"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "manpages/shorewall-mangle.xml" between
shorewall-docs-xml-5.2.3.6.tar.bz2 and shorewall-docs-xml-5.2.6.tar.bz2

About: Shorewall (The Shoreline Firewall) is an iptables based firewall (documentation; XML)

shorewall-mangle.xml  (shorewall-docs-xml-5.2.3.6.tar.bz2):shorewall-mangle.xml  (shorewall-docs-xml-5.2.6.tar.bz2)
skipping to change at line 29 skipping to change at line 29
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall[6]/mangle</command> <command>/etc/shorewall[6]/mangle</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
<refsect1> <refsect1>
<title>Description</title> <title>Description</title>
<para>This file was introduced in Shorewall 4.6.0 and replaces <ulink <para>This file was introduced in Shorewall 4.6.0 and replaces <ulink
url="/manpages/shorewall-tcrules.html">shorewall-tcrules(5)</ulink>. This url="shorewall-tcrules.html">shorewall-tcrules(5)</ulink>. This
file is only processed by the compiler if:</para> file is only processed by the compiler if:</para>
<para>Entries in this file cause packets to be marked as a means of <para>Entries in this file cause packets to be marked as a means of
classifying them for traffic control or policy routing.</para> classifying them for traffic control or policy routing.</para>
<important> <important>
<para>Unlike rules in the <ulink <para>Unlike rules in the <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file, url="shorewall-rules.html">shorewall-rules</ulink>(5) file,
evaluation of rules in this file will continue after a match. So the evaluation of rules in this file will continue after a match. So the
final mark for each packet will be the one assigned by the LAST tcrule final mark for each packet will be the one assigned by the LAST tcrule
that matches.</para> that matches.</para>
<para>If you use multiple internet providers with the 'track' option, in <para>If you use multiple internet providers with the 'track' option, in
/etc/shorewall/providers be sure to read the restrictions at <ulink /etc/shorewall/providers be sure to read the restrictions at <ulink
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink>.</para > url="../MultiISP.html">https://shorewall.org/MultiISP.html</ulink>.</para>
</important> </important>
<para>The columns in the file are as follows (where the column name is <para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in followed by a different name in parentheses, the different name is used in
the alternate specification syntax).</para> the alternate specification syntax).</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term><emphasis role="bold">ACTION</emphasis> - <term><emphasis role="bold">ACTION</emphasis> -
<replaceable>command</replaceable>[(<replaceable>parameters</replaceable >)][:<replaceable>chain-designator</replaceable>]</term> <replaceable>command</replaceable>[(<replaceable>parameters</replaceable >)][:<replaceable>chain-designator</replaceable>]</term>
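Review bot: the paragraph that introduces the file ends with "file is only processed by the compiler if:" in both columns, but no condition follows it; the rendered manpage shows a dangling colon straight into "Entries in this file cause packets to be marked". Since this paragraph is already being edited for the link, either supply the condition or drop that sentence. Two smaller points in the same region: the important block still says "the LAST tcrule that matches" although the file this page documents is mangle, not tcrules, so "LAST entry" (or "rule") would be accurate; and the link rewrite from "/manpages/shorewall-tcrules.html" to "shorewall-tcrules.html" makes every cross-reference relative to the directory the page is served from, which is fine only while all manpage HTML lands in one directory, so confirm the doc build guarantees that before relying on it throughout the file.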
skipping to change at line 134 skipping to change at line 134
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<para>The nat table designators were added in Shorewall 5.2.1. When <para>The nat table designators were added in Shorewall 5.2.1. When
a nat table designator is given, only the CONNMARK, MARK, SAVE and a nat table designator is given, only the CONNMARK, MARK, SAVE and
RESTORE commands may be used.</para> RESTORE commands may be used.</para>
<para>Unless otherwise specified for the particular <para>Unless otherwise specified for the particular
<replaceable>command</replaceable>, the default chain is PREROUTING <replaceable>command</replaceable>, the default chain is PREROUTING
when MARK_IN_FORWARD_CHAIN=No in <ulink when MARK_IN_FORWARD_CHAIN=No in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, and url="shorewall.conf.html">shorewall.conf(5)</ulink>, and
FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para> FORWARD when MARK_IN_FORWARD_CHAIN=Yes.</para>
<para>A <replaceable>chain-designator</replaceable> may not be <para>A <replaceable>chain-designator</replaceable> may not be
specified if the SOURCE or DEST columns begin with '$FW'. When the specified if the SOURCE or DEST columns begin with '$FW'. When the
SOURCE is $FW, the generated rule is always placed in the OUTPUT SOURCE is $FW, the generated rule is always placed in the OUTPUT
chain. If DEST is '$FW', then the rule is placed in the INPUT chain. chain. If DEST is '$FW', then the rule is placed in the INPUT chain.
Additionally, a <replaceable>chain-designator</replaceable> may not Additionally, a <replaceable>chain-designator</replaceable> may not
be specified in an action body.</para> be specified in an action body.</para>
<para>Where a command takes parameters, those parameters are <para>Where a command takes parameters, those parameters are
skipping to change at line 229 skipping to change at line 229
prio</programlisting> prio</programlisting>
<para>Classification occurs in the POSTROUTING chain except <para>Classification occurs in the POSTROUTING chain except
when the <emphasis role="bold">SOURCE</emphasis> is <emphasis when the <emphasis role="bold">SOURCE</emphasis> is <emphasis
role="bold">$FW</emphasis>[:<emphasis>address</emphasis>] in role="bold">$FW</emphasis>[:<emphasis>address</emphasis>] in
which case classification occurs in the OUTPUT chain.</para> which case classification occurs in the OUTPUT chain.</para>
<para>When using Shorewall's built-in traffic shaping tool, <para>When using Shorewall's built-in traffic shaping tool,
the <emphasis>major</emphasis> class is the device number (the the <emphasis>major</emphasis> class is the device number (the
first device in <ulink first device in <ulink
url="/manpages/shorewall-tcdevices.html">shorewall-tcdevices</ul ink>(5) url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
is major class 1, the second device is major class 2, and so is major class 1, the second device is major class 2, and so
on) and the <emphasis>minor</emphasis> class is the class's on) and the <emphasis>minor</emphasis> class is the class's
MARK value in <ulink MARK value in <ulink
url="/manpages/shorewall-tcclasses.html">shorewall-tcclasses</ul ink>(5) url="shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5)
preceded by the number 1 (MARK 1 corresponds to minor class preceded by the number 1 (MARK 1 corresponds to minor class
11, MARK 5 corresponds to minor class 15, MARK 22 corresponds 11, MARK 5 corresponds to minor class 15, MARK 22 corresponds
to minor class 122, etc.).</para> to minor class 122, etc.).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">?COMMENT</emphasis></term> <term><emphasis role="bold">?COMMENT</emphasis></term>
<listitem> <listitem>
skipping to change at line 322 skipping to change at line 322
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">DIVERTHA</emphasis></term> <term><emphasis role="bold">DIVERTHA</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall 5.0.4. To setup the HAProxy <para>Added in Shorewall 5.0.4. To setup the HAProxy
configuration described at <ulink configuration described at <ulink
url="http://www.loadbalancer.org/blog/setting-up-haproxy-with-tr ansparent-mode-on-centos-6-x">http://www.loadbalancer.org/blog/setting-up-haprox y-with-transparent-mode-on-centos-6-x</ulink>, url="http://www.loadbalancer.org/blog/setting-up-haproxy-with-tr ansparent-mode-on-centos-6-x">http://www.loadbalancer.org/blog/setting-up-haprox y-with-transparent-mode-on-centos-6-x</ulink>,
place this entry in <ulink place this entry in <ulink
url="/manpages/shorewall-providers.html">shorewall-providers(5)< /ulink>:</para> url="shorewall-providers.html">shorewall-providers(5)</ulink>:</ para>
<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE G ATEWAY OPTIONS COPY <programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE G ATEWAY OPTIONS COPY
TProxy 1 - - lo - tproxy</programli sting> TProxy 1 - - lo - tproxy</programli sting>
<para>and use this DIVERTHA entry:</para> <para>and use this DIVERTHA entry:</para>
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP <programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP
DIVERTHA - - tcp</programlisting> DIVERTHA - - tcp</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
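Review bot: the loadbalancer.org URL in the DIVERTHA entry is left as plain http:// while the shorewall.net links in this change set are moved to https://shorewall.org; if the point of the change set is to stop pointing readers at cleartext URLs, this external link should get the same treatment (and a quick check that the third-party blog post still resolves), or the HAProxy transparent-mode setup should be summarized here so the manpage does not depend on an outside page.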
skipping to change at line 389 skipping to change at line 389
placed in the POSTROUTING chain.</para> placed in the POSTROUTING chain.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">ECN</emphasis></term> <term><emphasis role="bold">ECN</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall 5.0.6 as an alternative to entries in <para>Added in Shorewall 5.0.6 as an alternative to entries in
<ulink <ulink
url="/manpages/shorewall-ecn.html">shorewall-ecn(5)</ulink>. url="shorewall-ecn.html">shorewall-ecn(5)</ulink>.
If a PROTO is specified, it must be 'tcp' (6). If no PROTO is If a PROTO is specified, it must be 'tcp' (6). If no PROTO is
supplied, TCP is assumed. This action causes all ECN bits in supplied, TCP is assumed. This action causes all ECN bits in
the TCP header to be cleared.</para> the TCP header to be cleared.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</ter m> role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</ter m>
skipping to change at line 424 skipping to change at line 424
two semicolons (";;") (preferred since Shoreall 5.0.0). If an two semicolons (";;") (preferred since Shoreall 5.0.0). If an
<replaceable>action</replaceable> is specified, the compiler <replaceable>action</replaceable> is specified, the compiler
proceeds as if that <replaceable>action</replaceable> had been proceeds as if that <replaceable>action</replaceable> had been
specified in this column. If no action is specified, then you specified in this column. If no action is specified, then you
may include your own jump ("-j may include your own jump ("-j
<replaceable>target</replaceable> <replaceable>target</replaceable>
[<replaceable>option</replaceable>] ...") after any matches [<replaceable>option</replaceable>] ...") after any matches
specified at the end of the rule. If the target is not one specified at the end of the rule. If the target is not one
known to Shorewall, then it must be defined as a builtin known to Shorewall, then it must be defined as a builtin
action in <ulink action in <ulink
url="/manpages/shorewall-actions.html">shorewall-actions</ulink> url="shorewall-actions.html">shorewall-actions</ulink>
(5).</para> (5).</para>
<para>The following rules are equivalent:</para> <para>The following rules are equivalent:</para>
<programlisting>2:P eth0 - tcp 22 <programlisting>2:P eth0 - tcp 22
INLINE(MARK(2)):P eth0 - tcp 22 INLINE(MARK(2)):P eth0 - tcp 22
INLINE(MARK(2)):P eth0 - ;; -p tcp INLINE(MARK(2)):P eth0 - ;; -p tcp
INLINE eth0 - tcp 22 ;; -j MARK --set-mark 2 INLINE eth0 - tcp 22 ;; -j MARK --set-mark 2
INLINE eth0 - ;; -p tcp -j MARK --se t-mark 2 INLINE eth0 - ;; -p tcp -j MARK --se t-mark 2
</programlisting> </programlisting>
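Review bot: the example under "The following rules are equivalent" is not internally consistent as rendered in either column: rules 1, 2 and 4 match tcp port 22, but rule 3 "INLINE(MARK(2)):P eth0 - ;; -p tcp" and rule 5 "INLINE eth0 - ;; -p tcp -j MARK --set-mark 2" carry only "-p tcp" with no "--dport 22", so they mark all TCP from eth0, not just SSH. Either add "--dport 22" to the inline matches or change the paragraph to say the rules illustrate the syntax rather than being equivalent. Also, "preferred since Shoreall 5.0.0" a few lines earlier is a typo for Shorewall that survives the edit.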
skipping to change at line 567 skipping to change at line 567
following error message will be issued:</para> following error message will be issued:</para>
<simplelist> <simplelist>
<member>ERROR: Unknown target <member>ERROR: Unknown target
(<replaceable>target</replaceable>)</member> (<replaceable>target</replaceable>)</member>
</simplelist> </simplelist>
<para>This error message may be eliminated by adding the <para>This error message may be eliminated by adding the
<replaceable>target</replaceable> as a builtin action in <replaceable>target</replaceable> as a builtin action in
<ulink <ulink
url="/manpages/shorewall-actions.html">shorewall-actions(5)</uli nk>.</para> url="shorewall-actions.html">shorewall-actions(5)</ulink>.</para >
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">IPTABLES({<replaceable>target</replaceable> role="bold">IPTABLES({<replaceable>target</replaceable>
[<replaceable>option</replaceable> ...])</emphasis></term> [<replaceable>option</replaceable> ...])</emphasis></term>
<listitem> <listitem>
<para>IPv4 only.</para> <para>IPv4 only.</para>
skipping to change at line 592 skipping to change at line 592
error message will be issued:</para> error message will be issued:</para>
<simplelist> <simplelist>
<member>ERROR: Unknown target <member>ERROR: Unknown target
(<replaceable>target</replaceable>)</member> (<replaceable>target</replaceable>)</member>
</simplelist> </simplelist>
<para>This error message may be eliminated by adding the <para>This error message may be eliminated by adding the
<replaceable>target</replaceable> as a builtin action in <replaceable>target</replaceable> as a builtin action in
<ulink <ulink
url="/manpages/shorewall-actions.html">shorewall-actions(5)</uli nk>.</para> url="shorewall-actions.html">shorewall-actions(5)</ulink>.</para >
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">MARK({<replaceable>mark</replaceable>|<replaceable>ran ge</replaceable>})</emphasis></term> role="bold">MARK({<replaceable>mark</replaceable>|<replaceable>ran ge</replaceable>})</emphasis></term>
<listitem> <listitem>
<para>where <replaceable>mark</replaceable> is a packet mark <para>where <replaceable>mark</replaceable> is a packet mark
value.</para> value.</para>
skipping to change at line 635 skipping to change at line 635
capability in iptables and kernel. Marks in the specified capability in iptables and kernel. Marks in the specified
range are assigned to packets on a round-robin fashion.</para> range are assigned to packets on a round-robin fashion.</para>
<para>When a mask is specified, the result of logically ANDing <para>When a mask is specified, the result of logically ANDing
each mark value with the mask must be the same as the mark each mark value with the mask must be the same as the mark
value. The least significant bit in the mask is used as an value. The least significant bit in the mask is used as an
increment. For example, if '0x200-0x400/0xff00' is specified, increment. For example, if '0x200-0x400/0xff00' is specified,
then the assigned mark values are 0x200, 0x300 and 0x400 in then the assigned mark values are 0x200, 0x300 and 0x400 in
equal proportions. If no mask is specified, then ( 2 ** equal proportions. If no mask is specified, then ( 2 **
MASK_BITS ) - 1 is assumed (MASK_BITS is set in <ulink MASK_BITS ) - 1 is assumed (MASK_BITS is set in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)).< /para> url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">NFLOG</emphasis>[(<emphasis>nflog-parameters</emphasis >)]</term> role="bold">NFLOG</emphasis>[(<emphasis>nflog-parameters</emphasis >)]</term>
<listitem> <listitem>
<para>Added in Shorewall 5.0.9. Logs matching packets using <para>Added in Shorewall 5.0.9. Logs matching packets using
NFLOG. The <replaceable>nflog-parameters</replaceable> are a NFLOG. The <replaceable>nflog-parameters</replaceable> are a
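Review bot: "Marks in the specified range are assigned to packets on a round-robin fashion" should read "in a round-robin fashion". The mask worked example is right (least significant set bit of 0xff00 is 0x100, giving 0x200, 0x300, 0x400), but it is worth stating explicitly that the round-robin assignment requires the iptables/kernel capability named just above, since the MARK target silently falls back otherwise only if the compiler rejects the rule; the text says "Requires ... capability" but not what happens when it is absent.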
skipping to change at line 807 skipping to change at line 807
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>[,<r eplaceable>address</replaceable>]])</term> role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>[,<r eplaceable>address</replaceable>]])</term>
<listitem> <listitem>
<para>Transparently redirects a packet without altering the IP <para>Transparently redirects a packet without altering the IP
header. Requires a tproxy provider to be defined in <ulink header. Requires a tproxy provider to be defined in <ulink
url="/manpages/shorewall-providers.html">shorewall-providers</ul ink>(5).</para> url="shorewall-providers.html">shorewall-providers</ulink>(5).</ para>
<para>There are three parameters to TPROXY - neither is <para>There are three parameters to TPROXY - neither is
required:</para> required:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para><replaceable>port</replaceable> - the port on which <para><replaceable>port</replaceable> - the port on which
the proxy server is listening. If omitted, the original the proxy server is listening. If omitted, the original
destination port.</para> destination port.</para>
</listitem> </listitem>
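Review bot: "There are three parameters to TPROXY - neither is required" mixes a count of three with "neither", which only works for two; "none is required" is the grammatical form. The term line in this hunk shows only port and address, so if a third parameter exists it should appear in the term as well as the list.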
skipping to change at line 866 skipping to change at line 866
<para>where <replaceable>source-spec</replaceable> is one of:</para> <para>where <replaceable>source-spec</replaceable> is one of:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term>[!]<replaceable>interface</replaceable></term> <term>[!]<replaceable>interface</replaceable></term>
<listitem> <listitem>
<para>where <replaceable>interface</replaceable> is the <para>where <replaceable>interface</replaceable> is the
logical name of an <replaceable>interface</replaceable> logical name of an <replaceable>interface</replaceable>
defined in <ulink defined in <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ ulink>(5). url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
Matches packets entering the firewall from the named Matches packets entering the firewall from the named
interface. May not be used in CLASSIFY rules or in rules using interface. May not be used in CLASSIFY rules or in rules using
the :T chain qualifier.</para> the :T chain qualifier.</para>
<para>Beginning with Shorweall 5.2.1, the <para>Beginning with Shorweall 5.2.1, the
<replaceable>interface</replaceable> may be preceded with '!' <replaceable>interface</replaceable> may be preceded with '!'
which matches all interfaces except the one specified.</para> which matches all interfaces except the one specified.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
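Review bot: "Beginning with Shorweall 5.2.1" in the interface source-spec entry is a typo for Shorewall that is present in both columns; fix it while the adjacent link is being rewritten.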
skipping to change at line 897 skipping to change at line 897
("+").</para> ("+").</para>
<para>A MAC address in Shorewall format (preceded by a tilde <para>A MAC address in Shorewall format (preceded by a tilde
("~") and using dash ("-") as a separator (e.g., ("~") and using dash ("-") as a separator (e.g.,
~00-A0-C9-15-39-78).</para> ~00-A0-C9-15-39-78).</para>
</blockquote> </blockquote>
<para>Matches traffic whose source IP address matches one of <para>Matches traffic whose source IP address matches one of
the listed addresses and that does not match an address listed the listed addresses and that does not match an address listed
in the <replaceable>exclusion</replaceable> (see <ulink in the <replaceable>exclusion</replaceable> (see <ulink
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ul ink>(5)).</para> url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).< /para>
<para><emphasis role="bold">This form will not match traffic <para><emphasis role="bold">This form will not match traffic
that originates on the firewall itself unless either that originates on the firewall itself unless either
&lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used
in the ACTION column.</emphasis></para> in the ACTION column.</emphasis></para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>[!]<replaceable>interface</replaceable>:<replaceable>address </replaceable>,[...][<replaceable>exclusion</replaceable>]</term> <term>[!]<replaceable>interface</replaceable>:<replaceable>address </replaceable>,[...][<replaceable>exclusion</replaceable>]</term>
skipping to change at line 1001 skipping to change at line 1001
<listitem> <listitem>
<para>where <replaceable>dest-spec</replaceable> is one of:</para> <para>where <replaceable>dest-spec</replaceable> is one of:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term><replaceable>interface</replaceable></term> <term><replaceable>interface</replaceable></term>
<listitem> <listitem>
<para>where <replaceable>interface</replaceable> is the <para>where <replaceable>interface</replaceable> is the
logical name of an interface defined in <ulink logical name of an interface defined in <ulink
url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ ulink>(5). url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
Matches packets leaving the firewall through the named Matches packets leaving the firewall through the named
interface. May not be used in the PREROUTING chain (:P in the interface. May not be used in the PREROUTING chain (:P in the
mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No
in <ulink in <ulink
url="/manpages/shorewall.conf">shorewall.conf</ulink> url="shorewall.conf">shorewall.conf</ulink>
(5)).</para> (5)).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><replaceable>address</replaceable>[,...][<replaceable>exclus ion</replaceable>]</term> <term><replaceable>address</replaceable>[,...][<replaceable>exclus ion</replaceable>]</term>
<listitem> <listitem>
<para>where <replaceable>address</replaceable> is:</para> <para>where <replaceable>address</replaceable> is:</para>
skipping to change at line 1031 skipping to change at line 1031
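Review bot: the interface dest-spec entry links to url="shorewall.conf" (old column "/manpages/shorewall.conf"), with no ".html" extension, whereas every other reference to the same page in this file uses "shorewall.conf.html". Relativizing the path does not fix that; as written the link will 404 or fetch the wrong object. Change it to "shorewall.conf.html" in this hunk.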
("+").</para> ("+").</para>
<para>A MAC address in Shorewall format (preceded by a tilde <para>A MAC address in Shorewall format (preceded by a tilde
("~") and using dash ("-") as a separator (e.g., ("~") and using dash ("-") as a separator (e.g.,
~00-A0-C9-15-39-78).</para> ~00-A0-C9-15-39-78).</para>
</blockquote> </blockquote>
<para>Matches traffic whose destination IP address matches one <para>Matches traffic whose destination IP address matches one
of the listed addresses and that does not match an address of the listed addresses and that does not match an address
listed in the <replaceable>exclusion</replaceable> (see <ulink listed in the <replaceable>exclusion</replaceable> (see <ulink
url="/manpages/shorewall-exclusion.html">shorewall-exclusion</ul ink>(5)).</para> url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).< /para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><replaceable>interface</replaceable>:<replaceable>address</r eplaceable>,[...][<replaceable>exclusion</replaceable>]</term> <term><replaceable>interface</replaceable>:<replaceable>address</r eplaceable>,[...][<replaceable>exclusion</replaceable>]</term>
<listitem> <listitem>
<para>This form combines the preceding two forms and matches <para>This form combines the preceding two forms and matches
when both the outgoing interface and destination IP address when both the outgoing interface and destination IP address
match. May not be used in the PREROUTING chain (:P in the mark match. May not be used in the PREROUTING chain (:P in the mark
column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in
<ulink url="/manpages/shorewall.conf">shorewall.conf</ulink> <ulink url="shorewall.conf">shorewall.conf</ulink>
(5)).</para> (5)).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><replaceable>interface</replaceable>:<replaceable>exclusion< /replaceable></term> <term><replaceable>interface</replaceable>:<replaceable>exclusion< /replaceable></term>
<listitem> <listitem>
<para>This form matches packets leaving through the named <para>This form matches packets leaving through the named
<replaceable>interface</replaceable> and whose destination IP <replaceable>interface</replaceable> and whose destination IP
address does not match any of the addresses in the address does not match any of the addresses in the
<replaceable>exclusion</replaceable>. May not be used in the <replaceable>exclusion</replaceable>. May not be used in the
PREROUTING chain (:P in the mark column or no chain qualifier PREROUTING chain (:P in the mark column or no chain qualifier
and MARK_IN_FORWARD_CHAIN=No in <ulink and MARK_IN_FORWARD_CHAIN=No in <ulink
url="/manpages/shorewall.conf">shorewall.conf</ulink> url="shorewall.conf">shorewall.conf</ulink>
(5)).</para> (5)).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>$FW</term> <term>$FW</term>
<listitem> <listitem>
<para>Matches packets originating on the firewall system. May <para>Matches packets originating on the firewall system. May
not be used with a chain qualifier (:P, :F, etc.) in the not be used with a chain qualifier (:P, :F, etc.) in the
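Review bot: the same missing ".html" appears twice in this hunk, in the interface:address and interface:exclusion dest-spec entries, both of which now read url="shorewall.conf"; bring both in line with the "shorewall.conf.html" form used elsewhere in the file.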
skipping to change at line 1127 skipping to change at line 1127
<term><emphasis role="bold">PROTO</emphasis> - {<emphasis <term><emphasis role="bold">PROTO</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis role="bold">-</emphasis>|<emphasis
role="bold">{tcp:[!]syn</emphasis>|<emphasis role="bold">{tcp:[!]syn</emphasis>|<emphasis
role="bold">ipp2p</emphasis>|<emphasis role="bold">ipp2p</emphasis>|<emphasis
role="bold">ipp2p:udp</emphasis>|<emphasis role="bold">ipp2p:udp</emphasis>|<emphasis
role="bold">ipp2p:all</emphasis>|<emphasis>protocol-number</emphasis>|<e mphasis>protocol-name</emphasis>|<emphasis role="bold">ipp2p:all</emphasis>|<emphasis>protocol-number</emphasis>|<e mphasis>protocol-name</emphasis>|<emphasis
role="bold">all}[,...]}</emphasis></term> role="bold">all}[,...]}</emphasis></term>
<listitem> <listitem>
<para>See <ulink <para>See <ulink
url="/manpages/shorewall-rules.html">shorewall-rules(5)</ulink> for url="shorewall-rules.html">shorewall-rules(5)</ulink> for
details.</para> details.</para>
<para>Beginning with Shorewall 4.5.12, this column can accept a <para>Beginning with Shorewall 4.5.12, this column can accept a
comma-separated list of protocols.</para> comma-separated list of protocols.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">DPORT</emphasis>- {<emphasis <term><emphasis role="bold">DPORT</emphasis>- {<emphasis
role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[ <emphasis role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[ <emphasis
role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]. ..|+<replaceable>ipset</replaceable>}</term> role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]. ..|+<replaceable>ipset</replaceable>}</term>
<listitem> <listitem>
<para>Optional destination Ports. A comma-separated list of Port <para>Optional destination Ports. A comma-separated list of Port
names (from services(5)), <emphasis>port number</emphasis>s or names (from services(5)), <emphasis>port number</emphasis>s or
<emphasis>port range</emphasis>s; if the protocol is <emphasis <emphasis>port range</emphasis>s; if the protocol is <emphasis
role="bold">icmp</emphasis>, this column is interpreted as the role="bold">icmp</emphasis>, this column is interpreted as the
destination icmp-type(s). ICMP types may be specified as a numeric destination icmp-type(s). ICMP types may be specified as a numeric
type, a numeric type and code separated by a slash (e.g., 3/4), or a type, a numeric type and code separated by a slash (e.g., 3/4), or a
typename. See <ulink typename. See <ulink
url="/configuration_file_basics.htm#ICMP">http://www.shorewall.net/con figuration_file_basics.htm#ICMP</ulink>.</para> url="../configuration_file_basics.htm#ICMP">https://shorewall.org/conf iguration_file_basics.htm#ICMP</ulink>.</para>
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>, <para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
this column is interpreted as an ipp2p option without the leading this column is interpreted as an ipp2p option without the leading
"--" (example <emphasis role="bold">bit</emphasis> for bit-torrent). "--" (example <emphasis role="bold">bit</emphasis> for bit-torrent).
If no PORT is given, <emphasis role="bold">ipp2p</emphasis> is If no PORT is given, <emphasis role="bold">ipp2p</emphasis> is
assumed.</para> assumed.</para>
<para>An entry in this field requires that the PROTO column specify <para>An entry in this field requires that the PROTO column specify
icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
any of the following field is supplied.</para> any of the following field is supplied.</para>
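Review bot: in the DPORT entry, "Use '-' if any of the following field is supplied" should be "fields", and the term line "DPORT- {" is missing the space before the dash that the other column terms have. The PROTO/DPORT interaction is otherwise stated clearly; the list of protocols that permit a DPORT entry (icmp, tcp, udp, sctp, udplite) matches the term.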
skipping to change at line 1586 skipping to change at line 1586
</variablelist> </variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">SWITCH - <term><emphasis role="bold">SWITCH -
[!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term> [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall 5.1.0 and allows enabling and disabling the <para>Added in Shorewall 5.1.0 and allows enabling and disabling the
rule without requiring <command>shorewall restart</command>.</para> rule without requiring <command>shorewall reload</command>.</para>
<para>The rule is enabled if the value stored in <para>The rule is enabled if the value stored in
<filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable ></filename> <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable ></filename>
is 1. The rule is disabled if that file contains 0 (the default). If is 1. The rule is disabled if that file contains 0 (the default). If
'!' is supplied, the test is inverted such that the rule is enabled '!' is supplied, the test is inverted such that the rule is enabled
if the file contains 0.</para> if the file contains 0.</para>
<para>Within the <replaceable>switch-name</replaceable>, '@0' and <para>Within the <replaceable>switch-name</replaceable>, '@0' and
'@{0}' are replaced by the name of the chain to which the rule is a '@{0}' are replaced by the name of the chain to which the rule is a
added. The <replaceable>switch-name</replaceable> (after '@...' added. The <replaceable>switch-name</replaceable> (after '@...'
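Review bot: replacing "shorewall restart" with "shorewall reload" in the SWITCH description is consistent with the later paragraph saying settings survive reload, but the remaining text only says the "start" command honours "=0"/"=1" and that "Other commands do not affect the switch setting", so whether a restart also preserves the value is now left implicit; a reader who still uses restart will want that stated. Also "the chain to which the rule is a added" should be "is added".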
skipping to change at line 1617 skipping to change at line 1617
</simplelist> </simplelist>
<para>To turn it <emphasis role="bold">off</emphasis> again:</para> <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
<simplelist> <simplelist>
<member><command>echo 0 &gt; <member><command>echo 0 &gt;
/proc/net/nf_condition/<replaceable>switch-name</replaceable></comma nd></member> /proc/net/nf_condition/<replaceable>switch-name</replaceable></comma nd></member>
</simplelist> </simplelist>
<para>Switch settings are retained over <command>shorewall <para>Switch settings are retained over <command>shorewall
restart</command>.</para> reload</command>.</para>
<para>When the <replaceable>switch-name</replaceable> is followed by <para>When the <replaceable>switch-name</replaceable> is followed by
<option>=0</option> or <option>=1</option>, then the switch is <option>=0</option> or <option>=1</option>, then the switch is
initialized to off or on respectively by the initialized to off or on respectively by the
<command>start</command> command. Other commands do not affect the <command>start</command> command. Other commands do not affect the
switch setting.</para> switch setting.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>
skipping to change at line 1727 skipping to change at line 1727
<para>/etc/shorewall/mangle</para> <para>/etc/shorewall/mangle</para>
<para>/etc/shorewall6/mangle</para> <para>/etc/shorewall6/mangle</para>
</refsect1> </refsect1>
<refsect1> <refsect1>
<title>See ALSO</title> <title>See ALSO</title>
<para><ulink <para><ulink
url="/traffic_shaping.htm">http://www.shorewall.net/traffic_shaping.htm</uli nk></para> url="../traffic_shaping.htm">https://shorewall.org/traffic_shaping.htm</ulin k></para>
<para><ulink <para><ulink
url="/MultiISP.html">http://www.shorewall.net/MultiISP.html</ulink></para> url="../MultiISP.html">https://shorewall.org/MultiISP.html</ulink></para>
<para><ulink <para><ulink
url="/PacketMarking.html">http://www.shorewall.net/PacketMarking.html</ulink ></para> url="../PacketMarking.html">https://shorewall.org/PacketMarking.html</ulink> </para>
<para><ulink <para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configur ation_file_basics.htm#Pairs</ulink></para> url="../configuration_file_basics.htm#Pairs">https://shorewall.org/configura tion_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8)</para> <para>shorewall(8)</para>
</refsect1> </refsect1>
</refentry> </refentry>
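Review bot: the See ALSO links now mix ".htm" (traffic_shaping.htm, configuration_file_basics.htm#Pairs) and ".html" (MultiISP.html, PacketMarking.html) extensions while all four are rewritten to "../" relative form; that matches the earlier hunks, but the "../" prefix hard-codes the manpages directory being exactly one level below the site root, so the doc build should be checked against that assumption in the same way as the bare "shorewall-*.html" references elsewhere in the file.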
 End of changes. 28 change blocks. 
28 lines changed or deleted 28 lines changed or added
