From 74fdd97b14b855261992b0fd7d15a0f41e3fe99d Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Mon, 9 Apr 2012 16:47:56 -0700
Subject: [PATCH] Warn about not using sections in the accounting file

Signed-off-by: Tom Eastep <teastep@shorewall.net>
---
 Shorewall/manpages/shorewall-accounting.xml   | 11 +++++++++++
 Shorewall6/manpages/shorewall6-accounting.xml | 11 +++++++++++
 2 files changed, 22 insertions(+)

diff --git a/Shorewall/manpages/shorewall-accounting.xml b/Shorewall/manpages/shorewall-accounting.xml
index 38c1a26e4..db4c47563 100644
--- a/Shorewall/manpages/shorewall-accounting.xml
+++ b/Shorewall/manpages/shorewall-accounting.xml
@@ -57,6 +57,17 @@
     of them may be omitted). The first non-commentary record in the accounting
     file must be a section header when sectioning is used.</para>
 
+    <warning>
+      <para>If sections are not used, the Shorewall rules compiler cannot
+      detect certain violations of netfilter restrictions. These violations
+      can result in run-time errors such as the following:</para>
+
+      <blockquote>
+        <para><emphasis role="bold">iptables-restore v1.4.13: Can't use -o
+        with INPUT</emphasis></para>
+      </blockquote>
+    </warning>
+
     <para>Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was
     added to shorewall.conf and shorewall6.conf. That setting determines the
     Netfilter table (filter or mangle) where the accounting rules are added.
diff --git a/Shorewall6/manpages/shorewall6-accounting.xml b/Shorewall6/manpages/shorewall6-accounting.xml
index d8605053a..4285ec3ad 100644
--- a/Shorewall6/manpages/shorewall6-accounting.xml
+++ b/Shorewall6/manpages/shorewall6-accounting.xml
@@ -57,6 +57,17 @@
     of them may be omitted). The first non-commentary record in the accounting
     file must be a section header when sectioning is used.</para>
 
+    <warning>
+      <para>If sections are not used, the Shorewall rules compiler cannot
+      detect certain violations of netfilter restrictions. These violations
+      can result in run-time errors such as the following:</para>
+
+      <blockquote>
+        <para><emphasis role="bold">ip6tables-restore v1.4.13: Can't use -o
+        with INPUT</emphasis></para>
+      </blockquote>
+    </warning>
+
     <para>Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was
     added to shorewall.conf and shorewall6.conf. That setting determines the
     Netfilter table (filter or mangle) where the accounting rules are added.