From 1d19c1b8eb57dc193bbd85a68c11685c8fadd020 Mon Sep 17 00:00:00 2001
From: teastep
Date: Tue, 3 Jul 2007 19:55:01 +0000
Subject: [PATCH] More wrapup of 'refresh' restoration
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6768 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-common/changelog.txt | 2 ++
 Shorewall-common/releasenotes.txt | 12 ++++-------
 Shorewall-perl/Shorewall/Chains.pm | 4 +---
 docs/Shorewall-perl.xml | 22 +++++++++++++++++++---
 docs/shorewall_extension_scripts.xml | 6 +++---
 manpages/shorewall.xml | 18 +++++++++++------
 6 files changed, 40 insertions(+), 24 deletions(-)
diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt
index 4f391c105..f4c026a5b 100644
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@@ -14,6 +14,8 @@ Changes in 4.0.0 RC 1
 7) Work around SELinux nonsense.
+8) Restore the 'refresh' command.
+
 Changes in 4.0.0 Beta 6
 1) First step to adding compiler debugging facility.
diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt
index 1f476c05f..031ea2fdf 100644
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@@ -340,6 +340,7 @@ Migration Considerations:
 following exceptions:
 - The refresh command is rejected if Shorewall is not running.
+ - The refresh command only rebuilds the 'blacklst' chain.
 - A directory name may not be specified in the refresh command.
 g) Some run-time scripts have been converted to compile time
@@ -357,14 +358,9 @@ Migration Considerations:
 my $chainref = $chain_table{'filter'}{'INPUT'};
- Some run-time scripts are simply eliminated because they no
- longer make any sense under Shorewall-perl:
-
- continue - This script was designed to allow you to add
- special rules during [re]start.
- Shorewall-perl doesn't need such rules.
- refresh - The 'refresh' command is the same as 'restart'
- refreshed
+ The continue script is eliminated. That script was designed to
+ allow you to add special rules during [re]start. Shorewall-perl
+ doesn't need such rules.
 h) The /etc/shorewall/tos file now has zone-independent SOURCE and
 DEST columns as do all other files except the rules and policy
diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index ed8125a87..11846b310 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -1993,9 +1993,7 @@ sub create_blacklist_reload() {
 emitr '*filter';
 emitr ':blacklst - [0:0]';
- my $chainref = $filter_table->{blacklst};
-
- for my $rule ( @{$chainref->{rules}} ) {
+ for my $rule ( @{$filter_table->{blacklst}{rules}} ) {
 emitr( substr( $rule, 0, 1 ) eq '~' ? $rule : "-A blacklst $rule" );
 }
 #
diff --git a/docs/Shorewall-perl.xml b/docs/Shorewall-perl.xml
index 12f6f6fd1..407b2d76d 100644
--- a/docs/Shorewall-perl.xml
+++ b/docs/Shorewall-perl.xml
@@ -132,8 +132,24 @@
- The 'refresh' command is now synonymous with
- 'restart'.
+ The 'refresh' command is now similar to restart with the
+ exceptios that:
+
+
+
+ The command fails if Shorewall is not running.
+
+
+
+ A directory name cannot be specified in the
+ command.
+
+
+
+ The refresh command does not alter the Netfilter
+ configuration except for the static blacklist.
+
+
@@ -173,7 +189,7 @@
 initdone
- refresh
+
diff --git a/docs/shorewall_extension_scripts.xml b/docs/shorewall_extension_scripts.xml
index f69c794ce..ae09bbab9 100644
--- a/docs/shorewall_extension_scripts.xml
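Review bot: `for my $rule ( @{$filter_table->{blacklst}{rules}} )` evaluates its list in lvalue context, so when the filter table has no `blacklst` entry Perl autovivifies `$filter_table->{blacklst}{rules}` as an empty array instead of failing, and the generated script then carries the unconditional `:blacklst - [0:0]` header with no rules while a stub chain entry is left behind in `$filter_table`. The removed `$chainref` form behaved the same way, so this is not a regression, but because refresh rebuilds only this chain a missing entry looks more like a compiler bug than a legitimately empty blacklist; a guard such as `die "blacklst chain is not defined" unless exists $filter_table->{blacklst};` ahead of the loop would surface that case. The `substr( $rule, 0, 1 ) eq '~'` test on the following line also deserves a one-line comment saying what a leading `~` marks — presumably a rule that is already a complete iptables-restore line, which should be confirmed against the code that produces those rules. `create_blacklist_reload` begins and ends outside the hunk.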
+++ b/docs/shorewall_extension_scripts.xml
@@ -101,8 +101,8 @@
 refresh -- invoked while the firewall is being refreshed but
- before the blacklst chains have been rebuilt (Not used by Shorewall
- Perl).
+ before the blacklst chains have been rebuilt (Note: Shorewall-perl does
+ not rebuild the blacklist during refresh).
@@ -366,7 +366,7 @@
 initdone
- refresh
+
diff --git a/manpages/shorewall.xml b/manpages/shorewall.xml
index b06057282..a395fac9d 100644
--- a/manpages/shorewall.xml
+++ b/manpages/shorewall.xml
@@ -810,13 +810,17 @@
 refresh
- The rules involving the the black list, ECN control rules, and
- traffic shaping are recreated to reflect any changes made to your
- configuration files. Existing connections are untouched. Under
- Shorewall-perl, refresh preforms the same action
- as restart (refresh requires
- that Shorewall is already running and does not accept a directory
- name as an argument).
+ Shorewall-shell: The rules involving the the black list, ECN
+ control rules, and traffic shaping are recreated to reflect any
+ changes made to your configuration files. Existing connections are
+ untouched.
+
+ Shorewall-perl: All steps performed by
+ restart are performed by
+ refresh with the exception that
+ refresh only recreates the static blacklist while
+ restart recreates the entire Netfilter
+ ruleset.