shorewall-tcrules(5)                                       shorewall-tcrules(5)

NAME
       tcrules - Shorewall Packet Marking rules file

SYNOPSIS
       /etc/shorewall/

DESCRIPTION
       Entries in this file cause packets to be marked as a means of classifying them for traffic control or policy routing.

       Important

       Unlike rules in the shorewall-rules(5) ⟨shorewall-rules.html⟩ file, evaluation of rules in this file continues after a match. So the final mark for each packet will be the one assigned by the LAST tcrule that matches.

       If you use multiple internet providers with the 'track' option in /etc/shorewall/providers, be sure to read the restrictions at ⟨http://shorewall.net/MultiISP.html⟩.

       The columns in the file are as follows.
26
       MARK/CLASSIFY — {value|major:minor|RESTORE[/mask]|SAVE[/mask]|CONTINUE|COMMENT}[:{C|F|P|T|CF|CP|CT}]
              May assume one of the following values.

              1.  A mark value which is an integer in the range 1-255.

                  Normally will set the mark value. If preceded by a vertical bar ("|"), the mark value will be logically ORed with the current mark value to produce a new mark value. If preceded by an ampersand ("&"), it will be logically ANDed with the current mark value to produce a new mark value.

                  Both "|" and "&" require Extended MARK Target support in your kernel and iptables; neither may be used with connection marks (see below).

                  May optionally be followed by :P, :F or :T, where :P indicates that marking should occur in the PREROUTING chain, :F indicates that marking should occur in the FORWARD chain and :T indicates that marking should occur in the POSTROUTING chain. If neither :P, :F nor :T follows the mark value, then the chain is determined as follows:

                  -   If the SOURCE is $FW[:address-or-range[,address-or-range]...], then the rule is inserted into the OUTPUT chain.

                  -   Otherwise, the chain is determined by the setting of MARK_IN_FORWARD_CHAIN in shorewall.conf(5) ⟨shorewall.conf.html⟩.

                  If your kernel and iptables include CONNMARK support, then you can also mark the connection rather than the packet.

                  The mark value may optionally be followed by "/" and a mask value (used to determine those bits of the connection mark that are actually to be set). The mark and optional mask are then followed by one of:

                  C    Mark the connection in the chain determined by the setting of MARK_IN_FORWARD_CHAIN.

                  CF   Mark the connection in the FORWARD chain.

                  CP   Mark the connection in the PREROUTING chain.

                  CT   Mark the connection in the POSTROUTING chain.

                  Special considerations apply if HIGH_ROUTE_MARKS=Yes in shorewall.conf(5) ⟨shorewall.conf.html⟩.

                  If HIGH_ROUTE_MARKS=Yes, then you may also specify a value in the range 0x0100-0xFF00 with the low-order byte being zero. Such values may only be used in the PREROUTING chain (value followed by :P, or you have set MARK_IN_FORWARD_CHAIN=No in shorewall.conf(5) ⟨shorewall.conf.html⟩ and have not followed the value with :F) or the OUTPUT chain (SOURCE is $FW). With HIGH_ROUTE_MARKS=Yes, non-zero mark values less than 256 are not permitted. Shorewall 4.1 and later versions prohibit non-zero mark values less than 256 in the OUTPUT chain when HIGH_ROUTE_MARKS=Yes. While earlier versions allow such values in the OUTPUT chain, it is strongly recommended that with HIGH_ROUTE_MARKS=Yes you use the POSTROUTING chain to apply traffic shaping marks/classification.
90
              2.  A classification Id (classid) of the form major:minor where major and minor are integers. Corresponds to the 'class' specification in these traffic shaping modules:

                  atm
                  cbq
                  dsmark
                  pfifo_fast
                  htb
                  prio

                  Classification occurs in the POSTROUTING chain except when the SOURCE is $FW[:address], in which case classification occurs in the OUTPUT chain.

                  When using Shorewall's built-in traffic shaping tool, the major class is the device number (the first device in shorewall-tcdevices(5) ⟨shorewall-tcdevices.html⟩ is major class 1, the second device is major class 2, and so on) and the minor class is the class's MARK value in shorewall-tcclasses(5) ⟨shorewall-tcclasses.html⟩ preceded by the number 1 (MARK 1 corresponds to minor class 11, MARK 5 corresponds to minor class 15, MARK 22 corresponds to minor class 122, etc.).

              3.  RESTORE[/mask] -- restore the packet's mark from the connection's mark using the supplied mask, if any. Your kernel and iptables must include CONNMARK support.

                  As in 1) above, may be followed by :P or :F.

              4.  SAVE[/mask] -- save the packet's mark to the connection's mark using the supplied mask, if any. Your kernel and iptables must include CONNMARK support.

                  As in 1) above, may be followed by :P or :F.

              5.  CONTINUE -- don't process any more marking rules in the table.

                  As in 1) above, may be followed by :P or :F. Currently, CONTINUE may not be used with exclusion (see the SOURCE and DEST columns below); that restriction will be removed when iptables/Netfilter provides the necessary support.

              6.  COMMENT -- the rest of the line will be attached as a comment to the Netfilter rule(s) generated by the following entries. The comment will appear delimited by "/* ... */" in the output of shorewall show mangle.

                  To stop the comment from being attached to further rules, simply include COMMENT on a line by itself.
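The chain-selection rules and the restrictions on mark values described under item 1 above, written out as a small resolver. This is an added example, not Shorewall's own code; mark_in_forward_chain and high_route_marks stand in for the shorewall.conf settings of the same names, and only the checks this page states are enforced.

```python
# Added example, not Shorewall code: resolve a MARK/CLASSIFY entry of the
# mark-value form (item 1 above) plus the SOURCE column into the mangle
# chain this page says Shorewall uses, rejecting the combinations the page
# forbids. mark_in_forward_chain / high_route_marks model the shorewall.conf
# settings MARK_IN_FORWARD_CHAIN and HIGH_ROUTE_MARKS.

SUFFIX_CHAINS = {"P": "PREROUTING", "F": "FORWARD", "T": "POSTROUTING",
                 "CF": "FORWARD", "CP": "PREROUTING", "CT": "POSTROUTING"}


def resolve_mark(field, source, mark_in_forward_chain=True,
                 high_route_marks=False):
    """Return (value, is_connection_mark, chain) for one MARK entry."""
    op = ""
    if field[0] in "|&":                 # OR / AND into the current mark
        op, field = field[0], field[1:]
    body, _, suffix = field.partition(":")
    value = int(body.split("/")[0], 0)   # drop optional /mask; accept 0x..
    conn_mark = suffix.startswith("C")
    if op and conn_mark:
        raise ValueError('"|" and "&" may not be used with connection marks')
    if suffix in SUFFIX_CHAINS:
        chain = SUFFIX_CHAINS[suffix]
    elif suffix in ("", "C"):            # default: MARK_IN_FORWARD_CHAIN
        chain = "FORWARD" if mark_in_forward_chain else "PREROUTING"
    else:
        raise ValueError(f"unknown suffix :{suffix}")
    if source.startswith("$FW"):         # firewall-originated traffic
        if suffix in ("P", "F"):
            raise ValueError(":P/:F not allowed with $FW; marking is in OUTPUT")
        if suffix in ("", "C"):
            chain = "OUTPUT"
    if 1 <= value <= 255:
        # Shorewall 4.1+ rule quoted above: low marks are barred from OUTPUT.
        if high_route_marks and chain == "OUTPUT":
            raise ValueError("HIGH_ROUTE_MARKS=Yes: marks < 256 not permitted in OUTPUT")
    elif high_route_marks and 0x0100 <= value <= 0xFF00 and value & 0xFF == 0:
        if chain not in ("PREROUTING", "OUTPUT"):
            raise ValueError("high route marks only in PREROUTING or OUTPUT")
    else:
        raise ValueError(f"mark value {value:#x} out of range")
    return value, conn_mark, chain
```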
142
       SOURCE — {-|{interface|$FW}|[{interface|$FW}:]address-or-range[,address-or-range]...}[exclusion]
              Source of the packet. A comma-separated list of interface names, IP addresses, MAC addresses and/or subnets for packets being routed through a common path. List elements may also consist of an interface name followed by ":" and an address (e.g., eth1:192.168.1.0/24). For example, all packets for connections masqueraded to eth0 from other interfaces can be matched in a single rule with several alternative SOURCE criteria. However, a connection whose packets get to eth0 in a different way, e.g., direct from the firewall itself, needs a different rule.

              Accordingly, use $FW in its own separate rule for packets originating on the firewall. In such a rule, the MARK column may NOT specify either :P or :F because marking for firewall-originated packets always occurs in the OUTPUT chain.

              MAC addresses must be prefixed with "~" and use "-" as a separator.

              Example: ~00-A0-C9-15-39-78

              You may exclude certain hosts from the set already defined through use of an exclusion (see shorewall-exclusion(5) ⟨shorewall-exclusion.html⟩).
168
       DEST — {-|{interface|[interface:]address-or-range[,address-or-range]...}[exclusion]
              Destination of the packet. Comma-separated list of IP addresses and/or subnets. If your kernel and iptables include iprange match support, IP address ranges are also allowed. List elements may also consist of an interface name followed by ":" and an address (e.g., eth1:192.168.1.0/24). If the MARK column specifies a classification of the form major:minor, then this column may also contain an interface name.

              You may exclude certain hosts from the set already defined through use of an exclusion (see shorewall-exclusion(5) ⟨shorewall-exclusion.html⟩).
182
       PROTO — {-|tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}
              Protocol - ipp2p requires ipp2p match support in your kernel and iptables.

       PORT(S) (Optional) — [-|port-name-number-or-range[,port-name-number-or-range]...]
              Destination Ports. A comma-separated list of port names (from services(5)), port numbers or port ranges; if the protocol is icmp, this column is interpreted as the destination icmp-type(s).

              If the protocol is ipp2p, this column is interpreted as an ipp2p option without the leading "--" (example: bit for bit-torrent). If no PORT is given, ipp2p is assumed.

              This column is ignored if PROTOCOL = all but must be entered if any of the following fields is supplied. In that case, it is suggested that this field contain "-".
202
       SOURCE PORT(S) (Optional) — [-|port-name-number-or-range[,port-name-number-or-range]...]
              Source port(s). If omitted, any source port is acceptable. Specified as a comma-separated list of port names, port numbers or port ranges.

       USER (Optional) — [!][user-name-or-number][:group-name-or-number][+program-name]
              This column may only be non-empty if the SOURCE is the firewall itself.

              When this column is non-empty, the rule applies only if the program generating the output is running under the effective user and/or group specified (or is NOT running under that id if "!" is given).

              Examples:

              joe      program must be run by joe

              :kids    program must be run by a member of the 'kids' group

              !:kids   program must not be run by a member of the 'kids' group

              +upnpd   program named upnpd

              Important

              The ability to specify a program name was removed from Netfilter in kernel version 2.6.14.
232
       TEST — [!]value[/mask][:C]
              Defines a test on the existing packet or connection mark. The rule will match only if the test returns true.

              If you don't want to define a test but need to specify anything in the following columns, place a "-" in this field.

              !        Inverts the test (not equal)

              value    Value of the packet or connection mark.

              mask     A mask to be applied to the mark before testing.

              :C       Designates a connection mark. If omitted, the packet mark's value is tested.

       LENGTH (Optional) — [length|[min]:[max]]
              Packet Length. This field, if present, allows you to match the length of a packet against a specific value or range of values. You must have iptables length support for this to work. A range is specified in the form min:max where either min or max (but not both) may be omitted. If min is omitted, then 0 is assumed; if max is omitted, then any packet that is min or longer will match.

       TOS — tos
              Type of service. Either a standard name, or a numeric value to match.

              Minimize-Delay (16)
              Maximize-Throughput (8)
              Maximize-Reliability (4)
              Minimize-Cost (2)
              Normal-Service (0)
267
EXAMPLE
       Example 1:
              Mark all ICMP echo traffic with packet mark 1. Mark all peer-to-peer traffic with packet mark 4.

              This is a little more complex than otherwise expected. Since the ipp2p module is unable to determine that all packets in a connection are P2P packets, we mark the entire connection as P2P if any of the packets are determined to match.

              We assume packet/connection mark 0 means unclassified.

              #MARK/    SOURCE     DEST       PROTO      PORT(S)       SOURCE   USER   TEST
              #CLASSIFY                                                PORT(S)
              1         0.0.0.0/0  0.0.0.0/0  icmp       echo-request
              1         0.0.0.0/0  0.0.0.0/0  icmp       echo-reply
              RESTORE   0.0.0.0/0  0.0.0.0/0  all        -             -        -      0
              CONTINUE  0.0.0.0/0  0.0.0.0/0  all        -             -        -      !0
              4         0.0.0.0/0  0.0.0.0/0  ipp2p:all
              SAVE      0.0.0.0/0  0.0.0.0/0  all        -             -        -      !0

              If a packet hasn't been classified (packet mark is 0), copy the connection mark to the packet mark. If the packet mark is set, we're done. If the packet is P2P, set the packet mark to 4. If the packet mark has been set, save it to the connection mark.
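To make the "evaluation continues after a match, last mark wins, CONTINUE stops" semantics concrete, here is a small evaluator run over the Example 1 rule set. It is an added example, not Shorewall code: the ipp2p match is modelled as a per-packet boolean (it only fires on some packets of a P2P connection, which is exactly why the example saves the connection mark), and SOURCE/DEST are omitted because both are 0.0.0.0/0 in the example.

```python
# Added example, not Shorewall code: evaluate the Example 1 tcrules the way
# this page describes them. Rules are tried top to bottom, every matching
# rule acts, the last mark assigned wins, and CONTINUE stops processing.

# (MARK, PROTO, PORT(S), TEST) columns of Example 1.
EXAMPLE_RULES = [
    ("1", "icmp", "echo-request", "-"),
    ("1", "icmp", "echo-reply", "-"),
    ("RESTORE", "all", "-", "0"),
    ("CONTINUE", "all", "-", "!0"),
    ("4", "ipp2p:all", "-", "-"),
    ("SAVE", "all", "-", "!0"),
]


def mark_test_ok(test, packet_mark):
    """TEST column: '-' means no test, a leading '!' inverts it."""
    if test == "-":
        return True
    return (packet_mark == int(test.lstrip("!"), 0)) != test.startswith("!")


def rule_matches(proto, port, packet):
    """PROTO/PORT(S) match; ipp2p is a constructed boolean on the packet."""
    if proto == "all":
        return True
    if proto == "ipp2p:all":
        return packet["p2p"]
    return proto == packet["proto"] and port in ("-", packet["port"])


def apply_tcrules(rules, packet, conn_mark=0):
    """Return (packet_mark, conn_mark) after the whole rule set."""
    packet_mark = 0                      # every packet starts unclassified
    for mark, proto, port, test in rules:
        if not (rule_matches(proto, port, packet)
                and mark_test_ok(test, packet_mark)):
            continue
        if mark == "RESTORE":            # connection mark -> packet mark
            packet_mark = conn_mark
        elif mark == "SAVE":             # packet mark -> connection mark
            conn_mark = packet_mark
        elif mark == "CONTINUE":         # stop processing tcrules
            break
        else:
            packet_mark = int(mark, 0)   # plain mark value: set it
    return packet_mark, conn_mark
```

Feeding it a constructed P2P connection shows the effect: the packet ipp2p recognises leaves with packet and connection mark 4, and a later packet of the same connection that ipp2p does not recognise still gets mark 4 via RESTORE and then stops at CONTINUE.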
293
FILES
       /etc/shorewall/tcrules

SEE ALSO
       ⟨http://shorewall.net/traffic_shaping.htm⟩

       ⟨http://shorewall.net/MultiISP.html⟩

       ⟨http://shorewall.net/PacketMarking.html⟩

       shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5), shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)

                                  19 May 2008                shorewall-tcrules(5)