shorewall-tcrules.5

sharewall is very good

.\"     Title: shorewall-tcrules
.\"    Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
.\"      Date: 03/19/2009
.\"    Manual: [FIXME: manual]
.\"    Source: [FIXME: source]
.\"  Language: English
.\"
.TH "SHOREWALL\-TCRULES" "5" "03/19/2009" "[FIXME: source]" "[FIXME: manual]"
.\" -----------------------------------------------------------------
.\" * (re)Define some macros
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" toupper - uppercase a string (locale-aware)
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de toupper
.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
\\$*
.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" SH-xref - format a cross-reference to an SH section
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de SH-xref
.ie n \{\
.\}
.toupper \\$*
.el \{\
\\$*
.\}
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" SH - level-one heading that works better for non-TTY output
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de1 SH
.\" put an extra blank line of space above the head in non-TTY output
.if t \{\
.sp 1
.\}
.sp \\n[PD]u
.nr an-level 1
.set-an-margin
.nr an-prevailing-indent \\n[IN]
.fi
.in \\n[an-margin]u
.ti 0
.HTML-TAG ".NH \\n[an-level]"
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
\." make the size of the head bigger
.ps +3
.ft B
.ne (2v + 1u)
.ie n \{\
.\" if n (TTY output), use uppercase
.toupper \\$*
.\}
.el \{\
.nr an-break-flag 0
.\" if not n (not TTY), use normal case (not uppercase)
\\$1
.in \\n[an-margin]u
.ti 0
.\" if not n (not TTY), put a border/line under subheading
.sp -.6
\l'\n(.lu'
.\}
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" SS - level-two heading that works better for non-TTY output
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de1 SS
.sp \\n[PD]u
.nr an-level 1
.set-an-margin
.nr an-prevailing-indent \\n[IN]
.fi
.in \\n[IN]u
.ti \\n[SN]u
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.ps \\n[PS-SS]u
\." make the size of the head bigger
.ps +2
.ft B
.ne (2v + 1u)
.if \\n[.$] \&\\$*
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" BB/BE - put background/screen (filled box) around block of text
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de BB
.if t \{\
.sp -.5
.br
.in +2n
.ll -2n
.gcolor red
.di BX
.\}
..
.de EB
.if t \{\
.if "\\$2"adjust-for-leading-newline" \{\
.sp -1
.\}
.br
.di
.in
.ll
.gcolor
.nr BW \\n(.lu-\\n(.i
.nr BH \\n(dn+.5v
.ne \\n(BHu+.5v
.ie "\\$2"adjust-for-leading-newline" \{\
\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
.\}
.el \{\
\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
.\}
.in 0
.sp -.5v
.nf
.BX
.in
.sp .5v
.fi
.\}
..
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" BM/EM - put colored marker in margin next to block of text
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.de BM
.if t \{\
.br
.ll -2n
.gcolor red
.di BX
.\}
..
.de EM
.if t \{\
.br
.di
.ll
.gcolor
.nr BH \\n(dn
.ne \\n(BHu
\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
.in 0
.nf
.BX
.in
.fi
.\}
..
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "Name"
tcrules \- Shorewall Packet Marking rules file
.SH "Synopsis"
.fam C
.HP \w'\fB/etc/shorewall/rules\fR\ 'u
\fB/etc/shorewall/rules\fR
.fam
.SH "Description"
.PP
Entries in this file cause packets to be marked as a means of classifying them for traffic control or policy routing\&.
.if n \{\
.sp
.\}
.RS 4
.BM yellow
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBImportant\fR
.ps -1
.br
.PP
Unlike rules in the
\m[blue]\fBshorewall\-rules\fR\m[]\&\s-2\u[1]\d\s+2(5) file, evaluation of rules in this file will continue after a match\&. So the final mark for each packet will be the one assigned by the LAST tcrule that matches\&.
.PP
If you use multiple internet providers with the \'track\' option, in /etc/shorewall/providers be sure to read the restrictions at
\m[blue]\fBhttp://shorewall\&.net/MultiISP\&.html\fR\m[]\&.
.sp .5v
.EM yellow
.RE
.PP
The columns in the file are as follows\&.
.PP
\fBMARK/CLASSIFY\fR \- {\fIvalue\fR|\fImajor\fR\fB:\fR\fIminor\fR|\fBRESTORE\fR[\fB/\fR\fImask\fR]|\fBSAVE\fR[\fB/\fR\fImask\fR]|\fBCONTINUE\fR|\fBCOMMENT\fR}[\fB:\fR{\fBC\fR|\fBF\fR|\fBP\fR|\fBT\fR|\fBCF\fR|\fBCP\fR|\fBCT\fR}]
.RS 4
May assume one of the following values\&.
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  1." 4.2
.\}
A mark
\fIvalue\fR
which is an integer in the range 1\-255\&.
.sp
Normally will set the mark value\&. If preceded by a vertical bar ("|"), the mark value will be logically ORed with the current mark value to produce a new mark value\&. If preceded by an ampersand ("&"), will be logically ANDed with the current mark value to produce a new mark value\&.
.sp
Both "|" and "&" require Extended MARK Target support in your kernel and iptables; neither may be used with connection marks (see below)\&.
.sp
May optionally be followed by
\fB:P\fR,
\fB:F\fR
or
\fB:T\fR
where\fB :P\fR
indicates that marking should occur in the PREROUTING chain,
\fB:F\fR
indicates that marking should occur in the FORWARD chain and
\fB:T\fR
indicates that marking should occur in the POSTROUTING chain\&. If neither
\fB:P\fR,
\fB:F\fR
nor
\fB:T\fR
follow the mark value then the chain is determined as follows:
.sp
\- If the SOURCE is
\fB$FW\fR[\fB:\fR\fIaddress\-or\-range\fR[,\fIaddress\-or\-range\fR]\&.\&.\&.], then the rule is inserted into the OUTPUT chain\&. The behavior changed in Shorewall\-perl 4\&.1\&. Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non\-zero mark values < 256 to be assigned in the OUTPUT chain\&. This has been changed so that only high mark values may be assigned there\&. Packet marking rules for traffic shaping of packets originating on the firewall must be coded in the POSTROUTING chain (see below)\&.
.sp
\- Otherwise, the chain is determined by the setting of MARK_IN_FORWARD_CHAIN in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5)\&.
.sp
If your kernel and iptables include CONNMARK support then you can also mark the connection rather than the packet\&.
.sp
The mark value may be optionally followed by "/" and a mask value (used to determine those bits of the connection mark to actually be set)\&. The mark and optional mask are then followed by one of:+
.PP
\fBC\fR
.RS 4
Mark the connection in the chain determined by the setting of MARK_IN_FORWARD_CHAIN
.RE
.PP
\fBCF\fR
.RS 4
Mark the connection in the FORWARD chain
.RE
.PP
\fBCP\fR
.RS 4
Mark the connection in the PREROUTING chain\&.
.RE
.PP
CT
.RS 4
Mark the connecdtion in the POSTROUTING chain
.RE
.sp
\fBSpecial considerations for If HIGH_ROUTE_MARKS=Yes in \fR\fB\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2\fR\fB(5\fR)\&.
.sp
If HIGH_ROUTE_MARKS=Yes, then you may also specify a value in the range 0x0100\-0xFF00 with the low\-order byte being zero\&. Such values may only be used in the PREROUTING chain (value followed by
\fB:P\fR
or you have set MARK_IN_FORWARD_CHAIN=No in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5) and have not followed the value with
\fB:F\fR) or the OUTPUT chain (SOURCE is
\fB$FW\fR)\&. With HIGH_ROUTE_MARKS=Yes, non\-zero mark values less that 256 are not permitted\&. Shorewall 4\&.1 and later versions prohibit non\-zero mark values less that 256 in the OUTPUT chain when HIGH_ROUTE_MARKS=Yes\&. While earlier versions allow such values in the OUTPUT chain, it is strongly recommended that with HIGH_ROUTE_MARKS=Yes, you use the POSTROUTING chain to apply traffic shaping marks/classification\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  2." 4.2
.\}
A classification Id (classid) of the form
\fImajor\fR:\fIminor\fR
where
\fImajor\fR
and
\fIminor\fR
are integers\&. Corresponds to the \'class\' specification in these traffic shaping modules:
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
       atm
       cbq
       dsmark
       pfifo_fast
       htb
       prio
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.sp
Classification occurs in the POSTROUTING chain except when the
\fBSOURCE\fR
is
\fB$FW\fR[:\fIaddress\fR] in which case classification occurs in the OUTPUT chain\&.
.sp
When using Shorewall\'s built\-in traffic shaping tool, the
\fImajor\fR
class is the device number (the first device in
\m[blue]\fBshorewall\-tcdevices\fR\m[]\&\s-2\u[3]\d\s+2(5) is major class 1, the second device is major class 2, and so on) and the
\fIminor\fR
class is the class\'s MARK value in
\m[blue]\fBshorewall\-tcclasses\fR\m[]\&\s-2\u[4]\d\s+2(5) preceded by the number 1 (MARK 1 corresponds to minor class 11, MARK 5 corresponds to minor class 15, MARK 22 corresponds to minor class 122, etc\&.)\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 3.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  3." 4.2
.\}
\fBRESTORE\fR[/\fImask\fR] \-\- restore the packet\'s mark from the connection\'s mark using the supplied mask if any\&. Your kernel and iptables must include CONNMARK support\&.
.sp
As in 1) above, may be followed by
\fB:P\fR
or
\fB:F\fR
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 4.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  4." 4.2
.\}
\fBSAVE\fR[/\fImask\fR] \-\- save the packet\'s mark to the connection\'s mark using the supplied mask if any\&. Your kernel and iptables must include CONNMARK support\&.
.sp
As in 1) above, may be followed by
\fB:P\fR
or
\fB:F\fR
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 5.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  5." 4.2
.\}
\fBCONTINUE\fR
Don\'t process any more marking rules in the table\&.
.sp
As in 1) above, may be followed by
\fB:P\fR
or
\fB:F\fR\&. Currently, CONTINUE may not be used with
\fIexclusion\fR
(see the SOURCE and DEST columns below); that restriction will be removed when iptables/Netfilter provides the necessary support\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 6.\h'+01'\c
.\}
.el \{\
.sp -1
.IP "  6." 4.2
.\}