1SHOREWALL-ACCOUNTIN(5)        Configuration Files       SHOREWALL-ACCOUNTIN(5)
2
3
4

NAME

6       accounting - Shorewall Accounting file
7

SYNOPSIS

9       /etc/shorewall[6]/accounting
10

DESCRIPTION

12       Accounting rules exist simply to count packets and bytes in categories
13       that you define in this file. You may display these rules and their
14       packet and byte counters using the shorewall show accounting command.
15
16       Beginning with Shorewall 4.4.18, the accounting structure can be
17       created with three root chains:
18
19       ·   accountin: Rules that are valid in the INPUT chain (may not specify
20           an output interface).
21
22       ·   accountout: Rules that are valid in the OUTPUT chain (may not
23           specify an input interface or a MAC address).
24
25       ·   accounting: Other rules.
26
27       The new structure is enabled by sectioning the accounting file in a
28       manner similar to the rules file[1]. The sections are INPUT, OUTPUT and
29       FORWARD and must appear in that order (although any of them may be
30       omitted). The first non-commentary record in the accounting file must
31       be a section header when sectioning is used.
32
33           Warning
34           If sections are not used, the Shorewall rules compiler cannot
35           detect certain violations of netfilter restrictions. These
36           violations can result in run-time errors such as the following:
37
38           iptables-restore v1.4.13: Can't use -o with INPUT
39
40       Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was added
41       to shorewall.conf and shorewall6.conf. That setting determines the
42       Netfilter table (filter or mangle) where the accounting rules are
43       added. When ACCOUNTING_TABLE=mangle is specified, the available
44       sections are PREROUTING, INPUT, OUTPUT, FORWARD and POSTROUTING.
45
46       Section headers have the form:
47
48       ?SECTION section-name
49
50       When sections are enabled:
51
52       ·   A jump to a user-defined accounting chain must appear before
53           entries that add rules to that chain. This eliminates loops and
54           unreferenced chains.
55
56       ·   An output interface may not be specified in the PREROUTING and
57           INPUT sections.
58
59       ·   In the OUTPUT and POSTROUTING sections:
60
61           ·   An input interface may not be specified
62
63           ·   Jumps to a chain defined in the INPUT or PREROUTING sections
64               that specifies an input interface are prohibited
65
66           ·   MAC addresses may not be used
67
68           ·   Jump to a chain defined in the INPUT or PREROUTING section that
69               specifies a MAC address are prohibited.
70
71       ·   The default value of the CHAIN column is:
72
73           ·   accountin in the INPUT section
74
75           ·   accountout in the OUTPUT section
76
77           ·   accountfwd in the FORWARD section
78
79           ·   accountpre in the PREROUTING section
80
81           ·   accountpost in the POSTROUTING section
82
83       ·   Traffic addressed to the firewall goes through the rules defined in
84           the INPUT section.
85
86       ·   Traffic originating on the firewall goes through the rules defined
87           in the OUTPUT section.
88
89       ·   Traffic being forwarded through the firewall goes through the rules
90           from the FORWARD sections.
91
92       The columns in the file are as follows (where the column name is
93       followed by a different name in parentheses, the different name is used
94       in the alternate specification syntax):
95
96       ACTION -
97       {COUNT|DONE|chain[:{COUNT|JUMP}]|ACCOUNT(table,network)|[?]COMMENT
98       comment}
99           What to do when a matching packet is found.
100
101           COUNT
102               Simply count the match and continue with the next rule
103
104           DONE
105               Count the match and don't attempt to match any other accounting
106               rules in the chain specified in the CHAIN column.
107
108           chain[:COUNT]
109               Where chain is the name of a chain; shorewall will create the
110               chain automatically if it doesn't already exist. If a second
111               chain is mentioned in the CHAIN column, then a jump from this
112               second chain to chain is created. If no chain is named in the
113               CHAIN column, then a jump from the default chain to chain is
114               created. If :COUNT is included, a counting rule matching this
115               entry will be added to chain. The chain may not exceed 29
116               characters in length and may be composed of letters, digits,
117               dash ('-') and underscore ('_').
118
119           chain:JUMP
120               Like the previous option without the :COUNT part.
121
122           ACCOUNT(table,network)
123               This action implements per-IP accounting and was added in
124               Shorewall 4.4.17. Requires the ACCOUNT Target capability in
125               your iptables and kernel (see the output of shorewall show
126               capabilities).
127
128               table
129                   is the name of an accounting table (you choose the name).
130                   All rules specifying the same name will have their per-IP
131                   counters accumulated in the same table.
132
133               network
134                   is an IPv4 network in CIDR notation (e.g., 192.168.1.0/24).
135                   The network can be as large as a /8 (class A).
136
137               One nice feature of per-IP accounting is that the counters
138               survive shorewall restart. This has a downside, however. If you
139               change the network associated with an accounting table, then
140               you must shorewall stop; shorewall start to have a successful
141               restart (counters will be cleared).
142
143               The counters in a table are printed using the iptaccount
144               utility. For a command synopsis, type:
145
146               iptaccount --help
147
148               As of February 2011, the ACCOUNT Target capability and the
149               iptaccount utility are only available when xtables-addons[2] is
150               installed. See
151               http://www.shorewall.net/Accounting.html#perIP[3] for
152               additional information.
153
154           INLINE
155               Added in Shorewall 4.5.16. Allows free form iptables matches to
156               be specified following a ';'. In the generated iptables
157               rule(s), the free form matches will follow any matches that are
158               generated by the column contents.
159
160           NFACCT({object[!]}[,...])
161               Added in Shorewall 4.5.7. Provides a form of accounting that
162               survives shorewall stop/shorewall start and shorewall restart.
163               Requires the NFaccnt Match capability in your kernel and
164               iptables.  object names an nfacct object (see man nfaccnt(8)).
165               Multiple rules can specify the same object; all packets that
166               match any of the rules increment the packet and bytes count of
167               the object.
168
169               Prior to Shorewall 4.5.16, only one object could be specified.
170               Beginning with Shorewall 4.5.16, an arbitrary number of objects
171               may be given.
172
173               With Shorewall 4.5.16 or later, an nfacct object in the list
174               may optionally be followed by !  to indicate that the nfacct
175               object will be incremented unconditionally for each packet.
176               When !  is omitted, the object will be incremented only if all
177               of the matches in the rule succeed.
178
179           NFLOG[(nflog-parameters)] - Added in Shorewall-4.4.20.
180               Causes each matching packet to be sent via the currently loaded
181               logging back-end (usually nfnetlink_log) where it is available
182               to accounting daemons through a netlink socket.
183
184           ?COMMENT
185               The remainder of the line is treated as a comment which is
186               attached to subsequent rules until another COMMENT line is
187               found or until the end of the file is reached. To stop adding
188               comments to rules, use a line with only the word ?COMMENT.
189
190       CHAIN - {-|chain}
191           The name of a chain. If specified as - the accounting chain is
192           assumed when the file is un-sectioned. When the file is sectioned,
193           the default is one of accountin, accountout, etc. depending on the
194           section. This is the chain where the accounting rule is added. The
195           chain will be created if it doesn't already exist. The chain may
196           not exceed 29 characters in length.
197
198       SOURCE - {-|any|all|interface|interface:address|address}
199           Packet Source.
200
201           The name of an interface, an address (host or net) or an interface
202           name followed by ":" and a host or net address. An ipset name is
203           also accepted as an address.
204
205       DEST - {-|any|all|interface|interface:address|address}
206           This column was formerly named DESTINATION.
207
208           Packet Destination.
209
210           Format same as SOURCE column.
211
212       PROTO -
213       {-|{any|all|protocol-name|protocol-number|ipp2p[:{udp|all}]}[,...]}
214           This column was formerly named PROTOCOL
215
216           A protocol-name (from protocols(5)), a protocol-number, ipp2p,
217           ipp2p:udp or ipp2p:all
218
219           Beginning with Shorewall 4.5.12, this column can accept a
220           comma-separated list of protocols.
221
222       DPORT -
223       {-|any|all|ipp2p-option|port-name-or-number[,port-name-or-number]...}
224           Destination Port number. Service name from services(5) or port
225           number. May only be specified if the protocol is TCP (6), UDP (17),
226           DCCP (33), SCTP (132) or UDPLITE (136).
227
228           You may place a comma-separated list of port names or numbers in
229           this column if your kernel and iptables include multi-port match
230           support.
231
232           If the PROTOCOL is ipp2p then this column must contain an
233           ipp2p-option ("iptables -m ipp2p --help") without the leading "--".
234           If no option is given in this column, ipp2p is assumed.
235
236           This column was formerly named DEST PORT(S).
237
238       SPORT - {-|any|all|port-name-or-number[,port-name-or-number]...}
239           Service name from services(5) or port number. May only be specified
240           if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or
241           UDPLITE (136).
242
243           You may place a comma-separated list of port numbers in this column
244           if your kernel and iptables include multi-port match support.
245
246           Beginning with Shorewall 4.5.15, you may place '=' in this column,
247           provided that the DEST PORT(S) column is non-empty. This causes the
248           rule to match when either the source port or the destination port
249           in a packet matches one of the ports specified in DPORT. Use of '='
250           requires multi-port match in your iptables and kernel.
251
252           This column was formerly labelled SOURCE PORT(S).
253
254       USER - [!][user-name-or-number][:group-name-or-number][+program-name]
255           This column was formerly named USER/GROUP and may only be non-empty
256           if the CHAIN is OUTPUT.
257
258           When this column is non-empty, the rule applies only if the program
259           generating the output is running under the effective user and/or
260           group specified (or is NOT running under that id if "!" is given).
261
262           Examples:
263
264           joe
265               program must be run by joe
266
267           :kids
268               program must be run by a member of the 'kids' group
269
270           !:kids
271               program must not be run by a member of the 'kids' group
272
273           +upnpd
274               #program named upnpd
275
276                   Important
277                   The ability to specify a program name was removed from
278                   Netfilter in kernel version 2.6.14.
279
280       MARK - [!]value[/mask][:C]
281           Defines a test on the existing packet or connection mark. The rule
282           will match only if the test returns true.
283
284           If you don't want to define a test but need to specify anything in
285           the following columns, place a "-" in this field.
286
287           !
288               Inverts the test (not equal)
289
290           value
291               Value of the packet or connection mark.
292
293           mask
294               A mask to be applied to the mark before testing.
295
296           :C
297               Designates a connection mark. If omitted, the packet mark's
298               value is tested.
299
300       IPSEC - option-list (Optional - Added in Shorewall 4.4.13 but broken
301       until 4.5.4.1 )
302           The option-list consists of a comma-separated list of options from
303           the following list. Only packets that will be encrypted or have
304           been decrypted via an SA that matches these options will have their
305           source address changed.
306
307           reqid=number
308               where number is specified using setkey(8) using the
309               'unique:number option for the SPD level.
310
311           spi=<number>
312               where number is the SPI of the SA used to encrypt/decrypt
313               packets.
314
315           proto=ah|esp|ipcomp
316               IPSEC Encapsulation Protocol
317
318           mss=number
319               sets the MSS field in TCP packets
320
321           mode=transport|tunnel
322               IPSEC mode
323
324           tunnel-src=address[/mask]
325               only available with mode=tunnel
326
327           tunnel-dst=address[/mask]
328               only available with mode=tunnel
329
330           strict
331               Means that packets must match all rules.
332
333           next
334               Separates rules; can only be used with strict
335
336           yes or ipsec
337               When used by itself, causes all traffic that will be
338               encrypted/encapsulated or has been decrypted/un-encapsulated to
339               match the rule.
340
341           no or none
342               When used by itself, causes all traffic that will not be
343               encrypted/encapsulated or has been decrypted/un-encapsulated to
344               match the rule.
345
346           in
347               May only be used in the FORWARD section and must be the first
348               or the only item the list. Indicates that matching packets have
349               been decrypted in input.
350
351           out
352               May only be used in the FORWARD section and must be the first
353               or the only item in the list. Indicates that matching packets
354               will be encrypted on output.
355
356           If this column is non-empty and sections are not used, then:
357
358           ·   A chain NAME appearing in the ACTION column must be a chain
359               branched either directly or indirectly from the accipsecin or
360               accipsecout chain.
361
362           ·   The CHAIN column must contain either accipsecin or accipsecout
363               or a chain branched either directly or indirectly from those
364               chains.
365
366           ·   These rules will NOT appear in the accounting chain.
367
368       In all of the above columns except ACTION and CHAIN, the values -, any
369       and all may be used as wildcard'gs. Omitted trailing columns are also
370       treated as wildcard'g.
371

FILES

373       /etc/shorewall/accounting
374
375       /etc/shorewall6/accounting
376

SEE ALSO

378       shorewall-logging(5)[4]
379
380       http://www.shorewall.net/configuration_file_basics.htm#Pairs[5]
381
382       shorewall(8)
383

NOTES

385        1. rules file
386           https://shorewall.org/manpages/shorewall-rules.html
387
388        2. xtables-addons
389           http://xtables-addons.sourceforge.net/
390
391        3. http://www.shorewall.net/Accounting.html#perIP
392           https://shorewall.org/Accounting.html#perIP
393
394        4. shorewall-logging(5)
395           https://shorewall.orgshorewall-logging.htm
396
397        5. http://www.shorewall.net/configuration_file_basics.htm#Pairs
398           https://shorewall.org/configuration_file_basics.htm#Pairs
399
400
401
402Configuration Files               01/15/2020            SHOREWALL-ACCOUNTIN(5)
Impressum