-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 3/4/20 6:30 PM, J Cliff Armstrong via Shorewall-users wrote: > > On 3/4/2020 5:53 PM, Tom Eastep wrote: >> Back in the days of SysV init, the /etc/default/shorewall file >> set a flag that told /etc/init.d/shorewall to do a 'clear' rather >> than a 'stop'. The file was shipped with flag set, but users >> could reset it if desired (at the risk of having update/upgrade >> issues). When we went to systemd, that was no longer feasible, so >> the shorewall.service file released with Debian has the >> following: >> >> ExecStop=/sbin/shorewall $OPTIONS clear >> >> Note that systemd does not support 'ExecRestart=...' in the >> .service file, but rather executes the 'ExecStop' command >> followed by the 'ExecStart' command. This obviously looses Docker >> rules. >> >> I won't be releasing any change regarding this issue until at >> least 5.2.4. In the mean time, you can avoid using 'systemctl >> restart shorewall' and use 'shorewall restart' instead. Or you >> can modify the above line in the .service file to read: >> >> ExecStop=/sbin/shorewall $OPTIONS stop >> >> followed by 'systemctl daemon-reload'. >> >> Note that this issue is independent of the 'iptables -L' issue in >> my prior post. Nevertheless, the attached patch *is* required to >> make the code work correctly otherwise. >> >> -Tom > > Sorry to butt in, but it's worth noting that Systemd has a feature > called "drop-in overrides" that can alleviate this inconsistency > for people for whom it's an issue. Instead of modifying the > shorewall.service file in `/lib/systemd/system/`, type (as root): > `systemctl edit shorewall.service`. This will open the default > terminal editor to a blank file in which you can paste the > following: > > [service] # reset ExecStop ExecStop= # set ExecStop to "stop" > instead of "clear" ExecStop=/sbin/shorewall $OPTIONS stop > > Then type `systemctl daemon-reload` to activate the changes. This > change will survive future updates of the shorewall package from > apt repositories. The override file itself will be saved to > `/etc/systemd/system/shorewall.service.d/`. >
Thanks, Cliff! - -Tom - -- Tom Eastep \ Q: What do you get when you cross a mobster Shoreline, \ with an international standard? Washington, USA \ A: Someone who makes you an offer you http://shorewall.org \ can't understand \________________________________________ -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQIzBAEBCgAdFiEEFNMNR63CLO6yqbL8luaz8kI6TRAFAl5gdcYACgkQluaz8kI6 TRBprw//T88GQHlgQ47WvG8dLzG3Fa0Rt4uUaR/tan6QMcZTpg0tHHz8p4rBC5z9 puPp544p7cDzevMIx4wSxZm6+lb4cZZGaWhkNip3ht73NC054kFPFDVVmF5bJ91F 2arzvAlTekIc2QHdd5yMRdpalJ0b0zRH38tbYwTha0t2yfxFSmUineJVLTlSQXKM V3+sDV4cN/aVwUF4+lDq8Uw2EfcNFQNRYAXKvvjdM3D4m4riHpeZYWvdtW8RHdjj NZijSmqkavZYfkKW7+d7c60Vu79ndRrotgQro725wiIPu30LxxcvTlrsYKnyjXv2 XzM1kIRAAsOUKt57rldWWgr9M4x2+VrQPf8fEsrBi3UpjIGHPH40oBmOQWJB+jyc HUeR4OzZYoQT+HxPNRDMN4SJxNhOZGLPglOZOHc3UB5HPyVRF/ZQtbZBCCpZKb7s nDlWfPiZKWUYI2IZ5qiTairfMJdhNiJUd9cROQ65sNoCmnxn5GdAr0NbM2EuBUyj 3eEQFvUFLOYrOht59/tpGa4gs1gqcLzETiMoCYU3QW/+/4NF2z9GlAoOVc1JWVHL ZZ86mLRY874sSMkvxudrqCICZuIftvVmu5tj7waTcOh/7mH3tEEJo3hEnDdIWrmb 48U2eWm44Yg2pIk2WyRseRZxNrrJMDz+j/Yx75XE71ft7/7FYyg= =XCw6 -----END PGP SIGNATURE----- _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
