Add ACCOUNTING_TABLE option

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Samples/Universal/shorewall.conf

@@ -196,6 +196,8 @@ COMPLETE=Yes
 
 EXPORTMODULES=Yes
 
+ACCOUNTING_TABLE=filter
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/one-interface/shorewall.conf

@@ -207,6 +207,8 @@ COMPLETE=No
 
 EXPORTMODULES=Yes
 
+ACCOUNTING_TABLE=filter
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/three-interfaces/shorewall.conf

@@ -207,6 +207,8 @@ COMPLETE=No
 
 EXPORTMODULES=Yes
 
+ACCOUNTING_TABLE=filter
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/two-interfaces/shorewall.conf

@@ -214,6 +214,8 @@ COMPLETE=No
 
 EXPORTMODULES=Yes
 
+ACCOUNTING_TABLE=filter
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/Universal/shorewall6.conf

@@ -159,6 +159,8 @@ COMPLETE=Yes
 
 EXPORTMODULES=Yes
 
+ACCOUNTING_TABLE=filter
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/one-interface/shorewall6.conf

@@ -161,6 +161,8 @@ COMPLETE=No
 
 EXPORTMODULES=Yes
 
+ACCOUNTING_TABLE=filter
+
 ##############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/three-interfaces/shorewall6.conf

@@ -161,6 +161,8 @@ COMPLETE=No
 
 EXPORTMODULES=Yes
 
+ACCOUNTING_TABLE=filter
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/two-interfaces/shorewall6.conf

@@ -161,6 +161,8 @@ COMPLETE=No
 
 EXPORTMODULES=Yes
 
+ACCOUNTING_TABLE=filter
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall/Perl/Shorewall/Accounting.pm

@@ -50,22 +50,29 @@ my $defaultrestriction;
 my $restriction;
 my $accounting_commands = { COMMENT => 0, SECTION => 2 };
 my $sectionname;
+my $acctable;
 
 #
 # Sections in the Accounting File
 #
 
 use constant {
-	      LEGACY  => 0,
-	      INPUT   => 1,
-	      OUTPUT  => 2,
-	      FORWARD => 3 };
+	      LEGACY      => 0,
+	      PREROUTING  => 1,
+	      INPUT       => 2,
+	      OUTPUT      => 3,
+	      FORWARD     => 4,
+	      POSTROUTING => 5
+	  };
 #
 # Map names to values
 #
-our %asections = ( INPUT   => INPUT,
-		   FORWARD => FORWARD,
-		   OUTPUT  => OUTPUT );
+our %asections = ( PREROUTING  => PREROUTING,
+		   INPUT       => INPUT,
+		   FORWARD     => FORWARD,
+		   OUTPUT      => OUTPUT,
+		   POSTROUTING => POSTROUTING
+		 );
 
 #
 # Called by the compiler to [re-]initialize this module's state
@@ -108,10 +115,19 @@ sub process_section ($) {
     } elsif ( $sectionname eq 'OUTPUT' ) {
 	$defaultchain = 'accountout';
 	$defaultrestriction = OUTPUT_RESTRICT;
-    } else {
+    } elsif ( $sectionname eq 'FORWARD' ) {
 	$defaultchain = 'accountfwd';
 	$defaultrestriction = NO_RESTRICT;
-    }
+     } else {
+	 fatal_error "The $sectionname SECTION is not allowed when ACCOUNTING_TABLE=filter" unless $acctable eq 'mangle';
+	 if ( $sectionname eq 'PREROUTING' ) {
+	     $defaultchain = 'accountpre';
+	     $defaultrestriction = PREROUTE_RESTRICT;
+	 } else {
+	     $defaultchain = 'accountpost';
+	     $defaultrestriction = POSTROUTE_RESTRICT;
+	 }
+     }
 
     $asection = $newsect;
 }
@@ -121,6 +137,8 @@ sub process_section ($) {
 #
 sub process_accounting_rule( ) {
 
+    $acctable = $config{ACCOUNTING_TABLE};
+
     $jumpchainref = 0;
 
     my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = split_line1 1, 11, 'Accounting File', $accounting_commands;
@@ -261,7 +279,7 @@ sub process_accounting_rule( ) {
 	$dest = ALLIP if $dest   eq 'any' || $dest   eq 'all';
     }
 
-    my $chainref = $filter_table->{$chain};
+    my $chainref = $chain_table{$config{ACCOUNTING_TABLE}}{$chain};
     my $dir;
 
     if ( ! $chainref ) {
@@ -376,41 +394,51 @@ sub setup_accounting() {
 	clear_comment;
 
 	if ( $nonEmpty ) {
+	    my $tableref = $chain_table{$acctable};
+
 	    if ( have_bridges || $asection ) {
-		if ( $filter_table->{accountin} ) {
-		    add_jump( $filter_table->{INPUT}, 'accountin', 0, '', 0, 0 );
+		if ( $tableref->{accountin} ) {
+		    add_jump( $tableref->{INPUT}, 'accountin', 0, '', 0, 0 );
 		}
 
-		if ( $filter_table->{accounting} ) {
+		if ( $tableref->{accounting} ) {
 		    dont_optimize( 'accounting' );
 		    for my $chain ( qw/INPUT FORWARD/ ) {
-			add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
+			add_jump( $tableref->{$chain}, 'accounting', 0, '', 0, 0 );
 		    }
 		}
 
-		if ( $filter_table->{accountfwd} ) {
-		    add_jump( $filter_table->{FORWARD}, 'accountfwd', 0, '', 0, 0 );
+		if ( $tableref->{accountfwd} ) {
+		    add_jump( $tableref->{FORWARD}, 'accountfwd', 0, '', 0, 0 );
 		}
 
-		if ( $filter_table->{accountout} ) {
-		    add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
+		if ( $tableref->{accountout} ) {
+		    add_jump( $tableref->{OUTPUT}, 'accountout', 0, '', 0, 0 );
 		}
-	    } elsif ( $filter_table->{accounting} ) {
+
+		if ( $tableref->{accountpre} ) {
+		    add_jump( $tableref->{PREROUTING}, 'accountpre', 0, '', 0, 0 );
+		}
+
+		if ( $tableref->{accountpost} ) {
+		    add_jump( $tableref->{POSTROUTING}, 'accountpost', 0, '', 0, 0 );
+		}
+	    } elsif ( $tableref->{accounting} ) {
 		dont_optimize( 'accounting' );
 		for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
-		    add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
+		    add_jump( $tableref->{$chain}, 'accounting', 0, '', 0, 0 );
 		}
 	    }
 
-	    if ( $filter_table->{accipsecin} ) {
+	    if ( $tableref->{accipsecin} ) {
 		for my $chain ( qw/INPUT FORWARD/ ) {
-		    add_jump( $filter_table->{$chain}, 'accipsecin', 0,  '', 0, 0 );
+		    add_jump( $tableref->{$chain}, 'accipsecin', 0,  '', 0, 0 );
 		}
 	    }
 
-	    if ( $filter_table->{accipsecout} ) {
+	    if ( $tableref->{accipsecout} ) {
 		for my $chain ( qw/FORWARD OUTPUT/ ) {
-		    add_jump( $filter_table->{$chain}, 'accipsecout', 0, '', 0, 0 );
+		    add_jump( $tableref->{$chain}, 'accipsecout', 0, '', 0, 0 );
 		}
 	    }
 

Shorewall/Perl/Shorewall/Chains.pm

@@ -1382,7 +1382,9 @@ sub ensure_accounting_chain( $$$ )
 {
     my ($chain, $ipsec, $restriction ) = @_;
 
-    my $chainref = $filter_table->{$chain};
+    my $table = $config{ACCOUNTING_TABLE};
+
+    my $chainref = $chain_table{$table}{$chain};
 
     if ( $chainref ) {
 	fatal_error "Non-accounting chain ($chain) used in an accounting rule" unless $chainref->{accounting};
@@ -1390,7 +1392,7 @@ sub ensure_accounting_chain( $$$ )
     } else {
 	fatal_error "Chain name ($chain) too long" if length $chain > 29;
 	fatal_error "Invalid Chain name ($chain)" unless $chain =~ /^[-\w]+$/ && ! ( $builtin_target{$chain} || $config_files{$chain} );
-	$chainref = new_chain 'filter' , $chain;
+	$chainref = new_chain $table , $chain;
 	$chainref->{accounting}  = 1;
 	$chainref->{referenced}  = 1;
 	$chainref->{restriction} = $restriction;

Shorewall/Perl/Shorewall/Config.pm

@@ -526,6 +526,7 @@ sub initialize( $ ) {
 	  ZONE2ZONE => undef,
 	  ACCOUNTING => undef,
 	  OPTIMIZE_ACCOUNTING => undef,
+	  ACCOUNTING_TABLE => undef,
 	  DYNAMIC_BLACKLIST => undef,
 	  LOAD_HELPERS_ONLY => undef,
 	  REQUIRE_INTERFACE => undef,
@@ -3277,8 +3278,17 @@ sub get_configuration( $ ) {
     default_yes_no 'AUTOMAKE'                   , '';
     default_yes_no 'WIDE_TC_MARKS'              , '';
     default_yes_no 'TRACK_PROVIDERS'            , '';
+
     default_yes_no 'ACCOUNTING'                 , 'Yes';
     default_yes_no 'OPTIMIZE_ACCOUNTING'        , '';
+    
+    if ( defined $config{ACCOUNTING_TABLE} ) {
+	my $value = $config{ACCOUNTING_TABLE};
+	fatal_error "Invalid ACCOUNTING_TABLE setting ($value)" unless $value eq 'filter' || $value eq 'mangle';
+    } else {
+	$config{ACCOUNTING_TABLE} = 'filter';
+    }
+
     default_yes_no 'DYNAMIC_BLACKLIST'          , 'Yes';
     default_yes_no 'REQUIRE_INTERFACE'          , '';
     default_yes_no 'FORWARD_CLEAR_MARK'         , have_capability 'MARK' ? 'Yes' : '';

Shorewall/configfiles/shorewall.conf

@@ -196,6 +196,8 @@ COMPLETE=No
 
 EXPORTMODULES=Yes
 
+ACCOUNTING_TABLE=filter
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall/releasenotes.txt

@@ -47,6 +47,21 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
     is compatible with 4.4.19 in that if a relative path name is
     supplied, then '/usr/' is prepended to the name.
 
+2)  A new ACCOUNTING_TABLE option has been added to shorewall.conf and
+    shorwall6.conf. The setting determines the Netfilter table (filter
+    or mangle) where accounting rules are created.
+
+    When ACCOUNTING_TABLE=mangle, the allowable sections in the
+    accounting file are as follows:
+
+	PREROUTING
+        INPUT
+	OUTPUT
+	FORWARD
+	POSTROUTING
+
+    Present sections must appear in that order.
+
 ----------------------------------------------------------------------------
              I V.  R E L E A S E  4 . 4  H I G H L I G H T S
 ----------------------------------------------------------------------------

Shorewall6/shorewall6.conf

@@ -159,6 +159,8 @@ COMPLETE=No
 
 EXPORTMODULES=Yes
 
+ACCOUNTING_TABLE=filter
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

docs/Accounting.xml

@@ -296,8 +296,18 @@
     <emphasis role="bold">OUTPUT</emphasis> and <emphasis
     role="bold">FORWARD</emphasis> and must appear in that order (although any
     of them may be omitted). The first non-commentary record in the accounting
-    file must be a section header when sectioning is used. Section headers
-    have the form:</para>
+    file must be a section header when sectioning is used. </para>
+
+    <para>Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was
+    added to shorewall.conf and shorewall6.conf. That setting determines the
+    Netfilter table (filter or mangle) where the accounting rules are added.
+    When ACCOUNTING_TABLE=mangle is specified, the available sections are
+    <emphasis role="bold">PREROUTING</emphasis>, <emphasis
+    role="bold">INPUT</emphasis>, <emphasis role="bold">OUTPUT</emphasis>,
+    <emphasis role="bold">FORWARD</emphasis> and <emphasis
+    role="bold">POSTROUTING</emphasis>.</para>
+
+    <para>Section headers have the form:</para>
 
     <para><option>SECTION</option>
     <replaceable>section-name</replaceable></para>
@@ -316,11 +326,13 @@
 
       <listitem>
         <para>You may not specify an output interface in the <emphasis
-        role="bold">INPUT</emphasis> section.</para>
+        role="bold">PREROUTING</emphasis> and <emphasis
+        role="bold">INPUT</emphasis> sections.</para>
       </listitem>
 
       <listitem>
-        <para>In the OUTPUT section:</para>
+        <para>In the <emphasis role="bold">OUTPUT</emphasis> and <emphasis
+        role="bold">POSTROUTING</emphasis> sections:</para>
 
         <itemizedlist>
           <listitem>
@@ -329,7 +341,8 @@
 
           <listitem>
             <para>You may not jump to a chain defined in the <emphasis
-            role="bold">INPUT</emphasis> section that specifies an input
+            role="bold">INPUT</emphasis> or <emphasis
+            role="bold">PREROUTING</emphasis> sections that specifies an input
             interface</para>
           </listitem>
 
@@ -339,8 +352,9 @@
 
           <listitem>
             <para>You may not jump to a chain defined in the <emphasis
-            role="bold">INPUT</emphasis> section that specifies specifies a
-            MAC address.</para>
+            role="bold">INPUT</emphasis> or <emphasis
+            role="bold">PREROUTING</emphasis> section that specifies specifies
+            a MAC address.</para>
           </listitem>
         </itemizedlist>
       </listitem>
@@ -363,6 +377,16 @@
             <para><emphasis role="bold">accountfwd</emphasis> in the <emphasis
             role="bold">FORWARD</emphasis> section</para>
           </listitem>
+
+          <listitem>
+            <para><emphasis role="bold">accountpre</emphasis> in the <emphasis
+            role="bold">PREROUTING</emphasis> section</para>
+          </listitem>
+
+          <listitem>
+            <para><emphasis role="bold">accountpost</emphasis> in the
+            <emphasis role="bold">POSTROUTING</emphasis> section</para>
+          </listitem>
         </itemizedlist>
       </listitem>