From f08532e194c43b79b872dd7593b3ca7de9477c8e Mon Sep 17 00:00:00 2001
From: teastep <teastep@fbd18981-670d-0410-9b5c-8dc0c1a9a2bb>
Date: Tue, 15 Mar 2005 16:55:13 +0000
Subject: [PATCH] Add 'continue' extension script

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2004 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall2/changelog.txt    |  4 ++++
 Shorewall2/continue         |  6 ++++++
 Shorewall2/firewall         | 12 +++++++-----
 Shorewall2/releasenotes.txt | 15 ++++++++++++++-
 4 files changed, 31 insertions(+), 6 deletions(-)
 create mode 100644 Shorewall2/continue

diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index b9219ae00..ec80768a1 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -1,3 +1,7 @@
+Changes in 2.2.3
+
+1) Added the 'continue' extension script.
+
 Changes in 2.2.2
 
 1) The 'check' command disclaimer is toned down further and only
diff --git a/Shorewall2/continue b/Shorewall2/continue
new file mode 100644
index 000000000..e608ca4ed
--- /dev/null
+++ b/Shorewall2/continue
@@ -0,0 +1,6 @@
+############################################################################
+# Shorewall 2.2 -- /etc/shorewall/continue
+#
+# Add commands below that you want to be executed after shorewall has
+# cleared any existing Netfilter rules and has enabled existing connections.
+#
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 38569020d..197aa9f0c 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -5678,7 +5678,7 @@ initialize_netfilter () {
     run_user_exit init
 
     #
-    # The some files might be large so strip them while the firewall is still running
+    # Some files might be large so strip them while the firewall is still running
     # (restart command). This reduces the length of time that the firewall isn't
     # accepting new connections.
     #
@@ -5721,6 +5721,8 @@ initialize_netfilter () {
     setcontinue INPUT
     setcontinue OUTPUT
 
+    run_user_exit continue
+
     [ -n "$DISABLE_IPV6" ] && disable_ipv6
 
     #
@@ -5729,10 +5731,6 @@ initialize_netfilter () {
     run_iptables -A INPUT  -i lo -j ACCEPT
     run_iptables -A OUTPUT -o lo -j ACCEPT
 
-    accounting_file=$(find_file accounting)
-
-    [ -f $accounting_file ] && setup_accounting $accounting_file
-
     #
     # Allow DNS lookups during startup for FQDNs
     #
@@ -5756,6 +5754,10 @@ initialize_netfilter () {
 	run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option
     fi
 
+    accounting_file=$(find_file accounting)
+
+    [ -f $accounting_file ] && setup_accounting $accounting_file
+
     if [ -z "$NEWNOTSYN" ]; then
 	createchain newnotsyn no
 
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 4149777f0..08292f010 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -1,5 +1,18 @@
-Shorewall 2.2.2
+Shorewall 2.2.3
 
+-----------------------------------------------------------------------
+Problems corrected in version 2.2.3
+-----------------------------------------------------------------------
+New Features in version 2.2.3
+
+1) A new extension script "continue" has been added. This script is
+   invoked after Shorewall has set the built-in filter chains' 
+   policy to DROP, deleted any existing Netfilter rules and user
+   chains and has enabled existing connections.
+
+   It is useful for enabling certain communication while Shorewall is
+   being [re]started. Be sure to delete any rules that you add here in
+   your /etc/shorewall/start file.
 -----------------------------------------------------------------------
 Problems corrected in version 2.2.2