Replace 'tcrules' with 'mangle' in the docs

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2013-12-28 17:31:51 -08:00
parent 8f6f0c94a4
commit 8b49641e07
12 changed files with 232 additions and 478 deletions

View File

@ -2267,9 +2267,10 @@ gateway:~# </programlisting>
<para><emphasis role="bold">Answer:</emphasis> Suppose that you want all <para><emphasis role="bold">Answer:</emphasis> Suppose that you want all
traffic to go out through ISP1 (mark 1) unless you specify otherwise. traffic to go out through ISP1 (mark 1) unless you specify otherwise.
Then simply add these two rules as the first marking rules in your Then simply add these two rules as the first marking rules in your
<filename>/etc/shorewall/tcrules</filename> file:</para> <filename>/etc/shorewall/mangle</filename>
(<filename>/etc/shorewall/tcrules</filename>) file:</para>
<programlisting>#MARK SOURCE DEST <programlisting>#ACTION SOURCE DEST
1:P 0.0.0.0/0 1:P 0.0.0.0/0
1 $FW 1 $FW
<emphasis>other MARK rules</emphasis></programlisting> <emphasis>other MARK rules</emphasis></programlisting>
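Review bot: The listing header was changed to `#ACTION` but the two entries are still written in tcrules style (`1:P` and `1`); in the mangle format introduced elsewhere in this patch those read `MARK(1):P 0.0.0.0/0` and `MARK(1) $FW`, so as written the example will not parse as a mangle file even though the paragraph now tells the reader to put it in /etc/shorewall/mangle. Either convert the two entries as was done in the other hunks (`MARK(2):P`, `MARK(2)`), or keep the `#MARK` header and say the listing is tcrules format.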
@ -2974,7 +2975,7 @@ Shorewall has detected the following iptables/netfilter capabilities:
Persistent SNAT: Available Persistent SNAT: Available
gateway:~# </programlisting> gateway:~# </programlisting>
<para/> <para></para>
</section> </section>
<section id="faq19"> <section id="faq19">

View File

@ -377,7 +377,8 @@
<para>The iptables helper match is supported by Shorewall in the form of <para>The iptables helper match is supported by Shorewall in the form of
the HELPER column in <ulink the HELPER column in <ulink
url="manpages/shorewall-tcrules.html">shorewall-tcrules</ulink> url="manpages/shorewall-mangle.html">shorewall-mangle </ulink>(5) and
<ulink url="manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>
(5).</para> (5).</para>
<para>The CT target is supported directly in <ulink <para>The CT target is supported directly in <ulink
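Review bot: There is a stray space before the closing tag in `shorewall-mangle </ulink>(5)`, which renders as "shorewall-mangle (5)" while the tcrules link on the next line renders as "shorewall-tcrules(5)"; drop the space so both links read the same way.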

View File

@ -69,6 +69,9 @@
<member><ulink <member><ulink
url="traffic_shaping.htm">/etc/shorewall/tcrules</ulink></member> url="traffic_shaping.htm">/etc/shorewall/tcrules</ulink></member>
<member><ulink
url="manpages/shorewall-mangle.html">/etc/shorewall/mangle</ulink></member>
<member><ulink <member><ulink
url="Accounting.html">/etc/shorewall/accounting</ulink></member> url="Accounting.html">/etc/shorewall/accounting</ulink></member>
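Review bot: The new `/etc/shorewall/mangle` entry links to the man page (`manpages/shorewall-mangle.html`) whereas every other entry in this list, including the neighbouring `/etc/shorewall/tcrules`, links to the explanatory article (`traffic_shaping.htm`, `Accounting.html`). Point the mangle entry at the same article as tcrules, or move both to their man pages, so the list stays consistent.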
@ -188,10 +191,10 @@ tcp 6 269712 ESTABLISHED src=192.168.3.8 dst=206.124.146.177 sport=50584 dp
</listitem> </listitem>
</orderedlist> </orderedlist>
<para>These are implemented in the /etc/shorewall/tcrules file as <para>These are implemented in the /etc/shorewall/tcrules and
follows:</para> /etc/shorewall/mangle files as follows:</para>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST <programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S) # PORT(S)
RESTORE:P - - tcp RESTORE:P - - tcp
CONTINUE:P - - tcp - - - !0 CONTINUE:P - - tcp - - - !0

View File

@ -136,13 +136,13 @@
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>IPv4 packet marking is controlled by <para>IPv4 packet marking is controlled by /etc/shorewall/mangle
/etc/shorewall/tcrules</para> (Shorewall 4.6.0 and later) or by /etc/shorewall/tcrules</para>
</listitem> </listitem>
<listitem> <listitem>
<para>IPv6 packet marking is controlled by <para>IPv6 packet marking is controlled by /etc/shorewall6/mangle
/etc/shorewall6/tcrules</para> (Shorewall 4.6.0 and later) or by /etc/shorewall6/tcrules</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</section> </section>

View File

@ -106,6 +106,9 @@
<member><ulink url="manpages/shorewall-maclist.html">maclist</ulink> - <member><ulink url="manpages/shorewall-maclist.html">maclist</ulink> -
Define MAC verification.</member> Define MAC verification.</member>
<member><ulink url="manpages/shorewall-mangle.html">mangle</ulink> -
Supercedes tcrules and describes packet/connection marking.</member>
<member><ulink url="manpages/shorewall-masq.html">masq</ulink> - <member><ulink url="manpages/shorewall-masq.html">masq</ulink> -
Define Masquerade/SNAT</member> Define Masquerade/SNAT</member>
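Review bot: "Supercedes" is a misspelling of "supersedes", and the same error is repeated in every hunk of this patch that introduces the word ("Superceded by mangle", "superceded /etc/shorewall/tcrules" in the providers and packet-marking documents); fix it here and in the other occurrences before merging, since these strings end up in the published manual index.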
@ -181,7 +184,8 @@
state (added in Shorewall 4.5.8).</member> state (added in Shorewall 4.5.8).</member>
<member><ulink url="manpages/shorewall-tcrules.html">tcrules</ulink> - <member><ulink url="manpages/shorewall-tcrules.html">tcrules</ulink> -
Define packet marking rules, usually for traffic shaping.</member> Define packet marking rules, usually for traffic shaping. Superceded
by mangle (above) in Shorewall 4.6.0.</member>
<member><ulink url="manpages/shorewall-tos.html">tos</ulink> - Define <member><ulink url="manpages/shorewall-tos.html">tos</ulink> - Define
TOS field manipulation.</member> TOS field manipulation.</member>

View File

@ -90,6 +90,12 @@
<member><ulink url="manpages6/shorewall6-maclist.html">maclist</ulink> <member><ulink url="manpages6/shorewall6-maclist.html">maclist</ulink>
- Define MAC verification.</member> - Define MAC verification.</member>
<member><ulink url="manpages6/shorewall-mangle.html">mangle</ulink> -
Supercedes tcrules and describes packet/connection marking.</member>
<member><ulink url="manpages/shorewall-masq.html">masq</ulink> -
Define Masquerade/SNAT</member>
<member><ulink url="manpages6/shorewall6-modules.html">modules</ulink> <member><ulink url="manpages6/shorewall6-modules.html">modules</ulink>
- Specify which kernel modules to load.</member> - Specify which kernel modules to load.</member>
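Review bot: Two problems in the IPv6 list. The new mangle link uses `manpages6/shorewall-mangle.html`, while every other entry on this page follows the `manpages6/shorewall6-<file>.html` pattern (`shorewall6-maclist.html`, `shorewall6-modules.html`), so it should be `manpages6/shorewall6-mangle.html` or the link will 404. The added `masq` entry points at the IPv4 man page (`manpages/shorewall-masq.html`), is not a tcrules-to-mangle change, and does not belong in a commit with this subject; drop it or split it into its own commit.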
@ -155,7 +161,8 @@
Classify traffic for simplified traffic shaping.</member> Classify traffic for simplified traffic shaping.</member>
<member><ulink url="manpages6/shorewall6-tcrules.html">tcrules</ulink> <member><ulink url="manpages6/shorewall6-tcrules.html">tcrules</ulink>
- Define packet marking rules, usually for traffic shaping.</member> - Define packet marking rules, usually for traffic shaping. Superceded
by mangle (above) in Shorewall 4.6.0.</member>
<member><ulink url="manpages6/shorewall6-tos.html">tos</ulink> - <member><ulink url="manpages6/shorewall6-tos.html">tos</ulink> -
Define TOS field manipulation.</member> Define TOS field manipulation.</member>

View File

@ -145,7 +145,7 @@
<para>Entries in <filename>/etc/shorewall/providers</filename> can <para>Entries in <filename>/etc/shorewall/providers</filename> can
specify that outgoing connections are to be load-balanced between the specify that outgoing connections are to be load-balanced between the
two ISPs. Entries in <filename>/etc/shorewall/tcrules</filename> and two ISPs. Entries in <filename>/etc/shorewall/mangle</filename> and
<filename>/etc/shorewall/rtrules</filename> can be used to direct <filename>/etc/shorewall/rtrules</filename> can be used to direct
particular outgoing connections to one ISP or the other. Use of particular outgoing connections to one ISP or the other. Use of
<filename>/etc/shorewall/tcrules</filename> is not required for <filename>/etc/shorewall/tcrules</filename> is not required for
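Review bot: The sentence starting "Entries in /etc/shorewall/mangle and /etc/shorewall/rtrules" was updated, but the very next sentence in the same paragraph still says "Use of /etc/shorewall/tcrules is not required for ...". Within one paragraph the file is now called by both names; change the second occurrence to `/etc/shorewall/mangle` as well.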
@ -153,6 +153,11 @@
cases, you must select a unique MARK value for each provider so cases, you must select a unique MARK value for each provider so
Shorewall can set up the correct marking rules for you.</para> Shorewall can set up the correct marking rules for you.</para>
<important>
<para><filename>/etc/shorewall/mangle</filename> superceded
<filename>/etc/shorewall/tcrules</filename> in Shorewall 4.6.0.</para>
</important>
<para>When you use the <emphasis role="bold">track</emphasis> option in <para>When you use the <emphasis role="bold">track</emphasis> option in
<filename>/etc/shorewall/providers</filename>, connections from the <filename>/etc/shorewall/providers</filename>, connections from the
Internet are automatically routed back out of the correct interface and Internet are automatically routed back out of the correct interface and
@ -168,7 +173,7 @@
<para>This feature uses <ulink url="traffic_shaping.htm">packet <para>This feature uses <ulink url="traffic_shaping.htm">packet
marking</ulink> to control the routing. As a consequence, there are marking</ulink> to control the routing. As a consequence, there are
some restrictions concerning entries in some restrictions concerning entries in
<filename>/etc/shorewall/tcrules</filename>:</para> <filename>/etc/shorewall/mangle</filename>:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
@ -230,11 +235,11 @@
<term>MARK</term> <term>MARK</term>
<listitem> <listitem>
<para>A mark value used in your /etc/shorewall/tcrules file to <para>A mark value used in your<filename> /etc/shorewall/mangle
direct packets to this provider. Shorewall will also mark </filename>file to direct packets to this provider. Shorewall will
connections that have seen input from this provider with this also mark connections that have seen input from this provider with
value and will restore the packet mark in the PREROUTING CHAIN. this value and will restore the packet mark in the PREROUTING
Mark values must be in the range 1-255.</para> CHAIN. Mark values must be in the range 1-255.</para>
<para>Alternatively, you may set HIGH_ROUTE_MARKS=Yes <para>Alternatively, you may set HIGH_ROUTE_MARKS=Yes
(PROVIDER_OFFSET &gt; 0 with Shorewall 4.4.26 and later) in (PROVIDER_OFFSET &gt; 0 with Shorewall 4.4.26 and later) in
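Review bot: The whitespace landed inside the tags in `your<filename> /etc/shorewall/mangle </filename>file`, so the rendered text will have no space after "your" and a space before the closing tag. It should read `your <filename>/etc/shorewall/mangle</filename> file`.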
@ -411,7 +416,7 @@
have multiple Internet connections, we recommend that you have multiple Internet connections, we recommend that you
specify <emphasis role="bold">balance</emphasis> even if specify <emphasis role="bold">balance</emphasis> even if
you don't need it. You can still use entries in you don't need it. You can still use entries in
<filename>/etc/shorewall/tcrules</filename> and <filename>/etc/shorewall/mangle</filename> and
<filename>/etc/shorewall/rtrules</filename> to force all <filename>/etc/shorewall/rtrules</filename> to force all
traffic to one provider or another.<note> traffic to one provider or another.<note>
<para>If you don't heed this advice then please read <para>If you don't heed this advice then please read
@ -638,7 +643,7 @@
packets with a connection mark have their packet mark set to the packets with a connection mark have their packet mark set to the
value of the associated connection mark; packets marked in this way value of the associated connection mark; packets marked in this way
bypass any prerouting rules that you create in bypass any prerouting rules that you create in
<filename>/etc/shorewall/tcrules</filename>. This ensures that <filename>/etc/shorewall/mangle</filename>. This ensures that
packets associated with connections from outside are always routed packets associated with connections from outside are always routed
out of the correct interface.</para> out of the correct interface.</para>
</listitem> </listitem>
@ -675,7 +680,7 @@
<para>The bottom line is that if you want traffic to go out through a <para>The bottom line is that if you want traffic to go out through a
particular provider then you <emphasis>must </emphasis>mark that traffic particular provider then you <emphasis>must </emphasis>mark that traffic
with the provider's MARK value in with the provider's MARK value in
<filename>/etc/shorewall/tcrules</filename> and you must do that marking <filename>/etc/shorewall/mangle</filename> and you must do that marking
in the PREROUTING chain; or, you must provide the appropriate rules in in the PREROUTING chain; or, you must provide the appropriate rules in
<filename>/etc/shorewall/rtrules</filename>.</para> <filename>/etc/shorewall/rtrules</filename>.</para>
</section> </section>
@ -727,7 +732,7 @@ eth1 0.0.0.0/0 130.252.99.27</programlisting>
<para>Entries in <filename>/etc/shorewall/masq</filename> have no <para>Entries in <filename>/etc/shorewall/masq</filename> have no
effect on which ISP a particular connection will be sent through. That effect on which ISP a particular connection will be sent through. That
is rather the purpose of entries in is rather the purpose of entries in
<filename>/etc/shorewall/tcrules</filename> and <filename>/etc/shorewall/mangle</filename> and
<filename>/etc/shorewall/rtrules</filename>.</para> <filename>/etc/shorewall/rtrules</filename>.</para>
</warning> </warning>
</section> </section>
@ -777,7 +782,7 @@ Feb 9 17:23:45 gw.ilinx kernel: ll header: 00:a0:24:2a:1f:72:00:13:5f:07:97:05:
<listitem> <listitem>
<para>You are redirecting traffic from the firewall system out of <para>You are redirecting traffic from the firewall system out of
one interface or the other using packet marking in your one interface or the other using packet marking in your
<filename>/etc/shorewall/tcrules</filename> file. A better approach <filename>/etc/shorewall/mangle</filename> file. A better approach
is to configure the application to use the appropriate local IP is to configure the application to use the appropriate local IP
address (the IP address of the interface that you want the address (the IP address of the interface that you want the
application to use). See <link linkend="Local">below</link>.</para> application to use). See <link linkend="Local">below</link>.</para>
@ -842,21 +847,21 @@ eth1 0.0.0.0/0 130.252.99.27</programlisting>
<para>Now suppose that you want to route all outgoing SMTP traffic from <para>Now suppose that you want to route all outgoing SMTP traffic from
your local network through ISP 2. You would make this entry in <ulink your local network through ISP 2. You would make this entry in <ulink
url="traffic_shaping.htm">/etc/shorewall/tcrules</ulink> (and if you are url="traffic_shaping.htm">/etc/shorewall/mangle</ulink> (and if you are
running a version of Shorewall earlier than 3.0.0, you would set running a version of Shorewall earlier than 3.0.0, you would set
TC_ENABLED=Yes in <ulink TC_ENABLED=Yes in <ulink
url="???">/etc/shorewall/shorewall.conf</ulink>).</para> url="???">/etc/shorewall/shorewall.conf</ulink>).</para>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST <programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S) # PORT(S)
2:P &lt;local network&gt; 0.0.0.0/0 tcp 25</programlisting> MARK(2):P &lt;local network&gt; 0.0.0.0/0 tcp 25</programlisting>
<para>Note that traffic from the firewall itself must be handled in a <para>Note that traffic from the firewall itself must be handled in a
different rule:</para> different rule:</para>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST <programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S) # PORT(S)
2 $FW 0.0.0.0/0 tcp 25</programlisting> MARK(2) $FW 0.0.0.0/0 tcp 25</programlisting>
</section> </section>
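Review bot: The second listing (the rule for traffic from the firewall itself) had its entry converted to `MARK(2) $FW 0.0.0.0/0 tcp 25`, but its header line is still `#MARK SOURCE DEST ...` while the first listing now uses `#ACTION`. Change the header of the second listing to `#ACTION` as well so both examples are in mangle format; a `MARK(2)` action under a `#MARK` header is the wrong format for either file.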
<section id="PortForwarding"> <section id="PortForwarding">
@ -940,7 +945,7 @@ eth3 0.0.0.0/0 16.105.78.4</programlisting></para>
particular provider</title> particular provider</title>
<para>As <link linkend="Applications">noted above</link>, separate <para>As <link linkend="Applications">noted above</link>, separate
entries in <filename>/etc/shorewall/tcrules</filename> are required for entries in <filename>/etc/shorewall/mangle</filename> are required for
traffic originating from the firewall.</para> traffic originating from the firewall.</para>
<para>Experience has shown that in some cases, problems occur with <para>Experience has shown that in some cases, problems occur with
@ -986,7 +991,7 @@ lo - shorewall 1000</programlisting>
<para>The <filename>rtrules</filename> file allows assigning certain <para>The <filename>rtrules</filename> file allows assigning certain
traffic to a particular provider just as entries in the traffic to a particular provider just as entries in the
<filename>tcrules</filename> file. The difference between the two files <filename>mangle</filename> file. The difference between the two files
is that entries in <filename>rtrules</filename> are independent of is that entries in <filename>rtrules</filename> are independent of
Netfilter.</para> Netfilter.</para>
@ -1690,7 +1695,7 @@ ISP2 2 2 - eth1 130.252.99.254 track
except when you explicitly direct it to use the other provider via except when you explicitly direct it to use the other provider via
<ulink url="manpages/shorewall-rtrules.html">shorewall-rtrules</ulink> <ulink url="manpages/shorewall-rtrules.html">shorewall-rtrules</ulink>
(5) or <ulink (5) or <ulink
url="manpages/shorewall-tcrules.html">shorewall-tcrules</ulink> url="manpages/shorewall-tcrules.html">shorewall-mangle</ulink>
(5).</para> (5).</para>
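Review bot: The link text was changed to "shorewall-mangle" but the `url` attribute still points at `manpages/shorewall-tcrules.html`; the reader clicking "shorewall-mangle (5)" will land on the tcrules man page. Update the url to `manpages/shorewall-mangle.html` to match.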
<para>Example (send all traffic through the 'shorewall' provider unless <para>Example (send all traffic through the 'shorewall' provider unless
@ -1868,7 +1873,8 @@ ONBOOT=yes</programlisting>
<ulink <ulink
url="manpages/shorewall-providers.html">shorewall-providers</ulink> (5) url="manpages/shorewall-providers.html">shorewall-providers</ulink> (5)
is available in the form of a PROBABILITY column in <ulink is available in the form of a PROBABILITY column in <ulink
url="???">shorewall-tcrules</ulink> (5). This feature requires the url="manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) (<ulink
url="???">shorewall-tcrules</ulink>) (5). This feature requires the
<firstterm>Statistic Match</firstterm> capability in your iptables and <firstterm>Statistic Match</firstterm> capability in your iptables and
kernel.</para> kernel.</para>
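Review bot: The tcrules link retains the `url="???"` placeholder that was already in the old text, and the `(5)` now sits outside the closing parenthesis ("(<ulink ...>shorewall-tcrules</ulink>) (5)"). Since this hunk is touching the sentence anyway, replace `???` with `manpages/shorewall-tcrules.html` as the other hunks in this patch do, and move the "(5)" inside the parentheses.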
@ -2481,12 +2487,20 @@ wireless 3 3 - wlan0 172.20.1.1 track,o
(only two are currently used) through the <emphasis (only two are currently used) through the <emphasis
role="bold">avvanta</emphasis> provider.</para> role="bold">avvanta</emphasis> provider.</para>
<para>Here is the tcrules file (MARK_IN_FORWARD_CHAIN=No in <para>Here is the mangle file (MARK_IN_FORWARD_CHAIN=No in
<filename>shorewall.conf</filename>):<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS CONNBYTES HELPER <filename>shorewall.conf</filename>):<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
# PORT(S) PORT(S)
MARK(2) $FW 0.0.0.0/0 tcp 21
MARK(2) $FW 0.0.0.0/0 tcp - - - - - - - ftp
MARK(2) $FW 0.0.0.0/0 tcp 119</programlisting></para>
<para>Here are the equivalent tcrules entries:</para>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS CONNBYTES HELPER
# PORT(S) # PORT(S)
2 $FW 0.0.0.0/0 tcp 21 2 $FW 0.0.0.0/0 tcp 21
2 $FW 0.0.0.0/0 tcp - - - - - - - ftp 2 $FW 0.0.0.0/0 tcp - - - - - - - ftp
2 $FW 0.0.0.0/0 tcp 119</programlisting></para> 2 $FW 0.0.0.0/0 tcp 119</programlisting>
<para>These rules:</para> <para>These rules:</para>
@ -2769,7 +2783,7 @@ br0 - ComcastB 11000
32767: from all lookup default 32767: from all lookup default
root@gateway:~# </programlisting> root@gateway:~# </programlisting>
<para><filename>/etc/shorewall/tcrules</filename> is not used to support <para><filename>/etc/shorewall/mangle</filename> is not used to support
Multi-ISP:</para> Multi-ISP:</para>
<programlisting>#MARK SOURCE DEST PROTO DEST SOURCE <programlisting>#MARK SOURCE DEST PROTO DEST SOURCE
@ -2785,7 +2799,7 @@ SAME:P INT_IF - tcp 80,443
?if $PROXYDMZ ?if $PROXYDMZ
TPROXY(3129,172.20.1.254) br0 - tcp 80 TPROXY(3129,172.20.1.254) br0 - tcp 80
?endif ?endif
?endof ?endif
</programlisting> </programlisting>
</section> </section>
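Review bot: The introductory sentence now says "/etc/shorewall/mangle is not used to support Multi-ISP", but the listing that follows keeps the tcrules header `#MARK SOURCE DEST PROTO DEST SOURCE`. Either change the header to `#ACTION` (the entries `SAME:P` and `TPROXY(3129,172.20.1.254)` are valid as mangle actions) or leave the sentence naming tcrules, so the text and the example agree on which file is shown. The `?endof` to `?endif` fix in the same listing is correct.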

View File

@ -74,7 +74,8 @@
<listitem> <listitem>
<para>Packets are marked based on the contents of your <para>Packets are marked based on the contents of your
<filename>/etc/shorewall/tcrules</filename> file and the setting of <filename>/etc/shorewall/mangle</filename>
(<filename>/etc/shorewall/tcrules</filename>) file and the setting of
MARK_IN_FORWARD_CHAIN in MARK_IN_FORWARD_CHAIN in
<filename>/etc/shorewall/shorewall.conf</filename>. This occurs in the <filename>/etc/shorewall/shorewall.conf</filename>. This occurs in the
<emphasis role="bold">tcpre</emphasis> chain of the <emphasis role="bold">tcpre</emphasis> chain of the

View File

@ -5,7 +5,8 @@
<!--$Id$--> <!--$Id$-->
<articleinfo> <articleinfo>
<title>Packet Marking using /etc/shorewall/tcrules</title> <title>Packet Marking using /etc/shorewall/mangle and
/etc/shorewall/tcrules</title>
<authorgroup> <authorgroup>
<author> <author>
@ -42,6 +43,12 @@
earlier releases.</para> earlier releases.</para>
</caution> </caution>
<important>
<para>/etc/shorewall/mangle superceded /etc/shorewall/tcruels in Shorewall
4.6.0. /etc/shorwall/tcrules is still supported but its use is
deprecated.</para>
</important>
<section id="Marks"> <section id="Marks">
<title>Packet and Connection Marks</title> <title>Packet and Connection Marks</title>
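Review bot: The new `<important>` block has two typos in file names: "/etc/shorewall/tcruels" should be "/etc/shorewall/tcrules" and "/etc/shorwall/tcrules" should be "/etc/shorewall/tcrules". Misspelled paths in a note about which file to use are worse than the usual typo, since a reader may search for them; "superceded" is also misspelled here.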
@ -103,21 +110,23 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
table. See the <ulink url="NetfilterOverview.html">Netfilter table. See the <ulink url="NetfilterOverview.html">Netfilter
Overview</ulink> article.</para> Overview</ulink> article.</para>
<para>You can think of entries in the tcrules file like instructions in a <para>You can think of entries in the mangle and tcrules files like
program coded in a crude assembly language. The program gets executed for instructions in a program coded in a crude assembly language. The program
each packet.</para> gets executed for each packet.</para>
<para>That is another way of saying that <emphasis role="bold">if you <para>That is another way of saying that <emphasis role="bold">if you
don't program, you may have difficulty making full use of don't program, you may have difficulty making full use of
Netfilter/Shorewall's Packet Marking</emphasis>.</para> Netfilter/Shorewall's Packet Marking</emphasis>.</para>
<para>Actually, the tcrules define several programs. Each program <para>Actually, the mangle/tcrules files define several programs. Each
corresponds to one of the built-in chains in the mangle table.</para> program corresponds to one of the built-in chains in the mangle
table.</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>PREROUTING program — If MARK_IN_FORWARD_CHAIN=No in <para>PREROUTING program — If MARK_IN_FORWARD_CHAIN=No in
<filename>shorewall.conf</filename>, then by default entries in <filename>shorewall.conf</filename>, then by default entries in
<filename>/etc/shorewall/mangle</filename> and
<filename>/etc/shorewall/tcrules</filename> are part of the PREROUTING <filename>/etc/shorewall/tcrules</filename> are part of the PREROUTING
program. Entries specifying the ":P" suffix in the ACTION column are program. Entries specifying the ":P" suffix in the ACTION column are
also part of the PREROUTING program. The PREROUTING program gets also part of the PREROUTING program. The PREROUTING program gets
@ -126,7 +135,8 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
<listitem> <listitem>
<para>FORWARD program — If MARK_IN_FORWARD_CHAIN=Yes in <para>FORWARD program — If MARK_IN_FORWARD_CHAIN=Yes in
<filename>shorewall.conf</filename>, then by default entries in <filename>shorewall.conf</filename>, then by default entries
in<filename>/etc/shorewall/mangle</filename> and
<filename>/etc/shorewall/tcrules</filename> are part of the FORWARD <filename>/etc/shorewall/tcrules</filename> are part of the FORWARD
program. Entries specifying the ":F" suffix in the ACTION column are program. Entries specifying the ":F" suffix in the ACTION column are
also part of the FORWARD program. The FORWARD program gets executed also part of the FORWARD program. The FORWARD program gets executed
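Review bot: A space is missing in `entries in<filename>/etc/shorewall/mangle</filename>`, which renders as "entries in/etc/shorewall/mangle". The PREROUTING bullet in the previous hunk has the correct spacing; match it here.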
@ -254,8 +264,8 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
rules use a mask value that depends on which program the rule is part of, rules use a mask value that depends on which program the rule is part of,
what the rule does, and the setting of HIGH_ROUTE_MARKS.</para> what the rule does, and the setting of HIGH_ROUTE_MARKS.</para>
<para>For entries in tcrules, the default mask value is 0xffff except in <para>For entries in mangle and tcrules, the default mask value is 0xffff
these cases:</para> except in these cases:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
@ -415,12 +425,12 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
<title>Shorewall-defined Chains in the Mangle Table</title> <title>Shorewall-defined Chains in the Mangle Table</title>
<para>Shorewall creates a set of chains in the mangle table to hold rules <para>Shorewall creates a set of chains in the mangle table to hold rules
defined in your <firstterm>/etc/shorewall/tcrules</firstterm> file. As defined in your <filename>/etc/shorewall/mangle</filename>
mentioned above, chains are like subroutines in the packet marking (<filename>/etc/shorewall/tcrules</filename>) file. As mentioned above,
programming language. By placing all of your rules in subroutines, chains are like subroutines in the packet marking programming language. By
CONTINUE (which generates a Netfilter RETURN rule) can be used to stop placing all of your rules in subroutines, CONTINUE (which generates a
processing your rules while still allowing following Shorewall-generated Netfilter RETURN rule) can be used to stop processing your rules while
rules to be executed.</para> still allowing following Shorewall-generated rules to be executed.</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
@ -464,18 +474,18 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
<title>An Example</title> <title>An Example</title>
<para>Here's the example (slightly expanded) from the comments at the top <para>Here's the example (slightly expanded) from the comments at the top
of the <filename>/etc/shorewall/tcrules</filename> file.</para> of the <filename>/etc/shorewall/mangle</filename> file.</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS <programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS
# PORT(S) # PORT(S)
1 0.0.0.0/0 0.0.0.0/0 icmp echo-request #Rule 1 MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-request #Rule 1
1 0.0.0.0/0 0.0.0.0/0 icmp echo-reply #Rule 2 MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-reply #Rule 2
1 $FW 0.0.0.0/0 icmp echo-request #Rule 3 MARK(1) $FW 0.0.0.0/0 icmp echo-request #Rule 3
1 $FW 0.0.0.0/0 icmp echo-reply #Rule 4 MARK(1) $FW 0.0.0.0/0 icmp echo-reply #Rule 4
RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0 #Rule 5 RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0 #Rule 5
CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 6 CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 6
4 0.0.0.0/0 0.0.0.0/0 ipp2p:all #Rule 7 MARK(4) 0.0.0.0/0 0.0.0.0/0 ipp2p:all #Rule 7
SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 8 SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #Rule 8
##LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting> ##LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
@ -537,8 +547,8 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #R
<section id="Show"> <section id="Show">
<title>Examining the Marking Programs on a Running System</title> <title>Examining the Marking Programs on a Running System</title>
<para>You can see the tcrules in action using the <command>shorewall show <para>You can see the mangle (tcrules) entries in action using the
mangle</command> command.</para> <command>shorewall show mangle</command> command.</para>
<para>The sample output from that command shown below has the following in <para>The sample output from that command shown below has the following in
<filename>/etc/shorewall/providers</filename>:</para> <filename>/etc/shorewall/providers</filename>:</para>
@ -548,13 +558,13 @@ Blarg 1 0x100 main eth3 206.124.146.254 track,ba
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</programlisting> </programlisting>
<para>Here is <filename>/etc/shorewall/tcrules</filename>:</para> <para>Here is <filename>/etc/shorewall/mangle</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST <programlisting>#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST
# PORT(S) # PORT(S)
1:110 192.168.0.0/22 eth3 #Our internal nets get priority CLASSIFY(1:110) 192.168.0.0/22 eth3 #Our internal nets get priority
#over the server #over the server
1:130 206.124.146.177 eth3 tcp - 873 CLASSIFY(1:130) 206.124.146.177 eth3 tcp - 873
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting> </programlisting>
@ -676,7 +686,7 @@ Chain <emphasis role="bold">tcout</emphasis> (1 references)
Chain <emphasis role="bold">tcpost</emphasis> (1 references) Chain <emphasis role="bold">tcpost</emphasis> (1 references)
pkts bytes target prot opt in out source destination pkts bytes target prot opt in out source destination
&lt;&lt;&lt;&lt; The next two rules are the entries in the /etc/shorewall/tcrules file &gt;&gt;&gt;&gt; &lt;&lt;&lt;&lt; The next two rules are the entries in the /etc/shorewall/mangle file &gt;&gt;&gt;&gt;
65061 11M CLASSIFY all -- * eth3 192.168.0.0/22 0.0.0.0/0 CLASSIFY set 1:110 65061 11M CLASSIFY all -- * eth3 192.168.0.0/22 0.0.0.0/0 CLASSIFY set 1:110
2224 2272K CLASSIFY tcp -- * eth3 206.124.146.177 0.0.0.0/0 tcp spt:873 CLASSIFY set 1:130 2224 2272K CLASSIFY tcp -- * eth3 206.124.146.177 0.0.0.0/0 tcp spt:873 CLASSIFY set 1:130

View File

@ -240,7 +240,13 @@ Squid 1 202 - eth1 192.168.1.3 loose,no
</listitem> </listitem>
<listitem> <listitem>
<para>In <filename>/etc/shorewall/tcrules</filename> add:</para> <para>In <filename>/etc/shorewall/mangle</filename> add:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
MARK(202):P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting>
<para>Corresponding /etc/shorewall/tcrules entries are:</para>
<programlisting>#MARK SOURCE DEST PROTO DEST <programlisting>#MARK SOURCE DEST PROTO DEST
# PORT(S) # PORT(S)
@ -304,7 +310,13 @@ Squid 1 202 - eth2 192.0.2.177 loose,no
</listitem> </listitem>
<listitem> <listitem>
<para>In <filename>/etc/shorewall/tcrules</filename> add:</para> <para>In <filename>/etc/shorewall/mangle</filename> add:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORT(S)
MARK(202):P eth1 0.0.0.0/0 tcp 80</programlisting>
<para>Corresponding /etc/shorewall/tcrules entries are:</para>
<programlisting>#MARK SOURCE DEST PROTO DEST <programlisting>#MARK SOURCE DEST PROTO DEST
# PORT(S) # PORT(S)
@ -376,8 +388,12 @@ ACCEPT $FW net tcp 80,443</programlisting></para>
<para>Support for the TPROXY action in shorewall-tcrules(5) and the <para>Support for the TPROXY action in shorewall-tcrules(5) and the
<option>local</option> option in shorewall-providers(5) has been <option>local</option> option in shorewall-providers(5) has been
available since Shoreall 4.4.7. That support required additional rules available since Shoreall 4.4.7. That support required additional rules
to be added in the 'start' extention script to make it work to be added in the 'start' extention script to make it work reliably.
reliably.</para> Beginning with Shorewall 4.6.0, TPROXY in <ulink
url="manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>(5) and
in <ulink
url="manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) work as
described here.</para>
</note> </note>
<para>The following configuration works with Squid running on the firewall <para>The following configuration works with Squid running on the firewall
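Review bot: While this note is being rewritten, fix the two pre-existing typos in the sentence that was kept: "Shoreall 4.4.7" should be "Shorewall 4.4.7" and "'start' extention script" should be "'start' extension script".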
@ -399,9 +415,17 @@ Tproxy 1 - - lo - tproxy</programli
that the only option is <option>tproxy</option>.</para> that the only option is <option>tproxy</option>.</para>
</note> </note>
<para><filename>/etc/shorewall/tcrules</filename> (assume loc interface is <para><filename>/etc/shorewall/mangle</filename> (assume loc interface is
eth1 and net interface is eth0):</para> eth1 and net interface is eth0):</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE
# PORT(S) PORT(S)
DIVERT eth0 0.0.0.0/0 tcp - 80
TPROXY(3129) eth1 0.0.0.0/0 tcp 80</programlisting>
<para>Corresponding <filename>/etc/shorewall/tcrules</filename>
are:</para>
<programlisting><emphasis role="bold">FORMAT 2</emphasis> <programlisting><emphasis role="bold">FORMAT 2</emphasis>
#MARK SOURCE DEST PROTO DEST SOURCE #MARK SOURCE DEST PROTO DEST SOURCE
# PORT(S) PORT(S) # PORT(S) PORT(S)
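Review bot: the new lead-in "Corresponding /etc/shorewall/tcrules are:" is missing its noun; the earlier TPROXY example in this file introduces the old-format listing with "Corresponding /etc/shorewall/tcrules entries are:", so use the same wording here.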

View File

@ -89,9 +89,12 @@
<orderedlist> <orderedlist>
<listitem> <listitem>
<para>Packets may be marked using entries in the <ulink <para>Packets may be marked using entries in the <ulink
url="???">/etc/shorewall/tcrules</ulink> file. Entries in that file url="manpages/shorewall-mangle.html">/etc/shorewall/mangle</ulink>
containing ":P" in the mark column are applied here as are rules (<ulink
that default to the MARK_IN_FORWARD_CHAIN=No setting in url="manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink>)
file. Entries in that file containing ":P" in the mark column are
applied here as are rules that default to the
MARK_IN_FORWARD_CHAIN=No setting in
<filename>/etc/shorewall/shorewall.conf</filename>. These marks may <filename>/etc/shorewall/shorewall.conf</filename>. These marks may
be used to specify that the packet should be routed using an be used to specify that the packet should be routed using an
<firstterm>alternate routing table</firstterm>; see the <ulink <firstterm>alternate routing table</firstterm>; see the <ulink
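Review bot: "Entries in that file containing ":P" in the mark column" still describes the tcrules layout; in the mangle file, which this hunk now makes the primary reference, the qualifier is written on the ACTION column (e.g. MARK(1):P), so say "ACTION column (MARK column in tcrules)" or similar.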
@ -142,9 +145,12 @@
<orderedlist> <orderedlist>
<listitem> <listitem>
<para>Packets may be marked using entries in the <ulink <para>Packets may be marked using entries in the <ulink
url="???">/etc/shorewall/tcrules</ulink> file (rules with "$FW" in url="manpages/shorewall-tcrules.html">/etc/shorewall/mangle</ulink>
the SOURCE column). These marks may be used to specify that the (<ulink
packet should be re-routed using an alternate routing table.</para> url="manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink>)
file (rules with "$FW" in the SOURCE column). These marks may be
used to specify that the packet should be re-routed using an
alternate routing table.</para>
</listitem> </listitem>
<listitem> <listitem>
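Review bot: the link for /etc/shorewall/mangle points at the wrong manpage: url="manpages/shorewall-tcrules.html" is used for both the mangle and the tcrules ulinks in this hunk, whereas the equivalent hunk above (at -89) uses manpages/shorewall-mangle.html for the mangle link; change the first url to manpages/shorewall-mangle.html.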

View File

@ -184,7 +184,9 @@
you set WIDE_TC_MARKS=Yes in <ulink you set WIDE_TC_MARKS=Yes in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) ). You url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) ). You
assign packet marks to different types of traffic using entries in the assign packet marks to different types of traffic using entries in the
<filename>/etc/shorewall/tcrules</filename> file.</para> <filename>/etc/shorewall/tcrules</filename> file (Shorewall 4.6.0 or
later) or <filename>/etc/shorewall/tcrules</filename> (Prior to
Shorewall 4.6.0).</para>
<note> <note>
<para>In Shorewall 4.4.26, WIDE_TC_MARKS was superseded by TC_BITS <para>In Shorewall 4.4.26, WIDE_TC_MARKS was superseded by TC_BITS
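Review bot: the replacement text names tcrules twice: "/etc/shorewall/tcrules file (Shorewall 4.6.0 or later) or /etc/shorewall/tcrules (Prior to Shorewall 4.6.0)"; the first filename should be /etc/shorewall/mangle, otherwise the sentence distinguishes nothing. "Prior" also need not be capitalised inside the parenthesis.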
@ -192,7 +194,7 @@
The default is based on the setting of WIDE_TC_MARKS so as to The default is based on the setting of WIDE_TC_MARKS so as to
provide upward compatibility. See the <ulink provide upward compatibility. See the <ulink
url="PacketMarking.html#Values">Packet Marking using url="PacketMarking.html#Values">Packet Marking using
/etc/shorewall/tcrules</ulink> article.</para> /etc/shorewall/mangle</ulink> article.</para>
</note> </note>
</listitem> </listitem>
</orderedlist> </orderedlist>
@ -204,7 +206,8 @@
<para>Netfilter also supports a mark value on each connection. You can <para>Netfilter also supports a mark value on each connection. You can
assign connection mark values in assign connection mark values in
<filename>/etc/shorewall/tcrules</filename>, you can copy the current <filename>/etc/shorewall/mangle</filename>
(<filename>/etc/shorewall/tcrules</filename>), you can copy the current
packet's mark to the connection mark (SAVE), or you can copy the packet's mark to the connection mark (SAVE), or you can copy the
connection mark value to the current packet's mark (RESTORE). For more connection mark value to the current packet's mark (RESTORE). For more
information, see<ulink url="PacketMarking.html"> this information, see<ulink url="PacketMarking.html"> this
@ -409,7 +412,8 @@
<listitem> <listitem>
<para>If specified, classification of traffic into the various <para>If specified, classification of traffic into the various
classes is done by CLASSIFY entries in classes is done by CLASSIFY entries in
<filename>/etc/shorewall/tcrules</filename> or by entries in <filename>/etc/shorewall/mangle</filename>
(<filename>/etc/shorewall/tcrules</filename>) or by entries in
<filename>/etc/shorewall/tcfilters</filename>. No MARK value <filename>/etc/shorewall/tcfilters</filename>. No MARK value
will be associated with classes on this interface.</para> will be associated with classes on this interface.</para>
</listitem> </listitem>
@ -545,11 +549,11 @@ ppp0 6000kbit 500kbit</programlisting>
<para>MARK - The mark value which is an integer in the range 1-255 <para>MARK - The mark value which is an integer in the range 1-255
(1-16383 if you set WIDE_TC_MARKS=Yes or set TC_BITS=14 in <ulink (1-16383 if you set WIDE_TC_MARKS=Yes or set TC_BITS=14 in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) ). You url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) ). You
define these marks in the tcrules file, marking the traffic you want define these marks in the mangle or tcrules file, marking the
to go into the queuing classes defined in here. You can use the same traffic you want to go into the queuing classes defined in here. You
marks for different Interfaces. You must specify "-' in this column can use the same marks for different Interfaces. You must specify
if the device specified in the INTERFACE column has the <emphasis "-' in this column if the device specified in the INTERFACE column
role="bold">classify</emphasis> option in has the <emphasis role="bold">classify</emphasis> option in
<filename>/etc/shorewall/tcdevices</filename>.</para> <filename>/etc/shorewall/tcdevices</filename>.</para>
<note> <note>
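Review bot: the reflowed text carries a mismatched quote pair, '"-' in this column', into the new lines; use a matching pair such as "-" while touching this sentence.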
@ -648,9 +652,9 @@ ppp0 6000kbit 500kbit</programlisting>
<listitem> <listitem>
<para>occurs=<emphasis>number</emphasis> - Typically used with <para>occurs=<emphasis>number</emphasis> - Typically used with
an IPMARK entry in tcrules. Causes the rule to be replicated for an IPMARK entry in mangle or tcrules. Causes the rule to be
a total of <emphasis>number</emphasis> rules. Each rule has a replicated for a total of <emphasis>number</emphasis> rules.
successively class number and mark value.</para> Each rule has a successively class number and mark value.</para>
<para>When 'occurs' is used:</para> <para>When 'occurs' is used:</para>
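Review bot: "Each rule has a successively class number and mark value" should read "successive class number and mark value"; the line is being rewrapped here, so fix the adverb at the same time.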
@ -679,7 +683,8 @@ ppp0 6000kbit 500kbit</programlisting>
the class. So the total RATE represented by an entry with the class. So the total RATE represented by an entry with
'occurs' will be the listed RATE multiplied by 'occurs' will be the listed RATE multiplied by
<emphasis>number</emphasis>. For additional information, see <emphasis>number</emphasis>. For additional information, see
<ulink url="manpages/shorewall-tcrules.html">tcrules</ulink> <ulink url="manpages/shorewall-mangle.html">mangle</ulink> (5)
or <ulink url="manpages/shorewall-tcrules.html">tcrules</ulink>
(5).</para> (5).</para>
</listitem> </listitem>
@ -823,7 +828,7 @@ ppp0 6000kbit 500kbit</programlisting>
</section> </section>
<section id="tcrules"> <section id="tcrules">
<title>/etc/shorewall/tcrules</title> <title>/etc/shorewall/mangle and /etc/shorewall/rules</title>
<important> <important>
<para>Unlike rules in the <ulink <para>Unlike rules in the <ulink
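Review bot: the new section title "/etc/shorewall/mangle and /etc/shorewall/rules" names the wrong second file; the section (id="tcrules") documents the tcrules file, not the rules file, so it should read "/etc/shorewall/mangle and /etc/shorewall/tcrules". Keep id="tcrules" as is, since other pages link to it.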
@ -902,356 +907,11 @@ ppp0 6000kbit 500kbit</programlisting>
either set MARK_IN_FORWARD_CHAIN=Yes shorewall.conf or by using the :F either set MARK_IN_FORWARD_CHAIN=Yes shorewall.conf or by using the :F
qualifier (see below).</emphasis></para> qualifier (see below).</emphasis></para>
<para>Columns in the file are as follows:</para> <para>See shorewall-mangle(5) and shorewall-tcrules(5) for a description
of the entries in these files. Note that the mangle file superceded the
tcrules file in Shorewall 4.6.0.</para>
<itemizedlist> <para>The following examples are for the mangle file.</para>
<listitem>
<para>ACTION - ACTION (previously called MARK) specifies the mark
value is to be assigned in case of a match. This is an integer in
the range 1-255 (1-16383 if you set WIDE_TC_MARKS=Yes or TC_BITS=14
in <ulink url="manpages/shorewall.conf.html">shorewall.conf</ulink>
(5) ).</para>
<note>
<para>In Shorewall 4.4.26, WIDE_TC_MARKS was superseded by TC_BITS
which specifies the width in bits of the traffic shaping mark
field. The default is based on the setting of WIDE_TC_MARKS so as
to provide upward compatibility.</para>
</note>
<para>This value may be optionally followed by <quote>:</quote> and
either <quote>F</quote>, <quote>P</quote> or "T" to designate that
the marking will occur in the FORWARD, PREROUTING or POSTROUTING
chains respectively. If this additional specification is omitted,
the chain used to mark packets will be determined as follows:</para>
<itemizedlist>
<listitem>
<para>If the SOURCE is
$FW[:&lt;<emphasis>address</emphasis>&gt;], then the rule is
inserted in the OUTPUT chain.</para>
</listitem>
<listitem>
<para>Otherwise, the chain is determined by the setting of the
MARK_IN_FORWARD_CHAIN option in shorewall.conf.</para>
</listitem>
</itemizedlist>
<note>
<para><emphasis role="bold">Use the 'T' qualifier if you want the
rule to apply equally to traffic being routed through the firewall
and to traffic originating on the firewall
itself.</emphasis></para>
</note>
<para>Normally, the mark is applied to the packet. If you follow the
mark value with ":" and "C", then the mark is applied to the
connection. "C" can be combined with "F", "P" or "T" to designate
that the connection should be marked in a particular chain (e.g.,
"CF", "CP", "CT").</para>
<para>There are additional special values available:</para>
<orderedlist numeration="loweralpha">
<listitem>
<para><emphasis
role="bold">RESTORE</emphasis>[/<emphasis>mask</emphasis>] --
restore the packet's mark from the connection's mark using the
supplied mask if any. Your kernel and iptables must include
CONNMARK support.</para>
<para>As above, may be followed by <emphasis
role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
or <emphasis role="bold">:T</emphasis>.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">SAVE</emphasis>[/<emphasis>mask</emphasis>] -- save
the packet's mark to the connection's mark using the supplied
mask if any. Your kernel and iptables must include CONNMARK
support.</para>
<para>As above, may be followed by <emphasis
role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
or <emphasis role="bold">:T</emphasis>.</para>
</listitem>
<listitem>
<para><emphasis role="bold">CONTINUE</emphasis> Don't process
any more marking rules in the table.</para>
<para>As above, may be followed by <emphasis
role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
or <emphasis role="bold">:T</emphasis>.</para>
</listitem>
<listitem>
<para><emphasis role="bold">COMMENT</emphasis> -- the rest of
the line will be attached as a comment to the Netfilter rule(s)
generated by the following entries. The comment will appear
delimited by "/* ... */" in the output of <command>shorewall
show mangle</command></para>
<para>To stop the comment from being attached to further rules,
simply include COMMENT on a line by itself.</para>
</listitem>
</orderedlist>
<para>To use CLASSIFY, your kernel and iptables must include
CLASSIFY target support. In that case, this column contains a
classification (classid) of the form &lt;major&gt;:&lt;minor&gt;
where &lt;major&gt; and &lt;minor&gt; are integers. Corresponds to
the 'class' specification in these traffic shaping modules:</para>
<simplelist>
<member>atm</member>
<member>cbq</member>
<member>dsmark</member>
<member>pfifo_fast</member>
<member>htb</member>
<member>prio</member>
</simplelist>
<para>Classification occurs in the POSTROUTING chain <emphasis
role="bold">except</emphasis> when the SOURCE contains
$FW[:&lt;<emphasis>address</emphasis>&gt;] in which case, the
classify action takes place in the OUTPUT chain. When used with the
builtin traffic shaper, the &lt;major&gt; class is the interface
number and the &lt;minor&gt; class is either:</para>
<orderedlist>
<listitem>
<para>Constructed by Shorewall. The method of construction
depends on the setting of WIDE_TC_MARKS (TC_BITS in shorewall
4.4.26 and later) in (<ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink>
(5)).</para>
<para>When WIDE_TC_MARKS=No (the default) or TC_BITS &gt; 14,
the &lt;minor&gt; class is:</para>
<itemizedlist>
<listitem>
<para>the MARK value of the class preceded by the number "1"
or "10" (MARK value 1 is &lt;minor&gt; class 11, MARK value
22 is &lt;minor&gt; class 122, and so on). "10" is used
where there are more than 10 devices defined in <link
linkend="tcdevices">/etc/shorewall/tcdevices</link>.</para>
</listitem>
</itemizedlist>
<para>When WIDE_TC_MARKS=Yes (TC_BITS &gt;= 14), the
&lt;minor&gt; class is assigned sequentially beginning with
2.</para>
</listitem>
<listitem>
<para>The class number, if specified.</para>
</listitem>
</orderedlist>
</listitem>
<listitem>
<para>SOURCE - Source of the packet.</para>
<para>May be:</para>
<orderedlist>
<listitem>
<para>An interface name - matches traffic entering the firewall
on the specified interface. May not be used in classify rules or
in rules using the :T chain qualifier.</para>
</listitem>
<listitem>
<para>A comma-separated list of host or network IP addresses or
MAC addresses. <emphasis role="bold">This form will not match
traffic that originates on the firewall itself unless either
&lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used in
the ACTION column.</emphasis></para>
<para>Examples:<simplelist>
<member>0.0.0.0/0</member>
</simplelist></para>
<para><simplelist>
<member>192.168.1.0/24, 172.20.4.0/24</member>
</simplelist></para>
</listitem>
<listitem>
<para>An interface name followed by a colon (":") followed by a
comma-separated list of host or network IP addresses or MAC
addresses. May not be used in classify rules or in rules using
the :T chain qualifier.</para>
</listitem>
<listitem>
<para>$FW optionally followed by a colon (":") and a
comma-separated list of host or network IP addresses. matches
packets originating on the firewall. May not be used with a
chain qualifier (:P, :F, etc.) in the ACTION column.</para>
</listitem>
</orderedlist>
<para>MAC addresses must be prefixed with "~" and use "-" as a
separator.</para>
<para>Example: ~00-A0-C9-15-39-78</para>
<para>If your kernel includes iprange match support, then address
ranges may be included in the address lists.</para>
</listitem>
<listitem>
<para>DEST - Destination of the packet.</para>
<para>May be:</para>
<orderedlist>
<listitem>
<para>An interface name. May not be used in the PREROUTING chain
(:P in the mark column or no chain qualifier and
MARK_IN_FORWARD_CHAIN=No in <ulink
url="manpages/shorewall.conf">shorewall.conf</ulink> (5)). The
interface name may be optionally followed by a colon (":") and
an IP address list.</para>
</listitem>
<listitem>
<para>A comma-separated list of host or network IP addresses.
The list may include ip address ranges if your kernel and
iptables include iprange support.</para>
</listitem>
</orderedlist>
</listitem>
<listitem>
<para>PROTO - Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
"ipp2p:udp", "ipp2p:all" a number, or "all". "ipp2p" requires ipp2p
match support in your kernel and iptables.</para>
</listitem>
<listitem>
<para>PORT(S) - Destination Ports. A comma-separated list of Port
names (from /etc/services), port numbers or port ranges; if the
protocol is "icmp", this column is interpreted as the destination
icmp-type(s).</para>
<para>If the protocol is ipp2p, this column is interpreted as an
ipp2p option without the leading "--" (example "bit" for
bit-torrent). If no PORT is given, "ipp2p" is assumed. Note that the
xtables-addons version of IPP2P does not support the "ipp2p" option;
if the column is empty or contains "ipp2p" when using that version
of IPP2P, Shorewall will substitute "edk,kazaa,gnu,dc".</para>
<para>This column is ignored if PROTOCOL = all but must be entered
if any of the following field is supplied. In that case, it is
suggested that this field contain "-"</para>
</listitem>
<listitem>
<para>CLIENT PORT(S) - (Optional) Port(s) used by the client. If
omitted, any source port is acceptable. Specified as a
comma-separate list of port names, port numbers or port
ranges.</para>
</listitem>
<listitem>
<para>USER/GROUP (Optional) This column may only be non-empty if the
SOURCE is the firewall itself. When this column is non-empty, the
rule applies only if the program generating the output is running
under the effective user and/or group. It may contain :</para>
<para>[!][&lt;user name or number&gt;]:[&lt;group name or
number&gt;][+&lt;program name&gt;]</para>
<para>The colon is optional when specifying only a user.</para>
<para>Examples:</para>
<programlisting>joe #program must be run by joe
:kids #program must be run by a member of the 'kids' group
!:kids #program must not be run by a member of the 'kids' group
+upnpd #program named upnpd (This feature was removed from Netfilter in kernel version 2.6.14).</programlisting>
</listitem>
<listitem>
<para>TEST (Optional) Defines a test on the existing packet or
connection mark. The rule will match only if the test returns true.
Tests have the format [!]&lt;value&gt;[/&lt;mask&gt;][:C]</para>
<para>Where:</para>
<simplelist>
<member>! Inverts the test (not equal)</member>
<member>&lt;value&gt; Value of the packet or connection
mark.</member>
<member>&lt;mask&gt; A mask to be applied to the mark before
testing</member>
<member>:C Designates a connection mark. If omitted, the packet
mark's value is tested.</member>
</simplelist>
</listitem>
<listitem>
<para>LENGTH (Optional) This field, if present, allows you to match
the length of a packet against a specific value or range of values.
A range is specified in the form &lt;min&gt;:&lt;max&gt; where
either &lt;min&gt; or &lt;max&gt; (but not both) may be omitted. If
&lt;min&gt; is omitted, then 0 is assumed; if &lt;max&gt; is
omitted, than any packet that is &lt;min&gt; or longer will
match.</para>
<para>You must have iptables length support for this to work. If you
let it empty or place an "-" here, no length match will be
done.</para>
<para>Examples: 1024, 64:1500, :100</para>
</listitem>
<listitem>
<para>TOS (Optional) Type of Service. Either a standard name, or a
numeric value to match.</para>
<blockquote>
<simplelist>
<member>Minimize-Delay (16)</member>
<member>Maximize-Throughput (8)</member>
<member>Maximize-Reliability (4)</member>
<member>Minimize-Cost (2)</member>
<member>Normal-Service (0)</member>
</simplelist>
</blockquote>
</listitem>
<listitem>
<para>HELPER (Optional). Names one of the Netfilter protocol helper
modules such as <emphasis>ftp</emphasis>, <emphasis>sip</emphasis>,
<emphasis>amanda</emphasis>, etc.</para>
</listitem>
<listitem>
<para>HEADERS (Optioinal, Shorewall6 only, added in Shorewall
4.4.15). List of IPv6 headers that may appear in packets. See <ulink
url="manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>
(5) for details.</para>
</listitem>
</itemizedlist>
<example id="Example1"> <example id="Example1">
<title></title> <title></title>
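Review bot: removing the column descriptions leaves a dangling reference: the unchanged context just above still says "by using the :F qualifier (see below)", but the :P/:F/:T/:C chain qualifiers, RESTORE/SAVE/CONTINUE and the CLASSIFY minor-class construction are no longer described anywhere below in this section; either keep a short summary of the chain qualifiers or change "see below" to point at shorewall-mangle(5). In the replacement paragraph, "superceded" should be "superseded", and the visible context "MARK_IN_FORWARD_CHAIN=Yes shorewall.conf" is missing "in".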
@ -1261,10 +921,10 @@ ppp0 6000kbit 500kbit</programlisting>
originating on the firewall itself should be marked with 3.</para> originating on the firewall itself should be marked with 3.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S)
1 eth1 0.0.0.0/0 all MARK(1) eth1 0.0.0.0/0 all
2 eth2 0.0.0.0/0 all MARK(2) eth2 0.0.0.0/0 all
2 eth3 0.0.0.0/0 all MARK(2) eth3 0.0.0.0/0 all
3 $FW 0.0.0.0/0 all</programlisting> MARK(3) $FW 0.0.0.0/0 all</programlisting>
</example> </example>
<example id="Example2"> <example id="Example2">
@ -1274,7 +934,7 @@ ppp0 6000kbit 500kbit</programlisting>
should be marked with 12.</para> should be marked with 12.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S)
12:T 0.0.0.0/0 155.182.235.151 47</programlisting> MARK(12):T 0.0.0.0/0 155.182.235.151 47</programlisting>
</example> </example>
<example id="Example3"> <example id="Example3">
@ -1284,7 +944,7 @@ ppp0 6000kbit 500kbit</programlisting>
destined for 155.186.235.151 should be marked with 22.</para> destined for 155.186.235.151 should be marked with 22.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S)
22:T 192.168.1.0/24 155.182.235.151 tcp 22</programlisting> MARK(22):T 192.168.1.0/24 155.182.235.151 tcp 22</programlisting>
</example> </example>
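Review bot: the example prose says traffic "destined for 155.186.235.151" while the rule in this hunk matches 155.182.235.151; the two addresses should agree (the neighbouring example uses 155.182.235.151 in both prose and rule).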
<example id="Example4"> <example id="Example4">
@ -1296,8 +956,8 @@ ppp0 6000kbit 500kbit</programlisting>
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT <programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT
# PORT(S) # PORT(S)
1:110 0.0.0.0/0 0.0.0.0/0 tcp 22 CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp 22
1:110 0.0.0.0/0 0.0.0.0/0 tcp - 22</programlisting> CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp - 22</programlisting>
</example> </example>
<example id="Example5"> <example id="Example5">
@ -1315,12 +975,12 @@ ppp0 6000kbit 500kbit</programlisting>
<programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST <programlisting>#ACTION SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST
# PORT(S) GROUP # PORT(S) GROUP
1 0.0.0.0/0 0.0.0.0/0 icmp echo-request MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1 0.0.0.0/0 0.0.0.0/0 icmp echo-reply MARK(1) 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0 RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0
CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0 CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0
4 0.0.0.0/0 0.0.0.0/0 ipp2p:all MARK(4) 0.0.0.0/0 0.0.0.0/0 ipp2p:all
SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0</programlisting> SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0</programlisting>
<para>The last four rules can be translated as:</para> <para>The last four rules can be translated as:</para>
@ -1376,7 +1036,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
in the tcdevices, tcclasses and tcfilters files can be shared between in the tcdevices, tcclasses and tcfilters files can be shared between
Shorewall and Shorewall6. Only one of the products can control the Shorewall and Shorewall6. Only one of the products can control the
configuration but the other can configure CLASSIFY rules in its own configuration but the other can configure CLASSIFY rules in its own
tcrules file that refer to the shared classes.</para> mangle or tcrules file that refer to the shared classes.</para>
<para>To defined the configuration in Shorewall and shared it with <para>To defined the configuration in Shorewall and shared it with
Shorewall6:</para> Shorewall6:</para>
@ -1411,11 +1071,11 @@ ln -s ../shorewall/tcclasses /etc/shorewall6/tcclasses</programlisting>
<para>Shorewall6 compilations to have access to the tcdevices and <para>Shorewall6 compilations to have access to the tcdevices and
tcclasses files although it will create no output. That access allows tcclasses files although it will create no output. That access allows
CLASSIFY rules in /etc/shorewall6/tcrules to be validated against the TC CLASSIFY rules in /etc/shorewall6/mangle to be validated against the TC
configuration.</para> configuration.</para>
<para>In this configuration, it is Shorewall that controls TC <para>In this configuration, it is Shorewall that controls TC
configuration (except for IPv6 tcrules). You can reverse the settings in configuration (except for IPv6 mangle). You can reverse the settings in
the files if you want to control the configuration using the files if you want to control the configuration using
Shorewall6.</para> Shorewall6.</para>
</section> </section>
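Review bot: these lines now mention only "/etc/shorewall6/mangle" and "IPv6 mangle", while the hunk above (at -1376) was changed to "mangle or tcrules file"; for releases before 4.6.0 the Shorewall6 file is still tcrules, so either name both files here as well or qualify the statement with the version.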
@ -1451,7 +1111,8 @@ ln -s ../shorewall/tcclasses /etc/shorewall6/tcclasses</programlisting>
<orderedlist> <orderedlist>
<listitem> <listitem>
<para>An IPMARK MARKing command in <para>An IPMARK MARKing command in
<filename>/etc/shorewall/tcrules</filename>.</para> <filename>/etc/shorewall/mangle</filename>
(<filename>/etc/shorewall/tcrules</filename>).</para>
</listitem> </listitem>
<listitem> <listitem>
@ -1583,7 +1244,8 @@ eth0:101 - 1kbit 230kbit 4 occurs=6</programlisting>
<para>The above defines 6 classes with class IDs 0x101-0x106. Each class <para>The above defines 6 classes with class IDs 0x101-0x106. Each class
has a guaranteed rate of 1kbit/second and a ceiling of 230kbit.</para> has a guaranteed rate of 1kbit/second and a ceiling of 230kbit.</para>
<para><filename>/etc/shoreall/tcrules</filename>:</para> <para><filename>/etc/shoreall/mangle</filename> or
<filename>/etc/shoreall/tcrules</filename>:</para>
<programlisting>#ACTION SOURCE DEST <programlisting>#ACTION SOURCE DEST
IPMARK(src,0xff,0x10100):F 192.168.1.0/29 eth0</programlisting> IPMARK(src,0xff,0x10100):F 192.168.1.0/29 eth0</programlisting>
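Review bot: the new line repeats the typo of the old one: "/etc/shoreall/mangle" and "/etc/shoreall/tcrules" are both missing the "w" in shorewall; fix both filenames.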
@ -1683,6 +1345,16 @@ NOPRIOPORTDST="6662 6663" </programlisting>
<para>This would result in the following additional settings to the <para>This would result in the following additional settings to the
tcrules file:</para> tcrules file:</para>
<programlisting>MARK(3) 192.168.1.128/25 0.0.0.0/0 all
MARK(3) 192.168.3.28 0.0.0.0/0 all
MARK(3) 0.0.0.0/0 60.0.0.0/24 all
MARK(3) 0.0.0.0/0 0.0.0.0/0 udp 6662,6663
MARK(3) 0.0.0.0/0 0.0.0.0/0 udp - 6662,6663
MARK(3) 0.0.0.0/0 0.0.0.0/0 tcp 6662,6663
MARK(3) 0.0.0.0/0 0.0.0.0/0 tcp - 6662,6663</programlisting>
<para>Corresponding tcrules file entries are:</para>
<programlisting>3 192.168.1.128/25 0.0.0.0/0 all <programlisting>3 192.168.1.128/25 0.0.0.0/0 all
3 192.168.3.28 0.0.0.0/0 all 3 192.168.3.28 0.0.0.0/0 all
3 0.0.0.0/0 60.0.0.0/24 all 3 0.0.0.0/0 60.0.0.0/24 all
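Review bot: the introductory sentence (unchanged context) still says "additional settings to the tcrules file:", but the listing that now follows it is the mangle-format one, with the tcrules entries only after "Corresponding tcrules file entries are:"; change the intro to name the mangle file. The added listing also lacks the "#ACTION SOURCE DEST ..." header comment that the other mangle examples in this file carry.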
@ -1727,7 +1399,16 @@ ppp0 4 90kbit 200kbit 3 default</pro
</section> </section>
<section id="simpletcr"> <section id="simpletcr">
<title>tcrules file</title> <title>mangle file</title>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER
# PORT(S)
MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-request
MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
MARK(2):F 192.168.2.23 0.0.0.0/0 all
MARK(3):F 192.168.2.42 0.0.0.0/0 all</programlisting>
<para>Corresponding tcrules file:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER <programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER
# PORT(S) # PORT(S)
@ -1908,11 +1589,12 @@ eth0 - 1000kbit hfsc</programlisting>
<programlisting><command>modprobe ifb numifbs=1 <programlisting><command>modprobe ifb numifbs=1
ip link set ifb0 up</command></programlisting> ip link set ifb0 up</command></programlisting>
<para>Entries in <filename>/etc/shorewall/tcrules</filename> have no <para>Entries in <filename>/etc/shorewall/mangle</filename> or
effect on shaping traffic through an IFB. To allow classification of such <filename>/etc/shorewall/tcrules</filename> have no effect on shaping
traffic, the /etc/shorewall/tcfilters file has been added. Entries in that traffic through an IFB. To allow classification of such traffic, the
file create <ulink url="http://b42.cz/notes/u32_classifier/">u32 /etc/shorewall/tcfilters file has been added. Entries in that file create
classification rules</ulink>.</para> <ulink url="http://b42.cz/notes/u32_classifier/">u32 classification
rules</ulink>.</para>
<section id="tcfilters"> <section id="tcfilters">
<title>/etc/shorewall/tcfilters</title> <title>/etc/shorewall/tcfilters</title>
@ -1920,7 +1602,7 @@ ip link set ifb0 up</command></programlisting>
<para>While this file was created to allow shaping of traffic through an <para>While this file was created to allow shaping of traffic through an
IFB, the file may be used for general traffic classification as well. IFB, the file may be used for general traffic classification as well.
The file is similar to <ulink The file is similar to <ulink
url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5) with the url="shorewall-tcrules.html">shorewall-mangle</ulink>(5) with the
following key exceptions:</para> following key exceptions:</para>
<itemizedlist> <itemizedlist>
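Review bot: only the link text was changed: the ulink still has url="shorewall-tcrules.html" while its text now reads shorewall-mangle(5); update the url to manpages/shorewall-mangle.html (the other manpage links in this file use the manpages/ prefix).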
@ -2391,7 +2073,7 @@ class htb 1:120 parent 1:1 leaf 120: prio 2 quantum 1900 rate 76000bit ceil 2300
<listitem> <listitem>
<para>If your tcstart script uses the <quote>fwmark</quote> <para>If your tcstart script uses the <quote>fwmark</quote>
classifier, you can mark packets using entries in classifier, you can mark packets using entries in
/etc/shorewall/tcrules.</para> /etc/shorewall/mangle or /etc/shorewall/tcrules.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
</section> </section>
@ -2412,7 +2094,8 @@ class htb 1:120 parent 1:1 leaf 120: prio 2 quantum 1900 rate 76000bit ceil 2300
<listitem> <listitem>
<para>If your script uses the <quote>fwmark</quote> classifier, you <para>If your script uses the <quote>fwmark</quote> classifier, you
can mark packets using entries in /etc/shorewall/tcrules.</para> can mark packets using entries in /etc/shorewall/mangle or
/etc/shorewall/tcrules.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
</section> </section>