Provided by: shorewall-common_4.0.12-1_all

NAME

       tcrules - Shorewall Packet Marking rules file

SYNOPSIS

       /etc/shorewall/

DESCRIPTION

       Entries  in  this  file  cause  packets  to  be  marked  as  a means of
       classifying them for traffic control or policy routing.
              Important

              Unlike rules in the shorewall-rules  〈shorewall-rules.html〉  (5)
              file,  evaluation  of  rules  in this file will continue after a
              match. So the final  mark  for  each  packet  will  be  the  one
              assigned by the LAST tcrule that matches.

              If you use multiple internet providers  with  the  ’track’  option
              in  /etc/shorewall/providers,  be  sure  to read the restrictions
              at 〈http://shorewall.net/MultiISP.html〉.

       The columns in the file are as follows.

       MARK/CLASSIFY                                                         —
       {value|major:minor|RESTORE[/mask]|SAVE[/mask]|CONTINUE|COMMENT}[:{C|F|P|T|CF|CP|CT}]
              May assume one of the following values.

              1.  A mark value which is an integer in the range 1-255.

                  Normally  will set the mark value. If preceded by a vertical
                  bar ("|"), the mark value will be logically  ORed  with  the
                  current  mark value to produce a new mark value. If preceded
                  by an ampersand ("&"), will  be  logically  ANDed  with  the
                  current mark value to produce a new mark value.

                  Both  "|"  and  "&"  require Extended MARK Target support in
                  your  kernel  and  iptables;  neither  may  be   used   with
                  connection marks (see below).

                  May  optionally  be  followed  by  :P,  :F  or  :T  where :P
                  indicates that marking should occur in the PREROUTING chain,
                  :F  indicates that marking should occur in the FORWARD chain
                  and  :T  indicates  that  marking  should   occur   in   the
                  POSTROUTING  chain. If neither :P, :F nor :T follow the mark
                  value then the chain is determined as follows:

                  -  If  the  SOURCE   is   $FW[:address-or-range[,address-or-
                  range]...], then the rule is inserted into the OUTPUT chain.

                  - Otherwise, the chain  is  determined  by  the  setting  of
                  MARK_IN_FORWARD_CHAIN            in           shorewall.conf
                  〈shorewall.conf.html〉 (5).

                  If your kernel and iptables include  CONNMARK  support  then
                  you can also mark the connection rather than the packet.

                  The  mark value may be optionally followed by "/" and a mask
                  value (used to determine those bits of the  connection  mark
                  to  actually  be  set).  The mark and optional mask are then
                  followed by one of:

                  C      Mark the connection in the chain  determined  by  the
                         setting of MARK_IN_FORWARD_CHAIN

                  CF     Mark the connection in the FORWARD chain

                  CP     Mark the connection in the PREROUTING chain.

                  CT     Mark the connection in the POSTROUTING chain.

              Special   considerations   if   HIGH_ROUTE_MARKS=Yes   is  set  in
              shorewall.conf 〈shorewall.conf.html〉 (5).

              If HIGH_ROUTE_MARKS=Yes, then you may also specify  a  value  in
              the  range  0x0100-0xFF00  with  the  low-order byte being zero.
              Such values may only be used  in  the  PREROUTING  chain  (value
              followed  by  :P  or  you  have  set MARK_IN_FORWARD_CHAIN=No in
              shorewall.conf 〈shorewall.conf.html〉 (5) and have  not  followed
              the  value  with  :F)  or the OUTPUT chain (SOURCE is $FW). With
              HIGH_ROUTE_MARKS=Yes, non-zero mark values less than 256 are not
              permitted.  Shorewall  4.1  and later versions prohibit non-zero
              mark  values  less  than  256   in   the   OUTPUT   chain   when
              HIGH_ROUTE_MARKS=Yes.  While  earlier versions allow such values
              in the OUTPUT  chain,  it  is  strongly  recommended  that  with
              HIGH_ROUTE_MARKS=Yes,  you  use  the  POSTROUTING chain to apply
              traffic shaping marks/classification.

              2.  A classification Id (classid) of the form major:minor  where
                  major  and  minor  are  integers. Corresponds to the ’class’
                  specification in these traffic shaping modules:

                         atm
                         cbq
                         dsmark
                         pfifo_fast
                         htb
                         prio

                  Classification occurs in the POSTROUTING chain  except  when
                  the  SOURCE  is  $FW[:address]  in which case classification
                  occurs in the OUTPUT chain.

                  When using Shorewall’s built-in traffic  shaping  tool,  the
                  major  class  is  the  device  number  (the  first device in
                  shorewall-tcdevices 〈shorewall-tcdevices.html〉 (5) is  major
                  class  1, the second device is major class 2, and so on) and
                  the minor class is the  class’s  MARK  value  in  shorewall-
                  tcclasses  〈shorewall-tcclasses.html〉  (5)  preceded  by the
                  number 1 (MARK 1 corresponds  to  minor  class  11,  MARK  5
                  corresponds  to minor class 15, MARK 22 corresponds to minor
                  class 122, etc.).

              3.  RESTORE[/mask]  --  restore  the  packet’s  mark  from   the
                  connection’s  mark  using  the  supplied  mask  if any. Your
                  kernel and iptables must include CONNMARK support.

                  As in 1) above, may be followed by :P or :F

              4.  SAVE[/mask] -- save the packet’s mark  to  the  connection’s
                  mark  using  the  supplied  mask  if  any.  Your  kernel and
                  iptables must include CONNMARK support.

                  As in 1) above, may be followed by :P or :F

              5.  CONTINUE -- Don’t process any more marking rules in the table.

                  As  in  1)  above,  may  be followed by :P or :F. Currently,
                  CONTINUE may not be used with exclusion (see the SOURCE  and
                  DEST  columns  below); that restriction will be removed when
                  iptables/Netfilter provides the necessary support.

              6.  COMMENT -- the rest of  the  line  will  be  attached  as  a
                  comment  to the Netfilter rule(s) generated by the following
                  entries. The comment will appear delimited by "/* ... */" in
                  the output of shorewall show mangle.

                  To  stop  the  comment from being attached to further rules,
                  simply include COMMENT on a line by itself.
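              The  chain-selection  and HIGH_ROUTE_MARKS restrictions described
              above, expressed as a small Python validator. This is  an  added
              example,  not  Shorewall’s  own compiler code: resolve_mark is a
              hypothetical function that takes the MARK/CLASSIFY text and  the
              SOURCE  column  and returns the chain and Netfilter target a rule
              would land in, or raises for combinations this page forbids.

```python
import re

# Chain implied by an explicit suffix: :P/:F/:T for packet marks, :CP/:CF/:CT
# for connection marks (a bare :C falls back to MARK_IN_FORWARD_CHAIN).
SUFFIX_CHAIN = {"P": "PREROUTING", "F": "FORWARD", "T": "POSTROUTING",
                "CP": "PREROUTING", "CF": "FORWARD", "CT": "POSTROUTING"}

def resolve_mark(spec, source, mark_in_forward_chain=False, high_route_marks=False):
    """Return (chain, target) for one MARK/CLASSIFY entry such as "1", "|2:P",
    "0x100:P", "3/0xff:CF", "RESTORE/0xff" or "1:11", given the SOURCE column
    and the two shorewall.conf settings; raise ValueError for combinations
    this man page forbids.  (Hypothetical helper, not Shorewall code.)"""
    fw_source = source == "$FW" or source.startswith("$FW:")
    if re.fullmatch(r"\d+:\d+", spec):                 # classid major:minor
        return ("OUTPUT" if fw_source else "POSTROUTING"), "CLASSIFY"
    body, _, suffix = spec.partition(":")
    bitwise = body[:1] in ("|", "&")                   # OR / AND into current mark
    value_s, _, _mask = body.lstrip("|&").partition("/")
    conn = suffix.startswith("C") or value_s in ("RESTORE", "SAVE")
    if bitwise and conn:
        raise ValueError('"|" and "&" may not be used with connection marks')
    if fw_source:
        if suffix in ("P", "F", "T"):   # page names :P/:F; :T treated alike (assumption)
            raise ValueError("$FW rules are always marked in OUTPUT; no :P/:F/:T")
        chain = "OUTPUT"
    elif suffix in SUFFIX_CHAIN:
        chain = SUFFIX_CHAIN[suffix]
    else:
        chain = "FORWARD" if mark_in_forward_chain else "PREROUTING"
    if value_s not in ("RESTORE", "SAVE", "CONTINUE", "COMMENT"):
        value = int(value_s, 0)                         # decimal or 0x-prefixed
        if high_route_marks and 0 < value < 256:
            raise ValueError("HIGH_ROUTE_MARKS=Yes: non-zero marks below 256 not permitted")
        if value > 255:
            if not high_route_marks or value > 0xFF00 or value & 0xFF:
                raise ValueError("marks above 255 need HIGH_ROUTE_MARKS=Yes and a zero low byte")
            if chain not in ("PREROUTING", "OUTPUT"):
                raise ValueError("high route marks may only be applied in PREROUTING or OUTPUT")
    return chain, ("CONNMARK" if conn else "MARK")

def check(spec, source, **settings):
    """Return the ValueError message for a forbidden entry, else None."""
    try:
        resolve_mark(spec, source, **settings)
    except ValueError as err:
        return str(err)
    return None
```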

       SOURCE        —        {-|{interface|$FW}|[{interface|$FW}:]address-or-
       range[,address-or-range]...}[exclusion]
              Source of the packet. A comma-separated list of interface names,
              IP  addresses,  MAC  addresses  and/or subnets for packets being
              routed through a common path. List elements may also consist  of
              an  interface  name  followed  by  ":"  and  an  address  (e.g.,
              eth1:192.168.1.0/24). For example, all packets  for  connections
              masqueraded  to  eth0  from other interfaces can be matched in a
              single rule with several alternative SOURCE criteria. However, a
              connection  whose  packets get to eth0 in a different way, e.g.,
              direct from the firewall itself, needs a different rule.

              Accordingly, use $FW  in  its  own  separate  rule  for  packets
              originating on the firewall. In such a rule, the MARK column may
              NOT specify either  :P  or  :F  because  marking  for  firewall-
              originated packets always occurs in the OUTPUT chain.

              MAC  addresses  must  be  prefixed  with  "~"  and  use "-" as a
              separator.

              Example: ~00-A0-C9-15-39-78

              You may exclude certain  hosts  from  the  set  already  defined
              through   use   of   an   exclusion   (see   shorewall-exclusion
              〈shorewall-exclusion.html〉 (5)).

       DEST     —      {-|{interface|[interface:]address-or-range[,address-or-
       range]...}[exclusion]
              Destination of the packet. Comma separated list of IP  addresses
              and/or  subnets.  If  your  kernel  and iptables include iprange
              match support, IP address ranges are also allowed. List elements
              may  also  consist  of  an interface name followed by ":" and an
              address  (e.g.,  eth1:192.168.1.0/24).  If   the   MARK   column
              specifies  a  classification  of the form major:minor then this
              column may also contain an interface name.

              You may exclude certain  hosts  from  the  set  already  defined
              through   use   of   an   exclusion   (see   shorewall-exclusion
              〈shorewall-exclusion.html〉 (5)).

       PROTO —  {-|tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-
       name|all}
              Protocol - ipp2p requires ipp2p match support in your kernel and
              iptables.

       PORT(S) (Optional) — [-|port-name-number-or-range[,port-name-number-or-
       range]...]
              Destination  Ports.  A  comma-separated list of Port names (from
              services(5)), port numbers or port ranges; if  the  protocol  is
              icmp,  this  column  is  interpreted  as  the  destination icmp-
              type(s).

              If the protocol is ipp2p, this column is interpreted as an ipp2p
              option  without  the leading "--" (example bit for bit-torrent).
              If no PORT is given, ipp2p is assumed.

              This column is ignored if PROTOCOL = all but must be entered  if
              any  of  the following fields is supplied. In that case, it is
              suggested that this field contain "-".

       SOURCE PORT(S)  (Optional)  —  [-|port-name-number-or-range[,port-name-
       number-or-range]...]
              Source port(s). If  omitted,  any  source  port  is  acceptable.
              Specified  as a comma-separated list of port names, port numbers
              or port ranges.

       USER     (Optional)     —      [!][user-name-or-number][:group-name-or-
       number][+program-name]
              This column may only be non-empty if the SOURCE is the  firewall
              itself.

              When  this  column  is  non-empty,  the rule applies only if the
              program generating the output is  running  under  the  effective
              user  and/or group specified (or is NOT running under that id if
              "!" is given).

              Examples:

              joe    program must be run by joe

              :kids  program must be run by a member of the ’kids’ group

              !:kids program must not be run by a member of the ’kids’ group

              +upnpd program named upnpd
                     Important

                     The ability to specify a program name  was  removed  from
                     Netfilter in kernel version 2.6.14.

       TEST — [!]value[/mask][:C]
              Defines  a  test  on the existing packet or connection mark. The
              rule will match only if the test returns true.

              If you don’t want to define a test but need to specify  anything
              in the following columns, place a "-" in this field.

              !      Inverts the test (not equal)

              value  Value of the packet or connection mark.

              mask   A mask to be applied to the mark before testing.

              :C     Designates  a  connection  mark.  If  omitted, the packet
                     mark’s value is tested.

       LENGTH (Optional) — [length|[min]:[max]]
              Packet Length. This field, if present, allows you to match  the
              length  of a packet against a specific value or range of values.
              You must have iptables length support for this to work. A  range
              is  specified  in  the form min:max where either min or max (but
              not both) may be omitted. If min is omitted, then 0 is  assumed;
              if  max  is  omitted, then any packet that is min or longer will
              match.

       TOS — tos
              Type of service. Either a standard name, or a numeric  value  to
              match.

                       Minimize-Delay (16)
                       Maximize-Throughput (8)
                       Maximize-Reliability (4)
                       Minimize-Cost (2)
                       Normal-Service (0)

EXAMPLE

       Example 1:
              Mark  all ICMP echo traffic with packet mark 1. Mark all peer to
              peer traffic with packet mark 4.

              This is a little more complex than otherwise expected. Since the
              ipp2p  module is unable to determine all packets in a connection
              are P2P packets, we mark the entire connection as P2P if any  of
              the packets are determined to match.

              We assume packet/connection mark 0 means unclassified.

                     #MARK/    SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
                     #CLASSIFY                                              PORT(S)
                     1         0.0.0.0/0 0.0.0.0/0    icmp    echo-request
                     1         0.0.0.0/0 0.0.0.0/0    icmp    echo-reply
                     RESTORE   0.0.0.0/0 0.0.0.0/0    all     -             -       -       0
                     CONTINUE  0.0.0.0/0 0.0.0.0/0    all     -             -       -       !0
                     4         0.0.0.0/0 0.0.0.0/0    ipp2p:all
                     SAVE      0.0.0.0/0 0.0.0.0/0    all     -             -       -       !0

              If  a  packet hasn’t been classified (packet mark is 0), copy the
              connection mark to the packet mark. If the packet mark  is  set,
              we’re  done.  If the packet is P2P, set the packet mark to 4. If
              the packet mark has been set, save it to the connection mark.

FILES

       /etc/shorewall/tcrules

SEE ALSO

       〈http://shorewall.net/traffic_shaping.htm〉

       〈http://shorewall.net/MultiISP.html〉

       〈http://shorewall.net/PacketMarking.html〉

       shorewall(8),  shorewall-accounting(5),  shorewall-actions(5), shorewall-
       blacklist(5),   shorewall-ecn(5),   shorewall-exclusion(5),  shorewall-
       hosts(5),   shorewall-interfaces(5),   shorewall-ipsec(5),   shorewall-
       maclist(5),  shorewall-masq(5),  shorewall-nat(5), shorewall-netmap(5),
       shorewall-params(5),    shorewall-policy(5),    shorewall-providers(5),
       shorewall-proxyarp(5),       shorewall-route_rules(5),       shorewall-
       routestopped(5),  shorewall-rules(5),   shorewall.conf(5),   shorewall-
       tcclasses(5),   shorewall-tcdevices(5),   shorewall-tos(5),  shorewall-
       tunnels(5), shorewall-zones(5)

                                 24 June 2008             shorewall-tcrules(5)