Update the Starting and Stopping document

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-11-07 16:24:01 +01:00 · 2020-03-10 12:23:00 -07:00 · 2020-03-10 12:23:00 -07:00 · 3222a380c3
commit 3222a380c3
parent e82307f61e
1 changed files with 42 additions and 4 deletions
--- a/docs/starting_and_stopping_shorewall.xml
+++ b/docs/starting_and_stopping_shorewall.xml
@ -26,6 +26,8 @@

      <year>2007</year>

+      <year>2020</year>
+
      <holder>Thomas M. Eastep</holder>
    </copyright>

@ -201,6 +203,40 @@
      </blockquote></para>
  </section>

+  <section>
+    <title>systemd</title>
+
+    <para>As with SysV init described in the preceeding section, the behavior
+    of systemctl commands differ from the Shorewall CLI commands on
+    Debian-based systems. To make systemctl stop shorewall[-lite] and
+    systemctl restart shorewall[-lite] behave like shorewall stop and
+    shorewall restart, use this workaround provided by J Cliff
+    Armstrong:</para>
+
+    <para> Type (as root):</para>
+
+    <programlisting>    <command>systemctl edit shorewall.service</command></programlisting>
+
+    <para>This will open the default terminal editor to a blank file in which
+    you can paste the following:</para>
+
+    <programlisting>[Service]
+# reset ExecStop ExecStop=
+# set ExecStop to "stop" instead of "clear"
+ExecStop=/sbin/shorewall $OPTIONS stop</programlisting>
+
+    <para>Then type</para>
+
+    <programlisting>    <command>systemctl daemon-reload</command></programlisting>
+
+    <para>to activate the changes. This change will survive future updates of
+    the shorewall package from apt repositories. The override file itself will
+    be saved to `/etc/systemd/system/shorewall.service.d/`.</para>
+
+    <para>The same workaround may be applied to the other Shorewall products
+    (excluding Shorewall Init).</para>
+  </section>
+
  <section id="Trace">
    <title>Tracing Command Execution and other Debugging Aids</title>

@ -211,7 +247,8 @@

    <para>Example:</para>

-    <programlisting>shorewall trace check -r</programlisting>
+    <programlisting><command>shorewall trace check -r</command>   # Shorewall versions prior to 5.2.4
+<command>shorewall check -D  </command>       # Shorewall versions 5.2.4 and later</programlisting>

    <para>This produces a large amount of diagnostic output to standard out
    during the compilation step. If the command invokes the compiled firewall
@ -224,10 +261,11 @@

    <para>Example:</para>

-    <programlisting>shorewall debug restart</programlisting>
+    <programlisting><command>shorewall debug restart</command>    # Shorewall versions prior to 5.2.4
+<command>shorewall -D restart</command>       # Shorewall versions 5.2.4 and later</programlisting>

-    <para><emphasis role="bold">debug</emphasis> causes altered behavior of
-    scripts generated by the Shorewall compiler. These scripts normally use
+    <para><emphasis role="bold">debug</emphasis> (-D) causes altered behavior
+    of scripts generated by the Shorewall compiler. These scripts normally use
    ip[6]tables-restore to install the Netfilter ruleset, but with debug, the
    commands normally passed to iptables-restore in its input file are passed
    individually to ip[6]tables. This is a diagnostic aid which allows