SHOREWALL6-ACCOUNTING(5)

NAME
    accounting - Shorewall6 Accounting file

SYNOPSIS
    /etc/shorewall6/accounting

DESCRIPTION
    Accounting rules exist simply to count packets and bytes in categories
    that you define in this file. You may display these rules and their
    packet and byte counters using the "shorewall6 show accounting" command.

    The columns in the file are as follows.

    ACTION - {COUNT|DONE|chain[:{COUNT|JUMP}]|COMMENT comment}
        What to do when a matching packet is found.

        COUNT
            Simply count the match and continue with the next rule.

        DONE
            Count the match and don't attempt to match any other accounting
            rules in the chain specified in the CHAIN column.

        chain[:COUNT]
            Where chain is the name of a chain; shorewall6 will create the
            chain automatically if it doesn't already exist. Causes a jump to
            that chain to be added to the chain specified in the CHAIN
            column. If :COUNT is included, a counting rule matching this
            entry will be added to chain. The chain name may not exceed 29
            characters in length and may be composed of letters, digits,
            dash ('-') and underscore ('_').

            To avoid problems, we recommend that chain names that you create
            should begin with a capital letter and contain a digit, a dash
            ('-') or an underscore ('_').

        chain:JUMP
            Like the previous option without the :COUNT part.

        COMMENT
            The remainder of the line is treated as a comment which is
            attached to subsequent rules until another COMMENT line is found
            or until the end of the file is reached. To stop adding comments
            to rules, use a line with only the word COMMENT.

    CHAIN - {-|chain}
        The name of a chain. If specified as -, the accounting chain is
        assumed. This is the chain where the accounting rule is added. The
        chain will be created if it doesn't already exist. The chain name
        may not exceed 29 characters in length.

        To avoid problems, we recommend that chain names that you create
        should begin with a capital letter and contain a digit, a dash ('-')
        or an underscore ('_').

    SOURCE - {-|any|all|interface|interface:address|address}
        Packet Source. The name of an interface, an address (host or net) or
        an interface name followed by ":" and a host or net address.

    DESTINATION - {-|any|all|interface|interface:address|address}
        Packet Destination. Format same as SOURCE column.

    PROTOCOL - {-|any|all|protocol-name|protocol-number|ipp2p[:{udp|all}]}
        A protocol-name (from protocols(5)), a protocol-number, ipp2p,
        ipp2p:udp or ipp2p:all.

    DEST PORT(S) - {-|any|all|ipp2p-option|port-name-or-number[,port-name-or-number]...}
        Destination Port number. Service name from services(5) or port
        number. May only be specified if the protocol is TCP (6), UDP (17),
        DCCP (33), SCTP (132) or UDPLITE (136).

        You may place a comma-separated list of port names or numbers in
        this column if your kernel and ip6tables include multiport match
        support.

        If the PROTOCOL is ipp2p then this column must contain an
        ipp2p-option ("ip6tables -m ipp2p --help") without the leading "--".
        If no option is given in this column, ipp2p is assumed.

    SOURCE PORT(S) - {-|any|all|port-name-or-number[,port-name-or-number]...}
        Service name from services(5) or port number. May only be specified
        if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or
        UDPLITE (136).

        You may place a comma-separated list of port numbers in this column
        if your kernel and ip6tables include multiport match support.

    USER/GROUP - [!][user-name-or-number][:group-name-or-number][+program-name]
        This column may only be non-empty if the CHAIN is OUTPUT.

        When this column is non-empty, the rule applies only if the program
        generating the output is running under the effective user and/or
        group specified (or is NOT running under that id if "!" is given).

        Examples:

            joe       program must be run by joe
            :kids     program must be run by a member of the 'kids' group
            !:kids    program must not be run by a member of the 'kids' group
            +upnpd    program named upnpd

        The ability to specify a program name was removed from Netfilter in
        kernel version 2.6.14.

    MARK - [!]value[/mask][:C]
        Defines a test on the existing packet or connection mark. The rule
        will match only if the test returns true.

        If you don't want to define a test but need to specify anything in
        the following columns, place a "-" in this field.

        !       Inverts the test (not equal)
        value   Value of the packet or connection mark.
        mask    A mask to be applied to the mark before testing.
        :C      Designates a connection mark. If omitted, the packet mark's
                value is tested.

    IPSEC - option-list (Optional - Added in Shorewall 4.4.13)
        The option-list consists of a comma-separated list of options from
        the following list. Only packets that will be encrypted or have been
        decrypted via an SA that matches these options will have their
        source address changed.

        reqid=number
            where number is specified using setkey(8) using the
            'unique:number' option for the SPD level.
        spi=<number>
            where number is the SPI of the SA used to encrypt/decrypt
            packets.
        proto=ah|esp|ipcomp
            IPSEC Encapsulation Protocol
        mss=number
            sets the MSS field in TCP packets
        mode=transport|tunnel
            IPSEC mode
        tunnel-src=address[/mask]
            only available with mode=tunnel
        tunnel-dst=address[/mask]
            only available with mode=tunnel
        strict
            Means that packets must match all rules.
        next
            Separates rules; can only be used with strict
        yes or ipsec
            When used by itself, causes all traffic that will be
            encrypted/encapsulated or has been decrypted/un-encapsulated to
            match the rule.
        no or none
            When used by itself, causes all traffic that will not be
            encrypted/encapsulated or has been decrypted/un-encapsulated to
            match the rule.

        If this column is non-empty, then:

        - A chain name appearing in the ACTION column must be a chain
          branched either directly or indirectly from the accountin or
          accountout chain.
        - The CHAIN column must contain either accountin or accountout or a
          chain branched either directly or indirectly from those chains.
        - These rules will NOT appear in the accounting chain.

    HEADERS - [!][any:|exactly:]header-list (Optional - Added in Shorewall 4.4.15)
        The header-list consists of a comma-separated list of headers from
        the following list.

        auth, ah, or 51            Authentication Headers extension header.
        esp, or 50                 Encrypted Security Payload extension header.
        hop, hop-by-hop or 0       Hop-by-hop options extension header.
        route, ipv6-route or 41    IPv6 Route extension header.
        frag, ipv6-frag or 44      IPv6 fragmentation extension header.
        none, ipv6-nonxt or 59     No next header.
        proto, protocol or 255     Any protocol header.

        If any: is specified, the rule will match if any of the listed
        headers are present. If exactly: is specified, the rule will match
        packets that exactly include all specified headers. If neither is
        given, any: is assumed.

        If ! is entered, the rule will match those packets which would not
        be matched when ! is omitted.

    In all of the above columns except ACTION and CHAIN, the values -, any
    and all may be used as wildcards. Omitted trailing columns are also
    treated as wildcards.

FILES
    /etc/shorewall6/accounting

SEE ALSO
    http://shorewall.net/Accounting.html

    shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
    shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
    shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
    shorewall6-route_rules(5), shorewall6-routestopped(5),
    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)
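EXAMPLE
    A constructed accounting file, added here as an illustration (it is not
    part of the Shorewall6 documentation or project), showing the ACTION
    forms described above used together. It assumes eth0 is the
    Internet-facing interface, that a local user named joe exists, and that
    the kernel and ip6tables include multiport match support for the
    comma-separated port lists.

```text
#ACTION        CHAIN    SOURCE   DEST     PROTO   DPORT    SPORT    USER/GROUP   MARK
#
# Constructed example; eth0 and the user joe are assumptions, not from the man page.
#
COMMENT        HTTP(S): jump from the accounting chain to Web-1 and count the jump too
Web-1:COUNT    -        -        -        tcp     80,443
Web-1:COUNT    -        -        -        tcp     -        80,443
COMMENT        Inside Web-1, split by direction; DONE stops matching further rules in Web-1
DONE           Web-1    eth0     -
DONE           Web-1    -        eth0
COMMENT        SSH counted in place in the accounting chain, then everything else by interface
COUNT          -        -        -        tcp     22
COUNT          -        -        -        tcp     -        22
COUNT          -        eth0
COUNT          -        -        eth0
COMMENT        Outgoing HTTPS generated by local user joe (USER/GROUP needs CHAIN OUTPUT)
COUNT          OUTPUT   -        -        tcp     443      -        joe
COMMENT
```

    Omitted trailing columns act as wildcards, so the two per-interface
    COUNT rules catch all remaining traffic in each direction; once loaded,
    the rules and their packet and byte counters are listed by
    "shorewall6 show accounting".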