File: //usr/share/shorewall/configfiles/mangle.annotated
#
# Shorewall -- /etc/shorewall/mangle
#
# For information about entries in this file, type "man shorewall-mangle"
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
# For usage in selecting among multiple ISPs, see
# http://shorewall.net/MultiISP.html
#
# See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism.
#
##############################################################################################################################################################
#
# This file was introduced in Shorewall 4.6.0 and replaces shorewall-tcrules(5).
# This file is only processed by the compiler if:
#
# Entries in this file cause packets to be marked as a means of classifying them
# for traffic control or policy routing.
#
# Important
#
# Unlike rules in the shorewall-rules(5) file, evaluation of rules in this file
# will continue after a match. So the final mark for each packet will be the one
# assigned by the LAST tcrule that matches.
#
# If you use multiple internet providers with the 'track' option in
# /etc/shorewall/providers, be sure to read the restrictions at
# http://www.shorewall.net/MultiISP.html.
#
# The columns in the file are as follows (where the column name is followed by a
# different name in parentheses, the different name is used in the alternate
# specification syntax).
#
# ACTION - command[(parameters)][:chain-designator]
#
# The chain-designator indicates the Netfilter chain that the entry applies
# to and may be one of the following:
#
# P
#
# PREROUTING chain.
#
# F
#
# FORWARD chain.
#
# T
#
# POSTROUTING chain.
#
# I
#
# INPUT chain.
#
# NP
#
# PREROUTING chain in the nat table.
#
# NI
#
# INPUT chain in the nat table.
#
# NO
#
# OUTPUT chain in the nat table.
#
# NT
#
# POSTROUTING chain in the nat table.
#
# The nat table designators were added in Shorewall 5.2.1. When a nat table
# designator is given, only the CONNMARK, MARK, SAVE and RESTORE commands may
# be used.
#
# Unless otherwise specified for the particular command, the default chain is
# PREROUTING when MARK_IN_FORWARD_CHAIN=No in shorewall.conf(5), and FORWARD
# when MARK_IN_FORWARD_CHAIN=Yes.
#
# A chain-designator may not be specified if the SOURCE or DEST columns begin
# with '$FW'. When the SOURCE is $FW, the generated rule is always placed in
# the OUTPUT chain. If DEST is '$FW', then the rule is placed in the INPUT
# chain. Additionally, a chain-designator may not be specified in an action
# body.
#
# Where a command takes parameters, those parameters are enclosed in
# parentheses ("(....)") and separated by commas.
#
# The command may be one of the following.
#
# action[([param[,...])]
#
# Added in Shorewall 5.0.7. action must be an action declared with the
# mangle option in shorewall-actions(5). If the action accepts
# parameters, they are specified as a comma-separated list within
# parentheses following the action name.
#
# ADD(ipset:flags)
#
# Added in Shorewall 4.6.7. Causes addresses and/or port numbers to be
# added to the named ipset. The flags specify the address or tuple to be
# added to the set and must match the type of ipset involved. For
# example, for an iphash ipset, either the SOURCE or DESTINATION address
# can be added using flags src or dst respectively (see the -A command in
# ipset (8)).
#
# ADD is non-terminating. Even if a packet matches the rule, it is passed
# on to the next rule.
#
# CHECKSUM
#
# Compute and fill in the checksum in a packet that lacks a checksum.
# This is particularly useful if you need to work around old
# applications, such as dhcp clients, that do not work well with checksum
# offloads, but you don't want to disable checksum offload in your
# device.
#
# Requires 'Checksum Target' support in your kernel and iptables.
#
# CLASSIFY(classid)
#
# A classification Id (classid) is of the form major:minor where major
# and minor are integers. Corresponds to the 'class' specification in
# these traffic shaping modules:
#
# atm
# cbq
# dsmark
# pfifo_fast
# htb
# prio
#
# Classification occurs in the POSTROUTING chain except when the SOURCE
# is $FW[:address] in which case classification occurs in the OUTPUT
# chain.
#
# When using Shorewall's built-in traffic shaping tool, the major class
# is the device number (the first device in shorewall-tcdevices(5) is
# major class 1, the second device is major class 2, and so on) and the
# minor class is the class's MARK value in shorewall-tcclasses(5)
# preceded by the number 1 (MARK 1 corresponds to minor class 11, MARK 5
# corresponds to minor class 15, MARK 22 corresponds to minor class 122,
# etc.).
#
# ?COMMENT
#
# The rest of the line will be attached as a comment to the Netfilter
# rule(s) generated by the following entries. The comment will appear
# delimited by "/* ... */" in the output of shorewall show mangle
#
# To stop the comment from being attached to further rules, simply
# include ?COMMENT on a line by itself.
#
# CONNMARK({mark|range})
#
# Identical to MARK, except that the mark is assigned to the connection to
# which the packet belongs rather than to the packet itself.
#
# CONTINUE
#
# Don't process any more marking rules in the table.
#
# Currently, CONTINUE may not be used with exclusion (see the SOURCE and
# DEST columns below); that restriction will be removed when iptables/
# Netfilter provides the necessary support.
#
# DEL(ipset:flags)
#
# Added in Shorewall 4.6.7. Causes an entry to be deleted from the named
# ipset. The flags specify the address or tuple to be deleted from the
# set and must match the type of ipset involved. For example, for an
# iphash ipset, either the SOURCE or DESTINATION address can be deleted
# using flags src or dst respectively (see the -D command in ipset (8)).
#
# DEL is non-terminating. Even if a packet matches the rule, it is passed
# on to the next rule.
#
# DIVERT
#
# Two DIVERT rules should precede the TPROXY rule and should select DEST
# PORT tcp 80 and SOURCE PORT tcp 80 respectively (assuming that tcp port
# 80 is being proxied). DIVERT avoids sending packets to the TPROXY
# target once a socket connection to Squid3 has been established by
# TPROXY. DIVERT marks the packet with a unique mark and exempts it from
# any rules that follow.
#
# DIVERTHA
#
# Added in Shorewall 5.0.4. To set up the HAProxy configuration described at
# http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x,
# place this entry in shorewall-providers(5):
#
# #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
# TProxy 1 - - lo - tproxy
#
# and use this DIVERTHA entry:
#
# #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP
# DIVERTHA - - tcp
#
# DROP
#
# Causes matching packets to be discarded.
#
# DSCP(dscp)
#
# Sets the Differentiated Services Code Point field in the IP header. The
# dscp value may be given as an even number (hex or decimal) or as the
# name of a DSCP class. Valid class names and their associated hex
# numeric values are:
#
# CS0 => 0x00
# CS1 => 0x08
# CS2 => 0x10
# CS3 => 0x18
# CS4 => 0x20
# CS5 => 0x28
# CS6 => 0x30
# CS7 => 0x38
# BE => 0x00
# AF11 => 0x0a
# AF12 => 0x0c
# AF13 => 0x0e
# AF21 => 0x12
# AF22 => 0x14
# AF23 => 0x16
# AF31 => 0x1a
# AF32 => 0x1c
# AF33 => 0x1e
# AF41 => 0x22
# AF42 => 0x24
# AF43 => 0x26
# EF => 0x2e
#
# To indicate more than one class, add their hex values together and
# specify the result. By default, DSCP rules are placed in the
# POSTROUTING chain.
#
# ECN
#
# Added in Shorewall 5.0.6 as an alternative to entries in shorewall-ecn
# (5). If a PROTO is specified, it must be 'tcp' (6). If no PROTO is
# supplied, TCP is assumed. This action causes all ECN bits in the TCP
# header to be cleared.
#
# IMQ(number)
#
# Specifies that the packet should be passed to the IMQ identified by
# number. Requires IMQ Target support in your kernel and iptables.
#
# INLINE[(action)]
#
# Allows you to place your own ip[6]tables matches at the end of the line
# following a semicolon (";") (deprecated) or two semicolons (";;")
# (preferred since Shorewall 5.0.0). If an action is specified, the
# compiler proceeds as if that action had been specified in this column.
# If no action is specified, then you may include your own jump ("-j
# target [option] ...") after any matches specified at the end of the
# rule. If the target is not one known to Shorewall, then it must be
# defined as a builtin action in shorewall-actions (5).
#
# The following rules are equivalent:
#
# 2:P eth0 - tcp 22
# INLINE(MARK(2)):P eth0 - tcp 22
# INLINE(MARK(2)):P eth0 - ;; -p tcp
# INLINE eth0 - tcp 22 ;; -j MARK --set-mark 2
# INLINE eth0 - ;; -p tcp -j MARK --set-mark 2
#
# IPMARK[([{src|dst}][,[mask1][,[mask2][,[shift]]]])]
#
# Assigns a mark to each matching packet based on either the source or
# destination IP address. By default, it assigns a mark value equal to the
# low-order 8 bits of the source address. Default values are:
#
# src
# mask1 = 0xFF
# mask2 = 0x00
# shift = 0
#
# src and dst specify whether the mark is to be based on the source or
# destination address respectively. The selected address is first shifted
# right by shift bits, then LANDed with mask1 and then LORed with mask2. The
# shift argument is intended to be used primarily with IPv6 addresses.
#
# In a sense, the IPMARK target is more like an IPCLASSIFY target in that
# the mark value is later interpreted as a class ID. A packet mark is 32
# bits wide; so is a class ID. The <major> class occupies the high-order
# 16 bits and the <minor> class occupies the low-order 16 bits. So the
# class ID 1:4ff (remember that class IDs are always in hex) is
# equivalent to a mark value of 0x104ff. Remember that Shorewall uses the
# interface number as the <major> number where the first interface in
# tcdevices has <major> number 1, the second has <major> number 2, and so
# on.
#
# Example:
#
# IPMARK(src,0xff,0x10100)
#
# Suppose that the source IP address is 192.168.4.3 = 0xc0a80403;
# then
# 0xc0a80403 >> 0 = 0xc0a80403
# 0xc0a80403 LAND 0xFF = 0x03
# 0x03 LOR 0x10100 = 0x10103 or class ID 1:103
#
# It is important to realize that, while class IDs are composed of a
# major and a minor value, the set of values must be unique. That is, the
# same numeric value cannot be used as both a major and a minor number
# for the same interface unless class nesting occurs (which is not
# currently possible with Shorewall). You should keep this in mind when
# deciding how to map IP addresses to class IDs.
#
# For example, suppose that your internal network is 192.168.1.0/29 (host
# IP addresses 192.168.1.1 - 192.168.1.6). Your first notion might be to
# use IPMARK(src,0xFF,0x10000) so as to produce class IDs 1:1 through
# 1:6. But 1:1 is an invalid class ID since the major and minor classes
# are equal. So you might choose instead to use IPMARK(src,0xFF,0x10100)
# as in the example above so that all of your minor classes will have a
# value > 256.
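#
# The IPMARK arithmetic above, as an added example that is not part of
# Shorewall: it computes the mark for an address in the documented order
# (shift, AND mask1, OR mask2), converts it to a class ID and flags the
# major == minor pitfall from the 192.168.1.0/29 discussion for a whole
# network. Function names are this example's own.

```python
# Added example (not Shorewall code): IPMARK mark arithmetic and class ID
# validity. Function names and structure are this example's own.
import ipaddress


def ipmark(address, which="src", mask1=0xFF, mask2=0x00, shift=0):
    """Compute the 32-bit mark IPMARK assigns from the selected address.

    Order matches the description: shift right by 'shift', AND with mask1,
    OR with mask2. 'which' is only validated; the caller passes the address
    that the src/dst selector would pick.
    """
    if which not in ("src", "dst"):
        raise ValueError("selector must be 'src' or 'dst'")
    raw = int(ipaddress.ip_address(address))
    return (((raw >> shift) & mask1) | mask2) & 0xFFFFFFFF


def mark_to_classid(mark):
    """Split a mark into 'major:minor'; class IDs are written in hex."""
    return f"{(mark >> 16) & 0xFFFF:x}:{mark & 0xFFFF:x}"


def classid_is_valid(mark):
    """Reject the case the text warns about: major and minor being equal."""
    return ((mark >> 16) & 0xFFFF) != (mark & 0xFFFF)


def classids_for_network(network, mask1=0xFF, mask2=0x10000, shift=0):
    """Map every host of a network to (class ID, valid?) for a given IPMARK."""
    result = {}
    for host in ipaddress.ip_network(network).hosts():
        mark = ipmark(str(host), "src", mask1, mask2, shift)
        result[str(host)] = (mark_to_classid(mark), classid_is_valid(mark))
    return result


if __name__ == "__main__":
    # The worked example from the text: 192.168.4.3 with IPMARK(src,0xff,0x10100)
    print(mark_to_classid(ipmark("192.168.4.3", "src", 0xFF, 0x10100)))  # 1:103
    # The /29 pitfall: mask2=0x10000 produces the unusable class ID 1:1
    for host, (cid, ok) in classids_for_network("192.168.1.0/29").items():
        print(host, cid, "ok" if ok else "INVALID")
```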
#
# IP6TABLES(target [option ...])
#
# IPv6 only.
#
# This action allows you to specify an ip6tables target with options
# (e.g., 'IP6TABLES(MARK --set-xmark 0x01/0xff)'). If the target is not
# one recognized by Shorewall, the following error message will be
# issued:
#
# ERROR: Unknown target (target)
#
# This error message may be eliminated by adding the target as a builtin
# action in shorewall-actions(5).
#
# IPTABLES(target [option ...])
#
# IPv4 only.
#
# This action allows you to specify an iptables target with options
# (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'). If the target is not one
# recognized by Shorewall, the following error message will be issued:
#
# ERROR: Unknown target (target)
#
# This error message may be eliminated by adding the target as a builtin
# action in shorewall-actions(5).
#
# MARK({mark|range})
#
# where mark is a packet mark value.
#
# Normally will set the mark value. If preceded by a vertical bar ("|"),
# the mark value will be logically ORed with the current mark value to
# produce a new mark value. If preceded by an ampersand ("&"), will be
# logically ANDed with the current mark value to produce a new mark
# value.
#
# Both "|" and "&" require Extended MARK Target support in your kernel
# and iptables.
#
# The mark value may be optionally followed by "/" and a mask value (used
# to determine those bits of the connection mark to actually be set).
# When a mask is specified, the result of logically ANDing the mark value
# with the mask must be the same as the mark value.
#
# A mark range is a pair of integers separated by a dash ("-").
#
# May be optionally followed by a slash ("/") and a mask and requires the
# Statistics Match capability in iptables and kernel. Marks in the
# specified range are assigned to packets on a round-robin fashion.
#
# When a mask is specified, the result of logically ANDing each mark
# value with the mask must be the same as the mark value. The least
# significant bit in the mask is used as an increment. For example, if
# '0x200-0x400/0xff00' is specified, then the assigned mark values are
# 0x200, 0x300 and 0x400 in equal proportions. If no mask is specified,
# then ( 2 ** MASK_BITS ) - 1 is assumed (MASK_BITS is set in
# shorewall.conf(5)).
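#
# The mark, mask and range semantics above, as an added example that is not
# part of Shorewall: it expands a MARK/CONNMARK range into the marks assigned
# round-robin (the lowest set bit of the mask is the increment), enforces the
# "mark AND mask == mark" requirement, and applies the plain, "|" and "&"
# forms. MASK_BITS=8 is an assumption standing in for the shorewall.conf
# setting; function names are this example's own.

```python
# Added example (not Shorewall code): mark range expansion and the
# plain / '|' / '&' MARK forms. MASK_BITS is assumed to be 8 here.
MASK_BITS = 8  # assumption: substitute the value from your shorewall.conf


def default_mask():
    """Mask assumed when a range carries none: (2 ** MASK_BITS) - 1."""
    return (2 ** MASK_BITS) - 1


def check_mark_mask(mark, mask):
    """Shorewall requires (mark AND mask) == mark for every mark/mask pair."""
    if mark & mask != mark:
        raise ValueError(f"mark {mark:#x} has bits outside mask {mask:#x}")


def range_marks(spec):
    """Expand 'low-high[/mask]' into the marks handed out round-robin.

    The least significant set bit of the mask is the increment, so
    '0x200-0x400/0xff00' yields [0x200, 0x300, 0x400].
    """
    rng, _, mask_txt = spec.partition("/")
    mask = int(mask_txt, 0) if mask_txt else default_mask()
    low_txt, high_txt = rng.split("-")
    low, high = int(low_txt, 0), int(high_txt, 0)
    if low > high:
        raise ValueError("range low must not exceed high")
    step = mask & -mask  # lowest set bit of the mask
    marks = list(range(low, high + 1, step))
    for m in marks:
        check_mark_mask(m, mask)
    return marks


def apply_mark(current, spec):
    """Apply a MARK value ('2', '|0x04', '&0xf0', '0x20/0xf0') to a packet mark.

    '|' ORs, '&' ANDs; a plain value replaces the mark, or only the masked
    bits when a '/mask' is given.
    """
    op = ""
    if spec[0] in "|&":
        op, spec = spec[0], spec[1:]
    val_txt, _, mask_txt = spec.partition("/")
    value = int(val_txt, 0)
    if op == "|":
        return current | value
    if op == "&":
        return current & value
    if not mask_txt:
        return value
    mask = int(mask_txt, 0)
    check_mark_mask(value, mask)
    return (current & ~mask & 0xFFFFFFFF) | value


if __name__ == "__main__":
    print([hex(m) for m in range_marks("0x200-0x400/0xff00")])  # 0x200 0x300 0x400
    print(range_marks("1-3"))  # [1, 2, 3], as used by CONNMARK(1-3) in Example 2
    print(hex(apply_mark(0x13, "0x20/0xf0")))  # 0x23: only the masked bits change
```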
#
# NFLOG[(nflog-parameters)]
#
# Added in Shorewall 5.0.9. Logs matching packets using NFLOG. The
# nflog-parameters are a comma-separated list of up to 3 numbers:
#
# ☆ The first number specifies the netlink group (0-65535). If omitted
# (e.g., NFLOG(,0,10)) then a value of 0 is assumed.
#
# ☆ The second number specifies the maximum number of bytes to copy. If
# omitted, 0 (no limit) is assumed.
#
# ☆ The third number specifies the number of log messages that should
# be buffered in the kernel before they are sent to user space. The
# default is 1.
#
# RESTORE[(mask)]
#
# Restore the packet's mark from the connection's mark using the supplied
# mask if any. Your kernel and iptables must include CONNMARK support.
#
# SAME[(timeout)]
#
# Some websites run applications that require multiple connections from a
# client browser. Where multiple 'balanced' providers are configured,
# this can lead to problems when some of the connections are routed
# through one provider and some through another. The SAME target allows
# you to work around that problem. SAME may be used in the PREROUTING and
# OUTPUT chains. When used in PREROUTING, it causes matching connections
# from an individual local system to all use the same provider. For
# example:
#
# #ACTION SOURCE DEST PROTO DPORT
# SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443
#
# If a host in 192.168.1.0/24 attempts a connection on TCP port 80 or 443
# and it has sent a packet on either of those ports in the last five
# minutes then the new connection will use the same provider as the
# connection over which that last packet was sent.
#
# When used in the OUTPUT chain, it causes all matching connections to an
# individual remote system to all use the same provider. For example:
#
# #ACTION SOURCE DEST PROTO DPORT
# SAME $FW 0.0.0.0/0 tcp 80,443
#
# The optional timeout parameter was added in Shorewall 4.6.7 and
# specifies a number of seconds. When not specified, a value of 300
# seconds (5 minutes) is assumed. If the firewall attempts a connection
# on TCP port 80 or 443 and it has sent a packet on either of those ports
# in the last timeout seconds to the same remote system then the new
# connection will use the same provider as the connection over which that
# last packet was sent.
#
# SAVE[(mask)]
#
# Save the packet's mark to the connection's mark using the supplied mask
# if any. Your kernel and iptables must include CONNMARK support.
#
# TCPMSS([mss[,ipsec]])
#
# Added in Shorewall 5.1.9. This target only applies to TCP traffic and
# alters the MSS value in SYN packets. It may be used in the FORWARD and
# POSTROUTING chains; the default is FORWARD.
#
# The mss parameter may be either pmtu or an integer in the range
# 500:65533. The value pmtu automatically clamps the MSS value to
# (path_MTU - 40 for IPv4; -60 for IPv6). This may not function as
# desired where asymmetric routes with differing path MTU exist — the
# kernel uses the path MTU which it would use to send packets from itself
# to the source and destination IP addresses. Prior to Linux 2.6.25, only
# the path MTU to the destination IP address was considered by this
# option; subsequent kernels also consider the path MTU to the source IP
# address. If an integer is given, the MSS option is set to the specified
# value. If the MSS of the packet is already lower than mss, it will not
# be increased (from Linux 2.6.25 onwards) to avoid more problems with
# hosts relying on a proper MSS. If mss is omitted, pmtu is assumed.
#
# The ipsec parameter determines whether the rule applies to IPSEC
# traffic (ipsec is passed), non-IPSEC traffic (none is passed) or both
# (all is passed). If omitted, all is assumed.
#
# TOS(tos[/mask])
#
# Sets the Type of Service field in the IP header. The tos value may be
# given as a number (hex or decimal) or as the name of a TOS type. Valid
# type names and their associated hex numeric values are:
#
# Minimize-Delay => 0x10,
# Maximize-Throughput => 0x08,
# Maximize-Reliability => 0x04,
# Minimize-Cost => 0x02,
# Normal-Service => 0x00
#
# To indicate more than one class, add their hex values together and
# specify the result.
#
# When tos is given as a number, it may be optionally followed by '/' and
# a mask. When no mask is given, the value 0xff is assumed. When tos is
# given as a type name, the mask 0x3f is assumed.
#
# The action performed is to zero out the bits specified by the mask,
# then set the bits specified by tos.
#
# TPROXY([port[,address]])
#
# Transparently redirects a packet without altering the IP header.
# Requires a tproxy provider to be defined in shorewall-providers(5).
#
# There are two parameters to TPROXY - neither is required:
#
# ☆ port - the port on which the proxy server is listening. If omitted,
# the original destination port.
#
# ☆ address - a local (to the firewall) IP address on which the proxy
# server is listening. If omitted, the IP address of the interface on
# which the request arrives.
#
# TTL([-|+]number)
#
# If + is included, packets matching the rule will have their TTL
# incremented by number. Similarly, if - is included, matching packets
# have their TTL decremented by number. If neither + nor - is given, the
# TTL of matching packets is set to number. The valid range of values for
# number is 1-255.
#
# SOURCE - {-|source-spec[,...]}
#
# where source-spec is one of:
#
# [!]interface
#
# where interface is the logical name of an interface defined in
# shorewall-interfaces(5). Matches packets entering the firewall from the
# named interface. May not be used in CLASSIFY rules or in rules using
# the :T chain qualifier.
#
# Beginning with Shorewall 5.2.1, the interface may be preceded with '!'
# which matches all interfaces except the one specified.
#
# address[,...][exclusion]
#
# where address is:
#
# A host or network IP address.
#
# The name of an ipset preceded by a plus sign ("+").
#
# A MAC address in Shorewall format (preceded by a tilde ("~") and
# using dash ("-") as a separator (e.g., ~00-A0-C9-15-39-78).
#
# Matches traffic whose source IP address matches one of the listed
# addresses and that does not match an address listed in the exclusion
# (see shorewall-exclusion(5)).
#
# This form will not match traffic that originates on the firewall itself
# unless either <major><minor> or the :T chain qualifier is used in the
# ACTION column.
#
# [!]interface:address,[...][exclusion]
#
# This form combines the preceding two forms and matches when both the
# incoming interface and source IP address match.
#
# Beginning with Shorewall 5.2.1, the interface may be preceded with '!'
# which matches all interfaces except the one specified.
#
# [!]interface:exclusion
#
# This form matches packets arriving through the named interface and
# whose source IP address does not match any of the addresses in the
# exclusion.
#
# Beginning with Shorewall 5.2.1, the interface may be preceded with '!'
# which matches all interfaces except the one specified.
#
# $FW
#
# Matches packets originating on the firewall system. May not be used
# with a chain qualifier (:P, :F, etc.) in the ACTION column.
#
# $FW:address[,...][exclusion]
#
# where address is as above (MAC addresses are not permitted). Matches
# packets originating on the firewall and whose source IP address matches
# one of the listed addresses and does not match any address listed in
# the exclusion. May not be used with a chain qualifier (:P, :F, etc.) in
# the ACTION column.
#
# $FW:exclusion
#
# Matches traffic originating on the firewall, provided that the source
# IP address does not match any address listed in the exclusion.
#
# Beginning with Shorewall 5.1.0, multiple source_specs, separated by commas,
# may be given provided that the following alternative forms are used:
#
# (address[,...][exclusion])
#
# interface:(address[,...][exclusion])
#
# interface:(exclusion)
#
# $FW:(address[,...][exclusion])
#
# $FW:(exclusion)
#
# DEST - {-|dest-spec[,...]}
#
# where dest-spec is one of:
#
# interface
#
# where interface is the logical name of an interface defined in
# shorewall-interfaces(5). Matches packets leaving the firewall through
# the named interface. May not be used in the PREROUTING chain (:P in the
# mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in
# shorewall.conf (5)).
#
# address[,...][exclusion]
#
# where address is:
#
# A host or network IP address.
#
# The name of an ipset preceded by a plus sign ("+").
#
# A MAC address in Shorewall format (preceded by a tilde ("~") and
# using dash ("-") as a separator (e.g., ~00-A0-C9-15-39-78).
#
# Matches traffic whose destination IP address matches one of the listed
# addresses and that does not match an address listed in the exclusion
# (see shorewall-exclusion(5)).
#
# interface:address,[...][exclusion]
#
# This form combines the preceding two forms and matches when both the
# outgoing interface and destination IP address match. May not be used in
# the PREROUTING chain (:P in the mark column or no chain qualifier and
# MARK_IN_FORWARD_CHAIN=No in shorewall.conf (5)).
#
# interface:exclusion
#
# This form matches packets leaving through the named interface and whose
# destination IP address does not match any of the addresses in the
# exclusion. May not be used in the PREROUTING chain (:P in the mark
# column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in
# shorewall.conf (5)).
#
# $FW
#
# Matches packets originating on the firewall system. May not be used
# with a chain qualifier (:P, :F, etc.) in the ACTION column.
#
# $FW:address[,...][exclusion]
#
# where address is as above (MAC addresses are not permitted). Matches
# packets destined for the firewall and whose destination IP address
# matches one of the listed addresses and does not match any address
# listed in the exclusion. May not be used with a chain qualifier (:P,
# :F, etc.) in the ACTION column.
#
# $FW:exclusion
#
# Matches traffic destined for the firewall, provided that the
# destination IP address does not match any address listed in the
# exclusion.
#
# Beginning with Shorewall 5.1.0, multiple dest_specs, separated by commas,
# may be given provided that the following alternative forms are used:
#
# (address[,...][exclusion])
#
# interface:(address[,...][exclusion])
#
# interface:(exclusion)
#
# $FW:(address[,...][exclusion])
#
# $FW:(exclusion)
#
# PROTO - {-|{tcp:[!]syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|
# all}[,...]}
#
# See shorewall-rules(5) for details.
#
# Beginning with Shorewall 4.5.12, this column can accept a comma-separated
# list of protocols.
#
# DPORT - {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset}
#
# Optional destination Ports. A comma-separated list of Port names (from
# services(5)), port numbers or port ranges; if the protocol is icmp, this
# column is interpreted as the destination icmp-type(s). ICMP types may be
# specified as a numeric type, a numeric type and code separated by a slash
# (e.g., 3/4), or a typename. See
# http://www.shorewall.net/configuration_file_basics.htm#ICMP.
#
# If the protocol is ipp2p, this column is interpreted as an ipp2p option
# without the leading "--" (example bit for bit-torrent). If no PORT is
# given, ipp2p is assumed.
#
# An entry in this field requires that the PROTO column specify icmp (1), tcp
# (6), udp (17), sctp (132) or udplite (136). Use '-' if any of the following
# fields is supplied.
#
# Beginning with Shorewall 4.6.0, an ipset name can be specified in this
# column. This is intended to be used with bitmap:port ipsets.
#
# This column was formerly named DEST PORT(S).
#
# SPORT - {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset}
#
# Optional source port(s). If omitted, any source port is acceptable.
# Specified as a comma-separated list of port names, port numbers or port
# ranges.
#
# An entry in this field requires that the PROTO column specify tcp (6), udp
# (17), sctp (132) or udplite (136). Use '-' if any of the following fields
# is supplied.
#
# Beginning with Shorewall 4.5.15, you may place '=' in this column, provided
# that the DPORT column is non-empty. This causes the rule to match when
# either the source port or the destination port in a packet matches one of
# the ports specified in the DPORT column. Use of '=' requires multi-port
# match in your iptables and kernel.
#
# Beginning with Shorewall 4.6.0, an ipset name can be specified in this
# column. This is intended to be used with bitmap:port ipsets.
#
# This column was formerly labelled SOURCE PORT(S).
#
# USER - [!][user-name-or-number][:group-name-or-number][+program-name]
#
# This optional column may only be non-empty if the SOURCE is the firewall
# itself.
#
# When this column is non-empty, the rule applies only if the program
# generating the output is running under the effective user and/or group
# specified (or is NOT running under that id if "!" is given).
#
# Examples:
#
# joe
#
# program must be run by joe
#
# :kids
#
# program must be run by a member of the 'kids' group
#
# !:kids
#
# program must not be run by a member of the 'kids' group
#
# +upnpd
#
# program named upnpd
#
# Important
#
# The ability to specify a program name was removed from Netfilter in
# kernel version 2.6.14.
#
# TEST - [!]value[/mask][:C]
#
# Optional - Defines a test on the existing packet or connection mark. The
# rule will match only if the test returns true.
#
# If you don't want to define a test but need to specify anything in the
# following columns, place a "-" in this field.
#
# !
#
# Inverts the test (not equal)
#
# value
#
# Value of the packet or connection mark.
#
# mask
#
# A mask to be applied to the mark before testing.
#
# :C
#
# Designates a connection mark. If omitted, the packet mark's value is
# tested.
#
# LENGTH - [length|[min]:[max]]
#
# Optional - packet payload length. This field, if present, allows you to
# match the length of a packet payload (Layer 4 data) against a specific value
# or range of values. You must have iptables length support for this to work.
# A range is specified in the form min:max where either min or max (but not
# both) may be omitted. If min is omitted, then 0 is assumed; if max is
# omitted, then any packet that is min or longer will match.
#
# TOS - tos
#
# Type of service. Either a standard name, or a numeric value to match.
#
# Minimize-Delay (16)
# Maximize-Throughput (8)
# Maximize-Reliability (4)
# Minimize-Cost (2)
# Normal-Service (0)
#
# CONNBYTES - [!]min:[max[:{O|R|B}[:{B|P|A}]]]
#
# Optional connection Bytes; defines a byte or packet range that the
# connection must fall within in order for the rule to match.
#
# A packet matches if the packet/byte count is within the range defined
# by min and max (unless ! is given in which case, a packet matches if the
# packet/byte count is not within the range). min is an integer which defines
# the beginning of the byte/packet range. max is an integer which defines the
# end of the byte/packet range; if omitted, only the beginning of the range
# is checked. The first letter gives the direction which the range refers to:
#
# O - The original direction of the connection.
#
# R - The opposite direction from the original connection.
#
# B - The total of both directions.
#
# If omitted, B is assumed.
#
# The second letter determines what the range refers to.
#
# B - Bytes
#
# P - Packets
#
# A - Average packet size.
#
# If omitted, B is assumed.
#
# HELPER - helper
#
# Names a Netfilter protocol helper module such as ftp, sip, amanda, etc. A
# packet will match if it was accepted by the named helper module.
#
# Example: Mark all FTP data connections with mark 4:
#
# #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER
# 4:T 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftp
#
# PROBABILITY - [probability]
#
# Added in Shorewall 4.5.0. When non-empty, requires the Statistics Match
# capability in your kernel and ip6tables and causes the rule to match
# randomly but with the given probability. The probability is a number 0 <
# probability <= 1 and may be expressed at up to 8 decimal points of
# precision.
#
# DSCP - [[!]dscp]
#
# Added in Shorewall 4.5.1. When non-empty, match packets whose
# Differentiated Service Code Point field matches the supplied value (when '!
# ' is given, the rule matches packets whose DSCP field does not match the
# supplied value). The dscp value may be given as an even number (hex or
# decimal) or as the name of a DSCP class. Valid class names and their
# associated hex numeric values are:
#
# CS0 => 0x00
# CS1 => 0x08
# CS2 => 0x10
# CS3 => 0x18
# CS4 => 0x20
# CS5 => 0x28
# CS6 => 0x30
# CS7 => 0x38
# BE => 0x00
# AF11 => 0x0a
# AF12 => 0x0c
# AF13 => 0x0e
# AF21 => 0x12
# AF22 => 0x14
# AF23 => 0x16
# AF31 => 0x1a
# AF32 => 0x1c
# AF33 => 0x1e
# AF41 => 0x22
# AF42 => 0x24
# AF43 => 0x26
# EF => 0x2e
#
# STATE - {NEW|RELATED|ESTABLISHED|INVALID}[,...]
#
# The rule will only match if the packet's connection is in one of the listed
# states.
#
# TIME - timeelement[&timeelement...]
#
# Added in Shorewall 4.6.2.
#
# May be used to limit the rule to a particular time period each day, to
# particular days of the week or month, or to a range defined by dates and
# times. Requires time match support in your kernel and ip6tables.
#
# timeelement may be:
#
# timestart=hh:mm[:ss]
#
# Defines the starting time of day.
#
# timestop=hh:mm[:ss]
#
# Defines the ending time of day.
#
# contiguous
#
# Added in Shorewall 5.0.12. When timestop is smaller than timestart,
# match this as a single time period instead of distinct intervals.
#
# utc
#
# Times are expressed in Greenwich Mean Time.
#
# localtz
#
# Deprecated by the Netfilter team in favor of kerneltz. Times are
# expressed in Local Civil Time (default).
#
# kerneltz
#
# Added in Shorewall 4.5.2. Times are expressed in Local Kernel Time
# (requires iptables 1.4.12 or later).
#
# weekdays=ddd[,ddd]...
#
# where ddd is one of Mon, Tue, Wed, Thu, Fri, Sat or Sun
#
# monthdays=dd[,dd],...
#
# where dd is an ordinal day of the month
#
# datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
#
# Defines the starting date and time.
#
# datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
#
# Defines the ending date and time.
#
# SWITCH - [!]switch-name[={0|1}]
#
# Added in Shorewall 5.1.0 and allows enabling and disabling the rule without
# requiring shorewall restart.
#
# The rule is enabled if the value stored in /proc/net/nf_condition/
# switch-name is 1. The rule is disabled if that file contains 0 (the
# default). If '!' is supplied, the test is inverted such that the rule is
# enabled if the file contains 0.
#
# Within the switch-name, '@0' and '@{0}' are replaced by the name of the
# chain to which the rule is added. The switch-name (after '@...'
# expansion) must begin with a letter and be composed of letters, decimal
# digits, underscores or hyphens. Switch names must be 30 characters or less
# in length.
#
# Switches are normally off. To turn a switch on:
#
# echo 1 > /proc/net/nf_condition/switch-name
#
# To turn it off again:
#
# echo 0 > /proc/net/nf_condition/switch-name
#
# Switch settings are retained over shorewall restart.
#
# When the switch-name is followed by =0 or =1, then the switch is
# initialized to off or on respectively by the start command. Other commands
# do not affect the switch setting.
#
# Example
#
# IPv4 Example 1:
#
# Mark all ICMP echo traffic with packet mark 1. Mark all peer to peer
# traffic with packet mark 4.
#
# This is a little more complex than otherwise expected. Since the ipp2p
# module is unable to determine all packets in a connection are P2P packets,
# we mark the entire connection as P2P if any of the packets are determined
# to match.
#
# We assume packet/connection mark 0 means unclassified.
#
# #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
# MARK(1):T 0.0.0.0/0 0.0.0.0/0 icmp echo-request
# MARK(1):T 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
# RESTORE:T 0.0.0.0/0 0.0.0.0/0 all - - - 0
# CONTINUE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0
# MARK(4):T 0.0.0.0/0 0.0.0.0/0 ipp2p:all
# SAVE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0
#
# If a packet hasn't been classified (packet mark is 0), copy the connection
# mark to the packet mark. If the packet mark is set, we're done. If the
# packet is P2P, set the packet mark to 4. If the packet mark has been set,
# save it to the connection mark.
#
# IPv4 Example 2:
#
# SNAT outgoing connections on eth0 from 192.168.1.0/24 in round-robin
# fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9 (Shorewall 4.5.9
# and later).
#
# /etc/shorewall/mangle:
#
# #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
# CONNMARK(1-3):F 192.168.1.0/24 eth0 ; state=NEW
#
# /etc/shorewall/snat:
#
# #ACTION SOURCE DEST ...
# SNAT(1.1.1.1) eth0:192.168.1.0/24 - { mark=1:C }
# SNAT(1.1.1.3) eth0:192.168.1.0/24 - { mark=2:C }
# SNAT(1.1.1.4) eth0:192.168.1.0/24 - { mark=3:C }
#
# IPv6 Example 1:
#
# Mark all ICMP echo traffic with packet mark 1. Mark all peer to peer
# traffic with packet mark 4.
#
# This is a little more complex than otherwise expected. Since the ipp2p
# module is unable to determine all packets in a connection are P2P packets,
# we mark the entire connection as P2P if any of the packets are determined
# to match.
#
# We assume packet/connection mark 0 means unclassified.
#
# #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
# MARK(1):T ::/0 ::/0 icmp echo-request
# MARK(1):T ::/0 ::/0 icmp echo-reply
# RESTORE:T ::/0 ::/0 all - - - 0
# CONTINUE:T ::/0 ::/0 all - - - !0
# MARK(4):T ::/0 ::/0 ipp2p:all
# SAVE:T ::/0 ::/0 all - - - !0
#
# If a packet hasn't been classified (packet mark is 0), copy the connection
# mark to the packet mark. If the packet mark is set, we're done. If the
# packet is P2P, set the packet mark to 4. If the packet mark has been set,
# save it to the connection mark.
#
##############################################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP SWITCH