# Shorewall6 version 4 - Tcrules File
#
# For information about entries in this file, type "man shorewall6-tcrules"
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
# For usage in selecting among multiple ISPs, see
# http://shorewall.net/MultiISP.html
#
# See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism.
#
##################################################################################################################################
#
# Entries in this file cause packets to be marked as a means of
# classifying them for traffic control or policy routing.
#
# Unlike rules in the shorewall6-rules(5) file, evaluation of
# rules in this file will continue after a match. So the final
# mark for each packet will be the one assigned by the LAST
# tcrule that matches.
#
# If you use multiple internet providers with the 'track' option
# in /etc/shorewall6/providers, be sure to read the restrictions
# at http://shorewall.net/MultiISP.html.
#
# The columns in the file are as follows.
#
#   {value|major:minor|RESTORE[/mask]|SAVE[/mask]|CONTINUE|COMMENT}[:{C|F|P|T|CF|CP|CT|I|CI}]
#
#   May assume one of the following values.
#
#   1. A mark value which is an integer in the range 1-255.
#
#      Normally will set the mark value. If preceded by a
#      vertical bar ("|"), the mark value will be logically
#      ORed with the current mark value to produce a new mark
#      value. If preceded by an ampersand ("&"), will be
#      logically ANDed with the current mark value to produce
#
#      Both "|" and "&" require Extended MARK Target support
#      in your kernel and ip6tables; neither may be used with
#      connection marks (see below).
#
#      May optionally be followed by :P, :F or :T, :I where
#      :P indicates that marking should occur in the
#      PREROUTING chain, :F indicates that marking should
#      occur in the FORWARD chain, :I indicates that marking
#      should occur in the INPUT chain (added in Shorewall
#      4.4.13) and :T indicates that marking should occur in
#      the POSTROUTING chain. If neither :P, :F nor :T follow
#      the mark value then the chain is determined as
#
#        $FW[:address-or-range[,address-or-range]...], then the
#        rule is inserted into the OUTPUT chain. The behavior
#        changed in Shorewall6-perl 4.1. Only high mark values
#        may be assigned in this case. Packet marking rules for
#        traffic shaping of packets originating on the firewall
#        must be coded in the POSTROUTING chain (see below).
#
#      - Otherwise, the chain is determined by the setting of
#        MARK_IN_FORWARD_CHAIN in shorewall6.conf(5).
#
#      Please note that :I is included for completeness and
#      affects neither traffic shaping nor policy routing.
#
#      If your kernel and ip6tables include CONNMARK support
#      then you can also mark the connection rather than the
#
#      The mark value may be optionally followed by "/" and a
#      mask value (used to determine those bits of the
#      connection mark to actually be set). The mark and
#      optional mask are then followed by one of:
#
#        Mark the connection in the chain determined
#        by the setting of MARK_IN_FORWARD_CHAIN
#
#        Mark the connection in the FORWARD chain
#
#        Mark the connection in the PREROUTING chain.
#
#        Mark the connection in the POSTROUTING chain
#
#        Mark the connection in the INPUT chain. This
#        option is included for completeness and has
#        no applicability to traffic shaping or
#
#      Special considerations if HIGH_ROUTE_MARKS=Yes in
#
#      If HIGH_ROUTE_MARKS=Yes, then you may also specify a
#      value in the range 0x0100-0xFF00 with the low-order
#      byte being zero. Such values may only be used in the
#      PREROUTING chain (value followed by :P or you have set
#      MARK_IN_FORWARD_CHAIN=No in shorewall6.conf(5) and
#      have not followed the value with :F) or the OUTPUT
#      chain (SOURCE is $FW). With HIGH_ROUTE_MARKS=Yes,
#      non-zero mark values less than 256 are not permitted.
#      Shorewall6 prohibits non-zero mark values less than
#      256 in the OUTPUT chain when HIGH_ROUTE_MARKS=Yes.
#      While earlier versions allow such values in the OUTPUT
#      chain, it is strongly recommended that with
#      HIGH_ROUTE_MARKS=Yes, you use the POSTROUTING chain to
#      apply traffic shaping marks/classification.
#
#   2. A classification Id (classid) of the form major:minor
#      where major and minor are integers. Corresponds to the
#      'class' specification in these traffic shaping
#
#      Classification occurs in the POSTROUTING chain except
#      when the SOURCE is $FW[:address] in which case
#      classification occurs in the OUTPUT chain.
#
#      When using Shorewall6's built-in traffic shaping tool,
#      the major class is the device number (the first device
#      in shorewall6-tcdevices(5) is major class 1, the
#      second device is major class 2, and so on) and the
#      minor class is the class's MARK value in
#      shorewall6-tcclasses(5) preceded by the number 1 (MARK
#      1 corresponds to minor class 11, MARK 5 corresponds to
#      minor class 15, MARK 22 corresponds to minor class
#
#   3. RESTORE[/mask] -- restore the packet's mark from the
#      connection's mark using the supplied mask if any. Your
#      kernel and ip6tables must include CONNMARK support.
#      As in 1) above, may be followed by :P or :F
#
#   4. SAVE[/mask] -- save the packet's mark to the
#      connection's mark using the supplied mask if any. Your
#      kernel and ip6tables must include CONNMARK support.
#      As in 1) above, may be followed by :P or :F
#
#   5. CONTINUE Don't process any more marking rules in the
#
#      As in 1) above, may be followed by :P or :F.
#      Currently, CONTINUE may not be used with exclusion
#      (see the SOURCE and DEST columns below); that
#      restriction will be removed when ip6tables/Netfilter
#      provides the necessary support.
#
#   6. SAME (Added in Shorewall 4.3.5) -- Some websites run
#      applications that require multiple connections from a
#      client browser. Where multiple 'balanced' providers
#      are configured, this can lead to problems when some of
#      the connections are routed through one provider and
#      some through another. The SAME target allows you to
#      work around that problem. SAME may be used in the
#      PREROUTING and OUTPUT chains. When used in PREROUTING,
#      it causes matching connections from an individual
#      local system to all use the same provider. For
#
#        #MARK/    SOURCE          DEST        PROTO   DEST
#        SAME:P    192.168.1.0/24  0.0.0.0/0   tcp     80,443
#
#      If a host in 192.168.1.0/24 attempts a connection on
#      TCP port 80 or 443 and it has sent a packet on either
#      of those ports in the last five minutes then the new
#      connection will use the same provider as the
#      connection over which that last packet was sent.
#
#      When used in the OUTPUT chain, it causes all matching
#      connections to an individual remote system to all use
#      the same provider. For example:
#
#        #MARK/    SOURCE          DEST        PROTO   DEST
#        SAME      $FW             0.0.0.0/0   tcp     80,443
#
#      If the firewall attempts a connection on TCP port 80
#      or 443 and it has sent a packet on either of those
#      ports in the last five minutes to the same remote
#      system then the new connection will use the same
#      provider as the connection over which that last packet
#
#   7. COMMENT -- the rest of the line will be attached as a
#      comment to the Netfilter rule(s) generated by the
#      following entries. The comment will appear delimited
#      by "/* ... */" in the output of shorewall6 show mangle
#      To stop the comment from being attached to further
#      rules, simply include COMMENT on a line by itself.
#
#   {-|{interface|$FW}|[{interface|$FW}:]<address-or-range[,address-or-range]...}[exclusion]>
#
#   Source of the packet. A comma-separated list of
#   interface names, IP addresses, MAC addresses and/or
#   subnets for packets being routed through a common path.
#   List elements may also consist of an interface name
#   followed by ":" and an address (e.g.,
#   eth1:<2002:ce7c:92b4::/48>). For example, all packets
#   for connections masqueraded to eth0 from other
#   interfaces can be matched in a single rule with several
#   alternative SOURCE criteria. However, a connection whose
#   packets get to eth0 in a different way, e.g., direct
#   from the firewall itself, needs a different rule.
#
#   Accordingly, use $FW in its own separate rule for
#   packets originating on the firewall. In such a rule, the
#   MARK column may NOT specify either :P or :F because
#   marking for firewall-originated packets always occurs in
#
#   MAC addresses must be prefixed with "~" and use "-" as a
#
#   Example: ~00-A0-C9-15-39-78
#
#   When an interface is not specified, the angled brackets
#   ('<' and '>') surrounding the address(es) may be
#
#   You may exclude certain hosts from the set already
#   defined through use of an exclusion (see
#   shorewall6-exclusion(5)).
#
#   {-|{interface|$FW}[{interface|$FW}:]<address-or-range[,address-or-range]...}[exclusion]>
#
#   Destination of the packet. Comma-separated list of IP
#   addresses and/or subnets. If your kernel and ip6tables
#   include iprange match support, IP address ranges are
#   also allowed. List elements may also consist of an
#   interface name followed by ":" and an address (e.g.,
#   eth1:<2002:ce7c:92b4::/48>). If the MARK column
#   specifies a classification of the form major:minor
#   then this column may also contain an interface name.
#
#   When an interface is not specified, the angled brackets
#   ('<' and '>') surrounding the address(es) may be
#
#   Beginning with Shorewall 4.4.13, $FW may be given by
#   itself or qualified by an address list. This causes
#   marking to occur in the INPUT chain.
#
#   You may exclude certain hosts from the set already
#   defined through use of an exclusion (see
#   shorewall6-exclusion(5)).
#
#   {-|tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|pro
#
#   Protocol - ipp2p requires ipp2p match support in your
#   kernel and ip6tables.
#
# PORT(S) (Optional) -
#   [-|port-name-number-or-range[,port-name-number-or-range]
#
#   Destination Ports. A comma-separated list of Port names
#   (from services(5)), port numbers or port ranges; if the
#   protocol is icmp, this column is interpreted as the
#   destination icmp-type(s). ICMP types may be specified as
#   a numeric type, a numeric type and code separated by a
#   slash (e.g., 3/4), or a typename. See
#   http://www.shorewall.net/configuration_file_basics.htm#I
#
#   If the protocol is ipp2p, this column is interpreted as
#   an ipp2p option without the leading "--" (example bit
#   for bit-torrent). If no PORT is given, ipp2p is assumed.
#
#   This column is ignored if PROTOCOL = all but must be
#   entered if any of the following fields is supplied. In
#   that case, it is suggested that this field contain "-"
#
# SOURCE PORT(S) (Optional) -
#   [-|port-name-number-or-range[,port-name-number-or-range]
#
#   Source port(s). If omitted, any source port is
#   acceptable. Specified as a comma-separated list of port
#   names, port numbers or port ranges.
#
#   [!][user-name-or-number][:group-name-or-number]
#
#   This column may only be non-empty if the SOURCE is the
#
#   When this column is non-empty, the rule applies only if
#   the program generating the output is running under the
#   effective user and/or group specified (or is NOT running
#   under that id if "!" is given).
#
#     program must be run by joe
#
#     program must be run by a member of the 'kids'
#
#     program must not be run by a member of the 'kids'
#
# TEST (Optional) - [!]value[/mask][:C]
#
#   Defines a test on the existing packet or connection
#   mark. The rule will match only if the test returns true.
#
#   If you don't want to define a test but need to specify
#   anything in the following columns, place a "-" in this
#
#     Inverts the test (not equal)
#
#     Value of the packet or connection mark.
#
#     A mask to be applied to the mark before testing.
#
#     Designates a connection mark. If omitted, the
#     packet mark's value is tested.
#
# LENGTH (Optional) - [length|[min]:[max]]
#
#   Packet Length. This field, if present, allows you to match
#   the length of a packet against a specific value or range
#   of values. You must have ip6tables length support for
#   this to work. A range is specified in the form min:max
#   where either min or max (but not both) may be omitted.
#   If min is omitted, then 0 is assumed; if max is omitted,
#   then any packet that is min or longer will match.
#
# TOS (Optional) - tos
#
#   Type of service. Either a standard name, or a numeric
#
#     Minimize-Delay (16)
#     Maximize-Throughput (8)
#     Maximize-Reliability (4)
#
# CONNBYTES (Optional) - [!]min:[max[:{O|R|B}[:{B|P|A}]]]
#
#   Connection Bytes; defines a byte or packet range that
#   the connection must fall within in order for the rule to
#
#   A packet matches if the packet/byte count is within
#   the range defined by min and max (unless ! is given in
#   which case, a packet matches if the packet/byte count is
#   not within the range). min is an integer which defines
#   the beginning of the byte/packet range. max is an
#   integer which defines the end of the byte/packet range;
#   if omitted, only the beginning of the range is checked.
#   The first letter gives the direction which the range
#
#     O - The original direction of the connection.
#     R - The opposite direction from the original connection.
#     B - The total of both directions.
#
#   If omitted, B is assumed.
#
#   The second letter determines what the range refers to.
#
#     A - Average packet size.
#
#   If omitted, B is assumed.
#
# HELPER (Optional) - helper
#
#   Names a Netfilter protocol helper module such as ftp,
#   sip, amanda, etc. A packet will match if it was accepted
#   by the named helper module. You can also append "-" and
#   a port number to the helper module name (e.g., ftp-21)
#   to specify the port number that the original connection
#
#   Example: Mark all FTP data connections with mark 4:
#
#     #MARK/  SOURCE  DEST  PROTO  PORT(S)  SOURCE  USER  TEST  LENGTH  TOS  CONNBYTES  HELPER
#     4       ::/0    ::/0  TCP    -        -       -     -     -
#
# HEADERS - [!][any:|exactly:]header-list (Optional - Added in
#
#   The header-list consists of a comma-separated list of
#   headers from the following list.
#
#       Authentication Headers extension header.
#
#       Encrypted Security Payload extension header.
#
#     hop, hop-by-hop or 0
#       Hop-by-hop options extension header.
#
#     route, ipv6-route or 41
#       IPv6 Route extension header.
#
#     frag, ipv6-frag or 44
#       IPv6 fragmentation extension header.
#
#     none, ipv6-nonxt or 59
#
#     proto, protocol or 255
#       Any protocol header.
#
#   If any: is specified, the rule will match if any of the
#   listed headers are present. If exactly: is specified,
#   the rule will match packets that exactly include all
#   specified headers. If neither is given, any: is assumed.
#
#   If ! is entered, the rule will match those packets which
#   would not be matched when ! is omitted.
#
#   Mark all forwarded ICMP echo traffic with packet mark 1.
#
#   Mark all forwarded peer to peer traffic with packet mark
#
#   This is a little more complex than otherwise expected.
#   Since the ipp2p module is unable to determine all
#   packets in a connection are P2P packets, we mark the
#   entire connection as P2P if any of the packets are
#   determined to match.
#
#   We assume packet/connection mark 0 means unclassified.
#
#     #MARK/    SOURCE  DEST  PROTO      PORT(S)       SOURCE  US
#     1         ::/0    ::/0  icmp       echo-request
#     1         ::/0    ::/0  icmp       echo-reply
#     RESTORE   ::/0    ::/0  all        -             -       -
#     CONTINUE  ::/0    ::/0  all        -             -       -
#     4         ::/0    ::/0  ipp2p:all
#     SAVE      ::/0    ::/0  all        -             -       -
#
#   If a packet hasn't been classified (packet mark is 0),
#   copy the connection mark to the packet mark. If the
#   packet mark is set, we're done. If the packet is P2P,
#   set the packet mark to 4. If the packet mark has been
#   set, save it to the connection mark.
#
##################################################################################################################################
#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER HEADERS