SHOREWALL-ACCOUNTIN(5)          [FIXME: manual]         SHOREWALL-ACCOUNTIN(5)


NAME

       accounting - Shorewall Accounting file


SYNOPSIS

       /etc/shorewall/accounting


DESCRIPTION

       Accounting rules exist simply to count packets and bytes in categories
       that you define in this file. You may display these rules and their
       packet and byte counters using the shorewall show accounting command.

       Beginning with Shorewall 4.4.18, the accounting structure can be
       created with three root chains:

       ·   accountin: Rules that are valid in the INPUT chain (may not specify
           an output interface).

       ·   accountout: Rules that are valid in the OUTPUT chain (may not
           specify an input interface or a MAC address).

       ·   accounting: Other rules.

       The new structure is enabled by sectioning the accounting file in a
       manner similar to the rules file[1]. The sections are INPUT, OUTPUT and
       FORWARD and must appear in that order (although any of them may be
       omitted). The first non-commentary record in the accounting file must
       be a section header when sectioning is used.

       Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was added
       to shorewall.conf and shorewall6.conf. That setting determines the
       Netfilter table (filter or mangle) where the accounting rules are
       added. When ACCOUNTING_TABLE=mangle is specified, the available
       sections are PREROUTING, INPUT, OUTPUT, FORWARD and POSTROUTING.

       Section headers have the form:

       SECTION section-name

       When sections are enabled:

       ·   A jump to a user-defined accounting chain must appear before
           entries that add rules to that chain. This eliminates loops and
           unreferenced chains.

       ·   An output interface may not be specified in the PREROUTING and
           INPUT sections.

       ·   In the OUTPUT and POSTROUTING sections:

           ·   An input interface may not be specified

           ·   Jumps to a chain defined in the INPUT or PREROUTING sections
               that specifies an input interface are prohibited

           ·   MAC addresses may not be used

           ·   Jumps to a chain defined in the INPUT or PREROUTING section that
               specifies a MAC address are prohibited.

       ·   The default value of the CHAIN column is:

           ·   accountin in the INPUT section

           ·   accountout in the OUTPUT section

           ·   accountfwd in the FORWARD section

           ·   accountpre in the PREROUTING section

           ·   accountpost in the POSTROUTING section

       ·   Traffic addressed to the firewall goes through the rules defined in
           the INPUT section.

       ·   Traffic originating on the firewall goes through the rules defined
           in the OUTPUT section.

       ·   Traffic being forwarded through the firewall goes through the rules
           from the FORWARD section.

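       The following is an added example, not part of the Shorewall manual or
       of the Shorewall compiler: a small Python checker that applies the
       sectioning rules above to a constructed accounting file. It assumes the
       filter table unless told otherwise, IPv4 addresses only, and
       Shorewall's ~xx-xx-xx-xx-xx-xx MAC notation (not shown on this page);
       it treats any SOURCE/DEST token that is neither an address nor a MAC
       as an interface name, which is this example's simplification rather
       than Shorewall's own rule. All function and constant names are the
       example's own.

```python
"""Section-aware checker for a Shorewall accounting file (added example).

Applies the sectioning rules from the man page: section order per table,
default CHAIN per section, no output interface in PREROUTING/INPUT, no input
interface or MAC in OUTPUT/POSTROUTING, and the chain-name limits.
Assumptions: IPv4 only; MACs use the ~xx-xx-xx-xx-xx-xx form (assumed);
a token that is neither an address nor a MAC is taken to be an interface.
"""
import ipaddress
import re
from collections import namedtuple
from typing import List, Optional, Tuple

SECTION_ORDER = {                                  # valid sections, in required order
    "filter": ["INPUT", "OUTPUT", "FORWARD"],
    "mangle": ["PREROUTING", "INPUT", "OUTPUT", "FORWARD", "POSTROUTING"],
}
DEFAULT_CHAIN = {"INPUT": "accountin", "OUTPUT": "accountout", "FORWARD": "accountfwd",
                 "PREROUTING": "accountpre", "POSTROUTING": "accountpost"}
NO_OUT_IFACE = {"PREROUTING", "INPUT"}             # may not name an output interface
NO_IN_IFACE_OR_MAC = {"OUTPUT", "POSTROUTING"}     # may not name an input interface or MAC
CHAIN_RE = re.compile(r"^[A-Za-z0-9_-]{1,29}$")    # <= 29 chars: letters, digits, -, _
MAC_RE = re.compile(r"^~[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}$")  # assumed MAC syntax

Rule = namedtuple("Rule", "section action chain source dest lineno")


def _is_address(tok: str) -> bool:
    try:
        ipaddress.IPv4Network(tok, strict=False)
        return True
    except ValueError:
        return False


def _iface_and_mac(col: str) -> Tuple[Optional[str], bool]:
    """Split a SOURCE/DEST column into (interface name or None, MAC present)."""
    if col in ("-", "any", "all"):
        return None, False
    iface, sep, addr = col.partition(":")
    if not sep:                                    # single token: interface, address or MAC
        if MAC_RE.match(col):
            return None, True
        return (None, False) if _is_address(col) else (col, False)
    return iface, bool(MAC_RE.match(addr))


def validate(text: str, table: str = "filter") -> List[Rule]:
    """Parse a sectioned accounting file; raise ValueError on the first violation."""
    order = SECTION_ORDER[table]
    section: Optional[str] = None
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()        # drop comments; blank lines yield []
        if not cols or cols[0] == "COMMENT":       # COMMENT lines carry free text only
            continue
        if cols[0] == "SECTION":
            name = cols[1] if len(cols) > 1 else ""
            if name not in order:
                raise ValueError(f"line {lineno}: unknown section {name!r} for table {table}")
            if section is not None and order.index(name) <= order.index(section):
                raise ValueError(f"line {lineno}: section {name} out of order")
            section = name
            continue
        if section is None:
            raise ValueError(f"line {lineno}: first record must be a SECTION header")
        cols += ["-"] * (4 - len(cols))            # omitted trailing columns are wildcards
        action, chain, source, dest = cols[:4]
        if chain == "-":
            chain = DEFAULT_CHAIN[section]
        if not CHAIN_RE.match(chain):
            raise ValueError(f"line {lineno}: bad chain name {chain!r}")
        in_iface, src_mac = _iface_and_mac(source)
        out_iface, _ = _iface_and_mac(dest)
        if section in NO_OUT_IFACE and out_iface:
            raise ValueError(f"line {lineno}: output interface not allowed in {section}")
        if section in NO_IN_IFACE_OR_MAC and (in_iface or src_mac):
            what = "input interface" if in_iface else "MAC address"
            raise ValueError(f"line {lineno}: {what} not allowed in {section}")
        rules.append(Rule(section, action, chain, source, dest, lineno))
    return rules


def check(text: str, table: str = "filter") -> Optional[str]:
    """Return None if the file validates, otherwise the first error message."""
    try:
        validate(text, table)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed sample file (not from the man page): count traffic to, from and
# through the firewall on eth0, with one forwarded LAN subnet broken out.
SAMPLE = """\
SECTION INPUT
COUNT    -    eth0                -
SECTION OUTPUT
COUNT    -    -                   eth0
SECTION FORWARD
COUNT    -    eth1:192.0.2.0/24   eth0
DONE     -    eth1                eth0   tcp   80
"""

if __name__ == "__main__":
    for r in validate(SAMPLE):
        print(f"{r.section:<8} {r.chain:<12} {r.action:<6} {r.source} -> {r.dest}")
    print(check("SECTION INPUT\nCOUNT - - eth0\n"))
```

       Running the file prints the four sample rules with their resolved
       default chains, then the error message for an INPUT-section entry that
       names an output interface. Pass table="mangle" to check a file written
       for ACCOUNTING_TABLE=mangle.
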
       The columns in the file are as follows.

       ACTION -
       {COUNT|DONE|chain[:{COUNT|JUMP}]|ACCOUNT(table,network)|COMMENT
       comment}
           What to do when a matching packet is found.

           COUNT
               Simply count the match and continue with the next rule.

           DONE
               Count the match and don't attempt to match any other accounting
               rules in the chain specified in the CHAIN column.

           chain[:COUNT]
               Where chain is the name of a chain; Shorewall will create the
               chain automatically if it doesn't already exist. Causes a jump
               to that chain to be added to the chain specified in the CHAIN
               column. If :COUNT is included, a counting rule matching this
               entry will be added to chain. The chain may not exceed 29
               characters in length and may be composed of letters, digits,
               dash ('-') and underscore ('_').

           chain:JUMP
               Like the previous option without the :COUNT part.

           ACCOUNT(table,network)
               This action implements per-IP accounting and was added in
               Shorewall 4.4.17. Requires the ACCOUNT Target capability in
               your iptables and kernel (see the output of shorewall show
               capabilities).

               table
                   is the name of an accounting table (you choose the name).
                   All rules specifying the same name will have their per-IP
                   counters accumulated in the same table.

               network
                   is an IPv4 network in CIDR notation (e.g., 192.168.1.0/24).
                   The network can be as large as a /8 (class A).

               One nice feature of per-IP accounting is that the counters
               survive shorewall restart. This has a downside, however. If you
               change the network associated with an accounting table, then
               you must shorewall stop; shorewall start to have a successful
               restart (counters will be cleared).

               The counters in a table are printed using the iptaccount
               utility. For a command synopsis, type:

               iptaccount --help

               As of February 2011, the ACCOUNT Target capability and the
               iptaccount utility are only available when xtables-addons[2] is
               installed. See http://www.shorewall.net/Accounting.html#perIP
               for additional information.

           NFLOG[(nflog-parameters)] - Added in Shorewall-4.4.20.
               Causes each matching packet to be sent via the currently loaded
               logging backend (usually nfnetlink_log) where it is available
               to accounting daemons through a netlink socket.

           COMMENT
               The remainder of the line is treated as a comment which is
               attached to subsequent rules until another COMMENT line is
               found or until the end of the file is reached. To stop adding
               comments to rules, use a line with only the word COMMENT.

       CHAIN - {-|chain}
           The name of a chain. If specified as - the accounting chain is
           assumed. This is the chain where the accounting rule is added. The
           chain will be created if it doesn't already exist. The chain may
           not exceed 29 characters in length.

       SOURCE - {-|any|all|interface|interface:address|address}
           Packet Source.

           The name of an interface, an address (host or net) or an interface
           name followed by ":" and a host or net address.

       DESTINATION - {-|any|all|interface|interface:address|address}
           Packet Destination.

           Format same as SOURCE column.

       PROTOCOL - {-|any|all|protocol-name|protocol-number|ipp2p[:{udp|all}]}
           A protocol-name (from protocols(5)), a protocol-number, ipp2p,
           ipp2p:udp or ipp2p:all.

       DEST PORT(S) -
       {-|any|all|ipp2p-option|port-name-or-number[,port-name-or-number]...}
           Destination Port number. Service name from services(5) or port
           number. May only be specified if the protocol is TCP (6), UDP (17),
           DCCP (33), SCTP (132) or UDPLITE (136).

           You may place a comma-separated list of port names or numbers in
           this column if your kernel and iptables include multiport match
           support.

           If the PROTOCOL is ipp2p then this column must contain an
           ipp2p-option ("iptables -m ipp2p --help") without the leading "--".
           If no option is given in this column, ipp2p is assumed.

       SOURCE PORT(S) -
       {-|any|all|port-name-or-number[,port-name-or-number]...}
           Service name from services(5) or port number. May only be specified
           if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or
           UDPLITE (136).

           You may place a comma-separated list of port numbers in this column
           if your kernel and iptables include multiport match support.

       USER/GROUP -
       [!][user-name-or-number][:group-name-or-number][+program-name]
           This column may only be non-empty if the CHAIN is OUTPUT.

           When this column is non-empty, the rule applies only if the program
           generating the output is running under the effective user and/or
           group specified (or is NOT running under that id if "!" is given).

           Examples:

           joe
               program must be run by joe

           :kids
               program must be run by a member of the 'kids' group

           !:kids
               program must not be run by a member of the 'kids' group

           +upnpd
               program named upnpd

                   Important
                   The ability to specify a program name was removed from
                   Netfilter in kernel version 2.6.14.

       MARK - [!]value[/mask][:C]
           Defines a test on the existing packet or connection mark. The rule
           will match only if the test returns true.

           If you don't want to define a test but need to specify anything in
           the following columns, place a "-" in this field.

           !
               Inverts the test (not equal)

           value
               Value of the packet or connection mark.

           mask
               A mask to be applied to the mark before testing.

           :C
               Designates a connection mark. If omitted, the packet mark's
               value is tested.

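       The following is an added example, not Shorewall code: it parses the
       USER/GROUP and MARK column syntaxes described above and renders the
       iptables match arguments they correspond to. The iptables flags used
       are the standard ones (-m mark / -m connmark --mark, -m owner
       --uid-owner / --gid-owner); --cmd-owner is produced only when
       explicitly allowed, because the page notes that program-name matching
       was removed from Netfilter in kernel 2.6.14. The class and function
       names are the example's own.

```python
"""Parsers for the MARK and USER/GROUP accounting columns (added example).

Parses [!]value[/mask][:C] and [!][user][:group][+program] as the man page
defines them and renders the equivalent iptables match arguments. The flags
are the standard -m mark / -m connmark --mark and -m owner --uid-owner /
--gid-owner; --cmd-owner is emitted only on request, since the page notes
that program matching left the kernel in 2.6.14.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

MARK_RE = re.compile(r"^(?P<neg>!)?(?P<value>0x[0-9a-fA-F]+|\d+)"
                     r"(?:/(?P<mask>0x[0-9a-fA-F]+|\d+))?(?P<conn>:C)?$")
OWNER_RE = re.compile(r"^(?P<neg>!)?(?P<user>[\w.-]+)?(?::(?P<group>[\w.-]+))?"
                      r"(?:\+(?P<prog>[\w.-]+))?$")


def _num(s: str) -> int:
    """Accept decimal or 0x-prefixed hexadecimal mark values and masks."""
    return int(s, 16) if s.lower().startswith("0x") else int(s)


@dataclass
class MarkTest:
    negate: bool
    value: int
    mask: Optional[int]
    connmark: bool            # :C given -> test the connection mark, not the packet mark

    def iptables_args(self) -> List[str]:
        spec = f"{self.value:#x}"
        if self.mask is not None:
            spec += f"/{self.mask:#x}"
        match = "connmark" if self.connmark else "mark"
        return ["-m", match] + (["!"] if self.negate else []) + ["--mark", spec]


@dataclass
class OwnerTest:
    negate: bool
    user: Optional[str]
    group: Optional[str]
    program: Optional[str]

    def iptables_args(self, allow_program: bool = False) -> List[str]:
        if self.program and not allow_program:
            raise ValueError("+program matching was removed from Netfilter in kernel 2.6.14")
        neg = ["!"] if self.negate else []       # "!" negates each owner test given
        args = ["-m", "owner"]
        if self.user:
            args += neg + ["--uid-owner", self.user]
        if self.group:
            args += neg + ["--gid-owner", self.group]
        if self.program:
            args += neg + ["--cmd-owner", self.program]
        return args


def parse_mark(col: str) -> Optional[MarkTest]:
    """'-' means no mark test; otherwise the column must match [!]value[/mask][:C]."""
    if col == "-":
        return None
    m = MARK_RE.match(col)
    if not m:
        raise ValueError(f"bad MARK column: {col!r}")
    return MarkTest(bool(m["neg"]), _num(m["value"]),
                    _num(m["mask"]) if m["mask"] else None, bool(m["conn"]))


def parse_owner(col: str, chain: str = "OUTPUT") -> Optional[OwnerTest]:
    """USER/GROUP may only be non-empty when the CHAIN is OUTPUT (per the man page)."""
    if col == "-":
        return None
    if chain != "OUTPUT":
        raise ValueError("USER/GROUP column requires CHAIN OUTPUT")
    m = OWNER_RE.match(col)
    if not m or not (m["user"] or m["group"] or m["prog"]):
        raise ValueError(f"bad USER/GROUP column: {col!r}")
    return OwnerTest(bool(m["neg"]), m["user"], m["group"], m["prog"])


def column_matches(mark_col: str, owner_col: str, chain: str = "OUTPUT",
                   allow_program: bool = False) -> List[str]:
    """Render the MARK and USER/GROUP columns of one entry as iptables match arguments."""
    args: List[str] = []
    mark = parse_mark(mark_col)
    if mark:
        args += mark.iptables_args()
    owner = parse_owner(owner_col, chain)
    if owner:
        args += owner.iptables_args(allow_program)
    return args


if __name__ == "__main__":
    # Constructed inputs, using the syntax forms the man page lists.
    for mark_col, owner_col in [("!0x1/0xff:C", "-"), ("2", "joe"), ("-", "!:kids")]:
        print(mark_col, owner_col, "->", " ".join(column_matches(mark_col, owner_col)))
```

       Values are printed in hexadecimal because that is how iptables lists
       marks back; a "+program" entry is rejected unless allow_program=True,
       mirroring the Important note above.
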
       IPSEC - option-list (Optional - Added in Shorewall 4.4.13)
           The option-list consists of a comma-separated list of options from
           the following list. Only packets that will be encrypted or have
           been decrypted via an SA that matches these options will have
           their source address changed.

           reqid=number
               where number is specified using setkey(8) using the
               'unique:number' option for the SPD level.

           spi=<number>
               where number is the SPI of the SA used to encrypt/decrypt
               packets.

           proto=ah|esp|ipcomp
               IPSEC Encapsulation Protocol

           mss=number
               sets the MSS field in TCP packets

           mode=transport|tunnel
               IPSEC mode

           tunnel-src=address[/mask]
               only available with mode=tunnel

           tunnel-dst=address[/mask]
               only available with mode=tunnel

           strict
               Means that packets must match all rules.

           next
               Separates rules; can only be used with strict

           yes or ipsec
               When used by itself, causes all traffic that will be
               encrypted/encapsulated or has been decrypted/un-encapsulated to
               match the rule.

           no or none
               When used by itself, causes all traffic that will not be
               encrypted/encapsulated or has been decrypted/un-encapsulated to
               match the rule.

           If this column is non-empty, then:

           ·   A chain name appearing in the ACTION column must be a chain
               branched either directly or indirectly from the accountin or
               accountout chain.

           ·   The CHAIN column must contain either accountin or accountout or
               a chain branched either directly or indirectly from those
               chains.

           These rules will NOT appear in the accounting chain.

       In all of the above columns except ACTION and CHAIN, the values -, any
       and all may be used as wildcards. Omitted trailing columns are also
       treated as wildcards.


FILES

       /etc/shorewall/accounting


SEE ALSO

       http://shorewall.net/Accounting.html[3]

       http://shorewall.net/shorewall_logging.html

       shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
       shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
       shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
       shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
       shorewall-providers(5), shorewall-proxyarp(5),
       shorewall-route_rules(5), shorewall-routestopped(5),
       shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
       shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
       shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)


NOTES

        1. rules file
           http://www.shorewall.net/manpages/shorewall-rules.html

        2. xtables-addons
           http://xtables-addons.sourceforge.net/

        3. http://shorewall.net/Accounting.html
           http://shorewall.net/Accounting.html



[FIXME: source]                   09/16/2011            SHOREWALL-ACCOUNTIN(5)