SHOREWALL6-ACCOUNTI(5) | Configuration Files | SHOREWALL6-ACCOUNTI(5) |
NAME
accounting - Shorewall6 Accounting file
SYNOPSIS
/etc/shorewall6/accounting
DESCRIPTION
Accounting rules exist simply to count packets and bytes in categories that you define in this file. You may display these rules and their packet and byte counters using the shorewall6 show accounting command.
Beginning with Shorewall 4.4.18, the accounting structure can be created with three root chains:
The new structure is enabled by sectioning the accounting file in a manner similar to the rules file[1]. The sections are INPUT, OUTPUT and FORWARD and must appear in that order (although any of them may be omitted). The first non-commentary record in the accounting file must be a section header when sectioning is used.
Warning
If sections are not used, the Shorewall rules compiler cannot detect certain violations of netfilter restrictions. These violations can result in run-time errors such as the following:
ip6tables-restore v1.4.13: Can't use -o with INPUT
Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was added to shorewall.conf and shorewall6.conf. That setting determines the Netfilter table (filter or mangle) where the accounting rules are added. When ACCOUNTING_TABLE=mangle is specified, the available sections are PREROUTING, INPUT, OUTPUT, FORWARD and POSTROUTING.
Section headers have the form:
[?]SECTION section-name
The optional "?" was added in Shorewall 4.6.0 and is preferred. Existing configurations may be converted to use this form using the shorewall6 update command.
When sections are enabled:
The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax).
ACTION - {COUNT|DONE|chain[:{COUNT|JUMP}]|[?]COMMENT comment}
COUNT
DONE
chain[:COUNT]
chain:JUMP
INLINE
NFACCT({object[!]}[,...])
Prior to Shorewall 4.5.16, only one object could be specified. Beginning with Shorewall 4.5.16, an arbitrary number of objects may be given.
With Shorewall 4.5.16 or later, an nfacct object in the list may optionally be followed by ! to indicate that the nfacct object will be incremented unconditionally for each packet. When ! is omitted, the object will be incremented only if all of the matches in the rule succeed.
NFLOG[(nflog-parameters)] - Added in Shorewall-4.4.20.
?COMMENT
CHAIN - {-|chain}
SOURCE - {-|any|all|interface|interface:[address]|address}
The name of an interface, an address (host or net) or an interface name followed by ":" and a host or net address. An ipset name is also accepted as an address.
DEST - {-|any|all|interface|interface:[address]|address}
Format same as SOURCE column.
This column was formerly labelled DESTINATION.
PROTO - {-|any|all|protocol-name|protocol-number|ipp2p[:{udp|all}]}
Beginning with Shorewall 4.5.12, this column can accept a comma-separated list of protocols.
This column was formerly labelled PROTOCOL.
DPORT - {-|any|all|ipp2p-option|port-name-or-number[,port-name-or-number]...}
You may place a comma-separated list of port names or numbers in this column if your kernel and ip6tables include multi-port match support.
If the PROTO column is ipp2p then this column must contain an ipp2p-option ("ip6tables -m ipp2p --help") without the leading "--". If no option is given in this column, ipp2p is assumed.
This column was formerly labelled DEST PORT(S).
SPORT - {-|any|all|port-name-or-number[,port-name-or-number]...}
You may place a comma-separated list of port numbers in this column if your kernel and ip6tables include multi-port match support.
Beginning with Shorewall 4.5.15, you may place '=' in this column, provided that the DPORT column is non-empty. This causes the rule to match when either the source port or the destination port in a packet matches one of the ports specified in DPORT. Use of '=' requires multi-port match in your iptables and kernel.
This column was formerly labelled SOURCE PORT(S).
USER - [!][user-name-or-number][:group-name-or-number][+program-name]
When this column is non-empty, the rule applies only if the program generating the output is running under the effective user and/or group specified (or is NOT running under that id if "!" is given).
Examples:
joe
:kids
!:kids
+upnpd
Important
The ability to specify a program name was removed from Netfilter in kernel version 2.6.14.
This column was formerly labelled USER/GROUP.
MARK - [!]value[/mask][:C]
If you don't want to define a test but need to specify anything in the following columns, place a "-" in this field.
!
value
mask
:C
IPSEC - option-list (Optional - Added in Shorewall 4.4.13 but broken until 4.5.4.1)
reqid=number
spi=<number>
proto=ah|esp|ipcomp
mss=number
mode=transport|tunnel
tunnel-src=address[/mask]
tunnel-dst=address[/mask]
strict
next
yes or ipsec
no or none
in
out
If this column is non-empty and sections are not used, then:
HEADERS - [!][any:|exactly:]header-list (Optional - Added in Shorewall 4.4.15)
auth, ah, or 51
esp, or 50
hop, hop-by-hop or 0
route, ipv6-route or 41
frag, ipv6-frag or 44
none, ipv6-nonxt or 59
proto, protocol or 255
If any: is specified, the rule will match if any of the listed headers are present. If exactly: is specified, the rule will match only packets that include exactly the specified headers. If neither is given, any: is assumed.
If ! is entered, the rule will match those packets which would not be matched when ! is omitted.
In all of the above columns except ACTION and CHAIN, the values -, any and all may be used as wildcards. Omitted trailing columns are also treated as wildcards.
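As an added example (not part of this man page or of the Shorewall distribution), a small Python linter that checks two of the rules stated above before the file reaches the compiler: that section headers appear in the order required for the configured ACCOUNTING_TABLE, with no rule record preceding the first header once sectioning is used, and that a '=' in SPORT is accompanied by a non-empty DPORT. It assumes whitespace-separated columns in the order listed above and treats COMMENT/?COMMENT lines as non-records.

```python
import re

# Valid sections and their required order for each ACCOUNTING_TABLE value
SECTION_ORDER = {
    "filter": ["INPUT", "OUTPUT", "FORWARD"],
    "mangle": ["PREROUTING", "INPUT", "OUTPUT", "FORWARD", "POSTROUTING"],
}
SECTION_RE = re.compile(r"^\??SECTION\s+(\S+)$", re.IGNORECASE)
WILDCARDS = {"-", "any", "all"}

def lint_accounting(text, accounting_table="filter"):
    """Return a list of (line_number, problem) tuples for an accounting file."""
    order = SECTION_ORDER[accounting_table]
    problems, last_idx, sectioned = [], -1, None
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop '#' comments and blank lines
        if not line or line.lstrip("?").split()[0].upper() == "COMMENT":
            continue                                # assumption: COMMENT lines are not records
        match = SECTION_RE.match(line)
        if match:
            name = match.group(1).upper()
            if sectioned is False:
                problems.append((num, "section header follows unsectioned rules"))
            sectioned = True
            if name not in order:
                problems.append((num, f"section {name} not valid for ACCOUNTING_TABLE={accounting_table}"))
                continue
            idx = order.index(name)
            if idx <= last_idx:
                problems.append((num, f"section {name} repeated or out of order"))
            last_idx = max(last_idx, idx)
            continue
        if sectioned is None:
            sectioned = False                       # first record was a rule, not a header
        cols = line.split()                         # ACTION CHAIN SOURCE DEST PROTO DPORT SPORT ...
        dport = cols[5] if len(cols) > 5 else "-"
        sport = cols[6] if len(cols) > 6 else "-"
        if sport == "=" and dport in WILDCARDS:
            problems.append((num, "SPORT '=' requires a non-empty DPORT"))
    return problems

# Constructed sample files (not taken from any real configuration)
GOOD = "?SECTION INPUT\nCOUNT - eth0\n?SECTION FORWARD\nCOUNT - eth0 - tcp 80,443 =\n"
BAD = "?SECTION FORWARD\nCOUNT - eth0\n?SECTION INPUT\nCOUNT - eth0 - tcp - =\n"

if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_accounting(sample))
```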
FILES
/etc/shorewall6/accounting
SEE ALSO
http://www.shorewall.net/Accounting.html[2]
http://www.shorewall.net/shorewall_logging.html[3]
http://www.shorewall.net/configuration_file_basics.htm#Pairs[4]
shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-netmap(5), shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)
NOTES
1. rules file
03/16/2017 | Configuration Files |