New 'reload' and 'restart' semantics
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
8e31255c9b
commit
f9ec0c6930
@ -3787,7 +3787,7 @@ start_command() {
|
||||
}
|
||||
|
||||
#
|
||||
# Restart Command Executor
|
||||
# Reload/Restart Command Executor
|
||||
#
|
||||
restart_command() {
|
||||
local finished
|
||||
@ -3846,11 +3846,11 @@ restart_command() {
|
||||
[ -n "$g_nolock" ] || mutex_on
|
||||
|
||||
if [ -x ${VARDIR}/firewall ]; then
|
||||
run_it ${VARDIR}/firewall $g_debugging restart
|
||||
run_it ${VARDIR}/firewall $g_debugging $COMMAND
|
||||
rc=$?
|
||||
else
|
||||
error_message "${VARDIR}/firewall is missing or is not executable"
|
||||
logger -p kern.err "ERROR:$g_product restart failed"
|
||||
logger -p kern.err "ERROR:$g_product $COMMAND failed"
|
||||
rc=6
|
||||
fi
|
||||
|
||||
@ -4205,7 +4205,7 @@ shorewall_cli() {
|
||||
run_it $g_firewall $g_debugging reset $@
|
||||
[ -n "$g_nolock" ] || mutex_off
|
||||
;;
|
||||
restart)
|
||||
reload|restart)
|
||||
get_config Yes Yes
|
||||
shift
|
||||
restart_command $@
|
||||
|
@ -329,6 +329,21 @@
|
||||
<arg choice="plain"><replaceable>address</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall-lite</command>
|
||||
|
||||
<arg
|
||||
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>reload</option></arg>
|
||||
|
||||
<arg><option>-n</option></arg>
|
||||
|
||||
<arg><option>-p</option><arg><option>-C</option></arg></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall-lite</command>
|
||||
|
||||
@ -708,6 +723,7 @@
|
||||
<para>If <option>-f</option> is given, the command will be processed
|
||||
by the compiled script that executed the last successful <emphasis
|
||||
role="bold">start</emphasis>, <emphasis
|
||||
role="bold">reload</emphasis>, <emphasis
|
||||
role="bold">restart</emphasis> or <emphasis
|
||||
role="bold">refresh</emphasis> command if that script exists.</para>
|
||||
</listitem>
|
||||
@ -1026,6 +1042,32 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">reload </emphasis>[-n] [-p]
|
||||
[-<option>C</option>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.0, <emphasis
|
||||
role="bold">reload</emphasis> is similar to <emphasis
|
||||
role="bold">shorewall-lite start</emphasis> except that it assumes
|
||||
that the firewall is already started. Existing connections are
|
||||
maintained.</para>
|
||||
|
||||
<para>The <option>-n</option> option causes Shorewall-lite to avoid
|
||||
updating the routing table(s).</para>
|
||||
|
||||
<para>The <option>-p</option> option causes the connection tracking
|
||||
table to be flushed; the <command>conntrack</command> utility must
|
||||
be installed to use this option.</para>
|
||||
|
||||
<para>The <option>-C</option> option was added in Shorewall 4.6.5.
|
||||
If the specified (or implicit) firewall script is the one that
|
||||
generated the current running configuration, then the running
|
||||
netfilter configuration will be reloaded as is so as to preserve the
|
||||
iptables packet and byte counters.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
|
||||
...]</emphasis><acronym/></term>
|
||||
@ -1043,9 +1085,10 @@
|
||||
[-<option>C</option>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Restart is similar to <emphasis role="bold">shorewall-lite
|
||||
start</emphasis> except that it assumes that the firewall is already
|
||||
started. Existing connections are maintained.</para>
|
||||
<para>Beginning with Shorewall 5.0.0, this command performs a true
|
||||
restart. The firewall is completely stopped as if a
|
||||
<command>stop</command> command had been issued then it is started
|
||||
again.</para>
|
||||
|
||||
<para>The <option>-n</option> option causes Shorewall-lite to avoid
|
||||
updating the routing table(s).</para>
|
||||
|
@ -8,11 +8,11 @@ all: $(VARDIR)/$(RESTOREFILE)
|
||||
$(VARDIR)/$(RESTOREFILE): $(CONFDIR)/*
|
||||
@/sbin/shorewall -q save >/dev/null; \
|
||||
if \
|
||||
/sbin/shorewall -q restart >/dev/null 2>&1; \
|
||||
/sbin/shorewall -q reload >/dev/null 2>&1; \
|
||||
then \
|
||||
/sbin/shorewall -q save >/dev/null; \
|
||||
else \
|
||||
/sbin/shorewall -q restart 2>&1 | tail >&2; exit 1; \
|
||||
/sbin/shorewall -q restore 2>&1 | tail >&2; exit 1; \
|
||||
fi
|
||||
|
||||
clean:
|
||||
|
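Review bot: The exit status of the leading `/sbin/shorewall -q save >/dev/null;` in the recipe is discarded, so when that save fails (for instance because the firewall is not running) the new failure branch runs `/sbin/shorewall -q restore` against whatever restore file already existed rather than the state from just before this reload. If the restore is intended as a rollback of the reload, chaining the save into the condition, `@/sbin/shorewall -q save >/dev/null && \` followed by the `if`, makes the target fail instead of restoring a possibly stale snapshot; whether that stricter behaviour is wanted here is an inference from the recipe, not stated by the change.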
@ -7070,9 +7070,9 @@ sub verify_source_interface( $$$$ ) {
|
||||
fatal_error "A wildcard interface ( $iiface) is not allowed in this context" if $iiface =~ /\+$/;
|
||||
|
||||
if ( $table eq 'nat' ) {
|
||||
warning_message qq(Using an interface as the masq SOURCE requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount++;
|
||||
warning_message qq(Using an interface as the masq SOURCE requires the interface to be up and configured when $Product starts/restarts/reloads) unless $idiotcount++;
|
||||
} else {
|
||||
warning_message qq(Using an interface as the SOURCE in a T: rule requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount1++;
|
||||
warning_message qq(Using an interface as the SOURCE in a T: rule requires the interface to be up and configured when $Product starts/restarts/reloads) unless $idiotcount1++;
|
||||
}
|
||||
|
||||
push_command $chainref, join( '', 'for source in ', get_interface_nets( $iiface) , '; do' ), 'done';
|
||||
@ -7962,7 +7962,7 @@ sub save_dynamic_chains() {
|
||||
my $tool = $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}';
|
||||
my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
|
||||
|
||||
emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = refresh ]; then' );
|
||||
emit ( 'if [ "$COMMAND" = reload -o "$COMMAND" = refresh ]; then' );
|
||||
push_indent;
|
||||
|
||||
emit( 'if [ -n "$g_counters" ]; then' ,
|
||||
@ -8251,7 +8251,7 @@ sub load_ipsets() {
|
||||
}
|
||||
|
||||
if ( @ipsets ) {
|
||||
emit ( 'elif [ "$COMMAND" = restart ]; then' );
|
||||
emit ( 'elif [ "$COMMAND" = reload ]; then' );
|
||||
ensure_ipset( $_ ) for @ipsets;
|
||||
}
|
||||
|
||||
@ -8318,7 +8318,7 @@ sub create_netfilter_load( $ ) {
|
||||
my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';
|
||||
|
||||
emit( '',
|
||||
'if [ "$COMMAND" = restart -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
|
||||
'if [ "$COMMAND" = reload -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then',
|
||||
' option="--counters"',
|
||||
'',
|
||||
' progress_message "Reusing existing ruleset..."',
|
||||
@ -8371,7 +8371,7 @@ sub create_netfilter_load( $ ) {
|
||||
}
|
||||
}
|
||||
#
|
||||
# SHA1SUM chains for handling 'restart -s'
|
||||
# SHA1SUM chains for handling 'reload -s'
|
||||
#
|
||||
if ( $table eq 'filter' ) {
|
||||
emit_unindented ':$g_sha1sum1 - [0:0]';
|
||||
|
@ -217,7 +217,7 @@ sub generate_script_2() {
|
||||
|
||||
my @dont_load = split_list $config{DONT_LOAD}, 'module';
|
||||
|
||||
emit ( '[ -n "${COMMAND:=restart}" ]',
|
||||
emit ( '[ -n "${COMMAND:=reload}" ]',
|
||||
'[ -n "${VERBOSITY:=0}" ]',
|
||||
qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]) );
|
||||
|
||||
@ -361,7 +361,7 @@ sub generate_script_3($) {
|
||||
create_chainlist_reload( $_[0] );
|
||||
create_save_ipsets;
|
||||
|
||||
emit "#\n# Start/Restart the Firewall\n#";
|
||||
emit "#\n# Start/Reload the Firewall\n#";
|
||||
|
||||
emit( 'define_firewall() {',
|
||||
' local options' );
|
||||
@ -567,8 +567,8 @@ case $COMMAND in
|
||||
start)
|
||||
logger -p kern.info "$g_product started"
|
||||
;;
|
||||
restart)
|
||||
logger -p kern.info "$g_product restarted"
|
||||
reloaded)
|
||||
logger -p kern.info "$g_product reloaded"
|
||||
;;
|
||||
refresh)
|
||||
logger -p kern.info "$g_product refreshed"
|
||||
|
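Review bot: The renamed success-logging arm is spelled `reloaded)`, but `$COMMAND` carries the command word, which is `reload` (the matching failure-logging hunk later in this commit uses `reload)`), so a successful reload no longer matches any arm and is not logged. The label should be `reload)` with the message left as `logger -p kern.info "$g_product reloaded"`. The enclosing `case $COMMAND in` begins before this hunk.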
@ -2471,8 +2471,8 @@ EOF
|
||||
start)
|
||||
logger -p kern.err "ERROR:$g_product start failed"
|
||||
;;
|
||||
restart)
|
||||
logger -p kern.err "ERROR:$g_product restart failed"
|
||||
reload)
|
||||
logger -p kern.err "ERROR:$g_product reload failed"
|
||||
;;
|
||||
refresh)
|
||||
logger -p kern.err "ERROR:$g_product refresh failed"
|
||||
|
@ -1797,7 +1797,7 @@ sub compile_updown() {
|
||||
|
||||
if ( $wildcard ) {
|
||||
emit( ' if [ "$state" = started ]; then',
|
||||
' COMMAND=restart',
|
||||
' COMMAND=reload',
|
||||
' else',
|
||||
' COMMAND=start',
|
||||
' fi' );
|
||||
@ -1816,8 +1816,8 @@ sub compile_updown() {
|
||||
if ( $wildcard ) {
|
||||
|
||||
emit( ' if [ "$state" = started ]; then',
|
||||
' progress_message3 "$g_product attempting restart"',
|
||||
' COMMAND=restart',
|
||||
' progress_message3 "$g_product attempting reload"',
|
||||
' COMMAND=reload',
|
||||
' detect_configuration',
|
||||
' define_firewall',
|
||||
' fi' );
|
||||
@ -1859,8 +1859,8 @@ sub compile_updown() {
|
||||
|
||||
emit( '',
|
||||
' if [ "$state" = started ]; then',
|
||||
' COMMAND=restart',
|
||||
' progress_message3 "$g_product attempting restart"',
|
||||
' COMMAND=reload',
|
||||
' progress_message3 "$g_product attempting reload"',
|
||||
' detect_configuration',
|
||||
' define_firewall',
|
||||
' elif [ "$state" = stopped ]; then',
|
||||
@ -1884,8 +1884,8 @@ sub compile_updown() {
|
||||
emit( "$interfaces)",
|
||||
' case $state in',
|
||||
' started)',
|
||||
' COMMAND=restart',
|
||||
' progress_message3 "$g_product attempting restart"',
|
||||
' COMMAND=reload',
|
||||
' progress_message3 "$g_product attempting reload"',
|
||||
' detect_configuration',
|
||||
' define_firewall',
|
||||
' ;;',
|
||||
@ -2054,7 +2054,7 @@ sub handle_optional_interfaces( $ ) {
|
||||
emit( '',
|
||||
'if [ -z "$HAVE_INTERFACE" ]; then' ,
|
||||
' case "$COMMAND" in',
|
||||
' start|restart|restore|refresh)'
|
||||
' start|reload|restore|refresh)'
|
||||
);
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
|
@ -1884,7 +1884,7 @@ sub verify_required_interfaces( $ ) {
|
||||
|
||||
push_indent;
|
||||
|
||||
emit( 'start|restart|restore)' );
|
||||
emit( 'start|reload|restore)' );
|
||||
|
||||
push_indent;
|
||||
|
||||
@ -1946,7 +1946,7 @@ sub verify_required_interfaces( $ ) {
|
||||
if ( $generate_case ) {
|
||||
emit( 'case "$COMMAND" in' );
|
||||
push_indent;
|
||||
emit( 'start|restart|restore|refresh)' );
|
||||
emit( 'start|reload|restore|refresh)' );
|
||||
push_indent;
|
||||
}
|
||||
|
||||
|
@ -21,7 +21,7 @@
|
||||
# -v and -q Standard Shorewall Verbosity control
|
||||
# -t Timestamp progress messages
|
||||
# -p Purge conntrack table
|
||||
# -r Recover from failed start/restart
|
||||
# -r Recover from failed start/reload
|
||||
# -V <verbosity> Set verbosity level explicitly
|
||||
# -R <restore> Overrides RESTOREFILE setting
|
||||
#
|
||||
|
@ -17,6 +17,7 @@ usage() {
|
||||
echo " reset"
|
||||
echo " reenable <interface>"
|
||||
echo " refresh"
|
||||
echo " reload"
|
||||
echo " restart"
|
||||
echo " run <command> [ <parameter> ... ]"
|
||||
echo " status"
|
||||
@ -37,27 +38,30 @@ usage() {
|
||||
exit $1
|
||||
}
|
||||
|
||||
checkkernelversion() {
|
||||
?if __IPV6
|
||||
local kernel
|
||||
|
||||
kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
|
||||
|
||||
case "$kernel" in
|
||||
*.*.*)
|
||||
kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
|
||||
;;
|
||||
*)
|
||||
kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ $kernel -lt 20624 ]; then
|
||||
error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
|
||||
return 1
|
||||
start_command() {
|
||||
if product_is_started; then
|
||||
error_message "$g_product is already Running"
|
||||
status=0
|
||||
else
|
||||
progress_message3 "Starting $g_product...."
|
||||
detect_configuration
|
||||
define_firewall
|
||||
status=$?
|
||||
if [ $status -eq 0 ]; then
|
||||
[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
|
||||
progress_message3 "done."
|
||||
fi
|
||||
fi
|
||||
?endif
|
||||
|
||||
return $status
|
||||
}
|
||||
|
||||
stop_command() {
|
||||
progress_message3 "Stopping $g_product...."
|
||||
detect_configuration
|
||||
stop_firewall
|
||||
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
|
||||
progress_message3 "done."
|
||||
return 0
|
||||
}
|
||||
|
||||
@ -224,94 +228,71 @@ COMMAND="$1"
|
||||
case "$COMMAND" in
|
||||
start)
|
||||
[ $# -ne 1 ] && usage 2
|
||||
if product_is_started; then
|
||||
error_message "$g_product is already Running"
|
||||
status=0
|
||||
else
|
||||
progress_message3 "Starting $g_product...."
|
||||
if checkkernelversion; then
|
||||
detect_configuration
|
||||
define_firewall
|
||||
status=$?
|
||||
if [ $status -eq 0 ]; then
|
||||
[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
|
||||
progress_message3 "done."
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
start_command
|
||||
;;
|
||||
stop)
|
||||
[ $# -ne 1 ] && usage 2
|
||||
if checkkernelversion; then
|
||||
progress_message3 "Stopping $g_product...."
|
||||
detect_configuration
|
||||
stop_firewall
|
||||
status=0
|
||||
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
|
||||
progress_message3 "done."
|
||||
fi
|
||||
stop_command
|
||||
;;
|
||||
reset)
|
||||
if ! product_is_started ; then
|
||||
error_message "$g_product is not running"
|
||||
status=2
|
||||
elif checkkernelversion; then
|
||||
if [ $# -eq 1 ]; then
|
||||
$g_tool -Z
|
||||
$g_tool -t mangle -Z
|
||||
date > ${VARDIR}/restarted
|
||||
status=0
|
||||
progress_message3 "$g_product Counters Reset"
|
||||
else
|
||||
shift
|
||||
status=0
|
||||
for chain in $@; do
|
||||
if chain_exists $chain; then
|
||||
if qt $g_tool-Z $chain; then
|
||||
progress_message3 "Filter $chain Counters Reset"
|
||||
else
|
||||
error_message "ERROR: Reset of chain $chain failed"
|
||||
status=2
|
||||
break
|
||||
fi
|
||||
elif [ $# -eq 1 ]; then
|
||||
$g_tool -Z
|
||||
$g_tool -t mangle -Z
|
||||
date > ${VARDIR}/restarted
|
||||
status=0
|
||||
progress_message3 "$g_product Counters Reset"
|
||||
else
|
||||
shift
|
||||
status=0
|
||||
for chain in $@; do
|
||||
if chain_exists $chain; then
|
||||
if qt $g_tool-Z $chain; then
|
||||
progress_message3 "Filter $chain Counters Reset"
|
||||
else
|
||||
error_message "WARNING: Filter Chain $chain does not exist"
|
||||
error_message "ERROR: Reset of chain $chain failed"
|
||||
status=2
|
||||
break
|
||||
fi
|
||||
done
|
||||
fi
|
||||
else
|
||||
error_message "WARNING: Filter Chain $chain does not exist"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
;;
|
||||
restart)
|
||||
reload)
|
||||
[ $# -ne 1 ] && usage 2
|
||||
if product_is_started; then
|
||||
progress_message3 "Restarting $g_product...."
|
||||
progress_message3 "Reloading $g_product...."
|
||||
else
|
||||
error_message "$g_product is not running"
|
||||
progress_message3 "Starting $g_product...."
|
||||
COMMAND=start
|
||||
fi
|
||||
|
||||
if checkkernelversion; then
|
||||
detect_configuration
|
||||
define_firewall
|
||||
status=$?
|
||||
if [ -n "$SUBSYSLOCK" ]; then
|
||||
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
|
||||
fi
|
||||
detect_configuration
|
||||
define_firewall
|
||||
status=$?
|
||||
if [ -n "$SUBSYSLOCK" ]; then
|
||||
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
|
||||
fi
|
||||
|
||||
[ $status -eq 0 ] && progress_message3 "done."
|
||||
fi
|
||||
[ $status -eq 0 ] && progress_message3 "done."
|
||||
;;
|
||||
restart)
|
||||
[ $# -ne 1 ] && usage 2
|
||||
COMMAND=stop stop_command && COMMAND=start start_command
|
||||
;;
|
||||
refresh)
|
||||
[ $# -ne 1 ] && usage 2
|
||||
if product_is_started; then
|
||||
progress_message3 "Refreshing $g_product...."
|
||||
if checkkernelversion; then
|
||||
detect_configuration
|
||||
define_firewall
|
||||
status=$?
|
||||
[ $status -eq 0 ] && progress_message3 "done."
|
||||
fi
|
||||
detect_configuration
|
||||
define_firewall
|
||||
status=$?
|
||||
[ $status -eq 0 ] && progress_message3 "done."
|
||||
else
|
||||
echo "$g_product is not running" >&2
|
||||
status=2
|
||||
@ -319,27 +300,23 @@ case "$COMMAND" in
|
||||
;;
|
||||
restore)
|
||||
[ $# -ne 1 ] && usage 2
|
||||
if checkkernelversion; then
|
||||
detect_configuration
|
||||
define_firewall
|
||||
status=$?
|
||||
if [ -n "$SUBSYSLOCK" ]; then
|
||||
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
|
||||
fi
|
||||
[ $status -eq 0 ] && progress_message3 "done."
|
||||
fi
|
||||
detect_configuration
|
||||
define_firewall
|
||||
status=$?
|
||||
if [ -n "$SUBSYSLOCK" ]; then
|
||||
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
|
||||
fi
|
||||
[ $status -eq 0 ] && progress_message3 "done."
|
||||
;;
|
||||
clear)
|
||||
[ $# -ne 1 ] && usage 2
|
||||
progress_message3 "Clearing $g_product...."
|
||||
if checkkernelversion; then
|
||||
clear_firewall
|
||||
status=0
|
||||
if [ -n "$SUBSYSLOCK" ]; then
|
||||
rm -f $SUBSYSLOCK
|
||||
fi
|
||||
progress_message3 "done."
|
||||
clear_firewall
|
||||
status=0
|
||||
if [ -n "$SUBSYSLOCK" ]; then
|
||||
rm -f $SUBSYSLOCK
|
||||
fi
|
||||
progress_message3 "done."
|
||||
;;
|
||||
status)
|
||||
[ $# -ne 1 ] && usage 2
|
||||
|
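Review bot: The new `restart)` arm depends on `COMMAND=stop stop_command && COMMAND=start start_command`, a prefix assignment applied to a shell function; POSIX leaves unspecified whether such an assignment persists after the function returns, and dash and bash behave differently, so code after the `case` that inspects `$COMMAND` sees `start` under one shell and `restart` under another. If a later `case $COMMAND in` in this script is meant to see a definite value, assign it explicitly: `COMMAND=stop; stop_command && { COMMAND=start; start_command; }`. In the `reload)` arm, `error_message "$g_product is not running"` is followed by starting the firewall anyway, so that message describes a normal fallback rather than an error; `progress_message3` may fit better. The enclosing `case "$COMMAND" in` begins before this hunk.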
@ -4,7 +4,7 @@
|
||||
# /etc/shorewall/init
|
||||
#
|
||||
# Add commands below that you want to be executed at the beginning of
|
||||
# a "shorewall start" or "shorewall restart" command.
|
||||
# a "shorewall start", "shorewall-reload" or "shorewall restart" command.
|
||||
#
|
||||
# For additional information, see
|
||||
# http://shorewall.net/shorewall_extension_scripts.htm
|
||||
|
@ -4,8 +4,9 @@
|
||||
# /etc/shorewall/initdone
|
||||
#
|
||||
# Add commands below that you want to be executed during
|
||||
# "shorewall start" or "shorewall restart" commands at the point where
|
||||
# Shorewall has not yet added any permanent rules to the builtin chains.
|
||||
# "shorewall start", "shorewall reload" or "shorewall restart" commands
|
||||
# at the point where Shorewall has not yet added any permanent rules to
|
||||
# the builtin chains.
|
||||
#
|
||||
# For additional information, see
|
||||
# http://shorewall.net/shorewall_extension_scripts.htm
|
||||
|
@ -4,7 +4,7 @@
|
||||
# /etc/shorewall/start
|
||||
#
|
||||
# Add commands below that you want to be executed after shorewall has
|
||||
# been started or restarted.
|
||||
# been started, reloaded or restarted.
|
||||
#
|
||||
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
|
||||
# information.
|
||||
|
@ -4,11 +4,10 @@
|
||||
# /etc/shorewall/started
|
||||
#
|
||||
# Add commands below that you want to be executed after shorewall has
|
||||
# been completely started or restarted. The difference between this
|
||||
# extension script and /etc/shorewall/start is that this one is invoked
|
||||
# after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and
|
||||
# after the 'shorewall' chain has been created (thus signaling that the
|
||||
# firewall is completely up).
|
||||
# been completely started, reloaded or restarted. The difference between
|
||||
# this extension script and /etc/shorewall/start is that this one is
|
||||
# invoked after the 'shorewall' chain has been created (thus
|
||||
# signaling that the firewall is completely up).
|
||||
#
|
||||
# This script should not change the firewall configuration directly but
|
||||
# may do so indirectly by running /sbin/shorewall with the 'nolock'
|
||||
|
@ -25,6 +25,11 @@ OPTIONS=""
|
||||
#
|
||||
STARTOPTIONS=""
|
||||
|
||||
#
|
||||
# Restart options
|
||||
#
|
||||
RELOADOPTIONS=""
|
||||
|
||||
#
|
||||
# Restart options
|
||||
#
|
||||
|
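Review bot: The heading inserted above the new `RELOADOPTIONS=""` repeats `# Restart options`, so the file now carries two identical headings and the one describing RELOADOPTIONS is wrong. It should read `# Reload options` so the variable is documented the same way STARTOPTIONS is just above it.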
@ -106,6 +106,13 @@ shorewall_stop () {
|
||||
return 0
|
||||
}
|
||||
|
||||
# reload the firewall
|
||||
shorewall_reload () {
|
||||
echo -n "Reloading \"Shorewall firewall\": "
|
||||
$SRWL $SRWL_OPTS restart $RELOADOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
|
||||
return 0
|
||||
}
|
||||
|
||||
# restart the firewall
|
||||
shorewall_restart () {
|
||||
echo -n "Restarting \"Shorewall firewall\": "
|
||||
@ -135,14 +142,17 @@ case "$1" in
|
||||
refresh)
|
||||
shorewall_refresh
|
||||
;;
|
||||
force-reload|restart)
|
||||
restart)
|
||||
shorewall_restart
|
||||
;;
|
||||
force0reload|reload)
|
||||
shorewall_reload
|
||||
;;
|
||||
status)
|
||||
shorewall_status
|
||||
;;
|
||||
*)
|
||||
echo "Usage: /etc/init.d/shorewall {start|stop|refresh|restart|force-reload|status}"
|
||||
echo "Usage: /etc/init.d/shorewall {start|stop|refresh|reload|restart|force-reload|status}"
|
||||
exit 1
|
||||
esac
|
||||
|
||||
|
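Review bot: The new `shorewall_reload` function runs `$SRWL $SRWL_OPTS restart $RELOADOPTIONS`, so under the semantics this commit introduces a `reload` from this init script performs a full stop and start instead of the connection-preserving reload; the command word should be `reload`, i.e. `$SRWL $SRWL_OPTS reload $RELOADOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone`. In the same file the new case label `force0reload|reload)` misspells `force-reload`, which is what the updated usage string advertises, so a `force-reload` request now falls through to the `*)` arm and exits 1; it should be `force-reload|reload)`.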
@ -65,6 +65,21 @@ stop() {
|
||||
return $retval
|
||||
}
|
||||
|
||||
reload() {
|
||||
echo -n $"Reloading Shorewall: "
|
||||
$shorewall $OPTIONS reload $RELOADOPTIONS 2>&1 | $logger
|
||||
retval=${PIPESTATUS[0]}
|
||||
if [[ $retval == 0 ]]; then
|
||||
touch $lockfile
|
||||
success
|
||||
else # Failed to start, clean up lock file if present
|
||||
rm -f $lockfile
|
||||
failure
|
||||
fi
|
||||
echo
|
||||
return $retval
|
||||
}
|
||||
|
||||
restart() {
|
||||
# Note that we don't simply stop and start since shorewall has a built in
|
||||
# restart which stops the firewall if running and then starts it.
|
||||
@ -100,7 +115,10 @@ case "$1" in
|
||||
status_q || exit 0
|
||||
$1
|
||||
;;
|
||||
restart|reload|force-reload)
|
||||
reload|force-reload)
|
||||
reload
|
||||
;;
|
||||
restart)
|
||||
restart
|
||||
;;
|
||||
condrestart|try-restart)
|
||||
|
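Review bot: The failure-branch comment in the new `reload()` function, `else # Failed to start, clean up lock file if present`, was carried over from the start path; here the operation is a reload, so `# Failed to reload, clean up lock file if present` describes it. Removing the lock file there also assumes a failed reload leaves the firewall stopped; if `shorewall reload` restores the previous ruleset on failure instead, the service would be reported as down while still filtering, which is worth confirming before keeping the `rm -f $lockfile`.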
@ -30,7 +30,6 @@ RCDLINKS="2,S41 3,S41 6,K41"
|
||||
# shorewall start Starts the firewall
|
||||
# shorewall restart Restarts the firewall
|
||||
# shorewall reload Reload the firewall
|
||||
# (same as restart)
|
||||
# shorewall stop Stops the firewall
|
||||
# shorewall status Displays firewall status
|
||||
#
|
||||
@ -82,7 +81,10 @@ case "$command" in
|
||||
start)
|
||||
exec $SBINDIR/shorewall $OPTIONS start $STARTOPTIONS
|
||||
;;
|
||||
restart|reload)
|
||||
reload)
|
||||
exec $SBINDIR/shorewall $OPTIONS reload $RELOADOPTIONS
|
||||
;;
|
||||
restart)
|
||||
exec $SBINDIR/shorewall $OPTIONS restart $RESTARTOPTIONS
|
||||
;;
|
||||
status|stop)
|
||||
|
@ -27,6 +27,11 @@ stop() {
|
||||
exec /sbin/shorewall stop
|
||||
}
|
||||
|
||||
reload() {
|
||||
echo "Reloading IPv4 shorewall rules..."
|
||||
exec /sbin/shorewall reload $RELOADOPTIONS
|
||||
}
|
||||
|
||||
restart() {
|
||||
echo "Restarting IPv4 shorewall rules..."
|
||||
exec /sbin/shorewall restart $RESTARTOPTIONS
|
||||
@ -43,10 +48,13 @@ case "$1" in
|
||||
'stop')
|
||||
stop
|
||||
;;
|
||||
'reload'|'restart')
|
||||
'reload')
|
||||
reload
|
||||
;;
|
||||
'restart')
|
||||
restart
|
||||
;;
|
||||
'status')
|
||||
'status')
|
||||
status
|
||||
;;
|
||||
*)
|
||||
|
@ -31,7 +31,6 @@
|
||||
# shorewall start Starts the firewall
|
||||
# shorewall restart Restarts the firewall
|
||||
# shorewall reload Reload the firewall
|
||||
# (same as restart)
|
||||
# shorewall stop Stops the firewall
|
||||
# shorewall status Displays firewall status
|
||||
#
|
||||
@ -81,7 +80,10 @@ case "$command" in
|
||||
start)
|
||||
exec $SBINDIR/shorewall $OPTIONS start $STARTOPTIONS
|
||||
;;
|
||||
restart|reload)
|
||||
reload)
|
||||
exec $SBINDIR/shorewall $OPTIONS restart $RELOADOPTIONS
|
||||
;;
|
||||
restart)
|
||||
exec $SBINDIR/shorewall $OPTIONS restart $RESTARTOPTIONS
|
||||
;;
|
||||
status|stop)
|
||||
|
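Review bot: In the new `reload)` arm the exec line runs `$SBINDIR/shorewall $OPTIONS restart $RELOADOPTIONS`, whereas the corresponding init script earlier in this commit runs `$SBINDIR/shorewall $OPTIONS reload $RELOADOPTIONS`; with the new semantics `restart` tears the firewall down and starts it again, so a reload through this script drops existing connections. Presumably the intended line is `exec $SBINDIR/shorewall $OPTIONS reload $RELOADOPTIONS`. The enclosing `case "$command" in` begins before this hunk.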
@ -931,7 +931,7 @@ update_command() {
|
||||
}
|
||||
|
||||
#
|
||||
# Restart Command Executor
|
||||
# Reload/Restart Command Executor
|
||||
#
|
||||
restart_command() {
|
||||
local finished
|
||||
@ -1027,22 +1027,22 @@ restart_command() {
|
||||
uptodate ${VARDIR}/firewall && g_fast=Yes
|
||||
fi
|
||||
|
||||
g_file="${VARDIR}/.restart"
|
||||
g_file="${VARDIR}/.${COMMAND}"
|
||||
|
||||
if [ -z "$g_fast" ]; then
|
||||
if compiler $g_debugging $nolock compile "$g_file"; then
|
||||
[ -n "$nolock" ] || mutex_on
|
||||
run_it ${VARDIR}/.restart $g_debugging restart
|
||||
run_it ${VARDIR}/.${COMMAND} $g_debugging ${COMMAND}
|
||||
rc=$?
|
||||
[ -n "$nolock" ] || mutex_off
|
||||
else
|
||||
rc=$?
|
||||
logger -p kern.err "ERROR:$g_product restart failed"
|
||||
logger -p kern.err "ERROR:$g_product ${COMMAND} failed"
|
||||
fi
|
||||
else
|
||||
[ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found"
|
||||
[ -n "$nolock" ] || mutex_on
|
||||
run_it ${VARDIR}/firewall $g_debugging restart
|
||||
run_it ${VARDIR}/firewall $g_debugging $COMMAND
|
||||
rc=$?
|
||||
[ -n "$nolock" ] || mutex_off
|
||||
fi
|
||||
@ -1138,7 +1138,7 @@ refresh_command() {
|
||||
}
|
||||
|
||||
#
|
||||
# Safe-start/safe-restart Command Executor
|
||||
# Safe-start/safe-reload/safe-restart Command Executor
|
||||
#
|
||||
safe_commands() {
|
||||
local finished
|
||||
@ -1229,8 +1229,8 @@ safe_commands() {
|
||||
# the command is safe-start or shorewall[6] is not started yet
|
||||
command="start"
|
||||
else
|
||||
# the command is safe-restart and the firewall is already running
|
||||
command="restart"
|
||||
# the command is safe-reload or safe-restart and the firewall is already running
|
||||
command="${COMMAND#safe-}"
|
||||
fi
|
||||
|
||||
g_file="${VARDIR}/.$command"
|
||||
@ -1245,6 +1245,12 @@ safe_commands() {
|
||||
RESTOREFILE=NONE
|
||||
progress_message3 "Starting..."
|
||||
;;
|
||||
reload)
|
||||
RESTOREFILE=.safe
|
||||
g_restorepath=${VARDIR}/.safe
|
||||
save_config
|
||||
progress_message3 "Reloading..."
|
||||
;;
|
||||
restart)
|
||||
RESTOREFILE=.safe
|
||||
g_restorepath=${VARDIR}/.safe
|
||||
@ -1262,7 +1268,7 @@ safe_commands() {
|
||||
if read_yesno_with_timeout $timeout ; then
|
||||
echo "New configuration has been accepted"
|
||||
else
|
||||
if [ "$command" = "restart" ]; then
|
||||
if [ "$command" = "restart" -o "$command" = "reload" ]; then
|
||||
run_it ${VARDIR}/.safe restore
|
||||
else
|
||||
run_it ${VARDIR}/.$command clear
|
||||
@ -1361,7 +1367,7 @@ try_command() {
|
||||
command="start"
|
||||
else
|
||||
# the firewall is already running
|
||||
command="restart"
|
||||
command="reload"
|
||||
fi
|
||||
|
||||
g_file="${VARDIR}/.$command"
|
||||
@ -1378,11 +1384,11 @@ try_command() {
|
||||
RESTOREFILE=NONE
|
||||
progress_message3 "Starting..."
|
||||
;;
|
||||
restart)
|
||||
reload)
|
||||
RESTOREFILE=.try
|
||||
g_restorepath=${VARDIR}/.try
|
||||
save_config
|
||||
progress_message3 "Restarting..."
|
||||
progress_message3 "Reloading..."
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -1391,7 +1397,7 @@ try_command() {
|
||||
if run_it ${VARDIR}/.$command $g_debugging $command && [ -n "$timeout" ]; then
|
||||
sleep $timeout
|
||||
|
||||
if [ "$command" = "restart" ]; then
|
||||
if [ "$command" = "reload" ]; then
|
||||
run_it ${VARDIR}/.try restore
|
||||
else
|
||||
run_it ${VARDIR}/.$command clear
|
||||
@ -1417,9 +1423,9 @@ rcp_command() {
|
||||
}
|
||||
|
||||
#
|
||||
# [Re]load command executor
|
||||
# Remote-{start|reload|restart} command executor
|
||||
#
|
||||
reload_command() # $* = original arguments less the command.
|
||||
remote_reload_command() # $* = original arguments less the command.
|
||||
{
|
||||
local verbose
|
||||
verbose=$(make_verbose)
|
||||
@ -1572,12 +1578,15 @@ reload_command() # $* = original arguments less the command.
|
||||
|
||||
progress_message3 "Copy complete"
|
||||
|
||||
if [ $COMMAND = reload ]; then
|
||||
rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp restart" && \
|
||||
if [ $COMMAND = remote-reload ]; then
|
||||
rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp reload" && \
|
||||
progress_message3 "System $system reloaded" || saveit=
|
||||
elif [ $COMMAND = remote-restart ]; then
|
||||
rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp restart" && \
|
||||
progress_message3 "System $system restarted" || saveit=
|
||||
else
|
||||
rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp start" && \
|
||||
progress_message3 "System $system loaded" || saveit=
|
||||
progress_message3 "System $system started" || saveit=
|
||||
fi
|
||||
|
||||
if [ -n "$saveit" ]; then
|
||||
@ -1694,9 +1703,9 @@ compiler_command() {
|
||||
shift
|
||||
update_command $@
|
||||
;;
|
||||
load|reload)
|
||||
remote-start|remote-reload-reload|remote-restart)
|
||||
shift
|
||||
reload_command $@
|
||||
remote_reload_command $@
|
||||
;;
|
||||
export)
|
||||
shift
|
||||
@ -1707,7 +1716,7 @@ compiler_command() {
|
||||
shift
|
||||
try_command $@
|
||||
;;
|
||||
safe-restart|safe-start)
|
||||
safe-reload|safe-restart|safe-start)
|
||||
get_config Yes
|
||||
shift
|
||||
safe_commands $@
|
||||
|
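Review bot: The new dispatch label `remote-start|remote-reload-reload|remote-restart)` in compiler_command misspells its second alternative, so `shorewall remote-reload` never reaches remote_reload_command and the `[ $COMMAND = remote-reload ]` branch added to that function is unreachable from this case; it should read `remote-start|remote-reload|remote-restart)`. The removed `load|reload)` arm is not replaced by any alias for `load`, so existing callers of that command now fall through to whatever the default arm does; if compatibility is wanted, `load` needs to be listed somewhere. The synopsis added to the manual page later in this commit spells these commands `remote_start`, `remote_reload` and `remote_restart` with underscores, which does not match the hyphenated words accepted here.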
@ -312,30 +312,6 @@
|
||||
expression</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall</command>
|
||||
|
||||
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>load</option></arg>
|
||||
|
||||
<arg><option>-s</option></arg>
|
||||
|
||||
<arg><option>-c</option></arg>
|
||||
|
||||
<arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
|
||||
|
||||
<arg><option>-T</option></arg>
|
||||
|
||||
<arg><option>-i</option></arg>
|
||||
|
||||
<arg><replaceable>directory</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><replaceable>system</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall</command>
|
||||
|
||||
@ -448,7 +424,55 @@
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>reload</option></arg>
|
||||
<arg choice="plain"><option>remote_start</option></arg>
|
||||
|
||||
<arg><option>-s</option></arg>
|
||||
|
||||
<arg><option>-c</option></arg>
|
||||
|
||||
<arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
|
||||
|
||||
<arg><option>-T</option></arg>
|
||||
|
||||
<arg><option>-i</option></arg>
|
||||
|
||||
<arg><replaceable>directory</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><replaceable>system</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall</command>
|
||||
|
||||
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>remote_reload</option></arg>
|
||||
|
||||
<arg><option>-s</option></arg>
|
||||
|
||||
<arg><option>-c</option></arg>
|
||||
|
||||
<arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
|
||||
|
||||
<arg><option>-T</option></arg>
|
||||
|
||||
<arg><option>-i</option></arg>
|
||||
|
||||
<arg><replaceable>directory</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><replaceable>system</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall</command>
|
||||
|
||||
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>remote_restart</option></arg>
|
||||
|
||||
<arg><option>-s</option></arg>
|
||||
|
||||
@ -1305,65 +1329,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">load</emphasis> [-<option>s</option>]
|
||||
[-<option>c</option>] [-<option>r</option>
|
||||
<replaceable>root-user-name</replaceable>] [-<option>T</option>]
|
||||
[-<option>i</option>] [ <replaceable>directory</replaceable> ]
|
||||
<replaceable>system</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>If <emphasis>directory</emphasis> is omitted, the current
|
||||
working directory is assumed. Allows a non-root user to compile a
|
||||
shorewall script and install it on a system (provided that the user
|
||||
has root access to the system via ssh). The command is equivalent
|
||||
to:</para>
|
||||
|
||||
<programlisting> <emphasis role="bold">/sbin/shorewall compile -e</emphasis> <emphasis><replaceable>directory</replaceable></emphasis> <replaceable>directory</replaceable><emphasis
|
||||
role="bold">/firewall &&\</emphasis>
|
||||
<emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
|
||||
role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
|
||||
role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><replaceable>system</replaceable><emphasis
|
||||
role="bold">:/var/lib/shorewall-lite/ &&\</emphasis>
|
||||
<emphasis role="bold">ssh root@</emphasis><replaceable>system</replaceable> <emphasis
|
||||
role="bold">'/sbin/shorewall-lite start'</emphasis></programlisting>
|
||||
|
||||
<para>In other words, the configuration in the specified (or
|
||||
defaulted) directory is compiled to a file called firewall in that
|
||||
directory. If compilation succeeds, then firewall is copied to
|
||||
<replaceable>system</replaceable> using scp. If the copy succeeds,
|
||||
Shorewall Lite on <replaceable>system</replaceable> is started via
|
||||
ssh.</para>
|
||||
|
||||
<para>If <emphasis role="bold">-s</emphasis> is specified and the
|
||||
<emphasis role="bold">start</emphasis> command succeeds, then the
|
||||
remote Shorewall-lite configuration is saved by executing <emphasis
|
||||
role="bold">shorewall-lite save</emphasis> via ssh.</para>
|
||||
|
||||
<para>if <emphasis role="bold">-c</emphasis> is included, the
|
||||
command <emphasis role="bold">shorewall-lite show capabilities -f
|
||||
> /var/lib/shorewall-lite/capabilities</emphasis> is executed via
|
||||
ssh then the generated file is copied to
|
||||
<replaceable>directory</replaceable> using scp. This step is
|
||||
performed before the configuration is compiled.</para>
|
||||
|
||||
<para>If <option>-r</option> is included, it specifies that the root
|
||||
user on <replaceable>system</replaceable> is named
|
||||
<replaceable>root-user-name</replaceable> rather than "root".</para>
|
||||
|
||||
<para>The <option>-T</option> option was added in Shorewall 4.5.3
|
||||
and causes a Perl stack trace to be included with each
|
||||
compiler-generated error and warning message.</para>
|
||||
|
||||
<para>The <option>-i</option> option was added in Shorewall 4.6.0
|
||||
and causes a warning message to be issued if the current line
|
||||
contains alternative input specifications following a semicolon
|
||||
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
|
||||
set to Yes in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">logdrop</emphasis>
|
||||
<replaceable>address</replaceable></term>
|
||||
@ -1551,13 +1516,202 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">reload </emphasis>[-<option>s</option>]
|
||||
[-<option>c</option>] [-<option>r</option>
|
||||
<term><emphasis role="bold">reload </emphasis>[-<option>n</option>]
|
||||
[-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
|
||||
[-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
|
||||
[-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>This command was re-implemented in Shorewall 5.0.0. The
|
||||
pre-5.0.0 <command>reload</command> command is now called
|
||||
<command>remote_restart</command> (see below).</para>
|
||||
|
||||
<para>Reload is similar to <emphasis role="bold">shorewall
|
||||
start</emphasis> except that it assumes that the firewall is already
|
||||
started. Existing connections are maintained. If a
|
||||
<emphasis>directory</emphasis> is included in the command, Shorewall
|
||||
will look in that <emphasis>directory</emphasis> first for
|
||||
configuration files.</para>
|
||||
|
||||
<para>The <option>-n</option> option causes Shorewall to avoid
|
||||
updating the routing table(s).</para>
|
||||
|
||||
<para>The <option>-p</option> option causes the connection tracking
|
||||
table to be flushed; the <command>conntrack</command> utility must
|
||||
be installed to use this option.</para>
|
||||
|
||||
<para>The <option>-d</option> option causes the compiler to run
|
||||
under the Perl debugger.</para>
|
||||
|
||||
<para>The <option>-f</option> option suppresses the compilation step
|
||||
and simply reused the compiled script which last started/restarted
|
||||
Shorewall, provided that /etc/shorewall and its contents have not
|
||||
been modified since the last start/restart.</para>
|
||||
|
||||
<para>The <option>-c</option> option was added in Shorewall 4.4.20
|
||||
and performs the compilation step unconditionally, overriding the
|
||||
AUTOMAKE setting in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When
|
||||
both <option>-f</option> and <option>-c</option> are present, the
|
||||
result is determined by the option that appears last.</para>
|
||||
|
||||
<para>The <option>-T</option> option was added in Shorewall 4.5.3
|
||||
and causes a Perl stack trace to be included with each
|
||||
compiler-generated error and warning message.</para>
|
||||
|
||||
<para>The <option>-i</option> option was added in Shorewall 4.6.0
|
||||
and causes a warning message to be issued if the current line
|
||||
contains alternative input specifications following a semicolon
|
||||
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
|
||||
set to Yes in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
|
||||
<para>The <option>-C</option> option was added in Shorewall 4.6.5
|
||||
and is only meaningful when AUTOMAKE=Yes in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). If an
|
||||
existing firewall script is used and if that script was the one that
|
||||
generated the current running configuration, then the running
|
||||
netfilter configuration will be reloaded as is so as to preserve the
|
||||
iptables packet and byte counters.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">remote_start</emphasis>
|
||||
[-<option>s</option>] [-<option>c</option>] [-<option>r</option>
|
||||
<replaceable>root-user-name</replaceable>] [-<option>T</option>]
|
||||
[-<option>i</option>] [ <replaceable>directory</replaceable> ]
|
||||
<replaceable>system</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>This command was renamed from <command>load</command> in
|
||||
Shorewall 5.0.0.</para>
|
||||
|
||||
<para>If <emphasis>directory</emphasis> is omitted, the current
|
||||
working directory is assumed. Allows a non-root user to compile a
|
||||
shorewall script and install it on a system (provided that the user
|
||||
has root access to the system via ssh). The command is equivalent
|
||||
to:</para>
|
||||
|
||||
<programlisting> <emphasis role="bold">/sbin/shorewall compile -e</emphasis> <emphasis><replaceable>directory</replaceable></emphasis> <replaceable>directory</replaceable><emphasis
|
||||
role="bold">/firewall &&\</emphasis>
|
||||
<emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
|
||||
role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
|
||||
role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><replaceable>system</replaceable><emphasis
|
||||
role="bold">:/var/lib/shorewall-lite/ &&\</emphasis>
|
||||
<emphasis role="bold">ssh root@</emphasis><replaceable>system</replaceable> <emphasis
|
||||
role="bold">'/sbin/shorewall-lite start'</emphasis></programlisting>
|
||||
|
||||
<para>In other words, the configuration in the specified (or
|
||||
defaulted) directory is compiled to a file called firewall in that
|
||||
directory. If compilation succeeds, then firewall is copied to
|
||||
<replaceable>system</replaceable> using scp. If the copy succeeds,
|
||||
Shorewall Lite on <replaceable>system</replaceable> is started via
|
||||
ssh.</para>
|
||||
|
||||
<para>If <emphasis role="bold">-s</emphasis> is specified and the
|
||||
<emphasis role="bold">start</emphasis> command succeeds, then the
|
||||
remote Shorewall-lite configuration is saved by executing <emphasis
|
||||
role="bold">shorewall-lite save</emphasis> via ssh.</para>
|
||||
|
||||
<para>if <emphasis role="bold">-c</emphasis> is included, the
|
||||
command <emphasis role="bold">shorewall-lite show capabilities -f
|
||||
> /var/lib/shorewall-lite/capabilities</emphasis> is executed via
|
||||
ssh then the generated file is copied to
|
||||
<replaceable>directory</replaceable> using scp. This step is
|
||||
performed before the configuration is compiled.</para>
|
||||
|
||||
<para>If <option>-r</option> is included, it specifies that the root
|
||||
user on <replaceable>system</replaceable> is named
|
||||
<replaceable>root-user-name</replaceable> rather than "root".</para>
|
||||
|
||||
<para>The <option>-T</option> option was added in Shorewall 4.5.3
|
||||
and causes a Perl stack trace to be included with each
|
||||
compiler-generated error and warning message.</para>
|
||||
|
||||
<para>The <option>-i</option> option was added in Shorewall 4.6.0
|
||||
and causes a warning message to be issued if the current line
|
||||
contains alternative input specifications following a semicolon
|
||||
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
|
||||
set to Yes in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">remote_reload
|
||||
</emphasis>[-<option>s</option>] [-<option>c</option>]
|
||||
[-<option>r</option> <replaceable>root-user-name</replaceable>]
|
||||
[-<option>T</option>] [-<option>i</option>] [
|
||||
<replaceable>directory</replaceable> ]
|
||||
<replaceable>system</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>This command was added in Shorewall 5.0.0.</para>
|
||||
|
||||
<para>If <emphasis>directory</emphasis> is omitted, the current
|
||||
working directory is assumed. Allows a non-root user to compile a
|
||||
shorewall script and install it on a system (provided that the user
|
||||
has root access to the system via ssh). The command is equivalent
|
||||
to:</para>
|
||||
|
||||
<programlisting> <emphasis role="bold">/sbin/shorewall compile -e</emphasis> <emphasis>directory</emphasis> <emphasis>directory</emphasis><emphasis
|
||||
role="bold">/firewall &&\</emphasis>
|
||||
<emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
|
||||
role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
|
||||
role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><emphasis>system</emphasis><emphasis
|
||||
role="bold">:/var/lib/shorewall-lite/ &&\</emphasis>
|
||||
<emphasis role="bold">ssh root@</emphasis><emphasis>system</emphasis> <emphasis
|
||||
role="bold">'/sbin/shorewall-lite reload'</emphasis></programlisting>
|
||||
|
||||
<para>In other words, the configuration in the specified (or
|
||||
defaulted) directory is compiled to a file called firewall in that
|
||||
directory. If compilation succeeds, then firewall is copied to
|
||||
<emphasis>system</emphasis> using scp. If the copy succeeds,
|
||||
Shorewall Lite on <emphasis>system</emphasis> is restarted via
|
||||
ssh.</para>
|
||||
|
||||
<para>If <emphasis role="bold">-s</emphasis> is specified and the
|
||||
<emphasis role="bold">restart</emphasis> command succeeds, then the
|
||||
remote Shorewall-lite configuration is saved by executing <emphasis
|
||||
role="bold">shorewall-lite save</emphasis> via ssh.</para>
|
||||
|
||||
<para>if <emphasis role="bold">-c</emphasis> is included, the
|
||||
command <emphasis role="bold">shorewall-lite show capabilities -f
|
||||
> /var/lib/shorewall-lite/capabilities</emphasis> is executed via
|
||||
ssh then the generated file is copied to
|
||||
<emphasis>directory</emphasis> using scp. This step is performed
|
||||
before the configuration is compiled.</para>
|
||||
|
||||
<para>If <option>-r</option> is included, it specifies that the root
|
||||
user on <replaceable>system</replaceable> is named
|
||||
<replaceable>root-user-name</replaceable> rather than "root".</para>
|
||||
|
||||
<para>The <option>-T</option> option was added in Shorewall 4.5.3
|
||||
and causes a Perl stack trace to be included with each
|
||||
compiler-generated error and warning message.</para>
|
||||
|
||||
<para>The <option>-i</option> option was added in Shorewall 4.6.0
|
||||
and causes a warning message to be issued if the current line
|
||||
contains alternative input specifications following a semicolon
|
||||
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
|
||||
set to Yes in <ulink
|
||||
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">remote_restart
|
||||
</emphasis>[-<option>s</option>] [-<option>c</option>]
|
||||
[-<option>r</option> <replaceable>root-user-name</replaceable>]
|
||||
[-<option>T</option>] [-<option>i</option>] [
|
||||
<replaceable>directory</replaceable> ]
|
||||
<replaceable>system</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>This command was renamed from <command>reload</command> in
|
||||
Shorewall 5.0.0.</para>
|
||||
|
||||
<para>If <emphasis>directory</emphasis> is omitted, the current
|
||||
working directory is assumed. Allows a non-root user to compile a
|
||||
shorewall script and install it on a system (provided that the user
|
||||
@ -1628,12 +1782,14 @@
|
||||
[-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Restart is similar to <emphasis role="bold">shorewall
|
||||
start</emphasis> except that it assumes that the firewall is already
|
||||
started. Existing connections are maintained. If a
|
||||
<emphasis>directory</emphasis> is included in the command, Shorewall
|
||||
will look in that <emphasis>directory</emphasis> first for
|
||||
configuration files.</para>
|
||||
<para>Beginning with Shorewall 5.0.0, this command performs a true
|
||||
restart. The firewall is completely stopped as if a
|
||||
<command>stop</command> command had been issued then it is started
|
||||
again.</para>
|
||||
|
||||
<para>If a <emphasis>directory</emphasis> is included in the
|
||||
command, Shorewall will look in that <emphasis>directory</emphasis>
|
||||
first for configuration files.</para>
|
||||
|
||||
<para>The <option>-n</option> option causes Shorewall to avoid
|
||||
updating the routing table(s).</para>
|
||||
@ -1744,6 +1900,38 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">safe-reload
|
||||
</emphasis>[-<option>d</option>] [-<option>p</option>] [-<option>t
|
||||
</option><replaceable>timeout</replaceable> ] [
|
||||
<replaceable>directory</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.0, this command performs the same
|
||||
function as did <command>safe_restart</command> in earlier
|
||||
releases.</para>
|
||||
|
||||
<para>Only allowed if Shorewall is running. The current
|
||||
configuration is saved in /var/lib/shorewall/safe-reload (see the
|
||||
save command below) then a <emphasis role="bold">shorewall
|
||||
reload</emphasis> is done. You will then be prompted asking if you
|
||||
want to accept the new configuration or not. If you answer "n" or if
|
||||
you fail to answer within 60 seconds (such as when your new
|
||||
configuration has disabled communication with your terminal), the
|
||||
configuration is restored from the saved configuration. If a
|
||||
directory is given, then Shorewall will look in that directory first
|
||||
when opening configuration files.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.0, you may specify a different
|
||||
<replaceable>timeout</replaceable> value using the
|
||||
<option>-t</option> option. The numeric
|
||||
<replaceable>timeout</replaceable> may optionally be followed by an
|
||||
<option>s</option>, <option>m</option> or <option>h</option> suffix
|
||||
(e.g., 5m) to specify seconds, minutes or hours respectively. If the
|
||||
suffix is omitted, seconds is assumed.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">safe-restart
|
||||
</emphasis>[-<option>d</option>] [-<option>p</option>] [-<option>t
|
||||
|
@ -699,8 +699,9 @@
|
||||
|
||||
<para>If <option>-f</option> is given, the command will be processed
|
||||
by the compiled script that executed the last successful
|
||||
<command>start</command>, <command>restart</command> or
|
||||
<command>refresh</command> command if that script exists.</para>
|
||||
<command>start</command>, <command>reload</command>, <emphasis
|
||||
role="bold">restart</emphasis> or <command>refresh</command> command
|
||||
if that script exists.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1003,6 +1004,31 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">reload </emphasis>[-n] [-p]
|
||||
[-<option>C</option>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 5.0.0, <emphasis
|
||||
role="bold">reload</emphasis> is similar to <command>shorewall6-lite
|
||||
start</command> except that it assumes that the firewall is already
|
||||
started. Existing connections are maintained.</para>
|
||||
|
||||
<para>The <option>-n</option> option causes shorewall6-lite to avoid
|
||||
updating the routing table(s).</para>
|
||||
|
||||
<para>The <option>-p</option> option causes the connection tracking
|
||||
table to be flushed; the <command>conntrack</command> utility must
|
||||
be installed to use this option.</para>
|
||||
|
||||
<para>The <option>-C</option> option was added in Shorewall 4.6.5.
|
||||
If the specified (or implicit) firewall script is the one that
|
||||
generated the current running configuration, then the running
|
||||
netfilter configuration will be reloaded as is so as to preserve the
|
||||
iptables packet and byte counters.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
|
||||
...]</emphasis><acronym/></term>
|
||||
@ -1020,9 +1046,10 @@
|
||||
[-<option>C</option>]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Restart is similar to <command>shorewall6-lite start</command>
|
||||
except that it assumes that the firewall is already started.
|
||||
Existing connections are maintained.</para>
|
||||
<para>Beginning with Shorewall 5.0.0, this command performs a true
|
||||
restart. The firewall is completely stopped as if a
|
||||
<command>stop</command> command had been issued then it is started
|
||||
again.</para>
|
||||
|
||||
<para>The <option>-n</option> option causes shorewall6-lite to avoid
|
||||
updating the routing table(s).</para>
|
||||
|
@ -263,30 +263,6 @@
|
||||
expression</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6</command>
|
||||
|
||||
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>load</option></arg>
|
||||
|
||||
<arg><option>-s</option></arg>
|
||||
|
||||
<arg><option>-c</option></arg>
|
||||
|
||||
<arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
|
||||
|
||||
<arg><option>-T</option></arg>
|
||||
|
||||
<arg><option>-i</option></arg>
|
||||
|
||||
<arg><replaceable>directory</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><replaceable>system</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6</command>
|
||||
|
||||
@ -402,7 +378,55 @@
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>reload</option></arg>
|
||||
<arg choice="plain"><option>remote_start</option></arg>
|
||||
|
||||
<arg><option>-s</option></arg>
|
||||
|
||||
<arg><option>-c</option></arg>
|
||||
|
||||
<arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
|
||||
|
||||
<arg><option>-T</option></arg>
|
||||
|
||||
<arg><option>-i</option></arg>
|
||||
|
||||
<arg><replaceable>directory</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><replaceable>system</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6</command>
|
||||
|
||||
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>remote_reload</option></arg>
|
||||
|
||||
<arg><option>-s</option></arg>
|
||||
|
||||
<arg><option>-c</option></arg>
|
||||
|
||||
<arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
|
||||
|
||||
<arg><option>-T</option></arg>
|
||||
|
||||
<arg><option>-i</option></arg>
|
||||
|
||||
<arg><replaceable>directory</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><replaceable>system</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6</command>
|
||||
|
||||
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>remote_restart</option></arg>
|
||||
|
||||
<arg><option>-s</option></arg>
|
||||
|
||||
@ -430,6 +454,29 @@
|
||||
<arg choice="plain"><option>reset</option></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6</command>
|
||||
|
||||
<arg
|
||||
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>reload</option></arg>
|
||||
|
||||
<arg><option>-n</option></arg>
|
||||
|
||||
<arg><option>-f</option></arg>
|
||||
|
||||
<arg><option>-c</option></arg>
|
||||
|
||||
<arg><option>-T</option></arg>
|
||||
|
||||
<arg><option>-i</option><arg><option>-C</option></arg></arg>
|
||||
|
||||
<arg><replaceable>directory</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6</command>
|
||||
|
||||
@ -482,6 +529,23 @@
|
||||
<arg><replaceable>parameter ...</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6</command>
|
||||
|
||||
<arg
|
||||
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
||||
|
||||
<arg>-<replaceable>options</replaceable></arg>
|
||||
|
||||
<arg choice="plain"><option>safe-reload</option></arg>
|
||||
|
||||
<arg><option>-d</option></arg>
|
||||
|
||||
<arg><option>-t</option> <replaceable>timeout</replaceable></arg>
|
||||
|
||||
<arg><replaceable>directory</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>shorewall6</command>
|
||||
|
||||
@ -1201,65 +1265,6 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">load </emphasis> [-<option>s</option>]
|
||||
[-<option>c</option>] [-<option>r</option>
|
||||
<replaceable>root-user-name</replaceable>] [-<option>T</option>]
|
||||
[-<option>i</option>] [ <replaceable>directory</replaceable> ]
|
||||
<replaceable>system</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>If <emphasis>directory</emphasis> is omitted, the current
|
||||
working directory is assumed. Allows a non-root user to compile a
|
||||
shorewall6 script and install it on a system (provided that the user
|
||||
has root access to the system via ssh). The command is equivalent
|
||||
to:</para>
|
||||
|
||||
<programlisting> <emphasis role="bold">/sbin/shorewall6 compile -e</emphasis> <emphasis><replaceable>directory</replaceable></emphasis> <replaceable>directory</replaceable><emphasis
|
||||
role="bold">/firewall &&\</emphasis>
|
||||
<emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
|
||||
role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
|
||||
role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><replaceable>system</replaceable><emphasis
|
||||
role="bold">:/var/lib/shorewall6-lite/ &&\</emphasis>
|
||||
<emphasis role="bold">ssh root@</emphasis><replaceable>system</replaceable> <emphasis
|
||||
role="bold">'/sbin/shorewall6-lite start'</emphasis></programlisting>
|
||||
|
||||
<para>In other words, the configuration in the specified (or
|
||||
defaulted) directory is compiled to a file called firewall in that
|
||||
directory. If compilation succeeds, then firewall is copied to
|
||||
<replaceable>system</replaceable> using scp. If the copy succeeds,
|
||||
Shorewall6 Lite on <replaceable>system</replaceable> is started via
|
||||
ssh.</para>
|
||||
|
||||
<para>If <option>-s</option> is specified and the <emphasis
|
||||
role="bold">start</emphasis> command succeeds, then the remote
|
||||
Shorewall6-lite configuration is saved by executing
|
||||
<command>shorewall6-lite save</command> via ssh.</para>
|
||||
|
||||
<para>if <option>-c</option> is included, the command
|
||||
<command>shorewall6-lite show capabilities -f >
|
||||
/var/lib/shorewall6-lite/capabilities</command> is executed via ssh
|
||||
then the generated file is copied to
|
||||
<replaceable>directory</replaceable> using scp. This step is
|
||||
performed before the configuration is compiled.</para>
|
||||
|
||||
<para>If <option>-r</option> is included, it specifies that the root
|
||||
user on <replaceable>system</replaceable> is named
|
||||
<replaceable>root-user-name</replaceable> rather than "root".</para>
|
||||
|
||||
<para>The <option>-T</option> option was added in Shorewall 4.5.3
|
||||
and causes a Perl stack trace to be included with each
|
||||
compiler-generated error and warning message.</para>
|
||||
|
||||
<para>The <option>-i</option> option was added in Shorewall 4.6.0
|
||||
and causes a warning message to be issued if the current line
|
||||
contains alternative input specifications following a semicolon
|
||||
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
|
||||
set to Yes in <ulink
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">logdrop
|
||||
</emphasis><replaceable>address</replaceable></term>
|
||||
@ -1448,13 +1453,141 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">reload </emphasis>[-<option>s</option>]
|
||||
[-<option>c</option>] [-<option>r</option>
|
||||
<replaceable>root-user-name</replaceable>] [-<option>T</option>]
|
||||
[-<option>i</option>] [ <replaceable>directory</replaceable> ]
|
||||
<term><emphasis role="bold">reload </emphasis>[-<option>n</option>]
|
||||
[-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
|
||||
[-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
|
||||
[-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
|
||||
|
||||
<listitem>
|
||||
<para>This command was re-implemented in Shorewall 5.0.0. The
|
||||
pre-5.0.0 <command>reload</command> command is now called
|
||||
<command>remote_restart</command> (see below).</para>
|
||||
|
||||
<para>Reload is similar to <command>shorewall6 start</command>
|
||||
except that it assumes that the firewall is already started.
|
||||
Existing connections are maintained. If a
|
||||
<emphasis>directory</emphasis> is included in the command,
|
||||
Shorewall6 will look in that <emphasis>directory</emphasis> first
|
||||
for configuration files.</para>
|
||||
|
||||
<para>The <option>-n</option> option causes Shorewall6 to avoid
|
||||
updating the routing table(s).</para>
|
||||
|
||||
<para>The <option>-p</option> option causes the connection tracking
|
||||
table to be flushed; the <command>conntrack</command> utility must
|
||||
be installed to use this option.</para>
|
||||
|
||||
<para>The <option>-d</option> option causes the compiler to run
|
||||
under the Perl debugger.</para>
|
||||
|
||||
<para>The <option>-f</option> option suppresses the compilation step
|
||||
and simply reused the compiled script which last started/restarted
|
||||
Shorewall, provided that <filename class="directory">/etc/shorewall6
|
||||
</filename> and its contents have not been modified since the last
|
||||
start/restart.</para>
|
||||
|
||||
<para>The <option>-c</option> option was added in Shorewall 4.4.20
|
||||
and performs the compilation step unconditionally, overriding the
|
||||
AUTOMAKE setting in <ulink
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
|
||||
When both <option>-f</option> and <option>-c</option> are present,
|
||||
the result is determined by the option that appears last.</para>
|
||||
|
||||
<para>The <option>-T</option> option was added in Shorewall 4.5.3
|
||||
and causes a Perl stack trace to be included with each
|
||||
compiler-generated error and warning message.</para>
|
||||
|
||||
<para>The <option>-i</option> option was added in Shorewall 4.6.0
|
||||
and causes a warning message to be issued if the current line
|
||||
contains alternative input specifications following a semicolon
|
||||
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
|
||||
set to Yes in <ulink
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
|
||||
<para>The <option>-C</option> option was added in Shorewall 4.6.5
|
||||
and is only meaningful when AUTOMAKE=Yes in <ulink
|
||||
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). If
|
||||
an existing firewall script is used and if that script was the one
|
||||
that generated the current running configuration, then the running
|
||||
netfilter configuration will be reloaded as is so as to preserve the
|
||||
iptables packet and byte counters.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">remote_reload
|
||||
</emphasis>[-<option>s</option>] [-<option>c</option>]
|
||||
[-<option>r</option> <replaceable>root-user-name</replaceable>]
|
||||
[-<option>T</option>] [-<option>i</option>] [
|
||||
<replaceable>directory</replaceable> ]
|
||||
<replaceable>system</replaceable></term>
|
||||
|
||||
<listitem>
|
||||
<para>This command was added in Shorewall 5.0.0.</para>
|
||||
|
||||
<para>If <emphasis>directory</emphasis> is omitted, the current
|
||||
working directory is assumed. Allows a non-root user to compile a
|
||||
shorewall6 script and install it on a system (provided that the user
|
||||
has root access to the system via ssh). The command is equivalent
|
||||
to:</para>
|
||||
|
||||
<programlisting> <emphasis role="bold">/sbin/shorewall6 compile -e</emphasis> <emphasis>directory</emphasis> <emphasis>directory</emphasis><emphasis
|
||||
role="bold">/firewall &&\</emphasis>
|
||||
<emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
|
||||
role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
|
||||
role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><emphasis>system</emphasis><emphasis
|
||||
role="bold">:/var/lib/shorewall6-lite/ &&\</emphasis>
|
||||
<emphasis role="bold">ssh root@</emphasis><emphasis>system</emphasis> <emphasis
|
||||
role="bold">'/sbin/shorewall6-lite reload'</emphasis></programlisting>
|
||||
|
||||
<para>In other words, the configuration in the specified (or
|
||||
defaulted) directory is compiled to a file called firewall in that
|
||||
directory. If compilation succeeds, then firewall is copied to
|
||||
<emphasis>system</emphasis> using scp. If the copy succeeds,
|
||||
Shorewall6 Lite on <emphasis>system</emphasis> is restarted via
|
||||
ssh.</para>
|
||||
|
||||
<para>If <option>-s</option> is specified and the
|
||||
<command>restart</command> command succeeds, then the remote
|
||||
Shorewall6-lite configuration is saved by executing
|
||||
<command>shorewall6-lite save</command> via ssh.</para>
|
||||
|
||||
<para>if <option>-c</option> is included, the command
|
||||
<command>shorewall6-lite show capabilities -f >
|
||||
/var/lib/shorewall6-lite/capabilities</command> is executed via ssh
|
||||
then the generated file is copied to <emphasis>directory</emphasis>
|
||||
using scp. This step is performed before the configuration is
compiled.</para>
<para>If <option>-r</option> is included, it specifies that the root
user on <replaceable>system</replaceable> is named
<replaceable>root-user-name</replaceable> rather than "root".</para>
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">remote_ restart
</emphasis>[-<option>s</option>] [-<option>c</option>]
[-<option>r</option> <replaceable>root-user-name</replaceable>]
[-<option>T</option>] [-<option>i</option>] [
<replaceable>directory</replaceable> ]
<replaceable>system</replaceable></term>
<listitem>
<para>This command was renamed from <command>reload</command> in
Shorewall 5.0.0.</para>
<para>If <emphasis>directory</emphasis> is omitted, the current
working directory is assumed. Allows a non-root user to compile a
shorewall6 script and install it on a system (provided that the user
@ -1506,6 +1639,67 @@
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">remote_start </emphasis>
[-<option>s</option>] [-<option>c</option>] [-<option>r</option>
<replaceable>root-user-name</replaceable>] [-<option>T</option>]
[-<option>i</option>] [ <replaceable>directory</replaceable> ]
<replaceable>system</replaceable></term>
<listitem>
<para>This command was added in Shorewall 5.0.0.</para>
<para>If <emphasis>directory</emphasis> is omitted, the current
working directory is assumed. Allows a non-root user to compile a
shorewall6 script and install it on a system (provided that the user
has root access to the system via ssh). The command is equivalent
to:</para>
<programlisting> <emphasis role="bold">/sbin/shorewall6 compile -e</emphasis> <emphasis><replaceable>directory</replaceable></emphasis> <replaceable>directory</replaceable><emphasis
role="bold">/firewall &&\</emphasis>
<emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><replaceable>system</replaceable><emphasis
role="bold">:/var/lib/shorewall6-lite/ &&\</emphasis>
<emphasis role="bold">ssh root@</emphasis><replaceable>system</replaceable> <emphasis
role="bold">'/sbin/shorewall6-lite start'</emphasis></programlisting>
<para>In other words, the configuration in the specified (or
defaulted) directory is compiled to a file called firewall in that
directory. If compilation succeeds, then firewall is copied to
<replaceable>system</replaceable> using scp. If the copy succeeds,
Shorewall6 Lite on <replaceable>system</replaceable> is started via
ssh.</para>
<para>If <option>-s</option> is specified and the <emphasis
role="bold">start</emphasis> command succeeds, then the remote
Shorewall6-lite configuration is saved by executing
<command>shorewall6-lite save</command> via ssh.</para>
<para>if <option>-c</option> is included, the command
<command>shorewall6-lite show capabilities -f >
/var/lib/shorewall6-lite/capabilities</command> is executed via ssh
then the generated file is copied to
<replaceable>directory</replaceable> using scp. This step is
performed before the configuration is compiled.</para>
<para>If <option>-r</option> is included, it specifies that the root
user on <replaceable>system</replaceable> is named
<replaceable>root-user-name</replaceable> rather than "root".</para>
<para>The <option>-T</option> option was added in Shorewall 4.5.3
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the current line
contains alternative input specifications following a semicolon
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
set to Yes in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
...]</emphasis><acronym/></term>
@ -1525,12 +1719,14 @@
[-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
<listitem>
<para>Restart is similar to <command>shorewall6 start</command>
except that it assumes that the firewall is already started.
Existing connections are maintained. If a
<emphasis>directory</emphasis> is included in the command,
Shorewall6 will look in that <emphasis>directory</emphasis> first
for configuration files.</para>
<para>Beginning with Shorewall 5.0.0, this command performs a true
restart. The firewall is completely stopped as if a
<command>stop</command> command had been issued then it is started
again.</para>
<para>If a <emphasis>directory</emphasis> is included in the
command, Shorewall6 will look in that <emphasis>directory</emphasis>
first for configuration files.</para>
<para>The <option>-n</option> option causes Shorewall6 to avoid
updating the routing table(s).</para>