Add ?FORMAT 2 to Shorewall6 tcpri file

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
 
-SHOREWALL_CAPVERSION=50200
+SHOREWALL_CAPVERSION=50207
 
 if [ -z "$g_basedir" ]; then
     #
@@ -2878,6 +2878,7 @@ determine_capabilities() {
     NETMAP_TARGET=
     NFLOG_SIZE=
     RESTORE_WAIT_OPTION=
+    CONNMARK_ACTION=
 
     AMANDA_HELPER=
     FTP_HELPER=
@@ -3245,6 +3246,10 @@ determine_capabilities() {
 	    BASIC_FILTER=Yes
 	    $TC filter add basic help 2>&1 | egrep -q match && BASIC_EMATCH=Yes
 	fi
+
+	if $TC action add connmark help 2>&1 | grep -q ^Usage; then
+	    CONNMARK_ACTION=Yes
+	fi
     fi
 
     [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
@@ -3388,6 +3393,7 @@ report_capabilities_unsorted() {
     report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
     report_capability "--nflog-size support (NFLOG_SIZE)" $NFLOG_SIZE
     report_capability "INPUT chain in nat table (NAT_INPUT_CHAIN)" $NAT_INPUT_CHAIN
+    report_capability "TC connmark support (CONNMARK_ACTION)" $CONNMARK_ACTION
 
     echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
     echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3494,6 +3500,7 @@ report_capabilities_unsorted1() {
     report_capability1 NFLOG_SIZE
     report_capability1 RESTORE_WAIT_OPTION
     report_capability1 NAT_INPUT_CHAIN
+    report_capability1 CONNMARK_ACTION
 
     report_capability1 AMANDA_HELPER
     report_capability1 FTP_HELPER

Shorewall/Perl/Shorewall/Config.pm

@@ -502,6 +502,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 RESTORE_WAIT_OPTION
 				 => 'iptables-restore --wait option',
                  NAT_INPUT_CHAIN => 'INPUT chain in NAT table',
+		 CONNMARK_ACTION => 'TC connmark support',
 		 #
 		 # Helpers
 		 #
@@ -883,8 +884,8 @@ sub initialize($;$$$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => '5.2.4.1',
-		    CAPVERSION              => 50200 ,
+		    VERSION                 => '5.2.7-Beta1',
+		    CAPVERSION              => 50207 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -1178,6 +1179,7 @@ sub initialize($;$$$$) {
 	       NFLOG_SIZE => undef,
 	       RESTORE_WAIT_OPTION => undef,
 	       NAT_INPUT_CHAIN => undef,
+	       CONNMARK_ACTION => undef ,
 
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -5052,6 +5054,10 @@ sub Basic_Filter() {
     $tc && system( "$tc filter add basic help 2>&1 | grep -q ^Usage" ) == 0;
 }
 
+sub Connmark_Action() {
+    $tc && system( "$tc action add connmark help 2>&1 | grep -q ^Usage" ) == 0;
+}
+
 sub Basic_Ematch() {
     $tc && have_capability( 'BASIC_FILTER' ) && system( "$tc filter add basic help 2>&1 | egrep -q match" ) == 0;
 }
@@ -5181,6 +5187,7 @@ our %detect_capability =
       COMMENTS => \&Comments,
       CONNLIMIT_MATCH => \&Connlimit_Match,
       CONNMARK => \&Connmark,
+      CONNMARK_ACTION => \&Connmark_Action,
       CONNMARK_MATCH => \&Connmark_Match,
       CONNTRACK_MATCH => \&Conntrack_Match,
       CPU_FANOUT => \&Cpu_Fanout,

Shorewall/Perl/Shorewall/Tc.pm

@@ -422,8 +422,8 @@ sub validate_tc_device( ) {
     fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
     fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
 
-    my ( $classify, $pfifo, $flow, $qdisc, $linklayer, $overhead, $mtu, $mpu, $tsize ) = 
-	(0,         0,      '',    'htb',  '',         0,         0,    0,    0);
+    my ( $classify, $pfifo, $flow, $qdisc, $linklayer, $overhead, $mtu, $mpu, $tsize, $connmark ) = 
+	(0,         0,      '',    'htb',  '',         0,         0,    0,    0,      0);
 
     if ( $options ne '-' ) {
 	for my $option ( split_list1 $options, 'option' ) {
@@ -458,6 +458,9 @@ sub validate_tc_device( ) {
 		$tsize = numeric_value( $1 );
 		fatal_error "Invalid tsize ($1)" unless defined $tsize;
 		fatal_error q('tsize' requires 'linklayer') unless $linklayer; 
+	    } elsif ( $option eq 'connmark' ) {
+		require_capability( 'CONNMARK_ACTION', q(The 'connmark' option), 's' );
+		$connmark = 1;
 	    } else {
 		fatal_error "Unknown device option ($option)";
 	    }
@@ -470,7 +473,7 @@ sub validate_tc_device( ) {
 
     if ( @redirected ) {
 	fatal_error "IFB devices may not have IN-BANDWIDTH" if $inband ne '-' && $inband;
-	$classify = 1;
+	$classify = 1 unless $connmark;
 
 	for my $rdevice ( @redirected ) {
 	    fatal_error "Invalid device name ($rdevice)" if $rdevice =~ /[:+]/;
@@ -478,6 +481,8 @@ sub validate_tc_device( ) {
 	    fatal_error "REDIRECTED device ($rdevice) has not been defined in this file" unless $rdevref;
 	    fatal_error "IN-BANDWIDTH must be zero for REDIRECTED devices" if $rdevref->{in_bandwidth} != 0;
 	}
+    } elsif ( $connmark ) {
+	fatal_error "Option connmark can only be used when setting up a IFB device";
     }
 
     $inband = process_in_bandwidth( $inband );
@@ -503,6 +508,7 @@ sub validate_tc_device( ) {
 			    mpu           => $mpu,
 			    tsize         => $tsize,
 			    filterpri     => 0,
+			    connmark      => $connmark,
 			  } ,
 
     push @tcdevices, $device;
@@ -661,6 +667,7 @@ sub validate_tc_class( ) {
 
     if ( $mark ne '-' ) {
 	fatal_error "MARK may not be specified when TC_BITS=0" unless $config{TC_BITS};
+	fatal_error "MARK may not be specified for an interface with the 'classify' option" if $devref->{classify};
 
 	( $mark, my $priority ) = split/:/, $mark, 2;
 
@@ -1639,8 +1646,8 @@ sub process_tcfilters() {
 #
 # Process a tcpri record
 #
-sub process_tc_priority1( $$$$$$ ) {
-    my ( $band, $proto, $ports , $address, $interface, $helper ) = @_;
+sub process_tc_priority1( $$$$$$$ ) {
+    my ( $band, $proto, $dports , $sports, $address, $interface, $helper ) = @_;
 
     my $val = numeric_value $band;
 
@@ -1651,7 +1658,7 @@ sub process_tc_priority1( $$$$$$ ) {
     $rule .= join('', '/', in_hex( $globals{TC_MASK} ) ) if have_capability( 'EXMARK' );
 
     if ( $interface ne '-' ) {
-	fatal_error "Invalid combination of columns" unless $address eq '-' && $proto eq '-' && $ports eq '-';
+	fatal_error "Invalid combination of columns" unless $address eq '-' && $proto eq '-' && $dports eq '-' && $sports eq '-';
 
 	my $forwardref = $mangle_table->{tcfor};
 
@@ -1662,41 +1669,57 @@ sub process_tc_priority1( $$$$$$ ) {
 	my $postref = $mangle_table->{tcpost};
 
 	if ( $address ne '-' ) {
-	    fatal_error "Invalid combination of columns" unless $proto eq '-' && $ports eq '-';
+	    fatal_error "Invalid combination of columns" unless $proto eq '-' && $dports eq '-' && $sports eq '-';
 	    add_rule( $postref ,
 		      join( '', match_source_net( $address) , $rule ) ,
 		      1 );
 	} else {
 	    add_rule( $postref ,
-		      join( '', do_proto( $proto, $ports, '-' , 0 ) , $rule ) ,
+		      join( '', do_proto( $proto, $dports, $sports , 0 ) , $rule ) ,
 		      1 );
 
-	    if ( $ports ne '-' ) {
+	    if ( $dports ne '-' ) {
 		my $protocol = resolve_proto $proto;
 
 		if ( $proto =~ /^ipp2p/ ) {
 		    fatal_error "ipp2p may not be used when there are tracked providers and PROVIDER_OFFSET=0" if @routemarked_interfaces && $config{PROVIDER_OFFSET} == 0;
 		    $ipp2p = 1;
+		} elsif ( $file_format == 1 ) {
+		    add_rule( $postref ,
+			      join( '' , do_proto( $proto, '-', $dports, 0 ) , $rule ) ,
+			      1 )
+			unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP;
 		}
-
-		add_rule( $postref ,
-			  join( '' , do_proto( $proto, '-', $ports, 0 ) , $rule ) ,
-			  1 )
-		    unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP;
 	    }
 	}
     }
 }
 
 sub process_tc_priority() {
-    my ( $band, $protos, $ports , $address, $interface, $helper ) =
-	split_line1( 'tcpri',
-		     { band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 } );
+    my ( $band, $protos, $dports , $sports, $address, $interface, $helper );
+
+    if ( $file_format == 1 ) {
+	( $band, $protos, $dports , $address, $interface, $helper ) =
+	    split_line2( 'tcpri',
+			 { band => 0, proto => 1, port => 2, dport => 2, address => 3, interface => 4, helper => 5 },
+			 {},
+			 6,
+			 1 );
+	$sports = '-';
+    } else {
+	( $band, $protos, $dports , $sports, $address, $interface, $helper ) =
+	    split_line2( 'tcpri',
+			 { band => 0, proto => 1, port => 2, dport => 2, sport => 3, address => 4, interface => 5, helper => 6 },
+			 {},
+			 7,
+			 1 );
+    };
 
     fatal_error 'BAND must be specified' if $band eq '-';
 
     fatal_error "Invalid tcpri entry" if ( $protos    eq '-' &&
-					   $ports     eq '-' &&
+					   $dports    eq '-' &&
+					   $sports    eq '-' &&
 					   $address   eq '-' &&
 					   $interface eq '-' &&
 					   $helper    eq '-' );
@@ -1706,7 +1729,7 @@ sub process_tc_priority() {
     fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;
 
     for my $proto ( split_list $protos, 'Protocol' ) {
-	process_tc_priority1( $band, $proto, $ports , $address, $interface, $helper );
+	process_tc_priority1( $band, $proto, $dports , $sports, $address, $interface, $helper );
     }
 }
 
@@ -1728,7 +1751,7 @@ sub process_tcinterfaces() {
 #
 sub process_tcpri() {
     my $fn  = find_file 'tcinterfaces';
-    my $fn1 = open_file 'tcpri', 1,1;
+    my $fn1 = open_file 'tcpri', 2,1,0,1;
 
     if ( $fn1 ) {
 	first_entry
@@ -1865,7 +1888,7 @@ sub process_traffic_shaping() {
 	    for my $rdev ( @{$devref->{redirected}} ) {
 		my $phyrdev = physical_name( $rdev );
 		emit ( "run_tc qdisc add dev $phyrdev handle ffff: ingress" );
-		emit( "run_tc filter add dev $phyrdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
+		emit( "run_tc filter add dev $phyrdev parent ffff: protocol all u32 match u32 0 0".($devref->{'connmark'} ? ' action connmark' : '')." action mirred egress redirect dev $device > /dev/null" );
 	    }
 
 	    for my $class ( @tcclasses ) {

Shorewall/Shorewall-targetname

@@ -1 +1 @@
-5.2.6-RC1
+5.2.7-Beta1

Shorewall/configfiles/tcpri

@@ -6,5 +6,6 @@
 # See https://shorewall.org/simple_traffic_shaping.htm for additional
 # information.
 #
+?FORMAT 2
 ###############################################################################
-#BAND	PROTO	PORT		ADDRESS		INTERFACE	HELPER
+#BAND	PROTO	DPORT	SPORT	ADDRESS		INTERFACE	HELPER

Shorewall/manpages/shorewall-tcdevices.xml

@@ -200,6 +200,11 @@
           marks. You must do all classification using CLASSIFY rules in <ulink
           url="shorewall-mangle.html">shorewall-mangle</ulink>(5).</para>
 
+          <para><emphasis role="bold">connmark</emphasis> -- Added in
+          Shorewall 5.2.7. May only be specified if the REDIRECTED_INTERFACES
+          column is non-empty. It allows packet marks to be used to classify
+          traffic for these interfaces.</para>
+
           <para><option>htb</option> - Use the <firstterm>Hierarchical Token
           Bucket</firstterm> queuing discipline. This is the default.</para>
 
@@ -248,7 +253,9 @@
           enter each listed interface to be passed through the egress filters
           defined for this device, thus providing a form of incoming traffic
           shaping. When this column is non-empty, the <emphasis
-          role="bold">classify</emphasis> option is assumed.</para>
+          role="bold">classify</emphasis> option is assumed unless the
+          <emphasis role="bold">connmark</emphasis> option is
+          specified.</para>
         </listitem>
       </varlistentry>
     </variablelist>

Shorewall/manpages/shorewall-tcpri.xml

@@ -27,8 +27,11 @@
 
     <para>This file is used to specify the priority of traffic for simple
     traffic shaping (TC_ENABLED=Simple in <ulink
-    url="shorewall.conf.html">shorewall.conf</ulink>(5)). The
-    priority band of each packet is determined by the <emphasis
+    url="shorewall.conf.html">shorewall.conf</ulink>(5)). Beginning with
+    Shorewall 5.2.7, the file allows ?FORMAT 2 which inserts a SPORT column
+    immediately to the right of the DPORT column.</para>
+
+    <para>The priority band of each packet is determined by the <emphasis
     role="bold">last</emphasis> entry that the packet matches. If a packet
     doesn't match any entry in this file, then its priority will be determined
     by its TOS field. The default mapping is as follows but can be changed by
@@ -87,15 +90,36 @@
       </varlistentry>
 
       <varlistentry>
-        <term>PORT(S) - <replaceable>port</replaceable> [,...]</term>
+        <term>DPORT - <replaceable>port</replaceable> [,...]</term>
 
         <listitem>
+          <para>This column was named PORT prior to Shorewall 5.2.7. Both
+          'port' and 'dport' may be used in the <ulink
+          url="../configuration_file_basics.htm#Pairs">alternate input
+          format</ulink>.</para>
+
           <para>Optional. May only be given if the the PROTO is TCP (6), UDP
           (17), DCCP (33), SCTP (132) or UDPLITE (136). A list of one or more
           port numbers or service names from /etc/services. Port ranges of the
           form
           <replaceable>lowport</replaceable>:<replaceable>highport</replaceable>
-          may also be included.</para>
+          may also be included. In format 1, packets whose source or
+          destination port matches the specified
+          <replaceable>port</replaceable>(s) are assigned to the band given in
+          the BAND column.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>SPORT - <replaceable>port</replaceable> [,...]</term>
+
+        <listitem>
+          <para>Only present in file format 2. Optional. May only be given if
+          the the PROTO is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE
+          (136). A list of one or more port numbers or service names from
+          /etc/services. Port ranges of the form
+          <replaceable>lowport</replaceable>:<replaceable>highport</replaceable>
+          may also be included. </para>
         </listitem>
       </varlistentry>
 

Shorewall6/configfiles/tcpri

@@ -6,5 +6,6 @@
 # See https://shorewall.org/simple_traffic_shaping.htm for additional
 # information.
 #
+?FORMAT 2
 ###############################################################################
-#BAND	PROTO	PORT		ADDRESS		INTERFACE	HELPER
+#BAND	PROTO	DPORT	SPORT	ADDRESS		INTERFACE	HELPER

docs/FAQ.xml

@@ -2592,7 +2592,7 @@ eth0            External        50mbit:200kb            5.0mbit:100kb:200ms:100m
       <programlisting><emphasis role="bold">ethtool -K eth<emphasis>N</emphasis> tso off gso off</emphasis></programlisting>
     </section>
 
-    <section>
+    <section id="faq97a">
       <title>(FAQ 97a) I enable Shorewall traffic shaping and now my download
       rate is way below what I specified</title>
 

docs/SharedConfig.xml

@@ -1150,7 +1150,7 @@ TCPMSS(pmtu,none) { PROTO=tcp }
       <programlisting>#TYPE			ZONE		GATEWAY			GATEWAY_ZONE
 ipsecnat {ZONE=net,  GATEWAY=$ALL, GATEWAY_ZONE=vpn }
 ipsecnat {ZONE=loc,  GATEWAY=$ALL, GATEWAY_ZONE=vpn }
-</programlisting>
+ipsecnat {ZONE=wlan, GATEWAY=$ALL, GATEWAY_ZONE=vpn }</programlisting>
     </section>
 
     <section>

docs/docs-targetname

@@ -1 +1 @@
-5.2.6.1
+5.2.7-RC1

docs/images/docs-images-targetname

@@ -1 +1 @@
-5.2.6.1
+5.2.7-Beta1

docs/simple_traffic_shaping.xml

@@ -187,8 +187,9 @@ eth0                   External</programlisting>
         <para>Assign traffic entering the firewall on a particular interface
         to a specific priority band:</para>
 
-        <programlisting>#BAND         PROTO         PORT(S)         ADDRESS             INTERFACE        HELPER
-2               -             -                -                eth1</programlisting>
+        <programlisting>?FORMAT 2
+#BAND         PROTO         DPORT    SPORT     ADDRESS             INTERFACE        HELPER
+2               -             -        -          -                eth1</programlisting>
 
         <para>In this example, traffic from eth1 will be assigned to priority
         band 2.</para>
@@ -203,15 +204,17 @@ eth0                   External</programlisting>
         <para>Assign traffic from a particular IP address to a specific
         priority band:</para>
 
-        <programlisting>#BAND         PROTO         DPORT           ADDRESS             INTERFACE        HELPER
-1               -             -             192.168.1.44</programlisting>
+        <programlisting>?FORMAT 2
+#BAND         PROTO         DPORT    SPORT     ADDRESS             INTERFACE        HELPER
+
+1               -             -        -       192.168.1.44</programlisting>
 
         <para>In this example, traffic from 192.168.1.44 will be assigned to
         priority band 1.</para>
 
         <note>
-          <para>When an ADDRESS is specified, the PROTO, DPORT and INTERFACE
-          columns must be empty.</para>
+          <para>When an ADDRESS is specified, the PROTO, DPORT, SPORT and
+          INTERFACE columns must be empty.</para>
         </note>
       </listitem>
 
@@ -219,11 +222,19 @@ eth0                   External</programlisting>
         <para>Assign traffic to/from a particular application to a specific
         priority band:</para>
 
-        <programlisting>#BAND         PROTO         DPORT           ADDRESS             INTERFACE        HELPER
+        <programlisting>#BAND         PROTO         PORT            ADDRESS             INTERFACE        HELPER
 1             udp           1194</programlisting>
 
-        <para>In that example, OpenVPN traffic is assigned to priority band
-        1.</para>
+        <para>In that example, SSH traffic is assigned to priority band 1. In
+        file format 2, the above would be as follows:</para>
+
+        <programlisting>#BAND         PROTO         DPORT       SPORT     ADDRESS             INTERFACE        HELPER
+1             tcp           22
+1             tcp             -         22</programlisting>
+
+        <para>In other words, in file format 1, the compiler generates rules
+        for traffic from client to server and from server to client. In format
+        2, separate tcpri rules are required.</para>
       </listitem>
 
       <listitem>
@@ -355,5 +366,9 @@ COMMENT And place echo requests in band 1 to avoid false line-down reports
       <para>Please note that Shorewall numbers the bands 1-3 whereas PRIO(8)
       refers to them as bands 0-2.</para>
     </caution>
+
+    <para>If you encounter performance problems after enabling simple traffic
+    shaping, check out <ulink url="FAQ.htm#faq97">FAQ 97</ulink> and <ulink
+    url="FAQ.htm#faq97a">FAQ97a</ulink></para>
   </section>
 </article>

docs/traffic_shaping.xml

@@ -26,6 +26,8 @@
     <copyright>
       <year>2001-2013</year>
 
+      <year>2020</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -214,24 +216,6 @@
     article</ulink>.</para>
   </section>
 
-  <section id="Kernel">
-    <title>Linux Kernel Configuration</title>
-
-    <para>You will need at least kernel 2.4.18 for this to work, please take a
-    look at the following screenshot for what settings you need to enable. For
-    builtin support, you need the HTB scheduler, the Ingress scheduler, the
-    PRIO pseudoscheduler and SFQ queue. The other scheduler or queue
-    algorithms are not needed.</para>
-
-    <para>This screen shot shows how I configured QoS in a 2.6.16
-    Kernel:</para>
-
-    <graphic align="center" fileref="images/traffic_shaping2.6.png"/>
-
-    <para>And here's my recommendation for a 2.6.21 kernel:<graphic
-    align="center" fileref="images/traffic_shaping2.6.21.png"/></para>
-  </section>
-
   <section id="Shorewall">
     <title>Enable TC support in Shorewall</title>
 
@@ -298,6 +282,15 @@
         <para>Assign traffic to HTB and/or HFSC classes based on packet mark
         value or based on packet contents.</para>
       </listitem>
+
+      <listitem>
+        <para>Throttle incoming traffic</para>
+      </listitem>
+
+      <listitem>
+        <para>Use an <emphasis>Intermediate functional block </emphasis>(IFB)
+        to shape incoming traffic<emphasis> </emphasis></para>
+      </listitem>
     </itemizedlist>
 
     <para>Those few features are really all that builtin traffic
@@ -482,6 +475,16 @@
                 </variablelist>
               </listitem>
             </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">connmark</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.2.7. May be specified on IFB
+                devices to enable use of firewall marks to select the
+                appropriate traffic shaping class.</para>
+              </listitem>
+            </varlistentry>
           </variablelist>
         </listitem>
 
@@ -496,7 +499,8 @@
           column.</para>
 
           <para>IFB devices automatically get the <emphasis
-          role="bold">classify</emphasis> option.</para>
+          role="bold">classify</emphasis> option unless the <emphasis
+          role="bold">connmark</emphasis> option is specified.</para>
         </listitem>
       </itemizedlist>
 
@@ -1577,9 +1581,11 @@ ip link set ifb0 up</command></programlisting>
 
     <para>Entries in <filename>/etc/shorewall/mangle</filename> or
     <filename>/etc/shorewall/tcrules</filename> have no effect on shaping
-    traffic through an IFB. To allow classification of such traffic, the
-    /etc/shorewall/tcfilters file has been added. Entries in that file create
-    <ulink url="http://b42.cz/notes/u32_classifier/">u32 classification
+    traffic through an IFB unless the IFB is defined in shorewall-tcclasses(5)
+    with the <emphasis role="bold">connmark</emphasis> option. To allow
+    classification of such traffic, the /etc/shorewall/tcfilters file has been
+    added. Entries in that file create <ulink
+    url="http://b42.cz/notes/u32_classifier/">u32 classification
     rules</ulink>.</para>
 
     <section id="tcfilters">
@@ -1937,6 +1943,93 @@ filter parent 1: protocol ip pref 10 u32 <emphasis role="bold">fh 800:</emphasis
             role="bold">&lt;========= PROTO TCP</emphasis>
     offset 0f00&gt;&gt;6 at 0  eat </programlisting></para>
     </section>
+
+    <section>
+      <title>IFBs and SNAT/MASQUERADE</title>
+
+      <para>IFB traffic shaping takes place immediately after the traffic is
+      received by the incoming interface and before it has been passed to any
+      Netfilter hook. This has two consequences:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para>There is no opportunity to mark the packets before they are
+          processed by the IFBs traffic shaping rules.</para>
+        </listitem>
+
+        <listitem>
+          <para>The DEST IP address is still the IP address of the external
+          interface on which the traffic arrived.</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>As a result, in the tcdevices file description above, a <emphasis
+      role="bold">connmark</emphasis> option was added to that file in
+      Shorewall 5.2.7. The <emphasis role="bold">connmark</emphasis> option
+      allows firewall marks to be used to segregate traffic by DEST IP.</para>
+
+      <para>Example (based closely on one supplied by Rodrigo Araujo, who also
+      wrote much of the code supporting the <emphasis
+      role="bold">connmark</emphasis> option):</para>
+
+      <para><emphasis
+      role="bold">/etc/shorewall/shorewall.conf:</emphasis></para>
+
+      <programlisting>...
+TC_ENABLED=Internal
+...</programlisting>
+
+      <para><emphasis role="bold">/etc/shorewall/interfaces:</emphasis></para>
+
+      <programlisting>##############################################################################
+?FORMAT 2
+###############################################################################
+#ZONE	INTERFACE	OPTIONS
+net     NET_IF          dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
+loc     LOC_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth1</programlisting>
+
+      <para><emphasis role="bold">/etc/shorewall/snat:</emphasis></para>
+
+      <programlisting>?FORMAT 2
+#ACTION       SOURCE      DEST    PROTO    PORT        IPSEC    MARK   
+USER    SWITCH    ORIGDEST    PROBABILITY
+MASQUERADE    -           NET_IF</programlisting>
+
+      <para><emphasis role="bold">/etc/shorewall/tcdevices:</emphasis></para>
+
+      <programlisting>#INTERFACE	IN_BANDWITH	OUT_BANDWIDTH	OPTIONS		REDIRECT
+## net upload
+10:NET_IF	-               1000mbit         htb
+## net download
+11:ifb0         -               1000mbit         htb,connmark   NET_IF</programlisting>
+
+      <para><emphasis role="bold">/etc/shorewall/tcclasses:</emphasis></para>
+
+      <programlisting>#INTERFACE	MARK	RATE		CEIL		PRIO	OPTIONS
+10:5000           111       500kbit            full       10     tcp-ack,tos-minimize-delay
+11:5000           110       500kbit            full       10     tcp-ack,tos-minimize-delay
+
+10:1000           100       full-50500         full       20      default
+11:1000           101       full-100500        full       20      default
+
+10:50             10        50mbit             50mbit     101     flow=nfct-src
+11:100            11        100mbit            100mbit    101     flow=dst</programlisting>
+
+      <para><emphasis role="bold">/etc/shorewall/tcfilters:</emphasis></para>
+
+      <programlisting>#CLASS		SOURCE		DEST		PROTO	DPORT	SPORT	TOS	LENGTH
+## limit LAN upload - works
+10:50          10.100.100.0/24
+## limit LAN download - DOESN'T WORK BECAUSE OF MASQUERADE ON eth0 !!!! (snat file)
+#11:100        -                  10.100.100.0/24</programlisting>
+
+      <para><emphasis role="bold">/etc/shorewall/mangle:</emphasis></para>
+
+      <programlisting>#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP	SWITCH
+## this only works with the aforementioned conntrack option
+## and LAN users' download traffic will get the 11:100 class (defined in tcclasses) applied
+CONNMARK(11):F       10.100.100.0/24    - { TEST=0x0/0xff }</programlisting>
+    </section>
   </section>
 
   <section id="show">