# Where chain is the name of a chain; Shorewall will create the chain
# automatically if it doesn't already exist. If a second chain is
# mentioned in the CHAIN column, a jump from that second chain to
# chain is created. If no chain is named in the CHAIN column, then a jump
# from the default chain to chain is created. If :COUNT is included, a
# counting rule matching this entry will be added to chain. The chain may
# not exceed 29 characters in length and may be composed of letters,
# digits, dash ('-') and underscore ('_').
# utility are only available when xtables-addons is installed. See
# http://www.shorewall.net/Accounting.html#perIP for additional information.
# Added in Shorewall 4.5.16. Allows freeform iptables matches to be
# specified following a ';'. In the generated iptables rule(s), the
# freeform matches will follow any matches that are generated by the
# NFACCT({object[!]}[,...])
#
# Added in Shorewall 4.5.7. Provides a form of accounting that survives
# shorewall stop/shorewall start and shorewall restart. Requires the
# NFAcct Match capability in your kernel and iptables. object names an
# nfacct object (see man nfacct(8)). Multiple rules can specify the same
# object; all packets that match any of the rules increment the packet
# and byte counts of the object.
#
# Prior to Shorewall 4.5.16, only one object could be specified.
# Beginning with Shorewall 4.5.16, an arbitrary number of objects may be
#
# With Shorewall 4.5.16 or later, an nfacct object in the list may
# optionally be followed by ! to indicate that the nfacct object will be
# incremented unconditionally for each packet. When ! is omitted, the
# object will be incremented only if all of the matches in the rule
# NFLOG[(nflog-parameters)] - Added in Shorewall-4.4.20.
#
# Causes each matching packet to be sent via the currently loaded logging
# backend (usually nfnetlink_log) where it is available to accounting
# daemons through a netlink socket.
# The remainder of the line is treated as a comment which is attached to
# subsequent rules until another COMMENT line is found or until the end
# of the file is reached. To stop adding comments to rules, use a line
# with only the word COMMENT.
#
# Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for COMMENT and
# CHAIN - {-|chain}
#
# The name of a chain. If specified as - the accounting chain is assumed when
# the file is un-sectioned. When the file is sectioned, the default is one of
# accountin, accountout, etc. depending on the section. This is the chain
# where the accounting rule is added. The chain will be created if it doesn't
# already exist. The chain may not exceed 29 characters in length.
# SOURCE - {-|any|all|interface|interface:address|address}
#
# The name of an interface, an address (host or net) or an interface name
# followed by ":" and a host or net address. An ipset name is also accepted
# DESTINATION (dest) - {-|any|all|interface|interface:address|address}
#
# Format same as SOURCE column.
# PROTOCOL (proto) - {-|any|all|protocol-name|protocol-number|ipp2p[:{udp|all}]}
#
# A protocol-name (from protocols(5)), a protocol-number, ipp2p, ipp2p:udp or
#
# Beginning with Shorewall 4.5.12, this column can accept a comma-separated
# DEST PORT(S) (dport) - {-|any|all|ipp2p-option|port-name-or-number[,
# port-name-or-number]...}
#
# You may place a comma-separated list of port numbers in this column if your
# kernel and iptables include multiport match support.
# Beginning with Shorewall 4.5.15, you may place '=' in the SOURCE PORT(S)
# (sport) column, provided that the DEST PORT(S) column is non-empty. This
# causes the rule to match when either the source port or the destination
# port in a packet matches one of the ports specified in DEST PORT(S). Use
# of '=' requires multiport match in your iptables and kernel.
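# The following is a complete un-sectioned accounting file that exercises
# the ACTION forms described earlier (chain[:COUNT], NFACCT with '!', NFLOG,
# COMMENT) together with the CHAIN, SOURCE, DEST, PROTO, DPORT and SPORT
# columns above. It is an added, constructed example, not a file shipped by
# the Shorewall project or taken from this page. The interface eth1, the
# network 192.168.1.0/24, the chain name 'web', the nfacct objects
# 'http_lan' and 'total', and NFLOG group 2 are assumptions chosen for
# illustration.

```text
#ACTION                  CHAIN   SOURCE                DEST                  PROTO   DPORT    SPORT
COMMENT                  LAN web traffic, counted in its own chain
# Jump from the accounting chain (CHAIN is -) to 'web', which Shorewall
# creates automatically, and count every packet that takes the jump.
web:COUNT                -       eth1:192.168.1.0/24   -                     tcp     80,443
# Return traffic: '=' in SPORT matches when either the source or the
# destination port is 80 or 443 (Shorewall 4.5.15+, needs multiport match).
web:COUNT                -       -                     eth1:192.168.1.0/24   tcp     80,443   =
COMMENT
# Rules placed in the 'web' chain via the CHAIN column give a per-port
# breakdown of what arrived through the two jumps above.
COUNT                    web     -                     -                     tcp     80
COUNT                    web     -                     -                     tcp     443
# Persistent counters that survive stop/start and restart: 'http_lan' is
# incremented only when the whole rule matches, 'total' (with '!') for every
# packet that reaches the rule, whether or not the port matches.
NFACCT(http_lan,total!)  -       eth1                  -                     tcp     80,443
# Hand DNS traffic to the logging backend (nfnetlink_log group 2, an assumed
# value) so an accounting daemon such as ulogd can collect it over netlink.
NFLOG(2)                 -       eth1                  -                     udp     53
```

# After compiling and starting, the chain counters are visible with
# `shorewall show accounting`; the nfacct objects are read with
# `nfacct list` or `nfacct get http_lan` (nfacct(8)), and must exist before
# the rules that reference them are loaded (create them with `nfacct add`
# if your Shorewall version does not create them for you).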
# USER/GROUP (user) - [!][user-name-or-number][:group-name-or-number][+