Provided by: shorewall6_4.5.21.6-1_all 
NAME
tcrules - Shorewall6 Packet Marking rules file
SYNOPSIS
/etc/shorewall6/tcrules
DESCRIPTION
Entries in this file cause packets to be marked as a means of classifying them for traffic
control or policy routing.
Important
Unlike rules in the shorewall6-rules[1](5) file, evaluation of rules in this file will
continue after a match. So the final mark for each packet will be the one assigned by
the LAST tcrule that matches.
If you use multiple internet providers with the 'track' option, in
/etc/shorewall6/providers be sure to read the restrictions at
http://shorewall.net/MultiISP.html.
Beginning with Shorewall 4.5.4, the tcrules file supports two different formats:
FORMAT 1 (default - deprecated)
The older limited-function version of TPROXY is supported.
FORMAT 2
The newer version of TPROXY is supported.
The format is specified by a line as follows:
[?]FORMAT {1|2}
The optional '?' was introduced in Shorewall 4.5.11 and ?FORMAT is the preferred form; the
form without the '?' is deprecated.
The columns in the file are as follows (where the column name is followed by a different
name in parentheses, the different name is used in the alternate specification syntax).
ACTION - action
action may assume one of the following values.
1. A mark value which is an integer in the range 1-255.
Normally will set the mark value. If preceded by a vertical bar ("|"), the mark
value will be logically ORed with the current mark value to produce a new mark
value. If preceded by an ampersand ("&"), will be logically ANDed with the current
mark value to produce a new mark value.
Both "|" and "&" require Extended MARK Target support in your kernel and
ip6tables; neither may be used with connection marks (see below).
May optionally be followed by :P, :F or :T, :I where :P indicates that marking
should occur in the PREROUTING chain, :F indicates that marking should occur in
the FORWARD chain, :I indicates that marking should occur in the INPUT chain
(added in Shorewall 4.4.13) and :T indicates that marking should occur in the
POSTROUTING chain. If neither :P, :F nor :T follow the mark value then the chain
is determined as follows:
- If the SOURCE is $FW[:address-or-range[,address-or-range]...], then the rule is
inserted into the OUTPUT chain. The behavior changed in Shorewall6-perl 4.1. Only
high mark values may be assigned in this case. Packet marking rules for traffic
shaping of packets originating on the firewall must be coded in the POSTROUTING
chain (see below).
- Otherwise, the chain is determined by the setting of MARK_IN_FORWARD_CHAIN in
shorewall6.conf[2](5).
Please note that :I is included for completeness and affects neither traffic
shaping nor policy routing.
If your kernel and ip6tables include CONNMARK support then you can also mark the
connection rather than the packet.
The mark value may be optionally followed by "/" and a mask value (used to
determine those bits of the connection mark to actually be set). When a mask is
specified, the result of logically ANDing the mark value with the mask must be the
same as the mark value.
The mark and optional mask are then followed by one of:+
C
Mark the connection in the chain determined by the setting of
MARK_IN_FORWARD_CHAIN
CF
Mark the connection in the FORWARD chain
CP
Mark the connection in the PREROUTING chain.
CT
Mark the connection in the POSTROUTING chain
CI
Mark the connection in the INPUT chain. This option is included for
completeness and has no applicability to traffic shaping or policy routing.
2. A mark range which is a pair of integers separated by a dash ("-"). Added in
Shorewall 4.5.9.
May be optionally followed by a slash ("/") and a mask and requires the Statistics
Match capability in iptables and kernel. Marks in the specified range are assigned
to packets on a round-robin fashion.
When a mask is specified, the result of logically ANDing each mark value with the
mask must be the same as the mark value. The least significant bit in the mask is
used as an increment. For example, if '0x200-0x400/0xff00' is specified, then the
assigned mark values are 0x200, 0x300 and 0x400 in equal proportions. If no mask
is specified, then ( 2 ** MASK_BITS ) - 1 is assumed (MASK_BITS is set in
shorewall6.conf[2](5)).
May optionally be followed by :P, :F,:T or :I where :P indicates that marking
should occur in the PREROUTING chain, :F indicates that marking should occur in
the FORWARD chain, :I indicates that marking should occur in the INPUT chain
(added in Shorewall 4.4.13), and :T indicates that marking should occur in the
POSTROUTING chain. If neither :P, :F nor :T follow the mark value then the chain
is determined as follows:
- If the SOURCE is $FW[:address-or-range[,address-or-range]...], then the rule is
inserted into the OUTPUT chain. When HIGH_ROUTE_MARKS=Yes, only high mark values
may be assigned there. Packet marking rules for traffic shaping of packets
originating on the firewall must be coded in the POSTROUTING chain (see below).
- Otherwise, the chain is determined by the setting of MARK_IN_FORWARD_CHAIN in
shorewall.conf[3](5).
Please note that :I is included for completeness and affects neither traffic
shaping nor policy routing.
If your kernel and iptables include CONNMARK support then you can also mark the
connection rather than the packet.
The mark range may be optionally followed by "/" and a mask value (used to
determine those bits of the connection mark to actually be set). When a mask is
specified, the result of logically ANDing the mark value with each of the masks
must be the same as the mark value.
The mark range and optional mask may followed by one of:
C
Mark the connection in the chain determined by the setting of
MARK_IN_FORWARD_CHAIN
CF
Mark the connection in the FORWARD chain
CP
Mark the connection in the PREROUTING chain.
CT
Mark the connection in the POSTROUTING chain
CI
Mark the connection in the INPUT chain. This option is included for
completeness and has no applicability to traffic shaping or policy routing.
3. A classification Id (classid) of the form major:minor where major and minor are
integers. Corresponds to the 'class' specification in these traffic shaping
modules:
atm
cbq
dsmark
pfifo_fast
htb
prio
Classification occurs in the POSTROUTING chain except when the SOURCE is
$FW[:address] in which case classification occurs in the OUTPUT chain.
When using Shorewall6's built-in traffic shaping tool, the major class is the
device number (the first device in shorewall6-tcdevices[4](5) is major class 1,
the second device is major class 2, and so on) and the minor class is the class's
MARK value in shorewall6-tcclasses[5](5) preceded by the number 1 (MARK 1
corresponds to minor class 11, MARK 5 corresponds to minor class 15, MARK 22
corresponds to minor class 122, etc.).
Beginning with Shorewall 4.4.27, the classid may be optionally followed by ':' and
a capital letter designating the chain where classification is to occur.
F
FORWARD chain.
T
POSTROUTING chain (default).
4. CHECKSUM
Added in Shorewall 4.5.9. Compute and fill in the checksum in a packet that lacks
a checksum. This is particularly useful if you need to work around old
applications, such as dhcp clients, that do not work well with checksum offloads,
but you don't want to disable checksum offload in your device.
Requires 'Checksum Target' support in your kernel and ip6tables.
5. [?]COMMENT -- the rest of the line will be attached as a comment to the Netfilter
rule(s) generated by the following entries. The comment will appear delimited by
"/* ... */" in the output of shorewall6 show mangle
To stop the comment from being attached to further rules, simply include COMMENT
on a line by itself.
Note
Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for COMMENT and is
preferred.
6. CONTINUE Don't process any more marking rules in the table.
As in 1) above, may be followed by :P or :F. Currently, CONTINUE may not be used
with exclusion (see the SOURCE and DEST columns below); that restriction will be
removed when ip6tables/Netfilter provides the necessary support.
7. DIVERT
Added in Shorewall 4.5.3. Two DIVERT rule should precede the TPROXY rule and
should select DEST PORT tcp 80 and SOURCE PORT tcp 80 respectively (assuming that
tcp port 80 is being proxied). DIVERT avoids sending packets to the TPROXY target
once a socket connection to Squid3 has been established by TPROXY. DIVERT marks
the packet with a unique mark and exempts it from any rules that follow.
8. DROP
Added in Shorewall 4.5.21.4. Causes matching packets to be discarded.
9. DSCP(dscp)
Added in Shorewall 4.5.1. Sets the Differentiated Services Code Point field in the
IP header. The dscp value may be given as an even number (hex or decimal) or as
the name of a DSCP class. Valid class names and their associated hex numeric
values are:
CS0 => 0x00
CS1 => 0x08
CS2 => 0x10
CS3 => 0x18
CS4 => 0x20
CS5 => 0x28
CS6 => 0x30
CS7 => 0x38
BE => 0x00
AF11 => 0x0a
AF12 => 0x0c
AF13 => 0x0e
AF21 => 0x12
AF22 => 0x14
AF23 => 0x16
AF31 => 0x1a
AF32 => 0x1c
AF33 => 0x1e
AF41 => 0x22
AF42 => 0x24
AF43 => 0x26
EF => 0x2e
To indicate more than one class, add their hex values together and specify the
result.
May be optionally followed by ':' and a capital letter designating the chain where
classification is to occur.
F
FORWARD chain.
T
POSTROUTING chain.
10. HL([-|+]number)
Added in Shorewall 4.4.24.
Prior to Shorewall 4.5.7.2, may be optionally followed by :F but the resulting
rule is always added to the FORWARD chain. Beginning with Shorewall 4.5.7.s, it
may be optionally followed by :P, in which case the rule is added to the
PREROUTING chain.
If + is included, packets matching the rule will have their HL (hop limit)
incremented by number. Similarly, if - is included, matching packets have their HL
decremented by number. If neither + nor - is given, the HL of matching packets is
set to number. The valid range of values for number is 1-255.
11. IMQ(number)
Added in Shorewall 4.5.1. Specifies that the packet should be passed to the IMQ
identified by number. Requires IMQ Target support in your kernel and ip6tables.
12. RESTORE[/mask] -- restore the packet's mark from the connection's mark using the
supplied mask if any. Your kernel and ip6tables must include CONNMARK support.
As in 1) above, may be followed by :P or :F
13. SAME (Added in Shorewall 4.3.5) -- Some websites run applications that require
multiple connections from a client browser. Where multiple 'balanced' providers
are configured, this can lead to problems when some of the connections are routed
through one provider and some through another. The SAME target allows you to work
around that problem. SAME may be used in the PREROUTING and OUTPUT chains. When
used in PREROUTING, it causes matching connections from an individual local system
to all use the same provider. For example:
#ACTION SOURCE DEST PROTO DEST
# PORT(S)
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443
If a host in 192.168.1.0/24 attempts a connection on TCP port 80 or 443 and it has
sent a packet on either of those ports in the last five minutes then the new
connection will use the same provider as the connection over which that last
packet was sent.
When used in the OUTPUT chain, it causes all matching connections to an individual
remote system to all use the same provider. For example:
#ACTION SOURCE DEST PROTO DEST
# PORT(S)
SAME $FW 0.0.0.0/0 tcp 80,443
If the firewall attempts a connection on TCP port 80 or 443 and it has sent a
packet on either of those ports in the last five minutes to the same remote system
then the new connection will use the same provider as the connection over which
that last packet was sent.
14. SAVE[/mask] -- save the packet's mark to the connection's mark using the supplied
mask if any. Your kernel and ip6tables must include CONNMARK support.
As in 1) above, may be followed by :P or :F
15. TOS(tos[/mask])
Added in Shorewall 4.5.1. Sets the Type of Service field in the IP header. The tos
value may be given as an number (hex or decimal) or as the name of a TOS type.
Valid type names and their associated hex numeric values are:
Minimize-Delay => 0x10,
Maximize-Throughput => 0x08,
Maximize-Reliability => 0x04,
Minimize-Cost => 0x02,
Normal-Service => 0x00
To indicate more than one class, add their hex values together and specify the
result.
When tos is given as a number, it may be optionally followed by '/' and a mask.
When no mask is given, the value 0xff is assumed. When tos is given as a type
name, the mask 0x3f is assumed.
The action performed is to zero out the bits specified by the mask, then set the
bits specified by tos.
May be optionally followed by ':' and a capital letter designating the chain where
classification is to occur.
F
FORWARD chain.
T
POSTROUTING chain (default).
16. TPROXY(mark[,[port][,[address]]]) -- FORMAT 1
Transparently redirects a packet without altering the IP header. Requires a local
provider to be defined in shorewall6-providers[6](5).
There are three parameters to TPROXY - only the first (mark) is required:
· mark - the MARK value corresponding to the local provider in
shorewall6-providers[6](5).
· port - the port on which the proxy server is listening. If omitted, the
original destination port.
· address - a local (to the firewall) IP address on which the proxy server is
listening. If omitted, the IP address of the interface on which the request
arrives.
17. TPROXY([port][,[address]]]) -- FORMAT 2
Transparently redirects a packet without altering the IP header. Requires a local
provider to be defined in shorewall6-providers[6](5).
There are three parameters to TPROXY - only the first (mark) is required:
· port - the port on which the proxy server is listening. If omitted, the
original destination port.
· address - a local (to the firewall) IP address on which the proxy server is
listening. If omitted, the IP address of the interface on which the request
arrives.
SOURCE -
{-|{interface|$FW}|[{interface|$FW}:]<address-or-range[,address-or-range]...}[exclusion]>
Source of the packet. A comma-separated list of interface names, IP addresses, MAC
addresses and/or subnets for packets being routed through a common path. List elements
may also consist of an interface name followed by ":" and an address (e.g.,
eth1:<2002:ce7c:92b4::/48>). For example, all packets for connections masqueraded to
eth0 from other interfaces can be matched in a single rule with several alternative
SOURCE criteria. However, a connection whose packets gets to eth0 in a different way,
e.g., direct from the firewall itself, needs a different rule.
Accordingly, use $FW in its own separate rule for packets originating on the firewall.
In such a rule, the ACTION column may NOT specify either :P or :F because marking for
firewall-originated packets always occurs in the OUTPUT chain.
MAC addresses must be prefixed with "~" and use "-" as a separator.
Example: ~00-A0-C9-15-39-78
When an interface is not specified, the angled brackets ('<' and '>') surrounding the
address(es) may be omitted.
You may exclude certain hosts from the set already defined through use of an exclusion
(see shorewall6-exclusion[7](5)).
DEST -
{-|{interface|$FW}[{interface|$FW}:]<address-or-range[,address-or-range]...}[exclusion]>
Destination of the packet. Comma separated list of IP addresses and/or subnets. If
your kernel and ip6tables include iprange match support, IP address ranges are also
allowed. List elements may also consist of an interface name followed by ":" and an
address (e.g., eth1:<2002:ce7c:92b4::/48>). If the ACTION column specifies a
classification of the form major:minor then this column may also contain an interface
name.
When an interface is not specified, the angled brackets ('<' and '>') surrounding the
address(es) may be omitted.
Beginning with Shorewall 4.4.13, $FW may be given by itself or qualified by an address
list. This causes marking to occur in the INPUT chain.
You may exclude certain hosts from the set already defined through use of an exclusion
(see shorewall6-exclusion[7](5)).
PROTO - {-|{tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}[,...]}
Protocol - ipp2p requires ipp2p match support in your kernel and ip6tables.
Beginning with Shorewall 4.5.12, this column can accept a comma-separated list of
protocols.
PORT(S) (dport) - [-|port-name-number-or-range[,port-name-number-or-range]...]
Optional destination Ports. A comma-separated list of Port names (from services(5)),
port numbers or port ranges; if the protocol is ipv6-icmp, this column is interpreted
as the destination icmp-type(s). ICMP types may be specified as a numeric type, a
numeric type and code separated by a slash (e.g., 3/4), or a typename. See
http://www.shorewall.net/configuration_file_basics.htm#ICMP.
If the protocol is ipp2p, this column is interpreted as an ipp2p option without the
leading "--" (example bit for bit-torrent). If no PORT is given, ipp2p is assumed.
An entry in this field requires that the PROTO column specify tcp (6), udp (17),
ipv6-icmp (58), sctp (132) or udplite (136). Use '-' if any of the following field is
supplied.
SOURCE PORT(S) (sport) - [-|port-name-number-or-range[,port-name-number-or-range]...]
Optional source port(s). If omitted, any source port is acceptable. Specified as a
comma-separated list of port names, port numbers or port ranges.
An entry in this field requires that the PROTO column specify tcp (6), udp (17), sctp
(132) or udplite (136). Use '-' if any of the following fields is supplied.
Beginning with Shorewall 4.5.15, you may place '=' in this column, provided that the
DEST PORT(S) column is non-empty. This causes the rule to match when either the source
port or the destination port in a packet matches one of the ports specified in DEST
PORTS(S). Use of '=' requires multi-port match in your iptables and kernel.
USER - [!][user-name-or-number][:group-name-or-number]
This optional column may only be non-empty if the SOURCE is the firewall itself.
When this column is non-empty, the rule applies only if the program generating the
output is running under the effective user and/or group specified (or is NOT running
under that id if "!" is given).
Examples:
joe
program must be run by joe
:kids
program must be run by a member of the 'kids' group
!:kids
program must not be run by a member of the 'kids' group
TEST - [!]value[/mask][:C]
Optional. Defines a test on the existing packet or connection mark. The rule will
match only if the test returns true.
If you don't want to define a test but need to specify anything in the following
columns, place a "-" in this field.
!
Inverts the test (not equal)
value
Value of the packet or connection mark.
mask
A mask to be applied to the mark before testing.
:C
Designates a connection mark. If omitted, the packet mark's value is tested.
LENGTH - [length|[min]:[max]]
Optional - packet payload length. This field, if present allow you to match the length
of a packet payload (Layer 4 data ) against a specific value or range of values. You
must have iptables length support for this to work. A range is specified in the form
min:max where either min or max (but not both) may be omitted. If min is omitted, then
0 is assumed; if max is omitted, than any packet that is min or longer will match.
TOS (Optional) - tos
Type of service. Either a standard name, or a numeric value to match.
Minimize-Delay (16)
Maximize-Throughput (8)
Maximize-Reliability (4)
Minimize-Cost (2)
Normal-Service (0)
CONNBYTES - [!]min:[max[:{O|R|B}[:{B|P|A}]]]
Optional connection Bytes; defines a byte or packet range that the connection must
fall within in order for the rule to match.
A packet matches if the the packet/byte count is within the range defined by min and
max (unless ! is given in which case, a packet matches if the packet/byte count is not
within the range). min is an integer which defines the beginning of the byte/packet
range. max is an integer which defines the end of the byte/packet range; if omitted,
only the beginning of the range is checked. The first letter gives the direction which
the range refers to:O - The original direction of the connection. .sp R - The opposite
direction from the original connection. .sp B - The total of both directions.
If omitted, B is assumed.
The second letter determines what the range refers to.B - Bytes .sp P - Packets .sp A
- Average packet size.If omitted, B is assumed.
HELPER - helper
Optional. Names a Netfilter protocol helper module such as ftp, sip, amanda, etc. A
packet will match if it was accepted by the named helper module.
Example: Mark all FTP data connections with mark 4:
#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
# PORT(S)
4 ::/0 ::/0 TCP - - - - - - - ftp
HEADERS - [!][any:|exactly:]header-list (Optional - Added in Shorewall 4.4.15)
The header-list consists of a comma-separated list of headers from the following list.
auth, ah, or 51
Authentication Headers extension header.
esp, or 50
Encrypted Security Payload extension header.
hop, hop-by-hop or 0
Hop-by-hop options extension header.
route, ipv6-route or 41
IPv6 Route extension header.
frag, ipv6-frag or 44
IPv6 fragmentation extension header.
none, ipv6-nonxt or 59
No next header
proto, protocol or 255
Any protocol header.
If any: is specified, the rule will match if any of the listed headers are present. If
exactly: is specified, the will match packets that exactly include all specified
headers. If neither is given, any: is assumed.
If ! is entered, the rule will match those packets which would not be matched when !
is omitted.
PROBABILITY - [probability]
Added in Shorewall 4.5.0. When non-empty, requires the Statistics Match capability in
your kernel and ip6tables and causes the rule to match randomly but with the given
probability. The probability is a number 0 < probability <= 1 and may be expressed at
up to 8 decimal points of precision.
STATE -- {NEW|RELATED|ESTABLISHED|INVALID} [,...]
Added in Shorewall 4.5.9. The rule will only match if the packet's connection is in
one of the listed states.
EXAMPLE
Example 1:
Mark all forwarded ICMP echo traffic with packet mark 1. Mark all forwarded peer to
peer traffic with packet mark 4.
This is a little more complex than otherwise expected. Since the ipp2p module is
unable to determine all packets in a connection are P2P packets, we mark the entire
connection as P2P if any of the packets are determined to match.
We assume packet/connection mark 0 means unclassified.
#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST
# PORT(S)
1 ::/0 ::/0 icmp echo-request
1 ::/0 ::/0 icmp echo-reply
RESTORE ::/0 ::/0 all - - - 0
CONTINUE ::/0 ::/0 all - - - !0
4 ::/0 ::/0 ipp2p:all
SAVE ::/0 ::/0 all - - - !0
If a packet hasn't been classified (packet mark is 0), copy the connection mark to the
packet mark. If the packet mark is set, we're done. If the packet is P2P, set the
packet mark to 4. If the packet mark has been set, save it to the connection mark.
FILES
/etc/shorewall6/tcrules
SEE ALSO
http://shorewall.net/traffic_shaping.htm
http://shorewall.net/MultiISP.html
http://shorewall.net/PacketMarking.html
http://shorewall.net/configuration_file_basics.htm#Pairs
shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5),
shorewall6-ecn(5), shorewall6-exclusion(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
shorewall6-tcdevices(5), shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)
NOTES
1. shorewall6-rules
http://www.shorewall.netshorewall6-rules.html
2. shorewall6.conf
http://www.shorewall.netshorewall6.conf.html
3. shorewall.conf
http://www.shorewall.netshorewall.conf.html
4. shorewall6-tcdevices
http://www.shorewall.netshorewall6-tcdevices.html
5. shorewall6-tcclasses
http://www.shorewall.netshorewall6-tcclasses.html
6. shorewall6-providers
http://www.shorewall.netshorewall6-providers.html
7. shorewall6-exclusion
http://www.shorewall.netshorewall6-exclusion.html
[FIXME: source] 01/30/2014 SHOREWALL6-TCRULES(5)