ipacset is part of the
linux ip accounting package.
or, if omitted, the file
and sets the kernel ip accounting rules by calling the appropriate control
tool. The tool is ipfwadm if you use a linux kernel version 2.0.*, or
ipchains if you have linux 2.1.* or 2.2.*.
Each rule can be seen as a single counter which separately counts specific
ip traffic data. The definition of which rule counts which data is in the
stores the names of the rules from the config file in the file
whenever it runs.
uses the information from this file.
Run in "debug" mode: read the configuration file and print the
commands that would be executed.
When using ipchains, only set up the correct chains and jump rules for
ipac, then exit. (When using ipfwadm, just exit.)
CONFIG FILE FORMAT
The config file, normally
consists of lines with one rule per line. Lines beginning with # and
empty lines are ignored. Every other line has six fields, separated by
pipe characters (|). The fields are:
name of rule, direction, interface, protocol,
source and destination.
No extra spaces are allowed between the pipe characters and the field content!
Name of rule
is a name for the rule. The name's only function is to identify the rule.
It can be of any length and contain any character except "|". Don't make it longer than 40
If you have two or more rules with exactly the same name, ipac treats them as
one rule and sums the traffic counted by each of them; the rules are
effectively ORed together.
Specifies the direction in which the data passes through an interface. Data is counted
only if the direction matches.
It can be either
(count data coming in via an interface),
(count data going out through an interface) or
(count both in- and outgoing data).
This identifies the interface on which the traffic is to be counted. The name
of the interface (for example
should be used. A deprecated way to specify it is by
its ip number in dotted quad format (e.g.
- this is deprecated because the new
firewall code does not support it; if you have ipchains, the meaning is
"use the first interface which had this ip number when
ipacset was run"; if you
have ipfwadm, it means "use the interface which has this ip number when
an ip packet passes").
If empty, the traffic is counted for any interface.
Specifies which protocol the counted traffic belongs to.
It can be one of
tcp, udp, icmp or all.
These specify the source ip address(es) and port numbers the data comes from
and the destination ip address(es) and port numbers it goes to. Data is
counted by this rule only if both match.
The syntax of source and destination
is exactly the syntax of the corresponding options of the kernel ip
accounting / firewall control tool.
If you run a 2.0.* kernel, this tool is ipfwadm,
and the -S and -D parameter syntax in its man page describes the syntax
of these fields.
If you run a 2.1.* or 2.2.* kernel, the tool is called ipchains,
and the parameters
in question are -s / --source and -d / --destination.
In fact, these two fields are simply passed on to the control tool, with one
exception: since ipchains limits the number of tcp/udp/icmp port numbers in
source and destination to one (or one range), the old ipfwadm behavior is
emulated for 2.2.* kernels
(a list of port specifications, separated by spaces, is accepted).
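As an added illustration that is not part of ipac, the following Python parses config lines in the format described above and checks the constraints the text states: six pipe-separated fields, no spaces around the pipes, a protocol of tcp, udp, icmp or all, an empty interface meaning any interface, and same-named rules merged into one counter. The direction keywords, interface names and addresses in the sample are constructed, not taken from ipac.

```python
# Added example, not part of ipac: parse config lines in the format described
# above, check the stated constraints, and merge same-named rules into one counter.
from collections import OrderedDict

FIELDS = ("name", "direction", "interface", "protocol", "source", "destination")
PROTOCOLS = ("tcp", "udp", "icmp", "all")


class ConfigError(ValueError):
    """A line that violates the config file format."""


def parse_line(line):
    """Split one rule line into its six fields and check the stated constraints."""
    fields = line.split("|")
    if len(fields) != len(FIELDS):
        raise ConfigError(f"expected 6 fields, found {len(fields)}")
    rule = dict(zip(FIELDS, fields))
    for label, value in rule.items():
        # No extra spaces are allowed between the pipe characters and the content.
        if value != value.strip():
            raise ConfigError(f"field {label} has surrounding spaces: {value!r}")
    if len(rule["name"]) > 40:
        raise ConfigError(f"rule name longer than 40: {rule['name']!r}")
    if rule["protocol"] not in PROTOCOLS:
        raise ConfigError(f"protocol must be one of {', '.join(PROTOCOLS)}")
    if rule["interface"] == "":
        rule["interface"] = None  # empty interface field: count on any interface
    return rule


def parse_config(text):
    """Parse a config, skipping comments and blank lines; group rules by name."""
    counters = OrderedDict()  # name -> the rule lines feeding that one counter
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        try:
            rule = parse_line(line)
        except ConfigError as exc:
            raise ConfigError(f"line {lineno}: {exc}") from None
        counters.setdefault(rule["name"], []).append(rule)
    return counters


# Constructed sample config; direction keywords, interfaces and addresses are made up.
SAMPLE = """\
# web traffic to the server, counted as one rule (same name twice)
web in|in|eth0|tcp|0.0.0.0/0|192.168.1.10/32 80
web in|in|eth0|tcp|0.0.0.0/0|192.168.1.10/32 443

dns out|out|eth0|udp|192.168.1.0/24|0.0.0.0/0 53
everything|both||all|0.0.0.0/0|0.0.0.0/0
"""
```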
makes can be corrupted by other scripts or tools which add or delete
firewall rules in the kernel tables. Specifically, if ipchains is used
and something deletes ipac's "jump" rules from the standard chains,
ipac will no longer count anything. This can also happen if you flush
a standard chain.
most likely detects corrupted settings and automagically runs
(see section OPTIONS) to fix this condition. However, all data about
traffic passing between the call to
and the next call to
will be lost.
To avoid the loss of accounting information, always run
immediately after the jump rules have been deleted (or may have been deleted).
will make sure everything is set up correctly.