Commit cfcd16c

update documentation
1 parent fabc574 commit cfcd16c

2 files changed

+7
-3
lines changed

Documentation/NOTES.md

Lines changed: 6 additions & 2 deletions
@@ -80,15 +80,19 @@
8080

8181
16) Note that cron jobs will be run as root.
8282

83-
17) To test before deployment:
83+
17) If you have nftables installed but for some reason you are using iptables rules (via the nft_compat kernel module), you can and probably should install geoip-shell with the option `-w ipt` which will force it to use iptables+ipset. For example: `geoip-shell install -w ipt`.
84+
85+
18) If you upgrade your system from iptables to nftables, you can either re-install geoip-shell and it will then automatically use nftables, or you can use this command without reinstalling: `geoip-shell configure -w nft`, which will remove all iptables rules and ipsets, and re-create nftables rules and sets based on your existing config. If you are on OpenWrt, this does not apply: instead, you will need to install the geoip-shell package for nftables-based OpenWrt.
86+
87+
19) To test before deployment:
8488
<details> <summary>Read more:</summary>
8589

8690
- You can run the install script with the "-k" (noblock) option to apply all actions and create all firewall rules except the geoip-shell "enable" rule. This way you can make sure no errors are encountered and check the resulting firewall config before commiting to actual blocking. To enable blocking later, use the command `geoip-shell on`.
8791
- You can run the install script with the "-n" option to skip creating the reboot cron job which implements persistence and with the '-s disable' option to skip creating the autoupdate cron job. This way, a simple machine restart should undo all changes made to the firewall (unless you have some software that restores firewall settings after reboot). For example: `sh geoip-shell-install -c <country_code> -m whitelist -n -s disable`. To enable persistence and autoupdate later, reinstall without both options.
8892

8993
</details>
9094

91-
18) How to get yourself locked out of your remote server and how to prevent this:
95+
20) How to get yourself locked out of your remote server and how to prevent this:
9296
<details> <summary>Read more:</summary>
9397

9498
There are 4 scenarios where you can lock yourself out of your remote server with this suite:
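
Review bot: In the new item 18, "which will remove all iptables rules and ipsets" reads as if `geoip-shell configure -w nft` flushes every iptables rule and ipset on the host, not only the ones geoip-shell created. If the removal is scoped to geoip-shell's own rules and ipsets, say so explicitly (for example "remove all geoip-shell iptables rules and ipsets"); if it is not, that needs a prominent warning in this item. Since the switch removes one rule set and re-creates another, and item 20 right below is about lockout on remote servers, it would also help to state whether blocking is interrupted while the switch runs. New item 17 says you "can and probably should" install with `-w ipt` without saying what goes wrong otherwise; one clause of rationale would make the advice actionable.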

README.md

Lines changed: 1 addition & 1 deletion
@@ -132,7 +132,7 @@ _(Note that some commands require root privileges, so you will likely need to ru
132132

133133
**5)** The install script will ask you several questions to configure the installation, then initiate download and application of the ip lists. If you are not sure how to answer some of the questions, read [INSTALLATION.md](/Documentation/INSTALLATION.md).
134134

135-
**6)** That's it! By default, ip lists will be updated daily at 4:15am local time (4:15 at night) - you can verify that automatic updates are working by running `cat /var/log/syslog | grep geoip-shell` on the next day (change syslog path if necessary, according to the location assigned by your distro. on some distributions, a different command should be used, such as `logread`).
135+
**6)** That's it! By default, ip lists will be updated daily at 4:15am local time (4:15 at night) - you can verify that automatic updates are working by running `geoip-shell status`: this will report geoip-shell status and time of last successful update (note that this time doesn't change if lists are already up-to-date during an automatic update). Alternatively, run `cat /var/log/syslog | grep geoip-shell` on the next day to check geoip-shell log messages (change syslog path if necessary, according to the location assigned by your distro. on OpenWrt and some other distributions a different command should be used, such as `logread`).
136136

137137
## **Usage**
138138
_(Note that all commands require root privileges, so you will likely need to run them with `sudo`)_
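
Review bot: In the rewritten step 6, the parenthetical says the last-successful-update time "doesn't change if lists are already up-to-date during an automatic update", so an unchanged timestamp from `geoip-shell status` cannot distinguish "the cron job ran and found nothing new" from "the cron job never ran". Suggest saying that in this case the log check is what confirms the job ran, rather than presenting it only as an alternative. The Usage note just below states that all commands require root, so it is worth saying here whether `geoip-shell status` needs `sudo`; as a style point, `grep geoip-shell /var/log/syslog` avoids the extra `cat`.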