1SHOREWALL-ACCOUNTIN(5)        Configuration Files       SHOREWALL-ACCOUNTIN(5)
2
3
4

NAME

6       accounting - Shorewall Accounting file
7

SYNOPSIS

9       /etc/shorewall[6]/accounting
10

DESCRIPTION

12       Accounting rules exist simply to count packets and bytes in categories
13       that you define in this file. You may display these rules and their
14       packet and byte counters using the shorewall show accounting command.
15
16       Beginning with Shorewall 4.4.18, the accounting structure can be
17       created with three root chains:
18
19       ·   accountin: Rules that are valid in the INPUT chain (may not specify
20           an output interface).
21
22       ·   accountout: Rules that are valid in the OUTPUT chain (may not
23           specify an input interface or a MAC address).
24
25       ·   accounting: Other rules.
26
27       The new structure is enabled by sectioning the accounting file in a
28       manner similar to the rules file[1]. The sections are INPUT, OUTPUT and
29       FORWARD and must appear in that order (although any of them may be
30       omitted). The first non-commentary record in the accounting file must
31       be a section header when sectioning is used.
32
33           Warning
34           If sections are not used, the Shorewall rules compiler cannot
35           detect certain violations of netfilter restrictions. These
36           violations can result in run-time errors such as the following:
37
38           iptables-restore v1.4.13: Can't use -o with INPUT
39
40       Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was added
41       to shorewall.conf and shorewall6.conf. That setting determines the
42       Netfilter table (filter or mangle) where the accounting rules are
43       added. When ACCOUNTING_TABLE=mangle is specified, the available
44       sections are PREROUTING, INPUT, OUTPUT, FORWARD and POSTROUTING.
45
46       Section headers have the form:
47
48       ?SECTION section-name
49
50       When sections are enabled:
51
52       ·   A jump to a user-defined accounting chain must appear before
53           entries that add rules to that chain. This eliminates loops and
54           unreferenced chains.
55
56       ·   An output interface may not be specified in the PREROUTING and
57           INPUT sections.
58
59       ·   In the OUTPUT and POSTROUTING sections:
60
61           ·   An input interface may not be specified
62
63           ·   Jumps to a chain defined in the INPUT or PREROUTING sections
64               that specifies an input interface are prohibited
65
66           ·   MAC addresses may not be used
67
68           ·   Jump to a chain defined in the INPUT or PREROUTING section that
69               specifies a MAC address are prohibited.
70
71       ·   The default value of the CHAIN column is:
72
73           ·   accountin in the INPUT section
74
75           ·   accountout in the OUTPUT section
76
77           ·   accountfwd in the FORWARD section
78
79           ·   accountpre in the PREROUTING section
80
81           ·   accountpost in the POSTROUTING section
82
83       ·   Traffic addressed to the firewall goes through the rules defined in
84           the INPUT section.
85
86       ·   Traffic originating on the firewall goes through the rules defined
87           in the OUTPUT section.
88
89       ·   Traffic being forwarded through the firewall goes through the rules
90           from the FORWARD sections.
91
92       The columns in the file are as follows (where the column name is
93       followed by a different name in parentheses, the different name is used
94       in the alternate specification syntax):
95
96       ACTION -
97       {COUNT|DONE|chain[:{COUNT|JUMP}]|ACCOUNT(table,network)|[?]COMMENT
98       comment}
99           What to do when a matching packet is found.
100
101           COUNT
102               Simply count the match and continue with the next rule
103
104           DONE
105               Count the match and don't attempt to match any other accounting
106               rules in the chain specified in the CHAIN column.
107
108           chain[:COUNT]
109               Where chain is the name of a chain; shorewall will create the
110               chain automatically if it doesn't already exist. If a second
111               chain is mentioned in the CHAIN column, then a jump from this
112               second chain to chain is created. If no chain is named in the
113               CHAIN column, then a jump from the default chain to chain is
114               created. If :COUNT is included, a counting rule matching this
115               entry will be added to chain. The chain may not exceed 29
116               characters in length and may be composed of letters, digits,
117               dash ('-') and underscore ('_').
118
119           chain:JUMP
120               Like the previous option without the :COUNT part.
121
122           ACCOUNT(table,network)
123               This action implements per-IP accounting and was added in
124               Shorewall 4.4.17. Requires the ACCOUNT Target capability in
125               your iptables and kernel (see the output of shorewall show
126               capabilities).
127
128               table
129                   is the name of an accounting table (you choose the name).
130                   All rules specifying the same name will have their per-IP
131                   counters accumulated in the same table.
132
133               network
134                   is an IPv4 network in CIDR notation (e.g., 192.168.1.0/24).
135                   The network can be as large as a /8 (class A).
136
137               One nice feature of per-IP accounting is that the counters
138               survive shorewall restart. This has a downside, however. If you
139               change the network associated with an accounting table, then
140               you must shorewall stop; shorewall start to have a successful
141               restart (counters will be cleared).
142
143               The counters in a table are printed using the iptaccount
144               utility. For a command synopsis, type:
145
146               iptaccount --help
147
148               As of February 2011, the ACCOUNT Target capability and the
149               iptaccount utility are only available when xtables-addons[2] is
150               installed. See https://shorewall.org/Accounting.html#perIP[3]
151               for additional information.
152
153           INLINE
154               Added in Shorewall 4.5.16. Allows free form iptables matches to
155               be specified following a ';'. In the generated iptables
156               rule(s), the free form matches will follow any matches that are
157               generated by the column contents.
158
159           NFACCT({object[!]}[,...])
160               Added in Shorewall 4.5.7. Provides a form of accounting that
161               survives shorewall stop/shorewall start and shorewall restart.
162               Requires the NFaccnt Match capability in your kernel and
163               iptables.  object names an nfacct object (see man nfaccnt(8)).
164               Multiple rules can specify the same object; all packets that
165               match any of the rules increment the packet and bytes count of
166               the object.
167
168               Prior to Shorewall 4.5.16, only one object could be specified.
169               Beginning with Shorewall 4.5.16, an arbitrary number of objects
170               may be given.
171
172               With Shorewall 4.5.16 or later, an nfacct object in the list
173               may optionally be followed by !  to indicate that the nfacct
174               object will be incremented unconditionally for each packet.
175               When !  is omitted, the object will be incremented only if all
176               of the matches in the rule succeed.
177
178           NFLOG[(nflog-parameters)] - Added in Shorewall-4.4.20.
179               Causes each matching packet to be sent via the currently loaded
180               logging back-end (usually nfnetlink_log) where it is available
181               to accounting daemons through a netlink socket.
182
183           ?COMMENT
184               The remainder of the line is treated as a comment which is
185               attached to subsequent rules until another COMMENT line is
186               found or until the end of the file is reached. To stop adding
187               comments to rules, use a line with only the word ?COMMENT.
188
189       CHAIN - {-|chain}
190           The name of a chain. If specified as - the accounting chain is
191           assumed when the file is un-sectioned. When the file is sectioned,
192           the default is one of accountin, accountout, etc. depending on the
193           section. This is the chain where the accounting rule is added. The
194           chain will be created if it doesn't already exist. The chain may
195           not exceed 29 characters in length.
196
197       SOURCE - {-|any|all|interface|interface:address|address}
198           Packet Source.
199
200           The name of an interface, an address (host or net) or an interface
201           name followed by ":" and a host or net address. An ipset name is
202           also accepted as an address.
203
204       DEST - {-|any|all|interface|interface:address|address}
205           This column was formerly named DESTINATION.
206
207           Packet Destination.
208
209           Format same as SOURCE column.
210
211       PROTO -
212       {-|{any|all|protocol-name|protocol-number|ipp2p[:{udp|all}]}[,...]}
213           This column was formerly named PROTOCOL
214
215           A protocol-name (from protocols(5)), a protocol-number, ipp2p,
216           ipp2p:udp or ipp2p:all
217
218           Beginning with Shorewall 4.5.12, this column can accept a
219           comma-separated list of protocols.
220
221       DPORT -
222       {-|any|all|ipp2p-option|port-name-or-number[,port-name-or-number]...}
223           Destination Port number. Service name from services(5) or port
224           number. May only be specified if the protocol is TCP (6), UDP (17),
225           DCCP (33), SCTP (132) or UDPLITE (136).
226
227           You may place a comma-separated list of port names or numbers in
228           this column if your kernel and iptables include multi-port match
229           support.
230
231           If the PROTOCOL is ipp2p then this column must contain an
232           ipp2p-option ("iptables -m ipp2p --help") without the leading "--".
233           If no option is given in this column, ipp2p is assumed.
234
235           This column was formerly named DEST PORT(S).
236
237       SPORT - {-|any|all|port-name-or-number[,port-name-or-number]...}
238           Service name from services(5) or port number. May only be specified
239           if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or
240           UDPLITE (136).
241
242           You may place a comma-separated list of port numbers in this column
243           if your kernel and iptables include multi-port match support.
244
245           Beginning with Shorewall 4.5.15, you may place '=' in this column,
246           provided that the DEST PORT(S) column is non-empty. This causes the
247           rule to match when either the source port or the destination port
248           in a packet matches one of the ports specified in DPORT. Use of '='
249           requires multi-port match in your iptables and kernel.
250
251           This column was formerly labelled SOURCE PORT(S).
252
253       USER - [!][user-name-or-number][:group-name-or-number][+program-name]
254           This column was formerly named USER/GROUP and may only be non-empty
255           if the CHAIN is OUTPUT.
256
257           When this column is non-empty, the rule applies only if the program
258           generating the output is running under the effective user and/or
259           group specified (or is NOT running under that id if "!" is given).
260
261           Examples:
262
263           joe
264               program must be run by joe
265
266           :kids
267               program must be run by a member of the 'kids' group
268
269           !:kids
270               program must not be run by a member of the 'kids' group
271
272           +upnpd
273               #program named upnpd
274
275                   Important
276                   The ability to specify a program name was removed from
277                   Netfilter in kernel version 2.6.14.
278
279       MARK - [!]value[/mask][:C]
280           Defines a test on the existing packet or connection mark. The rule
281           will match only if the test returns true.
282
283           If you don't want to define a test but need to specify anything in
284           the following columns, place a "-" in this field.
285
286           !
287               Inverts the test (not equal)
288
289           value
290               Value of the packet or connection mark.
291
292           mask
293               A mask to be applied to the mark before testing.
294
295           :C
296               Designates a connection mark. If omitted, the packet mark's
297               value is tested.
298
299       IPSEC - option-list (Optional - Added in Shorewall 4.4.13 but broken
300       until 4.5.4.1 )
301           The option-list consists of a comma-separated list of options from
302           the following list. Only packets that will be encrypted or have
303           been decrypted via an SA that matches these options will have their
304           source address changed.
305
306           reqid=number
307               where number is specified using setkey(8) using the
308               'unique:number option for the SPD level.
309
310           spi=<number>
311               where number is the SPI of the SA used to encrypt/decrypt
312               packets.
313
314           proto=ah|esp|ipcomp
315               IPSEC Encapsulation Protocol
316
317           mss=number
318               sets the MSS field in TCP packets
319
320           mode=transport|tunnel
321               IPSEC mode
322
323           tunnel-src=address[/mask]
324               only available with mode=tunnel
325
326           tunnel-dst=address[/mask]
327               only available with mode=tunnel
328
329           strict
330               Means that packets must match all rules.
331
332           next
333               Separates rules; can only be used with strict
334
335           yes or ipsec
336               When used by itself, causes all traffic that will be
337               encrypted/encapsulated or has been decrypted/un-encapsulated to
338               match the rule.
339
340           no or none
341               When used by itself, causes all traffic that will not be
342               encrypted/encapsulated or has been decrypted/un-encapsulated to
343               match the rule.
344
345           in
346               May only be used in the FORWARD section and must be the first
347               or the only item the list. Indicates that matching packets have
348               been decrypted in input.
349
350           out
351               May only be used in the FORWARD section and must be the first
352               or the only item in the list. Indicates that matching packets
353               will be encrypted on output.
354
355           If this column is non-empty and sections are not used, then:
356
357           ·   A chain NAME appearing in the ACTION column must be a chain
358               branched either directly or indirectly from the accipsecin or
359               accipsecout chain.
360
361           ·   The CHAIN column must contain either accipsecin or accipsecout
362               or a chain branched either directly or indirectly from those
363               chains.
364
365           ·   These rules will NOT appear in the accounting chain.
366
367       In all of the above columns except ACTION and CHAIN, the values -, any
368       and all may be used as wildcard'gs. Omitted trailing columns are also
369       treated as wildcard'g.
370

FILES

372       /etc/shorewall/accounting
373
374       /etc/shorewall6/accounting
375

SEE ALSO

377       shorewall-logging(5)[4]
378
379       https://shorewall.org/configuration_file_basics.htm#Pairs[5]
380
381       shorewall(8)
382

NOTES

384        1. rules file
385           https://shorewall.org/manpages/shorewall-rules.html
386
387        2. xtables-addons
388           http://xtables-addons.sourceforge.net/
389
390        3. https://shorewall.org/Accounting.html#perIP
391           https://shorewall.org/Accounting.html#perIP
392
393        4. shorewall-logging(5)
394           https://shorewall.org/manpages/shorewall-logging.htm
395
396        5. https://shorewall.org/configuration_file_basics.htm#Pairs
397           https://shorewall.org/configuration_file_basics.htm#Pairs
398
399
400
401Configuration Files               07/29/2020            SHOREWALL-ACCOUNTIN(5)
Impressum