On 2/8/2018 6:46 PM, Tom Eastep wrote:
> On 02/08/2018 08:45 AM, Matt Darfeuille wrote:
>> On 2/8/2018 5:17 PM, Tom Eastep wrote:
>>> On 02/08/2018 04:20 AM, Matt Darfeuille wrote:
>>>> Hi,
>>>>
>>>> From:
>>>>
>>>> http://shorewall.org/manpages/shorewall.html
>>>>
>>>> "Reload is similar to shorewall start except that it assumes that the
>>>> firewall is already started. Existing connections are maintained."
>>>>
>>>> If I do 'shorewall stop' followed by 'shorewall reload' the firewall
>>>> will be started:
>>>>
>>>> $ shorewall status
>>>> Shorewall-5.1.12-RC1 Status ...
>>>>
>>>> Shorewall is running
>>>> State:Started ... from /etc/shorewall/ (/var/lib/shorewall/firewall
>>>> compiled ... by Shorewall version 5.1.12-RC1)
>>>>
>>>> $ shorewall stop
>>>> Stopping Shorewall....
>>>> Preparing iptables-restore input...
>>>> Running /sbin/iptables-restore...
>>>> done.
>>>> $ shorewall status
>>>> Shorewall-5.1.12-RC1 Status ...
>>>>
>>>> Shorewall is stopped
>>>> State:Stopped ... (/var/lib/shorewall/firewall compiled ... by Shorewall
>>>> version 5.1.12-RC1)
>>>>
>>>> $ shorewall reload
>>>>    Shorewall is not running
>>>> Starting Shorewall....
>>>> Initializing...
>>>> Setting up Route Filtering...
>>>> Setting up Martian Logging...
>>>> Preparing iptables-restore input...
>>>> Running /sbin/iptables-restore ...
>>>> done.
>>>>
>>>> My understanding is that 'shorewall reload' should only reload shorewall
>>>> when the state is 'started' or what Am I missing?
>>>>
>>>> In other words: why 'shorewall reload' starts the firewall when
>>>> shorewall is stopped?
>>>>
>>> The generated script interprets 'reload' and 'restart' as 'start' when
>>> the firewall is not currently started.
>>>
>> Is there any way to alter this so that the generated script would not
>> unconditionally start the firewall?
>> If no and if it makes sense could something to that effect be implemented?
>>
>> -Matt
> 
> Because Shorewall is not a daemon, its state at any point in time is
> rather nebulous. The Shorewall state is recorded in two ways:
> 
>  1. When the firewall is started, a filter-table chain named 'Shorewall'
>     is created. When the firewall is stopped, that chain is deleted.
>     That is what the CLI uses to determine if Shorewall is started or not.
>  2. $VARDIR/state records the last state transition performed by Shorewall.
> 
> 
> Of course, neither of these measures is even close to being foolproof
> because they can be altered by simple administrative commands.
> 
> For instance:
> 
> root@Asus:~# shorewall status
> Shorewall-5.2.0-Beta1 Status at Asus - Thu Feb  8 09:32:32 PST 2018
> 
> Shorewall is running
> State:Started Mon Feb  5 14:01:21 PST 2018 from /etc/shorewall/ 
> (/var/lib/shorewall/firewall compiled Fri Feb 2 14:28:46 PST 2018 by 
> Shorewall version 5.2.0-Beta1)
> 
> root@Asus:~# iptables -F shorewall
> root@Asus:~# iptables -X shorewall
> root@Asus:~# shorewall status
> Shorewall-5.2.0-Beta1 Status at Asus - Thu Feb  8 09:32:46 PST 2018
> 
> Shorewall is stopped
> State:Started Mon Feb  5 14:01:21 PST 2018 from /etc/shorewall/ 
> (/var/lib/shorewall/firewall compiled Fri Feb 2 14:28:46 PST 2018 by 
> Shorewall version 5.2.0-Beta1)
> 
> root@Asus:~# 
> 
> With the system in this state, should we really be so pedantic as to
> insist that 'start' be used rather than 'reload'?
> 
> Note that when RESTART=restart, the 'restart' command is fundamentally
> 'shorewall stop && shorewall start'; should 'restart' be denied in the
> above situation?
> 
> One thing is certain -- 'stop' and 'clear' must be allowed regardless of
> whether the Shorewall chain exists or not. And given that requirement, I
> don't think that we should quibble about when 'restart' and 'reload' are
> allowable commands.
> 

It's always interesting to learn how Shorewall works!
Given your explanation it clearly makes no sense to nitpick about this.
The reason why I was asking is that my interface is configured by DHCP.
My understanding is that shorewall should be reloaded when a new lease
is acquired?
Based on that assumption I have a script in
/etc/dhcp/dhclient-exit-hooks.d that will reload shorewall when the
'reason' is 'BOUND' and I was simply looking for a way to only reload
shorewall when it is already started.
Thanks for your answer and I'm looking forward to 5.2.

-Matt
-- 
Matt Darfeuille

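As an added example (not from the original thread and not Shorewall's or dhclient's own code): a dhclient exit hook of the kind Matt describes, written so that it reloads only when Shorewall is already started. Rather than trusting $VARDIR/state, it applies the same test Tom says the CLI uses, the presence of the filter-table chain (spelled `shorewall` in the iptables commands quoted above), so a stopped firewall is never started as a side effect of a DHCP lease. The hook file name, the paths /sbin/shorewall and /sbin/iptables, and the decision to act only on reason BOUND are assumptions about the local setup; the `$reason` variable is what dhclient-script sets before sourcing the hooks.

```shell
#!/bin/sh
# /etc/dhcp/dhclient-exit-hooks.d/shorewall   (file name is an assumption)
#
# dhclient-script sources every file in dhclient-exit-hooks.d with $reason set
# to BOUND, RENEW, REBIND, RELEASE, ... Because the hook is *sourced*, it must
# not call exit or set -e: that would abort dhclient-script itself.
#
# Policy: reload Shorewall on a new lease (BOUND) only if Shorewall is started.
# "Started" is decided the way the Shorewall CLI decides it: does the filter
# table contain a chain named 'shorewall'?  $VARDIR/state is deliberately not
# consulted, since it can lag behind manual iptables changes.

SHOREWALL=${SHOREWALL:-/sbin/shorewall}   # assumed path, overridable for testing
IPTABLES=${IPTABLES:-/sbin/iptables}      # assumed path, overridable for testing

# Return 0 (true) when the 'shorewall' chain exists in the filter table.
# 'iptables -nL <chain>' exits non-zero if the chain does not exist.
shorewall_started() {
    "$IPTABLES" -t filter -nL shorewall >/dev/null 2>&1
}

# Print the action this hook should take for a dhclient reason: "reload" or "skip".
#   $1 = value of dhclient's $reason
shorewall_action() {
    case "$1" in
        BOUND)
            # New lease acquired; reload only if the firewall is actually up.
            if shorewall_started; then
                echo reload
            else
                echo skip
            fi
            ;;
        *)
            # RENEW/REBIND keep the same address; RELEASE/EXPIRE tear it down.
            echo skip
            ;;
    esac
}

# Entry point when sourced by dhclient-script ($reason is set).  When the file
# is executed directly for testing, $reason is empty and nothing happens.
if [ -n "${reason:-}" ] && [ "$(shorewall_action "$reason")" = reload ]; then
    "$SHOREWALL" reload >/dev/null 2>&1 \
        || logger -t dhclient-shorewall "shorewall reload failed (reason=$reason)"
fi
```

The check is the same one `shorewall status` performs, so the hook agrees with the CLI even after someone has run `iptables -X shorewall` by hand: in that situation the hook skips, exactly as a `reload` would otherwise have silently turned into a `start`.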
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
