accounting — Shorewall6 Accounting file




Accounting rules exist simply to count packets and bytes in categories that you define in this file. You may display these rules and their packet and byte counters using the shorewall6 show accounting command.

Beginning with Shorewall 4.4.18, the accounting structure can be created with three root chains:

  • accountin: Rules that are valid in the INPUT chain (may not specify an output interface).

  • accountout: Rules that are valid in the OUTPUT chain (may not specify an input interface or a MAC address).

  • accounting: Other rules.

The new structure is enabled by sectioning the accounting file in a manner similar to the rules file. The sections are INPUT, OUTPUT and FORWARD and must appear in that order (although any of them may be omitted). The first non-commentary record in the accounting file must be a section header when sectioning is used.


If sections are not used, the Shorewall rules compiler cannot detect certain violations of netfilter restrictions. These violations can result in run-time errors such as the following:

ip6tables-restore v1.4.13: Can't use -o with INPUT

Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was added to shorewall.conf and shorewall6.conf. That setting determines the Netfilter table (filter or mangle) where the accounting rules are added. When ACCOUNTING_TABLE=mangle is specified, the available sections are PREROUTING, INPUT, OUTPUT, FORWARD and POSTROUTING.

Section headers have the form:

[?]SECTION section-name

The optional "?" was added in Shorewalll 4.6.0 and is preferred. Existing configurations may be converted to use this form using the shorewall6 update command.

When sections are enabled:

  • A jump to a user-defined accounting chain must appear before entries that add rules to that chain. This eliminates loops and unreferenced chains.

  • An output interface may not be specified in the PREROUTING and INPUT sections.

  • In the OUTPUT and POSTROUTING sections:

    • An input interface may not be specified

    • Jumps to a chain defined in the INPUT or PREROUTING sections that specifies an input interface are prohibited

    • MAC addresses may not be used

    • Jump to a chain defined in the INPUT or PREROUTING section that specifies a MAC address are prohibited.

  • The default value of the CHAIN column is:

    • accountin in the INPUT section

    • accountout in the OUTPUT section

    • accountfwd in the FORWARD section

    • accountpre in the PREROUTING section

    • accountpost in the POSTROUTING section

  • Traffic addressed to the firewall goes through the rules defined in the INPUT section.

  • Traffic originating on the firewall goes through the rules defined in the OUTPUT section.

  • Traffic being forwarded through the firewall goes through the rules from the FORWARD sections.

The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax).


What to do when a matching packet is found.


Simply count the match and continue with the next rule


Count the match and don't attempt to match any other accounting rules in the chain specified in the CHAIN column.


Where chain is the name of a chain; shorewall6 will create the chain automatically if it doesn't already exist. If a second chain is mentioned in the CHAIN column, then a jump from this second chain to chain is created. If no chain is named in the CHAIN column, then a jump from the default chain to chain is created. If :COUNT is included, a counting rule matching this entry will be added to chain. The chain may not exceed 29 characters in length and may be composed of letters, digits, dash ('-') and underscore ('_').


Like the previous option without the :COUNT part.


Added in Shorewall 4.5.16. Allows free form ip6tables matches to be specified following a ';'. In the generated ip6tables rule(s), the free form matches will follow any matches that are generated by the column contents.


Added in Shorewall 4.5.7. Provides a form of accounting that survives shorewall stop/shorewall start and shorewall restart. Requires the NFaccnt Match capability in your kernel and iptables. object names an nfacct object (see man nfaccnt(8)). Multiple rules can specify the same object; all packets that match any of the rules increment the packet and bytes count of the object.

Prior to Shorewall 4.5.16, only one object could be specified. Beginning with Shorewall 4.5.16, an arbitrary number of objects may be given.

With Shorewall 4.5.16 or later, an nfacct object in the list may optionally be followed by ! to indicate that the nfacct object will be incremented unconditionally for each packet. When ! is omitted, the object will be incremented only if all of the matches in the rule succeed.

NFLOG[(nflog-parameters)] - Added in Shorewall-4.4.20.

Causes each matching packet to be sent via the currently loaded logging back end (usually nfnetlink_log) where it is available to accounting daemons through a netlink socket.


The remainder of the line is treated as a comment which is attached to subsequent rules until another ?COMMENT line is found or until the end of the file is reached. To stop adding comments to rules, use a line with only the word ?COMMENT.

CHAIN - {-|chain}

The name of a chain. If specified as - the accounting chain is assumed when the file is un-sectioned. When the file is sectioned, the default is one of accountin, accountout, etc. depending on the section. This is the chain where the accounting rule is added. The chain will be created if it doesn't already exist. The chain may not exceed 29 characters in length.

SOURCE - {-|any|all|interface|interface:[address]|address}

Packet Source.

The name of an interface, an address (host or net) or an interface name followed by ":" and a host or net address. An ipset name is also accepted as an address.

DESTINATION (dest) - {-|any|all|interface|interface:[address]|address}

Packet Destination.

Format same as SOURCE column.

PROTOCOL (proto) - {-|any|all|protocol-name|protocol-number|ipp2p[:{udp|all}]}

A protocol-name (from protocols(5)), a protocol-number, ipp2p, ipp2p:udp or ipp2p:all

Beginning with Shorewall 4.5.12, this column can accept a comma-separated list of protocols.

DEST PORT(S) (dport) - {-|any|all|ipp2p-option|port-name-or-number[,port-name-or-number]...}

Destination Port number. Service name from services(5) or port number. May only be specified if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE (136).

You may place a comma-separated list of port names or numbers in this column if your kernel and ip6tables include multi-port match support.

If the PROTOCOL is ipp2p then this column must contain an ipp2p-option ("ip6tables -m ipp2p --help") without the leading "--". If no option is given in this column, ipp2p is assumed.

SOURCE PORT(S) (sport) - {-|any|all|port-name-or-number[,port-name-or-number]...}

Service name from services(5) or port number. May only be specified if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE (136).

You may place a comma-separated list of port numbers in this column if your kernel and ip6tables include multi-port match support.

Beginning with Shorewall 4.5.15, you may place '=' in this column, provided that the DEST PORT(S) column is non-empty. This causes the rule to match when either the source port or the destination port in a packet matches one of the ports specified in DEST PORTS(S). Use of '=' requires multi-port match in your iptables and kernel.

USER/GROUP (user) - [!][user-name-or-number][:group-name-or-number][+program-name]

This column may only be non-empty if the CHAIN is OUTPUT.

When this column is non-empty, the rule applies only if the program generating the output is running under the effective user and/or group specified (or is NOT running under that id if "!" is given).



program must be run by joe


program must be run by a member of the 'kids' group


program must not be run by a member of the 'kids' group


#program named upnpd


The ability to specify a program name was removed from Netfilter in kernel version 2.6.14.

MARK - [!]value[/mask][:C]

Defines a test on the existing packet or connection mark. The rule will match only if the test returns true.

If you don't want to define a test but need to specify anything in the following columns, place a "-" in this field.


Inverts the test (not equal)


Value of the packet or connection mark.


A mask to be applied to the mark before testing.


Designates a connection mark. If omitted, the packet mark's value is tested.

IPSEC - option-list (Optional - Added in Shorewall 4.4.13 but broken until )

The option-list consists of a comma-separated list of options from the following list. Only packets that will be encrypted or have been decrypted via an SA that matches these options will have their source address changed. May only be specified when sections are used.


where number is specified using setkey(8) using the 'unique:number option for the SPD level.


where number is the SPI of the SA used to encrypt/decrypt packets.


IPSEC Encapsulation Protocol


sets the MSS field in TCP packets


IPSEC mode


only available with mode=tunnel


only available with mode=tunnel


Means that packets must match all rules.


Separates rules; can only be used with strict

yes or ipsec

When used by itself, causes all traffic that will be encrypted/encapsulated or has been decrypted/un-encapsulated to match the rule.

no or none

When used by itself, causes all traffic that will not be encrypted/encapsulated or has been decrypted/un-encapsulated to match the rule.


May only be used in the FORWARD section and must be the first or the only item the list. Indicates that matching packets have been decrypted in input.


May only be used in the FORWARD section and must be the first or the only item in the list. Indicates that matching packets will be encrypted on output.

If this column is non-empty and sections are not used, then:

  • A chain NAME appearing in the ACTION column must be a chain branched either directly or indirectly from the accipsecin or accipsecout chain.

  • The CHAIN column must contain either accipsecin or accipsecout or a chain branched either directly or indirectly from those chains.

  • These rules will NOT appear in the accounting chain.

HEADERS - [!][any:|exactly:]header-list (Optional - Added in Shorewall 4.4.15)

The header-list consists of a comma-separated list of headers from the following list.

auth, ah, or 51

Authentication Headers extension header.

esp, or 50

Encrypted Security Payload extension header.

hop, hop-by-hop or 0

Hop-by-hop options extension header.

route, ipv6-route or 41

IPv6 Route extension header.

frag, ipv6-frag or 44

IPv6 fragmentation extension header.

none, ipv6-nonxt or 59

No next header

proto, protocol or 255

Any protocol header.

If any: is specified, the rule will match if any of the listed headers are present. If exactly: is specified, the will match packets that exactly include all specified headers. If neither is given, any: is assumed.

If ! is entered, the rule will match those packets which would not be matched when ! is omitted.

In all of the above columns except ACTION and CHAIN, the values -, any and all may be used as wildcards. Omitted trailing columns are also treated as wildcards.




shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-mangle(5), shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)


Frequently Used Articles

- FAQs - IPv4 Manpages - IPv6 Manpages - Configuration File Basics - Beginner Documentation - Troubleshooting

Shorewall 4.0/4.2 Documentation

Current HOWTOs and Other Articles

- 6to4 and 6in4 Tunnels - Accounting - Actions - Aliased (virtual) Interfaces (e.g., eth0:0) - Anatomy of Shorewall - Anti-Spoofing Measures - AUDIT Target support - Bandwidth Control - Blacklisting/Whitelisting - Bridge/Firewall - Building Shorewall from GIT - Commands - Compiled Programs - Configuration File Basics - DHCP - DNAT - Dynamic Zones - ECN Disabling by host or subnet - Events - Extension Scripts - Fallback/Uninstall - FAQs - Features - Fool's Firewall - Forwarding Traffic on the Same Interface - FTP and Shorewall - Helpers/Helper Modules - Installation/Upgrade - IPP2P - IPSEC - Ipsets - IPv6 Support - ISO 3661 Country Codes - Kazaa Filtering - Kernel Configuration - KVM (Kernel-mode Virtual Machine) - Limiting Connection Rates - Linux Containers (LXC) - Linux-vserver - Logging - Macros - MAC Verification - Manpages (IPv4) (IPv6) - Manual Chains - Masquerading - Multiple Internet Connections from a Single Firewall - Multiple Zones Through One Interface - My Shorewall Configuration - Netfilter Overview - Network Mapping - No firewalling of traffic between bridge port - One-to-one NAT - Operating Shorewall - OpenVPN - OpenVZ - Packet Marking - Packet Processing in a Shorewall-based Firewall - 'Ping' Management - Port Forwarding - Port Information - Port Knocking (deprecated) - Port Knocking, Auto Blacklisting and Other Uses of the 'Recent Match' - PPTP - Proxy ARP - QuickStart Guides - Release Model - Requirements - Routing and Shorewall - Routing on One Interface - Samba - Shorewall Events - Shorewall Init - Shorewall Lite - Shorewall on a Laptop - Shorewall Perl - Shorewall Setup Guide - SMB - SNAT - Split DNS the Easy Way - Squid with Shorewall - Starting/stopping the Firewall - Static (one-to-one) NAT - Support - Tips and Hints - Traffic Shaping/QOS - Simple - Traffic Shaping/QOS - Complex - Transparent Proxy - UPnP - Upgrade Issues - Upgrading to Shorewall 4.4 (Upgrading Debian Lenny to Squeeze) - VPN - VPN Passthrough - White List Creation - Xen - Shorewall in a Bridged Xen DomU - Xen - Shorewall in Routed Xen Dom0

Top of Page