Replace SAVE_COUNTERS with the -C command option

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2014-11-01 09:37:57 -07:00
parent 4546cbaff7
commit 8fb73026c8
23 changed files with 237 additions and 118 deletions


@ -493,7 +493,7 @@ save_config() {
[ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2
[ -n "$SAVE_COUNTERS" ] && iptables_save="$iptables_save --counters"
[ -n "$g_counters" iptables_save="$iptables_save --counters"
if product_is_started ; then
[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
@ -1631,6 +1631,10 @@ restore_command() {
g_purge=Yes
option=${option%p}
;;
C*)
g_counters=Yes
option=${option#C}
;;
*)
usage 1
;;
@ -3115,6 +3119,38 @@ reject_command() {
}
save_command() {
local finished
finished=0
while [ $finished -eq 0 -a $# -gt 0 ]; do
option=$1
case $option in
-*)
option=${option#-}
while [ -n "$option" ]; do
case $option in
-)
finished=1
option=
;;
C*)
g_counters=Yes
option=${option#C}
;;
*)
usage 1
;;
esac
done
shift
;;
*)
finished=1
;;
esac
done
case $# in
1)
;;
@ -3458,6 +3494,10 @@ start_command() {
g_fast=Yes
option=${option#f}
;;
C*)
g_counters=Yes
option=${option#C}
;;
p*)
[ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
g_purge=Yes
@ -3519,6 +3559,10 @@ restart_command() {
g_purge=Yes
option=${option%p}
;;
C*)
g_counters=Yes
option=${option#C}
;;
*)
usage 1
;;
@ -3592,10 +3636,10 @@ usage() # $1 = exit status
echo " logwatch [<refresh interval>]"
echo " reject <address> ..."
echo " reset [ <chain> ... ]"
echo " restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
echo " restore [ -n ] [ -p ] [ <file name> ]"
echo " restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
echo " restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
echo " run <command> [ <parameter> ... ]"
echo " save [ <file name> ]"
echo " save [ -C ] [ <file name> ]"
echo " [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
echo " [ show | list | ls ] [ -f ] capabilities"
echo " [ show | list | ls ] arptables"
@ -3620,7 +3664,7 @@ usage() # $1 = exit status
echo " [ show | list | ls ] tc [ device ]"
echo " [ show | list | ls ] vardir"
echo " [ show | list | ls ] zones"
echo " start [ -f ] [ -p ] [ <directory> ]"
echo " start [ -f ] [ -p ] [ -C ] [ <directory> ]"
echo " stop"
echo " status [ -i ]"
echo " version [ -a ]"
@ -3672,6 +3716,7 @@ shorewall_cli() {
g_directives=
g_inline=
g_tcrules=
g_counters=
VERBOSE=
VERBOSITY=1
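Review bot: In the save_config hunk, the replacement test `[ -n "$g_counters" iptables_save="$iptables_save --counters"` is missing its closing `]` and the `&&` (taking the `g_counters` line as the new side, since the page shows no +/- markers). As written, `[` receives the assignment text as an extra argument and fails, so `--counters` is never appended and `save -C` would write the ruleset without counters. It should mirror the line it replaces: `[ -n "$g_counters" ] && iptables_save="$iptables_save --counters"`. save_config continues outside the hunk.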


@ -157,6 +157,7 @@ run_it() {
[ -n "$g_timestamp" ] && options=${options}t
[ -n "$g_purge" ] && options=${options}p
[ -n "$g_recovering" ] && options=${options}r
[ -n "$g_counters" ] && options=${options}c
options="${options}V $VERBOSITY"


@ -299,7 +299,7 @@
<arg><option>-n</option></arg>
<arg><option>-p</option></arg>
<arg><option>-p</option><arg><option>-C</option></arg></arg>
<arg><replaceable>directory</replaceable></arg>
</cmdsynopsis>
@ -314,6 +314,8 @@
<arg choice="plain"><option>restore</option></arg>
<arg><option>-C</option></arg>
<arg><replaceable>filename</replaceable></arg>
</cmdsynopsis>
@ -340,7 +342,8 @@
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>save</option></arg>
<arg
choice="plain"><option>save</option><arg><option>-C</option></arg></arg>
<arg choice="opt"><replaceable>filename</replaceable></arg>
</cmdsynopsis>
@ -476,6 +479,8 @@
<arg><option>-p</option></arg>
<arg><option>-f</option></arg>
<arg><option>-C</option></arg>
</cmdsynopsis>
<cmdsynopsis>
@ -821,6 +826,12 @@
<para>The <option>-p</option> option causes the connection tracking
table to be flushed; the <command>conntrack</command> utility must
be installed to use this option.</para>
<para>The <option>-C</option> option was added in Shorewall 4.6.5.
If the specified (or implicit) firewall script is the one that
generated the current running configuration, then the running
netfilter configuration will be reloaded as is so as to preserve the
iptables packet and byte counters.</para>
</listitem>
</varlistentry>
@ -836,6 +847,11 @@
<emphasis>filename</emphasis> is given then Shorewall-lite will be
restored from the file specified by the RESTOREFILE option in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<para>The <option>-C</option> option was added in Shorewall 4.6.5.
If the <option>-C</option> option was specified during <emphasis
role="bold">shorewall save</emphasis>, then the counters saved by
that operation will be restored.</para>
</listitem>
</varlistentry>
@ -867,6 +883,10 @@
<emphasis>filename</emphasis> is not given then the state is saved
in the file specified by the RESTOREFILE option in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<para>The <option>-C</option> option, added in Shorewall 4.6.5,
causes the iptables packet and byte counters to be saved along with
the chains and rules.</para>
</listitem>
</varlistentry>
@ -1113,6 +1133,13 @@
url="shorewall.conf.html">shorewall.conf</ulink>(5) exists, is
executable and is not older than the current filewall script, then
that saved configuration is restored.</para>
<para>The <option>-C</option> option was added in Shorewall 4.6.5
and is only meaningful when the <option>-f</option> option is also
specified. If the previously-saved configuration is restored, and if
the <option>-C</option> option was also specified in the <emphasis
role="bold">save</emphasis> command, then the packet and byte
counters will be restored.</para>
</listitem>
</varlistentry>


@ -7908,17 +7908,15 @@ sub emitr1( $$ ) {
sub save_dynamic_chains() {
my $tool = $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}';
my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = refresh ]; then' );
push_indent;
if ( $config{SAVE_COUNTERS} ) {
my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
emit( 'if [ "$COMMAND" = restart ]; then',
emit( 'if [ -n "$g_counters" ]; then' ,
" ${tool}-save --counters > \${VARDIR}/.${utility}-input",
"fi\n" );
}
"fi\n"
);
if ( have_capability 'IPTABLES_S' ) {
emit <<"EOF";
@ -8245,26 +8243,25 @@ sub create_netfilter_load( $ ) {
'# Create the input to iptables-restore/ip6tables-restore and pass that input to the utility',
'#',
'setup_netfilter()',
'{' );
emit( ' local option' ) if $config{SAVE_COUNTERS};
'{'.
' local option',
);
push_indent;
my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';
if ( $config{SAVE_COUNTERS} ) {
emit( '',
'if [ "$COMMAND" = restart ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
'if [ "$COMMAND" = restart -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
' option="--counters"',
'',
' progress_message "Reusing existing ruleset..."',
'',
'else'
);
push_indent;
}
save_progress_message "Preparing $utility input...";
@ -8308,6 +8305,14 @@ sub create_netfilter_load( $ ) {
push @chains, $chainref;
}
}
#
# SHA1SUM chains for handling 'restart -s'
#
if ( $table eq 'filter' ) {
emit_unindented ':$shasum1 - [0:0]';
emit_unindented ':$shasum2 - [0:0]';
}
#
# Then emit the rules
#
@ -8323,18 +8328,14 @@ sub create_netfilter_load( $ ) {
enter_cmd_mode;
pop_indent, emit "fi\n" if $config{SAVE_COUNTERS};
pop_indent, emit "fi\n";
#
# Now generate the actual ip[6]tables-restore command
#
emit( 'exec 3>&-',
'' );
if ( $config{SAVE_COUNTERS} ) {
emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command="$' . $UTILITY . ' $option"' );
} else {
emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
}
emit( '',
'progress_message2 "Running $command..."',
@ -8345,14 +8346,6 @@ sub create_netfilter_load( $ ) {
"fi\n"
);
if ( $config{SAVE_COUNTERS} ) {
emit( 'if [ -z "$options" ]; then',
' $g_tool -N $g_sha1sum1',
' $g_tool -N $g_sha1sum2',
'fi'
);
}
pop_indent;
emit "}\n";
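Review bot: The marker-chain declarations added for the filter table in create_netfilter_load, `emit_unindented ':$shasum1 - [0:0]'` and `emit_unindented ':$shasum2 - [0:0]'`, name shell variables that appear nowhere else on this page; the reuse test in the same function and the runtime globals use `$g_sha1sum1` and `$g_sha1sum2`. The strings are single-quoted, so the literal `$shasum1` reaches the generated script, where it presumably expands to nothing. The marker chains would then not be created under the expected names, and `chain_exists $g_sha1sum1` could never confirm that the running ruleset came from this script. Suggest `emit_unindented ':$g_sha1sum1 - [0:0]';` and `emit_unindented ':$g_sha1sum2 - [0:0]';`, with the comment above them saying `restart -C` rather than `restart -s`. Separately, `'{'.` joins the brace to `local option` by concatenation where the neighbouring emit arguments are comma-separated; `'{',` looks intended.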


@ -352,7 +352,8 @@ sub generate_script_3($) {
emit "#\n# Start/Restart the Firewall\n#";
emit 'define_firewall() {';
emit( 'define_firewall() {',
' local options' );
push_indent;
@ -470,10 +471,12 @@ sub generate_script_3($) {
emit( '',
'if [ $COMMAND = restore ]; then',
' iptables_save_file=${VARDIR}/$(basename $0)-iptables',
' if [ -f $iptables_save_file ]; then' );
' if [ -f $iptables_save_file ]; then',
' [ -n "$g_counters" ] && options=--counters'
);
if ( $family == F_IPV4 ) {
emit( ' cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux' );
emit( ' cat $iptables_save_file | $IPTABLES_RESTORE $options # Use this nonsensical form to appease SELinux' );
emit( '',
' arptables_save_file=${VARDIR}/$(basename $0)-arptables',
@ -483,7 +486,7 @@ sub generate_script_3($) {
if $config{SAVE_ARPTABLES};
} else {
emit ' cat $iptables_save_file | $IP6TABLES_RESTORE # Use this nonsensical form to appease SELinux'
emit ' cat $iptables_save_file | $IP6TABLES_RESTORE $options # Use this nonsensical form to appease SELinux'
}
emit( ' else',
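Review bot: `local options` in the generated define_firewall() is declared without a value, and the restore branch then expands `$options` unquoted on the `$IPTABLES_RESTORE` and `$IP6TABLES_RESTORE` command lines. In shells where `local` inherits the value of a same-named outer variable (dash does this), anything already held in a global `options` would be passed to the restore utility when -C was not given. Whether such a global exists in the generated script is not visible here. Emitting `' local options='` instead makes the empty default explicit and independent of the shell. generate_script_3 starts and ends outside these hunks.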


@ -851,7 +851,6 @@ sub initialize( $;$$) {
REJECT_ACTION => undef,
INLINE_MATCHES => undef,
BASIC_FILTERS => undef,
SAVE_COUNTERS => undef,
#
# Packet Disposition
#
@ -1779,7 +1778,6 @@ sub finalize_script( $ ) {
$script = 0;
if ( $file ne '-' ) {
if ( $config{SAVE_COUNTERS} ) {
my $sha1sum = generate_sha1;
my $sha1sum1 = substr( $sha1sum, 0, 20 );
my $sha1sum2 = substr( $sha1sum, -20 );
@ -1792,7 +1790,6 @@ sub finalize_script( $ ) {
s/g_sha1sum2=/g_sha1sum2=$sha1sum2/;
print;
}
}
rename $tempfile, $file or fatal_error "Cannot Rename $tempfile to $file: $!";
chmod 0700, $file or fatal_error "Cannot secure $file for execute access";
@ -5686,7 +5683,6 @@ sub get_configuration( $$$$$ ) {
default_yes_no 'TRACK_RULES' , '';
default_yes_no 'INLINE_MATCHES' , '';
default_yes_no 'BASIC_FILTERS' , '';
default_yes_no 'SAVE_COUNTERS' , '';
require_capability( 'BASIC_EMATCH', 'BASIC_FILTERS=Yes', 's' ) if $config{BASIC_FILTERS};


@ -29,6 +29,7 @@ usage() {
echo " -n Don't update routing configuration"
echo " -p Purge Conntrack Table"
echo " -t Timestamp progress Messages"
echo " -c Save/restore iptables counters"
echo " -V <verbosity> Set verbosity explicitly"
echo " -R <file> Override RESTOREFILE setting"
exit $1
@ -93,6 +94,10 @@ g_recovering=$RECOVERING
#
g_sha1sum1=
g_sha1sum2=
#
# Other Globals
#
g_counters=
initialize
@ -144,6 +149,10 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
g_recovering=Yes
option=${option#r}
;;
c*)
g_counters=Yes
option=${option#c}
;;
V*)
option=${option#V}


@ -214,8 +214,6 @@ ROUTE_FILTER=No
SAVE_ARPTABLES=No
SAVE_COUNTERS=No
SAVE_IPSETS=No
TC_ENABLED=Internal


@ -225,8 +225,6 @@ ROUTE_FILTER=No
SAVE_ARPTABLES=No
SAVE_COUNTERS=No
SAVE_IPSETS=No
TC_ENABLED=Internal


@ -222,8 +222,6 @@ ROUTE_FILTER=No
SAVE_ARPTABLES=No
SAVE_COUNTERS=No
SAVE_IPSETS=No
TC_ENABLED=Internal


@ -225,8 +225,6 @@ ROUTE_FILTER=No
SAVE_ARPTABLES=No
SAVE_COUNTERS=No
SAVE_IPSETS=No
TC_ENABLED=Internal


@ -214,8 +214,6 @@ ROUTE_FILTER=No
SAVE_ARPTABLES=No
SAVE_COUNTERS=No
SAVE_IPSETS=No
TC_ENABLED=Internal


@ -534,6 +534,10 @@ start_command() {
g_inline=Yes
option=${option#i}
;;
C*)
g_counters=Yes
option=${option#C}
;;
*)
usage 1
;;
@ -943,6 +947,10 @@ restart_command() {
g_inline=Yes
option=${option#i}
;;
C*)
g_counters=Yes
option=${option#C}
;;
*)
usage 1
;;
@ -1673,12 +1681,12 @@ usage() # $1 = exit status
echo " reject <address> ..."
echo " reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
echo " reset [ <chain> ... ]"
echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
echo " restore [ -n ] [ -p ] [ <file name> ]"
echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
echo " restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
echo " run <command> [ <parameter> ... ]"
echo " safe-restart [ -t <timeout> ] [ <directory> ]"
echo " safe-start [ -t <timeout> ] [ <directory> ]"
echo " save [ <file name> ]"
echo " save [ -C ] [ <file name> ]"
echo " [ show | list | ls ] [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
echo " [ show | list | ls ] actions"
echo " [ show | list | ls ] [ -x ] {bl|blacklists}"
@ -1705,7 +1713,7 @@ usage() # $1 = exit status
echo " [ show | list | ls ] tc [ device ]"
echo " [ show | list | ls ] vardir"
echo " [ show | list | ls ] zones"
echo " start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ <directory> ]"
echo " start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
echo " status [ -i ]"
echo " stop"
echo " try <directory> [ <timeout> ]"


@ -2454,20 +2454,6 @@ INLINE - - - ; -j REJECT
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SAVE_COUNTERS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Added in Shorewall 4.6.5.</para>
<para>When set to Yes, this option causes the <emphasis
role="bold">save</emphasis> and <emphasis
role="bold">restore</emphasis> commands to respectively save and
restore chain counters.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SAVE_ARPTABLES=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>


@ -441,6 +441,8 @@
<arg><option>-i</option></arg>
<arg><option>-C</option></arg>
<arg><replaceable>directory</replaceable></arg>
</cmdsynopsis>
@ -453,7 +455,7 @@
<arg>-<replaceable>options</replaceable></arg>
<arg
choice="plain"><option>restore</option><arg><option>-n</option></arg><arg><option>-p</option></arg></arg>
choice="plain"><option>restore</option><arg><option>-n</option></arg><arg><option>-p</option></arg><arg><option>-C</option></arg></arg>
<arg><replaceable>filename</replaceable></arg>
</cmdsynopsis>
@ -518,7 +520,8 @@
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>save</option></arg>
<arg
choice="plain"><option>save</option><arg><option>-C</option></arg></arg>
<arg choice="opt"><replaceable>filename</replaceable></arg>
</cmdsynopsis>
@ -672,6 +675,8 @@
<arg><option>-T</option><arg><option>-i</option></arg></arg>
<arg><option>-C</option></arg>
<arg><replaceable>directory</replaceable></arg>
</cmdsynopsis>
@ -1406,6 +1411,14 @@
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<para>The <option>-C</option> option was added in Shorewall 4.6.5
and is only meaningful when AUTOMAKE=Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). If an
existing firewall script is used and if that script was the one that
generated the current running configuration, then the running
netfilter configuration will be reloaded as is so as to preserve the
iptables packet and byte counters.</para>
</listitem>
</varlistentry>
@ -1429,6 +1442,11 @@
causes the connection tracking table to be flushed; the
<command>conntrack</command> utility must be installed to use this
option.</para>
<para>The <option>-C</option> option was added in Shorewall 4.6.5.
If the <option>-C</option> option was specified during <emphasis
role="bold">shorewall save</emphasis>, then the counters saved by
that operation will be restored.</para>
</listitem>
</varlistentry>
@ -1517,6 +1535,10 @@
<emphasis>filename</emphasis> is not given then the state is saved
in the file specified by the RESTOREFILE option in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<para>The <option>-C</option> option, added in Shorewall 4.6.5,
causes the iptables packet and byte counters to be saved along with
the chains and rules.</para>
</listitem>
</varlistentry>
@ -1821,6 +1843,13 @@
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink
url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
<para>The <option>-C</option> option was added in Shorewall 4.6.5
and is only meaningful when the <option>-f</option> option is also
specified. If the previously-saved configuration is restored, and if
the <option>-C</option> option was also specified in the <emphasis
role="bold">save</emphasis> command, then the packet and byte
counters will be restored.</para>
</listitem>
</varlistentry>


@ -301,6 +301,8 @@
<arg><option>-p</option></arg>
<arg><option>-C</option></arg>
<arg><replaceable>directory</replaceable></arg>
</cmdsynopsis>
@ -314,6 +316,8 @@
<arg choice="plain"><option>restore</option></arg>
<arg><option>-C</option></arg>
<arg><replaceable>filename</replaceable></arg>
</cmdsynopsis>
@ -342,6 +346,8 @@
<arg choice="plain"><option>save</option></arg>
<arg><option>-C</option></arg>
<arg choice="opt"><replaceable>filename</replaceable></arg>
</cmdsynopsis>
@ -476,6 +482,8 @@
<arg><option>-p</option></arg>
<arg><option>-f</option></arg>
<arg><option>-C</option></arg>
</cmdsynopsis>
<cmdsynopsis>
@ -819,6 +827,12 @@
<para>The <option>-p</option> option causes the connection tracking
table to be flushed; the <command>conntrack</command> utility must
be installed to use this option.</para>
<para>The <option>-C</option> option was added in Shorewall 4.6.5.
If the specified (or implicit) firewall script is the one that
generated the current running configuration, then the running
netfilter configuration will be reloaded as is so as to preserve the
iptables packet and byte counters.</para>
</listitem>
</varlistentry>
@ -834,6 +848,11 @@
<emphasis>filename</emphasis> is given then shorewall6-lite will be
restored from the file specified by the RESTOREFILE option in <ulink
url="shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
<para>The <option>-C</option> option was added in Shorewall 4.6.5.
If the <option>-C</option> option was specified during <emphasis
role="bold">shorewall save</emphasis>, then the counters saved by
that operation will be restored.</para>
</listitem>
</varlistentry>
@ -865,6 +884,10 @@
<emphasis>filename</emphasis> is not given then the state is saved
in the file specified by the RESTOREFILE option in <ulink
url="shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
<para>The <option>-C</option> option, added in Shorewall 4.6.5,
causes the ip6tables packet and byte counters to be saved along with
the chains and rules.</para>
</listitem>
</varlistentry>
@ -1111,6 +1134,13 @@
url="shorewall.conf.html">shorewall.conf</ulink>(5) exists, is
executable and is not older than the current filewall script, then
that saved configuration is restored.</para>
<para>The <option>-C</option> option was added in Shorewall 4.6.5
and is only meaningful when the <option>-f</option> option is also
specified. If the previously-saved configuration is restored, and if
the <option>-C</option> option was also specified in the <emphasis
role="bold">save</emphasis> command, then the packet and byte
counters will be restored.</para>
</listitem>
</varlistentry>


@ -189,8 +189,6 @@ REQUIRE_INTERFACE=Yes
RESTORE_ROUTEMARKS=Yes
SAVE_COUNTERS=No
SAVE_IPSETS=No
TC_ENABLED=No


@ -189,8 +189,6 @@ REQUIRE_INTERFACE=No
RESTORE_ROUTEMARKS=Yes
SAVE_COUNTERS=No
SAVE_IPSETS=No
TC_ENABLED=No


@ -189,8 +189,6 @@ REQUIRE_INTERFACE=No
RESTORE_ROUTEMARKS=Yes
SAVE_COUNTERS=No
SAVE_IPSETS=No
TC_ENABLED=No


@ -189,8 +189,6 @@ REQUIRE_INTERFACE=No
RESTORE_ROUTEMARKS=Yes
SAVE_COUNTERS=No
SAVE_IPSETS=No
TC_ENABLED=No


@ -189,8 +189,6 @@ REQUIRE_INTERFACE=No
RESTORE_ROUTEMARKS=Yes
SAVE_COUNTERS=No
SAVE_IPSETS=No
TC_ENABLED=No


@ -2122,20 +2122,6 @@ INLINE - - - ; -j REJECT
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SAVE_COUNTERS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Added in Shorewall 4.6.5.</para>
<para>When set to Yes, this option causes the <emphasis
role="bold">save</emphasis> and <emphasis
role="bold">restore</emphasis> commands to respectively save and
restore chain counters.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">SAVE_IPSETS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis


@ -400,7 +400,7 @@
<arg><option>-T</option></arg>
<arg><option>-i</option></arg>
<arg><option>-i</option><arg><option>-C</option></arg></arg>
<arg><replaceable>directory</replaceable></arg>
</cmdsynopsis>
@ -413,7 +413,8 @@
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>restore</option></arg>
<arg
choice="plain"><option>restore</option><arg><option>-C</option></arg></arg>
<arg><replaceable>filename</replaceable></arg>
</cmdsynopsis>
@ -474,7 +475,8 @@
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>save</option></arg>
<arg
choice="plain"><option>save</option><arg><option>-C</option></arg></arg>
<arg choice="opt"><replaceable>filename</replaceable></arg>
</cmdsynopsis>
@ -599,7 +601,7 @@
<arg><option>-T</option></arg>
<arg><option>-i</option></arg>
<arg><option>-i</option><arg><option>-C</option></arg></arg>
<arg><replaceable>directory</replaceable></arg>
</cmdsynopsis>
@ -1298,6 +1300,14 @@
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<para>The <option>-C</option> option was added in Shorewall 4.6.5
and is only meaningful when AUTOMAKE=Yes in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). If
an existing firewall script is used and if that script was the one
that generated the current running configuration, then the running
netfilter configuration will be reloaded as is so as to preserve the
iptables packet and byte counters.</para>
</listitem>
</varlistentry>
@ -1313,6 +1323,11 @@
<emphasis>filename</emphasis> is given then Shorewall6 will be
restored from the file specified by the RESTOREFILE option in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<para>The <option>-C</option> option was added in Shorewall 4.6.5.
If the <option>-C</option> option was specified during <emphasis
role="bold">shorewall6 save</emphasis>, then the counters saved by
that operation will be restored.</para>
</listitem>
</varlistentry>
@ -1402,6 +1417,10 @@
<emphasis>filename</emphasis> is not given then the state is saved
in the file specified by the RESTOREFILE option in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<para>The <option>-C</option> option, added in Shorewall 4.6.5,
causes the ip6tables packet and byte counters to be saved along with
the chains and rules.</para>
</listitem>
</varlistentry>
@ -1667,6 +1686,13 @@
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<para>The <option>-C</option> option was added in Shorewall 4.6.5
and is only meaningful when the <option>-f</option> option is also
specified. If the previously-saved configuration is restored, and if
the <option>-C</option> option was also specified in the <emphasis
role="bold">save</emphasis> command, then the packet and byte
counters will be restored along with the chains and rules.</para>
</listitem>
</varlistentry>