From 8fb73026c8f603dfcc94ff74c7c3c762ead5f724 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 1 Nov 2014 09:37:57 -0700 Subject: [PATCH] Replace SAVE_COUNTERS with the -C command option Signed-off-by: Tom Eastep --- Shorewall-core/lib.cli | 55 ++++++++++++++-- Shorewall-core/lib.common | 1 + Shorewall-lite/manpages/shorewall-lite.xml | 31 ++++++++- Shorewall/Perl/Shorewall/Chains.pm | 65 +++++++++---------- Shorewall/Perl/Shorewall/Compiler.pm | 11 ++-- Shorewall/Perl/Shorewall/Config.pm | 22 +++---- Shorewall/Perl/prog.footer | 9 +++ Shorewall/Samples/Universal/shorewall.conf | 2 - .../Samples/one-interface/shorewall.conf | 2 - .../Samples/three-interfaces/shorewall.conf | 2 - .../Samples/two-interfaces/shorewall.conf | 2 - Shorewall/configfiles/shorewall.conf | 2 - Shorewall/lib.cli-std | 16 +++-- Shorewall/manpages/shorewall.conf.xml | 14 ---- Shorewall/manpages/shorewall.xml | 33 +++++++++- Shorewall6-lite/manpages/shorewall6-lite.xml | 30 +++++++++ Shorewall6/Samples6/Universal/shorewall6.conf | 2 - .../Samples6/one-interface/shorewall6.conf | 2 - .../Samples6/three-interfaces/shorewall6.conf | 2 - .../Samples6/two-interfaces/shorewall6.conf | 2 - Shorewall6/configfiles/shorewall6.conf | 2 - Shorewall6/manpages/shorewall6.conf.xml | 14 ---- Shorewall6/manpages/shorewall6.xml | 34 ++++++++-- 23 files changed, 237 insertions(+), 118 deletions(-) diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index 910e2e72f..9a56cff37 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -493,7 +493,7 @@ save_config() { [ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2 - [ -n "$SAVE_COUNTERS" ] && iptables_save="$iptables_save --counters" + [ -n "$g_counters" iptables_save="$iptables_save --counters" if product_is_started ; then [ -d ${VARDIR} ] || mkdir -p ${VARDIR} @@ -1631,6 +1631,10 @@ restore_command() { g_purge=Yes option=${option%p} ;; + C*) + g_counters=Yes + option=${option#C} + ;; *) usage 1 ;; 
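Review bot: The replacement line in save_config, `[ -n "$g_counters" iptables_save="$iptables_save --counters"`, drops both the closing `]` and the `&&`, so the test command receives the assignment as an extra argument and fails with a missing-`]` error while `--counters` is never appended to `$iptables_save`. The intended line is `[ -n "$g_counters" ] && iptables_save="$iptables_save --counters"`. Since the function keeps running after the failed test, `save -C` prints a shell error and then writes a dump without counters, which defeats the new option. save_config's body continues outside the hunk.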
@@ -3115,6 +3119,38 @@ reject_command() { } save_command() { + local finished + finished=0 + + while [ $finished -eq 0 -a $# -gt 0 ]; do + option=$1 + case $option in + -*) + option=${option#-} + + while [ -n "$option" ]; do + case $option in + -) + finished=1 + option= + ;; + C*) + g_counters=Yes + option=${option#C} + ;; + *) + usage 1 + ;; + esac + done + shift + ;; + *) + finished=1 + ;; + esac + done + case $# in 1) ;; @@ -3458,6 +3494,10 @@ start_command() { g_fast=Yes option=${option#f} ;; + C*) + g_counters=Yes + option=${option#C} + ;; p*) [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system" g_purge=Yes @@ -3519,6 +3559,10 @@ restart_command() { g_purge=Yes option=${option%p} ;; + C*) + g_counters=Yes + option=${option#C} + ;; *) usage 1 ;; @@ -3592,10 +3636,10 @@ usage() # $1 = exit status echo " logwatch []" echo " reject
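Review bot: The new option loop in save_command declares `local finished` but also assigns `option=$1`, which appears to leave `option` as a global; the sibling parsers touched by this patch (restore_command in the previous hunk) seem to do the same, so this is consistent with the file, but `local finished option` would keep the new loop self-contained. The `-)` case handles a literal `--` terminator only after the leading `-` has been stripped, which matches the other parsers. The rest of save_command continues outside the hunk.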
..." echo " reset [ ... ]" - echo " restart [ -n ] [ -p ] [ -f ] [ ]" - echo " restore [ -n ] [ -p ] [ ]" + echo " restart [ -n ] [ -p ] [ -f ] [ -C ] [ ]" + echo " restore [ -n ] [ -p ] [ -C ] [ ]" echo " run [ ... ]" - echo " save [ ]" + echo " save [ -C ] [ ]" echo " [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [ [ ... ]" echo " [ show | list | ls ] [ -f ] capabilities" echo " [ show | list | ls ] arptables" @@ -3620,7 +3664,7 @@ usage() # $1 = exit status echo " [ show | list | ls ] tc [ device ]" echo " [ show | list | ls ] vardir" echo " [ show | list | ls ] zones" - echo " start [ -f ] [ -p ] [ ]" + echo " start [ -f ] [ -p ] [ -C ] [ ]" echo " stop" echo " status [ -i ]" echo " version [ -a ]" @@ -3672,6 +3716,7 @@ shorewall_cli() { g_directives= g_inline= g_tcrules= + g_counters= VERBOSE= VERBOSITY=1 diff --git a/Shorewall-core/lib.common b/Shorewall-core/lib.common index 75be7261d..39c8a135d 100644 --- a/Shorewall-core/lib.common +++ b/Shorewall-core/lib.common @@ -157,6 +157,7 @@ run_it() { [ -n "$g_timestamp" ] && options=${options}t [ -n "$g_purge" ] && options=${options}p [ -n "$g_recovering" ] && options=${options}r + [ -n "$g_counters" ] && options=${options}c options="${options}V $VERBOSITY" diff --git a/Shorewall-lite/manpages/shorewall-lite.xml b/Shorewall-lite/manpages/shorewall-lite.xml index fb7173ff0..0ecacad2a 100644 --- a/Shorewall-lite/manpages/shorewall-lite.xml +++ b/Shorewall-lite/manpages/shorewall-lite.xml @@ -299,7 +299,7 @@ - + directory @@ -314,6 +314,8 @@ + + filename @@ -340,7 +342,8 @@ -options - + filename @@ -476,6 +479,8 @@ + + 
@@ -821,6 +826,12 @@ The option causes the connection tracking table to be flushed; the conntrack utility must be installed to use this option. + + The option was added in Shorewall 4.6.5. + If the specified (or implicit) firewall script is the one that + generated the current running configuration, then the running + netfilter configuration will be reloaded as is so as to preserve the + iptables packet and byte counters. @@ -836,6 +847,11 @@ filename is given then Shorewall-lite will be restored from the file specified by the RESTOREFILE option in shorewall.conf(5). + + The option was added in Shorewall 4.6.5. + If the option was specified during shorewall save, then the counters saved by + that operation will be restored. @@ -867,6 +883,10 @@ filename is not given then the state is saved in the file specified by the RESTOREFILE option in shorewall.conf(5). + + The option, added in Shorewall 4.6.5, + causes the iptables packet and byte counters to be saved along with + the chains and rules. @@ -1113,6 +1133,13 @@ url="shorewall.conf.html">shorewall.conf(5) exists, is executable and is not older than the current filewall script, then that saved configuration is restored. + + The option was added in Shorewall 4.6.5 + and is only meaningful when the option is also + specified. If the previously-saved configuration is restored, and if + the option was also specified in the save command, then the packet and byte + counters will be restored. diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index a5d82ccae..cd2927ef5 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm 
@@ -7907,18 +7907,16 @@ sub emitr1( $$ ) { sub save_dynamic_chains() { - my $tool = $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}'; + my $tool = $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}'; + my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore'; emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = refresh ]; then' ); push_indent; - if ( $config{SAVE_COUNTERS} ) { - my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore'; - - emit( 'if [ "$COMMAND" = restart ]; then', - " ${tool}-save --counters > \${VARDIR}/.${utility}-input", - "fi\n" ); - } + emit( 'if [ -n "$g_counters" ]; then' , + " ${tool}-save --counters > \${VARDIR}/.${utility}-input", + "fi\n" + ); if ( have_capability 'IPTABLES_S' ) { emit <<"EOF"; @@ -8245,26 +8243,25 @@ sub create_netfilter_load( $ ) { '# Create the input to iptables-restore/ip6tables-restore and pass that input to the utility', '#', 'setup_netfilter()', - '{' ); - - emit( ' local option' ) if $config{SAVE_COUNTERS}; + '{'. + ' local option', + ); push_indent; my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore'; my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE'; - if ( $config{SAVE_COUNTERS} ) { - emit( '', - 'if [ "$COMMAND" = restart ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then', - ' option="--counters"', - '', - ' progress_message "Reusing existing ruleset..."', - '', - 'else' - ); - push_indent; - } + emit( '', + 'if [ "$COMMAND" = restart -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then', + ' option="--counters"', + '', + ' progress_message "Reusing existing ruleset..."', + '', + 'else' + ); + + push_indent; save_progress_message "Preparing $utility input..."; 
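Review bot: The emitted guard in save_dynamic_chains, `if [ -n "$g_counters" ]; then`, no longer restricts the `${tool}-save --counters` dump to `$COMMAND = restart`, while the enclosing emitted test still admits `refresh`; the removed code only ran the dump on restart. Nothing visible in this patch sets g_counters for refresh (the CLI adds `-C` only to start, restart, restore and save), so the dump is gated by the CLI rather than by the generated script. If that is intended, a comment such as `# g_counters is only set by the CLI for start/restart/restore/save, so refresh never dumps` would make the reliance explicit; otherwise keep the inner test as `if [ "$COMMAND" = restart -a -n "$g_counters" ]; then`. The function continues outside the hunk.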
@@ -8308,6 +8305,14 @@ sub create_netfilter_load( $ ) { push @chains, $chainref; } } + # + # SHA1SUM chains for handling 'restart -s' + # + if ( $table eq 'filter' ) { + emit_unindented ':$shasum1 - [0:0]'; + emit_unindented ':$shasum2 - [0:0]'; + } + # # Then emit the rules # @@ -8323,18 +8328,14 @@ sub create_netfilter_load( $ ) { enter_cmd_mode; - pop_indent, emit "fi\n" if $config{SAVE_COUNTERS}; + pop_indent, emit "fi\n"; # # Now generate the actual ip[6]tables-restore command # emit( 'exec 3>&-', '' ); - if ( $config{SAVE_COUNTERS} ) { - emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command="$' . $UTILITY . ' $option"' ); - } else { - emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY ); - } + emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command="$' . $UTILITY . ' $option"' ); emit( '', 'progress_message2 "Running $command..."', @@ -8345,14 +8346,6 @@ sub create_netfilter_load( $ ) { "fi\n" ); - if ( $config{SAVE_COUNTERS} ) { - emit( 'if [ -z "$options" ]; then', - ' $g_tool -N $g_sha1sum1', - ' $g_tool -N $g_sha1sum2', - 'fi' - ); - } - pop_indent; emit "}\n"; diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index 9d0e14c11..d36f7430a 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm @@ -352,7 +352,8 @@ sub generate_script_3($) { emit "#\n# Start/Restart the Firewall\n#"; - emit 'define_firewall() {'; + emit( 'define_firewall() {', + ' local options' ); push_indent; 
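Review bot: In the setup_netfilter header of create_netfilter_load, `'{'.` concatenates the brace and ` local option` into a single emitted line (`{ local option`) because the separator is a `.` rather than a `,`; the shell accepts that form, but it is almost certainly a typo for `'{',` followed by `'    local option',` as its own argument, which is what the removed `emit( ' local option' )` produced. The now-unconditional `else` and `push_indent` pair with the unconditional `pop_indent, emit "fi\n"` in the later hunk of this function, so that part is consistent. create_netfilter_load continues outside the hunk.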
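Review bot: The two new chain declarations use `$shasum1` and `$shasum2`, but the script variables are named `g_sha1sum1` and `g_sha1sum2` everywhere else in this patch (the `chain_exists $g_sha1sum1` test earlier in this function, and the `g_sha1sum1=` assignments in prog.footer and Config.pm). If these `emit_unindented` lines land in the same shell-expanded heredoc as the `:chain - [0:0]` declarations just above them, as the surrounding code suggests, the undefined variables expand to empty and the restore input contains `: - [0:0]`, which ip[6]tables-restore rejects, so the marker chains are never created and `restart -C` can never match them. The lines should read `emit_unindented ':$g_sha1sum1 - [0:0]';` and `emit_unindented ':$g_sha1sum2 - [0:0]';`, and the comment `# SHA1SUM chains for handling 'restart -s'` should name `-C`, the option this commit adds.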
@@ -470,10 +471,12 @@ sub generate_script_3($) { emit( '', 'if [ $COMMAND = restore ]; then', ' iptables_save_file=${VARDIR}/$(basename $0)-iptables', - ' if [ -f $iptables_save_file ]; then' ); + ' if [ -f $iptables_save_file ]; then', + ' [ -n "$g_counters" ] && options=--counters' + ); if ( $family == F_IPV4 ) { - emit( ' cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux' ); + emit( ' cat $iptables_save_file | $IPTABLES_RESTORE $options # Use this nonsensical form to appease SELinux' ); emit( '', ' arptables_save_file=${VARDIR}/$(basename $0)-arptables', @@ -483,7 +486,7 @@ sub generate_script_3($) { if $config{SAVE_ARPTABLES}; } else { - emit ' cat $iptables_save_file | $IP6TABLES_RESTORE # Use this nonsensical form to appease SELinux' + emit ' cat $iptables_save_file | $IP6TABLES_RESTORE $options # Use this nonsensical form to appease SELinux' } emit( ' else', diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 35a1dde58..de5b3c891 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -851,7 +851,6 @@ sub initialize( $;$$) { REJECT_ACTION => undef, INLINE_MATCHES => undef, BASIC_FILTERS => undef, - SAVE_COUNTERS => undef, # # Packet Disposition # 
@@ -1779,19 +1778,17 @@ sub finalize_script( $ ) { $script = 0; if ( $file ne '-' ) { - if ( $config{SAVE_COUNTERS} ) { - my $sha1sum = generate_sha1; - my $sha1sum1 = substr( $sha1sum, 0, 20 ); - my $sha1sum2 = substr( $sha1sum, -20 ); + my $sha1sum = generate_sha1; + my $sha1sum1 = substr( $sha1sum, 0, 20 ); + my $sha1sum2 = substr( $sha1sum, -20 ); - @ARGV = ( $tempfile ); - $^I = ''; + @ARGV = ( $tempfile ); + $^I = ''; - while ( <> ) { - s/g_sha1sum1=/g_sha1sum1=$sha1sum1/; - s/g_sha1sum2=/g_sha1sum2=$sha1sum2/; - print; - } + while ( <> ) { + s/g_sha1sum1=/g_sha1sum1=$sha1sum1/; + s/g_sha1sum2=/g_sha1sum2=$sha1sum2/; + print; } rename $tempfile, $file or fatal_error "Cannot Rename $tempfile to $file: $!"; @@ -5686,7 +5683,6 @@ sub get_configuration( $$$$$ ) { default_yes_no 'TRACK_RULES' , ''; default_yes_no 'INLINE_MATCHES' , ''; default_yes_no 'BASIC_FILTERS' , ''; - default_yes_no 'SAVE_COUNTERS' , ''; require_capability( 'BASIC_EMATCH', 'BASIC_FILTERS=Yes', 's' ) if $config{BASIC_FILTERS}; diff --git a/Shorewall/Perl/prog.footer b/Shorewall/Perl/prog.footer index 9ecf32633..7b21d30fa 100644 --- a/Shorewall/Perl/prog.footer +++ b/Shorewall/Perl/prog.footer @@ -29,6 +29,7 @@ usage() { echo " -n Don't update routing configuration" echo " -p Purge Conntrack Table" echo " -t Timestamp progress Messages" + echo " -c Save/restore iptables counters" echo " -V Set verbosity explicitly" echo " -R Override RESTOREFILE setting" exit $1 @@ -93,6 +94,10 @@ g_recovering=$RECOVERING # g_sha1sum1= g_sha1sum2= +# +# Other Globals +# +g_counters= initialize @@ -144,6 +149,10 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do g_recovering=Yes option=${option#r} ;; + c*) + g_counters=Yes + option=${option#c} + ;; V*) option=${option#V} diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf index 2bd7cdd41..80db37da5 100644 --- a/Shorewall/Samples/Universal/shorewall.conf +++ b/Shorewall/Samples/Universal/shorewall.conf 
@@ -214,8 +214,6 @@ ROUTE_FILTER=No SAVE_ARPTABLES=No -SAVE_COUNTERS=No - SAVE_IPSETS=No TC_ENABLED=Internal diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf index 92452ef72..033a1323c 100644 --- a/Shorewall/Samples/one-interface/shorewall.conf +++ b/Shorewall/Samples/one-interface/shorewall.conf @@ -225,8 +225,6 @@ ROUTE_FILTER=No SAVE_ARPTABLES=No -SAVE_COUNTERS=No - SAVE_IPSETS=No TC_ENABLED=Internal diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf index a184fd443..b2877a3b2 100644 --- a/Shorewall/Samples/three-interfaces/shorewall.conf +++ b/Shorewall/Samples/three-interfaces/shorewall.conf @@ -222,8 +222,6 @@ ROUTE_FILTER=No SAVE_ARPTABLES=No -SAVE_COUNTERS=No - SAVE_IPSETS=No TC_ENABLED=Internal diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf index b211c46a2..b28975409 100644 --- a/Shorewall/Samples/two-interfaces/shorewall.conf +++ b/Shorewall/Samples/two-interfaces/shorewall.conf @@ -225,8 +225,6 @@ ROUTE_FILTER=No SAVE_ARPTABLES=No -SAVE_COUNTERS=No - SAVE_IPSETS=No TC_ENABLED=Internal diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf index c00b664ec..ceae87b3b 100644 --- a/Shorewall/configfiles/shorewall.conf +++ b/Shorewall/configfiles/shorewall.conf @@ -214,8 +214,6 @@ ROUTE_FILTER=No SAVE_ARPTABLES=No -SAVE_COUNTERS=No - SAVE_IPSETS=No TC_ENABLED=Internal diff --git a/Shorewall/lib.cli-std b/Shorewall/lib.cli-std index a3490c6ea..5f04c5c21 100644 --- a/Shorewall/lib.cli-std +++ b/Shorewall/lib.cli-std @@ -534,6 +534,10 @@ start_command() { g_inline=Yes option=${option#i} ;; + C*) + g_counters=Yes + option=${option#C} + ;; *) usage 1 ;; @@ -943,6 +947,10 @@ restart_command() { g_inline=Yes option=${option#i} ;; + C*) + g_counters=Yes + option=${option#C} + ;; *) usage 1 ;; 
@@ -1673,12 +1681,12 @@ usage() # $1 = exit status echo " reject
..." echo " reload [ -s ] [ -c ] [ -r ] [ -T ] [ -i ] [ ] " echo " reset [ ... ]" - echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ ]" - echo " restore [ -n ] [ -p ] [ ]" + echo " restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ ]" + echo " restore [ -n ] [ -p ] [ -C ] [ ]" echo " run [ ... ]" echo " safe-restart [ -t ] [ ]" echo " safe-start [ -t ] [ ]" - echo " save [ ]" + echo " save [ -C ] [ ]" echo " [ show | list | ls ] [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [ [ ... ]" echo " [ show | list | ls ] actions" echo " [ show | list | ls ] [ -x ] {bl|blacklists}" @@ -1705,7 +1713,7 @@ usage() # $1 = exit status echo " [ show | list | ls ] tc [ device ]" echo " [ show | list | ls ] vardir" echo " [ show | list | ls ] zones" - echo " start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ ]" + echo " start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ -i ] [ -C ] [ ]" echo " status [ -i ]" echo " stop" echo " try [ ]" diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml index 3c3323217..0a1325b31 100644 --- a/Shorewall/manpages/shorewall.conf.xml +++ b/Shorewall/manpages/shorewall.conf.xml @@ -2454,20 +2454,6 @@ INLINE - - - ; -j REJECT - - SAVE_COUNTERS=[Yes|No] - - - Added in Shorewall 4.6.5. - - When set to Yes, this option causes the save and restore commands to respectively save and - restore chain counters. - - - SAVE_ARPTABLES={Yes|No} diff --git a/Shorewall/manpages/shorewall.xml b/Shorewall/manpages/shorewall.xml index 39db5ee9f..3c5c6ed90 100644 --- a/Shorewall/manpages/shorewall.xml +++ b/Shorewall/manpages/shorewall.xml @@ -441,6 +441,8 @@ + + directory @@ -453,7 +455,7 @@ -options + choice="plain"> filename @@ -518,7 +520,8 @@ -options - + filename @@ -672,6 +675,8 @@ + + directory 
@@ -1406,6 +1411,14 @@ lines will be handled incorrectly if INLINE_MATCHES is set to Yes in shorewall.conf(5). + + The option was added in Shorewall 4.6.5 + and is only meaningful when AUTOMAKE=Yes in shorewall.conf(5). If an + existing firewall script is used and if that script was the one that + generated the current running configuration, then the running + netfilter configuration will be reloaded as is so as to preserve the + iptables packet and byte counters. @@ -1429,6 +1442,11 @@ causes the connection tracking table to be flushed; the conntrack utility must be installed to use this option. + + The option was added in Shorewall 4.6.5. + If the option was specified during shorewall save, then the counters saved by + that operation will be restored. @@ -1517,6 +1535,10 @@ filename is not given then the state is saved in the file specified by the RESTOREFILE option in shorewall.conf(5). + + The option, added in Shorewall 4.6.5, + causes the iptables packet and byte counters to be saved along with + the chains and rules. @@ -1821,6 +1843,13 @@ lines will be handled incorrectly if INLINE_MATCHES is set to Yes in shorewall.conf(5). + + The option was added in Shorewall 4.6.5 + and is only meaningful when the option is also + specified. If the previously-saved configuration is restored, and if + the option was also specified in the save command, then the packet and byte + counters will be restored. diff --git a/Shorewall6-lite/manpages/shorewall6-lite.xml b/Shorewall6-lite/manpages/shorewall6-lite.xml index 29bcaa415..0b63b6343 100644 --- a/Shorewall6-lite/manpages/shorewall6-lite.xml +++ b/Shorewall6-lite/manpages/shorewall6-lite.xml @@ -301,6 +301,8 @@ + + directory @@ -314,6 +316,8 @@ + + filename @@ -342,6 +346,8 @@ + + filename @@ -476,6 +482,8 @@ + + 
@@ -819,6 +827,12 @@ The option causes the connection tracking table to be flushed; the conntrack utility must be installed to use this option. + + The option was added in Shorewall 4.6.5. + If the specified (or implicit) firewall script is the one that + generated the current running configuration, then the running + netfilter configuration will be reloaded as is so as to preserve the + iptables packet and byte counters. @@ -834,6 +848,11 @@ filename is given then shorewall6-lite will be restored from the file specified by the RESTOREFILE option in shorewall6.conf(5). + + The option was added in Shorewall 4.6.5. + If the option was specified during shorewall save, then the counters saved by + that operation will be restored. @@ -865,6 +884,10 @@ filename is not given then the state is saved in the file specified by the RESTOREFILE option in shorewall6.conf(5). + + The option, added in Shorewall 4.6.5, + causes the ip6tables packet and byte counters to be saved along with + the chains and rules. @@ -1111,6 +1134,13 @@ url="shorewall.conf.html">shorewall.conf(5) exists, is executable and is not older than the current filewall script, then that saved configuration is restored. + + The option was added in Shorewall 4.6.5 + and is only meaningful when the option is also + specified. If the previously-saved configuration is restored, and if + the option was also specified in the save command, then the packet and byte + counters will be restored. diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf index c8eb7ded2..d870d8341 100644 --- a/Shorewall6/Samples6/Universal/shorewall6.conf +++ b/Shorewall6/Samples6/Universal/shorewall6.conf @@ -189,8 +189,6 @@ REQUIRE_INTERFACE=Yes RESTORE_ROUTEMARKS=Yes -SAVE_COUNTERS=No - SAVE_IPSETS=No TC_ENABLED=No diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf index 409ff9807..03a3954da 100644 
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf +++ b/Shorewall6/Samples6/one-interface/shorewall6.conf @@ -189,8 +189,6 @@ REQUIRE_INTERFACE=No RESTORE_ROUTEMARKS=Yes -SAVE_COUNTERS=No - SAVE_IPSETS=No TC_ENABLED=No diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf index d50fe1ecc..5df52bc59 100644 --- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf +++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf @@ -189,8 +189,6 @@ REQUIRE_INTERFACE=No RESTORE_ROUTEMARKS=Yes -SAVE_COUNTERS=No - SAVE_IPSETS=No TC_ENABLED=No diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf index 6d6e70d6e..59763bf2e 100644 --- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf +++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf @@ -189,8 +189,6 @@ REQUIRE_INTERFACE=No RESTORE_ROUTEMARKS=Yes -SAVE_COUNTERS=No - SAVE_IPSETS=No TC_ENABLED=No diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf index afebc9e70..d02ad3658 100644 --- a/Shorewall6/configfiles/shorewall6.conf +++ b/Shorewall6/configfiles/shorewall6.conf @@ -189,8 +189,6 @@ REQUIRE_INTERFACE=No RESTORE_ROUTEMARKS=Yes -SAVE_COUNTERS=No - SAVE_IPSETS=No TC_ENABLED=No diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml index 2942ea93e..be535f1e4 100644 --- a/Shorewall6/manpages/shorewall6.conf.xml +++ b/Shorewall6/manpages/shorewall6.conf.xml @@ -2122,20 +2122,6 @@ INLINE - - - ; -j REJECT - - SAVE_COUNTERS=[Yes|No] - - - Added in Shorewall 4.6.5. - - When set to Yes, this option causes the save and restore commands to respectively save and - restore chain counters. - - - SAVE_IPSETS={Yes| - + directory @@ -413,7 +413,8 @@ -options - + filename @@ -474,7 +475,8 @@ -options - + filename @@ -599,7 +601,7 @@ - + directory 
@@ -1298,6 +1300,14 @@ lines will be handled incorrectly if INLINE_MATCHES is set to Yes in shorewall6.conf(5). + + The option was added in Shorewall 4.6.5 + and is only meaningful when AUTOMAKE=Yes in shorewall6.conf(5). If + an existing firewall script is used and if that script was the one + that generated the current running configuration, then the running + netfilter configuration will be reloaded as is so as to preserve the + iptables packet and byte counters. @@ -1313,6 +1323,11 @@ filename is given then Shorewall6 will be restored from the file specified by the RESTOREFILE option in shorewall6.conf(5). + + The option was added in Shorewall 4.6.5. + If the option was specified during shorewall6 save, then the counters saved by + that operation will be restored. @@ -1402,6 +1417,10 @@ filename is not given then the state is saved in the file specified by the RESTOREFILE option in shorewall6.conf(5). + + The option, added in Shorewall 4.6.5, + causes the ip6tables packet and byte counters to be saved along with + the chains and rules. @@ -1667,6 +1686,13 @@ lines will be handled incorrectly if INLINE_MATCHES is set to Yes in shorewall6.conf(5). + + The option was added in Shorewall 4.6.5 + and is only meaningful when the option is also + specified. If the previously-saved configuration is restored, and if + the option was also specified in the save command, then the packet and byte + counters will be restored along with the chains and rules.