Update the Shorewall-perl document regarding SAVE_IPSETS.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2010-01-04 14:45:27 -08:00
parent 1175fa23b8
commit 0c92e05509


@ -361,12 +361,16 @@ insert_rule $filter_table-&gt;{OUTPUT}, 1, "-p udp --sport 1701 -j ACCEPT";
used in a Shorewall configuration file, the name must be preceded by used in a Shorewall configuration file, the name must be preceded by
a plus sign (+) as with the shell-based compiler.</para> a plus sign (+) as with the shell-based compiler.</para>
<para>Shorewall is now out of the ipset load/reload business with <para>From Shorewall-perl 4.0.0 - Shorewall 4.4.5, Shorewall was out
the exception of ipsets used for dynamic zones. With scripts of the ipset load/reload business with the exception of ipsets used
generated by the Perl-based Compiler, the Netfilter rule set is for dynamic zones:</para>
never cleared. That means that there is no opportunity for Shorewall
to load/reload your ipsets since that cannot be done while there are <blockquote>
any current rules using ipsets.</para> <para>With scripts generated by the Perl-based Compiler, the
Netfilter rule set is never cleared. That means that there is no
opportunity for Shorewall to load/reload your ipsets since that
cannot be done while there are any current rules using
ipsets.</para>
<para>So:</para> <para>So:</para>
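Review bot: the new lead-in on the `<para>From Shorewall-perl 4.0.0 - Shorewall 4.4.5` line writes the version range with a bare hyphen, which reads as though 4.4.5 belonged to a different product; "from Shorewall-perl 4.0.0 through Shorewall 4.4.5" would make the range unambiguous. The `<blockquote>` opened here encloses the whole historical passage, including the `<orderedlist>` and the closing paragraph in the later hunk, which is valid DocBook; just confirm the rendered page nests the list inside the quote rather than breaking it out, since the opening and closing tags are two hunks apart.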
@ -374,8 +378,8 @@ insert_rule $filter_table-&gt;{OUTPUT}, 1, "-p udp --sport 1701 -j ACCEPT";
<listitem> <listitem>
<para>Your ipsets must be loaded before Shorewall starts. You <para>Your ipsets must be loaded before Shorewall starts. You
are free to try to do that with the following code in are free to try to do that with the following code in
<filename>/etc/shorewall/init (it works for me; your mileage may <filename>/etc/shorewall/init (it works for me; your mileage
vary)</filename>:</para> may vary)</filename>:</para>
<programlisting>if [ "$COMMAND" = start ]; then <programlisting>if [ "$COMMAND" = start ]; then
ipset -U :all: :all: ipset -U :all: :all:
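Review bot: the parenthetical "(it works for me; your mileage may vary)" sits inside the `<filename>` element on the `<filename>/etc/shorewall/init (it works for me; ...` line, so it renders as part of the file name. This hunk only re-wraps that line, but it is the natural moment to close `</filename>` directly after `/etc/shorewall/init` and leave the aside as plain paragraph text.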
@ -395,27 +399,33 @@ fi</programlisting>
mv /etc/shorewall/ipsets.tmp /etc/shorewall/ipsets mv /etc/shorewall/ipsets.tmp /etc/shorewall/ipsets
fi</programlisting> fi</programlisting>
<para>The above extension scripts will work most of the time but <para>The above extension scripts will work most of the time
will fail in a <command>shorewall stop</command> - but will fail in a <command>shorewall stop</command> -
<command>shorewall start</command> sequence if you use ipsets in <command>shorewall start</command> sequence if you use ipsets
your routestopped file (see below).</para> in your routestopped file (see below).</para>
</listitem> </listitem>
<listitem> <listitem>
<para>Your ipsets may not be reloaded until Shorewall is stopped <para>Your ipsets may not be reloaded until Shorewall is
or cleared.</para> stopped or cleared.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>If you specify ipsets in your routestopped file then <para>If you specify ipsets in your routestopped file then
Shorewall must be cleared in order to reload your ipsets.</para> Shorewall must be cleared in order to reload your
ipsets.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
<para>As a consequence, scripts generated by the Perl-based compiler <para>As a consequence, scripts generated by the Perl-based
will ignore <filename>/etc/shorewall/ipsets</filename> and will compiler will ignore <filename>/etc/shorewall/ipsets</filename>
issue a warning if you set SAVE_IPSETS=Yes in and will issue a warning if you set SAVE_IPSETS=Yes in
<filename>shorewall.conf</filename>.</para> <filename>shorewall.conf</filename>.</para>
</blockquote>
<para>Beginning with Shorewall 4.4.6 (and 4.5.3), SAVE_IPSETS=Yes is
once again supported. See <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem> </listitem>
<listitem> <listitem>
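Review bot: the added paragraph "Beginning with Shorewall 4.4.6 (and 4.5.3), SAVE_IPSETS=Yes is once again supported" is ambiguous about versions: 4.5.3 is later than 4.4.6 and is already covered by "beginning with 4.4.6", so if the parenthetical refers to a separate release branch, say which branch. The paragraph also only points to shorewall.conf(5); since the historical blockquote directly above still states that `/etc/shorewall/ipsets` is ignored and a warning is issued, one sentence on what SAVE_IPSETS=Yes now does at stop and start would keep readers from taking the old behaviour as current.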