From 3222a380c38d480b11514b0df78b5f16748c5ebf Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Tue, 10 Mar 2020 12:23:00 -0700
Subject: [PATCH] Update the Starting and Stopping document

Signed-off-by: Tom Eastep <teastep@shorewall.net>
---
 docs/starting_and_stopping_shorewall.xml | 46 +++++++++++++++++++++---
 1 file changed, 42 insertions(+), 4 deletions(-)

diff --git a/docs/starting_and_stopping_shorewall.xml b/docs/starting_and_stopping_shorewall.xml
index 05aeaa426..09d475f17 100644
--- a/docs/starting_and_stopping_shorewall.xml
+++ b/docs/starting_and_stopping_shorewall.xml
@@ -26,6 +26,8 @@
 
       <year>2007</year>
 
+      <year>2020</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -201,6 +203,40 @@
       </blockquote></para>
   </section>
 
+  <section>
+    <title>systemd</title>
+
+    <para>As with SysV init described in the preceeding section, the behavior
+    of systemctl commands differ from the Shorewall CLI commands on
+    Debian-based systems. To make systemctl stop shorewall[-lite] and
+    systemctl restart shorewall[-lite] behave like shorewall stop and
+    shorewall restart, use this workaround provided by J Cliff
+    Armstrong:</para>
+
+    <para> Type (as root):</para>
+
+    <programlisting>    <command>systemctl edit shorewall.service</command></programlisting>
+
+    <para>This will open the default terminal editor to a blank file in which
+    you can paste the following:</para>
+
+    <programlisting>[Service]
+# reset ExecStop ExecStop=
+# set ExecStop to "stop" instead of "clear"
+ExecStop=/sbin/shorewall $OPTIONS stop</programlisting>
+
+    <para>Then type</para>
+
+    <programlisting>    <command>systemctl daemon-reload</command></programlisting>
+
+    <para>to activate the changes. This change will survive future updates of
+    the shorewall package from apt repositories. The override file itself will
+    be saved to `/etc/systemd/system/shorewall.service.d/`.</para>
+
+    <para>The same workaround may be applied to the other Shorewall products
+    (excluding Shorewall Init).</para>
+  </section>
+
   <section id="Trace">
     <title>Tracing Command Execution and other Debugging Aids</title>
 
@@ -211,7 +247,8 @@
 
     <para>Example:</para>
 
-    <programlisting>shorewall trace check -r</programlisting>
+    <programlisting><command>shorewall trace check -r</command>   # Shorewall versions prior to 5.2.4
+<command>shorewall check -D  </command>       # Shorewall versions 5.2.4 and later</programlisting>
 
     <para>This produces a large amount of diagnostic output to standard out
     during the compilation step. If the command invokes the compiled firewall
@@ -224,10 +261,11 @@
 
     <para>Example:</para>
 
-    <programlisting>shorewall debug restart</programlisting>
+    <programlisting><command>shorewall debug restart</command>    # Shorewall versions prior to 5.2.4
+<command>shorewall -D restart</command>       # Shorewall versions 5.2.4 and later</programlisting>
 
-    <para><emphasis role="bold">debug</emphasis> causes altered behavior of
-    scripts generated by the Shorewall compiler. These scripts normally use
+    <para><emphasis role="bold">debug</emphasis> (-D) causes altered behavior
+    of scripts generated by the Shorewall compiler. These scripts normally use
     ip[6]tables-restore to install the Netfilter ruleset, but with debug, the
     commands normally passed to iptables-restore in its input file are passed
     individually to ip[6]tables. This is a diagnostic aid which allows