shorewall-tcfilters (5)
Manual: Configuration Files    Date: 03/16/2017
NAME
tcfilters - Shorewall u32/basic classifier rules file
SYNOPSIS
/etc/shorewall/tcfilters
DESCRIPTION
Beginning with Shorewall 4.4.15, the file may contain entries for both IPv4 and IPv6. By default, all rules apply to IPv4, but that can be changed by inserting a line as follows:
IPV4
    Following entries apply to IPv4.
IPV6
    Following entries apply to IPv6.
ALL
    Following entries apply to both IPv4 and IPv6. Each entry is processed twice: once for IPv4 and once for IPv6.
The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax).
CLASS - interface:class
    The name or number of an interface defined in shorewall-tcdevices(5)[1] followed by a class number defined for that interface in shorewall-tcclasses(5)[2].
SOURCE - {-|address|+ipset}
    Source of the packet. May be a host or network address. DNS names are not allowed. Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+') may be used if your kernel and ip6tables have the Basic Ematch capability and you set BASIC_FILTERS=Yes in shorewall.conf(5)[3]. The ipset name may optionally be followed by a number or a comma-separated list of src and/or dst enclosed in square brackets ([...]). See shorewall-ipsets(5)[4] for details.
DEST - {-|address|+ipset}
    Destination of the packet. May be a host or network address. DNS names are not allowed. Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+') may be used if your kernel and ip6tables have the Basic Ematch capability and you set BASIC_FILTERS=Yes in shorewall.conf(5)[3]. The ipset name may optionally be followed by a number or a comma-separated list of src and/or dst enclosed in square brackets ([...]). See shorewall-ipsets(5)[4] for details.
    You may exclude certain hosts from the set already defined through use of an exclusion (see shorewall-exclusion(5)[5]).
PROTO - {-|{protocol-number|protocol-name|all}[,...]}
    Protocol. Beginning with Shorewall 4.5.12, this column can accept a comma-separated list of protocols.
DPORT - [-|port-name-or-number]
    Optional destination port(s). A port name (from services(5)) or a port number; if the protocol is icmp, this column is interpreted as the destination icmp-type(s). This column was previously labelled DEST PORT(S).
SPORT - [-|port-name-or-number]
    Optional source port. This column was previously labelled SOURCE PORT(S).
TOS (Optional) - [-|tos]
    Specifies the value of the TOS field. The tos value can be any of the following:
        * tos-minimize-delay
        * tos-maximize-throughput
        * tos-maximize-reliability
        * tos-minimize-cost
        * tos-normal-service
        * hex-number
        * hex-number/hex-number
    The hex-numbers must be exactly two digits (e.g., 0x04).
LENGTH - [-|number]
    Optional. Must be a power of 2 between 32 and 8192 inclusive. Packets with a total length that is strictly less than the specified number will match the rule.
PRIORITY - [-|priority]
    Added in Shorewall 4.5.8. Specifies the rule priority. The priority value must be > 0 and <= 65535.
    When a priority is not given:
        * For Shorewall versions prior to 4.5.8 - all filters have priority 10.
        * For Shorewall 4.5.8 and later - for each device, the compiler maintains a high-water priority with an initial value of 0. When a filter has no priority, the high-water priority is incremented by 1 and assigned to the filter. When a priority greater than the high-water priority is entered in this column, the high-water priority is set to the specified priority. An attempt to assign a priority value greater than 65535 (explicitly or implicitly) raises an error.
    The default priority values used by other Shorewall-generated filters are as follows:
        * Classify by packet mark - ( class priority << 8 ) | 20.
        * Ingress policing - 10
        * Simple TC ACK packets - 1
        * Complex TC ACK packets - ( class priority << 8 ) | 10.
        * Classify by TOS - ( class priority << 8 ) | 15.
        * Class with 'occurs' - 65535
EXAMPLE
Example 1:
    Place all 'ping' traffic on interface 1 in class 10. Note that ALL cannot be used because IPv4 ICMP and IPv6 ICMP are two different protocols.

    #CLASS  SOURCE      DEST        PROTO   DPORT
    IPV4
    1:10    0.0.0.0/0   0.0.0.0/0   icmp    echo-request
    1:10    0.0.0.0/0   0.0.0.0/0   icmp    echo-reply
    IPV6
    1:10    ::/0        ::/0        icmp6   echo-request
    1:10    ::/0        ::/0        icmp6   echo-reply

Example 2:
    Add two filters with priority 10 (Shorewall 4.5.8 or later).

    #CLASS  SOURCE      DEST        PROTO   DPORT           PRIORITY
    IPV4
    1:10    0.0.0.0/0   0.0.0.0/0   icmp    echo-request    10
    1:10    0.0.0.0/0   0.0.0.0/0   icmp    echo-reply      10

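The column rules and the 4.5.8 high-water PRIORITY algorithm described above, worked through as an added example in Python (this is not Shorewall's own compiler code; the SAMPLE input is constructed from Example 1 plus one ALL entry, with explicit '-' placeholders for unused columns):

```python
"""Added example, not Shorewall's own code: check a tcfilters file against the rules in
shorewall-tcfilters(5) and compute the priority each generated filter receives."""
import re

TOS_NAMES = {"tos-minimize-delay", "tos-maximize-throughput", "tos-maximize-reliability",
             "tos-minimize-cost", "tos-normal-service"}
HEX2 = r"0x[0-9a-fA-F]{2}"      # TOS hex numbers must be exactly two digits
COLS = ("CLASS", "SOURCE", "DEST", "PROTO", "DPORT", "SPORT", "TOS", "LENGTH", "PRIORITY")

def parse_tcfilters(text):
    """Return (family, interface, class, priority) for every filter the file produces."""
    families = ["IPV4"]      # entries apply to IPv4 until an IPV6 or ALL line says otherwise
    highwater = {}           # interface -> high-water priority (4.5.8+), initial value 0
    result = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip comments; skip blank lines
        if not line:
            continue
        if line in ("IPV4", "IPV6", "ALL"):      # section switch
            families = ["IPV4", "IPV6"] if line == "ALL" else [line]
            continue
        parts = line.split()
        f = dict(zip(COLS, parts + ["-"] * (len(COLS) - len(parts))))
        iface, _, cls = f["CLASS"].partition(":")    # CLASS is interface:class
        tos = f["TOS"]
        if tos != "-" and tos not in TOS_NAMES and not re.fullmatch(f"{HEX2}(/{HEX2})?", tos):
            raise ValueError(f"line {lineno}: invalid TOS {tos!r}")
        if f["LENGTH"] != "-":
            n = int(f["LENGTH"])                 # power of 2, 32..8192 inclusive
            if not (32 <= n <= 8192 and n & (n - 1) == 0):
                raise ValueError(f"line {lineno}: LENGTH {n} is not a power of 2 in 32..8192")
        for fam in families:                     # an ALL entry is processed twice
            hw = highwater.get(iface, 0)
            prio = hw + 1 if f["PRIORITY"] == "-" else int(f["PRIORITY"])
            if not 0 < prio <= 65535:            # explicit or implicit overflow is an error
                raise ValueError(f"line {lineno}: priority {prio} outside 1..65535")
            highwater[iface] = max(hw, prio)
            result.append((fam, iface, cls, prio))
    return result

# Constructed sample: the man page's Example 1 followed by an ALL entry with TOS and LENGTH
SAMPLE = """IPV4
1:10 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1:10 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
IPV6
1:10 ::/0 ::/0 icmp6 echo-request
1:10 ::/0 ::/0 icmp6 echo-reply
ALL
1:20 - - tcp 22 - 0x10 64"""
```

Running parse_tcfilters(SAMPLE) shows the implicit priorities 1..4 for Example 1 and 5 and 6 for the two filters the single ALL entry expands into, since the high-water value is tracked per interface.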
FILES
/etc/shorewall/tcfilters
SEE ALSO
www.shorewall.net/traffic_shaping.htm[6]
www.shorewall.net/MultiISP.html[7]
www.shorewall.net/PacketMarking.html[8]
www.shorewall.net/configuration_file_basics.htm#Pairs[9]
shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5), shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
NOTES
 1. shorewall-tcdevices(5)
 2. shorewall-tcclasses(5)
 3. shorewall.conf(5)
 4. shorewall-ipsets(5)
 5. shorewall-exclusion(5)
 6. www.shorewall.net/traffic_shaping.htm
 7. www.shorewall.net/MultiISP.html
 8. www.shorewall.net/PacketMarking.html
 9. www.shorewall.net/configuration_file_basics.htm#Pairs