diff --git a/docs/Accounting.xml b/docs/Accounting.xml
index 64d19cc6c..b873433dd 100644
--- a/docs/Accounting.xml
+++ b/docs/Accounting.xml
@@ -353,8 +353,8 @@
You may not jump to a chain defined in the INPUT or PREROUTING section that specifies specifies
- a MAC address.
+ role="bold">PREROUTING section that specifies a MAC
+ address.
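Review bot: the sentence about jumping to a chain "that specifies a MAC address" shows no visible wording change in this hunk, only a different line break before "address.". If the re-wrap is all that was intended, say so in the commit message or split it out, so that someone reading this documentation commit does not look for a semantic change in docs/Accounting.xml.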
diff --git a/manpages/shorewall-accounting.xml b/manpages/shorewall-accounting.xml
index 582c6f806..41d9769bd 100644
--- a/manpages/shorewall-accounting.xml
+++ b/manpages/shorewall-accounting.xml
@@ -28,6 +28,143 @@
their packet and byte counters using the shorewall show
accounting command.
+ Beginning with Shorewall 4.4.18, the accounting structure can be
+ created with three root chains:
+
+
+
+ accountin: Rules that are valid
+ in the INPUT chain (may not specify
+ an output interface).
+
+
+
+ accountout: Rules that are
+ valid in the OUTPUT chain (may not specify an input interface or a MAC
+ address).
+
+
+
+ accounting: Other rules.
+
+
+
+ The new structure is enabled by sectioning the accounting file in a
+ manner similar to the rules
+ file. The sections are INPUT,
+ OUTPUT and FORWARD and must appear in that order (although any
+ of them may be omitted). The first non-commentary record in the accounting
+ file must be a section header when sectioning is used.
+
+ Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was
+ added to shorewall.conf and shorewall6.conf. That setting determines the
+ Netfilter table (filter or mangle) where the accounting rules are added.
+ When ACCOUNTING_TABLE=mangle is specified, the available sections are
+ PREROUTING, INPUT, OUTPUT,
+ FORWARD and POSTROUTING.
+
+ Section headers have the form:
+
+
+ section-name
+
+ When sections are enabled:
+
+
+
+ A jump to a user-defined accounting chain before entries that
+ add rules to that chain.
+
+
+
+ This eliminates loops and unreferenced chains.
+
+
+
+ An output interface may not be specified in the PREROUTING and INPUT sections.
+
+
+
+ In the OUTPUT and POSTROUTING sections:
+
+
+
+ An input interface may not be specified
+
+
+
+ Jumps to a chain defined in the INPUT or PREROUTING sections that specifies an input
+ interface are prohibited
+
+
+
+ MAC addresses may not be used
+
+
+
+ Jump to a chain defined in the INPUT or PREROUTING section that specifies a MAC
+ address are prohibited.
+
+
+
+
+
+ The default value of the CHAIN column is:
+
+
+
+ accountin in the INPUT section
+
+
+
+ accounout in the OUTPUT section
+
+
+
+ accountfwd in the FORWARD section
+
+
+
+ accountpre in the PREROUTING section
+
+
+
+ accountpost in the
+ POSTROUTING section
+
+
+
+
+
+ Traffic addressed to the firewall goes through the rules defined
+ in the INPUT section.
+
+
+
+ Traffic originating on the firewall goes through the rules
+ defined in the OUTPUT section.
+
+
+
+ Traffic being forwarded through the firewall goes through the
+ rules from the FORWARD sections.
+
+
+
The columns in the file are as follows.
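Review bot: chain names are inconsistent within the added text. The default-CHAIN list reads "accounout in the OUTPUT section", while the root-chain list earlier in the same hunk spells it "accountout"; anyone copying the name from the defaults list gets it wrong. The two lists also disagree on structure: the introduction promises three root chains (accountin, accountout, accounting), but the defaults list names accountfwd, accountpre and accountpost without saying when those chains exist or what remains of accounting ("Other rules") once sections are used. Suggest correcting the spelling and adding one sentence that relates the five default chains to the three root chains and to ACCOUNTING_TABLE.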
diff --git a/manpages6/shorewall6-accounting.xml b/manpages6/shorewall6-accounting.xml
index 85790f2c9..09a84420c 100644
--- a/manpages6/shorewall6-accounting.xml
+++ b/manpages6/shorewall6-accounting.xml
@@ -28,6 +28,143 @@
their packet and byte counters using the shorewall6 show
accounting command.
+ Beginning with Shorewall 4.4.18, the accounting structure can be
+ created with three root chains:
+
+
+
+ accountin: Rules that are valid
+ in the INPUT chain (may not specify
+ an output interface).
+
+
+
+ accountout: Rules that are
+ valid in the OUTPUT chain (may not specify an input interface or a MAC
+ address).
+
+
+
+ accounting: Other rules.
+
+
+
+ The new structure is enabled by sectioning the accounting file in a
+ manner similar to the rules
+ file. The sections are INPUT,
+ OUTPUT and FORWARD and must appear in that order (although any
+ of them may be omitted). The first non-commentary record in the accounting
+ file must be a section header when sectioning is used.
+
+ Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was
+ added to shorewall.conf and shorewall6.conf. That setting determines the
+ Netfilter table (filter or mangle) where the accounting rules are added.
+ When ACCOUNTING_TABLE=mangle is specified, the available sections are
+ PREROUTING, INPUT, OUTPUT,
+ FORWARD and POSTROUTING.
+
+ Section headers have the form:
+
+
+ section-name
+
+ When sections are enabled:
+
+
+
+ A jump to a user-defined accounting chain before entries that
+ add rules to that chain.
+
+
+
+ This eliminates loops and unreferenced chains.
+
+
+
+ An output interface may not be specified in the PREROUTING and INPUT sections.
+
+
+
+ In the OUTPUT and POSTROUTING sections:
+
+
+
+ An input interface may not be specified
+
+
+
+ Jumps to a chain defined in the INPUT or PREROUTING sections that specifies an input
+ interface are prohibited
+
+
+
+ MAC addresses may not be used
+
+
+
+ Jump to a chain defined in the INPUT or PREROUTING section that specifies a MAC
+ address are prohibited.
+
+
+
+
+
+ The default value of the CHAIN column is:
+
+
+
+ accountin in the INPUT section
+
+
+
+ accounout in the OUTPUT section
+
+
+
+ accountfwd in the FORWARD section
+
+
+
+ accountpre in the PREROUTING section
+
+
+
+ accountpost in the
+ POSTROUTING section
+
+
+
+
+
+ Traffic addressed to the firewall goes through the rules defined
+ in the INPUT section.
+
+
+
+ Traffic originating on the firewall goes through the rules
+ defined in the OUTPUT section.
+
+
+
+ Traffic being forwarded through the firewall goes through the
+ rules from the FORWARD sections.
+
+
+
The columns in the file are as follows.
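Review bot: the first item under "When sections are enabled:" is not a complete sentence: "A jump to a user-defined accounting chain before entries that add rules to that chain." has no verb, so the actual rule has to be guessed from the follow-up "This eliminates loops and unreferenced chains."; state it explicitly (for example "must appear before"). The ordering requirement has a similar gap: "must appear in that order" is given only for INPUT, OUTPUT and FORWARD, and the paragraph that adds PREROUTING and POSTROUTING for ACCOUNTING_TABLE=mangle does not say whether the listed order is mandatory, nor does the closing traffic list say which traffic traverses those two sections. Smaller points in the same hunk: "accounout" should match "accountout" used above it, "Jump to a chain ... are prohibited" should be "Jumps", and "rules from the FORWARD sections" should be singular.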