diff --git a/Shorewall/manpages/shorewall-marks.xml b/Shorewall/manpages/shorewall-marks.xml new file mode 100644 index 000000000..54ebc44d6 --- /dev/null +++ b/Shorewall/manpages/shorewall-marks.xml @@ -0,0 +1,1169 @@ + + + + + shorewall-marks + + 5 + + + + marks + + Shorewall Packet Marking rules file + + + + + /etc/shorewall/marks + + + + + Description + + This file was introduced in Shorewall 4.6.0 and is intended to + replace shorewall-tcrules(5). This file is only processed by the compiler + if: + + + + No file named 'tcrules' exists on the current CONFIG_PATH (see + shorewall.conf(5)); or + + + + The first file named 'tcrules' found on the CONFIG_PATH contains + no non-commentary entries. + + + + Entries in this file cause packets to be marked as a means of + classifying them for traffic control or policy routing. + + + Unlike rules in the shorewall-rules(5) file, evaluation + of rules in this file will continue after a match. So the final mark for + each packet will be the one assigned by the LAST tcrule that + matches. + + If you use multiple internet providers with the 'track' option, in + /etc/shorewall/providers be sure to read the restrictions at http://shorewall.net/MultiISP.html. + + + The columns in the file are as follows (where the column name is + followed by a different name in parentheses, the different name is used in + the alternate specification syntax). + + + + ACTION - + command[(parameters)][:chain-designator] + + + The chain-specifier indicates the Netfilter chain that the + entry applies to and may be one of the following: + + + + P + + + PREROUTING chain. + + + + + F + + + FORWARD chain. + + + + + T + + + POSTROUTING chain. + + + + + I + + + INPUT chain. + + + + + Unless otherwise specified for the particular + command, the default chain is PREROUTING + when MARK_IN_FORWARD_CHAIN=No in shorewall.conf(5), and FORWARD + when MARK_IN_FORWARD_CHAIN=Yes. + + A chain-designator may not be specified if the SOURCE or DEST + columns begin with '$FW'. When the SOURCE is $FW, the generated rule + is always placed in the OUTPUT chain.if DEST is '$FW', then the rule + is placed in the OUTPUT chain. + + Where a command takes parameteers, those parameters are + enclosed in parentheses ("(....)") and separated by commas. + + The command may be one of the + following. + + + + CHECKSUM + + + Compute and fill in the checksum in a packet that lacks + a checksum. This is particularly useful if you need to work + around old applications, such as dhcp clients, that do not + work well with checksum offloads, but you don't want to + disable checksum offload in your device. + + Requires 'Checksum Target' support in your kernel and + iptables. + + + + + CLASSIFY(classid) + + + A classification Id (classid) is of the form + major:minor where + major and minor are + integers. Corresponds to the 'class' specification in these + traffic shaping modules: + + atm + cbq + dsmark + pfifo_fast + htb + prio + + Classification occurs in the POSTROUTING chain except + when the SOURCE is $FW[:address] in + which case classification occurs in the OUTPUT chain. + + When using Shorewall's built-in traffic shaping tool, + the major class is the device number (the + first device in shorewall-tcdevices(5) + is major class 1, the second device is major class 2, and so + on) and the minor class is the class's + MARK value in shorewall-tcclasses(5) + preceded by the number 1 (MARK 1 corresponds to minor class + 11, MARK 5 corresponds to minor class 15, MARK 22 corresponds + to minor class 122, etc.). + + + + + ?COMMENT + + + The rest of the line will be attached as a comment to + the Netfilter rule(s) generated by the following entries. The + comment will appear delimited by "/* ... */" in the output of + shorewall show mangle + + To stop the comment from being attached to further + rules, simply include COMMENT on a line by itself. + + + + + CONMARK({mark|range}) + + + Identical to MARK with the exception that the mark is + assigned to connection to which the packet belongs is marked + rather than to the packet itself. + + + + + CONTINUE + + + Don't process any more marking rules in the + table. + + Currently, CONTINUE may not be used with + exclusion (see the SOURCE and DEST + columns below); that restriction will be removed when + iptables/Netfilter provides the necessary support. + + + + + DIVERT + + + Two DIVERT rule should precede the TPROXY rule and + should select DEST PORT tcp 80 and SOURCE PORT tcp 80 + respectively (assuming that tcp port 80 is being proxied). + DIVERT avoids sending packets to the TPROXY target once a + socket connection to Squid3 has been established by TPROXY. + DIVERT marks the packet with a unique mark and exempts it from + any rules that follow. + + + + + DROP + + + Causes matching packets to be discarded. + + + + + DSCP(dscp) + + + Sets the Differentiated Services Code + Point field in the IP header. The + dscp value may be given as an even + number (hex or decimal) or as the name of a DSCP class. Valid + class names and their associated hex numeric values + are: + + CS0 => 0x00 + CS1 => 0x08 + CS2 => 0x10 + CS3 => 0x18 + CS4 => 0x20 + CS5 => 0x28 + CS6 => 0x30 + CS7 => 0x38 + BE => 0x00 + AF11 => 0x0a + AF12 => 0x0c + AF13 => 0x0e + AF21 => 0x12 + AF22 => 0x14 + AF23 => 0x16 + AF31 => 0x1a + AF32 => 0x1c + AF33 => 0x1e + AF41 => 0x22 + AF42 => 0x24 + AF43 => 0x26 + EF => 0x2e + + To indicate more than one class, add their hex values + together and specify the result. + + + + + IMQ(number) + + + Specifies that the packet should be passed to the IMQ + identified by number. Requires IMQ + Target support in your kernel and iptables. + + + + + INLINE[(action)] + + + Allows you to place your own ip[6]tables matches at the + end of the line following a semicolon (";"). If an + action is specified, the compiler + procedes as if that action had been + specified in this column. If no action is specified, then you + may include your own jump ("-j + target + [option] ...") after any matches + specified at the end of the rule. If the target is not one + known to Shorewall, then it must be defined as a builtin + action in shorewall-actions + (5). + + The following rules are equivalent: + + 2:P eth0 - tcp 22 +INLINE(2):P eth0 - tcp 22 +INLINE(2):P eth0 - ; -p tcp +INLINE eth0 - tcp 22 ; -j MARK --set-mark 2 +INLINE eth0 - ; -p tcp -j MARK --set-mark 2 + + + If INLINE_MATCHES=Yes in shorewall6.conf(5) then the + third rule above can be specified as follows: + + 2:P eth0 - ; -p tcp + + + + + IPMARK + + + Assigns a mark to each matching packet based on the + either the source or destination IP address. By default, it + assigns a mark value equal to the low-order 8 bits of the + source address. Default values are: + + + src + + mask1 = 0xFF + + mask2 = 0x00 + + shift = 0 + + + 'src' and 'dst' specify whether the mark is to be based + on the source or destination address respectively. The + selected address is first shifted to the right by + shift bits. The result is then LANDed + with mask1 then LORed with + mask2. + + In a sense, the IPMARK target is more like an IPCLASSIFY + target in that the mark value is later interpreted as a class + ID. A packet mark is 32 bits wide; so is a class ID. The + <major> class occupies the high-order 16 bits and the + <minor> class occupies the low-order 16 bits. So the + class ID 1:4ff (remember that class IDs are always in hex) is + equivalent to a mark value of 0x104ff. Remember that Shorewall + uses the interface number as the <major> number where + the first interface in tcdevices has <major> number 1, + the second has <major> number 2, and so on. + + The IPMARK target assigns a mark to each matching packet + based on the either the source or destination IP address. By + default, it assigns a mark value equal to the low-order 8 bits + of the source address. The syntax is as follows: + +
+ [([{|}][,[mask1][,[mask2][,[shift]]]])] +
+ + Default values are: + + + + + mask1 = 0xFF + + mask2 = 0x00 + + shift = 0 + + + and specify + whether the mark is to be based on the source or destination + address respectively. The selected address is first shifted + right by shift, then LANDed with + mask1 and then LORed with + mask2. The + shift argument is intended to be + used primarily with IPv6 addresses. + + Example: + +
+ IPMARK(src,0xff,0x10100) + + + Suppose that the source IP address is 192.168.4.3 + = 0xc0a80403; then + + 0xc0a80403 >> 0 = 0xc0a80403 + + 0xc0a80403 LAND 0xFF = 0x03 + + 0x03 LOR 0x0x10100 = 0x10103 or class ID + 1:103 + +
+ + It is important to realize that, while class IDs are + composed of a major and a + minor value, the set of values must + be unique. That is, the same numeric value cannot be used as + both a major and a + minor number for the same interface + unless class nesting occurs (which is not currently possible + with Shorewall). You should keep this in mind when deciding + how to map IP addresses to class IDs. + + For example, suppose that your internal network is + 192.168.1.0/29 (host IP addresses 192.168.1.1 - 192.168.1.6). + Your first notion might be to use IPMARK(src,0xFF,0x10000) so + as to produce class IDs 1:1 through 1:6. But 1:1 is an invalid + class ID since the major and + minor classes are equal. So you + might choose instead to use IPMARK(src,0xFF,0x10100) as in the + example above so that all of your + minor classes will have a value + > 256. +
+
+ + + MARK({mark|range}) + + + where mark is a packet mark + value. + + Normally will set the mark value. If preceded by a + vertical bar ("|"), the mark value will be logically ORed with + the current mark value to produce a new mark value. If + preceded by an ampersand ("&"), will be logically ANDed + with the current mark value to produce a new mark + value. + + Both "|" and "&" require Extended MARK Target + support in your kernel and iptables. + + The mark value may be optionally followed by "/" and a + mask value (used to determine those bits of the connection + mark to actually be set). When a mask is specified, the result + of logically ANDing the mark value with the mask must be the + same as the mark value. + + A mark range is a pair of + integers separated by a dash ("-"). + + May be optionally followed by a slash ("/") and a mask + and requires the Statistics Match + capability in iptables and kernel. Marks in the specified + range are assigned to packets on a round-robin fashion. + + When a mask is specified, the result of logically ANDing + each mark value with the mask must be the same as the mark + value. The least significant bit in the mask is used as an + increment. For example, if '0x200-0x400/0xff00' is specified, + then the assigned mark values are 0x200, 0x300 and 0x400 in + equal proportions. If no mask is specified, then ( 2 ** + MASK_BITS ) - 1 is assumed (MASK_BITS is set in shorewall.conf(5)). + + + + + RESTORE[(/mask)] + + + Restore the packet's mark from the connection's mark + using the supplied mask if any. Your kernel and iptables must + include CONNMARK support. + + + + + SAME + + + Some websites run applications that require multiple + connections from a client browser. Where multiple 'balanced' + providers are configured, this can lead to problems when some + of the connections are routed through one provider and some + through another. The SAME target allows you to work around + that problem. SAME may be used in the PREROUTING and OUTPUT + chains. When used in PREROUTING, it causes matching + connections from an individual local system to all use the + same provider. For example: #ACTION SOURCE DEST PROTO DEST +# PORT(S) +SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443 + If a host in 192.168.1.0/24 attempts a connection on TCP port + 80 or 443 and it has sent a packet on either of those ports in + the last five minutes then the new connection will use the + same provider as the connection over which that last packet + was sent. + + When used in the OUTPUT chain, it causes all matching + connections to an individual remote system to all use the same + provider. For example:#ACTION SOURCE DEST PROTO DEST +# PORT(S) +SAME $FW 0.0.0.0/0 tcp 80,443 + If the firewall attempts a connection on TCP port 80 or 443 + and it has sent a packet on either of those ports in the last + five minutes to the same remote system then the new connection + will use the same provider as the connection over which that + last packet was sent. + + + + + SAVE[(/mask)] + + + + Save the packet's mark to the connection's mark using + the supplied mask if any. Your kernel and iptables must + include CONNMARK support. + + + + + TOS(tos[/mask]) + + + Sets the Type of Service field in + the IP header. The tos value may be + given as an number (hex or decimal) or as the name of a TOS + type. Valid type names and their associated hex numeric values + are: + + Minimize-Delay => 0x10, +Maximize-Throughput => 0x08, +Maximize-Reliability => 0x04, +Minimize-Cost => 0x02, +Normal-Service => 0x00 + + To indicate more than one class, add their hex values + together and specify the result. + + When tos is given as a + number, it may be optionally followed by '/' and a + mask. When no + mask is given, the value 0xff is + assumed. When tos is given as a + type name, the mask 0x3f is + assumed. + + The action performed is to zero out the bits specified + by the mask, then set the bits + specified by tos. + + + + + TPROXY([port][,address]) + + + Transparently redirects a packet without altering the IP + header. Requires a tproxy provider to be defined in shorewall-providers(5). + + There are three parameters to TPROXY - neither is + required: + + + + port - the port on which + the proxy server is listening. If omitted, the original + destination port. + + + + address - a local (to the + firewall) IP address on which the proxy server is + listening. If omitted, the IP address of the interface on + which the request arrives. + + + + + + + TTL([-|+]number) + + + If + is included, + packets matching the rule will have their TTL incremented by + number. Similarly, if - is included, matching packets have + their TTL decremented by number. If + neither + nor - is given, the TTL of matching packets + is set to number. The valid range + of values for number is + 1-255. + + +
+ + + + TTL([-|+]number) + + Added in Shorewall 4.4.24. + + Prior to Shorewall 4.5.7.2, may be optionally followed by + :F but the resulting rule is + always added to the FORWARD chain. Beginning with Shorewall + 4.5.7.s, it may be optionally followed by :P, in which case the rule is added to + the PREROUTING chain. + + If + is included, packets + matching the rule will have their TTL incremented by + number. Similarly, if - is included, matching packets have + their TTL decremented by number. If + neither + nor - is given, the TTL of matching packets + is set to number. The valid range of + values for number is 1-255. + + +
+
+ + + SOURCE - {-|{interface|$FW}|[{interface|$FW}:]address-or-range[,address-or-range]...}[exclusion] + + + May be: + + + + An interface name - matches traffic entering the firewall + on the specified interface. May not be used in classify rules or + in rules using the :T chain qualifier. + + + + A comma-separated list of host or network IP addresses or + MAC addresses. This form will not match + traffic that originates on the firewall itself unless either + <major><minor> or the :T chain qualifier is used in + the ACTION column. + + Examples: + 0.0.0.0/0 + + + + 192.168.1.0/24, 172.20.4.0/24 + + + + + An interface name followed by a colon (":") followed by a + comma-separated list of host or network IP addresses or MAC + addresses. May not be used in classify rules or in rules using + the :T chain qualifier. + + + + $FW optionally followed by a colon (":") and a + comma-separated list of host or network IP addresses. Matches + packets originating on the firewall. May not be used with a + chain qualifier (:P, :F, etc.) in the ACTION column. + + + + MAC addresses must be prefixed with "~" and use "-" as a + separator. + + Example: ~00-A0-C9-15-39-78 + + You may exclude certain hosts from the set already defined + through use of an exclusion (see shorewall-exclusion(5)). + + + + + DEST - {-|{interface|$FW}|[{interface|$FW}:]address-or-range[,address-or-range]...}[exclusion] + + + May be: + + + + An interface name. May not be used in the PREROUTING chain + (:P in the mark column or no chain qualifier and + MARK_IN_FORWARD_CHAIN=No in shorewall.conf (5)). The + interface name may be optionally followed by a colon (":") and + an IP address list. + + + + A comma-separated list of host or network IP addresses. + The list may include ip address ranges if your kernel and + iptables include iprange support. + + + + Beginning with Shorewall 4.4.13, $FW may be specified by + itself or qualified by an address list. This causes marking to + occur in the INPUT chain. + + + + You may exclude certain hosts from the set already defined + through use of an exclusion (see shorewall-exclusion(5)). + + + + + PROTO - {-|{tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}[,...]} + + + Protocol - ipp2p requires + ipp2p match support in your kernel and iptables. + + Beginning with Shorewall 4.5.12, this column can accept a + comma-separated list of protocols. + + + + + PORT(S) (dport) - [-|port-name-number-or-range[,port-name-number-or-range]...] + + + Optional destination Ports. A comma-separated list of Port + names (from services(5)), port numbers or + port ranges; if the protocol is icmp, this column is interpreted as the + destination icmp-type(s). ICMP types may be specified as a numeric + type, a numeric type and code separated by a slash (e.g., 3/4), or a + typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP. + + If the protocol is ipp2p, + this column is interpreted as an ipp2p option without the leading + "--" (example bit for bit-torrent). + If no PORT is given, ipp2p is + assumed. + + An entry in this field requires that the PROTO column specify + icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if + any of the following field is supplied. + + + + + SOURCE PORT(S) (sport) - + [-|port-name-number-or-range[,port-name-number-or-range]...] + + + Optional source port(s). If omitted, any source port is + acceptable. Specified as a comma-separated list of port names, port + numbers or port ranges. + + An entry in this field requires that the PROTO column specify + tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of + the following fields is supplied. + + Beginning with Shorewall 4.5.15, you may place '=' in this + column, provided that the DEST PORT(S) column is non-empty. This + causes the rule to match when either the source port or the + destination port in a packet matches one of the ports specified in + DEST PORTS(S). Use of '=' requires multi-port match in your iptables + and kernel. + + + + + USER - [!][user-name-or-number][:group-name-or-number][+program-name] + + + This optional column may only be non-empty if the SOURCE is + the firewall itself. + + When this column is non-empty, the rule applies only if the + program generating the output is running under the effective + user and/or group + specified (or is NOT running under that id if "!" is given). + + Examples: + + + + joe + + + program must be run by joe + + + + + :kids + + + program must be run by a member of the 'kids' + group + + + + + !:kids + + + program must not be run by a member of the 'kids' + group + + + + + +upnpd + + + #program named upnpd + + + The ability to specify a program name was removed from + Netfilter in kernel version 2.6.14. + + + + + + + + + TEST - [!]value[/mask][:C] + + + Optional - Defines a test on the existing packet or connection + mark. The rule will match only if the test returns true. + + If you don't want to define a test but need to specify + anything in the following columns, place a "-" in this field. + + + + ! + + + Inverts the test (not equal) + + + + + value + + + Value of the packet or connection mark. + + + + + mask + + + A mask to be applied to the mark before testing. + + + + + :C + + + Designates a connection mark. If omitted, the packet + mark's value is tested. + + + + + + + + LENGTH - + [length|[min]:[max]] + + + Optional - packet payload length. This field, if present allow + you to match the length of a packet payload (Layer 4 data ) against + a specific value or range of values. You must have iptables length + support for this to work. A range is specified in the form + min:max where either + min or max (but not both) + may be omitted. If min is omitted, then 0 is + assumed; if max is omitted, than any packet + that is min or longer will match. + + + + + TOS - + tos + + + Type of service. Either a standard name, or a numeric value to + match. + + Minimize-Delay (16) + Maximize-Throughput (8) + Maximize-Reliability (4) + Minimize-Cost (2) + Normal-Service (0) + + + + + CONNBYTES - + [!]min:[max[:{O|R|B}[:{B|P|A}]]] + + + Optional connection Bytes; defines a byte or packet range that + the connection must fall within in order for the rule to + match. + + A packet matches if the the packet/byte count is within the + range defined by min and + max (unless ! is given in which case, a packet + matches if the packet/byte count is not within the range). + min is an integer which defines the beginning + of the byte/packet range. max is an integer + which defines the end of the byte/packet range; if omitted, only the + beginning of the range is checked. The first letter gives the + direction which the range refers to:
+ O - The original + direction of the connection. + + - The opposite direction from the original + connection. + + B - The total of both + directions. +
+ + If omitted, B is + assumed. + + The second letter determines what the range refers + to.
+ B - Bytes + + P - Packets + + A - Average packet + size. +
If omitted, B is + assumed.
+
+
+ + + HELPER - + helper + + + Names a Netfilter protocol helper + module such as , , + , etc. A packet will match if it was accepted + by the named helper module. + + Example: Mark all FTP data connections with mark + 4:#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER +# PORT(S) +4:T 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftp + + + + + PROBABILITY - + [probability] + + + Added in Shorewall 4.5.0. When non-empty, requires the + Statistics Match capability in your kernel + and ip6tables and causes the rule to match randomly but with the + given probability. The + probability is a number 0 < + probability <= 1 and may be expressed + at up to 8 decimal points of precision. + + + + + DSCP - + [[!]dscp] + + + Added in Shorewall 4.5.1. When non-empty, match packets whose + Differentiated Service Code Point field + matches the supplied value (when '!' is given, the rule matches + packets whose DSCP field does not match the supplied value). The + dscp value may be given as an even number + (hex or decimal) or as the name of a DSCP class. Valid class names + and their associated hex numeric values are: + + CS0 => 0x00 + CS1 => 0x08 + CS2 => 0x10 + CS3 => 0x18 + CS4 => 0x20 + CS5 => 0x28 + CS6 => 0x30 + CS7 => 0x38 + BE => 0x00 + AF11 => 0x0a + AF12 => 0x0c + AF13 => 0x0e + AF21 => 0x12 + AF22 => 0x14 + AF23 => 0x16 + AF31 => 0x1a + AF32 => 0x1c + AF33 => 0x1e + AF41 => 0x22 + AF42 => 0x24 + AF43 => 0x26 + EF => 0x2e + + + + + STATE -- {NEW|RELATED|ESTABLISHED|INVALID} [,...] + + + Added in Shorewall 4.5.9. The rule will only match if the + packet's connection is in one of the listed states. + + +
+
+ + + Example + + + + Example 1: + + + Mark all ICMP echo traffic with packet mark 1. Mark all peer + to peer traffic with packet mark 4. + + This is a little more complex than otherwise expected. Since + the ipp2p module is unable to determine all packets in a connection + are P2P packets, we mark the entire connection as P2P if any of the + packets are determined to match. + + We assume packet/connection mark 0 means unclassified. + + #ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST + # PORT(S) + 1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-request + 1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-reply + RESTORE:T 0.0.0.0/0 0.0.0.0/0 all - - - 0 + CONTINUE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0 + 4:T 0.0.0.0/0 0.0.0.0/0 ipp2p:all + SAVE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0 + + If a packet hasn't been classified (packet mark is 0), copy + the connection mark to the packet mark. If the packet mark is set, + we're done. If the packet is P2P, set the packet mark to 4. If the + packet mark has been set, save it to the connection mark. + + + + + Example 2: + + + SNAT outgoing connections on eth0 from 192.168.1.0/24 in + round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9 + (Shorewall 4.5.9 and later). + + /etc/shorewall/tcrules: + + #ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST + # PORT(S) + 1-3:CF 192.168.1.0/24 eth0 ; state=NEW + +/etc/shorewall/masq: + + #INTERFACE SOURCE ADDRESS ... + eth0 192.168.1.0/24 1.1.1.1 ; mark=1:C + eth0 192.168.1.0/24 1.1.1.3 ; mark=2:C + eth0 192.168.1.0/24 1.1.1.4 ; mark=3:C + + + + + + + FILES + + /etc/shorewall/tcrules + + + + See ALSO + + http://shorewall.net/traffic_shaping.htm + + http://shorewall.net/MultiISP.html + + http://shorewall.net/PacketMarking.html + + http://shorewall.net/configuration_file_basics.htm#Pairs + + shorewall(8), shorewall-accounting(5), shorewall-actions(5), + shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5), + shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), + shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), + shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), + shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5), + shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), + shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), + shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5) + +