'\" t
.\" Title: shorewall6-accounting
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.75.2
.\" Date: 06/28/2012
.\" Manual: [FIXME: manual]
.\" Source: [FIXME: source]
.\" Language: English
.\"
.TH "SHOREWALL6\-ACCOUNTI" "5" "06/28/2012" "[FIXME: source]" "[FIXME: manual]"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
accounting \- Shorewall6 Accounting file
.SH "SYNOPSIS"
.HP \w'\fB/etc/shorewall6/accounting\fR\ 'u
\fB/etc/shorewall6/accounting\fR
.SH "DESCRIPTION"
.PP
Accounting rules exist simply to count packets and bytes in categories that you define in this file\&. You may display these rules and their packet and byte counters using the
\fBshorewall6 show accounting\fR
command\&.
.PP
Beginning with Shorewall 4\&.4\&.18, the accounting structure can be created with three root chains:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBaccountin\fR: Rules that are valid in the
\fBINPUT\fR
chain (may not specify an output interface)\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBaccountout\fR: Rules that are valid in the OUTPUT chain (may not specify an input interface or a MAC address)\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBaccounting\fR: Other rules\&.
.RE
.PP
The new structure is enabled by sectioning the accounting file in a manner similar to the
\m[blue]\fBrules file\fR\m[]\&\s-2\u[1]\d\s+2\&. The sections are
\fBINPUT\fR,
\fBOUTPUT\fR
and
\fBFORWARD\fR
and must appear in that order (although any of them may be omitted)\&. The first non\-commentary record in the accounting file must be a section header when sectioning is used\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBWarning\fR
.ps -1
.br
.PP
If sections are not used, the Shorewall rules compiler cannot detect certain violations of netfilter restrictions\&. These violations can result in run\-time errors such as the following:
.PP
\fBip6tables\-restore v1\&.4\&.13: Can\*(Aqt use \-o with INPUT\fR
.sp .5v
.RE
.PP
Beginning with Shorewall 4\&.4\&.20, the ACCOUNTING_TABLE setting was added to shorewall\&.conf and shorewall6\&.conf\&. That setting determines the Netfilter table (filter or mangle) where the accounting rules are added\&. When ACCOUNTING_TABLE=mangle is specified, the available sections are
\fBPREROUTING\fR,
\fBINPUT\fR,
\fBOUTPUT\fR,
\fBFORWARD\fR
and
\fBPOSTROUTING\fR\&.
.PP
Section headers have the form:
.PP
\fBSECTION\fR
\fIsection\-name\fR
.PP
When sections are enabled:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
A jump to a user\-defined accounting chain must appear before entries that add rules to that chain\&. This eliminates loops and unreferenced chains\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
An output interface may not be specified in the
\fBPREROUTING\fR
and
\fBINPUT\fR
sections\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
In the
\fBOUTPUT\fR
and
\fBPOSTROUTING\fR
sections:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
An input interface may not be specified\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Jumps to a chain defined in the
\fBINPUT\fR
or
\fBPREROUTING\fR
section that specifies an input interface are prohibited\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
MAC addresses may not be used\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Jumps to a chain defined in the
\fBINPUT\fR
or
\fBPREROUTING\fR
section that specifies a MAC address are prohibited\&.
.RE
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
The default value of the CHAIN column is:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBaccountin\fR
in the
\fBINPUT\fR
section
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBaccountout\fR
in the
\fBOUTPUT\fR
section
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBaccountfwd\fR
in the
\fBFORWARD\fR
section
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBaccountpre\fR
in the
\fBPREROUTING\fR
section
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBaccountpost\fR
in the
\fBPOSTROUTING\fR
section
.RE
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Traffic addressed to the firewall goes through the rules defined in the INPUT section\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Traffic originating on the firewall goes through the rules defined in the OUTPUT section\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Traffic being forwarded through the firewall goes through the rules defined in the FORWARD section\&.
.RE
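.PP
The sectioning restrictions above can be checked before the rules compiler runs\&. The following Python checker is an added example and is not part of Shorewall; it assumes the column order ACTION CHAIN SOURCE DEST, that IPv6 addresses are written in square brackets as in the SOURCE syntax, that MAC addresses carry Shorewall\*(Aqs "~" prefix, and that any other non\-wildcard SOURCE or DEST value is an interface name\&.

```python
# Added example (not Shorewall's own code): checks a shorewall6 accounting file
# against the sectioning restrictions in this man page. Assumed: column order
# ACTION CHAIN SOURCE DEST ...; IPv6 addresses bracketed ("[...]") as in the
# SOURCE syntax; MACs with Shorewall's "~" prefix; other non-wildcards = interfaces.
SECTIONS = ["PREROUTING", "INPUT", "OUTPUT", "FORWARD", "POSTROUTING"]
DEFAULT_CHAIN = {"PREROUTING": "accountpre", "INPUT": "accountin",
                 "OUTPUT": "accountout", "FORWARD": "accountfwd",
                 "POSTROUTING": "accountpost"}
BUILTIN_ACTIONS = {"COUNT", "DONE", "NFLOG", "COMMENT"}

def is_interface(field):
    return field not in ("-", "any", "all") and not field.startswith(("[", "<", "~"))

def check_accounting(text):
    """Return 'line N: message' for each violation; an empty list means clean."""
    errors, section, jumped_to = [], None, set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()        # drop comments, split columns
        if not cols:
            continue
        if cols[0] == "SECTION":
            name = cols[-1]
            if name not in SECTIONS or (section and SECTIONS.index(name) <= SECTIONS.index(section)):
                errors.append(f"line {lineno}: unknown or out-of-order section {name}")
            section = name if name in SECTIONS else section
            continue
        if section is None:                        # sectioned files start with a header
            errors.append(f"line {lineno}: first record must be a SECTION header")
            break
        cols += ["-"] * (4 - len(cols))            # omitted trailing columns are wildcards
        action, chain, src, dst = cols[:4]
        chain = DEFAULT_CHAIN[section] if chain == "-" else chain
        if section in ("PREROUTING", "INPUT") and is_interface(dst):
            errors.append(f"line {lineno}: output interface not allowed in {section}")
        if section in ("OUTPUT", "POSTROUTING") and (src.startswith("~") or is_interface(src)):
            errors.append(f"line {lineno}: input interface or MAC not allowed in {section}")
        if chain not in DEFAULT_CHAIN.values() and chain not in jumped_to:
            errors.append(f"line {lineno}: jump to {chain} must precede its rules")
        target = action.split(":")[0].split("(")[0]  # "web:COUNT" -> "web", "NFLOG(1)" -> "NFLOG"
        if target not in BUILTIN_ACTIONS:          # ACTION names a user-defined chain
            jumped_to.add(target)
    return errors

# Constructed sample (not from the man page); only the last rule is invalid.
SAMPLE = """SECTION INPUT
web:COUNT  -    -    -     tcp   80,443
COUNT      web  [2001:db8::1]
SECTION OUTPUT
DONE       -    -    eth0
COUNT      -    eth0             # input interface is not allowed here
"""
```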
.PP
The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax)\&.
.PP
\fBACTION\fR \- {\fBCOUNT\fR|\fBDONE\fR|\fIchain\fR[:\fB{COUNT|JUMP}\fR]|\fBNFLOG\fR[(\fInflog\-parameters\fR)]|\fBCOMMENT\fR \fIcomment\fR}
.RS 4
What to do when a matching packet is found\&.
.PP
\fBCOUNT\fR
.RS 4
Simply count the match and continue with the next rule
.RE
.PP
\fBDONE\fR
.RS 4
Count the match and don\*(Aqt attempt to match any other accounting rules in the chain specified in the
\fBCHAIN\fR
column\&.
.RE
.PP
\fIchain\fR[\fB:\fR\fBCOUNT\fR]
.RS 4
Where
\fIchain\fR
is the name of a chain; shorewall6 will create the chain automatically if it doesn\*(Aqt already exist\&. Causes a jump to that chain to be added to the chain specified in the CHAIN column\&. If
\fB:COUNT\fR
is included, a counting rule matching this entry will be added to
\fIchain\fR\&. The
\fIchain\fR
may not exceed 29 characters in length and may be composed of letters, digits, dash (\*(Aq\-\*(Aq) and underscore (\*(Aq_\*(Aq)\&.
.RE
.PP
\fIchain\fR:JUMP
.RS 4
Like the previous option without the
\fB:COUNT\fR
part\&.
.RE
.PP
NFLOG[(nflog\-parameters)] \- Added in Shorewall\-4\&.4\&.20\&.
.RS 4
Causes each matching packet to be sent via the currently loaded logging backend (usually nfnetlink_log) where it is available to accounting daemons through a netlink socket\&.
.RE
.PP
COMMENT
.RS 4
The remainder of the line is treated as a comment which is attached to subsequent rules until another COMMENT line is found or until the end of the file is reached\&. To stop adding comments to rules, use a line with only the word COMMENT\&.
.RE
.RE
.PP
\fBCHAIN\fR \- {\fB\-\fR|\fIchain\fR}
.RS 4
The name of a
\fIchain\fR\&. If specified as
\fB\-\fR
the
\fBaccounting\fR
chain is assumed\&. This is the chain where the accounting rule is added\&. The
\fIchain\fR
will be created if it doesn\*(Aqt already exist\&. The
\fIchain\fR
may not exceed 29 characters in length\&.
.RE
.PP
\fBSOURCE\fR \- {\fB\-\fR|\fBany\fR|\fBall\fR|\fIinterface\fR|\fIinterface\fR\fB:[\fR\fIaddress\fR\fB]\fR|\fIaddress\fR}
.RS 4
Packet Source\&.
.sp
The name of an
\fIinterface\fR, an
\fIaddress\fR
(host or net) or an
\fIinterface\fR
name followed by ":" and a host or net
\fIaddress\fR\&.
.RE
.PP
\fBDESTINATION\fR (dest) \- {\fB\-\fR|\fBany\fR|\fBall\fR|\fIinterface\fR|\fIinterface\fR\fB:[\fR\fIaddress\fR\fB]\fR|\fIaddress\fR}
.RS 4
Packet Destination\&.
.sp
Format same as
\fBSOURCE\fR
column\&.
.RE
.PP
\fBPROTOCOL\fR (proto) \- {\fB\-\fR|\fBany\fR|\fBall\fR|\fIprotocol\-name\fR|\fIprotocol\-number\fR|\fBipp2p\fR[\fB:\fR{\fBudp\fR|\fBall\fR}]}
.RS 4
A
\fIprotocol\-name\fR
(from protocols(5)), a
\fIprotocol\-number\fR,
\fBipp2p\fR,
\fBipp2p:udp\fR
or
\fBipp2p:all\fR
.RE
.PP
\fBDEST PORT(S)\fR (dport) \- {\fB\-\fR|\fBany\fR|\fBall\fR|\fIipp2p\-option\fR|\fIport\-name\-or\-number\fR[,\fIport\-name\-or\-number\fR]\&.\&.\&.}
.RS 4
Destination Port number\&. Service name from services(5) or
\fIport number\fR\&. May only be specified if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE (136)\&.
.sp
You may place a comma\-separated list of port names or numbers in this column if your kernel and ip6tables include multiport match support\&.
.sp
If the PROTOCOL is
\fBipp2p\fR
then this column must contain an
\fIipp2p\-option\fR
("ip6tables \-m ipp2p \-\-help") without the leading "\-\-"\&. If no option is given in this column,
\fBipp2p\fR
is assumed\&.
.RE
.PP
\fBSOURCE PORT(S)\fR (sport) \- {\fB\-\fR|\fBany\fR|\fBall\fR|\fIport\-name\-or\-number\fR[,\fIport\-name\-or\-number\fR]\&.\&.\&.}
.RS 4
Service name from services(5) or
\fIport number\fR\&. May only be specified if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE (136)\&.
.sp
You may place a comma\-separated list of port numbers in this column if your kernel and ip6tables include multiport match support\&.
.RE
.PP
\fBUSER/GROUP\fR (user) \- [\fB!\fR][\fIuser\-name\-or\-number\fR][\fB:\fR\fIgroup\-name\-or\-number\fR][\fB+\fR\fIprogram\-name\fR]
.RS 4
This column may only be non\-empty if the
\fBCHAIN\fR
is
\fBOUTPUT\fR\&.
.sp
When this column is non\-empty, the rule applies only if the program generating the output is running under the effective
\fIuser\fR
and/or
\fIgroup\fR
specified (or is NOT running under that id if "!" is given)\&.
.sp
Examples:
.PP
joe
.RS 4
program must be run by joe
.RE
.PP
:kids
.RS 4
program must be run by a member of the \*(Aqkids\*(Aq group
.RE
.PP
!:kids
.RS 4
program must not be run by a member of the \*(Aqkids\*(Aq group
.RE
.PP
+upnpd
.RS 4
program named upnpd
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBImportant\fR
.ps -1
.br
The ability to specify a program name was removed from Netfilter in kernel version 2\&.6\&.14\&.
.sp .5v
.RE
.RE
.RE
.PP
\fBMARK\fR \- [\fB!\fR]\fIvalue\fR[/\fImask\fR][\fB:C\fR]
.RS 4
Defines a test on the existing packet or connection mark\&. The rule will match only if the test returns true\&.
.sp
If you don\*(Aqt want to define a test but need to specify anything in the following columns, place a "\-" in this field\&.
.PP
!
.RS 4
Inverts the test (not equal)
.RE
.PP
\fIvalue\fR
.RS 4
Value of the packet or connection mark\&.
.RE
.PP
\fImask\fR
.RS 4
A mask to be applied to the mark before testing\&.
.RE
.PP
\fB:C\fR
.RS 4
Designates a connection mark\&. If omitted, the packet mark\*(Aqs value is tested\&.
.RE
.RE
.PP
\fBIPSEC \- \fR\fB\fIoption\-list\fR\fR\fB (Optional \- Added in Shorewall 4\&.4\&.13 but broken until 4\&.5\&.4\&.1)\fR
.RS 4
The option\-list consists of a comma\-separated list of options from the following list\&. Only packets that will be encrypted or have been decrypted via an SA that matches these options will have their source address changed\&. May only be specified when sections are used\&.
.PP
\fBreqid=\fR\fInumber\fR
.RS 4
where
\fInumber\fR
is specified using setkey(8) with the \*(Aqunique:\fInumber\fR\*(Aq option for the SPD level\&.
.RE
.PP
\fBspi=\fR\fInumber\fR
.RS 4
where
\fInumber\fR
is the SPI of the SA used to encrypt/decrypt packets\&.
.RE
.PP
\fBproto=\fR\fBah\fR|\fBesp\fR|\fBipcomp\fR
.RS 4
IPSEC Encapsulation Protocol
.RE
.PP
\fBmss=\fR\fInumber\fR
.RS 4
sets the MSS field in TCP packets
.RE
.PP
\fBmode=\fR\fBtransport\fR|\fBtunnel\fR
.RS 4
IPSEC mode
.RE
.PP
\fBtunnel\-src=\fR\fIaddress\fR[/\fImask\fR]
.RS 4
only available with mode=tunnel
.RE
.PP
\fBtunnel\-dst=\fR\fIaddress\fR[/\fImask\fR]
.RS 4
only available with mode=tunnel
.RE
.PP
\fBstrict\fR
.RS 4
Means that packets must match all rules\&.
.RE
.PP
\fBnext\fR
.RS 4
Separates rules; can only be used with strict
.RE
.PP
\fByes\fR or \fBipsec\fR
.RS 4
When used by itself, causes all traffic that will be encrypted/encapsulated or has been decrypted/un\-encapsulated to match the rule\&.
.RE
.PP
\fBno\fR or \fBnone\fR
.RS 4
When used by itself, causes all traffic that will not be encrypted/encapsulated or has not been decrypted/un\-encapsulated to match the rule\&.
.RE
.PP
\fBin\fR
.RS 4
May only be used in the FORWARD section and must be the first or the only item in the list\&. Indicates that matching packets have been decrypted in input\&.
.RE
.PP
\fBout\fR
.RS 4
May only be used in the FORWARD section and must be the first or the only item in the list\&. Indicates that matching packets will be encrypted on output\&.
.RE
.sp
If this column is non\-empty and sections are not used, then:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
A chain NAME appearing in the ACTION column must be a chain branched either directly or indirectly from the
\fBaccipsecin\fR
or
\fBaccipsecout\fR
chain\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
The CHAIN column must contain either
\fBaccipsecin\fR
or
\fBaccipsecout\fR
or a chain branched either directly or indirectly from those chains\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
These rules will NOT appear in the
\fBaccounting\fR
chain\&.
.RE
.RE
.PP
\fBHEADERS \- [!][any:|exactly:]\fR\fIheader\-list \fR(Optional \- Added in Shorewall 4\&.4\&.15)
.RS 4
The
\fIheader\-list\fR
consists of a comma\-separated list of headers from the following list\&.
.PP
\fBauth\fR, \fBah\fR, or \fB51\fR
.RS 4
Authentication Headers
extension header\&.
.RE
.PP
\fBesp\fR, or \fB50\fR
.RS 4
Encrypted Security Payload
extension header\&.
.RE
.PP
\fBhop\fR, \fBhop\-by\-hop\fR or \fB0\fR
.RS 4
Hop\-by\-hop options extension header\&.
.RE
.PP
\fBroute\fR, \fBipv6\-route\fR or \fB41\fR
.RS 4
IPv6 Route extension header\&.
.RE
.PP
\fBfrag\fR, \fBipv6\-frag\fR or \fB44\fR
.RS 4
IPv6 fragmentation extension header\&.
.RE
.PP
\fBnone\fR, \fBipv6\-nonxt\fR or \fB59\fR
.RS 4
No next header
.RE
.PP
\fBproto\fR, \fBprotocol\fR or \fB255\fR
.RS 4
Any protocol header\&.
.RE
.sp
If
\fBany:\fR
is specified, the rule will match if any of the listed headers are present\&. If
\fBexactly:\fR
is specified, the rule will match only packets that include exactly the specified headers\&. If neither is given,
\fBany:\fR
is assumed\&.
.sp
If
\fB!\fR
is entered, the rule will match those packets which would not be matched when
\fB!\fR
is omitted\&.
.RE
.PP
In all of the above columns except
\fBACTION\fR
and
\fBCHAIN\fR, the values
\fB\-\fR,
\fBany\fR
and
\fBall\fR
may be used as wildcards\&. Omitted trailing columns are also treated as wildcards\&.
.SH "FILES"
.PP
/etc/shorewall6/accounting
.SH "SEE ALSO"
.PP
\m[blue]\fBhttp://shorewall\&.net/Accounting\&.html\fR\m[]\&\s-2\u[2]\d\s+2
.PP
\m[blue]\fBhttp://shorewall\&.net/shorewall_logging\&.html\fR\m[]
.PP
\m[blue]\fBhttp://shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]
.PP
shorewall6(8), shorewall6\-actions(5), shorewall6\-blacklist(5), shorewall6\-hosts(5), shorewall6\-interfaces(5), shorewall6\-maclist(5), shorewall6\-netmap(5), shorewall6\-params(5), shorewall6\-policy(5), shorewall6\-providers(5), shorewall6\-rtrules(5), shorewall6\-routestopped(5), shorewall6\-rules(5), shorewall6\&.conf(5), shorewall6\-secmarks(5), shorewall6\-tcclasses(5), shorewall6\-tcdevices(5), shorewall6\-tcrules(5), shorewall6\-tos(5), shorewall6\-tunnels(5), shorewall6\-zones(5)
.SH "NOTES"
.IP " 1." 4
rules file
.RS 4
\%http://www.shorewall.net/manpages6/shorewall-rules.html
.RE
.IP " 2." 4
http://shorewall.net/Accounting.html
.RS 4
\%http://shorewall.net/Accounting.html
.RE