shorewall-tcrules

Langue: en

Version: 12/15/2008 (ubuntu - 08/07/09)

Section: 5 (Format de fichier)

NAME

tcrules - Shorewall Packet Marking rules file

SYNOPSIS

/etc/shorewall/

DESCRIPTION

Entries in this file cause packets to be marked as a means of classifying them for traffic control or policy routing.


Important

Unlike rules in the shorewall-rules[1](5) file, evaluation of rules in this file will continue after a match. So the final mark for each packet will be the one assigned by the LAST tcrule that matches.

If you use multiple internet providers with the 'track' option, in /etc/shorewall/providers be sure to read the restrictions at http://shorewall.net/MultiISP.html.

The columns in the file are as follows.

MARK/CLASSIFY - {value|major:minor|RESTORE[/mask]|SAVE[/mask]|CONTINUE|COMMENT}[:{C|F|P|T|CF|CP|CT}]

May assume one of the following values.
1.A mark value which is an integer in the range 1-255.
Normally will set the mark value. If preceded by a vertical bar ("|"), the mark value will be logically ORed with the current mark value to produce a new mark value. If preceded by an ampersand ("&"), will be logically ANDed with the current mark value to produce a new mark value.
Both "|" and "&" require Extended MARK Target support in your kernel and iptables; neither may be used with connection marks (see below).
May optionally be followed by :P, :F or :T where :P indicates that marking should occur in the PREROUTING chain, :F indicates that marking should occur in the FORWARD chain and :T indicates that marking should occur in the POSTROUTING chain. If neither :P, :F nor :T follow the mark value then the chain is determined as follows:
- If the SOURCE is $FW[:address-or-range[,address-or-range]...], then the rule is inserted into the OUTPUT chain.
- Otherwise, the chain is determined by the setting of MARK_IN_FORWARD_CHAIN in shorewall.conf[2](5).
If your kernel and iptables include CONNMARK support then you can also mark the connection rather than the packet.
The mark value may be optionally followed by "/" and a mask value (used to determine those bits of the connection mark to actually be set). The mark and optional mask are then followed by one of:+
C
Mark the connection in the chain determined by the setting of MARK_IN_FORWARD_CHAIN

CF

Mark the connection in the FORWARD chain

CP

Mark the connection in the PREROUTING chain.

CT

Mark the connecdtion in the POSTROUTING chain

Special considerations for If HIGH_ROUTE_MARKS=Yes in shorewall.conf[2](5).

If HIGH_ROUTE_MARKS=Yes, then you may also specify a value in the range 0x0100-0xFF00 with the low-order byte being zero. Such values may only be used in the PREROUTING chain (value followed by :P or you have set MARK_IN_FORWARD_CHAIN=No in shorewall.conf[2](5) and have not followed the value with :F) or the OUTPUT chain (SOURCE is $FW). With HIGH_ROUTE_MARKS=Yes, non-zero mark values less that 256 are not permitted. Shorewall 4.1 and later versions prohibit non-zero mark values less that 256 in the OUTPUT chain when HIGH_ROUTE_MARKS=Yes. While earlier versions allow such values in the OUTPUT chain, it is strongly recommended that with HIGH_ROUTE_MARKS=Yes, you use the POSTROUTING chain to apply traffic shaping marks/classification.

2.A classification Id (classid) of the form major:minor where major and minor are integers. Corresponds to the 'class' specification in these traffic shaping modules:
        atm
        cbq
        dsmark
        pfifo_fast
        htb
        prio
 
Classification occurs in the POSTROUTING chain except when the SOURCE is $FW[:address] in which case classification occurs in the OUTPUT chain.

When using Shorewall's built-in traffic shaping tool, the major class is the device number (the first device in shorewall-tcdevices[3](5) is major class 1, the second device is major class 2, and so on) and the minor class is the class's MARK value in shorewall-tcclasses[4](5) preceded by the number 1 (MARK 1 corresponds to minor class 11, MARK 5 corresponds to minor class 15, MARK 22 corresponds to minor class 122, etc.).

3.RESTORE[/mask] -- restore the packet's mark from the connection's mark using the supplied mask if any. Your kernel and iptables must include CONNMARK support.
As in 1) above, may be followed by :P or :F
4.SAVE[/mask] -- save the packet's mark to the connection's mark using the supplied mask if any. Your kernel and iptables must include CONNMARK support.
As in 1) above, may be followed by :P or :F
5.CONTINUE Don't process any more marking rules in the table.
As in 1) above, may be followed by :P or :F. Currently, CONTINUE may not be used with exclusion (see the SOURCE and DEST columns below); that restriction will be removed when iptables/Netfilter provides the necessary support.
6.COMMENT -- the rest of the line will be attached as a comment to the Netfilter rule(s) generated by the following entries. The comment will appear delimited by "/* ... */" in the output of shorewall show mangle
To stop the comment from being attached to further rules, simply include COMMENT on a line by itself.

SOURCE - {-|{interface|$FW}|[{interface|$FW}:]address-or-range[,address-or-range]...}[exclusion]

Source of the packet. A comma-separated list of interface names, IP addresses, MAC addresses and/or subnets for packets being routed through a common path. List elements may also consist of an interface name followed by ":" and an address (e.g., eth1:192.168.1.0/24). For example, all packets for connections masqueraded to eth0 from other interfaces can be matched in a single rule with several alternative SOURCE criteria. However, a connection whose packets gets to eth0 in a different way, e.g., direct from the firewall itself, needs a different rule.
Accordingly, use $FW in its own separate rule for packets originating on the firewall. In such a rule, the MARK column may NOT specify either :P or :F because marking for firewall-originated packets always occurs in the OUTPUT chain.
MAC addresses must be prefixed with "~" and use "-" as a separator.
Example: ~00-A0-C9-15-39-78
You may exclude certain hosts from the set already defined through use of an exclusion (see shorewall-exclusion[5](5)).

DEST - {-|{interface|[interface:]address-or-range[,address-or-range]...}[exclusion]

Destination of the packet. Comma separated list of IP addresses and/or subnets. If your kernel and iptables include iprange match support, IP address ranges are also allowed. List elements may also consist of an interface name followed by ":" and an address (e.g., eth1:192.168.1.0/24). If the MARK column specificies a classification of the form major:minor then this column may also contain an interface name.
You may exclude certain hosts from the set already defined through use of an exclusion (see shorewall-exclusion[5](5)).

PROTO - {-|tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}

Protocol - ipp2p requires ipp2p match support in your kernel and iptables.

PORT(S) (Optional) - [-|port-name-number-or-range[,port-name-number-or-range]...]

Destination Ports. A comma-separated list of Port names (from services(5)), port numbers or port ranges; if the protocol is icmp, this column is interpreted as the destination icmp-type(s).
If the protocol is ipp2p, this column is interpreted as an ipp2p option without the leading "--" (example bit for bit-torrent). If no PORT is given, ipp2p is assumed.
This column is ignored if PROTOCOL = all but must be entered if any of the following field is supplied. In that case, it is suggested that this field contain "-"

SOURCE PORT(S) (Optional) - [-|port-name-number-or-range[,port-name-number-or-range]...]

Source port(s). If omitted, any source port is acceptable. Specified as a comma-separated list of port names, port numbers or port ranges.

USER (Optional) - [!][user-name-or-number][:group-name-or-number][+program-name]

This column may only be non-empty if the SOURCE is the firewall itself.
When this column is non-empty, the rule applies only if the program generating the output is running under the effective user and/or group specified (or is NOT running under that id if "!" is given).
Examples:
joe
program must be run by joe

:kids

program must be run by a member of the 'kids' group

!:kids

program must not be run by a member of the 'kids' group

+upnpd

#program named upnpd

Important The ability to specify a program name was removed from Netfilter in kernel version 2.6.14.

TEST - [!]value[/mask][:C]

Defines a test on the existing packet or connection mark. The rule will match only if the test returns true.
If you don't want to define a test but need to specify anything in the following columns, place a "-" in this field.
!
Inverts the test (not equal)

value

Value of the packet or connection mark.

mask

A mask to be applied to the mark before testing.

:C

Designates a connection mark. If omitted, the packet mark's value is tested.

LENGTH (Optional) - [length|[min]:[max]]

Packet Length. This field, if present allow you to match the length of a packet against a specific value or range of values. You must have iptables length support for this to work. A range is specified in the form min:max where either min or max (but not both) may be omitted. If min is omitted, then 0 is assumed; if max is omitted, than any packet that is min or longer will match.

TOS - tos

Type of service. Either a standard name, or a numeric value to match.
          Minimize-Delay (16)
          Maximize-Throughput (8)
          Maximize-Reliability (4)
          Minimize-Cost (2)
          Normal-Service (0)
 

EXAMPLE

Example 1:

Mark all ICMP echo traffic with packet mark 1. Mark all peer to peer traffic with packet mark 4.
This is a little more complex than otherwise expected. Since the ipp2p module is unable to determine all packets in a connection are P2P packets, we mark the entire connection as P2P if any of the packets are determined to match.
We assume packet/connection mark 0 means unclassified.
        #MARK/    SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
        #CLASSIFY                                              PORT(S)
        1         0.0.0.0/0 0.0.0.0/0    icmp    echo-request
        1         0.0.0.0/0 0.0.0.0/0    icmp    echo-reply
        RESTORE   0.0.0.0/0 0.0.0.0/0    all     -             -       -       0
        CONTINUE  0.0.0.0/0 0.0.0.0/0    all     -             -       -       !0
        4         0.0.0.0/0 0.0.0.0/0    ipp2p:all
        SAVE      0.0.0.0/0 0.0.0.0/0    all     -             -       -       !0
 
If a packet hasn't been classifed (packet mark is 0), copy the connection mark to the packet mark. If the packet mark is set, we're done. If the packet is P2P, set the packet mark to 4. If the packet mark has been set, save it to the connection mark.

FILES

/etc/shorewall/tcrules

SEE ALSO

http://shorewall.net/traffic_shaping.htm

http://shorewall.net/MultiISP.html

http://shorewall.net/PacketMarking.html

shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5), shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)

NOTES

1.
shorewall-rules
shorewall-rules.html
2.
shorewall.conf
shorewall.conf.html
3.
shorewall-tcdevices
shorewall-tcdevices.html
4.
shorewall-tcclasses
shorewall-tcclasses.html
5.
shorewall-exclusion
shorewall-exclusion.html