ipacset is part of the ipac linux ip accounting package. ipacset reads config-file or, if omitted, the file /etc/ipac.conf and sets the kernel ip accounting rules by calling the appropriate control tool. The tool is ipfwadm(8) if you use a linux kernel version 2.0.* or ipchains(8) if you have linux 2.1.* or 2.2.*.

Each rule can be seen as a single counter which separately counts specific ip traffic data. The definition of which rule counts which data is in the config file.

ipacset stores the names of the rules from the config file in the file /var/run/ip-accounting-rules whenever it runs. fetchipac(8) uses the information from this file.
OPTIONS
-D
    Run in "debug" mode: read the configuration file and print the commands it would execute.
--fix-chains
    When using ipchains, only set up the correct chains and jump rules for ipac, then exit. (When using ipfwadm, just exit.)
CONFIG FILE FORMAT
The config file, normally /etc/ipac.conf, consists of lines with one rule per line. Lines beginning with # and empty lines are ignored. Every other line has six fields which are separated by pipeline characters (|). The fields are: name of rule, direction, interface, protocol, source and destination. No extra spaces are allowed between the pipeline characters and the field content!

Name of rule
    A name for the rule; its function is to identify the rule. It can have any length and contain any character except "|", but don't make it longer than 40 characters. If you have two or more rules with exactly the same name, ipac sees them as one rule and the traffic counted by all of them is summed up; the rules are effectively ORed together.
direction
    The direction the data goes through an interface. Data is counted only if the direction matches. It can be either in (count data coming in via an interface), out (count data going out through an interface) or both (count both incoming and outgoing data).
interface
    Identifies the interface on which the traffic is to be counted. The name of the interface (for example eth0) should be used. A deprecated way to specify it is by its ip number in dotted quad format (e.g. 123.123.123.123). This is deprecated because the new ipchains firewall code does not support it: with ipchains, the meaning is "use the first interface which had this ip number when ipacset was run"; with ipfwadm, it means "use the interface which has this ip number when an ip packet passes". If the field is empty, the traffic is counted on any interface.
protocol
    Specifies which protocol the counted traffic belongs to. It can be either tcp, udp, icmp or all.
source, destination
    These specify the source ip address(es) and port numbers the data comes from and the destination ip address(es) and port numbers it goes to. The data is counted by this rule only if both match. The syntax of source and destination matches exactly the syntax of the corresponding options of the kernel ip accounting / firewall control tool. If you run a 2.0.* kernel, this is ipfwadm(8), and the -S and -D parameter syntax in its man page describes the syntax of these fields. If you run a 2.1.* or 2.2.* kernel, the tool is called ipchains(8), and the parameters in question are -s / --source and -d / --destination. As a matter of fact, these two settings are simply passed on to the control tool, with one exception: since ipchains limits the number of tcp/udp/icmp port numbers in source and destination to one (or one range), the old ipfwadm behavior is emulated for 2.2.* kernels (a list of port specifications, separated by space, is accepted).
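As an added example (not code from the ipac package), the following Python parser checks a config in the format just described: it skips comments and empty lines, requires six pipe-separated fields with no spaces next to a "|", validates name length, direction and protocol, flags the deprecated ip-number form of the interface field, and groups rules with identical names into one counter. The sample config embedded in it is constructed for this example.

```python
DIRECTIONS = {"in", "out", "both"}
PROTOCOLS = {"tcp", "udp", "icmp", "all"}
MAX_NAME_LEN = 40

# Constructed sample in the six-field ipac.conf format; the last two rule
# lines deliberately break it (bad direction, space after a '|').
SAMPLE_CONF = """\
# name|direction|interface|protocol|source|destination
all in|in|eth0|all||
web|in|eth0|tcp||0.0.0.0/0 80 443
web|out|eth0|tcp|0.0.0.0/0 80 443|
dns|both|eth0|udp||0.0.0.0/0 53
legacy|in|123.123.123.123|all||
bad|sideways|eth0|tcp||
spaced|in| eth0|all||
"""

def parse_ipac_conf(text):
    """Return (rules, diagnostics): one dict per accepted rule line and one
    'line N: ...' string per deviation from the documented format."""
    rules, diags = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):  # comments and empty lines
            continue
        fields = line.split("|")
        if len(fields) != 6:
            diags.append(f"line {lineno}: expected 6 fields, got {len(fields)}")
            continue
        name, direction, iface, proto, src, dst = fields
        if iface.count(".") == 3 and iface.replace(".", "").isdigit():
            diags.append(f"line {lineno}: interface given as ip number is deprecated")
        errors = [msg for bad, msg in (
            (any(f != f.strip() for f in fields), "extra space next to a '|'"),
            (not name or len(name) > MAX_NAME_LEN, f"name must be 1..{MAX_NAME_LEN} chars"),
            (direction not in DIRECTIONS, f"bad direction {direction!r}"),
            (proto not in PROTOCOLS, f"bad protocol {proto!r}")) if bad]
        if errors:
            diags.extend(f"line {lineno}: {e}" for e in errors)
            continue
        # source/destination are kept verbatim; ipacset passes them on unchanged.
        rules.append({"name": name, "direction": direction, "interface": iface,
                      "protocol": proto, "source": src, "destination": dst})
    return rules, diags

def counters(rules):
    """Rules sharing a name form one counter (ORed together, traffic summed)."""
    groups = {}
    for r in rules:
        groups.setdefault(r["name"], []).append(r)
    return groups
```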
BUGS
The settings ipacset makes can be corrupted by other scripts or tools which add or delete firewall rules in the kernel tables. Specifically, if ipchains is used and something deletes ipac's "jump" rules from the standard chains input and/or output, ipac will no longer count anything. This can also happen if you flush a standard chain (ipchains -F or --flush).

fetchipac most likely detects corrupted settings and automagically runs ipacset --fix-chains (see section OPTIONS) to fix this condition. However, all data about traffic passing between the call to ipchains --flush and the next call to fetchipac will be lost.

To avoid the loss of accounting information, always run ipacset --fix-chains immediately after the jump rules were deleted (or may have been deleted). ipacset will make sure everything is set up correctly.