diff --git a/Shorewall-lite/shorewall-lite b/Shorewall-lite/shorewall-lite index a63e29217..df190fe97 100755 --- a/Shorewall-lite/shorewall-lite +++ b/Shorewall-lite/shorewall-lite @@ -631,11 +631,15 @@ case "$COMMAND" in stop|clear) [ $# -ne 1 ] && usage 1 verify_firewall_script - run_it $g_firewall $debugging $nolock $COMMAND + [ -n "$nolock" ] || mutex_on + run_it $g_firewall $debugging $COMMAND + [ -n "$nolock" ] || mutex_off ;; reset) verify_firewall_script - run_it $SHOREWALL_SHELL $g_firewall $debugging $nolock $@ + [ -n "$nolock" ] || mutex_on + run_it $SHOREWALL_SHELL $g_firewall $debugging $@ + [ -n "$nolock" ] || mutex_off ;; restart) shift diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 60ae82120..655d9aca3 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -8,6 +8,8 @@ Changes in Shorewall 4.4.11.1 4) Don't slow down 'stop' with 'wait'. +5) Resolve mutex/nolock issues. + Changes in Shorewall 4.4.11 1) Apply patch from Gabriel. diff --git a/Shorewall/known_problems.txt b/Shorewall/known_problems.txt index 8a806d048..f5f0352d2 100644 --- a/Shorewall/known_problems.txt +++ b/Shorewall/known_problems.txt @@ -32,4 +32,10 @@ Suggested workaround is to set startup=1 in your /etc/default/shorewall* files. +5) /sbin/shorewall and /sbin/shorewall6 sometimes fail to honor the + 'nolock' option. In other cases, this option is incorrectly passed + on to the compiled script, causing the script to issue a usage + synopsis and to terminate. + + diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 7ff9fa8ec..901ae6b4f 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
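Review bot: The new `[ -n "$nolock" ] || mutex_on` / `mutex_off` guards in the `stop|clear)` and `reset)` branches of Shorewall-lite/shorewall-lite carry no comment saying why `$nolock` was dropped from the `run_it` arguments. The known_problems entry in this commit gives the reason (the compiled script prints a usage synopsis and terminates when it receives the option). A one-line comment above the first guard would keep a later edit from re-adding it, for example `# nolock is consumed here; the compiled script rejects it, so never pass it to run_it`. The enclosing `case "$COMMAND"` statement starts and ends outside the hunk.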
@@ -233,6 +233,11 @@ I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E 3) Previously, using a destination port-range with :random produced a fatal compilation error in REDIRECT rules. +4) /sbin/shorewall and /sbin/shorewall6 sometimes failed to honor the + 'nolock' option. In other cases, this option was incorrectly passed + on to the compiled script, causing the script to issue a usage + synopsis and to terminate. + 4.4.11 1) The IPv6 allowBcast action generated an invalid rule. diff --git a/Shorewall/shorewall b/Shorewall/shorewall index bab9a9bc4..7485d5e94 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall @@ -1631,17 +1631,17 @@ case "$COMMAND" in get_config [ $# -ne 1 ] && usage 1 [ -x $g_firewall ] || fatal_error "Shorewall has never been started" - mutex_on - run_it $g_firewall $g_debugging $nolock $COMMAND - mutex_off + [ -n "$nolock" ] || mutex_on + run_it $g_firewall $g_debugging $COMMAND + [ -n "$nolock" ] || mutex_off ;; reset) get_config shift - mutex_on + [ -n "$nolock" ] || mutex_on [ -x $g_firewall ] || fatal_error "Shorewall has never been started" - run_it $g_firewall $g_debugging $nolock reset $@ - mutex_off + run_it $g_firewall $g_debugging reset $@ + [ -n "$nolock" ] || mutex_off ;; compile) get_config Yes diff --git a/Shorewall6-lite/shorewall6-lite b/Shorewall6-lite/shorewall6-lite index 89a36c505..d53ff86c6 100755 --- a/Shorewall6-lite/shorewall6-lite +++ b/Shorewall6-lite/shorewall6-lite @@ -615,7 +615,9 @@ case "$COMMAND" in stop|reset|clear) [ $# -ne 1 ] && usage 1 verify_firewall_script - run_it $g_firewall $debugging $nolock $COMMAND + [ -n "$nolock" ] || mutex_on + run_it $g_firewall $debugging $COMMAND + [ -n "$nolock" ] || mutex_on ;; restart) shift diff --git a/Shorewall6/shorewall6 b/Shorewall6/shorewall6 index c1f3e23a4..ab32081f1 100755 --- a/Shorewall6/shorewall6 +++ b/Shorewall6/shorewall6 
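Review bot: In the `reset)` branch of Shorewall/shorewall the lock is taken before the `[ -x $g_firewall ] || fatal_error "Shorewall has never been started"` check, while the branch above it in the same hunk performs that check first and only then locks. If `fatal_error` exits without calling `mutex_off` (its body is not visible here, so this needs confirming), a `reset` on a never-started firewall would leave the lock held and stall later firewall commands. Putting the check first, so that `[ -n "$nolock" ] || mutex_on` follows the `[ -x $g_firewall ]` line, makes both branches agree. The `reset)` branch in the Shorewall6/shorewall6 hunk has the same ordering. The enclosing `case` statement starts and ends outside the hunk.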
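Review bot: The third added line in the `stop|reset|clear)` branch of Shorewall6-lite/shorewall6-lite calls `mutex_on` a second time where the other three scripts in this commit call `mutex_off`, so the lock taken before `run_it` is never released on this path. Depending on how `mutex_on` treats a lock already held by the same process (not visible here), the command would either wait on its own lock or leave it behind for the next firewall command to wait on. The line after `run_it $g_firewall $debugging $COMMAND` should read `[ -n "$nolock" ] || mutex_off`. The enclosing `case` statement starts and ends outside the hunk.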
@@ -1544,17 +1544,17 @@ case "$COMMAND" in [ $# -ne 1 ] && usage 1 get_config [ -x $g_firewall ] || fatal_error "Shorewall6 has never been started" - mutex_on - run_it $g_firewall $g_debugging $nolock $COMMAND - mutex_off + [ -n "$nolock" ] || mutex_on + run_it $g_firewall $g_debugging $COMMAND + [ -n "$nolock" ] || mutex_off ;; reset) get_config shift - mutex_on + [ -n "$nolock" ] || mutex_on [ -x $g_firewall ] || fatal_error "Shorewall6 has never been started" - run_it $g_firewall $g_debugging $nolock reset $@ - mutex_off + run_it $g_firewall $g_debugging reset $@ + [ -n "$nolock" ] || mutex_off ;; compile) get_config Yes