summaryrefslogtreecommitdiffstats
path: root/man/man8/tc-fw.8
diff options
context:
space:
mode:
Diffstat (limited to 'man/man8/tc-fw.8')
-rw-r--r--man/man8/tc-fw.8104
1 files changed, 104 insertions, 0 deletions
diff --git a/man/man8/tc-fw.8 b/man/man8/tc-fw.8
new file mode 100644
index 0000000..589505a
--- /dev/null
+++ b/man/man8/tc-fw.8
@@ -0,0 +1,104 @@
+.TH "Firewall mark classifier in tc" 8 "21 Oct 2015" "iproute2" "Linux"
+
+.SH NAME
+fw \- fwmark traffic control filter
+.SH SYNOPSIS
+.in +8
+.ti -8
+.BR tc " " filter " ... " fw " [ " classid
+.IR CLASSID " ] [ "
+.B action
+.IR ACTION_SPEC " ]"
+.SH DESCRIPTION
+the
+.B fw
+filter allows one to classify packets based on a previously set
+.BR fwmark " by " iptables .
+If the masked value of the
+.B fwmark
+matches the filter's masked
+.BR handle ,
+the filter matches. By default, all 32 bits of the
+.B handle
+and the
+.B fwmark
+are masked.
+.B iptables
+allows one to mark single packets with the
+.B MARK
+target, or whole connections using
+.BR CONNMARK .
+The benefit of using this filter instead of doing the
+heavy-lifting with
+.B tc
+itself is that on one hand it might be convenient to keep packet filtering and
+classification in one place, possibly having to match a packet just once, and on
+the other users familiar with
+.BR iptables " but not " tc
+will have a less hard time adding QoS to their setups.
+.SH OPTIONS
+.TP
+.BI classid " CLASSID"
+Push matching packets to the class identified by
+.IR CLASSID .
+.TP
+.BI action " ACTION_SPEC"
+Apply an action from the generic actions framework on matching packets.
+.SH EXAMPLES
+Take e.g. the following tc filter statement:
+
+.RS
+.EX
+tc filter add ... handle 6 fw classid 1:1
+.EE
+.RE
+
+will match if the packet's
+.B fwmark
+value is
+.BR 6 .
+This is a sample
+.B iptables
+statement marking packets coming in on eth0:
+
+.RS
+.EX
+iptables -t mangle -A PREROUTING -i eth0 -j MARK --set-mark 6
+.EE
+.RE
+
+Specific bits of the packet's
+.B fwmark
+can be set using the
+.B skbedit
+action. For example, to only set one bit of the
+.B fwmark
+without changing any other bit:
+
+.RS
+.EX
+tc filter add ... action skbedit mark 0x8/0x8
+.EE
+.RE
+
+The
+.B fw
+filter can then be used to match on this bit by masking the
+.B handle:
+
+.RS
+.EX
+tc filter add ... handle 0x8/0x8 fw action drop
+.EE
+.RE
+
+This is useful when different bits of the
+.B fwmark
+are assigned different meanings.
+.EE
+.RE
+.SH SEE ALSO
+.BR tc (8),
+.BR iptables (8),
+.BR iptables-extensions (8),
+.BR tc-skbedit (8)
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-08 17:59:47 +0000