1SHOREWALL-TCRULES(5) [FIXME: manual] SHOREWALL-TCRULES(5)
2
6 tcrules - Shorewall Packet Marking rules file
7
9 /etc/shorewall/tcrules
10
12 Entries in this file cause packets to be marked as a means of
13 classifying them for traffic control or policy routing.
14 Important
16 Unlike rules in the shorewall-rules[1](5) file, evaluation of rules
17 in this file will continue after a match. So the final mark for
18 each packet will be the one assigned by the LAST tcrule that
19 matches.
20 If you use multiple internet providers with the 'track' option, in
22 /etc/shorewall/providers be sure to read the restrictions at
23 http://shorewall.net/MultiISP.html.
24 The columns in the file are as follows.
26 MARK/CLASSIFY - mark
28 Where mark may assume one of the following values.
29 1. A mark value which is an integer in the range 1-255.
31 Normally will set the mark value. If preceded by a vertical bar
33 ("|"), the mark value will be logically ORed with the current
34 mark value to produce a new mark value. If preceded by an
35 ampersand ("&"), will be logically ANDed with the current mark
36 value to produce a new mark value.
37 Both "|" and "&" require Extended MARK Target support in your
39 kernel and iptables; neither may be used with connection marks
40 (see below).
41 May optionally be followed by :P, :F,:T or :I where :P
43 indicates that marking should occur in the PREROUTING chain, :F
44 indicates that marking should occur in the FORWARD chain, :I
45 indicates that marking should occur in the INPUT chain (added
46 in Shorewall 4.4.13), and :T indicates that marking should
47 occur in the POSTROUTING chain. If neither :P, :F nor :T follow
48 the mark value then the chain is determined as follows:
49 - If the SOURCE is
51 $FW[:address-or-range[,address-or-range]...], then the rule is
52 inserted into the OUTPUT chain. When HIGH_ROUTE_MARKS=Yes, only
53 high mark values may be assigned there. Packet marking rules
54 for traffic shaping of packets originating on the firewall must
55 be coded in the POSTROUTING chain (see below).
56 - Otherwise, the chain is determined by the setting of
58 MARK_IN_FORWARD_CHAIN in shorewall.conf[2](5).
59 Please note that :I is included for completeness and affects
61 neither traffic shaping nor policy routing.
62 If your kernel and iptables include CONNMARK support then you
64 can also mark the connection rather than the packet.
65 The mark value may be optionally followed by "/" and a mask
67 value (used to determine those bits of the connection mark to
68 actually be set). The mark and optional mask are then followed
69 by one of:
70 C
72 Mark the connection in the chain determined by the setting
73 of MARK_IN_FORWARD_CHAIN
74 CF
76 Mark the connection in the FORWARD chain
77 CP
79 Mark the connection in the PREROUTING chain.
80 CT
82 Mark the connecdtion in the POSTROUTING chain
83 CI
85 Mark the connection in the INPUT chain. This option is
86 included for completeness and has no applicability to
87 traffic shaping or policy routing.
88 Special considerations for If HIGH_ROUTE_MARKS=Yes in
90 shorewall.conf[2](5).
91 If HIGH_ROUTE_MARKS=Yes, then you may also specify a value in
93 the range 0x0100-0xFF00 with the low-order byte being zero.
94 Such values may only be used in the PREROUTING chain (value
95 followed by :P or you have set MARK_IN_FORWARD_CHAIN=No in
96 shorewall.conf[2](5) and have not followed the value with :F)
97 or the OUTPUT chain (SOURCE is $FW). With HIGH_ROUTE_MARKS=Yes,
98 non-zero mark values less that 256 are not permitted. Shorewall
99 prohibits non-zero mark values less that 256 in the OUTPUT
100 chain when HIGH_ROUTE_MARKS=Yes. While earlier versions allow
101 such values in the OUTPUT chain, it is strongly recommended
102 that with HIGH_ROUTE_MARKS=Yes, you use the POSTROUTING chain
103 to apply traffic shaping marks/classification.
104 2. A classification Id (classid) of the form major:minor where
106 major and minor are integers. Corresponds to the 'class'
107 specification in these traffic shaping modules:
108 atm
110 cbq
111 dsmark
112 pfifo_fast
113 htb
114 prio
115 Classification occurs in the POSTROUTING chain except when the
117 SOURCE is $FW[:address] in which case classification occurs in
118 the OUTPUT chain.
119 When using Shorewall's built-in traffic shaping tool, the major
121 class is the device number (the first device in
122 shorewall-tcdevices[3](5) is major class 1, the second device
123 is major class 2, and so on) and the minor class is the class's
124 MARK value in shorewall-tcclasses[4](5) preceded by the number
125 1 (MARK 1 corresponds to minor class 11, MARK 5 corresponds to
126 minor class 15, MARK 22 corresponds to minor class 122, etc.).
127 3. RESTORE[/mask] -- restore the packet's mark from the
129 connection's mark using the supplied mask if any. Your kernel
130 and iptables must include CONNMARK support.
131 As in 1) above, may be followed by :P or :F
133 4. SAVE[/mask] -- save the packet's mark to the connection's mark
135 using the supplied mask if any. Your kernel and iptables must
136 include CONNMARK support.
137 As in 1) above, may be followed by :P or :F
139 5. CONTINUE Don't process any more marking rules –in the table.
141 As in 1) above, may be followed by :P or :F. Currently,
143 CONTINUE may not be used with exclusion (see the SOURCE and
144 DEST columns below); that restriction will be removed when
145 iptables/Netfilter provides the necessary support.
146 6. SAME Some websites run applications that require multiple
148 connections from a client browser. Where multiple 'balanced'
149 providers are configured, this can lead to problems when some
150 of the connections are routed through one provider and some
151 through another. The SAME target allows you to work around that
152 problem. SAME may be used in the PREROUTING and OUTPUT chains.
153 When used in PREROUTING, it causes matching connections from an
154 individual local system to all use the same provider. For
155 example:
156 #MARK/ SOURCE DEST PROTO DEST
158 #CLASSIFY PORT(S)
159 SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443
160 If a host in 192.168.1.0/24 attempts a connection on TCP port
162 80 or 443 and it has sent a packet on either of those ports in
163 the last five minutes then the new connection will use the same
164 provider as the connection over which that last packet was
165 sent.
166 When used in the OUTPUT chain, it causes all matching
168 connections to an individual remote system to all use the same
169 provider. For example:
170 #MARK/ SOURCE DEST PROTO DEST
172 #CLASSIFY PORT(S)
173 SAME $FW 0.0.0.0/0 tcp 80,443
174 If the firewall attempts a connection on TCP port 80 or 443 and
176 it has sent a packet on either of those ports in the last five
177 minutes to the same remote system then the new connection will
178 use the same provider as the connection over which that last
179 packet was sent.
180 7. COMMENT -- the rest of the line will be attached as a comment
182 to the Netfilter rule(s) generated by the following entries.
183 The comment will appear delimited by "/* ... */" in the output
184 of shorewall show mangle
185 To stop the comment from being attached to further rules,
187 simply include COMMENT on a line by itself.
188 8. IPMARK – Assigns a mark to each matching packet based on the
190 either the source or destination IP address. By default, it
191 assigns a mark value equal to the low-order 8 bits of the
192 source address. Default values are:
193 src
194 mask1 = 0xFF
195 mask2 = 0x00
196 shift = 0
197 'src' and 'dst' specify whether the mark is to be based on the
198 source or destination address respectively. The selected
199 address is first shifted to the right by shift bits. The result
200 is then LANDed with mask1 then LORed with mask2.
201 In a sense, the IPMARK target is more like an IPCLASSIFY target
203 in that the mark value is later interpreted as a class ID. A
204 packet mark is 32 bits wide; so is a class ID. The <major>
205 class occupies the high-order 16 bits and the <minor> class
206 occupies the low-order 16 bits. So the class ID 1:4ff (remember
207 that class IDs are always in hex) is equivalent to a mark value
208 of 0x104ff. Remember that Shorewall uses the interface number
209 as the <major> number where the first interface in tcdevices
210 has <major> number 1, the second has <major> number 2, and so
211 on.
212 The IPMARK target assigns a mark to each matching packet based
214 on the either the source or destination IP address. By default,
215 it assigns a mark value equal to the low-order 8 bits of the
216 source address. The syntax is as follows:
217 IPMARK[([{src|dst}][,[mask1][,[mask2][,[shift]]]])] Default
218 values are:
219 src
220 mask1 = 0xFF
221 mask2 = 0x00
222 shift = 0
223 src and dst specify whether the mark is to be based on the
224 source or destination address respectively. The selected
225 address is first shifted right by shift, then LANDed with mask1
226 and then LORed with mask2. The shift argument is intended to be
227 used primarily with IPv6 addresses.
228 Example: IPMARK(src,0xff,0x10100)
230 Suppose that the source IP address is 192.168.4.3 =
231 0xc0a80403; then
232 0xc0a80403 >> 0 = 0xc0a80403
233 0xc0a80403 LAND 0xFF = 0x03
234 0x03 LOR 0x0x10100 = 0x10103 or class ID
235 1:103
236 It is important to realize that, while class IDs are composed
237 of a major and a minor value, the set of values must be unique.
238 That is, the same numeric value cannot be used as both a major
239 and a minor number for the same interface unless class nesting
240 occurs (which is not currently possible with Shorewall). You
241 should keep this in mind when deciding how to map IP addresses
242 to class IDs.
243 For example, suppose that your internal network is
245 192.168.1.0/29 (host IP addresses 192.168.1.1 - 192.168.1.6).
246 Your first notion might be to use IPMARK(src,0xFF,0x10000) so
247 as to produce class IDs 1:1 through 1:6. But 1:1 is an invalid
248 class ID since the major and minor classes are equal. So you
249 might chose instent to use IPMARK(src,0xFF,0x10100) as in the
250 example above so that all of your minor classes will have a
251 value > 256.
252 9. TPROXY(mark[/mask][,[port][,[address]]])
254 Transparently redirects a packet without altering the IP
256 header. Requires a local provider to be defined in
257 shorewall-providers[5](5).
258 There are three parameters to TPROXY - only the first (mark) is
260 required:
261 · mark - the MARK value corresponding to the local provider
263 in shorewall-providers[5](5).
264 · port - the port on which the proxy server is listening. If
266 omitted, the original destination port.
267 · address - a local (to the firewall) IP address on which the
269 proxy server is listening. If omitted, the IP address of
270 the interface on which the request arrives.
271 SOURCE -
273 {-|{interface|$FW}|[{interface|$FW}:]address-or-range[,address-or-range]...}[exclusion]
274 May be:
275 1. An interface name - matches traffic entering the firewall on
277 the specified interface. May not be used in classify rules or
278 in rules using the :T chain qualifier.
279 2. A comma-separated list of host or network IP addresses or MAC
281 addresses. This form will not match traffic that originates on
282 the firewall itself unless either <major><minor> or the :T
283 chain qualifier is used in the MARK column.
284 Examples:.RS 4 0.0.0.0/0
286 192.168.1.0/24, 172.20.4.0/24
288 3. An interface name followed by a colon (":") followed by a
290 comma-separated list of host or network IP addresses or MAC
291 addresses. May not be used in classify rules or in rules using the
292 :T chain qualifier.
293 4. $FW optionally followed by a colon (":") and a comma-separated list
295 of host or network IP addresses. Matches packets originating on the
296 firewall. May not be used with a chain qualifier (:P, :F, etc.) in
297 the MARK column.
298 MAC addresses must be prefixed with "~" and use "-" as a separator.
300 Example: ~00-A0-C9-15-39-78
302 You may exclude certain hosts from the set already defined through use
304 of an exclusion (see shorewall-exclusion[6](5)).
305 DEST -
307 {-|{interface|$FW}|[{interface|$FW}:]address-or-range[,address-or-range]...}[exclusion]
308 May be:
309 1. An interface name. May not be used in the PREROUTING chain (:P
311 in the mark column or no chain qualifier and
312 MARK_IN_FORWARD_CHAIN=No in shorewall.conf[7] (5)). The
313 interface name may be optionally followed by a colon (":") and
314 an IP address list.
315 2. A comma-separated list of host or network IP addresses. The
317 list may include ip address ranges if your kernel and iptables
318 include iprange support.
319 3. Beginning with Shorewall 4.4.13, $FW may be specified by itself
321 or qualified by an address list. This causes marking to occur
322 in the INPUT chain.
323 You may exclude certain hosts from the set already defined through
325 use of an exclusion (see shorewall-exclusion[6](5)).
326 PROTO -
328 {-|tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}
329 Protocol - ipp2p requires ipp2p match support in your kernel and
330 iptables.
331 PORT(S) (Optional) -
333 [-|port-name-number-or-range[,port-name-number-or-range]...]
334 Destination Ports. A comma-separated list of Port names (from
335 services(5)), port numbers or port ranges; if the protocol is icmp,
336 this column is interpreted as the destination icmp-type(s). ICMP
337 types may be specified as a numeric type, a numberic type and code
338 separated by a slash (e.g., 3/4), or a typename. See
339 http://www.shorewall.net/configuration_file_basics.htm#ICMP.
340 If the protocol is ipp2p, this column is interpreted as an ipp2p
342 option without the leading "--" (example bit for bit-torrent). If
343 no PORT is given, ipp2p is assumed.
344 An entry in this field requires that the PROTO column specify icmp
346 (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any
347 of the following field is supplied.
348 SOURCE PORT(S) (Optional) -
350 [-|port-name-number-or-range[,port-name-number-or-range]...]
351 Source port(s). If omitted, any source port is acceptable.
352 Specified as a comma-separated list of port names, port numbers or
353 port ranges.
354 An entry in this field requires that the PROTO column specify tcp
356 (6), udp (17), sctp (132) or udplite (136). Use '-' if any of the
357 following fields is supplied.
358 USER (Optional) -
360 [!][user-name-or-number][:group-name-or-number][+program-name]
361 This column may only be non-empty if the SOURCE is the firewall
362 itself.
363 When this column is non-empty, the rule applies only if the program
365 generating the output is running under the effective user and/or
366 group specified (or is NOT running under that id if "!" is given).
367 Examples:
369 joe
371 program must be run by joe
372 :kids
374 program must be run by a member of the 'kids' group
375 !:kids
377 program must not be run by a member of the 'kids' group
378 +upnpd
380 #program named upnpd
381 Important
383 The ability to specify a program name was removed from
384 Netfilter in kernel version 2.6.14.
385 TEST (Optional) - [!]value[/mask][:C]
387 Defines a test on the existing packet or connection mark. The rule
388 will match only if the test returns true.
389 If you don't want to define a test but need to specify anything in
391 the following columns, place a "-" in this field.
392 !
394 Inverts the test (not equal)
395 value
397 Value of the packet or connection mark.
398 mask
400 A mask to be applied to the mark before testing.
401 :C
403 Designates a connection mark. If omitted, the packet mark's
404 value is tested.
405 LENGTH (Optional) - [length|[min]:[max]]
407 Packet Length. This field, if present allow you to match the length
408 of a packet against a specific value or range of values. You must
409 have iptables length support for this to work. A range is specified
410 in the form min:max where either min or max (but not both) may be
411 omitted. If min is omitted, then 0 is assumed; if max is omitted,
412 than any packet that is min or longer will match.
413 TOS (Optional) - tos
415 Type of service. Either a standard name, or a numeric value to
416 match.
417 Minimize-Delay (16)
419 Maximize-Throughput (8)
420 Maximize-Reliability (4)
421 Minimize-Cost (2)
422 Normal-Service (0)
423 CONNBYTES (Optional) - [!]min:[max[:{O|R|B}[:{B|P|A}]]]
425 Connection Bytes; defines a byte or packet range that the
426 connection must fall within in order for the rule to match.
427 A packet matches if the the packet/byte count is within the range
429 defined by min and max (unless ! is given in which case, a packet
430 matches if the packet/byte count is not within the range). min is
431 an integer which defines the beginning of the byte/packet range.
432 max is an integer which defines the end of the byte/packet range;
433 if omitted, only the beginning of the range is checked. The first
434 letter gives the direction which the range refers to:O - The
435 original direction of the connection. .sp - The opposite direction
436 from the original connection. .sp B - The total of both directions.
437 If omitted, B is assumed.
439 The second letter determines what the range refers to.B - Bytes .sp
441 P - Packets .sp A - Average packet size.If omitted, B is assumed.
442 HELPER (Optional) - helper
444 Names a Netfiler protocol helper module such as ftp, sip, amanda,
445 etc. A packet will match if it was accepted by the named helper
446 module. You can also append "-" and a port number to the helper
447 module name (e.g., ftp-21) to specify the port number that the
448 original connection was made on.
449 Example: Mark all FTP data connections with mark 4:
451 #MARK/ SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
453 #CLASSIFY PORT(S)
454 4:T 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftp
455
457 Example 1:
458 Mark all ICMP echo traffic with packet mark 1. Mark all peer to
459 peer traffic with packet mark 4.
460 This is a little more complex than otherwise expected. Since the
462 ipp2p module is unable to determine all packets in a connection are
463 P2P packets, we mark the entire connection as P2P if any of the
464 packets are determined to match.
465 We assume packet/connection mark 0 means unclassified.
467 #MARK/ SOURCE DEST PROTO PORT(S) SOURCE USER TEST
469 #CLASSIFY PORT(S)
470 1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-request
471 1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
472 RESTORE:T 0.0.0.0/0 0.0.0.0/0 all - - - 0
473 CONTINUE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0
474 4:T 0.0.0.0/0 0.0.0.0/0 ipp2p:all
475 SAVE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0
476 If a packet hasn't been classifed (packet mark is 0), copy the
478 connection mark to the packet mark. If the packet mark is set,
479 we're done. If the packet is P2P, set the packet mark to 4. If the
480 packet mark has been set, save it to the connection mark.
481
483 /etc/shorewall/tcrules
484
486 http://shorewall.net/traffic_shaping.htm
487 http://shorewall.net/MultiISP.html
489 http://shorewall.net/PacketMarking.html
491 shorewall(8), shorewall-accounting(5), shorewall-actions(5),
493 shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
494 shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
495 shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
496 shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
497 shorewall-providers(5), shorewall-proxyarp(5),
498 shorewall-route_rules(5), shorewall-routestopped(5),
499 shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
500 shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tos(5),
501 shorewall-tunnels(5), shorewall-zones(5)
502
504 1. shorewall-rules
505 http://www.shorewall.net/manpages/shorewall-rules.html
506 2. shorewall.conf
508 http://www.shorewall.net/manpages/shorewall.conf.html
509 3. shorewall-tcdevices
511 http://www.shorewall.net/manpages/shorewall-tcdevices.html
512 4. shorewall-tcclasses
514 http://www.shorewall.net/manpages/shorewall-tcclasses.html
515 5. shorewall-providers
517 http://www.shorewall.net/manpages/shorewall-providers.html
518 6. shorewall-exclusion
520 http://www.shorewall.net/manpages/shorewall-exclusion.html
521 7. shorewall.conf
523 http://www.shorewall.net/manpages/shorewall.conf
524[FIXME: source] 09/16/2011 SHOREWALL-TCRULES(5)