More documentation updates for -C

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-11-22 07:33:43 +01:00 · 2014-11-02 09:25:58 -08:00 · 2014-11-02 09:25:58 -08:00 · 2f545012a6
commit 2f545012a6
parent c97226c46c
5 changed files with 130 additions and 0 deletions
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@ -848,6 +848,14 @@
          restored from the file specified by the RESTOREFILE option in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>

+          <caution>
+            <para>If your iptables ruleset depends on variables that are
+            detected at run-time, either in your params file or by
+            Shorewall-generated code, <command>restore</command> will use the
+            values that were current when the ruleset was saved, which may be
+            different from the current values.</para>
+          </caution>
+
          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
          If the <option>-C</option> option was specified during <emphasis
          role="bold">shorewall save</emphasis>, then the counters saved by
--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@ -1435,6 +1435,14 @@
          restored from the file specified by the RESTOREFILE option in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>

+          <caution>
+            <para>If your iptables ruleset depends on variables that are
+            detected at run-time, either in your params file or by
+            Shorewall-generated code, <command>restore</command> will use the
+            values that were current when the ruleset was saved, which may be
+            different from the current values.</para>
+          </caution>
+
          <para>The <option>-n</option> option causes Shorewall to avoid
          updating the routing table(s).</para>

--- a/Shorewall6-lite/manpages/shorewall6-lite.xml
+++ b/Shorewall6-lite/manpages/shorewall6-lite.xml
@ -821,6 +821,14 @@
          start</emphasis> except that it assumes that the firewall is already
          started. Existing connections are maintained.</para>

+          <caution>
+            <para>If your ip6tables ruleset depends on variables that are
+            detected at run-time, either in your params file or by
+            Shorewall-generated code, <command>restore</command> will use the
+            values that were current when the ruleset was saved, which may be
+            different from the current values.</para>
+          </caution>
+
          <para>The <option>-n</option> option causes shorewall6-lite to avoid
          updating the routing table(s).</para>

--- a/Shorewall6/manpages/shorewall6.xml
+++ b/Shorewall6/manpages/shorewall6.xml
@ -1324,6 +1324,14 @@
          restored from the file specified by the RESTOREFILE option in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>

+          <caution>
+            <para>If your ip6tables ruleset depends on variables that are
+            detected at run-time, either in your params file or by
+            Shorewall-generated code, <command>restore</command> will use the
+            values that were current when the ruleset was saved, which may be
+            different from the current values.</para>
+          </caution>
+
          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
          If the <option>-C</option> option was specified during <emphasis
          role="bold">shorewall6 save</emphasis>, then the counters saved by
--- a/docs/Accounting.xml
+++ b/docs/Accounting.xml
@ -612,4 +612,102 @@ gateway:~#
    <para>The <command>shorewall show nfacct</command> command is a thin
    wrapper around the <command>nfacct list</command> command.</para>
  </section>
+
+  <section>
+    <title>Preserving Counters over Restart and Reboot</title>
+
+    <para>Beginning with Shorewall 4.6.5, it is possible to preserve
+    <emphasis>all</emphasis> ip[6]tables packet and byte counters over
+    restarts and reboots through use of the <option>-C</option> option. This
+    option is available in several commands.</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>save</term>
+
+        <listitem>
+          <para> Causes the packet and byte counters to be saved along with
+          the chains and rules.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>restore</term>
+
+        <listitem>
+          <para>Causes the packet and byte counters (if saved) to be restored
+          along with the chains and rules. </para>
+
+          <caution>
+            <para>If your iptables ruleset depends on variables that are
+            detected at run-time, either in your params file or by
+            Shorewall-generated code, <command>restore</command> will use the
+            values that were detected when the ruleset was saved, which may be
+            different from the current values.</para>
+          </caution>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>start</term>
+
+        <listitem>
+          <para>With Shorewall and Shorewall6, the -C option only has an
+          effect if the <option>-f </option>option is also specified. If a
+          previously-saved configuration is restored, then the packet and byte
+          counters (if saved) will be restored along with the chains and
+          rules. </para>
+
+          <caution>
+            <para>If your iptables ruleset depends on variables that are
+            detected at run-time, either in your params file or by
+            Shorewall-generated code, <option>-C</option> will use the values
+            that were detected when the ruleset was saved, which may be
+            different from the current values.</para>
+          </caution>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>restart</term>
+
+        <listitem>
+          <para>If an existing compiled script is used (no recompilation
+          required) and if that script generated the current running
+          configuration, then the current netfilter configuration is reloaded
+          as is so as to preserve the current packet and byte counters.</para>
+
+          <caution>
+            <para>If your iptables ruleset depends on variables that are
+            detected at run-time, either in your params file or by
+            Shorewall-generated code, <option>-C</option> will use the values
+            that were detected when the ruleset was previously started, which
+            may be different from the current values.</para>
+          </caution>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para> If you wish to (approximately) preserve the counters over a
+    possibly unexpected reboot, then: </para>
+
+    <itemizedlist>
+      <listitem>
+        <para>Create a cron job that periodically executes 'shorewall save
+        <option>-C</option>'.</para>
+      </listitem>
+
+      <listitem>
+        <para>Specify the<option> -C</option> and <option>-f</option> options
+        in the STARTOPTIONS variable in either
+        <filename>/etc/default/shorewall</filename> (
+        <filename>/etc/default/shorewall6</filename>, etc.) or
+        <filename>/etc/sysconfig/shorewall</filename>
+        (<filename>/etc/sysconfig/shorewall</filename>6, etc.), whichever is
+        supported by your distribution. Note that not all distributions
+        include these files so you may have to create the one(s) you
+        need.</para>
+      </listitem>
+    </itemizedlist>
+  </section>
 </article>