1SHOREWALL-MANGLE(5) Configuration Files SHOREWALL-MANGLE(5)
2
6 mangle - Shorewall Packet marking/mangling rules file
7
9 /etc/shorewall[6]/mangle
10
12 This file was introduced in Shorewall 4.6.0 and replaces
13 shorewall-tcrules(5)[1]. This file is only processed by the compiler
14 if:
15 Entries in this file cause packets to be marked as a means of
17 classifying them for traffic control or policy routing.
18 Important
20 Unlike rules in the shorewall-rules[2](5) file, evaluation of rules
21 in this file will continue after a match. So the final mark for
22 each packet will be the one assigned by the LAST tcrule that
23 matches.
24 If you use multiple internet providers with the 'track' option, in
26 /etc/shorewall/providers be sure to read the restrictions at
27 http://www.shorewall.net/MultiISP.html[3].
28 The columns in the file are as follows (where the column name is
30 followed by a different name in parentheses, the different name is used
31 in the alternate specification syntax).
32 ACTION - command[(parameters)][:chain-designator]
34 The chain-designator indicates the Netfilter chain that the entry
35 applies to and may be one of the following:
36 P
38 PREROUTING chain.
39 F
41 FORWARD chain.
42 T
44 POSTROUTING chain.
45 I
47 INPUT chain.
48 Unless otherwise specified for the particular command, the default
50 chain is PREROUTING when MARK_IN_FORWARD_CHAIN=No in
51 shorewall.conf(5)[4], and FORWARD when MARK_IN_FORWARD_CHAIN=Yes.
52 A chain-designator may not be specified if the SOURCE or DEST
54 columns begin with '$FW'. When the SOURCE is $FW, the generated
55 rule is always placed in the OUTPUT chain. If DEST is '$FW', then
56 the rule is placed in the INPUT chain. Additionally, a
57 chain-designator may not be specified in an action body.
58 Where a command takes parameters, those parameters are enclosed in
60 parentheses ("(....)") and separated by commas.
61 The command may be one of the following.
63 action[([param[,...])]
65 Added in Shorewall 5.0.7. action must be an action declared
66 with the mangle option in shorewall-actions(5)[5]. If the
67 action accepts parameters, they are specified as a
68 comma-separated list within parentheses following the action
69 name.
70 ADD(ipset:flags)
72 Added in Shorewall 4.6.7. Causes addresses and/or port numbers
73 to be added to the named ipset. The flags specify the address
74 or tuple to be added to the set and must match the type of
75 ipset involved. For example, for an iphash ipset, either the
76 SOURCE or DESTINATION address can be added using flags src or
77 dst respectively (see the -A command in ipset (8)).
78 ADD is non-terminating. Even if a packet matches the rule, it
80 is passed on to the next rule.
81 CHECKSUM
83 Compute and fill in the checksum in a packet that lacks a
84 checksum. This is particularly useful if you need to work
85 around old applications, such as dhcp clients, that do not work
86 well with checksum offloads, but you don't want to disable
87 checksum offload in your device.
88 Requires 'Checksum Target' support in your kernel and iptables.
90 CLASSIFY(classid)
92 A classification Id (classid) is of the form major:minor where
93 major and minor are integers. Corresponds to the 'class'
94 specification in these traffic shaping modules:
95 atm
97 cbq
98 dsmark
99 pfifo_fast
100 htb
101 prio
102 Classification occurs in the POSTROUTING chain except when the
104 SOURCE is $FW[:address] in which case classification occurs in
105 the OUTPUT chain.
106 When using Shorewall's built-in traffic shaping tool, the major
108 class is the device number (the first device in
109 shorewall-tcdevices[6](5) is major class 1, the second device
110 is major class 2, and so on) and the minor class is the class's
111 MARK value in shorewall-tcclasses[7](5) preceded by the number
112 1 (MARK 1 corresponds to minor class 11, MARK 5 corresponds to
113 minor class 15, MARK 22 corresponds to minor class 122, etc.).
114 ?COMMENT
116 The rest of the line will be attached as a comment to the
117 Netfilter rule(s) generated by the following entries. The
118 comment will appear delimited by "/* ... */" in the output of
119 shorewall show mangle
120 To stop the comment from being attached to further rules,
122 simply include ?COMMENT on a line by itself.
123 CONMARK({mark|range})
125 Identical to MARK with the exception that the mark is assigned
126 to connection to which the packet belongs is marked rather than
127 to the packet itself.
128 CONTINUE
130 Don't process any more marking rules in the table.
131 Currently, CONTINUE may not be used with exclusion (see the
133 SOURCE and DEST columns below); that restriction will be
134 removed when iptables/Netfilter provides the necessary support.
135 DEL(ipset:flags)
137 Added in Shorewall 4.6.7. Causes an entry to be deleted from
138 the named ipset. The flags specify the address or tuple to be
139 deleted from the set and must match the type of ipset involved.
140 For example, for an iphash ipset, either the SOURCE or
141 DESTINATION address can be deleted using flags src or dst
142 respectively (see the -D command in ipset (8)).
143 DEL is non-terminating. Even if a packet matches the rule, it
145 is passed on to the next rule.
146 DIVERT
148 Two DIVERT rule should precede the TPROXY rule and should
149 select DEST PORT tcp 80 and SOURCE PORT tcp 80 respectively
150 (assuming that tcp port 80 is being proxied). DIVERT avoids
151 sending packets to the TPROXY target once a socket connection
152 to Squid3 has been established by TPROXY. DIVERT marks the
153 packet with a unique mark and exempts it from any rules that
154 follow.
155 DIVERTHA
157 Added in Shorewall 5.0.4. To setup the HAProxy configuration
158 described at
159 http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x,
160 place this entry in shorewall-providers(5)[8]:
161 #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
163 TProxy 1 - - lo - tproxy
164 and use this DIVERTHA entry:
166 #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP
168 DIVERTHA - - tcp
169 DROP
171 Causes matching packets to be discarded.
172 DSCP(dscp)
174 Sets the Differentiated Services Code Point field in the IP
175 header. The dscp value may be given as an even number (hex or
176 decimal) or as the name of a DSCP class. Valid class names and
177 their associated hex numeric values are:
178 CS0 => 0x00
180 CS1 => 0x08
181 CS2 => 0x10
182 CS3 => 0x18
183 CS4 => 0x20
184 CS5 => 0x28
185 CS6 => 0x30
186 CS7 => 0x38
187 BE => 0x00
188 AF11 => 0x0a
189 AF12 => 0x0c
190 AF13 => 0x0e
191 AF21 => 0x12
192 AF22 => 0x14
193 AF23 => 0x16
194 AF31 => 0x1a
195 AF32 => 0x1c
196 AF33 => 0x1e
197 AF41 => 0x22
198 AF42 => 0x24
199 AF43 => 0x26
200 EF => 0x2e
201 To indicate more than one class, add their hex values together
203 and specify the result. By default, DSCP rules are placed in
204 the POSTROUTING chain.
205 ECN
207 Added in Shorewall 5.0.6 as an alternative to entries in
208 shorewall-ecn(5)[9]. If a PROTO is specified, it must be 'tcp'
209 (6). If no PROTO is supplied, TCP is assumed. This action
210 causes all ECN bits in the TCP header to be cleared.
211 IMQ(number)
213 Specifies that the packet should be passed to the IMQ
214 identified by number. Requires IMQ Target support in your
215 kernel and iptables.
216 INLINE[(action)]
218 Allows you to place your own ip[6]tables matches at the end of
219 the line following a semicolon (";") (deprecated) or two
220 semicolons (";;") (preferred since Shoreall 5.0.0). If an
221 action is specified, the compiler proceeds as if that action
222 had been specified in this column. If no action is specified,
223 then you may include your own jump ("-j target [option] ...")
224 after any matches specified at the end of the rule. If the
225 target is not one known to Shorewall, then it must be defined
226 as a builtin action in shorewall-actions[10] (5).
227 The following rules are equivalent:
229 2:P eth0 - tcp 22
231 INLINE(MARK(2)):P eth0 - tcp 22
232 INLINE(MARK(2)):P eth0 - ;; -p tcp
233 INLINE eth0 - tcp 22 ;; -j MARK --set-mark 2
234 INLINE eth0 - ;; -p tcp -j MARK --set-mark 2
235 IPMARK
237 Assigns a mark to each matching packet based on the either the
238 source or destination IP address. By default, it assigns a mark
239 value equal to the low-order 8 bits of the source address.
240 Default values are:
241 src
242 mask1 = 0xFF
243 mask2 = 0x00
244 shift = 0
245 'src' and 'dst' specify whether the mark is to be based on the
246 source or destination address respectively. The selected
247 address is first shifted to the right by shift bits. The result
248 is then LANDed with mask1 then LORed with mask2.
249 In a sense, the IPMARK target is more like an IPCLASSIFY target
251 in that the mark value is later interpreted as a class ID. A
252 packet mark is 32 bits wide; so is a class ID. The <major>
253 class occupies the high-order 16 bits and the <minor> class
254 occupies the low-order 16 bits. So the class ID 1:4ff (remember
255 that class IDs are always in hex) is equivalent to a mark value
256 of 0x104ff. Remember that Shorewall uses the interface number
257 as the <major> number where the first interface in tcdevices
258 has <major> number 1, the second has <major> number 2, and so
259 on.
260 The IPMARK target assigns a mark to each matching packet based
262 on the either the source or destination IP address. By default,
263 it assigns a mark value equal to the low-order 8 bits of the
264 source address. The syntax is as follows:
265 IPMARK[([{src|dst}][,[mask1][,[mask2][,[shift]]]])] Default
266 values are:
267 src
268 mask1 = 0xFF
269 mask2 = 0x00
270 shift = 0
271 src and dst specify whether the mark is to be based on the
272 source or destination address respectively. The selected
273 address is first shifted right by shift, then LANDed with mask1
274 and then LORed with mask2. The shift argument is intended to be
275 used primarily with IPv6 addresses.
276 Example: IPMARK(src,0xff,0x10100)
278 Suppose that the source IP address is 192.168.4.3
279 = 0xc0a80403; then
280 0xc0a80403 >> 0 = 0xc0a80403
281 0xc0a80403 LAND 0xFF = 0x03
282 0x03 LOR 0x10100 = 0x10103 or class ID
283 1:103
284 It is important to realize that, while class IDs are composed
285 of a major and a minor value, the set of values must be unique.
286 That is, the same numeric value cannot be used as both a major
287 and a minor number for the same interface unless class nesting
288 occurs (which is not currently possible with Shorewall). You
289 should keep this in mind when deciding how to map IP addresses
290 to class IDs.
291 For example, suppose that your internal network is
293 192.168.1.0/29 (host IP addresses 192.168.1.1 - 192.168.1.6).
294 Your first notion might be to use IPMARK(src,0xFF,0x10000) so
295 as to produce class IDs 1:1 through 1:6. But 1:1 is an invalid
296 class ID since the major and minor classes are equal. So you
297 might choose instead to use IPMARK(src,0xFF,0x10100) as in the
298 example above so that all of your minor classes will have a
299 value > 256.
300 IP6TABLES({target [option ...])
302 IPv6 only.
303 This action allows you to specify an iptables target with
305 options (e.g., 'IP6TABLES(MARK --set-xmark 0x01/0xff)'. If the
306 target is not one recognized by Shorewall, the following error
307 message will be issued:
308 ERROR: Unknown target
309 (target)
310 This error message may be eliminated by adding the target as a
311 builtin action in shorewall-actions(5)[10].
312 IPTABLES({target [option ...])
314 IPv4 only.
315 This action allows you to specify an iptables target with
317 options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If the
318 target is not one recognized by Shorewall, the following error
319 message will be issued:
320 ERROR: Unknown target
321 (target)
322 This error message may be eliminated by adding the target as a
323 builtin action in shorewall-actions(5)[10].
324 MARK({mark|range})
326 where mark is a packet mark value.
327 Normally will set the mark value. If preceded by a vertical bar
329 ("|"), the mark value will be logically ORed with the current
330 mark value to produce a new mark value. If preceded by an
331 ampersand ("&"), will be logically ANDed with the current mark
332 value to produce a new mark value.
333 Both "|" and "&" require Extended MARK Target support in your
335 kernel and iptables.
336 The mark value may be optionally followed by "/" and a mask
338 value (used to determine those bits of the connection mark to
339 actually be set). When a mask is specified, the result of
340 logically ANDing the mark value with the mask must be the same
341 as the mark value.
342 A mark range is a pair of integers separated by a dash ("-").
344 May be optionally followed by a slash ("/") and a mask and
346 requires the Statistics Match capability in iptables and
347 kernel. Marks in the specified range are assigned to packets on
348 a round-robin fashion.
349 When a mask is specified, the result of logically ANDing each
351 mark value with the mask must be the same as the mark value.
352 The least significant bit in the mask is used as an increment.
353 For example, if '0x200-0x400/0xff00' is specified, then the
354 assigned mark values are 0x200, 0x300 and 0x400 in equal
355 proportions. If no mask is specified, then ( 2 ** MASK_BITS ) -
356 1 is assumed (MASK_BITS is set in shorewall.conf[4](5)).
357 NFLOG[(nflog-parameters)]
359 Added in Shorewall 5.0.9. Logs matching packets using NFLOG.
360 The nflog-parameters are a comma-separated list of up to 3
361 numbers:
362 · The first number specifies the netlink group (0-65535). If
364 omitted (e.g., NFLOG(,0,10)) then a value of 0 is assumed.
365 · The second number specifies the maximum number of bytes to
367 copy. If omitted, 0 (no limit) is assumed.
368 · The third number specifies the number of log messages that
370 should be buffered in the kernel before they are sent to
371 user space. The default is 1.
372 RESTORE[(mask)]
374 Restore the packet's mark from the connection's mark using the
375 supplied mask if any. Your kernel and iptables must include
376 CONNMARK support.
377 SAME[(timeout)]
379 Some websites run applications that require multiple
380 connections from a client browser. Where multiple 'balanced'
381 providers are configured, this can lead to problems when some
382 of the connections are routed through one provider and some
383 through another. The SAME target allows you to work around that
384 problem. SAME may be used in the PREROUTING and OUTPUT chains.
385 When used in PREROUTING, it causes matching connections from an
386 individual local system to all use the same provider. For
387 example:
388 #ACTION SOURCE DEST PROTO DPORT
390 SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443
391 If a host in 192.168.1.0/24 attempts a connection on TCP port
393 80 or 443 and it has sent a packet on either of those ports in
394 the last five minutes then the new connection will use the same
395 provider as the connection over which that last packet was
396 sent.
397 When used in the OUTPUT chain, it causes all matching
399 connections to an individual remote system to all use the same
400 provider. For example:
401 #ACTION SOURCE DEST PROTO DPORT
403 SAME $FW 0.0.0.0/0 tcp 80,443
404 The optional timeout parameter was added in Shorewall 4.6.7 and
406 specifies a number of seconds . When not specified, a value of
407 300 seconds (5 minutes) is assumed. If the firewall attempts a
408 connection on TCP port 80 or 443 and it has sent a packet on
409 either of those ports in the last timeout seconds to the same
410 remote system then the new connection will use the same
411 provider as the connection over which that last packet was
412 sent.
413 SAVE[(mask)]
415 Save the packet's mark to the connection's mark using the
416 supplied mask if any. Your kernel and iptables must include
417 CONNMARK support.
418 TCPMSS([mss[,ipsec]])
420 Added in Shorewall 5.1.9. This target only applies to TCP
421 traffic and alters the MSS value in SYN packets. It may be used
422 in the FORWARD and POSTROUTING chains; the default is FORWARD.
423 The mss parameter may be either pmtu or an integer in the range
425 500:65533. The value pmtu automatically clamps the MSS value to
426 (path_MTU - 40 for IPv4; -60 for IPv6). This may not function
427 as desired where asymmetric routes with differing path MTU
428 exist — the kernel uses the path MTU which it would use to send
429 packets from itself to the source and destination IP addresses.
430 Prior to Linux 2.6.25, only the path MTU to the destination IP
431 address was considered by this option; subsequent kernels also
432 consider the path MTU to the source IP address. If an integer
433 is given, the MSS option is set to the specified value. If the
434 MSS of the packet is already lower than mss, it will not be
435 increased (from Linux 2.6.25 onwards) to avoid more problems
436 with hosts relying on a proper MSS. If mss is omitted, pmtu is
437 assumed.
438 The ipsec parameter determines whether the rule applies to
440 IPSEC traffic (ipsec is passed), non-IPSEC traffic (none is
441 passed) or both (all is passed). If omitted, all is assumed.
442 TOS(tos[/mask])
444 Sets the Type of Service field in the IP header. The tos value
445 may be given as an number (hex or decimal) or as the name of a
446 TOS type. Valid type names and their associated hex numeric
447 values are:
448 Minimize-Delay => 0x10,
450 Maximize-Throughput => 0x08,
451 Maximize-Reliability => 0x04,
452 Minimize-Cost => 0x02,
453 Normal-Service => 0x00
454 To indicate more than one class, add their hex values together
456 and specify the result.
457 When tos is given as a number, it may be optionally followed by
459 '/' and a mask. When no mask is given, the value 0xff is
460 assumed. When tos is given as a type name, the mask 0x3f is
461 assumed.
462 The action performed is to zero out the bits specified by the
464 mask, then set the bits specified by tos.
465 TPROXY([port[,address]])
467 Transparently redirects a packet without altering the IP
468 header. Requires a tproxy provider to be defined in
469 shorewall-providers[8](5).
470 There are three parameters to TPROXY - neither is required:
472 · port - the port on which the proxy server is listening. If
474 omitted, the original destination port.
475 · address - a local (to the firewall) IP address on which the
477 proxy server is listening. If omitted, the IP address of
478 the interface on which the request arrives.
479 TTL([-|+]number)
481 If + is included, packets matching the rule will have their TTL
482 incremented by number. Similarly, if - is included, matching
483 packets have their TTL decremented by number. If neither + nor
484 - is given, the TTL of matching packets is set to number. The
485 valid range of values for number is 1-255.
486 SOURCE - {-|source-spec[,...]}
488 where source-spec is one of:
489 interface
491 where interface is the logical name of an interface defined in
492 shorewall-interfaces[11](5). Matches packets entering the
493 firewall from the named interface. May not be used in CLASSIFY
494 rules or in rules using the :T chain qualifier.
495 address[,...][exclusion]
497 where address is: A host or network IP address.
498 The name of an ipset preceded by a plus sign ("+").
500 A MAC address in Shorewall format (preceded by a tilde ("~")
502 and using dash ("-") as a separator (e.g., ~00-A0-C9-15-39-78).
503 Matches traffic whose source IP address matches one of the
504 listed addresses and that does not match an address listed in
505 the exclusion (see shorewall-exclusion[12](5)).
506 This form will not match traffic that originates on the
508 firewall itself unless either <major><minor> or the :T chain
509 qualifier is used in the ACTION column.
510 interface:address,[...][exclusion]
512 This form combines the preceding two forms and matches when
513 both the incoming interface and source IP address match.
514 interface:exclusion
516 This form matches packets arriving through the named interface
517 and whose source IP address does not match any of the addresses
518 in the exclusion.
519 $FW
521 Matches packets originating on the firewall system. May not be
522 used with a chain qualifier (:P, :F, etc.) in the ACTION
523 column.
524 $FW:address[,...][exclusion]
526 where address is as above (MAC addresses are not permitted).
527 Matches packets originating on the firewall and whose source IP
528 address matches one of the listed addresses and does not match
529 any address listed in the exclusion. May not be used with a
530 chain qualifier (:P, :F, etc.) in the ACTION column.
531 $FW:exclusion
533 Matches traffic originating on the firewall, provided that the
534 source IP address does not match any address listed in the
535 exclusion.
536 Beginning with Shorewall 5.1.0, multiple source_specs, separated by
538 commas, may be given provided that the following alternative forms
539 are used: (address[,...][exclusion])
540 interface:(address[,...][exclusion])
542 interface:(exclusion)
544 $FW:(address[,...][exclusion])
546 $FW:(exclusion)
548 DEST - {-|dest-spec[,...]}
550 where dest-spec is one of:
551 interface
553 where interface is the logical name of an interface defined in
554 shorewall-interfaces[11](5). Matches packets leaving the
555 firewall through the named interface. May not be used in the
556 PREROUTING chain (:P in the mark column or no chain qualifier
557 and MARK_IN_FORWARD_CHAIN=No in shorewall.conf[13] (5)).
558 address[,...][exclusion]
560 where address is: A host or network IP address.
561 The name of an ipset preceded by a plus sign ("+").
563 A MAC address in Shorewall format (preceded by a tilde ("~")
565 and using dash ("-") as a separator (e.g., ~00-A0-C9-15-39-78).
566 Matches traffic whose destination IP address matches one of the
567 listed addresses and that does not match an address listed in
568 the exclusion (see shorewall-exclusion[12](5)).
569 interface:address,[...][exclusion]
571 This form combines the preceding two forms and matches when
572 both the outgoing interface and destination IP address match.
573 May not be used in the PREROUTING chain (:P in the mark column
574 or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in
575 shorewall.conf[13] (5)).
576 interface:exclusion
578 This form matches packets leaving through the named interface
579 and whose destination IP address does not match any of the
580 addresses in the exclusion. May not be used in the PREROUTING
581 chain (:P in the mark column or no chain qualifier and
582 MARK_IN_FORWARD_CHAIN=No in shorewall.conf[13] (5)).
583 $FW
585 Matches packets originating on the firewall system. May not be
586 used with a chain qualifier (:P, :F, etc.) in the ACTION
587 column.
588 $FW:address[,...][exclusion]
590 where address is as above (MAC addresses are not permitted).
591 Matches packets destined for the firewall and whose destination
592 IP address matches one of the listed addresses and does not
593 match any address listed in the exclusion. May not be used with
594 a chain qualifier (:P, :F, etc.) in the ACTION column.
595 $FW:exclusion
597 Matches traffic destined for the firewall, provided that the
598 destination IP address does not match any address listed in the
599 exclusion.
600 Beginning with Shorewall 5.1.0, multiple dest_specs, separated by
602 commas, may be given provided that the following alternative forms
603 are used: (address[,...][exclusion])
604 interface:(address[,...][exclusion])
606 interface:(exclusion)
608 $FW:(address[,...][exclusion])
610 $FW:(exclusion)
612 PROTO -
614 {-|{tcp:[!]syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}[,...]}
615 See shorewall-rules(5)[2] for details.
616 Beginning with Shorewall 4.5.12, this column can accept a
618 comma-separated list of protocols.
619 DPORT-
621 {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset}
622 Optional destination Ports. A comma-separated list of Port names
623 (from services(5)), port numbers or port ranges; if the protocol is
624 icmp, this column is interpreted as the destination icmp-type(s).
625 ICMP types may be specified as a numeric type, a numeric type and
626 code separated by a slash (e.g., 3/4), or a typename. See
627 http://www.shorewall.net/configuration_file_basics.htm#ICMP[14].
628 If the protocol is ipp2p, this column is interpreted as an ipp2p
630 option without the leading "--" (example bit for bit-torrent). If
631 no PORT is given, ipp2p is assumed.
632 An entry in this field requires that the PROTO column specify icmp
634 (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any
635 of the following field is supplied.
636 Beginning with Shorewall 4.6.0, an ipset name can be specified in
638 this column. This is intended to be used with bitmap:port ipsets.
639 This column was formerly named DEST PORT(S).
641 SPORT -
643 {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset}
644 Optional source port(s). If omitted, any source port is acceptable.
645 Specified as a comma-separated list of port names, port numbers or
646 port ranges.
647 An entry in this field requires that the PROTO column specify tcp
649 (6), udp (17), sctp (132) or udplite (136). Use '-' if any of the
650 following fields is supplied.
651 Beginning with Shorewall 4.5.15, you may place '=' in this column,
653 provided that the DPORT column is non-empty. This causes the rule
654 to match when either the source port or the destination port in a
655 packet matches one of the ports specified in DEST PORTS(S). Use of
656 '=' requires multi-port match in your iptables and kernel.
657 Beginning with Shorewall 4.6.0, an ipset name can be specified in
659 this column. This is intended to be used with bitmap:port ipsets.
660 This column was formerly labelled SOURCE PORT(S).
662 USER - [!][user-name-or-number][:group-name-or-number][+program-name]
664 This optional column may only be non-empty if the SOURCE is the
665 firewall itself.
666 When this column is non-empty, the rule applies only if the program
668 generating the output is running under the effective user and/or
669 group specified (or is NOT running under that id if "!" is given).
670 Examples:
672 joe
674 program must be run by joe
675 :kids
677 program must be run by a member of the 'kids' group
678 !:kids
680 program must not be run by a member of the 'kids' group
681 +upnpd
683 #program named upnpd
684 Important
686 The ability to specify a program name was removed from
687 Netfilter in kernel version 2.6.14.
688 TEST - [!]value[/mask][:C]
690 Optional - Defines a test on the existing packet or connection
691 mark. The rule will match only if the test returns true.
692 If you don't want to define a test but need to specify anything in
694 the following columns, place a "-" in this field.
695 !
697 Inverts the test (not equal)
698 value
700 Value of the packet or connection mark.
701 mask
703 A mask to be applied to the mark before testing.
704 :C
706 Designates a connection mark. If omitted, the packet mark's
707 value is tested.
708 LENGTH - [length|[min]:[max]]
710 Optional - packet payload length. This field, if present allow you
711 to match the length of a packet payload (Layer 4 data ) against a
712 specific value or range of values. You must have iptables length
713 support for this to work. A range is specified in the form min:max
714 where either min or max (but not both) may be omitted. If min is
715 omitted, then 0 is assumed; if max is omitted, than any packet that
716 is min or longer will match.
717 TOS - tos
719 Type of service. Either a standard name, or a numeric value to
720 match.
721 Minimize-Delay (16)
723 Maximize-Throughput (8)
724 Maximize-Reliability (4)
725 Minimize-Cost (2)
726 Normal-Service (0)
727 CONNBYTES - [!]min:[max[:{O|R|B}[:{B|P|A}]]]
729 Optional connection Bytes; defines a byte or packet range that the
730 connection must fall within in order for the rule to match.
731 A packet matches if the the packet/byte count is within the range
733 defined by min and max (unless ! is given in which case, a packet
734 matches if the packet/byte count is not within the range). min is
735 an integer which defines the beginning of the byte/packet range.
736 max is an integer which defines the end of the byte/packet range;
737 if omitted, only the beginning of the range is checked. The first
738 letter gives the direction which the range refers to:O - The
739 original direction of the connection. .sp - The opposite direction
740 from the original connection. .sp B - The total of both directions.
741 If omitted, B is assumed.
743 The second letter determines what the range refers to.B - Bytes .sp
745 P - Packets .sp A - Average packet size.If omitted, B is assumed.
746 HELPER - helper
748 Names a Netfilter protocol helper module such as ftp, sip, amanda,
749 etc. A packet will match if it was accepted by the named helper
750 module.
751 Example: Mark all FTP data connections with mark 4:
753 #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER
755 4:T 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftp
756 PROBABILITY - [probability]
758 Added in Shorewall 4.5.0. When non-empty, requires the Statistics
759 Match capability in your kernel and ip6tables and causes the rule
760 to match randomly but with the given probability. The probability
761 is a number 0 < probability <= 1 and may be expressed at up to 8
762 decimal points of precision.
763 DSCP - [[!]dscp]
765 Added in Shorewall 4.5.1. When non-empty, match packets whose
766 Differentiated Service Code Point field matches the supplied value
767 (when '!' is given, the rule matches packets whose DSCP field does
768 not match the supplied value). The dscp value may be given as an
769 even number (hex or decimal) or as the name of a DSCP class. Valid
770 class names and their associated hex numeric values are:
771 CS0 => 0x00
773 CS1 => 0x08
774 CS2 => 0x10
775 CS3 => 0x18
776 CS4 => 0x20
777 CS5 => 0x28
778 CS6 => 0x30
779 CS7 => 0x38
780 BE => 0x00
781 AF11 => 0x0a
782 AF12 => 0x0c
783 AF13 => 0x0e
784 AF21 => 0x12
785 AF22 => 0x14
786 AF23 => 0x16
787 AF31 => 0x1a
788 AF32 => 0x1c
789 AF33 => 0x1e
790 AF41 => 0x22
791 AF42 => 0x24
792 AF43 => 0x26
793 EF => 0x2e
794 STATE -- {NEW|RELATED|ESTABLISHED|INVALID} [,...]
796 The rule will only match if the packet's connection is in one of
797 the listed states.
798 TIME - timeelement[&timeelement...]
800 Added in Shorewall 4.6.2.
801 May be used to limit the rule to a particular time period each day,
803 to particular days of the week or month, or to a range defined by
804 dates and times. Requires time match support in your kernel and
805 ip6tables.
806 timeelement may be:
808 timestart=hh:mm[:ss]
810 Defines the starting time of day.
811 timestop=hh:mm[:ss]
813 Defines the ending time of day.
814 contiguous
816 Added in Shoreawll 5.0.12. When timestop is smaller than
817 timestart value, match this as a single time period instead of
818 distinct intervals.
819 utc
821 Times are expressed in Greenwich Mean Time.
822 localtz
824 Deprecated by the Netfilter team in favor of kerneltz. Times
825 are expressed in Local Civil Time (default).
826 kerneltz
828 Added in Shorewall 4.5.2. Times are expressed in Local Kernel
829 Time (requires iptables 1.4.12 or later).
830 weekdays=ddd[,ddd]...
832 where ddd is one of Mon, Tue, Wed, Thu, Fri, Sat or Sun
833 monthdays=dd[,dd],...
835 where dd is an ordinal day of the month
836 datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
838 Defines the starting date and time.
839 datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
841 Defines the ending date and time.
842 SWITCH - [!]switch-name[={0|1}]
844 Added in Shorewall 5.1.0 and allows enabling and disabling the rule
845 without requiring shorewall restart.
846 The rule is enabled if the value stored in
848 /proc/net/nf_condition/switch-name is 1. The rule is disabled if
849 that file contains 0 (the default). If '!' is supplied, the test is
850 inverted such that the rule is enabled if the file contains 0.
851 Within the switch-name, '@0' and '@{0}' are replaced by the name of
853 the chain to which the rule is a added. The switch-name (after
854 '@...' expansion) must begin with a letter and be composed of
855 letters, decimal digits, underscores or hyphens. Switch names must
856 be 30 characters or less in length.
857 Switches are normally off. To turn a switch on:
859 echo 1 >
860 /proc/net/nf_condition/switch-name
861 To turn it off again:
862 echo 0 >
863 /proc/net/nf_condition/switch-name
864 Switch settings are retained over shorewall restart.
865 When the switch-name is followed by =0 or =1, then the switch is
867 initialized to off or on respectively by the start command. Other
868 commands do not affect the switch setting.
869
871 IPv4 Example 1:
872 Mark all ICMP echo traffic with packet mark 1. Mark all peer to
873 peer traffic with packet mark 4.
874 This is a little more complex than otherwise expected. Since the
876 ipp2p module is unable to determine all packets in a connection are
877 P2P packets, we mark the entire connection as P2P if any of the
878 packets are determined to match.
879 We assume packet/connection mark 0 means unclassified.
881 #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
883 MARK(1):T 0.0.0.0/0 0.0.0.0/0 icmp echo-request
884 MARK(1):T 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
885 RESTORE:T 0.0.0.0/0 0.0.0.0/0 all - - - 0
886 CONTINUE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0
887 MARK(4):T 0.0.0.0/0 0.0.0.0/0 ipp2p:all
888 SAVE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0
889 If a packet hasn't been classified (packet mark is 0), copy the
891 connection mark to the packet mark. If the packet mark is set,
892 we're done. If the packet is P2P, set the packet mark to 4. If the
893 packet mark has been set, save it to the connection mark.
894 IPv4 Example 2:
896 SNAT outgoing connections on eth0 from 192.168.1.0/24 in
897 round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
898 (Shorewall 4.5.9 and later).
899 /etc/shorewall/mangle:
901 #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
903 CONNMARK(1-3):F 192.168.1.0/24 eth0 ; state=NEW
904 /etc/shorewall/snat:
906 #ACTION SOURCE DEST ...
908 SNAT(1.1.1.1) eth0:192.168.1.0/24 - { mark=1:C }
909 SNAT(1.1.1.3) eth0:192.168.1.0/24 - { mark=2:C }
910 SNAT(1.1.1.4) eth0:192.168.1.0/24 - { mark=3:C }
911 IPv6 Example 1:
913 Mark all ICMP echo traffic with packet mark 1. Mark all peer to
914 peer traffic with packet mark 4.
915 This is a little more complex than otherwise expected. Since the
917 ipp2p module is unable to determine all packets in a connection are
918 P2P packets, we mark the entire connection as P2P if any of the
919 packets are determined to match.
920 We assume packet/connection mark 0 means unclassified.
922 #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
924 MARK(1):T ::/0 ::/0 icmp echo-request
925 MARK(1):T ::/0 ::/0 icmp echo-reply
926 RESTORE:T ::/0 ::/0 all - - - 0
927 CONTINUE:T ::/0 ::/0 all - - - !0
928 MARK(4):T ::/0 ::/0 ipp2p:all
929 SAVE:T ::/0 ::/0 all - - - !0
930 If a packet hasn't been classified (packet mark is 0), copy the
932 connection mark to the packet mark. If the packet mark is set,
933 we're done. If the packet is P2P, set the packet mark to 4. If the
934 packet mark has been set, save it to the connection mark.
935
937 /etc/shorewall/mangle
938 /etc/shorewall6/mangle
940
942 http://www.shorewall.net/traffic_shaping.htm[15]
943 http://www.shorewall.net/MultiISP.html[3]
945 http://www.shorewall.net/PacketMarking.html[16]
947 http://www.shorewall.net/configuration_file_basics.htm#Pairs[17]
949 shorewall(8)
951
953 1. shorewall-tcrules(5)
954 http://www.shorewall.net/manpages/shorewall-tcrules.html
955 2. shorewall-rules
957 http://www.shorewall.net/manpages/shorewall-rules.html
958 3. http://www.shorewall.net/MultiISP.html
960 http://www.shorewall.net/MultiISP.html
961 4. shorewall.conf(5)
963 http://www.shorewall.net/manpages/shorewall.conf.html
964 5. shorewall-actions(5)
966 http://www.shorewall.netmanpages/shorewall-actions.html
967 6. shorewall-tcdevices
969 http://www.shorewall.net/manpages/shorewall-tcdevices.html
970 7. shorewall-tcclasses
972 http://www.shorewall.net/manpages/shorewall-tcclasses.html
973 8. shorewall-providers(5)
975 http://www.shorewall.net/manpages/shorewall-providers.html
976 9. shorewall-ecn(5)
978 http://www.shorewall.net/manpages/shorewall-ecn.html
979 10. shorewall-actions
981 http://www.shorewall.net/manpages/shorewall-actions.html
982 11. shorewall-interfaces
984 http://www.shorewall.net/manpages/shorewall-interfaces.html
985 12. shorewall-exclusion
987 http://www.shorewall.net/manpages/shorewall-exclusion.html
988 13. shorewall.conf
990 http://www.shorewall.net/manpages/shorewall.conf
991 14. http://www.shorewall.net/configuration_file_basics.htm#ICMP
993 http://www.shorewall.net/configuration_file_basics.htm#ICMP
994 15. http://www.shorewall.net/traffic_shaping.htm
996 http://www.shorewall.net/traffic_shaping.htm
997 16. http://www.shorewall.net/PacketMarking.html
999 http://www.shorewall.net/PacketMarking.html
1000 17. http://www.shorewall.net/configuration_file_basics.htm#Pairs
1002 http://www.shorewall.net/configuration_file_basics.htm#Pairs
1003Configuration Files 08/05/2018 SHOREWALL-MANGLE(5)