SHOREWALL6-ACCOUNTI(5) [FIXME: manual] SHOREWALL6-ACCOUNTI(5)

NAME
       accounting - Shorewall6 Accounting file

SYNOPSIS
       /etc/shorewall6/accounting

DESCRIPTION
       Accounting rules exist simply to count packets and bytes in categories
       that you define in this file. You may display these rules and their
       packet and byte counters using the shorewall6 show accounting command.

       Beginning with Shorewall 4.4.18, the accounting structure can be
       created with three root chains:

       ·   accountin: Rules that are valid in the INPUT chain (may not specify
           an output interface).

       ·   accountout: Rules that are valid in the OUTPUT chain (may not
           specify an input interface or a MAC address).

       ·   accounting: Other rules.

       The new structure is enabled by sectioning the accounting file in a
       manner similar to the rules file[1]. The sections are INPUT, OUTPUT and
       FORWARD and must appear in that order (although any of them may be
       omitted). The first non-commentary record in the accounting file must
       be a section header when sectioning is used.

       Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was added
       to shorewall.conf and shorewall6.conf. That setting determines the
       Netfilter table (filter or mangle) where the accounting rules are
       added. When ACCOUNTING_TABLE=mangle is specified, the available
       sections are PREROUTING, INPUT, OUTPUT, FORWARD and POSTROUTING.

       Section headers have the form:

           SECTION section-name

       When sections are enabled:

       ·   A jump to a user-defined accounting chain must appear before any
           entry that adds rules to that chain. This eliminates loops and
           unreferenced chains.

       ·   An output interface may not be specified in the PREROUTING and
           INPUT sections.

       ·   In the OUTPUT and POSTROUTING sections:

           ·   An input interface may not be specified.

           ·   Jumps to a chain defined in the INPUT or PREROUTING sections
               that specifies an input interface are prohibited.

           ·   MAC addresses may not be used.

           ·   Jumps to a chain defined in the INPUT or PREROUTING sections
               that specifies a MAC address are prohibited.

       ·   The default value of the CHAIN column is:

           ·   accountin in the INPUT section

           ·   accountout in the OUTPUT section

           ·   accountfwd in the FORWARD section

           ·   accountpre in the PREROUTING section

           ·   accountpost in the POSTROUTING section

       ·   Traffic addressed to the firewall goes through the rules defined in
           the INPUT section.

       ·   Traffic originating on the firewall goes through the rules defined
           in the OUTPUT section.

       ·   Traffic being forwarded through the firewall goes through the rules
           from the FORWARD section.

       The columns in the file are as follows.

       ACTION - {COUNT|DONE|chain[:{COUNT|JUMP}]|NFLOG[(nflog-parameters)]|COMMENT comment}
           What to do when a matching packet is found.

           COUNT
               Simply count the match and continue with the next rule.

           DONE
               Count the match and don't attempt to match any other accounting
               rules in the chain specified in the CHAIN column.

           chain[:COUNT]
               Where chain is the name of a chain; shorewall6 will create the
               chain automatically if it doesn't already exist. Causes a jump
               to that chain to be added to the chain specified in the CHAIN
               column. If :COUNT is included, a counting rule matching this
               entry will also be added to chain. The chain name may not
               exceed 29 characters in length and may be composed of letters,
               digits, dash ('-') and underscore ('_').

           chain:JUMP
               Like the previous option without the :COUNT part: only the jump
               is added, no counting rule.

           NFLOG[(nflog-parameters)] - Added in Shorewall 4.4.20.
               Causes each matching packet to be sent via the currently loaded
               logging backend (usually nfnetlink_log) where it is available
               to accounting daemons through a netlink socket.

           COMMENT
               The remainder of the line is treated as a comment which is
               attached to subsequent rules until another COMMENT line is
               found or until the end of the file is reached. To stop adding
               comments to rules, use a line with only the word COMMENT.

       CHAIN - {-|chain}
           The name of a chain. If specified as -, the accounting chain is
           assumed (or the section's default chain, listed above, when
           sections are used). This is the chain where the accounting rule is
           added. The chain will be created if it doesn't already exist. The
           chain name may not exceed 29 characters in length.
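       The sectioning rules above together with the ACTION and CHAIN columns,
       as an added example in Python (not Shorewall's own compiler): it reads
       a small sectioned accounting file, enforces the section order, the
       per-section default chain, the interface and MAC restrictions and the
       jump-before-use rule, and prints the ip6tables commands the entries
       amount to. The accounting text, the interface names eth0 and eth1, the
       ~MAC notation and the exact command text are assumptions made for the
       example; DONE is rendered as -j RETURN, and nflog-parameters are not
       translated.

```python
# Added example (Python), not Shorewall's own compiler: check a sectioned
# accounting file against the section rules and emit ip6tables commands.
import re
import shlex

SECTIONS = ("PREROUTING", "INPUT", "OUTPUT", "FORWARD", "POSTROUTING")
DEFAULT_CHAIN = {"PREROUTING": "accountpre", "INPUT": "accountin", "OUTPUT": "accountout",
                 "FORWARD": "accountfwd", "POSTROUTING": "accountpost"}
IN_SIDE, OUT_SIDE = {"PREROUTING", "INPUT"}, {"OUTPUT", "POSTROUTING"}
PORT_PROTOS = {"tcp", "6", "udp", "17", "dccp", "33", "sctp", "132", "udplite", "136"}
INTERFACES = {"eth0", "eth1"}   # constructed; shorewall6 reads these from its interfaces file
WILD = {"-", "any", "all"}


def endpoint(col, if_flag, addr_flag):
    """SOURCE/DESTINATION column -> (ip6tables args, True if it names an interface or MAC)."""
    if col in WILD:
        return [], False
    if col.startswith("~"):                          # assumed MAC notation ~xx-xx-xx-xx-xx-xx
        return ["-m", "mac", "--mac-source", col[1:].replace("-", ":")], True
    iface, _, addr = col.partition(":")
    if iface in INTERFACES:
        return [if_flag, iface] + ([addr_flag, addr] if addr else []), True
    return [addr_flag, col], False                   # bare host or network address


def compile_accounting(text, table="filter"):
    allowed = SECTIONS if table == "mangle" else SECTIONS[1:4]
    cmds, section, chains, comment = [], None, {}, []   # chains: name -> [section, matches -i/MAC]
    for n, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()
        if not cols:
            continue
        if cols[0] == "SECTION":
            if cols[1] not in allowed or (section and SECTIONS.index(cols[1]) <= SECTIONS.index(section)):
                raise ValueError(f"line {n}: section {cols[1]} not allowed here (order is {allowed})")
            section = cols[1]
            continue
        if section is None:
            raise ValueError(f"line {n}: the first record must be a SECTION header")
        if cols[0] == "COMMENT":                     # a bare COMMENT stops attaching comments
            comment = ["-m", "comment", "--comment", " ".join(cols[1:])] if cols[1:] else []
            continue
        cols += ["-"] * (7 - len(cols))              # omitted trailing columns are wildcards
        action, chain, src, dst, proto, dport, sport = cols[:7]
        chain = DEFAULT_CHAIN[section] if chain == "-" else chain
        sargs, s_in = endpoint(src, "-i", "-s")
        dargs, d_out = endpoint(dst, "-o", "-d")
        if (section in IN_SIDE and d_out) or (section in OUT_SIDE and s_in):
            raise ValueError(f"line {n}: that interface or MAC is not allowed in the {section} section")
        matches = sargs + dargs + ([] if proto in WILD else ["-p", proto])
        for flag, ports in (("--dport", dport), ("--sport", sport)):
            if ports not in WILD:
                if proto.lower() not in PORT_PROTOS:
                    raise ValueError(f"line {n}: ports need tcp, udp, dccp, sctp or udplite")
                matches += ["-m", "multiport", flag + "s", ports] if "," in ports else [flag, ports]
        matches += comment
        if chain in chains:
            chains[chain][1] |= s_in                 # the user chain now matches on -i or a MAC
        elif chain not in DEFAULT_CHAIN.values():
            raise ValueError(f"line {n}: a jump to {chain} must precede rules added to it")
        rule = ["ip6tables", "-t", table, "-A", chain] + matches
        target, _, mode = action.partition(":")
        if target == "COUNT":
            cmds.append(rule)
        elif target == "DONE":                       # count, then stop matching in this chain
            cmds.append(rule + ["-j", "RETURN"])
        elif target.startswith("NFLOG"):             # nflog-parameters are not translated here
            cmds.append(rule + ["-j", "NFLOG"])
        elif re.fullmatch(r"[A-Za-z0-9_-]{1,29}", target) and mode in ("", "JUMP", "COUNT"):
            if target not in chains:                 # the first jump creates the user chain
                chains[target] = [section, False]
                cmds.append(["ip6tables", "-t", table, "-N", target])
            elif section in OUT_SIDE and chains[target][0] in IN_SIDE and chains[target][1]:
                raise ValueError(f"line {n}: {target} matches on an input interface or MAC")
            cmds.append(rule + ["-j", target])
            if mode == "COUNT":                      # chain:COUNT also adds a counting rule
                chains[target][1] |= s_in
                cmds.append(["ip6tables", "-t", table, "-A", target] + matches)
        else:
            raise ValueError(f"line {n}: bad ACTION {action!r}")
    return [shlex.join(c) for c in cmds]


def rejects(text, table="filter"):
    try:
        compile_accounting(text, table)
        return False
    except ValueError:
        return True


ACCOUNTING = """\
SECTION INPUT
COMMENT ssh-in
sshin:COUNT  -       eth0   -              tcp   22
COMMENT
DONE         sshin   2001:db8:1::/64
SECTION OUTPUT
COUNT        -       -      2001:db8::53   udp   53
SECTION FORWARD
COUNT        -       eth0   eth1
"""
```

       Calling compile_accounting(ACCOUNTING) yields six commands: the -N that
       creates sshin, the jump from accountin together with the matching
       counting rule inside sshin (chain:COUNT), the DONE rule as -j RETURN,
       and the accountout and accountfwd counters. A file that adds rules to
       a chain before jumping to it, names an output interface in the INPUT
       section, or opens with PREROUTING while ACCOUNTING_TABLE is filter
       raises instead, which is what rejects() reports.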

       SOURCE - {-|any|all|interface|interface:[address]|address}
           Packet Source.

           The name of an interface, an address (host or net) or an interface
           name followed by ":" and a host or net address.

       DESTINATION - {-|any|all|interface|interface:[address]|address}
           Packet Destination.

           Format same as SOURCE column.

       PROTOCOL - {-|any|all|protocol-name|protocol-number|ipp2p[:{udp|all}]}
           A protocol-name (from protocols(5)), a protocol-number, ipp2p,
           ipp2p:udp or ipp2p:all.

       DEST PORT(S) -
       {-|any|all|ipp2p-option|port-name-or-number[,port-name-or-number]...}
           Destination Port number. Service name from services(5) or port
           number. May only be specified if the protocol is TCP (6), UDP (17),
           DCCP (33), SCTP (132) or UDPLITE (136).

           You may place a comma-separated list of port names or numbers in
           this column if your kernel and ip6tables include multiport match
           support.

           If the PROTOCOL is ipp2p then this column must contain an
           ipp2p-option ("ip6tables -m ipp2p --help") without the leading
           "--". If no option is given in this column, ipp2p is assumed.

       SOURCE PORT(S) -
       {-|any|all|port-name-or-number[,port-name-or-number]...}
           Service name from services(5) or port number. May only be specified
           if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or
           UDPLITE (136).

           You may place a comma-separated list of port numbers in this column
           if your kernel and ip6tables include multiport match support.

       USER/GROUP -
       [!][user-name-or-number][:group-name-or-number][+program-name]
           This column may only be non-empty if the CHAIN is OUTPUT, i.e. the
           rule is added in the OUTPUT section (default chain accountout):
           the Netfilter owner match only exists for locally generated
           packets.

           When this column is non-empty, the rule applies only if the program
           generating the output is running under the effective user and/or
           group specified (or is NOT running under that id if "!" is given).

           Examples:

           joe
               program must be run by joe

           :kids
               program must be run by a member of the 'kids' group

           !:kids
               program must not be run by a member of the 'kids' group

           +upnpd
               program named upnpd

           Important
               The ability to specify a program name was removed from
               Netfilter in kernel version 2.6.14.

       MARK - [!]value[/mask][:C]
           Defines a test on the existing packet or connection mark. The rule
           will match only if the test returns true.

           If you don't want to define a test but need to specify anything in
           the following columns, place a "-" in this field.

           !
               Inverts the test (not equal)

           value
               Value of the packet or connection mark.

           mask
               A mask to be applied to the mark before testing.

           :C
               Designates a connection mark. If omitted, the packet mark's
               value is tested.

       IPSEC - option-list (Optional - Added in Shorewall 4.4.13)
           The option-list consists of a comma-separated list of options from
           the following list. Only packets that will be encrypted or have
           been decrypted via an SA that matches these options will match the
           rule.

           reqid=number
               where number is specified using setkey(8) using the
               'unique:number' option for the SPD level.

           spi=<number>
               where number is the SPI of the SA used to encrypt/decrypt
               packets.

           proto=ah|esp|ipcomp
               IPSEC Encapsulation Protocol

           mss=number
               sets the MSS field in TCP packets

           mode=transport|tunnel
               IPSEC mode

           tunnel-src=address[/mask]
               only available with mode=tunnel

           tunnel-dst=address[/mask]
               only available with mode=tunnel

           strict
               Means that packets must match all rules.

           next
               Separates rules; can only be used with strict

           yes or ipsec
               When used by itself, causes all traffic that will be
               encrypted/encapsulated or has been decrypted/un-encapsulated to
               match the rule.

           no or none
               When used by itself, causes all traffic that will not be
               encrypted/encapsulated and has not been decrypted/un-encapsulated
               to match the rule.

           If this column is non-empty, then:

           ·   A chain name appearing in the ACTION column must be a chain
               branched either directly or indirectly from the accountin or
               accountout chain.

           ·   The CHAIN column must contain either accountin or accountout or
               a chain branched either directly or indirectly from those
               chains.

           These rules will NOT appear in the accounting chain.

       HEADERS - [!][any:|exactly:]header-list (Optional - Added in Shorewall
       4.4.15)
           The header-list consists of a comma-separated list of headers from
           the following list.

           auth, ah, or 51
               Authentication Header extension header.

           esp, or 50
               Encapsulating Security Payload extension header.

           hop, hop-by-hop or 0
               Hop-by-hop options extension header.

           route, ipv6-route or 43
               IPv6 Routing extension header.

           frag, ipv6-frag or 44
               IPv6 fragmentation extension header.

           none, ipv6-nonxt or 59
               No next header

           proto, protocol or 255
               Any protocol header.

           If any: is specified, the rule will match if any of the listed
           headers are present. If exactly: is specified, the rule will match
           only packets that include exactly the specified headers (no more,
           no fewer). If neither is given, any: is assumed.

           If ! is entered, the rule will match those packets which would not
           be matched when ! is omitted.

       In all of the above columns except ACTION and CHAIN, the values -, any
       and all may be used as wildcards. Omitted trailing columns are also
       treated as wildcards.
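       The USER/GROUP, MARK, IPSEC and HEADERS columns above, as an added
       example in Python (not Shorewall's own code): each function turns one
       column value into the ip6tables match arguments it stands for (owner,
       mark/connmark, policy and ipv6header) and refuses the combinations the
       text forbids: USER/GROUP outside the OUTPUT section, +program-name,
       next without strict, tunnel-src/tunnel-dst without mode=tunnel, an
       IPSEC rule whose chain does not branch from accountin or accountout,
       and header names outside the list (the routing header is protocol 43,
       ipv6-route). The policy direction is taken from that root chain (in
       for accountin, out for accountout); mss= is left out because the
       policy match has no such option. How shorewall6 itself spells these
       arguments is an assumption.

```python
# Added example (Python), not Shorewall's own code: turn the USER/GROUP, MARK,
# IPSEC and HEADERS columns into ip6tables match arguments and enforce the
# restrictions stated for them.  Plain iptables syntax (owner, mark, connmark,
# policy, ipv6header); Shorewall's own output may differ.
import re

WILD = {"-", "any", "all"}
# ip6tables ipv6header names; the routing header is IP protocol 43 (ipv6-route).
HEADER = {"auth": "auth", "ah": "auth", "51": "auth", "esp": "esp", "50": "esp",
          "hop": "hop", "hop-by-hop": "hop", "0": "hop",
          "route": "route", "ipv6-route": "route", "43": "route",
          "frag": "frag", "ipv6-frag": "frag", "44": "frag",
          "none": "none", "ipv6-nonxt": "none", "59": "none",
          "proto": "proto", "protocol": "proto", "255": "proto"}
POLICY_OPTS = {"reqid", "spi", "proto", "mode", "tunnel-src", "tunnel-dst"}


def owner_match(col, section):
    """USER/GROUP column [!][user][:group][+program] -> owner match args."""
    if col in WILD:
        return []
    if section != "OUTPUT":                  # owner only exists for locally generated packets
        raise ValueError("USER/GROUP may only be used in the OUTPUT section")
    neg = ["!"] if col.startswith("!") else []
    user, _, group = col.lstrip("!").partition(":")
    if "+" in user or "+" in group:          # program names: removed from Netfilter in 2.6.14
        raise ValueError("+program-name matching is not supported")
    args = ["-m", "owner"]
    if user:
        args += neg + ["--uid-owner", user]
    if group:
        args += neg + ["--gid-owner", group]
    return args


def mark_match(col):
    """MARK column [!]value[/mask][:C] -> mark or connmark match args."""
    if col in WILD:
        return []
    m = re.fullmatch(r"(!?)(0x[0-9a-fA-F]+|\d+)(?:/(0x[0-9a-fA-F]+|\d+))?(:C)?", col)
    if not m:
        raise ValueError(f"bad MARK test {col!r}")
    neg, value, mask, conn = m.groups()
    args = ["-m", "connmark" if conn else "mark"] + (["!"] if neg else [])
    return args + ["--mark", value + (f"/{mask}" if mask else "")]


def ipsec_match(col, root):
    """IPSEC column -> policy match args; root is the accountin/accountout chain
    the rule's chain branches from, which fixes the policy direction."""
    if col in WILD:
        return []
    if root not in ("accountin", "accountout"):
        raise ValueError("IPSEC rules must branch from accountin or accountout")
    args = ["-m", "policy", "--dir", "in" if root == "accountin" else "out"]
    opts = col.split(",")
    if opts in (["no"], ["none"]):
        return args + ["--pol", "none"]
    args += ["--pol", "ipsec"]
    if opts in (["yes"], ["ipsec"]):
        return args
    if "next" in opts and "strict" not in opts:
        raise ValueError("next can only be used with strict")
    for opt in opts:
        key, _, val = opt.partition("=")
        if key in ("strict", "next"):
            args.append("--" + key)
        elif key in POLICY_OPTS and val:
            if key.startswith("tunnel-") and "mode=tunnel" not in opts:
                raise ValueError(f"{key} is only available with mode=tunnel")
            args += ["--" + key, val]
        else:
            raise ValueError(f"unsupported IPSEC option {opt!r}")
    return args


def headers_match(col):
    """HEADERS column [!][any:|exactly:]header-list -> ipv6header match args."""
    if col in WILD:
        return []
    neg = ["!"] if col.startswith("!") else []
    mode, _, rest = col.lstrip("!").partition(":")
    if not rest:                             # no any:/exactly: prefix means any:
        mode, rest = "any", mode
    if mode not in ("any", "exactly"):
        raise ValueError(f"bad HEADERS prefix {mode!r}")
    names = []
    for h in rest.split(","):
        if h not in HEADER:
            raise ValueError(f"unknown header {h!r}")
        names.append(HEADER[h])
    args = ["-m", "ipv6header"] + neg + ["--header", ",".join(names)]
    return args + (["--soft"] if mode == "any" else [])   # --soft: any listed header


def rejects(fn, *args):
    """True if the column translator refuses the value."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True
```

       For example, "!:kids" in the OUTPUT section becomes
       -m owner ! --gid-owner kids, "0x10/0xff:C" becomes
       -m connmark --mark 0x10/0xff, "strict,reqid=1,next,reqid=2" on a rule
       under accountin becomes -m policy --dir in --pol ipsec --strict
       --reqid 1 --next --reqid 2, and a bare "hop,frag" becomes
       -m ipv6header --header hop,frag --soft because any: is the default.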

FILES
       /etc/shorewall6/accounting

SEE ALSO
       http://shorewall.net/Accounting.html[2]

       http://shorewall.net/shorewall_logging.html

       shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
       shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
       shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
       shorewall6-route_rules(5), shorewall6-routestopped(5),
       shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
       shorewall6-tcclasses(5), shorewall6-tcdevices(5),
       shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
       shorewall6-zones(5)

NOTES
        1. rules file
           http://www.shorewall.net/manpages6/shorewall-rules.html

        2. http://shorewall.net/Accounting.html
           http://shorewall.net/Accounting.html

[FIXME: source] 09/16/2011 SHOREWALL6-ACCOUNTI(5)