SHOREWALL-TCFILTERS(5) Configuration Files SHOREWALL-TCFILTERS(5)

NAME
tcfilters - Shorewall u32/basic classifier rules file

SYNOPSIS
/etc/shorewall[6]/tcfilters

DESCRIPTION
Entries in this file cause packets to be classified for traffic
shaping.

Beginning with Shorewall 4.4.15, the file may contain entries for both
IPv4 and IPv6. By default, all rules apply to IPv4, but that can be
changed by inserting a line as follows:

IPV4
Following entries apply to IPv4.

IPV6
Following entries apply to IPv6.

ALL
Following entries apply to both IPv4 and IPv6. Each entry is
processed twice; once for IPv4 and once for IPv6.

The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used
in the alternate specification syntax).

CLASS - interface:class
The name or number of an interface defined in
shorewall-tcdevices[1](5) followed by a class number defined for
that interface in shorewall-tcclasses[2](5).

SOURCE - {-|address|+ipset}
Source of the packet. May be a host or network address. DNS names
are not allowed. Beginning with Shorewall 4.6.0, an ipset name
(prefixed with '+') may be used if your kernel and ip6tables have
the Basic Ematch capability and you set BASIC_FILTERS=Yes in
shorewall.conf (5)[3]. The ipset name may optionally be followed by
a number or a comma-separated list of src and/or dst enclosed in
square brackets ([...]). See shorewall-ipsets(5)[4] for details.

DEST - {-|address|+ipset}
Destination of the packet. May be a host or network address. DNS
names are not allowed. Beginning with Shorewall 4.6.0, an ipset
name (prefixed with '+') may be used if your kernel and ip6tables
have the Basic Ematch capability and you set BASIC_FILTERS=Yes in
shorewall.conf (5)[3]. The ipset name may optionally be followed by
a number or a comma-separated list of src and/or dst enclosed in
square brackets ([...]). See shorewall-ipsets(5)[4] for details.

You may exclude certain hosts from the set already defined through
use of an exclusion (see shorewall-exclusion[5](5)).

PROTO - {-|{protocol-number|protocol-name|all}[,...]}
Protocol.

Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.

DPORT - [-|port-name-or-number]
Optional destination port(s). A port name (from services(5)) or a
port number; if the protocol is icmp, this column is interpreted as
the destination icmp-type(s).

This column was previously labelled DEST PORT(S).

SPORT - [-|port-name-or-number]
Optional source port.

This column was previously labelled SOURCE PORT(S).

TOS (Optional) - [-|tos]
Specifies the value of the TOS field. The tos value can be any of
the following:

· tos-minimize-delay

· tos-maximize-throughput

· tos-maximize-reliability

· tos-minimize-cost

· tos-normal-service

· hex-number

· hex-number/hex-number

The hex-numbers must be exactly two digits (e.g., 0x04).

LENGTH - [-|number]
Optional - Must be a power of 2 between 32 and 8192 inclusive.
Packets with a total length that is strictly less than the
specified number will match the rule.

PRIORITY - [-|priority]
Added in Shorewall 4.5.8. Specifies the rule priority. The priority
value must be > 0 and <= 65535.

When a priority is not given:

· For Shorewall versions prior to 4.5.8 - all filters have
priority 10.

· For Shorewall 4.5.8 and later - for each device, the compiler
maintains a high-water priority with an initial value of 0.
When a filter has no priority, the high-water priority is
incremented by 1 and assigned to the filter. When a priority
greater than the high-water priority is entered in this column,
the high-water priority is set to the specified priority. An
attempt to assign a priority value greater than 65535
(explicitly or implicitly) raises an error.

The default priority values used by other Shorewall-generated
filters are as follows:

· Classify by packet mark - ( class priority << 8 ) | 20.

· Ingress policing - 10

· Simple TC ACK packets - 1

· Complex TC ACK packets - ( class priority << 8 ) | 10.

· Classify by TOS - ( class priority << 8 ) | 15.

· Class with 'occurs' - 65535

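The per-device high-water priority rule and the TOS, LENGTH and PRIORITY column constraints described above, modelled in Python as an added example; this is not Shorewall's own compiler code, the column order follows the layout in this page, and the sample entries are constructed.

```python
import re
# Column order from shorewall-tcfilters(5); "-" means "not specified".
COLUMNS = ("CLASS", "SOURCE", "DEST", "PROTO", "DPORT", "SPORT", "TOS", "LENGTH", "PRIORITY")
TOS_NAMES = {"tos-minimize-delay", "tos-maximize-throughput", "tos-maximize-reliability",
             "tos-minimize-cost", "tos-normal-service"}
TOS_HEX = re.compile(r"^0x[0-9a-f]{2}(/0x[0-9a-f]{2})?$", re.I)  # exactly two hex digits

def parse_entry(line):
    """Split one tcfilters line into a dict; check the TOS, LENGTH and PRIORITY columns."""
    fields = line.split()
    if len(fields) > len(COLUMNS):
        raise ValueError("too many columns: " + line)
    fields += ["-"] * (len(COLUMNS) - len(fields))  # omitted trailing columns count as "-"
    e = dict(zip(COLUMNS, fields))
    e["DEVICE"] = e["CLASS"].split(":", 1)[0]       # interface part of interface:class
    if e["TOS"] != "-" and e["TOS"] not in TOS_NAMES and not TOS_HEX.match(e["TOS"]):
        raise ValueError("bad TOS: " + e["TOS"])
    if e["LENGTH"] != "-":
        n = int(e["LENGTH"])
        if not (32 <= n <= 8192 and (n & (n - 1)) == 0):  # power of 2 in [32, 8192]
            raise ValueError("bad LENGTH: " + e["LENGTH"])
    e["PRIORITY"] = None if e["PRIORITY"] == "-" else int(e["PRIORITY"])
    if e["PRIORITY"] is not None and not 0 < e["PRIORITY"] <= 65535:
        raise ValueError("PRIORITY must be > 0 and <= 65535")
    return e

def assign_priorities(lines):
    """4.5.8+ rule: per-device mark starts at 0; no priority -> mark+1; higher explicit raises mark."""
    high_water, result = {}, []
    for line in lines:
        e = parse_entry(line)
        hw = high_water.get(e["DEVICE"], 0)
        if e["PRIORITY"] is None:
            hw += 1
            if hw > 65535:  # implicit priorities above 65535 are an error too
                raise ValueError("implicit priority exceeds 65535")
            e["PRIORITY"] = hw
        elif e["PRIORITY"] > hw:
            hw = e["PRIORITY"]
        high_water[e["DEVICE"]] = hw
        result.append((e["CLASS"], e["PRIORITY"]))
    return result

SAMPLE = [  # constructed sample entries (not from the man page)
    "1:10 0.0.0.0/0 0.0.0.0/0 icmp echo-request",            # no priority -> 1
    "1:12 0.0.0.0/0 0.0.0.0/0 udp - - - 128 100",            # explicit 100, mark becomes 100
    "1:13 0.0.0.0/0 0.0.0.0/0 tcp 80 - 0x10/0x1e - 5",       # explicit 5, mark stays 100
    "1:14 0.0.0.0/0 0.0.0.0/0 all",                          # no priority -> 101
    "2:10 0.0.0.0/0 0.0.0.0/0 all",                          # device 2 has its own mark -> 1
]
```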
EXAMPLE
IPv4 Example 1:
Place all 'ping' traffic on interface 1 in class 10. Note that ALL
cannot be used because IPv4 ICMP and IPv6 ICMP are two different
protocols.

#CLASS  SOURCE      DEST        PROTO   DPORT

IPV4

1:10    0.0.0.0/0   0.0.0.0/0   icmp    echo-request
1:10    0.0.0.0/0   0.0.0.0/0   icmp    echo-reply

IPV6

1:10    ::/0        ::/0        icmp6   echo-request
1:10    ::/0        ::/0        icmp6   echo-reply

IPv4 Example 2:
Add two filters with priority 10 (Shorewall 4.5.8 or later).

#CLASS  SOURCE      DEST        PROTO   DPORT           PRIORITY

IPV4

1:10    0.0.0.0/0   0.0.0.0/0   icmp    echo-request    10
1:10    0.0.0.0/0   0.0.0.0/0   icmp    echo-reply      10

IPv6 Example 1:
Add two filters with priority 10 (Shorewall 4.5.8 or later).

#CLASS  SOURCE      DEST        PROTO   DPORT           PRIORITY

IPV6

1:10    ::/0        ::/0        icmp    echo-request    10
1:10    ::/0        ::/0        icmp    echo-reply      10

FILES
/etc/shorewall/tcfilters

/etc/shorewall6/tcfilters

SEE ALSO
http://www.shorewall.net/traffic_shaping.htm[6]

http://www.shorewall.net/MultiISP.html[7]

http://www.shorewall.net/PacketMarking.html[8]

http://www.shorewall.net/configuration_file_basics.htm#Pairs[9]

shorewall(8)

NOTES
1. shorewall-tcdevices
http://www.shorewall.net/manpages/shorewall-tcdevices.html

2. shorewall-tcclasses
http://www.shorewall.net/manpages/shorewall-tcclasses.html

3. shorewall.conf (5)
http://www.shorewall.net/manpages/shorewall.conf.html

4. shorewall-ipsets(5)
http://www.shorewall.net/manpages/shorewall-ipsets.html

5. shorewall-exclusion
http://www.shorewall.net/manpages/shorewall-exclusion.html

6. http://www.shorewall.net/traffic_shaping.htm
http://www.shorewall.net/traffic_shaping.htm

7. http://www.shorewall.net/MultiISP.html
http://www.shorewall.net/MultiISP.html

8. http://www.shorewall.net/PacketMarking.html
http://www.shorewall.net/PacketMarking.html

9. http://www.shorewall.net/configuration_file_basics.htm#Pairs
http://www.shorewall.net/configuration_file_basics.htm#Pairs

Configuration Files 01/17/2019 SHOREWALL-TCFILTERS(5)