/docs/PacketMarking.xml
index 3d0acc2a1..96d86e75c 100644
--- a/docs/PacketMarking.xml
+++ b/docs/PacketMarking.xml
@@ -352,7 +352,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
 The relationship between these options is shown in this diagram.
-
+
 The default values of these options are determined by the settings of other options as follows:
@@ -476,8 +476,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
 Here's the example (slightly expanded) from the comments at the top of the /etc/shorewall/mangle file.
- #ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS
-# PORT(S)
+ #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS
 MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-request #Rule 1
 MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-reply #Rule 2
 MARK(1) $FW 0.0.0.0/0 icmp echo-request #Rule 3
@@ -486,8 +485,7 @@ MARK(1) $FW 0.0.0.0/0 icmp echo-reply #R
 RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0 #Rule 5
 CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 6
 MARK(4) 0.0.0.0/0 0.0.0.0/0 ipp2p:all #Rule 7
-SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 8
-##LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 8
 Let's take a look at each rule:
@@ -554,33 +552,26 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #R
 /etc/shorewall/providers:
 #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
-Blarg 1 0x100 main eth3 206.124.146.254 track,balance br0,eth1
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-
+Blarg 1 0x100 main eth3 206.124.146.254 track,balance br0,eth1
 Here is /etc/shorewall/mangle:
- #ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST
-# PORT(S)
+ #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
 CLASSIFY(1:110) 192.168.0.0/22 eth3 #Our internal nets get priority #over the server
-CLASSIFY(1:130) 206.124.146.177 eth3 tcp - 873
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-
+CLASSIFY(1:130) 206.124.146.177 eth3 tcp - 873
 And here is /etc/shorewall/tcdevices and /etc/shorewall/tcclasses:
- #INTERFACE IN-BANDWITH OUT-BANDWIDTH
+ #INTERFACE IN_BANDWITH OUT_BANDWIDTH
 eth3 1.3mbit 384kbit
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
 #INTERFACE MARK RATE CEIL PRIORITY OPTIONS
 eth3 10 full full 1 tcp-ack,tos-minimize-delay
 eth3 20 9*full/10 9*full/10 2 default
-eth3 30 6*full/10 6*full/10 3
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-
+eth3 30 6*full/10 6*full/10 3
 I've annotated the following output with comments beginning with "<<<<" and ending with ">>>>". This example uses