Many apologies, I was called away for a couple days. Many thanks for the patch!
Good news and bad news... the patch applies successfully (of course :-) ), #shorewall restart -C -f now mentions 'counters' in the iptables-restore line (as does #shorewall start -C -f)... but counters are still cleared:

[matt@homeserver Shorewall]$ sudo patch -p 3 /usr/share/shorewall/Shorewall/Chains.pm ~/code-master-1-21.01.21.16.26.19-rfc.patch
patching file /usr/share/shorewall/Shorewall/Chains.pm
[matt@homeserver Shorewall]$ sudo shorewall save -C
Currently-running Configuration Saved to /var/lib/shorewall/restore
[matt@homeserver Shorewall]$ sudo shorewall show ipa
Shorewall 5.2.8 per-IP Accounting at homeserver - Sat 23 Jan 14:19:42 GMT 2021
Showing table: loc
IP: 192.168.1.10 SRC packets: 146357 bytes: 51338604 DST packets: 147839 bytes: 97006413
IP: 192.168.1.51 SRC packets: 94268 bytes: 46097562 DST packets: 208820 bytes: 234135327
IP: 192.168.1.52 SRC packets: 7612 bytes: 1665727 DST packets: 8627 bytes: 4504117
IP: 192.168.1.60 SRC packets: 48884 bytes: 25335363 DST packets: 49155 bytes: 45306629
IP: 192.168.1.70 SRC packets: 945 bytes: 91292 DST packets: 0 bytes: 0
IP: 192.168.1.79 SRC packets: 49381 bytes: 4097282 DST packets: 55188 bytes: 50986444
IP: 192.168.1.91 SRC packets: 2834 bytes: 2156472 DST packets: 2834 bytes: 1314774
IP: 192.168.1.104 SRC packets: 1865 bytes: 210304 DST packets: 2268 bytes: 844187
[matt@homeserver Shorewall]$ sudo shorewall restart -C -f
Stopping Shorewall....
Processing /etc/shorewall/stop ...
Processing /etc/shorewall/tcclear ...
Preparing iptables-restore input...
Running /sbin/iptables-restore --wait 60...
IPv4 Forwarding Enabled
Processing /etc/shorewall/stopped ...
done.
Starting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Processing /etc/shorewall/tcclear ...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Setting up Proxy ARP...
Setting up Traffic Control...
Preparing iptables-restore input...
Running /sbin/iptables-restore --counters --wait 60...
IPv4 Forwarding Enabled
Processing /etc/shorewall/start ...
Processing /etc/shorewall/started ...
done.
[matt@homeserver Shorewall]$ sudo shorewall show ipa
Shorewall 5.2.8 per-IP Accounting at homeserver - Sat 23 Jan 14:20:06 GMT 2021
Showing table: loc
IP: 192.168.1.10 SRC packets: 6 bytes: 1008 DST packets: 7 bytes: 1184
IP: 192.168.1.52 SRC packets: 29 bytes: 9938 DST packets: 32 bytes: 6030

Running '#shorewall restart -C -f && shorewall save -C && less /var/lib/shorewall/restore-iptables' multiple times shows that the packet/byte counters still seem to be being reset.

However, running '#iptables-restore --counters /var/lib/shorewall/restore-iptables && shorewall save -C && less /var/lib/shorewall/restore-iptables' is keeping the counters!!

'#shorewall -T restart -C -f' indicates that in fact, 'iptables-restore' is being given /var/lib/shorewall/.iptables-restore-input, which contains no packet/byte counter data (everything is [0:0]). 'reload' seems to write counters to this file, but not 'start' or 'restart' (or anything else?)

So, is there a purpose for both 'restore-iptables' and '.iptables-restore-input'? Should '#shorewall save -C' write to '.iptables-restore-input' instead? Should both 'reload' and 'restart' write counters? (I can't find the logic that does this, should be in Chains.pm? I changed https://gitlab.com/shorewall/code/-/blob/master/Shorewall/Perl/Shorewall/Chains.pm#L8805 to
emit ( 'if [ "$COMMAND" = reload ] || [ "$COMMAND" = restart ] ; then' );
but doesn't seem to help here)

Thanks for your help so far, it's much appreciated. If this is getting a bit involved, I'm happy to kludge things here to suit me (I rarely use 'restart', so can make 'save' write to '.iptables-restore-input' to carry counters over a reboot).

All the best,
Matt

On Fri, 22 Jan 2021 at 14:41, Matt Darfeuille <m...@shorewall.org> wrote:
>
> On 1/21/2021 5:04 PM, Matt Darfeuille wrote:
> > On 1/20/2021 8:53 PM, Matt Darfeuille wrote:
> >> On 1/20/2021 5:21 PM, Matthew Collins wrote:
> >>> Gotcha.
> >>>
> >>> I'll have another go at working my way around the code.
> >>>
> >>> Do you want this reported on gitlab? (and if I fudge together a
> >>> reasonable fix, I'll submit it there?)
> >>>
> >>
> >> That would be lovely if you could file a bug report on Gitlab including
> >> this URL thread (1).
> >> If you manage to patch something up, can I ask you to send it through
> >> here in addition to Gitlab?
> >>
> >>
> >> As far as I can tell, the compiled firewall script does not handle the
> >> -c option for start and restart.
> >>
> >> Note that '-C' becomes '-c' in the context of the compiled firewall script.
> >>
> >>
> >> Thanks Matt and let us know how it goes.
> >>
> >>
> >> 1)
> >> https://sourceforge.net/p/shorewall/mailman/shorewall-users/thread/CALpsz32rWjvox1DLS99gS%3DveW%3DiSsJu0jqetKx0QghFcwHewDw%40mail.gmail.com/#msg37200686
> >>
> >
> > Please try the attached patch (code-master-1-21.01.21.16.26.19-rfc.patch).
> >
> > This patch is not heavily tested and breaks the regression suite, do
> > test this RFC patch on a non-production Shorewall installation.
> >
>
> To apply the patch, you can execute the below command:
>
> 'patch -p 3 /usr/share/shorewall/Shorewall/Chains.pm
> code-master-1-21.01.21.16.26.19-rfc.patch'
>
> --
> Matt Darfeuille <m...@shorewall.org>
> Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
> SPC: https://sourceforge.net/p/shorewall/mailman/message/36596609/
> Homepage: https://shorewall.org
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
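
A quick check for the observation in the message above, that the file handed to iptables-restore holds only [0:0] counters. This is an added example, not part of the original message or of Shorewall; the function names and sample data are constructed, and the input is assumed to be in iptables-save format.

```shell
#!/bin/sh
# Added example: report whether an iptables-save format file carries counters.
# Output: "<entries> <entries with non-zero counters> <rules with no counter prefix>"
counter_summary() {
    awk '
        # Chain declaration:  :NAME POLICY [packets:bytes]
        /^:/ && match($0, /\[[0-9]+:[0-9]+\]$/) {
            total++; if (substr($0, RSTART, RLENGTH) != "[0:0]") nonzero++; next
        }
        # Rule written with counters:  [packets:bytes] -A CHAIN ...
        /^\[[0-9]+:[0-9]+\] -A / {
            total++; if ($1 != "[0:0]") nonzero++; next
        }
        # Rule written without counters; iptables-restore starts it at zero
        /^-A / { total++; bare++ }
        END { printf "%d %d %d\n", total, nonzero, bare }
    ' "$1"
}

# Succeeds only if at least one entry has a non-zero counter to restore.
has_counters() {
    set -- $(counter_summary "$1")
    [ "$2" -gt 0 ]
}

# Constructed sample inputs (not taken from the files named in the thread).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/with-counters" <<'EOF'
*filter
:INPUT DROP [12:840]
:FORWARD DROP [0:0]
:loc-acct - [0:0]
[146357:51338604] -A loc-acct -s 192.168.1.10 -j RETURN
[0:0] -A loc-acct -s 192.168.1.70 -j RETURN
COMMIT
EOF
cat > "$SAMPLES/zeroed" <<'EOF'
*filter
:INPUT DROP [0:0]
:loc-acct - [0:0]
-A loc-acct -s 192.168.1.10 -j RETURN
COMMIT
EOF

for f in "$SAMPLES/with-counters" "$SAMPLES/zeroed"; do
    if has_counters "$f"; then echo "$f: counters present"
    else echo "$f: all counters zero"; fi
done
```

Pointing `counter_summary` at the two files named in the thread shows which of them actually holds saved counters before iptables-restore runs.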