From 2f545012a6c9054130b704e0a7d01fff41718b16 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 2 Nov 2014 09:25:58 -0800 Subject: [PATCH] More documentation updates for -C Signed-off-by: Tom Eastep --- Shorewall-lite/manpages/shorewall-lite.xml | 8 ++ Shorewall/manpages/shorewall.xml | 8 ++ Shorewall6-lite/manpages/shorewall6-lite.xml | 8 ++ Shorewall6/manpages/shorewall6.xml | 8 ++ docs/Accounting.xml | 98 ++++++++++++++++++++ 5 files changed, 130 insertions(+) diff --git a/Shorewall-lite/manpages/shorewall-lite.xml b/Shorewall-lite/manpages/shorewall-lite.xml index 0ecacad2a..ae3b19b25 100644 --- a/Shorewall-lite/manpages/shorewall-lite.xml +++ b/Shorewall-lite/manpages/shorewall-lite.xml @@ -848,6 +848,14 @@ restored from the file specified by the RESTOREFILE option in shorewall.conf(5). + + If your iptables ruleset depends on variables that are + detected at run-time, either in your params file or by + Shorewall-generated code, restore will use the + values that were current when the ruleset was saved, which may be + different from the current values. + + The option was added in Shorewall 4.6.5. If the option was specified during shorewall save, then the counters saved by diff --git a/Shorewall/manpages/shorewall.xml b/Shorewall/manpages/shorewall.xml index 3c5c6ed90..73e3593b5 100644 --- a/Shorewall/manpages/shorewall.xml +++ b/Shorewall/manpages/shorewall.xml @@ -1435,6 +1435,14 @@ restored from the file specified by the RESTOREFILE option in shorewall.conf(5). + + If your iptables ruleset depends on variables that are + detected at run-time, either in your params file or by + Shorewall-generated code, restore will use the + values that were current when the ruleset was saved, which may be + different from the current values. + + The option causes Shorewall to avoid updating the routing table(s). diff --git a/Shorewall6-lite/manpages/shorewall6-lite.xml b/Shorewall6-lite/manpages/shorewall6-lite.xml index 0b63b6343..3b81aa78b 100644 
--- a/Shorewall6-lite/manpages/shorewall6-lite.xml +++ b/Shorewall6-lite/manpages/shorewall6-lite.xml @@ -821,6 +821,14 @@ start except that it assumes that the firewall is already started. Existing connections are maintained. + + If your ip6tables ruleset depends on variables that are + detected at run-time, either in your params file or by + Shorewall-generated code, restore will use the + values that were current when the ruleset was saved, which may be + different from the current values. + + The option causes shorewall6-lite to avoid updating the routing table(s). diff --git a/Shorewall6/manpages/shorewall6.xml b/Shorewall6/manpages/shorewall6.xml index e89890526..f7cd420af 100644 --- a/Shorewall6/manpages/shorewall6.xml +++ b/Shorewall6/manpages/shorewall6.xml @@ -1324,6 +1324,14 @@ restored from the file specified by the RESTOREFILE option in shorewall6.conf(5). + + If your ip6tables ruleset depends on variables that are + detected at run-time, either in your params file or by + Shorewall-generated code, restore will use the + values that were current when the ruleset was saved, which may be + different from the current values. + + The option was added in Shorewall 4.6.5. If the option was specified during shorewall6 save, then the counters saved by diff --git a/docs/Accounting.xml b/docs/Accounting.xml index 7104e37ae..fd33dd011 100644 --- a/docs/Accounting.xml +++ b/docs/Accounting.xml @@ -612,4 +612,102 @@ gateway:~# The shorewall show nfacct command is a thin wrapper around the nfacct list command. + +
+ Preserving Counters over Restart and Reboot + + Beginning with Shorewall 4.6.5, it is possible to preserve + all ip[6]tables packet and byte counters over + restarts and reboots through use of the option. This + option is available in several commands. + + + + save + + + Causes the packet and byte counters to be saved along with + the chains and rules. + + + + + restore + + + Causes the packet and byte counters (if saved) to be restored + along with the chains and rules. + + + If your iptables ruleset depends on variables that are + detected at run-time, either in your params file or by + Shorewall-generated code, restore will use the + values that were detected when the ruleset was saved, which may be + different from the current values. + + + + + + start + + + With Shorewall and Shorewall6, the -C option only has an + effect if the option is also specified. If a + previously-saved configuration is restored, then the packet and byte + counters (if saved) will be restored along with the chains and + rules. + + + If your iptables ruleset depends on variables that are + detected at run-time, either in your params file or by + Shorewall-generated code, will use the values + that were detected when the ruleset was saved, which may be + different from the current values. + + + + + + restart + + + If an existing compiled script is used (no recompilation + required) and if that script generated the current running + configuration, then the current netfilter configuration is reloaded + as is so as to preserve the current packet and byte counters. + + + If your iptables ruleset depends on variables that are + detected at run-time, either in your params file or by + Shorewall-generated code, will use the values + that were detected when the ruleset was previously started, which + may be different from the current values. 
+ + + + + + If you wish to (approximately) preserve the counters over a + possibly unexpected reboot, then: + + + + Create a cron job that periodically executes 'shorewall save + '. + + + + Specify the and options + in the STARTOPTIONS variable in either + /etc/default/shorewall ( + /etc/default/shorewall6, etc.) or + /etc/sysconfig/shorewall + (/etc/sysconfig/shorewall6, etc.), whichever is + supported by your distribution. Note that not all distributions + include these files so you may have to create the one(s) you + need. + + +
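Review bot: In the Shorewall-lite/manpages/shorewall-lite.xml hunk (@@ -848,6 +848,14 @@) the added paragraph says restore will use "the values that were current when the ruleset was saved", while the docs/Accounting.xml hunk of this same patch says "the values that were detected when the ruleset was saved". Pick one wording, preferably "detected" since the sentence is about variables "detected at run-time", and use it in all four manpage hunks so the caveat reads the same everywhere. The paragraph also only states what happens; a closing sentence telling the reader what to run when the run-time values may have changed would make it actionable.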
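Review bot: In the Shorewall6-lite/manpages/shorewall6-lite.xml hunk (@@ -821,6 +821,14 @@) the caveat about restore is added after the context line "start except that it assumes that the firewall is already started. Existing connections are maintained.", whereas the other three manpage hunks add it after "restored from the file specified by the RESTOREFILE option". Please confirm that this paragraph lands in the restore entry and not in the entry for a different command. If the placement is intentional, the text should name the command that entry documents rather than restore.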
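Review bot: In the docs/Accounting.xml hunk (@@ -612,4 +612,102 @@) the closing procedure for surviving "a possibly unexpected reboot" omits the stale-values caveat that the restore, start and restart entries above it each carry. Once the two options are placed in STARTOPTIONS, every boot restores the last saved ruleset, so the procedure should state that variables detected at run-time will hold the values from the most recent cron-driven save, not the values at boot. The first step also names only 'shorewall save' while the second step covers /etc/default/shorewall6 and /etc/sysconfig/shorewall6; mention the shorewall6 equivalent of the cron command as well. Smaller points: the start entry writes "the -C option" literally where the rest of the section uses option markup, and the caveat paragraphs say "iptables ruleset" although the section opens with "ip[6]tables".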