Hi Matt,

Ok, understood.

Yes, agreed - save and restore are working correctly so far as I can
tell here. Seems I was tripped up by assuming that the iptaccount
counters would be included in those.

nfacct seems like it would work, although may also need additional
steps above those mentioned to keep the counters over a reboot. (it
seems impossible, on the other hand, to restore counters using the
iptaccount tools)

Agreed with your suggestions re the man pages, with the addition
perhaps of mentioning that a 'restore -C' is also required after a
reboot, as 'start -C' doesn't seem sufficient on its own as it reads a
different file.

I'll explore nfacct (or just convert my 'per IP' accounting to 'basic'
accounting), and will stop bothering you :-)

Thank you very much for your help!

All the best,
Matt

On Wed, 27 Jan 2021 at 14:52, Matt Darfeuille <m...@shorewall.org> wrote:
>
> On 1/25/2021 9:17 PM, Matthew Collins wrote:
> > Ok, that does make sense, thanks, but I note that 'start' also runs
> > 'restore' too? (I guess this is where the '-C' flag ends up) Which
> > should then restore counters?
> >
>
> Start and restore are not the same commands and are doing different
> things internally, but the output on the screen looks the same as both
> commands call common functions.
>
>
> As far as I can tell, 'shorewall save [-C]', 'iptables-save [-c]',
> 'shorewall restore [-C]' and 'iptables-restore [-c]' are working as they
> should and properly saving/restoring the counters when using [-c|C].
> Note that no traffic was going through the firewall at the time of
> testing this.
>
> If it is not working, a kernel issue/command issue might be the culprit.
>
> > If I do #shorewall save -C && shorewall stop && shorewall start, the
> > counters are reset as expected. But then a #shorewall restore -C does
> > not restore counters.*
> >
> > *Actually, it does, but 'shorewall show ipa' (or 'iptaccount -l
> > account') are cleared! (running '#iptables-save | head' before and
> > after shows the same/similar counters when restored correctly)
> >
> > Perhaps this is a difference between 'per-IP' accounting, as I'm using
> > (and which the manpages say survives restarts...), and 'normal'
> > accounting.
> >
>
> Granted, the man page could be clearer there.
> 'iptaccount ipt_account' is an addition to iptables, so the counters
> option will have no effect with those values.
> Maybe using 'nfacct' might help you there.
>
> > So I think this isn't necessarily a bug in Shorewall, but the docs
> > need updating IMHO - referring to 'restore -C' after a reboot, and
> > that per-IP accounting counters (can)not be saved.
> >
> Were the xml manpages to be modified, they should reflect the below:
> - As you pointed out, the -C opt will only be honored if 'RESTART' is
> set to 'reload' in 'shorewall.conf'.
> - Making clear that the values shown by iptaccount are computed on the
> fly and are not saved at all.
> - Using nfacct to interact with iptables's extended accounting (1) and
> that nfacct allows to save those values.
>
>
> 1)  https://shorewall.org/Accounting.html#nfacct
>
> --
> Matt Darfeuille <m...@shorewall.org>
> Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
> SPC: https://sourceforge.net/p/shorewall/mailman/message/36596609/
> Homepage: https://shorewall.org
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
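Matthew verified the restore by eyeballing `iptables-save | head` before and after; the script below does that comparison mechanically. It is an added example, not code from the thread or from Shorewall: it parses two `iptables-save -c` dumps and lists every chain policy or rule whose packet or byte counter went backwards, which is what a stop/start (or a restore without -C) produces. The three dumps embedded in it are constructed samples with made-up rules and numbers; the parsing follows the stock `iptables-save` text format (`*table`, `:CHAIN POLICY [pkts:bytes]`, `[pkts:bytes] -A CHAIN ...`, `COMMIT`).

```python
import re
from typing import Dict, List, Optional, Tuple

# Key: (table, chain-or-rule text, occurrence index) -> (packets, bytes).
# The occurrence index keeps identical rules in the same chain apart.
Counters = Dict[Tuple[str, str, int], Tuple[int, int]]

# ":CHAIN POLICY [pkts:bytes]"  -> chain policy counters
CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")
# "[pkts:bytes] -A CHAIN ..."   -> per-rule counters (only present with -c)
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+(-A\s.+)$")


def parse_iptables_save(dump: str) -> Counters:
    """Parse an `iptables-save -c` dump into a counters map.

    Rule lines without a leading [pkts:bytes] (a dump taken without -c)
    are skipped, so the absence of a rule key itself signals that no
    counters were captured for it.
    """
    counters: Counters = {}
    seen: Dict[Tuple[str, str], int] = {}
    table: Optional[str] = None

    def key(text: str) -> Tuple[str, str, int]:
        # table is read at call time, so it tracks the current "*table" block
        n = seen.get((table, text), 0)
        seen[(table, text)] = n + 1
        return (table, text, n)

    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # "*filter", "*nat", ...
            table = line[1:]
            continue
        if line == "COMMIT":
            table = None
            continue
        if table is None:
            continue
        m = CHAIN_RE.match(line)
        if m:
            chain, _policy, pkts, byts = m.groups()
            counters[key(":" + chain)] = (int(pkts), int(byts))
            continue
        m = RULE_RE.match(line)
        if m:
            pkts, byts, rule = m.groups()
            counters[key(rule)] = (int(pkts), int(byts))
    return counters


def reset_counters(before: Counters, after: Counters) -> List[Tuple[str, str, int]]:
    """Entries present in both dumps whose packet or byte count went down.

    Counters only grow while a rule stays loaded, so a decrease means the
    rule was recreated with fresh counters instead of being restored.
    """
    lost = []
    for k, (p0, b0) in before.items():
        if k in after:
            p1, b1 = after[k]
            if p1 < p0 or b1 < b0:
                lost.append(k)
    return lost


# Constructed samples: rules and counters are made up for this example.
BEFORE = """\
# Generated by iptables-save (constructed sample, taken with -c)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [12:960]
:accounting - [0:0]
[1234:567890] -A INPUT -i lo -j ACCEPT
[42:4200] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[9:720] -A accounting -s 192.0.2.10/32 -j RETURN
COMMIT
"""

# After `restore -C`: every counter is at or above its saved value.
AFTER_RESTORED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [15:1200]
:accounting - [0:0]
[1240:570100] -A INPUT -i lo -j ACCEPT
[43:4300] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[9:720] -A accounting -s 192.0.2.10/32 -j RETURN
COMMIT
"""

# After stop/start: the rules were recreated and count from zero again.
AFTER_RESTART = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1:80]
:accounting - [0:0]
[3:180] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A accounting -s 192.0.2.10/32 -j RETURN
COMMIT
"""

if __name__ == "__main__":
    base = parse_iptables_save(BEFORE)
    for label, dump in (("restore -C", AFTER_RESTORED), ("stop/start", AFTER_RESTART)):
        lost = reset_counters(base, parse_iptables_save(dump))
        print(f"{label}: {'counters preserved' if not lost else f'{len(lost)} entries reset'}")
        for table, text, _ in lost:
            print(f"  {table}: {text}")
```

On a real host the two dumps would come from `iptables-save -c > before.txt` just before the save and `iptables-save -c > after.txt` after the restore. Note that this only covers the counters iptables itself keeps; the per-IP values shown by `iptaccount -l` are not in the `iptables-save` output at all, which is exactly why they vanish even when this check reports everything preserved.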