diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index e9c9e985d..a02dc0575 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -165,7 +165,7 @@ sub initialize( $ ) { $divertref = 0; } -sub process_mark_rule1( $$$$$$$$$$$$$$$$ ) { +sub process_mangle_rule1( $$$$$$$$$$$$$$$$ ) { our ( $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_; use constant { @@ -1449,16 +1449,16 @@ sub process_tc_rule( ) { } } -sub process_mark_rule( ) { +sub process_mangle_rule( ) { my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = - split_line2( 'marks file', + split_line2( 'mangle file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 , state => 15 }, {}, 16, 1 ); for my $proto (split_list( $protos, 'Protocol' ) ) { - process_mark_rule1( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ); + process_mangle_rule1( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ); } } @@ -3207,14 +3207,14 @@ sub setup_tc() { } - if ( -f find_file 'marks' ) { + if ( -f find_file 'mangle' ) { if ( $have_tcrules ) { - warning_message "The 'tcrules' file is non-empty -- 'marks' file ignored"; - } elsif ( my $fn = open_file( 'marks', 2, 1 ) ) { + warning_message "The 'tcrules' file is non-empty -- 'mangle' file ignored"; + } elsif ( my $fn = open_file( 'mangle', 2, 1 ) ) { first_entry "$doing $fn..."; - process_mark_rule while read_a_line( NORMAL_READ ); + process_mangle_rule while read_a_line( NORMAL_READ ); } } diff --git a/Shorewall/manpages/shorewall-marks.xml b/Shorewall/manpages/shorewall-mangle.xml similarity index 98% rename from Shorewall/manpages/shorewall-marks.xml rename to Shorewall/manpages/shorewall-mangle.xml index e42fcb30b..ea9d11e2e 100644 --- a/Shorewall/manpages/shorewall-marks.xml +++ b/Shorewall/manpages/shorewall-mangle.xml @@ -3,7 +3,7 @@ "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> - shorewall-marks + shorewall-mangle 5 @@ -11,12 +11,12 @@ marks - Shorewall Packet Marking rules file + Shorewall Packet marking/mangling rules file - /etc/shorewall/marks + /etc/shorewall/mangle @@ -24,8 +24,8 @@ Description This file was introduced in Shorewall 4.6.0 and is intended to - replace shorewall-tcrules(5). This file is only processed by the compiler - if: + replace shorewall-tcrules(5). + This file is only processed by the compiler if: @@ -110,7 +110,7 @@ A chain-designator may not be specified if the SOURCE or DEST columns begin with '$FW'. When the SOURCE is $FW, the generated rule is always placed in the OUTPUT chain. If DEST is '$FW', then the - rule is placed in the OUTPUT chain. + rule is placed in the INPUT chain. Where a command takes parameters, those parameters are enclosed in parentheses ("(....)") and separated by commas. @@ -1069,8 +1069,8 @@ Normal-Service => 0x00 role="bold">INVALID} [,...] - Added in Shorewall 4.5.9. The rule will only match if the - packet's connection is in one of the listed states. + The rule will only match if the packet's connection is in one + of the listed states. @@ -1138,7 +1138,7 @@ Normal-Service => 0x00 FILES - /etc/shorewall/tcrules + /etc/shorewall/mangle diff --git a/Shorewall6/manpages/shorewall6-mangle.xml b/Shorewall6/manpages/shorewall6-mangle.xml new file mode 100644 index 000000000..8b21a6013 --- /dev/null +++ b/Shorewall6/manpages/shorewall6-mangle.xml @@ -0,0 +1,1148 @@ + + + + + shorewall6-mangle + + 5 + + + + marks + + Shorewall Packet marking/mangling rules file + + + + + /etc/shorewall6/mangle + + + + + Description + + This file was introduced in Shorewall 4.6.0 and is intended to + replace shorewall6-tcrules(5). This file is + only processed by the compiler if: + + + + No file named 'tcrules' exists on the current CONFIG_PATH (see + shorewall6.conf(5)); + or + + + + The first file named 'tcrules' found on the CONFIG_PATH contains + no non-commentary entries. + + + + Entries in this file cause packets to be marked as a means of + classifying them for traffic control or policy routing. + + + Unlike rules in the shorewall6-rules(5) file, evaluation + of rules in this file will continue after a match. So the final mark for + each packet will be the one assigned by the LAST tcrule that + matches. + + If you use multiple internet providers with the 'track' option, in + /etc/shorewall/providers be sure to read the restrictions at http://shorewall.net/MultiISP.html. + + + The columns in the file are as follows (where the column name is + followed by a different name in parentheses, the different name is used in + the alternate specification syntax). + + + + ACTION - + command[(parameters)][:chain-designator] + + + The chain-specifier indicates the Netfilter chain that the + entry applies to and may be one of the following: + + + + P + + + PREROUTING chain. + + + + + F + + + FORWARD chain. + + + + + T + + + POSTROUTING chain. + + + + + I + + + INPUT chain. + + + + + Unless otherwise specified for the particular + command, the default chain is PREROUTING + when MARK_IN_FORWARD_CHAIN=No in shorewall6.conf(5), and FORWARD + when MARK_IN_FORWARD_CHAIN=Yes. + + A chain-designator may not be specified if the SOURCE or DEST + columns begin with '$FW'. When the SOURCE is $FW, the generated rule + is always placed in the OUTPUT chain. If DEST is '$FW', then the + rule is placed in the INPUT chain. + + Where a command takes parameters, those parameters are + enclosed in parentheses ("(....)") and separated by commas. + + The command may be one of the + following. + + + + CHECKSUM + + + Compute and fill in the checksum in a packet that lacks + a checksum. This is particularly useful if you need to work + around old applications, such as dhcp clients, that do not + work well with checksum offloads, but you don't want to + disable checksum offload in your device. + + Requires 'Checksum Target' support in your kernel and + iptables. + + + + + CLASSIFY(classid) + + + A classification Id (classid) is of the form + major:minor where + major and minor are + integers. Corresponds to the 'class' specification in these + traffic shaping modules: + + atm + cbq + dsmark + pfifo_fast + htb + prio + + Classification occurs in the POSTROUTING chain except + when the SOURCE is $FW[:address] in + which case classification occurs in the OUTPUT chain. + + When using Shorewall's built-in traffic shaping tool, + the major class is the device number (the + first device in shorewall6-tcdevices(5) + is major class 1, the second device is major class 2, and so + on) and the minor class is the class's + MARK value in shorewall6-tcclasses(5) + preceded by the number 1 (MARK 1 corresponds to minor class + 11, MARK 5 corresponds to minor class 15, MARK 22 corresponds + to minor class 122, etc.). + + + + + ?COMMENT + + + The rest of the line will be attached as a comment to + the Netfilter rule(s) generated by the following entries. The + comment will appear delimited by "/* ... */" in the output of + shorewall show mangle + + To stop the comment from being attached to further + rules, simply include COMMENT on a line by itself. + + + + + CONMARK({mark|range}) + + + Identical to MARK with the exception that the mark is + assigned to connection to which the packet belongs is marked + rather than to the packet itself. + + + + + CONTINUE + + + Don't process any more marking rules in the + table. + + Currently, CONTINUE may not be used with + exclusion (see the SOURCE and DEST + columns below); that restriction will be removed when + iptables/Netfilter provides the necessary support. + + + + + DIVERT + + + Two DIVERT rule should precede the TPROXY rule and + should select DEST PORT tcp 80 and SOURCE PORT tcp 80 + respectively (assuming that tcp port 80 is being proxied). + DIVERT avoids sending packets to the TPROXY target once a + socket connection to Squid3 has been established by TPROXY. + DIVERT marks the packet with a unique mark and exempts it from + any rules that follow. + + + + + DROP + + + Causes matching packets to be discarded. + + + + + DSCP(dscp) + + + Sets the Differentiated Services Code + Point field in the IP header. The + dscp value may be given as an even + number (hex or decimal) or as the name of a DSCP class. Valid + class names and their associated hex numeric values + are: + + CS0 => 0x00 + CS1 => 0x08 + CS2 => 0x10 + CS3 => 0x18 + CS4 => 0x20 + CS5 => 0x28 + CS6 => 0x30 + CS7 => 0x38 + BE => 0x00 + AF11 => 0x0a + AF12 => 0x0c + AF13 => 0x0e + AF21 => 0x12 + AF22 => 0x14 + AF23 => 0x16 + AF31 => 0x1a + AF32 => 0x1c + AF33 => 0x1e + AF41 => 0x22 + AF42 => 0x24 + AF43 => 0x26 + EF => 0x2e + + To indicate more than one class, add their hex values + together and specify the result. + + + + + IMQ(number) + + + Specifies that the packet should be passed to the IMQ + identified by number. Requires IMQ + Target support in your kernel and iptables. + + + + + INLINE[(action)] + + + Allows you to place your own ip[6]tables matches at the + end of the line following a semicolon (";"). If an + action is specified, the compiler + procedes as if that action had been + specified in this column. If no action is specified, then you + may include your own jump ("-j + target + [option] ...") after any matches + specified at the end of the rule. If the target is not one + known to Shorewall, then it must be defined as a builtin + action in shorewall6-actions + (5). + + The following rules are equivalent: + + 2:P eth0 - tcp 22 +INLINE(2):P eth0 - tcp 22 +INLINE(2):P eth0 - ; -p tcp +INLINE eth0 - tcp 22 ; -j MARK --set-mark 2 +INLINE eth0 - ; -p tcp -j MARK --set-mark 2 + + + If INLINE_MATCHES=Yes in shorewall6.conf(5) then the + third rule above can be specified as follows: + + 2:P eth0 - ; -p tcp + + + + + IPMARK + + + Assigns a mark to each matching packet based on the + either the source or destination IP address. By default, it + assigns a mark value equal to the low-order 8 bits of the + source address. Default values are: + + + src + + mask1 = 0xFF + + mask2 = 0x00 + + shift = 0 + + + 'src' and 'dst' specify whether the mark is to be based + on the source or destination address respectively. The + selected address is first shifted to the right by + shift bits. The result is then LANDed + with mask1 then LORed with + mask2. + + In a sense, the IPMARK target is more like an IPCLASSIFY + target in that the mark value is later interpreted as a class + ID. A packet mark is 32 bits wide; so is a class ID. The + <major> class occupies the high-order 16 bits and the + <minor> class occupies the low-order 16 bits. So the + class ID 1:4ff (remember that class IDs are always in hex) is + equivalent to a mark value of 0x104ff. Remember that Shorewall + uses the interface number as the <major> number where + the first interface in tcdevices has <major> number 1, + the second has <major> number 2, and so on. + + The IPMARK target assigns a mark to each matching packet + based on the either the source or destination IP address. By + default, it assigns a mark value equal to the low-order 8 bits + of the source address. The syntax is as follows: + +
+ [([{|}][,[mask1][,[mask2][,[shift]]]])] +
+ + Default values are: + + + + + mask1 = 0xFF + + mask2 = 0x00 + + shift = 0 + + + and specify + whether the mark is to be based on the source or destination + address respectively. The selected address is first shifted + right by shift, then LANDed with + mask1 and then LORed with + mask2. The + shift argument is intended to be + used primarily with IPv6 addresses. + + Example: + +
+ IPMARK(src,0xff,0x10100) + + + Suppose that the source IP address is 192.168.4.3 + = 0xc0a80403; then + + 0xc0a80403 >> 0 = 0xc0a80403 + + 0xc0a80403 LAND 0xFF = 0x03 + + 0x03 LOR 0x0x10100 = 0x10103 or class ID + 1:103 + +
+ + It is important to realize that, while class IDs are + composed of a major and a + minor value, the set of values must + be unique. That is, the same numeric value cannot be used as + both a major and a + minor number for the same interface + unless class nesting occurs (which is not currently possible + with Shorewall). You should keep this in mind when deciding + how to map IP addresses to class IDs. + + For example, suppose that your internal network is + 192.168.1.0/29 (host IP addresses 192.168.1.1 - 192.168.1.6). + Your first notion might be to use IPMARK(src,0xFF,0x10000) so + as to produce class IDs 1:1 through 1:6. But 1:1 is an invalid + class ID since the major and + minor classes are equal. So you + might choose instead to use IPMARK(src,0xFF,0x10100) as in the + example above so that all of your + minor classes will have a value + > 256. + + + + + MARK({mark|range}) + + + where mark is a packet mark + value. + + Normally will set the mark value. If preceded by a + vertical bar ("|"), the mark value will be logically ORed with + the current mark value to produce a new mark value. If + preceded by an ampersand ("&"), will be logically ANDed + with the current mark value to produce a new mark + value. + + Both "|" and "&" require Extended MARK Target + support in your kernel and iptables. + + The mark value may be optionally followed by "/" and a + mask value (used to determine those bits of the connection + mark to actually be set). When a mask is specified, the result + of logically ANDing the mark value with the mask must be the + same as the mark value. + + A mark range is a pair of + integers separated by a dash ("-"). + + May be optionally followed by a slash ("/") and a mask + and requires the Statistics Match + capability in iptables and kernel. Marks in the specified + range are assigned to packets on a round-robin fashion. + + When a mask is specified, the result of logically ANDing + each mark value with the mask must be the same as the mark + value. The least significant bit in the mask is used as an + increment. For example, if '0x200-0x400/0xff00' is specified, + then the assigned mark values are 0x200, 0x300 and 0x400 in + equal proportions. If no mask is specified, then ( 2 ** + MASK_BITS ) - 1 is assumed (MASK_BITS is set in shorewall6.conf(5)). + + + + + RESTORE[(/mask)] + + + Restore the packet's mark from the connection's mark + using the supplied mask if any. Your kernel and iptables must + include CONNMARK support. + + + + + SAME + + + Some websites run applications that require multiple + connections from a client browser. Where multiple 'balanced' + providers are configured, this can lead to problems when some + of the connections are routed through one provider and some + through another. The SAME target allows you to work around + that problem. SAME may be used in the PREROUTING and OUTPUT + chains. When used in PREROUTING, it causes matching + connections from an individual local system to all use the + same provider. For example: #ACTION SOURCE DEST PROTO DEST +# PORT(S) +SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443 + If a host in 192.168.1.0/24 attempts a connection on TCP port + 80 or 443 and it has sent a packet on either of those ports in + the last five minutes then the new connection will use the + same provider as the connection over which that last packet + was sent. + + When used in the OUTPUT chain, it causes all matching + connections to an individual remote system to all use the same + provider. For example:#ACTION SOURCE DEST PROTO DEST +# PORT(S) +SAME $FW 0.0.0.0/0 tcp 80,443 + If the firewall attempts a connection on TCP port 80 or 443 + and it has sent a packet on either of those ports in the last + five minutes to the same remote system then the new connection + will use the same provider as the connection over which that + last packet was sent. + + + + + SAVE[(/mask)] + + + + Save the packet's mark to the connection's mark using + the supplied mask if any. Your kernel and iptables must + include CONNMARK support. + + + + + TOS(tos[/mask]) + + + Sets the Type of Service field in + the IP header. The tos value may be + given as an number (hex or decimal) or as the name of a TOS + type. Valid type names and their associated hex numeric values + are: + + Minimize-Delay => 0x10, +Maximize-Throughput => 0x08, +Maximize-Reliability => 0x04, +Minimize-Cost => 0x02, +Normal-Service => 0x00 + + To indicate more than one class, add their hex values + together and specify the result. + + When tos is given as a + number, it may be optionally followed by '/' and a + mask. When no + mask is given, the value 0xff is + assumed. When tos is given as a + type name, the mask 0x3f is + assumed. + + The action performed is to zero out the bits specified + by the mask, then set the bits + specified by tos. + + + + + TPROXY([port][,address]) + + + Transparently redirects a packet without altering the IP + header. Requires a tproxy provider to be defined in shorewall6-providers(5). + + There are three parameters to TPROXY - neither is + required: + + + + port - the port on which + the proxy server is listening. If omitted, the original + destination port. + + + + address - a local (to the + firewall) IP address on which the proxy server is + listening. If omitted, the IP address of the interface on + which the request arrives. + + + + + + + TTL([-|+]number) + + + If + is included, + packets matching the rule will have their TTL incremented by + number. Similarly, if - is included, matching packets have + their TTL decremented by number. If + neither + nor - is given, the TTL of matching packets + is set to number. The valid range + of values for number is + 1-255. + + + + + + + TTL([-|+]number) + + Added in Shorewall 4.4.24. + + Prior to Shorewall 4.5.7.2, may be optionally followed by + :F but the resulting rule is + always added to the FORWARD chain. Beginning with Shorewall + 4.5.7.s, it may be optionally followed by :P, in which case the rule is added to + the PREROUTING chain. + + If + is included, packets + matching the rule will have their TTL incremented by + number. Similarly, if - is included, matching packets have + their TTL decremented by number. If + neither + nor - is given, the TTL of matching packets + is set to number. The valid range of + values for number is 1-255. + + + + + + + SOURCE - {-|{interface|$FW}|[{interface|$FW}:]address-or-range[,address-or-range]...}[exclusion] + + + May be: + + + + An interface name - matches traffic entering the firewall + on the specified interface. May not be used in classify rules or + in rules using the :T chain qualifier. + + + + A comma-separated list of host or network IP addresses or + MAC addresses. This form will not match + traffic that originates on the firewall itself unless either + <major><minor> or the :T chain qualifier is used in + the ACTION column. + + Examples: + 0.0.0.0/0 + + + + 192.168.1.0/24, 172.20.4.0/24 + + + + + An interface name followed by a colon (":") followed by a + comma-separated list of host or network IP addresses or MAC + addresses. May not be used in classify rules or in rules using + the :T chain qualifier. + + + + $FW optionally followed by a colon (":") and a + comma-separated list of host or network IP addresses. Matches + packets originating on the firewall. May not be used with a + chain qualifier (:P, :F, etc.) in the ACTION column. + + + + MAC addresses must be prefixed with "~" and use "-" as a + separator. + + Example: ~00-A0-C9-15-39-78 + + You may exclude certain hosts from the set already defined + through use of an exclusion (see shorewall6-exclusion(5)). + + + + + DEST - {-|{interface|$FW}|[{interface|$FW}:]address-or-range[,address-or-range]...}[exclusion] + + + May be: + + + + An interface name. May not be used in the PREROUTING chain + (:P in the mark column or no chain qualifier and + MARK_IN_FORWARD_CHAIN=No in shorewall6.conf (5)). The + interface name may be optionally followed by a colon (":") and + an IP address list. + + + + A comma-separated list of host or network IP addresses. + The list may include ip address ranges if your kernel and + iptables include iprange support. + + + + Beginning with Shorewall 4.4.13, $FW may be specified by + itself or qualified by an address list. This causes marking to + occur in the INPUT chain. + + + + You may exclude certain hosts from the set already defined + through use of an exclusion (see shorewall6-exclusion(5)). + + + + + PROTO - {-|{tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}[,...]} + + + Protocol - ipp2p requires + ipp2p match support in your kernel and iptables. + + Beginning with Shorewall 4.5.12, this column can accept a + comma-separated list of protocols. + + + + + PORT(S) (dport) - [-|port-name-number-or-range[,port-name-number-or-range]...] + + + Optional destination Ports. A comma-separated list of Port + names (from services(5)), port numbers or + port ranges; if the protocol is icmp, this column is interpreted as the + destination icmp-type(s). ICMP types may be specified as a numeric + type, a numeric type and code separated by a slash (e.g., 3/4), or a + typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP. + + If the protocol is ipp2p, + this column is interpreted as an ipp2p option without the leading + "--" (example bit for bit-torrent). + If no PORT is given, ipp2p is + assumed. + + An entry in this field requires that the PROTO column specify + icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if + any of the following field is supplied. + + + + + SOURCE PORT(S) (sport) - + [-|port-name-number-or-range[,port-name-number-or-range]...] + + + Optional source port(s). If omitted, any source port is + acceptable. Specified as a comma-separated list of port names, port + numbers or port ranges. + + An entry in this field requires that the PROTO column specify + tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of + the following fields is supplied. + + Beginning with Shorewall 4.5.15, you may place '=' in this + column, provided that the DEST PORT(S) column is non-empty. This + causes the rule to match when either the source port or the + destination port in a packet matches one of the ports specified in + DEST PORTS(S). Use of '=' requires multi-port match in your iptables + and kernel. + + + + + USER - [!][user-name-or-number][:group-name-or-number][+program-name] + + + This optional column may only be non-empty if the SOURCE is + the firewall itself. + + When this column is non-empty, the rule applies only if the + program generating the output is running under the effective + user and/or group + specified (or is NOT running under that id if "!" is given). + + Examples: + + + + joe + + + program must be run by joe + + + + + :kids + + + program must be run by a member of the 'kids' + group + + + + + !:kids + + + program must not be run by a member of the 'kids' + group + + + + + +upnpd + + + #program named upnpd + + + The ability to specify a program name was removed from + Netfilter in kernel version 2.6.14. + + + + + + + + + TEST - [!]value[/mask][:C] + + + Optional - Defines a test on the existing packet or connection + mark. The rule will match only if the test returns true. + + If you don't want to define a test but need to specify + anything in the following columns, place a "-" in this field. + + + + ! + + + Inverts the test (not equal) + + + + + value + + + Value of the packet or connection mark. + + + + + mask + + + A mask to be applied to the mark before testing. + + + + + :C + + + Designates a connection mark. If omitted, the packet + mark's value is tested. + + + + + + + + LENGTH - + [length|[min]:[max]] + + + Optional - packet payload length. This field, if present allow + you to match the length of a packet payload (Layer 4 data ) against + a specific value or range of values. You must have iptables length + support for this to work. A range is specified in the form + min:max where either + min or max (but not both) + may be omitted. If min is omitted, then 0 is + assumed; if max is omitted, than any packet + that is min or longer will match. + + + + + TOS - + tos + + + Type of service. Either a standard name, or a numeric value to + match. + + Minimize-Delay (16) + Maximize-Throughput (8) + Maximize-Reliability (4) + Minimize-Cost (2) + Normal-Service (0) + + + + + CONNBYTES - + [!]min:[max[:{O|R|B}[:{B|P|A}]]] + + + Optional connection Bytes; defines a byte or packet range that + the connection must fall within in order for the rule to + match. + + A packet matches if the the packet/byte count is within the + range defined by min and + max (unless ! is given in which case, a packet + matches if the packet/byte count is not within the range). + min is an integer which defines the beginning + of the byte/packet range. max is an integer + which defines the end of the byte/packet range; if omitted, only the + beginning of the range is checked. The first letter gives the + direction which the range refers to:
+ O - The original + direction of the connection. + + - The opposite direction from the original + connection. + + B - The total of both + directions. +
+ + If omitted, B is + assumed. + + The second letter determines what the range refers + to.
+ B - Bytes + + P - Packets + + A - Average packet + size. +
If omitted, B is + assumed. + + + + + HELPER - + helper + + + Names a Netfilter protocol helper + module such as , , + , etc. A packet will match if it was accepted + by the named helper module. + + Example: Mark all FTP data connections with mark + 4:#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER +# PORT(S) +4:T 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftp + + + + + PROBABILITY - + [probability] + + + Added in Shorewall 4.5.0. When non-empty, requires the + Statistics Match capability in your kernel + and ip6tables and causes the rule to match randomly but with the + given probability. The + probability is a number 0 < + probability <= 1 and may be expressed + at up to 8 decimal points of precision. + + + + + DSCP - + [[!]dscp] + + + Added in Shorewall 4.5.1. When non-empty, match packets whose + Differentiated Service Code Point field + matches the supplied value (when '!' is given, the rule matches + packets whose DSCP field does not match the supplied value). The + dscp value may be given as an even number + (hex or decimal) or as the name of a DSCP class. Valid class names + and their associated hex numeric values are: + + CS0 => 0x00 + CS1 => 0x08 + CS2 => 0x10 + CS3 => 0x18 + CS4 => 0x20 + CS5 => 0x28 + CS6 => 0x30 + CS7 => 0x38 + BE => 0x00 + AF11 => 0x0a + AF12 => 0x0c + AF13 => 0x0e + AF21 => 0x12 + AF22 => 0x14 + AF23 => 0x16 + AF31 => 0x1a + AF32 => 0x1c + AF33 => 0x1e + AF41 => 0x22 + AF42 => 0x24 + AF43 => 0x26 + EF => 0x2e + + + + + STATE -- {NEW|RELATED|ESTABLISHED|INVALID} [,...] + + + The rule will only match if the packet's connection is in one + of the listed states. + + + + + + + Example + + + + Example 1: + + + Mark all ICMP echo traffic with packet mark 1. Mark all peer + to peer traffic with packet mark 4. + + This is a little more complex than otherwise expected. Since + the ipp2p module is unable to determine all packets in a connection + are P2P packets, we mark the entire connection as P2P if any of the + packets are determined to match. + + We assume packet/connection mark 0 means unclassified. + + #ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST + # PORT(S) + MARK(1):T ::/0 ::/0 icmp echo-request + MARK(1):T ::/0 ::/0 icmp echo-reply + RESTORE:T ::/0 ::/0 all - - - 0 + CONTINUE:T ::/0 ::/0 all - - - !0 + MARK(4):T ::/0 ::/0 ipp2p:all + SAVE:T ::/0 ::/0 all - - - !0 + + If a packet hasn't been classified (packet mark is 0), copy + the connection mark to the packet mark. If the packet mark is set, + we're done. If the packet is P2P, set the packet mark to 4. If the + packet mark has been set, save it to the connection mark. + + + + + + + FILES + + /etc/shorewall6/mangle + + + + See ALSO + + http://shorewall.net/traffic_shaping.htm + + http://shorewall.net/MultiISP.html + + http://shorewall.net/PacketMarking.html + + http://shorewall.net/configuration_file_basics.htm#Pairs + + shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), + shorewall6-blacklist(5), shorewall6-ecn(5), shorewall6-exclusion(5), + shorewall6-hosts(5), shorewall6_interfaces(5), shorewall6-ipsets(5), + shorewall6-maclist(5), shorewall6-masq(5), shorewall6-nat(5), + shorewall6-netmap(5), shorewall6-params(5), shorewall6-policy(5), + shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-rtrules(5), + shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), + shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), + shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5) + + diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml index c55029394..3b9b7c17b 100644 --- a/docs/configuration_file_basics.xml +++ b/docs/configuration_file_basics.xml @@ -134,7 +134,9 @@ /etc/shorewall/tcrules - The file has a rather unfortunate name because it is used to define marking of packets for later use by both traffic control/shaping and policy - routing. + routing. This file is superceded by + /etc/shorewall/mangle in Shorewall + 4.6.0. @@ -275,6 +277,12 @@ /usr/share/arprules — Added in Shorewall 4.5.12. Allows specification of arptables rules. + + + /etc/shorewall/mangle -- Added in + Shorewall 4.6.0. Supercedes + /etc/shorewall/tcrules. + If you need to change a file in @@ -356,10 +364,14 @@ ACCEPT net $FW tcp www #This is an end-of-line commentExample: Traffic from zone A to zone B would go through chain A2B (think "A to B") or "A-B". - The default separator is "2" but you can override that by setting - ZONE_SEPARATOR="-" in In Shorewall 4.6, the default separator is "-" but you can override + that by setting ZONE_SEPARATOR="2" in shorewall.conf (5). + + Prior to Shorewall 4.6, the default separator was "2". + + Zones themselves have names that begin with a letter and are composed of letters, numerals, and "_". The maximum length of a name is dependent on the setting of LOGFORMAT in To attach a comment to one or more rules, insert a record above the - rules that begins with the word COMMENT (must be in all caps). The + rules that begins with the word ?COMMENT (must be in all caps). The remainder of the line is treated as a comment -- that comment will appear delimited by "/* ... */" in the output of the shorewall[-lite] show and shorewall[-lite] dump commands. The - comment will be attached to each generated rule until another COMMENT line - appears. To stop attaching comments to rules, simply insert a line that - contains the single word COMMENT. + comment will be attached to each generated rule until another ?COMMENT + line appears. To stop attaching comments to rules, simply insert a line + that contains the single word ?COMMENT. Example (/etc/shorewall/rules): - COMMENT Stop NETBIOS noise + ?COMMENT Stop NETBIOS noise REJECT loc net tcp 137,445 REJECT loc net udp 137:139 -COMMENT Stop my idiotic work laptop from sending to the net with an HP source/dest IP address +?COMMENT Stop my idiotic work laptop from sending to the net with an HP source/dest IP address DROP loc:!192.168.0.0/22 net -COMMENT +?COMMENT Here's the corresponding output from /sbin/shorewall-lite: - gateway:~ # shorewall-lite show loc2net + gateway:~ # shorewall-lite show loc-net Shorewall Lite 4.3.3 Chains loc2net at gateway - Mon Oct 16 15:04:52 PDT 2008 Counters reset Mon Oct 16 14:52:17 PDT 2006 -Chain loc2net (1 references) +Chain loc-net (1 references) pkts bytes target prot opt in out source destination 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 6 prefix `FW:loc2net:REJECT:' 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 @@ -467,8 +479,8 @@ gateway:~ # - COMMENT lines in macro files work somewhat differently from other - files. COMMENT lines in macros are ignored if COMMENT support is not + ?COMMENT lines in macro files work somewhat differently from other + files. ?COMMENT lines in macros are ignored if COMMENT support is not available or if there was a COMMENT in use when the top-level macro was invoked. This allows the following: @@ -476,12 +488,12 @@ gateway:~ # #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT(S) PORT(S) LIMIT GROUP -COMMENT SSH +?COMMENT SSH PARAM - - tcp 22 - /etc/shorewall/rules:COMMENT Allow SSH from home + /etc/shorewall/rules:?COMMENT Allow SSH from home SSH(ACCEPT) net:$MYIP $FW -COMMENTThe comment line in macro.SSH will not override the - COMMENT line in the rules file and the generated rule will show The comment line in macro.SSH will not override the + ?COMMENT line in the rules file and the generated rule will show /* Allow SSH from home */ when displayed through the Shorewall show and dump commands. @@ -571,8 +583,8 @@ ACCEPT net:\ - At any point, you can enter a semicolon (';') followed by one or - more specifications of the following forms: + At any point, you can enter a left curly bracket ('{') followed + by one or more specifications of the following forms: column-name=value @@ -582,6 +594,9 @@ ACCEPT net:\ column-name:value + The pairs must be followed by a right curly bracket + ("}"). + The value may optionally be enclosed in double quotes. The pairs must be separated by white space, but you can add a @@ -589,19 +604,23 @@ ACCEPT net:\ readability as in: - ; proto=>udp, - port=1024 + { proto=>udp, port=1024 + } - You can enclose the pairs in curly brackets ("{...}") rather - than separating them from columns by a semicolon: + You can also separate the pairs from columns by using a + semicolon: - { proto:udp, port:1024 - } + ; proto:udp, + port:1024 + + That usage is deprecated beginning with Shorewall 4.6.0. See the + INLINE_MATCHES option in shorewall.conf(5). @@ -673,6 +692,12 @@ ACCEPT net:\ disposition,interface,mac,addresses + + mangle + + action,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers + + masq