Provided by: shorewall6_4.4.26.1-1_all bug

NAME

       tcrules - Shorewall6 Packet Marking rules file

SYNOPSIS

       /etc/shorewall6/tcrules

DESCRIPTION

       Entries in this file cause packets to be marked as a means of classifying them for traffic
       control or policy routing.

           Important
           Unlike rules in the shorewall6-rules[1](5) file, evaluation of rules in this file will
           continue after a match. So the final mark for each packet will be the one assigned by
           the LAST tcrule that matches.

           If you use multiple internet providers with the 'track' option, in
           /etc/shorewall6/providers be sure to read the restrictions at
           http://shorewall.net/MultiISP.html.

       The columns in the file are as follows (where the column name is followed by a different
       name in parentheses, the different name is used in the alternate specification syntax).

       MARK/CLASSIFY - mark
           mark may assume one of the following values.

            1. A mark value which is an integer in the range 1-255.

               Normally will set the mark value. If preceded by a vertical bar ("|"), the mark
               value will be logically ORed with the current mark value to produce a new mark
               value. If preceded by an ampersand ("&"), will be logically ANDed with the current
               mark value to produce a new mark value.

               Both "|" and "&" require Extended MARK Target support in your kernel and
               ip6tables; neither may be used with connection marks (see below).

               May optionally be followed by :P, :F or :T, :I where :P indicates that marking
               should occur in the PREROUTING chain, :F indicates that marking should occur in
               the FORWARD chain, :I indicates that marking should occur in the INPUT chain
               (added in Shorewall 4.4.13) and :T indicates that marking should occur in the
               POSTROUTING chain. If neither :P, :F nor :T follow the mark value then the chain
               is determined as follows:

               - If the SOURCE is $FW[:address-or-range[,address-or-range]...], then the rule is
               inserted into the OUTPUT chain. The behavior changed in Shorewall6-perl 4.1. Only
               high mark values may be assigned in this case. Packet marking rules for traffic
               shaping of packets originating on the firewall must be coded in the POSTROUTING
               chain (see below).

               - Otherwise, the chain is determined by the setting of MARK_IN_FORWARD_CHAIN in
               shorewall6.conf[2](5).

               Please note that :I is included for completeness and affects neither traffic
               shaping nor policy routing.

               If your kernel and ip6tables include CONNMARK support then you can also mark the
               connection rather than the packet.

               The mark value may be optionally followed by "/" and a mask value (used to
               determine those bits of the connection mark to actually be set). The mark and
               optional mask are then followed by one of:+

               C
                   Mark the connection in the chain determined by the setting of
                   MARK_IN_FORWARD_CHAIN

               CF
                   Mark the connection in the FORWARD chain

               CP
                   Mark the connection in the PREROUTING chain.

               CT
                   Mark the connection in the POSTROUTING chain

               CI
                   Mark the connection in the INPUT chain. This option is included for
                   completeness and has no applicability to traffic shaping or policy routing.

               Special considerations for If HIGH_ROUTE_MARKS=Yes in shorewall6.conf[2](5).

               If HIGH_ROUTE_MARKS=Yes, then you may also specify a value in the range
               0x0100-0xFF00 with the low-order byte being zero. Such values may only be used in
               the PREROUTING chain (value followed by :P or you have set
               MARK_IN_FORWARD_CHAIN=No in shorewall6.conf[2](5) and have not followed the value
               with :F) or the OUTPUT chain (SOURCE is $FW). With HIGH_ROUTE_MARKS=Yes, non-zero
               mark values less that 256 are not permitted. Shorewall6 prohibits non-zero mark
               values less that 256 in the OUTPUT chain when HIGH_ROUTE_MARKS=Yes. While earlier
               versions allow such values in the OUTPUT chain, it is strongly recommended that
               with HIGH_ROUTE_MARKS=Yes, you use the POSTROUTING chain to apply traffic shaping
               marks/classification.

            2. A classification Id (classid) of the form major:minor where major and minor are
               integers. Corresponds to the 'class' specification in these traffic shaping
               modules:

                          atm
                          cbq
                          dsmark
                          pfifo_fast
                          htb
                          prio

               Classification occurs in the POSTROUTING chain except when the SOURCE is
               $FW[:address] in which case classification occurs in the OUTPUT chain.

               When using Shorewall6's built-in traffic shaping tool, the major class is the
               device number (the first device in shorewall6-tcdevices[3](5) is major class 1,
               the second device is major class 2, and so on) and the minor class is the class's
               MARK value in shorewall6-tcclasses[4](5) preceded by the number 1 (MARK 1
               corresponds to minor class 11, MARK 5 corresponds to minor class 15, MARK 22
               corresponds to minor class 122, etc.).

            3. RESTORE[/mask] -- restore the packet's mark from the connection's mark using the
               supplied mask if any. Your kernel and ip6tables must include CONNMARK support.

               As in 1) above, may be followed by :P or :F

            4. SAVE[/mask] -- save the packet's mark to the connection's mark using the supplied
               mask if any. Your kernel and ip6tables must include CONNMARK support.

               As in 1) above, may be followed by :P or :F

            5. CONTINUE Don't process any more marking rules in the table.

               As in 1) above, may be followed by :P or :F. Currently, CONTINUE may not be used
               with exclusion (see the SOURCE and DEST columns below); that restriction will be
               removed when ip6tables/Netfilter provides the necessary support.

            6. SAME (Added in Shorewall 4.3.5) -- Some websites run applications that require
               multiple connections from a client browser. Where multiple 'balanced' providers
               are configured, this can lead to problems when some of the connections are routed
               through one provider and some through another. The SAME target allows you to work
               around that problem. SAME may be used in the PREROUTING and OUTPUT chains. When
               used in PREROUTING, it causes matching connections from an individual local system
               to all use the same provider. For example:

                   #MARK/            SOURCE         DEST         PROTO      DEST
                   #CLASSIFY                                                PORT(S)
                   SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443

               If a host in 192.168.1.0/24 attempts a connection on TCP port 80 or 443 and it has
               sent a packet on either of those ports in the last five minutes then the new
               connection will use the same provider as the connection over which that last
               packet was sent.

               When used in the OUTPUT chain, it causes all matching connections to an individual
               remote system to all use the same provider. For example:

                   #MARK/            SOURCE         DEST         PROTO      DEST
                   #CLASSIFY                                                PORT(S)
                   SAME              $FW            0.0.0.0/0    tcp        80,443

               If the firewall attempts a connection on TCP port 80 or 443 and it has sent a
               packet on either of those ports in the last five minutes to the same remote system
               then the new connection will use the same provider as the connection over which
               that last packet was sent.

            7. COMMENT -- the rest of the line will be attached as a comment to the Netfilter
               rule(s) generated by the following entries. The comment will appear delimited by
               "/* ... */" in the output of shorewall6 show mangle

               To stop the comment from being attached to further rules, simply include COMMENT
               on a line by itself.

            8. TPROXY(mark[/mask][,[port][,[address]]])

               Transparently redirects a packet without altering the IP header. Requires a local
               provider to be defined in shorewall6-providers[5](5).

               There are three parameters to TPROXY - only the first (mark) is required:

               ·   mark - the MARK value corresponding to the local provider in
                   shorewall6-providers[5](5).

               ·   port - the port on which the proxy server is listening. If omitted, the
                   original destination port.

               ·   address - a local (to the firewall) IP address on which the proxy server is
                   listening. If omitted, the IP address of the interface on which the request
                   arrives.

            9. HL([-|+]number)

               Added in Shorewall 4.4.24. May be option followed by :F but the resulting rule is
               always added to the FORWARD chain. If + is included, packets matching the rule
               will have their HL (hop limit) incremented by number. Similarly, if - is included,
               matching packets have their HL decremented by number. If neither + nor - is given,
               the HL of matching packets is set to number. The valid range of values for number
               is 1-255.

       SOURCE -
       {-|{interface|$FW}|[{interface|$FW}:]<address-or-range[,address-or-range]...}[exclusion]>
           Source of the packet. A comma-separated list of interface names, IP addresses, MAC
           addresses and/or subnets for packets being routed through a common path. List elements
           may also consist of an interface name followed by ":" and an address (e.g.,
           eth1:<2002:ce7c:92b4::/48>). For example, all packets for connections masqueraded to
           eth0 from other interfaces can be matched in a single rule with several alternative
           SOURCE criteria. However, a connection whose packets gets to eth0 in a different way,
           e.g., direct from the firewall itself, needs a different rule.

           Accordingly, use $FW in its own separate rule for packets originating on the firewall.
           In such a rule, the MARK column may NOT specify either :P or :F because marking for
           firewall-originated packets always occurs in the OUTPUT chain.

           MAC addresses must be prefixed with "~" and use "-" as a separator.

           Example: ~00-A0-C9-15-39-78

           When an interface is not specified, the angled brackets ('<' and '>') surrounding the
           address(es) may be omitted.

           You may exclude certain hosts from the set already defined through use of an exclusion
           (see shorewall6-exclusion[6](5)).

       DEST -
       {-|{interface|$FW}[{interface|$FW}:]<address-or-range[,address-or-range]...}[exclusion]>
           Destination of the packet. Comma separated list of IP addresses and/or subnets. If
           your kernel and ip6tables include iprange match support, IP address ranges are also
           allowed. List elements may also consist of an interface name followed by ":" and an
           address (e.g., eth1:<2002:ce7c:92b4::/48>). If the MARK column specificies a
           classification of the form major:minor then this column may also contain an interface
           name.

           When an interface is not specified, the angled brackets ('<' and '>') surrounding the
           address(es) may be omitted.

           Beginning with Shorewall 4.4.13, $FW may be given by itself or qualified by an address
           list. This causes marking to occur in the INPUT chain.

           You may exclude certain hosts from the set already defined through use of an exclusion
           (see shorewall6-exclusion[6](5)).

       PROTO - {-|tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}
           Protocol - ipp2p requires ipp2p match support in your kernel and ip6tables.

       PORT(S) (dport) - [-|port-name-number-or-range[,port-name-number-or-range]...]
           Optional destination Ports. A comma-separated list of Port names (from services(5)),
           port numbers or port ranges; if the protocol is ipv6-icmp, this column is interpreted
           as the destination icmp-type(s). ICMP types may be specified as a numeric type, a
           numberic type and code separated by a slash (e.g., 3/4), or a typename. See
           http://www.shorewall.net/configuration_file_basics.htm#ICMP.

           If the protocol is ipp2p, this column is interpreted as an ipp2p option without the
           leading "--" (example bit for bit-torrent). If no PORT is given, ipp2p is assumed.

           An entry in this field requires that the PROTO column specify tcp (6), udp (17),
           ipv6-icmp (58), sctp (132) or udplite (136). Use '-' if any of the following field is
           supplied.

       SOURCE PORT(S) (sport) - [-|port-name-number-or-range[,port-name-number-or-range]...]
           Optional source port(s). If omitted, any source port is acceptable. Specified as a
           comma-separated list of port names, port numbers or port ranges.

           An entry in this field requires that the PROTO column specify tcp (6), udp (17), sctp
           (132) or udplite (136). Use '-' if any of the following fields is supplied.

       USER - [!][user-name-or-number][:group-name-or-number]
           This optional column may only be non-empty if the SOURCE is the firewall itself.

           When this column is non-empty, the rule applies only if the program generating the
           output is running under the effective user and/or group specified (or is NOT running
           under that id if "!" is given).

           Examples:

           joe
               program must be run by joe

           :kids
               program must be run by a member of the 'kids' group

           !:kids
               program must not be run by a member of the 'kids' group

       TEST - [!]value[/mask][:C]
           Optional. Defines a test on the existing packet or connection mark. The rule will
           match only if the test returns true.

           If you don't want to define a test but need to specify anything in the following
           columns, place a "-" in this field.

           !
               Inverts the test (not equal)

           value
               Value of the packet or connection mark.

           mask
               A mask to be applied to the mark before testing.

           :C
               Designates a connection mark. If omitted, the packet mark's value is tested.

       LENGTH - [length|[min]:[max]]
           Optional packet Length. This field, if present allow you to match the length of a
           packet against a specific value or range of values. You must have ip6tables length
           support for this to work. A range is specified in the form min:max where either min or
           max (but not both) may be omitted. If min is omitted, then 0 is assumed; if max is
           omitted, than any packet that is min or longer will match.

       TOS (Optional) - tos
           Type of service. Either a standard name, or a numeric value to match.

                        Minimize-Delay (16)
                        Maximize-Throughput (8)
                        Maximize-Reliability (4)
                        Minimize-Cost (2)
                        Normal-Service (0)

       CONNBYTES - [!]min:[max[:{O|R|B}[:{B|P|A}]]]
           Optional connection Bytes; defines a byte or packet range that the connection must
           fall within in order for the rule to match.

           A packet matches if the the packet/byte count is within the range defined by min and
           max (unless ! is given in which case, a packet matches if the packet/byte count is not
           within the range).  min is an integer which defines the beginning of the byte/packet
           range.  max is an integer which defines the end of the byte/packet range; if omitted,
           only the beginning of the range is checked. The first letter gives the direction which
           the range refers to:O - The original direction of the connection. .sp R - The opposite
           direction from the original connection. .sp B - The total of both directions.

           If omitted, B is assumed.

           The second letter determines what the range refers to.B - Bytes .sp P - Packets .sp A
           - Average packet size.If omitted, B is assumed.

       HELPER - helper
           Optional. Names a Netfiler protocol helper module such as ftp, sip, amanda, etc. A
           packet will match if it was accepted by the named helper module. You can also append
           "-" and a port number to the helper module name (e.g., ftp-21) to specify the port
           number that the original connection was made on.

           Example: Mark all FTP data connections with mark 4:

               #MARK/    SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
               #CLASSIFY                                        PORT(S)
               4         ::/0      ::/0      TCP     -          -       -    -    -      -   -         ftp

       HEADERS - [!][any:|exactly:]header-list (Optional - Added in Shorewall 4.4.15)
           The header-list consists of a comma-separated list of headers from the following list.

           auth, ah, or 51
               Authentication Headers extension header.

           esp, or 50
               Encrypted Security Payload extension header.

           hop, hop-by-hop or 0
               Hop-by-hop options extension header.

           route, ipv6-route or 41
               IPv6 Route extension header.

           frag, ipv6-frag or 44
               IPv6 fragmentation extension header.

           none, ipv6-nonxt or 59
               No next header

           proto, protocol or 255
               Any protocol header.

           If any: is specified, the rule will match if any of the listed headers are present. If
           exactly: is specified, the will match packets that exactly include all specified
           headers. If neither is given, any: is assumed.

           If !  is entered, the rule will match those packets which would not be matched when !
           is omitted.

EXAMPLE

       Example 1:
           Mark all forwarded ICMP echo traffic with packet mark 1. Mark all forwarded peer to
           peer traffic with packet mark 4.

           This is a little more complex than otherwise expected. Since the ipp2p module is
           unable to determine all packets in a connection are P2P packets, we mark the entire
           connection as P2P if any of the packets are determined to match.

           We assume packet/connection mark 0 means unclassified.

                      #MARK/    SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
                      #CLASSIFY                                              PORT(S)
                      1         ::/0      ::/0         icmp    echo-request
                      1         ::/0      ::/0         icmp    echo-reply
                      RESTORE   ::/0      ::/0         all     -             -       -       0
                      CONTINUE  ::/0      ::/0         all     -             -       -      !0
                      4         ::/0      ::/0         ipp2p:all
                      SAVE      ::/0      ::/0         all     -             -       -       !0

           If a packet hasn't been classifed (packet mark is 0), copy the connection mark to the
           packet mark. If the packet mark is set, we're done. If the packet is P2P, set the
           packet mark to 4. If the packet mark has been set, save it to the connection mark.

FILES

       /etc/shorewall6/tcrules

SEE ALSO

       http://shorewall.net/traffic_shaping.htm

       http://shorewall.net/MultiISP.html

       http://shorewall.net/PacketMarking.html

       http://shorewall.net/configuration_file_basics.htm#Pairs

       shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5),
       shorewall6-ecn(5), shorewall6-exclusion(5), shorewall6-hosts(5), shorewall6-interfaces(5),
       shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
       shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5),
       shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
       shorewall6-tcdevices(5), shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)

NOTES

        1. shorewall6-rules
           http://www.shorewall.net/manpages6/shorewall6-rules.html

        2. shorewall6.conf
           http://www.shorewall.net/manpages6/shorewall6.conf.html

        3. shorewall6-tcdevices
           http://www.shorewall.net/manpages6/shorewall6-tcdevices.html

        4. shorewall6-tcclasses
           http://www.shorewall.net/manpages6/shorewall6-tcclasses.html

        5. shorewall6-providers
           http://www.shorewall.net/manpages6/shorewall6-providers.html

        6. shorewall6-exclusion
           http://www.shorewall.net/manpages6/shorewall6-exclusion.html

[FIXME: source]                             12/13/2011                      SHOREWALL6-TCRULES(5)