On 1/25/2021 9:17 PM, Matthew Collins wrote:
> Ok, that does make sense, thanks, but I note that 'start' also runs
> 'restore' too? (I guess this is where the '-C' flag ends up) Which
> should then restore counters?
> 

Start and restore are not the same commands and are doing different
things internally, but the output on the screen looks the same as both
commands call common functions.


As far as I can tell, 'shorewall save [-C]', 'iptables-save [-c]',
'shorewall restore [-C]' and 'iptables-restore [-c]' are working as they
should and properly saving/restoring the counters when using [-c|C].
Note that no traffic was going through the firewall at the time of
testing this.

If it is not working, a kernel issue/command issue might be the culprit.

> If I do #shorewall save -C && shorewall stop && shorewall start, the
> counters are reset as expected. But then a #shorewall restore -C does
> not restore counters.*
> >
> *Actually, it does, but 'shorewall show ipa' (or 'iptaccount -l
> account') are cleared! (running '#iptables-save | head' before and
> after shows the same/similar counters when restored correctly)
> 
> Perhaps this is a difference between 'per-IP' accounting, as I'm using
> (and which the manpages say survives restarts...), and 'normal'
> accounting.
> 

Granted, the man page could be clearer there.
'iptaccount ipt_account' is an addition to iptables, so the counters
option will have no effect with those values.
Maybe using 'nfacct' might help you there.

> So I think this isn't necessarily a bug in Shorewall, but the docs
> need updating IMHO - referring to 'restore -C' after a reboot, and
> that per-IP accounting counters (can)not be saved.
> 
Were the XML manpages to be modified, they should reflect the below:
- As you pointed out, the -C opt will only be honored if 'RESTART' is
set to 'reload' in 'shorewall.conf'.
- Making clear that the values shown by iptaccount are computed on the
fly and are not saved at all.
- Using nfacct to interact with iptables's extended accounting (1), and
that nfacct allows saving those values.


1)  https://shorewall.org/Accounting.html#nfacct

-- 
Matt Darfeuille <m...@shorewall.org>
Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
SPC: https://sourceforge.net/p/shorewall/mailman/message/36596609/
Homepage: https://shorewall.org


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
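
An added example, not part of the original message or of Shorewall: one way to check the before/after comparison discussed above is to diff two `iptables-save -c` dumps and list every rule or chain whose counters went backwards. The sample dumps are constructed; as the message says, per-IP iptaccount tables are not in this output and are not covered.

```python
import re

# `iptables-save -c` prefixes rules with [packets:bytes] and ends chain
# policy lines with the same pair.
RULE = re.compile(r"^\[(\d+):(\d+)\] (-A .+)$")
CHAIN = re.compile(r"^:(\S+) \S+ \[(\d+):(\d+)\]$")

# Constructed sample: dump taken before `shorewall save -C`.
BEFORE = """\
*filter
:INPUT DROP [12:720]
:FORWARD DROP [0:0]
[340:28800] -A INPUT -i lo -j ACCEPT
[57:4104] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed sample: dump taken after a restore that lost one rule's counters.
AFTER = """\
*filter
:INPUT DROP [12:720]
:FORWARD DROP [0:0]
[341:28860] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

def parse_counters(dump):
    """Map (table, rule spec or ':chain') -> (packets, bytes).
    Rules with an identical spec in one table share a key (last one wins)."""
    counters, table = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif (m := RULE.match(line)):
            counters[(table, m.group(3))] = (int(m.group(1)), int(m.group(2)))
        elif (m := CHAIN.match(line)):
            counters[(table, ":" + m.group(1))] = (int(m.group(2)), int(m.group(3)))
    return counters

def lost_counters(before, after):
    """Keys whose counters are missing or lower after the restore.
    Higher values are accepted, since traffic may have passed in between."""
    old, new = parse_counters(before), parse_counters(after)
    return sorted(k for k, (p, b) in old.items()
                  if k not in new or new[k][0] < p or new[k][1] < b)

if __name__ == "__main__":
    for table, item in lost_counters(BEFORE, AFTER):
        print(f"counter not restored in {table}: {item}")
```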
