From 26cea4336ea02c2253a61274409963ba598f6dd2 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 30 Jan 2011 08:33:06 -0800 Subject: [PATCH] Document per-IP accounting --- Shorewall/changelog.txt | 2 + Shorewall/releasenotes.txt | 59 ++++++++++++++++++++++++++- docs/Accounting.xml | 67 +++++++++++++++++++++++++++++++ manpages/shorewall-accounting.xml | 36 ++++++++++++++++- 4 files changed, 161 insertions(+), 3 deletions(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index bd88492d4..f57c208ba 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -6,6 +6,8 @@ Changes in Shorewall 4.4.17 Beta 3 3) Correct two defects in compiler module loading. +4) Implement per-IP module loading. + Changes in Shorewall 4.4.17 Beta 2 1) Handle line containing only INCLUDE. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 9b6d10656..b04bec4c4 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -16,11 +16,14 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES Beta 3 -1) If the SOURCE column in /etc/shorewall6/rules contained [
], - a spurious error was generated: +1) If the SOURCE column in /etc/shorewall6/rules contained an IPv6 + address enclosed in [...], a spurious error was generated: ERROR: Invalid VLSM (0]) : /etc/shorewall6/rules (line 20) + The error did not occur if <...> was used to enclose the IPv6 + address. + 2) Two compiler defects in module loading have been corrected: a) Previously, the kernel/net/ipv6/netfilter/ directory was not @@ -69,6 +72,58 @@ Beta 1 I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- +Beta 3 + +1) This release adds support for per-IP accounting using the ACCOUNT + target. That target is only available when xtables-addons is + installed. This support has been successfully tested with + xtables-addons 1.32 on: + + - Fedora 14 + - Debian Squeeze + + Versions of xtables-addons supporting the ACCOUNT target do not + install successfully on Debian Lenny. + + Information about xtables-addons installation may be found at + http://www.shorewall.net/Dynamic.html#xtables-addons + + This feature required addition of the "ACCOUNT Target" capability + so if you use a capabilities file, you will want to refresh it + after installing this release. + + Per-IP accounting is configured in /etc/shorewall/accounting (it is + not currently supported in IPv6). In the ACTION column, enter: + + ACCOUNT(,) + + where: + +
is the name of an accounting table (you choose the + name). Rules specifying the same table will have their + per-IP counters accumulated in that table. + + is an IPv4 in CIDR format. May be as large as a /8. + + Example: Suppose your WAN interface is eth0 and your LAN interface + is eth1 with network 172.20.1.0/24. To account for all + traffic between the WAN and LAN interfaces: + + #ACTION TABLE SOURCE DEST ... + ACCOUNT(net-loc,172.20.1.0/24) - eth0 eth1 + ACCOUNT(net-loc,172.20.1.0/24) - eth0 eth1 + + This will create a net-loc table for counting packets and + bytes for traffic between the two interfaces. The table is dumped + using the iptaccount utility: + + iptaccount [-f] -l net-loc + + For each local IP address with non-zero counters, the packet and + byte count for both incoming traffic (IP is DST) and outgoing + traffic (IP is SRC) are listed. The -f option causes the table to + be flushed (reset all counters to zero). + Beta 2 1) Traditionally, the -lite products have used the modules (or diff --git a/docs/Accounting.xml b/docs/Accounting.xml index 950cdd691..4c018b871 100644 --- a/docs/Accounting.xml +++ b/docs/Accounting.xml @@ -243,4 +243,71 @@ traffic activity. The article may be found at http://collectd.org/wiki/index.php/Plugin:IPTables. + +
+ Per-IP Accounting + + Shorewall 4.4.17 added support for per-IP accounting using the + ACCOUNT target. That target is only available when xtables-addons is + installed. This support has been successfully tested with xtables-addons + 1.32 on: + + + + Fedora 14 + + + + Debian Squeeze + + + + Versions of xtables-addons supporting the ACCOUNT target do not + install successfully on Debian Lenny. + + Information about xtables-addons installation may be found at here. + + Per-IP accounting is configured in shorewall-accounting (5) + (it is currently not supported in IPv6). In the ACTION column, + enter: + + + ACCOUNT(table,network) + + + where + + + table is the name of an accounting + table (you choose the name). All rules specifying the same table will + have their per-IP counters accumulated in that table. + + network is an IPv4 network in CIDR + notation. The network can be as large as a /8 (class A). + + + Example: Suppose your WAN interface is eth0 and your LAN interface + is eth1 with network 172.20.1.0/24. To account for all traffic between the + WAN and LAN interfaces: + + #ACTION CHAIN SOURCE DEST ... +ACCOUNT(net-loc,172.20.1.0/24) - eth0 eth1 +ACCOUNT(net-loc,172.20.1.0/24) - eth1 eth0 + + This will create a net-loc table + for counting packets and bytes for traffic between the two interfaces. The + table is dumped using the iptaccount utility (part of + xtables-addons): + + iptaccount [-f] -l net-loc + + For each local IP address with non-zero counters, the packet and + byte count for both incoming traffic (IP is DST) and outgoing traffic (IP + is SRC) are listed. The -f option causes the table to be flushed (reset + all counters to zero) after printing. +
diff --git a/manpages/shorewall-accounting.xml b/manpages/shorewall-accounting.xml index d511e7bea..cd6bf6cb2 100644 --- a/manpages/shorewall-accounting.xml +++ b/manpages/shorewall-accounting.xml @@ -35,7 +35,7 @@ ACTION - {COUNT|DONE|chain[:{COUNT:JUMP}]|COUNT + role="bold">{COUNT:JUMP}]|ACCOUNT(table,network)|COUNT comment} @@ -86,6 +86,40 @@ + + ACCOUNT(table,network) + + + This action implements per-IP accounting and was added + in Shoreall 4.4.17. Requires the ACCOUNT + Target capability in your iptables and kernel (see + the output of shorewall show + capabilities). + + + table is the name of an + accounting table (you choose the name). All rules specifying + the same table will have their per-IP counters accumulated + in that table. + + network is an IPv4 + network in CIDR notation. The network can be as large as a + /8 (class A). + + + The counters in a table are + printed using the iptaccount utility. As of + February 2011, the ACCOUNT Target capability and the + iptaccount utility are only available when xtables-addons + is installed. See http://www.shorewall.net/Accounting.html#perIP + for additional information. + + + COMMENT
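Review bot: in the Shorewall/changelog.txt hunk, the new entry "+4) Implement per-IP module loading." names the wrong feature. The commit subject and every other hunk in this patch concern per-IP accounting via the ACCOUNT target, and the line sits directly under item 3 about module loading, so it looks like a copy-and-edit slip; it should read "4) Implement per-IP accounting."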
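Review bot: in the Shorewall/releasenotes.txt "NEW FEATURES" hunk, the worked example lists "ACCOUNT(net-loc,172.20.1.0/24) - eth0 eth1" twice, so the LAN-to-WAN direction is never matched and the net-loc table would only ever accumulate the incoming side; the second rule should be "ACCOUNT(net-loc,172.20.1.0/24) - eth1 eth0" as it is in the docs/Accounting.xml hunk. In the same example the column header "#ACTION TABLE SOURCE DEST" disagrees with the docs example's "#ACTION CHAIN SOURCE DEST"; the second column of the accounting file is CHAIN, so the header should say CHAIN to avoid confusing the chain column with the ACCOUNT table name. Finally, "is an IPv4 in CIDR format" is missing a noun and should read "is an IPv4 network in CIDR notation", matching the docs and man page wording.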
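Review bot: in the docs/Accounting.xml hunk, "Information about xtables-addons installation may be found at here." should drop "at" ("may be found here"). The description of "-f" also differs from the release notes: here it says the table is flushed "after printing", the release notes say only that it is flushed; keep the two consistent, and it is worth stating explicitly that because "-f" resets every counter in the table, a periodic collector that uses it must be the only consumer of that table or the other readers will see gaps in their counts.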
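Review bot: in the manpages/shorewall-accounting.xml hunk, "was added in Shoreall 4.4.17" misspells the product name and should read "Shorewall 4.4.17". The man page entry also omits the restriction that both the release notes and docs/Accounting.xml state, that per-IP accounting is not currently supported in IPv6; since the man page is where an administrator will look when writing a shorewall6 accounting file, add that sentence here too.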