shorewall-tcrules5tcrulesShorewall Packet Marking rules file/etc/shorewall/rulesDescriptionEntries in this file cause packets to be marked as a means of
classifying them for traffic control or policy routing.Unlike rules in the shorewall-rules(5) file, evaluation
of rules in this file will continue after a match. So the final mark for
each packet will be the one assigned by the LAST tcrule that
matches.If you use multiple internet providers with the 'track' option, in
/etc/shorewall/providers be sure to read the restrictions at http://shorewall.net/MultiISP.html.The columns in the file are as follows.MARK/CLASSIFY -
{value|major:minor|RESTORE[/mask]|SAVE[/mask]|CONTINUE|SAME|COMMENT|IPMARK[([(src|dst}][,[mask1][,[mask2][,[shift]]]]])]}[:{C|F|P|T|CF|CP|CT}]May assume one of the following values.A mark value which is an integer in
the range 1-255.Normally will set the mark value. If preceded by a
vertical bar ("|"), the mark value will be logically ORed with
the current mark value to produce a new mark value. If preceded
by an ampersand ("&"), will be logically ANDed with the
current mark value to produce a new mark value.Both "|" and "&" require Extended MARK Target support
in your kernel and iptables; neither may be used with connection
marks (see below).May optionally be followed by :P, :F
or :T where :P indicates that marking should occur
in the PREROUTING chain, :F
indicates that marking should occur in the FORWARD chain and
:T indicates that marking
should occur in the POSTROUTING chain. If neither :P, :F
nor :T follow the mark value
then the chain is determined as follows:- If the SOURCE is $FW[:address-or-range[,address-or-range]...],
then the rule is inserted into the OUTPUT chain. The behavior
changed in Shorewall-perl 4.1. Previously, when
HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero mark values
< 256 to be assigned in the OUTPUT chain. This has been
changed so that only high mark values may be assigned there.
Packet marking rules for traffic shaping of packets originating
on the firewall must be coded in the POSTROUTING chain (see
below).- Otherwise, the chain is determined by the setting of
MARK_IN_FORWARD_CHAIN in shorewall.conf(5).If your kernel and iptables include CONNMARK support then
you can also mark the connection rather than the packet.The mark value may be optionally followed by "/" and a
mask value (used to determine those bits of the connection mark
to actually be set). The mark and optional mask are then
followed by one of:+CMark the connection in the chain determined by the
setting of MARK_IN_FORWARD_CHAINCFMark the connection in the FORWARD chainCPMark the connection in the PREROUTING chain.CTMark the connecdtion in the POSTROUTING chainSpecial considerations for If
HIGH_ROUTE_MARKS=Yes in shorewall.conf(5).If HIGH_ROUTE_MARKS=Yes, then you may also specify a value
in the range 0x0100-0xFF00 with the low-order byte being zero.
Such values may only be used in the PREROUTING chain (value
followed by :P or you have set
MARK_IN_FORWARD_CHAIN=No in shorewall.conf(5) and have not
followed the value with ) or the OUTPUT chain
(SOURCE is $FW). With
HIGH_ROUTE_MARKS=Yes, non-zero mark values less that 256 are not
permitted. Shorewall 4.1 and later versions prohibit non-zero
mark values less that 256 in the OUTPUT chain when
HIGH_ROUTE_MARKS=Yes. While earlier versions allow such values
in the OUTPUT chain, it is strongly recommended that with
HIGH_ROUTE_MARKS=Yes, you use the POSTROUTING chain to apply
traffic shaping marks/classification.A classification Id (classid) of the form
major:minor where
major and minor are
integers. Corresponds to the 'class' specification in these
traffic shaping modules: atm
cbq
dsmark
pfifo_fast
htb
prioClassification occurs in the POSTROUTING chain except when
the SOURCE is $FW[:address] in
which case classification occurs in the OUTPUT chain.When using Shorewall's built-in traffic shaping tool, the
major class is the device number (the first
device in shorewall-tcdevices(5) is
major class 1, the second device is major class 2, and so on)
and the minor class is the class's MARK
value in shorewall-tcclasses(5)
preceded by the number 1 (MARK 1 corresponds to minor class 11,
MARK 5 corresponds to minor class 15, MARK 22 corresponds to
minor class 122, etc.).RESTORE[/mask] --
restore the packet's mark from the connection's mark using the
supplied mask if any. Your kernel and iptables must include
CONNMARK support.As in 1) above, may be followed by :P or :FSAVE[/mask] -- save
the packet's mark to the connection's mark using the supplied
mask if any. Your kernel and iptables must include CONNMARK
support.As in 1) above, may be followed by :P or :FCONTINUE Don't process
any more marking rules ‒in the table.As in 1) above, may be followed by :P or :F. Currently, CONTINUE may not be used
with exclusion (see the SOURCE and DEST
columns below); that restriction will be removed when
iptables/Netfilter provides the necessary support.SAME (Added in Shorewall
4.3.5) -- Some websites run applications that require multiple
connections from a client browser. Where multiple 'balanced'
providers are configured, this can lead to problems when some of
the connections are routed through one provider and some through
another. The SAME target allows you to work around that problem.
SAME may be used in the PREROUTING and OUTPUT chains. When used
in PREROUTING, it causes matching connections from an individual
local system to all use the same provider. For example:
#MARK/ SOURCE DEST PROTO DEST
#CLASSIFY PORT(S)
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443
If a host in 192.168.1.0/24 attempts a connection on TCP port 80
or 443 and it has sent a packet on either of those ports in the
last five minutes then the new connection will use the same
provider as the connection over which that ‒‒last packet was
sent.When used in the OUTPUT chain, it causes all matching
connections to an individual remote system to all use the same
provider. For example:#MARK/ SOURCE DEST PROTO DEST
#CLASSIFY PORT(S)
SAME $FW 0.0.0.0/0 tcp 80,443
If the firewall attempts a connection on TCP port 80 or 443 and
it has sent a packet on either of those ports in the last five
minutes to the same remote system then the new connection will
use the same provider as the connection over which that last
packet was sent.COMMENT -- the rest of
the line will be attached as a comment to the Netfilter rule(s)
generated by the following entries. The comment will appear
delimited by "/* ... */" in the output of shorewall
show mangleTo stop the comment from being attached to further rules,
simply include COMMENT on a line by itself.IPMARK ‒ Assigns a mark
to each matching packet based on the either the source or
destination IP address. By default, it assigns a mark value
equal to the low-order 8 bits of the source address. Default
values are:srcmask1 = 0xFFmask2 = 0x00shift = 0'src' and 'dst' specify whether the mark is to be based on
the source or destination address respectively. The selected
address is first LANDed with mask1 then
LORed with mask2. The
result is then shifted shift bits to the
right.Example:
IPMARK(dst, 0XFF00, 0x8000,8)Destination IP address is 192.168.4.3 =
0xc0a80103Meaning:0xc0a80403 LAND 0xFF00 = 0x04000x0400 LOR 0x80 = 0x84000x8400 >> 8 = 0x84Mark = 0x84 = 132
SOURCE - {-|{interface|$FW}|[{interface|$FW}:]address-or-range[,address-or-range]...}[exclusion]May be:An interface name - matches traffic entering the firewall
on the specified interface. May not be used in classify rules or
in rules using the :T chain qualifier.A comma-separated list of host or network IP addresses or
MAC addresses. This form will not match
traffic that originates on the firewall itself unless either
<major><minor> or the :T chain qualifier is used in
the MARK column.Examples:0.0.0.0/0192.168.1.0/24, 172.20.4.0/24An interface name followed by a colon (":") followed by a
comma-separated list of host or network IP addresses or MAC
addresses. May not be used in classify rules or in rules using
the :T chain qualifier.$FW optionally followed by a colon (":") and a
comma-separated list of host or network IP addresses. Matches
packets originating on the firewall. May not be used with a
chain qualifier (:P, :F, etc.) in the MARK column.MAC addresses must be prefixed with "~" and use "-" as a
separator.Example: ~00-A0-C9-15-39-78You may exclude certain hosts from the set already defined
through use of an exclusion (see shorewall-exclusion(5)).DEST - {-|{interface|[interface:]address-or-range[,address-or-range]...}[exclusion]May be:An interface name. May not be used in the PREROUTING chain
(:P in the mark column or no chain qualifier and
MARK_IN_FORWARD_CHAIN=No in shorewall.conf (5)). The
interface name may be optionally followed by a colon (":") and
an IP address list.A comma-separated list of host or network IP addresses.
The list may include ip address ranges if your kernel and
iptables include iprange support.You may exclude certain hosts from the set already defined
through use of an exclusion (see shorewall-exclusion(5)).PROTO - {-|tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}Protocol - ipp2p requires
ipp2p match support in your kernel and iptables.PORT(S) (Optional) - [-|port-name-number-or-range[,port-name-number-or-range]...]Destination Ports. A comma-separated list of Port names (from
services(5)), port numbers or port
ranges; if the protocol is icmp, this column is interpreted as the
destination icmp-type(s).If the protocol is ipp2p,
this column is interpreted as an ipp2p option without the leading
"--" (example bit for bit-torrent).
If no PORT is given, ipp2p is
assumed.This column is ignored if PROTOCOL = all but must be entered
if any of the following field is supplied. In that case, it is
suggested that this field contain "-"SOURCE PORT(S) (Optional) -
[-|port-name-number-or-range[,port-name-number-or-range]...]Source port(s). If omitted, any source port is acceptable.
Specified as a comma-separated list of port names, port numbers or
port ranges.USER (Optional) - [!][user-name-or-number][:group-name-or-number][+program-name]This column may only be non-empty if the SOURCE is the
firewall itself.When this column is non-empty, the rule applies only if the
program generating the output is running under the effective
user and/or group
specified (or is NOT running under that id if "!" is given).Examples:joeprogram must be run by joe:kidsprogram must be run by a member of the 'kids'
group!:kidsprogram must not be run by a member of the 'kids'
group+upnpd#program named upnpdThe ability to specify a program name was removed from
Netfilter in kernel version 2.6.14.TEST - [!]value[/mask][:C]Defines a test on the existing packet or connection mark. The
rule will match only if the test returns true.If you don't want to define a test but need to specify
anything in the following columns, place a "-" in this field.!Inverts the test (not equal)valueValue of the packet or connection mark.maskA mask to be applied to the mark before testing.:CDesignates a connection mark. If omitted, the packet
mark's value is tested.LENGTH (Optional) -
[length|[min]:[max]]Packet Length. This field, if present allow you to match the
length of a packet against a specific value or range of values. You
must have iptables length support for this to work. A range is
specified in the form
min:max where either
min or max (but not both)
may be omitted. If min is omitted, then 0 is
assumed; if max is omitted, than any packet
that is min or longer will match.TOS -
tosType of service. Either a standard name, or a numeric value to
match.Minimize-Delay (16)
Maximize-Throughput (8)
Maximize-Reliability (4)
Minimize-Cost (2)
Normal-Service (0)CONNBYTES -
[!]min:[max[:{O|R|B}[:{B|P|A}]]]Connection Bytes; defines a byte or packet range that the
connection must fall within in order for the rule to match. Added in
Shorewall-perl 4.2.0.A packet matches if the the packet/byte count is within the
range defined by min and
max (unless ! is given in which case, a packet
matches if the packet/byte count is not within the range).
min is an integer which defines the beginning
of the byte/packet range. max is an integer
which defines the end of the byte/packet range; if omitted, only the
beginning of the range is checked. The first letter gives the
direction which the range refers to:
O - The original
direction of the connection.R - The opposite
direction from the original connection.B - The total of both
directions.
If omitted, B is
assumed.The second letter determines what the range refers
to.
B - BytesP - PacketsA - Average packet
size.
If omitted, B is
assumed.HELPER -
helperAdded in Shorewall-perl 4.2.0. Names a Netfiler protocol
helper module such as ,
, , etc. A packet will
match if it was accepted by the named helper module. You can also
append "-" and a port number to the helper module name (e.g.,
ftp-21) to specify the port number
that the original connection was made on.Example: Mark all FTP data connections with mark
4:#MARK/ SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
#CLASSIFY PORT(S)
4:T 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftpExampleExample 1:Mark all ICMP echo traffic with packet mark 1. Mark all peer
to peer traffic with packet mark 4.This is a little more complex than otherwise expected. Since
the ipp2p module is unable to determine all packets in a connection
are P2P packets, we mark the entire connection as P2P if any of the
packets are determined to match.We assume packet/connection mark 0 means unclassified. #MARK/ SOURCE DEST PROTO PORT(S) SOURCE USER TEST
#CLASSIFY PORT(S)
1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
RESTORE:T 0.0.0.0/0 0.0.0.0/0 all - - - 0
CONTINUE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0
4:T 0.0.0.0/0 0.0.0.0/0 ipp2p:all
SAVE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0If a packet hasn't been classifed (packet mark is 0), copy the
connection mark to the packet mark. If the packet mark is set, we're
done. If the packet is P2P, set the packet mark to 4. If the packet
mark has been set, save it to the connection mark.FILES/etc/shorewall/tcrulesSee ALSOhttp://shorewall.net/traffic_shaping.htmhttp://shorewall.net/MultiISP.htmlhttp://shorewall.net/PacketMarking.htmlshorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)