{"id":4610,"date":"2022-12-20T18:09:16","date_gmt":"2022-12-20T21:09:16","guid":{"rendered":"http:\/\/lode.uno\/linux-man\/index.php\/2022\/12\/20\/shorewallmangle-man5\/"},"modified":"2022-12-20T18:09:16","modified_gmt":"2022-12-20T21:09:16","slug":"shorewallmangle-man5","status":"publish","type":"post","link":"https:\/\/lode.uno\/linux-man\/2022\/12\/20\/shorewallmangle-man5\/","title":{"rendered":"SHOREWALL−MANGLE (man5)"},"content":{"rendered":"

SHOREWALL\u2212MANGLE<\/h1>\n

NAME<\/a>
SYNOPSIS<\/a>
DESCRIPTION<\/a>
EXAMPLE<\/a>
FILES<\/a>
SEE ALSO<\/a>
NOTES<\/a> <\/p>\n

\n

NAME <\/a> <\/h2>\n

mangle \u2212 Shorewall Packet marking\/mangling rules file<\/p>\n

SYNOPSIS <\/a> <\/h2>\n\n\n
<\/td>\n\n

\/etc\/shorewall[6]\/mangle<\/b><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

DESCRIPTION <\/a> <\/h2>\n

This file was introduced in Shorewall 4.6.0 and replaces shorewall\u2212tcrules(5)<\/font><\/b> [1]<\/font><\/small> . This file is only processed by the compiler if:<\/font><\/p>\n

Entries in this file cause packets to be marked as a means of classifying them for traffic control or policy routing.<\/font><\/p>\n

Important<\/big><\/b>
Unlike rules in the<\/font> shorewall\u2212rules<\/font><\/b> [2]<\/font><\/small> (5) file, evaluation of rules in this file will continue after a match. So the final mark for each packet will be the one assigned by the LAST tcrule that matches.<\/font><\/p>\n

If you use multiple internet providers with the ‘track’ option, in \/etc\/shorewall\/providers be sure to read the restrictions at<\/font> https:\/\/shorewall.org\/MultiISP.html<\/font><\/b> [3]<\/font><\/small> .<\/font><\/p>\n

The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax).<\/font><\/p>\n

ACTION<\/b> \u2212 command<\/i>[(parameters<\/i>)][:chain\u2212designator<\/i>]<\/font><\/p>\n

The chain\u2212designator<\/i> indicates the Netfilter chain that the entry applies to and may be one of the following:<\/font><\/p>\n

P<\/font><\/p>\n

PREROUTING chain.<\/font><\/p>\n

F<\/font><\/p>\n

FORWARD chain.<\/font><\/p>\n

T<\/font><\/p>\n

POSTROUTING chain.<\/font><\/p>\n

I<\/font><\/p>\n

INPUT chain.<\/font><\/p>\n

NP<\/font><\/p>\n

PREROUTING chain in the nat table.<\/font><\/p>\n

NI<\/font><\/p>\n

INPUT chain in the nat table.<\/font><\/p>\n

NO<\/font><\/p>\n

OUTPUT chain in the nat table.<\/font><\/p>\n

NT<\/font><\/p>\n

POSTROUTING chain in the nat table.<\/font><\/p>\n

The nat table designators were added in Shorewall 5.2.1. When a nat table designator is given, only the CONNMARK, MARK, SAVE and RESTORE commands may be used.<\/font><\/p>\n

Unless otherwise specified for the particular command<\/i>, the default chain is PREROUTING when MARK_IN_FORWARD_CHAIN=No in<\/font> shorewall.conf(5)<\/font><\/b> [4]<\/font><\/small> , and FORWARD when MARK_IN_FORWARD_CHAIN=Yes.<\/font><\/p>\n

A chain\u2212designator<\/i> may not be specified if the SOURCE or DEST columns begin with ‘$FW’. When the SOURCE is $FW, the generated rule is always placed in the OUTPUT chain. If DEST is ‘$FW’, then the rule is placed in the INPUT chain. Additionally, a chain\u2212designator<\/i> may not be specified in an action body.<\/font><\/p>\n

Where a command takes parameters, those parameters are enclosed in parentheses (“(….)”) and separated by commas.<\/font><\/p>\n

The command<\/i> may be one of the following.<\/font><\/p>\n

action<\/i>[([<\/b>param<\/i>[,…])]<\/b><\/font><\/p>\n

Added in Shorewall 5.0.7. action<\/i> must be an action declared with the mangle<\/b> option in<\/font> shorewall\u2212actions(5)<\/font><\/b> [5]<\/font><\/small> . If the action accepts parameters, they are specified as a comma\u2212separated list within parentheses following the action<\/i> name.<\/font><\/p>\n

ADD(<\/b>ipset<\/i>:<\/b>flags<\/i>)<\/b><\/font><\/p>\n

Added in Shorewall 4.6.7. Causes addresses and\/or port numbers to be added to the named ipset<\/i>. The flags<\/i> specify the address or tuple to be added to the set and must match the type of ipset involved. For example, for an iphash ipset, either the SOURCE or DESTINATION address can be added using flags<\/i> src<\/b> or dst<\/b> respectively (see the \u2212A command in ipset (8)).<\/font><\/p>\n

ADD is non\u2212terminating. Even if a packet matches the rule, it is passed on to the next rule.<\/font><\/p>\n

CHECKSUM<\/b><\/font><\/p>\n

Compute and fill in the checksum in a packet that lacks a checksum. This is particularly useful if you need to work around old applications, such as dhcp clients, that do not work well with checksum offloads, but you don’t want to disable checksum offload in your device.<\/font><\/p>\n

Requires ‘Checksum Target’ support in your kernel and iptables.<\/font><\/p>\n

CLASSIFY(<\/b>classid<\/i>)<\/b><\/font><\/p>\n

A classification Id (classid) is of the form major<\/i>:minor<\/i> where major<\/i> and minor<\/i> are integers. Corresponds to the ‘class’ specification in these traffic shaping modules:<\/font><\/p>\n

atm
cbq
dsmark
pfifo_fast
htb
prio<\/font><\/p>\n

Classification occurs in the POSTROUTING chain except when the SOURCE<\/b> is $FW<\/b>[:address<\/i>] in which case classification occurs in the OUTPUT chain.<\/font><\/p>\n

When using Shorewall’s built\u2212in traffic shaping tool, the major<\/i> class is the device number (the first device in<\/font> shorewall\u2212tcdevices<\/font><\/b> [6]<\/font><\/small> (5) is major class 1, the second device is major class 2, and so on) and the minor<\/i> class is the class’s MARK value in<\/font> shorewall\u2212tcclasses<\/font><\/b> [7]<\/font><\/small> (5) preceded by the number 1 (MARK 1 corresponds to minor class 11, MARK 5 corresponds to minor class 15, MARK 22 corresponds to minor class 122, etc.).<\/font><\/p>\n

?COMMENT<\/b><\/font><\/p>\n

The rest of the line will be attached as a comment to the Netfilter rule(s) generated by the following entries. The comment will appear delimited by “\/* … *\/” in the output of shorewall show mangle<\/b><\/font><\/p>\n

To stop the comment from being attached to further rules, simply include ?COMMENT on a line by itself.<\/font><\/p>\n

CONMARK({mark|range})<\/b><\/font><\/p>\n

Identical to MARK with the exception that the mark is assigned to connection to which the packet belongs is marked rather than to the packet itself.<\/font><\/p>\n

CONTINUE<\/b><\/font><\/p>\n

Don’t process any more marking rules in the table.<\/font><\/p>\n

Currently, CONTINUE may not be used with exclusion<\/i> (see the SOURCE and DEST columns below); that restriction will be removed when iptables\/Netfilter provides the necessary support.<\/font><\/p>\n

DEL(<\/b>ipset<\/i>:<\/b>flags<\/i>)<\/b><\/font><\/p>\n

Added in Shorewall 4.6.7. Causes an entry to be deleted from the named ipset<\/i>. The flags<\/i> specify the address or tuple to be deleted from the set and must match the type of ipset involved. For example, for an iphash ipset, either the SOURCE or DESTINATION address can be deleted using flags<\/i> src<\/b> or dst<\/b> respectively (see the \u2212D command in ipset (8)).<\/font><\/p>\n

DEL is non\u2212terminating. Even if a packet matches the rule, it is passed on to the next rule.<\/font><\/p>\n

DIVERT<\/b><\/font><\/p>\n

Two DIVERT rule should precede the TPROXY rule and should select DEST PORT tcp 80 and SOURCE PORT tcp 80 respectively (assuming that tcp port 80 is being proxied). DIVERT avoids sending packets to the TPROXY target once a socket connection to Squid3 has been established by TPROXY. DIVERT marks the packet with a unique mark and exempts it from any rules that follow.<\/font><\/p>\n

DIVERTHA<\/b><\/font><\/p>\n

Added in Shorewall 5.0.4. To setup the HAProxy configuration described at<\/font> http:\/\/www.loadbalancer.org\/blog\/setting\u2212up\u2212haproxy\u2212with\u2212transparent\u2212mode\u2212on\u2212centos\u22126\u2212x<\/font><\/b>, place this entry in<\/font> shorewall\u2212providers(5)<\/font><\/b> [8]<\/font><\/small> :<\/font><\/p>\n

#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
TProxy 1 \u2212 \u2212 lo \u2212 tproxy<\/font><\/p>\n

and use this DIVERTHA entry:<\/font><\/p>\n

#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP
DIVERTHA \u2212 \u2212 tcp<\/font><\/p>\n

DROP<\/b><\/font><\/p>\n

Causes matching packets to be discarded.<\/font><\/p>\n

DSCP<\/b>(dscp<\/i>)<\/font><\/p>\n

Sets the Differentiated Services Code Point field in the IP header. The dscp<\/i> value may be given as an even number (hex or decimal) or as the name of a DSCP class. Valid class names and their associated hex numeric values are:<\/font><\/p>\n

CS0 => 0x00
CS1 => 0x08
CS2 => 0x10
CS3 => 0x18
CS4 => 0x20
CS5 => 0x28
CS6 => 0x30
CS7 => 0x38
BE => 0x00
AF11 => 0x0a
AF12 => 0x0c
AF13 => 0x0e
AF21 => 0x12
AF22 => 0x14
AF23 => 0x16
AF31 => 0x1a
AF32 => 0x1c
AF33 => 0x1e
AF41 => 0x22
AF42 => 0x24
AF43 => 0x26
EF => 0x2e<\/font><\/p>\n

To indicate more than one class, add their hex values together and specify the result. By default, DSCP rules are placed in the POSTROUTING chain.<\/font><\/p>\n

ECN<\/b><\/font><\/p>\n

Added in Shorewall 5.0.6 as an alternative to entries in<\/font> shorewall\u2212ecn(5)<\/font><\/b> [9]<\/font><\/small> . If a PROTO is specified, it must be ‘tcp’ (6). If no PROTO is supplied, TCP is assumed. This action causes all ECN bits in the TCP header to be cleared.<\/font><\/p>\n

IMQ<\/b>(number<\/i>)<\/font><\/p>\n

Specifies that the packet should be passed to the IMQ identified by number<\/i>. Requires IMQ Target support in your kernel and iptables.<\/font><\/p>\n

INLINE<\/b>[(action<\/i>)]<\/font><\/p>\n

Allows you to place your own ip[6]tables matches at the end of the line following a semicolon (“;”) (deprecated) or two semicolons (“;;”) (preferred since Shoreall 5.0.0). If an action<\/i> is specified, the compiler proceeds as if that action<\/i> had been specified in this column. If no action is specified, then you may include your own jump (“\u2212j target<\/i> [option<\/i>] …”) after any matches specified at the end of the rule. If the target is not one known to Shorewall, then it must be defined as a builtin action in<\/font> shorewall\u2212actions<\/font><\/b> [10]<\/font><\/small> (5).<\/font><\/p>\n

The following rules are equivalent:<\/font><\/p>\n

2:P eth0 \u2212 tcp 22
INLINE(MARK(2)):P eth0 \u2212 tcp 22
INLINE(MARK(2)):P eth0 \u2212 ;; \u2212p tcp
INLINE eth0 \u2212 tcp 22 ;; \u2212j MARK \u2212\u2212set\u2212mark 2
INLINE eth0 \u2212 ;; \u2212p tcp \u2212j MARK \u2212\u2212set\u2212mark 2<\/font><\/p>\n

IPMARK<\/b><\/font><\/p>\n

Assigns a mark to each matching packet based on the either the source or destination IP address. By default, it assigns a mark value equal to the low\u2212order 8 bits of the source address. Default values are:<\/font><\/p>\n

src
mask1<\/i> = 0xFF
mask2<\/i> = 0x00
shift<\/i> = 0<\/font><\/p>\n

‘src’ and ‘dst’ specify whether the mark is to be based on the source or destination address respectively. The selected address is first shifted to the right by shift<\/i> bits. The result is then LANDed with mask1<\/i> then LORed with mask2<\/i>.<\/font><\/p>\n

In a sense, the IPMARK target is more like an IPCLASSIFY target in that the mark value is later interpreted as a class ID. A packet mark is 32 bits wide; so is a class ID. The class occupies the high\u2212order 16 bits and the class occupies the low\u2212order 16 bits. So the class ID 1:4ff (remember that class IDs are always in hex) is equivalent to a mark value of 0x104ff. Remember that Shorewall uses the interface number as the number where the first interface in tcdevices has number 1, the second has number 2, and so on.<\/font><\/p>\n

The IPMARK target assigns a mark to each matching packet based on the either the source or destination IP address. By default, it assigns a mark value equal to the low\u2212order 8 bits of the source address. The syntax is as follows: IPMARK<\/b>[([{src<\/b>|dst<\/b>}][,[mask1<\/i>][,[mask2<\/i>][,[shift<\/i>]]]])] Default values are:<\/font><\/p>\n

src<\/b>
mask1<\/i> = 0xFF
mask2<\/i> = 0x00
shift<\/i> = 0<\/font><\/p>\n

src<\/b> and dst<\/b> specify whether the mark is to be based on the source or destination address respectively. The selected address is first shifted right by shift<\/i>, then LANDed with mask1<\/i> and then LORed with mask2<\/i>. The shift<\/i> argument is intended to be used primarily with IPv6 addresses.<\/font><\/p>\n

Example: IPMARK(src,0xff,0x10100)<\/font><\/p>\n

Suppose that the source IP address is 192.168.4.3
= 0xc0a80403; then
0xc0a80403 >> 0 = 0xc0a80403
0xc0a80403 LAND 0xFF = 0x03
0x03 LOR 0x10100 = 0x10103 or class ID
1:103<\/font><\/p>\n

It is important to realize that, while class IDs are composed of a major<\/i> and a minor<\/i> value, the set of values must be unique. That is, the same numeric value cannot be used as both a major<\/i> and a minor<\/i> number for the same interface unless class nesting occurs (which is not currently possible with Shorewall). You should keep this in mind when deciding how to map IP addresses to class IDs.<\/font><\/p>\n

For example, suppose that your internal network is 192.168.1.0\/29 (host IP addresses 192.168.1.1 \u2212 192.168.1.6). Your first notion might be to use IPMARK(src,0xFF,0x10000) so as to produce class IDs 1:1 through 1:6. But 1:1 is an invalid class ID since the major<\/i> and minor<\/i> classes are equal. So you might choose instead to use IPMARK(src,0xFF,0x10100) as in the example above so that all of your minor<\/i> classes will have a value > 256.<\/font><\/p>\n

IP6TABLES({<\/b>target<\/i> [<\/b>option<\/i> …])<\/b><\/font><\/p>\n

IPv6 only.<\/font><\/p>\n

This action allows you to specify an iptables target with options (e.g., ‘IP6TABLES(MARK \u2212\u2212set\u2212xmark 0x01\/0xff)’. If the target is not one recognized by Shorewall, the following error message will be issued:<\/font><\/p>\n

ERROR: Unknown target
(target<\/i>)<\/font><\/p>\n

This error message may be eliminated by adding the target<\/i> as a builtin action in<\/font> shorewall\u2212actions(5)<\/font><\/b> [10]<\/font><\/small> .<\/font><\/p>\n

IPTABLES({<\/b>target<\/i> [<\/b>option<\/i> …])<\/b><\/font><\/p>\n

IPv4 only.<\/font><\/p>\n

This action allows you to specify an iptables target with options (e.g., ‘IPTABLES(MARK \u2212\u2212set\u2212xmark 0x01\/0xff)’. If the target is not one recognized by Shorewall, the following error message will be issued:<\/font><\/p>\n

ERROR: Unknown target
(target<\/i>)<\/font><\/p>\n

This error message may be eliminated by adding the target<\/i> as a builtin action in<\/font> shorewall\u2212actions(5)<\/font><\/b> [10]<\/font><\/small> .<\/font><\/p>\n

MARK({<\/b>mark<\/i>|<\/b>range<\/i>})<\/b><\/font><\/p>\n

where mark<\/i> is a packet mark value.<\/font><\/p>\n

Normally will set the mark value. If preceded by a vertical bar (“|”), the mark value will be logically ORed with the current mark value to produce a new mark value. If preceded by an ampersand (“&”), will be logically ANDed with the current mark value to produce a new mark value.<\/font><\/p>\n

Both “|” and “&” require Extended MARK Target support in your kernel and iptables.<\/font><\/p>\n

The mark value may be optionally followed by “\/” and a mask value (used to determine those bits of the connection mark to actually be set). When a mask is specified, the result of logically ANDing the mark value with the mask must be the same as the mark value.<\/font><\/p>\n

A mark range<\/i> is a pair of integers separated by a dash (“\u2212”).<\/font><\/p>\n

May be optionally followed by a slash (“\/”) and a mask and requires the Statistics Match capability in iptables and kernel. Marks in the specified range are assigned to packets on a round\u2212robin fashion.<\/font><\/p>\n

When a mask is specified, the result of logically ANDing each mark value with the mask must be the same as the mark value. The least significant bit in the mask is used as an increment. For example, if ‘0x200\u22120x400\/0xff00’ is specified, then the assigned mark values are 0x200, 0x300 and 0x400 in equal proportions. If no mask is specified, then ( 2 bodies manpages.csv script_extrae_body.sh script.sh usr MASK_BITS ) \u2212 1 is assumed (MASK_BITS is set in<\/font> shorewall.conf<\/font><\/b> [4]<\/font><\/small> (5)).<\/font><\/p>\n

NFLOG<\/b>[(nflog\u2212parameters<\/i>)]<\/font><\/p>\n

Added in Shorewall 5.0.9. Logs matching packets using NFLOG. The nflog\u2212parameters<\/i> are a comma\u2212separated list of up to 3 numbers:<\/font><\/p>\n

\u2022 The first number specifies the netlink group (0\u221265535). If omitted (e.g., NFLOG(,0,10)) then a value of 0 is assumed.<\/font><\/p>\n

\u2022 The second number specifies the maximum number of bytes to copy. If omitted, 0 (no limit) is assumed.<\/font><\/p>\n

\u2022 The third number specifies the number of log messages that should be buffered in the kernel before they are sent to user space. The default is 1.<\/font><\/p>\n

RESTORE<\/b>[(mask<\/i>)]<\/font><\/p>\n

Restore the packet’s mark from the connection’s mark using the supplied mask if any. Your kernel and iptables must include CONNMARK support.<\/font><\/p>\n

SAME[(<\/b>timeout<\/i>)]<\/b><\/font><\/p>\n

Some websites run applications that require multiple connections from a client browser. Where multiple ‘balanced’ providers are configured, this can lead to problems when some of the connections are routed through one provider and some through another. The SAME target allows you to work around that problem. SAME may be used in the PREROUTING and OUTPUT chains. When used in PREROUTING, it causes matching connections from an individual local system to all use the same provider. For example:<\/font><\/p>\n

#ACTION SOURCE DEST PROTO DPORT
SAME:P 192.168.1.0\/24 0.0.0.0\/0 tcp 80,443<\/font><\/p>\n

If a host in 192.168.1.0\/24 attempts a connection on TCP port 80 or 443 and it has sent a packet on either of those ports in the last five minutes then the new connection will use the same provider as the connection over which that last packet was sent.<\/font><\/p>\n

When used in the OUTPUT chain, it causes all matching connections to an individual remote system to all use the same provider. For example:<\/font><\/p>\n

#ACTION SOURCE DEST PROTO DPORT
SAME $FW 0.0.0.0\/0 tcp 80,443<\/font><\/p>\n

The optional timeout<\/i> parameter was added in Shorewall 4.6.7 and specifies a number of seconds . When not specified, a value of 300 seconds (5 minutes) is assumed. If the firewall attempts a connection on TCP port 80 or 443 and it has sent a packet on either of those ports in the last timeout<\/i> seconds to the same remote system then the new connection will use the same provider as the connection over which that last packet was sent.<\/font><\/p>\n

SAVE[(<\/b>mask)<\/i>]<\/b><\/font><\/p>\n

Save the packet’s mark to the connection’s mark using the supplied mask if any. Your kernel and iptables must include CONNMARK support.<\/font><\/p>\n

TCPMSS<\/b>([mss<\/i>[,ipsec<\/i>]])<\/font><\/p>\n

Added in Shorewall 5.1.9. This target only applies to TCP traffic and alters the MSS value in SYN packets. It may be used in the FORWARD and POSTROUTING chains; the default is FORWARD.<\/font><\/p>\n

The mss<\/i> parameter may be either pmtu<\/b> or an integer in the range 500:65533. The value pmtu<\/b> automatically clamps the MSS value to (path_MTU \u2212 40 for IPv4; \u221260 for IPv6). This may not function as desired where asymmetric routes with differing path MTU exist \u2014 the kernel uses the path MTU which it would use to send packets from itself to the source and destination IP addresses. Prior to Linux 2.6.25, only the path MTU to the destination IP address was considered by this option; subsequent kernels also consider the path MTU to the source IP address. If an integer is given, the MSS option is set to the specified value. If the MSS of the packet is already lower than mss<\/i>, it will not be increased (from Linux 2.6.25 onwards) to avoid more problems with hosts relying on a proper MSS. If mss<\/i> is omitted, pmtu<\/b> is assumed.<\/font><\/p>\n

The ipsec<\/i> parameter determines whether the rule applies to IPSEC traffic (ipsec<\/b> is passed), non\u2212IPSEC traffic (none<\/b> is passed) or both (all<\/b> is passed). If omitted, all<\/b> is assumed.<\/font><\/p>\n

TOS<\/b>(tos<\/i>[\/mask<\/i>])<\/font><\/p>\n

Sets the Type of Service field in the IP header. The tos<\/i> value may be given as an number (hex or decimal) or as the name of a TOS type. Valid type names and their associated hex numeric values are:<\/font><\/p>\n

Minimize\u2212Delay => 0x10,
Maximize\u2212Throughput => 0x08,
Maximize\u2212Reliability => 0x04,
Minimize\u2212Cost => 0x02,
Normal\u2212Service => 0x00<\/font><\/p>\n

To indicate more than one class, add their hex values together and specify the result.<\/font><\/p>\n

When tos<\/i> is given as a number, it may be optionally followed by ‘\/’ and a mask<\/i>. When no mask<\/i> is given, the value 0xff is assumed. When tos<\/i> is given as a type name, the mask<\/i> 0x3f is assumed.<\/font><\/p>\n

The action performed is to zero out the bits specified by the mask<\/i>, then set the bits specified by tos<\/i>.<\/font><\/p>\n

TPROXY<\/b>([port<\/i>[,address<\/i>]])<\/font><\/p>\n

Transparently redirects a packet without altering the IP header. Requires a tproxy provider to be defined in<\/font> shorewall\u2212providers<\/font><\/b> [8]<\/font><\/small> (5).<\/font><\/p>\n

There are three parameters to TPROXY \u2212 neither is required:<\/font><\/p>\n

\u2022 port<\/i> \u2212 the port on which the proxy server is listening. If omitted, the original destination port.<\/font><\/p>\n

\u2022 address<\/i> \u2212 a local (to the firewall) IP address on which the proxy server is listening. If omitted, the IP address of the interface on which the request arrives.<\/font><\/p>\n

TTL<\/b>([\u2212<\/b>|+<\/b>]number<\/i>)<\/font><\/p>\n

If +<\/b> is included, packets matching the rule will have their TTL incremented by number<\/i>. Similarly, if \u2212<\/b> is included, matching packets have their TTL decremented by number<\/i>. If neither +<\/b> nor \u2212<\/b> is given, the TTL of matching packets is set to number<\/i>. The valid range of values for number<\/i> is 1\u2212255.<\/font><\/p>\n

SOURCE \u2212 {\u2212|<\/b>source\u2212spec<\/i>[,…]}<\/b><\/font><\/p>\n

where source\u2212spec<\/i> is one of:<\/font><\/p>\n

[!]interface<\/i><\/font><\/p>\n

where interface<\/i> is the logical name of an interface<\/i> defined in<\/font> shorewall\u2212interfaces<\/font><\/b> [11]<\/font><\/small> (5). Matches packets entering the firewall from the named interface. May not be used in CLASSIFY rules or in rules using the :T chain qualifier.<\/font><\/p>\n

Beginning with Shorweall 5.2.1, the interface<\/i> may be preceded with ‘!’ which matches all interfaces except the one specified.<\/font><\/p>\n

address<\/i>[,…][exclusion<\/i>]<\/font><\/p>\n

where address<\/i> is: A host or network IP address.<\/font><\/p>\n

The name of an ipset preceded by a plus sign (“+”).<\/font><\/p>\n

A MAC address in Shorewall format (preceded by a tilde (“~”) and using dash (“\u2212”) as a separator (e.g., ~00\u2212A0\u2212C9\u221215\u221239\u221278). Matches traffic whose source IP address matches one of the listed addresses and that does not match an address listed in the exclusion<\/i> (see<\/font> shorewall\u2212exclusion<\/font><\/b> [12]<\/font><\/small> (5)).<\/font><\/p>\n

This form will not match traffic that originates on the firewall itself unless either or the :T chain qualifier is used in the ACTION column.<\/b><\/font><\/p>\n

[!]interface<\/i>:address<\/i>,[…][exclusion<\/i>]<\/font><\/p>\n

This form combines the preceding two forms and matches when both the incoming interface and source IP address match.<\/font><\/p>\n

Beginning with Shorweall 5.2.1, the interface<\/i> may be preceded with ‘!’ which matches all interfaces except the one specified.<\/font><\/p>\n

[!]interface<\/i>:exclusion<\/i><\/font><\/p>\n

This form matches packets arriving through the named interface<\/i> and whose source IP address does not match any of the addresses in the exclusion<\/i>.<\/font><\/p>\n

Beginning with Shorweall 5.2.1, the interface<\/i> may be preceded with ‘!’ which matches all interfaces except the one specified.<\/font><\/p>\n

$FW<\/font><\/p>\n

Matches packets originating on the firewall system. May not be used with a chain qualifier (:P, :F, etc.) in the ACTION column.<\/font><\/p>\n

$FW:address<\/i>[,…][exclusion<\/i>]<\/font><\/p>\n

where address<\/i> is as above (MAC addresses are not permitted). Matches packets originating on the firewall and whose source IP address matches one of the listed addresses and does not match any address listed in the exclusion<\/i>. May not be used with a chain qualifier (:P, :F, etc.) in the ACTION column.<\/font><\/p>\n

$FW:exclusion<\/i><\/font><\/p>\n

Matches traffic originating on the firewall, provided that the source IP address does not match any address listed in the exclusion<\/i>.<\/font><\/p>\n

Beginning with Shorewall 5.1.0, multiple source_spec<\/i>s, separated by commas, may be given provided that the following alternative forms are used: (address<\/i>[,…][exclusion<\/i>])<\/font><\/p>\n

interface<\/i>\ud83d\ude41address<\/i>[,…][exclusion<\/i>])<\/font><\/p>\n

interface<\/i>\ud83d\ude41exclusion<\/i>)<\/font><\/p>\n

$FW:(address<\/i>[,…][exclusion<\/i>])<\/font><\/p>\n

$FW:(exclusion<\/i>)<\/font><\/p>\n

DEST \u2212 {\u2212|<\/b>dest\u2212spec<\/i>[,…]}<\/b><\/font><\/p>\n

where dest\u2212spec<\/i> is one of:<\/font><\/p>\n

interface<\/i><\/font><\/p>\n

where interface<\/i> is the logical name of an interface defined in<\/font> shorewall\u2212interfaces<\/font><\/b> [11]<\/font><\/small> (5). Matches packets leaving the firewall through the named interface. May not be used in the PREROUTING chain (:P in the mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in<\/font> shorewall.conf<\/font><\/b> (5)).<\/font><\/p>\n

address<\/i>[,…][exclusion<\/i>]<\/font><\/p>\n

where address<\/i> is: A host or network IP address.<\/font><\/p>\n

The name of an ipset preceded by a plus sign (“+”).<\/font><\/p>\n

A MAC address in Shorewall format (preceded by a tilde (“~”) and using dash (“\u2212”) as a separator (e.g., ~00\u2212A0\u2212C9\u221215\u221239\u221278). Matches traffic whose destination IP address matches one of the listed addresses and that does not match an address listed in the exclusion<\/i> (see<\/font> shorewall\u2212exclusion<\/font><\/b> [12]<\/font><\/small> (5)).<\/font><\/p>\n

interface<\/i>:address<\/i>,[…][exclusion<\/i>]<\/font><\/p>\n

This form combines the preceding two forms and matches when both the outgoing interface and destination IP address match. May not be used in the PREROUTING chain (:P in the mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in<\/font> shorewall.conf<\/font><\/b> (5)).<\/font><\/p>\n

interface<\/i>:exclusion<\/i><\/font><\/p>\n

This form matches packets leaving through the named interface<\/i> and whose destination IP address does not match any of the addresses in the exclusion<\/i>. May not be used in the PREROUTING chain (:P in the mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in<\/font> shorewall.conf<\/font><\/b> (5)).<\/font><\/p>\n

$FW<\/font><\/p>\n

Matches packets originating on the firewall system. May not be used with a chain qualifier (:P, :F, etc.) in the ACTION column.<\/font><\/p>\n

$FW:address<\/i>[,…][exclusion<\/i>]<\/font><\/p>\n

where address<\/i> is as above (MAC addresses are not permitted). Matches packets destined for the firewall and whose destination IP address matches one of the listed addresses and does not match any address listed in the exclusion<\/i>. May not be used with a chain qualifier (:P, :F, etc.) in the ACTION column.<\/font><\/p>\n

$FW:exclusion<\/i><\/font><\/p>\n

Matches traffic destined for the firewall, provided that the destination IP address does not match any address listed in the exclusion<\/i>.<\/font><\/p>\n

Beginning with Shorewall 5.1.0, multiple dest_spec<\/i>s, separated by commas, may be given provided that the following alternative forms are used: (address<\/i>[,…][exclusion<\/i>])<\/font><\/p>\n

interface<\/i>\ud83d\ude41address<\/i>[,…][exclusion<\/i>])<\/font><\/p>\n

interface<\/i>\ud83d\ude41exclusion<\/i>)<\/font><\/p>\n

$FW:(address<\/i>[,…][exclusion<\/i>])<\/font><\/p>\n

$FW:(exclusion<\/i>)<\/font><\/p>\n

PROTO<\/b> \u2212 {\u2212<\/b>|{tcp:[!]syn<\/b>|ipp2p<\/b>|ipp2p:udp<\/b>|ipp2p:all<\/b>|protocol\u2212number<\/i>|protocol\u2212name<\/i>|all}[,…]}<\/b><\/font><\/p>\n

See<\/font> shorewall\u2212rules(5)<\/font><\/b> [2]<\/font><\/small> for details.<\/font><\/p>\n

Beginning with Shorewall 4.5.12, this column can accept a comma\u2212separated list of protocols.<\/font><\/p>\n

DPORT<\/b>\u2212 {\u2212<\/b>|port\u2212name\u2212number\u2212or\u2212range<\/i>[,<\/b>port\u2212name\u2212number\u2212or\u2212range<\/i>]…|+ipset<\/i>}<\/font><\/p>\n

Optional destination Ports. A comma\u2212separated list of Port names (from services(5)), port number<\/i>s or port range<\/i>s; if the protocol is icmp<\/b>, this column is interpreted as the destination icmp\u2212type(s). ICMP types may be specified as a numeric type, a numeric type and code separated by a slash (e.g., 3\/4), or a typename. See<\/font> https:\/\/shorewall.org\/configuration_file_basics.htm#ICMP<\/font><\/b> [13]<\/font><\/small> .<\/font><\/p>\n

If the protocol is ipp2p<\/b>, this column is interpreted as an ipp2p option without the leading “\u2212\u2212” (example bit<\/b> for bit\u2212torrent). If no PORT is given, ipp2p<\/b> is assumed.<\/font><\/p>\n

An entry in this field requires that the PROTO column specify icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use ‘\u2212’ if any of the following field is supplied.<\/font><\/p>\n

Beginning with Shorewall 4.6.0, an ipset<\/i> name can be specified in this column. This is intended to be used with bitmap:port ipsets.<\/font><\/p>\n

This column was formerly named DEST PORT(S).<\/font><\/p>\n

SPORT<\/b> \u2212 {\u2212<\/b>|port\u2212name\u2212number\u2212or\u2212range<\/i>[,<\/b>port\u2212name\u2212number\u2212or\u2212range<\/i>]…|+ipset<\/i>}<\/font><\/p>\n

Optional source port(s). If omitted, any source port is acceptable. Specified as a comma\u2212separated list of port names, port numbers or port ranges.<\/font><\/p>\n

An entry in this field requires that the PROTO column specify tcp (6), udp (17), sctp (132) or udplite (136). Use ‘\u2212’ if any of the following fields is supplied.<\/font><\/p>\n

Beginning with Shorewall 4.5.15, you may place ‘=’ in this column, provided that the DPORT column is non\u2212empty. This causes the rule to match when either the source port or the destination port in a packet matches one of the ports specified in DEST PORTS(S). Use of ‘=’ requires multi\u2212port match in your iptables and kernel.<\/font><\/p>\n

Beginning with Shorewall 4.6.0, an ipset<\/i> name can be specified in this column. This is intended to be used with bitmap:port ipsets.<\/font><\/p>\n

This column was formerly labelled SOURCE PORT(S).<\/font><\/p>\n

USER<\/b> \u2212 [!<\/b>][user\u2212name\u2212or\u2212number<\/i>][:<\/b>group\u2212name\u2212or\u2212number<\/i>][+<\/b>program\u2212name<\/i>]<\/font><\/p>\n

This optional column may only be non\u2212empty if the SOURCE is the firewall itself.<\/font><\/p>\n

When this column is non\u2212empty, the rule applies only if the program generating the output is running under the effective user<\/i> and\/or group<\/i> specified (or is NOT running under that id if “!” is given).<\/font><\/p>\n

Examples:<\/font><\/p>\n

joe<\/font><\/p>\n

program must be run by joe<\/font><\/p>\n

:kids<\/font><\/p>\n

program must be run by a member of the ‘kids’ group<\/font><\/p>\n

!:kids<\/font><\/p>\n

program must not be run by a member of the ‘kids’ group<\/font><\/p>\n

+upnpd<\/font><\/p>\n

#program named upnpd<\/font><\/p>\n

Important<\/big><\/b>
The ability to specify a program name was removed from Netfilter in kernel version 2.6.14.<\/font><\/p>\n

TEST<\/big><\/b> \u2212 [!<\/b>]value<\/i>[\/mask<\/i>][:C<\/b>]<\/big><\/font><\/p>\n

Optional \u2212 Defines a test on the existing packet or connection mark. The rule will match only if the test returns true.<\/big><\/font><\/p>\n

If you don’t want to define a test but need to specify anything in the following columns, place a “\u2212” in this field.<\/big><\/font><\/p>\n

!<\/big><\/font><\/p>\n

Inverts the test (not equal)<\/big><\/font><\/p>\n

value<\/i><\/big><\/font><\/p>\n

Value of the packet or connection mark.<\/big><\/font><\/p>\n

mask<\/i><\/big><\/font><\/p>\n

A mask to be applied to the mark before testing.<\/big><\/font><\/p>\n

:C<\/b><\/big><\/font><\/p>\n

Designates a connection mark. If omitted, the packet mark’s value is tested.<\/big><\/font><\/p>\n

LENGTH<\/b> \u2212 [length<\/i>|[min<\/i>]:<\/b>[max<\/i>]]<\/big><\/font><\/p>\n

Optional \u2212 packet payload length. This field, if present allow you to match the length of a packet payload (Layer 4 data ) against a specific value or range of values. You must have iptables length support for this to work. A range is specified in the form min<\/i>:max<\/i> where either min<\/i> or max<\/i> (but not both) may be omitted. If min<\/i> is omitted, then 0 is assumed; if max<\/i> is omitted, than any packet that is min<\/i> or longer will match.<\/big><\/font><\/p>\n

TOS<\/b> \u2212 tos<\/i><\/big><\/font><\/p>\n

Type of service. Either a standard name, or a numeric value to match.<\/big><\/font><\/p>\n

Minimize\u2212Delay<\/b> (16)
Maximize\u2212Throughput<\/b> (8)
Maximize\u2212Reliability<\/b> (4)
Minimize\u2212Cost<\/b> (2)
Normal\u2212Service<\/b> (0)<\/big><\/font><\/p>\n

CONNBYTES<\/b> \u2212 [!]min<\/i>:[max<\/i>[:{O<\/b>|R<\/b>|B<\/b>}[:{B<\/b>|P<\/b>|A<\/b>}]]]<\/big><\/font><\/p>\n

Optional connection Bytes; defines a byte or packet range that the connection must fall within in order for the rule to match.<\/big><\/font><\/p>\n

A packet matches if the the packet\/byte count is within the range defined by min<\/i> and max<\/i> (unless ! is given in which case, a packet matches if the packet\/byte count is not within the range). min<\/i> is an integer which defines the beginning of the byte\/packet range. max<\/i> is an integer which defines the end of the byte\/packet range; if omitted, only the beginning of the range is checked. The first letter gives the direction which the range refers to:O<\/b> \u2212 The original direction of the connection. .sp \u2212 The opposite direction from the original connection. .sp B<\/b> \u2212 The total of both directions.<\/big><\/font><\/p>\n

If omitted, B<\/b> is assumed.<\/big><\/font><\/p>\n

The second letter determines what the range refers to.B<\/b> \u2212 Bytes .sp P<\/b> \u2212 Packets .sp A<\/b> \u2212 Average packet size.If omitted, B<\/b> is assumed.<\/big><\/font><\/p>\n

HELPER \u2212<\/b> helper<\/i><\/big><\/font><\/p>\n

Names a Netfilter protocol helper module such as ftp<\/b>, sip<\/b>, amanda<\/b>, etc. A packet will match if it was accepted by the named helper module.<\/big><\/font><\/p>\n

Example: Mark all FTP data connections with mark 4:<\/big><\/font><\/p>\n

#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER
4:T 0.0.0.0\/0 0.0.0.0\/0 TCP \u2212 \u2212 \u2212 \u2212 \u2212 \u2212 \u2212 ftp<\/big><\/font><\/p>\n

PROBABILITY<\/b> \u2212 [probability<\/i>]<\/big><\/font><\/p>\n

Added in Shorewall 4.5.0. When non\u2212empty, requires the Statistics Match capability in your kernel and ip6tables and causes the rule to match randomly but with the given probability<\/i>. The probability<\/i> is a number 0 < probability<\/i> <= 1 and may be expressed at up to 8 decimal points of precision.<\/big><\/font><\/p>\n

DSCP \u2212<\/b> [[!]dscp<\/i>]<\/big><\/font><\/p>\n

Added in Shorewall 4.5.1. When non\u2212empty, match packets whose Differentiated Service Code Point field matches the supplied value (when ‘!’ is given, the rule matches packets whose DSCP field does not match the supplied value). The dscp<\/i> value may be given as an even number (hex or decimal) or as the name of a DSCP class. Valid class names and their associated hex numeric values are:<\/big><\/font><\/p>\n

CS0 => 0x00
CS1 => 0x08
CS2 => 0x10
CS3 => 0x18
CS4 => 0x20
CS5 => 0x28
CS6 => 0x30
CS7 => 0x38
BE => 0x00
AF11 => 0x0a
AF12 => 0x0c
AF13 => 0x0e
AF21 => 0x12
AF22 => 0x14
AF23 => 0x16
AF31 => 0x1a
AF32 => 0x1c
AF33 => 0x1e
AF41 => 0x22
AF42 => 0x24
AF43 => 0x26
EF => 0x2e<\/big><\/font><\/p>\n

STATE<\/b> \u2212\u2212 {NEW<\/b>|RELATED<\/b>|ESTABLISHED<\/b>|INVALID<\/b>} [,…]<\/big><\/font><\/p>\n

The rule will only match if the packet’s connection is in one of the listed states.<\/big><\/font><\/p>\n

TIME<\/b> \u2212 timeelement<\/i>[&timeelement<\/i>…]<\/big><\/font><\/p>\n

Added in Shorewall 4.6.2.<\/big><\/font><\/p>\n

May be used to limit the rule to a particular time period each day, to particular days of the week or month, or to a range defined by dates and times. Requires time match support in your kernel and ip6tables.<\/big><\/font><\/p>\n

timeelement<\/i> may be:<\/big><\/font><\/p>\n

timestart=hh<\/i>:mm<\/i>[:ss<\/i>]<\/big><\/font><\/p>\n

Defines the starting time of day.<\/big><\/font><\/p>\n

timestop=hh<\/i>:mm<\/i>[:ss<\/i>]<\/big><\/font><\/p>\n

Defines the ending time of day.<\/big><\/font><\/p>\n

contiguous<\/big><\/font><\/p>\n

Added in Shoreawll 5.0.12. When timestop<\/b> is smaller than timestart<\/b> value, match this as a single time period instead of distinct intervals.<\/big><\/font><\/p>\n

utc<\/big><\/font><\/p>\n

Times are expressed in Greenwich Mean Time.<\/big><\/font><\/p>\n

localtz<\/big><\/font><\/p>\n

Deprecated by the Netfilter team in favor of kerneltz<\/b>. Times are expressed in Local Civil Time (default).<\/big><\/font><\/p>\n

kerneltz<\/big><\/font><\/p>\n

Added in Shorewall 4.5.2. Times are expressed in Local Kernel Time (requires iptables 1.4.12 or later).<\/big><\/font><\/p>\n

weekdays=ddd[,ddd]…<\/big><\/font><\/p>\n

where ddd<\/i> is one of Mon<\/b>, Tue<\/b>, Wed<\/b>, Thu<\/b>, Fri<\/b>, Sat<\/b> or Sun<\/b><\/big><\/font><\/p>\n

monthdays=dd[,dd],…<\/big><\/font><\/p>\n

where dd<\/i> is an ordinal day of the month<\/big><\/font><\/p>\n

datestart=yyyy<\/i>[\u2212mm<\/i>[\u2212dd<\/i>[T<\/b>hh<\/i>[:mm<\/i>[:ss<\/i>]]]]]<\/big><\/font><\/p>\n

Defines the starting date and time.<\/big><\/font><\/p>\n

datestop=yyyy<\/i>[\u2212mm<\/i>[\u2212dd<\/i>[T<\/b>hh<\/i>[:mm<\/i>[:ss<\/i>]]]]]<\/big><\/font><\/p>\n

Defines the ending date and time.<\/big><\/font><\/p>\n

SWITCH \u2212 [!]<\/b>switch\u2212name<\/i>[={0|1}]<\/b><\/big><\/font><\/p>\n

Added in Shorewall 5.1.0 and allows enabling and disabling the rule without requiring shorewall reload<\/b>.<\/big><\/font><\/p>\n

The rule is enabled if the value stored in \/proc\/net\/nf_condition\/switch\u2212name<\/i> is 1. The rule is disabled if that file contains 0 (the default). If ‘!’ is supplied, the test is inverted such that the rule is enabled if the file contains 0.<\/big><\/font><\/p>\n

Within the switch\u2212name<\/i>, ‘@0’ and ‘@{0}’ are replaced by the name of the chain to which the rule is a added. The switch\u2212name<\/i> (after ‘@…’ expansion) must begin with a letter and be composed of letters, decimal digits, underscores or hyphens. Switch names must be 30 characters or less in length.<\/big><\/font><\/p>\n

Switches are normally off<\/b>. To turn a switch on<\/b>:<\/big><\/font><\/p>\n

echo 1 >
\/proc\/net\/nf_condition\/<\/b>switch\u2212name<\/i><\/big><\/font><\/p>\n

To turn it off<\/b> again:<\/big><\/font><\/p>\n

echo 0 >
\/proc\/net\/nf_condition\/<\/b>switch\u2212name<\/i><\/big><\/font><\/p>\n

Switch settings are retained over shorewall reload<\/b>.<\/big><\/font><\/p>\n

When the switch\u2212name<\/i> is followed by =0<\/b> or =1<\/b>, then the switch is initialized to off or on respectively by the start<\/b> command. Other commands do not affect the switch setting.<\/big><\/font><\/p>\n

EXAMPLE <\/a> <\/h2>\n

IPv4 Example 1:<\/big><\/font><\/p>\n

Mark all ICMP echo traffic with packet mark 1. Mark all peer to peer traffic with packet mark 4.<\/big><\/font><\/p>\n

This is a little more complex than otherwise expected. Since the ipp2p module is unable to determine all packets in a connection are P2P packets, we mark the entire connection as P2P if any of the packets are determined to match.<\/big><\/font><\/p>\n

We assume packet\/connection mark 0 means unclassified.<\/big><\/font><\/p>\n

#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
MARK(1):T 0.0.0.0\/0 0.0.0.0\/0 icmp echo\u2212request
MARK(1):T 0.0.0.0\/0 0.0.0.0\/0 icmp echo\u2212reply
RESTORE:T 0.0.0.0\/0 0.0.0.0\/0 all \u2212 \u2212 \u2212 0
CONTINUE:T 0.0.0.0\/0 0.0.0.0\/0 all \u2212 \u2212 \u2212 !0
MARK(4):T 0.0.0.0\/0 0.0.0.0\/0 ipp2p:all
SAVE:T 0.0.0.0\/0 0.0.0.0\/0 all \u2212 \u2212 \u2212 !0<\/big><\/font><\/p>\n

If a packet hasn’t been classified (packet mark is 0), copy the connection mark to the packet mark. If the packet mark is set, we’re done. If the packet is P2P, set the packet mark to 4. If the packet mark has been set, save it to the connection mark.<\/big><\/font><\/p>\n

IPv4 Example 2:<\/big><\/font><\/p>\n

SNAT outgoing connections on eth0 from 192.168.1.0\/24 in round\u2212robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9 (Shorewall 4.5.9 and later).<\/big><\/font><\/p>\n

\/etc\/shorewall\/mangle:<\/big><\/font><\/p>\n

#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
CONNMARK(1\u22123):F 192.168.1.0\/24 eth0 ; state=NEW<\/big><\/font><\/p>\n

\/etc\/shorewall\/snat:<\/big><\/font><\/p>\n

#ACTION SOURCE DEST …
SNAT(1.1.1.1) eth0:192.168.1.0\/24 \u2212 { mark=1:C }
SNAT(1.1.1.3) eth0:192.168.1.0\/24 \u2212 { mark=2:C }
SNAT(1.1.1.4) eth0:192.168.1.0\/24 \u2212 { mark=3:C }<\/big><\/font><\/p>\n

IPv6 Example 1:<\/big><\/font><\/p>\n

Mark all ICMP echo traffic with packet mark 1. Mark all peer to peer traffic with packet mark 4.<\/big><\/font><\/p>\n

This is a little more complex than otherwise expected. Since the ipp2p module is unable to determine all packets in a connection are P2P packets, we mark the entire connection as P2P if any of the packets are determined to match.<\/big><\/font><\/p>\n

We assume packet\/connection mark 0 means unclassified.<\/big><\/font><\/p>\n

#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
MARK(1):T ::\/0 ::\/0 icmp echo\u2212request
MARK(1):T ::\/0 ::\/0 icmp echo\u2212reply
RESTORE:T ::\/0 ::\/0 all \u2212 \u2212 \u2212 0
CONTINUE:T ::\/0 ::\/0 all \u2212 \u2212 \u2212 !0
MARK(4):T ::\/0 ::\/0 ipp2p:all
SAVE:T ::\/0 ::\/0 all \u2212 \u2212 \u2212 !0<\/big><\/font><\/p>\n

If a packet hasn’t been classified (packet mark is 0), copy the connection mark to the packet mark. If the packet mark is set, we’re done. If the packet is P2P, set the packet mark to 4. If the packet mark has been set, save it to the connection mark.<\/big><\/font><\/p>\n

FILES <\/a> <\/h2>\n

\/etc\/shorewall\/mangle<\/big><\/font><\/p>\n

\/etc\/shorewall6\/mangle<\/big><\/font><\/p>\n

SEE ALSO <\/a> <\/h2>\n

https:\/\/shorewall.org\/traffic_shaping.htm<\/font><\/b><\/big> [14]<\/font><\/p>\n

https:\/\/shorewall.org\/MultiISP.html<\/font><\/big><\/b> [3]<\/font><\/p>\n

https:\/\/shorewall.org\/PacketMarking.html<\/font><\/big><\/b> [15]<\/font><\/p>\n

https:\/\/shorewall.org\/configuration_file_basics.htm#Pairs<\/font><\/big><\/b> [16]<\/font><\/p>\n

shorewall(8)<\/big><\/font><\/p>\n

NOTES <\/a> <\/h2>\n\n\n
<\/td>\n\n

1.<\/big><\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-tcrules(5)<\/big><\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-tcrules.html<\/big><\/font><\/p>\n\n\n
<\/td>\n\n

2.<\/big><\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-rules<\/big><\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-rules.html<\/big><\/font><\/p>\n\n\n
<\/td>\n\n

3.<\/big><\/font><\/p>\n<\/td>\n

<\/td>\n\n

https:\/\/shorewall.org\/MultiISP.html<\/big><\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/MultiISP.html<\/big><\/font><\/p>\n\n\n
<\/td>\n\n

4.<\/big><\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall.conf(5)<\/big><\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall.conf.html<\/big><\/font><\/p>\n\n\n
<\/td>\n\n

5.<\/big><\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-actions(5)<\/big><\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-actions.html<\/big><\/font><\/p>\n\n\n
<\/td>\n\n

6.<\/big><\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-tcdevices<\/big><\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-tcdevices.html<\/big><\/font><\/p>\n\n\n
<\/td>\n\n

7.<\/big><\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-tcclasses<\/big><\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-tcclasses.html<\/big><\/font><\/p>\n\n\n
<\/td>\n\n

8.<\/big><\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-providers(5)<\/big><\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-providers.html<\/big><\/font><\/p>\n\n\n
<\/td>\n\n

9.<\/big><\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-ecn(5)<\/big><\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-ecn.html<\/big><\/font><\/p>\n\n\n
<\/td>\n\n

10.<\/big><\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-actions<\/big><\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-actions.html<\/big><\/font><\/p>\n\n\n
<\/td>\n\n

11.<\/big><\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-interfaces<\/big><\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-interfaces.html<\/big><\/font><\/p>\n\n\n
<\/td>\n\n

12.<\/big><\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-exclusion<\/big><\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-exclusion.html<\/big><\/font><\/p>\n\n\n
<\/td>\n\n

13.<\/big><\/font><\/p>\n<\/td>\n

<\/td>\n\n

https:\/\/shorewall.org\/configuration_file_basics.htm#ICMP<\/big><\/font><\/p>\n<\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/configuration_file_basics.htm#ICMP<\/big><\/font><\/p>\n\n\n
<\/td>\n\n

14.<\/big><\/font><\/p>\n<\/td>\n

<\/td>\n\n

https:\/\/shorewall.org\/traffic_shaping.htm<\/big><\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/traffic_shaping.htm<\/big><\/font><\/p>\n\n\n
<\/td>\n\n

15.<\/big><\/font><\/p>\n<\/td>\n

<\/td>\n\n

https:\/\/shorewall.org\/PacketMarking.html<\/big><\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/PacketMarking.html<\/big><\/font><\/p>\n\n\n
<\/td>\n\n

16.<\/big><\/font><\/p>\n<\/td>\n

<\/td>\n\n

https:\/\/shorewall.org\/configuration_file_basics.htm#Pairs<\/big><\/font><\/p>\n<\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/configuration_file_basics.htm#Pairs<\/big><\/font><\/p>\n

\n","protected":false},"excerpt":{"rendered":"

mangle \u2212 Shorewall Packet marking\/mangling rules file <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[959],"tags":[961,1291,1556],"class_list":["post-4610","post","type-post","status-publish","format-standard","hentry","category-5-formatos-de-ficheros","tag-961","tag-man5","tag-shorewall-mangle"],"gutentor_comment":0,"_links":{"self":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/4610","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/comments?post=4610"}],"version-history":[{"count":0,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/4610\/revisions"}],"wp:attachment":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/media?parent=4610"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/categories?post=4610"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/tags?post=4610"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}