Provided by:
shorewall6_4.4.26.1-1_all 
NAME
accounting - Shorewall6 Accounting file
SYNOPSIS
/etc/shorewall6/accounting
DESCRIPTION
Accounting rules exist simply to count packets and bytes in categories
that you define in this file. You may display these rules and their
packet and byte counters using the shorewall6 show accounting command.
Beginning with Shorewall 4.4.18, the accounting structure can be
created with three root chains:
o accountin: Rules that are valid in the INPUT chain (may not specify
an output interface).
o accountout: Rules that are valid in the OUTPUT chain (may not
specify an input interface or a MAC address).
o accounting: Other rules.
The new structure is enabled by sectioning the accounting file in a
manner similar to the rules file[1]. The sections are INPUT, OUTPUT and
FORWARD and must appear in that order (although any of them may be
omitted). The first non-commentary record in the accounting file must
be a section header when sectioning is used.
Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was added
to shorewall.conf and shorewall6.conf. That setting determines the
Netfilter table (filter or mangle) where the accounting rules are
added. When ACCOUNTING_TABLE=mangle is specified, the available
sections are PREROUTING, INPUT, OUTPUT, FORWARD and POSTROUTING.
Section headers have the form:
SECTION section-name
When sections are enabled:
o A jump to a user-defined accounting chain before entries that add
rules to that chain.
o This eliminates loops and unreferenced chains.
o An output interface may not be specified in the PREROUTING and
INPUT sections.
o In the OUTPUT and POSTROUTING sections:
o An input interface may not be specified
o Jumps to a chain defined in the INPUT or PREROUTING sections
that specifies an input interface are prohibited
o MAC addresses may not be used
o Jump to a chain defined in the INPUT or PREROUTING section that
specifies a MAC address are prohibited.
o The default value of the CHAIN column is:
o accountin in the INPUT section
o accounout in the OUTPUT section
o accountfwd in the FORWARD section
o accountpre in the PREROUTING section
o accountpost in the POSTROUTING section
o Traffic addressed to the firewall goes through the rules defined in
the INPUT section.
o Traffic originating on the firewall goes through the rules defined
in the OUTPUT section.
o Traffic being forwarded through the firewall goes through the rules
from the FORWARD sections.
The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used
in the alternate specification syntax).
ACTION - {COUNT|DONE|chain[:{COUNT|JUMP}]|COMMENT comment}
What to do when a matching packet is found.
COUNT
Simply count the match and continue with the next rule
DONE
Count the match and don't attempt to match any other accounting
rules in the chain specified in the CHAIN column.
chain[:COUNT]
Where chain is the name of a chain; shorewall6 will create the
chain automatically if it doesn't already exist. Causes a jump
to that chain to be added to the chain specified in the CHAIN
column. If :COUNT is included, a counting rule matching this
entry will be added to chain. The chain may not exceed 29
characters in length and may be composed of letters, digits,
dash ('-') and underscore ('_').
chain:JUMP
Like the previous option without the :COUNT part.
NFLOG[(nflog-parameters)] - Added in Shorewall-4.4.20.
Causes each matching packet to be sent via the currently loaded
logging backend (usually nfnetlink_log) where it is available
to accounting daemons through a netlink socket.
COMMENT
The remainder of the line is treated as a comment which is
attached to subsequent rules until another COMMENT line is
found or until the end of the file is reached. To stop adding
comments to rules, use a line with only the word COMMENT.
CHAIN - {-|chain}
The name of a chain. If specified as - the accounting chain is
assumed. This is the chain where the accounting rule is added. The
chain will be created if it doesn't already exist. The chain may
not exceed 29 characters in length.
SOURCE - {-|any|all|interface|interface:[address]|address}
Packet Source.
The name of an interface, an address (host or net) or an interface
name followed by ":" and a host or net address.
DESTINATION (dest) - {-|any|all|interface|interface:[address]|address}
Packet Destination.
Format same as SOURCE column.
PROTOCOL (proto) -
{-|any|all|protocol-name|protocol-number|ipp2p[:{udp|all}]}
A protocol-name (from protocols(5)), a protocol-number, ipp2p,
ipp2p:udp or ipp2p:all
DEST PORT(S) (dport) -
{-|any|all|ipp2p-option|port-name-or-number[,port-name-or-number]...}
Destination Port number. Service name from services(5) or port
number. May only be specified if the protocol is TCP (6), UDP (17),
DCCP (33), SCTP (132) or UDPLITE (136).
You may place a comma-separated list of port names or numbers in
this column if your kernel and ip6tables include multiport match
support.
If the PROTOCOL is ipp2p then this column must contain an
ipp2p-option ("ip6tables -m ipp2p --help") without the leading
"--". If no option is given in this column, ipp2p is assumed.
SOURCE PORT(S) (sport) -
{-|any|all|port-name-or-number[,port-name-or-number]...}
Service name from services(5) or port number. May only be specified
if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or
UDPLITE (136).
You may place a comma-separated list of port numbers in this column
if your kernel and ip6tables include multiport match support.
USER/GROUP (user) -
[!][user-name-or-number][:group-name-or-number][+program-name]
This column may only be non-empty if the CHAIN is OUTPUT.
When this column is non-empty, the rule applies only if the program
generating the output is running under the effective user and/or
group specified (or is NOT running under that id if "!" is given).
Examples:
joe
program must be run by joe
:kids
program must be run by a member of the 'kids' group
!:kids
program must not be run by a member of the 'kids' group
+upnpd
#program named upnpd
Important
The ability to specify a program name was removed from
Netfilter in kernel version 2.6.14.
MARK - [!]value[/mask][:C]
Defines a test on the existing packet or connection mark. The rule
will match only if the test returns true.
If you don't want to define a test but need to specify anything in
the following columns, place a "-" in this field.
!
Inverts the test (not equal)
value
Value of the packet or connection mark.
mask
A mask to be applied to the mark before testing.
:C
Designates a connection mark. If omitted, the packet mark's
value is tested.
IPSEC - option-list (Optional - Added in Shorewall 4.4.13 )
The option-list consists of a comma-separated list of options from
the following list. Only packets that will be encrypted or have
been de-crypted via an SA that matches these options will have
their source address changed.
reqid=number
where number is specified using setkey(8) using the
'unique:number option for the SPD level.
spi=<number>
where number is the SPI of the SA used to encrypt/decrypt
packets.
proto=ah|esp|ipcomp
IPSEC Encapsulation Protocol
mss=number
sets the MSS field in TCP packets
mode=transport|tunnel
IPSEC mode
tunnel-src=address[/mask]
only available with mode=tunnel
tunnel-dst=address[/mask]
only available with mode=tunnel
strict
Means that packets must match all rules.
next
Separates rules; can only be used with strict
yes or ipsec
When used by itself, causes all traffic that will be
encrypted/encapsulated or has been decrypted/un-encapsulted to
match the rule.
no or none
When used by itself, causes all traffic that will not be
encrypted/encapsulated or has been decrypted/un-encapsulted to
match the rule.
If this column is non-empty, then:
o A chain NAME may appearing in the ACTION column must be a chain
branched either directly or indirectly from the accountin or
accountout chain.
o The CHAIN column must contain either accountin or accountout or
a chain branched either directly or indirectly from those
chains.
These rules will NOT appear in the accounting chain.
HEADERS - [!][any:|exactly:]header-list (Optional - Added in Shorewall
4.4.15)
The header-list consists of a comma-separated list of headers from
the following list.
auth, ah, or 51
Authentication Headers extension header.
esp, or 50
Encrypted Security Payload extension header.
hop, hop-by-hop or 0
Hop-by-hop options extension header.
route, ipv6-route or 41
IPv6 Route extension header.
frag, ipv6-frag or 44
IPv6 fragmentation extension header.
none, ipv6-nonxt or 59
No next header
proto, protocol or 255
Any protocol header.
If any: is specified, the rule will match if any of the listed
headers are present. If exactly: is specified, the will match
packets that exactly include all specified headers. If neither is
given, any: is assumed.
If ! is entered, the rule will match those packets which would not
be matched when ! is omitted.
In all of the above columns except ACTION and CHAIN, the values -, any
and all may be used as wildcards. Omitted trailing columns are also
treated as wildcards.
FILES
/etc/shorewall6/accounting
SEE ALSO
http://shorewall.net/Accounting.html[2]
http://shorewall.net/shorewall_logging.html
http://shorewall.net/configuration_file_basics.htm#Pairs
shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5),
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
shorewall6-tunnels(5), shorewall6-zones(5)
NOTES
1. rules file
http://www.shorewall.net/manpages6/shorewall-rules.html
2. http://shorewall.net/Accounting.html
http://shorewall.net/Accounting.html
[FIXME: source] 12/13/2011 SHOREWALL6-ACCOUNTI(5)