Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code

2025-02-16 09:50:33 +01:00 · 2020-04-18 09:36:20 -07:00 · 2020-04-18 09:36:20 -07:00 · 5101a6be4a
commit 5101a6be4a
parent 15ca726c49 3c36d638a5
2 changed files with 68 additions and 20 deletions
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@ -24,6 +24,20 @@
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 ###############################################################################
+#
+# Check to see if any of the products are running. If so, issue a warning
+# and exits with value 1
+firewall_stopped() {
+    for PRODUCT in $PRODUCTS; do
+	if $PRODUCT status > /dev/null 2>&1; then
+	    echo "   WARNING: $PRODUCT is running -- ignoring $1 command" >&2
+	    return 1
+	fi
+    done
+
+    return 0
+}
+
 # set the STATEDIR variable
 setstatedir() {
    local statedir
@ -42,23 +56,6 @@ setstatedir() {
    fi
 }

-#
-# This is modified by the installer when ${SHAREDIR} <> /usr/share
-#
-. /usr/share/shorewall/shorewallrc
-
-# check if shorewall-init is configured or not
-if [ -f "$SYSCONFDIR/shorewall-init" ]; then
-    . $SYSCONFDIR/shorewall-init
-    if [ -z "$PRODUCTS" ]; then
-	echo "ERROR: No products configured" >&2
-	exit 1
-    fi
-else
-    echo "ERROR: ${SYSCONFDIR}/shorewall-init not found" >&2
-    exit 1
-fi
-
 # Initialize the firewall
 shorewall_start () {
    local PRODUCT
@ -116,12 +113,29 @@ shorewall_stop () {
    return 0
 }

+#
+# This is modified by the installer when ${SHAREDIR} <> /usr/share
+#
+. /usr/share/shorewall/shorewallrc
+
+# check if shorewall-init is configured or not
+if [ -f "$SYSCONFDIR/shorewall-init" ]; then
+    . $SYSCONFDIR/shorewall-init
+    if [ -z "$PRODUCTS" ]; then
+	echo "ERROR: No products configured" >&2
+	exit 6
+    fi
+else
+    echo "ERROR: ${SYSCONFDIR}/shorewall-init not found" >&2
+    exit 1
+fi
+
 case "$1" in
    start)
-	shorewall_start
+	firewall_stopped 'start' && shorewall_start
 	;;
    stop)
-	shorewall_stop
+	firewall_stopped 'stop' && shorewall_stop
 	;;
    *)
 	echo "Usage: $0 {start|stop}"
--- a/docs/ipsets.xml
+++ b/docs/ipsets.xml
@ -192,11 +192,19 @@ ACCEPT       net:+sshok       $FW      tcp      22</programlisting></para>
    ipv4 ipsets are saved. Both features require ipset version 5 or
    later.</para>

+    <caution>
+      <para>After setting SAVE_IPSETS, it is important to recompile the
+      firewall script (e.g., 'shorewall compile', 'shorewall reload' or
+      'shorewall restart') before rebooting</para>
+    </caution>
+
    <para>Although Shorewall can save the definition of your ipsets and
    restore them when Shorewall starts, in most cases you must use the ipset
    utility to initially create and load your ipsets. The exception is that
    Shorewall will automatically create an empty iphash ipset to back each
-    dynamic zone.</para>
+    dynamic zone. It will also create the ipset required by the
+    DYNAMIC_BLACKLIST=ipset:.. setting in <ulink
+    url="manpages/shorewall.conf.html">shorewall[6].conf(5)</ulink>,</para>
  </section>

  <section>
@ -220,6 +228,32 @@ ACCEPT       net:+sshok       $FW      tcp      22</programlisting></para>
    the ipsets will be save to and restored from. Shorewall-init will create
    any necessary directories during the first 'save' operation.</para>

+    <caution>
+      <para>If you set SAVE_IPSETS in /etc/sysconfig/shorewall-init
+      (/etc/default/shorewall-init on Debian and derivatives) when
+      shorewall-init has not been started by systemd, then when the system is
+      going down during reboot, the ipset contents will not be saved. You can
+      work around that as follows:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para>Suppose that you have set
+          SAVE_IPSETS=/var/lib/shorewall/init-save-ipsets.</para>
+        </listitem>
+
+        <listitem>
+          <para>Before rebooting, execute this command:</para>
+
+          <programlisting>ipset save &gt; /var/lib/shorewall/init-save-ipsets</programlisting>
+        </listitem>
+
+        <listitem>
+          <para>Be sure to enable shoewall-init (e.g., <emphasis
+          role="bold">systemctl enable shorewall-init</emphasis>).</para>
+        </listitem>
+      </itemizedlist>
+    </caution>
+
    <para>If you configure Shorewall-init to save/restore ipsets, be sure to
    set SAVE_IPSETS=No in shorewall.conf and shorewall6.conf.</para>