New 'reload' and 'restart' semantics

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2015-07-26 09:59:49 -07:00
parent 8e31255c9b
commit f9ec0c6930
24 changed files with 844 additions and 359 deletions

View File

@ -3787,7 +3787,7 @@ start_command() {
}
#
# Restart Command Executor
# Reload/Restart Command Executor
#
restart_command() {
local finished
@ -3846,11 +3846,11 @@ restart_command() {
[ -n "$g_nolock" ] || mutex_on
if [ -x ${VARDIR}/firewall ]; then
run_it ${VARDIR}/firewall $g_debugging restart
run_it ${VARDIR}/firewall $g_debugging $COMMAND
rc=$?
else
error_message "${VARDIR}/firewall is missing or is not executable"
logger -p kern.err "ERROR:$g_product restart failed"
logger -p kern.err "ERROR:$g_product $COMMAND failed"
rc=6
fi
@ -4205,7 +4205,7 @@ shorewall_cli() {
run_it $g_firewall $g_debugging reset $@
[ -n "$g_nolock" ] || mutex_off
;;
restart)
reload|restart)
get_config Yes Yes
shift
restart_command $@

View File

@ -329,6 +329,21 @@
<arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>reload</option></arg>
<arg><option>-n</option></arg>
<arg><option>-p</option><arg><option>-C</option></arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
@ -708,6 +723,7 @@
<para>If <option>-f</option> is given, the command will be processed
by the compiled script that executed the last successful <emphasis
role="bold">start</emphasis>, <emphasis
role="bold">reload</emphasis>, <emphasis
role="bold">restart</emphasis> or <emphasis
role="bold">refresh</emphasis> command if that script exists.</para>
</listitem>
@ -1026,6 +1042,32 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">reload </emphasis>[-n] [-p]
[-<option>C</option>]</term>
<listitem>
<para>Added in Shorewall 5.0.0, <emphasis
role="bold">reload</emphasis> is similar to <emphasis
role="bold">shorewall-lite start</emphasis> except that it assumes
that the firewall is already started. Existing connections are
maintained.</para>
<para>The <option>-n</option> option causes Shorewall-lite to avoid
updating the routing table(s).</para>
<para>The <option>-p</option> option causes the connection tracking
table to be flushed; the <command>conntrack</command> utility must
be installed to use this option.</para>
<para>The <option>-C</option> option was added in Shorewall 4.6.5.
If the specified (or implicit) firewall script is the one that
generated the current running configuration, then the running
netfilter configuration will be reloaded as is so as to preserve the
iptables packet and byte counters.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
...]</emphasis><acronym/></term>
@ -1043,9 +1085,10 @@
[-<option>C</option>]</term>
<listitem>
<para>Restart is similar to <emphasis role="bold">shorewall-lite
start</emphasis> except that it assumes that the firewall is already
started. Existing connections are maintained.</para>
<para>Beginning with Shorewall 5.0.0, this command performs a true
restart. The firewall is completely stopped as if a
<command>stop</command> command had been issued then it is started
again.</para>
<para>The <option>-n</option> option causes Shorewall-lite to avoid
updating the routing table(s).</para>
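Review bot: the first paragraph of the restart entry still says the command "assumes that the firewall is already started. Existing connections are maintained", which the new paragraph contradicts (a full stop, then a start). Rewrite the first paragraph for the 5.0.0 behaviour and spell out the consequence: between the stop and the start the host runs its stopped-state rules, and traffic they do not permit is dropped for the duration. The term also still advertises `-C`, but in the compiler the counter-reuse path now tests `"$COMMAND" = reload -a -n "$g_counters"`, so `-C` on restart is a no-op; either drop it from the synopsis or document that it is ignored.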

View File

@ -8,11 +8,11 @@ all: $(VARDIR)/$(RESTOREFILE)
$(VARDIR)/$(RESTOREFILE): $(CONFDIR)/*
@/sbin/shorewall -q save >/dev/null; \
if \
/sbin/shorewall -q restart >/dev/null 2>&1; \
/sbin/shorewall -q reload >/dev/null 2>&1; \
then \
/sbin/shorewall -q save >/dev/null; \
else \
/sbin/shorewall -q restart 2>&1 | tail >&2; exit 1; \
/sbin/shorewall -q restore 2>&1 | tail >&2; exit 1; \
fi
clean:
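Review bot: on the failure branch the text shown to the user is now the output of `shorewall -q restore`, not of the reload that failed (its stderr went to /dev/null on the line above), so the compiler or runtime error that caused the failure is never displayed. Capture the reload's stderr, e.g. `/sbin/shorewall -q reload >/dev/null 2>$(VARDIR)/reload.err`, show it with `tail >&2`, then run the restore, and use restore's exit status instead of an unconditional `exit 1` so a failed rollback is distinguishable from a successful one.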

View File

@ -7070,9 +7070,9 @@ sub verify_source_interface( $$$$ ) {
fatal_error "A wildcard interface ( $iiface) is not allowed in this context" if $iiface =~ /\+$/;
if ( $table eq 'nat' ) {
warning_message qq(Using an interface as the masq SOURCE requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount++;
warning_message qq(Using an interface as the masq SOURCE requires the interface to be up and configured when $Product starts/restarts/reloads) unless $idiotcount++;
} else {
warning_message qq(Using an interface as the SOURCE in a T: rule requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount1++;
warning_message qq(Using an interface as the SOURCE in a T: rule requires the interface to be up and configured when $Product starts/restarts/reloads) unless $idiotcount1++;
}
push_command $chainref, join( '', 'for source in ', get_interface_nets( $iiface) , '; do' ), 'done';
@ -7962,7 +7962,7 @@ sub save_dynamic_chains() {
my $tool = $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}';
my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = refresh ]; then' );
emit ( 'if [ "$COMMAND" = reload -o "$COMMAND" = refresh ]; then' );
push_indent;
emit( 'if [ -n "$g_counters" ]; then' ,
@ -8251,7 +8251,7 @@ sub load_ipsets() {
}
if ( @ipsets ) {
emit ( 'elif [ "$COMMAND" = restart ]; then' );
emit ( 'elif [ "$COMMAND" = reload ]; then' );
ensure_ipset( $_ ) for @ipsets;
}
@ -8318,7 +8318,7 @@ sub create_netfilter_load( $ ) {
my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';
emit( '',
'if [ "$COMMAND" = restart -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
'if [ "$COMMAND" = reload -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
' option="--counters"',
'',
' progress_message "Reusing existing ruleset..."',
@ -8371,7 +8371,7 @@ sub create_netfilter_load( $ ) {
}
}
#
# SHA1SUM chains for handling 'restart -s'
# SHA1SUM chains for handling 'reload -s'
#
if ( $table eq 'filter' ) {
emit_unindented ':$g_sha1sum1 - [0:0]';
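Review bot: the comment now reads 'reload -s', but `-s` is not among the reload options this commit documents (`-n -p -d -f -c -T -i -C`); the option that drives the `$g_counters` test these SHA1SUM chains serve is `-C`. Change the comment to 'reload -C' so it matches the manpage.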

View File

@ -217,7 +217,7 @@ sub generate_script_2() {
my @dont_load = split_list $config{DONT_LOAD}, 'module';
emit ( '[ -n "${COMMAND:=restart}" ]',
emit ( '[ -n "${COMMAND:=reload}" ]',
'[ -n "${VERBOSITY:=0}" ]',
qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]) );
@ -361,7 +361,7 @@ sub generate_script_3($) {
create_chainlist_reload( $_[0] );
create_save_ipsets;
emit "#\n# Start/Restart the Firewall\n#";
emit "#\n# Start/Reload the Firewall\n#";
emit( 'define_firewall() {',
' local options' );
@ -567,8 +567,8 @@ case $COMMAND in
start)
logger -p kern.info "$g_product started"
;;
restart)
logger -p kern.info "$g_product restarted"
reloaded)
logger -p kern.info "$g_product reloaded"
;;
refresh)
logger -p kern.info "$g_product refreshed"
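Review bot: the case label `reloaded)` will never match. The command word is `reload` everywhere else in this commit (compile_updown sets `COMMAND=reload`, the CLI passes `$COMMAND` through unchanged, and the error-path case in the sibling hunk uses `reload)`), so the "reloaded" kern.info message is never logged. Change the label to `reload)`.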

View File

@ -2471,8 +2471,8 @@ EOF
start)
logger -p kern.err "ERROR:$g_product start failed"
;;
restart)
logger -p kern.err "ERROR:$g_product restart failed"
reload)
logger -p kern.err "ERROR:$g_product reload failed"
;;
refresh)
logger -p kern.err "ERROR:$g_product refresh failed"

View File

@ -1797,7 +1797,7 @@ sub compile_updown() {
if ( $wildcard ) {
emit( ' if [ "$state" = started ]; then',
' COMMAND=restart',
' COMMAND=reload',
' else',
' COMMAND=start',
' fi' );
@ -1816,8 +1816,8 @@ sub compile_updown() {
if ( $wildcard ) {
emit( ' if [ "$state" = started ]; then',
' progress_message3 "$g_product attempting restart"',
' COMMAND=restart',
' progress_message3 "$g_product attempting reload"',
' COMMAND=reload',
' detect_configuration',
' define_firewall',
' fi' );
@ -1859,8 +1859,8 @@ sub compile_updown() {
emit( '',
' if [ "$state" = started ]; then',
' COMMAND=restart',
' progress_message3 "$g_product attempting restart"',
' COMMAND=reload',
' progress_message3 "$g_product attempting reload"',
' detect_configuration',
' define_firewall',
' elif [ "$state" = stopped ]; then',
@ -1884,8 +1884,8 @@ sub compile_updown() {
emit( "$interfaces)",
' case $state in',
' started)',
' COMMAND=restart',
' progress_message3 "$g_product attempting restart"',
' COMMAND=reload',
' progress_message3 "$g_product attempting reload"',
' detect_configuration',
' define_firewall',
' ;;',
@ -2054,7 +2054,7 @@ sub handle_optional_interfaces( $ ) {
emit( '',
'if [ -z "$HAVE_INTERFACE" ]; then' ,
' case "$COMMAND" in',
' start|restart|restore|refresh)'
' start|reload|restore|refresh)'
);
if ( $family == F_IPV4 ) {

View File

@ -1884,7 +1884,7 @@ sub verify_required_interfaces( $ ) {
push_indent;
emit( 'start|restart|restore)' );
emit( 'start|reload|restore)' );
push_indent;
@ -1946,7 +1946,7 @@ sub verify_required_interfaces( $ ) {
if ( $generate_case ) {
emit( 'case "$COMMAND" in' );
push_indent;
emit( 'start|restart|restore|refresh)' );
emit( 'start|reload|restore|refresh)' );
push_indent;
}

View File

@ -21,7 +21,7 @@
# -v and -q Standard Shorewall Verbosity control
# -t Timestamp progress messages
# -p Purge conntrack table
# -r Recover from failed start/restart
# -r Recover from failed start/reload
# -V <verbosity> Set verbosity level explicitly
# -R <restore> Overrides RESTOREFILE setting
#

View File

@ -17,6 +17,7 @@ usage() {
echo " reset"
echo " reenable <interface>"
echo " refresh"
echo " reload"
echo " restart"
echo " run <command> [ <parameter> ... ]"
echo " status"
@ -37,27 +38,30 @@ usage() {
exit $1
}
checkkernelversion() {
?if __IPV6
local kernel
kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
case "$kernel" in
*.*.*)
kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
;;
*)
kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
;;
esac
if [ $kernel -lt 20624 ]; then
error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
return 1
start_command() {
if product_is_started; then
error_message "$g_product is already Running"
status=0
else
progress_message3 "Starting $g_product...."
detect_configuration
define_firewall
status=$?
if [ $status -eq 0 ]; then
[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
progress_message3 "done."
fi
fi
?endif
return $status
}
stop_command() {
progress_message3 "Stopping $g_product...."
detect_configuration
stop_firewall
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done."
return 0
}
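Review bot: `checkkernelversion` (the IPv6-only check for a 2.6.24 or later kernel) is deleted here, and the new `start_command`/`stop_command` helpers, like the rewritten case arms below, call no replacement. Unless the check has moved into the compiler, an ip6tables-based script on an older kernel will now fail part way through `define_firewall` with a less specific error instead of the clear "requires Linux kernel 2.6.24 or later" message; keep the check in `start_command` (and on the reload/restore paths), or say in the commit message where it went.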
@ -224,94 +228,71 @@ COMMAND="$1"
case "$COMMAND" in
start)
[ $# -ne 1 ] && usage 2
if product_is_started; then
error_message "$g_product is already Running"
status=0
else
progress_message3 "Starting $g_product...."
if checkkernelversion; then
detect_configuration
define_firewall
status=$?
if [ $status -eq 0 ]; then
[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
progress_message3 "done."
fi
fi
fi
start_command
;;
stop)
[ $# -ne 1 ] && usage 2
if checkkernelversion; then
progress_message3 "Stopping $g_product...."
detect_configuration
stop_firewall
status=0
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done."
fi
stop_command
;;
reset)
if ! product_is_started ; then
error_message "$g_product is not running"
status=2
elif checkkernelversion; then
if [ $# -eq 1 ]; then
$g_tool -Z
$g_tool -t mangle -Z
date > ${VARDIR}/restarted
status=0
progress_message3 "$g_product Counters Reset"
else
shift
status=0
for chain in $@; do
if chain_exists $chain; then
if qt $g_tool-Z $chain; then
progress_message3 "Filter $chain Counters Reset"
else
error_message "ERROR: Reset of chain $chain failed"
status=2
break
fi
elif [ $# -eq 1 ]; then
$g_tool -Z
$g_tool -t mangle -Z
date > ${VARDIR}/restarted
status=0
progress_message3 "$g_product Counters Reset"
else
shift
status=0
for chain in $@; do
if chain_exists $chain; then
if qt $g_tool-Z $chain; then
progress_message3 "Filter $chain Counters Reset"
else
error_message "WARNING: Filter Chain $chain does not exist"
error_message "ERROR: Reset of chain $chain failed"
status=2
break
fi
done
fi
else
error_message "WARNING: Filter Chain $chain does not exist"
fi
done
fi
;;
restart)
reload)
[ $# -ne 1 ] && usage 2
if product_is_started; then
progress_message3 "Restarting $g_product...."
progress_message3 "Reloading $g_product...."
else
error_message "$g_product is not running"
progress_message3 "Starting $g_product...."
COMMAND=start
fi
if checkkernelversion; then
detect_configuration
define_firewall
status=$?
if [ -n "$SUBSYSLOCK" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi
detect_configuration
define_firewall
status=$?
if [ -n "$SUBSYSLOCK" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi
[ $status -eq 0 ] && progress_message3 "done."
fi
[ $status -eq 0 ] && progress_message3 "done."
;;
restart)
[ $# -ne 1 ] && usage 2
COMMAND=stop stop_command && COMMAND=start start_command
;;
refresh)
[ $# -ne 1 ] && usage 2
if product_is_started; then
progress_message3 "Refreshing $g_product...."
if checkkernelversion; then
detect_configuration
define_firewall
status=$?
[ $status -eq 0 ] && progress_message3 "done."
fi
detect_configuration
define_firewall
status=$?
[ $status -eq 0 ] && progress_message3 "done."
else
echo "$g_product is not running" >&2
status=2
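Review bot: `COMMAND=stop stop_command && COMMAND=start start_command` relies on variable assignments that precede a function call, whose effect POSIX leaves unspecified: bash (outside POSIX mode) scopes them to the call, so `$COMMAND` is back to `restart` afterwards, while dash leaves them set, so it stays `start`. Code later in the generated script that keys on `$COMMAND` (the kern.info logger `case`, the error-path `case`) will therefore behave differently depending on /bin/sh. Assign explicitly instead, e.g. `COMMAND=stop; stop_command && { COMMAND=start; start_command; }`. Note also that this arm does not set `status` itself; it depends on the global assigned inside `start_command`, and `stop_command` always returns 0, so a stop problem can never short-circuit the start.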
@ -319,27 +300,23 @@ case "$COMMAND" in
;;
restore)
[ $# -ne 1 ] && usage 2
if checkkernelversion; then
detect_configuration
define_firewall
status=$?
if [ -n "$SUBSYSLOCK" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi
[ $status -eq 0 ] && progress_message3 "done."
fi
detect_configuration
define_firewall
status=$?
if [ -n "$SUBSYSLOCK" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi
[ $status -eq 0 ] && progress_message3 "done."
;;
clear)
[ $# -ne 1 ] && usage 2
progress_message3 "Clearing $g_product...."
if checkkernelversion; then
clear_firewall
status=0
if [ -n "$SUBSYSLOCK" ]; then
rm -f $SUBSYSLOCK
fi
progress_message3 "done."
clear_firewall
status=0
if [ -n "$SUBSYSLOCK" ]; then
rm -f $SUBSYSLOCK
fi
progress_message3 "done."
;;
status)
[ $# -ne 1 ] && usage 2

View File

@ -4,7 +4,7 @@
# /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.
# a "shorewall start", "shorewall-reload" or "shorewall restart" command.
#
# For additional information, see
# http://shorewall.net/shorewall_extension_scripts.htm
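Review bot: `"shorewall-reload"` should be `"shorewall reload"`, matching the other two command names on the line and the `reload` subcommand this commit adds.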

View File

@ -4,8 +4,9 @@
# /etc/shorewall/initdone
#
# Add commands below that you want to be executed during
# "shorewall start" or "shorewall restart" commands at the point where
# Shorewall has not yet added any permanent rules to the builtin chains.
# "shorewall start", "shorewall reload" or "shorewall restart" commands
# at the point where Shorewall has not yet added any permanent rules to
# the builtin chains.
#
# For additional information, see
# http://shorewall.net/shorewall_extension_scripts.htm

View File

@ -4,7 +4,7 @@
# /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.
# been started, reloaded or restarted.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.

View File

@ -4,11 +4,10 @@
# /etc/shorewall/started
#
# Add commands below that you want to be executed after shorewall has
# been completely started or restarted. The difference between this
# extension script and /etc/shorewall/start is that this one is invoked
# after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and
# after the 'shorewall' chain has been created (thus signaling that the
# firewall is completely up).
# been completely started, reloaded or restarted. The difference between
# this extension script and /etc/shorewall/start is that this one is
# invoked after the 'shorewall' chain has been created (thus
# signaling that the firewall is completely up).
#
# This script should not change the firewall configuration directly but
# may do so indirectly by running /sbin/shorewall with the 'nolock'

View File

@ -25,6 +25,11 @@ OPTIONS=""
#
STARTOPTIONS=""
#
# Restart options
#
RELOADOPTIONS=""
#
# Restart options
#
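Review bot: the comment block added above `RELOADOPTIONS=""` reads "# Restart options", duplicating the one that follows for RESTARTOPTIONS; it should read "# Reload options".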

View File

@ -106,6 +106,13 @@ shorewall_stop () {
return 0
}
# reload the firewall
shorewall_reload () {
echo -n "Reloading \"Shorewall firewall\": "
$SRWL $SRWL_OPTS restart $RELOADOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
return 0
}
# restart the firewall
shorewall_restart () {
echo -n "Restarting \"Shorewall firewall\": "
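Review bot: `shorewall_reload` invokes `$SRWL $SRWL_OPTS restart $RELOADOPTIONS`, so `/etc/init.d/shorewall reload` (and `force-reload`, mapped to it below) performs the new full stop-then-start and passes through the stopped state, the opposite of the connection-preserving behaviour this commit documents for reload. Change `restart` to `reload`; the Fedora script later in this commit already does.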
@ -135,14 +142,17 @@ case "$1" in
refresh)
shorewall_refresh
;;
force-reload|restart)
restart)
shorewall_restart
;;
force0reload|reload)
shorewall_reload
;;
status)
shorewall_status
;;
*)
echo "Usage: /etc/init.d/shorewall {start|stop|refresh|restart|force-reload|status}"
echo "Usage: /etc/init.d/shorewall {start|stop|refresh|reload|restart|force-reload|status}"
exit 1
esac
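Review bot: `force0reload|reload)` is a typo for `force-reload|reload)`. As written, `force-reload` matches no arm (it was removed from the `restart` arm above), falls through to `*)` and exits 1, even though the usage line still lists it.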

View File

@ -65,6 +65,21 @@ stop() {
return $retval
}
reload() {
echo -n $"Reloading Shorewall: "
$shorewall $OPTIONS reload $RELOADOPTIONS 2>&1 | $logger
retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then
touch $lockfile
success
else # Failed to start, clean up lock file if present
rm -f $lockfile
failure
fi
echo
return $retval
}
restart() {
# Note that we don't simply stop and start since shorewall has a built in
# restart which stops the firewall if running and then starts it.
@ -100,7 +115,10 @@ case "$1" in
status_q || exit 0
$1
;;
restart|reload|force-reload)
reload|force-reload)
reload
;;
restart)
restart
;;
condrestart|try-restart)

View File

@ -30,7 +30,6 @@ RCDLINKS="2,S41 3,S41 6,K41"
# shorewall start Starts the firewall
# shorewall restart Restarts the firewall
# shorewall reload Reload the firewall
# (same as restart)
# shorewall stop Stops the firewall
# shorewall status Displays firewall status
#
@ -82,7 +81,10 @@ case "$command" in
start)
exec $SBINDIR/shorewall $OPTIONS start $STARTOPTIONS
;;
restart|reload)
reload)
exec $SBINDIR/shorewall $OPTIONS reload $RELOADOPTIONS
;;
restart)
exec $SBINDIR/shorewall $OPTIONS restart $RESTARTOPTIONS
;;
status|stop)

View File

@ -27,6 +27,11 @@ stop() {
exec /sbin/shorewall stop
}
reload() {
echo "Reloading IPv4 shorewall rules..."
exec /sbin/shorewall reload $RELOADOPTIONS
}
restart() {
echo "Restarting IPv4 shorewall rules..."
exec /sbin/shorewall restart $RESTARTOPTIONS
@ -43,10 +48,13 @@ case "$1" in
'stop')
stop
;;
'reload'|'restart')
'reload')
reload
;;
'restart')
restart
;;
'status')
'status')
status
;;
*)

View File

@ -31,7 +31,6 @@
# shorewall start Starts the firewall
# shorewall restart Restarts the firewall
# shorewall reload Reload the firewall
# (same as restart)
# shorewall stop Stops the firewall
# shorewall status Displays firewall status
#
@ -81,7 +80,10 @@ case "$command" in
start)
exec $SBINDIR/shorewall $OPTIONS start $STARTOPTIONS
;;
restart|reload)
reload)
exec $SBINDIR/shorewall $OPTIONS restart $RELOADOPTIONS
;;
restart)
exec $SBINDIR/shorewall $OPTIONS restart $RESTARTOPTIONS
;;
status|stop)
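Review bot: the new `reload)` arm execs `$SBINDIR/shorewall $OPTIONS restart $RELOADOPTIONS`, so `reload` still performs the new stop-then-start rather than a connection-preserving reload, while the usage comment at the top of the file no longer says the two are the same. Change `restart` to `reload` here; the otherwise identical init script earlier in this commit execs `reload $RELOADOPTIONS` in its `reload)` arm.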

View File

@ -931,7 +931,7 @@ update_command() {
}
#
# Restart Command Executor
# Reload/Restart Command Executor
#
restart_command() {
local finished
@ -1027,22 +1027,22 @@ restart_command() {
uptodate ${VARDIR}/firewall && g_fast=Yes
fi
g_file="${VARDIR}/.restart"
g_file="${VARDIR}/.${COMMAND}"
if [ -z "$g_fast" ]; then
if compiler $g_debugging $nolock compile "$g_file"; then
[ -n "$nolock" ] || mutex_on
run_it ${VARDIR}/.restart $g_debugging restart
run_it ${VARDIR}/.${COMMAND} $g_debugging ${COMMAND}
rc=$?
[ -n "$nolock" ] || mutex_off
else
rc=$?
logger -p kern.err "ERROR:$g_product restart failed"
logger -p kern.err "ERROR:$g_product ${COMMAND} failed"
fi
else
[ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found"
[ -n "$nolock" ] || mutex_on
run_it ${VARDIR}/firewall $g_debugging restart
run_it ${VARDIR}/firewall $g_debugging $COMMAND
rc=$?
[ -n "$nolock" ] || mutex_off
fi
@ -1138,7 +1138,7 @@ refresh_command() {
}
#
# Safe-start/safe-restart Command Executor
# Safe-start/safe-reload/safe-restart Command Executor
#
safe_commands() {
local finished
@ -1229,8 +1229,8 @@ safe_commands() {
# the command is safe-start or shorewall[6] is not started yet
command="start"
else
# the command is safe-restart and the firewall is already running
command="restart"
# the command is safe-reload or safe-restart and the firewall is already running
command="${COMMAND#safe-}"
fi
g_file="${VARDIR}/.$command"
@ -1245,6 +1245,12 @@ safe_commands() {
RESTOREFILE=NONE
progress_message3 "Starting..."
;;
reload)
RESTOREFILE=.safe
g_restorepath=${VARDIR}/.safe
save_config
progress_message3 "Reloading..."
;;
restart)
RESTOREFILE=.safe
g_restorepath=${VARDIR}/.safe
@ -1262,7 +1268,7 @@ safe_commands() {
if read_yesno_with_timeout $timeout ; then
echo "New configuration has been accepted"
else
if [ "$command" = "restart" ]; then
if [ "$command" = "restart" -o "$command" = "reload" ]; then
run_it ${VARDIR}/.safe restore
else
run_it ${VARDIR}/.$command clear
@ -1361,7 +1367,7 @@ try_command() {
command="start"
else
# the firewall is already running
command="restart"
command="reload"
fi
g_file="${VARDIR}/.$command"
@ -1378,11 +1384,11 @@ try_command() {
RESTOREFILE=NONE
progress_message3 "Starting..."
;;
restart)
reload)
RESTOREFILE=.try
g_restorepath=${VARDIR}/.try
save_config
progress_message3 "Restarting..."
progress_message3 "Reloading..."
;;
esac
@ -1391,7 +1397,7 @@ try_command() {
if run_it ${VARDIR}/.$command $g_debugging $command && [ -n "$timeout" ]; then
sleep $timeout
if [ "$command" = "restart" ]; then
if [ "$command" = "reload" ]; then
run_it ${VARDIR}/.try restore
else
run_it ${VARDIR}/.$command clear
@ -1417,9 +1423,9 @@ rcp_command() {
}
#
# [Re]load command executor
# Remote-{start|reload|restart} command executor
#
reload_command() # $* = original arguments less the command.
remote_reload_command() # $* = original arguments less the command.
{
local verbose
verbose=$(make_verbose)
@ -1572,12 +1578,15 @@ reload_command() # $* = original arguments less the command.
progress_message3 "Copy complete"
if [ $COMMAND = reload ]; then
rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp restart" && \
if [ $COMMAND = remote-reload ]; then
rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp reload" && \
progress_message3 "System $system reloaded" || saveit=
elif [ $COMMAND = remote-restart ]; then
rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp restart" && \
progress_message3 "System $system restarted" || saveit=
else
rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp start" && \
progress_message3 "System $system loaded" || saveit=
progress_message3 "System $system started" || saveit=
fi
if [ -n "$saveit" ]; then
@ -1694,9 +1703,9 @@ compiler_command() {
shift
update_command $@
;;
load|reload)
remote-start|remote-reload-reload|remote-restart)
shift
reload_command $@
remote_reload_command $@
;;
export)
shift
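Review bot: `remote-reload-reload` in the case pattern is a typo for `remote-reload`, so the `remote-reload` command (which `remote_reload_command` tests for by name) never matches this arm. The old spellings `load` and `reload` are also dropped from the pattern with no alias; `reload` has to go since it is now the local command, but consider keeping `load` as a deprecated alias of `remote-start` so existing scripts do not break silently.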
@ -1707,7 +1716,7 @@ compiler_command() {
shift
try_command $@
;;
safe-restart|safe-start)
safe-reload|safe-restart|safe-start)
get_config Yes
shift
safe_commands $@

View File

@ -312,30 +312,6 @@
expression</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>load</option></arg>
<arg><option>-s</option></arg>
<arg><option>-c</option></arg>
<arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
<arg><option>-T</option></arg>
<arg><option>-i</option></arg>
<arg><replaceable>directory</replaceable></arg>
<arg choice="plain"><replaceable>system</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
@ -448,7 +424,55 @@
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>reload</option></arg>
<arg choice="plain"><option>remote_start</option></arg>
<arg><option>-s</option></arg>
<arg><option>-c</option></arg>
<arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
<arg><option>-T</option></arg>
<arg><option>-i</option></arg>
<arg><replaceable>directory</replaceable></arg>
<arg choice="plain"><replaceable>system</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>remote_reload</option></arg>
<arg><option>-s</option></arg>
<arg><option>-c</option></arg>
<arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
<arg><option>-T</option></arg>
<arg><option>-i</option></arg>
<arg><replaceable>directory</replaceable></arg>
<arg choice="plain"><replaceable>system</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>remote_restart</option></arg>
<arg><option>-s</option></arg>
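Review bot: the manpage spells the new commands with underscores (`remote_start`, `remote_reload`, `remote_restart`) while the CLI dispatch and `remote_reload_command` in this same commit match the hyphenated `remote-start|...|remote-restart` and test `$COMMAND = remote-reload`. Pick one spelling (the code uses hyphens, consistent with `safe-restart`) and use it in the synopses and the varlistentry terms.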
@ -1305,65 +1329,6 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">load</emphasis> [-<option>s</option>]
[-<option>c</option>] [-<option>r</option>
<replaceable>root-user-name</replaceable>] [-<option>T</option>]
[-<option>i</option>] [ <replaceable>directory</replaceable> ]
<replaceable>system</replaceable></term>
<listitem>
<para>If <emphasis>directory</emphasis> is omitted, the current
working directory is assumed. Allows a non-root user to compile a
shorewall script and install it on a system (provided that the user
has root access to the system via ssh). The command is equivalent
to:</para>
<programlisting> <emphasis role="bold">/sbin/shorewall compile -e</emphasis> <emphasis><replaceable>directory</replaceable></emphasis> <replaceable>directory</replaceable><emphasis
role="bold">/firewall &amp;&amp;\</emphasis>
<emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><replaceable>system</replaceable><emphasis
role="bold">:/var/lib/shorewall-lite/ &amp;&amp;\</emphasis>
<emphasis role="bold">ssh root@</emphasis><replaceable>system</replaceable> <emphasis
role="bold">'/sbin/shorewall-lite start'</emphasis></programlisting>
<para>In other words, the configuration in the specified (or
defaulted) directory is compiled to a file called firewall in that
directory. If compilation succeeds, then firewall is copied to
<replaceable>system</replaceable> using scp. If the copy succeeds,
Shorewall Lite on <replaceable>system</replaceable> is started via
ssh.</para>
<para>If <emphasis role="bold">-s</emphasis> is specified and the
<emphasis role="bold">start</emphasis> command succeeds, then the
remote Shorewall-lite configuration is saved by executing <emphasis
role="bold">shorewall-lite save</emphasis> via ssh.</para>
<para>if <emphasis role="bold">-c</emphasis> is included, the
command <emphasis role="bold">shorewall-lite show capabilities -f
&gt; /var/lib/shorewall-lite/capabilities</emphasis> is executed via
ssh then the generated file is copied to
<replaceable>directory</replaceable> using scp. This step is
performed before the configuration is compiled.</para>
<para>If <option>-r</option> is included, it specifies that the root
user on <replaceable>system</replaceable> is named
<replaceable>root-user-name</replaceable> rather than "root".</para>
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">logdrop</emphasis>
<replaceable>address</replaceable></term>
@ -1551,13 +1516,202 @@
</varlistentry>
<varlistentry>
<term><emphasis role="bold">reload </emphasis>[-<option>s</option>]
[-<option>c</option>] [-<option>r</option>
<term><emphasis role="bold">reload </emphasis>[-<option>n</option>]
[-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
[-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
[-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
<listitem>
<para>This command was re-implemented in Shorewall 5.0.0. The
pre-5.0.0 <command>reload</command> command is now called
<command>remote_restart</command> (see below).</para>
<para>Reload is similar to <emphasis role="bold">shorewall
start</emphasis> except that it assumes that the firewall is already
started. Existing connections are maintained. If a
<emphasis>directory</emphasis> is included in the command, Shorewall
will look in that <emphasis>directory</emphasis> first for
configuration files.</para>
<para>The <option>-n</option> option causes Shorewall to avoid
updating the routing table(s).</para>
<para>The <option>-p</option> option causes the connection tracking
table to be flushed; the <command>conntrack</command> utility must
be installed to use this option.</para>
<para>The <option>-d</option> option causes the compiler to run
under the Perl debugger.</para>
<para>The <option>-f</option> option suppresses the compilation step
and simply reused the compiled script which last started/restarted
Shorewall, provided that /etc/shorewall and its contents have not
been modified since the last start/restart.</para>
<para>The <option>-c</option> option was added in Shorewall 4.4.20
and performs the compilation step unconditionally, overriding the
AUTOMAKE setting in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When
both <option>-f</option> and <option>-c</option> are present, the
result is determined by the option that appears last.</para>
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<para>The <option>-C</option> option was added in Shorewall 4.6.5
and is only meaningful when AUTOMAKE=Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). If an
existing firewall script is used and if that script was the one that
generated the current running configuration, then the running
netfilter configuration will be reloaded as is so as to preserve the
iptables packet and byte counters.</para>
</listitem>
</varlistentry>
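Review bot: three documentation fixes for this entry. "simply reused the compiled script" should read "simply reuses"; the `-f` sentence says "last started/restarted" and should include "reloaded", since a reload also produces the script that `-f` reuses (the shorewall-lite manpage in this commit already lists reload there). More importantly, "the pre-5.0.0 reload command is now called remote_restart" is true by name (the old reload ran `shorewall-lite restart` on the remote), but with restart now being a stop-then-start on the lite side, the behaviour users got from the old reload (ruleset replaced, connections kept) is what `remote_reload` provides; say so explicitly so that users migrating scripts pick the right command.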
<varlistentry>
<term><emphasis role="bold">remote_start</emphasis>
[-<option>s</option>] [-<option>c</option>] [-<option>r</option>
<replaceable>root-user-name</replaceable>] [-<option>T</option>]
[-<option>i</option>] [ <replaceable>directory</replaceable> ]
<replaceable>system</replaceable></term>
<listitem>
<para>This command was renamed from <command>load</command> in
Shorewall 5.0.0.</para>
<para>If <emphasis>directory</emphasis> is omitted, the current
working directory is assumed. Allows a non-root user to compile a
shorewall script and install it on a system (provided that the user
has root access to the system via ssh). The command is equivalent
to:</para>
<programlisting> <emphasis role="bold">/sbin/shorewall compile -e</emphasis> <emphasis><replaceable>directory</replaceable></emphasis> <replaceable>directory</replaceable><emphasis
role="bold">/firewall &amp;&amp;\</emphasis>
<emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><replaceable>system</replaceable><emphasis
role="bold">:/var/lib/shorewall-lite/ &amp;&amp;\</emphasis>
<emphasis role="bold">ssh root@</emphasis><replaceable>system</replaceable> <emphasis
role="bold">'/sbin/shorewall-lite start'</emphasis></programlisting>
<para>In other words, the configuration in the specified (or
defaulted) directory is compiled to a file called firewall in that
directory. If compilation succeeds, then firewall is copied to
<replaceable>system</replaceable> using scp. If the copy succeeds,
Shorewall Lite on <replaceable>system</replaceable> is started via
ssh.</para>
<para>If <emphasis role="bold">-s</emphasis> is specified and the
<emphasis role="bold">start</emphasis> command succeeds, then the
remote Shorewall-lite configuration is saved by executing <emphasis
role="bold">shorewall-lite save</emphasis> via ssh.</para>
<para>if <emphasis role="bold">-c</emphasis> is included, the
command <emphasis role="bold">shorewall-lite show capabilities -f
&gt; /var/lib/shorewall-lite/capabilities</emphasis> is executed via
ssh then the generated file is copied to
<replaceable>directory</replaceable> using scp. This step is
performed before the configuration is compiled.</para>
<para>If <option>-r</option> is included, it specifies that the root
user on <replaceable>system</replaceable> is named
<replaceable>root-user-name</replaceable> rather than "root".</para>
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">remote_reload
</emphasis>[-<option>s</option>] [-<option>c</option>]
[-<option>r</option> <replaceable>root-user-name</replaceable>]
[-<option>T</option>] [-<option>i</option>] [
<replaceable>directory</replaceable> ]
<replaceable>system</replaceable></term>
<listitem>
<para>This command was added in Shorewall 5.0.0.</para>
<para>If <emphasis>directory</emphasis> is omitted, the current
working directory is assumed. Allows a non-root user to compile a
shorewall script and install it on a system (provided that the user
has root access to the system via ssh). The command is equivalent
to:</para>
<programlisting> <emphasis role="bold">/sbin/shorewall compile -e</emphasis> <emphasis>directory</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall &amp;&amp;\</emphasis>
<emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><emphasis>system</emphasis><emphasis
role="bold">:/var/lib/shorewall-lite/ &amp;&amp;\</emphasis>
<emphasis role="bold">ssh root@</emphasis><emphasis>system</emphasis> <emphasis
role="bold">'/sbin/shorewall-lite reload'</emphasis></programlisting>
<para>In other words, the configuration in the specified (or
defaulted) directory is compiled to a file called firewall in that
directory. If compilation succeeds, then firewall is copied to
<emphasis>system</emphasis> using scp. If the copy succeeds,
Shorewall Lite on <emphasis>system</emphasis> is restarted via
ssh.</para>
<para>If <emphasis role="bold">-s</emphasis> is specified and the
<emphasis role="bold">restart</emphasis> command succeeds, then the
remote Shorewall-lite configuration is saved by executing <emphasis
role="bold">shorewall-lite save</emphasis> via ssh.</para>
<para>if <emphasis role="bold">-c</emphasis> is included, the
command <emphasis role="bold">shorewall-lite show capabilities -f
&gt; /var/lib/shorewall-lite/capabilities</emphasis> is executed via
ssh then the generated file is copied to
<emphasis>directory</emphasis> using scp. This step is performed
before the configuration is compiled.</para>
<para>If <option>-r</option> is included, it specifies that the root
user on <replaceable>system</replaceable> is named
<replaceable>root-user-name</replaceable> rather than "root".</para>
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">remote_restart
</emphasis>[-<option>s</option>] [-<option>c</option>]
[-<option>r</option> <replaceable>root-user-name</replaceable>]
[-<option>T</option>] [-<option>i</option>] [
<replaceable>directory</replaceable> ]
<replaceable>system</replaceable></term>
<listitem>
<para>This command was renamed from <command>reload</command> in
Shorewall 5.0.0.</para>
<para>If <emphasis>directory</emphasis> is omitted, the current
working directory is assumed. Allows a non-root user to compile a
shorewall script and install it on a system (provided that the user
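Review bot: the remote_reload description contradicts the command it documents. The equivalent command ends with `ssh root@system '/sbin/shorewall-lite reload'`, yet the prose says "Shorewall Lite on system is restarted via ssh" and "-s ... if the restart command succeeds"; both should read "reloaded"/"reload", otherwise readers will expect the stop/start cycle that this patch now assigns to restart. Two smaller points in the same region: "if -c is included" should start with a capital "If", and the first `directory` argument of the compile step is marked `<emphasis><replaceable>` in the remote_start listing but plain `<emphasis>` in the remote_reload listing; pick one markup for both.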
@ -1628,12 +1782,14 @@
[-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
<listitem>
<para>Restart is similar to <emphasis role="bold">shorewall
start</emphasis> except that it assumes that the firewall is already
started. Existing connections are maintained. If a
<emphasis>directory</emphasis> is included in the command, Shorewall
will look in that <emphasis>directory</emphasis> first for
configuration files.</para>
<para>Beginning with Shorewall 5.0.0, this command performs a true
restart. The firewall is completely stopped as if a
<command>stop</command> command had been issued then it is started
again.</para>
<para>If a <emphasis>directory</emphasis> is included in the
command, Shorewall will look in that <emphasis>directory</emphasis>
first for configuration files.</para>
<para>The <option>-n</option> option causes Shorewall to avoid
updating the routing table(s).</para>
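Review bot: the rewritten restart paragraph deletes "Existing connections are maintained" without saying what replaces it. Since the command is now documented as a complete stop followed by a start, state explicitly what happens to established connections and to traffic arriving in the interval between the stop and the start, and point readers who relied on the old in-place behaviour to the new reload command. One sentence such as "Use reload if existing connections must be preserved" would make the semantic change visible to anyone upgrading from a pre-5.0.0 release.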
@ -1744,6 +1900,38 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">safe-reload
</emphasis>[-<option>d</option>] [-<option>p</option>] [-<option>t
</option><replaceable>timeout</replaceable> ] [
<replaceable>directory</replaceable> ]</term>
<listitem>
<para>Added in Shorewall 5.0.0, this command performs the same
function as did <command>safe_restart</command> in earlier
releases.</para>
<para>Only allowed if Shorewall is running. The current
configuration is saved in /var/lib/shorewall/safe-reload (see the
save command below) then a <emphasis role="bold">shorewall
reload</emphasis> is done. You will then be prompted asking if you
want to accept the new configuration or not. If you answer "n" or if
you fail to answer within 60 seconds (such as when your new
configuration has disabled communication with your terminal), the
configuration is restored from the saved configuration. If a
directory is given, then Shorewall will look in that directory first
when opening configuration files.</para>
<para>Beginning with Shorewall 4.5.0, you may specify a different
<replaceable>timeout</replaceable> value using the
<option>-t</option> option. The numeric
<replaceable>timeout</replaceable> may optionally be followed by an
<option>s</option>, <option>m</option> or <option>h</option> suffix
(e.g., 5m) to specify seconds, minutes or hours respectively. If the
suffix is omitted, seconds is assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">safe-restart
</emphasis>[-<option>d</option>] [-<option>p</option>] [-<option>t
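Review bot: the safe-reload term lists a -p option but none of the paragraphs describes it, while -d and -t are covered; add the -p sentence rather than leaving readers to guess that it matches the reload command's connection-tracking flush. Two smaller points: the text says the command replaces `safe_restart` (underscore) although the neighbouring entry is spelled `safe-restart` (hyphen), and the timeout paragraph says "Beginning with Shorewall 4.5.0" inside a command introduced as added in 5.0.0; for a new command, either drop the version qualifier or attribute it to safe-restart.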

View File

@ -699,8 +699,9 @@
<para>If <option>-f</option> is given, the command will be processed
by the compiled script that executed the last successful
<command>start</command>, <command>restart</command> or
<command>refresh</command> command if that script exists.</para>
<command>start</command>, <command>reload</command>, <emphasis
role="bold">restart</emphasis> or <command>refresh</command> command
if that script exists.</para>
</listitem>
</varlistentry>
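Review bot: inconsistent markup in the new -f sentence: start, reload and refresh are wrapped in `<command>`, but restart is wrapped in `<emphasis role="bold">`. Use `<command>restart</command>` so the four command names render the same way.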
@ -1003,6 +1004,31 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">reload </emphasis>[-n] [-p]
[-<option>C</option>]</term>
<listitem>
<para>Added in Shorewall 5.0.0, <emphasis
role="bold">reload</emphasis> is similar to <command>shorewall6-lite
start</command> except that it assumes that the firewall is already
started. Existing connections are maintained.</para>
<para>The <option>-n</option> option causes shorewall6-lite to avoid
updating the routing table(s).</para>
<para>The <option>-p</option> option causes the connection tracking
table to be flushed; the <command>conntrack</command> utility must
be installed to use this option.</para>
<para>The <option>-C</option> option was added in Shorewall 4.6.5.
If the specified (or implicit) firewall script is the one that
generated the current running configuration, then the running
netfilter configuration will be reloaded as is so as to preserve the
iptables packet and byte counters.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
...]</emphasis><acronym/></term>
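Review bot: the new reload entry states that "Existing connections are maintained" and two paragraphs later documents -p as flushing the connection tracking table; those statements need to be tied together, for example by noting that with -p the state of established connections is discarded, so their packets no longer match ESTABLISHED under the reloaded rules. Also, "The -C option was added in Shorewall 4.6.5" reads oddly inside a command that was itself added in 5.0.0; say that -C behaves as it does for restart, or drop the version.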
@ -1020,9 +1046,10 @@
[-<option>C</option>]</term>
<listitem>
<para>Restart is similar to <command>shorewall6-lite start</command>
except that it assumes that the firewall is already started.
Existing connections are maintained.</para>
<para>Beginning with Shorewall 5.0.0, this command performs a true
restart. The firewall is completely stopped as if a
<command>stop</command> command had been issued then it is started
again.</para>
<para>The <option>-n</option> option causes shorewall6-lite to avoid
updating the routing table(s).</para>
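Review bot: the old text's "Existing connections are maintained" is deleted and the new text only says the firewall is stopped and started again, leaving the reader to infer the impact on established connections. State it explicitly, and refer to the new reload command earlier in this file as the way to keep the pre-5.0.0 in-place behaviour.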

View File

@ -263,30 +263,6 @@
expression</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>load</option></arg>
<arg><option>-s</option></arg>
<arg><option>-c</option></arg>
<arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
<arg><option>-T</option></arg>
<arg><option>-i</option></arg>
<arg><replaceable>directory</replaceable></arg>
<arg choice="plain"><replaceable>system</replaceable></arg>
</cmdsynopsis>
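Review bot: the load synopsis is removed outright. If the CLI still accepts `load` as an alias for remote_start, keep a synopsis (or a one-line mention) for it; if it does not, the remote_start entry later in this file should say that the command was renamed from load, so that users searching this page for load find the replacement.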
<cmdsynopsis>
<command>shorewall6</command>
@ -402,7 +378,55 @@
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>reload</option></arg>
<arg choice="plain"><option>remote_start</option></arg>
<arg><option>-s</option></arg>
<arg><option>-c</option></arg>
<arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
<arg><option>-T</option></arg>
<arg><option>-i</option></arg>
<arg><replaceable>directory</replaceable></arg>
<arg choice="plain"><replaceable>system</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>remote_reload</option></arg>
<arg><option>-s</option></arg>
<arg><option>-c</option></arg>
<arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
<arg><option>-T</option></arg>
<arg><option>-i</option></arg>
<arg><replaceable>directory</replaceable></arg>
<arg choice="plain"><replaceable>system</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>remote_restart</option></arg>
<arg><option>-s</option></arg>
@ -430,6 +454,29 @@
<arg choice="plain"><option>reset</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>reload</option></arg>
<arg><option>-n</option></arg>
<arg><option>-f</option></arg>
<arg><option>-c</option></arg>
<arg><option>-T</option></arg>
<arg><option>-i</option><arg><option>-C</option></arg></arg>
<arg><replaceable>directory</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
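Review bot: the new shorewall6 reload synopsis lists -n, -f, -c, -T, -i and -C but omits -p and -d, both of which the reload term later in this file documents (-p flushes the connection tracking table, -d runs the compiler under the Perl debugger). Add `<arg><option>-p</option></arg>` and `<arg><option>-d</option></arg>` so the synopsis matches the term.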
@ -482,6 +529,23 @@
<arg><replaceable>parameter ...</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>safe-reload</option></arg>
<arg><option>-d</option></arg>
<arg><option>-t</option> <replaceable>timeout</replaceable></arg>
<arg><replaceable>directory</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
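Review bot: the safe-reload synopsis here shows only -d, -t and directory, whereas the safe-reload term added to shorewall.xml in this same patch also lists -p. Either add `<arg><option>-p</option></arg>` here or drop it from that term so the two manpages agree on the option set.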
@ -1201,65 +1265,6 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">load </emphasis> [-<option>s</option>]
[-<option>c</option>] [-<option>r</option>
<replaceable>root-user-name</replaceable>] [-<option>T</option>]
[-<option>i</option>] [ <replaceable>directory</replaceable> ]
<replaceable>system</replaceable></term>
<listitem>
<para>If <emphasis>directory</emphasis> is omitted, the current
working directory is assumed. Allows a non-root user to compile a
shorewall6 script and install it on a system (provided that the user
has root access to the system via ssh). The command is equivalent
to:</para>
<programlisting> <emphasis role="bold">/sbin/shorewall6 compile -e</emphasis> <emphasis><replaceable>directory</replaceable></emphasis> <replaceable>directory</replaceable><emphasis
role="bold">/firewall &amp;&amp;\</emphasis>
<emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><replaceable>system</replaceable><emphasis
role="bold">:/var/lib/shorewall6-lite/ &amp;&amp;\</emphasis>
<emphasis role="bold">ssh root@</emphasis><replaceable>system</replaceable> <emphasis
role="bold">'/sbin/shorewall6-lite start'</emphasis></programlisting>
<para>In other words, the configuration in the specified (or
defaulted) directory is compiled to a file called firewall in that
directory. If compilation succeeds, then firewall is copied to
<replaceable>system</replaceable> using scp. If the copy succeeds,
Shorewall6 Lite on <replaceable>system</replaceable> is started via
ssh.</para>
<para>If <option>-s</option> is specified and the <emphasis
role="bold">start</emphasis> command succeeds, then the remote
Shorewall6-lite configuration is saved by executing
<command>shorewall6-lite save</command> via ssh.</para>
<para>if <option>-c</option> is included, the command
<command>shorewall6-lite show capabilities -f &gt;
/var/lib/shorewall6-lite/capabilities</command> is executed via ssh
then the generated file is copied to
<replaceable>directory</replaceable> using scp. This step is
performed before the configuration is compiled.</para>
<para>If <option>-r</option> is included, it specifies that the root
user on <replaceable>system</replaceable> is named
<replaceable>root-user-name</replaceable> rather than "root".</para>
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">logdrop
</emphasis><replaceable>address</replaceable></term>
@ -1448,13 +1453,141 @@
</varlistentry>
<varlistentry>
<term><emphasis role="bold">reload </emphasis>[-<option>s</option>]
[-<option>c</option>] [-<option>r</option>
<replaceable>root-user-name</replaceable>] [-<option>T</option>]
[-<option>i</option>] [ <replaceable>directory</replaceable> ]
<term><emphasis role="bold">reload </emphasis>[-<option>n</option>]
[-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
[-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
[-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
<listitem>
<para>This command was re-implemented in Shorewall 5.0.0. The
pre-5.0.0 <command>reload</command> command is now called
<command>remote_restart</command> (see below).</para>
<para>Reload is similar to <command>shorewall6 start</command>
except that it assumes that the firewall is already started.
Existing connections are maintained. If a
<emphasis>directory</emphasis> is included in the command,
Shorewall6 will look in that <emphasis>directory</emphasis> first
for configuration files.</para>
<para>The <option>-n</option> option causes Shorewall6 to avoid
updating the routing table(s).</para>
<para>The <option>-p</option> option causes the connection tracking
table to be flushed; the <command>conntrack</command> utility must
be installed to use this option.</para>
<para>The <option>-d</option> option causes the compiler to run
under the Perl debugger.</para>
<para>The <option>-f</option> option suppresses the compilation step
and simply reused the compiled script which last started/restarted
Shorewall, provided that <filename class="directory">/etc/shorewall6
</filename> and its contents have not been modified since the last
start/restart.</para>
<para>The <option>-c</option> option was added in Shorewall 4.4.20
and performs the compilation step unconditionally, overriding the
AUTOMAKE setting in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
When both <option>-f</option> and <option>-c</option> are present,
the result is determined by the option that appears last.</para>
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<para>The <option>-C</option> option was added in Shorewall 4.6.5
and is only meaningful when AUTOMAKE=Yes in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). If
an existing firewall script is used and if that script was the one
that generated the current running configuration, then the running
netfilter configuration will be reloaded as is so as to preserve the
iptables packet and byte counters.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">remote_reload
</emphasis>[-<option>s</option>] [-<option>c</option>]
[-<option>r</option> <replaceable>root-user-name</replaceable>]
[-<option>T</option>] [-<option>i</option>] [
<replaceable>directory</replaceable> ]
<replaceable>system</replaceable></term>
<listitem>
<para>This command was added in Shorewall 5.0.0.</para>
<para>If <emphasis>directory</emphasis> is omitted, the current
working directory is assumed. Allows a non-root user to compile a
shorewall6 script and install it on a system (provided that the user
has root access to the system via ssh). The command is equivalent
to:</para>
<programlisting> <emphasis role="bold">/sbin/shorewall6 compile -e</emphasis> <emphasis>directory</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall &amp;&amp;\</emphasis>
<emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><emphasis>system</emphasis><emphasis
role="bold">:/var/lib/shorewall6-lite/ &amp;&amp;\</emphasis>
<emphasis role="bold">ssh root@</emphasis><emphasis>system</emphasis> <emphasis
role="bold">'/sbin/shorewall6-lite reload'</emphasis></programlisting>
<para>In other words, the configuration in the specified (or
defaulted) directory is compiled to a file called firewall in that
directory. If compilation succeeds, then firewall is copied to
<emphasis>system</emphasis> using scp. If the copy succeeds,
Shorewall6 Lite on <emphasis>system</emphasis> is restarted via
ssh.</para>
<para>If <option>-s</option> is specified and the
<command>restart</command> command succeeds, then the remote
Shorewall6-lite configuration is saved by executing
<command>shorewall6-lite save</command> via ssh.</para>
<para>if <option>-c</option> is included, the command
<command>shorewall6-lite show capabilities -f &gt;
/var/lib/shorewall6-lite/capabilities</command> is executed via ssh
then the generated file is copied to <emphasis>directory</emphasis>
using scp. This step is performed before the configuration is
compiled.</para>
<para>If <option>-r</option> is included, it specifies that the root
user on <replaceable>system</replaceable> is named
<replaceable>root-user-name</replaceable> rather than "root".</para>
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">remote_ restart
</emphasis>[-<option>s</option>] [-<option>c</option>]
[-<option>r</option> <replaceable>root-user-name</replaceable>]
[-<option>T</option>] [-<option>i</option>] [
<replaceable>directory</replaceable> ]
<replaceable>system</replaceable></term>
<listitem>
<para>This command was renamed from <command>reload</command> in
Shorewall 5.0.0.</para>
<para>If <emphasis>directory</emphasis> is omitted, the current
working directory is assumed. Allows a non-root user to compile a
shorewall6 script and install it on a system (provided that the user
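Review bot: the remote_restart term is misspelled as `remote_ restart` (stray space inside the emphasis); the command name is one token, and a reader copying the heading would get a non-existent command. Also in this hunk: the -f paragraph reads "simply reused the compiled script" and should read "reuses"; the remote_reload prose says "restarted via ssh" and "if the restart command succeeds" although the equivalent command shown is `/sbin/shorewall6-lite reload`, so say "reloaded"/"reload"; and "if -c is included" should begin with a capital "If".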
@ -1506,6 +1639,67 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">remote_start </emphasis>
[-<option>s</option>] [-<option>c</option>] [-<option>r</option>
<replaceable>root-user-name</replaceable>] [-<option>T</option>]
[-<option>i</option>] [ <replaceable>directory</replaceable> ]
<replaceable>system</replaceable></term>
<listitem>
<para>This command was added in Shorewall 5.0.0.</para>
<para>If <emphasis>directory</emphasis> is omitted, the current
working directory is assumed. Allows a non-root user to compile a
shorewall6 script and install it on a system (provided that the user
has root access to the system via ssh). The command is equivalent
to:</para>
<programlisting> <emphasis role="bold">/sbin/shorewall6 compile -e</emphasis> <emphasis><replaceable>directory</replaceable></emphasis> <replaceable>directory</replaceable><emphasis
role="bold">/firewall &amp;&amp;\</emphasis>
<emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><replaceable>system</replaceable><emphasis
role="bold">:/var/lib/shorewall6-lite/ &amp;&amp;\</emphasis>
<emphasis role="bold">ssh root@</emphasis><replaceable>system</replaceable> <emphasis
role="bold">'/sbin/shorewall6-lite start'</emphasis></programlisting>
<para>In other words, the configuration in the specified (or
defaulted) directory is compiled to a file called firewall in that
directory. If compilation succeeds, then firewall is copied to
<replaceable>system</replaceable> using scp. If the copy succeeds,
Shorewall6 Lite on <replaceable>system</replaceable> is started via
ssh.</para>
<para>If <option>-s</option> is specified and the <emphasis
role="bold">start</emphasis> command succeeds, then the remote
Shorewall6-lite configuration is saved by executing
<command>shorewall6-lite save</command> via ssh.</para>
<para>if <option>-c</option> is included, the command
<command>shorewall6-lite show capabilities -f &gt;
/var/lib/shorewall6-lite/capabilities</command> is executed via ssh
then the generated file is copied to
<replaceable>directory</replaceable> using scp. This step is
performed before the configuration is compiled.</para>
<para>If <option>-r</option> is included, it specifies that the root
user on <replaceable>system</replaceable> is named
<replaceable>root-user-name</replaceable> rather than "root".</para>
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
...]</emphasis><acronym/></term>
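Review bot: this remote_start entry says "This command was added in Shorewall 5.0.0", but the shorewall.xml counterpart in this same patch says remote_start "was renamed from load", and the load entry is deleted from this file in the same commit. The two manpages should tell the same story; "renamed from load" is the accurate wording here and gives users of the old command a pointer to its replacement.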
@ -1525,12 +1719,14 @@
[-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
<listitem>
<para>Restart is similar to <command>shorewall6 start</command>
except that it assumes that the firewall is already started.
Existing connections are maintained. If a
<emphasis>directory</emphasis> is included in the command,
Shorewall6 will look in that <emphasis>directory</emphasis> first
for configuration files.</para>
<para>Beginning with Shorewall 5.0.0, this command performs a true
restart. The firewall is completely stopped as if a
<command>stop</command> command had been issued then it is started
again.</para>
<para>If a <emphasis>directory</emphasis> is included in the
command, Shorewall6 will look in that <emphasis>directory</emphasis>
first for configuration files.</para>
<para>The <option>-n</option> option causes Shorewall6 to avoid
updating the routing table(s).</para>
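Review bot: as with the shorewall.xml restart entry, the sentence "Existing connections are maintained" is removed and nothing states the effect of the new stop-then-start behaviour on established connections or on traffic arriving between the stop and the start. Add a sentence saying what happens to them and recommend reload for an in-place update.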