diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt
index 407c40770..d0c73a21d 100644
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@@ -209,8 +209,30 @@ Migration Considerations:
/etc/shorewall/hosts
- lan eth1:192.168.2.0/24 ...
+ lan eth1:192.168.2.0/24 ...
+ The structure of the accounting rules changes slightly when
+ there are bridges defined in the Shorewall
+ configuration. Because of the restrictions imposed by Netfilter
+ in kernel 2.6.21 and later, output accounting rules must be
+ segregated from forwarding and input rules.
+
+ To accomplish this separation, Shorewall-perl creates two
+ accounting chains:
+
+ - accounting - for input and forwarded traffic.
+ - accountout - for output traffic.
+
+ If the CHAIN column contains '-', then:
+
+ - If the SOURCE column in a rule includes the name of the
+ firewall zone (e.g., $FW), then the default chain to insert
+ the rule into is accountout only.
+
+ - Otherwise, if the DEST in the rule is any or all or 0.0.0.0/0,
+ then the rule is added to both accounting and accountout.
+
+ - Otherwise, the rule is added to accounting only.
d) The BROADCAST column in the interfaces file is essentially unused;
if you enter anything in this column but '-' or 'detect', you will
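Review bot: the new paragraph repeats the "Accounting with Bridges" section of docs/Accounting.xml word for word, so the two copies will drift the next time the chain-selection rules change; a short summary plus a pointer to the Accounting documentation would be safer in the release notes. The `- lan eth1:192.168.2.0/24 ...` / `+ lan eth1:192.168.2.0/24 ...` pair at the top of the hunk also looks like a whitespace-only change and can be dropped if unintended.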
diff --git a/docs/Accounting.xml b/docs/Accounting.xml
index 1ef87e934..35e1851c8 100644
--- a/docs/Accounting.xml
+++ b/docs/Accounting.xml
@@ -41,142 +41,148 @@
release.
- Shorewall accounting rules are described in the file
- /etc/shorewall/accounting. By default, the accounting rules are placed in a
- chain called accounting and can thus be displayed using
- shorewall[-lite] show accounting. All traffic passing into,
- out of, or through the firewall traverses the accounting chain including
- traffic that will later be rejected by interface options such as
- tcpflags and maclist. If your kernel doesn't
- support the connection tracking match extension (Kernel 2.4.21) then some
- traffic rejected under norfc1918 will not traverse the
- accounting chain.
+
+ Accounting Basics
- The columns in the accounting file are as follows:
+ Shorewall accounting rules are described in the file
+ /etc/shorewall/accounting. By default, the accounting rules are placed in
+ a chain called accounting and can thus be displayed using
+ shorewall[-lite] show accounting. All traffic passing into,
+ out of, or through the firewall traverses the accounting chain including
+ traffic that will later be rejected by interface options such as
+ tcpflags and maclist. If your kernel doesn't
+ support the connection tracking match extension (Kernel 2.4.21) then some
+ traffic rejected under norfc1918 will not traverse the
+ accounting chain.
-
-
- ACTION - What to do when a match
- is found. Possible values are:
+ The columns in the accounting file are as follows:
-
-
- COUNT- Simply count the match and continue trying to match the
- packet with the following accounting rules
-
+
+
+ ACTION - What to do when a
+ match is found. Possible values are:
-
- DONE- Count the match and don't attempt to match any following
- accounting rules.
-
+
+
+ COUNT- Simply count the match and continue trying to match
+ the packet with the following accounting rules
+
-
- <chain> - The name of a chain to
- jump to. Shorewall will create the chain automatically. If the name
- of the chain is followed by :COUNT then a COUNT rule
- matching this rule will automatically be added to <chain>.
- Chain names must start with a letter, must be composed of letters
- and digits, and may contain underscores (_) and
- periods (.). Beginning with Shorewall version 1.4.8,
- chain names may also contain embedded dashes (-) and
- are not required to start with a letter.
-
-
-
+
+ DONE- Count the match and don't attempt to match any
+ following accounting rules.
+
-
- CHAIN - The name of the chain
- where the accounting rule is to be added. If empty or -
- then the accounting chain is assumed.
-
+
+ <chain> - The name of a chain to
+ jump to. Shorewall will create the chain automatically. If the
+ name of the chain is followed by :COUNT then a
+ COUNT rule matching this rule will automatically be added to
+ <chain>. Chain names must start with a letter, must be
+ composed of letters and digits, and may contain underscores
+ (_) and periods (.). Beginning with
+ Shorewall version 1.4.8, chain names may also contain embedded
+ dashes (-) and are not required to start with a
+ letter.
+
+
+
-
- SOURCE - Packet Source. The name
- of an interface, an address (host or net), or an interface name followed
- by : and a host or net address.
-
+
+ CHAIN - The name of the chain
+ where the accounting rule is to be added. If empty or -
+ then the accounting chain is assumed (see below for exceptions).
+
-
- DESTINATION - Packet Destination
- Format the same as the SOURCE column.
-
+
+ SOURCE - Packet Source. The
+ name of an interface, an address (host or net), or an interface name
+ followed by : and a host or net address.
+
-
- PROTOCOL - A protocol name (from
- /etc/protocols), a protocol number or "ipp2p". For
- "ipp2p", your kernel and iptables must have ipp2p match support from
- Netfilter
- Patch_o_matic_ng.
-
+
+ DESTINATION - Packet
+ Destination Format the same as the SOURCE column.
+
-
- DEST PORT - Destination Port
- number. Service name from /etc/services or port
- number. May only be specified if the protocol is TCP or UDP (6 or 17).
- If the PROTOCOL is "ipp2p", then this column is interpreted as an ipp2p
- option without the leading "--" (default "ipp2p"). For a list of value
- ipp2p options, as root type iptables -m ipp2p
- --help.
-
+
+ PROTOCOL - A protocol name
+ (from /etc/protocols), a protocol number or
+ "ipp2p". For "ipp2p", your kernel and iptables must have ipp2p match
+ support from Netfilter
+ Patch_o_matic_ng.
+
-
- SOURCE PORT- Source Port number.
- Service name from /etc/services or port number. May only be specified if
- the protocol is TCP or UDP (6 or 17).
-
+
+ DEST PORT - Destination Port
+ number. Service name from /etc/services or port
+ number. May only be specified if the protocol is TCP or UDP (6 or 17).
+ If the PROTOCOL is "ipp2p", then this column is interpreted as an
+ ipp2p option without the leading "--" (default "ipp2p"). For a list of
+ value ipp2p options, as root type iptables -m ipp2p
+ --help.
+
-
- USER/GROUP - This column may only
- be non-empty if the CHAIN is OUTPUT. The column may contain:
+
+ SOURCE PORT- Source Port
+ number. Service name from /etc/services or port number. May only be
+ specified if the protocol is TCP or UDP (6 or 17).
+
- [!][<user name or number>][:<group name or number>][+<program name>]
+
+ USER/GROUP - This column may
+ only be non-empty if the CHAIN is OUTPUT. The column may
+ contain:
- When this column is non-empty, the rule applies only if the
- program generating the output is running under the effective
- <user> and/or <group> specified (or is NOT running under
- that id if "!" is given).
+ [!][<user name or number>][:<group name or number>][+<program name>]
- Examples:
+ When this column is non-empty, the rule applies only if the
+ program generating the output is running under the effective
+ <user> and/or <group> specified (or is NOT running under
+ that id if "!" is given).
-
- joe #program must be run by joe
+ Examples:
- :kids #program must be run by a member of the 'kids'
- group.
+
+ joe #program must be run by joe
- !:kids #program must not be run by a member of the 'kids'
- group
+ :kids #program must be run by a member of the 'kids'
+ group.
- +upnpd #program named upnpd (This feature was removed from
- Netfilter in kernel version 2.6.14).
-
-
-
+ !:kids #program must not be run by a member of the 'kids'
+ group
- In all columns except ACTION and CHAIN, the values
- -,any and all are treated as
- wild-cards.
+ +upnpd #program named upnpd (This feature was removed from
+ Netfilter in kernel version 2.6.14).
+
+
+
- The accounting rules are evaluated in the Netfilter
- filter table. This is the same environment where the
- rules file rules are evaluated and in this environment, DNAT
- has already occurred in inbound packets and SNAT has not yet occurred on
- outbound ones.
+ In all columns except ACTION and CHAIN, the values
+ -,any and all are treated as
+ wild-cards.
- Accounting rules are not stateful -- each rule only handles traffic in
- one direction. For example, if eth0 is your internet interface, and you have
- a web server in your DMZ connected to eth1, then to count HTTP traffic in
- both directions requires two rules:
+ The accounting rules are evaluated in the Netfilter
+ filter table. This is the same environment where the
+ rules file rules are evaluated and in this environment,
+ DNAT has already occurred in inbound packets and SNAT has not yet occurred
+ on outbound ones.
- #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
+ Accounting rules are not stateful -- each rule only handles traffic
+ in one direction. For example, if eth0 is your internet interface, and you
+ have a web server in your DMZ connected to eth1, then to count HTTP
+ traffic in both directions requires two rules:
+
+ #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
DONE - eth0 eth1 tcp 80
DONE - eth1 eth0 tcp - 80
- Associating a counter with a chain allows for nice reporting. For
- example:
+ Associating a counter with a chain allows for nice reporting. For
+ example:
- #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
+ #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
web:COUNT - eth0 eth1 tcp 80
web:COUNT - eth1 eth0 tcp - 80
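Review bot: the USER/GROUP description at "This column may only be non-empty if the CHAIN is OUTPUT" is now out of step with the rest of this change, which moves default output accounting into the new accountout chain; say whether the column is also accepted for rules that land in accountout (including a CHAIN of '-' with $FW in SOURCE), since that is the case users will hit. While these lines are being reindented, the SOURCE column description should also list the firewall zone name ($FW) as an accepted value, because the new bridge section keys the chain choice on it; and fix "For a list of value ipp2p options" to "valid" and add the missing period in "Packet Destination Format the same as the SOURCE column".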
@@ -184,11 +190,11 @@
web:COUNT - eth1 eth0 tcp - 443
DONE web
- Now shorewall show web (or "shorewall-lite show web"
- for Shorewall Lite users) will give you a breakdown of your web
- traffic:
+ Now shorewall show web (or "shorewall-lite show web"
+ for Shorewall Lite users) will give you a breakdown of your web
+ traffic:
- [root@gateway shorewall]# shorewall show web
+ [root@gateway shorewall]# shorewall show web
Shorewall-1.4.6-20030821 Chain web at gateway.shorewall.net - Wed Aug 20 09:48:56 PDT 2003
Counters reset Wed Aug 20 09:48:00 PDT 2003
@@ -202,9 +208,9 @@
29 3297 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
[root@gateway shorewall]#
- Here is a slightly different example:
+ Here is a slightly different example:
- #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
+ #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
web - eth0 eth1 tcp 80
web - eth1 eth0 tcp - 80
@@ -213,11 +219,11 @@
COUNT web eth0 eth1
COUNT web eth1 eth0
- Now shorewall show web (or "shorewall-lite show web"
- for Shorewall Lite users) simply gives you a breakdown by input and
- output:
+ Now shorewall show web (or "shorewall-lite show web"
+ for Shorewall Lite users) simply gives you a breakdown by input and
+ output:
- [root@gateway shorewall]# shorewall show accounting web
+ [root@gateway shorewall]# shorewall show accounting web
Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003
Counters reset Wed Aug 20 10:24:33 PDT 2003
@@ -225,7 +231,9 @@
Chain accounting (3 references)
pkts bytes target prot opt in out source destination
8767 727K web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
- 0 0 web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
+ 0 0 web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
+
+
11506 13M web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80
0 0 web tcp -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443
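Review bot: the two blank lines added after the `0 0 web tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443` line fall inside the verbatim `shorewall show accounting web` listing and split the accounting chain output in two; they look accidental and should be removed so the sample output stays contiguous.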
@@ -235,16 +243,16 @@
11506 13M all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
[root@gateway shorewall]#
- Here's how the same example would be constructed on an HTTP server
- with only one interface (eth0).
+ Here's how the same example would be constructed on an HTTP server
+ with only one interface (eth0).
-
- READ THE ABOVE CAREFULLY -- IT SAYS SERVER. If you want to account for web browsing,
- you have to reverse the rules below.
-
+
+ READ THE ABOVE CAREFULLY -- IT SAYS SERVER. If you want to account for web browsing,
+ you have to reverse the rules below.
+
- #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
+ #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE
# PORT PORT
web - eth0 - tcp 80
web - - eth0 tcp - 80
@@ -253,12 +261,12 @@
COUNT web eth0
COUNT web - eth0
- Note that with only one interface, only the SOURCE (for input rules)
- or the DESTINATION (for output rules) is specified in each rule.
+ Note that with only one interface, only the SOURCE (for input rules)
+ or the DESTINATION (for output rules) is specified in each rule.
- Here's the output:
+ Here's the output:
- [root@mail shorewall]# shorewall show accounting web Shorewall-1.4.7
+ [root@mail shorewall]# shorewall show accounting web Shorewall-1.4.7
Chains accounting web at mail.shorewall.net - Sun Oct 12 10:27:21 PDT 2003
Counters reset Sat Oct 11 08:12:57 PDT 2003
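Review bot: the line `[root@mail shorewall]# shorewall show accounting web Shorewall-1.4.7` runs the typed command together with the first word of the output header; `Shorewall-1.4.7` belongs at the start of the next line, as in the earlier `Shorewall-1.4.6-20030821 Chains accounting web at ...` sample, and since the line is being touched anyway this is the moment to split it.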
@@ -276,7 +284,54 @@
11506 13M all -- * eth0 0.0.0.0/0 0.0.0.0/0
[root@mail shorewall]#
- For an example of integrating Shorewall Accounting with MRTG, see
- http://www.nightbrawler.com/code/shorewall-stats/.
+ For an example of integrating Shorewall Accounting with MRTG, see
+ http://www.nightbrawler.com/code/shorewall-stats/.
+
+
+
+ Accounting with Bridges
+
+ The structure of the accounting rules changes slightly when there
+ are bridges defined in the
+ Shorewall configuration. Because of the restrictions imposed by Netfilter
+ in kernel 2.6.21 and later, output accounting rules must be segregated
+ from forwarding and input rules. To accomplish this separation,
+ Shorewall-perl creates two accounting chains:
+
+
+
+ accounting - for input and
+ forwarded traffic.
+
+
+
+ accountout - for output
+ traffic.
+
+
+
+ If the CHAIN column contains '-', then:
+
+
+
+ If the SOURCE column in a rule includes the name of the firewall
+ zone (e.g., $FW), then the default chain to insert the rule into is
+ accountout only.
+
+
+
+ Otherwise, if the DEST in the rule is any or all or
+ 0.0.0.0/0, then the rule is added to both accounting and accountout.
+
+
+
+ Otherwise, the rule is added to accounting only.
+
+
+
\ No newline at end of file
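Review bot: the second bullet names `any`, `all` and `0.0.0.0/0` as the DEST values that send a rule to both chains, but the column description earlier in this file treats `-` as an equivalent wild-card in every column except ACTION and CHAIN; state explicitly whether an empty or `-` DEST also goes to both accounting and accountout, otherwise readers (and the release notes, which repeat this text) will assume it goes to accounting only. The file also now ends without a trailing newline.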