shorewall6-tcrules5tcrulesShorewall6 Packet Marking rules file/etc/shorewall6/tcrulesDescriptionEntries in this file cause packets to be marked as a means of
classifying them for traffic control or policy routing.Unlike rules in the shorewall6-rules(5) file, evaluation
of rules in this file will continue after a match. So the final mark for
each packet will be the one assigned by the LAST tcrule that
matches.If you use multiple internet providers with the 'track' option, in
/etc/shorewall6/providers be sure to read the restrictions at http://shorewall.net/MultiISP.html.Beginning with Shorewall 4.5.4, the tcrules file supports two
different formats:FORMAT 1 (default - deprecated)The older limited-function version of TPROXY is
supported.FORMAT 2The newer version of TPROXY is supported.The format is specified by a line as follows:
[?]FORMAT {1|2}
The optional '?' was introduced in Shorewall 4.5.11 and ?FORMAT is
the preferred form; the form without the '?' is deprecated.The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in
the alternate specification syntax).ACTION -
actionaction may assume one of the
following values.A mark value which is an integer in
the range 1-255.Normally will set the mark value. If preceded by a
vertical bar ("|"), the mark value will be logically ORed with
the current mark value to produce a new mark value. If preceded
by an ampersand ("&"), will be logically ANDed with the
current mark value to produce a new mark value.Both "|" and "&" require Extended MARK Target support
in your kernel and ip6tables; neither may be used with
connection marks (see below).May optionally be followed by :P, :F
or :T, :I
where :P indicates
that marking should occur in the PREROUTING chain, :F indicates that marking should occur in
the FORWARD chain, :I indicates
that marking should occur in the INPUT chain (added in Shorewall
4.4.13) and :T indicates that
marking should occur in the POSTROUTING chain. If neither
:P, :F nor :T follow the mark value then the chain
is determined as follows:- If the SOURCE is $FW[:address-or-range[,address-or-range]...],
then the rule is inserted into the OUTPUT chain. The behavior
changed in Shorewall6-perl 4.1. Only high mark values may be
assigned in this case. Packet marking rules for traffic shaping
of packets originating on the firewall must be coded in the
POSTROUTING chain (see below).- Otherwise, the chain is determined by the setting of
MARK_IN_FORWARD_CHAIN in shorewall6.conf(5).Please note that :I is
included for completeness and affects neither traffic shaping
nor policy routing.If your kernel and ip6tables include CONNMARK support then
you can also mark the connection rather than the packet.The mark value may be optionally followed by "/" and a
mask value (used to determine those bits of the connection mark
to actually be set). When a mask is specified, the result of
logically ANDing the mark value with the mask must be the same
as the mark value.The mark and optional mask are then followed by one
of:+CMark the connection in the chain determined by the
setting of MARK_IN_FORWARD_CHAINCFMark the connection in the FORWARD chainCPMark the connection in the PREROUTING chain.CTMark the connection in the POSTROUTING chainCIMark the connection in the INPUT chain. This option
is included for completeness and has no applicability to
traffic shaping or policy routing.A mark range which is a pair of integers separated by a
dash ("-"). Added in Shorewall 4.5.9.May be optionally followed by a slash ("/") and a mask and
requires the Statistics Match capability
in iptables and kernel. Marks in the specified range are
assigned to packets on a round-robin fashion.When a mask is specified, the result of logically ANDing
each mark value with the mask must be the same as the mark
value. The least significant bit in the mask is used as an
increment. For example, if '0x200-0x400/0xff00' is specified,
then the assigned mark values are 0x200, 0x300 and 0x400 in
equal proportions. If no mask is specified, then ( 2 **
MASK_BITS ) - 1 is assumed (MASK_BITS is set in shorewall6.conf(5)).May optionally be followed by :P, :F,:T or
:I where
:P indicates that marking should occur in the
PREROUTING chain, :F indicates
that marking should occur in the FORWARD chain, :I indicates that marking should occur in
the INPUT chain (added in Shorewall 4.4.13), and :T indicates that marking should occur in
the POSTROUTING chain. If neither :P, :F
nor :T follow the mark value
then the chain is determined as follows:- If the SOURCE is $FW[:address-or-range[,address-or-range]...],
then the rule is inserted into the OUTPUT chain. When
HIGH_ROUTE_MARKS=Yes, only high mark values may be assigned
there. Packet marking rules for traffic shaping of packets
originating on the firewall must be coded in the POSTROUTING
chain (see below).- Otherwise, the chain is determined by the setting of
MARK_IN_FORWARD_CHAIN in shorewall.conf(5).Please note that :I is
included for completeness and affects neither traffic shaping
nor policy routing.If your kernel and iptables include CONNMARK support then
you can also mark the connection rather than the packet.The mark range may be optionally followed by "/" and a
mask value (used to determine those bits of the connection mark
to actually be set). When a mask is specified, the result of
logically ANDing the mark value with each of the masks must be
the same as the mark value.The mark range and optional mask may followed by one
of:CMark the connection in the chain determined by the
setting of MARK_IN_FORWARD_CHAINCFMark the connection in the FORWARD chainCPMark the connection in the PREROUTING chain.CTMark the connection in the POSTROUTING chainCIMark the connection in the INPUT chain. This option
is included for completeness and has no applicability to
traffic shaping or policy routing.A classification Id (classid) of the form
major:minor where
major and minor are
integers. Corresponds to the 'class' specification in these
traffic shaping modules: atm
cbq
dsmark
pfifo_fast
htb
prioClassification occurs in the POSTROUTING chain except when
the SOURCE is $FW[:address] in
which case classification occurs in the OUTPUT chain.When using Shorewall6's built-in traffic shaping tool, the
major class is the device number (the first
device in shorewall6-tcdevices(5)
is major class 1, the second device is major class 2, and so on)
and the minor class is the class's MARK
value in shorewall6-tcclasses(5)
preceded by the number 1 (MARK 1 corresponds to minor class 11,
MARK 5 corresponds to minor class 15, MARK 22 corresponds to
minor class 122, etc.).Beginning with Shorewall 4.4.27, the classid may be
optionally followed by ':' and a capital letter designating the
chain where classification is to occur.FFORWARD chain.TPOSTROUTING chain (default).CHECKSUMAdded in Shorewall 4.5.9. Compute and fill in the checksum
in a packet that lacks a checksum. This is particularly useful
if you need to work around old applications, such as dhcp
clients, that do not work well with checksum offloads, but you
don't want to disable checksum offload in your device.Requires 'Checksum Target' support in your kernel and
ip6tables.[?]COMMENT -- the rest of
the line will be attached as a comment to the Netfilter rule(s)
generated by the following entries. The comment will appear
delimited by "/* ... */" in the output of shorewall6
show mangleTo stop the comment from being attached to further rules,
simply include COMMENT on a line by itself.Beginning with Shorewall 4.5.11, ?COMMENT is a synonym
for COMMENT and is preferred.CONTINUE Don't process
any more marking rules in the table.As in 1) above, may be followed by :P or :F. Currently, CONTINUE may not be used
with exclusion (see the SOURCE and DEST
columns below); that restriction will be removed when
ip6tables/Netfilter provides the necessary support.DIVERTAdded in Shorewall 4.5.3. Two DIVERT rule should precede
the TPROXY rule and should select DEST PORT tcp 80 and SOURCE
PORT tcp 80 respectively (assuming that tcp port 80 is being
proxied). DIVERT avoids sending packets to the TPROXY target
once a socket connection to Squid3 has been established by
TPROXY. DIVERT marks the packet with a unique mark and exempts
it from any rules that follow.DROPAdded in Shorewall 4.5.21.4. Causes matching packets to be
discarded.DSCP(dscp)Added in Shorewall 4.5.1. Sets the
Differentiated Services Code Point field
in the IP header. The dscp value may
be given as an even number (hex or decimal) or as the name of a
DSCP class. Valid class names and their associated hex numeric
values are: CS0 => 0x00
CS1 => 0x08
CS2 => 0x10
CS3 => 0x18
CS4 => 0x20
CS5 => 0x28
CS6 => 0x30
CS7 => 0x38
BE => 0x00
AF11 => 0x0a
AF12 => 0x0c
AF13 => 0x0e
AF21 => 0x12
AF22 => 0x14
AF23 => 0x16
AF31 => 0x1a
AF32 => 0x1c
AF33 => 0x1e
AF41 => 0x22
AF42 => 0x24
AF43 => 0x26
EF => 0x2eTo indicate more than one class, add their hex values
together and specify the result.May be optionally followed by ':' and a capital letter
designating the chain where classification is to occur.FFORWARD chain.TPOSTROUTING chain.HL([-|+]number)Added in Shorewall 4.4.24.Prior to Shorewall 4.5.7.2, may be optionally followed by
:F but the resulting rule is
always added to the FORWARD chain. Beginning with Shorewall
4.5.7.s, it may be optionally followed by :P, in which case the rule is added to
the PREROUTING chain.If + is included, packets
matching the rule will have their HL (hop limit) incremented by
number. Similarly, if - is included, matching packets have
their HL decremented by number. If
neither + nor - is given, the HL of matching packets is
set to number. The valid range of
values for number is 1-255.IMQ(number)Added in Shorewall 4.5.1. Specifies that the packet should
be passed to the IMQ identified by
number. Requires IMQ Target support
in your kernel and ip6tables.INLINE[(action)]Added in Shorewall 4.6.0. Allows you to place your own
ip[6]tables matches at the end of the line following a semicolon
(";"). If an action is specified, the
compiler procedes as if that action
had been specified in this column. If no action is specified,
then you may include your own jump ("-j
target
[option] ...") after any matches
specified at the end of the rule. If the target is not one known
to Shorewall, then it must be defined as a builtin action in
shorewall6-actions
(5).The following rules are equivalent:2:P eth0 - tcp 22
INLINE(2):P eth0 - tcp 22
INLINE(2):P eth0 - ; -p tcp
INLINE eth0 - tcp 22 ; -j MARK --set-mark 2
INLINE eth0 - ; -p tcp -j MARK --set-mark 2RESTORE[/mask] --
restore the packet's mark from the connection's mark using the
supplied mask if any. Your kernel and ip6tables must include
CONNMARK support.As in 1) above, may be followed by :P or :FSAME (Added in Shorewall
4.3.5) -- Some websites run applications that require multiple
connections from a client browser. Where multiple 'balanced'
providers are configured, this can lead to problems when some of
the connections are routed through one provider and some through
another. The SAME target allows you to work around that problem.
SAME may be used in the PREROUTING and OUTPUT chains. When used
in PREROUTING, it causes matching connections from an individual
local system to all use the same provider. For example:
#ACTION SOURCE DEST PROTO DEST
# PORT(S)
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443
If a host in 192.168.1.0/24 attempts a connection on TCP port 80
or 443 and it has sent a packet on either of those ports in the
last five minutes then the new connection will use the same
provider as the connection over which that last packet was
sent.When used in the OUTPUT chain, it causes all matching
connections to an individual remote system to all use the same
provider. For example:#ACTION SOURCE DEST PROTO DEST
# PORT(S)
SAME $FW 0.0.0.0/0 tcp 80,443
If the firewall attempts a connection on TCP port 80 or 443 and
it has sent a packet on either of those ports in the last five
minutes to the same remote system then the new connection will
use the same provider as the connection over which that last
packet was sent.SAVE[/mask] -- save
the packet's mark to the connection's mark using the supplied
mask if any. Your kernel and ip6tables must include CONNMARK
support.As in 1) above, may be followed by :P or :FSTATE {NEW|RELATED|ESTABLISHED|INVALID} [,...]Added in Shorewall 4.5.9. The rule will only match if the
packet's connection is in one of the listed states.TOS(tos[/mask])Added in Shorewall 4.5.1. Sets the Type of
Service field in the IP header. The
tos value may be given as an number
(hex or decimal) or as the name of a TOS type. Valid type names
and their associated hex numeric values are:Minimize-Delay => 0x10,
Maximize-Throughput => 0x08,
Maximize-Reliability => 0x04,
Minimize-Cost => 0x02,
Normal-Service => 0x00To indicate more than one class, add their hex values
together and specify the result.When tos is given as a number,
it may be optionally followed by '/' and a
mask. When no
mask is given, the value 0xff is
assumed. When tos is given as a type
name, the mask 0x3f is
assumed.The action performed is to zero out the bits specified by
the mask, then set the bits specified
by tos.May be optionally followed by ':' and a capital letter
designating the chain where classification is to occur.FFORWARD chain.TPOSTROUTING chain (default).TPROXY(mark[,[port][,[address]]])
-- FORMAT 1Transparently redirects a packet without altering the IP
header. Requires a local provider to be defined in shorewall6-providers(5).There are three parameters to TPROXY - only the first
(mark) is required:mark - the MARK value
corresponding to the local provider in shorewall6-providers(5).port - the port on which
the proxy server is listening. If omitted, the original
destination port.address - a local (to the
firewall) IP address on which the proxy server is listening.
If omitted, the IP address of the interface on which the
request arrives.TPROXY([port][,[address]]])
-- FORMAT 2Transparently redirects a packet without altering the IP
header. Requires a local provider to be defined in shorewall6-providers(5).There are three parameters to TPROXY - only the first
(mark) is required:port - the port on which
the proxy server is listening. If omitted, the original
destination port.address - a local (to the
firewall) IP address on which the proxy server is listening.
If omitted, the IP address of the interface on which the
request arrives.SOURCE - {-|{interface|$FW}|[{interface|$FW}:]<address-or-range[,address-or-range]...}[exclusion]>Source of the packet. A comma-separated list of interface
names, IP addresses, MAC addresses and/or subnets for packets being
routed through a common path. List elements may also consist of an
interface name followed by ":" and an address (e.g.,
eth1:<2002:ce7c:92b4::/48>). For example, all packets for
connections masqueraded to eth0 from other interfaces can be matched
in a single rule with several alternative SOURCE criteria. However,
a connection whose packets gets to eth0 in a different way, e.g.,
direct from the firewall itself, needs a different rule.Accordingly, use $FW in its
own separate rule for packets originating on the firewall. In such a
rule, the ACTION column may NOT specify either :P or :F
because marking for firewall-originated packets always occurs in the
OUTPUT chain.MAC addresses must be prefixed with "~" and use "-" as a
separator.Example: ~00-A0-C9-15-39-78When an interface is not specified, the angled brackets
('<' and '>') surrounding the address(es) may be
omitted.You may exclude certain hosts from the set already defined
through use of an exclusion (see shorewall6-exclusion(5)).DEST - {-|{interface|$FW}[{interface|$FW}:]<address-or-range[,address-or-range]...}[exclusion]>Destination of the packet. Comma separated list of IP
addresses and/or subnets. If your kernel and ip6tables include
iprange match support, IP address ranges are also allowed. List
elements may also consist of an interface name followed by ":" and
an address (e.g., eth1:<2002:ce7c:92b4::/48>). If the
ACTION column specifies a
classification of the form
major:minor then this
column may also contain an interface name.When an interface is not specified, the angled brackets
('<' and '>') surrounding the address(es) may be
omitted.Beginning with Shorewall 4.4.13, $FW may be given by itself or
qualified by an address list. This causes marking to occur in the
INPUT chain.You may exclude certain hosts from the set already defined
through use of an exclusion (see shorewall6-exclusion(5)).PROTO - {-|{tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}[,...]}Protocol - ipp2p requires
ipp2p match support in your kernel and ip6tables.Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.PORT(S) (dport) - [-|port-name-number-or-range[,port-name-number-or-range]...]Optional destination Ports. A comma-separated list of Port
names (from services(5)), port numbers or
port ranges; if the protocol is ipv6-icmp, this column is interpreted as the
destination icmp-type(s). ICMP types may be specified as a numeric
type, a numeric type and code separated by a slash (e.g., 3/4), or a
typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP.If the protocol is ipp2p,
this column is interpreted as an ipp2p option without the leading
"--" (example bit for bit-torrent).
If no PORT is given, ipp2p is
assumed.An entry in this field requires that the PROTO column specify
tcp (6), udp (17), ipv6-icmp (58), sctp (132) or udplite (136). Use
'-' if any of the following field is supplied.SOURCE PORT(S) (sport) -
[-|port-name-number-or-range[,port-name-number-or-range]...]Optional source port(s). If omitted, any source port is
acceptable. Specified as a comma-separated list of port names, port
numbers or port ranges.An entry in this field requires that the PROTO column specify
tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
the following fields is supplied.Beginning with Shorewall 4.5.15, you may place '=' in this
column, provided that the DEST PORT(S) column is non-empty. This
causes the rule to match when either the source port or the
destination port in a packet matches one of the ports specified in
DEST PORTS(S). Use of '=' requires multi-port match in your iptables
and kernel.USER - [!][user-name-or-number][:group-name-or-number]This optional column may only be non-empty if the SOURCE is
the firewall itself.When this column is non-empty, the rule applies only if the
program generating the output is running under the effective
user and/or group
specified (or is NOT running under that id if "!" is given).Examples:joeprogram must be run by joe:kidsprogram must be run by a member of the 'kids'
group!:kidsprogram must not be run by a member of the 'kids'
groupTEST - [!]value[/mask][:C]Optional. Defines a test on the existing packet or connection
mark. The rule will match only if the test returns true.If you don't want to define a test but need to specify
anything in the following columns, place a "-" in this field.!Inverts the test (not equal)valueValue of the packet or connection mark.maskA mask to be applied to the mark before testing.:CDesignates a connection mark. If omitted, the packet
mark's value is tested.LENGTH -
[length|[min]:[max]]Optional - packet payload length. This field, if present allow
you to match the length of a packet payload (Layer 4 data ) against
a specific value or range of values. You must have iptables length
support for this to work. A range is specified in the form
min:max where either
min or max (but not both)
may be omitted. If min is omitted, then 0 is
assumed; if max is omitted, than any packet
that is min or longer will match.TOS (Optional) -
tosType of service. Either a standard name, or a numeric value to
match.Minimize-Delay (16)
Maximize-Throughput (8)
Maximize-Reliability (4)
Minimize-Cost (2)
Normal-Service (0)CONNBYTES -
[!]min:[max[:{O|R|B}[:{B|P|A}]]]Optional connection Bytes; defines a byte or packet range that
the connection must fall within in order for the rule to
match.A packet matches if the the packet/byte count is within the
range defined by min and
max (unless ! is given in which case, a packet
matches if the packet/byte count is not within the range).
min is an integer which defines the beginning
of the byte/packet range. max is an integer
which defines the end of the byte/packet range; if omitted, only the
beginning of the range is checked. The first letter gives the
direction which the range refers to:
O - The original
direction of the connection.R - The opposite
direction from the original connection.B - The total of both
directions.
If omitted, B is
assumed.The second letter determines what the range refers
to.
B - BytesP - PacketsA - Average packet
size.
If omitted, B is
assumed.HELPER -
helperOptional. Names a Netfilter protocol
helper module such as ,
, , etc. A packet will
match if it was accepted by the named helper module.Example: Mark all FTP data connections with mark
4:#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
# PORT(S)
4 ::/0 ::/0 TCP - - - - - - - ftpHEADERS -
[!][any:|exactly:]header-list
(Optional - Added in Shorewall 4.4.15)The header-list consists of a
comma-separated list of headers from the following list.auth, ah, or 51Authentication Headers extension
header.esp, or 50Encrypted Security Payload
extension header.hop, hop-by-hop or 0Hop-by-hop options extension header.route, ipv6-route or 41IPv6 Route extension header.frag, ipv6-frag or 44IPv6 fragmentation extension header.none, ipv6-nonxt or 59No next headerproto, protocol or 255Any protocol header.If any: is specified, the
rule will match if any of the listed headers are present. If
exactly: is specified, the will
match packets that exactly include all specified headers. If neither
is given, any: is assumed.If ! is entered, the rule
will match those packets which would not be matched when ! is omitted.PROBABILITY -
[probability]Added in Shorewall 4.5.0. When non-empty, requires the
Statistics Match capability in your kernel
and ip6tables and causes the rule to match randomly but with the
given probability. The
probability is a number 0 <
probability <= 1 and may be expressed
at up to 8 decimal points of precision.ExampleExample 1:Mark all forwarded ICMP echo traffic with packet mark 1. Mark
all forwarded peer to peer traffic with packet mark 4.This is a little more complex than otherwise expected. Since
the ipp2p module is unable to determine all packets in a connection
are P2P packets, we mark the entire connection as P2P if any of the
packets are determined to match.We assume packet/connection mark 0 means unclassified. #ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST
# PORT(S)
1 ::/0 ::/0 icmp echo-request
1 ::/0 ::/0 icmp echo-reply
RESTORE ::/0 ::/0 all - - - 0
CONTINUE ::/0 ::/0 all - - - !0
4 ::/0 ::/0 ipp2p:all
SAVE ::/0 ::/0 all - - - !0If a packet hasn't been classified (packet mark is 0), copy
the connection mark to the packet mark. If the packet mark is set,
we're done. If the packet is P2P, set the packet mark to 4. If the
packet mark has been set, save it to the connection mark.FILES/etc/shorewall6/tcrulesSee ALSOhttp://shorewall.net/traffic_shaping.htmhttp://shorewall.net/MultiISP.htmlhttp://shorewall.net/PacketMarking.htmlhttp://shorewall.net/configuration_file_basics.htm#Pairsshorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-ecn(5), shorewall6-exclusion(5),
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)