From f9ec0c69305e55d622044f2fb5382f2699da0b12 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 26 Jul 2015 09:59:49 -0700 Subject: [PATCH] New 'reload' and 'restart' semantics Signed-off-by: Tom Eastep --- Shorewall-core/lib.cli | 8 +- Shorewall-lite/manpages/shorewall-lite.xml | 49 ++- Shorewall/Makefile | 4 +- Shorewall/Perl/Shorewall/Chains.pm | 12 +- Shorewall/Perl/Shorewall/Compiler.pm | 8 +- Shorewall/Perl/Shorewall/Misc.pm | 4 +- Shorewall/Perl/Shorewall/Providers.pm | 16 +- Shorewall/Perl/Shorewall/Zones.pm | 4 +- Shorewall/Perl/lib.core | 2 +- Shorewall/Perl/prog.footer | 171 ++++----- Shorewall/configfiles/init | 2 +- Shorewall/configfiles/initdone | 5 +- Shorewall/configfiles/start | 2 +- Shorewall/configfiles/started | 9 +- Shorewall/default.debian | 5 + Shorewall/init.debian.sh | 14 +- Shorewall/init.fedora.sh | 20 +- Shorewall/init.sh | 6 +- Shorewall/init.slackware.shorewall.sh | 12 +- Shorewall/init.suse.sh | 6 +- Shorewall/lib.cli-std | 51 ++- Shorewall/manpages/shorewall.xml | 372 +++++++++++++----- Shorewall6-lite/manpages/shorewall6-lite.xml | 37 +- Shorewall6/manpages/shorewall6.xml | 384 ++++++++++++++----- 24 files changed, 844 insertions(+), 359 deletions(-) diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index 28b36b2b3..fbe372e5c 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli @@ -3787,7 +3787,7 @@ start_command() { } # -# Restart Command Executor +# Reload/Restart Command Executor # restart_command() { local finished @@ -3846,11 +3846,11 @@ restart_command() { [ -n "$g_nolock" ] || mutex_on if [ -x ${VARDIR}/firewall ]; then - run_it ${VARDIR}/firewall $g_debugging restart + run_it ${VARDIR}/firewall $g_debugging $COMMAND rc=$? else error_message "${VARDIR}/firewall is missing or is not executable" - logger -p kern.err "ERROR:$g_product restart failed" + logger -p kern.err "ERROR:$g_product $COMMAND failed" rc=6 fi 
@@ -4205,7 +4205,7 @@ shorewall_cli() { run_it $g_firewall $g_debugging reset $@ [ -n "$g_nolock" ] || mutex_off ;; - restart) + reload|restart) get_config Yes Yes shift restart_command $@ diff --git a/Shorewall-lite/manpages/shorewall-lite.xml b/Shorewall-lite/manpages/shorewall-lite.xml index 5f806bd63..055302466 100644 --- a/Shorewall-lite/manpages/shorewall-lite.xml +++ b/Shorewall-lite/manpages/shorewall-lite.xml @@ -329,6 +329,21 @@ address + + shorewall-lite + + | + + -options + + + + + + + + shorewall-lite @@ -708,6 +723,7 @@ If is given, the command will be processed by the compiled script that executed the last successful start, reload, restart or refresh command if that script exists. @@ -1026,6 +1042,32 @@ + + reload [-n] [-p] + [-] + + + Added in Shorewall 5.0.0, reload is similar to shorewall-lite start except that it assumes + that the firewall is already started. Existing connections are + maintained. + + The option causes Shorewall-lite to avoid + updating the routing table(s). + + The option causes the connection tracking + table to be flushed; the conntrack utility must + be installed to use this option. + + The option was added in Shorewall 4.6.5. + If the specified (or implicit) firewall script is the one that + generated the current running configuration, then the running + netfilter configuration will be reloaded as is so as to preserve the + iptables packet and byte counters. + + + reset [chain, ...] @@ -1043,9 +1085,10 @@ [-] - Restart is similar to shorewall-lite - start except that it assumes that the firewall is already - started. Existing connections are maintained. + Beginning with Shorewall 5.0.0, this command performs a true + restart. The firewall is completely stopped as if a + stop command had been issued then it is started + again. The option causes Shorewall-lite to avoid updating the routing table(s). diff --git a/Shorewall/Makefile b/Shorewall/Makefile index e5ba97e18..040424468 100644 --- a/Shorewall/Makefile 
+++ b/Shorewall/Makefile @@ -8,11 +8,11 @@ all: $(VARDIR)/$(RESTOREFILE) $(VARDIR)/$(RESTOREFILE): $(CONFDIR)/* @/sbin/shorewall -q save >/dev/null; \ if \ - /sbin/shorewall -q restart >/dev/null 2>&1; \ + /sbin/shorewall -q reload >/dev/null 2>&1; \ then \ /sbin/shorewall -q save >/dev/null; \ else \ - /sbin/shorewall -q restart 2>&1 | tail >&2; exit 1; \ + /sbin/shorewall -q restore 2>&1 | tail >&2; exit 1; \ fi clean: diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index ca564d328..5cec5f784 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -7070,9 +7070,9 @@ sub verify_source_interface( $$$$ ) { fatal_error "A wildcard interface ( $iiface) is not allowed in this context" if $iiface =~ /\+$/; if ( $table eq 'nat' ) { - warning_message qq(Using an interface as the masq SOURCE requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount++; + warning_message qq(Using an interface as the masq SOURCE requires the interface to be up and configured when $Product starts/restarts/reloads) unless $idiotcount++; } else { - warning_message qq(Using an interface as the SOURCE in a T: rule requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount1++; + warning_message qq(Using an interface as the SOURCE in a T: rule requires the interface to be up and configured when $Product starts/restarts/reloads) unless $idiotcount1++; } push_command $chainref, join( '', 'for source in ', get_interface_nets( $iiface) , '; do' ), 'done'; @@ -7962,7 +7962,7 @@ sub save_dynamic_chains() { my $tool = $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}'; my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore'; - emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = refresh ]; then' ); + emit ( 'if [ "$COMMAND" = reload -o "$COMMAND" = refresh ]; then' ); push_indent; emit( 'if [ -n "$g_counters" ]; then' , 
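Review bot: The failure branch now runs `restore` while the reload's own diagnostics are discarded, because the reload in the `if` still sends both streams to /dev/null, so the `tail >&2` shows only the restore output and the reason the reload failed is lost. Before this change the command was re-run to surface its errors; with the new restore fallback that re-run is gone. Consider redirecting the reload's output to a temporary file instead of /dev/null and tailing that file to stderr before the `restore` in the `else` branch.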
@@ -8251,7 +8251,7 @@ sub load_ipsets() { } if ( @ipsets ) { - emit ( 'elif [ "$COMMAND" = restart ]; then' ); + emit ( 'elif [ "$COMMAND" = reload ]; then' ); ensure_ipset( $_ ) for @ipsets; } @@ -8318,7 +8318,7 @@ sub create_netfilter_load( $ ) { my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE'; emit( '', - 'if [ "$COMMAND" = restart -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then', + 'if [ "$COMMAND" = reload -a -n "$g_counters" ] && chain_exists $g_sha1sum1 && chain_exists $g_sha1sum2 ; then', ' option="--counters"', '', ' progress_message "Reusing existing ruleset..."', @@ -8371,7 +8371,7 @@ sub create_netfilter_load( $ ) { } } # - # SHA1SUM chains for handling 'restart -s' + # SHA1SUM chains for handling 'reload -s' # if ( $table eq 'filter' ) { emit_unindented ':$g_sha1sum1 - [0:0]'; diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index 301d49ae0..8239621e5 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm @@ -217,7 +217,7 @@ sub generate_script_2() { my @dont_load = split_list $config{DONT_LOAD}, 'module'; - emit ( '[ -n "${COMMAND:=restart}" ]', + emit ( '[ -n "${COMMAND:=reload}" ]', '[ -n "${VERBOSITY:=0}" ]', qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]) ); @@ -361,7 +361,7 @@ sub generate_script_3($) { create_chainlist_reload( $_[0] ); create_save_ipsets; - emit "#\n# Start/Restart the Firewall\n#"; + emit "#\n# Start/Reload the Firewall\n#"; emit( 'define_firewall() {', ' local options' ); @@ -567,8 +567,8 @@ case $COMMAND in start) logger -p kern.info "$g_product started" ;; - restart) - logger -p kern.info "$g_product restarted" + reloaded) + logger -p kern.info "$g_product reloaded" ;; refresh) logger -p kern.info "$g_product refreshed" diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index 1e18f38b7..1ca292ddd 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm 
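Review bot: The new case label `reloaded)` in the emitted epilogue will never match: the generated script sets `$COMMAND` to `reload` (prog.footer's `reload)` arm and the `COMMAND=reload` assignments in Providers.pm on this page), and the matching failure arm in Misc.pm uses `reload)`. As written a successful reload produces no kern.info syslog entry, which matters for anyone auditing firewall changes from logs. Change the label to `reload)` and keep `logger -p kern.info "$g_product reloaded"`. The emitted `case $COMMAND in` block continues outside the hunk.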
+++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -2471,8 +2471,8 @@ EOF start) logger -p kern.err "ERROR:$g_product start failed" ;; - restart) - logger -p kern.err "ERROR:$g_product restart failed" + reload) + logger -p kern.err "ERROR:$g_product reload failed" ;; refresh) logger -p kern.err "ERROR:$g_product refresh failed" diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index 2209772a1..6e0359f8d 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -1797,7 +1797,7 @@ sub compile_updown() { if ( $wildcard ) { emit( ' if [ "$state" = started ]; then', - ' COMMAND=restart', + ' COMMAND=reload', ' else', ' COMMAND=start', ' fi' ); @@ -1816,8 +1816,8 @@ sub compile_updown() { if ( $wildcard ) { emit( ' if [ "$state" = started ]; then', - ' progress_message3 "$g_product attempting restart"', - ' COMMAND=restart', + ' progress_message3 "$g_product attempting reload"', + ' COMMAND=reload', ' detect_configuration', ' define_firewall', ' fi' ); @@ -1859,8 +1859,8 @@ sub compile_updown() { emit( '', ' if [ "$state" = started ]; then', - ' COMMAND=restart', - ' progress_message3 "$g_product attempting restart"', + ' COMMAND=reload', + ' progress_message3 "$g_product attempting reload"', ' detect_configuration', ' define_firewall', ' elif [ "$state" = stopped ]; then', @@ -1884,8 +1884,8 @@ sub compile_updown() { emit( "$interfaces)", ' case $state in', ' started)', - ' COMMAND=restart', - ' progress_message3 "$g_product attempting restart"', + ' COMMAND=reload', + ' progress_message3 "$g_product attempting reload"', ' detect_configuration', ' define_firewall', ' ;;', @@ -2054,7 +2054,7 @@ sub handle_optional_interfaces( $ ) { emit( '', 'if [ -z "$HAVE_INTERFACE" ]; then' , ' case "$COMMAND" in', - ' start|restart|restore|refresh)' + ' start|reload|restore|refresh)' ); if ( $family == F_IPV4 ) { 
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index 64f7e07d2..72846c079 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -1884,7 +1884,7 @@ sub verify_required_interfaces( $ ) { push_indent; - emit( 'start|restart|restore)' ); + emit( 'start|reload|restore)' ); push_indent; @@ -1946,7 +1946,7 @@ sub verify_required_interfaces( $ ) { if ( $generate_case ) { emit( 'case "$COMMAND" in' ); push_indent; - emit( 'start|restart|restore|refresh)' ); + emit( 'start|reload|restore|refresh)' ); push_indent; } diff --git a/Shorewall/Perl/lib.core b/Shorewall/Perl/lib.core index 78a7a962e..04655f749 100644 --- a/Shorewall/Perl/lib.core +++ b/Shorewall/Perl/lib.core @@ -21,7 +21,7 @@ # -v and -q Standard Shorewall Verbosity control # -t Timestamp progress messages # -p Purge conntrack table -# -r Recover from failed start/restart +# -r Recover from failed start/reload # -V Set verbosity level explicitly # -R Overrides RESTOREFILE setting # diff --git a/Shorewall/Perl/prog.footer b/Shorewall/Perl/prog.footer index eb712759e..a38c243dc 100644 --- a/Shorewall/Perl/prog.footer +++ b/Shorewall/Perl/prog.footer @@ -17,6 +17,7 @@ usage() { echo " reset" echo " reenable " echo " refresh" + echo " reload" echo " restart" echo " run [ ... ]" echo " status" 
@@ -37,27 +38,30 @@ usage() { exit $1 } -checkkernelversion() { -?if __IPV6 - local kernel - - kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//') - - case "$kernel" in - *.*.*) - kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g')) - ;; - *) - kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g')) - ;; - esac - - if [ $kernel -lt 20624 ]; then - error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later" - return 1 +start_command() { + if product_is_started; then + error_message "$g_product is already Running" + status=0 + else + progress_message3 "Starting $g_product...." + detect_configuration + define_firewall + status=$? + if [ $status -eq 0 ]; then + [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK + progress_message3 "done." + fi fi -?endif + return $status +} + +stop_command() { + progress_message3 "Stopping $g_product...." + detect_configuration + stop_firewall + [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK + progress_message3 "done." return 0 } 
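Review bot: `stop_command` never assigns `status`, whereas the inline code it replaces set `status=0`, while `start_command` assigns the global `status` on every path; if the script's epilogue (outside this hunk) exits with `$status`, the `stop)` path now depends on an initialization I cannot see from here. Add `status=0` before the `return 0` in `stop_command` so both helpers leave `status` in a defined state, or make the `stop)` arm set it from the function's return code. A short header comment on each helper stating that it sets the global `status` (and that `stop_command` returns 0 unconditionally) would make the contract visible to the case arms that call them.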
@@ -224,94 +228,71 @@ COMMAND="$1" case "$COMMAND" in start) [ $# -ne 1 ] && usage 2 - if product_is_started; then - error_message "$g_product is already Running" - status=0 - else - progress_message3 "Starting $g_product...." - if checkkernelversion; then - detect_configuration - define_firewall - status=$? - if [ $status -eq 0 ]; then - [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK - progress_message3 "done." - fi - fi - fi + start_command ;; stop) [ $# -ne 1 ] && usage 2 - if checkkernelversion; then - progress_message3 "Stopping $g_product...." - detect_configuration - stop_firewall - status=0 - [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK - progress_message3 "done." - fi + stop_command ;; reset) if ! product_is_started ; then error_message "$g_product is not running" status=2 - elif checkkernelversion; then - if [ $# -eq 1 ]; then - $g_tool -Z - $g_tool -t mangle -Z - date > ${VARDIR}/restarted - status=0 - progress_message3 "$g_product Counters Reset" - else - shift - status=0 - for chain in $@; do - if chain_exists $chain; then - if qt $g_tool-Z $chain; then - progress_message3 "Filter $chain Counters Reset" - else - error_message "ERROR: Reset of chain $chain failed" - status=2 - break - fi + elif [ $# -eq 1 ]; then + $g_tool -Z + $g_tool -t mangle -Z + date > ${VARDIR}/restarted + status=0 + progress_message3 "$g_product Counters Reset" + else + shift + status=0 + for chain in $@; do + if chain_exists $chain; then + if qt $g_tool-Z $chain; then + progress_message3 "Filter $chain Counters Reset" else - error_message "WARNING: Filter Chain $chain does not exist" + error_message "ERROR: Reset of chain $chain failed" + status=2 + break fi - done - fi + else + error_message "WARNING: Filter Chain $chain does not exist" + fi + done fi ;; - restart) + reload) [ $# -ne 1 ] && usage 2 if product_is_started; then - progress_message3 "Restarting $g_product...." + progress_message3 "Reloading $g_product...." 
else error_message "$g_product is not running" progress_message3 "Starting $g_product...." COMMAND=start fi - if checkkernelversion; then - detect_configuration - define_firewall - status=$? - if [ -n "$SUBSYSLOCK" ]; then - [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK - fi + detect_configuration + define_firewall + status=$? + if [ -n "$SUBSYSLOCK" ]; then + [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK + fi - [ $status -eq 0 ] && progress_message3 "done." - fi + [ $status -eq 0 ] && progress_message3 "done." + ;; + restart) + [ $# -ne 1 ] && usage 2 + COMMAND=stop stop_command && COMMAND=start start_command ;; refresh) [ $# -ne 1 ] && usage 2 if product_is_started; then progress_message3 "Refreshing $g_product...." - if checkkernelversion; then - detect_configuration - define_firewall - status=$? - [ $status -eq 0 ] && progress_message3 "done." - fi + detect_configuration + define_firewall + status=$? + [ $status -eq 0 ] && progress_message3 "done." else echo "$g_product is not running" >&2 status=2 @@ -319,27 +300,23 @@ case "$COMMAND" in ;; restore) [ $# -ne 1 ] && usage 2 - if checkkernelversion; then - detect_configuration - define_firewall - status=$? - if [ -n "$SUBSYSLOCK" ]; then - [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK - fi - [ $status -eq 0 ] && progress_message3 "done." - fi + detect_configuration + define_firewall + status=$? + if [ -n "$SUBSYSLOCK" ]; then + [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK + fi + [ $status -eq 0 ] && progress_message3 "done." ;; clear) [ $# -ne 1 ] && usage 2 progress_message3 "Clearing $g_product...." - if checkkernelversion; then - clear_firewall - status=0 - if [ -n "$SUBSYSLOCK" ]; then - rm -f $SUBSYSLOCK - fi - progress_message3 "done." + clear_firewall + status=0 + if [ -n "$SUBSYSLOCK" ]; then + rm -f $SUBSYSLOCK fi + progress_message3 "done." ;; status) [ $# -ne 1 ] && usage 2 
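Review bot: In the new `restart)` arm, `COMMAND=stop stop_command && COMMAND=start start_command` relies on prefix assignments to shell functions, whose persistence after the call is unspecified by POSIX (dash keeps them, bash by default does not), so after a restart `$COMMAND` is `start` under one shell and `restart` under another. The generated epilogue `case $COMMAND in` (Compiler.pm hunk on this page) has a `start)` arm but no `restart)` arm, so whether a restart is logged to syslog as "started" or not at all depends on `/bin/sh`. Assign `COMMAND` as separate statements so the value is deterministic; `status` is then set by `start_command`, since `stop_command` does not assign it. The `case "$COMMAND" in` block continues outside the hunk.
```shell
    restart)
        [ $# -ne 1 ] && usage 2
        COMMAND=stop
        if stop_command; then
            COMMAND=start
            start_command
        fi
        ;;
```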
diff --git a/Shorewall/configfiles/init b/Shorewall/configfiles/init index d3bffbc92..3c70ed407 100644 --- a/Shorewall/configfiles/init +++ b/Shorewall/configfiles/init @@ -4,7 +4,7 @@ # /etc/shorewall/init # # Add commands below that you want to be executed at the beginning of -# a "shorewall start" or "shorewall restart" command. +# a "shorewall start", "shorewall-reload" or "shorewall restart" command. # # For additional information, see # http://shorewall.net/shorewall_extension_scripts.htm diff --git a/Shorewall/configfiles/initdone b/Shorewall/configfiles/initdone index dd549c298..ccddd93ce 100644 --- a/Shorewall/configfiles/initdone +++ b/Shorewall/configfiles/initdone @@ -4,8 +4,9 @@ # /etc/shorewall/initdone # # Add commands below that you want to be executed during -# "shorewall start" or "shorewall restart" commands at the point where -# Shorewall has not yet added any permanent rules to the builtin chains. +# "shorewall start", "shorewall reload" or "shorewall restart" commands +# at the point where Shorewall has not yet added any permanent rules to +# the builtin chains. # # For additional information, see # http://shorewall.net/shorewall_extension_scripts.htm diff --git a/Shorewall/configfiles/start b/Shorewall/configfiles/start index 1ad810cfe..ad72931ab 100644 --- a/Shorewall/configfiles/start +++ b/Shorewall/configfiles/start @@ -4,7 +4,7 @@ # /etc/shorewall/start # # Add commands below that you want to be executed after shorewall has -# been started or restarted. +# been started, reloaded or restarted. # # See http://shorewall.net/shorewall_extension_scripts.htm for additional # information. diff --git a/Shorewall/configfiles/started b/Shorewall/configfiles/started index b7704dbab..243799fad 100644 --- a/Shorewall/configfiles/started +++ b/Shorewall/configfiles/started 
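Review bot: The new comment text writes the reload command as `"shorewall-reload"` (hyphenated, which reads as a program name) while the sibling extension-script headers in initdone and start on this page use the form `"shorewall reload"`. Change the line to `# a "shorewall start", "shorewall reload" or "shorewall restart" command.` so the three files agree.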
@@ -4,11 +4,10 @@ # /etc/shorewall/started # # Add commands below that you want to be executed after shorewall has -# been completely started or restarted. The difference between this -# extension script and /etc/shorewall/start is that this one is invoked -# after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and -# after the 'shorewall' chain has been created (thus signaling that the -# firewall is completely up). +# been completely started, reloaded or restarted. The difference between +# this extension script and /etc/shorewall/start is that this one is +# invoked after the 'shorewall' chain has been created (thus +# signaling that the firewall is completely up). # # This script should not change the firewall configuration directly but # may do so indirectly by running /sbin/shorewall with the 'nolock' diff --git a/Shorewall/default.debian b/Shorewall/default.debian index d65ea3d24..0615ea015 100644 --- a/Shorewall/default.debian +++ b/Shorewall/default.debian @@ -25,6 +25,11 @@ OPTIONS="" # STARTOPTIONS="" +# +# Restart options +# +RELOADOPTIONS="" + # # Restart options # diff --git a/Shorewall/init.debian.sh b/Shorewall/init.debian.sh index 8cc333021..5052f6b60 100755 --- a/Shorewall/init.debian.sh +++ b/Shorewall/init.debian.sh @@ -106,6 +106,13 @@ shorewall_stop () { return 0 } +# reload the firewall +shorewall_reload () { + echo -n "Reloading \"Shorewall firewall\": " + $SRWL $SRWL_OPTS restart $RELOADOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone + return 0 +} + # restart the firewall shorewall_restart () { echo -n "Restarting \"Shorewall firewall\": " 
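Review bot: The new `RELOADOPTIONS=""` block is introduced by the header `# Restart options`, leaving two identical "Restart options" headers back to back and no indication that this variable feeds the reload path. Change the new header to `# Reload options` so an administrator editing this file can tell the two knobs apart.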
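Review bot: `shorewall_reload` invokes `$SRWL $SRWL_OPTS restart $RELOADOPTIONS`, so the init script's reload action performs the full stop-then-start that this commit gives `restart` (the shorewall-lite manpage hunk on this page describes it as a complete stop followed by a start), dropping established connections — exactly what a reload is meant to avoid. The line should be `$SRWL $SRWL_OPTS reload $RELOADOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone`. The same mismatch is in init.suse.sh, whose new `reload)` arm execs `shorewall $OPTIONS restart $RELOADOPTIONS`.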
@@ -135,14 +142,17 @@ case "$1" in refresh) shorewall_refresh ;; - force-reload|restart) + restart) shorewall_restart ;; + force0reload|reload) + shorewall_reload + ;; status) shorewall_status ;; *) - echo "Usage: /etc/init.d/shorewall {start|stop|refresh|restart|force-reload|status}" + echo "Usage: /etc/init.d/shorewall {start|stop|refresh|reload|restart|force-reload|status}" exit 1 esac diff --git a/Shorewall/init.fedora.sh b/Shorewall/init.fedora.sh index 9ab64f689..e36c5d329 100755 --- a/Shorewall/init.fedora.sh +++ b/Shorewall/init.fedora.sh @@ -65,6 +65,21 @@ stop() { return $retval } +reload() { + echo -n $"Reloading Shorewall: " + $shorewall $OPTIONS reload $RELOADOPTIONS 2>&1 | $logger + retval=${PIPESTATUS[0]} + if [[ $retval == 0 ]]; then + touch $lockfile + success + else # Failed to start, clean up lock file if present + rm -f $lockfile + failure + fi + echo + return $retval +} + restart() { # Note that we don't simply stop and start since shorewall has a built in # restart which stops the firewall if running and then starts it. @@ -100,7 +115,10 @@ case "$1" in status_q || exit 0 $1 ;; - restart|reload|force-reload) + reload|force-reload) + reload + ;; + restart) restart ;; condrestart|try-restart) diff --git a/Shorewall/init.sh b/Shorewall/init.sh index 4ece82c83..a4a50ba15 100755 --- a/Shorewall/init.sh +++ b/Shorewall/init.sh @@ -30,7 +30,6 @@ RCDLINKS="2,S41 3,S41 6,K41" # shorewall start Starts the firewall # shorewall restart Restarts the firewall # shorewall reload Reload the firewall -# (same as restart) # shorewall stop Stops the firewall # shorewall status Displays firewall status # @@ -82,7 +81,10 @@ case "$command" in start) exec $SBINDIR/shorewall $OPTIONS start $STARTOPTIONS ;; - restart|reload) + reload) + exec $SBINDIR/shorewall $OPTIONS reload $RELOADOPTIONS + ;; + restart) exec $SBINDIR/shorewall $OPTIONS restart $RESTARTOPTIONS ;; status|stop) 
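Review bot: The new case pattern `force0reload|reload)` has a digit zero where `force-reload` needs a hyphen, so `force-reload` no longer matches any arm and presumably falls through to `*)`, printing the usage line and exiting 1, even though the usage text in the same hunk still advertises `force-reload`. The action was previously handled by the `force-reload|restart)` arm this hunk removes, so this is a regression for Debian's standard `force-reload` action. The pattern should be `force-reload|reload)`.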
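Review bot: In the new `reload()` the failure branch removes `$lockfile`, but a failed reload does not necessarily leave the firewall stopped (this hunk gives no evidence either way), so `status` may then report the service as stopped while a ruleset is still loaded; consider leaving the lock file alone on reload failure, or querying the product's own state before touching it. The inline comment `# Failed to start, clean up lock file if present` was carried over from start() and should read `# Failed to reload`.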
diff --git a/Shorewall/init.slackware.shorewall.sh b/Shorewall/init.slackware.shorewall.sh index bc5e2ef7d..82afc6b5c 100755 --- a/Shorewall/init.slackware.shorewall.sh +++ b/Shorewall/init.slackware.shorewall.sh @@ -27,6 +27,11 @@ stop() { exec /sbin/shorewall stop } +reload() { + echo "Reloading IPv4 shorewall rules..." + exec /sbin/shorewall reload $RELOADOPTIONS +} + restart() { echo "Restarting IPv4 shorewall rules..." exec /sbin/shorewall restart $RESTARTOPTIONS @@ -43,10 +48,13 @@ case "$1" in 'stop') stop ;; - 'reload'|'restart') + 'reload') + reload + ;; + 'restart') restart ;; - 'status') + 'status') status ;; *) diff --git a/Shorewall/init.suse.sh b/Shorewall/init.suse.sh index a7157db53..c6dc6d9c4 100755 --- a/Shorewall/init.suse.sh +++ b/Shorewall/init.suse.sh @@ -31,7 +31,6 @@ # shorewall start Starts the firewall # shorewall restart Restarts the firewall # shorewall reload Reload the firewall -# (same as restart) # shorewall stop Stops the firewall # shorewall status Displays firewall status # @@ -81,7 +80,10 @@ case "$command" in start) exec $SBINDIR/shorewall $OPTIONS start $STARTOPTIONS ;; - restart|reload) + reload) + exec $SBINDIR/shorewall $OPTIONS restart $RELOADOPTIONS + ;; + restart) exec $SBINDIR/shorewall $OPTIONS restart $RESTARTOPTIONS ;; status|stop) diff --git a/Shorewall/lib.cli-std b/Shorewall/lib.cli-std index e1cc6dde2..88f39b598 100644 --- a/Shorewall/lib.cli-std +++ b/Shorewall/lib.cli-std @@ -931,7 +931,7 @@ update_command() { } # -# Restart Command Executor +# Reload/Restart Command Executor # restart_command() { local finished 
@@ -1027,22 +1027,22 @@ restart_command() { uptodate ${VARDIR}/firewall && g_fast=Yes fi - g_file="${VARDIR}/.restart" + g_file="${VARDIR}/.${COMMAND}" if [ -z "$g_fast" ]; then if compiler $g_debugging $nolock compile "$g_file"; then [ -n "$nolock" ] || mutex_on - run_it ${VARDIR}/.restart $g_debugging restart + run_it ${VARDIR}/.${COMMAND} $g_debugging ${COMMAND} rc=$? [ -n "$nolock" ] || mutex_off else rc=$? - logger -p kern.err "ERROR:$g_product restart failed" + logger -p kern.err "ERROR:$g_product ${COMMAND} failed" fi else [ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found" [ -n "$nolock" ] || mutex_on - run_it ${VARDIR}/firewall $g_debugging restart + run_it ${VARDIR}/firewall $g_debugging $COMMAND rc=$? [ -n "$nolock" ] || mutex_off fi @@ -1138,7 +1138,7 @@ refresh_command() { } # -# Safe-start/safe-restart Command Executor +# Safe-start/safe-reload/safe-restart Command Executor # safe_commands() { local finished @@ -1229,8 +1229,8 @@ safe_commands() { # the command is safe-start or shorewall[6] is not started yet command="start" else - # the command is safe-restart and the firewall is already running - command="restart" + # the command is safe-reload or safe-restart and the firewall is already running + command="${COMMAND#safe-}" fi g_file="${VARDIR}/.$command" @@ -1245,6 +1245,12 @@ safe_commands() { RESTOREFILE=NONE progress_message3 "Starting..." ;; + reload) + RESTOREFILE=.safe + g_restorepath=${VARDIR}/.safe + save_config + progress_message3 "Reloading..." + ;; restart) RESTOREFILE=.safe g_restorepath=${VARDIR}/.safe @@ -1262,7 +1268,7 @@ safe_commands() { if read_yesno_with_timeout $timeout ; then echo "New configuration has been accepted" else - if [ "$command" = "restart" ]; then + if [ "$command" = "restart" -o "$command" = "reload" ]; then run_it ${VARDIR}/.safe restore else run_it ${VARDIR}/.$command clear 
@@ -1361,7 +1367,7 @@ try_command() { command="start" else # the firewall is already running - command="restart" + command="reload" fi g_file="${VARDIR}/.$command" @@ -1378,11 +1384,11 @@ try_command() { RESTOREFILE=NONE progress_message3 "Starting..." ;; - restart) + reload) RESTOREFILE=.try g_restorepath=${VARDIR}/.try save_config - progress_message3 "Restarting..." + progress_message3 "Reloading..." ;; esac @@ -1391,7 +1397,7 @@ try_command() { if run_it ${VARDIR}/.$command $g_debugging $command && [ -n "$timeout" ]; then sleep $timeout - if [ "$command" = "restart" ]; then + if [ "$command" = "reload" ]; then run_it ${VARDIR}/.try restore else run_it ${VARDIR}/.$command clear @@ -1417,9 +1423,9 @@ rcp_command() { } # -# [Re]load command executor +# Remote-{start|reload|restart} command executor # -reload_command() # $* = original arguments less the command. +remote_reload_command() # $* = original arguments less the command. { local verbose verbose=$(make_verbose) @@ -1572,12 +1578,15 @@ reload_command() # $* = original arguments less the command. progress_message3 "Copy complete" - if [ $COMMAND = reload ]; then - rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp restart" && \ + if [ $COMMAND = remote-reload ]; then + rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp reload" && \ progress_message3 "System $system reloaded" || saveit= + elif [ $COMMAND = remote-restart ]; then + rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp restart" && \ + progress_message3 "System $system restarted" || saveit= else rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp start" && \ - progress_message3 "System $system loaded" || saveit= + progress_message3 "System $system started" || saveit= fi if [ -n "$saveit" ]; then 
@@ -1694,9 +1703,9 @@ compiler_command() { shift update_command $@ ;; - load|reload) + remote-start|remote-reload-reload|remote-restart) shift - reload_command $@ + remote_reload_command $@ ;; export) shift @@ -1707,7 +1716,7 @@ compiler_command() { shift try_command $@ ;; - safe-restart|safe-start) + safe-reload|safe-restart|safe-start) get_config Yes shift safe_commands $@ diff --git a/Shorewall/manpages/shorewall.xml b/Shorewall/manpages/shorewall.xml index 1897d3067..555b55345 100644 --- a/Shorewall/manpages/shorewall.xml +++ b/Shorewall/manpages/shorewall.xml @@ -312,30 +312,6 @@ expression - - shorewall - - | - - -options - - - - - - - - root-user-name - - - - - - directory - - system - - shorewall @@ -448,7 +424,55 @@ -options - + + + + + + + root-user-name + + + + + + directory + + system + + + + shorewall + + | + + -options + + + + + + + + root-user-name + + + + + + directory + + system + + + + shorewall + + | + + -options + + 
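Review bot: The new dispatch pattern `remote-start|remote-reload-reload|remote-restart)` misspells the middle alternative, so `remote-reload` never reaches `remote_reload_command` (which tests `$COMMAND = remote-reload` in its own hunk above) and presumably falls to the default arm. Fix the pattern to `remote-start|remote-reload|remote-restart)`. Note also that the shorewall.xml hunk on this page documents these commands as `remote_start` and `remote_restart` (underscores), which do not match the hyphenated names dispatched here; the manpage and the CLI should agree on one spelling.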
@@ -1305,65 +1329,6 @@ - - load [-] - [-] [- - root-user-name] [-] - [-] [ directory ] - system - - - If directory is omitted, the current - working directory is assumed. Allows a non-root user to compile a - shorewall script and install it on a system (provided that the user - has root access to the system via ssh). The command is equivalent - to: - - /sbin/shorewall compile -e directory directory/firewall &&\ - scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\ - ssh root@system '/sbin/shorewall-lite start' - - In other words, the configuration in the specified (or - defaulted) directory is compiled to a file called firewall in that - directory. If compilation succeeds, then firewall is copied to - system using scp. If the copy succeeds, - Shorewall Lite on system is started via - ssh. - - If -s is specified and the - start command succeeds, then the - remote Shorewall-lite configuration is saved by executing shorewall-lite save via ssh. - - if -c is included, the - command shorewall-lite show capabilities -f - > /var/lib/shorewall-lite/capabilities is executed via - ssh then the generated file is copied to - directory using scp. This step is - performed before the configuration is compiled. - - If is included, it specifies that the root - user on system is named - root-user-name rather than "root". - - The option was added in Shorewall 4.5.3 - and causes a Perl stack trace to be included with each - compiler-generated error and warning message. - - The option was added in Shorewall 4.6.0 - and causes a warning message to be issued if the current line - contains alternative input specifications following a semicolon - (";"). Such lines will be handled incorrectly if INLINE_MATCHES is - set to Yes in shorewall.conf(5). - - - logdrop address 
@@ -1551,13 +1516,202 @@ - reload [-] - [-] [- + reload [-] + [-] [-] [-] + [-] [-] [-] + [-] [ directory ] + + + This command was re-implemented in Shorewall 5.0.0. The + pre-5.0.0 reload command is now called + remote_restart (see below). + + Reload is similar to shorewall + start except that it assumes that the firewall is already + started. Existing connections are maintained. If a + directory is included in the command, Shorewall + will look in that directory first for + configuration files. + + The option causes Shorewall to avoid + updating the routing table(s). + + The option causes the connection tracking + table to be flushed; the conntrack utility must + be installed to use this option. + + The option causes the compiler to run + under the Perl debugger. + + The option suppresses the compilation step + and simply reused the compiled script which last started/restarted + Shorewall, provided that /etc/shorewall and its contents have not + been modified since the last start/restart. + + The option was added in Shorewall 4.4.20 + and performs the compilation step unconditionally, overriding the + AUTOMAKE setting in shorewall.conf(5). When + both and are present, the + result is determined by the option that appears last. + + The option was added in Shorewall 4.5.3 + and causes a Perl stack trace to be included with each + compiler-generated error and warning message. + + The option was added in Shorewall 4.6.0 + and causes a warning message to be issued if the current line + contains alternative input specifications following a semicolon + (";"). Such lines will be handled incorrectly if INLINE_MATCHES is + set to Yes in shorewall.conf(5). + + The option was added in Shorewall 4.6.5 + and is only meaningful when AUTOMAKE=Yes in shorewall.conf(5). 
If an + existing firewall script is used and if that script was the one that + generated the current running configuration, then the running + netfilter configuration will be reloaded as is so as to preserve the + iptables packet and byte counters. + + + + + remote_start + [-] [-] [- root-user-name] [-] [-] [ directory ] system + This command was renamed from load in + Shorewall 5.0.0. + + If directory is omitted, the current + working directory is assumed. Allows a non-root user to compile a + shorewall script and install it on a system (provided that the user + has root access to the system via ssh). The command is equivalent + to: + + /sbin/shorewall compile -e directory directory/firewall &&\ + scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\ + ssh root@system '/sbin/shorewall-lite start' + + In other words, the configuration in the specified (or + defaulted) directory is compiled to a file called firewall in that + directory. If compilation succeeds, then firewall is copied to + system using scp. If the copy succeeds, + Shorewall Lite on system is started via + ssh. + + If -s is specified and the + start command succeeds, then the + remote Shorewall-lite configuration is saved by executing shorewall-lite save via ssh. + + if -c is included, the + command shorewall-lite show capabilities -f + > /var/lib/shorewall-lite/capabilities is executed via + ssh then the generated file is copied to + directory using scp. This step is + performed before the configuration is compiled. + + If is included, it specifies that the root + user on system is named + root-user-name rather than "root". + + The option was added in Shorewall 4.5.3 + and causes a Perl stack trace to be included with each + compiler-generated error and warning message. + + The option was added in Shorewall 4.6.0 + and causes a warning message to be issued if the current line + contains alternative input specifications following a semicolon + (";"). 
Such lines will be handled incorrectly if INLINE_MATCHES is + set to Yes in shorewall.conf(5). + + + + + remote_reload + [-] [-] + [- root-user-name] + [-] [-] [ + directory ] + system + + + This command was added in Shorewall 5.0.0. + + If directory is omitted, the current + working directory is assumed. Allows a non-root user to compile a + shorewall script and install it on a system (provided that the user + has root access to the system via ssh). The command is equivalent + to: + + /sbin/shorewall compile -e directory directory/firewall &&\ + scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\ + ssh root@system '/sbin/shorewall-lite reload' + + In other words, the configuration in the specified (or + defaulted) directory is compiled to a file called firewall in that + directory. If compilation succeeds, then firewall is copied to + system using scp. If the copy succeeds, + Shorewall Lite on system is restarted via + ssh. + + If -s is specified and the + restart command succeeds, then the + remote Shorewall-lite configuration is saved by executing shorewall-lite save via ssh. + + if -c is included, the + command shorewall-lite show capabilities -f + > /var/lib/shorewall-lite/capabilities is executed via + ssh then the generated file is copied to + directory using scp. This step is performed + before the configuration is compiled. + + If is included, it specifies that the root + user on system is named + root-user-name rather than "root". + + The option was added in Shorewall 4.5.3 + and causes a Perl stack trace to be included with each + compiler-generated error and warning message. + + The option was added in Shorewall 4.6.0 + and causes a warning message to be issued if the current line + contains alternative input specifications following a semicolon + (";"). Such lines will be handled incorrectly if INLINE_MATCHES is + set to Yes in shorewall.conf(5). 
+ + + + + remote_restart + [-] [-] + [- root-user-name] + [-] [-] [ + directory ] + system + + + This command was renamed from reload in + Shorewall 5.0.0. + If directory is omitted, the current working directory is assumed. Allows a non-root user to compile a shorewall script and install it on a system (provided that the user @@ -1628,12 +1782,14 @@ [-] [ directory ] - Restart is similar to shorewall - start except that it assumes that the firewall is already - started. Existing connections are maintained. If a - directory is included in the command, Shorewall - will look in that directory first for - configuration files. + Beginning with Shorewall 5.0.0, this command performs a true + restart. The firewall is completely stopped as if a + stop command had been issued then it is started + again. + + If a directory is included in the + command, Shorewall will look in that directory + first for configuration files. The option causes Shorewall to avoid updating the routing table(s). 
@@ -1744,6 +1900,38 @@ + + safe-reload + [-] [-] [-timeout ] [ + directory ] + + + Added in Shorewall 5.0.0, this command performs the same + function as did safe_restart in earlier + releases. + + Only allowed if Shorewall is running. The current + configuration is saved in /var/lib/shorewall/safe-reload (see the + save command below) then a shorewall + reload is done. You will then be prompted asking if you + want to accept the new configuration or not. If you answer "n" or if + you fail to answer within 60 seconds (such as when your new + configuration has disabled communication with your terminal), the + configuration is restored from the saved configuration. If a + directory is given, then Shorewall will look in that directory first + when opening configuration files. + + Beginning with Shorewall 4.5.0, you may specify a different + timeout value using the + option. The numeric + timeout may optionally be followed by an + , or suffix + (e.g., 5m) to specify seconds, minutes or hours respectively. If the + suffix is omitted, seconds is assumed. + + + safe-restart [-] [-] [- @@ -1003,6 +1004,31 @@ + + reload [-n] [-p] + [-] + + + Added in Shorewall 5.0.0, reload is similar to shorewall6-lite + start except that it assumes that the firewall is already + started. Existing connections are maintained. + + The option causes shorewall6-lite to avoid + updating the routing table(s). + + The option causes the connection tracking + table to be flushed; the conntrack utility must + be installed to use this option. + + The option was added in Shorewall 4.6.5. + If the specified (or implicit) firewall script is the one that + generated the current running configuration, then the running + netfilter configuration will be reloaded as is so as to preserve the + iptables packet and byte counters. + + + reset [chain, ...] 
@@ -1020,9 +1046,10 @@ [-] - Restart is similar to shorewall6-lite start - except that it assumes that the firewall is already started. - Existing connections are maintained. + Beginning with Shorewall 5.0.0, this command performs a true + restart. The firewall is completely stopped as if a + stop command had been issued then it is started + again. The option causes shorewall6-lite to avoid updating the routing table(s). diff --git a/Shorewall6/manpages/shorewall6.xml b/Shorewall6/manpages/shorewall6.xml index b7e851568..4a19c5c75 100644 --- a/Shorewall6/manpages/shorewall6.xml +++ b/Shorewall6/manpages/shorewall6.xml @@ -263,30 +263,6 @@ expression - - shorewall6 - - | - - -options - - - - - - - - root-user-name - - - - - - directory - - system - - shorewall6 @@ -402,7 +378,55 @@ -options - + + + + + + + root-user-name + + + + + + directory + + system + + + + shorewall6 + + | + + -options + + + + + + + + root-user-name + + + + + + directory + + system + + + + shorewall6 + + | + + -options + + @@ -430,6 +454,29 @@ + + shorewall6 + + | + + -options + + + + + + + + + + + + + + directory + + shorewall6 @@ -482,6 +529,23 @@ parameter ... + + shorewall6 + + | + + -options + + + + + + timeout + + directory + + shorewall6 
@@ -1201,65 +1265,6 @@ - - load [-] - [-] [- - root-user-name] [-] - [-] [ directory ] - system - - - If directory is omitted, the current - working directory is assumed. Allows a non-root user to compile a - shorewall6 script and install it on a system (provided that the user - has root access to the system via ssh). The command is equivalent - to: - - /sbin/shorewall6 compile -e directory directory/firewall &&\ - scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall6-lite/ &&\ - ssh root@system '/sbin/shorewall6-lite start' - - In other words, the configuration in the specified (or - defaulted) directory is compiled to a file called firewall in that - directory. If compilation succeeds, then firewall is copied to - system using scp. If the copy succeeds, - Shorewall6 Lite on system is started via - ssh. - - If is specified and the start command succeeds, then the remote - Shorewall6-lite configuration is saved by executing - shorewall6-lite save via ssh. - - if is included, the command - shorewall6-lite show capabilities -f > - /var/lib/shorewall6-lite/capabilities is executed via ssh - then the generated file is copied to - directory using scp. This step is - performed before the configuration is compiled. - - If is included, it specifies that the root - user on system is named - root-user-name rather than "root". - - The option was added in Shorewall 4.5.3 - and causes a Perl stack trace to be included with each - compiler-generated error and warning message. - - The option was added in Shorewall 4.6.0 - and causes a warning message to be issued if the current line - contains alternative input specifications following a semicolon - (";"). Such lines will be handled incorrectly if INLINE_MATCHES is - set to Yes in shorewall6.conf(5). - - - logdrop address 
@@ -1448,13 +1453,141 @@ - reload [-] - [-] [- - root-user-name] [-] - [-] [ directory ] + reload [-] + [-] [-] [-] + [-] [-] [-] + [-] [ directory ] + + + This command was re-implemented in Shorewall 5.0.0. The + pre-5.0.0 reload command is now called + remote_restart (see below). + + Reload is similar to shorewall6 start + except that it assumes that the firewall is already started. + Existing connections are maintained. If a + directory is included in the command, + Shorewall6 will look in that directory first + for configuration files. + + The option causes Shorewall6 to avoid + updating the routing table(s). + + The option causes the connection tracking + table to be flushed; the conntrack utility must + be installed to use this option. + + The option causes the compiler to run + under the Perl debugger. + + The option suppresses the compilation step + and simply reused the compiled script which last started/restarted + Shorewall, provided that /etc/shorewall6 + and its contents have not been modified since the last + start/restart. + + The option was added in Shorewall 4.4.20 + and performs the compilation step unconditionally, overriding the + AUTOMAKE setting in shorewall6.conf(5). + When both and are present, + the result is determined by the option that appears last. + + The option was added in Shorewall 4.5.3 + and causes a Perl stack trace to be included with each + compiler-generated error and warning message. + + The option was added in Shorewall 4.6.0 + and causes a warning message to be issued if the current line + contains alternative input specifications following a semicolon + (";"). Such lines will be handled incorrectly if INLINE_MATCHES is + set to Yes in shorewall6.conf(5). + + The option was added in Shorewall 4.6.5 + and is only meaningful when AUTOMAKE=Yes in shorewall6.conf(5). 
If + an existing firewall script is used and if that script was the one + that generated the current running configuration, then the running + netfilter configuration will be reloaded as is so as to preserve the + iptables packet and byte counters. + + + + + remote_reload + [-] [-] + [- root-user-name] + [-] [-] [ + directory ] system + This command was added in Shorewall 5.0.0. + + If directory is omitted, the current + working directory is assumed. Allows a non-root user to compile a + shorewall6 script and install it on a system (provided that the user + has root access to the system via ssh). The command is equivalent + to: + + /sbin/shorewall6 compile -e directory directory/firewall &&\ + scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall6-lite/ &&\ + ssh root@system '/sbin/shorewall6-lite reload' + + In other words, the configuration in the specified (or + defaulted) directory is compiled to a file called firewall in that + directory. If compilation succeeds, then firewall is copied to + system using scp. If the copy succeeds, + Shorewall6 Lite on system is restarted via + ssh. + + If is specified and the + restart command succeeds, then the remote + Shorewall6-lite configuration is saved by executing + shorewall6-lite save via ssh. + + if is included, the command + shorewall6-lite show capabilities -f > + /var/lib/shorewall6-lite/capabilities is executed via ssh + then the generated file is copied to directory + using scp. This step is performed before the configuration is + compiled. + + If is included, it specifies that the root + user on system is named + root-user-name rather than "root". + + The option was added in Shorewall 4.5.3 + and causes a Perl stack trace to be included with each + compiler-generated error and warning message. + + The option was added in Shorewall 4.6.0 + and causes a warning message to be issued if the current line + contains alternative input specifications following a semicolon + (";"). 
Such lines will be handled incorrectly if INLINE_MATCHES is + set to Yes in shorewall6.conf(5). + + + + + remote_ restart + [-] [-] + [- root-user-name] + [-] [-] [ + directory ] + system + + + This command was renamed from reload in + Shorewall 5.0.0. + If directory is omitted, the current working directory is assumed. Allows a non-root user to compile a shorewall6 script and install it on a system (provided that the user 
@@ -1506,6 +1639,67 @@ + + remote_start + [-] [-] [- + root-user-name] [-] + [-] [ directory ] + system + + + This command was added in Shorewall 5.0.0. + + If directory is omitted, the current + working directory is assumed. Allows a non-root user to compile a + shorewall6 script and install it on a system (provided that the user + has root access to the system via ssh). The command is equivalent + to: + + /sbin/shorewall6 compile -e directory directory/firewall &&\ + scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall6-lite/ &&\ + ssh root@system '/sbin/shorewall6-lite start' + + In other words, the configuration in the specified (or + defaulted) directory is compiled to a file called firewall in that + directory. If compilation succeeds, then firewall is copied to + system using scp. If the copy succeeds, + Shorewall6 Lite on system is started via + ssh. + + If is specified and the start command succeeds, then the remote + Shorewall6-lite configuration is saved by executing + shorewall6-lite save via ssh. + + if is included, the command + shorewall6-lite show capabilities -f > + /var/lib/shorewall6-lite/capabilities is executed via ssh + then the generated file is copied to + directory using scp. This step is + performed before the configuration is compiled. + + If is included, it specifies that the root + user on system is named + root-user-name rather than "root". + + The option was added in Shorewall 4.5.3 + and causes a Perl stack trace to be included with each + compiler-generated error and warning message. + + The option was added in Shorewall 4.6.0 + and causes a warning message to be issued if the current line + contains alternative input specifications following a semicolon + (";"). Such lines will be handled incorrectly if INLINE_MATCHES is + set to Yes in shorewall6.conf(5). + + + reset [chain, ...] 
@@ -1525,12 +1719,14 @@ [-] [ directory ] - Restart is similar to shorewall6 start - except that it assumes that the firewall is already started. - Existing connections are maintained. If a - directory is included in the command, - Shorewall6 will look in that directory first - for configuration files. + Beginning with Shorewall 5.0.0, this command performs a true + restart. The firewall is completely stopped as if a + stop command had been issued then it is started + again. + + If a directory is included in the + command, Shorewall6 will look in that directory + first for configuration files. The option causes Shorewall6 to avoid updating the routing table(s).