Add the '-p' option to start/restart (purge the conntrack table)

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8485 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-common/changelog.txt

@@ -6,6 +6,8 @@ Changes in 4.1.8
 
 3)  Improvements in parsing.
 
+4)  Add the -p option to start and stop
+
 Changes in 4.1.7
 
 1)  Fix port verification.

Shorewall-common/modules

@@ -107,6 +107,7 @@ loadmodule sch_sfq
 loadmodule sch_ingress
 loadmodule sch_htb
 loadmodule cls_u32
+loadmodule cls_fw
 loadmodule act_police
 #
 # Extensions

Shorewall-common/releasenotes.txt

@@ -85,6 +85,12 @@ Problems Corrected in Shorewall 4.1.8
     the value of that variable was not passed to the shorewall[-lite]
     command.
 
+3)  With both Shorewall and Shorewall Lite, the 'start' and 'restart'
+    commands now support a '-p' option. This option causes the
+    Netfilter connection tracking table to be flushed (purged) as part
+    of the operation. The 'conntrack' utility must be installed to use
+    this option.
+
 Other Changes in Shoreall 4.1.8.
 
 1)  When using Shorewall-perl, the CEIL and RATE columns must now

Shorewall-common/shorewall

@@ -484,6 +484,11 @@ start_command() {
 			    FAST=Yes
 			    option=${option#f}
 			    ;;
+			p*)
+			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
+			    PURGE=Yes
+			    option=${option%p}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -520,6 +525,7 @@ start_command() {
     esac
 
     export NOROUTES
+    export PURGE
 
     if [ -n "$FAST" ]; then
 	if qt mywhich make; then
@@ -765,6 +771,11 @@ restart_command() {
 			    option=
 			    shift
 			    ;;
+			p*)
+			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
+			    PURGE=Yes
+			    option=${option%p}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -803,6 +814,7 @@ restart_command() {
     [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"
 
     export NOROUTES
+    export PURGE
 
     progress_message3 "Compiling..."
 
@@ -1416,11 +1428,11 @@ usage() # $1 = exit status
     echo "   reject <address> ..."
     echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ -C {shell|perl} ] [ <directory> ] <system>"
     echo "   reset"
-    echo "   restart [ -n ] [ -C {shell|perl} ] [ <directory> ]"
+    echo "   restart [ -n ] [ -p ] [ -C {shell|perl} ] [ <directory> ]"
     echo "   restore [ -n ] [ <file name> ]"
     echo "   save [ <file name> ]"
     echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|routing|tc|vardir|zones} ]"
-    echo "   start [ -f ] [ -n ] [ -C {shell|perl} ] [ <directory> ]"
+    echo "   start [ -f ] [ -n ] [ -p ] [ -C {shell|perl} ] [ <directory> ]"
     echo "   stop [ -f ]"
     echo "   status"
     echo "   try [ -C {shell|perl} ] <directory> [ <timeout> ]"
@@ -1454,6 +1466,7 @@ FAST=
 VERBOSE_OFFSET=0
 USE_VERBOSITY=
 NOROUTES=
+PURGE=
 EXPORT=
 export TIMESTAMP=
 noroutes=

Shorewall-lite/shorewall-lite

@@ -222,6 +222,11 @@ start_command() {
 			    FAST=Yes
 			    option=${option#f}
 			    ;;
+			p*)
+			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
+			    PURGE=Yes
+			    option=${option%p}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -311,6 +316,11 @@ restart_command() {
 			    NOROUTES=Yes
 			    option=${option#n}
 			    ;;
+			p*)
+			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
+			    PURGE=Yes
+			    option=${option%p}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -371,11 +381,11 @@ usage() # $1 = exit status
     echo "   logwatch [<refresh interval>]"
     echo "   reject <address> ..."
     echo "   reset"
-    echo "   restart [ -n ]"
+    echo "   restart [ -n ] [ -p ]"
     echo "   restore [ -n ] [ <file name> ]"
     echo "   save [ <file name> ]"
     echo "   show [ -x ] [ -m ] [ -f ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]|capabilities|classifiers|config|connections|filters|ip|log|mangle|nat|routing|tc|vardir|zones} ]"
-    echo "   start [ -f ] [ -n ]"
+    echo "   start [ -f ] [ -n ] [ -p ]"
     echo "   stop"
     echo "   status"
     echo "   version"

Shorewall-perl/Shorewall/Compiler.pm

@@ -671,6 +671,7 @@ EOF
     else
         setup_netfilter
         restore_dynamic_rules
+        conditionally_flush_conntrack
 EOF
     setup_forwarding;
     emit<<'EOF';

Shorewall-perl/prog.header

@@ -1002,6 +1002,20 @@ find_mac() # $1 = IP address, $2 = interface
     esac
 }
 
+#
+# Flush the conntrack table if $PURGE is non-empty
+#
+conditionally_flush_conntrack() {
+
+    if [ -n "$PURGE" ]; then
+	if [ -n $(which conntrack) ]; then
+            conntrack -F
+	else
+            error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
+	fi
+    fi
+}
+
 ################################################################################
 # End of functions imported from /usr/share/shorewall/lib.base
 ################################################################################

Shorewall-shell/prog.footer

@@ -72,7 +72,10 @@ case "$COMMAND" in
 	    progress_message3 "Starting $PRODUCT...."
 	    define_firewall
 	    status=$?
-	    [ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch $SUBSYSLOCK
+	    if [ $status -eq 0 ]; then
+		[ -n "$PURGE" ]      && conntrack -F
+		[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
+	    fi
 	    progress_message3 "done."
 	fi
 	;;
@@ -106,9 +109,14 @@ case "$COMMAND" in
 
 	define_firewall
 	status=$?
-	if [ -n "$SUBSYSLOCK" ]; then
- 	    [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
+
+	if [ $status -eq 0 ]; then
+	    [ -n "$PURGE" ] && conntrack -F 
+	    [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
+	else
+ 	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
         fi
+
 	progress_message3 "done."
 	;;
     refresh)

manpages-lite/shorewall-lite.xml

@@ -190,7 +190,7 @@
       <arg>-<replaceable>options</replaceable></arg>
 
       <arg
-      choice="plain"><option>restart</option><arg><option>-n</option></arg></arg>
+      choice="plain"><option>restart</option><arg><option>-n</option></arg><arg><option>-p</option></arg></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -316,7 +316,7 @@
 
       <arg><option>-n</option></arg>
 
-      <arg><option>-f</option></arg>
+      <arg><option>-f</option><arg><option>-p</option></arg></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -580,9 +580,14 @@
         <listitem>
           <para>Restart is similar to <emphasis role="bold">shorewall-lite
           stop</emphasis> followed by <emphasis role="bold">shorewall-lite
-          start</emphasis>. Existing connections are maintained. The
-          <option>-n</option> option causes Shorewall to avoid updating the
-          routing table(s).</para>
+          start</emphasis>. Existing connections are maintained.</para>
+
+          <para>The <option>-n</option> option causes Shorewall to avoid
+          updating the routing table(s).</para>
+
+          <para>The <option>-p</option> option causes the connection tracking
+          table to be flushed; the <command>conntrack</command> utility must
+          be installed to use this option.</para>
         </listitem>
       </varlistentry>
 
@@ -763,10 +768,14 @@
           saved configuration specified by the RESTOREFILE option in <ulink
           url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) will
           be restored if that saved configuration exists and has been modified
-          more recently than the files in /etc/shorewall.</para>
+          more recently than the files in /etc/shorewall. </para>
 
           <para>The <option>-n</option> option causes Shorewall to avoid
           updating the routing table(s).</para>
+
+          <para>The <option>-p</option> option causes the connection tracking
+          table to be flushed; the <command>conntrack</command> utility must
+          be installed to use this option.</para>
         </listitem>
       </varlistentry>
 

manpages/shorewall.xml

@@ -354,6 +354,8 @@
 
       <arg><option>-n</option></arg>
 
+      <arg><option>-p</option></arg>
+
       <arg><option>-C</option> <option>{shell|perl}</option></arg>
 
       <arg><replaceable>directory</replaceable></arg>
@@ -523,6 +525,8 @@
 
       <arg><option>-f</option></arg>
 
+      <arg><option>-n</option></arg>
+
       <arg><replaceable>directory</replaceable></arg>
     </cmdsynopsis>
 
@@ -1056,6 +1060,10 @@
           <para>The <option>-n</option> option causes Shorewall to avoid
           updating the routing table(s).</para>
 
+          <para>The <option>-p</option> option causes the connection tracking
+          table to be flushed; the <command>conntrack</command> utility must
+          be installed to use this option.</para>
+
           <para>The <option>-C</option> option determines the compiler to use
           (Shorewall-shell or Shorewall-perl). If not specified, the
           SHOREWALL_COMPILER setting in <ulink
@@ -1307,6 +1315,10 @@
           <para>The <option>-n</option> option causes Shorewall to avoid
           updating the routing table(s).</para>
 
+          <para>The <option>-p</option> option causes the connection tracking
+          table to be flushed; the <command>conntrack</command> utility must
+          be installed to use this option.</para>
+
           <para>The <option>-C</option> option determines the compiler to use
           (Shorewall-shell or Shorewall-perl). If not specified, the
           SHOREWALL_COMPILER setting in <ulink