Provided by: shorewall_5.1.12.2-1_all bug

NAME

       mangle - Shorewall Packet marking/mangling rules file

SYNOPSIS

       /etc/shorewall[6]/mangle

DESCRIPTION

       This file was introduced in Shorewall 4.6.0 and replaces shorewall-tcrules(5)[1]. This
       file is only processed by the compiler if:

       Entries in this file cause packets to be marked as a means of classifying them for traffic
       control or policy routing.

           Important
           Unlike rules in the shorewall-rules[2](5) file, evaluation of rules in this file will
           continue after a match. So the final mark for each packet will be the one assigned by
           the LAST tcrule that matches.

           If you use multiple internet providers with the 'track' option, in
           /etc/shorewall/providers be sure to read the restrictions at
           http://www.shorewall.net/MultiISP.html[3].

       The columns in the file are as follows (where the column name is followed by a different
       name in parentheses, the different name is used in the alternate specification syntax).

       ACTION - command[(parameters)][:chain-designator]
           The chain-designator indicates the Netfilter chain that the entry applies to and may
           be one of the following:

           P
               PREROUTING chain.

           F
               FORWARD chain.

           T
               POSTROUTING chain.

           I
               INPUT chain.

           Unless otherwise specified for the particular command, the default chain is PREROUTING
           when MARK_IN_FORWARD_CHAIN=No in shorewall.conf(5)[4], and FORWARD when
           MARK_IN_FORWARD_CHAIN=Yes.

           A chain-designator may not be specified if the SOURCE or DEST columns begin with
           '$FW'. When the SOURCE is $FW, the generated rule is always placed in the OUTPUT
           chain. If DEST is '$FW', then the rule is placed in the INPUT chain. Additionally, a
           chain-designator may not be specified in an action body.

           Where a command takes parameters, those parameters are enclosed in parentheses
           ("(....)") and separated by commas.

           The command may be one of the following.

           action[([param[,...])]
               Added in Shorewall 5.0.7.  action must be an action declared with the mangle
               option in shorewall-actions(5)[5]. If the action accepts parameters, they are
               specified as a comma-separated list within parentheses following the action name.

           ADD(ipset:flags)
               Added in Shorewall 4.6.7. Causes addresses and/or port numbers to be added to the
               named ipset. The flags specify the address or tuple to be added to the set and
               must match the type of ipset involved. For example, for an iphash ipset, either
               the SOURCE or DESTINATION address can be added using flags src or dst respectively
               (see the -A command in ipset (8)).

               ADD is non-terminating. Even if a packet matches the rule, it is passed on to the
               next rule.

           CHECKSUM
               Compute and fill in the checksum in a packet that lacks a checksum. This is
               particularly useful if you need to work around old applications, such as dhcp
               clients, that do not work well with checksum offloads, but you don't want to
               disable checksum offload in your device.

               Requires 'Checksum Target' support in your kernel and iptables.

           CLASSIFY(classid)
               A classification Id (classid) is of the form major:minor where major and minor are
               integers. Corresponds to the 'class' specification in these traffic shaping
               modules:

                          atm
                          cbq
                          dsmark
                          pfifo_fast
                          htb
                          prio

               Classification occurs in the POSTROUTING chain except when the SOURCE is
               $FW[:address] in which case classification occurs in the OUTPUT chain.

               When using Shorewall's built-in traffic shaping tool, the major class is the
               device number (the first device in shorewall-tcdevices[6](5) is major class 1, the
               second device is major class 2, and so on) and the minor class is the class's MARK
               value in shorewall-tcclasses[7](5) preceded by the number 1 (MARK 1 corresponds to
               minor class 11, MARK 5 corresponds to minor class 15, MARK 22 corresponds to minor
               class 122, etc.).

           ?COMMENT
               The rest of the line will be attached as a comment to the Netfilter rule(s)
               generated by the following entries. The comment will appear delimited by "/* ...
               */" in the output of shorewall show mangle

               To stop the comment from being attached to further rules, simply include ?COMMENT
               on a line by itself.

           CONMARK({mark|range})
               Identical to MARK with the exception that the mark is assigned to connection to
               which the packet belongs is marked rather than to the packet itself.

           CONTINUE
               Don't process any more marking rules in the table.

               Currently, CONTINUE may not be used with exclusion (see the SOURCE and DEST
               columns below); that restriction will be removed when iptables/Netfilter provides
               the necessary support.

           DEL(ipset:flags)
               Added in Shorewall 4.6.7. Causes an entry to be deleted from the named ipset. The
               flags specify the address or tuple to be deleted from the set and must match the
               type of ipset involved. For example, for an iphash ipset, either the SOURCE or
               DESTINATION address can be deleted using flags src or dst respectively (see the -D
               command in ipset (8)).

               DEL is non-terminating. Even if a packet matches the rule, it is passed on to the
               next rule.

           DIVERT
               Two DIVERT rule should precede the TPROXY rule and should select DEST PORT tcp 80
               and SOURCE PORT tcp 80 respectively (assuming that tcp port 80 is being proxied).
               DIVERT avoids sending packets to the TPROXY target once a socket connection to
               Squid3 has been established by TPROXY. DIVERT marks the packet with a unique mark
               and exempts it from any rules that follow.

           DIVERTHA
               Added in Shorewall 5.0.4. To setup the HAProxy configuration described at
               http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x,
               place this entry in shorewall-providers(5)[8]:

                   #NAME    NUMBER   MARK    DUPLICATE  INTERFACE GATEWAY         OPTIONS               COPY
                   TProxy   1        -       -          lo        -               tproxy

               and use this DIVERTHA entry:

                   #ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST    LENGTH  TOS   CONNBYTES         HELPER    PROBABILITY DSCP
                   DIVERTHA        -               -               tcp

           DROP
               Causes matching packets to be discarded.

           DSCP(dscp)
               Sets the Differentiated Services Code Point field in the IP header. The dscp value
               may be given as an even number (hex or decimal) or as the name of a DSCP class.
               Valid class names and their associated hex numeric values are:

                       CS0  => 0x00
                       CS1  => 0x08
                       CS2  => 0x10
                       CS3  => 0x18
                       CS4  => 0x20
                       CS5  => 0x28
                       CS6  => 0x30
                       CS7  => 0x38
                       BE   => 0x00
                       AF11 => 0x0a
                       AF12 => 0x0c
                       AF13 => 0x0e
                       AF21 => 0x12
                       AF22 => 0x14
                       AF23 => 0x16
                       AF31 => 0x1a
                       AF32 => 0x1c
                       AF33 => 0x1e
                       AF41 => 0x22
                       AF42 => 0x24
                       AF43 => 0x26
                       EF   => 0x2e

               To indicate more than one class, add their hex values together and specify the
               result. By default, DSCP rules are placed in the POSTROUTING chain.

           ECN
               Added in Shorewall 5.0.6 as an alternative to entries in shorewall-ecn(5)[9]. If a
               PROTO is specified, it must be 'tcp' (6). If no PROTO is supplied, TCP is assumed.
               This action causes all ECN bits in the TCP header to be cleared.

           IMQ(number)
               Specifies that the packet should be passed to the IMQ identified by number.
               Requires IMQ Target support in your kernel and iptables.

           INLINE[(action)]
               Allows you to place your own ip[6]tables matches at the end of the line following
               two semicolons (";;") (preferred) or a single semicolon (";") (deprecated). If an
               action is specified, the compiler proceeds as if that action had been specified in
               this column. If no action is specified, then you may include your own jump ("-j
               target [option] ...") after any matches specified at the end of the rule. If the
               target is not one known to Shorewall, then it must be defined as a builtin action
               in shorewall-actions[10] (5).

               The following rules are equivalent:

                   2:P                   eth0              -         tcp 22
                   INLINE(MARK(2)):P     eth0              -         tcp 22
                   INLINE(MARK(2)):P     eth0              -                 ;; -p tcp
                   INLINE                eth0              -         tcp 22  ;; -j MARK --set-mark 2
                   INLINE                eth0              -                 ;; -p tcp -j MARK --set-mark 2

           IPMARK
               Assigns a mark to each matching packet based on the either the source or
               destination IP address. By default, it assigns a mark value equal to the low-order
               8 bits of the source address. Default values are:
                   src
                   mask1 = 0xFF
                   mask2 = 0x00
                   shift = 0
               'src' and 'dst' specify whether the mark is to be based on the source or
               destination address respectively. The selected address is first shifted to the
               right by shift bits. The result is then LANDed with mask1 then LORed with mask2.

               In a sense, the IPMARK target is more like an IPCLASSIFY target in that the mark
               value is later interpreted as a class ID. A packet mark is 32 bits wide; so is a
               class ID. The <major> class occupies the high-order 16 bits and the <minor> class
               occupies the low-order 16 bits. So the class ID 1:4ff (remember that class IDs are
               always in hex) is equivalent to a mark value of 0x104ff. Remember that Shorewall
               uses the interface number as the <major> number where the first interface in
               tcdevices has <major> number 1, the second has <major> number 2, and so on.

               The IPMARK target assigns a mark to each matching packet based on the either the
               source or destination IP address. By default, it assigns a mark value equal to the
               low-order 8 bits of the source address. The syntax is as follows:
               IPMARK[([{src|dst}][,[mask1][,[mask2][,[shift]]]])] Default values are:
                   src
                   mask1 = 0xFF
                   mask2 = 0x00
                   shift = 0
               src and dst specify whether the mark is to be based on the source or destination
               address respectively. The selected address is first shifted right by shift, then
               LANDed with mask1 and then LORed with mask2. The shift argument is intended to be
               used primarily with IPv6 addresses.

               Example: IPMARK(src,0xff,0x10100)
                   Suppose that the source IP address is 192.168.4.3
                                       = 0xc0a80403; then
                   0xc0a80403 >> 0 = 0xc0a80403
                   0xc0a80403 LAND 0xFF = 0x03
                   0x03 LOR 0x10100 = 0x10103 or class ID
                                       1:103
               It is important to realize that, while class IDs are composed of a major and a
               minor value, the set of values must be unique. That is, the same numeric value
               cannot be used as both a major and a minor number for the same interface unless
               class nesting occurs (which is not currently possible with Shorewall). You should
               keep this in mind when deciding how to map IP addresses to class IDs.

               For example, suppose that your internal network is 192.168.1.0/29 (host IP
               addresses 192.168.1.1 - 192.168.1.6). Your first notion might be to use
               IPMARK(src,0xFF,0x10000) so as to produce class IDs 1:1 through 1:6. But 1:1 is an
               invalid class ID since the major and minor classes are equal. So you might choose
               instead to use IPMARK(src,0xFF,0x10100) as in the example above so that all of
               your minor classes will have a value > 256.

           IP6TABLES({target [option ...])
               IPv6 only.

               This action allows you to specify an iptables target with options (e.g.,
               'IP6TABLES(MARK --set-xmark 0x01/0xff)'. If the target is not one recognized by
               Shorewall, the following error message will be issued:
                   ERROR: Unknown target
                                     (target)
               This error message may be eliminated by adding the target as a builtin action in
               shorewall-actions(5)[10].

           IPTABLES({target [option ...])
               IPv4 only.

               This action allows you to specify an iptables target with options (e.g.,
               'IPTABLES(MARK --set-xmark 0x01/0xff)'. If the target is not one recognized by
               Shorewall, the following error message will be issued:
                   ERROR: Unknown target
                                     (target)
               This error message may be eliminated by adding the target as a builtin action in
               shorewall-actions(5)[10].

           MARK({mark|range})
               where mark is a packet mark value.

               Normally will set the mark value. If preceded by a vertical bar ("|"), the mark
               value will be logically ORed with the current mark value to produce a new mark
               value. If preceded by an ampersand ("&"), will be logically ANDed with the current
               mark value to produce a new mark value.

               Both "|" and "&" require Extended MARK Target support in your kernel and iptables.

               The mark value may be optionally followed by "/" and a mask value (used to
               determine those bits of the connection mark to actually be set). When a mask is
               specified, the result of logically ANDing the mark value with the mask must be the
               same as the mark value.

               A mark range is a pair of integers separated by a dash ("-").

               May be optionally followed by a slash ("/") and a mask and requires the Statistics
               Match capability in iptables and kernel. Marks in the specified range are assigned
               to packets on a round-robin fashion.

               When a mask is specified, the result of logically ANDing each mark value with the
               mask must be the same as the mark value. The least significant bit in the mask is
               used as an increment. For example, if '0x200-0x400/0xff00' is specified, then the
               assigned mark values are 0x200, 0x300 and 0x400 in equal proportions. If no mask
               is specified, then ( 2 ** MASK_BITS ) - 1 is assumed (MASK_BITS is set in
               shorewall.conf[4](5)).

           NFLOG[(nflog-parameters)]
               Added in Shorewall 5.0.9. Logs matching packets using NFLOG. The nflog-parameters
               are a comma-separated list of up to 3 numbers:

               •   The first number specifies the netlink group (0-65535). If omitted (e.g.,
                   NFLOG(,0,10)) then a value of 0 is assumed.

               •   The second number specifies the maximum number of bytes to copy. If omitted, 0
                   (no limit) is assumed.

               •   The third number specifies the number of log messages that should be buffered
                   in the kernel before they are sent to user space. The default is 1.

           RESTORE[(mask)]
               Restore the packet's mark from the connection's mark using the supplied mask if
               any. Your kernel and iptables must include CONNMARK support.

           SAME[(timeout)]
               Some websites run applications that require multiple connections from a client
               browser. Where multiple 'balanced' providers are configured, this can lead to
               problems when some of the connections are routed through one provider and some
               through another. The SAME target allows you to work around that problem. SAME may
               be used in the PREROUTING and OUTPUT chains. When used in PREROUTING, it causes
               matching connections from an individual local system to all use the same provider.
               For example:

                   #ACTION           SOURCE         DEST         PROTO      DPORT
                   SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443

               If a host in 192.168.1.0/24 attempts a connection on TCP port 80 or 443 and it has
               sent a packet on either of those ports in the last five minutes then the new
               connection will use the same provider as the connection over which that last
               packet was sent.

               When used in the OUTPUT chain, it causes all matching connections to an individual
               remote system to all use the same provider. For example:

                   #ACTION           SOURCE         DEST         PROTO      DPORT
                   SAME              $FW            0.0.0.0/0    tcp        80,443

               The optional timeout parameter was added in Shorewall 4.6.7 and specifies a number
               of seconds . When not specified, a value of 300 seconds (5 minutes) is assumed. If
               the firewall attempts a connection on TCP port 80 or 443 and it has sent a packet
               on either of those ports in the last timeout seconds to the same remote system
               then the new connection will use the same provider as the connection over which
               that last packet was sent.

           SAVE[(mask)]
               Save the packet's mark to the connection's mark using the supplied mask if any.
               Your kernel and iptables must include CONNMARK support.

           TCPMSS([mss[,ipsec]])
               Added in Shorewall 5.1.9. This target only applies to TCP traffic and alters the
               MSS value in SYN packets. It may be used in the FORWARD and POSTROUTING chains;
               the default is FORWARD.

               The mss parameter may be either pmtu or an integer in the range 500:65533. The
               value pmtu automatically clamps the MSS value to (path_MTU - 40 for IPv4; -60 for
               IPv6). This may not function as desired where asymmetric routes with differing
               path MTU exist — the kernel uses the path MTU which it would use to send packets
               from itself to the source and destination IP addresses. Prior to Linux 2.6.25,
               only the path MTU to the destination IP address was considered by this option;
               subsequent kernels also consider the path MTU to the source IP address. If an
               integer is given, the MSS option is set to the specified value. If the MSS of the
               packet is already lower than mss, it will not be increased (from Linux 2.6.25
               onwards) to avoid more problems with hosts relying on a proper MSS. If mss is
               omitted, pmtu is assumed.

               The ipsec parameter determines whether the rule applies to IPSEC traffic (ipsec is
               passed), non-IPSEC traffic (none is passed) or both (all is passed). If omitted,
               all is assumed.

           TOS(tos[/mask])
               Sets the Type of Service field in the IP header. The tos value may be given as an
               number (hex or decimal) or as the name of a TOS type. Valid type names and their
               associated hex numeric values are:

                   Minimize-Delay       => 0x10,
                   Maximize-Throughput  => 0x08,
                   Maximize-Reliability => 0x04,
                   Minimize-Cost        => 0x02,
                   Normal-Service       => 0x00

               To indicate more than one class, add their hex values together and specify the
               result.

               When tos is given as a number, it may be optionally followed by '/' and a mask.
               When no mask is given, the value 0xff is assumed. When tos is given as a type
               name, the mask 0x3f is assumed.

               The action performed is to zero out the bits specified by the mask, then set the
               bits specified by tos.

           TPROXY([port[,address]])
               Transparently redirects a packet without altering the IP header. Requires a tproxy
               provider to be defined in shorewall-providers[8](5).

               There are three parameters to TPROXY - neither is required:

               •   port - the port on which the proxy server is listening. If omitted, the
                   original destination port.

               •   address - a local (to the firewall) IP address on which the proxy server is
                   listening. If omitted, the IP address of the interface on which the request
                   arrives.

           TTL([-|+]number)
               If + is included, packets matching the rule will have their TTL incremented by
               number. Similarly, if - is included, matching packets have their TTL decremented
               by number. If neither + nor - is given, the TTL of matching packets is set to
               number. The valid range of values for number is 1-255.

       SOURCE - {-|source-spec[,...]}
           where source-spec is one of:

           interface
               where interface is the logical name of an interface defined in
               shorewall-interfaces[11](5). Matches packets entering the firewall from the named
               interface. May not be used in CLASSIFY rules or in rules using the :T chain
               qualifier.

           address[,...][exclusion]
               where address is: A host or network IP address.

               The name of an ipset preceded by a plus sign ("+").

               A MAC address in Shorewall format (preceded by a tilde ("~") and using dash ("-")
               as a separator (e.g., ~00-A0-C9-15-39-78).  Matches traffic whose source IP
               address matches one of the listed addresses and that does not match an address
               listed in the exclusion (see shorewall-exclusion[12](5)).

               This form will not match traffic that originates on the firewall itself unless
               either <major><minor> or the :T chain qualifier is used in the ACTION column.

           interface:address,[...][exclusion]
               This form combines the preceding two forms and matches when both the incoming
               interface and source IP address match.

           interface:exclusion
               This form matches packets arriving through the named interface and whose source IP
               address does not match any of the addresses in the exclusion.

           $FW
               Matches packets originating on the firewall system. May not be used with a chain
               qualifier (:P, :F, etc.) in the ACTION column.

           $FW:address[,...][exclusion]
               where address is as above (MAC addresses are not permitted). Matches packets
               originating on the firewall and whose source IP address matches one of the listed
               addresses and does not match any address listed in the exclusion. May not be used
               with a chain qualifier (:P, :F, etc.) in the ACTION column.

           $FW:exclusion
               Matches traffic originating on the firewall, provided that the source IP address
               does not match any address listed in the exclusion.

           Beginning with Shorewall 5.1.0, multiple source_specs, separated by commas, may be
           given provided that the following alternative forms are used:
           (address[,...][exclusion])

           interface:(address[,...][exclusion])

           interface:(exclusion)

           $FW:(address[,...][exclusion])

           $FW:(exclusion)

       DEST - {-|dest-spec[,...]}
           where dest-spec is one of:

           interface
               where interface is the logical name of an interface defined in
               shorewall-interfaces[11](5). Matches packets leaving the firewall through the
               named interface. May not be used in the PREROUTING chain (:P in the mark column or
               no chain qualifier and MARK_IN_FORWARD_CHAIN=No in shorewall.conf[13] (5)).

           address[,...][exclusion]
               where address is: A host or network IP address.

               The name of an ipset preceded by a plus sign ("+").

               A MAC address in Shorewall format (preceded by a tilde ("~") and using dash ("-")
               as a separator (e.g., ~00-A0-C9-15-39-78).  Matches traffic whose destination IP
               address matches one of the listed addresses and that does not match an address
               listed in the exclusion (see shorewall-exclusion[12](5)).

           interface:address,[...][exclusion]
               This form combines the preceding two forms and matches when both the outgoing
               interface and destination IP address match. May not be used in the PREROUTING
               chain (:P in the mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in
               shorewall.conf[13] (5)).

           interface:exclusion
               This form matches packets leaving through the named interface and whose
               destination IP address does not match any of the addresses in the exclusion. May
               not be used in the PREROUTING chain (:P in the mark column or no chain qualifier
               and MARK_IN_FORWARD_CHAIN=No in shorewall.conf[13] (5)).

           $FW
               Matches packets originating on the firewall system. May not be used with a chain
               qualifier (:P, :F, etc.) in the ACTION column.

           $FW:address[,...][exclusion]
               where address is as above (MAC addresses are not permitted). Matches packets
               destined for the firewall and whose destination IP address matches one of the
               listed addresses and does not match any address listed in the exclusion. May not
               be used with a chain qualifier (:P, :F, etc.) in the ACTION column.

           $FW:exclusion
               Matches traffic destined for the firewall, provided that the destination IP
               address does not match any address listed in the exclusion.

           Beginning with Shorewall 5.1.0, multiple dest_specs, separated by commas, may be given
           provided that the following alternative forms are used: (address[,...][exclusion])

           interface:(address[,...][exclusion])

           interface:(exclusion)

           $FW:(address[,...][exclusion])

           $FW:(exclusion)

       PROTO - {-|{tcp:[!]syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}[,...]}
           See shorewall-rules(5)[2] for details.

           Beginning with Shorewall 4.5.12, this column can accept a comma-separated list of
           protocols.

       DPORT- {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset}
           Optional destination Ports. A comma-separated list of Port names (from services(5)),
           port numbers or port ranges; if the protocol is icmp, this column is interpreted as
           the destination icmp-type(s). ICMP types may be specified as a numeric type, a numeric
           type and code separated by a slash (e.g., 3/4), or a typename. See
           http://www.shorewall.net/configuration_file_basics.htm#ICMP[14].

           If the protocol is ipp2p, this column is interpreted as an ipp2p option without the
           leading "--" (example bit for bit-torrent). If no PORT is given, ipp2p is assumed.

           An entry in this field requires that the PROTO column specify icmp (1), tcp (6), udp
           (17), sctp (132) or udplite (136). Use '-' if any of the following field is supplied.

           Beginning with Shorewall 4.6.0, an ipset name can be specified in this column. This is
           intended to be used with bitmap:port ipsets.

           This column was formerly named DEST PORT(S).

       SPORT - {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset}
           Optional source port(s). If omitted, any source port is acceptable. Specified as a
           comma-separated list of port names, port numbers or port ranges.

           An entry in this field requires that the PROTO column specify tcp (6), udp (17), sctp
           (132) or udplite (136). Use '-' if any of the following fields is supplied.

           Beginning with Shorewall 4.5.15, you may place '=' in this column, provided that the
           DPORT column is non-empty. This causes the rule to match when either the source port
           or the destination port in a packet matches one of the ports specified in DEST
           PORTS(S). Use of '=' requires multi-port match in your iptables and kernel.

           Beginning with Shorewall 4.6.0, an ipset name can be specified in this column. This is
           intended to be used with bitmap:port ipsets.

           This column was formerly labelled SOURCE PORT(S).

       USER - [!][user-name-or-number][:group-name-or-number][+program-name]
           This optional column may only be non-empty if the SOURCE is the firewall itself.

           When this column is non-empty, the rule applies only if the program generating the
           output is running under the effective user and/or group specified (or is NOT running
           under that id if "!" is given).

           Examples:

           joe
               program must be run by joe

           :kids
               program must be run by a member of the 'kids' group

           !:kids
               program must not be run by a member of the 'kids' group

           +upnpd
               #program named upnpd

                   Important
                   The ability to specify a program name was removed from Netfilter in kernel
                   version 2.6.14.

       TEST - [!]value[/mask][:C]
           Optional - Defines a test on the existing packet or connection mark. The rule will
           match only if the test returns true.

           If you don't want to define a test but need to specify anything in the following
           columns, place a "-" in this field.

           !
               Inverts the test (not equal)

           value
               Value of the packet or connection mark.

           mask
               A mask to be applied to the mark before testing.

           :C
               Designates a connection mark. If omitted, the packet mark's value is tested.

       LENGTH - [length|[min]:[max]]
           Optional - packet payload length. This field, if present allow you to match the length
           of a packet payload (Layer 4 data ) against a specific value or range of values. You
           must have iptables length support for this to work. A range is specified in the form
           min:max where either min or max (but not both) may be omitted. If min is omitted, then
           0 is assumed; if max is omitted, than any packet that is min or longer will match.

       TOS - tos
           Type of service. Either a standard name, or a numeric value to match.

                        Minimize-Delay (16)
                        Maximize-Throughput (8)
                        Maximize-Reliability (4)
                        Minimize-Cost (2)
                        Normal-Service (0)

       CONNBYTES - [!]min:[max[:{O|R|B}[:{B|P|A}]]]
           Optional connection Bytes; defines a byte or packet range that the connection must
           fall within in order for the rule to match.

           A packet matches if the the packet/byte count is within the range defined by min and
           max (unless ! is given in which case, a packet matches if the packet/byte count is not
           within the range).  min is an integer which defines the beginning of the byte/packet
           range.  max is an integer which defines the end of the byte/packet range; if omitted,
           only the beginning of the range is checked. The first letter gives the direction which
           the range refers to:O - The original direction of the connection. .sp - The opposite
           direction from the original connection. .sp B - The total of both directions.

           If omitted, B is assumed.

           The second letter determines what the range refers to.B - Bytes .sp P - Packets .sp A
           - Average packet size.If omitted, B is assumed.

       HELPER - helper
           Names a Netfilter protocol helper module such as ftp, sip, amanda, etc. A packet will
           match if it was accepted by the named helper module.

           Example: Mark all FTP data connections with mark 4:

               #ACTION   SOURCE    DEST      PROTO   DPORT      SPORT   USER TEST LENGTH TOS CONNBYTES HELPER
               4:T       0.0.0.0/0 0.0.0.0/0 TCP     -          -       -    -    -      -   -         ftp

       PROBABILITY - [probability]
           Added in Shorewall 4.5.0. When non-empty, requires the Statistics Match capability in
           your kernel and ip6tables and causes the rule to match randomly but with the given
           probability. The probability is a number 0 < probability <= 1 and may be expressed at
           up to 8 decimal points of precision.

       DSCP - [[!]dscp]
           Added in Shorewall 4.5.1. When non-empty, match packets whose Differentiated Service
           Code Point field matches the supplied value (when '!' is given, the rule matches
           packets whose DSCP field does not match the supplied value). The dscp value may be
           given as an even number (hex or decimal) or as the name of a DSCP class. Valid class
           names and their associated hex numeric values are:

                   CS0  => 0x00
                   CS1  => 0x08
                   CS2  => 0x10
                   CS3  => 0x18
                   CS4  => 0x20
                   CS5  => 0x28
                   CS6  => 0x30
                   CS7  => 0x38
                   BE   => 0x00
                   AF11 => 0x0a
                   AF12 => 0x0c
                   AF13 => 0x0e
                   AF21 => 0x12
                   AF22 => 0x14
                   AF23 => 0x16
                   AF31 => 0x1a
                   AF32 => 0x1c
                   AF33 => 0x1e
                   AF41 => 0x22
                   AF42 => 0x24
                   AF43 => 0x26
                   EF   => 0x2e

       STATE -- {NEW|RELATED|ESTABLISHED|INVALID} [,...]
           The rule will only match if the packet's connection is in one of the listed states.

       TIME - timeelement[&timeelement...]
           Added in Shorewall 4.6.2.

           May be used to limit the rule to a particular time period each day, to particular days
           of the week or month, or to a range defined by dates and times. Requires time match
           support in your kernel and ip6tables.

           timeelement may be:

           timestart=hh:mm[:ss]
               Defines the starting time of day.

           timestop=hh:mm[:ss]
               Defines the ending time of day.

           contiguous
               Added in Shoreawll 5.0.12. When timestop is smaller than timestart value, match
               this as a single time period instead of distinct intervals.

           utc
               Times are expressed in Greenwich Mean Time.

           localtz
               Deprecated by the Netfilter team in favor of kerneltz. Times are expressed in
               Local Civil Time (default).

           kerneltz
               Added in Shorewall 4.5.2. Times are expressed in Local Kernel Time (requires
               iptables 1.4.12 or later).

           weekdays=ddd[,ddd]...
               where ddd is one of Mon, Tue, Wed, Thu, Fri, Sat or Sun

           monthdays=dd[,dd],...
               where dd is an ordinal day of the month

           datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
               Defines the starting date and time.

           datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
               Defines the ending date and time.

       SWITCH - [!]switch-name[={0|1}]
           Added in Shorewall 5.1.0 and allows enabling and disabling the rule without requiring
           shorewall restart.

           The rule is enabled if the value stored in /proc/net/nf_condition/switch-name is 1.
           The rule is disabled if that file contains 0 (the default). If '!' is supplied, the
           test is inverted such that the rule is enabled if the file contains 0.

           Within the switch-name, '@0' and '@{0}' are replaced by the name of the chain to which
           the rule is a added. The switch-name (after '@...' expansion) must begin with a letter
           and be composed of letters, decimal digits, underscores or hyphens. Switch names must
           be 30 characters or less in length.

           Switches are normally off. To turn a switch on:
               echo 1 >
                           /proc/net/nf_condition/switch-name
           To turn it off again:
               echo 0 >
                           /proc/net/nf_condition/switch-name
           Switch settings are retained over shorewall restart.

           When the switch-name is followed by =0 or =1, then the switch is initialized to off or
           on respectively by the start command. Other commands do not affect the switch setting.

EXAMPLE

       IPv4 Example 1:
           Mark all ICMP echo traffic with packet mark 1. Mark all peer to peer traffic with
           packet mark 4.

           This is a little more complex than otherwise expected. Since the ipp2p module is
           unable to determine all packets in a connection are P2P packets, we mark the entire
           connection as P2P if any of the packets are determined to match.

           We assume packet/connection mark 0 means unclassified.

                      #ACTION    SOURCE    DEST         PROTO   DPORT         SPORT   USER    TEST
                      MARK(1):T  0.0.0.0/0 0.0.0.0/0    icmp    echo-request
                      MARK(1):T  0.0.0.0/0 0.0.0.0/0    icmp    echo-reply
                      RESTORE:T  0.0.0.0/0 0.0.0.0/0    all     -             -       -       0
                      CONTINUE:T 0.0.0.0/0 0.0.0.0/0    all     -             -       -       !0
                      MARK(4):T  0.0.0.0/0 0.0.0.0/0   ipp2p:all
                      SAVE:T     0.0.0.0/0 0.0.0.0/0   all     -             -       -       !0

           If a packet hasn't been classified (packet mark is 0), copy the connection mark to the
           packet mark. If the packet mark is set, we're done. If the packet is P2P, set the
           packet mark to 4. If the packet mark has been set, save it to the connection mark.

       IPv4 Example 2:
           SNAT outgoing connections on eth0 from 192.168.1.0/24 in round-robin fashion between
           addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9 (Shorewall 4.5.9 and later).

               /etc/shorewall/mangle:

                      #ACTION            SOURCE         DEST         PROTO   DPORT         SPORT   USER    TEST
                      CONNMARK(1-3):F    192.168.1.0/24 eth0 ; state=NEW

               /etc/shorewall/snat:

                      #ACTION          SOURCE              DEST     ...
                      SNAT(1.1.1.1)    eth0:192.168.1.0/24 - { mark=1:C }
                      SNAT(1.1.1.3)    eth0:192.168.1.0/24 - { mark=2:C }
                      SNAT(1.1.1.4)    eth0:192.168.1.0/24 - { mark=3:C }

       IPv6 Example 1:
           Mark all ICMP echo traffic with packet mark 1. Mark all peer to peer traffic with
           packet mark 4.

           This is a little more complex than otherwise expected. Since the ipp2p module is
           unable to determine all packets in a connection are P2P packets, we mark the entire
           connection as P2P if any of the packets are determined to match.

           We assume packet/connection mark 0 means unclassified.

                      #ACTION    SOURCE    DEST         PROTO   DPORT         SPORT   USER    TEST
                      MARK(1):T  ::/0      ::/0         icmp    echo-request
                      MARK(1):T  ::/0      ::/0         icmp    echo-reply
                      RESTORE:T  ::/0      ::/0         all     -             -       -       0
                      CONTINUE:T ::/0      ::/0         all     -             -       -       !0
                      MARK(4):T  ::/0      ::/0         ipp2p:all
                      SAVE:T     ::/0      ::/0         all     -             -       -       !0

           If a packet hasn't been classified (packet mark is 0), copy the connection mark to the
           packet mark. If the packet mark is set, we're done. If the packet is P2P, set the
           packet mark to 4. If the packet mark has been set, save it to the connection mark.

FILES

       /etc/shorewall/mangle

       /etc/shorewall6/mangle

SEE ALSO

       http://www.shorewall.net/traffic_shaping.htm[15]

       http://www.shorewall.net/MultiISP.html[3]

       http://www.shorewall.net/PacketMarking.html[16]

       http://www.shorewall.net/configuration_file_basics.htm#Pairs[17]

       shorewall(8)

NOTES

        1. shorewall-tcrules(5)
           http://www.shorewall.net/manpages/shorewall-tcrules.html

        2. shorewall-rules
           http://www.shorewall.net/manpages/shorewall-rules.html

        3. http://www.shorewall.net/MultiISP.html
           http://www.shorewall.net/MultiISP.html

        4. shorewall.conf(5)
           http://www.shorewall.net/manpages/shorewall.conf.html

        5. shorewall-actions(5)
           http://www.shorewall.netmanpages/shorewall-actions.html

        6. shorewall-tcdevices
           http://www.shorewall.net/manpages/shorewall-tcdevices.html

        7. shorewall-tcclasses
           http://www.shorewall.net/manpages/shorewall-tcclasses.html

        8. shorewall-providers(5)
           http://www.shorewall.net/manpages/shorewall-providers.html

        9. shorewall-ecn(5)
           http://www.shorewall.net/manpages/shorewall-ecn.html

       10. shorewall-actions
           http://www.shorewall.net/manpages/shorewall-actions.html

       11. shorewall-interfaces
           http://www.shorewall.net/manpages/shorewall-interfaces.html

       12. shorewall-exclusion
           http://www.shorewall.net/manpages/shorewall-exclusion.html

       13. shorewall.conf
           http://www.shorewall.net/manpages/shorewall.conf

       14. http://www.shorewall.net/configuration_file_basics.htm#ICMP
           http://www.shorewall.net/configuration_file_basics.htm#ICMP

       15. http://www.shorewall.net/traffic_shaping.htm
           http://www.shorewall.net/traffic_shaping.htm

       16. http://www.shorewall.net/PacketMarking.html
           http://www.shorewall.net/PacketMarking.html

       17. http://www.shorewall.net/configuration_file_basics.htm#Pairs
           http://www.shorewall.net/configuration_file_basics.htm#Pairs