diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index bd88492d4..f57c208ba 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -6,6 +6,8 @@ Changes in Shorewall 4.4.17 Beta 3
3) Correct two defects in compiler module loading.
+4) Implement per-IP module loading.
+
Changes in Shorewall 4.4.17 Beta 2
1) Handle line containing only INCLUDE.
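Review bot: The new changelog entry "4) Implement per-IP module loading." does not match the feature this patch documents everywhere else, which is per-IP accounting using the ACCOUNT target. "module loading" looks carried over from entry 3) above it. Suggest "4) Implement per-IP accounting."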
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 9b6d10656..b04bec4c4 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -16,11 +16,14 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
Beta 3
-1) If the SOURCE column in /etc/shorewall6/rules contained [
],
- a spurious error was generated:
+1) If the SOURCE column in /etc/shorewall6/rules contained an IPv6
+ address enclosed in [...], a spurious error was generated:
ERROR: Invalid VLSM (0]) : /etc/shorewall6/rules (line 20)
+ The error did not occur if <...> was used to enclose the IPv6
+ address.
+
2) Two compiler defects in module loading have been corrected:
a) Previously, the kernel/net/ipv6/netfilter/ directory was not
@@ -69,6 +72,58 @@ Beta 1
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
+Beta 3
+
+1) This release adds support for per-IP accounting using the ACCOUNT
+ target. That target is only available when xtables-addons is
+ installed. This support has been successfully tested with
+ xtables-addons 1.32 on:
+
+ - Fedora 14
+ - Debian Squeeze
+
+ Versions of xtables-addons supporting the ACCOUNT target do not
+ install successfully on Debian Lenny.
+
+ Information about xtables-addons installation may be found at
+ http://www.shorewall.net/Dynamic.html#xtables-addons
+
+ This feature required addition of the "ACCOUNT Target" capability
+ so if you use a capabilities file, you will want to refresh it
+ after installing this release.
+
+ Per-IP accounting is configured in /etc/shorewall/accounting (it is
+ not currently supported in IPv6). In the ACTION column, enter:
+
+ ACCOUNT(,)
+
+ where:
+
+ is the name of an accounting table (you choose the
+ name). Rules specifying the same table will have their
+ per-IP counters accumulated in that table.
+
+ is an IPv4 in CIDR format. May be as large as a /8.
+
+ Example: Suppose your WAN interface is eth0 and your LAN interface
+ is eth1 with network 172.20.1.0/24. To account for all
+ traffic between the WAN and LAN interfaces:
+
+ #ACTION TABLE SOURCE DEST ...
+ ACCOUNT(net-loc,172.20.1.0/24) - eth0 eth1
+ ACCOUNT(net-loc,172.20.1.0/24) - eth0 eth1
+
+ This will create a net-loc table for counting packets and
+ bytes for traffic between the two interfaces. The table is dumped
+ using the iptaccount utility:
+
+ iptaccount [-f] -l net-loc
+
+ For each local IP address with non-zero counters, the packet and
+ byte count for both incoming traffic (IP is DST) and outgoing
+ traffic (IP is SRC) are listed. The -f option causes the table to
+ be flushed (reset all counters to zero).
+
Beta 2
1) Traditionally, the -lite products have used the modules (or
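Review bot: In the release-notes example, both "ACCOUNT(net-loc,172.20.1.0/24) - eth0 eth1" rules are identical, so only the eth0-to-eth1 direction is counted although the text promises "all traffic between the WAN and LAN interfaces". The second rule should read "- eth1 eth0", as it does in docs/Accounting.xml. The example's column header also says TABLE where Accounting.xml says CHAIN, and "is an IPv4 in CIDR format" is missing the word "network". Accounting.xml and the manpage add that -f flushes "after printing"; the same wording here would keep the three descriptions consistent.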
diff --git a/docs/Accounting.xml b/docs/Accounting.xml
index 950cdd691..4c018b871 100644
--- a/docs/Accounting.xml
+++ b/docs/Accounting.xml
@@ -243,4 +243,71 @@
traffic activity. The article may be found at http://collectd.org/wiki/index.php/Plugin:IPTables.
+
+
+ Per-IP Accounting
+
+ Shorewall 4.4.17 added support for per-IP accounting using the
+ ACCOUNT target. That target is only available when xtables-addons is
+ installed. This support has been successfully tested with xtables-addons
+ 1.32 on:
+
+
+
+ Fedora 14
+
+
+
+ Debian Squeeze
+
+
+
+ Versions of xtables-addons supporting the ACCOUNT target do not
+ install successfully on Debian Lenny.
+
+ Information about xtables-addons installation may be found at here.
+
+ Per-IP accounting is configured in shorewall-accounting (5)
+ (it is currently not supported in IPv6). In the ACTION column,
+ enter:
+
+
+ ACCOUNT(table,network)
+
+
+ where
+
+
+ table is the name of an accounting
+ table (you choose the name). All rules specifying the same table will
+ have their per-IP counters accumulated in that table.
+
+ network is an IPv4 network in CIDR
+ notation. The network can be as large as a /8 (class A).
+
+
+ Example: Suppose your WAN interface is eth0 and your LAN interface
+ is eth1 with network 172.20.1.0/24. To account for all traffic between the
+ WAN and LAN interfaces:
+
+ #ACTION CHAIN SOURCE DEST ...
+ACCOUNT(net-loc,172.20.1.0/24) - eth0 eth1
+ACCOUNT(net-loc,172.20.1.0/24) - eth1 eth0
+
+ This will create a net-loc table
+ for counting packets and bytes for traffic between the two interfaces. The
+ table is dumped using the iptaccount utility (part of
+ xtables-addons):
+
+ iptaccount [-f] -l net-loc
+
+ For each local IP address with non-zero counters, the packet and
+ byte count for both incoming traffic (IP is DST) and outgoing traffic (IP
+ is SRC) are listed. The -f option causes the table to be flushed (reset
+ all counters to zero) after printing.
+
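Review bot: "Information about xtables-addons installation may be found at here." should read "may be found here". This section also omits the point made in releasenotes.txt that the feature adds the "ACCOUNT Target" capability, so users with a capabilities file need to refresh it. A user reading only Accounting.xml would not know why the ACCOUNT action is rejected after an upgrade. Suggest adding that sentence after the xtables-addons paragraph.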
diff --git a/manpages/shorewall-accounting.xml b/manpages/shorewall-accounting.xml
index d511e7bea..cd6bf6cb2 100644
--- a/manpages/shorewall-accounting.xml
+++ b/manpages/shorewall-accounting.xml
@@ -35,7 +35,7 @@
ACTION - {COUNT|DONE|chain[:{COUNT:JUMP}]|COUNT
+ role="bold">{COUNT:JUMP}]|ACCOUNT(table,network)|COUNT
comment}
@@ -86,6 +86,40 @@
+
+ ACCOUNT(table,network)
+
+
+ This action implements per-IP accounting and was added
+ in Shoreall 4.4.17. Requires the ACCOUNT
+ Target capability in your iptables and kernel (see
+ the output of shorewall show
+ capabilities).
+
+
+ table is the name of an
+ accounting table (you choose the name). All rules specifying
+ the same table will have their per-IP counters accumulated
+ in that table.
+
+ network is an IPv4
+ network in CIDR notation. The network can be as large as a
+ /8 (class A).
+
+
+ The counters in a table are
+ printed using the iptaccount utility. As of
+ February 2011, the ACCOUNT Target capability and the
+ iptaccount utility are only available when xtables-addons
+ is installed. See http://www.shorewall.net/Accounting.html#perIP
+ for additional information.
+
+
+
COMMENT
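Review bot: "Shoreall 4.4.17" in the first paragraph of the new ACCOUNT(table,network) entry is a typo for "Shorewall 4.4.17". The entry also leaves out the limitation stated in both releasenotes.txt and Accounting.xml that per-IP accounting is not currently supported in IPv6. Since the manpage is the reference users consult when writing rules, suggest stating it here too.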