More documentation updates for -C

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2014-11-02 09:25:58 -08:00
parent c97226c46c
commit 2f545012a6
5 changed files with 130 additions and 0 deletions

@ -848,6 +848,14 @@
restored from the file specified by the RESTOREFILE option in <ulink restored from the file specified by the RESTOREFILE option in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para> url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<caution>
<para>If your iptables ruleset depends on variables that are
detected at run-time, either in your params file or by
Shorewall-generated code, <command>restore</command> will use the
values that were current when the ruleset was saved, which may be
different from the current values.</para>
</caution>
<para>The <option>-C</option> option was added in Shorewall 4.6.5. <para>The <option>-C</option> option was added in Shorewall 4.6.5.
If the <option>-C</option> option was specified during <emphasis If the <option>-C</option> option was specified during <emphasis
role="bold">shorewall save</emphasis>, then the counters saved by role="bold">shorewall save</emphasis>, then the counters saved by
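Review bot: The caution's wording differs between copies of the same warning in this commit: here it says the values "that were current when the ruleset was saved", while the caution under restore in the new "Preserving Counters over Restart and Reboot" section says "that were detected when the ruleset was saved". Pick one phrasing ("detected" matches "detected at run-time" earlier in the same sentence) and use it in every copy, so readers do not take the two for different behaviours.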

@ -1435,6 +1435,14 @@
restored from the file specified by the RESTOREFILE option in <ulink restored from the file specified by the RESTOREFILE option in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para> url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<caution>
<para>If your iptables ruleset depends on variables that are
detected at run-time, either in your params file or by
Shorewall-generated code, <command>restore</command> will use the
values that were current when the ruleset was saved, which may be
different from the current values.</para>
</caution>
<para>The <option>-n</option> option causes Shorewall to avoid <para>The <option>-n</option> option causes Shorewall to avoid
updating the routing table(s).</para> updating the routing table(s).</para>
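Review bot: The caution added after the RESTOREFILE paragraph says that restore may use values different from the current ones but stops there, with no consequence and no action for the reader. Since this decides which rules the firewall actually enforces after a restore, add a sentence saying what to run when the run-time values may have changed since the save, and consider giving one concrete example of such a variable.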

@ -821,6 +821,14 @@
start</emphasis> except that it assumes that the firewall is already start</emphasis> except that it assumes that the firewall is already
started. Existing connections are maintained.</para> started. Existing connections are maintained.</para>
<caution>
<para>If your ip6tables ruleset depends on variables that are
detected at run-time, either in your params file or by
Shorewall-generated code, <command>restore</command> will use the
values that were current when the ruleset was saved, which may be
different from the current values.</para>
</caution>
<para>The <option>-n</option> option causes shorewall6-lite to avoid <para>The <option>-n</option> option causes shorewall6-lite to avoid
updating the routing table(s).</para> updating the routing table(s).</para>
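Review bot: This caution names <command>restore</command> and "when the ruleset was saved", but the context lines around it describe a command that is like start "except that it assumes that the firewall is already started", which does not read as the restore entry. Either move the caution to the restore entry of this manpage or reword it for the command documented here, as the restart entry in the new accounting section does with "when the ruleset was previously started".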

@ -1324,6 +1324,14 @@
restored from the file specified by the RESTOREFILE option in <ulink restored from the file specified by the RESTOREFILE option in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para> url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<caution>
<para>If your ip6tables ruleset depends on variables that are
detected at run-time, either in your params file or by
Shorewall-generated code, <command>restore</command> will use the
values that were current when the ruleset was saved, which may be
different from the current values.</para>
</caution>
<para>The <option>-C</option> option was added in Shorewall 4.6.5. <para>The <option>-C</option> option was added in Shorewall 4.6.5.
If the <option>-C</option> option was specified during <emphasis If the <option>-C</option> option was specified during <emphasis
role="bold">shorewall6 save</emphasis>, then the counters saved by role="bold">shorewall6 save</emphasis>, then the counters saved by
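Review bot: The placement leaves it unclear whether the stale-value behaviour depends on -C: the caution sits before the paragraph that introduces <option>-C</option> and attributes the behaviour to <command>restore</command> itself, while the commit subject and the start and restart cautions elsewhere in this commit attribute it to <option>-C</option>. State explicitly whether a plain restore is affected, and place the caution before or after the -C paragraph accordingly.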

@ -612,4 +612,102 @@ gateway:~#
<para>The <command>shorewall show nfacct</command> command is a thin <para>The <command>shorewall show nfacct</command> command is a thin
wrapper around the <command>nfacct list</command> command.</para> wrapper around the <command>nfacct list</command> command.</para>
</section> </section>
<section>
<title>Preserving Counters over Restart and Reboot</title>
<para>Beginning with Shorewall 4.6.5, it is possible to preserve
<emphasis>all</emphasis> ip[6]tables packet and byte counters over
restarts and reboots through use of the <option>-C</option> option. This
option is available in several commands.</para>
<variablelist>
<varlistentry>
<term>save</term>
<listitem>
<para> Causes the packet and byte counters to be saved along with
the chains and rules.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>restore</term>
<listitem>
<para>Causes the packet and byte counters (if saved) to be restored
along with the chains and rules. </para>
<caution>
<para>If your iptables ruleset depends on variables that are
detected at run-time, either in your params file or by
Shorewall-generated code, <command>restore</command> will use the
values that were detected when the ruleset was saved, which may be
different from the current values.</para>
</caution>
</listitem>
</varlistentry>
<varlistentry>
<term>start</term>
<listitem>
<para>With Shorewall and Shorewall6, the -C option only has an
effect if the <option>-f </option>option is also specified. If a
previously-saved configuration is restored, then the packet and byte
counters (if saved) will be restored along with the chains and
rules. </para>
<caution>
<para>If your iptables ruleset depends on variables that are
detected at run-time, either in your params file or by
Shorewall-generated code, <option>-C</option> will use the values
that were detected when the ruleset was saved, which may be
different from the current values.</para>
</caution>
</listitem>
</varlistentry>
<varlistentry>
<term>restart</term>
<listitem>
<para>If an existing compiled script is used (no recompilation
required) and if that script generated the current running
configuration, then the current netfilter configuration is reloaded
as is so as to preserve the current packet and byte counters.</para>
<caution>
<para>If your iptables ruleset depends on variables that are
detected at run-time, either in your params file or by
Shorewall-generated code, <option>-C</option> will use the values
that were detected when the ruleset was previously started, which
may be different from the current values.</para>
</caution>
</listitem>
</varlistentry>
</variablelist>
<para> If you wish to (approximately) preserve the counters over a
possibly unexpected reboot, then: </para>
<itemizedlist>
<listitem>
<para>Create a cron job that periodically executes 'shorewall save
<option>-C</option>'.</para>
</listitem>
<listitem>
<para>Specify the<option> -C</option> and <option>-f</option> options
in the STARTOPTIONS variable in either
<filename>/etc/default/shorewall</filename> (
<filename>/etc/default/shorewall6</filename>, etc.) or
<filename>/etc/sysconfig/shorewall</filename>
(<filename>/etc/sysconfig/shorewall</filename>6, etc.), whichever is
supported by your distribution. Note that not all distributions
include these files so you may have to create the one(s) you
need.</para>
</listitem>
</itemizedlist>
</section>
</article> </article>
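Review bot: The reboot recipe in the closing itemizedlist (a cron job running 'shorewall save -C' plus -C and -f in STARTOPTIONS) lets a boot restore the saved ruleset, which is exactly the case the cautions above warn about, yet the recipe carries no caution of its own; add one there, since a reader may jump straight to the recipe. Smaller points in the same hunk: the start and restart cautions say "iptables" in a section that covers ip[6]tables, the restart paragraph never mentions <option>-C</option> although its caution does, and the markup has stray spacing in "the<option> -C</option>" and "<option>-f </option>option" and leaves the 6 outside the element in "<filename>/etc/sysconfig/shorewall</filename>6".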