shorewall-accounting(5)                                shorewall-accounting(5)



NAME

       accounting - Shorewall Accounting file


SYNOPSIS

       /etc/shorewall/accounting


DESCRIPTION

       Accounting rules exist simply to count packets and bytes in categories
       that you define in this file. You may display these rules and their
       packet and byte counters using the shorewall show accounting command.

       The columns in the file are as follows.

       ACTION — {COUNT|DONE|chain[:COUNT]}
              What to do when a matching packet is found.

              COUNT  Simply count the match and continue with the next rule.

              DONE   Count the match and don't attempt to match any other
                     accounting rules in the chain specified in the CHAIN
                     column.

              chain[:COUNT]
                     Where chain is the name of a chain; Shorewall will create
                     the chain automatically if it doesn't already exist.
                     Causes a jump to that chain to be added to the chain
                     specified in the CHAIN column. If :COUNT is included, a
                     counting rule matching this entry will be added to chain.

       CHAIN — {-|chain}
              The name of a chain. If specified as - the accounting chain is
              assumed. This is the chain where the accounting rule is added.
              The chain will be created if it doesn't already exist.

       SOURCE — {-|any|all|interface|interface:address|address}
              Packet Source.

              The name of an interface, an address (host or net) or an
              interface name followed by ":" and a host or net address.

       DESTINATION — {-|any|all|interface|interface:address|address}
              Packet Destination.

              Format same as SOURCE column.

       PROTOCOL — {-|any|all|protocol-name|protocol-number|ipp2p[:{udp|all}]}
              A protocol-name (from protocols(5)), a protocol-number, ipp2p,
              ipp2p:udp or ipp2p:all.

       DEST PORT(S) — {-|any|all|ipp2p-option|port-name-or-number[,port-name-or-number]...}
              Destination Port number. Service name from services(5) or port
              number. May only be specified if the protocol is tcp or udp (6
              or 17).

              You may place a comma-separated list of port names or numbers in
              this column if your kernel and iptables include multiport match
              support.

              If the PROTOCOL is ipp2p then this column must contain an
              ipp2p-option ("iptables -m ipp2p --help") without the leading
              "--". If no option is given in this column, ipp2p is assumed.

       SOURCE PORT(S) — {-|any|all|port-name-or-number[,port-name-or-number]...}
              Service name from services(5) or port number. May only be
              specified if the protocol is tcp or udp (6 or 17).

              You may place a comma-separated list of port numbers in this
              column if your kernel and iptables include multiport match
              support.

       USER/GROUP — [!][user-name-or-number][:group-name-or-number][+program-name]
              This column may only be non-empty if the CHAIN is OUTPUT.

              When this column is non-empty, the rule applies only if the
              program generating the output is running under the effective
              user and/or group specified (or is NOT running under that id if
              "!" is given).

              Examples:

              joe    program must be run by joe

              :kids  program must be run by a member of the 'kids' group

              !:kids program must not be run by a member of the 'kids' group

              +upnpd program named upnpd

                     Important
                     The ability to specify a program name was removed from
                     Netfilter in kernel version 2.6.14.

       MARK — [!]value[/mask][:C]
              Defines a test on the existing packet or connection mark. The
              rule will match only if the test returns true.

              If you don't want to define a test but need to specify anything
              in the following columns, place a "-" in this field.

              !      Inverts the test (not equal)

              value  Value of the packet or connection mark.

              mask   A mask to be applied to the mark before testing.

              :C     Designates a connection mark. If omitted, the packet
                     mark's value is tested. This option is only supported by
                     Shorewall-perl.

       In all of the above columns except ACTION and CHAIN, the values -, any
       and all may be used as wildcards. Omitted trailing columns are also
       treated as wildcards.

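       The column rules above can be checked mechanically before a file is
       loaded. The following Python script is an added example and is not part
       of Shorewall or of this manual page: it parses a constructed accounting
       file into the nine columns, fills omitted trailing columns with the
       wildcard "-", reports entries that break the constraints stated above
       (ports only with tcp, udp or ipp2p; USER/GROUP only when CHAIN is
       OUTPUT; MARK syntax) and evaluates a MARK test against a packet or
       connection mark. The sample rule lines, the chain name "web" and all
       function names are assumptions made for this example.

```python
"""Parser and consistency checker for the shorewall-accounting(5) column
format.  Added example, not part of Shorewall: it reads a constructed
accounting file, fills omitted trailing columns with the wildcard '-',
applies the constraints the man page states for each column, and evaluates
the MARK test ([!]value[/mask][:C]) against a packet or connection mark."""
import re

COLUMNS = ("ACTION", "CHAIN", "SOURCE", "DEST", "PROTO",
           "DPORT", "SPORT", "USER", "MARK")
WILDCARDS = {"-", "any", "all"}          # wildcard values accepted in columns
CHAIN_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
MARK_RE = re.compile(
    r"^(!)?(0x[0-9A-Fa-f]+|\d+)(?:/(0x[0-9A-Fa-f]+|\d+))?(:C)?$")

# Constructed sample files (assumptions, not taken from the page).
# GOOD is well formed; BAD breaks two of the documented column constraints.
GOOD = """\
#ACTION    CHAIN   SOURCE          DEST           PROTO  DPORT   SPORT  USER   MARK
COUNT      -       eth0            -              tcp    80,443
DONE       -       192.168.1.0/24  -              udp    53      -      -      -
web:COUNT  -       -               eth1:10.0.0.5  tcp    80
COUNT      OUTPUT  -               -              tcp    25      -      :kids
COUNT      -       -               -              -      -       -      -      !0x1/0xff:C
"""
BAD = """\
COUNT      -       -               -              icmp   8
COUNT      INPUT   -               -              -      -       -      joe
"""


def parse_accounting(text):
    """Return one dict per rule line, keyed by column name plus LINE.
    Comments are stripped; omitted trailing columns become '-' wildcards."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) > len(COLUMNS):
            raise ValueError(f"line {lineno}: more than {len(COLUMNS)} columns")
        parts += ["-"] * (len(COLUMNS) - len(parts))
        rule = dict(zip(COLUMNS, parts))
        rule["LINE"] = lineno
        rules.append(rule)
    return rules


def validate(rule):
    """Check one parsed rule against the constraints stated in the man page."""
    errors = []
    action = rule["ACTION"]
    if action not in ("COUNT", "DONE"):
        # chain[:COUNT]: a chain name, optionally followed by ':COUNT'
        chain, _, suffix = action.partition(":")
        if not CHAIN_RE.match(chain) or suffix not in ("", "COUNT"):
            errors.append(f"bad ACTION {action!r}")
    proto = rule["PROTO"].lower()
    tcp_or_udp = proto in ("tcp", "udp", "6", "17")
    if rule["DPORT"] not in WILDCARDS and not (tcp_or_udp or proto.startswith("ipp2p")):
        errors.append("DEST PORT(S) requires PROTOCOL tcp, udp or ipp2p")
    if rule["SPORT"] not in WILDCARDS and not tcp_or_udp:
        errors.append("SOURCE PORT(S) requires PROTOCOL tcp or udp")
    if rule["USER"] not in WILDCARDS and rule["CHAIN"] != "OUTPUT":
        errors.append("USER/GROUP is only allowed when CHAIN is OUTPUT")
    if rule["MARK"] not in WILDCARDS and not MARK_RE.match(rule["MARK"]):
        errors.append(f"bad MARK {rule['MARK']!r}")
    return errors


def check_file(text):
    """Map line number -> error list for every rule that has at least one."""
    report = {}
    for rule in parse_accounting(text):
        errors = validate(rule)
        if errors:
            report[rule["LINE"]] = errors
    return report


def _num(s):
    """Parse a decimal or 0x-prefixed hexadecimal mark value."""
    return int(s, 16) if s.lower().startswith("0x") else int(s, 10)


def mark_matches(spec, packet_mark, conn_mark=0):
    """Evaluate a MARK column test.  ':C' selects the connection mark,
    otherwise the packet mark; '/mask' is applied before comparing; a
    leading '!' inverts the result."""
    if spec in WILDCARDS:
        return True
    m = MARK_RE.match(spec)
    if not m:
        raise ValueError(f"bad MARK {spec!r}")
    invert, value, mask, conn = m.groups()
    observed = conn_mark if conn else packet_mark
    masked = observed & (_num(mask) if mask else 0xFFFFFFFF)
    hit = masked == _num(value)
    return (not hit) if invert else hit


if __name__ == "__main__":
    for r in parse_accounting(GOOD):
        print(r["LINE"], r["ACTION"], r["CHAIN"], r["PROTO"], r["DPORT"],
              r["USER"], r["MARK"], validate(r) or "ok")
    print(check_file(BAD))
```

       Run stand-alone, the script prints each parsed GOOD entry with "ok"
       and then the two complaints for BAD: a DEST PORT given with protocol
       icmp, and a USER/GROUP value in a chain other than OUTPUT.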

FILES

       /etc/shorewall/accounting


SEE ALSO

       http://shorewall.net/Accounting.html

       shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
       shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
       shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
       shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
       shorewall-providers(5), shorewall-proxyarp(5),
       shorewall-route_routes(5), shorewall-routestopped(5),
       shorewall-rules(5), shorewall.conf(5), shorewall-tcclasses(5),
       shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
       shorewall-tunnels(5), shorewall-zones(5)



                                  19 May 2008          shorewall-accounting(5)