Add support for nfacct
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
87c0f934aa
commit
735b7c2cf5
@ -615,6 +615,20 @@ show_connections_filter() {
|
||||
fi
|
||||
}
|
||||
|
||||
show_nfacct() {
|
||||
if [ -n "$NFACCT" -a ! -x "$NFACCT" ]; then
|
||||
error_message "WARNING: NFACCT=$NFACCT does not exist or is not executable"
|
||||
NFACCT=
|
||||
else
|
||||
NFACCT=$(mywhich nfacct)
|
||||
[ -n "$NFACCT" ] || "No NF Accounting defined"
|
||||
fi
|
||||
|
||||
if [ -n "$NFACCT" ]; then
|
||||
$NFACCT list
|
||||
echo
|
||||
fi
|
||||
}
|
||||
#
|
||||
# Show Command Executor
|
||||
#
|
||||
@ -920,6 +934,12 @@ show_command() {
|
||||
echo
|
||||
[ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
|
||||
;;
|
||||
nfacct)
|
||||
[ $# -gt 1 ] && usage 1
|
||||
echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)"
|
||||
echo
|
||||
show_nfacct
|
||||
;;
|
||||
*)
|
||||
case "$g_program" in
|
||||
*-lite)
|
||||
@ -1202,6 +1222,9 @@ do_dump_command() {
|
||||
perip_accounting
|
||||
fi
|
||||
|
||||
heading "NF Accounting"
|
||||
show_nfacct
|
||||
|
||||
if qt mywhich setkey; then
|
||||
heading "PFKEY SPD"
|
||||
setkey -DP
|
||||
@ -2109,6 +2132,19 @@ determine_capabilities() {
|
||||
|
||||
qt $g_tool -A $chain -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes
|
||||
|
||||
if [ -n "$NFACCT" -a ! -x "$NFACCT" ]; then
|
||||
error_message "WARNING: NFACCT=$NFACCT does not exist or is not executable"
|
||||
NFACCT=
|
||||
else
|
||||
NFACCT=$(mywhich nfacct)
|
||||
fi
|
||||
|
||||
if [ -n "$NFACCT" ] && qt $NFACCT add $chain; then
|
||||
qt $g_tool -A $chain -m nfacct --nfacct-name $chain && NFACCT_MATCH=Yes
|
||||
qt $g_tool -D $chain -m nfacct --nfacct-name $chain
|
||||
qt $NFACCT del $chain
|
||||
fi
|
||||
|
||||
if [ -n "$MANGLE_ENABLED" ]; then
|
||||
qt $g_tool -t mangle -N $chain
|
||||
|
||||
@ -2131,12 +2167,6 @@ determine_capabilities() {
|
||||
qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes
|
||||
qt $g_tool -t mangle -A $chain -m rpfilter && RPFILTER_MATCH=Yes
|
||||
|
||||
if qt nfacct add $chain; then
|
||||
qt $g_tool -t mangle -A $chain -m nfacct --nfacct-name $chain && NFACCT_MATCH=Yes
|
||||
qt $g_tool -t mangle -D $chain -m nfacct --nfacct-name $chain
|
||||
qt nfacct del $chain
|
||||
fi
|
||||
|
||||
qt $g_tool -t mangle -F $chain
|
||||
qt $g_tool -t mangle -X $chain
|
||||
|
||||
|
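Review bot: In show_nfacct, and again in the determine_capabilities hunk, the `else` branch runs whenever `[ -n "$NFACCT" -a ! -x "$NFACCT" ]` is false, which includes the case where NFACCT names a valid executable, so a configured pathname is always replaced by the `mywhich nfacct` PATH lookup. These commands run as root, so the administrator's pinned binary should win and the PATH search should only be the fallback when NFACCT is empty. In show_nfacct the line `[ -n "$NFACCT" ] || "No NF Accounting defined"` also tries to execute the message as a command; it needs `echo` (or error_message) in front. Quoting the invocation as `"$NFACCT" list` would additionally keep a pathname containing whitespace intact.

```shell
show_nfacct() {
    if [ -n "$NFACCT" ]; then
        # A pathname was configured: validate it, never override it.
        if [ ! -x "$NFACCT" ]; then
            error_message "WARNING: NFACCT=$NFACCT does not exist or is not executable"
            NFACCT=
        fi
    else
        # Nothing configured: fall back to the PATH search.
        NFACCT=$(mywhich nfacct)
        [ -n "$NFACCT" ] || echo "No NF Accounting defined"
    fi
    # … unchanged: the block that runs the list command when NFACCT is non-empty …
```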
@ -236,6 +236,11 @@ sub process_accounting_rule( ) {
|
||||
}
|
||||
} elsif ( $action =~ /^NFLOG/ ) {
|
||||
$target = validate_level $action;
|
||||
} elsif ( $action =~ /^NFACCT\((\w+)\)$/ ) {
|
||||
require_capability 'NFACCT_MATCH', 'The NFACCT action', 's';
|
||||
$nfobjects{$1} = 1;
|
||||
$target = '';
|
||||
$rule .= "-m nfacct --nfacct-name $1 ";
|
||||
} else {
|
||||
( $action, my $cmd ) = split /:/, $action;
|
||||
|
||||
|
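Review bot: The object name captured by `/^NFACCT\((\w+)\)$/` is restricted by character class but not by length, so an over-long name is accepted at compile time and the failure is deferred until the generated script runs `nfacct add` on the firewall. The kernel caps nfacct object names (NFACCT_NAME_MAX, 32 bytes including the terminator as far as I know; confirm against the target kernel headers), so a check such as `fatal_error "Invalid nfacct object name ($1)" if length( $1 ) > 31;` would give a clearer error. It would also read better to copy the capture into a lexical (`my $object = $1;`) before calling require_capability, and to anchor with `\z` rather than `$` so a trailing newline cannot match. process_accounting_rule starts and ends outside this hunk.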
@ -36,7 +36,7 @@ use Shorewall::IPAddrs;
|
||||
use strict;
|
||||
|
||||
our @ISA = qw(Exporter);
|
||||
our @EXPORT = qw/
|
||||
our @EXPORT = qw(
|
||||
DONT_OPTIMIZE
|
||||
DONT_DELETE
|
||||
DONT_MOVE
|
||||
@ -86,10 +86,10 @@ our @EXPORT = qw/
|
||||
$nat_table
|
||||
$mangle_table
|
||||
$filter_table
|
||||
/;
|
||||
);
|
||||
|
||||
our %EXPORT_TAGS = (
|
||||
internal => [ qw/ STANDARD
|
||||
internal => [ qw( STANDARD
|
||||
NATRULE
|
||||
BUILTIN
|
||||
NONAT
|
||||
@ -238,13 +238,15 @@ our %EXPORT_TAGS = (
|
||||
set_global_variables
|
||||
save_dynamic_chains
|
||||
load_ipsets
|
||||
create_nfobjects
|
||||
create_netfilter_load
|
||||
preview_netfilter_load
|
||||
create_chainlist_reload
|
||||
create_stop_load
|
||||
%targets
|
||||
%dscpmap
|
||||
/ ],
|
||||
%nfobjects
|
||||
) ],
|
||||
);
|
||||
|
||||
Exporter::export_ok_tags('internal');
|
||||
@ -334,6 +336,7 @@ my $comment;
|
||||
my @comments;
|
||||
my $export;
|
||||
my %renamed;
|
||||
our %nfobjects;
|
||||
|
||||
#
|
||||
# Target Types
|
||||
@ -662,7 +665,8 @@ sub initialize( $$$ ) {
|
||||
snmp => UDP,
|
||||
tftp => UDP);
|
||||
|
||||
%isocodes = ();
|
||||
%isocodes = ();
|
||||
%nfobjects = ();
|
||||
|
||||
#
|
||||
# The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
|
||||
@ -5406,6 +5410,7 @@ sub set_chain_variables() {
|
||||
} else {
|
||||
emit 'IPSET=ipset';
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
@ -6872,6 +6877,32 @@ sub load_ipsets() {
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Create nfacct objects if needed
|
||||
#
|
||||
sub create_nfobjects() {
|
||||
|
||||
my @objects = ( keys %nfobjects );
|
||||
|
||||
if ( @objects ) {
|
||||
if ( $config{NFACCT} ) {
|
||||
emit( qq(NFACCT="$config{NFACCT}") ,
|
||||
'[ -x "$NFACCT" ] || startup_error "NFACCT=$NFACCT does not exist or is not executable"'
|
||||
);
|
||||
} else {
|
||||
emit( 'NFACCT=$(mywhich nfacct)' ,
|
||||
'[ -n "$NFACCT" ] || startup_error "No nfacct utility found"',
|
||||
''
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
for ( keys %nfobjects ) {
|
||||
emit( qq(if ! qt \$NFACCT get $_; then),
|
||||
qq( \$NFACCT add $_),
|
||||
qq(fi\n) );
|
||||
}
|
||||
}
|
||||
#
|
||||
#
|
||||
# Generate the netfilter input
|
||||
|
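Review bot: In create_nfobjects the emitted `$NFACCT add <name>` is not checked, so if object creation fails the generated script carries on and the error only surfaces later, when a ruleset referencing `--nfacct-name` is loaded; emitting `qq(    \$NFACCT add $_ || startup_error "Unable to create nfacct object $_")` would stop at the real cause. `@objects` is computed but the loop iterates `keys %nfobjects` again in hash order, so the generated script can differ between otherwise identical compiles; `for ( sort @objects )` keeps it stable. `qq(NFACCT="$config{NFACCT}")` copies the configured value unescaped into a double-quoted shell string in a script that runs as root, which deserves a check if the value is not validated elsewhere (not visible in this hunk).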
@ -368,6 +368,7 @@ sub generate_script_3($) {
|
||||
emit '';
|
||||
|
||||
load_ipsets;
|
||||
create_nfobjects;
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
emit ( 'if [ "$COMMAND" = refresh ]; then' ,
|
||||
|
@ -573,6 +573,7 @@ sub initialize( $;$ ) {
|
||||
IPSECFILE => undef,
|
||||
LOCKFILE => undef,
|
||||
GEOIPDIR => undef,
|
||||
NFACCT => undef,
|
||||
#
|
||||
# Default Actions/Macros
|
||||
#
|
||||
@ -3223,7 +3224,7 @@ sub NFAcct_Match() {
|
||||
|
||||
if ( qt1( "nfacct add $sillyname" ) ) {
|
||||
$result = qt1( "$iptables -A $sillyname -m nfacct --nfacct-name $sillyname" );
|
||||
qt( "iptables -D $sillyname -m nfacct $sillyname" );
|
||||
qt( "$iptables -D $sillyname -m nfacct --nfacct-name $sillyname" );
|
||||
qt( "nfacct del $sillyname" );
|
||||
}
|
||||
|
||||
|
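Review bot: NFAcct_Match still probes with a bare `nfacct add $sillyname` and `nfacct del $sillyname`, resolved through PATH, although this commit introduces the NFACCT setting and the shell-side determine_capabilities was switched to `$NFACCT`. With NFACCT pointing outside PATH the probe would presumably fail and NFACCT_MATCH be reported missing, and when it is set the compile-time probe may run a different binary from the one the administrator pinned. Consider `my $nfacct = $config{NFACCT} || 'nfacct';` and using `$nfacct` in both calls, assuming %config is populated by the time capabilities are probed. The body of NFAcct_Match starts and ends outside the hunk.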
@ -69,6 +69,8 @@ LOCKFILE=
|
||||
|
||||
MODULESDIR=
|
||||
|
||||
NFACCT=
|
||||
|
||||
PERL=/usr/bin/perl
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
@ -80,6 +80,8 @@ LOCKFILE=
|
||||
|
||||
MODULESDIR=
|
||||
|
||||
NFACCT=
|
||||
|
||||
PERL=/usr/bin/perl
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
@ -78,6 +78,8 @@ LOCKFILE=
|
||||
|
||||
MODULESDIR=
|
||||
|
||||
NFACCT=
|
||||
|
||||
PERL=/usr/bin/perl
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
@ -81,6 +81,8 @@ LOCKFILE=
|
||||
|
||||
MODULESDIR=
|
||||
|
||||
NFACCT=
|
||||
|
||||
PERL=/usr/bin/perl
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
@ -69,6 +69,8 @@ LOCKFILE=
|
||||
|
||||
MODULESDIR=
|
||||
|
||||
NFACCT=
|
||||
|
||||
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
|
||||
|
||||
PERL=/usr/bin/perl
|
||||
|
@ -294,8 +294,25 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>NFLOG[(nflog-parameters)] - Added in
|
||||
Shorewall-4.4.20.</term>
|
||||
<term><emphasis
|
||||
role="bold">NFACCT</emphasis>(<replaceable>object</replaceable>)</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.7. Provides a form of accounting
|
||||
that survives <command>shorewall stop/shorewall</command>
|
||||
start and <command>shorewall restart</command>. Requires the
|
||||
NFaccnt Match capability in your kernel and iptables.
|
||||
<replaceable>object</replaceable> names an nfacct object (see
|
||||
man nfaccnt(8)). Multiple rules can specify the same
|
||||
<replaceable>object</replaceable>; all packets that match any
|
||||
of the rules increment the packet and bytes count of the
|
||||
object.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">NFLOG</emphasis>[(nflog-parameters)]
|
||||
- Added in Shorewall-4.4.20.</term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes each matching packet to be sent via the currently
|
||||
@ -306,7 +323,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>COMMENT</term>
|
||||
<term><emphasis role="bold">COMMENT</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>The remainder of the line is treated as a comment which
|
||||
|
@ -96,7 +96,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para></para>
|
||||
<para/>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -106,7 +106,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para></para>
|
||||
<para/>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -116,7 +116,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para></para>
|
||||
<para/>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -126,7 +126,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para></para>
|
||||
<para/>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -482,7 +482,7 @@
|
||||
</itemizedlist>
|
||||
|
||||
<blockquote>
|
||||
<para></para>
|
||||
<para/>
|
||||
|
||||
<para>If CONFIG_PATH is not given or if it is set to the empty
|
||||
value then the contents of /usr/share/shorewall/configpath are
|
||||
@ -829,7 +829,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para></para>
|
||||
<para/>
|
||||
|
||||
<blockquote>
|
||||
<para>If this variable is not set or is given an empty value
|
||||
@ -1039,7 +1039,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para></para>
|
||||
<para/>
|
||||
|
||||
<blockquote>
|
||||
<para>For example, using the default LOGFORMAT, the log prefix for
|
||||
@ -1056,7 +1056,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
control your firewall after you enable this option.</para>
|
||||
</important>
|
||||
|
||||
<para></para>
|
||||
<para/>
|
||||
|
||||
<caution>
|
||||
<para>Do not use this option if the resulting log messages will
|
||||
@ -1437,6 +1437,17 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">NFACCT=</emphasis>[<emphasis>pathname</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.7. Specifies the pathname of the nfacct
|
||||
utiliity. If not specified, Shorewall will use the PATH settting to
|
||||
find the program.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">NULL_ROUTE_RFC1918=</emphasis>[<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
|
||||
@ -1709,7 +1720,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
role="bold">"</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para></para>
|
||||
<para/>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -68,6 +68,8 @@ LOCKFILE=
|
||||
|
||||
MODULESDIR=
|
||||
|
||||
NFACCT=
|
||||
|
||||
PERL=/usr/bin/perl
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
@ -68,6 +68,8 @@ LOCKFILE=
|
||||
|
||||
MODULESDIR=
|
||||
|
||||
NFACCT=
|
||||
|
||||
PERL=/usr/bin/perl
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
@ -68,6 +68,8 @@ LOCKFILE=
|
||||
|
||||
MODULESDIR=
|
||||
|
||||
NFACCT=
|
||||
|
||||
PERL=/usr/bin/perl
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
@ -68,6 +68,8 @@ LOCKFILE=
|
||||
|
||||
MODULESDIR=
|
||||
|
||||
NFACCT=
|
||||
|
||||
PERL=/usr/bin/perl
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
@ -68,6 +68,8 @@ LOCKFILE=
|
||||
|
||||
MODULESDIR=
|
||||
|
||||
NFACCT=
|
||||
|
||||
PERL=/usr/bin/perl
|
||||
|
||||
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
|
||||
|
@ -236,8 +236,25 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>NFLOG[(nflog-parameters)] - Added in
|
||||
Shorewall-4.4.20.</term>
|
||||
<term><emphasis
|
||||
role="bold">NFACCT</emphasis>(<replaceable>object</replaceable>)</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.7. Provides a form of accounting
|
||||
that survives <command>shorewall stop/shorewall</command>
|
||||
start and <command>shorewall restart</command>. Requires the
|
||||
NFaccnt Match capability in your kernel and iptables.
|
||||
<replaceable>object</replaceable> names an nfacct object (see
|
||||
man nfaccnt(8)). Multiple rules can specify the same
|
||||
<replaceable>object</replaceable>; all packets that match any
|
||||
of the rules increment the packet and bytes count of the
|
||||
object.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">NFLOG</emphasis>[(nflog-parameters)]
|
||||
- Added in Shorewall-4.4.20.</term>
|
||||
|
||||
<listitem>
|
||||
<para>Causes each matching packet to be sent via the currently
|
||||
@ -248,7 +265,7 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>COMMENT</term>
|
||||
<term><emphasis role="bold">COMMENT</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>The remainder of the line is treated as a comment which
|
||||
|
@ -82,7 +82,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para></para>
|
||||
<para/>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -92,7 +92,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para></para>
|
||||
<para/>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -102,7 +102,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para></para>
|
||||
<para/>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -112,7 +112,7 @@
|
||||
role="bold">none</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para></para>
|
||||
<para/>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -902,7 +902,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para></para>
|
||||
<para/>
|
||||
|
||||
<blockquote>
|
||||
<para>For example, using the default LOGFORMAT, the log prefix for
|
||||
@ -919,7 +919,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
control your firewall after you enable this option.</para>
|
||||
</important>
|
||||
|
||||
<para></para>
|
||||
<para/>
|
||||
|
||||
<caution>
|
||||
<para>Do not use this option if the resulting log messages will
|
||||
@ -1261,6 +1261,17 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">NFACCT=</emphasis>[<emphasis>pathname</emphasis>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.7. Specifies the pathname of the nfacct
|
||||
utiliity. If not specified, Shorewall will use the PATH settting to
|
||||
find the program.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">OPTIMIZE=</emphasis>[<replaceable>value</replaceable>]</term>
|
||||
@ -1507,7 +1518,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
role="bold">"</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para></para>
|
||||
<para/>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -296,7 +296,7 @@
|
||||
<emphasis role="bold">OUTPUT</emphasis> and <emphasis
|
||||
role="bold">FORWARD</emphasis> and must appear in that order (although any
|
||||
of them may be omitted). The first non-commentary record in the accounting
|
||||
file must be a section header when sectioning is used. </para>
|
||||
file must be a section header when sectioning is used.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was
|
||||
added to shorewall.conf and shorewall6.conf. That setting determines the
|
||||
@ -562,4 +562,54 @@ IP: 70.90.191.123 SRC packets: 42 bytes: 4604 DST packets: 44 bytes: 10662
|
||||
gateway:~#
|
||||
</programlisting>
|
||||
</section>
|
||||
|
||||
<section id="nfacct">
|
||||
<title>Accounting using nfacct</title>
|
||||
|
||||
<para>Beginning with the 3.3 kernels, Netfilter supports a form of
|
||||
accounting (nfacct) that is triggered by iptables rules but that survives
|
||||
purging and/or reloading the Netfilter ruleset. Shorewall support for this
|
||||
form of accounting was added in Shorewall 4.5.7.</para>
|
||||
|
||||
<para>As of this writing (late July 2012), Fedora 17 has partial support
|
||||
for this feature but not all. It is necessary to download and build the
|
||||
following:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>libnetfilter_acct</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>nfacct</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>The following Fedora packages are also required:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>libnetlink and libnetlink-dev</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>libmnl and libmnl-dev</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>The tarballs are available from the Netfilter download sites.</para>
|
||||
|
||||
<para>The nfacct utility can create, delete and display <firstterm>nfacct
|
||||
objects</firstterm>. These named objects consist of a packet and byte
|
||||
counter. Packets matching those netfilter rules that use the nfacct match
|
||||
cause the packet and byte count in the object named in the match to be
|
||||
incremented.</para>
|
||||
|
||||
<para>To use nfaccnt with Shorewall, use the NFACCT target. See <ulink
|
||||
url="manpages/shorewall-accounting.html">shorewall-accounting</ulink>(5)
|
||||
for details.</para>
|
||||
|
||||
<para>The <command>shorewall show nfacct</command> command is a thin
|
||||
wrapper around the <command>nfacct list</command> command.</para>
|
||||
</section>
|
||||
</article>
|
||||
|