shorewall-doc-4.0.15-0.2mdvmes5.noarch.rpm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>shorewall-accounting</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="refentry" lang="en" xml:lang="en"><a id="id289787"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>accounting — Shorewall Accounting file</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">/etc/shorewall/accounting</code> </p></div></div><div class="refsect1" lang="en" xml:lang="en"><a id="id289823"></a><h2>Description</h2><p>Accounting rules exist simply to count packets and bytes in
    categories that you define in this file. You may display these rules and
    their packet and byte counters using the <span class="command"><strong>shorewall show
    accounting</strong></span> command.</p><p>The columns in the file are as follows.</p><div class="variablelist"><dl><dt><span class="term"><span class="bold"><strong>ACTION</strong></span> - {<span class="bold"><strong>COUNT</strong></span>|<span class="bold"><strong>DONE</strong></span>|<span class="emphasis"><em>chain</em></span>[:<span class="bold"><strong>COUNT</strong></span>]}</span></dt><dd><p>What to do when a matching packet is found.</p><div class="variablelist"><dl><dt><span class="term"><span class="bold"><strong>COUNT</strong></span></span></dt><dd><p>Simply count the match and continue with the next
                rule</p></dd><dt><span class="term"><span class="bold"><strong>DONE</strong></span></span></dt><dd><p>Count the match and don't attempt to match any other
                accounting rules in the chain specified in the <span class="bold"><strong>CHAIN</strong></span> column.</p></dd><dt><span class="term"><span class="emphasis"><em>chain</em></span>[<span class="bold"><strong>:</strong></span><span class="bold"><strong>COUNT</strong></span>]</span></dt><dd><p>Where <span class="emphasis"><em>chain</em></span> is the name of a chain;
                Shorewall will create the chain automatically if it doesn't
                already exist. Causes a jump to that chain to be added to the
                chain specified in the CHAIN column. If <span class="bold"><strong>:COUNT</strong></span> is included, a counting rule
                matching this entry will be added to
                <span class="emphasis"><em>chain</em></span></p></dd></dl></div></dd><dt><span class="term"><span class="bold"><strong>CHAIN</strong></span> - {<span class="bold"><strong>-</strong></span>|<span class="emphasis"><em>chain</em></span>}</span></dt><dd><p>The name of a <span class="emphasis"><em>chain</em></span>. If specified as
          <span class="bold"><strong>-</strong></span> the <span class="bold"><strong>accounting</strong></span> chain is assumed. This is the
          chain where the accounting rule is added. The
          <span class="emphasis"><em>chain</em></span> will be created if it doesn't already
          exist.</p></dd><dt><span class="term"><span class="bold"><strong>SOURCE</strong></span> - {<span class="bold"><strong>-</strong></span>|<span class="bold"><strong>any</strong></span>|<span class="bold"><strong>all</strong></span>|<span class="emphasis"><em>interface</em></span>|<span class="emphasis"><em>interface</em></span><span class="bold"><strong>:</strong></span><span class="emphasis"><em>address</em></span>|<span class="emphasis"><em>address</em></span>}</span></dt><dd><p>Packet Source.</p><p>The name of an <em class="replaceable"><code>interface</code></em>, an
          <em class="replaceable"><code>address</code></em> (host or net) or an
          <em class="replaceable"><code>interface</code></em> name followed by ":" and a host
          or net <em class="replaceable"><code>address</code></em>.</p></dd><dt><span class="term"><span class="bold"><strong>DESTINATION</strong></span> - {<span class="bold"><strong>-</strong></span>|<span class="bold"><strong>any</strong></span>|<span class="bold"><strong>all</strong></span>|<span class="emphasis"><em>interface</em></span>|<span class="emphasis"><em>interface</em></span><span class="bold"><strong>:</strong></span><span class="emphasis"><em>address</em></span>|<span class="emphasis"><em>address</em></span>}</span></dt><dd><p>Packet Destination.</p><p>Format same as <span class="bold"><strong>SOURCE</strong></span>
          column.</p></dd><dt><span class="term"><span class="bold"><strong>PROTOCOL</strong></span> - {<span class="bold"><strong>-</strong></span>|<span class="bold"><strong>any</strong></span>|<span class="bold"><strong>all</strong></span>|<span class="emphasis"><em>protocol-name</em></span>|<span class="emphasis"><em>protocol-number</em></span>|<span class="bold"><strong>ipp2p</strong></span>[<span class="bold"><strong>:</strong></span>{<span class="bold"><strong>udp</strong></span>|<span class="bold"><strong>all</strong></span>}]}</span></dt><dd><p>A <span class="emphasis"><em>protocol-name</em></span> (from protocols(5)), a
          <span class="emphasis"><em>protocol-number</em></span>, <span class="bold"><strong>ipp2p</strong></span>, <span class="bold"><strong>ipp2p:udp</strong></span> or <span class="bold"><strong>ipp2p:all</strong></span></p></dd><dt><span class="term"><span class="bold"><strong>DEST PORT(S)</strong></span> - {<span class="bold"><strong>-</strong></span>|<span class="bold"><strong>any</strong></span>|<span class="bold"><strong>all</strong></span>|<span class="emphasis"><em>ipp2p-option</em></span>|<span class="emphasis"><em>port-name-or-number</em></span>[,<span class="emphasis"><em>port-name-or-number</em></span>]...}</span></dt><dd><p>Destination Port number. Service name from services(5) or
          <span class="emphasis"><em>port number</em></span>. May only be specified if the
          protocol is <span class="bold"><strong>tcp</strong></span> or <span class="bold"><strong>udp</strong></span> (6 or 17), or <span class="bold"><strong>ipp2p</strong></span> as described below.</p><p>You may place a comma-separated list of port names or numbers
          in this column if your kernel and iptables include multiport match
          support.</p><p>If the PROTOCOL is <span class="bold"><strong>ipp2p</strong></span> then
          this column must contain an <span class="emphasis"><em>ipp2p-option</em></span>
          ("iptables -m ipp2p --help") without the leading "--". If no option
          is given in this column, <span class="bold"><strong>ipp2p</strong></span> is
          assumed.</p></dd><dt><span class="term"><span class="bold"><strong>SOURCE PORT(S)</strong></span> - {<span class="bold"><strong>-</strong></span>|<span class="bold"><strong>any</strong></span>|<span class="bold"><strong>all</strong></span>|<span class="emphasis"><em>port-name-or-number</em></span>[,<span class="emphasis"><em>port-name-or-number</em></span>]...}</span></dt><dd><p>Service name from services(5) or <span class="emphasis"><em>port
          number</em></span>. May only be specified if the protocol is TCP or
          UDP (6 or 17).</p><p>You may place a comma-separated list of port names or numbers in this
          column if your kernel and iptables include multiport match
          support.</p></dd><dt><span class="term"><span class="bold"><strong>USER/GROUP</strong></span> - [<span class="bold"><strong>!</strong></span>][<span class="emphasis"><em>user-name-or-number</em></span>][<span class="bold"><strong>:</strong></span><span class="emphasis"><em>group-name-or-number</em></span>][<span class="bold"><strong>+</strong></span><span class="emphasis"><em>program-name</em></span>]</span></dt><dd><p>This column may only be non-empty if the <span class="bold"><strong>CHAIN</strong></span> is <span class="bold"><strong>OUTPUT</strong></span>.</p><p>When this column is non-empty, the rule applies only if the
          program generating the output is running under the effective
          <span class="emphasis"><em>user</em></span> and/or <span class="emphasis"><em>group</em></span>
          specified (or is NOT running under that id if "!" is given).</p><p>Examples:</p><div class="variablelist"><dl><dt><span class="term">joe</span></dt><dd><p>program must be run by joe</p></dd><dt><span class="term">:kids</span></dt><dd><p>program must be run by a member of the 'kids'
                group</p></dd><dt><span class="term">!:kids</span></dt><dd><p>program must not be run by a member of the 'kids'
                group</p></dd><dt><span class="term">+upnpd</span></dt><dd><p>program named upnpd</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>The ability to specify a program name was removed from
                  Netfilter in kernel version 2.6.14.</p></div></dd></dl></div></dd><dt><span class="term"><span class="bold"><strong>MARK</strong></span> - [<span class="bold"><strong>!</strong></span>]<span class="emphasis"><em>value</em></span>[/<span class="emphasis"><em>mask</em></span>][<span class="bold"><strong>:C</strong></span>]</span></dt><dd><p>Defines a test on the existing packet or connection mark. The
          rule will match only if the test returns true.</p><p>If you don't want to define a test but need to specify
          anything in the following columns, place a "-" in this field.</p><div class="variablelist"><dl><dt><span class="term">!</span></dt><dd><p>Inverts the test (not equal)</p></dd><dt><span class="term"><span class="emphasis"><em>value</em></span></span></dt><dd><p>Value of the packet or connection mark.</p></dd><dt><span class="term"><span class="emphasis"><em>mask</em></span></span></dt><dd><p>A mask to be applied to the mark before testing.</p></dd><dt><span class="term"><span class="bold"><strong>:C</strong></span></span></dt><dd><p>Designates a connection mark. If omitted, the packet
                mark's value is tested. This option is only supported by
                Shorewall-perl.</p></dd></dl></div></dd></dl></div><p>In all of the above columns except <span class="bold"><strong>ACTION</strong></span> and <span class="bold"><strong>CHAIN</strong></span>,
    the values <span class="bold"><strong>-</strong></span>, <span class="bold"><strong>any</strong></span> and <span class="bold"><strong>all</strong></span> may be
    used as wildcards. Omitted trailing columns are also treated as
    wildcards.</p></div><div class="refsect1" lang="en" xml:lang="en"><a id="id299019"></a><h2>FILES</h2><p>/etc/shorewall/accounting</p></div><div class="refsect1" lang="en" xml:lang="en"><a id="id299028"></a><h2>See ALSO</h2><p><a class="ulink" href="http://shorewall.net/Accounting.html" target="_self">http://shorewall.net/Accounting.html
    </a></p><p>shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
    shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_routes(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</p></div></div></body></html>
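The column rules in the Description above, as an added example that is not part of this man page or of Shorewall's own code: a Python script that parses a constructed accounting file, enforces the constraints the page states (ACTION and CHAIN take no wildcards; DEST PORT(S) needs tcp, udp or ipp2p; SOURCE PORT(S) needs tcp or udp; USER/GROUP only when CHAIN is OUTPUT; the MARK syntax with its :C suffix) and emits the iptables commands the entries imply. The mapping of COUNT to a targetless rule, DONE to RETURN and a chain name to a jump, the assumption that a bare SOURCE or DESTINATION starting with a digit is an IPv4 address, and every function name (parse_accounting, check_rule, match_args, compile_rules) are this example's own; it does not hook the accounting chain into INPUT, OUTPUT or FORWARD, which the page does not describe.

```python
"""Added example (not Shorewall's code): parse, validate and compile /etc/shorewall/accounting entries."""
import re
WILDCARDS = {"-", "any", "all"}
COLUMNS = ("ACTION", "CHAIN", "SOURCE", "DEST", "PROTO", "DPORT", "SPORT", "USER", "MARK")
CHAIN_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]*$")
MARK_RE = re.compile(r"^!?(0x[0-9a-fA-F]+|\d+)(/(0x[0-9a-fA-F]+|\d+))?(:C)?$")

SAMPLE = """\
#ACTION    CHAIN   SOURCE            DEST  PROTO  DPORT   SPORT  USER   MARK  (constructed)
COUNT      -       eth1:10.0.0.0/24  -     tcp    80,443
web        -       -                 eth0  tcp    80
web:COUNT  -       -                 eth0  tcp    443
DONE       web     10.0.0.7
COUNT      OUTPUT  -                 -     tcp    25      -      :mail
COUNT      -       -                 -     -      -       -      -      !1/0xff:C
"""

def check_rule(r):
    """Constraint violations for one parsed entry (an empty list when valid)."""
    p = []
    target = r["ACTION"][:-6] if r["ACTION"].endswith(":COUNT") else r["ACTION"]
    if r["ACTION"] not in ("COUNT", "DONE") and not CHAIN_RE.match(target):
        p.append(f"bad ACTION {r['ACTION']!r}")
    if r["CHAIN"] != "-" and not CHAIN_RE.match(r["CHAIN"]):  # ACTION and CHAIN take no wildcards
        p.append(f"bad CHAIN {r['CHAIN']!r}")
    proto = r["PROTO"].lower()
    ipp2p, ports_ok = proto in ("ipp2p", "ipp2p:udp", "ipp2p:all"), proto in ("tcp", "udp", "6", "17")
    if r["DPORT"] not in WILDCARDS and not (ports_ok or ipp2p):
        p.append("DEST PORT(S) requires protocol tcp, udp or ipp2p")
    if r["SPORT"] not in WILDCARDS and not ports_ok:
        p.append("SOURCE PORT(S) requires protocol tcp or udp")
    if r["USER"] not in WILDCARDS and r["CHAIN"] != "OUTPUT":
        p.append("USER/GROUP is only allowed when CHAIN is OUTPUT")
    if r["MARK"] not in WILDCARDS and not MARK_RE.match(r["MARK"]):
        p.append(f"bad MARK {r['MARK']!r}")
    return p

def parse_accounting(text):
    """One dict per entry, raising ValueError at the first invalid one."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # comments and blank lines are skipped
        if not fields:
            continue
        if len(fields) > len(COLUMNS):
            raise ValueError(f"line {lineno}: too many columns")
        rule = dict(zip(COLUMNS, fields + ["-"] * (len(COLUMNS) - len(fields))))
        if problems := check_rule(rule):  # omitted trailing columns count as wildcards
            raise ValueError(f"line {lineno}: " + "; ".join(problems))
        rules.append(rule)
    return rules

def match_args(r):
    """iptables match arguments for the SOURCE..MARK columns of one entry."""
    args = []
    for col, iflag, aflag in (("SOURCE", "-i", "-s"), ("DEST", "-o", "-d")):
        iface, _, addr = r[col].partition(":") if r[col] not in WILDCARDS else ("", "", "")
        if not addr and iface[:1].isdigit():  # bare address; this example assumes IPv4
            iface, addr = "", iface
        args += ([iflag, iface] if iface else []) + ([aflag, addr] if addr else [])
    proto = r["PROTO"].lower()
    if proto.startswith("ipp2p"):  # with ipp2p the DPORT column carries the ipp2p option
        args += ["-m", "ipp2p", "--" + (r["DPORT"] if r["DPORT"] not in WILDCARDS else "ipp2p")]
    else:
        args += ["-p", proto] if proto not in WILDCARDS else []
        for col, flag in (("DPORT", "--dport"), ("SPORT", "--sport")):
            if r[col] not in WILDCARDS:  # a comma-separated list needs the multiport match
                args += ["-m", "multiport", flag + "s", r[col]] if "," in r[col] else [flag, r[col]]
    if r["USER"] not in WILDCARDS:
        neg, spec = (["!"], r["USER"][1:]) if r["USER"][0] == "!" else ([], r["USER"])
        spec, _, prog = spec.partition("+")
        if prog:  # the man page notes that kernel 2.6.14 dropped program-name matching
            raise ValueError("program-name owner match is not supported")
        user, _, group = spec.partition(":")
        args += ["-m", "owner"] + (neg + ["--uid-owner", user] if user else [])
        args += neg + ["--gid-owner", group] if group else []
    if r["MARK"] not in WILDCARDS:
        neg, spec = (["!"], r["MARK"][1:]) if r["MARK"][0] == "!" else ([], r["MARK"])
        conn = spec.endswith(":C")  # :C tests the connection mark instead of the packet mark
        args += ["-m", "connmark" if conn else "mark"] + neg + ["--mark", spec[:-2] if conn else spec]
    return args

def compile_rules(rules):
    """iptables command lines for the entries, creating user chains on first use."""
    cmds, known = [], {"INPUT", "OUTPUT", "FORWARD"}
    for r in rules:
        chain = "accounting" if r["CHAIN"] == "-" else r["CHAIN"]  # "-" means the accounting chain
        target = r["ACTION"][:-6] if r["ACTION"].endswith(":COUNT") else r["ACTION"]
        for c in (chain, target):
            if c not in known and c not in ("COUNT", "DONE"):  # created if it doesn't exist yet
                known.add(c)
                cmds.append(f"iptables -N {c}")
        base = ["iptables", "-A", chain] + match_args(r)
        if r["ACTION"] == "COUNT":
            cmds.append(" ".join(base))  # no target: count and go on to the next rule
        elif r["ACTION"] == "DONE":
            cmds.append(" ".join(base + ["-j", "RETURN"]))  # count and stop matching in this chain
        else:
            cmds.append(" ".join(base + ["-j", target]))  # jump to the user chain
            if r["ACTION"].endswith(":COUNT"):  # :COUNT also adds a counting rule inside target
                cmds.append(" ".join(["iptables", "-A", target] + match_args(r)))
    return cmds
```

The constructed sample exercises each ACTION form: the plain COUNT entries count and fall through, web:COUNT both jumps to the web chain and adds a matching counter inside it, and the DONE entry in web stops further matching there for 10.0.0.7. Call compile_rules(parse_accounting(SAMPLE)) to see the resulting commands, and compare the counters they produce with what shorewall show accounting displays.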