SHOREWALL6-MANGLE(5) | Configuration Files | SHOREWALL6-MANGLE(5) |
NAME¶
mangle - Shorewall Packet marking/mangling rules fileSYNOPSIS¶
/etc/shorewall6/mangle
DESCRIPTION¶
This file was introduced in Shorewall 4.6.0 and is intended to replace shorewall6-tcrules(5)[1]. This file is only processed by the compiler if: 1.No file named 'tcrules' exists on the current
CONFIG_PATH (see shorewall6.conf(5)[2]); or
2.The first file named 'tcrules' found on the
CONFIG_PATH contains no non-commentary entries.
Entries in this file cause packets to be marked as a means of classifying them
for traffic control or policy routing.
The chain-specifier indicates the Netfilter chain that
the entry applies to and may be one of the following:
P
SOURCE -
{-|{interface|$FW}|[{interface|$FW}:]
address-or-range[
,address-or-range]...}[exclusion]
PREROUTING chain.
F
FORWARD chain.
T
POSTROUTING chain.
I
INPUT chain.
Unless otherwise specified for the particular command, the default chain
is PREROUTING when MARK_IN_FORWARD_CHAIN=No in shorewall6.conf(5)[2],
and FORWARD when MARK_IN_FORWARD_CHAIN=Yes.
A chain-designator may not be specified if the SOURCE or DEST columns begin with
'$FW'. When the SOURCE is $FW, the generated rule is always placed in the
OUTPUT chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
Where a command takes parameters, those parameters are enclosed in parentheses
("(....)") and separated by commas.
The command may be one of the following.
CHECKSUM
Compute and fill in the checksum in a packet that lacks a
checksum. This is particularly useful if you need to work around old
applications, such as dhcp clients, that do not work well with checksum
offloads, but you don't want to disable checksum offload in your device.
Requires 'Checksum Target' support in your kernel and iptables.
CLASSIFY( classid)
A classification Id (classid) is of the form
major: minor where major and minor are integers.
Corresponds to the 'class' specification in these traffic shaping modules:
Classification occurs in the POSTROUTING chain except when the SOURCE is
$FW[:address] in which case classification occurs in the OUTPUT
chain.
When using Shorewall's built-in traffic shaping tool, the major class is
the device number (the first device in shorewall6-tcdevices[5](5) is
major class 1, the second device is major class 2, and so on) and the
minor class is the class's MARK value in
shorewall6-tcclasses[6](5) preceded by the number 1 (MARK 1 corresponds
to minor class 11, MARK 5 corresponds to minor class 15, MARK 22 corresponds
to minor class 122, etc.).
?COMMENT
atm cbq dsmark pfifo_fast htb prio
The rest of the line will be attached as a comment to the
Netfilter rule(s) generated by the following entries. The comment will appear
delimited by "/* ... */" in the output of shorewall show
mangle
To stop the comment from being attached to further rules, simply include COMMENT
on a line by itself.
CONMARK({mark|range})
Identical to MARK with the exception that the mark is
assigned to connection to which the packet belongs is marked rather than to
the packet itself.
CONTINUE
Don't process any more marking rules in the table.
Currently, CONTINUE may not be used with exclusion (see the SOURCE and
DEST columns below); that restriction will be removed when iptables/Netfilter
provides the necessary support.
DIVERT
Two DIVERT rule should precede the TPROXY rule and should
select DEST PORT tcp 80 and SOURCE PORT tcp 80 respectively (assuming that tcp
port 80 is being proxied). DIVERT avoids sending packets to the TPROXY target
once a socket connection to Squid3 has been established by TPROXY. DIVERT
marks the packet with a unique mark and exempts it from any rules that
follow.
DROP
Causes matching packets to be discarded.
DSCP(dscp)
Sets the Differentiated Services Code Point field in the
IP header. The dscp value may be given as an even number (hex or
decimal) or as the name of a DSCP class. Valid class names and their
associated hex numeric values are:
To indicate more than one class, add their hex values together and specify the
result.
IMQ(number)
CS0 => 0x00 CS1 => 0x08 CS2 => 0x10 CS3 => 0x18 CS4 => 0x20 CS5 => 0x28 CS6 => 0x30 CS7 => 0x38 BE => 0x00 AF11 => 0x0a AF12 => 0x0c AF13 => 0x0e AF21 => 0x12 AF22 => 0x14 AF23 => 0x16 AF31 => 0x1a AF32 => 0x1c AF33 => 0x1e AF41 => 0x22 AF42 => 0x24 AF43 => 0x26 EF => 0x2e
Specifies that the packet should be passed to the IMQ
identified by number. Requires IMQ Target support in your kernel and
iptables.
INLINE[(action)]
Allows you to place your own ip[6]tables matches at the
end of the line following a semicolon (";"). If an action is
specified, the compiler procedes as if that action had been specified
in this column. If no action is specified, then you may include your own jump
("-j target [ option] ...") after any matches
specified at the end of the rule. If the target is not one known to Shorewall,
then it must be defined as a builtin action in shorewall6-actions[7]
(5).
The following rules are equivalent:
If INLINE_MATCHES=Yes in shorewall6.conf[2](5) then the third rule above
can be specified as follows:
IPMARK
2:P eth0 - tcp 22 INLINE(2):P eth0 - tcp 22 INLINE(2):P eth0 - ; -p tcp INLINE eth0 - tcp 22 ; -j MARK --set-mark 2 INLINE eth0 - ; -p tcp -j MARK --set-mark 2
2:P eth0 - ; -p tcp
Assigns a mark to each matching packet based on the
either the source or destination IP address. By default, it assigns a mark
value equal to the low-order 8 bits of the source address. Default values are:
IP6TABLES({ target [option ...])
src
mask1 = 0xFF
mask2 = 0x00
shift = 0
'src' and 'dst' specify whether the mark is to be based on the source or
destination address respectively. The selected address is first shifted to the
right by shift bits. The result is then LANDed with mask1 then
LORed with mask2.
In a sense, the IPMARK target is more like an IPCLASSIFY target in that the mark
value is later interpreted as a class ID. A packet mark is 32 bits wide; so is
a class ID. The <major> class occupies the high-order 16 bits and the
<minor> class occupies the low-order 16 bits. So the class ID 1:4ff
(remember that class IDs are always in hex) is equivalent to a mark value of
0x104ff. Remember that Shorewall uses the interface number as the
<major> number where the first interface in tcdevices has <major>
number 1, the second has <major> number 2, and so on.
The IPMARK target assigns a mark to each matching packet based on the either the
source or destination IP address. By default, it assigns a mark value equal to
the low-order 8 bits of the source address. The syntax is as follows:
IPMARK[([{
src|dst}][,[mask1][,[mask2][,[shift]]]])]
Default values are:
src
mask1 = 0xFF
mask2 = 0x00
shift = 0
src and dst specify whether the mark is to be based on the source
or destination address respectively. The selected address is first shifted
right by shift, then LANDed with mask1 and then LORed with
mask2. The shift argument is intended to be used primarily with
IPv6 addresses.
Example: IPMARK(src,0xff,0x10100)
Suppose that the source IP address is 192.168.4.3
= 0xc0a80403; then
= 0xc0a80403; then
0xc0a80403 >> 0 = 0xc0a80403
0xc0a80403 LAND 0xFF = 0x03
0x03 LOR 0x0x10100 = 0x10103 or class ID
1:103
It is important to realize that, while class IDs are composed of a major
and a minor value, the set of values must be unique. That is, the same
numeric value cannot be used as both a major and a minor number
for the same interface unless class nesting occurs (which is not currently
possible with Shorewall). You should keep this in mind when deciding how to
map IP addresses to class IDs.
For example, suppose that your internal network is 192.168.1.0/29 (host IP
addresses 192.168.1.1 - 192.168.1.6). Your first notion might be to use
IPMARK(src,0xFF,0x10000) so as to produce class IDs 1:1 through 1:6. But 1:1
is an invalid class ID since the major and minor classes are
equal. So you might choose instead to use IPMARK(src,0xFF,0x10100) as in the
example above so that all of your minor classes will have a value >
256.1:103
This action allows you to specify an iptables target with
options (e.g., 'IP6TABLES(MARK --set-xmark 0x01/0xff)'. If the target is not
one recognized by Shorewall, the following error message will be issued:
MARK({ mark|range})
ERROR: Unknown target
( target)
This error message may be eliminated by adding the target as a builtin
action in shorewall6-actions[7](5).( target)
where mark is a packet mark value.
Normally will set the mark value. If preceded by a vertical bar ("|"),
the mark value will be logically ORed with the current mark value to produce a
new mark value. If preceded by an ampersand ("&"), will be
logically ANDed with the current mark value to produce a new mark value.
Both "|" and "&" require Extended MARK Target support in
your kernel and iptables.
The mark value may be optionally followed by "/" and a mask value
(used to determine those bits of the connection mark to actually be set). When
a mask is specified, the result of logically ANDing the mark value with the
mask must be the same as the mark value.
A mark range is a pair of integers separated by a dash ("-").
May be optionally followed by a slash ("/") and a mask and requires
the Statistics Match capability in iptables and kernel. Marks in the specified
range are assigned to packets on a round-robin fashion.
When a mask is specified, the result of logically ANDing each mark value with
the mask must be the same as the mark value. The least significant bit in the
mask is used as an increment. For example, if '0x200-0x400/0xff00' is
specified, then the assigned mark values are 0x200, 0x300 and 0x400 in equal
proportions. If no mask is specified, then ( 2 ** MASK_BITS ) - 1 is assumed
(MASK_BITS is set in shorewall6.conf[2](5)).
RESTORE[(/mask)]
Restore the packet's mark from the connection's mark
using the supplied mask if any. Your kernel and iptables must include CONNMARK
support.
SAME
Some websites run applications that require multiple
connections from a client browser. Where multiple 'balanced' providers are
configured, this can lead to problems when some of the connections are routed
through one provider and some through another. The SAME target allows you to
work around that problem. SAME may be used in the PREROUTING and OUTPUT
chains. When used in PREROUTING, it causes matching connections from an
individual local system to all use the same provider. For example:
If a host in 192.168.1.0/24 attempts a connection on TCP port 80 or 443 and it
has sent a packet on either of those ports in the last five minutes then the
new connection will use the same provider as the connection over which that
last packet was sent.
When used in the OUTPUT chain, it causes all matching connections to an
individual remote system to all use the same provider. For example:
If the firewall attempts a connection on TCP port 80 or 443 and it has sent a
packet on either of those ports in the last five minutes to the same remote
system then the new connection will use the same provider as the connection
over which that last packet was sent.
SAVE[(/mask)]
#ACTION SOURCE DEST PROTO DEST # PORT(S) SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443
#ACTION SOURCE DEST PROTO DEST # PORT(S) SAME $FW 0.0.0.0/0 tcp 80,443
Save the packet's mark to the connection's mark using the
supplied mask if any. Your kernel and iptables must include CONNMARK
support.
TOS(tos[/mask])
Sets the Type of Service field in the IP header. The
tos value may be given as an number (hex or decimal) or as the name of
a TOS type. Valid type names and their associated hex numeric values are:
To indicate more than one class, add their hex values together and specify the
result.
When tos is given as a number, it may be optionally followed by '/' and a
mask. When no mask is given, the value 0xff is assumed. When
tos is given as a type name, the mask 0x3f is assumed.
The action performed is to zero out the bits specified by the mask, then
set the bits specified by tos.
TPROXY([port][,address])
Minimize-Delay => 0x10, Maximize-Throughput => 0x08, Maximize-Reliability => 0x04, Minimize-Cost => 0x02, Normal-Service => 0x00
Transparently redirects a packet without altering the IP
header. Requires a tproxy provider to be defined in
shorewall6-providers[8](5).
There are three parameters to TPROXY - neither is required:
TTL([-|+]number)
•port - the port on which the proxy server
is listening. If omitted, the original destination port.
•address - a local (to the firewall) IP
address on which the proxy server is listening. If omitted, the IP address of
the interface on which the request arrives.
If + is included, packets matching the rule will
have their TTL incremented by number. Similarly, if - is
included, matching packets have their TTL decremented by number. If
neither + nor - is given, the TTL of matching packets is set to
number. The valid range of values for number is 1-255.
1.TTL([-|+]number)
Added in Shorewall 4.4.24.
Prior to Shorewall 4.5.7.2, may be optionally followed by :F but the
resulting rule is always added to the FORWARD chain. Beginning with Shorewall
4.5.7.s, it may be optionally followed by :P, in which case the rule is
added to the PREROUTING chain.
If + is included, packets matching the rule will have their TTL
incremented by number. Similarly, if - is included, matching
packets have their TTL decremented by number. If neither + nor
- is given, the TTL of matching packets is set to number. The
valid range of values for number is 1-255.
May be:
1.An interface name - matches traffic entering the
firewall on the specified interface. May not be used in classify rules or in
rules using the :T chain qualifier.
2.A comma-separated list of host or network IP addresses
or MAC addresses. This form will not match traffic that originates on the
firewall itself unless either <major><minor> or the :T chain
qualifier is used in the ACTION column.
Examples:.RS 4 0.0.0.0/0
192.168.1.0/24, 172.20.4.0/24
3.An interface name followed by a colon (":")
followed by a comma-separated list of host or network IP addresses or MAC
addresses. May not be used in classify rules or in rules using the :T chain
qualifier.
4.$FW optionally followed by a colon (":") and
a comma-separated list of host or network IP addresses. Matches packets
originating on the firewall. May not be used with a chain qualifier (:P, :F,
etc.) in the ACTION column.
MAC addresses must be prefixed with "~" and use "-" as a
separator.
Example: ~00-A0-C9-15-39-78
You may exclude certain hosts from the set already defined through use of an
exclusion (see shorewall6-exclusion[9](5)).
DEST -
{-|{interface|$FW}|[{interface|$FW}:]address-or-range[
,address-or-range]...}[exclusion]
May be:
PROTO -
{-|{tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|
protocol-number| protocol-name|all}[,...]}
1.An interface name. May not be used in the PREROUTING
chain (:P in the mark column or no chain qualifier and
MARK_IN_FORWARD_CHAIN=No in shorewall6.conf[2] (5)). The interface name
may be optionally followed by a colon (":") and an IP address
list.
2.A comma-separated list of host or network IP
addresses. The list may include ip address ranges if your kernel and iptables
include iprange support.
3.Beginning with Shorewall 4.4.13, $FW may be specified
by itself or qualified by an address list. This causes marking to occur in the
INPUT chain.
You may exclude certain hosts from the set already defined through use of an
exclusion (see shorewall6-exclusion[9](5)).Protocol - ipp2p requires ipp2p match support in
your kernel and iptables.
Beginning with Shorewall 4.5.12, this column can accept a comma-separated list
of protocols.
PORT(S) (dport) -
[-|port-name-number-or-range[,port-name-number-or-range]...]
Optional destination Ports. A comma-separated list of
Port names (from services(5)), port numbers or port ranges; if
the protocol is icmp, this column is interpreted as the destination
icmp-type(s). ICMP types may be specified as a numeric type, a numeric type
and code separated by a slash (e.g., 3/4), or a typename. See
http://www.shorewall.net/configuration_file_basics.htm#ICMP[10].
If the protocol is ipp2p, this column is interpreted as an ipp2p option
without the leading "--" (example bit for bit-torrent). If no
PORT is given, ipp2p is assumed.
An entry in this field requires that the PROTO column specify icmp (1), tcp (6),
udp (17), sctp (132) or udplite (136). Use '-' if any of the following field
is supplied.
SOURCE PORT(S) (sport) -
[-|port-name-number-or-range[,
port-name-number-or-range]...]
Optional source port(s). If omitted, any source port is
acceptable. Specified as a comma-separated list of port names, port numbers or
port ranges.
An entry in this field requires that the PROTO column specify tcp (6), udp (17),
sctp (132) or udplite (136). Use '-' if any of the following fields is
supplied.
Beginning with Shorewall 4.5.15, you may place '=' in this column, provided that
the DEST PORT(S) column is non-empty. This causes the rule to match when
either the source port or the destination port in a packet matches one of the
ports specified in DEST PORTS(S). Use of '=' requires multi-port match in your
iptables and kernel.
USER -
[!][user-name-or-number][:group-name-or-number][
+program-name]
This optional column may only be non-empty if the SOURCE
is the firewall itself.
When this column is non-empty, the rule applies only if the program generating
the output is running under the effective user and/or group
specified (or is NOT running under that id if "!" is given).
Examples:
joe
TEST - [!]value[/mask][:C]
program must be run by joe
:kids
program must be run by a member of the 'kids' group
!:kids
program must not be run by a member of the 'kids'
group
+upnpd
#program named upnpd
Important
The ability to specify a program name was removed from Netfilter in kernel
version 2.6.14.
Optional - Defines a test on the existing packet or
connection mark. The rule will match only if the test returns true.
If you don't want to define a test but need to specify anything in the following
columns, place a "-" in this field.
!
LENGTH - [length|[min]:[max]]
Inverts the test (not equal)
value
Value of the packet or connection mark.
mask
A mask to be applied to the mark before testing.
:C
Designates a connection mark. If omitted, the packet
mark's value is tested.
Optional - packet payload length. This field, if present
allow you to match the length of a packet payload (Layer 4 data ) against a
specific value or range of values. You must have iptables length support for
this to work. A range is specified in the form min:max where
either min or max (but not both) may be omitted. If min
is omitted, then 0 is assumed; if max is omitted, than any packet that
is min or longer will match.
TOS - tos
Type of service. Either a standard name, or a numeric
value to match.
CONNBYTES -
[!]min:[max[:{O|R|B}[:{B|
P|A}]]]
Minimize-Delay (16) Maximize-Throughput (8) Maximize-Reliability (4) Minimize-Cost (2) Normal-Service (0)
Optional connection Bytes; defines a byte or packet range
that the connection must fall within in order for the rule to match.
A packet matches if the the packet/byte count is within the range defined by
min and max (unless ! is given in which case, a packet matches
if the packet/byte count is not within the range). min is an integer
which defines the beginning of the byte/packet range. max is an integer
which defines the end of the byte/packet range; if omitted, only the beginning
of the range is checked. The first letter gives the direction which the range
refers to: O - The original direction of the connection. .sp - The
opposite direction from the original connection. .sp B - The total of
both directions.
If omitted, B is assumed.
The second letter determines what the range refers to. B - Bytes .sp
P - Packets .sp A - Average packet size.If omitted, B is
assumed.
HELPER - helper
Names a Netfilter protocol helper module such as
ftp, sip, amanda, etc. A packet will match if it was
accepted by the named helper module.
Example: Mark all FTP data connections with mark 4:
HEADERS - [!][any:|exactly:]header-list
#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER # PORT(S) 4:T 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftp
The header-list consists of a comma-separated list
of headers from the following list.
auth, ah, or 51
PROBABILITY - [probability]
Authentication Headers extension header.
esp, or 50
Encrypted Security Payload extension header.
hop, hop-by-hop or 0
Hop-by-hop options extension header.
route, ipv6-route or 41
IPv6 Route extension header.
frag, ipv6-frag or 44
IPv6 fragmentation extension header.
none, ipv6-nonxt or 59
No next header
proto, protocol or 255
Any protocol header.
If any: is specified, the rule will match if any of the listed headers
are present. If exactly: is specified, the will match packets that
exactly include all specified headers. If neither is given, any: is
assumed.
If ! is entered, the rule will match those packets which would not be
matched when ! is omitted.Added in Shorewall 4.5.0. When non-empty, requires the
Statistics Match capability in your kernel and ip6tables and causes the rule
to match randomly but with the given probability. The
probability is a number 0 < probability <= 1 and may be
expressed at up to 8 decimal points of precision.
DSCP - [[!]dscp]
Added in Shorewall 4.5.1. When non-empty, match packets
whose Differentiated Service Code Point field matches the supplied value (when
'!' is given, the rule matches packets whose DSCP field does not match the
supplied value). The dscp value may be given as an even number (hex or
decimal) or as the name of a DSCP class. Valid class names and their
associated hex numeric values are:
STATE -- {NEW|RELATED|ESTABLISHED|INVALID}
[,...]
CS0 => 0x00 CS1 => 0x08 CS2 => 0x10 CS3 => 0x18 CS4 => 0x20 CS5 => 0x28 CS6 => 0x30 CS7 => 0x38 BE => 0x00 AF11 => 0x0a AF12 => 0x0c AF13 => 0x0e AF21 => 0x12 AF22 => 0x14 AF23 => 0x16 AF31 => 0x1a AF32 => 0x1c AF33 => 0x1e AF41 => 0x22 AF42 => 0x24 AF43 => 0x26 EF => 0x2e
The rule will only match if the packet's connection is in
one of the listed states.
TIME - timeelement[&timeelement...]
Added in Shorewall 4.6.2.
May be used to limit the rule to a particular time period each day, to
particular days of the week or month, or to a range defined by dates and
times. Requires time match support in your kernel and ip6tables.
timeelement may be:
timestart= hh:mm[:ss]
Defines the starting time of day.
timestop= hh:mm[:ss]
Defines the ending time of day.
utc
Times are expressed in Greenwich Mean Time.
localtz
Deprecated by the Netfilter team in favor of
kerneltz. Times are expressed in Local Civil Time (default).
kerneltz
Added in Shorewall 4.5.2. Times are expressed in Local
Kernel Time (requires iptables 1.4.12 or later).
weekdays=ddd[,ddd]...
where ddd is one of Mon, Tue,
Wed, Thu, Fri, Sat or Sun
monthdays=dd[,dd],...
where dd is an ordinal day of the month
datestart=
yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
Defines the starting date and time.
datestop=
yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
Defines the ending date and time.
EXAMPLE¶
Example 1:Mark all ICMP echo traffic with packet mark 1. Mark all
peer to peer traffic with packet mark 4.
This is a little more complex than otherwise expected. Since the ipp2p module is
unable to determine all packets in a connection are P2P packets, we mark the
entire connection as P2P if any of the packets are determined to match.
We assume packet/connection mark 0 means unclassified.
If a packet hasn't been classified (packet mark is 0), copy the connection mark
to the packet mark. If the packet mark is set, we're done. If the packet is
P2P, set the packet mark to 4. If the packet mark has been set, save it to the
connection mark.
#ACTION SOURCE DEST PROTO PORT(S) SOURCE USER TEST # PORT(S) MARK(1):T ::/0 ::/0 icmp echo-request MARK(1):T ::/0 ::/0 icmp echo-reply RESTORE:T ::/0 ::/0 all - - - 0 CONTINUE:T ::/0 ::/0 all - - - !0 MARK(4):T ::/0 ::/0 ipp2p:all SAVE:T ::/0 ::/0 all - - - !0
FILES¶
/etc/shorewall6/mangleSEE ALSO¶
http://www.shorewall.net/traffic_shaping.htm[11] http://www.shorewall.net/MultiISP.html[4] http://www.shorewall.net/PacketMarking.html[12] http://www.shorewall.net/configuration_file_basics.htm#Pairs[13] shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-ecn(5), shorewall6-exclusion(5), shorewall6-hosts(5), shorewall6_interfaces(5), shorewall6-ipsets(5), shorewall6-maclist(5), shorewall6-masq(5), shorewall6-nat(5), shorewall6-netmap(5), shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-rtrules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)NOTES¶
- 3.
- shorewall6-rules
- 5.
- shorewall6-tcdevices
- 6.
- shorewall6-tcclasses
- 7.
- shorewall6-actions
- 8.
- shorewall6-providers
- 9.
- shorewall6-exclusion
10/19/2014 | Configuration Files |