Description

shorewall-accounting 5 accounting Shorewall Accounting file /etc/shorewall/accounting Description Accounting rules exist simply to count packets and bytes in categories that you define in this file. You may display these rules and their packet and byte counters using the shorewall show accounting command. The columns in the file are as follows. ACTION - {COUNT|DONE|chain[:{COUNT|JUMP}]|ACCOUNT(table,network)|COMMENT comment} What to do when a matching packet is found. COUNT Simply count the match and continue with the next rule DONE Count the match and don't attempt to match any other accounting rules in the chain specified in the CHAIN column. chain[:COUNT] Where chain is the name of a chain; Shorewall will create the chain automatically if it doesn't already exist. Causes a jump to that chain to be added to the chain specified in the CHAIN column. If :COUNT is included, a counting rule matching this entry will be added to chain. The chain may not exceed 29 characters in length and may be composed of letters, digits, dash ('-') and underscore ('_'). chain:JUMP Like the previous option without the :COUNT part. ACCOUNT(table,network) This action implements per-IP accounting and was added in Shorewall 4.4.17. Requires the ACCOUNT Target capability in your iptables and kernel (see the output of shorewall show capabilities). table is the name of an accounting table (you choose the name). All rules specifying the same name will have their per-IP counters accumulated in the same table. network is an IPv4 network in CIDR notation (e.g., 192.168.1.0/24). The network can be as large as a /8 (class A). One nice feature of per-IP accounting is that the counters survive shorewall restart. This has a downside, however. If you change the network associated with an accounting table, then you must shorewall stop; shorewall start to have a successful restart (counters will be cleared). The counters in a table are printed using the iptaccount utility. For a command synopsis, type: iptaccount --help As of February 2011, the ACCOUNT Target capability and the iptaccount utility are only available when xtables-addons is installed. See http://www.shorewall.net/Accounting.html#perIP for additional information. COMMENT The remainder of the line is treated as a comment which is attached to subsequent rules until another COMMENT line is found or until the end of the file is reached. To stop adding comments to rules, use a line with only the word COMMENT. CHAIN - {-|chain} The name of a chain. If specified as - the accounting chain is assumed. This is the chain where the accounting rule is added. The chain will be created if it doesn't already exist. The chain may not exceed 29 characters in length. SOURCE - {-|any|all|interface|interface:address|address} Packet Source. The name of an interface, an address (host or net) or an interface name followed by ":" and a host or net address. DESTINATION - {-|any|all|interface|interface:address|address} Packet Destination. Format same as SOURCE column. PROTOCOL - {-|any|all|protocol-name|protocol-number|ipp2p[:{udp|all}]} A protocol-name (from protocols(5)), a protocol-number, ipp2p, ipp2p:udp or ipp2p:all DEST PORT(S) - {-|any|all|ipp2p-option|port-name-or-number[,port-name-or-number]...} Destination Port number. Service name from services(5) or port number. May only be specified if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE (136). You may place a comma-separated list of port names or numbers in this column if your kernel and iptables include multiport match support. If the PROTOCOL is ipp2p then this column must contain an ipp2p-option ("iptables -m ipp2p --help") without the leading "--". If no option is given in this column, ipp2p is assumed. SOURCE PORT(S) - {-|any|all|port-name-or-number[,port-name-or-number]...} Service name from services(5) or port number. May only be specified if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE (136). You may place a comma-separated list of port numbers in this column if your kernel and iptables include multiport match support. USER/GROUP - [!][user-name-or-number][:group-name-or-number][+program-name] This column may only be non-empty if the CHAIN is OUTPUT. When this column is non-empty, the rule applies only if the program generating the output is running under the effective user and/or group specified (or is NOT running under that id if "!" is given). Examples: joe program must be run by joe :kids program must be run by a member of the 'kids' group !:kids program must not be run by a member of the 'kids' group +upnpd #program named upnpd The ability to specify a program name was removed from Netfilter in kernel version 2.6.14. MARK - [!]value[/mask][:C] Defines a test on the existing packet or connection mark. The rule will match only if the test returns true. If you don't want to define a test but need to specify anything in the following columns, place a "-" in this field. ! Inverts the test (not equal) value Value of the packet or connection mark. mask A mask to be applied to the mark before testing. :C Designates a connection mark. If omitted, the packet mark's value is tested. IPSEC - option-list (Optional - Added in Shorewall 4.4.13 ) The option-list consists of a comma-separated list of options from the following list. Only packets that will be encrypted or have been de-crypted via an SA that matches these options will have their source address changed. reqid=number where number is specified using setkey(8) using the 'unique:number option for the SPD level. spi=<number> where number is the SPI of the SA used to encrypt/decrypt packets. proto=ah|esp|ipcomp IPSEC Encapsulation Protocol mss=number sets the MSS field in TCP packets mode=transport|tunnel IPSEC mode tunnel-src=address[/mask] only available with mode=tunnel tunnel-dst=address[/mask] only available with mode=tunnel strict Means that packets must match all rules. next Separates rules; can only be used with strict yes or ipsec When used by itself, causes all traffic that will be encrypted/encapsulated or has been decrypted/un-encapsulted to match the rule. no or none When used by itself, causes all traffic that will not be encrypted/encapsulated or has been decrypted/un-encapsulted to match the rule. If this column is non-empty, then: A chain NAME may appearing in the ACTION column must be a chain branched either directly or indirectly from the accountin or accountout chain. The CHAIN column must contain either accountin or accountout or a chain branched either directly or indirectly from those chains. These rules will NOT appear in the accounting chain. In all of the above columns except ACTION and CHAIN, the values -, any and all may be used as wildcards. Omitted trailing columns are also treated as wildcards. FILES /etc/shorewall/accounting See ALSO http://shorewall.net/Accounting.html shorewall(8), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)