shorewall-mangle5Configuration FilesmangleShorewall Packet marking/mangling rules file/etc/shorewall[6]/mangleDescriptionThis file was introduced in Shorewall 4.6.0 and replaces shorewall-tcrules(5). This
file is only processed by the compiler if:Entries in this file cause packets to be marked as a means of
classifying them for traffic control or policy routing.Unlike rules in the shorewall-rules(5) file,
evaluation of rules in this file will continue after a match. So the
final mark for each packet will be the one assigned by the LAST tcrule
that matches.If you use multiple internet providers with the 'track' option, in
/etc/shorewall/providers be sure to read the restrictions at http://www.shorewall.net/MultiISP.html.The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
the alternate specification syntax).ACTION -
command[(parameters)][:chain-designator]The chain-designator indicates the
Netfilter chain that the entry applies to and may be one of the
following:PPREROUTING chain.FFORWARD chain.TPOSTROUTING chain.IINPUT chain.Unless otherwise specified for the particular
command, the default chain is PREROUTING
when MARK_IN_FORWARD_CHAIN=No in shorewall.conf(5), and
FORWARD when MARK_IN_FORWARD_CHAIN=Yes.A chain-designator may not be
specified if the SOURCE or DEST columns begin with '$FW'. When the
SOURCE is $FW, the generated rule is always placed in the OUTPUT
chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
Additionally, a chain-designator may not
be specified in an action body.Where a command takes parameters, those parameters are
enclosed in parentheses ("(....)") and separated by commas.The command may be one of the
following.action[([param[,...])]Added in Shorewall 5.0.7.
action must be an action declared
with the option in shorewall-actions(5).
If the action accepts parameters, they are specified as a
comma-separated list within parentheses following the
action name.ADD(ipset:flags)Added in Shorewall 4.6.7. Causes addresses and/or port
numbers to be added to the named
ipset. The
flags specify the address or tuple
to be added to the set and must match the type of ipset
involved. For example, for an iphash ipset, either the SOURCE
or DESTINATION address can be added using
flagssrc or dst respectively (see the -A command in
ipset (8)).ADD is non-terminating. Even if a packet matches the
rule, it is passed on to the next rule.CHECKSUMCompute and fill in the checksum in a packet that lacks
a checksum. This is particularly useful if you need to work
around old applications, such as dhcp clients, that do not
work well with checksum offloads, but you don't want to
disable checksum offload in your device.Requires 'Checksum Target' support in your kernel and
iptables.CLASSIFY(classid)A classification Id (classid) is of the form
major:minor where
major and minor are
integers. Corresponds to the 'class' specification in these
traffic shaping modules: atm
cbq
dsmark
pfifo_fast
htb
prioClassification occurs in the POSTROUTING chain except
when the SOURCE is $FW[:address] in
which case classification occurs in the OUTPUT chain.When using Shorewall's built-in traffic shaping tool,
the major class is the device number (the
first device in shorewall-tcdevices(5)
is major class 1, the second device is major class 2, and so
on) and the minor class is the class's
MARK value in shorewall-tcclasses(5)
preceded by the number 1 (MARK 1 corresponds to minor class
11, MARK 5 corresponds to minor class 15, MARK 22 corresponds
to minor class 122, etc.).?COMMENTThe rest of the line will be attached as a comment to
the Netfilter rule(s) generated by the following entries. The
comment will appear delimited by "/* ... */" in the output of
shorewall show mangleTo stop the comment from being attached to further
rules, simply include ?COMMENT on a line by itself.CONMARK({mark|range})Identical to MARK with the exception that the mark is
assigned to connection to which the packet belongs is marked
rather than to the packet itself.CONTINUEDon't process any more marking rules in the
table.Currently, CONTINUE may not be used with
exclusion (see the SOURCE and DEST
columns below); that restriction will be removed when
iptables/Netfilter provides the necessary support.DEL(ipset:flags)Added in Shorewall 4.6.7. Causes an entry to be deleted
from the named ipset. The
flags specify the address or tuple
to be deleted from the set and must match the type of ipset
involved. For example, for an iphash ipset, either the SOURCE
or DESTINATION address can be deleted using
flagssrc or dst respectively (see the -D command in
ipset (8)).DEL is non-terminating. Even if a packet matches the
rule, it is passed on to the next rule.DIVERTTwo DIVERT rule should precede the TPROXY rule and
should select DEST PORT tcp 80 and SOURCE PORT tcp 80
respectively (assuming that tcp port 80 is being proxied).
DIVERT avoids sending packets to the TPROXY target once a
socket connection to Squid3 has been established by TPROXY.
DIVERT marks the packet with a unique mark and exempts it from
any rules that follow.DIVERTHAAdded in Shorewall 5.0.4. To setup the HAProxy
configuration described at http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x,
place this entry in shorewall-providers(5):#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
TProxy 1 - - lo - tproxyand use this DIVERTHA entry:#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP
DIVERTHA - - tcpDROPCauses matching packets to be discarded.DSCP(dscp)Sets the Differentiated Services Code
Point field in the IP header. The
dscp value may be given as an even
number (hex or decimal) or as the name of a DSCP class. Valid
class names and their associated hex numeric values
are: CS0 => 0x00
CS1 => 0x08
CS2 => 0x10
CS3 => 0x18
CS4 => 0x20
CS5 => 0x28
CS6 => 0x30
CS7 => 0x38
BE => 0x00
AF11 => 0x0a
AF12 => 0x0c
AF13 => 0x0e
AF21 => 0x12
AF22 => 0x14
AF23 => 0x16
AF31 => 0x1a
AF32 => 0x1c
AF33 => 0x1e
AF41 => 0x22
AF42 => 0x24
AF43 => 0x26
EF => 0x2eTo indicate more than one class, add their hex values
together and specify the result. By default, DSCP rules are
placed in the POSTROUTING chain.ECNAdded in Shorewall 5.0.6 as an alternative to entries in
shorewall-ecn(5).
If a PROTO is specified, it must be 'tcp' (6). If no PROTO is
supplied, TCP is assumed. This action causes all ECN bits in
the TCP header to be cleared.IMQ(number)Specifies that the packet should be passed to the IMQ
identified by number. Requires IMQ
Target support in your kernel and iptables.INLINE[(action)]Allows you to place your own ip[6]tables matches at the
end of the line following a semicolon (";") (deprecated) or
two semicolons (";;") (preferred since Shoreall 5.0.0). If an
action is specified, the compiler
proceeds as if that action had been
specified in this column. If no action is specified, then you
may include your own jump ("-j
target
[option] ...") after any matches
specified at the end of the rule. If the target is not one
known to Shorewall, then it must be defined as a builtin
action in shorewall-actions
(5).The following rules are equivalent:2:P eth0 - tcp 22
INLINE(MARK(2)):P eth0 - tcp 22
INLINE(MARK(2)):P eth0 - ;; -p tcp
INLINE eth0 - tcp 22 ;; -j MARK --set-mark 2
INLINE eth0 - ;; -p tcp -j MARK --set-mark 2
IPMARKAssigns a mark to each matching packet based on the
either the source or destination IP address. By default, it
assigns a mark value equal to the low-order 8 bits of the
source address. Default values are:srcmask1 = 0xFFmask2 = 0x00shift = 0'src' and 'dst' specify whether the mark is to be based
on the source or destination address respectively. The
selected address is first shifted to the right by
shift bits. The result is then LANDed
with mask1 then LORed with
mask2.In a sense, the IPMARK target is more like an IPCLASSIFY
target in that the mark value is later interpreted as a class
ID. A packet mark is 32 bits wide; so is a class ID. The
<major> class occupies the high-order 16 bits and the
<minor> class occupies the low-order 16 bits. So the
class ID 1:4ff (remember that class IDs are always in hex) is
equivalent to a mark value of 0x104ff. Remember that Shorewall
uses the interface number as the <major> number where
the first interface in tcdevices has <major> number 1,
the second has <major> number 2, and so on.The IPMARK target assigns a mark to each matching packet
based on the either the source or destination IP address. By
default, it assigns a mark value equal to the low-order 8 bits
of the source address. The syntax is as follows:
[([{|}][,[mask1][,[mask2][,[shift]]]])]
Default values are:mask1 = 0xFFmask2 = 0x00shift = 0 and specify
whether the mark is to be based on the source or destination
address respectively. The selected address is first shifted
right by shift, then LANDed with
mask1 and then LORed with
mask2. The
shift argument is intended to be
used primarily with IPv6 addresses.Example:
IPMARK(src,0xff,0x10100)Suppose that the source IP address is 192.168.4.3
= 0xc0a80403; then0xc0a80403 >> 0 = 0xc0a804030xc0a80403 LAND 0xFF = 0x030x03 LOR 0x10100 = 0x10103 or class ID
1:103
It is important to realize that, while class IDs are
composed of a major and a
minor value, the set of values must
be unique. That is, the same numeric value cannot be used as
both a major and a
minor number for the same interface
unless class nesting occurs (which is not currently possible
with Shorewall). You should keep this in mind when deciding
how to map IP addresses to class IDs.For example, suppose that your internal network is
192.168.1.0/29 (host IP addresses 192.168.1.1 - 192.168.1.6).
Your first notion might be to use IPMARK(src,0xFF,0x10000) so
as to produce class IDs 1:1 through 1:6. But 1:1 is an invalid
class ID since the major and
minor classes are equal. So you
might choose instead to use IPMARK(src,0xFF,0x10100) as in the
example above so that all of your
minor classes will have a value
> 256.IP6TABLES({target
[option ...])IPv6 only.This action allows you to specify an iptables target
with options (e.g., 'IP6TABLES(MARK --set-xmark 0x01/0xff)'.
If the target is not one recognized by Shorewall, the
following error message will be issued:ERROR: Unknown target
(target)This error message may be eliminated by adding the
target as a builtin action in
shorewall-actions(5).IPTABLES({target
[option ...])IPv4 only.This action allows you to specify an iptables target
with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
the target is not one recognized by Shorewall, the following
error message will be issued:ERROR: Unknown target
(target)This error message may be eliminated by adding the
target as a builtin action in
shorewall-actions(5).MARK({mark|range})where mark is a packet mark
value.Normally will set the mark value. If preceded by a
vertical bar ("|"), the mark value will be logically ORed with
the current mark value to produce a new mark value. If
preceded by an ampersand ("&"), will be logically ANDed
with the current mark value to produce a new mark
value.Both "|" and "&" require Extended MARK Target
support in your kernel and iptables.The mark value may be optionally followed by "/" and a
mask value (used to determine those bits of the connection
mark to actually be set). When a mask is specified, the result
of logically ANDing the mark value with the mask must be the
same as the mark value.A mark range is a pair of
integers separated by a dash ("-").May be optionally followed by a slash ("/") and a mask
and requires the Statistics Match
capability in iptables and kernel. Marks in the specified
range are assigned to packets on a round-robin fashion.When a mask is specified, the result of logically ANDing
each mark value with the mask must be the same as the mark
value. The least significant bit in the mask is used as an
increment. For example, if '0x200-0x400/0xff00' is specified,
then the assigned mark values are 0x200, 0x300 and 0x400 in
equal proportions. If no mask is specified, then ( 2 **
MASK_BITS ) - 1 is assumed (MASK_BITS is set in shorewall.conf(5)).NFLOG[(nflog-parameters)]Added in Shorewall 5.0.9. Logs matching packets using
NFLOG. The nflog-parameters are a
comma-separated list of up to 3 numbers:The first number specifies the netlink group
(0-65535). If omitted (e.g., NFLOG(,0,10)) then a value of
0 is assumed.The second number specifies the maximum number of
bytes to copy. If omitted, 0 (no limit) is assumed.The third number specifies the number of log
messages that should be buffered in the kernel before they
are sent to user space. The default is 1.RESTORE[(mask)]Restore the packet's mark from the connection's mark
using the supplied mask if any. Your kernel and iptables must
include CONNMARK support.SAME[(timeout)]Some websites run applications that require multiple
connections from a client browser. Where multiple 'balanced'
providers are configured, this can lead to problems when some
of the connections are routed through one provider and some
through another. The SAME target allows you to work around
that problem. SAME may be used in the PREROUTING and OUTPUT
chains. When used in PREROUTING, it causes matching
connections from an individual local system to all use the
same provider. For example: #ACTION SOURCE DEST PROTO DPORT
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443
If a host in 192.168.1.0/24 attempts a connection on TCP port
80 or 443 and it has sent a packet on either of those ports in
the last five minutes then the new connection will use the
same provider as the connection over which that last packet
was sent.When used in the OUTPUT chain, it causes all matching
connections to an individual remote system to all use the same
provider. For example:#ACTION SOURCE DEST PROTO DPORT
SAME $FW 0.0.0.0/0 tcp 80,443The
optional timeout parameter was
added in Shorewall 4.6.7 and specifies a number of seconds .
When not specified, a value of 300 seconds (5 minutes) is
assumed. If the firewall attempts a connection on TCP port 80
or 443 and it has sent a packet on either of those ports in
the last timeout seconds to the
same remote system then the new connection will use the same
provider as the connection over which that last packet was
sent.SAVE[(mask)]
Save the packet's mark to the connection's mark using
the supplied mask if any. Your kernel and iptables must
include CONNMARK support.TCPMSS([mss[,ipsec]])Added in Shorewall 5.1.9. This target only applies to
TCP traffic and alters the MSS value in SYN packets. It may be
used in the FORWARD and POSTROUTING chains; the default is
FORWARD.The mss parameter may be
either or an integer in the range
500:65533. The value automatically
clamps the MSS value to (path_MTU - 40 for IPv4; -60 for
IPv6). This may not function as desired where asymmetric
routes with differing path MTU exist — the kernel uses the
path MTU which it would use to send packets from itself to the
source and destination IP addresses. Prior to Linux 2.6.25,
only the path MTU to the destination IP address was considered
by this option; subsequent kernels also consider the path MTU
to the source IP address. If an integer is given, the MSS
option is set to the specified value. If the MSS of the packet
is already lower than mss, it will
not be increased (from Linux 2.6.25 onwards) to avoid more
problems with hosts relying on a proper MSS. If
mss is omitted,
is assumed.The ipsec parameter
determines whether the rule applies to IPSEC traffic
( is passed), non-IPSEC traffic
( is passed) or both
( is passed). If omitted,
is assumed.TOS(tos[/mask])Sets the Type of Service field in
the IP header. The tos value may be
given as an number (hex or decimal) or as the name of a TOS
type. Valid type names and their associated hex numeric values
are:Minimize-Delay => 0x10,
Maximize-Throughput => 0x08,
Maximize-Reliability => 0x04,
Minimize-Cost => 0x02,
Normal-Service => 0x00To indicate more than one class, add their hex values
together and specify the result.When tos is given as a
number, it may be optionally followed by '/' and a
mask. When no
mask is given, the value 0xff is
assumed. When tos is given as a
type name, the mask 0x3f is
assumed.The action performed is to zero out the bits specified
by the mask, then set the bits
specified by tos.TPROXY([port[,address]])Transparently redirects a packet without altering the IP
header. Requires a tproxy provider to be defined in shorewall-providers(5).There are three parameters to TPROXY - neither is
required:port - the port on which
the proxy server is listening. If omitted, the original
destination port.address - a local (to the
firewall) IP address on which the proxy server is
listening. If omitted, the IP address of the interface on
which the request arrives.TTL([-|+]number)If + is included,
packets matching the rule will have their TTL incremented by
number. Similarly, if - is included, matching packets have
their TTL decremented by number. If
neither + nor - is given, the TTL of matching packets
is set to number. The valid range
of values for number is
1-255.SOURCE -
{-|source-spec[,...]}where source-spec is one of:interfacewhere interface is the
logical name of an interface defined in shorewall-interfaces(5).
Matches packets entering the firewall from the named
interface. May not be used in CLASSIFY rules or in rules using
the :T chain qualifier.address[,...][exclusion]where address is:
A host or network IP address.The name of an ipset preceded by a plus sign
("+").A MAC address in Shorewall format (preceded by a tilde
("~") and using dash ("-") as a separator (e.g.,
~00-A0-C9-15-39-78).
Matches traffic whose source IP address matches one of
the listed addresses and that does not match an address listed
in the exclusion (see shorewall-exclusion(5)).This form will not match traffic
that originates on the firewall itself unless either
<major><minor> or the :T chain qualifier is used
in the ACTION column.interface:address,[...][exclusion]This form combines the preceding two forms and matches
when both the incoming interface and source IP address
match.interface:exclusionThis form matches packets arriving through the named
interface and whose source IP
address does not match any of the addresses in the
exclusion.$FWMatches packets originating on the firewall system. May
not be used with a chain qualifier (:P, :F, etc.) in the
ACTION column.$FW:address[,...][exclusion]where address is as above
(MAC addresses are not permitted). Matches packets originating
on the firewall and whose source IP address matches one of the
listed addresses and does not match any address listed in the
exclusion. May not be used with a
chain qualifier (:P, :F, etc.) in the ACTION column.$FW:exclusionMatches traffic originating on the firewall, provided
that the source IP address does not match any address listed
in the exclusion.Beginning with Shorewall 5.1.0, multiple
source_specs, separated by commas, may be
given provided that the following alternative forms are used:
DEST -
{-|dest-spec[,...]}where dest-spec is one of:interfacewhere interface is the
logical name of an interface defined in shorewall-interfaces(5).
Matches packets leaving the firewall through the named
interface. May not be used in the PREROUTING chain (:P in the
mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No
in shorewall.conf
(5)).address[,...][exclusion]where address is:
A host or network IP address.The name of an ipset preceded by a plus sign
("+").A MAC address in Shorewall format (preceded by a tilde
("~") and using dash ("-") as a separator (e.g.,
~00-A0-C9-15-39-78).
Matches traffic whose destination IP address matches one
of the listed addresses and that does not match an address
listed in the exclusion (see shorewall-exclusion(5)).interface:address,[...][exclusion]This form combines the preceding two forms and matches
when both the outgoing interface and destination IP address
match. May not be used in the PREROUTING chain (:P in the mark
column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in
shorewall.conf
(5)).interface:exclusionThis form matches packets leaving through the named
interface and whose destination IP
address does not match any of the addresses in the
exclusion. May not be used in the
PREROUTING chain (:P in the mark column or no chain qualifier
and MARK_IN_FORWARD_CHAIN=No in shorewall.conf
(5)).$FWMatches packets originating on the firewall system. May
not be used with a chain qualifier (:P, :F, etc.) in the
ACTION column.$FW:address[,...][exclusion]where address is as above
(MAC addresses are not permitted). Matches packets destined
for the firewall and whose destination IP address matches one
of the listed addresses and does not match any address listed
in the exclusion. May not be used
with a chain qualifier (:P, :F, etc.) in the ACTION
column.$FW:exclusionMatches traffic destined for the firewall, provided that
the destination IP address does not match any address listed
in the exclusion.Beginning with Shorewall 5.1.0, multiple
dest_specs, separated by commas, may be
given provided that the following alternative forms are used:
PROTO - {-|{tcp:[!]syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}[,...]}See shorewall-rules(5) for
details.Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.DPORT- {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset}Optional destination Ports. A comma-separated list of Port
names (from services(5)), port numbers or
port ranges; if the protocol is icmp, this column is interpreted as the
destination icmp-type(s). ICMP types may be specified as a numeric
type, a numeric type and code separated by a slash (e.g., 3/4), or a
typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP.If the protocol is ipp2p,
this column is interpreted as an ipp2p option without the leading
"--" (example bit for bit-torrent).
If no PORT is given, ipp2p is
assumed.An entry in this field requires that the PROTO column specify
icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
any of the following field is supplied.Beginning with Shorewall 4.6.0, an
ipset name can be specified in this
column. This is intended to be used with
bitmap:port ipsets.This column was formerly named DEST PORT(S).SPORT - {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset}Optional source port(s). If omitted, any source port is
acceptable. Specified as a comma-separated list of port names, port
numbers or port ranges.An entry in this field requires that the PROTO column specify
tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
the following fields is supplied.Beginning with Shorewall 4.5.15, you may place '=' in this
column, provided that the DPORT column is non-empty. This causes the
rule to match when either the source port or the destination port in
a packet matches one of the ports specified in DEST PORTS(S). Use of
'=' requires multi-port match in your iptables and kernel.Beginning with Shorewall 4.6.0, an
ipset name can be specified in this
column. This is intended to be used with
bitmap:port ipsets.This column was formerly labelled SOURCE PORT(S).USER - [!][user-name-or-number][:group-name-or-number][+program-name]This optional column may only be non-empty if the SOURCE is
the firewall itself.When this column is non-empty, the rule applies only if the
program generating the output is running under the effective
user and/or group
specified (or is NOT running under that id if "!" is given).Examples:joeprogram must be run by joe:kidsprogram must be run by a member of the 'kids'
group!:kidsprogram must not be run by a member of the 'kids'
group+upnpd#program named upnpdThe ability to specify a program name was removed from
Netfilter in kernel version 2.6.14.TEST - [!]value[/mask][:C]Optional - Defines a test on the existing packet or connection
mark. The rule will match only if the test returns true.If you don't want to define a test but need to specify
anything in the following columns, place a "-" in this field.!Inverts the test (not equal)valueValue of the packet or connection mark.maskA mask to be applied to the mark before testing.:CDesignates a connection mark. If omitted, the packet
mark's value is tested.LENGTH -
[length|[min]:[max]]Optional - packet payload length. This field, if present allow
you to match the length of a packet payload (Layer 4 data ) against
a specific value or range of values. You must have iptables length
support for this to work. A range is specified in the form
min:max where either
min or max (but not both)
may be omitted. If min is omitted, then 0 is
assumed; if max is omitted, than any packet
that is min or longer will match.TOS -
tosType of service. Either a standard name, or a numeric value to
match.Minimize-Delay (16)
Maximize-Throughput (8)
Maximize-Reliability (4)
Minimize-Cost (2)
Normal-Service (0)CONNBYTES -
[!]min:[max[:{O|R|B}[:{B|P|A}]]]Optional connection Bytes; defines a byte or packet range that
the connection must fall within in order for the rule to
match.A packet matches if the the packet/byte count is within the
range defined by min and
max (unless ! is given in which case, a packet
matches if the packet/byte count is not within the range).
min is an integer which defines the beginning
of the byte/packet range. max is an integer
which defines the end of the byte/packet range; if omitted, only the
beginning of the range is checked. The first letter gives the
direction which the range refers to:
O - The original
direction of the connection.- The opposite direction from the original
connection.B - The total of both
directions.
If omitted, B is
assumed.The second letter determines what the range refers
to.
B - BytesP - PacketsA - Average packet
size.
If omitted, B is
assumed.HELPER -
helperNames a Netfilter protocol helper
module such as , ,
, etc. A packet will match if it was accepted
by the named helper module.Example: Mark all FTP data connections with mark
4:#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER
4:T 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftpPROBABILITY -
[probability]Added in Shorewall 4.5.0. When non-empty, requires the
Statistics Match capability in your kernel
and ip6tables and causes the rule to match randomly but with the
given probability. The
probability is a number 0 <
probability <= 1 and may be expressed
at up to 8 decimal points of precision.DSCP -
[[!]dscp]Added in Shorewall 4.5.1. When non-empty, match packets whose
Differentiated Service Code Point field
matches the supplied value (when '!' is given, the rule matches
packets whose DSCP field does not match the supplied value). The
dscp value may be given as an even number
(hex or decimal) or as the name of a DSCP class. Valid class names
and their associated hex numeric values are: CS0 => 0x00
CS1 => 0x08
CS2 => 0x10
CS3 => 0x18
CS4 => 0x20
CS5 => 0x28
CS6 => 0x30
CS7 => 0x38
BE => 0x00
AF11 => 0x0a
AF12 => 0x0c
AF13 => 0x0e
AF21 => 0x12
AF22 => 0x14
AF23 => 0x16
AF31 => 0x1a
AF32 => 0x1c
AF33 => 0x1e
AF41 => 0x22
AF42 => 0x24
AF43 => 0x26
EF => 0x2eSTATE -- {NEW|RELATED|ESTABLISHED|INVALID} [,...]The rule will only match if the packet's connection is in one
of the listed states.TIME -
timeelement[&timeelement...]Added in Shorewall 4.6.2.May be used to limit the rule to a particular time period each
day, to particular days of the week or month, or to a range defined
by dates and times. Requires time match support in your kernel and
ip6tables.timeelement may be:timestart=hh:mm[:ss]Defines the starting time of day.timestop=hh:mm[:ss]Defines the ending time of day.contiguousAdded in Shoreawll 5.0.12. When timestop is smaller than timestart value, match this as a single
time period instead of distinct intervals.utcTimes are expressed in Greenwich Mean Time.localtzDeprecated by the Netfilter team in favor of kerneltz. Times are expressed in Local
Civil Time (default).kerneltzAdded in Shorewall 4.5.2. Times are expressed in Local
Kernel Time (requires iptables 1.4.12 or later).weekdays=ddd[,ddd]...where ddd is one of
, ,
, ,
, or
monthdays=dd[,dd],...where dd is an ordinal day of
the monthdatestart=yyyy[-mm[-dd[hh[:mm[:ss]]]]]Defines the starting date and time.datestop=yyyy[-mm[-dd[hh[:mm[:ss]]]]]Defines the ending date and time.SWITCH -
[!]switch-name[={0|1}]Added in Shorewall 5.1.0 and allows enabling and disabling the
rule without requiring shorewall restart.The rule is enabled if the value stored in
/proc/net/nf_condition/switch-name
is 1. The rule is disabled if that file contains 0 (the default). If
'!' is supplied, the test is inverted such that the rule is enabled
if the file contains 0.Within the switch-name, '@0' and
'@{0}' are replaced by the name of the chain to which the rule is a
added. The switch-name (after '@...'
expansion) must begin with a letter and be composed of letters,
decimal digits, underscores or hyphens. Switch names must be 30
characters or less in length.Switches are normally off. To
turn a switch on:echo 1 >
/proc/net/nf_condition/switch-nameTo turn it off again:echo 0 >
/proc/net/nf_condition/switch-nameSwitch settings are retained over shorewall
restart.When the switch-name is followed by
or , then the switch is
initialized to off or on respectively by the
start command. Other commands do not affect the
switch setting.ExampleIPv4 Example 1:Mark all ICMP echo traffic with packet mark 1. Mark all peer
to peer traffic with packet mark 4.This is a little more complex than otherwise expected. Since
the ipp2p module is unable to determine all packets in a connection
are P2P packets, we mark the entire connection as P2P if any of the
packets are determined to match.We assume packet/connection mark 0 means unclassified. #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
MARK(1):T 0.0.0.0/0 0.0.0.0/0 icmp echo-request
MARK(1):T 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
RESTORE:T 0.0.0.0/0 0.0.0.0/0 all - - - 0
CONTINUE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0
MARK(4):T 0.0.0.0/0 0.0.0.0/0 ipp2p:all
SAVE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0If a packet hasn't been classified (packet mark is 0), copy
the connection mark to the packet mark. If the packet mark is set,
we're done. If the packet is P2P, set the packet mark to 4. If the
packet mark has been set, save it to the connection mark.IPv4 Example 2:SNAT outgoing connections on eth0 from 192.168.1.0/24 in
round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
(Shorewall 4.5.9 and later)./etc/shorewall/mangle:
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
CONNMARK(1-3):F 192.168.1.0/24 eth0 ; state=NEW
/etc/shorewall/snat:
#ACTION SOURCE DEST ...
SNAT(1.1.1.1) eth0:192.168.1.0/24 - { mark=1:C }
SNAT(1.1.1.3) eth0:192.168.1.0/24 - { mark=2:C }
SNAT(1.1.1.4) eth0:192.168.1.0/24 - { mark=3:C }IPv6 Example 1:Mark all ICMP echo traffic with packet mark 1. Mark all peer
to peer traffic with packet mark 4.This is a little more complex than otherwise expected. Since
the ipp2p module is unable to determine all packets in a connection
are P2P packets, we mark the entire connection as P2P if any of the
packets are determined to match.We assume packet/connection mark 0 means unclassified. #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
MARK(1):T ::/0 ::/0 icmp echo-request
MARK(1):T ::/0 ::/0 icmp echo-reply
RESTORE:T ::/0 ::/0 all - - - 0
CONTINUE:T ::/0 ::/0 all - - - !0
MARK(4):T ::/0 ::/0 ipp2p:all
SAVE:T ::/0 ::/0 all - - - !0If a packet hasn't been classified (packet mark is 0), copy
the connection mark to the packet mark. If the packet mark is set,
we're done. If the packet is P2P, set the packet mark to 4. If the
packet mark has been set, save it to the connection mark.FILES/etc/shorewall/mangle/etc/shorewall6/mangleSee ALSOhttp://www.shorewall.net/traffic_shaping.htmhttp://www.shorewall.net/MultiISP.htmlhttp://www.shorewall.net/PacketMarking.htmlhttp://www.shorewall.net/configuration_file_basics.htm#Pairsshorewall(8)