1SHOREWALL-MANGLE(5)           Configuration Files          SHOREWALL-MANGLE(5)
2
3
4

NAME

6       mangle - Shorewall Packet marking/mangling rules file
7

SYNOPSIS

9       /etc/shorewall[6]/mangle
10

DESCRIPTION

12       This file was introduced in Shorewall 4.6.0 and replaces
13       shorewall-tcrules(5)[1]. This file is only processed by the compiler
14       if:
15
16       Entries in this file cause packets to be marked as a means of
17       classifying them for traffic control or policy routing.
18
19           Important
20           Unlike rules in the shorewall-rules[2](5) file, evaluation of rules
21           in this file will continue after a match. So the final mark for
22           each packet will be the one assigned by the LAST tcrule that
23           matches.
24
25           If you use multiple internet providers with the 'track' option, in
26           /etc/shorewall/providers be sure to read the restrictions at
27           https://shorewall.org/MultiISP.html[3].
28
29       The columns in the file are as follows (where the column name is
30       followed by a different name in parentheses, the different name is used
31       in the alternate specification syntax).
32
33       ACTION - command[(parameters)][:chain-designator]
34           The chain-designator indicates the Netfilter chain that the entry
35           applies to and may be one of the following:
36
37           P
38               PREROUTING chain.
39
40           F
41               FORWARD chain.
42
43           T
44               POSTROUTING chain.
45
46           I
47               INPUT chain.
48
49           NP
50               PREROUTING chain in the nat table.
51
52           NI
53               INPUT chain in the nat table.
54
55           NO
56               OUTPUT chain in the nat table.
57
58           NT
59               POSTROUTING chain in the nat table.
60
61           The nat table designators were added in Shorewall 5.2.1. When a nat
62           table designator is given, only the CONNMARK, MARK, SAVE and
63           RESTORE commands may be used.
64
65           Unless otherwise specified for the particular command, the default
66           chain is PREROUTING when MARK_IN_FORWARD_CHAIN=No in
67           shorewall.conf(5)[4], and FORWARD when MARK_IN_FORWARD_CHAIN=Yes.
68
69           A chain-designator may not be specified if the SOURCE or DEST
70           columns begin with '$FW'. When the SOURCE is $FW, the generated
71           rule is always placed in the OUTPUT chain. If DEST is '$FW', then
72           the rule is placed in the INPUT chain. Additionally, a
73           chain-designator may not be specified in an action body.
74
75           Where a command takes parameters, those parameters are enclosed in
76           parentheses ("(....)") and separated by commas.
77
78           The command may be one of the following.
79
80           action[([param[,...])]
81               Added in Shorewall 5.0.7.  action must be an action declared
82               with the mangle option in shorewall-actions(5)[5]. If the
83               action accepts parameters, they are specified as a
84               comma-separated list within parentheses following the action
85               name.
86
87           ADD(ipset:flags)
88               Added in Shorewall 4.6.7. Causes addresses and/or port numbers
89               to be added to the named ipset. The flags specify the address
90               or tuple to be added to the set and must match the type of
91               ipset involved. For example, for an iphash ipset, either the
92               SOURCE or DESTINATION address can be added using flags src or
93               dst respectively (see the -A command in ipset (8)).
94
95               ADD is non-terminating. Even if a packet matches the rule, it
96               is passed on to the next rule.
97
98           CHECKSUM
99               Compute and fill in the checksum in a packet that lacks a
100               checksum. This is particularly useful if you need to work
101               around old applications, such as dhcp clients, that do not work
102               well with checksum offloads, but you don't want to disable
103               checksum offload in your device.
104
105               Requires 'Checksum Target' support in your kernel and iptables.
106
107           CLASSIFY(classid)
108               A classification Id (classid) is of the form major:minor where
109               major and minor are integers. Corresponds to the 'class'
110               specification in these traffic shaping modules:
111
112                          atm
113                          cbq
114                          dsmark
115                          pfifo_fast
116                          htb
117                          prio
118
119               Classification occurs in the POSTROUTING chain except when the
120               SOURCE is $FW[:address] in which case classification occurs in
121               the OUTPUT chain.
122
123               When using Shorewall's built-in traffic shaping tool, the major
124               class is the device number (the first device in
125               shorewall-tcdevices[6](5) is major class 1, the second device
126               is major class 2, and so on) and the minor class is the class's
127               MARK value in shorewall-tcclasses[7](5) preceded by the number
128               1 (MARK 1 corresponds to minor class 11, MARK 5 corresponds to
129               minor class 15, MARK 22 corresponds to minor class 122, etc.).
130
131           ?COMMENT
132               The rest of the line will be attached as a comment to the
133               Netfilter rule(s) generated by the following entries. The
134               comment will appear delimited by "/* ... */" in the output of
135               shorewall show mangle
136
137               To stop the comment from being attached to further rules,
138               simply include ?COMMENT on a line by itself.
139
140           CONMARK({mark|range})
141               Identical to MARK with the exception that the mark is assigned
142               to connection to which the packet belongs is marked rather than
143               to the packet itself.
144
145           CONTINUE
146               Don't process any more marking rules in the table.
147
148               Currently, CONTINUE may not be used with exclusion (see the
149               SOURCE and DEST columns below); that restriction will be
150               removed when iptables/Netfilter provides the necessary support.
151
152           DEL(ipset:flags)
153               Added in Shorewall 4.6.7. Causes an entry to be deleted from
154               the named ipset. The flags specify the address or tuple to be
155               deleted from the set and must match the type of ipset involved.
156               For example, for an iphash ipset, either the SOURCE or
157               DESTINATION address can be deleted using flags src or dst
158               respectively (see the -D command in ipset (8)).
159
160               DEL is non-terminating. Even if a packet matches the rule, it
161               is passed on to the next rule.
162
163           DIVERT
164               Two DIVERT rule should precede the TPROXY rule and should
165               select DEST PORT tcp 80 and SOURCE PORT tcp 80 respectively
166               (assuming that tcp port 80 is being proxied). DIVERT avoids
167               sending packets to the TPROXY target once a socket connection
168               to Squid3 has been established by TPROXY. DIVERT marks the
169               packet with a unique mark and exempts it from any rules that
170               follow.
171
172           DIVERTHA
173               Added in Shorewall 5.0.4. To setup the HAProxy configuration
174               described at
175               http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x,
176               place this entry in shorewall-providers(5)[8]:
177
178                   #NAME    NUMBER   MARK    DUPLICATE  INTERFACE GATEWAY         OPTIONS               COPY
179                   TProxy   1        -       -          lo        -               tproxy
180
181               and use this DIVERTHA entry:
182
183                   #ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST    LENGTH  TOS   CONNBYTES         HELPER    PROBABILITY DSCP
184                   DIVERTHA        -               -               tcp
185
186           DROP
187               Causes matching packets to be discarded.
188
189           DSCP(dscp)
190               Sets the Differentiated Services Code Point field in the IP
191               header. The dscp value may be given as an even number (hex or
192               decimal) or as the name of a DSCP class. Valid class names and
193               their associated hex numeric values are:
194
195                       CS0  => 0x00
196                       CS1  => 0x08
197                       CS2  => 0x10
198                       CS3  => 0x18
199                       CS4  => 0x20
200                       CS5  => 0x28
201                       CS6  => 0x30
202                       CS7  => 0x38
203                       BE   => 0x00
204                       AF11 => 0x0a
205                       AF12 => 0x0c
206                       AF13 => 0x0e
207                       AF21 => 0x12
208                       AF22 => 0x14
209                       AF23 => 0x16
210                       AF31 => 0x1a
211                       AF32 => 0x1c
212                       AF33 => 0x1e
213                       AF41 => 0x22
214                       AF42 => 0x24
215                       AF43 => 0x26
216                       EF   => 0x2e
217
218               To indicate more than one class, add their hex values together
219               and specify the result. By default, DSCP rules are placed in
220               the POSTROUTING chain.
221
222           ECN
223               Added in Shorewall 5.0.6 as an alternative to entries in
224               shorewall-ecn(5)[9]. If a PROTO is specified, it must be 'tcp'
225               (6). If no PROTO is supplied, TCP is assumed. This action
226               causes all ECN bits in the TCP header to be cleared.
227
228           IMQ(number)
229               Specifies that the packet should be passed to the IMQ
230               identified by number. Requires IMQ Target support in your
231               kernel and iptables.
232
233           INLINE[(action)]
234               Allows you to place your own ip[6]tables matches at the end of
235               the line following a semicolon (";") (deprecated) or two
236               semicolons (";;") (preferred since Shoreall 5.0.0). If an
237               action is specified, the compiler proceeds as if that action
238               had been specified in this column. If no action is specified,
239               then you may include your own jump ("-j target [option] ...")
240               after any matches specified at the end of the rule. If the
241               target is not one known to Shorewall, then it must be defined
242               as a builtin action in shorewall-actions[10] (5).
243
244               The following rules are equivalent:
245
246                   2:P                   eth0              -         tcp 22
247                   INLINE(MARK(2)):P     eth0              -         tcp 22
248                   INLINE(MARK(2)):P     eth0              -                 ;; -p tcp
249                   INLINE                eth0              -         tcp 22  ;; -j MARK --set-mark 2
250                   INLINE                eth0              -                 ;; -p tcp -j MARK --set-mark 2
251
252           IPMARK
253               Assigns a mark to each matching packet based on the either the
254               source or destination IP address. By default, it assigns a mark
255               value equal to the low-order 8 bits of the source address.
256               Default values are:
257                   src
258                   mask1 = 0xFF
259                   mask2 = 0x00
260                   shift = 0
261               'src' and 'dst' specify whether the mark is to be based on the
262               source or destination address respectively. The selected
263               address is first shifted to the right by shift bits. The result
264               is then LANDed with mask1 then LORed with mask2.
265
266               In a sense, the IPMARK target is more like an IPCLASSIFY target
267               in that the mark value is later interpreted as a class ID. A
268               packet mark is 32 bits wide; so is a class ID. The <major>
269               class occupies the high-order 16 bits and the <minor> class
270               occupies the low-order 16 bits. So the class ID 1:4ff (remember
271               that class IDs are always in hex) is equivalent to a mark value
272               of 0x104ff. Remember that Shorewall uses the interface number
273               as the <major> number where the first interface in tcdevices
274               has <major> number 1, the second has <major> number 2, and so
275               on.
276
277               The IPMARK target assigns a mark to each matching packet based
278               on the either the source or destination IP address. By default,
279               it assigns a mark value equal to the low-order 8 bits of the
280               source address. The syntax is as follows:
281               IPMARK[([{src|dst}][,[mask1][,[mask2][,[shift]]]])] Default
282               values are:
283                   src
284                   mask1 = 0xFF
285                   mask2 = 0x00
286                   shift = 0
287               src and dst specify whether the mark is to be based on the
288               source or destination address respectively. The selected
289               address is first shifted right by shift, then LANDed with mask1
290               and then LORed with mask2. The shift argument is intended to be
291               used primarily with IPv6 addresses.
292
293               Example: IPMARK(src,0xff,0x10100)
294                   Suppose that the source IP address is 192.168.4.3
295                                       = 0xc0a80403; then
296                   0xc0a80403 >> 0 = 0xc0a80403
297                   0xc0a80403 LAND 0xFF = 0x03
298                   0x03 LOR 0x10100 = 0x10103 or class ID
299                                       1:103
300               It is important to realize that, while class IDs are composed
301               of a major and a minor value, the set of values must be unique.
302               That is, the same numeric value cannot be used as both a major
303               and a minor number for the same interface unless class nesting
304               occurs (which is not currently possible with Shorewall). You
305               should keep this in mind when deciding how to map IP addresses
306               to class IDs.
307
308               For example, suppose that your internal network is
309               192.168.1.0/29 (host IP addresses 192.168.1.1 - 192.168.1.6).
310               Your first notion might be to use IPMARK(src,0xFF,0x10000) so
311               as to produce class IDs 1:1 through 1:6. But 1:1 is an invalid
312               class ID since the major and minor classes are equal. So you
313               might choose instead to use IPMARK(src,0xFF,0x10100) as in the
314               example above so that all of your minor classes will have a
315               value > 256.
316
317           IP6TABLES({target [option ...])
318               IPv6 only.
319
320               This action allows you to specify an iptables target with
321               options (e.g., 'IP6TABLES(MARK --set-xmark 0x01/0xff)'. If the
322               target is not one recognized by Shorewall, the following error
323               message will be issued:
324                   ERROR: Unknown target
325                                     (target)
326               This error message may be eliminated by adding the target as a
327               builtin action in shorewall-actions(5)[10].
328
329           IPTABLES({target [option ...])
330               IPv4 only.
331
332               This action allows you to specify an iptables target with
333               options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If the
334               target is not one recognized by Shorewall, the following error
335               message will be issued:
336                   ERROR: Unknown target
337                                     (target)
338               This error message may be eliminated by adding the target as a
339               builtin action in shorewall-actions(5)[10].
340
341           MARK({mark|range})
342               where mark is a packet mark value.
343
344               Normally will set the mark value. If preceded by a vertical bar
345               ("|"), the mark value will be logically ORed with the current
346               mark value to produce a new mark value. If preceded by an
347               ampersand ("&"), will be logically ANDed with the current mark
348               value to produce a new mark value.
349
350               Both "|" and "&" require Extended MARK Target support in your
351               kernel and iptables.
352
353               The mark value may be optionally followed by "/" and a mask
354               value (used to determine those bits of the connection mark to
355               actually be set). When a mask is specified, the result of
356               logically ANDing the mark value with the mask must be the same
357               as the mark value.
358
359               A mark range is a pair of integers separated by a dash ("-").
360
361               May be optionally followed by a slash ("/") and a mask and
362               requires the Statistics Match capability in iptables and
363               kernel. Marks in the specified range are assigned to packets on
364               a round-robin fashion.
365
366               When a mask is specified, the result of logically ANDing each
367               mark value with the mask must be the same as the mark value.
368               The least significant bit in the mask is used as an increment.
369               For example, if '0x200-0x400/0xff00' is specified, then the
370               assigned mark values are 0x200, 0x300 and 0x400 in equal
371               proportions. If no mask is specified, then ( 2 ** MASK_BITS ) -
372               1 is assumed (MASK_BITS is set in shorewall.conf[4](5)).
373
374           NFLOG[(nflog-parameters)]
375               Added in Shorewall 5.0.9. Logs matching packets using NFLOG.
376               The nflog-parameters are a comma-separated list of up to 3
377               numbers:
378
379               •   The first number specifies the netlink group (0-65535). If
380                   omitted (e.g., NFLOG(,0,10)) then a value of 0 is assumed.
381
382               •   The second number specifies the maximum number of bytes to
383                   copy. If omitted, 0 (no limit) is assumed.
384
385               •   The third number specifies the number of log messages that
386                   should be buffered in the kernel before they are sent to
387                   user space. The default is 1.
388
389           RESTORE[(mask)]
390               Restore the packet's mark from the connection's mark using the
391               supplied mask if any. Your kernel and iptables must include
392               CONNMARK support.
393
394           SAME[(timeout)]
395               Some websites run applications that require multiple
396               connections from a client browser. Where multiple 'balanced'
397               providers are configured, this can lead to problems when some
398               of the connections are routed through one provider and some
399               through another. The SAME target allows you to work around that
400               problem. SAME may be used in the PREROUTING and OUTPUT chains.
401               When used in PREROUTING, it causes matching connections from an
402               individual local system to all use the same provider. For
403               example:
404
405                   #ACTION           SOURCE         DEST         PROTO      DPORT
406                   SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443
407
408               If a host in 192.168.1.0/24 attempts a connection on TCP port
409               80 or 443 and it has sent a packet on either of those ports in
410               the last five minutes then the new connection will use the same
411               provider as the connection over which that last packet was
412               sent.
413
414               When used in the OUTPUT chain, it causes all matching
415               connections to an individual remote system to all use the same
416               provider. For example:
417
418                   #ACTION           SOURCE         DEST         PROTO      DPORT
419                   SAME              $FW            0.0.0.0/0    tcp        80,443
420
421               The optional timeout parameter was added in Shorewall 4.6.7 and
422               specifies a number of seconds . When not specified, a value of
423               300 seconds (5 minutes) is assumed. If the firewall attempts a
424               connection on TCP port 80 or 443 and it has sent a packet on
425               either of those ports in the last timeout seconds to the same
426               remote system then the new connection will use the same
427               provider as the connection over which that last packet was
428               sent.
429
430           SAVE[(mask)]
431               Save the packet's mark to the connection's mark using the
432               supplied mask if any. Your kernel and iptables must include
433               CONNMARK support.
434
435           TCPMSS([mss[,ipsec]])
436               Added in Shorewall 5.1.9. This target only applies to TCP
437               traffic and alters the MSS value in SYN packets. It may be used
438               in the FORWARD and POSTROUTING chains; the default is FORWARD.
439
440               The mss parameter may be either pmtu or an integer in the range
441               500:65533. The value pmtu automatically clamps the MSS value to
442               (path_MTU - 40 for IPv4; -60 for IPv6). This may not function
443               as desired where asymmetric routes with differing path MTU
444               exist — the kernel uses the path MTU which it would use to send
445               packets from itself to the source and destination IP addresses.
446               Prior to Linux 2.6.25, only the path MTU to the destination IP
447               address was considered by this option; subsequent kernels also
448               consider the path MTU to the source IP address. If an integer
449               is given, the MSS option is set to the specified value. If the
450               MSS of the packet is already lower than mss, it will not be
451               increased (from Linux 2.6.25 onwards) to avoid more problems
452               with hosts relying on a proper MSS. If mss is omitted, pmtu is
453               assumed.
454
455               The ipsec parameter determines whether the rule applies to
456               IPSEC traffic (ipsec is passed), non-IPSEC traffic (none is
457               passed) or both (all is passed). If omitted, all is assumed.
458
459           TOS(tos[/mask])
460               Sets the Type of Service field in the IP header. The tos value
461               may be given as an number (hex or decimal) or as the name of a
462               TOS type. Valid type names and their associated hex numeric
463               values are:
464
465                   Minimize-Delay       => 0x10,
466                   Maximize-Throughput  => 0x08,
467                   Maximize-Reliability => 0x04,
468                   Minimize-Cost        => 0x02,
469                   Normal-Service       => 0x00
470
471               To indicate more than one class, add their hex values together
472               and specify the result.
473
474               When tos is given as a number, it may be optionally followed by
475               '/' and a mask. When no mask is given, the value 0xff is
476               assumed. When tos is given as a type name, the mask 0x3f is
477               assumed.
478
479               The action performed is to zero out the bits specified by the
480               mask, then set the bits specified by tos.
481
482           TPROXY([port[,address]])
483               Transparently redirects a packet without altering the IP
484               header. Requires a tproxy provider to be defined in
485               shorewall-providers[8](5).
486
487               There are three parameters to TPROXY - neither is required:
488
489port - the port on which the proxy server is listening. If
490                   omitted, the original destination port.
491
492address - a local (to the firewall) IP address on which the
493                   proxy server is listening. If omitted, the IP address of
494                   the interface on which the request arrives.
495
496           TTL([-|+]number)
497               If + is included, packets matching the rule will have their TTL
498               incremented by number. Similarly, if - is included, matching
499               packets have their TTL decremented by number. If neither + nor
500               - is given, the TTL of matching packets is set to number. The
501               valid range of values for number is 1-255.
502
503       SOURCE - {-|source-spec[,...]}
504           where source-spec is one of:
505
506           [!]interface
507               where interface is the logical name of an interface defined in
508               shorewall-interfaces[11](5). Matches packets entering the
509               firewall from the named interface. May not be used in CLASSIFY
510               rules or in rules using the :T chain qualifier.
511
512               Beginning with Shorweall 5.2.1, the interface may be preceded
513               with '!' which matches all interfaces except the one specified.
514
515           address[,...][exclusion]
516               where address is: A host or network IP address.
517
518               The name of an ipset preceded by a plus sign ("+").
519
520               A MAC address in Shorewall format (preceded by a tilde ("~")
521               and using dash ("-") as a separator (e.g., ~00-A0-C9-15-39-78).
522               Matches traffic whose source IP address matches one of the
523               listed addresses and that does not match an address listed in
524               the exclusion (see shorewall-exclusion[12](5)).
525
526               This form will not match traffic that originates on the
527               firewall itself unless either <major><minor> or the :T chain
528               qualifier is used in the ACTION column.
529
530           [!]interface:address,[...][exclusion]
531               This form combines the preceding two forms and matches when
532               both the incoming interface and source IP address match.
533
534               Beginning with Shorweall 5.2.1, the interface may be preceded
535               with '!' which matches all interfaces except the one specified.
536
537           [!]interface:exclusion
538               This form matches packets arriving through the named interface
539               and whose source IP address does not match any of the addresses
540               in the exclusion.
541
542               Beginning with Shorweall 5.2.1, the interface may be preceded
543               with '!' which matches all interfaces except the one specified.
544
545           $FW
546               Matches packets originating on the firewall system. May not be
547               used with a chain qualifier (:P, :F, etc.) in the ACTION
548               column.
549
550           $FW:address[,...][exclusion]
551               where address is as above (MAC addresses are not permitted).
552               Matches packets originating on the firewall and whose source IP
553               address matches one of the listed addresses and does not match
554               any address listed in the exclusion. May not be used with a
555               chain qualifier (:P, :F, etc.) in the ACTION column.
556
557           $FW:exclusion
558               Matches traffic originating on the firewall, provided that the
559               source IP address does not match any address listed in the
560               exclusion.
561
562           Beginning with Shorewall 5.1.0, multiple source_specs, separated by
563           commas, may be given provided that the following alternative forms
564           are used: (address[,...][exclusion])
565
566           interface:(address[,...][exclusion])
567
568           interface:(exclusion)
569
570           $FW:(address[,...][exclusion])
571
572           $FW:(exclusion)
573
574       DEST - {-|dest-spec[,...]}
575           where dest-spec is one of:
576
577           interface
578               where interface is the logical name of an interface defined in
579               shorewall-interfaces[11](5). Matches packets leaving the
580               firewall through the named interface. May not be used in the
581               PREROUTING chain (:P in the mark column or no chain qualifier
582               and MARK_IN_FORWARD_CHAIN=No in shorewall.conf (5)).
583
584           address[,...][exclusion]
585               where address is: A host or network IP address.
586
587               The name of an ipset preceded by a plus sign ("+").
588
589               A MAC address in Shorewall format (preceded by a tilde ("~")
590               and using dash ("-") as a separator (e.g., ~00-A0-C9-15-39-78).
591               Matches traffic whose destination IP address matches one of the
592               listed addresses and that does not match an address listed in
593               the exclusion (see shorewall-exclusion[12](5)).
594
595           interface:address,[...][exclusion]
596               This form combines the preceding two forms and matches when
597               both the outgoing interface and destination IP address match.
598               May not be used in the PREROUTING chain (:P in the mark column
599               or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in
600               shorewall.conf (5)).
601
602           interface:exclusion
603               This form matches packets leaving through the named interface
604               and whose destination IP address does not match any of the
605               addresses in the exclusion. May not be used in the PREROUTING
606               chain (:P in the mark column or no chain qualifier and
607               MARK_IN_FORWARD_CHAIN=No in shorewall.conf (5)).
608
609           $FW
610               Matches packets originating on the firewall system. May not be
611               used with a chain qualifier (:P, :F, etc.) in the ACTION
612               column.
613
614           $FW:address[,...][exclusion]
615               where address is as above (MAC addresses are not permitted).
616               Matches packets destined for the firewall and whose destination
617               IP address matches one of the listed addresses and does not
618               match any address listed in the exclusion. May not be used with
619               a chain qualifier (:P, :F, etc.) in the ACTION column.
620
621           $FW:exclusion
622               Matches traffic destined for the firewall, provided that the
623               destination IP address does not match any address listed in the
624               exclusion.
625
626           Beginning with Shorewall 5.1.0, multiple dest_specs, separated by
627           commas, may be given provided that the following alternative forms
628           are used: (address[,...][exclusion])
629
630           interface:(address[,...][exclusion])
631
632           interface:(exclusion)
633
634           $FW:(address[,...][exclusion])
635
636           $FW:(exclusion)
637
638       PROTO -
639       {-|{tcp:[!]syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}[,...]}
640           See shorewall-rules(5)[2] for details.
641
642           Beginning with Shorewall 4.5.12, this column can accept a
643           comma-separated list of protocols.
644
645       DPORT-
646       {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset}
647           Optional destination Ports. A comma-separated list of Port names
648           (from services(5)), port numbers or port ranges; if the protocol is
649           icmp, this column is interpreted as the destination icmp-type(s).
650           ICMP types may be specified as a numeric type, a numeric type and
651           code separated by a slash (e.g., 3/4), or a typename. See
652           https://shorewall.org/configuration_file_basics.htm#ICMP[13].
653
654           If the protocol is ipp2p, this column is interpreted as an ipp2p
655           option without the leading "--" (example bit for bit-torrent). If
656           no PORT is given, ipp2p is assumed.
657
658           An entry in this field requires that the PROTO column specify icmp
659           (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any
660           of the following field is supplied.
661
662           Beginning with Shorewall 4.6.0, an ipset name can be specified in
663           this column. This is intended to be used with bitmap:port ipsets.
664
665           This column was formerly named DEST PORT(S).
666
667       SPORT -
668       {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset}
669           Optional source port(s). If omitted, any source port is acceptable.
670           Specified as a comma-separated list of port names, port numbers or
671           port ranges.
672
673           An entry in this field requires that the PROTO column specify tcp
674           (6), udp (17), sctp (132) or udplite (136). Use '-' if any of the
675           following fields is supplied.
676
677           Beginning with Shorewall 4.5.15, you may place '=' in this column,
678           provided that the DPORT column is non-empty. This causes the rule
679           to match when either the source port or the destination port in a
680           packet matches one of the ports specified in DEST PORTS(S). Use of
681           '=' requires multi-port match in your iptables and kernel.
682
683           Beginning with Shorewall 4.6.0, an ipset name can be specified in
684           this column. This is intended to be used with bitmap:port ipsets.
685
686           This column was formerly labelled SOURCE PORT(S).
687
688       USER - [!][user-name-or-number][:group-name-or-number][+program-name]
689           This optional column may only be non-empty if the SOURCE is the
690           firewall itself.
691
692           When this column is non-empty, the rule applies only if the program
693           generating the output is running under the effective user and/or
694           group specified (or is NOT running under that id if "!" is given).
695
696           Examples:
697
698           joe
699               program must be run by joe
700
701           :kids
702               program must be run by a member of the 'kids' group
703
704           !:kids
705               program must not be run by a member of the 'kids' group
706
707           +upnpd
708               #program named upnpd
709
710                   Important
711                   The ability to specify a program name was removed from
712                   Netfilter in kernel version 2.6.14.
713
714       TEST - [!]value[/mask][:C]
715           Optional - Defines a test on the existing packet or connection
716           mark. The rule will match only if the test returns true.
717
718           If you don't want to define a test but need to specify anything in
719           the following columns, place a "-" in this field.
720
721           !
722               Inverts the test (not equal)
723
724           value
725               Value of the packet or connection mark.
726
727           mask
728               A mask to be applied to the mark before testing.
729
730           :C
731               Designates a connection mark. If omitted, the packet mark's
732               value is tested.
733
734       LENGTH - [length|[min]:[max]]
735           Optional - packet payload length. This field, if present allow you
736           to match the length of a packet payload (Layer 4 data ) against a
737           specific value or range of values. You must have iptables length
738           support for this to work. A range is specified in the form min:max
739           where either min or max (but not both) may be omitted. If min is
740           omitted, then 0 is assumed; if max is omitted, than any packet that
741           is min or longer will match.
742
743       TOS - tos
744           Type of service. Either a standard name, or a numeric value to
745           match.
746
747                        Minimize-Delay (16)
748                        Maximize-Throughput (8)
749                        Maximize-Reliability (4)
750                        Minimize-Cost (2)
751                        Normal-Service (0)
752
753       CONNBYTES - [!]min:[max[:{O|R|B}[:{B|P|A}]]]
754           Optional connection Bytes; defines a byte or packet range that the
755           connection must fall within in order for the rule to match.
756
757           A packet matches if the the packet/byte count is within the range
758           defined by min and max (unless ! is given in which case, a packet
759           matches if the packet/byte count is not within the range).  min is
760           an integer which defines the beginning of the byte/packet range.
761           max is an integer which defines the end of the byte/packet range;
762           if omitted, only the beginning of the range is checked. The first
763           letter gives the direction which the range refers to:O - The
764           original direction of the connection. .sp - The opposite direction
765           from the original connection. .sp B - The total of both directions.
766
767           If omitted, B is assumed.
768
769           The second letter determines what the range refers to.B - Bytes .sp
770           P - Packets .sp A - Average packet size.If omitted, B is assumed.
771
772       HELPER - helper
773           Names a Netfilter protocol helper module such as ftp, sip, amanda,
774           etc. A packet will match if it was accepted by the named helper
775           module.
776
777           Example: Mark all FTP data connections with mark 4:
778
779               #ACTION   SOURCE    DEST      PROTO   DPORT      SPORT   USER TEST LENGTH TOS CONNBYTES HELPER
780               4:T       0.0.0.0/0 0.0.0.0/0 TCP     -          -       -    -    -      -   -         ftp
781
782       PROBABILITY - [probability]
783           Added in Shorewall 4.5.0. When non-empty, requires the Statistics
784           Match capability in your kernel and ip6tables and causes the rule
785           to match randomly but with the given probability. The probability
786           is a number 0 < probability <= 1 and may be expressed at up to 8
787           decimal points of precision.
788
789       DSCP - [[!]dscp]
790           Added in Shorewall 4.5.1. When non-empty, match packets whose
791           Differentiated Service Code Point field matches the supplied value
792           (when '!' is given, the rule matches packets whose DSCP field does
793           not match the supplied value). The dscp value may be given as an
794           even number (hex or decimal) or as the name of a DSCP class. Valid
795           class names and their associated hex numeric values are:
796
797                   CS0  => 0x00
798                   CS1  => 0x08
799                   CS2  => 0x10
800                   CS3  => 0x18
801                   CS4  => 0x20
802                   CS5  => 0x28
803                   CS6  => 0x30
804                   CS7  => 0x38
805                   BE   => 0x00
806                   AF11 => 0x0a
807                   AF12 => 0x0c
808                   AF13 => 0x0e
809                   AF21 => 0x12
810                   AF22 => 0x14
811                   AF23 => 0x16
812                   AF31 => 0x1a
813                   AF32 => 0x1c
814                   AF33 => 0x1e
815                   AF41 => 0x22
816                   AF42 => 0x24
817                   AF43 => 0x26
818                   EF   => 0x2e
819
820       STATE -- {NEW|RELATED|ESTABLISHED|INVALID} [,...]
821           The rule will only match if the packet's connection is in one of
822           the listed states.
823
824       TIME - timeelement[&timeelement...]
825           Added in Shorewall 4.6.2.
826
827           May be used to limit the rule to a particular time period each day,
828           to particular days of the week or month, or to a range defined by
829           dates and times. Requires time match support in your kernel and
830           ip6tables.
831
832           timeelement may be:
833
834           timestart=hh:mm[:ss]
835               Defines the starting time of day.
836
837           timestop=hh:mm[:ss]
838               Defines the ending time of day.
839
840           contiguous
841               Added in Shoreawll 5.0.12. When timestop is smaller than
842               timestart value, match this as a single time period instead of
843               distinct intervals.
844
845           utc
846               Times are expressed in Greenwich Mean Time.
847
848           localtz
849               Deprecated by the Netfilter team in favor of kerneltz. Times
850               are expressed in Local Civil Time (default).
851
852           kerneltz
853               Added in Shorewall 4.5.2. Times are expressed in Local Kernel
854               Time (requires iptables 1.4.12 or later).
855
856           weekdays=ddd[,ddd]...
857               where ddd is one of Mon, Tue, Wed, Thu, Fri, Sat or Sun
858
859           monthdays=dd[,dd],...
860               where dd is an ordinal day of the month
861
862           datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
863               Defines the starting date and time.
864
865           datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
866               Defines the ending date and time.
867
868       SWITCH - [!]switch-name[={0|1}]
869           Added in Shorewall 5.1.0 and allows enabling and disabling the rule
870           without requiring shorewall reload.
871
872           The rule is enabled if the value stored in
873           /proc/net/nf_condition/switch-name is 1. The rule is disabled if
874           that file contains 0 (the default). If '!' is supplied, the test is
875           inverted such that the rule is enabled if the file contains 0.
876
877           Within the switch-name, '@0' and '@{0}' are replaced by the name of
878           the chain to which the rule is a added. The switch-name (after
879           '@...' expansion) must begin with a letter and be composed of
880           letters, decimal digits, underscores or hyphens. Switch names must
881           be 30 characters or less in length.
882
883           Switches are normally off. To turn a switch on:
884               echo 1 >
885                           /proc/net/nf_condition/switch-name
886           To turn it off again:
887               echo 0 >
888                           /proc/net/nf_condition/switch-name
889           Switch settings are retained over shorewall reload.
890
891           When the switch-name is followed by =0 or =1, then the switch is
892           initialized to off or on respectively by the start command. Other
893           commands do not affect the switch setting.
894

EXAMPLE

896       IPv4 Example 1:
897           Mark all ICMP echo traffic with packet mark 1. Mark all peer to
898           peer traffic with packet mark 4.
899
900           This is a little more complex than otherwise expected. Since the
901           ipp2p module is unable to determine all packets in a connection are
902           P2P packets, we mark the entire connection as P2P if any of the
903           packets are determined to match.
904
905           We assume packet/connection mark 0 means unclassified.
906
907                      #ACTION    SOURCE    DEST         PROTO   DPORT         SPORT   USER    TEST
908                      MARK(1):T  0.0.0.0/0 0.0.0.0/0    icmp    echo-request
909                      MARK(1):T  0.0.0.0/0 0.0.0.0/0    icmp    echo-reply
910                      RESTORE:T  0.0.0.0/0 0.0.0.0/0    all     -             -       -       0
911                      CONTINUE:T 0.0.0.0/0 0.0.0.0/0    all     -             -       -       !0
912                      MARK(4):T  0.0.0.0/0 0.0.0.0/0   ipp2p:all
913                      SAVE:T     0.0.0.0/0 0.0.0.0/0   all     -             -       -       !0
914
915           If a packet hasn't been classified (packet mark is 0), copy the
916           connection mark to the packet mark. If the packet mark is set,
917           we're done. If the packet is P2P, set the packet mark to 4. If the
918           packet mark has been set, save it to the connection mark.
919
920       IPv4 Example 2:
921           SNAT outgoing connections on eth0 from 192.168.1.0/24 in
922           round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
923           (Shorewall 4.5.9 and later).
924
925               /etc/shorewall/mangle:
926
927                      #ACTION            SOURCE         DEST         PROTO   DPORT         SPORT   USER    TEST
928                      CONNMARK(1-3):F    192.168.1.0/24 eth0 ; state=NEW
929
930               /etc/shorewall/snat:
931
932                      #ACTION          SOURCE              DEST     ...
933                      SNAT(1.1.1.1)    eth0:192.168.1.0/24 - { mark=1:C }
934                      SNAT(1.1.1.3)    eth0:192.168.1.0/24 - { mark=2:C }
935                      SNAT(1.1.1.4)    eth0:192.168.1.0/24 - { mark=3:C }
936
937       IPv6 Example 1:
938           Mark all ICMP echo traffic with packet mark 1. Mark all peer to
939           peer traffic with packet mark 4.
940
941           This is a little more complex than otherwise expected. Since the
942           ipp2p module is unable to determine all packets in a connection are
943           P2P packets, we mark the entire connection as P2P if any of the
944           packets are determined to match.
945
946           We assume packet/connection mark 0 means unclassified.
947
948                      #ACTION    SOURCE    DEST         PROTO   DPORT         SPORT   USER    TEST
949                      MARK(1):T  ::/0      ::/0         icmp    echo-request
950                      MARK(1):T  ::/0      ::/0         icmp    echo-reply
951                      RESTORE:T  ::/0      ::/0         all     -             -       -       0
952                      CONTINUE:T ::/0      ::/0         all     -             -       -       !0
953                      MARK(4):T  ::/0      ::/0         ipp2p:all
954                      SAVE:T     ::/0      ::/0         all     -             -       -       !0
955
956           If a packet hasn't been classified (packet mark is 0), copy the
957           connection mark to the packet mark. If the packet mark is set,
958           we're done. If the packet is P2P, set the packet mark to 4. If the
959           packet mark has been set, save it to the connection mark.
960

FILES

962       /etc/shorewall/mangle
963
964       /etc/shorewall6/mangle
965

SEE ALSO

967       https://shorewall.org/traffic_shaping.htm[14]
968
969       https://shorewall.org/MultiISP.html[3]
970
971       https://shorewall.org/PacketMarking.html[15]
972
973       https://shorewall.org/configuration_file_basics.htm#Pairs[16]
974
975       shorewall(8)
976

NOTES

978        1. shorewall-tcrules(5)
979           https://shorewall.org/manpages/shorewall-tcrules.html
980
981        2. shorewall-rules
982           https://shorewall.org/manpages/shorewall-rules.html
983
984        3. https://shorewall.org/MultiISP.html
985           https://shorewall.org/MultiISP.html
986
987        4. shorewall.conf(5)
988           https://shorewall.org/manpages/shorewall.conf.html
989
990        5. shorewall-actions(5)
991           https://shorewall.org/manpages/shorewall-actions.html
992
993        6. shorewall-tcdevices
994           https://shorewall.org/manpages/shorewall-tcdevices.html
995
996        7. shorewall-tcclasses
997           https://shorewall.org/manpages/shorewall-tcclasses.html
998
999        8. shorewall-providers(5)
1000           https://shorewall.org/manpages/shorewall-providers.html
1001
1002        9. shorewall-ecn(5)
1003           https://shorewall.org/manpages/shorewall-ecn.html
1004
1005       10. shorewall-actions
1006           https://shorewall.org/manpages/shorewall-actions.html
1007
1008       11. shorewall-interfaces
1009           https://shorewall.org/manpages/shorewall-interfaces.html
1010
1011       12. shorewall-exclusion
1012           https://shorewall.org/manpages/shorewall-exclusion.html
1013
1014       13. https://shorewall.org/configuration_file_basics.htm#ICMP
1015           https://shorewall.org/configuration_file_basics.htm#ICMP
1016
1017       14. https://shorewall.org/traffic_shaping.htm
1018           https://shorewall.org/traffic_shaping.htm
1019
1020       15. https://shorewall.org/PacketMarking.html
1021           https://shorewall.org/PacketMarking.html
1022
1023       16. https://shorewall.org/configuration_file_basics.htm#Pairs
1024           https://shorewall.org/configuration_file_basics.htm#Pairs
1025
1026
1027
1028Configuration Files               09/24/2020               SHOREWALL-MANGLE(5)
Impressum