New 'reload' and 'restart' semantics

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2015-07-26 09:59:49 -07:00
parent 8e31255c9b
commit f9ec0c6930
24 changed files with 844 additions and 359 deletions

View File

@ -3787,7 +3787,7 @@ start_command() {
} }
# #
# Restart Command Executor # Reload/Restart Command Executor
# #
restart_command() { restart_command() {
local finished local finished
@ -3846,11 +3846,11 @@ restart_command() {
[ -n "$g_nolock" ] || mutex_on [ -n "$g_nolock" ] || mutex_on
if [ -x ${VARDIR}/firewall ]; then if [ -x ${VARDIR}/firewall ]; then
run_it ${VARDIR}/firewall $g_debugging restart run_it ${VARDIR}/firewall $g_debugging $COMMAND
rc=$? rc=$?
else else
error_message "${VARDIR}/firewall is missing or is not executable" error_message "${VARDIR}/firewall is missing or is not executable"
logger -p kern.err "ERROR:$g_product restart failed" logger -p kern.err "ERROR:$g_product $COMMAND failed"
rc=6 rc=6
fi fi
@ -4205,7 +4205,7 @@ shorewall_cli() {
run_it $g_firewall $g_debugging reset $@ run_it $g_firewall $g_debugging reset $@
[ -n "$g_nolock" ] || mutex_off [ -n "$g_nolock" ] || mutex_off
;; ;;
restart) reload|restart)
get_config Yes Yes get_config Yes Yes
shift shift
restart_command $@ restart_command $@

View File

@ -329,6 +329,21 @@
<arg choice="plain"><replaceable>address</replaceable></arg> <arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>reload</option></arg>
<arg><option>-n</option></arg>
<arg><option>-p</option><arg><option>-C</option></arg></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall-lite</command> <command>shorewall-lite</command>
@ -708,6 +723,7 @@
<para>If <option>-f</option> is given, the command will be processed <para>If <option>-f</option> is given, the command will be processed
by the compiled script that executed the last successful <emphasis by the compiled script that executed the last successful <emphasis
role="bold">start</emphasis>, <emphasis role="bold">start</emphasis>, <emphasis
role="bold">reload</emphasis>, <emphasis
role="bold">restart</emphasis> or <emphasis role="bold">restart</emphasis> or <emphasis
role="bold">refresh</emphasis> command if that script exists.</para> role="bold">refresh</emphasis> command if that script exists.</para>
</listitem> </listitem>
@ -1026,6 +1042,32 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">reload </emphasis>[-n] [-p]
[-<option>C</option>]</term>
<listitem>
<para>Added in Shorewall 5.0.0, <emphasis
role="bold">reload</emphasis> is similar to <emphasis
role="bold">shorewall-lite start</emphasis> except that it assumes
that the firewall is already started. Existing connections are
maintained.</para>
<para>The <option>-n</option> option causes Shorewall-lite to avoid
updating the routing table(s).</para>
<para>The <option>-p</option> option causes the connection tracking
table to be flushed; the <command>conntrack</command> utility must
be installed to use this option.</para>
<para>The <option>-C</option> option was added in Shorewall 4.6.5.
If the specified (or implicit) firewall script is the one that
generated the current running configuration, then the running
netfilter configuration will be reloaded as is so as to preserve the
iptables packet and byte counters.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">reset [<replaceable>chain</replaceable>, <term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
...]</emphasis><acronym/></term> ...]</emphasis><acronym/></term>
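Review bot: the -C paragraph in the new reload entry says the option "was added in Shorewall 4.6.5", yet the same entry opens with "Added in Shorewall 5.0.0"; the sentence was carried over from the restart entry. Either drop the version note here or reword it to make clear that 4.6.5 refers to -C on restart, not to reload.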
@ -1043,9 +1085,10 @@
[-<option>C</option>]</term> [-<option>C</option>]</term>
<listitem> <listitem>
<para>Restart is similar to <emphasis role="bold">shorewall-lite <para>Beginning with Shorewall 5.0.0, this command performs a true
start</emphasis> except that it assumes that the firewall is already restart. The firewall is completely stopped as if a
started. Existing connections are maintained.</para> <command>stop</command> command had been issued then it is started
again.</para>
<para>The <option>-n</option> option causes Shorewall-lite to avoid <para>The <option>-n</option> option causes Shorewall-lite to avoid
updating the routing table(s).</para> updating the routing table(s).</para>
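Review bot: the rewritten restart text says the firewall is stopped as if by stop and then started again, but it drops the old sentence about existing connections, while the option paragraphs that follow (-n, -p, -C) are left unchanged from the old in-place restart. State explicitly which of those options still apply under stop-then-start semantics and what happens to connections and counters, otherwise readers will assume the reload behaviour described in the entry above.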

View File

@ -8,11 +8,11 @@ all: $(VARDIR)/$(RESTOREFILE)
$(VARDIR)/$(RESTOREFILE): $(CONFDIR)/* $(VARDIR)/$(RESTOREFILE): $(CONFDIR)/*
@/sbin/shorewall -q save >/dev/null; \ @/sbin/shorewall -q save >/dev/null; \
if \ if \
/sbin/shorewall -q restart >/dev/null 2>&1; \ /sbin/shorewall -q reload >/dev/null 2>&1; \
then \ then \
/sbin/shorewall -q save >/dev/null; \ /sbin/shorewall -q save >/dev/null; \
else \ else \
/sbin/shorewall -q restart 2>&1 | tail >&2; exit 1; \ /sbin/shorewall -q restore 2>&1 | tail >&2; exit 1; \
fi fi
clean: clean:
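Review bot: the `save` on the first line of the recipe discards its exit status (`>/dev/null;` with no test), so if it fails the new `restore` in the else branch loads whatever restore file an earlier run left behind rather than the configuration that was running before the failed `reload`. Chain it so the recipe stops early, e.g. `@/sbin/shorewall -q save >/dev/null && if ...`, or test its status and `exit 1` before attempting the reload.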

View File

@ -7070,9 +7070,9 @@ sub verify_source_interface( $$$$ ) {
fatal_error "A wildcard interface ( $iiface) is not allowed in this context" if $iiface =~ /\+$/; fatal_error "A wildcard interface ( $iiface) is not allowed in this context" if $iiface =~ /\+$/;
if ( $table eq 'nat' ) { if ( $table eq 'nat' ) {
warning_message qq(Using an interface as the masq SOURCE requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount++; warning_message qq(Using an interface as the masq SOURCE requires the interface to be up and configured when $Product starts/restarts/reloads) unless $idiotcount++;
} else { } else {
warning_message qq(Using an interface as the SOURCE in a T: rule requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount1++; warning_message qq(Using an interface as the SOURCE in a T: rule requires the interface to be up and configured when $Product starts/restarts/reloads) unless $idiotcount1++;
} }
push_command $chainref, join( '', 'for source in ', get_interface_nets( $iiface) , '; do' ), 'done'; push_command $chainref, join( '', 'for source in ', get_interface_nets( $iiface) , '; do' ), 'done';
@ -7962,7 +7962,7 @@ sub save_dynamic_chains() {
my $tool = $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}'; my $tool = $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}';
my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore'; my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = refresh ]; then' ); emit ( 'if [ "$COMMAND" = reload -o "$COMMAND" = refresh ]; then' );
push_indent; push_indent;
emit( 'if [ -n "$g_counters" ]; then' , emit( 'if [ -n "$g_counters" ]; then' ,
@ -8251,7 +8251,7 @@ sub load_ipsets() {
} }
if ( @ipsets ) { if ( @ipsets ) {
emit ( 'elif [ "$COMMAND" = restart ]; then' ); emit ( 'elif [ "$COMMAND" = reload ]; then' );
ensure_ipset( $_ ) for @ipsets; ensure_ipset( $_ ) for @ipsets;
} }
@ -8318,7 +8318,7 @@ sub create_netfilter_load( $ ) {
my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE'; my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';
emit( '', emit( '',
'if [ "$COMMAND" = restart -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then', 'if [ "$COMMAND" = reload -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
' option="--counters"', ' option="--counters"',
'', '',
' progress_message "Reusing existing ruleset..."', ' progress_message "Reusing existing ruleset..."',
@ -8371,7 +8371,7 @@ sub create_netfilter_load( $ ) {
} }
} }
# #
# SHA1SUM chains for handling 'restart -s' # SHA1SUM chains for handling 'reload -s'
# #
if ( $table eq 'filter' ) { if ( $table eq 'filter' ) {
emit_unindented ':$g_sha1sum1 - [0:0]'; emit_unindented ':$g_sha1sum1 - [0:0]';
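Review bot: the renamed comment refers to 'reload -s', but the reload synopsis added in this commit lists only -n, -p and -C, and the man page describes -C as the option that preserves the packet and byte counters; the chains under this comment are what the `-n "$g_counters"` test in the previous hunk relies on. Make the comment name the option that actually sets `$g_counters` (presumably -C) rather than a flag the command does not document.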

View File

@ -217,7 +217,7 @@ sub generate_script_2() {
my @dont_load = split_list $config{DONT_LOAD}, 'module'; my @dont_load = split_list $config{DONT_LOAD}, 'module';
emit ( '[ -n "${COMMAND:=restart}" ]', emit ( '[ -n "${COMMAND:=reload}" ]',
'[ -n "${VERBOSITY:=0}" ]', '[ -n "${VERBOSITY:=0}" ]',
qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]) ); qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]) );
@ -361,7 +361,7 @@ sub generate_script_3($) {
create_chainlist_reload( $_[0] ); create_chainlist_reload( $_[0] );
create_save_ipsets; create_save_ipsets;
emit "#\n# Start/Restart the Firewall\n#"; emit "#\n# Start/Reload the Firewall\n#";
emit( 'define_firewall() {', emit( 'define_firewall() {',
' local options' ); ' local options' );
@ -567,8 +567,8 @@ case $COMMAND in
start) start)
logger -p kern.info "$g_product started" logger -p kern.info "$g_product started"
;; ;;
restart) reloaded)
logger -p kern.info "$g_product restarted" logger -p kern.info "$g_product reloaded"
;; ;;
refresh) refresh)
logger -p kern.info "$g_product refreshed" logger -p kern.info "$g_product refreshed"
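Review bot: the new case label `reloaded)` will never match. The compiled script is invoked with `$COMMAND` set to `reload` (this commit's own dispatch passes `${COMMAND}` through, and the failure-path case in the next file matches `reload)`), so "$g_product reloaded" is never logged. Change the label to `reload)`.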

View File

@ -2471,8 +2471,8 @@ EOF
start) start)
logger -p kern.err "ERROR:$g_product start failed" logger -p kern.err "ERROR:$g_product start failed"
;; ;;
restart) reload)
logger -p kern.err "ERROR:$g_product restart failed" logger -p kern.err "ERROR:$g_product reload failed"
;; ;;
refresh) refresh)
logger -p kern.err "ERROR:$g_product refresh failed" logger -p kern.err "ERROR:$g_product refresh failed"

View File

@ -1797,7 +1797,7 @@ sub compile_updown() {
if ( $wildcard ) { if ( $wildcard ) {
emit( ' if [ "$state" = started ]; then', emit( ' if [ "$state" = started ]; then',
' COMMAND=restart', ' COMMAND=reload',
' else', ' else',
' COMMAND=start', ' COMMAND=start',
' fi' ); ' fi' );
@ -1816,8 +1816,8 @@ sub compile_updown() {
if ( $wildcard ) { if ( $wildcard ) {
emit( ' if [ "$state" = started ]; then', emit( ' if [ "$state" = started ]; then',
' progress_message3 "$g_product attempting restart"', ' progress_message3 "$g_product attempting reload"',
' COMMAND=restart', ' COMMAND=reload',
' detect_configuration', ' detect_configuration',
' define_firewall', ' define_firewall',
' fi' ); ' fi' );
@ -1859,8 +1859,8 @@ sub compile_updown() {
emit( '', emit( '',
' if [ "$state" = started ]; then', ' if [ "$state" = started ]; then',
' COMMAND=restart', ' COMMAND=reload',
' progress_message3 "$g_product attempting restart"', ' progress_message3 "$g_product attempting reload"',
' detect_configuration', ' detect_configuration',
' define_firewall', ' define_firewall',
' elif [ "$state" = stopped ]; then', ' elif [ "$state" = stopped ]; then',
@ -1884,8 +1884,8 @@ sub compile_updown() {
emit( "$interfaces)", emit( "$interfaces)",
' case $state in', ' case $state in',
' started)', ' started)',
' COMMAND=restart', ' COMMAND=reload',
' progress_message3 "$g_product attempting restart"', ' progress_message3 "$g_product attempting reload"',
' detect_configuration', ' detect_configuration',
' define_firewall', ' define_firewall',
' ;;', ' ;;',
@ -2054,7 +2054,7 @@ sub handle_optional_interfaces( $ ) {
emit( '', emit( '',
'if [ -z "$HAVE_INTERFACE" ]; then' , 'if [ -z "$HAVE_INTERFACE" ]; then' ,
' case "$COMMAND" in', ' case "$COMMAND" in',
' start|restart|restore|refresh)' ' start|reload|restore|refresh)'
); );
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {

View File

@ -1884,7 +1884,7 @@ sub verify_required_interfaces( $ ) {
push_indent; push_indent;
emit( 'start|restart|restore)' ); emit( 'start|reload|restore)' );
push_indent; push_indent;
@ -1946,7 +1946,7 @@ sub verify_required_interfaces( $ ) {
if ( $generate_case ) { if ( $generate_case ) {
emit( 'case "$COMMAND" in' ); emit( 'case "$COMMAND" in' );
push_indent; push_indent;
emit( 'start|restart|restore|refresh)' ); emit( 'start|reload|restore|refresh)' );
push_indent; push_indent;
} }

View File

@ -21,7 +21,7 @@
# -v and -q Standard Shorewall Verbosity control # -v and -q Standard Shorewall Verbosity control
# -t Timestamp progress messages # -t Timestamp progress messages
# -p Purge conntrack table # -p Purge conntrack table
# -r Recover from failed start/restart # -r Recover from failed start/reload
# -V <verbosity> Set verbosity level explicitly # -V <verbosity> Set verbosity level explicitly
# -R <restore> Overrides RESTOREFILE setting # -R <restore> Overrides RESTOREFILE setting
# #

View File

@ -17,6 +17,7 @@ usage() {
echo " reset" echo " reset"
echo " reenable <interface>" echo " reenable <interface>"
echo " refresh" echo " refresh"
echo " reload"
echo " restart" echo " restart"
echo " run <command> [ <parameter> ... ]" echo " run <command> [ <parameter> ... ]"
echo " status" echo " status"
@ -37,27 +38,30 @@ usage() {
exit $1 exit $1
} }
checkkernelversion() { start_command() {
?if __IPV6 if product_is_started; then
local kernel error_message "$g_product is already Running"
status=0
kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//') else
progress_message3 "Starting $g_product...."
case "$kernel" in detect_configuration
*.*.*) define_firewall
kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g')) status=$?
;; if [ $status -eq 0 ]; then
*) [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g')) progress_message3 "done."
;; fi
esac
if [ $kernel -lt 20624 ]; then
error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
return 1
fi fi
?endif
return $status
}
stop_command() {
progress_message3 "Stopping $g_product...."
detect_configuration
stop_firewall
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done."
return 0 return 0
} }
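Review bot: `stop_command` returns 0 unconditionally and ignores the result of `stop_firewall`, so the `stop_command && ... start_command` chain in the new restart case below can never short-circuit on a failed stop; return the status of `stop_firewall` instead. Separately, the IPv6 `checkkernelversion` check (2.6.24 minimum) is deleted here and at every call site in the next hunk without a mention in the commit message; if the minimum kernel is now enforced elsewhere, say so in the release notes.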
@ -224,94 +228,71 @@ COMMAND="$1"
case "$COMMAND" in case "$COMMAND" in
start) start)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
if product_is_started; then start_command
error_message "$g_product is already Running"
status=0
else
progress_message3 "Starting $g_product...."
if checkkernelversion; then
detect_configuration
define_firewall
status=$?
if [ $status -eq 0 ]; then
[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
progress_message3 "done."
fi
fi
fi
;; ;;
stop) stop)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
if checkkernelversion; then stop_command
progress_message3 "Stopping $g_product...."
detect_configuration
stop_firewall
status=0
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done."
fi
;; ;;
reset) reset)
if ! product_is_started ; then if ! product_is_started ; then
error_message "$g_product is not running" error_message "$g_product is not running"
status=2 status=2
elif checkkernelversion; then elif [ $# -eq 1 ]; then
if [ $# -eq 1 ]; then $g_tool -Z
$g_tool -Z $g_tool -t mangle -Z
$g_tool -t mangle -Z date > ${VARDIR}/restarted
date > ${VARDIR}/restarted status=0
status=0 progress_message3 "$g_product Counters Reset"
progress_message3 "$g_product Counters Reset" else
else shift
shift status=0
status=0 for chain in $@; do
for chain in $@; do if chain_exists $chain; then
if chain_exists $chain; then if qt $g_tool-Z $chain; then
if qt $g_tool-Z $chain; then progress_message3 "Filter $chain Counters Reset"
progress_message3 "Filter $chain Counters Reset"
else
error_message "ERROR: Reset of chain $chain failed"
status=2
break
fi
else else
error_message "WARNING: Filter Chain $chain does not exist" error_message "ERROR: Reset of chain $chain failed"
status=2
break
fi fi
done else
fi error_message "WARNING: Filter Chain $chain does not exist"
fi
done
fi fi
;; ;;
restart) reload)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
if product_is_started; then if product_is_started; then
progress_message3 "Restarting $g_product...." progress_message3 "Reloading $g_product...."
else else
error_message "$g_product is not running" error_message "$g_product is not running"
progress_message3 "Starting $g_product...." progress_message3 "Starting $g_product...."
COMMAND=start COMMAND=start
fi fi
if checkkernelversion; then detect_configuration
detect_configuration define_firewall
define_firewall status=$?
status=$? if [ -n "$SUBSYSLOCK" ]; then
if [ -n "$SUBSYSLOCK" ]; then [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK fi
fi
[ $status -eq 0 ] && progress_message3 "done." [ $status -eq 0 ] && progress_message3 "done."
fi ;;
restart)
[ $# -ne 1 ] && usage 2
COMMAND=stop stop_command && COMMAND=start start_command
;; ;;
refresh) refresh)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
if product_is_started; then if product_is_started; then
progress_message3 "Refreshing $g_product...." progress_message3 "Refreshing $g_product...."
if checkkernelversion; then detect_configuration
detect_configuration define_firewall
define_firewall status=$?
status=$? [ $status -eq 0 ] && progress_message3 "done."
[ $status -eq 0 ] && progress_message3 "done."
fi
else else
echo "$g_product is not running" >&2 echo "$g_product is not running" >&2
status=2 status=2
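Review bot: `COMMAND=stop stop_command && COMMAND=start start_command` in the new `restart)` arm depends on shell-specific handling of an assignment prefixed to a function call: dash leaves the assignment in effect after the function returns, while bash outside POSIX mode restores the previous value, so the trailing `case $COMMAND in` logging in the compiled script sees either `start` or `restart` depending on the interpreter. Set it explicitly, e.g. `COMMAND=stop; stop_command && { COMMAND=start; start_command; }`. The arm is also the only one that does not assign `status` itself; it relies on `start_command` setting it as a side effect, which leaves `status` unset if the stop ever fails.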
@ -319,27 +300,23 @@ case "$COMMAND" in
;; ;;
restore) restore)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
if checkkernelversion; then detect_configuration
detect_configuration define_firewall
define_firewall status=$?
status=$? if [ -n "$SUBSYSLOCK" ]; then
if [ -n "$SUBSYSLOCK" ]; then [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK fi
fi [ $status -eq 0 ] && progress_message3 "done."
[ $status -eq 0 ] && progress_message3 "done."
fi
;; ;;
clear) clear)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
progress_message3 "Clearing $g_product...." progress_message3 "Clearing $g_product...."
if checkkernelversion; then clear_firewall
clear_firewall status=0
status=0 if [ -n "$SUBSYSLOCK" ]; then
if [ -n "$SUBSYSLOCK" ]; then rm -f $SUBSYSLOCK
rm -f $SUBSYSLOCK
fi
progress_message3 "done."
fi fi
progress_message3 "done."
;; ;;
status) status)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2

View File

@ -4,7 +4,7 @@
# /etc/shorewall/init # /etc/shorewall/init
# #
# Add commands below that you want to be executed at the beginning of # Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command. # a "shorewall start", "shorewall-reload" or "shorewall restart" command.
# #
# For additional information, see # For additional information, see
# http://shorewall.net/shorewall_extension_scripts.htm # http://shorewall.net/shorewall_extension_scripts.htm
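Review bot: `"shorewall-reload"` in the new comment should be `"shorewall reload"`, matching the other two command names on the same line.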

View File

@ -4,8 +4,9 @@
# /etc/shorewall/initdone # /etc/shorewall/initdone
# #
# Add commands below that you want to be executed during # Add commands below that you want to be executed during
# "shorewall start" or "shorewall restart" commands at the point where # "shorewall start", "shorewall reload" or "shorewall restart" commands
# Shorewall has not yet added any permanent rules to the builtin chains. # at the point where Shorewall has not yet added any permanent rules to
# the builtin chains.
# #
# For additional information, see # For additional information, see
# http://shorewall.net/shorewall_extension_scripts.htm # http://shorewall.net/shorewall_extension_scripts.htm

View File

@ -4,7 +4,7 @@
# /etc/shorewall/start # /etc/shorewall/start
# #
# Add commands below that you want to be executed after shorewall has # Add commands below that you want to be executed after shorewall has
# been started or restarted. # been started, reloaded or restarted.
# #
# See http://shorewall.net/shorewall_extension_scripts.htm for additional # See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information. # information.

View File

@ -4,11 +4,10 @@
# /etc/shorewall/started # /etc/shorewall/started
# #
# Add commands below that you want to be executed after shorewall has # Add commands below that you want to be executed after shorewall has
# been completely started or restarted. The difference between this # been completely started, reloaded or restarted. The difference between
# extension script and /etc/shorewall/start is that this one is invoked # this extension script and /etc/shorewall/start is that this one is
# after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and # invoked after the 'shorewall' chain has been created (thus
# after the 'shorewall' chain has been created (thus signaling that the # signaling that the firewall is completely up).
# firewall is completely up).
# #
# This script should not change the firewall configuration directly but # This script should not change the firewall configuration directly but
# may do so indirectly by running /sbin/shorewall with the 'nolock' # may do so indirectly by running /sbin/shorewall with the 'nolock'

View File

@ -25,6 +25,11 @@ OPTIONS=""
# #
STARTOPTIONS="" STARTOPTIONS=""
#
# Restart options
#
RELOADOPTIONS=""
# #
# Restart options # Restart options
# #
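Review bot: the comment header added above `RELOADOPTIONS` reads `# Restart options`, duplicating the header of the `RESTARTOPTIONS` block directly below it; change it to `# Reload options`.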

View File

@ -106,6 +106,13 @@ shorewall_stop () {
return 0 return 0
} }
# reload the firewall
shorewall_reload () {
echo -n "Reloading \"Shorewall firewall\": "
$SRWL $SRWL_OPTS restart $RELOADOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
return 0
}
# restart the firewall # restart the firewall
shorewall_restart () { shorewall_restart () {
echo -n "Restarting \"Shorewall firewall\": " echo -n "Restarting \"Shorewall firewall\": "
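Review bot: `shorewall_reload` runs `$SRWL $SRWL_OPTS restart $RELOADOPTIONS`, which under the new semantics stops and starts the firewall; it should invoke `reload`. As written, `/etc/init.d/shorewall reload` is indistinguishable from `restart`, and the RELOADOPTIONS/RESTARTOPTIONS split introduced in this commit has no effect.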
@ -135,14 +142,17 @@ case "$1" in
refresh) refresh)
shorewall_refresh shorewall_refresh
;; ;;
force-reload|restart) restart)
shorewall_restart shorewall_restart
;; ;;
force0reload|reload)
shorewall_reload
;;
status) status)
shorewall_status shorewall_status
;; ;;
*) *)
echo "Usage: /etc/init.d/shorewall {start|stop|refresh|restart|force-reload|status}" echo "Usage: /etc/init.d/shorewall {start|stop|refresh|reload|restart|force-reload|status}"
exit 1 exit 1
esac esac
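Review bot: `force0reload|reload)` is a typo for `force-reload|reload)`. Because `force-reload` was also removed from the `restart)` case, it now matches no arm at all and falls through to the usage message, even though the updated usage string still advertises it.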

View File

@ -65,6 +65,21 @@ stop() {
return $retval return $retval
} }
reload() {
echo -n $"Reloading Shorewall: "
$shorewall $OPTIONS reload $RELOADOPTIONS 2>&1 | $logger
retval=${PIPESTATUS[0]}
if [[ $retval == 0 ]]; then
touch $lockfile
success
else # Failed to start, clean up lock file if present
rm -f $lockfile
failure
fi
echo
return $retval
}
restart() { restart() {
# Note that we don't simply stop and start since shorewall has a built in # Note that we don't simply stop and start since shorewall has a built in
# restart which stops the firewall if running and then starts it. # restart which stops the firewall if running and then starts it.
@ -100,7 +115,10 @@ case "$1" in
status_q || exit 0 status_q || exit 0
$1 $1
;; ;;
restart|reload|force-reload) reload|force-reload)
reload
;;
restart)
restart restart
;; ;;
condrestart|try-restart) condrestart|try-restart)

View File

@ -30,7 +30,6 @@ RCDLINKS="2,S41 3,S41 6,K41"
# shorewall start Starts the firewall # shorewall start Starts the firewall
# shorewall restart Restarts the firewall # shorewall restart Restarts the firewall
# shorewall reload Reload the firewall # shorewall reload Reload the firewall
# (same as restart)
# shorewall stop Stops the firewall # shorewall stop Stops the firewall
# shorewall status Displays firewall status # shorewall status Displays firewall status
# #
@ -82,7 +81,10 @@ case "$command" in
start) start)
exec $SBINDIR/shorewall $OPTIONS start $STARTOPTIONS exec $SBINDIR/shorewall $OPTIONS start $STARTOPTIONS
;; ;;
restart|reload) reload)
exec $SBINDIR/shorewall $OPTIONS reload $RELOADOPTIONS
;;
restart)
exec $SBINDIR/shorewall $OPTIONS restart $RESTARTOPTIONS exec $SBINDIR/shorewall $OPTIONS restart $RESTARTOPTIONS
;; ;;
status|stop) status|stop)

View File

@ -27,6 +27,11 @@ stop() {
exec /sbin/shorewall stop exec /sbin/shorewall stop
} }
reload() {
echo "Reloading IPv4 shorewall rules..."
exec /sbin/shorewall reload $RELOADOPTIONS
}
restart() { restart() {
echo "Restarting IPv4 shorewall rules..." echo "Restarting IPv4 shorewall rules..."
exec /sbin/shorewall restart $RESTARTOPTIONS exec /sbin/shorewall restart $RESTARTOPTIONS
@ -43,10 +48,13 @@ case "$1" in
'stop') 'stop')
stop stop
;; ;;
'reload'|'restart') 'reload')
reload
;;
'restart')
restart restart
;; ;;
'status') 'status')
status status
;; ;;
*) *)

View File

@ -31,7 +31,6 @@
# shorewall start Starts the firewall # shorewall start Starts the firewall
# shorewall restart Restarts the firewall # shorewall restart Restarts the firewall
# shorewall reload Reload the firewall # shorewall reload Reload the firewall
# (same as restart)
# shorewall stop Stops the firewall # shorewall stop Stops the firewall
# shorewall status Displays firewall status # shorewall status Displays firewall status
# #
@ -81,7 +80,10 @@ case "$command" in
start) start)
exec $SBINDIR/shorewall $OPTIONS start $STARTOPTIONS exec $SBINDIR/shorewall $OPTIONS start $STARTOPTIONS
;; ;;
restart|reload) reload)
exec $SBINDIR/shorewall $OPTIONS restart $RELOADOPTIONS
;;
restart)
exec $SBINDIR/shorewall $OPTIONS restart $RESTARTOPTIONS exec $SBINDIR/shorewall $OPTIONS restart $RESTARTOPTIONS
;; ;;
status|stop) status|stop)
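Review bot: the new `reload)` arm execs `shorewall $OPTIONS restart $RELOADOPTIONS` instead of `reload`, so this init script's reload performs a full stop and start; compare the equivalent hunk in the other init script in this commit, which passes `reload`. Change `restart` to `reload` here.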

View File

@ -931,7 +931,7 @@ update_command() {
} }
# #
# Restart Command Executor # Reload/Restart Command Executor
# #
restart_command() { restart_command() {
local finished local finished
@ -1027,22 +1027,22 @@ restart_command() {
uptodate ${VARDIR}/firewall && g_fast=Yes uptodate ${VARDIR}/firewall && g_fast=Yes
fi fi
g_file="${VARDIR}/.restart" g_file="${VARDIR}/.${COMMAND}"
if [ -z "$g_fast" ]; then if [ -z "$g_fast" ]; then
if compiler $g_debugging $nolock compile "$g_file"; then if compiler $g_debugging $nolock compile "$g_file"; then
[ -n "$nolock" ] || mutex_on [ -n "$nolock" ] || mutex_on
run_it ${VARDIR}/.restart $g_debugging restart run_it ${VARDIR}/.${COMMAND} $g_debugging ${COMMAND}
rc=$? rc=$?
[ -n "$nolock" ] || mutex_off [ -n "$nolock" ] || mutex_off
else else
rc=$? rc=$?
logger -p kern.err "ERROR:$g_product restart failed" logger -p kern.err "ERROR:$g_product ${COMMAND} failed"
fi fi
else else
[ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found" [ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found"
[ -n "$nolock" ] || mutex_on [ -n "$nolock" ] || mutex_on
run_it ${VARDIR}/firewall $g_debugging restart run_it ${VARDIR}/firewall $g_debugging $COMMAND
rc=$? rc=$?
[ -n "$nolock" ] || mutex_off [ -n "$nolock" ] || mutex_off
fi fi
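Review bot: the fast path (`g_fast`, taken when `uptodate ${VARDIR}/firewall`) now runs the existing compiled script with `$COMMAND` = `restart`, but a script compiled before this change carries the old `restart)` arm shown in the left column of the prog.footer hunk, which reloads in place rather than stopping and starting. Until the script is recompiled, `restart -f` therefore silently gets reload semantics; either force a recompile when the compiled script predates the new semantics or document the caveat in the restart entry.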
@ -1138,7 +1138,7 @@ refresh_command() {
} }
# #
# Safe-start/safe-restart Command Executor # Safe-start/safe-reload/safe-restart Command Executor
# #
safe_commands() { safe_commands() {
local finished local finished
@ -1229,8 +1229,8 @@ safe_commands() {
# the command is safe-start or shorewall[6] is not started yet # the command is safe-start or shorewall[6] is not started yet
command="start" command="start"
else else
# the command is safe-restart and the firewall is already running # the command is safe-reload or safe-restart and the firewall is already running
command="restart" command="${COMMAND#safe-}"
fi fi
g_file="${VARDIR}/.$command" g_file="${VARDIR}/.$command"
@ -1245,6 +1245,12 @@ safe_commands() {
RESTOREFILE=NONE RESTOREFILE=NONE
progress_message3 "Starting..." progress_message3 "Starting..."
;; ;;
reload)
RESTOREFILE=.safe
g_restorepath=${VARDIR}/.safe
save_config
progress_message3 "Reloading..."
;;
restart) restart)
RESTOREFILE=.safe RESTOREFILE=.safe
g_restorepath=${VARDIR}/.safe g_restorepath=${VARDIR}/.safe
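Review bot: as far as the hunk shows, the new `reload)` arm is a verbatim copy of the `restart)` arm beneath it (same RESTOREFILE and g_restorepath) apart from the progress message; fold them into a single `reload|restart)` arm and pick the message from `$command`, so the two paths cannot drift apart.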
@ -1262,7 +1268,7 @@ safe_commands() {
if read_yesno_with_timeout $timeout ; then if read_yesno_with_timeout $timeout ; then
echo "New configuration has been accepted" echo "New configuration has been accepted"
else else
if [ "$command" = "restart" ]; then if [ "$command" = "restart" -o "$command" = "reload" ]; then
run_it ${VARDIR}/.safe restore run_it ${VARDIR}/.safe restore
else else
run_it ${VARDIR}/.$command clear run_it ${VARDIR}/.$command clear
@ -1361,7 +1367,7 @@ try_command() {
command="start" command="start"
else else
# the firewall is already running # the firewall is already running
command="restart" command="reload"
fi fi
g_file="${VARDIR}/.$command" g_file="${VARDIR}/.$command"
@ -1378,11 +1384,11 @@ try_command() {
RESTOREFILE=NONE RESTOREFILE=NONE
progress_message3 "Starting..." progress_message3 "Starting..."
;; ;;
restart) reload)
RESTOREFILE=.try RESTOREFILE=.try
g_restorepath=${VARDIR}/.try g_restorepath=${VARDIR}/.try
save_config save_config
progress_message3 "Restarting..." progress_message3 "Reloading..."
;; ;;
esac esac
@ -1391,7 +1397,7 @@ try_command() {
if run_it ${VARDIR}/.$command $g_debugging $command && [ -n "$timeout" ]; then if run_it ${VARDIR}/.$command $g_debugging $command && [ -n "$timeout" ]; then
sleep $timeout sleep $timeout
if [ "$command" = "restart" ]; then if [ "$command" = "reload" ]; then
run_it ${VARDIR}/.try restore run_it ${VARDIR}/.try restore
else else
run_it ${VARDIR}/.$command clear run_it ${VARDIR}/.$command clear
@ -1417,9 +1423,9 @@ rcp_command() {
} }
# #
# [Re]load command executor # Remote-{start|reload|restart} command executor
# #
reload_command() # $* = original arguments less the command. remote_reload_command() # $* = original arguments less the command.
{ {
local verbose local verbose
verbose=$(make_verbose) verbose=$(make_verbose)
@ -1572,12 +1578,15 @@ reload_command() # $* = original arguments less the command.
progress_message3 "Copy complete" progress_message3 "Copy complete"
if [ $COMMAND = reload ]; then if [ $COMMAND = remote-reload ]; then
rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp restart" && \ rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp reload" && \
progress_message3 "System $system reloaded" || saveit= progress_message3 "System $system reloaded" || saveit=
elif [ $COMMAND = remote-restart ]; then
rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp restart" && \
progress_message3 "System $system restarted" || saveit=
else else
rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp start" && \ rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp start" && \
progress_message3 "System $system loaded" || saveit= progress_message3 "System $system started" || saveit=
fi fi
if [ -n "$saveit" ]; then if [ -n "$saveit" ]; then
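Review bot: the remote-reload branch now runs `shorewall-lite ... reload` on the target, a command shorewall-lite only understands from this release onward; a remote system still running an older shorewall-lite will get a usage error where the previous `restart` worked. Either fall back to `restart` when the remote CLI rejects `reload`, or state the version requirement in the remote-reload documentation.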
@ -1694,9 +1703,9 @@ compiler_command() {
shift shift
update_command $@ update_command $@
;; ;;
load|reload) remote-start|remote-reload-reload|remote-restart)
shift shift
reload_command $@ remote_reload_command $@
;; ;;
export) export)
shift shift
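Review bot: `remote-reload-reload` in the new case pattern is a typo for `remote-reload`; as written, `shorewall remote-reload ...` never reaches `remote_reload_command`, and the `[ $COMMAND = remote-reload ]` test inside that function is unreachable. Note also that the old `load` and `reload` remote commands are removed here with no alias while `reload` now means a local reload, so an existing script that ran `shorewall reload <system>` changes behaviour silently; call that out in the commit message or release notes.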
@ -1707,7 +1716,7 @@ compiler_command() {
shift shift
try_command $@ try_command $@
;; ;;
safe-restart|safe-start) safe-reload|safe-restart|safe-start)
get_config Yes get_config Yes
shift shift
safe_commands $@ safe_commands $@

View File

@ -312,30 +312,6 @@
expression</replaceable></arg> expression</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>load</option></arg>
<arg><option>-s</option></arg>
<arg><option>-c</option></arg>
<arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
<arg><option>-T</option></arg>
<arg><option>-i</option></arg>
<arg><replaceable>directory</replaceable></arg>
<arg choice="plain"><replaceable>system</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall</command> <command>shorewall</command>
@ -448,7 +424,55 @@
<arg>-<replaceable>options</replaceable></arg> <arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>reload</option></arg> <arg choice="plain"><option>remote_start</option></arg>
<arg><option>-s</option></arg>
<arg><option>-c</option></arg>
<arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
<arg><option>-T</option></arg>
<arg><option>-i</option></arg>
<arg><replaceable>directory</replaceable></arg>
<arg choice="plain"><replaceable>system</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>remote_reload</option></arg>
<arg><option>-s</option></arg>
<arg><option>-c</option></arg>
<arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
<arg><option>-T</option></arg>
<arg><option>-i</option></arg>
<arg><replaceable>directory</replaceable></arg>
<arg choice="plain"><replaceable>system</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>remote_restart</option></arg>
<arg><option>-s</option></arg> <arg><option>-s</option></arg>
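Review bot: these three synopses spell the commands `remote_start`, `remote_reload` and `remote_restart` with underscores, while the CLI dispatch added in this commit (`remote-start|...|remote-restart)`) uses hyphens, as do Shorewall's other multi-word commands (`safe-start`, `safe-restart`, `safe-reload`); one side has to change or users who follow the man page will get an unrecognised command. Hyphens would be the consistent choice.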
@ -1305,65 +1329,6 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">load</emphasis> [-<option>s</option>]
[-<option>c</option>] [-<option>r</option>
<replaceable>root-user-name</replaceable>] [-<option>T</option>]
[-<option>i</option>] [ <replaceable>directory</replaceable> ]
<replaceable>system</replaceable></term>
<listitem>
<para>If <emphasis>directory</emphasis> is omitted, the current
working directory is assumed. Allows a non-root user to compile a
shorewall script and install it on a system (provided that the user
has root access to the system via ssh). The command is equivalent
to:</para>
<programlisting> <emphasis role="bold">/sbin/shorewall compile -e</emphasis> <emphasis><replaceable>directory</replaceable></emphasis> <replaceable>directory</replaceable><emphasis
role="bold">/firewall &amp;&amp;\</emphasis>
<emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><replaceable>system</replaceable><emphasis
role="bold">:/var/lib/shorewall-lite/ &amp;&amp;\</emphasis>
<emphasis role="bold">ssh root@</emphasis><replaceable>system</replaceable> <emphasis
role="bold">'/sbin/shorewall-lite start'</emphasis></programlisting>
<para>In other words, the configuration in the specified (or
defaulted) directory is compiled to a file called firewall in that
directory. If compilation succeeds, then firewall is copied to
<replaceable>system</replaceable> using scp. If the copy succeeds,
Shorewall Lite on <replaceable>system</replaceable> is started via
ssh.</para>
<para>If <emphasis role="bold">-s</emphasis> is specified and the
<emphasis role="bold">start</emphasis> command succeeds, then the
remote Shorewall-lite configuration is saved by executing <emphasis
role="bold">shorewall-lite save</emphasis> via ssh.</para>
<para>if <emphasis role="bold">-c</emphasis> is included, the
command <emphasis role="bold">shorewall-lite show capabilities -f
&gt; /var/lib/shorewall-lite/capabilities</emphasis> is executed via
ssh then the generated file is copied to
<replaceable>directory</replaceable> using scp. This step is
performed before the configuration is compiled.</para>
<para>If <option>-r</option> is included, it specifies that the root
user on <replaceable>system</replaceable> is named
<replaceable>root-user-name</replaceable> rather than "root".</para>
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">logdrop</emphasis> <term><emphasis role="bold">logdrop</emphasis>
<replaceable>address</replaceable></term> <replaceable>address</replaceable></term>
@ -1551,13 +1516,202 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">reload </emphasis>[-<option>s</option>] <term><emphasis role="bold">reload </emphasis>[-<option>n</option>]
[-<option>c</option>] [-<option>r</option> [-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
[-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
[-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
<listitem>
<para>This command was re-implemented in Shorewall 5.0.0. The
pre-5.0.0 <command>reload</command> command is now called
<command>remote_restart</command> (see below).</para>
<para>Reload is similar to <emphasis role="bold">shorewall
start</emphasis> except that it assumes that the firewall is already
started. Existing connections are maintained. If a
<emphasis>directory</emphasis> is included in the command, Shorewall
will look in that <emphasis>directory</emphasis> first for
configuration files.</para>
<para>The <option>-n</option> option causes Shorewall to avoid
updating the routing table(s).</para>
<para>The <option>-p</option> option causes the connection tracking
table to be flushed; the <command>conntrack</command> utility must
be installed to use this option.</para>
<para>The <option>-d</option> option causes the compiler to run
under the Perl debugger.</para>
<para>The <option>-f</option> option suppresses the compilation step
and simply reused the compiled script which last started/restarted
Shorewall, provided that /etc/shorewall and its contents have not
been modified since the last start/restart.</para>
<para>The <option>-c</option> option was added in Shorewall 4.4.20
and performs the compilation step unconditionally, overriding the
AUTOMAKE setting in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When
both <option>-f</option> and <option>-c</option> are present, the
result is determined by the option that appears last.</para>
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<para>The <option>-C</option> option was added in Shorewall 4.6.5
and is only meaningful when AUTOMAKE=Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). If an
existing firewall script is used and if that script was the one that
generated the current running configuration, then the running
netfilter configuration will be reloaded as is so as to preserve the
iptables packet and byte counters.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">remote_start</emphasis>
[-<option>s</option>] [-<option>c</option>] [-<option>r</option>
<replaceable>root-user-name</replaceable>] [-<option>T</option>] <replaceable>root-user-name</replaceable>] [-<option>T</option>]
[-<option>i</option>] [ <replaceable>directory</replaceable> ] [-<option>i</option>] [ <replaceable>directory</replaceable> ]
<replaceable>system</replaceable></term> <replaceable>system</replaceable></term>
<listitem> <listitem>
<para>This command was renamed from <command>load</command> in
Shorewall 5.0.0.</para>
<para>If <emphasis>directory</emphasis> is omitted, the current
working directory is assumed. Allows a non-root user to compile a
shorewall script and install it on a system (provided that the user
has root access to the system via ssh). The command is equivalent
to:</para>
<programlisting> <emphasis role="bold">/sbin/shorewall compile -e</emphasis> <emphasis><replaceable>directory</replaceable></emphasis> <replaceable>directory</replaceable><emphasis
role="bold">/firewall &amp;&amp;\</emphasis>
<emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><replaceable>system</replaceable><emphasis
role="bold">:/var/lib/shorewall-lite/ &amp;&amp;\</emphasis>
<emphasis role="bold">ssh root@</emphasis><replaceable>system</replaceable> <emphasis
role="bold">'/sbin/shorewall-lite start'</emphasis></programlisting>
<para>In other words, the configuration in the specified (or
defaulted) directory is compiled to a file called firewall in that
directory. If compilation succeeds, then firewall is copied to
<replaceable>system</replaceable> using scp. If the copy succeeds,
Shorewall Lite on <replaceable>system</replaceable> is started via
ssh.</para>
<para>If <emphasis role="bold">-s</emphasis> is specified and the
<emphasis role="bold">start</emphasis> command succeeds, then the
remote Shorewall-lite configuration is saved by executing <emphasis
role="bold">shorewall-lite save</emphasis> via ssh.</para>
<para>if <emphasis role="bold">-c</emphasis> is included, the
command <emphasis role="bold">shorewall-lite show capabilities -f
&gt; /var/lib/shorewall-lite/capabilities</emphasis> is executed via
ssh then the generated file is copied to
<replaceable>directory</replaceable> using scp. This step is
performed before the configuration is compiled.</para>
<para>If <option>-r</option> is included, it specifies that the root
user on <replaceable>system</replaceable> is named
<replaceable>root-user-name</replaceable> rather than "root".</para>
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">remote_reload
</emphasis>[-<option>s</option>] [-<option>c</option>]
[-<option>r</option> <replaceable>root-user-name</replaceable>]
[-<option>T</option>] [-<option>i</option>] [
<replaceable>directory</replaceable> ]
<replaceable>system</replaceable></term>
<listitem>
<para>This command was added in Shorewall 5.0.0.</para>
<para>If <emphasis>directory</emphasis> is omitted, the current
working directory is assumed. Allows a non-root user to compile a
shorewall script and install it on a system (provided that the user
has root access to the system via ssh). The command is equivalent
to:</para>
<programlisting> <emphasis role="bold">/sbin/shorewall compile -e</emphasis> <emphasis>directory</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall &amp;&amp;\</emphasis>
<emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><emphasis>system</emphasis><emphasis
role="bold">:/var/lib/shorewall-lite/ &amp;&amp;\</emphasis>
<emphasis role="bold">ssh root@</emphasis><emphasis>system</emphasis> <emphasis
role="bold">'/sbin/shorewall-lite reload'</emphasis></programlisting>
<para>In other words, the configuration in the specified (or
defaulted) directory is compiled to a file called firewall in that
directory. If compilation succeeds, then firewall is copied to
<emphasis>system</emphasis> using scp. If the copy succeeds,
Shorewall Lite on <emphasis>system</emphasis> is restarted via
ssh.</para>
<para>If <emphasis role="bold">-s</emphasis> is specified and the
<emphasis role="bold">restart</emphasis> command succeeds, then the
remote Shorewall-lite configuration is saved by executing <emphasis
role="bold">shorewall-lite save</emphasis> via ssh.</para>
<para>if <emphasis role="bold">-c</emphasis> is included, the
command <emphasis role="bold">shorewall-lite show capabilities -f
&gt; /var/lib/shorewall-lite/capabilities</emphasis> is executed via
ssh then the generated file is copied to
<emphasis>directory</emphasis> using scp. This step is performed
before the configuration is compiled.</para>
<para>If <option>-r</option> is included, it specifies that the root
user on <replaceable>system</replaceable> is named
<replaceable>root-user-name</replaceable> rather than "root".</para>
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">remote_restart
</emphasis>[-<option>s</option>] [-<option>c</option>]
[-<option>r</option> <replaceable>root-user-name</replaceable>]
[-<option>T</option>] [-<option>i</option>] [
<replaceable>directory</replaceable> ]
<replaceable>system</replaceable></term>
<listitem>
<para>This command was renamed from <command>reload</command> in
Shorewall 5.0.0.</para>
<para>If <emphasis>directory</emphasis> is omitted, the current <para>If <emphasis>directory</emphasis> is omitted, the current
working directory is assumed. Allows a non-root user to compile a working directory is assumed. Allows a non-root user to compile a
shorewall script and install it on a system (provided that the user shorewall script and install it on a system (provided that the user
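Review bot: several wording errors in the added entries. In `reload`, "simply reused the compiled script" should be "simply reuses", and the `-f` text still refers only to "the last start/restart" although the script may now come from a reload. In `remote_reload`, the equivalent command ends with `'/sbin/shorewall-lite reload'` but the prose says Shorewall Lite "is restarted via ssh" and that `-s` saves the configuration if "the restart command succeeds"; both should say reload, otherwise readers will expect the semantics of the new full restart. Minor: "if -c is included" should be capitalised, and the `remote_start` listing marks the directory as `<emphasis><replaceable>directory</replaceable></emphasis>` while `remote_reload` uses plain `<emphasis>directory</emphasis>`; use one markup for both.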
@ -1628,12 +1782,14 @@
[-<option>C</option>] [ <replaceable>directory</replaceable> ]</term> [-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
<listitem> <listitem>
<para>Restart is similar to <emphasis role="bold">shorewall <para>Beginning with Shorewall 5.0.0, this command performs a true
start</emphasis> except that it assumes that the firewall is already restart. The firewall is completely stopped as if a
started. Existing connections are maintained. If a <command>stop</command> command had been issued then it is started
<emphasis>directory</emphasis> is included in the command, Shorewall again.</para>
will look in that <emphasis>directory</emphasis> first for
configuration files.</para> <para>If a <emphasis>directory</emphasis> is included in the
command, Shorewall will look in that <emphasis>directory</emphasis>
first for configuration files.</para>
<para>The <option>-n</option> option causes Shorewall to avoid <para>The <option>-n</option> option causes Shorewall to avoid
updating the routing table(s).</para> updating the routing table(s).</para>
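Review bot: the rewritten paragraph drops the sentence "Existing connections are maintained" without saying what replaces it. Since the firewall is now fully stopped and then started again, state explicitly what happens to established connections and conntrack state during the window between stop and start (and which traffic the stopped state permits), and point readers who need an in-place update to `reload`; operators who scripted `restart` for configuration pushes are the ones this change will surprise.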
@ -1744,6 +1900,38 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">safe-reload
</emphasis>[-<option>d</option>] [-<option>p</option>] [-<option>t
</option><replaceable>timeout</replaceable> ] [
<replaceable>directory</replaceable> ]</term>
<listitem>
<para>Added in Shorewall 5.0.0, this command performs the same
function as did <command>safe_restart</command> in earlier
releases.</para>
<para>Only allowed if Shorewall is running. The current
configuration is saved in /var/lib/shorewall/safe-reload (see the
save command below) then a <emphasis role="bold">shorewall
reload</emphasis> is done. You will then be prompted asking if you
want to accept the new configuration or not. If you answer "n" or if
you fail to answer within 60 seconds (such as when your new
configuration has disabled communication with your terminal), the
configuration is restored from the saved configuration. If a
directory is given, then Shorewall will look in that directory first
when opening configuration files.</para>
<para>Beginning with Shorewall 4.5.0, you may specify a different
<replaceable>timeout</replaceable> value using the
<option>-t</option> option. The numeric
<replaceable>timeout</replaceable> may optionally be followed by an
<option>s</option>, <option>m</option> or <option>h</option> suffix
(e.g., 5m) to specify seconds, minutes or hours respectively. If the
suffix is omitted, seconds is assumed.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">safe-restart <term><emphasis role="bold">safe-restart
</emphasis>[-<option>d</option>] [-<option>p</option>] [-<option>t </emphasis>[-<option>d</option>] [-<option>p</option>] [-<option>t
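Review bot: "performs the same function as did safe_restart in earlier releases" uses an underscore, but the command is spelled `safe-restart`, as the next entry shows; fix the spelling. The term lists `-d` and `-p` but the body only describes `-t`; since `-p` flushes the connection tracking table elsewhere in this man page, a one-line description of both would avoid surprises. Also, "Beginning with Shorewall 4.5.0, you may specify a different timeout" is copied from safe-restart and reads oddly inside a command that was "Added in Shorewall 5.0.0"; drop the version qualifier here.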

View File

@ -699,8 +699,9 @@
<para>If <option>-f</option> is given, the command will be processed <para>If <option>-f</option> is given, the command will be processed
by the compiled script that executed the last successful by the compiled script that executed the last successful
<command>start</command>, <command>restart</command> or <command>start</command>, <command>reload</command>, <emphasis
<command>refresh</command> command if that script exists.</para> role="bold">restart</emphasis> or <command>refresh</command> command
if that script exists.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
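Review bot: the inserted `restart` is marked up as `<emphasis role="bold">restart</emphasis>` while `start`, `reload` and `refresh` in the same sentence use `<command>`; use `<command>restart</command>` so the four command names render alike.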
@ -1003,6 +1004,31 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">reload </emphasis>[-n] [-p]
[-<option>C</option>]</term>
<listitem>
<para>Added in Shorewall 5.0.0, <emphasis
role="bold">reload</emphasis> is similar to <command>shorewall6-lite
start</command> except that it assumes that the firewall is already
started. Existing connections are maintained.</para>
<para>The <option>-n</option> option causes shorewall6-lite to avoid
updating the routing table(s).</para>
<para>The <option>-p</option> option causes the connection tracking
table to be flushed; the <command>conntrack</command> utility must
be installed to use this option.</para>
<para>The <option>-C</option> option was added in Shorewall 4.6.5.
If the specified (or implicit) firewall script is the one that
generated the current running configuration, then the running
netfilter configuration will be reloaded as is so as to preserve the
iptables packet and byte counters.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">reset [<replaceable>chain</replaceable>, <term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
...]</emphasis><acronym/></term> ...]</emphasis><acronym/></term>
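Review bot: in the term, `-n` and `-p` are written as bare `[-n] [-p]` while `-C` is wrapped in `<option>`; mark all three up as `<option>`. The body also says the `-C` option "was added in Shorewall 4.6.5" inside an entry that opens with "Added in Shorewall 5.0.0"; that history is inherited from the restart entry and should be worded as such (for example "as for restart") so it does not read as a contradiction.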
@ -1020,9 +1046,10 @@
[-<option>C</option>]</term> [-<option>C</option>]</term>
<listitem> <listitem>
<para>Restart is similar to <command>shorewall6-lite start</command> <para>Beginning with Shorewall 5.0.0, this command performs a true
except that it assumes that the firewall is already started. restart. The firewall is completely stopped as if a
Existing connections are maintained.</para> <command>stop</command> command had been issued then it is started
again.</para>
<para>The <option>-n</option> option causes shorewall6-lite to avoid <para>The <option>-n</option> option causes shorewall6-lite to avoid
updating the routing table(s).</para> updating the routing table(s).</para>
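Review bot: as with the shorewall(8) restart entry, the replacement text removes "Existing connections are maintained" without stating the new behaviour; say explicitly whether established connections survive the stop/start sequence and refer readers to `reload` for the connection-preserving path.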

View File

@ -263,30 +263,6 @@
expression</replaceable></arg> expression</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>load</option></arg>
<arg><option>-s</option></arg>
<arg><option>-c</option></arg>
<arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
<arg><option>-T</option></arg>
<arg><option>-i</option></arg>
<arg><replaceable>directory</replaceable></arg>
<arg choice="plain"><replaceable>system</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall6</command> <command>shorewall6</command>
@ -402,7 +378,55 @@
<arg>-<replaceable>options</replaceable></arg> <arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>reload</option></arg> <arg choice="plain"><option>remote_start</option></arg>
<arg><option>-s</option></arg>
<arg><option>-c</option></arg>
<arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
<arg><option>-T</option></arg>
<arg><option>-i</option></arg>
<arg><replaceable>directory</replaceable></arg>
<arg choice="plain"><replaceable>system</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>remote_reload</option></arg>
<arg><option>-s</option></arg>
<arg><option>-c</option></arg>
<arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
<arg><option>-T</option></arg>
<arg><option>-i</option></arg>
<arg><replaceable>directory</replaceable></arg>
<arg choice="plain"><replaceable>system</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>remote_restart</option></arg>
<arg><option>-s</option></arg> <arg><option>-s</option></arg>
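Review bot: same spelling conflict as the shorewall(8) synopses: `remote_start`, `remote_reload` and `remote_restart` here use underscores while the CLI case pattern in this commit matches hyphenated names only; make the man page and the dispatch agree.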
@ -430,6 +454,29 @@
<arg choice="plain"><option>reset</option></arg> <arg choice="plain"><option>reset</option></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>reload</option></arg>
<arg><option>-n</option></arg>
<arg><option>-f</option></arg>
<arg><option>-c</option></arg>
<arg><option>-T</option></arg>
<arg><option>-i</option><arg><option>-C</option></arg></arg>
<arg><replaceable>directory</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall6</command> <command>shorewall6</command>
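Review bot: this synopsis omits `-p` and `-d`, but the `reload` term later in this same file (`[-n] [-p] [-d] [-f] [-c] [-T] [-i] [-C]`) lists both, and `-C` is nested inside the `-i` arg as if it depended on it; list the options flat and add the two missing ones so the synopsis and the description match.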
@ -482,6 +529,23 @@
<arg><replaceable>parameter ...</replaceable></arg> <arg><replaceable>parameter ...</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>safe-reload</option></arg>
<arg><option>-d</option></arg>
<arg><option>-t</option> <replaceable>timeout</replaceable></arg>
<arg><replaceable>directory</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall6</command> <command>shorewall6</command>
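Review bot: this synopsis lists only `-d`, `-t timeout` and directory, whereas the shorewall(8) safe-reload term added in this commit also lists `-p`; either `-p` is missing here or the two man pages intentionally differ, and the two should be made to agree.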
@ -1201,65 +1265,6 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">load </emphasis> [-<option>s</option>]
[-<option>c</option>] [-<option>r</option>
<replaceable>root-user-name</replaceable>] [-<option>T</option>]
[-<option>i</option>] [ <replaceable>directory</replaceable> ]
<replaceable>system</replaceable></term>
<listitem>
<para>If <emphasis>directory</emphasis> is omitted, the current
working directory is assumed. Allows a non-root user to compile a
shorewall6 script and install it on a system (provided that the user
has root access to the system via ssh). The command is equivalent
to:</para>
<programlisting> <emphasis role="bold">/sbin/shorewall6 compile -e</emphasis> <emphasis><replaceable>directory</replaceable></emphasis> <replaceable>directory</replaceable><emphasis
role="bold">/firewall &amp;&amp;\</emphasis>
<emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><replaceable>system</replaceable><emphasis
role="bold">:/var/lib/shorewall6-lite/ &amp;&amp;\</emphasis>
<emphasis role="bold">ssh root@</emphasis><replaceable>system</replaceable> <emphasis
role="bold">'/sbin/shorewall6-lite start'</emphasis></programlisting>
<para>In other words, the configuration in the specified (or
defaulted) directory is compiled to a file called firewall in that
directory. If compilation succeeds, then firewall is copied to
<replaceable>system</replaceable> using scp. If the copy succeeds,
Shorewall6 Lite on <replaceable>system</replaceable> is started via
ssh.</para>
<para>If <option>-s</option> is specified and the <emphasis
role="bold">start</emphasis> command succeeds, then the remote
Shorewall6-lite configuration is saved by executing
<command>shorewall6-lite save</command> via ssh.</para>
<para>if <option>-c</option> is included, the command
<command>shorewall6-lite show capabilities -f &gt;
/var/lib/shorewall6-lite/capabilities</command> is executed via ssh
then the generated file is copied to
<replaceable>directory</replaceable> using scp. This step is
performed before the configuration is compiled.</para>
<para>If <option>-r</option> is included, it specifies that the root
user on <replaceable>system</replaceable> is named
<replaceable>root-user-name</replaceable> rather than "root".</para>
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">logdrop <term><emphasis role="bold">logdrop
</emphasis><replaceable>address</replaceable></term> </emphasis><replaceable>address</replaceable></term>
@ -1448,13 +1453,141 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">reload </emphasis>[-<option>s</option>] <term><emphasis role="bold">reload </emphasis>[-<option>n</option>]
[-<option>c</option>] [-<option>r</option> [-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
<replaceable>root-user-name</replaceable>] [-<option>T</option>] [-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
[-<option>i</option>] [ <replaceable>directory</replaceable> ] [-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
<listitem>
<para>This command was re-implemented in Shorewall 5.0.0. The
pre-5.0.0 <command>reload</command> command is now called
<command>remote_restart</command> (see below).</para>
<para>Reload is similar to <command>shorewall6 start</command>
except that it assumes that the firewall is already started.
Existing connections are maintained. If a
<emphasis>directory</emphasis> is included in the command,
Shorewall6 will look in that <emphasis>directory</emphasis> first
for configuration files.</para>
<para>The <option>-n</option> option causes Shorewall6 to avoid
updating the routing table(s).</para>
<para>The <option>-p</option> option causes the connection tracking
table to be flushed; the <command>conntrack</command> utility must
be installed to use this option.</para>
<para>The <option>-d</option> option causes the compiler to run
under the Perl debugger.</para>
<para>The <option>-f</option> option suppresses the compilation step
and simply reused the compiled script which last started/restarted
Shorewall, provided that <filename class="directory">/etc/shorewall6
</filename> and its contents have not been modified since the last
start/restart.</para>
<para>The <option>-c</option> option was added in Shorewall 4.4.20
and performs the compilation step unconditionally, overriding the
AUTOMAKE setting in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
When both <option>-f</option> and <option>-c</option> are present,
the result is determined by the option that appears last.</para>
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<para>The <option>-C</option> option was added in Shorewall 4.6.5
and is only meaningful when AUTOMAKE=Yes in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). If
an existing firewall script is used and if that script was the one
that generated the current running configuration, then the running
netfilter configuration will be reloaded as is so as to preserve the
iptables packet and byte counters.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">remote_reload
</emphasis>[-<option>s</option>] [-<option>c</option>]
[-<option>r</option> <replaceable>root-user-name</replaceable>]
[-<option>T</option>] [-<option>i</option>] [
<replaceable>directory</replaceable> ]
<replaceable>system</replaceable></term> <replaceable>system</replaceable></term>
<listitem> <listitem>
<para>This command was added in Shorewall 5.0.0.</para>
<para>If <emphasis>directory</emphasis> is omitted, the current
working directory is assumed. Allows a non-root user to compile a
shorewall6 script and install it on a system (provided that the user
has root access to the system via ssh). The command is equivalent
to:</para>
<programlisting> <emphasis role="bold">/sbin/shorewall6 compile -e</emphasis> <emphasis>directory</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall &amp;&amp;\</emphasis>
<emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><emphasis>system</emphasis><emphasis
role="bold">:/var/lib/shorewall6-lite/ &amp;&amp;\</emphasis>
<emphasis role="bold">ssh root@</emphasis><emphasis>system</emphasis> <emphasis
role="bold">'/sbin/shorewall6-lite reload'</emphasis></programlisting>
<para>In other words, the configuration in the specified (or
defaulted) directory is compiled to a file called firewall in that
directory. If compilation succeeds, then firewall is copied to
<emphasis>system</emphasis> using scp. If the copy succeeds,
Shorewall6 Lite on <emphasis>system</emphasis> is restarted via
ssh.</para>
<para>If <option>-s</option> is specified and the
<command>restart</command> command succeeds, then the remote
Shorewall6-lite configuration is saved by executing
<command>shorewall6-lite save</command> via ssh.</para>
<para>if <option>-c</option> is included, the command
<command>shorewall6-lite show capabilities -f &gt;
/var/lib/shorewall6-lite/capabilities</command> is executed via ssh
then the generated file is copied to <emphasis>directory</emphasis>
using scp. This step is performed before the configuration is
compiled.</para>
<para>If <option>-r</option> is included, it specifies that the root
user on <replaceable>system</replaceable> is named
<replaceable>root-user-name</replaceable> rather than "root".</para>
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">remote_ restart
</emphasis>[-<option>s</option>] [-<option>c</option>]
[-<option>r</option> <replaceable>root-user-name</replaceable>]
[-<option>T</option>] [-<option>i</option>] [
<replaceable>directory</replaceable> ]
<replaceable>system</replaceable></term>
<listitem>
<para>This command was renamed from <command>reload</command> in
Shorewall 5.0.0.</para>
<para>If <emphasis>directory</emphasis> is omitted, the current <para>If <emphasis>directory</emphasis> is omitted, the current
working directory is assumed. Allows a non-root user to compile a working directory is assumed. Allows a non-root user to compile a
shorewall6 script and install it on a system (provided that the user shorewall6 script and install it on a system (provided that the user
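Review bot: the `<term>` of the second entry in this hunk reads `remote_ restart` with a stray space inside the command name; it should be `remote_restart`, matching the `remote_start` term added later in the file. In the same hunk the prose of the first entry contradicts its own listing: the listing ends with `'/sbin/shorewall6-lite reload'`, yet the text says "Shorewall6 Lite on system is restarted via ssh" and "If -s is specified and the restart command succeeds"; since this commit gives `reload` and `restart` distinct meanings, change these to "reloaded via ssh" and "the reload command succeeds". Minor: "if <option>-c</option> is included" should begin with a capital "If".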
@ -1506,6 +1639,67 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">remote_start </emphasis>
[-<option>s</option>] [-<option>c</option>] [-<option>r</option>
<replaceable>root-user-name</replaceable>] [-<option>T</option>]
[-<option>i</option>] [ <replaceable>directory</replaceable> ]
<replaceable>system</replaceable></term>
<listitem>
<para>This command was added in Shorewall 5.0.0.</para>
<para>If <emphasis>directory</emphasis> is omitted, the current
working directory is assumed. Allows a non-root user to compile a
shorewall6 script and install it on a system (provided that the user
has root access to the system via ssh). The command is equivalent
to:</para>
<programlisting> <emphasis role="bold">/sbin/shorewall6 compile -e</emphasis> <emphasis><replaceable>directory</replaceable></emphasis> <replaceable>directory</replaceable><emphasis
role="bold">/firewall &amp;&amp;\</emphasis>
<emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><replaceable>system</replaceable><emphasis
role="bold">:/var/lib/shorewall6-lite/ &amp;&amp;\</emphasis>
<emphasis role="bold">ssh root@</emphasis><replaceable>system</replaceable> <emphasis
role="bold">'/sbin/shorewall6-lite start'</emphasis></programlisting>
<para>In other words, the configuration in the specified (or
defaulted) directory is compiled to a file called firewall in that
directory. If compilation succeeds, then firewall is copied to
<replaceable>system</replaceable> using scp. If the copy succeeds,
Shorewall6 Lite on <replaceable>system</replaceable> is started via
ssh.</para>
<para>If <option>-s</option> is specified and the <emphasis
role="bold">start</emphasis> command succeeds, then the remote
Shorewall6-lite configuration is saved by executing
<command>shorewall6-lite save</command> via ssh.</para>
<para>if <option>-c</option> is included, the command
<command>shorewall6-lite show capabilities -f &gt;
/var/lib/shorewall6-lite/capabilities</command> is executed via ssh
then the generated file is copied to
<replaceable>directory</replaceable> using scp. This step is
performed before the configuration is compiled.</para>
<para>If <option>-r</option> is included, it specifies that the root
user on <replaceable>system</replaceable> is named
<replaceable>root-user-name</replaceable> rather than "root".</para>
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">reset [<replaceable>chain</replaceable>, <term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
...]</emphasis><acronym/></term> ...]</emphasis><acronym/></term>
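Review bot: the markup for the `directory` placeholder is inconsistent within the new `remote_start` listing: the first line uses `<emphasis><replaceable>directory</replaceable></emphasis>` followed by a bare `<replaceable>directory</replaceable>`, while the scp line uses `<emphasis>directory</emphasis>`; use `<replaceable>` throughout so the rendered output is uniform (the paragraphs below the listing already do). The sentence "if <option>-c</option> is included" needs a capital "If", and "Shorewall6 Lite" / "Shorewall6-lite" are spelled two ways within the same entry. Finally, the `-s` paragraph states that the save runs only when the remote `start` succeeds; it would help operators to say in the same sentence that the saved configuration on `system` is left unchanged when `start` fails, since that is the point at which the command stops.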
@ -1525,12 +1719,14 @@
[-<option>C</option>] [ <replaceable>directory</replaceable> ]</term> [-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
<listitem> <listitem>
<para>Restart is similar to <command>shorewall6 start</command> <para>Beginning with Shorewall 5.0.0, this command performs a true
except that it assumes that the firewall is already started. restart. The firewall is completely stopped as if a
Existing connections are maintained. If a <command>stop</command> command had been issued then it is started
<emphasis>directory</emphasis> is included in the command, again.</para>
Shorewall6 will look in that <emphasis>directory</emphasis> first
for configuration files.</para> <para>If a <emphasis>directory</emphasis> is included in the
command, Shorewall6 will look in that <emphasis>directory</emphasis>
first for configuration files.</para>
<para>The <option>-n</option> option causes Shorewall6 to avoid <para>The <option>-n</option> option causes Shorewall6 to avoid
updating the routing table(s).</para> updating the routing table(s).</para>
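Review bot: the rewritten `restart` paragraph drops the old sentence "Existing connections are maintained" without stating what replaces it. Because the command now stops the firewall completely and then starts it, the entry should say explicitly that the firewall is in its stopped state between the two steps, so whatever policy applies while stopped governs that window, and that administrators who relied on the previous connection-preserving behaviour should use `reload`, which this commit introduces. Also, "as if a <command>stop</command> command had been issued then it is started again" needs punctuation: "had been issued, and then it is started again".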