SHOREWALL6-TCRULES(5)          [FIXME: manual]          SHOREWALL6-TCRULES(5)

NAME
       tcrules - Shorewall6 Packet Marking rules file

SYNOPSIS
       /etc/shorewall6/tcrules

DESCRIPTION
       Entries in this file cause packets to be marked as a means of
       classifying them for traffic control or policy routing.

       Important
           Unlike rules in the shorewall6-rules[1](5) file, evaluation of
           rules in this file continues after a match. The final mark for
           each packet is therefore the one assigned by the LAST tcrule that
           matches.

           If you use multiple internet providers with the 'track' option in
           /etc/shorewall6/providers, be sure to read the restrictions at
           http://shorewall.net/MultiISP.html.

       The columns in the file are as follows.

       MARK/CLASSIFY - mark
           mark may assume one of the following values.

           1.  A mark value which is an integer in the range 1-255.

               Normally this sets the mark value. If preceded by a vertical
               bar ("|"), the mark value is logically ORed with the current
               mark value to produce the new mark value. If preceded by an
               ampersand ("&"), it is logically ANDed with the current mark
               value to produce the new mark value.

               Both "|" and "&" require Extended MARK Target support in your
               kernel and ip6tables; neither may be used with connection
               marks (see below).

               The value may optionally be followed by :P, :F, :T or :I,
               where :P indicates that marking should occur in the
               PREROUTING chain, :F in the FORWARD chain, :I in the INPUT
               chain (added in Shorewall 4.4.13) and :T in the POSTROUTING
               chain. If none of :P, :F, :T or :I follows the mark value,
               the chain is determined as follows:

               -   If the SOURCE is
                   $FW[:address-or-range[,address-or-range]...], the rule is
                   inserted into the OUTPUT chain. (This behavior changed in
                   Shorewall6-perl 4.1.) Only high mark values may be
                   assigned in this case (see the HIGH_ROUTE_MARKS
                   discussion below). Packet marking rules for traffic
                   shaping of packets originating on the firewall must be
                   coded in the POSTROUTING chain (:T, see below).

               -   Otherwise, the chain is determined by the setting of
                   MARK_IN_FORWARD_CHAIN in shorewall6.conf[2](5).

               Please note that :I is included for completeness and affects
               neither traffic shaping nor policy routing.

               If your kernel and ip6tables include CONNMARK support then
               you can also mark the connection rather than the packet.

               The mark value may optionally be followed by "/" and a mask
               value (used to determine those bits of the connection mark
               that are actually set). The mark and optional mask are then
               followed by one of:

               C
                   Mark the connection in the chain determined by the
                   setting of MARK_IN_FORWARD_CHAIN.

               CF
                   Mark the connection in the FORWARD chain.

               CP
                   Mark the connection in the PREROUTING chain.

               CT
                   Mark the connection in the POSTROUTING chain.

               CI
                   Mark the connection in the INPUT chain. This option is
                   included for completeness and has no applicability to
                   traffic shaping or policy routing.

               Special considerations if HIGH_ROUTE_MARKS=Yes in
               shorewall6.conf[2](5).

               If HIGH_ROUTE_MARKS=Yes, then you may also specify a value in
               the range 0x0100-0xFF00 with the low-order byte being zero.
               Such values may only be used in the PREROUTING chain (value
               followed by :P, or you have set MARK_IN_FORWARD_CHAIN=No in
               shorewall6.conf[2](5) and have not followed the value with
               :F) or the OUTPUT chain (SOURCE is $FW). With
               HIGH_ROUTE_MARKS=Yes, non-zero mark values less than 256 are
               not permitted in those chains: Shorewall6 prohibits non-zero
               mark values less than 256 in the OUTPUT chain when
               HIGH_ROUTE_MARKS=Yes. While earlier versions allowed such
               values in the OUTPUT chain, it is strongly recommended that
               with HIGH_ROUTE_MARKS=Yes you use the POSTROUTING chain to
               apply traffic shaping marks/classification.

           2.  A classification Id (classid) of the form major:minor where
               major and minor are integers. Corresponds to the 'class'
               specification in these traffic shaping modules:

                   atm
                   cbq
                   dsmark
                   pfifo_fast
                   htb
                   prio

               Classification occurs in the POSTROUTING chain except when
               the SOURCE is $FW[:address], in which case classification
               occurs in the OUTPUT chain.

               When using Shorewall6's built-in traffic shaping tool, the
               major class is the device number (the first device in
               shorewall6-tcdevices[3](5) is major class 1, the second
               device is major class 2, and so on) and the minor class is
               the class's MARK value in shorewall6-tcclasses[4](5)
               preceded by the digit 1 (MARK 1 corresponds to minor class
               11, MARK 5 corresponds to minor class 15, MARK 22
               corresponds to minor class 122, etc.).

           3.  RESTORE[/mask] -- restore the packet's mark from the
               connection's mark using the supplied mask, if any. Your
               kernel and ip6tables must include CONNMARK support.

               As in 1) above, may be followed by :P or :F.

           4.  SAVE[/mask] -- save the packet's mark to the connection's
               mark using the supplied mask, if any. Your kernel and
               ip6tables must include CONNMARK support.

               As in 1) above, may be followed by :P or :F.

           5.  CONTINUE -- don't process any more marking rules in the
               table.

               As in 1) above, may be followed by :P or :F. Currently,
               CONTINUE may not be used with exclusion (see the SOURCE and
               DEST columns below); that restriction will be removed when
               ip6tables/Netfilter provides the necessary support.
           6.  SAME (added in Shorewall 4.3.5) -- some websites run
               applications that require multiple connections from a
               client browser. Where multiple 'balanced' providers are
               configured, this can lead to problems when some of the
               connections are routed through one provider and some
               through another. The SAME target allows you to work around
               that problem. SAME may be used in the PREROUTING and OUTPUT
               chains. When used in PREROUTING, it causes matching
               connections from an individual local system to all use the
               same provider. For example:

                   #MARK/     SOURCE                 DEST    PROTO   DEST
                   #CLASSIFY                                         PORT(S)
                   SAME:P     2002:ce7c:92b4::/48    ::/0    tcp     80,443

               If a host in 2002:ce7c:92b4::/48 attempts a connection on
               TCP port 80 or 443 and it has sent a packet on either of
               those ports in the last five minutes, then the new
               connection will use the same provider as the connection
               over which that last packet was sent.

               When used in the OUTPUT chain, it causes all matching
               connections to an individual remote system to use the same
               provider. For example:

                   #MARK/     SOURCE    DEST    PROTO   DEST
                   #CLASSIFY                            PORT(S)
                   SAME       $FW       ::/0    tcp     80,443

               If the firewall attempts a connection on TCP port 80 or 443
               and it has sent a packet on either of those ports in the
               last five minutes to the same remote system, then the new
               connection will use the same provider as the connection
               over which that last packet was sent.

           7.  COMMENT -- the rest of the line will be attached as a
               comment to the Netfilter rule(s) generated by the following
               entries. The comment will appear delimited by "/* ... */"
               in the output of shorewall6 show mangle.

               To stop the comment from being attached to further rules,
               simply include COMMENT on a line by itself.

           8.  TPROXY(mark[/mask][,[port][,[address]]])

               Transparently redirects a packet without altering the IP
               header. Requires a local provider to be defined in
               shorewall6-providers[5](5).

               There are three parameters to TPROXY - only the first
               (mark) is required:

               ·   mark - the MARK value corresponding to the local
                   provider in shorewall6-providers[5](5).

               ·   port - the port on which the proxy server is listening.
                   If omitted, the original destination port.

               ·   address - a local (to the firewall) IP address on which
                   the proxy server is listening. If omitted, the IP
                   address of the interface on which the request arrives.
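       The rules for the MARK/CLASSIFY column above (the "|" and "&"
       operators, the :P/:F/:T/:I and C/CF/CP/CT/CI suffixes, the default
       chain for $FW and MARK_IN_FORWARD_CHAIN, the HIGH_ROUTE_MARKS limits
       and the built-in shaper's classid numbering) condensed into a small
       resolver. This is an added example, not Shorewall code: the names
       parse_mark, apply_mark, classid and rejects are this example's own,
       and two points are its own reading of the text and marked as
       assumptions in the comments (how a /mask combines with "|" or "&",
       and that with HIGH_ROUTE_MARKS=Yes marks below 256 are refused in
       PREROUTING as well as OUTPUT).

```python
"""Resolve a Shorewall6 tcrules MARK/CLASSIFY column into the Netfilter
target, value/mask and mangle chain it describes, applying the rules given
in this section.  Added example (not Shorewall code); function names and the
points marked 'assumption' are the example's own."""
import re

PACKET_CHAINS = {"P": "PREROUTING", "F": "FORWARD", "T": "POSTROUTING", "I": "INPUT"}
CONN_CHAINS = {"CF": "FORWARD", "CP": "PREROUTING", "CT": "POSTROUTING", "CI": "INPUT"}


def default_chain(source_is_fw, mark_in_forward_chain):
    """Chain used when no :P/:F/:T/:I suffix follows the mark value."""
    if source_is_fw:
        return "OUTPUT"
    return "FORWARD" if mark_in_forward_chain else "PREROUTING"


def classid(device_number, tcclasses_mark):
    """Built-in shaper numbering: major = device number, minor = '1' + MARK."""
    return "%d:1%d" % (device_number, tcclasses_mark)


def parse_mark(column, source_is_fw=False, mark_in_forward_chain=True,
               high_route_marks=False):
    """Return a dict describing target/chain/value, or raise ValueError."""
    # 2) classid major:minor -> CLASSIFY in POSTROUTING (OUTPUT when SOURCE is $FW)
    if re.fullmatch(r"\d+:\d+", column):
        return {"target": "CLASSIFY", "classid": column,
                "chain": "OUTPUT" if source_is_fw else "POSTROUTING"}
    # 3)-5) RESTORE/SAVE/CONTINUE[/mask][:P|:F]
    m = re.fullmatch(r"(RESTORE|SAVE|CONTINUE)(?:/(0x[0-9a-fA-F]+|\d+))?(?::([PF]))?", column)
    if m:
        target, mask, suffix = m.groups()
        if source_is_fw and suffix:
            raise ValueError("SOURCE $FW is always marked in OUTPUT; :P/:F not allowed")
        chain = PACKET_CHAINS[suffix] if suffix else default_chain(source_is_fw, mark_in_forward_chain)
        return {"target": target, "mask": int(mask, 0) if mask else None, "chain": chain}
    # 1) [|&]value[/mask][:P|:F|:T|:I|:C|:CF|:CP|:CT|:CI]
    m = re.fullmatch(r"([|&]?)(0x[0-9a-fA-F]+|\d+)(?:/(0x[0-9a-fA-F]+|\d+))?(?::([A-Z]+))?", column)
    if not m:
        raise ValueError("unrecognised MARK/CLASSIFY value %r" % column)
    op, value, mask, suffix = m.groups()
    value, mask = int(value, 0), (int(mask, 0) if mask else None)
    if suffix is None:
        target, chain = "MARK", default_chain(source_is_fw, mark_in_forward_chain)
    elif suffix in PACKET_CHAINS:
        if source_is_fw and suffix in ("P", "F"):
            raise ValueError("SOURCE $FW is always marked in OUTPUT; :P/:F not allowed")
        target, chain = "MARK", PACKET_CHAINS[suffix]
    elif suffix == "C":
        target, chain = "CONNMARK", default_chain(source_is_fw, mark_in_forward_chain)
    elif suffix in CONN_CHAINS:
        target, chain = "CONNMARK", CONN_CHAINS[suffix]
    else:
        raise ValueError("unknown suffix :%s" % suffix)
    if op and target == "CONNMARK":
        raise ValueError("| and & may not be used with connection marks")
    low = 1 <= value <= 255
    high = high_route_marks and 0x0100 <= value <= 0xFF00 and value & 0xFF == 0
    if not (low or high):
        raise ValueError("mark %#x is not a legal value" % value)
    if high and chain not in ("PREROUTING", "OUTPUT"):
        raise ValueError("high route marks are only allowed in PREROUTING or OUTPUT")
    # Assumption: with HIGH_ROUTE_MARKS=Yes the routing chains (PREROUTING,
    # OUTPUT) carry provider marks only, so low shaping marks are refused
    # there and belong in POSTROUTING (or FORWARD).
    if high_route_marks and low and chain in ("PREROUTING", "OUTPUT"):
        raise ValueError("with HIGH_ROUTE_MARKS=Yes, marks below 256 may not be set in " + chain)
    return {"target": target, "op": op, "value": value, "mask": mask, "chain": chain}


def apply_mark(rule, current):
    """New mark after applying a parse_mark() result to the current mark."""
    new = {"|": current | rule["value"], "&": current & rule["value"]}.get(rule["op"], rule["value"])
    if rule["mask"] is not None:          # assumption: only the masked bits change
        new = (current & ~rule["mask"]) | (new & rule["mask"])
    return new & 0xFFFFFFFF


def rejects(column, **opts):
    """True if parse_mark refuses the column under the given settings."""
    try:
        parse_mark(column, **opts)
    except ValueError:
        return True
    return False
```

       Feeding each MARK column of a tcrules file through parse_mark before
       deploying shows where a rule will actually land, which is the usual
       source of surprise when a shaping mark silently goes into FORWARD
       instead of PREROUTING because of MARK_IN_FORWARD_CHAIN.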

       SOURCE - {-|{interface|$FW}|[{interface|$FW}:]<address-or-range[,address-or-range]...>[exclusion]}
           Source of the packet. A comma-separated list of interface names,
           IP addresses, MAC addresses and/or subnets for packets being
           routed through a common path. List elements may also consist of
           an interface name followed by ":" and an address (e.g.,
           eth1:<2002:ce7c:92b4::/48>). For example, all packets for
           connections masqueraded to eth0 from other interfaces can be
           matched in a single rule with several alternative SOURCE
           criteria. However, a connection whose packets get to eth0 in a
           different way, e.g., direct from the firewall itself, needs a
           different rule.

           Accordingly, use $FW in its own separate rule for packets
           originating on the firewall. In such a rule, the MARK column may
           NOT specify either :P or :F because marking for
           firewall-originated packets always occurs in the OUTPUT chain.

           MAC addresses must be prefixed with "~" and use "-" as a
           separator.

           Example: ~00-A0-C9-15-39-78

           When an interface is not specified, the angled brackets ('<' and
           '>') surrounding the address(es) may be omitted.

           You may exclude certain hosts from the set already defined
           through use of an exclusion (see shorewall6-exclusion[6](5)).

       DEST - {-|{interface|$FW}|[{interface|$FW}:]<address-or-range[,address-or-range]...>[exclusion]}
           Destination of the packet. Comma-separated list of IP addresses
           and/or subnets. If your kernel and ip6tables include iprange
           match support, IP address ranges are also allowed. List elements
           may also consist of an interface name followed by ":" and an
           address (e.g., eth1:<2002:ce7c:92b4::/48>). If the MARK column
           specifies a classification of the form major:minor then this
           column may also contain an interface name.

           When an interface is not specified, the angled brackets ('<' and
           '>') surrounding the address(es) may be omitted.

           Beginning with Shorewall 4.4.13, $FW may be given by itself or
           qualified by an address list. This causes marking to occur in
           the INPUT chain.

           You may exclude certain hosts from the set already defined
           through use of an exclusion (see shorewall6-exclusion[6](5)).
       PROTO - {-|tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}
           Protocol. ipp2p requires ipp2p match support in your kernel and
           ip6tables.

       PORT(S) (Optional) - [-|port-name-number-or-range[,port-name-number-or-range]...]
           Destination Ports. A comma-separated list of port names (from
           services(5)), port numbers or port ranges; if the protocol is
           ipv6-icmp, this column is interpreted as the destination
           icmp-type(s). ICMP types may be specified as a numeric type, a
           numeric type and code separated by a slash (e.g., 3/4), or a
           type name. See
           http://www.shorewall.net/configuration_file_basics.htm#ICMP.

           If the protocol is ipp2p, this column is interpreted as an ipp2p
           option without the leading "--" (example: bit for bit-torrent).
           If no PORT is given, ipp2p is assumed.

           An entry in this field requires that the PROTO column specify
           tcp (6), udp (17), ipv6-icmp (58), sctp (132) or udplite (136).
           Use '-' if any of the following fields is supplied.

       SOURCE PORT(S) (Optional) - [-|port-name-number-or-range[,port-name-number-or-range]...]
           Source port(s). If omitted, any source port is acceptable.
           Specified as a comma-separated list of port names, port numbers
           or port ranges.

           An entry in this field requires that the PROTO column specify
           tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any
           of the following fields is supplied.

       USER (Optional) - [!][user-name-or-number][:group-name-or-number]
           This column may only be non-empty if the SOURCE is the firewall
           itself.

           When this column is non-empty, the rule applies only if the
           program generating the output is running under the effective
           user and/or group specified (or is NOT running under that id if
           "!" is given).

           Examples:

           joe
               program must be run by joe

           :kids
               program must be run by a member of the 'kids' group

           !:kids
               program must not be run by a member of the 'kids' group
       TEST (Optional) - [!]value[/mask][:C]
           Defines a test on the existing packet or connection mark. The
           rule will match only if the test returns true.

           If you don't want to define a test but need to specify anything
           in the following columns, place a "-" in this field.

           !
               Inverts the test (not equal)

           value
               Value of the packet or connection mark.

           mask
               A mask to be applied to the mark before testing.

           :C
               Designates a connection mark. If omitted, the packet mark's
               value is tested.

       LENGTH (Optional) - [length|[min]:[max]]
           Packet Length. This field, if present, allows you to match the
           length of a packet against a specific value or range of values.
           You must have ip6tables length support for this to work. A range
           is specified in the form min:max where either min or max (but
           not both) may be omitted. If min is omitted, then 0 is assumed;
           if max is omitted, then any packet that is min or longer will
           match.

       TOS (Optional) - tos
           Type of service. Either a standard name, or a numeric value to
           match.

           Minimize-Delay (16)
           Maximize-Throughput (8)
           Maximize-Reliability (4)
           Minimize-Cost (2)
           Normal-Service (0)
       CONNBYTES (Optional) - [!]min:[max[:{O|R|B}[:{B|P|A}]]]
           Connection Bytes; defines a byte or packet range that the
           connection must fall within in order for the rule to match.

           A packet matches if the packet/byte count is within the range
           defined by min and max (unless ! is given, in which case a
           packet matches if the packet/byte count is not within the
           range). min is an integer which defines the beginning of the
           byte/packet range. max is an integer which defines the end of
           the byte/packet range; if omitted, only the beginning of the
           range is checked. The first letter gives the direction which the
           range refers to:

           O
               The original direction of the connection.

           R
               The opposite direction from the original connection.

           B
               The total of both directions.

           If omitted, B is assumed.

           The second letter determines what the range refers to:

           B
               Bytes

           P
               Packets

           A
               Average packet size

           If omitted, B is assumed.

       HELPER (Optional) - helper
           Names a Netfilter protocol helper module such as ftp, sip,
           amanda, etc. A packet will match if it was accepted by the named
           helper module. You can also append "-" and a port number to the
           helper module name (e.g., ftp-21) to specify the port number
           that the original connection was made on.

           Example: Mark all FTP data connections with mark 4:

               #MARK/     SOURCE   DEST   PROTO   PORT(S)   SOURCE   USER   TEST   LENGTH   TOS   CONNBYTES   HELPER
               #CLASSIFY                                    PORT(S)
               4          ::/0     ::/0   tcp     -         -        -      -      -        -     -           ftp

       HEADERS (Optional - Added in Shorewall 4.4.15) - [!][any:|exactly:]header-list
           The header-list consists of a comma-separated list of headers
           from the following list.

           auth, ah, or 51
               Authentication Header extension header.

           esp, or 50
               Encapsulating Security Payload extension header.

           hop, hop-by-hop or 0
               Hop-by-hop options extension header.

           route, ipv6-route or 41
               IPv6 Routing extension header.

           frag, ipv6-frag or 44
               IPv6 fragmentation extension header.

           none, ipv6-nonxt or 59
               No next header.

           proto, protocol or 255
               Any protocol header.

           If any: is specified, the rule will match if any of the listed
           headers are present. If exactly: is specified, the rule will
           match packets that include exactly the specified headers. If
           neither is given, any: is assumed.

           If ! is entered, the rule will match those packets which would
           not be matched when ! is omitted.

EXAMPLE
       Example 1:
           Mark all forwarded ICMP echo traffic with packet mark 1. Mark
           all forwarded peer-to-peer traffic with packet mark 4.

           This is a little more complex than otherwise expected. Since the
           ipp2p module cannot identify every packet of a P2P connection
           as P2P, we mark the entire connection as P2P as soon as any of
           its packets is determined to match.

           We assume packet/connection mark 0 means unclassified.

               #MARK/     SOURCE   DEST   PROTO       PORT(S)        SOURCE   USER   TEST
               #CLASSIFY                                             PORT(S)
               1          ::/0     ::/0   ipv6-icmp   echo-request
               1          ::/0     ::/0   ipv6-icmp   echo-reply
               RESTORE    ::/0     ::/0   all         -              -        -      0
               CONTINUE   ::/0     ::/0   all         -              -        -      !0
               4          ::/0     ::/0   ipp2p:all
               SAVE       ::/0     ::/0   all         -              -        -      !0

           If a packet hasn't been classified (packet mark is 0), copy the
           connection mark to the packet mark. If the packet mark is now
           set, we're done. If the packet is P2P, set the packet mark to 4.
           If the packet mark has been set, save it to the connection
           mark.

FILES
       /etc/shorewall6/tcrules

SEE ALSO
       http://shorewall.net/traffic_shaping.htm

       http://shorewall.net/MultiISP.html

       http://shorewall.net/PacketMarking.html

       shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
       shorewall6-blacklist(5), shorewall6-ecn(5), shorewall6-exclusion(5),
       shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
       shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
       shorewall6-route_rules(5), shorewall6-routestopped(5),
       shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
       shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tos(5),
       shorewall6-tunnels(5), shorewall6-zones(5)

NOTES
        1. shorewall6-rules
           http://www.shorewall.net/manpages6/shorewall6-rules.html

        2. shorewall6.conf
           http://www.shorewall.net/manpages6/shorewall6.conf.html

        3. shorewall6-tcdevices
           http://www.shorewall.net/manpages6/shorewall6-tcdevices.html

        4. shorewall6-tcclasses
           http://www.shorewall.net/manpages6/shorewall6-tcclasses.html

        5. shorewall6-providers
           http://www.shorewall.net/manpages6/shorewall6-providers.html

        6. shorewall6-exclusion
           http://www.shorewall.net/manpages6/shorewall6-exclusion.html



[FIXME: source]                  09/16/2011               SHOREWALL6-TCRULES(5)