1SHOREWALL-ACCOUNTIN(5) Configuration Files SHOREWALL-ACCOUNTIN(5)
2
6 accounting - Shorewall Accounting file
7
9 /etc/shorewall[6]/accounting
10
12 Accounting rules exist simply to count packets and bytes in categories
13 that you define in this file. You may display these rules and their
14 packet and byte counters using the shorewall show accounting command.
15 Beginning with Shorewall 4.4.18, the accounting structure can be
17 created with three root chains:
18 · accountin: Rules that are valid in the INPUT chain (may not specify
20 an output interface).
21 · accountout: Rules that are valid in the OUTPUT chain (may not
23 specify an input interface or a MAC address).
24 · accounting: Other rules.
26 The new structure is enabled by sectioning the accounting file in a
28 manner similar to the rules file[1]. The sections are INPUT, OUTPUT and
29 FORWARD and must appear in that order (although any of them may be
30 omitted). The first non-commentary record in the accounting file must
31 be a section header when sectioning is used.
32 Warning
34 If sections are not used, the Shorewall rules compiler cannot
35 detect certain violations of netfilter restrictions. These
36 violations can result in run-time errors such as the following:
37 iptables-restore v1.4.13: Can't use -o with INPUT
39 Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was added
41 to shorewall.conf and shorewall6.conf. That setting determines the
42 Netfilter table (filter or mangle) where the accounting rules are
43 added. When ACCOUNTING_TABLE=mangle is specified, the available
44 sections are PREROUTING, INPUT, OUTPUT, FORWARD and POSTROUTING.
45 Section headers have the form:
47 ?SECTION section-name
49 When sections are enabled:
51 · A jump to a user-defined accounting chain must appear before
53 entries that add rules to that chain. This eliminates loops and
54 unreferenced chains.
55 · An output interface may not be specified in the PREROUTING and
57 INPUT sections.
58 · In the OUTPUT and POSTROUTING sections:
60 · An input interface may not be specified
62 · Jumps to a chain defined in the INPUT or PREROUTING sections
64 that specifies an input interface are prohibited
65 · MAC addresses may not be used
67 · Jump to a chain defined in the INPUT or PREROUTING section that
69 specifies a MAC address are prohibited.
70 · The default value of the CHAIN column is:
72 · accountin in the INPUT section
74 · accountout in the OUTPUT section
76 · accountfwd in the FORWARD section
78 · accountpre in the PREROUTING section
80 · accountpost in the POSTROUTING section
82 · Traffic addressed to the firewall goes through the rules defined in
84 the INPUT section.
85 · Traffic originating on the firewall goes through the rules defined
87 in the OUTPUT section.
88 · Traffic being forwarded through the firewall goes through the rules
90 from the FORWARD sections.
91 The columns in the file are as follows (where the column name is
93 followed by a different name in parentheses, the different name is used
94 in the alternate specification syntax):
95 ACTION -
97 {COUNT|DONE|chain[:{COUNT|JUMP}]|ACCOUNT(table,network)|[?]COMMENT
98 comment}
99 What to do when a matching packet is found.
100 COUNT
102 Simply count the match and continue with the next rule
103 DONE
105 Count the match and don't attempt to match any other accounting
106 rules in the chain specified in the CHAIN column.
107 chain[:COUNT]
109 Where chain is the name of a chain; shorewall will create the
110 chain automatically if it doesn't already exist. If a second
111 chain is mentioned in the CHAIN column, then a jump from this
112 second chain to chain is created. If no chain is named in the
113 CHAIN column, then a jump from the default chain to chain is
114 created. If :COUNT is included, a counting rule matching this
115 entry will be added to chain. The chain may not exceed 29
116 characters in length and may be composed of letters, digits,
117 dash ('-') and underscore ('_').
118 chain:JUMP
120 Like the previous option without the :COUNT part.
121 ACCOUNT(table,network)
123 This action implements per-IP accounting and was added in
124 Shorewall 4.4.17. Requires the ACCOUNT Target capability in
125 your iptables and kernel (see the output of shorewall show
126 capabilities).
127 table
129 is the name of an accounting table (you choose the name).
130 All rules specifying the same name will have their per-IP
131 counters accumulated in the same table.
132 network
134 is an IPv4 network in CIDR notation (e.g., 192.168.1.0/24).
135 The network can be as large as a /8 (class A).
136 One nice feature of per-IP accounting is that the counters
138 survive shorewall restart. This has a downside, however. If you
139 change the network associated with an accounting table, then
140 you must shorewall stop; shorewall start to have a successful
141 restart (counters will be cleared).
142 The counters in a table are printed using the iptaccount
144 utility. For a command synopsis, type:
145 iptaccount --help
147 As of February 2011, the ACCOUNT Target capability and the
149 iptaccount utility are only available when xtables-addons[2] is
150 installed. See
151 http://www.shorewall.net/Accounting.html#perIP[3] for
152 additional information.
153 INLINE
155 Added in Shorewall 4.5.16. Allows free form iptables matches to
156 be specified following a ';'. In the generated iptables
157 rule(s), the free form matches will follow any matches that are
158 generated by the column contents.
159 NFACCT({object[!]}[,...])
161 Added in Shorewall 4.5.7. Provides a form of accounting that
162 survives shorewall stop/shorewall start and shorewall restart.
163 Requires the NFaccnt Match capability in your kernel and
164 iptables. object names an nfacct object (see man nfaccnt(8)).
165 Multiple rules can specify the same object; all packets that
166 match any of the rules increment the packet and bytes count of
167 the object.
168 Prior to Shorewall 4.5.16, only one object could be specified.
170 Beginning with Shorewall 4.5.16, an arbitrary number of objects
171 may be given.
172 With Shorewall 4.5.16 or later, an nfacct object in the list
174 may optionally be followed by ! to indicate that the nfacct
175 object will be incremented unconditionally for each packet.
176 When ! is omitted, the object will be incremented only if all
177 of the matches in the rule succeed.
178 NFLOG[(nflog-parameters)] - Added in Shorewall-4.4.20.
180 Causes each matching packet to be sent via the currently loaded
181 logging back-end (usually nfnetlink_log) where it is available
182 to accounting daemons through a netlink socket.
183 ?COMMENT
185 The remainder of the line is treated as a comment which is
186 attached to subsequent rules until another COMMENT line is
187 found or until the end of the file is reached. To stop adding
188 comments to rules, use a line with only the word ?COMMENT.
189 CHAIN - {-|chain}
191 The name of a chain. If specified as - the accounting chain is
192 assumed when the file is un-sectioned. When the file is sectioned,
193 the default is one of accountin, accountout, etc. depending on the
194 section. This is the chain where the accounting rule is added. The
195 chain will be created if it doesn't already exist. The chain may
196 not exceed 29 characters in length.
197 SOURCE - {-|any|all|interface|interface:address|address}
199 Packet Source.
200 The name of an interface, an address (host or net) or an interface
202 name followed by ":" and a host or net address. An ipset name is
203 also accepted as an address.
204 DEST - {-|any|all|interface|interface:address|address}
206 This column was formerly named DESTINATION.
207 Packet Destination.
209 Format same as SOURCE column.
211 PROTO -
213 {-|{any|all|protocol-name|protocol-number|ipp2p[:{udp|all}]}[,...]}
214 This column was formerly named PROTOCOL
215 A protocol-name (from protocols(5)), a protocol-number, ipp2p,
217 ipp2p:udp or ipp2p:all
218 Beginning with Shorewall 4.5.12, this column can accept a
220 comma-separated list of protocols.
221 DPORT -
223 {-|any|all|ipp2p-option|port-name-or-number[,port-name-or-number]...}
224 Destination Port number. Service name from services(5) or port
225 number. May only be specified if the protocol is TCP (6), UDP (17),
226 DCCP (33), SCTP (132) or UDPLITE (136).
227 You may place a comma-separated list of port names or numbers in
229 this column if your kernel and iptables include multi-port match
230 support.
231 If the PROTOCOL is ipp2p then this column must contain an
233 ipp2p-option ("iptables -m ipp2p --help") without the leading "--".
234 If no option is given in this column, ipp2p is assumed.
235 This column was formerly named DEST PORT(S).
237 SPORT - {-|any|all|port-name-or-number[,port-name-or-number]...}
239 Service name from services(5) or port number. May only be specified
240 if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or
241 UDPLITE (136).
242 You may place a comma-separated list of port numbers in this column
244 if your kernel and iptables include multi-port match support.
245 Beginning with Shorewall 4.5.15, you may place '=' in this column,
247 provided that the DEST PORT(S) column is non-empty. This causes the
248 rule to match when either the source port or the destination port
249 in a packet matches one of the ports specified in DPORT. Use of '='
250 requires multi-port match in your iptables and kernel.
251 This column was formerly labelled SOURCE PORT(S).
253 USER - [!][user-name-or-number][:group-name-or-number][+program-name]
255 This column was formerly named USER/GROUP and may only be non-empty
256 if the CHAIN is OUTPUT.
257 When this column is non-empty, the rule applies only if the program
259 generating the output is running under the effective user and/or
260 group specified (or is NOT running under that id if "!" is given).
261 Examples:
263 joe
265 program must be run by joe
266 :kids
268 program must be run by a member of the 'kids' group
269 !:kids
271 program must not be run by a member of the 'kids' group
272 +upnpd
274 #program named upnpd
275 Important
277 The ability to specify a program name was removed from
278 Netfilter in kernel version 2.6.14.
279 MARK - [!]value[/mask][:C]
281 Defines a test on the existing packet or connection mark. The rule
282 will match only if the test returns true.
283 If you don't want to define a test but need to specify anything in
285 the following columns, place a "-" in this field.
286 !
288 Inverts the test (not equal)
289 value
291 Value of the packet or connection mark.
292 mask
294 A mask to be applied to the mark before testing.
295 :C
297 Designates a connection mark. If omitted, the packet mark's
298 value is tested.
299 IPSEC - option-list (Optional - Added in Shorewall 4.4.13 but broken
301 until 4.5.4.1 )
302 The option-list consists of a comma-separated list of options from
303 the following list. Only packets that will be encrypted or have
304 been decrypted via an SA that matches these options will have their
305 source address changed.
306 reqid=number
308 where number is specified using setkey(8) using the
309 'unique:number option for the SPD level.
310 spi=<number>
312 where number is the SPI of the SA used to encrypt/decrypt
313 packets.
314 proto=ah|esp|ipcomp
316 IPSEC Encapsulation Protocol
317 mss=number
319 sets the MSS field in TCP packets
320 mode=transport|tunnel
322 IPSEC mode
323 tunnel-src=address[/mask]
325 only available with mode=tunnel
326 tunnel-dst=address[/mask]
328 only available with mode=tunnel
329 strict
331 Means that packets must match all rules.
332 next
334 Separates rules; can only be used with strict
335 yes or ipsec
337 When used by itself, causes all traffic that will be
338 encrypted/encapsulated or has been decrypted/un-encapsulated to
339 match the rule.
340 no or none
342 When used by itself, causes all traffic that will not be
343 encrypted/encapsulated or has been decrypted/un-encapsulated to
344 match the rule.
345 in
347 May only be used in the FORWARD section and must be the first
348 or the only item the list. Indicates that matching packets have
349 been decrypted in input.
350 out
352 May only be used in the FORWARD section and must be the first
353 or the only item in the list. Indicates that matching packets
354 will be encrypted on output.
355 If this column is non-empty and sections are not used, then:
357 · A chain NAME appearing in the ACTION column must be a chain
359 branched either directly or indirectly from the accipsecin or
360 accipsecout chain.
361 · The CHAIN column must contain either accipsecin or accipsecout
363 or a chain branched either directly or indirectly from those
364 chains.
365 · These rules will NOT appear in the accounting chain.
367 In all of the above columns except ACTION and CHAIN, the values -, any
369 and all may be used as wildcard'gs. Omitted trailing columns are also
370 treated as wildcard'g.
371
373 /etc/shorewall/accounting
374 /etc/shorewall6/accounting
376
378 shorewall-logging(5)[4]
379 http://www.shorewall.net/configuration_file_basics.htm#Pairs[5]
381 shorewall(8)
383
385 1. rules file
386 https://shorewall.org/manpages/shorewall-rules.html
387 2. xtables-addons
389 http://xtables-addons.sourceforge.net/
390 3. http://www.shorewall.net/Accounting.html#perIP
392 https://shorewall.org/Accounting.html#perIP
393 4. shorewall-logging(5)
395 https://shorewall.orgshorewall-logging.htm
396 5. http://www.shorewall.net/configuration_file_basics.htm#Pairs
398 https://shorewall.org/configuration_file_basics.htm#Pairs
399Configuration Files 01/15/2020 SHOREWALL-ACCOUNTIN(5)