extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-05 01:07:08 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add INLINE to the accounting file.

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2013-04-20 08:02:02 -07:00
parent 7c8f1ae020
commit 1b9fd642bb
9 changed files with 122 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
Shorewall/Perl/Shorewall/Accounting.pm
View File

@ -190,6 +190,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT; fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT;
my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers ); my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers );
my $prerule = '';
my $rule2 = 0; my $rule2 = 0;
my $jump = 0; my $jump = 0;
@ -222,11 +223,17 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
} }
} elsif ( $action =~ /^NFLOG/ ) { } elsif ( $action =~ /^NFLOG/ ) {
$target = validate_level $action; $target = validate_level $action;
} elsif ( $action =~ /^NFACCT\(([\w,]+)\)$/ ) { } elsif ( $action =~ /^NFACCT\(([\w,]+)\)(!)?$/ ) {
require_capability 'NFACCT_MATCH', 'The NFACCT action', 's'; require_capability 'NFACCT_MATCH', 'The NFACCT action', 's';
$target = ''; $target = '';
my @objects = split_list $1, 'nfacct'; my @objects = split_list $1, 'nfacct';
$rule .= "-m nfacct --nfacct-name $_ ", $nfobjects{$_} = 1 for @objects; if ( $2 ) {
$prerule .= "-m nfacct --nfacct-name $_ " for @objects;
} else {
$rule .= "-m nfacct --nfacct-name $_ " for @objects;
}
} elsif ( $action eq 'INLINE' ) {
$rule .= get_inline_matches;
} else { } else {
( $action, my $cmd ) = split /:/, $action; ( $action, my $cmd ) = split /:/, $action;
@ -267,6 +274,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
expand_rule( expand_rule(
ensure_rules_chain ( 'accountout' ) , ensure_rules_chain ( 'accountout' ) ,
OUTPUT_RESTRICT , OUTPUT_RESTRICT ,
$prerule ,
$rule , $rule ,
$source , $source ,
$dest = ALLIP , $dest = ALLIP ,
@ -360,6 +368,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
expand_rule expand_rule
$chainref , $chainref ,
$restriction , $restriction ,
$prerule ,
$rule , $rule ,
$source , $source ,
$dest , $dest ,
@ -385,17 +394,18 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
} }
if ( $rule2 ) { if ( $rule2 ) {
expand_rule expand_rule(
$jumpchainref , $jumpchainref ,
$restriction , $restriction ,
$rule , $prerule ,
$source , $rule ,
$dest , $source ,
'' , $dest ,
'' , '' ,
'' , '' ,
'' , '' ,
'' ; '' ,
'' );
} }
return 1; return 1;

89
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -257,7 +257,6 @@ our %EXPORT_TAGS = (
%targets %targets
%builtin_target %builtin_target
%dscpmap %dscpmap
%nfobjects
) ], ) ],
); );
@ -611,13 +610,13 @@ use constant { UNIQUE => 1,
MATCH => 8, MATCH => 8,
CONTROL => 16, CONTROL => 16,
COMPLEX => 32, COMPLEX => 32,
LAST => 64, NFACCT => 64,
}; };
our %opttype = ( rule => CONTROL, our %opttype = ( rule => CONTROL,
cmd => CONTROL, cmd => CONTROL,
dhcp => UNIQUE, dhcp => CONTROL,
mode => CONTROL, mode => CONTROL,
cmdlevel => CONTROL, cmdlevel => CONTROL,
@ -642,14 +641,13 @@ our %opttype = ( rule => CONTROL,
'conntrack --ctstate' => 'conntrack --ctstate' =>
EXCLUSIVE, EXCLUSIVE,
nfacct => NFACCT,
conntrack => COMPLEX, conntrack => COMPLEX,
jump => TARGET, jump => TARGET,
target => TARGET, target => TARGET,
targetopts => TARGET, targetopts => TARGET,
nfacct => LAST,
set => LAST,
); );
our %aliases = ( protocol => 'p', our %aliases = ( protocol => 'p',
@ -775,7 +773,14 @@ sub decr_cmd_level( $ ) {
# iptables command strings which are converted into the new form by # iptables command strings which are converted into the new form by
# transform_rule() # transform_rule()
# #
# First a helper for setting an individual option # First a helper for recording an nfacct object name
#
sub record_nfobject( $ ) {
my @value = split ' ', $_[0];
$nfobjects{$value[-1]} = 1;
}
# # Next a helper for setting an individual option
# #
sub set_rule_option( $$$ ) { sub set_rule_option( $$$ ) {
my ( $ruleref, $option, $value ) = @_; my ( $ruleref, $option, $value ) = @_;
@ -808,7 +813,7 @@ sub set_rule_option( $$$ ) {
if ( exists $ruleref->{$option} ) { if ( exists $ruleref->{$option} ) {
assert( defined( my $value1 = $ruleref->{$option} ) , $ruleref ); assert( defined( my $value1 = $ruleref->{$option} ) , $ruleref );
if ( $opttype == MATCH || $opttype == LAST ) { if ( $opttype & ( MATCH | NFACCT ) ) {
if ( $globals{KLUDGEFREE} ) { if ( $globals{KLUDGEFREE} ) {
unless ( reftype $value1 ) { unless ( reftype $value1 ) {
unless ( reftype $value ) { unless ( reftype $value ) {
@ -821,6 +826,8 @@ sub set_rule_option( $$$ ) {
push @{$ruleref->{$option}}, ( reftype $value ? @$value : $value ); push @{$ruleref->{$option}}, ( reftype $value ? @$value : $value );
push @{$ruleref->{matches}}, $option; push @{$ruleref->{matches}}, $option;
$ruleref->{complex} = 1; $ruleref->{complex} = 1;
record_nfobject( $value ) if $opttype == NFACCT;
} else { } else {
assert( ! reftype $value ); assert( ! reftype $value );
$ruleref->{$option} = join(' ', $value1, $value ) unless $value1 eq $value; $ruleref->{$option} = join(' ', $value1, $value ) unless $value1 eq $value;
@ -844,6 +851,7 @@ sub set_rule_option( $$$ ) {
} else { } else {
$ruleref->{$option} = $value; $ruleref->{$option} = $value;
push @{$ruleref->{matches}}, $option; push @{$ruleref->{matches}}, $option;
record_nfobject( $value ) if $opttype == NFACCT;
} }
} }
@ -992,8 +1000,12 @@ sub format_rule( $$;$ ) {
# #
my $ruleref = $rulerefp->{complex} ? clone_rule( $rulerefp ) : $rulerefp; my $ruleref = $rulerefp->{complex} ? clone_rule( $rulerefp ) : $rulerefp;
for ( @unique_options ) { for ( @{$ruleref->{matches}} ) {
if ( exists $ruleref->{$_} ) { my $type = $opttype{$_} || 0;
next if $type & ( CONTROL | TARGET );
if ( $type == UNIQUE ) {
my $value = $ruleref->{$_}; my $value = $ruleref->{$_};
$rule .= ' !' if $value =~ s/^! //; $rule .= ' !' if $value =~ s/^! //;
@ -1003,25 +1015,13 @@ sub format_rule( $$;$ ) {
} else { } else {
$rule .= join( '' , ' --', $_, ' ', $value ); $rule .= join( '' , ' --', $_, ' ', $value );
} }
next;
} else {
$rule .= format_option( $_, pop_match( $ruleref, $_ ) );
} }
} }
$rule .= format_option( 'policy', $ruleref->{policy} ) if defined $ruleref->{policy};
if ( defined ( my $state = $ruleref->{'conntrack --ctstate'} ) ) {
$rule .= format_option( 'conntrack --ctstate' , $state );
} elsif ( defined ( $state = $ruleref->{state} ) ) {
$rule .= format_option( 'state', $state );
}
for ( grep ! $opttype{$_}, @{$ruleref->{matches}} ) {
$rule .= format_option( $_, pop_match( $ruleref, $_ ) );
}
for ( grep( ( $opttype{$_} || 0 ) == LAST , @{$ruleref->{matches}} ) ) {
$rule .= format_option( $_, pop_match( $ruleref, $_ ) );
}
if ( $ruleref->{target} ) { if ( $ruleref->{target} ) {
$rule .= join( ' ', " -$ruleref->{jump}", $ruleref->{target} ); $rule .= join( ' ', " -$ruleref->{jump}", $ruleref->{target} );
$rule .= join( '', ' ', $ruleref->{targetopts} ) if $ruleref->{targetopts}; $rule .= join( '', ' ', $ruleref->{targetopts} ) if $ruleref->{targetopts};
@ -1075,8 +1075,13 @@ sub merge_rules( $$$ ) {
my $target = $fromref->{target}; my $target = $fromref->{target};
my %added;
for my $option ( @unique_options ) { for my $option ( @unique_options ) {
$toref->{$option} = $fromref->{$option} if exists $fromref->{$option}; if ( exists $fromref->{$option} ) {
push( @{$toref->{matches}}, $option ) unless exists $toref->{$option};
$toref->{$option} = $fromref->{$option};
}
} }
for my $option ( grep ! $opttype{$_}, keys %$fromref ) { for my $option ( grep ! $opttype{$_}, keys %$fromref ) {
@ -1095,10 +1100,6 @@ sub merge_rules( $$$ ) {
set_rule_option( $toref, 'policy', $fromref->{policy} ) if exists $fromref->{policy}; set_rule_option( $toref, 'policy', $fromref->{policy} ) if exists $fromref->{policy};
for my $option ( grep( ( $opttype{$_} || 0 ) == LAST, keys %$fromref ) ) {
set_rule_option( $toref, $option, $fromref->{$option} );
}
unless ( $toref->{comment} ) { unless ( $toref->{comment} ) {
$toref->{comment} = $fromref->{comment} if exists $fromref->{comment}; $toref->{comment} = $fromref->{comment} if exists $fromref->{comment};
} }
@ -5436,7 +5437,7 @@ sub match_source_net( $;$\$ ) {
if ( $3 ) { if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's'; require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
my @objects = split_list $3, 'nfacct'; my @objects = split_list $3, 'nfacct';
$result .= "-m nfacct --nfacct-name $_ ", $nfobjects{$_} = 1 for @objects; $result .= "-m nfacct --nfacct-name $_ " for @objects;
} }
return $result; return $result;
@ -5454,7 +5455,7 @@ sub match_source_net( $;$\$ ) {
if ( $3 ) { if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's'; require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
my @objects = split_list $3, 'nfacct'; my @objects = split_list $3, 'nfacct';
$result .= "-m nfacct --nfacct-name $_ ", $nfobjects{$_} = 1 for @objects; $result .= "-m nfacct --nfacct-name $_ " for @objects;
} }
} }
@ -5602,7 +5603,7 @@ sub match_dest_net( $;$ ) {
if ( $3 ) { if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's'; require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
my @objects = split_list $3, 'nfacct'; my @objects = split_list $3, 'nfacct';
$result .= "-m nfacct --nfacct-name $_ ", $nfobjects{$_} = 1 for @objects; $result .= "-m nfacct --nfacct-name $_ " for @objects;
} }
return $result; return $result;
@ -5622,7 +5623,7 @@ sub match_dest_net( $;$ ) {
if ( $3 ) { if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's'; require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
my @objects = split_list $3, 'nfacct'; my @objects = split_list $3, 'nfacct';
$result .= "-m nfacct --nfacct-name $_ ", $nfobjects{$_} = 1 for @objects; $result .= "-m nfacct --nfacct-name $_ " for @objects;
} }
return $result; return $result;
@ -6803,9 +6804,10 @@ sub handle_original_dest( $$$ ) {
# #
# Handles non-trivial exclusion. Updates the passed rule and returns ( $rule, $done ) # Handles non-trivial exclusion. Updates the passed rule and returns ( $rule, $done )
# #
sub handle_exclusion( $$$$$$$$$$$$$$$$$$ ) { sub handle_exclusion( $$$$$$$$$$$$$$$$$$$ ) {
my ( $disposition, my ( $disposition,
$table, $table,
$prerule,
$rule, $rule,
$restriction, $restriction,
$inets, $inets,
@ -6887,7 +6889,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$ ) {
for my $dnet ( split_host_list( $dnets, $config{DEFER_DNS_RESOLUTION} ) ) { for my $dnet ( split_host_list( $dnets, $config{DEFER_DNS_RESOLUTION} ) ) {
$source_match = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE}; $source_match = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE};
add_expanded_jump( $chainref, $echainref, 0, join( '', $rule, $source_match, match_dest_net( $dnet, $restriction ), $onet ) ); add_expanded_jump( $chainref, $echainref, 0, join( '', $prerule, $source_match, match_dest_net( $dnet, $restriction ), $onet, $rule ) );
} }
conditional_rule_end( $chainref ) if $cond; conditional_rule_end( $chainref ) if $cond;
@ -6947,11 +6949,12 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$ ) {
# #
# Returns the destination interface specified in the rule, if any. # Returns the destination interface specified in the rule, if any.
# #
sub expand_rule( $$$$$$$$$$;$ ) sub expand_rule( $$$$$$$$$$$;$ )
{ {
my ($chainref , # Chain my ($chainref , # Chain
$restriction, # Determines what to do with interface names in the SOURCE or DEST $restriction, # Determines what to do with interface names in the SOURCE or DEST
$callersrule, # Caller's matches that don't depend on the SOURCE, DEST and ORIGINAL DEST $prerule, # Matches that go at the front of the rule
$rule, # Caller's matches that don't depend on the SOURCE, DEST and ORIGINAL DEST
$source, # SOURCE $source, # SOURCE
$dest, # DEST $dest, # DEST
$origdest, # ORIGINAL DEST $origdest, # ORIGINAL DEST
@ -6971,7 +6974,6 @@ sub expand_rule( $$$$$$$$$$;$ )
my ( $jump, $mac, $targetref, $basictarget ); my ( $jump, $mac, $targetref, $basictarget );
our @ends = (); our @ends = ();
my $deferdns = $config{DEFER_DNS_RESOLUTION}; my $deferdns = $config{DEFER_DNS_RESOLUTION};
my $rule = '';
if ( $target ) { if ( $target ) {
( $basictarget, my $rest ) = split ' ', $target, 2; ( $basictarget, my $rest ) = split ' ', $target, 2;
@ -7078,7 +7080,8 @@ sub expand_rule( $$$$$$$$$$;$ )
# #
( $rule, $done ) = handle_exclusion( $disposition, ( $rule, $done ) = handle_exclusion( $disposition,
$table, $table,
$rule . $callersrule, $prerule,
$rule,
$restriction, $restriction,
$inets, $inets,
$iexcl, $iexcl,
@ -7115,7 +7118,7 @@ sub expand_rule( $$$$$$$$$$;$ )
for my $dnet ( split_host_list( $dnets, $deferdns ) ) { for my $dnet ( split_host_list( $dnets, $deferdns ) ) {
$source_match = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE}; $source_match = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE};
my $dest_match = match_dest_net( $dnet, $restriction ); my $dest_match = match_dest_net( $dnet, $restriction );
my $matches = join( '', $source_match, $dest_match, $onet, $rule, $callersrule ); my $matches = join( '', $source_match, $dest_match, $onet, $rule );
my $cond3 = conditional_rule( $chainref, $dnet ); my $cond3 = conditional_rule( $chainref, $dnet );
@ -7126,7 +7129,7 @@ sub expand_rule( $$$$$$$$$$;$ )
if ( $targetref ) { if ( $targetref ) {
add_expanded_jump( $chainref, $targetref , 0, $matches ); add_expanded_jump( $chainref, $targetref , 0, $matches );
} else { } else {
add_rule( $chainref, $matches . $jump , 1 ); add_rule( $chainref, $prerule . $matches . $jump , 1 );
} }
} elsif ( $disposition eq 'LOG' || $disposition eq 'COUNT' ) { } elsif ( $disposition eq 'LOG' || $disposition eq 'COUNT' ) {
# #

4
Shorewall/Perl/Shorewall/Misc.pm
View File

@ -118,6 +118,7 @@ sub process_tos() {
expand_rule expand_rule
$chainref , $chainref ,
$restriction , $restriction ,
'',
do_proto( $proto, $ports, $sports ) . do_test( $mark , $globals{TC_MASK} ) , do_proto( $proto, $ports, $sports ) . do_test( $mark , $globals{TC_MASK} ) ,
$src , $src ,
$dst , $dst ,
@ -283,6 +284,7 @@ sub setup_blacklist() {
expand_rule( expand_rule(
$chainref , $chainref ,
NO_RESTRICT , NO_RESTRICT ,
'' ,
do_proto( $protocol , $ports, '' ) , do_proto( $protocol , $ports, '' ) ,
$networks, $networks,
'', '',
@ -303,6 +305,7 @@ sub setup_blacklist() {
expand_rule( expand_rule(
$chainref1 , $chainref1 ,
NO_RESTRICT , NO_RESTRICT ,
'' ,
do_proto( $protocol , $ports, '' ) , do_proto( $protocol , $ports, '' ) ,
'', '',
$networks, $networks,
@ -733,6 +736,7 @@ sub process_stoppedrules() {
for my $proto ( split_list $protos, 'Protocol' ) { for my $proto ( split_list $protos, 'Protocol' ) {
expand_rule( $chainref , expand_rule( $chainref ,
$restriction , $restriction ,
'' ,
do_proto( $proto, $ports, $sports ) , do_proto( $proto, $ports, $sports ) ,
$source , $source ,
$dest , $dest ,

4
Shorewall/Perl/Shorewall/Nat.pm
View File

@ -324,6 +324,7 @@ sub process_one_masq1( $$$$$$$$$$ )
# #
expand_rule( $chainref , expand_rule( $chainref ,
POSTROUTE_RESTRICT , POSTROUTE_RESTRICT ,
'' ,
$baserule . $rule , $baserule . $rule ,
$networks , $networks ,
$destnets , $destnets ,
@ -757,6 +758,7 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
$firewallsource ? 'OUTPUT' : $firewallsource ? 'OUTPUT' :
dnat_chain $sourceref->{name} ) ) , dnat_chain $sourceref->{name} ) ) ,
$firewallsource ? OUTPUT_RESTRICT : PREROUTE_RESTRICT , $firewallsource ? OUTPUT_RESTRICT : PREROUTE_RESTRICT ,
'' ,
$rule , $rule ,
$source , $source ,
$origdest , $origdest ,
@ -826,6 +828,7 @@ sub handle_nonat_rule( $$$$$$$$$$ ) {
# #
expand_rule( $chn, expand_rule( $chn,
PREROUTE_RESTRICT, PREROUTE_RESTRICT,
'', # Prerule
'', # Rule '', # Rule
'', # Source '', # Source
'', # Dest '', # Dest
@ -844,6 +847,7 @@ sub handle_nonat_rule( $$$$$$$$$$ ) {
expand_rule( $nonat_chain , expand_rule( $nonat_chain ,
PREROUTE_RESTRICT , PREROUTE_RESTRICT ,
'' ,
$rule , $rule ,
$source , $source ,
$dest , $dest ,

3
Shorewall/Perl/Shorewall/Raw.pm
View File

@ -143,6 +143,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
expand_rule( $chainref , expand_rule( $chainref ,
$restriction , $restriction ,
'',
$rule, $rule,
$source , $source ,
$dest , $dest ,
@ -185,6 +186,7 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
# #
expand_rule( ensure_raw_chain( $actionchain ) , expand_rule( ensure_raw_chain( $actionchain ) ,
PREROUTE_RESTRICT , PREROUTE_RESTRICT ,
'',
$rule , $rule ,
$source , $source ,
$dest , $dest ,
@ -198,6 +200,7 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
( $sourceref->{type} == FIREWALL || $sourceref->{type} == VSERVER ? ( $sourceref->{type} == FIREWALL || $sourceref->{type} == VSERVER ?
OUTPUT_RESTRICT : OUTPUT_RESTRICT :
PREROUTE_RESTRICT ) , PREROUTE_RESTRICT ) ,
'' ,
$rule , $rule ,
$source , $source ,
$dest , $dest ,

1
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -2666,6 +2666,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
expand_rule( $chainref , expand_rule( $chainref ,
$restriction , $restriction ,
'' ,
$rule , $rule ,
$source , $source ,
$dest , $dest ,

3
Shorewall/Perl/Shorewall/Tc.pm
View File

@ -634,6 +634,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
expand_rule( $chainref, expand_rule( $chainref,
$restrictions{$chain} | $restriction, $restrictions{$chain} | $restriction,
'' ,
$match . $match .
do_user( $user ) . do_user( $user ) .
do_test( $testval, $globals{TC_MASK} ) . do_test( $testval, $globals{TC_MASK} ) .
@ -656,6 +657,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
} }
} elsif ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) , } elsif ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
$restrictions{$chain} | $restriction, $restrictions{$chain} | $restriction,
'',
do_proto( $proto, $ports, $sports) . $matches . do_proto( $proto, $ports, $sports) . $matches .
do_user( $user ) . do_user( $user ) .
do_test( $testval, $globals{TC_MASK} ) . do_test( $testval, $globals{TC_MASK} ) .
@ -2344,6 +2346,7 @@ sub process_secmark_rule1( $$$$$$$$$ ) {
expand_rule( ensure_mangle_chain( $chain1 ) , expand_rule( ensure_mangle_chain( $chain1 ) ,
$restrictions{$chain1} , $restrictions{$chain1} ,
'' ,
$state . $state .
do_proto( $proto, $dport, $sport ) . do_proto( $proto, $dport, $sport ) .
do_user( $user ) . do_user( $user ) .

20
Shorewall/manpages/shorewall-accounting.xml
View File

@ -293,9 +293,20 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">INLINE</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.16. Allows freeform iptables
matches to be specified following a ';'. In the generated
iptables rule(s), the freeform matches will follow any matches
that are generated by the column contents.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">NFACCT</emphasis>(<replaceable>object</replaceable>[,...])</term> role="bold">NFACCT</emphasis>(<replaceable>object</replaceable>[,...])[!]</term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.7. Provides a form of accounting <para>Added in Shorewall 4.5.7. Provides a form of accounting
@ -312,6 +323,13 @@
<replaceable>object</replaceable> could be specified. <replaceable>object</replaceable> could be specified.
Beginning with Shorewall 4.5.16, an arbitrary number of Beginning with Shorewall 4.5.16, an arbitrary number of
objects may be given.</para> objects may be given.</para>
<para>With Shorewall 4.5.16 or later, <emphasis
role="bold">!</emphasis> may be specified to indicate that the
nfacct <replaceable>object</replaceable>(s) will be
incremented unconditionally. When omitted, the
<replaceable>object</replaceable>(s) will be incremented only
if all of the matches in the rule succeed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

20
Shorewall6/manpages/shorewall6-accounting.xml
View File

@ -235,9 +235,20 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">INLINE</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.16. Allows freeform ip6tables
matches to be specified following a ';'. In the generated
ip6tables rule(s), the freeform matches will follow any
matches that are generated by the column contents.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">NFACCT</emphasis>(<replaceable>object</replaceable>[,...])</term> role="bold">NFACCT</emphasis>(<replaceable>object</replaceable>[,...])[!]</term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.7. Provides a form of accounting <para>Added in Shorewall 4.5.7. Provides a form of accounting
@ -254,6 +265,13 @@
<replaceable>object</replaceable> could be specified. <replaceable>object</replaceable> could be specified.
Beginning with Shorewall 4.5.16, an arbitrary number of Beginning with Shorewall 4.5.16, an arbitrary number of
objects may be given.</para> objects may be given.</para>
<para>With Shorewall 4.5.16 or later, <emphasis
role="bold">!</emphasis> may be specified to indicate that the
nfacct <replaceable>object</replaceable>(s) will be
incremented unconditionally. When omitted, the
<replaceable>object</replaceable>(s) will be incremented only
if all of the matches in the rule succeed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>