diff --git a/Shorewall/help b/Shorewall/help index 9d3dc52fa..0403a6cc2 100755 --- a/Shorewall/help +++ b/Shorewall/help @@ -207,10 +207,11 @@ reset) ;; restart) - echo "restart: [ -q ] restart [ ] + echo "restart: [ -q ] [ -n ] restart [ ] Restart is the same as a shorewall stop && shorewall start. Existing connections are maintained. - If \"-q\" is specified, less detain is displayed making it easier to spot warnings" + If \"-q\" is specified, less detain is displayed making it easier to spot warnings + If \"-n\" is specified, no changes to routing will be made" ;; safe-restart) @@ -227,13 +228,15 @@ safe-start) ;; restore) - echo "restore: restore [ ] + echo "restore: restore [ -n ] [ ] Restore Shorewall to a state saved using the 'save' command Existing connections are maintained. The names a restore file in /var/lib/shorewall created using "shorewall save"; if no is given then Shorewall will be restored from the file specified by the RESTOREFILE option in shorewall.conf. + If \"-n\" is specified, no changes to routing will be made. + See also \"help save\" and \"help forget\"" ;; 
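Review bot: The rewritten `-q` line of the restart help still reads `less detain is displayed`; since this commit already replaces that line, it should become `If \"-q\" is specified, less detail is displayed making it easier to spot warnings`, the wording the start help in this same file uses. The new `-n` sentence in the restart entry has no trailing period while the one added to the restore entry does; these are user-facing strings, so the punctuation should be made consistent across the two hunks.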
@@ -279,22 +282,25 @@ show) ;; start) - echo "start: [ -q ] [ -f ] start [ ] + echo "start: [ -q ] [ -f ] [ -n ] start [ ] Start shorewall. Existing connections through shorewall managed interfaces are untouched. New connections will be allowed only if they are allowed by the firewall rules or policies. If \"-q\" is specified, less detail is displayed making it easier to spot warnings If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option in shorewall.conf will be restored if that saved configuration exists. In that - case, a may not be specified". + case, a may not be specified. + If \"-n\" is specified, no changes to routing will be made". ;; stop) - echo "stop: stop + echo "stop: [ -n ] stop Stops the firewall. All existing connections, except those listed in /etc/shorewall/routestopped, are taken down. The only new traffic permitted through the firewall - is from systems listed in /etc/shorewall/routestopped." + is from systems listed in /etc/shorewall/routestopped. + + If \"-n\" is specified, no changes to routing will be made" ;; status) @@ -327,12 +333,15 @@ trace) ;; try) - echo "try: try [ ] + echo "try: try [ -n ] [ ] Restart shorewall using the specified configuration. If an error occurs during the restart, then another shorewall restart is performed using the default configuration. If a timeout is specified then the restart is always performed after the timeout occurs and uses - the default configuration." + the default configuration. + + The \"-n\" option will be passed down to the underlying commands (see + 'start', 'stop', 'restart' and 'restore')" ;; version) diff --git a/Shorewall/hosts b/Shorewall/hosts index 8fdfc9b89..baea61b77 100644 --- a/Shorewall/hosts +++ b/Shorewall/hosts 
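Review bot: In the start help the last new line is written `If \"-n\" is specified, no changes to routing will be made".` — the `.` sits outside the closing quote of the echo string. Because it is adjacent to the quote it is concatenated into the same word, so the output is still "made.", but it reads as a stray token and the old line had the same oddity (`specified".`), which this hunk moves rather than removes. Put the period inside the string, `...routing will be made."`, or drop it as the restart and stop entries do. The stop and try hunks on this line close their strings cleanly.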
@@ -21,7 +21,8 @@
 # are defined in /etc/shorewall/zones determines the order in
 # which the records in this file are interpreted.
 #
-# ZONE - The name of a zone defined in /etc/shorewall/zones
+# ZONE - The name of a zone defined in /etc/shorewall/zones. You may
+# not list the firewall zone in this column.
 #
 # HOST(S) - The name of an interface defined in the
 # /etc/shorewall/interfaces file followed by a colon (":") and
diff --git a/Shorewall/interfaces b/Shorewall/interfaces
index fa98df13b..b49d75f37 100644
--- a/Shorewall/interfaces
+++ b/Shorewall/interfaces
@@ -8,8 +8,9 @@
 #
 # Columns are:
 #
-# ZONE Zone for this interface. Must match the short name
-# of a zone defined in /etc/shorewall/zones.
+# ZONE Zone for this interface. Must match the name of a
+# zone defined in /etc/shorewall/zones. You may not
+# list the firewall zone in this column.
 #
 # If the interface serves multiple zones that will be
 # defined in the /etc/shorewall/hosts file, you should
diff --git a/Shorewall/proxyarp b/Shorewall/proxyarp
index 3c6f66814..ece7a486a 100644
--- a/Shorewall/proxyarp
+++ b/Shorewall/proxyarp
@@ -9,9 +9,7 @@
 #
 # ADDRESS IP Address
 #
-# INTERFACE Local interface where system is connected. If the
-# local interface is obvious from the subnetting,
-# you may enter "-" in this column.
+# INTERFACE Local interface where system is connected.
 #
 # EXTERNAL External Interface to be used to access this system
 #
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 9dbe07d21..00c63983f 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -27,6 +27,14 @@ New Features in 2.5.6:
 rm -rf /usr/share/shorewall-*.bkout
 rm -rf /var/lib/shorewall-*.bkout
+2) A new '-n' option has been added to the "start", "restart",
+ "restore", "stop" and "try" commands. This option instructs
+ Shorewall to not alter the routing in any way.
+
+ This option is useful when you have a multi-ISP environment because
+ it prevents the route cache from being flushed which preserves the
+ mapping of end-point address pairs to routes.
+
 Problems Corrected in 2.5.5:
 1) The install script now installs the correct Makefile. Previously,
diff --git a/Shorewall/shorewall b/Shorewall/shorewall
index e23a29af8..df3a3ca65 100755
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -592,6 +592,7 @@ IPT_OPTIONS="-nv"
 FAST=
 VERBOSE=
 NOROUTES=
+noroutes=
 done=0
@@ -1067,15 +1068,16 @@ case "$1" in
 [ -n "$SHOREWALL_DIR" ] && startup_error "ERROR: -c option may not be used with \"try\""
 [ $# -lt 2 -o $# -gt 3 ] && usage 1
 [ -n "$QUIET" ] && QUIET=-q
+ [ -n "$NOROUTES" ] && NOROUTES=-n
 if ! $0 $debugging $QUIET -c $2 restart; then
 if ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
- $0 $QUIET start
+ $0 $QUIET $NOROUTES start
 fi
 elif ! $IPTABLES -L shorewall > /dev/null 2> /dev/null; then
- $0 $QUIET start
+ $0 $QUIET $NOROUTES start
 elif [ $# -eq 3 ]; then
 sleep $3
- $0 $QUIET restart
+ $0 $QUIET $NOROUTES restart
 fi
 ;;
 logwatch)
@@ -1285,6 +1287,7 @@ case "$1" in
 # the command is safe-start but the firewall is already running
 $0 nolock $debugging start
 ret=$?
+ mutex_off
 exit 0
 fi
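Review bot: The new release-note entry covers only the `-n` option, while the same commit also drops the `"-"` (infer-from-subnet) form of the INTERFACE column in `proxyarp` and adds the rule that the firewall zone may not appear in the ZONE column of `hosts` and `interfaces`; none of that is listed here. If those are behaviour changes rather than corrections to the comments, an upgrading user would want an entry such as `3) The INTERFACE column of /etc/shorewall/proxyarp no longer accepts "-"; the interface must be named explicitly.` and a similar one for the firewall-zone restriction. Whether the underlying code enforces these is not visible in this diff, so the wording would need checking against the compiler.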
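Review bot: `noroutes=` is declared directly beneath `NOROUTES=`, so the script now has two variables that differ only in case; nothing in this diff reads the lowercase one, and the `try` hunk below uses `NOROUTES`. If both are needed, a comment at the declaration distinguishing them would save the next reader a search, e.g. `noroutes= # <purpose — fill in>; NOROUTES is the -n flag propagated to sub-commands`; if the lowercase one is unused, it should be dropped.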
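Review bot: `$NOROUTES` is normalised to `-n` on the new line but is not passed to the first recursive call, `$0 $debugging $QUIET -c $2 restart`, so the trial restart with the candidate configuration still alters routing and only the fallback `start`/`restart` calls honour the option. The help and release-note text in this commit say `-n` is passed down to the underlying commands, and the release notes motivate it by keeping the route cache intact in multi-ISP setups, which a trial restart that flushes it defeats; unless the omission is deliberate, the line should read `if ! $0 $debugging $QUIET $NOROUTES -c $2 restart; then`. The `try` case arm is shown in full within the hunk.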
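Review bot: `mutex_off` is now released before `exit 0`, but `ret=$?` on the line above is captured and never used, so this branch exits 0 even when the recursive `start` failed. If the status is meant to propagate, `exit $ret` after the new `mutex_off` would do it; if exiting 0 is intentional for safe-start, the `ret=$?` assignment should go, or a comment should say why the status is ignored. The enclosing `if` begins before the hunk.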