Replace SAVE_COUNTERS with the -C command option

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2025-01-03 03:59:16 +01:00 · 2014-11-01 09:37:57 -07:00 · 2014-11-01 09:37:57 -07:00 · 8fb73026c8
commit 8fb73026c8
parent 4546cbaff7
23 changed files with 237 additions and 118 deletions
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@ -493,7 +493,7 @@ save_config() {
    [ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2
-    [ -n "$SAVE_COUNTERS" ] && iptables_save="$iptables_save --counters"
+    [ -n "$g_counters" iptables_save="$iptables_save --counters"
    if product_is_started ; then
 	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
@ -1631,6 +1631,10 @@ restore_command() {
 			    g_purge=Yes
 			    option=${option%p}
 			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
 			    ;;
 			*)
 			    usage 1
 			    ;;
@ -3115,6 +3119,38 @@ reject_command() {
 }
 save_command() {
    local finished
    finished=0
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
 	case $option in
 	    -*)
 		option=${option#-}
 		while [ -n "$option" ]; do
 		    case $option in
 			-)
 			    finished=1
 			    option=
 			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
 			    ;;
 			*)
 			    usage 1
 			    ;;
 		    esac
 		done
 		shift
 		;;
 	    *)
 		finished=1
 		;;
 	esac
    done
    case $# in
 	1)
 	    ;;
@ -3458,6 +3494,10 @@ start_command() {
 			    g_fast=Yes
 			    option=${option#f}
 			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
 			    g_purge=Yes
@ -3519,6 +3559,10 @@ restart_command() {
 			    g_purge=Yes
 			    option=${option%p}
 			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
 			    ;;
 			*)
 			    usage 1
 			    ;;
@ -3592,10 +3636,10 @@ usage() # $1 = exit status
    echo "   logwatch [<refresh interval>]"
    echo "   reject <address> ..."
    echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
+    echo "   restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
-    echo "   restore [ -n ] [ -p ] [ <file name> ]"
+    echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
    echo "   run <command> [ <parameter> ... ]"
-    echo "   save [ <file name> ]"
+    echo "   save [ -C ] [ <file name> ]"
    echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
    echo "   [ show | list | ls ] [ -f ] capabilities"
    echo "   [ show | list | ls ] arptables"
@ -3620,7 +3664,7 @@ usage() # $1 = exit status
    echo "   [ show | list | ls ] tc [ device ]"
    echo "   [ show | list | ls ] vardir"
    echo "   [ show | list | ls ] zones"
-    echo "   start [ -f ] [ -p ] [ <directory> ]"
+    echo "   start [ -f ] [ -p ] [ -C ] [ <directory> ]"
    echo "   stop"
    echo "   status [ -i ]"
    echo "   version [ -a ]"
@ -3672,6 +3716,7 @@ shorewall_cli() {
    g_directives=
    g_inline=
    g_tcrules=
    g_counters=
    VERBOSE=
    VERBOSITY=1
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@ -157,6 +157,7 @@ run_it() {
 	[ -n "$g_timestamp" ]  && options=${options}t
 	[ -n "$g_purge" ]      && options=${options}p
 	[ -n "$g_recovering" ] && options=${options}r
 	[ -n "$g_counters" ]   && options=${options}c
 	options="${options}V $VERBOSITY"
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@ -299,7 +299,7 @@
      <arg><option>-n</option></arg>
-      <arg><option>-p</option></arg>
+      <arg><option>-p</option><arg><option>-C</option></arg></arg>
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
@ -314,6 +314,8 @@
      <arg choice="plain"><option>restore</option></arg>
      <arg><option>-C</option></arg>
      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
@ -340,7 +342,8 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="plain"><option>save</option></arg>
+      <arg
      choice="plain"><option>save</option><arg><option>-C</option></arg></arg>
      <arg choice="opt"><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
@ -476,6 +479,8 @@
      <arg><option>-p</option></arg>
      <arg><option>-f</option></arg>
      <arg><option>-C</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@ -821,6 +826,12 @@
          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
          If the specified (or implicit) firewall script is the one that
          generated the current running configuration, then the running
          netfilter configuration will be reloaded as is so as to preserve the
          iptables packet and byte counters.</para>
        </listitem>
      </varlistentry>
@ -836,6 +847,11 @@
          <emphasis>filename</emphasis> is given then Shorewall-lite will be
          restored from the file specified by the RESTOREFILE option in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
          If the <option>-C</option> option was specified during <emphasis
          role="bold">shorewall save</emphasis>, then the counters saved by
          that operation will be restored.</para>
        </listitem>
      </varlistentry>
@ -867,6 +883,10 @@
          <emphasis>filename</emphasis> is not given then the state is saved
          in the file specified by the RESTOREFILE option in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
          <para>The <option>-C</option> option, added in Shorewall 4.6.5,
          causes the iptables packet and byte counters to be saved along with
          the chains and rules.</para>
        </listitem>
      </varlistentry>
@ -1113,6 +1133,13 @@
          url="shorewall.conf.html">shorewall.conf</ulink>(5) exists, is
          executable and is not older than the current filewall script, then
          that saved configuration is restored.</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5
          and is only meaningful when the <option>-f</option> option is also
          specified. If the previously-saved configuration is restored, and if
          the <option>-C</option> option was also specified in the <emphasis
          role="bold">save</emphasis> command, then the packet and byte
          counters will be restored.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -7907,18 +7907,16 @@ sub emitr1( $$ ) {
 sub save_dynamic_chains() {
-    my $tool = $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}';
+    my $tool    = $family == F_IPV4 ? '${IPTABLES}'      : '${IP6TABLES}';
    my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
    emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = refresh ]; then' );
    push_indent;
-    if ( $config{SAVE_COUNTERS} ) {
+    emit( 'if [ -n "$g_counters" ]; then' ,
-	my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
+	  "    ${tool}-save --counters > \${VARDIR}/.${utility}-input",
-
+	  "fi\n"
-	emit( 'if [ "$COMMAND" = restart ]; then',
+	);
 	      "    ${tool}-save --counters > \${VARDIR}/.${utility}-input",
 	      "fi\n" );
    }
    if ( have_capability 'IPTABLES_S' ) {
 	emit <<"EOF";
@ -8245,26 +8243,25 @@ sub create_netfilter_load( $ ) {
 	   '# Create the input to iptables-restore/ip6tables-restore and pass that input to the utility',
 	   '#',
 	   'setup_netfilter()',
-	   '{' );
+	   '{'.
-
+	   '    local option',
-    emit( '    local option' ) if $config{SAVE_COUNTERS};
+	);
    push_indent;
    my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
    my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';
-    if ( $config{SAVE_COUNTERS} ) {
+    emit( '',
-	emit( '',
+	  'if [ "$COMMAND" = restart -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
-	      'if [ "$COMMAND" = restart ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
+	  '    option="--counters"',
-	      '    option="--counters"',
+	  '',
-	      '',
+	  '    progress_message "Reusing existing ruleset..."',
-	      '    progress_message "Reusing existing ruleset..."',
+	  '',
-	      '',
+	  'else'
-	      'else'
+	);
-	    );
+
-	push_indent;
+    push_indent;
    }
    save_progress_message "Preparing $utility input...";
@ -8308,6 +8305,14 @@ sub create_netfilter_load( $ ) {
 		push @chains, $chainref;
 	    }
 	}
 	#
 	# SHA1SUM chains for handling 'restart -s'
 	#
 	if ( $table eq 'filter' ) {
 	    emit_unindented ':$shasum1 - [0:0]';
 	    emit_unindented ':$shasum2 - [0:0]';
 	}
 	#
 	# Then emit the rules
 	#
@ -8323,18 +8328,14 @@ sub create_netfilter_load( $ ) {
    enter_cmd_mode;
-    pop_indent, emit "fi\n" if $config{SAVE_COUNTERS};
+    pop_indent, emit "fi\n";
    #
    # Now generate the actual ip[6]tables-restore command
    #
    emit(  'exec 3>&-',
 	   '' );
-    if ( $config{SAVE_COUNTERS} ) {
+    emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command="$' . $UTILITY . ' $option"' );
 	emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command="$' . $UTILITY . ' $option"' );
    } else {
 	emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
    }
    emit( '',
 	  'progress_message2 "Running $command..."',
@ -8345,14 +8346,6 @@ sub create_netfilter_load( $ ) {
 	  "fi\n"
 	);
    if ( $config{SAVE_COUNTERS} ) {
 	emit( 'if [ -z "$options" ]; then',
 	      '    $g_tool -N $g_sha1sum1',
 	      '    $g_tool -N $g_sha1sum2',
 	      'fi'
 	    );
    }
    pop_indent;
    emit "}\n";
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@ -352,7 +352,8 @@ sub generate_script_3($) {
    emit "#\n# Start/Restart the Firewall\n#";
-    emit 'define_firewall() {';
+    emit( 'define_firewall() {',
 	  '    local options' );
    push_indent;
@ -470,10 +471,12 @@ sub generate_script_3($) {
    emit( '',
 	  'if [ $COMMAND = restore ]; then',
 	  '    iptables_save_file=${VARDIR}/$(basename $0)-iptables',
-	  '    if [ -f $iptables_save_file ]; then' );
+	  '    if [ -f $iptables_save_file ]; then',
 	  '        [ -n "$g_counters" ] && options=--counters'
 	);
    if ( $family == F_IPV4 ) {
-	emit( '        cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux' );
+	emit( '        cat $iptables_save_file | $IPTABLES_RESTORE $options # Use this nonsensical form to appease SELinux' );
 	emit( '',
 	      '        arptables_save_file=${VARDIR}/$(basename $0)-arptables',
@ -483,7 +486,7 @@ sub generate_script_3($) {
 	    if $config{SAVE_ARPTABLES};
    } else {
-	emit '        cat $iptables_save_file | $IP6TABLES_RESTORE # Use this nonsensical form to appease SELinux'
+	emit '        cat $iptables_save_file | $IP6TABLES_RESTORE $options # Use this nonsensical form to appease SELinux'
    }
    emit( '    else',
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -851,7 +851,6 @@ sub initialize( $;$$) {
 	  REJECT_ACTION => undef,
 	  INLINE_MATCHES => undef,
 	  BASIC_FILTERS => undef,
 	  SAVE_COUNTERS => undef,
 	  #
 	  # Packet Disposition
 	  #
@ -1779,19 +1778,17 @@ sub finalize_script( $ ) {
    $script = 0;
    if ( $file ne '-' ) {
-	if ( $config{SAVE_COUNTERS} ) {
+	my $sha1sum  = generate_sha1;
-	    my $sha1sum  = generate_sha1;
+	my $sha1sum1 = substr( $sha1sum, 0, 20 );
-	    my $sha1sum1 = substr( $sha1sum, 0, 20 );
+	my $sha1sum2 = substr( $sha1sum, -20 );
 	    my $sha1sum2 = substr( $sha1sum, -20 );
-	    @ARGV = ( $tempfile );
+	@ARGV = ( $tempfile );
-	    $^I = '';
+	$^I = '';
-	    while ( <> ) {
+	while ( <> ) {
-		s/g_sha1sum1=/g_sha1sum1=$sha1sum1/;
+	    s/g_sha1sum1=/g_sha1sum1=$sha1sum1/;
-		s/g_sha1sum2=/g_sha1sum2=$sha1sum2/;
+	    s/g_sha1sum2=/g_sha1sum2=$sha1sum2/;
-		print;
+	    print;
 	    }
 	}
 	rename $tempfile, $file or fatal_error "Cannot Rename $tempfile to $file: $!";
@ -5686,7 +5683,6 @@ sub get_configuration( $$$$$ ) {
    default_yes_no 'TRACK_RULES'                , '';
    default_yes_no 'INLINE_MATCHES'             , '';
    default_yes_no 'BASIC_FILTERS'              , '';
    default_yes_no 'SAVE_COUNTERS'              , '';
    require_capability( 'BASIC_EMATCH', 'BASIC_FILTERS=Yes', 's' ) if $config{BASIC_FILTERS};
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@ -29,6 +29,7 @@ usage() {
    echo "   -n               Don't update routing configuration"
    echo "   -p               Purge Conntrack Table"
    echo "   -t               Timestamp progress Messages"
    echo "   -c               Save/restore iptables counters"
    echo "   -V <verbosity>   Set verbosity explicitly"
    echo "   -R <file>        Override RESTOREFILE setting"
    exit $1
@ -93,6 +94,10 @@ g_recovering=$RECOVERING
 #
 g_sha1sum1=
 g_sha1sum2=
 #
 # Other Globals
 #
 g_counters=
 initialize
@ -144,6 +149,10 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 			g_recovering=Yes
 			option=${option#r}
 			;;
 		    c*)
 			g_counters=Yes
 			option=${option#c}
 			;;
 		    V*)
 			option=${option#V}
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@ -214,8 +214,6 @@ ROUTE_FILTER=No
 SAVE_ARPTABLES=No
 SAVE_COUNTERS=No
 SAVE_IPSETS=No
 TC_ENABLED=Internal
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@ -225,8 +225,6 @@ ROUTE_FILTER=No
 SAVE_ARPTABLES=No
 SAVE_COUNTERS=No
 SAVE_IPSETS=No
 TC_ENABLED=Internal
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@ -222,8 +222,6 @@ ROUTE_FILTER=No
 SAVE_ARPTABLES=No
 SAVE_COUNTERS=No
 SAVE_IPSETS=No
 TC_ENABLED=Internal
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@ -225,8 +225,6 @@ ROUTE_FILTER=No
 SAVE_ARPTABLES=No
 SAVE_COUNTERS=No
 SAVE_IPSETS=No
 TC_ENABLED=Internal
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@ -214,8 +214,6 @@ ROUTE_FILTER=No
 SAVE_ARPTABLES=No
 SAVE_COUNTERS=No
 SAVE_IPSETS=No
 TC_ENABLED=Internal
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@ -534,6 +534,10 @@ start_command() {
 			    g_inline=Yes
 			    option=${option#i}
 			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
 			    ;;
 			*)
 			    usage 1
 			    ;;
@ -943,6 +947,10 @@ restart_command() {
 			    g_inline=Yes
 			    option=${option#i}
 			    ;;
 			C*)
 			    g_counters=Yes
 			    option=${option#C}
 			    ;;
 			*)
 			    usage 1
 			    ;;
@ -1673,12 +1681,12 @@ usage() # $1 = exit status
    echo "   reject <address> ..."
    echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
    echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
+    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
-    echo "   restore [ -n ] [ -p ] [ <file name> ]"
+    echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
    echo "   run <command> [ <parameter> ... ]"
    echo "   safe-restart [ -t <timeout> ] [ <directory> ]"
    echo "   safe-start [ -t <timeout> ] [ <directory> ]"
-    echo "   save [ <file name> ]"
+    echo "   save [ -C ] [ <file name> ]"
    echo "   [ show | list | ls ] [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
    echo "   [ show | list | ls ] actions"
    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
@ -1705,7 +1713,7 @@ usage() # $1 = exit status
    echo "   [ show | list | ls ] tc [ device ]"
    echo "   [ show | list | ls ] vardir"
    echo "   [ show | list | ls ] zones"
-    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
+    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
    echo "   status [ -i ]"
    echo "   stop"
    echo "   try <directory> [ <timeout> ]"
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@ -2454,20 +2454,6 @@ INLINE          -       -       -       ; -j REJECT
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">SAVE_COUNTERS=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
        <listitem>
          <para>Added in Shorewall 4.6.5.</para>
          <para>When set to Yes, this option causes the <emphasis
          role="bold">save</emphasis> and <emphasis
          role="bold">restore</emphasis> commands to respectively save and
          restore chain counters.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">SAVE_ARPTABLES=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@ -441,6 +441,8 @@
      <arg><option>-i</option></arg>
      <arg><option>-C</option></arg>
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
@ -453,7 +455,7 @@
      <arg>-<replaceable>options</replaceable></arg>
      <arg
-      choice="plain"><option>restore</option><arg><option>-n</option></arg><arg><option>-p</option></arg></arg>
+      choice="plain"><option>restore</option><arg><option>-n</option></arg><arg><option>-p</option></arg><arg><option>-C</option></arg></arg>
      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
@ -518,7 +520,8 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="plain"><option>save</option></arg>
+      <arg
      choice="plain"><option>save</option><arg><option>-C</option></arg></arg>
      <arg choice="opt"><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
@ -672,6 +675,8 @@
      <arg><option>-T</option><arg><option>-i</option></arg></arg>
      <arg><option>-C</option></arg>
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
@ -1406,6 +1411,14 @@
          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
          <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5
          and is only meaningful when AUTOMAKE=Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). If an
          existing firewall script is used and if that script was the one that
          generated the current running configuration, then the running
          netfilter configuration will be reloaded as is so as to preserve the
          iptables packet and byte counters.</para>
        </listitem>
      </varlistentry>
@ -1429,6 +1442,11 @@
          causes the connection tracking table to be flushed; the
          <command>conntrack</command> utility must be installed to use this
          option.</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
          If the <option>-C</option> option was specified during <emphasis
          role="bold">shorewall save</emphasis>, then the counters saved by
          that operation will be restored.</para>
        </listitem>
      </varlistentry>
@ -1517,6 +1535,10 @@
          <emphasis>filename</emphasis> is not given then the state is saved
          in the file specified by the RESTOREFILE option in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
          <para>The <option>-C</option> option, added in Shorewall 4.6.5,
          causes the iptables packet and byte counters to be saved along with
          the chains and rules.</para>
        </listitem>
      </varlistentry>
@ -1821,6 +1843,13 @@
          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
          <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5
          and is only meaningful when the <option>-f</option> option is also
          specified. If the previously-saved configuration is restored, and if
          the <option>-C</option> option was also specified in the <emphasis
          role="bold">save</emphasis> command, then the packet and byte
          counters will be restored.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall6-lite/manpages/shorewall6-lite.xml
+++ b/Shorewall6-lite/manpages/shorewall6-lite.xml
@ -301,6 +301,8 @@
      <arg><option>-p</option></arg>
      <arg><option>-C</option></arg>
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
@ -314,6 +316,8 @@
      <arg choice="plain"><option>restore</option></arg>
      <arg><option>-C</option></arg>
      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
@ -342,6 +346,8 @@
      <arg choice="plain"><option>save</option></arg>
      <arg><option>-C</option></arg>
      <arg choice="opt"><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
@ -476,6 +482,8 @@
      <arg><option>-p</option></arg>
      <arg><option>-f</option></arg>
      <arg><option>-C</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@ -819,6 +827,12 @@
          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
          If the specified (or implicit) firewall script is the one that
          generated the current running configuration, then the running
          netfilter configuration will be reloaded as is so as to preserve the
          iptables packet and byte counters.</para>
        </listitem>
      </varlistentry>
@ -834,6 +848,11 @@
          <emphasis>filename</emphasis> is given then shorewall6-lite will be
          restored from the file specified by the RESTOREFILE option in <ulink
          url="shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
          If the <option>-C</option> option was specified during <emphasis
          role="bold">shorewall save</emphasis>, then the counters saved by
          that operation will be restored.</para>
        </listitem>
      </varlistentry>
@ -865,6 +884,10 @@
          <emphasis>filename</emphasis> is not given then the state is saved
          in the file specified by the RESTOREFILE option in <ulink
          url="shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
          <para>The <option>-C</option> option, added in Shorewall 4.6.5,
          causes the ip6tables packet and byte counters to be saved along with
          the chains and rules.</para>
        </listitem>
      </varlistentry>
@ -1111,6 +1134,13 @@
          url="shorewall.conf.html">shorewall.conf</ulink>(5) exists, is
          executable and is not older than the current filewall script, then
          that saved configuration is restored.</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5
          and is only meaningful when the <option>-f</option> option is also
          specified. If the previously-saved configuration is restored, and if
          the <option>-C</option> option was also specified in the <emphasis
          role="bold">save</emphasis> command, then the packet and byte
          counters will be restored.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@ -189,8 +189,6 @@ REQUIRE_INTERFACE=Yes
 RESTORE_ROUTEMARKS=Yes
 SAVE_COUNTERS=No
 SAVE_IPSETS=No
 TC_ENABLED=No
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@ -189,8 +189,6 @@ REQUIRE_INTERFACE=No
 RESTORE_ROUTEMARKS=Yes
 SAVE_COUNTERS=No
 SAVE_IPSETS=No
 TC_ENABLED=No
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@ -189,8 +189,6 @@ REQUIRE_INTERFACE=No
 RESTORE_ROUTEMARKS=Yes
 SAVE_COUNTERS=No
 SAVE_IPSETS=No
 TC_ENABLED=No
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@ -189,8 +189,6 @@ REQUIRE_INTERFACE=No
 RESTORE_ROUTEMARKS=Yes
 SAVE_COUNTERS=No
 SAVE_IPSETS=No
 TC_ENABLED=No
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@ -189,8 +189,6 @@ REQUIRE_INTERFACE=No
 RESTORE_ROUTEMARKS=Yes
 SAVE_COUNTERS=No
 SAVE_IPSETS=No
 TC_ENABLED=No
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@ -2122,20 +2122,6 @@ INLINE          -       -       -       ; -j REJECT
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">SAVE_COUNTERS=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
        <listitem>
          <para>Added in Shorewall 4.6.5.</para>
          <para>When set to Yes, this option causes the <emphasis
          role="bold">save</emphasis> and <emphasis
          role="bold">restore</emphasis> commands to respectively save and
          restore chain counters.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">SAVE_IPSETS=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis
--- a/Shorewall6/manpages/shorewall6.xml
+++ b/Shorewall6/manpages/shorewall6.xml
@ -400,7 +400,7 @@
      <arg><option>-T</option></arg>
-      <arg><option>-i</option></arg>
+      <arg><option>-i</option><arg><option>-C</option></arg></arg>
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
@ -413,7 +413,8 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="plain"><option>restore</option></arg>
+      <arg
      choice="plain"><option>restore</option><arg><option>-C</option></arg></arg>
      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
@ -474,7 +475,8 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="plain"><option>save</option></arg>
+      <arg
      choice="plain"><option>save</option><arg><option>-C</option></arg></arg>
      <arg choice="opt"><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
@ -599,7 +601,7 @@
      <arg><option>-T</option></arg>
-      <arg><option>-i</option></arg>
+      <arg><option>-i</option><arg><option>-C</option></arg></arg>
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
@ -1298,6 +1300,14 @@
          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
          <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5
          and is only meaningful when AUTOMAKE=Yes in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). If
          an existing firewall script is used and if that script was the one
          that generated the current running configuration, then the running
          netfilter configuration will be reloaded as is so as to preserve the
          iptables packet and byte counters.</para>
        </listitem>
      </varlistentry>
@ -1313,6 +1323,11 @@
          <emphasis>filename</emphasis> is given then Shorewall6 will be
          restored from the file specified by the RESTOREFILE option in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
          If the <option>-C</option> option was specified during <emphasis
          role="bold">shorewall6 save</emphasis>, then the counters saved by
          that operation will be restored.</para>
        </listitem>
      </varlistentry>
@ -1402,6 +1417,10 @@
          <emphasis>filename</emphasis> is not given then the state is saved
          in the file specified by the RESTOREFILE option in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
          <para>The <option>-C</option> option, added in Shorewall 4.6.5,
          causes the ip6tables packet and byte counters to be saved along with
          the chains and rules.</para>
        </listitem>
      </varlistentry>
@ -1667,6 +1686,13 @@
          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
          <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
          <para>The <option>-C</option> option was added in Shorewall 4.6.5
          and is only meaningful when the <option>-f</option> option is also
          specified. If the previously-saved configuration is restored, and if
          the <option>-C</option> option was also specified in the <emphasis
          role="bold">save</emphasis> command, then the packet and byte
          counters will be restored along with the chains and rules.</para>
        </listitem>
      </varlistentry>