Brian J. Murrell wrote:
> On Thu, 2009-02-05 at 08:09 -0500, Brian J. Murrell wrote:
>> From my look at the restore script created by shorewall 4.0.12 and
>> shorewall-lite 4.0.8 I'm wondering why I don't see anything that would
>> enable /proc/sys/net/ipv4/ip_forward for the "restore" code-path.
>>
>> It would seem in define_firewall() that
>> "echo 1 > /proc/sys/net/ipv4/ip_forward" is done if $COMMAND is anything
>> other than restore however.
>>
>> Is there something about the restore case that should not enable
>> ip_forward if shorewall.conf has IP_FORWARDING=On?
>
> In fact, perhaps I am misunderstanding the point of "shorewall restore".
> It would seem there are a number of things that [ $COMMAND = restore ]
> does not do that are done otherwise. Things like:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
Again -- that bug is unique to the version of Shorewall-perl that you
are running.
>
> run_{refreshed|start}_exit
>
> run_started_exit
>
> And in fact this is explaining why I am finding my actions
> in /etc/shorewall/start are not always being run.
>
You are correct. Those user exits are not executed when the command is
'restore'. The scripts are intended to allow modification of the
Netfilter ruleset after Shorewall has completed its configuration. Such
changes would have already been applied in the case of restore. So they
are not executed for 'restore'.
> I guess I was under the impression that "shorewall restore" was suitable
> to run from an initscript to quickly bring a previously saved instance
> of shorewall up -- i.e. without having to do all the rule
> building/compilation and whatnot. I'm pretty sure I even remember
> seeing it used that way in a provided initscript (from a linux distro
> probably).
>
> It would seem this is not the case however. Did it used to be at one
> time and I'm just not keeping up with the times?
The default used to be to use the "-f" option which ends up doing a
'restore' if the compiled script hadn't been replaced since the last
'save'. With Shorewall-perl, there is no noticeable difference in the
speed of 'start' and 'restore' so we've changed the init script to
simply do a 'start'.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
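
A post-`restore` consistency check for the forwarding issue discussed in this thread, as an added example that is not part of the original messages and is not Shorewall code. The function names and the default configuration path are assumptions; the check compares the IP_FORWARDING setting in shorewall.conf (On, Off or Keep) with the kernel flag in /proc/sys/net/ipv4/ip_forward.

```shell
#!/bin/sh
# Added example (not Shorewall code): verify that the kernel forwarding flag
# matches shorewall.conf, e.g. after "shorewall restore" from an init script.
# Both paths are parameters so the check can be run against constructed files.

# Print the IP_FORWARDING value from a shorewall.conf-style file, lowercased.
# Commented-out lines are ignored; the last assignment wins.
conf_ip_forwarding() {
    sed -n 's/^[[:space:]]*IP_FORWARDING=//p' "$1" |
        tail -n 1 | sed 's/[[:space:]]*#.*$//' | tr -d "\"'" | tr 'A-Z' 'a-z'
}

# Return 0 if consistent, 1 on mismatch, 2 if the setting cannot be evaluated.
check_forwarding() {
    conf=${1:-/etc/shorewall/shorewall.conf}   # assumed default location
    proc=${2:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$conf" ] && [ -r "$proc" ] || {
        echo "unreadable: $conf or $proc" >&2
        return 2
    }
    want=$(conf_ip_forwarding "$conf")
    have=$(tr -d '[:space:]' < "$proc")
    case "$want" in
        on)   expect=1 ;;
        off)  expect=0 ;;
        keep) return 0 ;;   # Keep: the flag is left alone, nothing to compare
        *)    echo "IP_FORWARDING unset or unrecognised: '$want'" >&2
              return 2 ;;   # not evaluated by this example
    esac
    if [ "$have" = "$expect" ]; then
        return 0
    fi
    echo "ip_forward is $have but IP_FORWARDING=$want expects $expect" >&2
    return 1
}
```

For shorewall-lite, pass that product's configuration file as the first argument; a return value of 1 means the running kernel state does not match the configured policy.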
