1SHOREWALL-TCFILTERS(5)        Configuration Files       SHOREWALL-TCFILTERS(5)
2
3
4

NAME

6       tcfilters - Shorewall u32/basic classifier rules file
7

SYNOPSIS

9       /etc/shorewall[6]/tcfilters
10

DESCRIPTION

12       Entries in this file cause packets to be classified for traffic
13       shaping.
14
15       Beginning with Shorewall 4.4.15, the file may contain entries for both
16       IPv4 and IPv6. By default, all rules apply to IPv4 but that can be
17       changed by inserting a line as follows:
18
19       IPV4
20           Following entries apply to IPv4.
21
22       IPV6
23           Following entries apply to IPv6
24
25       ALL
26           Following entries apply to both IPv4 and IPv6. Each entry is
27           processed twice; once for IPv4 and once for IPv6.
28
29       The columns in the file are as follows (where the column name is
30       followed by a different name in parentheses, the different name is used
31       in the alternate specification syntax).
32
33       CLASS - interface:class
34           The name or number of an interface defined in
35           shorewall-tcdevices[1](5) followed by a class number defined for
36           that interface in shorewall-tcclasses[2](5).
37
38       SOURCE - {-|address|+ipset}
39           Source of the packet. May be a host or network address. DNS names
40           are not allowed. Beginning with Shorewall 4.6.0, an ipset name
41           (prefixed with '+') may be used if your kernel and ip6tables have
42           the Basic Ematch capability and you set BASIC_FILTERS=Yes in
43           shorewall.conf (5)[3]. The ipset name may optionally be followed by
44           a number or a comma separated list of src and/or dst enclosed in
45           square brackets ([...]). See shorewall-ipsets(5)[4] for details.
46
47       DEST - {-|address|+ipset}
48           Destination of the packet. May be a host or network address. DNS
49           names are not allowed. Beginning with Shorewall 4.6.0, an ipset
50           name (prefixed with '+') may be used if your kernel and ip6tables
51           have the Basic Ematch capability and you set BASIC_FILTERS=Yes in
52           shorewall.conf (5)[3]. The ipset name may optionally be followed by
53           a number or a comma separated list of src and/or dst enclosed in
54           square brackets ([...]). See shorewall-ipsets(5)[4] for details.
55
56           You may exclude certain hosts from the set already defined through
57           use of an exclusion (see shorewall-exclusion[5](5)).
58
59       PROTO - {-|{protocol-number|protocol-name|all}[,...]}
60           Protocol.
61
62           Beginning with Shorewall 4.5.12, this column can accept a
63           comma-separated list of protocols.
64
65       DPORT - [-|port-name-or-number]
66           Optional destination Ports. A Port name (from services(5)) or a
67           port number; if the protocol is icmp, this column is interpreted as
68           the destination icmp-type(s).
69
70           This column was previously labelled DEST PORT(S).
71
72       SPORT - [-|port-name-or-number]
73           Optional source port.
74
75           This column was previously labelled SOURCE PORT(S).
76
77       TOS (Optional) - [-|tos]
78           Specifies the value of the TOS field. The tos value can be any of
79           the following:
80
81           ·   tos-minimize-delay
82
83           ·   tos-maximize-throughput
84
85           ·   tos-maximize-reliability
86
87           ·   tos-minimize-cost
88
89           ·   tos-normal-service
90
91           ·   hex-number
92
93           ·   hex-number/hex-number
94
95           The hex-numbers must be exactly two digits (e.g., 0x04)x.
96
97       LENGTH - [-|number]
98           Optional - Must be a power of 2 between 32 and 8192 inclusive.
99           Packets with a total length that is strictly less than the
100           specified number will match the rule.
101
102       PRIORITY - [-|priority]
103           Added in Shorewall 4.5.8. Specifies the rule priority. The priority
104           value must be > 0 and <= 65535.
105
106           When a priority is not given:
107
108           ·   For Shorewall versions prior to 4.5.8 - all filters have
109               priority 10.
110
111           ·   For Shorewall 4.5.8 and later - for each device, the compiler
112               maintains a high-water priority with an initial value of 0.
113               When a filter has no priority, the high-water priority is
114               incremented by 1 and assigned to the filter. When a priority
115               greater than the high-water priority is entered in this column,
116               the high-water priority is set to the specified priority. An
117               attempt to assign a priority value greater than 65535
118               (explicitly or implicitly) raises an error.
119
120           The default priority values used by other Shorewall-generated
121           filters are as follows:
122
123           ·   Classify by packet mark - ( class priority << 8 ) | 20.
124
125           ·   Ingress policing - 10
126
127           ·   Simple TC ACK packets - 1
128
129           ·   Complex TC ACK packets - ( class priority << 8 ) | 10.
130
131           ·   Classify by TOS - ( class priority << 8 ) | 15.
132
133           ·   Class with 'occurs' - 65535
134

EXAMPLE

136       IPv4 Example 1:
137           Place all 'ping' traffic on interface 1 in class 10. Note that ALL
138           cannot be used because IPv4 ICMP and IPv6 ICMP are two different
139           protocols.
140
141                      #CLASS    SOURCE    DEST         PROTO   DPORT
142
143                      IPV4
144
145                      1:10      0.0.0.0/0 0.0.0.0/0    icmp    echo-request
146                      1:10      0.0.0.0/0 0.0.0.0/0    icmp    echo-reply
147
148                      IPV6
149
150                      1:10      ::/0      ::/0         icmp6   echo-request
151                      1:10      ::/0      ::/0         icmp6   echo-reply
152
153       IPv4 Example 2:
154           Add two filters with priority 10 (Shorewall 4.5.8 or later).
155
156                      #CLASS    SOURCE    DEST         PROTO   DPORT           PRIORITY
157
158                      IPV4
159
160                      1:10      0.0.0.0/0 0.0.0.0/0    icmp    echo-request    10
161                      1:10      0.0.0.0/0 0.0.0.0/0    icmp    echo-reply      10
162
163       IPv6 Example 1:
164           Add two filters with priority 10 (Shorewall 4.5.8 or later).
165
166                      #CLASS    SOURCE    DEST         PROTO   DPORT           PRIORITY
167
168                      IPV6
169
170                      1:10      ::/0      ::/0         icmp    echo-request    10
171                      1:10      ::/0      ::/0         icmp    echo-reply      10
172

FILES

174       /etc/shorewall/tcfilters
175
176       /etc/shorewall6/tcfilters
177

SEE ALSO

179       http://www.shorewall.net/traffic_shaping.htm[6]
180
181       http://www.shorewall.net/MultiISP.html[7]
182
183       http://www.shorewall.net/PacketMarking.html[8]
184
185       http://www.shorewall.net/configuration_file_basics.htm#Pairs[9]
186
187       shorewall(8)
188

NOTES

190        1. shorewall-tcdevices
191           http://www.shorewall.net/manpages/shorewall-tcdevices.html
192
193        2. shorewall-tcclasses
194           http://www.shorewall.net/manpages/shorewall-tcclasses.html
195
196        3. shorewall.conf (5)
197           http://www.shorewall.net/manpages/shorewall.conf.html
198
199        4. shorewall-ipsets(5)
200           http://www.shorewall.net/manpages/shorewall-ipsets.html
201
202        5. shorewall-exclusion
203           http://www.shorewall.net/manpages/shorewall-exclusion.html
204
205        6. http://www.shorewall.net/traffic_shaping.htm
206           http://www.shorewall.net/traffic_shaping.htm
207
208        7. http://www.shorewall.net/MultiISP.html
209           http://www.shorewall.net/MultiISP.html
210
211        8. http://www.shorewall.net/PacketMarking.html
212           http://www.shorewall.net/PacketMarking.html
213
214        9. http://www.shorewall.net/configuration_file_basics.htm#Pairs
215           http://www.shorewall.net/configuration_file_basics.htm#Pairs
216
217
218
219Configuration Files               01/17/2019            SHOREWALL-TCFILTERS(5)
Impressum