SHOREWALL6-ACCOUNTI(5) | Configuration Files | SHOREWALL6-ACCOUNTI(5) |
NAME¶
accounting - Shorewall6 Accounting fileSYNOPSIS¶
/etc/shorewall6/accounting
DESCRIPTION¶
Accounting rules exist simply to count packets and bytes in categories that you define in this file. You may display these rules and their packet and byte counters using the shorewall6 show accounting command. Beginning with Shorewall 4.4.18, the accounting structure can be created with three root chains:•accountin: Rules that are valid in the
INPUT chain (may not specify an output interface).
•accountout: Rules that are valid in the
OUTPUT chain (may not specify an input interface or a MAC address).
•accounting: Other rules.
The new structure is enabled by sectioning the accounting file in a manner
similar to the rules file[1]. The sections are INPUT,
OUTPUT and FORWARD and must appear in that order (although any
of them may be omitted). The first non-commentary record in the accounting
file must be a section header when sectioning is used.
•A jump to a user-defined accounting chain must
appear before entries that add rules to that chain. This eliminates loops and
unreferenced chains.
•An output interface may not be specified in the
PREROUTING and INPUT sections.
•In the OUTPUT and POSTROUTING
sections:
•An input interface may not be specified
•Jumps to a chain defined in the INPUT or
PREROUTING sections that specifies an input interface are
prohibited
•MAC addresses may not be used
•Jump to a chain defined in the INPUT or
PREROUTING section that specifies a MAC address are prohibited.
•The default value of the CHAIN column is:
•accountin in the INPUT
section
•accountout in the OUTPUT
section
•accountfwd in the FORWARD
section
•accountpre in the PREROUTING
section
•accountpost in the POSTROUTING
section
•Traffic addressed to the firewall goes through
the rules defined in the INPUT section.
•Traffic originating on the firewall goes through
the rules defined in the OUTPUT section.
•Traffic being forwarded through the firewall goes
through the rules from the FORWARD sections.
The columns in the file are as follows (where the column name is followed by a
different name in parentheses, the different name is used in the alternate
specification syntax).
ACTION -
{COUNT|DONE|chain[:{COUNT|JUMP}]|[?]COMMENT
comment}
What to do when a matching packet is found.
COUNT
CHAIN - {-|chain}
Simply count the match and continue with the next
rule
DONE
Count the match and don't attempt to match any other
accounting rules in the chain specified in the CHAIN column.
chain[:COUNT]
Where chain is the name of a chain; shorewall6
will create the chain automatically if it doesn't already exist. If a second
chain is mentioned in the CHAIN column, then a jump from this second chain to
chain is created. If no chain is named in the CHAIN column, then a jump
from the default chain to chain is created. If :COUNT is
included, a counting rule matching this entry will be added to chain.
The chain may not exceed 29 characters in length and may be composed of
letters, digits, dash ('-') and underscore ('_').
chain:JUMP
Like the previous option without the :COUNT
part.
INLINE
Added in Shorewall 4.5.16. Allows free form ip6tables
matches to be specified following a ';'. In the generated ip6tables rule(s),
the free form matches will follow any matches that are generated by the column
contents.
NFACCT({object[!]}[,...])
Added in Shorewall 4.5.7. Provides a form of accounting
that survives shorewall stop/shorewall start and shorewall
restart. Requires the NFaccnt Match capability in your kernel and
iptables. object names an nfacct object (see man nfaccnt(8)). Multiple
rules can specify the same object; all packets that match any of the
rules increment the packet and bytes count of the object.
Prior to Shorewall 4.5.16, only one object could be specified. Beginning
with Shorewall 4.5.16, an arbitrary number of objects may be given.
With Shorewall 4.5.16 or later, an nfacct object in the list may
optionally be followed by ! to indicate that the nfacct object
will be incremented unconditionally for each packet. When ! is omitted,
the object will be incremented only if all of the matches in the rule
succeed.
NFLOG[(nflog-parameters)] - Added in Shorewall-4.4.20.
Causes each matching packet to be sent via the currently
loaded logging back end (usually nfnetlink_log) where it is available to
accounting daemons through a netlink socket.
[?]COMMENT
The remainder of the line is treated as a comment which
is attached to subsequent rules until another COMMENT line is found or until
the end of the file is reached. To stop adding comments to rules, use a line
with only the word COMMENT.
Note
Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for COMMENT and is
preferred.
The name of a chain. If specified as - the
accounting chain is assumed when the file is un-sectioned. When the
file is sectioned, the default is one of accountin, accountout, etc. depending
on the section. This is the chain where the accounting rule is added. The
chain will be created if it doesn't already exist. The chain may
not exceed 29 characters in length.
SOURCE -
{-|any|all|interface|interface
: [address]|address}
Packet Source.
The name of an interface, an address (host or net) or an
interface name followed by ":" and a host or net
address. An ipset name is also accepted as an address.
DESTINATION (dest) -
{-|any|all|interface|interface
:[address ]|address}
Packet Destination.
Format same as SOURCE column.
PROTOCOL (proto) -
{-|any|all|protocol-name|protocol-number|ipp2p[:{udp|all}]}
A protocol-name (from protocols(5)), a
protocol-number, ipp2p, ipp2p:udp or ipp2p:all
Beginning with Shorewall 4.5.12, this column can accept a comma-separated list
of protocols.
DEST PORT(S) (dport) -
{-|any|all|ipp2p-option|
port-name-or-number[, port-name-or-number]...}
Destination Port number. Service name from services(5) or
port number. May only be specified if the protocol is TCP (6), UDP
(17), DCCP (33), SCTP (132) or UDPLITE (136).
You may place a comma-separated list of port names or numbers in this column if
your kernel and ip6tables include multi-port match support.
If the PROTOCOL is ipp2p then this column must contain an
ipp2p-option ("ip6tables -m ipp2p --help") without the
leading "--". If no option is given in this column, ipp2p is
assumed.
SOURCE PORT(S) (sport) -
{-|any|all|port-name-or-number[,
port-name-or-number]...}
Service name from services(5) or port number. May
only be specified if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132)
or UDPLITE (136).
You may place a comma-separated list of port numbers in this column if your
kernel and ip6tables include multi-port match support.
Beginning with Shorewall 4.5.15, you may place '=' in this column, provided that
the DEST PORT(S) column is non-empty. This causes the rule to match when
either the source port or the destination port in a packet matches one of the
ports specified in DEST PORTS(S). Use of '=' requires multi-port match in your
iptables and kernel.
USER/GROUP (user) -
[!][user-name-or-number][:group-name-or-number][
+program-name]
This column may only be non-empty if the CHAIN is
OUTPUT.
When this column is non-empty, the rule applies only if the program generating
the output is running under the effective user and/or group
specified (or is NOT running under that id if "!" is given).
Examples:
joe
MARK - [!]value[/mask][:C]
program must be run by joe
:kids
program must be run by a member of the 'kids' group
!:kids
program must not be run by a member of the 'kids'
group
+upnpd
#program named upnpd
Important
The ability to specify a program name was removed from Netfilter in kernel
version 2.6.14.
Defines a test on the existing packet or connection mark.
The rule will match only if the test returns true.
If you don't want to define a test but need to specify anything in the following
columns, place a "-" in this field.
!
IPSEC - option-list (Optional - Added in Shorewall
4.4.13 but broken until 4.5.4.1 )
Inverts the test (not equal)
value
Value of the packet or connection mark.
mask
A mask to be applied to the mark before testing.
:C
Designates a connection mark. If omitted, the packet
mark's value is tested.
The option-list consists of a comma-separated list of
options from the following list. Only packets that will be encrypted or have
been decrypted via an SA that matches these options will have their source
address changed. May only be specified when sections are used.
reqid=number
HEADERS - [!][any:|exactly:]header-list (Optional - Added in
Shorewall 4.4.15)
where number is specified using setkey(8) using
the 'unique: number option for the SPD level.
spi=<number>
where number is the SPI of the SA used to
encrypt/decrypt packets.
proto=ah|esp|ipcomp
IPSEC Encapsulation Protocol
mss=number
sets the MSS field in TCP packets
mode=transport|tunnel
IPSEC mode
tunnel-src=address[/mask]
only available with mode=tunnel
tunnel-dst=address[/mask]
only available with mode=tunnel
strict
Means that packets must match all rules.
next
Separates rules; can only be used with strict
yes or ipsec
When used by itself, causes all traffic that will be
encrypted/encapsulated or has been decrypted/un-encapsulated to match the
rule.
no or none
When used by itself, causes all traffic that will not be
encrypted/encapsulated or has been decrypted/un-encapsulated to match the
rule.
in
May only be used in the FORWARD section and must be the
first or the only item the list. Indicates that matching packets have been
decrypted in input.
out
May only be used in the FORWARD section and must be the
first or the only item in the list. Indicates that matching packets will be
encrypted on output.
If this column is non-empty and sections are not used, then:
•A chain NAME appearing in the ACTION column must
be a chain branched either directly or indirectly from the accipsecin
or accipsecout chain.
•The CHAIN column must contain either
accipsecin or accipsecout or a chain branched either directly or
indirectly from those chains.
•These rules will NOT appear in the
accounting chain.
The header-list consists of a comma-separated list
of headers from the following list.
auth, ah, or 51
In all of the above columns except ACTION and CHAIN, the values
-, any and all may be used as wildcards. Omitted trailing
columns are also treated as wildcards.
Authentication Headers extension header.
esp, or 50
Encrypted Security Payload extension header.
hop, hop-by-hop or 0
Hop-by-hop options extension header.
route, ipv6-route or 41
IPv6 Route extension header.
frag, ipv6-frag or 44
IPv6 fragmentation extension header.
none, ipv6-nonxt or 59
No next header
proto, protocol or 255
Any protocol header.
If any: is specified, the rule will match if any of the listed headers
are present. If exactly: is specified, the will match packets that
exactly include all specified headers. If neither is given, any: is
assumed.
If ! is entered, the rule will match those packets which would not be
matched when ! is omitted.FILES¶
/etc/shorewall6/accountingSEE ALSO¶
http://www.shorewall.net/Accounting.html[2] http://www.shorewall.net/shorewall_logging.html[3] http://www.shorewall.net/configuration_file_basics.htm#Pairs[4] shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)NOTES¶
- 1.
- rules file
10/19/2014 | Configuration Files |