Add support for nfacct

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2012-07-28 11:21:16 -07:00
parent 87c0f934aa
commit 735b7c2cf5
20 changed files with 229 additions and 35 deletions


@ -615,6 +615,20 @@ show_connections_filter() {
fi fi
} }
show_nfacct() {
if [ -n "$NFACCT" -a ! -x "$NFACCT" ]; then
error_message "WARNING: NFACCT=$NFACCT does not exist or is not executable"
NFACCT=
else
NFACCT=$(mywhich nfacct)
[ -n "$NFACCT" ] || "No NF Accounting defined"
fi
if [ -n "$NFACCT" ]; then
$NFACCT list
echo
fi
}
# #
# Show Command Executor # Show Command Executor
# #
@ -920,6 +934,12 @@ show_command() {
echo echo
[ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks; [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
;; ;;
nfacct)
[ $# -gt 1 ] && usage 1
echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)"
echo
show_nfacct
;;
*) *)
case "$g_program" in case "$g_program" in
*-lite) *-lite)
@ -1202,6 +1222,9 @@ do_dump_command() {
perip_accounting perip_accounting
fi fi
heading "NF Accounting"
show_nfacct
if qt mywhich setkey; then if qt mywhich setkey; then
heading "PFKEY SPD" heading "PFKEY SPD"
setkey -DP setkey -DP
@ -2109,6 +2132,19 @@ determine_capabilities() {
qt $g_tool -A $chain -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes qt $g_tool -A $chain -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes
if [ -n "$NFACCT" -a ! -x "$NFACCT" ]; then
error_message "WARNING: NFACCT=$NFACCT does not exist or is not executable"
NFACCT=
else
NFACCT=$(mywhich nfacct)
fi
if [ -n "$NFACCT" ] && qt $NFACCT add $chain; then
qt $g_tool -A $chain -m nfacct --nfacct-name $chain && NFACCT_MATCH=Yes
qt $g_tool -D $chain -m nfacct --nfacct-name $chain
qt $NFACCT del $chain
fi
if [ -n "$MANGLE_ENABLED" ]; then if [ -n "$MANGLE_ENABLED" ]; then
qt $g_tool -t mangle -N $chain qt $g_tool -t mangle -N $chain
@ -2131,12 +2167,6 @@ determine_capabilities() {
qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes
qt $g_tool -t mangle -A $chain -m rpfilter && RPFILTER_MATCH=Yes qt $g_tool -t mangle -A $chain -m rpfilter && RPFILTER_MATCH=Yes
if qt nfacct add $chain; then
qt $g_tool -t mangle -A $chain -m nfacct --nfacct-name $chain && NFACCT_MATCH=Yes
qt $g_tool -t mangle -D $chain -m nfacct --nfacct-name $chain
qt nfacct del $chain
fi
qt $g_tool -t mangle -F $chain qt $g_tool -t mangle -F $chain
qt $g_tool -t mangle -X $chain qt $g_tool -t mangle -X $chain
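Review bot: In show_nfacct the `else` branch runs `NFACCT=$(mywhich nfacct)` whenever NFACCT is set and executable, so a configured pathname is silently replaced by whatever mywhich finds in PATH; the determine_capabilities hunk repeats the same if/else shape. Changing `else` to `elif [ -z "$NFACCT" ]; then` in both places keeps a valid configured value and still falls back to PATH when nothing is configured. The next line, `[ -n "$NFACCT" ] || "No NF Accounting defined"`, tries to execute the message string as a command instead of printing it; it should read `[ -n "$NFACCT" ] || error_message "No NF Accounting defined"`. show_command and determine_capabilities both begin outside their hunks.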


@ -236,6 +236,11 @@ sub process_accounting_rule( ) {
} }
} elsif ( $action =~ /^NFLOG/ ) { } elsif ( $action =~ /^NFLOG/ ) {
$target = validate_level $action; $target = validate_level $action;
} elsif ( $action =~ /^NFACCT\((\w+)\)$/ ) {
require_capability 'NFACCT_MATCH', 'The NFACCT action', 's';
$nfobjects{$1} = 1;
$target = '';
$rule .= "-m nfacct --nfacct-name $1 ";
} else { } else {
( $action, my $cmd ) = split /:/, $action; ( $action, my $cmd ) = split /:/, $action;
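Review bot: The NFACCT branch carries `$1` across the `require_capability` call, and the `\w+` class is the only thing that keeps the object name safe for the unquoted `$NFACCT add` lines that create_nfobjects emits, yet neither is stated in the code. Capturing into a lexical and anchoring with `\z` (`$` also accepts a trailing newline) makes both explicit: `} elsif ( my ( $object ) = $action =~ /^NFACCT\((\w+)\)\z/ ) {`, then `$nfobjects{$object} = 1;` and `$rule .= "-m nfacct --nfacct-name $object ";`. A comment such as `# \w+ is deliberate: the name is emitted unquoted into the generated script` would stop a later maintainer from loosening the pattern. The kernel also caps nfacct object name length (NFACCT_NAME_MAX); a length check here would turn a runtime failure of `nfacct add` into a compile-time error. process_accounting_rule starts and ends outside the hunk.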


@ -36,7 +36,7 @@ use Shorewall::IPAddrs;
use strict; use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw/ our @EXPORT = qw(
DONT_OPTIMIZE DONT_OPTIMIZE
DONT_DELETE DONT_DELETE
DONT_MOVE DONT_MOVE
@ -86,10 +86,10 @@ our @EXPORT = qw/
$nat_table $nat_table
$mangle_table $mangle_table
$filter_table $filter_table
/; );
our %EXPORT_TAGS = ( our %EXPORT_TAGS = (
internal => [ qw/ STANDARD internal => [ qw( STANDARD
NATRULE NATRULE
BUILTIN BUILTIN
NONAT NONAT
@ -238,13 +238,15 @@ our %EXPORT_TAGS = (
set_global_variables set_global_variables
save_dynamic_chains save_dynamic_chains
load_ipsets load_ipsets
create_nfobjects
create_netfilter_load create_netfilter_load
preview_netfilter_load preview_netfilter_load
create_chainlist_reload create_chainlist_reload
create_stop_load create_stop_load
%targets %targets
%dscpmap %dscpmap
/ ], %nfobjects
) ],
); );
Exporter::export_ok_tags('internal'); Exporter::export_ok_tags('internal');
@ -334,6 +336,7 @@ my $comment;
my @comments; my @comments;
my $export; my $export;
my %renamed; my %renamed;
our %nfobjects;
# #
# Target Types # Target Types
@ -662,7 +665,8 @@ sub initialize( $$$ ) {
snmp => UDP, snmp => UDP,
tftp => UDP); tftp => UDP);
%isocodes = (); %isocodes = ();
%nfobjects = ();
# #
# The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined. # The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
@ -5406,6 +5410,7 @@ sub set_chain_variables() {
} else { } else {
emit 'IPSET=ipset'; emit 'IPSET=ipset';
} }
} }
# #
@ -6872,6 +6877,32 @@ sub load_ipsets() {
} }
} }
#
# Create nfacct objects if needed
#
sub create_nfobjects() {
my @objects = ( keys %nfobjects );
if ( @objects ) {
if ( $config{NFACCT} ) {
emit( qq(NFACCT="$config{NFACCT}") ,
'[ -x "$NFACCT" ] || startup_error "NFACCT=$NFACCT does not exist or is not executable"'
);
} else {
emit( 'NFACCT=$(mywhich nfacct)' ,
'[ -n "$NFACCT" ] || startup_error "No nfacct utility found"',
''
);
}
}
for ( keys %nfobjects ) {
emit( qq(if ! qt \$NFACCT get $_; then),
qq( \$NFACCT add $_),
qq(fi\n) );
}
}
# #
# #
# Generate the netfilter input # Generate the netfilter input
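Review bot: create_nfobjects interpolates each key of `%nfobjects` unquoted into the emitted `$NFACCT get`/`add` lines, relying on the `\w+` capture in process_accounting_rule for shell safety, and the loop re-reads `keys %nfobjects` in hash order, so the generated script is not byte-stable between compiles of the same configuration. Iterating the list already collected, `for my $object ( sort @objects ) {`, gives reproducible output, and a comment on the loop such as `# names are \w+ only (validated in Accounting.pm), so no quoting is needed` records the invariant the emitted shell depends on. `$config{NFACCT}` is likewise placed inside double quotes without escaping; it is administrator-controlled, so this is presumably acceptable, but a value containing `"` or `$` would break the generated script.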


@ -368,6 +368,7 @@ sub generate_script_3($) {
emit ''; emit '';
load_ipsets; load_ipsets;
create_nfobjects;
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
emit ( 'if [ "$COMMAND" = refresh ]; then' , emit ( 'if [ "$COMMAND" = refresh ]; then' ,


@ -573,6 +573,7 @@ sub initialize( $;$ ) {
IPSECFILE => undef, IPSECFILE => undef,
LOCKFILE => undef, LOCKFILE => undef,
GEOIPDIR => undef, GEOIPDIR => undef,
NFACCT => undef,
# #
# Default Actions/Macros # Default Actions/Macros
# #
@ -3223,7 +3224,7 @@ sub NFAcct_Match() {
if ( qt1( "nfacct add $sillyname" ) ) { if ( qt1( "nfacct add $sillyname" ) ) {
$result = qt1( "$iptables -A $sillyname -m nfacct --nfacct-name $sillyname" ); $result = qt1( "$iptables -A $sillyname -m nfacct --nfacct-name $sillyname" );
qt( "iptables -D $sillyname -m nfacct $sillyname" ); qt( "$iptables -D $sillyname -m nfacct --nfacct-name $sillyname" );
qt( "nfacct del $sillyname" ); qt( "nfacct del $sillyname" );
} }
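Review bot: NFAcct_Match still invokes a bare `nfacct` in `qt1( "nfacct add $sillyname" )` and `qt( "nfacct del $sillyname" )`, while this commit introduces the NFACCT pathname setting and the shell-side probe in determine_capabilities already honours `$NFACCT`; with NFACCT= set and the utility outside PATH, the Perl-side probe presumably fails and NFACCT rules are rejected at compile time. Assuming `%config` is populated when this runs, `my $nfacct = $config{NFACCT} || 'nfacct';` followed by `qt1( "$nfacct add $sillyname" )` and `qt( "$nfacct del $sillyname" )` keeps the two probes consistent. NFAcct_Match starts and ends outside the hunk.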


@ -69,6 +69,8 @@ LOCKFILE=
MODULESDIR= MODULESDIR=
NFACCT=
PERL=/usr/bin/perl PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin


@ -80,6 +80,8 @@ LOCKFILE=
MODULESDIR= MODULESDIR=
NFACCT=
PERL=/usr/bin/perl PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin


@ -78,6 +78,8 @@ LOCKFILE=
MODULESDIR= MODULESDIR=
NFACCT=
PERL=/usr/bin/perl PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin


@ -81,6 +81,8 @@ LOCKFILE=
MODULESDIR= MODULESDIR=
NFACCT=
PERL=/usr/bin/perl PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin


@ -69,6 +69,8 @@ LOCKFILE=
MODULESDIR= MODULESDIR=
NFACCT=
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin" PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
PERL=/usr/bin/perl PERL=/usr/bin/perl


@ -294,8 +294,25 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>NFLOG[(nflog-parameters)] - Added in <term><emphasis
Shorewall-4.4.20.</term> role="bold">NFACCT</emphasis>(<replaceable>object</replaceable>)</term>
<listitem>
<para>Added in Shorewall 4.5.7. Provides a form of accounting
that survives <command>shorewall stop/shorewall</command>
start and <command>shorewall restart</command>. Requires the
NFaccnt Match capability in your kernel and iptables.
<replaceable>object</replaceable> names an nfacct object (see
man nfaccnt(8)). Multiple rules can specify the same
<replaceable>object</replaceable>; all packets that match any
of the rules increment the packet and bytes count of the
object.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">NFLOG</emphasis>[(nflog-parameters)]
- Added in Shorewall-4.4.20.</term>
<listitem> <listitem>
<para>Causes each matching packet to be sent via the currently <para>Causes each matching packet to be sent via the currently
@ -306,7 +323,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>COMMENT</term> <term><emphasis role="bold">COMMENT</emphasis></term>
<listitem> <listitem>
<para>The remainder of the line is treated as a comment which <para>The remainder of the line is treated as a comment which


@ -96,7 +96,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para></para> <para/>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -106,7 +106,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para></para> <para/>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -116,7 +116,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para></para> <para/>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -126,7 +126,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para></para> <para/>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -482,7 +482,7 @@
</itemizedlist> </itemizedlist>
<blockquote> <blockquote>
<para></para> <para/>
<para>If CONFIG_PATH is not given or if it is set to the empty <para>If CONFIG_PATH is not given or if it is set to the empty
value then the contents of /usr/share/shorewall/configpath are value then the contents of /usr/share/shorewall/configpath are
@ -829,7 +829,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<para></para> <para/>
<blockquote> <blockquote>
<para>If this variable is not set or is given an empty value <para>If this variable is not set or is given an empty value
@ -1039,7 +1039,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para></para> <para/>
<blockquote> <blockquote>
<para>For example, using the default LOGFORMAT, the log prefix for <para>For example, using the default LOGFORMAT, the log prefix for
@ -1056,7 +1056,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
control your firewall after you enable this option.</para> control your firewall after you enable this option.</para>
</important> </important>
<para></para> <para/>
<caution> <caution>
<para>Do not use this option if the resulting log messages will <para>Do not use this option if the resulting log messages will
@ -1437,6 +1437,17 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">NFACCT=</emphasis>[<emphasis>pathname</emphasis>]</term>
<listitem>
<para>Added in Shorewall 4.5.7. Specifies the pathname of the nfacct
utiliity. If not specified, Shorewall will use the PATH settting to
find the program.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">NULL_ROUTE_RFC1918=</emphasis>[<emphasis <term><emphasis role="bold">NULL_ROUTE_RFC1918=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@ -1709,7 +1720,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
role="bold">"</emphasis></term> role="bold">"</emphasis></term>
<listitem> <listitem>
<para></para> <para/>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -68,6 +68,8 @@ LOCKFILE=
MODULESDIR= MODULESDIR=
NFACCT=
PERL=/usr/bin/perl PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin


@ -68,6 +68,8 @@ LOCKFILE=
MODULESDIR= MODULESDIR=
NFACCT=
PERL=/usr/bin/perl PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin


@ -68,6 +68,8 @@ LOCKFILE=
MODULESDIR= MODULESDIR=
NFACCT=
PERL=/usr/bin/perl PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin


@ -68,6 +68,8 @@ LOCKFILE=
MODULESDIR= MODULESDIR=
NFACCT=
PERL=/usr/bin/perl PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin


@ -68,6 +68,8 @@ LOCKFILE=
MODULESDIR= MODULESDIR=
NFACCT=
PERL=/usr/bin/perl PERL=/usr/bin/perl
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin" PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"


@ -236,8 +236,25 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>NFLOG[(nflog-parameters)] - Added in <term><emphasis
Shorewall-4.4.20.</term> role="bold">NFACCT</emphasis>(<replaceable>object</replaceable>)</term>
<listitem>
<para>Added in Shorewall 4.5.7. Provides a form of accounting
that survives <command>shorewall stop/shorewall</command>
start and <command>shorewall restart</command>. Requires the
NFaccnt Match capability in your kernel and iptables.
<replaceable>object</replaceable> names an nfacct object (see
man nfaccnt(8)). Multiple rules can specify the same
<replaceable>object</replaceable>; all packets that match any
of the rules increment the packet and bytes count of the
object.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">NFLOG</emphasis>[(nflog-parameters)]
- Added in Shorewall-4.4.20.</term>
<listitem> <listitem>
<para>Causes each matching packet to be sent via the currently <para>Causes each matching packet to be sent via the currently
@ -248,7 +265,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>COMMENT</term> <term><emphasis role="bold">COMMENT</emphasis></term>
<listitem> <listitem>
<para>The remainder of the line is treated as a comment which <para>The remainder of the line is treated as a comment which


@ -82,7 +82,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para></para> <para/>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -92,7 +92,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para></para> <para/>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -102,7 +102,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para></para> <para/>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -112,7 +112,7 @@
role="bold">none</emphasis>}</term> role="bold">none</emphasis>}</term>
<listitem> <listitem>
<para></para> <para/>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -902,7 +902,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para></para> <para/>
<blockquote> <blockquote>
<para>For example, using the default LOGFORMAT, the log prefix for <para>For example, using the default LOGFORMAT, the log prefix for
@ -919,7 +919,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
control your firewall after you enable this option.</para> control your firewall after you enable this option.</para>
</important> </important>
<para></para> <para/>
<caution> <caution>
<para>Do not use this option if the resulting log messages will <para>Do not use this option if the resulting log messages will
@ -1261,6 +1261,17 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis
role="bold">NFACCT=</emphasis>[<emphasis>pathname</emphasis>]</term>
<listitem>
<para>Added in Shorewall 4.5.7. Specifies the pathname of the nfacct
utiliity. If not specified, Shorewall will use the PATH settting to
find the program.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">OPTIMIZE=</emphasis>[<replaceable>value</replaceable>]</term> role="bold">OPTIMIZE=</emphasis>[<replaceable>value</replaceable>]</term>
@ -1507,7 +1518,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
role="bold">"</emphasis></term> role="bold">"</emphasis></term>
<listitem> <listitem>
<para></para> <para/>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -296,7 +296,7 @@
<emphasis role="bold">OUTPUT</emphasis> and <emphasis <emphasis role="bold">OUTPUT</emphasis> and <emphasis
role="bold">FORWARD</emphasis> and must appear in that order (although any role="bold">FORWARD</emphasis> and must appear in that order (although any
of them may be omitted). The first non-commentary record in the accounting of them may be omitted). The first non-commentary record in the accounting
file must be a section header when sectioning is used. </para> file must be a section header when sectioning is used.</para>
<para>Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was <para>Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was
added to shorewall.conf and shorewall6.conf. That setting determines the added to shorewall.conf and shorewall6.conf. That setting determines the
@ -562,4 +562,54 @@ IP: 70.90.191.123 SRC packets: 42 bytes: 4604 DST packets: 44 bytes: 10662
gateway:~# gateway:~#
</programlisting> </programlisting>
</section> </section>
<section id="nfacct">
<title>Accounting using nfacct</title>
<para>Beginning with the 3.3 kernels, Netfilter supports a form of
accounting (nfacct) that is triggered by iptables rules but that survives
purging and/or reloading the Netfilter ruleset. Shorewall support for this
form of accounting was added in Shorewall 4.5.7.</para>
<para>As of this writing (late July 2012), Fedora 17 has partial support
for this feature but not all. It is necessary to download and build the
following:</para>
<itemizedlist>
<listitem>
<para>libnetfilter_acct</para>
</listitem>
<listitem>
<para>nfacct</para>
</listitem>
</itemizedlist>
<para>The following Fedora packages are also required:</para>
<itemizedlist>
<listitem>
<para>libnetlink and libnetlink-dev</para>
</listitem>
<listitem>
<para>libmnl and libmnl-dev</para>
</listitem>
</itemizedlist>
<para>The tarballs are available from the Netfilter download sites.</para>
<para>The nfacct utility can create, delete and display <firstterm>nfacct
objects</firstterm>. These named objects consist of a packet and byte
counter. Packets matching those netfilter rules that use the nfacct match
cause the packet and byte count in the object named in the match to be
incremented.</para>
<para>To use nfaccnt with Shorewall, use the NFACCT target. See <ulink
url="manpages/shorewall-accounting.html">shorewall-accounting</ulink>(5)
for details.</para>
<para>The <command>shorewall show nfacct</command> command is a thin
wrapper around the <command>nfacct list</command> command.</para>
</section>
</article> </article>