SHOREWALL-ACCOUNTIN(5)           [FIXME: manual]          SHOREWALL-ACCOUNTIN(5)



NAME
       accounting - Shorewall Accounting file

SYNOPSIS
       /etc/shorewall/accounting

DESCRIPTION
       Accounting rules exist simply to count packets and bytes in categories
       that you define in this file. You may display these rules and their
       packet and byte counters using the shorewall show accounting command.

       Beginning with Shorewall 4.4.18, the accounting structure can be
       created with three root chains:

       ·   accountin: Rules that are valid in the INPUT chain (may not specify
           an output interface).

       ·   accountout: Rules that are valid in the OUTPUT chain (may not
           specify an input interface or a MAC address).

       ·   accounting: Other rules.

       The new structure is enabled by sectioning the accounting file in a
       manner similar to the rules file[1]. The sections are INPUT, OUTPUT and
       FORWARD and must appear in that order (although any of them may be
       omitted). The first non-commentary record in the accounting file must
       be a section header when sectioning is used.

       Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was added
       to shorewall.conf and shorewall6.conf. That setting determines the
       Netfilter table (filter or mangle) where the accounting rules are
       added. When ACCOUNTING_TABLE=mangle is specified, the available
       sections are PREROUTING, INPUT, OUTPUT, FORWARD and POSTROUTING.

       Section headers have the form:

           SECTION section-name

       When sections are enabled:

       ·   A jump to a user-defined accounting chain must appear before
           entries that add rules to that chain. This eliminates loops and
           unreferenced chains.

       ·   An output interface may not be specified in the PREROUTING and
           INPUT sections.

       ·   In the OUTPUT and POSTROUTING sections:

           ·   An input interface may not be specified.

           ·   Jumps to a chain defined in the INPUT or PREROUTING section
               that specifies an input interface are prohibited.

           ·   MAC addresses may not be used.

           ·   Jumps to a chain defined in the INPUT or PREROUTING section
               that specifies a MAC address are prohibited.

       ·   The default value of the CHAIN column is:

           ·   accountin in the INPUT section

           ·   accountout in the OUTPUT section

           ·   accountfwd in the FORWARD section

           ·   accountpre in the PREROUTING section

           ·   accountpost in the POSTROUTING section

       ·   Traffic addressed to the firewall goes through the rules defined in
           the INPUT section.

       ·   Traffic originating on the firewall goes through the rules defined
           in the OUTPUT section.

       ·   Traffic being forwarded through the firewall goes through the rules
           defined in the FORWARD section.

       The columns in the file are as follows.

       ACTION -
       {COUNT|DONE|chain[:{COUNT|JUMP}]|ACCOUNT(table,network)|NFLOG[(nflog-parameters)]|COMMENT
       comment}
           What to do when a matching packet is found.

           COUNT
               Simply count the match and continue with the next rule.

           DONE
               Count the match and don't attempt to match any other accounting
               rules in the chain specified in the CHAIN column.

           chain[:COUNT]
               Where chain is the name of a chain; Shorewall will create the
               chain automatically if it doesn't already exist. Causes a jump
               to that chain to be added to the chain specified in the CHAIN
               column. If :COUNT is included, a counting rule matching this
               entry will also be added to chain. The chain name may not
               exceed 29 characters in length and may be composed of letters,
               digits, dash ('-') and underscore ('_').

           chain:JUMP
               Same as chain without the :COUNT part: only the jump is added,
               no counting rule.

           ACCOUNT(table,network)
               This action implements per-IP accounting and was added in
               Shorewall 4.4.17. Requires the ACCOUNT Target capability in
               your iptables and kernel (see the output of shorewall show
               capabilities).

               table
                   is the name of an accounting table (you choose the name).
                   All rules specifying the same name will have their per-IP
                   counters accumulated in the same table.

               network
                   is an IPv4 network in CIDR notation (e.g., 192.168.1.0/24).
                   The network can be as large as a /8 (class A).

               One nice feature of per-IP accounting is that the counters
               survive shorewall restart. This has a downside, however. If you
               change the network associated with an accounting table, then
               you must shorewall stop; shorewall start to have a successful
               restart (counters will be cleared).

               The counters in a table are printed using the iptaccount
               utility. For a command synopsis, type:

                   iptaccount --help

               As of February 2011, the ACCOUNT Target capability and the
               iptaccount utility are only available when xtables-addons[2] is
               installed. See http://www.shorewall.net/Accounting.html#perIP
               for additional information.

           NFLOG[(nflog-parameters)] - Added in Shorewall 4.4.20.
               Causes each matching packet to be sent via the currently loaded
               logging backend (usually nfnetlink_log) where it is available
               to accounting daemons through a netlink socket.

           COMMENT
               The remainder of the line is treated as a comment which is
               attached to subsequent rules until another COMMENT line is
               found or until the end of the file is reached. To stop adding
               comments to rules, use a line with only the word COMMENT.

       CHAIN - {-|chain}
           The name of a chain. This is the chain where the accounting rule is
           added. If specified as -, the accounting chain is assumed (or, when
           the file is sectioned, the default chain for the current section as
           listed above). The chain will be created if it doesn't already
           exist. The chain name may not exceed 29 characters in length.

       SOURCE - {-|any|all|interface|interface:address|address}
           Packet Source.

           The name of an interface, an address (host or net) or an interface
           name followed by ":" and a host or net address.

       DESTINATION - {-|any|all|interface|interface:address|address}
           Packet Destination.

           Format same as SOURCE column.

       PROTOCOL - {-|any|all|protocol-name|protocol-number|ipp2p[:{udp|all}]}
           A protocol-name (from protocols(5)), a protocol-number, ipp2p,
           ipp2p:udp or ipp2p:all.

       DEST PORT(S) -
       {-|any|all|ipp2p-option|port-name-or-number[,port-name-or-number]...}
           Destination Port number. Service name from services(5) or port
           number. May only be specified if the protocol is TCP (6), UDP (17),
           DCCP (33), SCTP (132) or UDPLITE (136).

           You may place a comma-separated list of port names or numbers in
           this column if your kernel and iptables include multiport match
           support.

           If the PROTOCOL is ipp2p then this column must contain an
           ipp2p-option ("iptables -m ipp2p --help") without the leading "--".
           If no option is given in this column, ipp2p is assumed.

       SOURCE PORT(S) -
       {-|any|all|port-name-or-number[,port-name-or-number]...}
           Service name from services(5) or port number. May only be specified
           if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or
           UDPLITE (136).

           You may place a comma-separated list of port numbers in this column
           if your kernel and iptables include multiport match support.

       USER/GROUP -
       [!][user-name-or-number][:group-name-or-number][+program-name]
           This column may only be non-empty for rules that are added to the
           OUTPUT chain (the OUTPUT section when the file is sectioned), since
           the owner of a packet is only known for traffic originating on the
           firewall.

           When this column is non-empty, the rule applies only if the program
           generating the output is running under the effective user and/or
           group specified (or is NOT running under that id if "!" is given).

           Examples:

           joe
               program must be run by joe

           :kids
               program must be run by a member of the 'kids' group

           !:kids
               program must not be run by a member of the 'kids' group

           +upnpd
               program must be named upnpd

           Important
               The ability to specify a program name was removed from
               Netfilter in kernel version 2.6.14, so the +program-name form
               only works on older kernels.

       MARK - [!]value[/mask][:C]
           Defines a test on the existing packet or connection mark. The rule
           will match only if the test returns true.

           If you don't want to define a test but need to specify anything in
           the following columns, place a "-" in this field.

           !
               Inverts the test (not equal)

           value
               Value of the packet or connection mark.

           mask
               A mask to be applied to the mark before testing.

           :C
               Designates a connection mark. If omitted, the packet mark's
               value is tested.

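       The USER/GROUP and MARK columns above each carry a small grammar of
       their own. The Python helpers below are an added illustration, not
       part of Shorewall's compiler: they turn a value from each column into
       the iptables match fragment that the grammar describes (-m owner for
       USER/GROUP, -m mark or -m connmark for MARK). Two choices are this
       example's own assumptions and not behaviour documented on this page: a
       leading "!" is applied to both the user and the group of a combined
       user:group value, and +program-name is refused outright because the
       kernel no longer supports it.

```python
import re

def owner_match(spec):
    """USER/GROUP column -> iptables owner-match fragment.

    Grammar: [!][user-name-or-number][:group-name-or-number][+program-name]
    Returns '' for an empty or wildcard column.  Assumption: the target
    kernel is >= 2.6.14, so +program-name (cmd-owner) is rejected.
    """
    if spec in ("", "-"):
        return ""
    negate = spec.startswith("!")
    body = spec[1:] if negate else spec
    if "+" in body:
        raise ValueError("+program-name (cmd-owner) is not supported on this kernel")
    user, _, group = body.partition(":")
    bang = "! " if negate else ""
    parts = []
    if user:
        parts.append(f"{bang}--uid-owner {user}")
    if group:
        parts.append(f"{bang}--gid-owner {group}")   # assumption: '!' applies to both parts
    if not parts:
        raise ValueError(f"empty owner specification {spec!r}")
    return "-m owner " + " ".join(parts)

# [!]value[/mask][:C]; value and mask may be decimal or 0x-prefixed hex
_MARK_RE = re.compile(r"^(!?)(0x[0-9a-fA-F]+|\d+)(?:/(0x[0-9a-fA-F]+|\d+))?(:C)?$")

def mark_match(spec):
    """MARK column -> '-m mark' (packet mark) or '-m connmark' (:C) fragment."""
    if spec in ("", "-"):
        return ""
    m = _MARK_RE.match(spec)
    if not m:
        raise ValueError(f"bad MARK specification {spec!r}")
    bang, value, mask, conn = m.groups()
    module = "connmark" if conn else "mark"
    test = value + (f"/{mask}" if mask else "")
    return f"-m {module} {'! ' if bang else ''}--mark {test}"

if __name__ == "__main__":
    for spec in ("joe", ":kids", "!:kids", "joe:kids"):
        print(f"{spec:10} -> {owner_match(spec)}")
    for spec in ("2", "!0x1/0xff:C", "0x100/0xff00"):
        print(f"{spec:14} -> {mark_match(spec)}")
```

       The three USER/GROUP examples from the text map to --uid-owner joe,
       --gid-owner kids and ! --gid-owner kids respectively; a MARK value with
       :C selects the connmark module, everything else tests the packet mark.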
       IPSEC - option-list (Optional - Added in Shorewall 4.4.13)
           The option-list consists of a comma-separated list of options from
           the following list. Only packets that will be encrypted or have
           been decrypted via an SA that matches these options will match the
           rule.

           reqid=number
               where number is specified using setkey(8) using the
               'unique:number' option for the SPD level.

           spi=<number>
               where number is the SPI of the SA used to encrypt/decrypt
               packets.

           proto=ah|esp|ipcomp
               IPSEC Encapsulation Protocol

           mss=number
               sets the MSS field in TCP packets

           mode=transport|tunnel
               IPSEC mode

           tunnel-src=address[/mask]
               only available with mode=tunnel

           tunnel-dst=address[/mask]
               only available with mode=tunnel

           strict
               Means that packets must match all rules.

           next
               Separates rules; can only be used with strict

           yes or ipsec
               When used by itself, causes all traffic that will be
               encrypted/encapsulated or has been decrypted/unencapsulated to
               match the rule.

           no or none
               When used by itself, causes all traffic that will not be
               encrypted/encapsulated and has not been decrypted/unencapsulated
               to match the rule.

           If this column is non-empty, then:

           ·   A chain name appearing in the ACTION column must be a chain
               branched either directly or indirectly from the accountin or
               accountout chain.

           ·   The CHAIN column must contain either accountin or accountout or
               a chain branched either directly or indirectly from those
               chains.

           These rules will NOT appear in the accounting chain.

       In all of the above columns except ACTION and CHAIN, the values -, any
       and all may be used as wildcards. Omitted trailing columns are also
       treated as wildcards.
304
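       To tie the section rules ("When sections are enabled" above) and the
       column grammar together, the following Python example, added here and
       not Shorewall's own compiler, parses a constructed, sectioned
       accounting file for ACCOUNTING_TABLE=filter, enforces the section
       restrictions, and emits the iptables rules each entry corresponds to.
       The translation approximates what Shorewall generates: COUNT becomes a
       rule with no target, DONE becomes -j RETURN, chain[:COUNT] becomes -j
       chain (plus a counting rule inside chain), ACCOUNT(table,network)
       becomes the xtables-addons target -j ACCOUNT --addr network --tname
       table, and each root chain is created and jumped to from its built-in
       chain. The interfaces, addresses and chain names in SAMPLE and BAD are
       made up; guessing interface-versus-address from a token's shape (IPv4
       only), ignoring the USER/GROUP, MARK and IPSEC columns, placing the
       root-chain jump first in the built-in chain, and recognising MAC
       addresses by Shorewall's leading "~" are all this example's
       assumptions.

```python
import re

# Constructed sample accounting file (made-up interfaces, hosts, chains).
SAMPLE = """\
# eth0 = internet, eth1 = LAN; filter table, sectioned
SECTION INPUT
COUNT        -    eth0
DONE         -    eth0:192.168.1.0/24  -     tcp   22
SECTION OUTPUT
COUNT        -    -                    eth0
SECTION FORWARD
web          -    eth1                 eth0  tcp   80,443
web:COUNT    -    eth1:192.168.1.10    eth0
ACCOUNT(lan,192.168.1.0/24)  -  eth1
"""

# Constructed file that violates two of the section rules.
BAD = """\
SECTION INPUT
COUNT   -     eth0   eth1        # output interface in INPUT section
COUNT   web   eth0               # rule added to 'web' before any jump to it
"""

SECTIONS = ("INPUT", "OUTPUT", "FORWARD")          # order for ACCOUNTING_TABLE=filter
ROOT = {"INPUT": "accountin", "OUTPUT": "accountout", "FORWARD": "accountfwd"}
PORT_PROTOS = {"tcp", "udp", "dccp", "sctp", "udplite", "6", "17", "33", "132", "136"}
CHAIN_RE = re.compile(r"^[A-Za-z0-9_-]{1,29}$")    # name rules from the CHAIN column
WILD = {"-", "any", "all"}

def split_endpoint(field):
    """SOURCE/DESTINATION -> (interface, address). Assumption: a dotted
    IPv4 host/net is an address, any other bare token is an interface."""
    if field in WILD:
        return None, None
    if ":" in field:
        return tuple(field.split(":", 1))
    if re.match(r"^\d+\.\d+\.\d+\.\d+(/\d+)?$", field):
        return None, field
    return field, None

def compile_accounting(text):
    """Return (rules, errors): iptables commands and section-rule violations."""
    rules, errors, defined, section = [], [], set(), None
    for lineno, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()
        if not cols:
            continue
        if cols[0] == "SECTION":
            name = cols[1] if len(cols) > 1 else ""
            if name not in SECTIONS or (section and SECTIONS.index(name) <= SECTIONS.index(section)):
                errors.append(f"line {lineno}: bad or out-of-order section {name!r}")
            else:
                section = name
                rules.append(f"iptables -N {ROOT[name]}")
                rules.append(f"iptables -I {name} -j {ROOT[name]}")   # assumed: jump goes first
            continue
        if section is None:
            errors.append(f"line {lineno}: first record must be a SECTION header")
            return rules, errors
        cols += ["-"] * (7 - len(cols))               # omitted trailing columns are wildcards
        action, chain, src, dst, proto, dport, sport = cols[:7]   # later columns ignored here
        chain = ROOT[section] if chain == "-" else chain
        if chain not in ROOT.values() and chain not in defined:
            errors.append(f"line {lineno}: rule added to {chain!r} before a jump to it")
        sif, saddr = split_endpoint(src)
        dif, daddr = split_endpoint(dst)
        if section == "INPUT" and dif:
            errors.append(f"line {lineno}: output interface not allowed in INPUT section")
        if section == "OUTPUT" and (sif or src.startswith("~")):   # '~' prefix = MAC address
            errors.append(f"line {lineno}: input interface/MAC not allowed in OUTPUT section")
        if (dport not in WILD or sport not in WILD) and proto.lower() not in PORT_PROTOS:
            errors.append(f"line {lineno}: ports need tcp/udp/dccp/sctp/udplite")
        crit = ""
        for flag, val in (("-i", sif), ("-s", saddr), ("-o", dif), ("-d", daddr)):
            crit += f" {flag} {val}" if val else ""
        crit += f" -p {proto}" if proto not in WILD else ""
        for flag, ports in (("--dport", dport), ("--sport", sport)):
            if ports not in WILD:   # comma list needs the multiport match
                crit += f" -m multiport {flag}s {ports}" if "," in ports else f" {flag} {ports}"
        acct = re.match(r"^ACCOUNT\(([^,]+),([^)]+)\)$", action)
        if action == "COUNT":
            target = ""                                # counter only; continue with next rule
        elif action == "DONE":
            target = " -j RETURN"                      # count, then stop matching in this chain
        elif action.startswith("NFLOG"):
            target = " -j NFLOG"
        elif acct:
            target = f" -j ACCOUNT --addr {acct.group(2)} --tname {acct.group(1)}"  # xtables-addons
        else:
            name, _, mode = action.partition(":")
            if not CHAIN_RE.match(name):
                errors.append(f"line {lineno}: bad chain name {name!r}")
                continue
            if name not in defined:                    # create the user chain on first reference
                defined.add(name)
                rules.append(f"iptables -N {name}")
            if mode == "COUNT":                        # chain:COUNT also counts inside the chain
                rules.append(f"iptables -A {name}{crit}")
            target = f" -j {name}"
        rules.append(f"iptables -A {chain}{crit}{target}")
    return rules, errors

if __name__ == "__main__":
    for text in (SAMPLE, BAD):
        rules, errors = compile_accounting(text)
        print("\n".join(rules + errors), end="\n\n")
```

       Running it prints the 14 rules for SAMPLE with no errors, and for BAD
       reports the output interface in the INPUT section and the rule added
       to web before any jump to it, which is exactly the pair of mistakes
       Shorewall's sectioning rules are meant to catch.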
FILES
       /etc/shorewall/accounting

SEE ALSO
       http://shorewall.net/Accounting.html[3]

       http://shorewall.net/shorewall_logging.html

       shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
       shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
       shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
       shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
       shorewall-providers(5), shorewall-proxyarp(5),
       shorewall-route_rules(5), shorewall-routestopped(5),
       shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
       shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
       shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)

NOTES
        1. rules file
           http://www.shorewall.net/manpages/shorewall-rules.html

        2. xtables-addons
           http://xtables-addons.sourceforge.net/

        3. http://shorewall.net/Accounting.html
           http://shorewall.net/Accounting.html



[FIXME: source]                   09/16/2011            SHOREWALL-ACCOUNTIN(5)