.TH "Firewall mark classifier in tc" 8 "21 Oct 2015" "iproute2" "Linux"

.SH NAME
fw \- fwmark traffic control filter
.SH SYNOPSIS
.in +8
.ti -8
.BR tc " " filter " ... " fw " [ " classid
.IR CLASSID " ] [ "
.B action
.IR ACTION_SPEC " ]"
.SH DESCRIPTION
the
.B fw
filter allows to classify packets based on a previously set
.BR fwmark " by " iptables .
If it is identical to the filter's
.BR handle ,
the filter matches.
.B iptables
allows to mark single packets with the
.B MARK
target, or whole connections using
.BR CONNMARK .
The benefit of using this filter instead of doing the
heavy-lifting with
.B tc
itself is that on one hand it might be convenient to keep packet filtering and
classification in one place, possibly having to match a packet just once, and on
the other users familiar with
.BR iptables " but not " tc
will have a less hard time adding QoS to their setups.
.SH OPTIONS
.TP
.BI classid " CLASSID"
Push matching packets to the class identified by
.IR CLASSID .
.TP
.BI action " ACTION_SPEC"
Apply an action from the generic actions framework on matching packets.
.SH EXAMPLES
Take e.g. the following tc filter statement:

.RS
.EX
tc filter add ... handle 6 fw classid 1:1
.EE
.RE

will match if the packet's
.B fwmark
value is
.BR 6 .
This is a sample
.B iptables
statement marking packets coming in on eth0:

.RS
.EX
iptables -t mangle -A PREROUTING -i eth0 -j MARK --set-mark 6
.EE
.RE
.SH SEE ALSO
.BR tc (8),
.BR iptables (8),
.BR iptables-extensions (8)