Update the packet marking article for 5.0

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-02-19 11:16:24 -08:00
parent 839f7f3329
commit b6af7a0ebb


@ -352,7 +352,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
<para>The relationship between these options is shown in this <para>The relationship between these options is shown in this
diagram.</para> diagram.</para>
<graphic align="left" fileref="images/MarkGeometry.png" valign="top" /> <graphic align="left" fileref="images/MarkGeometry.png" valign="top"/>
<para>The default values of these options are determined by the settings <para>The default values of these options are determined by the settings
of other options as follows:</para> of other options as follows:</para>
@ -476,8 +476,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
<para>Here's the example (slightly expanded) from the comments at the top <para>Here's the example (slightly expanded) from the comments at the top
of the <filename>/etc/shorewall/mangle</filename> file.</para> of the <filename>/etc/shorewall/mangle</filename> file.</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS
# PORT(S)
MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-request #Rule 1 MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-request #Rule 1
MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-reply #Rule 2 MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-reply #Rule 2
MARK(1) $FW 0.0.0.0/0 icmp echo-request #Rule 3 MARK(1) $FW 0.0.0.0/0 icmp echo-request #Rule 3
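Review bot: the heading change from `PORT(S) CLIENT USER` with the continuation line `# PORT(S)` to the single line `DPORT SPORT USER` follows the 5.0 mangle column names, but the paragraph above still presents this listing as the example "from the comments at the top of the /etc/shorewall/mangle file"; confirm that the header comment in the shipped 5.0 mangle file uses the same `DPORT SPORT` wording so the article and the file stay in step. With the second heading line removed, also check that the rule rows still line up under the new single-line heading, since the flattened diff here cannot show column alignment.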
@ -486,8 +485,7 @@ MARK(1) $FW 0.0.0.0/0 icmp echo-reply #R
RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0 #Rule 5 RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0 #Rule 5
CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 6 CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 6
MARK(4) 0.0.0.0/0 0.0.0.0/0 ipp2p:all #Rule 7 MARK(4) 0.0.0.0/0 0.0.0.0/0 ipp2p:all #Rule 7
SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 8 SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 8</programlisting>
##LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para>Let's take a look at each rule:</para> <para>Let's take a look at each rule:</para>
@ -554,33 +552,26 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #R
<filename>/etc/shorewall/providers</filename>:</para> <filename>/etc/shorewall/providers</filename>:</para>
<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY <programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
Blarg 1 0x100 main eth3 206.124.146.254 track,balance br0,eth1 Blarg 1 0x100 main eth3 206.124.146.254 track,balance br0,eth1</programlisting>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</programlisting>
<para>Here is <filename>/etc/shorewall/mangle</filename>:</para> <para>Here is <filename>/etc/shorewall/mangle</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
# PORT(S)
CLASSIFY(1:110) 192.168.0.0/22 eth3 #Our internal nets get priority CLASSIFY(1:110) 192.168.0.0/22 eth3 #Our internal nets get priority
#over the server #over the server
CLASSIFY(1:130) 206.124.146.177 eth3 tcp - 873 CLASSIFY(1:130) 206.124.146.177 eth3 tcp - 873</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
<para>And here is <filename>/etc/shorewall/tcdevices</filename> and <para>And here is <filename>/etc/shorewall/tcdevices</filename> and
<filename>/etc/shorewall/tcclasses</filename>:</para> <filename>/etc/shorewall/tcclasses</filename>:</para>
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH <programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
eth3 1.3mbit 384kbit eth3 1.3mbit 384kbit
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS #INTERFACE MARK RATE CEIL PRIORITY OPTIONS
eth3 10 full full 1 tcp-ack,tos-minimize-delay eth3 10 full full 1 tcp-ack,tos-minimize-delay
eth3 20 9*full/10 9*full/10 2 default eth3 20 9*full/10 9*full/10 2 default
eth3 30 6*full/10 6*full/10 3 eth3 30 6*full/10 6*full/10 3</programlisting>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
<para>I've annotated the following output with comments beginning with <para>I've annotated the following output with comments beginning with
"&lt;&lt;&lt;&lt;" and ending with "&gt;&gt;&gt;&gt;". This example uses "&lt;&lt;&lt;&lt;" and ending with "&gt;&gt;&gt;&gt;". This example uses