shorewall-mangle(5)

NAME

   mangle - Shorewall Packet marking/mangling rules file

SYNOPSIS

   /etc/shorewall/mangle

DESCRIPTION

   This file was introduced in Shorewall 4.6.0 and is intended to replace
   shorewall-tcrules(5)[1]. This file is only processed by the compiler
   if:

    1. No file named 'tcrules' exists on the current CONFIG_PATH (see
       shorewall.conf(5)[2]); or

    2. The first file named 'tcrules' found on the CONFIG_PATH contains no
       non-commentary entries.

   Entries in this file cause packets to be marked as a means of
   classifying them for traffic control or policy routing.

       Important
       Unlike rules in the shorewall-rules[3](5) file, evaluation of rules
       in this file will continue after a match. So the final mark for
       each packet will be the one assigned by the LAST tcrule that
       matches.

       If you use multiple internet providers with the 'track' option, in
       /etc/shorewall/providers be sure to read the restrictions at
       http://www.shorewall.net/MultiISP.html[4].

   The columns in the file are as follows (where the column name is
   followed by a different name in parentheses, the different name is used
   in the alternate specification syntax).

   ACTION - command[(parameters)][:chain-designator]
       The chain-designator indicates the Netfilter chain that the entry
       applies to and may be one of the following:

       P
           PREROUTING chain.

       F
           FORWARD chain.

       T
           POSTROUTING chain.

       I
           INPUT chain.

       Unless otherwise specified for the particular command, the default
       chain is PREROUTING when MARK_IN_FORWARD_CHAIN=No in
       shorewall.conf(5)[2], and FORWARD when MARK_IN_FORWARD_CHAIN=Yes.

       A chain-designator may not be specified if the SOURCE or DEST
       columns begin with '$FW'. When the SOURCE is $FW, the generated
       rule is always placed in the OUTPUT chain. If DEST is '$FW', then
       the rule is placed in the INPUT chain. Additionally, a
       chain-designator may not be specified in an action body unless the
       action is declared as inline in shorewall-actions[5](5).

       Where a command takes parameters, those parameters are enclosed in
       parentheses ("(....)") and separated by commas.

       The command may be one of the following.

       action[([param[,...])]
           Added in Shorewall 5.0.7.  action must be an action declared
           with the mangle option in shorewall-actions(5)[6]. If the
           action accepts parameters, they are specified as a
           comma-separated list within parentheses following the action
           name.

       ADD(ipset:flags)
           Added in Shorewall 4.6.7. Causes addresses and/or port numbers
           to be added to the named ipset. The flags specify the address
           or tuple to be added to the set and must match the type of
           ipset involved. For example, for an iphash ipset, either the
           SOURCE or DESTINATION address can be added using flagssrc or
           dst respectively (see the -A command in ipset (8)).

           ADD is non-terminating. Even if a packet matches the rule, it
           is passed on to the next rule.

       CHECKSUM
           Compute and fill in the checksum in a packet that lacks a
           checksum. This is particularly useful if you need to work
           around old applications, such as dhcp clients, that do not work
           well with checksum offloads, but you don't want to disable
           checksum offload in your device.

           Requires 'Checksum Target' support in your kernel and iptables.

       CLASSIFY(classid)
           A classification Id (classid) is of the form major:minor where
           major and minor are integers. Corresponds to the 'class'
           specification in these traffic shaping modules:

                      atm
                      cbq
                      dsmark
                      pfifo_fast
                      htb
                      prio

           Classification occurs in the POSTROUTING chain except when the
           SOURCE is $FW[:address] in which case classification occurs in
           the OUTPUT chain.

           When using Shorewall's built-in traffic shaping tool, the major
           class is the device number (the first device in
           shorewall-tcdevices[7](5) is major class 1, the second device
           is major class 2, and so on) and the minor class is the class's
           MARK value in shorewall-tcclasses[8](5) preceded by the number
           1 (MARK 1 corresponds to minor class 11, MARK 5 corresponds to
           minor class 15, MARK 22 corresponds to minor class 122, etc.).

       ?COMMENT
           The rest of the line will be attached as a comment to the
           Netfilter rule(s) generated by the following entries. The
           comment will appear delimited by "/* ... */" in the output of
           shorewall show mangle

           To stop the comment from being attached to further rules,
           simply include ?COMMENT on a line by itself.

       CONMARK({mark|range})
           Identical to MARK with the exception that the mark is assigned
           to connection to which the packet belongs is marked rather than
           to the packet itself.

       CONTINUE
           Don't process any more marking rules in the table.

           Currently, CONTINUE may not be used with exclusion (see the
           SOURCE and DEST columns below); that restriction will be
           removed when iptables/Netfilter provides the necessary support.

       DEL(ipset:flags)
           Added in Shorewall 4.6.7. Causes an entry to be deleted from
           the named ipset. The flags specify the address or tuple to be
           deleted from the set and must match the type of ipset involved.
           For example, for an iphash ipset, either the SOURCE or
           DESTINATION address can be deleted using flagssrc or dst
           respectively (see the -D command in ipset (8)).

           DEL is non-terminating. Even if a packet matches the rule, it
           is passed on to the next rule.

       DIVERT
           Two DIVERT rule should precede the TPROXY rule and should
           select DEST PORT tcp 80 and SOURCE PORT tcp 80 respectively
           (assuming that tcp port 80 is being proxied). DIVERT avoids
           sending packets to the TPROXY target once a socket connection
           to Squid3 has been established by TPROXY. DIVERT marks the
           packet with a unique mark and exempts it from any rules that
           follow.

       DIVERTHA
           Added in Shorewall 5.0.4. To setup the HAProxy configuration
           described at
           http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x,
           place this entry in shorewall-providers(5)[9]:

               #NAME    NUMBER   MARK    DUPLICATE  INTERFACE GATEWAY         OPTIONS               COPY
               TProxy   1        -       -          lo        -               tproxy

           and use this DIVERTHA entry:

               #ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST    LENGTH  TOS   CONNBYTES         HELPER    PROBABILITY DSCP
               DIVERTHA        -               -               tcp

       DROP
           Causes matching packets to be discarded.

       DSCP(dscp)
           Sets the Differentiated Services Code Point field in the IP
           header. The dscp value may be given as an even number (hex or
           decimal) or as the name of a DSCP class. Valid class names and
           their associated hex numeric values are:

                   CS0  => 0x00
                   CS1  => 0x08
                   CS2  => 0x10
                   CS3  => 0x18
                   CS4  => 0x20
                   CS5  => 0x28
                   CS6  => 0x30
                   CS7  => 0x38
                   BE   => 0x00
                   AF11 => 0x0a
                   AF12 => 0x0c
                   AF13 => 0x0e
                   AF21 => 0x12
                   AF22 => 0x14
                   AF23 => 0x16
                   AF31 => 0x1a
                   AF32 => 0x1c
                   AF33 => 0x1e
                   AF41 => 0x22
                   AF42 => 0x24
                   AF43 => 0x26
                   EF   => 0x2e

           To indicate more than one class, add their hex values together
           and specify the result. By default, DSCP rules are placed in
           the POSTROUTING chain.

       ECN
           Added in Shorewall 5.0.6 as an alternative to entries in
           shorewall-ecn(5)[10]. If a PROTO is specified, it must be 'tcp'
           (6). If no PROTO is supplied, TCP is assumed. This action
           causes all ECN bits in the TCP header to be cleared.

       IMQ(number)
           Specifies that the packet should be passed to the IMQ
           identified by number. Requires IMQ Target support in your
           kernel and iptables.

       INLINE[(action)]
           Allows you to place your own ip[6]tables matches at the end of
           the line following a semicolon (";"). If an action is
           specified, the compiler proceeds as if that action had been
           specified in this column. If no action is specified, then you
           may include your own jump ("-j target [option] ...") after any
           matches specified at the end of the rule. If the target is not
           one known to Shorewall, then it must be defined as a builtin
           action in shorewall-actions[11] (5).

           The following rules are equivalent:

               2:P                   eth0              -         tcp 22
               INLINE(MARK(2)):P     eth0              -         tcp 22
               INLINE(MARK(2)):P     eth0              -                 ; -p tcp
               INLINE                eth0              -         tcp 22  ; -j MARK --set-mark 2
               INLINE                eth0              -                 ; -p tcp -j MARK --set-mark 2

           If INLINE_MATCHES=Yes in shorewall6.conf(5)[2] then the third
           rule above can be specified as follows:

               MARK(2):P             eth0              -                 ; -p tcp

           Beginning with Shorewall 5.0.0, the rule may also be written
           this way, irrespective of the setting of INLINE_MATCHES:

               MARK(2):P             eth0              -                 ;; -p tcp

       IPMARK
           Assigns a mark to each matching packet based on the either the
           source or destination IP address. By default, it assigns a mark
           value equal to the low-order 8 bits of the source address.
           Default values are:
               src
               mask1 = 0xFF
               mask2 = 0x00
               shift = 0
           'src' and 'dst' specify whether the mark is to be based on the
           source or destination address respectively. The selected
           address is first shifted to the right by shift bits. The result
           is then LANDed with mask1 then LORed with mask2.

           In a sense, the IPMARK target is more like an IPCLASSIFY target
           in that the mark value is later interpreted as a class ID. A
           packet mark is 32 bits wide; so is a class ID. The <major>
           class occupies the high-order 16 bits and the <minor> class
           occupies the low-order 16 bits. So the class ID 1:4ff (remember
           that class IDs are always in hex) is equivalent to a mark value
           of 0x104ff. Remember that Shorewall uses the interface number
           as the <major> number where the first interface in tcdevices
           has <major> number 1, the second has <major> number 2, and so
           on.

           The IPMARK target assigns a mark to each matching packet based
           on the either the source or destination IP address. By default,
           it assigns a mark value equal to the low-order 8 bits of the
           source address. The syntax is as follows:
           IPMARK[([{src|dst}][,[mask1][,[mask2][,[shift]]]])] Default
           values are:
               src
               mask1 = 0xFF
               mask2 = 0x00
               shift = 0
           src and dst specify whether the mark is to be based on the
           source or destination address respectively. The selected
           address is first shifted right by shift, then LANDed with mask1
           and then LORed with mask2. The shift argument is intended to be
           used primarily with IPv6 addresses.

           Example: IPMARK(src,0xff,0x10100)
               Suppose that the source IP address is 192.168.4.3
                                   = 0xc0a80403; then
               0xc0a80403 >> 0 = 0xc0a80403
               0xc0a80403 LAND 0xFF = 0x03
               0x03 LOR 0x10100 = 0x10103 or class ID
                                   1:103
           It is important to realize that, while class IDs are composed
           of a major and a minor value, the set of values must be unique.
           That is, the same numeric value cannot be used as both a major
           and a minor number for the same interface unless class nesting
           occurs (which is not currently possible with Shorewall). You
           should keep this in mind when deciding how to map IP addresses
           to class IDs.

           For example, suppose that your internal network is
           192.168.1.0/29 (host IP addresses 192.168.1.1 - 192.168.1.6).
           Your first notion might be to use IPMARK(src,0xFF,0x10000) so
           as to produce class IDs 1:1 through 1:6. But 1:1 is an invalid
           class ID since the major and minor classes are equal. So you
           might choose instead to use IPMARK(src,0xFF,0x10100) as in the
           example above so that all of your minor classes will have a
           value > 256.

       IPTABLES({target [option ...])
           This action allows you to specify an iptables target with
           options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If the
           target is not one recognized by Shorewall, the following error
           message will be issued:
               ERROR: Unknown target
                                 (target)
           This error message may be eliminated by adding the target as a
           builtin action in shorewall-actions(5)[11].

       MARK({mark|range})
           where mark is a packet mark value.

           Normally will set the mark value. If preceded by a vertical bar
           ("|"), the mark value will be logically ORed with the current
           mark value to produce a new mark value. If preceded by an
           ampersand ("&"), will be logically ANDed with the current mark
           value to produce a new mark value.

           Both "|" and "&" require Extended MARK Target support in your
           kernel and iptables.

           The mark value may be optionally followed by "/" and a mask
           value (used to determine those bits of the connection mark to
           actually be set). When a mask is specified, the result of
           logically ANDing the mark value with the mask must be the same
           as the mark value.

           A mark range is a pair of integers separated by a dash ("-").

           May be optionally followed by a slash ("/") and a mask and
           requires the Statistics Match capability in iptables and
           kernel. Marks in the specified range are assigned to packets on
           a round-robin fashion.

           When a mask is specified, the result of logically ANDing each
           mark value with the mask must be the same as the mark value.
           The least significant bit in the mask is used as an increment.
           For example, if '0x200-0x400/0xff00' is specified, then the
           assigned mark values are 0x200, 0x300 and 0x400 in equal
           proportions. If no mask is specified, then ( 2 ** MASK_BITS ) -
           1 is assumed (MASK_BITS is set in shorewall.conf[2](5)).

       NFLOG[(nflog-parameters)]
           Added in Shorewall 5.0.9. Logs matching packets using NFLOG.
           The nflog-parameters are a comma-separated list of up to 3
           numbers:

           ·   The first number specifies the netlink group (0-65535). If
               omitted (e.g., NFLOG(,0,10)) then a value of 0 is assumed.

           ·   The second number specifies the maximum number of bytes to
               copy. If omitted, 0 (no limit) is assumed.

           ·   The third number specifies the number of log messages that
               should be buffered in the kernel before they are sent to
               user space. The default is 1.

       RESTORE[(mask)]
           Restore the packet's mark from the connection's mark using the
           supplied mask if any. Your kernel and iptables must include
           CONNMARK support.

       SAME[(timeout)]
           Some websites run applications that require multiple
           connections from a client browser. Where multiple 'balanced'
           providers are configured, this can lead to problems when some
           of the connections are routed through one provider and some
           through another. The SAME target allows you to work around that
           problem. SAME may be used in the PREROUTING and OUTPUT chains.
           When used in PREROUTING, it causes matching connections from an
           individual local system to all use the same provider. For
           example:

               #ACTION           SOURCE         DEST         PROTO      DPORT
               SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443

           If a host in 192.168.1.0/24 attempts a connection on TCP port
           80 or 443 and it has sent a packet on either of those ports in
           the last five minutes then the new connection will use the same
           provider as the connection over which that last packet was
           sent.

           When used in the OUTPUT chain, it causes all matching
           connections to an individual remote system to all use the same
           provider. For example:

               #ACTION           SOURCE         DEST         PROTO      DPORT
               SAME              $FW            0.0.0.0/0    tcp        80,443

           The optional timeout parameter was added in Shorewall 4.6.7 and
           specifies a number of seconds . When not specified, a value of
           300 seconds (5 minutes) is assumed. If the firewall attempts a
           connection on TCP port 80 or 443 and it has sent a packet on
           either of those ports in the last timeout seconds to the same
           remote system then the new connection will use the same
           provider as the connection over which that last packet was
           sent.

       SAVE[(mask)]
           Save the packet's mark to the connection's mark using the
           supplied mask if any. Your kernel and iptables must include
           CONNMARK support.

       TOS(tos[/mask])
           Sets the Type of Service field in the IP header. The tos value
           may be given as an number (hex or decimal) or as the name of a
           TOS type. Valid type names and their associated hex numeric
           values are:

               Minimize-Delay       => 0x10,
               Maximize-Throughput  => 0x08,
               Maximize-Reliability => 0x04,
               Minimize-Cost        => 0x02,
               Normal-Service       => 0x00

           To indicate more than one class, add their hex values together
           and specify the result.

           When tos is given as a number, it may be optionally followed by
           '/' and a mask. When no mask is given, the value 0xff is
           assumed. When tos is given as a type name, the mask 0x3f is
           assumed.

           The action performed is to zero out the bits specified by the
           mask, then set the bits specified by tos.

       TPROXY([port][,address])
           Transparently redirects a packet without altering the IP
           header. Requires a tproxy provider to be defined in
           shorewall-providers[12](5).

           There are three parameters to TPROXY - neither is required:

           ·   port - the port on which the proxy server is listening. If
               omitted, the original destination port.

           ·   address - a local (to the firewall) IP address on which the
               proxy server is listening. If omitted, the IP address of
               the interface on which the request arrives.

       TTL([-|+]number)
           If + is included, packets matching the rule will have their TTL
           incremented by number. Similarly, if - is included, matching
           packets have their TTL decremented by number. If neither + nor
           - is given, the TTL of matching packets is set to number. The
           valid range of values for number is 1-255.

   SOURCE -
   {-|{interface|$FW}|[{interface|$FW}:]address-or-range[,address-or-range]...}[exclusion]
       May be:

        1. An interface name - matches traffic entering the firewall on
           the specified interface. May not be used in classify rules or
           in rules using the :T chain qualifier.

        2. A comma-separated list of host or network IP addresses or MAC
           addresses.  This form will not match traffic that originates on
           the firewall itself unless either <major><minor> or the :T
           chain qualifier is used in the ACTION column.

           Examples:.RS 4 0.0.0.0/0

           192.168.1.0/24, 172.20.4.0/24

    3. An interface name followed by a colon (":") followed by a
       comma-separated list of host or network IP addresses or MAC
       addresses. May not be used in classify rules or in rules using the
       :T chain qualifier.

    4. $FW optionally followed by a colon (":") and a comma-separated list
       of host or network IP addresses. Matches packets originating on the
       firewall. May not be used with a chain qualifier (:P, :F, etc.) in
       the ACTION column.

   MAC addresses must be prefixed with "~" and use "-" as a separator.

   Example: ~00-A0-C9-15-39-78

   You may exclude certain hosts from the set already defined through use
   of an exclusion (see shorewall-exclusion[13](5)).

   DEST -
   {-|{interface|$FW}|[{interface|$FW}:]address-or-range[,address-or-range]...}[exclusion]
       May be:

        1. An interface name. May not be used in the PREROUTING chain (:P
           in the mark column or no chain qualifier and
           MARK_IN_FORWARD_CHAIN=No in shorewall.conf[14] (5)). The
           interface name may be optionally followed by a colon (":") and
           an IP address list.

        2. A comma-separated list of host or network IP addresses. The
           list may include ip address ranges if your kernel and iptables
           include iprange support.

        3. Beginning with Shorewall 4.4.13, $FW may be specified by itself
           or qualified by an address list. This causes marking to occur
           in the INPUT chain.

       You may exclude certain hosts from the set already defined through
       use of an exclusion (see shorewall-exclusion[13](5)).

   PROTO -
   {-|{tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}[,...]}
       Protocol - ipp2p requires ipp2p match support in your kernel and
       iptables.

       Beginning with Shorewall 4.5.12, this column can accept a
       comma-separated list of protocols.

   DPORT-
   {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset}
       Optional destination Ports. A comma-separated list of Port names
       (from services(5)), port numbers or port ranges; if the protocol is
       icmp, this column is interpreted as the destination icmp-type(s).
       ICMP types may be specified as a numeric type, a numeric type and
       code separated by a slash (e.g., 3/4), or a typename. See
       http://www.shorewall.net/configuration_file_basics.htm#ICMP[15].

       If the protocol is ipp2p, this column is interpreted as an ipp2p
       option without the leading "--" (example bit for bit-torrent). If
       no PORT is given, ipp2p is assumed.

       An entry in this field requires that the PROTO column specify icmp
       (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any
       of the following field is supplied.

       Beginning with Shorewall 4.6.0, an ipset name can be specified in
       this column. This is intended to be used with bitmap:port ipsets.

       This column was formerly named DEST PORT(S).

   SPORT -
   {-|port-name-number-or-range[,port-name-number-or-range]...|+ipset}
       Optional source port(s). If omitted, any source port is acceptable.
       Specified as a comma-separated list of port names, port numbers or
       port ranges.

       An entry in this field requires that the PROTO column specify tcp
       (6), udp (17), sctp (132) or udplite (136). Use '-' if any of the
       following fields is supplied.

       Beginning with Shorewall 4.5.15, you may place '=' in this column,
       provided that the DPORT column is non-empty. This causes the rule
       to match when either the source port or the destination port in a
       packet matches one of the ports specified in DEST PORTS(S). Use of
       '=' requires multi-port match in your iptables and kernel.

       Beginning with Shorewall 4.6.0, an ipset name can be specified in
       this column. This is intended to be used with bitmap:port ipsets.

       This column was formerly labelled SOURCE PORT(S).

   USER - [!][user-name-or-number][:group-name-or-number][+program-name]
       This optional column may only be non-empty if the SOURCE is the
       firewall itself.

       When this column is non-empty, the rule applies only if the program
       generating the output is running under the effective user and/or
       group specified (or is NOT running under that id if "!" is given).

       Examples:

       joe
           program must be run by joe

       :kids
           program must be run by a member of the 'kids' group

       !:kids
           program must not be run by a member of the 'kids' group

       +upnpd
           #program named upnpd

               Important
               The ability to specify a program name was removed from
               Netfilter in kernel version 2.6.14.

   TEST - [!]value[/mask][:C]
       Optional - Defines a test on the existing packet or connection
       mark. The rule will match only if the test returns true.

       If you don't want to define a test but need to specify anything in
       the following columns, place a "-" in this field.

       !
           Inverts the test (not equal)

       value
           Value of the packet or connection mark.

       mask
           A mask to be applied to the mark before testing.

       :C
           Designates a connection mark. If omitted, the packet mark's
           value is tested.

   LENGTH - [length|[min]:[max]]
       Optional - packet payload length. This field, if present allow you
       to match the length of a packet payload (Layer 4 data ) against a
       specific value or range of values. You must have iptables length
       support for this to work. A range is specified in the form min:max
       where either min or max (but not both) may be omitted. If min is
       omitted, then 0 is assumed; if max is omitted, than any packet that
       is min or longer will match.

   TOS - tos
       Type of service. Either a standard name, or a numeric value to
       match.

                    Minimize-Delay (16)
                    Maximize-Throughput (8)
                    Maximize-Reliability (4)
                    Minimize-Cost (2)
                    Normal-Service (0)

   CONNBYTES - [!]min:[max[:{O|R|B}[:{B|P|A}]]]
       Optional connection Bytes; defines a byte or packet range that the
       connection must fall within in order for the rule to match.

       A packet matches if the the packet/byte count is within the range
       defined by min and max (unless ! is given in which case, a packet
       matches if the packet/byte count is not within the range).  min is
       an integer which defines the beginning of the byte/packet range.
       max is an integer which defines the end of the byte/packet range;
       if omitted, only the beginning of the range is checked. The first
       letter gives the direction which the range refers to:O - The
       original direction of the connection. .sp - The opposite direction
       from the original connection. .sp B - The total of both directions.

       If omitted, B is assumed.

       The second letter determines what the range refers to.B - Bytes .sp
       P - Packets .sp A - Average packet size.If omitted, B is assumed.

   HELPER - helper
       Names a Netfilter protocol helper module such as ftp, sip, amanda,
       etc. A packet will match if it was accepted by the named helper
       module.

       Example: Mark all FTP data connections with mark 4:

           #ACTION   SOURCE    DEST      PROTO   DPORT      SPORT   USER TEST LENGTH TOS CONNBYTES HELPER
           4:T       0.0.0.0/0 0.0.0.0/0 TCP     -          -       -    -    -      -   -         ftp

   PROBABILITY - [probability]
       Added in Shorewall 4.5.0. When non-empty, requires the Statistics
       Match capability in your kernel and ip6tables and causes the rule
       to match randomly but with the given probability. The probability
       is a number 0 < probability <= 1 and may be expressed at up to 8
       decimal points of precision.

   DSCP - [[!]dscp]
       Added in Shorewall 4.5.1. When non-empty, match packets whose
       Differentiated Service Code Point field matches the supplied value
       (when '!' is given, the rule matches packets whose DSCP field does
       not match the supplied value). The dscp value may be given as an
       even number (hex or decimal) or as the name of a DSCP class. Valid
       class names and their associated hex numeric values are:

               CS0  => 0x00
               CS1  => 0x08
               CS2  => 0x10
               CS3  => 0x18
               CS4  => 0x20
               CS5  => 0x28
               CS6  => 0x30
               CS7  => 0x38
               BE   => 0x00
               AF11 => 0x0a
               AF12 => 0x0c
               AF13 => 0x0e
               AF21 => 0x12
               AF22 => 0x14
               AF23 => 0x16
               AF31 => 0x1a
               AF32 => 0x1c
               AF33 => 0x1e
               AF41 => 0x22
               AF42 => 0x24
               AF43 => 0x26
               EF   => 0x2e

   STATE -- {NEW|RELATED|ESTABLISHED|INVALID} [,...]
       The rule will only match if the packet's connection is in one of
       the listed states.

   TIME - timeelement[&timeelement...]
       Added in Shorewall 4.6.2.

       May be used to limit the rule to a particular time period each day,
       to particular days of the week or month, or to a range defined by
       dates and times. Requires time match support in your kernel and
       ip6tables.

       timeelement may be:

       timestart=hh:mm[:ss]
           Defines the starting time of day.

       timestop=hh:mm[:ss]
           Defines the ending time of day.

       contiguous
           Added in Shoreawll 5.0.12. When timestop is smaller than
           timestart value, match this as a single time period instead of
           distinct intervals.

       utc
           Times are expressed in Greenwich Mean Time.

       localtz
           Deprecated by the Netfilter team in favor of kerneltz. Times
           are expressed in Local Civil Time (default).

       kerneltz
           Added in Shorewall 4.5.2. Times are expressed in Local Kernel
           Time (requires iptables 1.4.12 or later).

       weekdays=ddd[,ddd]...
           where ddd is one of Mon, Tue, Wed, Thu, Fri, Sat or Sun

       monthdays=dd[,dd],...
           where dd is an ordinal day of the month

       datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
           Defines the starting date and time.

       datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
           Defines the ending date and time.

EXAMPLE

   Example 1:
       Mark all ICMP echo traffic with packet mark 1. Mark all peer to
       peer traffic with packet mark 4.

       This is a little more complex than otherwise expected. Since the
       ipp2p module is unable to determine all packets in a connection are
       P2P packets, we mark the entire connection as P2P if any of the
       packets are determined to match.

       We assume packet/connection mark 0 means unclassified.

                  #ACTION    SOURCE    DEST         PROTO   DPORT         SPORT   USER    TEST
                  MARK(1):T  0.0.0.0/0 0.0.0.0/0    icmp    echo-request
                  MARK(1):T  0.0.0.0/0 0.0.0.0/0    icmp    echo-reply
                  RESTORE:T  0.0.0.0/0 0.0.0.0/0    all     -             -       -       0
                  CONTINUE:T 0.0.0.0/0 0.0.0.0/0    all     -             -       -       !0
                  MARK(4):T  0.0.0.0/0 0.0.0.0/0   ipp2p:all
                  SAVE:T     0.0.0.0/0 0.0.0.0/0   all     -             -       -       !0

       If a packet hasn't been classified (packet mark is 0), copy the
       connection mark to the packet mark. If the packet mark is set,
       we're done. If the packet is P2P, set the packet mark to 4. If the
       packet mark has been set, save it to the connection mark.

   Example 2:
       SNAT outgoing connections on eth0 from 192.168.1.0/24 in
       round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
       (Shorewall 4.5.9 and later).

           /etc/shorewall/mangle:

                  #ACTION            SOURCE         DEST         PROTO   DPORT         SPORT   USER    TEST
                  CONNMARK(1-3):F    192.168.1.0/24 eth0 ; state=NEW

           /etc/shorewall/masq:

                  #INTERFACE SOURCE         ADDRESS     ...
                  eth0       192.168.1.0/24 1.1.1.1 ; mark=1:C
                  eth0       192.168.1.0/24 1.1.1.3 ; mark=2:C
                  eth0       192.168.1.0/24 1.1.1.4 ; mark=3:C

FILES

   /etc/shorewall/mangle

SEE ALSO

   http://www.shorewall.net/traffic_shaping.htm[16]

   http://www.shorewall.net/MultiISP.html[4]

   http://www.shorewall.net/PacketMarking.html[17]

   http://www.shorewall.net/configuration_file_basics.htm#Pairs[18]

   shorewall(8), shorewall-accounting(5), shorewall-actions(5),
   shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
   shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
   shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
   shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
   shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
   shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
   shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
   shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)

NOTES

    1. shorewall-tcrules(5)
       http://www.shorewall.net/manpages/shorewall-tcrules.html

    2. shorewall.conf(5)
       http://www.shorewall.net/manpages/shorewall.conf.html

    3. shorewall-rules
       http://www.shorewall.net/manpages/shorewall-rules.html

    4. http://www.shorewall.net/MultiISP.html
       http://www.shorewall.net/MultiISP.html

    5. shorewall-actions
       http://www.shorewall.netshorewall6-actions.html

    6. shorewall-actions(5)
       http://www.shorewall.netmanpages/shorewall-actions.html

    7. shorewall-tcdevices
       http://www.shorewall.net/manpages/shorewall-tcdevices.html

    8. shorewall-tcclasses
       http://www.shorewall.net/manpages/shorewall-tcclasses.html

    9. shorewall-providers(5)
       http://www.shorewall.netmanpages/shorewall-providers.html

   10. shorewall-ecn(5)
       http://www.shorewall.netshorewall-ecn.html

   11. shorewall-actions
       http://www.shorewall.net/manpages/shorewall-actions.html

   12. shorewall-providers
       http://www.shorewall.net/manpages/shorewall-providers.html

   13. shorewall-exclusion
       http://www.shorewall.net/manpages/shorewall-exclusion.html

   14. shorewall.conf
       http://www.shorewall.netmanpages/shorewall.conf

   15. http://www.shorewall.net/configuration_file_basics.htm#ICMP
       http://www.shorewall.net/configuration_file_basics.htm#ICMP

   16. http://www.shorewall.net/traffic_shaping.htm
       http://www.shorewall.net/traffic_shaping.htm

   17. http://www.shorewall.net/PacketMarking.html
       http://www.shorewall.net/PacketMarking.html

   18. http://www.shorewall.net/configuration_file_basics.htm#Pairs
       http://www.shorewall.net/configuration_file_basics.htm#Pairs



Opportunity


Personal Opportunity - Free software gives you access to billions of dollars of software at no cost. Use this software for your business, personal use or to develop a profitable skill. Access to source code provides access to a level of capabilities/information that companies protect though copyrights. Open source is a core component of the Internet and it is available to you. Leverage the billions of dollars in resources and capabilities to build a career, establish a business or change the world. The potential is endless for those who understand the opportunity.

Business Opportunity - Goldman Sachs, IBM and countless large corporations are leveraging open source to reduce costs, develop products and increase their bottom lines. Learn what these companies know about open source and how open source can give you the advantage.


Free Software


Free Software provides computer programs and capabilities at no cost but more importantly, it provides the freedom to run, edit, contribute to, and share the software. The importance of free software is a matter of access, not price. Software at no cost is a benefit but ownership rights to the software and source code is far more significant.

Free Office Software - The Libre Office suite provides top desktop productivity tools for free. This includes, a word processor, spreadsheet, presentation engine, drawing and flowcharting, database and math applications. Libre Office is available for Linux or Windows.


Free Books


The Free Books Library is a collection of thousands of the most popular public domain books in an online readable format. The collection includes great classical literature and more recent works where the U.S. copyright has expired. These books are yours to read and use without restrictions.

Source Code - Want to change a program or know how it works? Open Source provides the source code for its programs so that anyone can use, modify or learn how to write those programs themselves. Visit the GNU source code repositories to download the source.


Education


Study at Harvard, Stanford or MIT - Open edX provides free online courses from Harvard, MIT, Columbia, UC Berkeley and other top Universities. Hundreds of courses for almost all major subjects and course levels. Open edx also offers some paid courses and selected certifications.

Linux Manual Pages - A man or manual page is a form of software documentation found on Linux/Unix operating systems. Topics covered include computer programs (including library and system calls), formal standards and conventions, and even abstract concepts.