shorewall-accounting
5
accounting
Shorewall Accounting file
/etc/shorewall/accounting
Description
Accounting rules exist simply to count packets and bytes in
categories that you define in this file. You may display these rules and
their packet and byte counters using the shorewall show
accounting command.
The columns in the file are as follows.
ACTION - {COUNT|DONE|chain[:{COUNT|JUMP}]|ACCOUNT(table,network)|COMMENT
comment}
What to do when a matching packet is found.
COUNT
Simply count the match and continue with the next
rule
DONE
Count the match and don't attempt to match any other
accounting rules in the chain specified in the CHAIN column.
chain[:COUNT]
Where chain is the name of a chain;
Shorewall will create the chain automatically if it doesn't
already exist. Causes a jump to that chain to be added to the
chain specified in the CHAIN column. If :COUNT is included, a counting rule
matching this entry will be added to
chain
chain:JUMP
Like the previous option without the :COUNT part.
ACCOUNT(table,network)
This action implements per-IP accounting and was added
in Shoreall 4.4.17. Requires the ACCOUNT
Target capability in your iptables and kernel (see
the output of shorewall show
capabilities).
table is the name of an
accounting table (you choose the name). All rules specifying
the same table will have their per-IP counters accumulated
in that table.
network is an IPv4
network in CIDR notation. The network can be as large as a
/8 (class A).
One nice feature of per-IP accounting is that the
counters survive shorewall restart. This
has a downside, however. If you change the network associated
with an accounting table, then you must shorewall
stop; shorewall start to have a successful restart
(counters will be cleared).
The counters in a table are
printed using the iptaccount utility. For a
command synopsis, type:
iptaccount --help
As of February 2011, the ACCOUNT Target capability and
the iptaccount utility are only available when xtables-addons
is installed. See http://www.shorewall.net/Accounting.html#perIP
for additional information.
COMMENT
The remainder of the line is treated as a comment which
is attached to subsequent rules until another COMMENT line is
found or until the end of the file is reached. To stop adding
comments to rules, use a line with only the word
COMMENT.
CHAIN - {-|chain}
The name of a chain. If specified as
- the accounting chain is assumed. This is the
chain where the accounting rule is added. The
chain will be created if it doesn't already
exist.
SOURCE - {-|any|all|interface|interface:address|address}
Packet Source.
The name of an interface, an
address (host or net) or an
interface name followed by ":" and a host
or net address.
DESTINATION - {-|any|all|interface|interface:address|address}
Packet Destination.
Format same as SOURCE
column.
PROTOCOL - {-|any|all|protocol-name|protocol-number|ipp2p[:{udp|all}]}
A protocol-name (from protocols(5)), a
protocol-number, ipp2p, ipp2p:udp or ipp2p:all
DEST PORT(S) - {-|any|all|ipp2p-option|port-name-or-number[,port-name-or-number]...}
Destination Port number. Service name from services(5) or
port number. May only be specified if the
protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE
(136).
You may place a comma-separated list of port names or numbers
in this column if your kernel and iptables include multiport match
support.
If the PROTOCOL is ipp2p then
this column must contain an ipp2p-option
("iptables -m ipp2p --help") without the leading "--". If no option
is given in this column, ipp2p is
assumed.
SOURCE PORT(S) - {-|any|all|port-name-or-number[,port-name-or-number]...}
Service name from services(5) or port
number. May only be specified if the protocol is TCP (6),
UDP (17), DCCP (33), SCTP (132) or UDPLITE (136).
You may place a comma-separated list of port numbers in this
column if your kernel and iptables include multiport match
support.
USER/GROUP - [!][user-name-or-number][:group-name-or-number][+program-name]
This column may only be non-empty if the CHAIN is OUTPUT.
When this column is non-empty, the rule applies only if the
program generating the output is running under the effective
user and/or group
specified (or is NOT running under that id if "!" is given).
Examples:
joe
program must be run by joe
:kids
program must be run by a member of the 'kids'
group
!:kids
program must not be run by a member of the 'kids'
group
+upnpd
#program named upnpd
The ability to specify a program name was removed from
Netfilter in kernel version 2.6.14.
MARK - [!]value[/mask][:C]
Defines a test on the existing packet or connection mark. The
rule will match only if the test returns true.
If you don't want to define a test but need to specify
anything in the following columns, place a "-" in this field.
!
Inverts the test (not equal)
value
Value of the packet or connection mark.
mask
A mask to be applied to the mark before testing.
:C
Designates a connection mark. If omitted, the packet
mark's value is tested.
IPSEC - option-list
(Optional - Added in Shorewall 4.4.13 )
The option-list consists of a comma-separated list of options
from the following list. Only packets that will be encrypted or have
been de-crypted via an SA that matches these options will have their
source address changed.
reqid=number
where number is specified using
setkey(8) using the 'unique:number option
for the SPD level.
spi=<number>
where number is the SPI of the SA
used to encrypt/decrypt packets.
proto=ah|esp|ipcomp
IPSEC Encapsulation Protocol
mss=number
sets the MSS field in TCP packets
mode=transport|tunnel
IPSEC mode
tunnel-src=address[/mask]
only available with mode=tunnel
tunnel-dst=address[/mask]
only available with mode=tunnel
strict
Means that packets must match all rules.
next
Separates rules; can only be used with strict
yes or ipsec
When used by itself, causes all traffic that will be
encrypted/encapsulated or has been decrypted/un-encapsulted to
match the rule.
no or none
When used by itself, causes all traffic that will not be
encrypted/encapsulated or has been decrypted/un-encapsulted to
match the rule.
If this column is non-empty, then:
A chain NAME may appearing in the ACTION column must be a
chain branched either directly or indirectly from the accountin or accountout chain.
The CHAIN column must contain either accountin or accountout or a chain branched either
directly or indirectly from those chains.
These rules will NOT appear in the accounting chain.
In all of the above columns except ACTION and CHAIN,
the values -, any and all may be
used as wildcards. Omitted trailing columns are also treated as
wildcards.
FILES
/etc/shorewall/accounting
See ALSO
http://shorewall.net/Accounting.html
shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)