diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index 11fad5b93..d39d80684 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -615,6 +615,20 @@ show_connections_filter() { fi } +show_nfacct() { + if [ -n "$NFACCT" -a ! -x "$NFACCT" ]; then + error_message "WARNING: NFACCT=$NFACCT does not exist or is not executable" + NFACCT= + else + NFACCT=$(mywhich nfacct) + [ -n "$NFACCT" ] || "No NF Accounting defined" + fi + + if [ -n "$NFACCT" ]; then + $NFACCT list + echo + fi +} # # Show Command Executor # @@ -920,6 +934,12 @@ show_command() { echo [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks; ;; + nfacct) + [ $# -gt 1 ] && usage 1 + echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)" + echo + show_nfacct + ;; *) case "$g_program" in *-lite) @@ -1202,6 +1222,9 @@ do_dump_command() { perip_accounting fi + heading "NF Accounting" + show_nfacct + if qt mywhich setkey; then heading "PFKEY SPD" setkey -DP @@ -2109,6 +2132,19 @@ determine_capabilities() { qt $g_tool -A $chain -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes + if [ -n "$NFACCT" -a ! -x "$NFACCT" ]; then + error_message "WARNING: NFACCT=$NFACCT does not exist or is not executable" + NFACCT= + else + NFACCT=$(mywhich nfacct) + fi + + if [ -n "$NFACCT" ] && qt $NFACCT add $chain; then + qt $g_tool -A $chain -m nfacct --nfacct-name $chain && NFACCT_MATCH=Yes + qt $g_tool -D $chain -m nfacct --nfacct-name $chain + qt $NFACCT del $chain + fi + if [ -n "$MANGLE_ENABLED" ]; then qt $g_tool -t mangle -N $chain 
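Review bot: In show_nfacct the line `[ -n "$NFACCT" ] || "No NF Accounting defined"` executes the message as a command name (the user sees "command not found") instead of reporting it; it should read `[ -n "$NFACCT" ] || error_message "No NF Accounting defined"`, using the helper already called two lines above. The `if`/`else` also defeats the new NFACCT= setting: when NFACCT is set and executable the first condition is false, so the `else` branch overwrites it with the PATH lookup (or clears it when nfacct is not on PATH). Change the `else` to `elif [ -z "$NFACCT" ]; then` so the PATH lookup only runs when nothing was configured. A lesser nit is that `-a` inside `[ ]` is not portable across all /bin/sh implementations; two chained `[ ]` tests avoid that.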
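Review bot: The NFACCT probe added to determine_capabilities has the same branch inversion as show_nfacct: because the `else` is taken whenever NFACCT is empty or executable, a valid configured NFACCT is replaced by `$(mywhich nfacct)`, so the capability test ends up probing a different binary from the one the configuration names, or none at all. Replace `else` with `elif [ -z "$NFACCT" ]; then` so the configured path is kept when it passes the `-x` check. The `del` of the test object runs only when `add` succeeded, which is correct, but note that `qt $g_tool -D $chain -m nfacct --nfacct-name $chain` is attempted even when the `-A` failed; that is harmless under `qt` but a comment saying so would save the next reader a double take. The enclosing determine_capabilities function continues past the end of this hunk.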
@@ -2131,12 +2167,6 @@ determine_capabilities() { qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes qt $g_tool -t mangle -A $chain -m rpfilter && RPFILTER_MATCH=Yes - if qt nfacct add $chain; then - qt $g_tool -t mangle -A $chain -m nfacct --nfacct-name $chain && NFACCT_MATCH=Yes - qt $g_tool -t mangle -D $chain -m nfacct --nfacct-name $chain - qt nfacct del $chain - fi - qt $g_tool -t mangle -F $chain qt $g_tool -t mangle -X $chain diff --git a/Shorewall/Perl/Shorewall/Accounting.pm b/Shorewall/Perl/Shorewall/Accounting.pm index 3a8947fa3..7caab570b 100644 --- a/Shorewall/Perl/Shorewall/Accounting.pm +++ b/Shorewall/Perl/Shorewall/Accounting.pm @@ -236,6 +236,11 @@ sub process_accounting_rule( ) { } } elsif ( $action =~ /^NFLOG/ ) { $target = validate_level $action; + } elsif ( $action =~ /^NFACCT\((\w+)\)$/ ) { + require_capability 'NFACCT_MATCH', 'The NFACCT action', 's'; + $nfobjects{$1} = 1; + $target = ''; + $rule .= "-m nfacct --nfacct-name $1 "; } else { ( $action, my $cmd ) = split /:/, $action; diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index b2d7c3009..967c59cb2 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -36,7 +36,7 @@ use Shorewall::IPAddrs; use strict; our @ISA = qw(Exporter); -our @EXPORT = qw/ +our @EXPORT = qw( DONT_OPTIMIZE DONT_DELETE DONT_MOVE @@ -86,10 +86,10 @@ our @EXPORT = qw/ $nat_table $mangle_table $filter_table - /; + ); our %EXPORT_TAGS = ( - internal => [ qw/ STANDARD + internal => [ qw( STANDARD NATRULE BUILTIN NONAT @@ -238,13 +238,15 @@ our %EXPORT_TAGS = ( set_global_variables save_dynamic_chains load_ipsets + create_nfobjects create_netfilter_load preview_netfilter_load create_chainlist_reload create_stop_load %targets %dscpmap - / ], + %nfobjects + ) ], ); Exporter::export_ok_tags('internal'); @@ -334,6 +336,7 @@ my $comment; my @comments; my $export; my %renamed; +our %nfobjects; # # Target Types 
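Review bot: The object name captured by `^NFACCT\((\w+)\)$` is interpolated verbatim into `--nfacct-name $1` here and, via %nfobjects, into the generated shell script's `$NFACCT add` call, so the `\w+` restriction is what keeps both interpolations safe; a comment such as `# \w+ is deliberate: the name is interpolated unquoted into iptables args and the generated script` would stop a later change from loosening it to `[^)]+`. No length check is performed, so an over-long name is rejected only at start time by nfacct rather than by the compiler; I believe the kernel imposes a short maximum on nfacct object names (please confirm against libnetfilter_acct before picking a limit), in which case a `fatal_error` on the name length belongs here. As a style point, capture into a lexical (`my $name = $1;`) rather than relying on `$1` across two statements. The enclosing sub process_accounting_rule starts and ends outside this hunk.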
@@ -662,7 +665,8 @@ sub initialize( $$$ ) { snmp => UDP, tftp => UDP); - %isocodes = (); + %isocodes = (); + %nfobjects = (); # # The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined. @@ -5406,6 +5410,7 @@ sub set_chain_variables() { } else { emit 'IPSET=ipset'; } + } # @@ -6872,6 +6877,32 @@ sub load_ipsets() { } } +# +# Create nfacct objects if needed +# +sub create_nfobjects() { + + my @objects = ( keys %nfobjects ); + + if ( @objects ) { + if ( $config{NFACCT} ) { + emit( qq(NFACCT="$config{NFACCT}") , + '[ -x "$NFACCT" ] || startup_error "NFACCT=$NFACCT does not exist or is not executable"' + ); + } else { + emit( 'NFACCT=$(mywhich nfacct)' , + '[ -n "$NFACCT" ] || startup_error "No nfacct utility found"', + '' + ); + } + } + + for ( keys %nfobjects ) { + emit( qq(if ! qt \$NFACCT get $_; then), + qq( \$NFACCT add $_), + qq(fi\n) ); + } +} # # # Generate the netfilter input diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index e96136ebb..c91906f89 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm @@ -368,6 +368,7 @@ sub generate_script_3($) { emit ''; load_ipsets; + create_nfobjects; if ( $family == F_IPV4 ) { emit ( 'if [ "$COMMAND" = refresh ]; then' , diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 6a17aeb62..ce92a9952 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -573,6 +573,7 @@ sub initialize( $;$ ) { IPSECFILE => undef, LOCKFILE => undef, GEOIPDIR => undef, + NFACCT => undef, # # Default Actions/Macros # 
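Review bot: In create_nfobjects the emitted `\$NFACCT add $_` carries no failure check, so if `get` fails for any reason other than the object being absent, the `add` fails just as silently and the problem only surfaces later when the rule load rejects `-m nfacct --nfacct-name`. Emit `qq(    \$NFACCT add $_ || startup_error "Unable to create nfacct object $_")` instead, consistent with the startup_error checks this hunk already emits for NFACCT itself. Two smaller points: `$config{NFACCT}` is interpolated into the double-quoted shell string `NFACCT="..."` without escaping, so a pathname containing `"` or `$` would break the generated script (a compile-time sanity check on the value is the cheap fix since it is administrator-controlled), and the `$config{NFACCT}` branch omits the trailing `''` line that the PATH-lookup branch emits, so the generated script's spacing differs between the two paths.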
@@ -3223,7 +3224,7 @@ sub NFAcct_Match() { if ( qt1( "nfacct add $sillyname" ) ) { $result = qt1( "$iptables -A $sillyname -m nfacct --nfacct-name $sillyname" ); - qt( "iptables -D $sillyname -m nfacct $sillyname" ); + qt( "$iptables -D $sillyname -m nfacct --nfacct-name $sillyname" ); qt( "nfacct del $sillyname" ); } diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf index 14fdba7ca..ef9d32565 100644 --- a/Shorewall/Samples/Universal/shorewall.conf +++ b/Shorewall/Samples/Universal/shorewall.conf @@ -69,6 +69,8 @@ LOCKFILE= MODULESDIR= +NFACCT= + PERL=/usr/bin/perl PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf index 4f683a8c5..85f0453a6 100644 --- a/Shorewall/Samples/one-interface/shorewall.conf +++ b/Shorewall/Samples/one-interface/shorewall.conf @@ -80,6 +80,8 @@ LOCKFILE= MODULESDIR= +NFACCT= + PERL=/usr/bin/perl PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf index 712373b60..af96276c8 100644 --- a/Shorewall/Samples/three-interfaces/shorewall.conf +++ b/Shorewall/Samples/three-interfaces/shorewall.conf @@ -78,6 +78,8 @@ LOCKFILE= MODULESDIR= +NFACCT= + PERL=/usr/bin/perl PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf index 8c01b801b..2a328debe 100644 --- a/Shorewall/Samples/two-interfaces/shorewall.conf +++ b/Shorewall/Samples/two-interfaces/shorewall.conf @@ -81,6 +81,8 @@ LOCKFILE= MODULESDIR= +NFACCT= + PERL=/usr/bin/perl PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf index 7c5201f18..a03556c36 100644 
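Review bot: NFAcct_Match still invokes a bare `nfacct` from PATH (the `add` on the first context line and the `del` on the last) even though this commit adds a NFACCT= setting that lib.cli's determine_capabilities and the compiled script honour, so a host whose nfacct is only reachable through NFACCT= will fail to detect NFACCT_MATCH and the NFACCT action will be refused at compile time. Assuming %config is populated when capabilities are probed, resolve the path once with `my $nfacct = $config{NFACCT} || 'nfacct';` and use `"$nfacct add $sillyname"` and `"$nfacct del $sillyname"` in the two calls. The fix to the `-D` line (using `$iptables` and the full `--nfacct-name` option) is correct as far as the hunk shows. The enclosing sub NFAcct_Match starts and ends outside this hunk.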
--- a/Shorewall/configfiles/shorewall.conf +++ b/Shorewall/configfiles/shorewall.conf @@ -69,6 +69,8 @@ LOCKFILE= MODULESDIR= +NFACCT= + PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin" PERL=/usr/bin/perl diff --git a/Shorewall/manpages/shorewall-accounting.xml b/Shorewall/manpages/shorewall-accounting.xml index 7178660c2..a43b9af69 100644 --- a/Shorewall/manpages/shorewall-accounting.xml +++ b/Shorewall/manpages/shorewall-accounting.xml @@ -294,8 +294,25 @@ - NFLOG[(nflog-parameters)] - Added in - Shorewall-4.4.20. + NFACCT(object) + + + Added in Shorewall 4.5.7. Provides a form of accounting + that survives shorewall stop/shorewall + start and shorewall restart. Requires the + NFaccnt Match capability in your kernel and iptables. + object names an nfacct object (see + man nfaccnt(8)). Multiple rules can specify the same + object; all packets that match any + of the rules increment the packet and bytes count of the + object. + + + + + NFLOG[(nflog-parameters)] + - Added in Shorewall-4.4.20. Causes each matching packet to be sent via the currently @@ -306,7 +323,7 @@ - COMMENT + COMMENT The remainder of the line is treated as a comment which diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml index c489c7038..423be404f 100644 --- a/Shorewall/manpages/shorewall.conf.xml +++ b/Shorewall/manpages/shorewall.conf.xml @@ -96,7 +96,7 @@ role="bold">none} - + @@ -106,7 +106,7 @@ role="bold">none} - + @@ -116,7 +116,7 @@ role="bold">none} - + @@ -126,7 +126,7 @@ role="bold">none} - + @@ -482,7 +482,7 @@
- + If CONFIG_PATH is not given or if it is set to the empty value then the contents of /usr/share/shorewall/configpath are @@ -829,7 +829,7 @@ net all DROP infothen the chain name is 'net2all' - +
If this variable is not set or is given an empty value @@ -1039,7 +1039,7 @@ net all DROP infothen the chain name is 'net2all' - +
For example, using the default LOGFORMAT, the log prefix for @@ -1056,7 +1056,7 @@ net all DROP infothen the chain name is 'net2all' control your firewall after you enable this option. - + Do not use this option if the resulting log messages will @@ -1437,6 +1437,17 @@ net all DROP infothen the chain name is 'net2all' + + NFACCT=[pathname] + + + Added in Shorewall 4.5.7. Specifies the pathname of the nfacct + utiliity. If not specified, Shorewall will use the PATH settting to + find the program. + + + NULL_ROUTE_RFC1918=[Yes|No] @@ -1709,7 +1720,7 @@ net all DROP infothen the chain name is 'net2all' role="bold">" - + diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf index 24f0f57fe..27971e4ec 100644 --- a/Shorewall6/Samples6/Universal/shorewall6.conf +++ b/Shorewall6/Samples6/Universal/shorewall6.conf @@ -68,6 +68,8 @@ LOCKFILE= MODULESDIR= +NFACCT= + PERL=/usr/bin/perl PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf index f320a0339..1c154e6fe 100644 --- a/Shorewall6/Samples6/one-interface/shorewall6.conf +++ b/Shorewall6/Samples6/one-interface/shorewall6.conf @@ -68,6 +68,8 @@ LOCKFILE= MODULESDIR= +NFACCT= + PERL=/usr/bin/perl PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf index 015154449..931975362 100644 --- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf +++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf @@ -68,6 +68,8 @@ LOCKFILE= MODULESDIR= +NFACCT= + PERL=/usr/bin/perl PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf index d9e59a14a..3ea7fb22e 100644 
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf +++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf @@ -68,6 +68,8 @@ LOCKFILE= MODULESDIR= +NFACCT= + PERL=/usr/bin/perl PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf index 892346e7b..4c2c7a587 100644 --- a/Shorewall6/configfiles/shorewall6.conf +++ b/Shorewall6/configfiles/shorewall6.conf @@ -68,6 +68,8 @@ LOCKFILE= MODULESDIR= +NFACCT= + PERL=/usr/bin/perl PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin" diff --git a/Shorewall6/manpages/shorewall6-accounting.xml b/Shorewall6/manpages/shorewall6-accounting.xml index 733419dcd..43f377314 100644 --- a/Shorewall6/manpages/shorewall6-accounting.xml +++ b/Shorewall6/manpages/shorewall6-accounting.xml @@ -236,8 +236,25 @@ - NFLOG[(nflog-parameters)] - Added in - Shorewall-4.4.20. + NFACCT(object) + + + Added in Shorewall 4.5.7. Provides a form of accounting + that survives shorewall stop/shorewall + start and shorewall restart. Requires the + NFaccnt Match capability in your kernel and iptables. + object names an nfacct object (see + man nfaccnt(8)). Multiple rules can specify the same + object; all packets that match any + of the rules increment the packet and bytes count of the + object. + + + + + NFLOG[(nflog-parameters)] + - Added in Shorewall-4.4.20. Causes each matching packet to be sent via the currently @@ -248,7 +265,7 @@ - COMMENT + COMMENT The remainder of the line is treated as a comment which diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml index c7fd84e8c..58ea51084 100644 --- a/Shorewall6/manpages/shorewall6.conf.xml +++ b/Shorewall6/manpages/shorewall6.conf.xml @@ -82,7 +82,7 @@ role="bold">none} - + @@ -92,7 +92,7 @@ role="bold">none} - + @@ -102,7 +102,7 @@ role="bold">none} - + @@ -112,7 +112,7 @@ role="bold">none} - + 
@@ -902,7 +902,7 @@ net all DROP infothen the chain name is 'net2all' - +
For example, using the default LOGFORMAT, the log prefix for @@ -919,7 +919,7 @@ net all DROP infothen the chain name is 'net2all' control your firewall after you enable this option. - + Do not use this option if the resulting log messages will @@ -1261,6 +1261,17 @@ net all DROP infothen the chain name is 'net2all' + + NFACCT=[pathname] + + + Added in Shorewall 4.5.7. Specifies the pathname of the nfacct + utiliity. If not specified, Shorewall will use the PATH settting to + find the program. + + + OPTIMIZE=[value] @@ -1507,7 +1518,7 @@ net all DROP infothen the chain name is 'net2all' role="bold">" - + diff --git a/docs/Accounting.xml b/docs/Accounting.xml index b873433dd..04869ae51 100644 --- a/docs/Accounting.xml +++ b/docs/Accounting.xml @@ -296,7 +296,7 @@ OUTPUT and FORWARD and must appear in that order (although any of them may be omitted). The first non-commentary record in the accounting - file must be a section header when sectioning is used. + file must be a section header when sectioning is used. Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was added to shorewall.conf and shorewall6.conf. That setting determines the @@ -562,4 +562,54 @@ IP: 70.90.191.123 SRC packets: 42 bytes: 4604 DST packets: 44 bytes: 10662 gateway:~# + +
+ Accounting using nfacct + + Beginning with the 3.3 kernels, Netfilter supports a form of + accounting (nfacct) that is triggered by iptables rules but that survives + purging and/or reloading the Netfilter ruleset. Shorewall support for this + form of accounting was added in Shorewall 4.5.7. + + As of this writing (late July 2012), Fedora 17 has partial support + for this feature but not all. It is necessary to download and build the + following: + + + + libnetfilter_acct + + + + nfacct + + + + The following Fedora packages are also required: + + + + libnetlink and libnetlink-dev + + + + libmnl and libmnl-dev + + + + The tarballs are available from the Netfilter download sites. + + The nfacct utility can create, delete and display nfacct + objects. These named objects consist of a packet and byte + counter. Packets matching those netfilter rules that use the nfacct match + cause the packet and byte count in the object named in the match to be + incremented. + + To use nfaccnt with Shorewall, use the NFACCT target. See shorewall-accounting(5) + for details. + + The shorewall show nfacct command is a thin + wrapper around the nfacct list command. +