diff --git a/docs/FAQ.xml b/docs/FAQ.xml index 003d62f3c..8f5447203 100644 --- a/docs/FAQ.xml +++ b/docs/FAQ.xml @@ -247,7 +247,7 @@ DNAT net:address loc:local-IP-address You are trying to test from inside your firewall (no, that - won't work -- see ). + won't work -- see ). @@ -2267,9 +2267,10 @@ gateway:~# Answer: Suppose that you want all traffic to go out through ISP1 (mark 1) unless you specify otherwise. Then simply add these two rules as the first marking rules in your - /etc/shorewall/tcrules file: + /etc/shorewall/mangle + (/etc/shorewall/tcrules) file: - #MARK SOURCE DEST + #ACTION SOURCE DEST 1:P 0.0.0.0/0 1 $FW other MARK rules @@ -2974,7 +2975,7 @@ Shorewall has detected the following iptables/netfilter capabilities: Persistent SNAT: Available gateway:~# - +
diff --git a/docs/Helpers.xml b/docs/Helpers.xml index 673d3dc7a..b40503945 100644 --- a/docs/Helpers.xml +++ b/docs/Helpers.xml @@ -377,7 +377,8 @@ The iptables helper match is supported by Shorewall in the form of the HELPER column in shorewall-tcrules + url="manpages/shorewall-mangle.html">shorewall-mangle (5) and + shorewall-tcrules (5). The CT target is supported directly in /etc/shorewall/tcrules + /etc/shorewall/mangle + /etc/shorewall/accounting @@ -188,10 +191,10 @@ tcp 6 269712 ESTABLISHED src=192.168.3.8 dst=206.124.146.177 sport=50584 dp - These are implemented in the /etc/shorewall/tcrules file as - follows: + These are implemented in the /etc/shorewall/tcrules and + /etc/shorewall/mangle files as follows: - #MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST + #ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST # PORT(S) RESTORE:P - - tcp CONTINUE:P - - tcp - - - !0 diff --git a/docs/IPv6Support.xml b/docs/IPv6Support.xml index e1b558606..c20ffe480 100644 --- a/docs/IPv6Support.xml +++ b/docs/IPv6Support.xml @@ -136,13 +136,13 @@ - IPv4 packet marking is controlled by - /etc/shorewall/tcrules + IPv4 packet marking is controlled by /etc/shorewall/mangle + (Shorewall 4.6.0 and later) or by /etc/shorewall/tcrules - IPv6 packet marking is controlled by - /etc/shorewall6/tcrules + IPv6 packet marking is controlled by /etc/shorewall6/mangle + (Shorewall 4.6.0 and later) or by /etc/shorewall6/tcrules
diff --git a/docs/Manpages.xml b/docs/Manpages.xml index 8acf20ca3..010a89250 100644 --- a/docs/Manpages.xml +++ b/docs/Manpages.xml @@ -106,6 +106,9 @@ maclist - Define MAC verification. + mangle - + Supercedes tcrules and describes packet/connection marking. + masq - Define Masquerade/SNAT @@ -181,7 +184,8 @@ state (added in Shorewall 4.5.8). tcrules - - Define packet marking rules, usually for traffic shaping. + Define packet marking rules, usually for traffic shaping. Superceded + by mangle (above) in Shorewall 4.6.0. tos - Define TOS field manipulation. diff --git a/docs/Manpages6.xml b/docs/Manpages6.xml index d0fb91f0d..5995c86ee 100644 --- a/docs/Manpages6.xml +++ b/docs/Manpages6.xml @@ -90,6 +90,12 @@ maclist - Define MAC verification. + mangle - + Supercedes tcrules and describes packet/connection marking. + + masq - + Define Masquerade/SNAT + modules - Specify which kernel modules to load. @@ -155,7 +161,8 @@ Classify traffic for simplified traffic shaping. tcrules - - Define packet marking rules, usually for traffic shaping. + - Define packet marking rules, usually for traffic shaping. Superceded + by mangle (above) in Shorewall 4.6.0. tos - Define TOS field manipulation. diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml index f55c89ca1..e1f6683f5 100644 --- a/docs/MultiISP.xml +++ b/docs/MultiISP.xml @@ -145,7 +145,7 @@ Entries in /etc/shorewall/providers can specify that outgoing connections are to be load-balanced between the - two ISPs. Entries in /etc/shorewall/tcrules and + two ISPs. Entries in /etc/shorewall/mangle and /etc/shorewall/rtrules can be used to direct particular outgoing connections to one ISP or the other. Use of /etc/shorewall/tcrules is not required for 
@@ -153,6 +153,11 @@ cases, you must select a unique MARK value for each provider so Shorewall can set up the correct marking rules for you. + + /etc/shorewall/mangle superceded + /etc/shorewall/tcrules in Shorewall 4.6.0. + + When you use the track option in /etc/shorewall/providers, connections from the Internet are automatically routed back out of the correct interface and @@ -168,7 +173,7 @@ This feature uses packet marking to control the routing. As a consequence, there are some restrictions concerning entries in - /etc/shorewall/tcrules: + /etc/shorewall/mangle: @@ -230,11 +235,11 @@ MARK - A mark value used in your /etc/shorewall/tcrules file to - direct packets to this provider. Shorewall will also mark - connections that have seen input from this provider with this - value and will restore the packet mark in the PREROUTING CHAIN. - Mark values must be in the range 1-255. + A mark value used in your /etc/shorewall/mangle + file to direct packets to this provider. Shorewall will + also mark connections that have seen input from this provider with + this value and will restore the packet mark in the PREROUTING + CHAIN. Mark values must be in the range 1-255. Alternatively, you may set HIGH_ROUTE_MARKS=Yes (PROVIDER_OFFSET > 0 with Shorewall 4.4.26 and later) in @@ -411,7 +416,7 @@ have multiple Internet connections, we recommend that you specify balance even if you don't need it. You can still use entries in - /etc/shorewall/tcrules and + /etc/shorewall/mangle and /etc/shorewall/rtrules to force all traffic to one provider or another. If you don't heed this advice then please read @@ -638,7 +643,7 @@ packets with a connection mark have their packet mark set to the value of the associated connection mark; packets marked in this way bypass any prerouting rules that you create in - /etc/shorewall/tcrules. This ensures that + /etc/shorewall/mangle. This ensures that packets associated with connections from outside are always routed out of the correct interface. 
@@ -675,7 +680,7 @@ The bottom line is that if you want traffic to go out through a particular provider then you must mark that traffic with the provider's MARK value in - /etc/shorewall/tcrules and you must do that marking + /etc/shorewall/mangle and you must do that marking in the PREROUTING chain; or, you must provide the appropriate rules in /etc/shorewall/rtrules. @@ -727,7 +732,7 @@ eth1 0.0.0.0/0 130.252.99.27 Entries in /etc/shorewall/masq have no effect on which ISP a particular connection will be sent through. That is rather the purpose of entries in - /etc/shorewall/tcrules and + /etc/shorewall/mangle and /etc/shorewall/rtrules. @@ -777,7 +782,7 @@ Feb 9 17:23:45 gw.ilinx kernel: ll header: 00:a0:24:2a:1f:72:00:13:5f:07:97:05: You are redirecting traffic from the firewall system out of one interface or the other using packet marking in your - /etc/shorewall/tcrules file. A better approach + /etc/shorewall/mangle file. A better approach is to configure the application to use the appropriate local IP address (the IP address of the interface that you want the application to use). See below. @@ -842,21 +847,21 @@ eth1 0.0.0.0/0 130.252.99.27 Now suppose that you want to route all outgoing SMTP traffic from your local network through ISP 2. You would make this entry in /etc/shorewall/tcrules (and if you are + url="traffic_shaping.htm">/etc/shorewall/mangle (and if you are running a version of Shorewall earlier than 3.0.0, you would set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf). - #MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST + #ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST # PORT(S) -2:P <local network> 0.0.0.0/0 tcp 25 +MARK(2):P <local network> 0.0.0.0/0 tcp 25 Note that traffic from the firewall itself must be handled in a different rule: #MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST # PORT(S) -2 $FW 0.0.0.0/0 tcp 25 +MARK(2) $FW 0.0.0.0/0 tcp 25
@@ -940,7 +945,7 @@ eth3 0.0.0.0/0 16.105.78.4 particular provider As noted above, separate - entries in /etc/shorewall/tcrules are required for + entries in /etc/shorewall/mangle are required for traffic originating from the firewall. Experience has shown that in some cases, problems occur with @@ -986,7 +991,7 @@ lo - shorewall 1000 The rtrules file allows assigning certain traffic to a particular provider just as entries in the - tcrules file. The difference between the two files + mangle file. The difference between the two files is that entries in rtrules are independent of Netfilter. @@ -1690,7 +1695,7 @@ ISP2 2 2 - eth1 130.252.99.254 track except when you explicitly direct it to use the other provider via shorewall-rtrules (5) or shorewall-tcrules + url="manpages/shorewall-tcrules.html">shorewall-mangle (5). Example (send all traffic through the 'shorewall' provider unless @@ -1868,7 +1873,8 @@ ONBOOT=yes shorewall-providers (5) is available in the form of a PROBABILITY column in shorewall-tcrules (5). This feature requires the + url="manpages/shorewall-mangle.html">shorewall-mangle(5) (shorewall-tcrules) (5). This feature requires the Statistic Match capability in your iptables and kernel. 
@@ -2481,12 +2487,20 @@ wireless 3 3 - wlan0 172.20.1.1 track,o (only two are currently used) through the avvanta provider. - Here is the tcrules file (MARK_IN_FORWARD_CHAIN=No in - shorewall.conf):#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS CONNBYTES HELPER + Here is the mangle file (MARK_IN_FORWARD_CHAIN=No in + shorewall.conf):#ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER +# PORT(S) PORT(S) +MARK(2) $FW 0.0.0.0/0 tcp 21 +MARK(2) $FW 0.0.0.0/0 tcp - - - - - - - ftp +MARK(2) $FW 0.0.0.0/0 tcp 119 + + Here are the equivalent tcrules entries: + + #MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS CONNBYTES HELPER # PORT(S) 2 $FW 0.0.0.0/0 tcp 21 2 $FW 0.0.0.0/0 tcp - - - - - - - ftp -2 $FW 0.0.0.0/0 tcp 119 +2 $FW 0.0.0.0/0 tcp 119 These rules: @@ -2769,7 +2783,7 @@ br0 - ComcastB 11000 32767: from all lookup default root@gateway:~# - /etc/shorewall/tcrules is not used to support + /etc/shorewall/mangle is not used to support Multi-ISP: #MARK SOURCE DEST PROTO DEST SOURCE @@ -2785,7 +2799,7 @@ SAME:P INT_IF - tcp 80,443 ?if $PROXYDMZ TPROXY(3129,172.20.1.254) br0 - tcp 80 ?endif -?endof +?endif
diff --git a/docs/PacketHandling.xml b/docs/PacketHandling.xml index e01559187..f1dcd5409 100644 --- a/docs/PacketHandling.xml +++ b/docs/PacketHandling.xml @@ -74,7 +74,8 @@ Packets are marked based on the contents of your - /etc/shorewall/tcrules file and the setting of + /etc/shorewall/mangle + (/etc/shorewall/tcrules) file and the setting of MARK_IN_FORWARD_CHAIN in /etc/shorewall/shorewall.conf. This occurs in the tcpre chain of the diff --git a/docs/PacketMarking.xml b/docs/PacketMarking.xml index 455d2cebe..ee92d5ad1 100644 --- a/docs/PacketMarking.xml +++ b/docs/PacketMarking.xml @@ -5,7 +5,8 @@ - Packet Marking using /etc/shorewall/tcrules + Packet Marking using /etc/shorewall/mangle and + /etc/shorewall/tcrules @@ -42,6 +43,12 @@ earlier releases. + + /etc/shorewall/mangle superceded /etc/shorewall/tcruels in Shorewall + 4.6.0. /etc/shorwall/tcrules is still supported but its use is + deprecated. + +
Packet and Connection Marks @@ -103,21 +110,23 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport= table. See the Netfilter Overview article. - You can think of entries in the tcrules file like instructions in a - program coded in a crude assembly language. The program gets executed for - each packet. + You can think of entries in the mangle and tcrules files like + instructions in a program coded in a crude assembly language. The program + gets executed for each packet. That is another way of saying that if you don't program, you may have difficulty making full use of Netfilter/Shorewall's Packet Marking. - Actually, the tcrules define several programs. Each program - corresponds to one of the built-in chains in the mangle table. + Actually, the mangle/tcrules files define several programs. Each + program corresponds to one of the built-in chains in the mangle + table. PREROUTING program — If MARK_IN_FORWARD_CHAIN=No in shorewall.conf, then by default entries in + /etc/shorewall/mangle and /etc/shorewall/tcrules are part of the PREROUTING program. Entries specifying the ":P" suffix in the ACTION column are also part of the PREROUTING program. The PREROUTING program gets @@ -126,7 +135,8 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport= FORWARD program — If MARK_IN_FORWARD_CHAIN=Yes in - shorewall.conf, then by default entries in + shorewall.conf, then by default entries + in/etc/shorewall/mangle and /etc/shorewall/tcrules are part of the FORWARD program. Entries specifying the ":F" suffix in the ACTION column are also part of the FORWARD program. The FORWARD program gets executed 
@@ -254,8 +264,8 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport= rules use a mask value that depends on which program the rule is part of, what the rule does, and the setting of HIGH_ROUTE_MARKS. - For entries in tcrules, the default mask value is 0xffff except in - these cases: + For entries in mangle and tcrules, the default mask value is 0xffff + except in these cases: @@ -415,12 +425,12 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport= Shorewall-defined Chains in the Mangle Table Shorewall creates a set of chains in the mangle table to hold rules - defined in your /etc/shorewall/tcrules file. As - mentioned above, chains are like subroutines in the packet marking - programming language. By placing all of your rules in subroutines, - CONTINUE (which generates a Netfilter RETURN rule) can be used to stop - processing your rules while still allowing following Shorewall-generated - rules to be executed. + defined in your /etc/shorewall/mangle + (/etc/shorewall/tcrules) file. As mentioned above, + chains are like subroutines in the packet marking programming language. By + placing all of your rules in subroutines, CONTINUE (which generates a + Netfilter RETURN rule) can be used to stop processing your rules while + still allowing following Shorewall-generated rules to be executed. 
@@ -464,18 +474,18 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport= An Example Here's the example (slightly expanded) from the comments at the top - of the /etc/shorewall/tcrules file. + of the /etc/shorewall/mangle file. #ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS # PORT(S) -1 0.0.0.0/0 0.0.0.0/0 icmp echo-request #Rule 1 -1 0.0.0.0/0 0.0.0.0/0 icmp echo-reply #Rule 2 -1 $FW 0.0.0.0/0 icmp echo-request #Rule 3 -1 $FW 0.0.0.0/0 icmp echo-reply #Rule 4 +MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-request #Rule 1 +MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-reply #Rule 2 +MARK(1) $FW 0.0.0.0/0 icmp echo-request #Rule 3 +MARK(1) $FW 0.0.0.0/0 icmp echo-reply #Rule 4 RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0 #Rule 5 CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 6 -4 0.0.0.0/0 0.0.0.0/0 ipp2p:all #Rule 7 +MARK(4) 0.0.0.0/0 0.0.0.0/0 ipp2p:all #Rule 7 SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 8 ##LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE @@ -537,8 +547,8 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #R
Examining the Marking Programs on a Running System - You can see the tcrules in action using the shorewall show - mangle command. + You can see the mangle (tcrules) entries in action using the + shorewall show mangle command. The sample output from that command shown below has the following in /etc/shorewall/providers: @@ -548,13 +558,13 @@ Blarg 1 0x100 main eth3 206.124.146.254 track,ba #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE - Here is /etc/shorewall/tcrules: + Here is /etc/shorewall/mangle: - #ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST -# PORT(S) -1:110 192.168.0.0/22 eth3 #Our internal nets get priority + #ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST +# PORT(S) +CLASSIFY(1:110) 192.168.0.0/22 eth3 #Our internal nets get priority #over the server -1:130 206.124.146.177 eth3 tcp - 873 +CLASSIFY(1:130) 206.124.146.177 eth3 tcp - 873 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE @@ -676,7 +686,7 @@ Chain tcout (1 references) Chain tcpost (1 references) pkts bytes target prot opt in out source destination -<<<< The next two rules are the entries in the /etc/shorewall/tcrules file >>>> +<<<< The next two rules are the entries in the /etc/shorewall/mangle file >>>> 65061 11M CLASSIFY all -- * eth3 192.168.0.0/22 0.0.0.0/0 CLASSIFY set 1:110 2224 2272K CLASSIFY tcp -- * eth3 206.124.146.177 0.0.0.0/0 tcp spt:873 CLASSIFY set 1:130 diff --git a/docs/Shorewall_Squid_Usage.xml b/docs/Shorewall_Squid_Usage.xml index 49284a5b4..d997f578e 100644 --- a/docs/Shorewall_Squid_Usage.xml +++ b/docs/Shorewall_Squid_Usage.xml @@ -240,7 +240,13 @@ Squid 1 202 - eth1 192.168.1.3 loose,no - In /etc/shorewall/tcrules add: + In /etc/shorewall/mangle add: + + #ACTION SOURCE DEST PROTO DEST +# PORT(S) +MARK(202):P eth1:!192.168.1.3 0.0.0.0/0 tcp 80 + + Corresponding /etc/shorewall/tcrules entries are: #MARK SOURCE DEST PROTO DEST # PORT(S) 
@@ -304,7 +310,13 @@ Squid 1 202 - eth2 192.0.2.177 loose,no - In /etc/shorewall/tcrules add: + In /etc/shorewall/mangle add: + + #ACTION SOURCE DEST PROTO DEST +# PORT(S) +MARK(202):P eth1 0.0.0.0/0 tcp 80 + + Corresponding /etc/shorewall/tcrules entries are: #MARK SOURCE DEST PROTO DEST # PORT(S) @@ -376,8 +388,12 @@ ACCEPT $FW net tcp 80,443 Support for the TPROXY action in shorewall-tcrules(5) and the option in shorewall-providers(5) has been available since Shoreall 4.4.7. That support required additional rules - to be added in the 'start' extention script to make it work - reliably. + to be added in the 'start' extention script to make it work reliably. + Beginning with Shorewall 4.6.0, TPROXY in shorewall-tcrules(5) and + in shorewall-mangle(5) work as + described here. The following configuration works with Squid running on the firewall @@ -399,9 +415,17 @@ Tproxy 1 - - lo - tproxytproxy. - /etc/shorewall/tcrules (assume loc interface is + /etc/shorewall/mangle (assume loc interface is eth1 and net interface is eth0): + #ACTION SOURCE DEST PROTO DEST SOURCE +# PORT(S) PORT(S) +DIVERT eth0 0.0.0.0/0 tcp - 80 +TPROXY(3129) eth1 0.0.0.0/0 tcp 80 + + Corresponding /etc/shorewall/tcrules + are: + FORMAT 2 #MARK SOURCE DEST PROTO DEST SOURCE # PORT(S) PORT(S) diff --git a/docs/Shorewall_and_Routing.xml b/docs/Shorewall_and_Routing.xml index 408a7d3fa..7678a617b 100644 --- a/docs/Shorewall_and_Routing.xml +++ b/docs/Shorewall_and_Routing.xml 
@@ -89,9 +89,12 @@ Packets may be marked using entries in the /etc/shorewall/tcrules file. Entries in that file - containing ":P" in the mark column are applied here as are rules - that default to the MARK_IN_FORWARD_CHAIN=No setting in + url="manpages/shorewall-mangle.html">/etc/shorewall/mangle + (/etc/shorewall/tcrules) + file. Entries in that file containing ":P" in the mark column are + applied here as are rules that default to the + MARK_IN_FORWARD_CHAIN=No setting in /etc/shorewall/shorewall.conf. These marks may be used to specify that the packet should be routed using an alternate routing table; see the Packets may be marked using entries in the /etc/shorewall/tcrules file (rules with "$FW" in - the SOURCE column). These marks may be used to specify that the - packet should be re-routed using an alternate routing table. + url="manpages/shorewall-tcrules.html">/etc/shorewall/mangle + (/etc/shorewall/tcrules) + file (rules with "$FW" in the SOURCE column). These marks may be + used to specify that the packet should be re-routed using an + alternate routing table. diff --git a/docs/traffic_shaping.xml b/docs/traffic_shaping.xml index c461bd85e..acb276c3a 100644 --- a/docs/traffic_shaping.xml +++ b/docs/traffic_shaping.xml @@ -184,7 +184,9 @@ you set WIDE_TC_MARKS=Yes in shorewall.conf (5) ). You assign packet marks to different types of traffic using entries in the - /etc/shorewall/tcrules file. + /etc/shorewall/tcrules file (Shorewall 4.6.0 or + later) or /etc/shorewall/tcrules (Prior to + Shorewall 4.6.0). In Shorewall 4.4.26, WIDE_TC_MARKS was superseded by TC_BITS @@ -192,7 +194,7 @@ The default is based on the setting of WIDE_TC_MARKS so as to provide upward compatibility. See the Packet Marking using - /etc/shorewall/tcrules article. + /etc/shorewall/mangle article. 
@@ -204,7 +206,8 @@ Netfilter also supports a mark value on each connection. You can assign connection mark values in - /etc/shorewall/tcrules, you can copy the current + /etc/shorewall/mangle + (/etc/shorewall/tcrules), you can copy the current packet's mark to the connection mark (SAVE), or you can copy the connection mark value to the current packet's mark (RESTORE). For more information, see this @@ -409,7 +412,8 @@ If specified, classification of traffic into the various classes is done by CLASSIFY entries in - /etc/shorewall/tcrules or by entries in + /etc/shorewall/mangle + (/etc/shorewall/tcrules) or by entries in /etc/shorewall/tcfilters. No MARK value will be associated with classes on this interface. @@ -545,11 +549,11 @@ ppp0 6000kbit 500kbit MARK - The mark value which is an integer in the range 1-255 (1-16383 if you set WIDE_TC_MARKS=Yes or set TC_BITS=14 in shorewall.conf (5) ). You - define these marks in the tcrules file, marking the traffic you want - to go into the queuing classes defined in here. You can use the same - marks for different Interfaces. You must specify "-' in this column - if the device specified in the INTERFACE column has the classify option in + define these marks in the mangle or tcrules file, marking the + traffic you want to go into the queuing classes defined in here. You + can use the same marks for different Interfaces. You must specify + "-' in this column if the device specified in the INTERFACE column + has the classify option in /etc/shorewall/tcdevices. @@ -648,9 +652,9 @@ ppp0 6000kbit 500kbit occurs=number - Typically used with - an IPMARK entry in tcrules. Causes the rule to be replicated for - a total of number rules. Each rule has a - successively class number and mark value. + an IPMARK entry in mangle or tcrules. Causes the rule to be + replicated for a total of number rules. + Each rule has a successively class number and mark value. When 'occurs' is used: 
@@ -679,7 +683,8 @@ ppp0 6000kbit 500kbit the class. So the total RATE represented by an entry with 'occurs' will be the listed RATE multiplied by number. For additional information, see - tcrules + mangle (5) + or tcrules (5). @@ -823,7 +828,7 @@ ppp0 6000kbit 500kbit
- /etc/shorewall/tcrules + /etc/shorewall/mangle and /etc/shorewall/rules Unlike rules in the either set MARK_IN_FORWARD_CHAIN=Yes shorewall.conf or by using the :F qualifier (see below). - Columns in the file are as follows: + See shorewall-mangle(5) and shorewall-tcrules(5) for a description + of the entries in these files. Note that the mangle file superceded the + tcrules file in Shorewall 4.6.0. - - - ACTION - ACTION (previously called MARK) specifies the mark - value is to be assigned in case of a match. This is an integer in - the range 1-255 (1-16383 if you set WIDE_TC_MARKS=Yes or TC_BITS=14 - in shorewall.conf - (5) ). - - - In Shorewall 4.4.26, WIDE_TC_MARKS was superseded by TC_BITS - which specifies the width in bits of the traffic shaping mark - field. The default is based on the setting of WIDE_TC_MARKS so as - to provide upward compatibility. - - - This value may be optionally followed by : and - either F, P or "T" to designate that - the marking will occur in the FORWARD, PREROUTING or POSTROUTING - chains respectively. If this additional specification is omitted, - the chain used to mark packets will be determined as follows: - - - - If the SOURCE is - $FW[:<address>], then the rule is - inserted in the OUTPUT chain. - - - - Otherwise, the chain is determined by the setting of the - MARK_IN_FORWARD_CHAIN option in shorewall.conf. - - - - - Use the 'T' qualifier if you want the - rule to apply equally to traffic being routed through the firewall - and to traffic originating on the firewall - itself. - - - Normally, the mark is applied to the packet. If you follow the - mark value with ":" and "C", then the mark is applied to the - connection. "C" can be combined with "F", "P" or "T" to designate - that the connection should be marked in a particular chain (e.g., - "CF", "CP", "CT"). - - There are additional special values available: - - - - RESTORE[/mask] -- - restore the packet's mark from the connection's mark using the - supplied mask if any. 
Your kernel and iptables must include - CONNMARK support. - - As above, may be followed by :P, :F - or :T. - - - - SAVE[/mask] -- save - the packet's mark to the connection's mark using the supplied - mask if any. Your kernel and iptables must include CONNMARK - support. - - As above, may be followed by :P, :F - or :T. - - - - CONTINUE Don't process - any more marking rules in the table. - - As above, may be followed by :P, :F - or :T. - - - - COMMENT -- the rest of - the line will be attached as a comment to the Netfilter rule(s) - generated by the following entries. The comment will appear - delimited by "/* ... */" in the output of shorewall - show mangle - - To stop the comment from being attached to further rules, - simply include COMMENT on a line by itself. - - - - To use CLASSIFY, your kernel and iptables must include - CLASSIFY target support. In that case, this column contains a - classification (classid) of the form <major>:<minor> - where <major> and <minor> are integers. Corresponds to - the 'class' specification in these traffic shaping modules: - - - atm - - cbq - - dsmark - - pfifo_fast - - htb - - prio - - - Classification occurs in the POSTROUTING chain except when the SOURCE contains - $FW[:<address>] in which case, the - classify action takes place in the OUTPUT chain. When used with the - builtin traffic shaper, the <major> class is the interface - number and the <minor> class is either: - - - - Constructed by Shorewall. The method of construction - depends on the setting of WIDE_TC_MARKS (TC_BITS in shorewall - 4.4.26 and later) in (shorewall.conf - (5)). - - When WIDE_TC_MARKS=No (the default) or TC_BITS > 14, - the <minor> class is: - - - - the MARK value of the class preceded by the number "1" - or "10" (MARK value 1 is <minor> class 11, MARK value - 22 is <minor> class 122, and so on). "10" is used - where there are more than 10 devices defined in /etc/shorewall/tcdevices. 
- - - - When WIDE_TC_MARKS=Yes (TC_BITS >= 14), the - <minor> class is assigned sequentially beginning with - 2. - - - - The class number, if specified. - - - - - - SOURCE - Source of the packet. - - May be: - - - - An interface name - matches traffic entering the firewall - on the specified interface. May not be used in classify rules or - in rules using the :T chain qualifier. - - - - A comma-separated list of host or network IP addresses or - MAC addresses. This form will not match - traffic that originates on the firewall itself unless either - <major><minor> or the :T chain qualifier is used in - the ACTION column. - - Examples: - 0.0.0.0/0 - - - - 192.168.1.0/24, 172.20.4.0/24 - - - - - An interface name followed by a colon (":") followed by a - comma-separated list of host or network IP addresses or MAC - addresses. May not be used in classify rules or in rules using - the :T chain qualifier. - - - - $FW optionally followed by a colon (":") and a - comma-separated list of host or network IP addresses. matches - packets originating on the firewall. May not be used with a - chain qualifier (:P, :F, etc.) in the ACTION column. - - - - MAC addresses must be prefixed with "~" and use "-" as a - separator. - - Example: ~00-A0-C9-15-39-78 - - If your kernel includes iprange match support, then address - ranges may be included in the address lists. - - - - DEST - Destination of the packet. - - May be: - - - - An interface name. May not be used in the PREROUTING chain - (:P in the mark column or no chain qualifier and - MARK_IN_FORWARD_CHAIN=No in shorewall.conf (5)). The - interface name may be optionally followed by a colon (":") and - an IP address list. - - - - A comma-separated list of host or network IP addresses. - The list may include ip address ranges if your kernel and - iptables include iprange support. - - - - - - PROTO - Protocol - Must be "tcp", "udp", "icmp", "ipp2p", - "ipp2p:udp", "ipp2p:all" a number, or "all". 
"ipp2p" requires ipp2p - match support in your kernel and iptables. - - - - PORT(S) - Destination Ports. A comma-separated list of Port - names (from /etc/services), port numbers or port ranges; if the - protocol is "icmp", this column is interpreted as the destination - icmp-type(s). - - If the protocol is ipp2p, this column is interpreted as an - ipp2p option without the leading "--" (example "bit" for - bit-torrent). If no PORT is given, "ipp2p" is assumed. Note that the - xtables-addons version of IPP2P does not support the "ipp2p" option; - if the column is empty or contains "ipp2p" when using that version - of IPP2P, Shorewall will substitute "edk,kazaa,gnu,dc". - - This column is ignored if PROTOCOL = all but must be entered - if any of the following field is supplied. In that case, it is - suggested that this field contain "-" - - - - CLIENT PORT(S) - (Optional) Port(s) used by the client. If - omitted, any source port is acceptable. Specified as a - comma-separate list of port names, port numbers or port - ranges. - - - - USER/GROUP (Optional) This column may only be non-empty if the - SOURCE is the firewall itself. When this column is non-empty, the - rule applies only if the program generating the output is running - under the effective user and/or group. It may contain : - - [!][<user name or number>]:[<group name or - number>][+<program name>] - - The colon is optional when specifying only a user. - - Examples: - - joe #program must be run by joe -:kids #program must be run by a member of the 'kids' group -!:kids #program must not be run by a member of the 'kids' group -+upnpd #program named upnpd (This feature was removed from Netfilter in kernel version 2.6.14). - - - - TEST (Optional) Defines a test on the existing packet or - connection mark. The rule will match only if the test returns true. - Tests have the format [!]<value>[/<mask>][:C] - - Where: - - - ! Inverts the test (not equal) - - <value> Value of the packet or connection - mark. 
- - <mask> A mask to be applied to the mark before - testing - - :C Designates a connection mark. If omitted, the packet - mark's value is tested. - - - - - LENGTH (Optional) This field, if present, allows you to match - the length of a packet against a specific value or range of values. - A range is specified in the form <min>:<max> where - either <min> or <max> (but not both) may be omitted. If - <min> is omitted, then 0 is assumed; if <max> is - omitted, than any packet that is <min> or longer will - match. - - You must have iptables length support for this to work. If you - let it empty or place an "-" here, no length match will be - done. - - Examples: 1024, 64:1500, :100 - - - - TOS (Optional) Type of Service. Either a standard name, or a - numeric value to match. - -
- - Minimize-Delay (16) - - Maximize-Throughput (8) - - Maximize-Reliability (4) - - Minimize-Cost (2) - - Normal-Service (0) - -
-
- - - HELPER (Optional). Names one of the Netfilter protocol helper - modules such as ftp, sip, - amanda, etc. - - - - HEADERS (Optioinal, Shorewall6 only, added in Shorewall - 4.4.15). List of IPv6 headers that may appear in packets. See shorewall6-tcrules - (5) for details. - -
+ The following examples are for the mangle file. @@ -1260,11 +920,11 @@ ppp0 6000kbit 500kbit packets arriving on eth2 and eth3 should be marked with 2. All packets originating on the firewall itself should be marked with 3. - #ACTION SOURCE DESTINATION PROTOCOL PORT(S) -1 eth1 0.0.0.0/0 all -2 eth2 0.0.0.0/0 all -2 eth3 0.0.0.0/0 all -3 $FW 0.0.0.0/0 all + #ACTION SOURCE DESTINATION PROTOCOL PORT(S) +MARK(1) eth1 0.0.0.0/0 all +MARK(2) eth2 0.0.0.0/0 all +MARK(2) eth3 0.0.0.0/0 all +MARK(3) $FW 0.0.0.0/0 all @@ -1273,8 +933,8 @@ ppp0 6000kbit 500kbit All GRE (protocol 47) packets destined for 155.186.235.151 should be marked with 12. - #ACTION SOURCE DESTINATION PROTOCOL PORT(S) -12:T 0.0.0.0/0 155.182.235.151 47 + #ACTION SOURCE DESTINATION PROTOCOL PORT(S) +MARK(12):T 0.0.0.0/0 155.182.235.151 47 @@ -1283,8 +943,8 @@ ppp0 6000kbit 500kbit All SSH request packets originating in 192.168.1.0/24 and destined for 155.186.235.151 should be marked with 22. - #ACTION SOURCE DESTINATION PROTOCOL PORT(S) -22:T 192.168.1.0/24 155.182.235.151 tcp 22 + #ACTION SOURCE DESTINATION PROTOCOL PORT(S) +MARK(22):T 192.168.1.0/24 155.182.235.151 tcp 22 @@ -1294,10 +954,10 @@ ppp0 6000kbit 500kbit /etc/shorewall/tcdevices should be assigned to the class with mark value 10. - #ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT -# PORT(S) -1:110 0.0.0.0/0 0.0.0.0/0 tcp 22 -1:110 0.0.0.0/0 0.0.0.0/0 tcp - 22 + #ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT +# PORT(S) +CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp 22 +CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp - 22 
@@ -1313,15 +973,15 @@ ppp0 6000kbit 500kbit means unclassified. Traffic originating on the firewall is not covered by this example. - #ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST -# PORT(S) GROUP -1 0.0.0.0/0 0.0.0.0/0 icmp echo-request -1 0.0.0.0/0 0.0.0.0/0 icmp echo-reply + #ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST +# PORT(S) GROUP +MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-request +MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-reply -RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0 -CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0 -4 0.0.0.0/0 0.0.0.0/0 ipp2p:all -SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 +RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0 +CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0 +MARK(4) 0.0.0.0/0 0.0.0.0/0 ipp2p:all +SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 The last four rules can be translated as: @@ -1376,7 +1036,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - - in the tcdevices, tcclasses and tcfilters files can be shared between Shorewall and Shorewall6. Only one of the products can control the configuration but the other can configure CLASSIFY rules in its own - tcrules file that refer to the shared classes. + mangle or tcrules file that refer to the shared classes. To defined the configuration in Shorewall and shared it with Shorewall6: @@ -1411,11 +1071,11 @@ ln -s ../shorewall/tcclasses /etc/shorewall6/tcclasses Shorewall6 compilations to have access to the tcdevices and tcclasses files although it will create no output. That access allows - CLASSIFY rules in /etc/shorewall6/tcrules to be validated against the TC + CLASSIFY rules in /etc/shorewall6/mangle to be validated against the TC configuration. In this configuration, it is Shorewall that controls TC - configuration (except for IPv6 tcrules). You can reverse the settings in + configuration (except for IPv6 mangle). You can reverse the settings in the files if you want to control the configuration using Shorewall6.
@@ -1451,7 +1111,8 @@ ln -s ../shorewall/tcclasses /etc/shorewall6/tcclasses An IPMARK MARKing command in - /etc/shorewall/tcrules. + /etc/shorewall/mangle + (/etc/shorewall/tcrules). @@ -1583,7 +1244,8 @@ eth0:101 - 1kbit 230kbit 4 occurs=6 The above defines 6 classes with class IDs 0x101-0x106. Each class has a guaranteed rate of 1kbit/second and a ceiling of 230kbit. - /etc/shoreall/tcrules: + /etc/shoreall/mangle or + /etc/shoreall/tcrules: #ACTION SOURCE DEST IPMARK(src,0xff,0x10100):F 192.168.1.0/29 eth0 @@ -1683,6 +1345,16 @@ NOPRIOPORTDST="6662 6663" This would result in the following additional settings to the tcrules file: + MARK(3) 192.168.1.128/25 0.0.0.0/0 all +MARK(3) 192.168.3.28 0.0.0.0/0 all +MARK(3) 0.0.0.0/0 60.0.0.0/24 all +MARK(3) 0.0.0.0/0 0.0.0.0/0 udp 6662,6663 +MARK(3) 0.0.0.0/0 0.0.0.0/0 udp - 6662,6663 +MARK(3) 0.0.0.0/0 0.0.0.0/0 tcp 6662,6663 +MARK(3) 0.0.0.0/0 0.0.0.0/0 tcp - 6662,6663 + + Corresponding tcrules file entries are: + 3 192.168.1.128/25 0.0.0.0/0 all 3 192.168.3.28 0.0.0.0/0 all 3 0.0.0.0/0 60.0.0.0/24 all @@ -1727,7 +1399,16 @@ ppp0 4 90kbit 200kbit 3 default
- tcrules file + mangle file + + #ACTION SOURCE DEST PROTO PORT(S) SOURCE USER +# PORT(S) +MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-request +MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply +MARK(2):F 192.168.2.23 0.0.0.0/0 all +MARK(3):F 192.168.2.42 0.0.0.0/0 all + + Corresponding tcrules file: #ACTION SOURCE DEST PROTO PORT(S) CLIENT USER # PORT(S) @@ -1908,11 +1589,12 @@ eth0 - 1000kbit hfsc modprobe ifb numifbs=1 ip link set ifb0 up - Entries in /etc/shorewall/tcrules have no - effect on shaping traffic through an IFB. To allow classification of such - traffic, the /etc/shorewall/tcfilters file has been added. Entries in that - file create u32 - classification rules. + Entries in /etc/shorewall/mangle or + /etc/shorewall/tcrules have no effect on shaping + traffic through an IFB. To allow classification of such traffic, the + /etc/shorewall/tcfilters file has been added. Entries in that file create + u32 classification + rules.
/etc/shorewall/tcfilters @@ -1920,7 +1602,7 @@ ip link set ifb0 up While this file was created to allow shaping of traffic through an IFB, the file may be used for general traffic classification as well. The file is similar to shorewall-tcrules(5) with the + url="shorewall-tcrules.html">shorewall-mangle(5) with the following key exceptions: @@ -2391,7 +2073,7 @@ class htb 1:120 parent 1:1 leaf 120: prio 2 quantum 1900 rate 76000bit ceil 2300 If your tcstart script uses the fwmark classifier, you can mark packets using entries in - /etc/shorewall/tcrules. + /etc/shorewall/mangle or /etc/shorewall/tcrules.
@@ -2412,7 +2094,8 @@ class htb 1:120 parent 1:1 leaf 120: prio 2 quantum 1900 rate 76000bit ceil 2300 If your script uses the fwmark classifier, you - can mark packets using entries in /etc/shorewall/tcrules. + can mark packets using entries in /etc/shorewall/mangle or + /etc/shorewall/tcrules.
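Review bot: The first hunk of docs/traffic_shaping.xml (the added "The following examples are for the mangle file." line and the @@ -1260, @@ -1273, @@ -1283, @@ -1294 and @@ -1313 hunks) drops the tcrules forms of the examples entirely, whereas the @@ -1683 and @@ -1727 hunks in the same patch keep a "Corresponding tcrules file" block beside the new mangle block. Since tcrules is still accepted (the text says "/etc/shorewall/mangle or /etc/shorewall/tcrules" elsewhere), either keep the tcrules equivalents here too, or add one sentence after "The following examples are for the mangle file." stating how the forms map (a bare mark such as "1" becomes "MARK(1)", "12:T" becomes "MARK(12):T", and "1:110" becomes "CLASSIFY(1:110)") so readers of the old format are not left guessing.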
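Review bot: In the @@ -1273 and @@ -1283 hunks the rewritten rule lines keep an address that does not match the sentence above them: the prose says "destined for 155.186.235.151" but the rules read "MARK(12):T 0.0.0.0/0 155.182.235.151 47" and "MARK(22):T 192.168.1.0/24 155.182.235.151 tcp 22". The mismatch is inherited from the removed lines, but these lines are being rewritten anyway, so align the address in the rules with the text (or the text with the rules) in the same change.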
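Review bot: In the @@ -1583 hunk the misspelled path from the removed line is carried into both new lines: "/etc/shoreall/mangle or /etc/shoreall/tcrules:" should read "/etc/shorewall/mangle or /etc/shorewall/tcrules:", matching the path used in every other hunk of this patch.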
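Review bot: In the @@ -1683 hunk the unchanged introductory line still reads "This would result in the following additional settings to the tcrules file:", but the block inserted directly after it is in mangle syntax (MARK(3) ...), and the tcrules block now follows under "Corresponding tcrules file entries are:". Change the intro to say "mangle file" so the two blocks are labelled correctly and the "Corresponding tcrules file" sentence does not describe a second tcrules block.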
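Review bot: In the @@ -1727 hunk the header row of the new mangle table reads "#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER / # PORT(S)" while the tcrules table kept immediately below it reads "... PORT(S) CLIENT USER / # PORT(S)". Please confirm that "SOURCE PORT(S)" is the intended column name for the mangle file; if the column is the same in both files, use one heading in both tables so the side-by-side comparison is not misleading.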
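Review bot: In the @@ -1920 hunk the link text is changed to "shorewall-mangle(5)" but the added line still carries url="shorewall-tcrules.html", so the link now labelled mangle points at the tcrules man page. The other hunks in this patch (docs/Helpers.xml) link the mangle man page as url="manpages/shorewall-mangle.html"; use the same target here.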
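Review bot: In the @@ -1376 hunk the unchanged context line immediately after the edited sentence reads "To defined the configuration in Shorewall and shared it with Shorewall6:"; since this paragraph is being touched, fix it to "To define the configuration in Shorewall and share it with Shorewall6:".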