diff --git a/extensions/libxt_CHAOS.man b/extensions/libxt_CHAOS.man index 302e69f..0430c66 100644 --- a/extensions/libxt_CHAOS.man +++ b/extensions/libxt_CHAOS.man @@ -16,3 +16,6 @@ connections than they can. .PP The randomness factor of not replying vs. replying can be set during load-time of the xt_CHAOS module or during runtime in /sys/modules/xt_CHAOS/parameters. +.PP +See http://jengelh.medozas.de/projects/chaostables/ for more information +about CHAOS, DELUDE and portscan. diff --git a/extensions/libxt_IPMARK.man b/extensions/libxt_IPMARK.man index 34eba24..ac4a532 100644 --- a/extensions/libxt_IPMARK.man +++ b/extensions/libxt_IPMARK.man 
@@ -7,31 +7,31 @@ This target is to be used inside the \fBmangle\fP table. \fB--addr\fP {\fBsrc\fP|\fBdst\fP} Select source or destination IP address as a basis for the mark. .TP -.BI "--and-mask " "mask" -Perform bitwise `and' on the IP address and this mask. +\fB--and-mask\fP \fImask\fP +Perform bitwise AND on the IP address and this bitmask. .TP -.BI "--or-mask " "mask" -Perform bitwise `or' on the IP address and this mask. +\fB--or-mask\fP \fImask\fP +Perform bitwise OR on the IP address and this bitmask. .TP \fB--shift\fP \fIvalue\fP Shift addresses to the right by the given number of bits before taking it as a mark. (This is done before ANDing or ORing it.) This option is needed to select part of an IPv6 address, because marks are only 32 bits in size. -.P +.PP The order of IP address bytes is reversed to meet "human order of bytes": -192.168.0.1 is 0xc0a80001. At first the `and' operation is performed, then -`or'. - +192.168.0.1 is 0xc0a80001. At first the "AND" operation is performed, then +"OR". +.PP Examples: - +.PP We create a queue for each user, the queue number is adequate to the IP address of the user, e.g.: all packets going to/from 192.168.5.2 are directed to 1:0502 queue, 192.168.5.12 -> 1:050c etc. - +.PP We have one classifier rule: .IP tc filter add dev eth3 parent 1:0 protocol ip fw -.P +.PP Earlier we had many rules just like below: .IP iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.2 -j MARK 
@@ -39,12 +39,12 @@ iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.2 -j MARK .IP iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.3 -j MARK --set-mark 0x10503 -.P +.PP Using IPMARK target we can replace all the mangle/mark rules with only one: .IP -iptables -t mangle -A POSTROUTING -o eth3 -j IPMARK --addr=dst ---and-mask=0xffff --or-mask=0x10000 -.P +iptables -t mangle -A POSTROUTING -o eth3 -j IPMARK --addr dst +--and-mask 0xffff --or-mask 0x10000 +.PP On the routers with hundreds of users there should be significant load decrease (e.g. twice). .PP
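Review bot: in the libxt_CHAOS.man hunk, the unchanged context line just above the added paragraph gives the parameter path as /sys/modules/xt_CHAOS/parameters, but sysfs exposes module parameters under /sys/module/<name>/parameters (singular "module"); since this change already edits that paragraph, correct it to /sys/module/xt_CHAOS/parameters in the same commit so readers do not copy a path that does not exist. The added ".PP" / "See http://jengelh.medozas.de/projects/chaostables/ for more information" text is consistent with the rest of the page, which uses ".PP" for paragraph breaks and plain-text URLs.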
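Review bot: in the first libxt_IPMARK.man hunk, the new wording 'At first the "AND" operation is performed, then "OR".' quotes the operator names, while the rewritten option entries two paragraphs up use them bare ("Perform bitwise AND on the IP address and this bitmask."); drop the quotation marks so the terminology is uniform within the page. The ".BI" to "\fB--and-mask\fP \fImask\fP" conversion correctly matches the existing "\fB--shift\fP \fIvalue\fP" entry. Two context lines next to the edited text are worth fixing while here: "the queue number is adequate to the IP address" should read "corresponds to the IP address", and "Shift addresses to the right ... before taking it as a mark" mixes plural and singular ("Shift the address ... before taking it as a mark").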
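Review bot: in the second libxt_IPMARK.man hunk, replacing "--addr=dst --and-mask=0xffff --or-mask=0x10000" with space-separated "--addr dst --and-mask 0xffff --or-mask 0x10000" changes the documented invocation form rather than just the roff markup; both spellings are normally accepted by the long-option parser, but the commit message should state that the example is being aligned with the option syntax in the ".TP" entries ("\fB--and-mask\fP \fImask\fP"), otherwise the change looks like a behavioural claim. The example itself checks out against the text's own byte-order rule: 192.168.5.2 is 0xc0a80502, AND 0xffff gives 0x0502, OR 0x10000 gives 0x10502, which matches the per-host "--set-mark 0x10503" rule for .5.3 that this single rule replaces. Since the command is split over two ".IP" lines without any ".nf"/".fi", it will render as one wrapped paragraph; that reads fine, but if the intent is a copy-pasteable command, wrap it in ".nf"/".fi".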