Why shorewall restart is not a real restart, but a reload

just for fun

[root@prometheus ~]# shorewall restart > shorewall_restart
[root@prometheus ~]# shorewall reload > shorewall_reload

[root@prometheus ~]# sdiff -s shorewall_reload shorewall_restart
Shorewall configuration compiled to /var/lib/shorewall/.reloa |	Shorewall configuration compiled to /var/lib/shorewall/.resta

As you can see, the diff of the two files is similar; reload and restart are the same command (except for the compilation path).

[root@prometheus ~]# cat  shorewall_restart
Compiling using Shorewall 5.1.10.2...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Compiling /etc/shorewall/hosts...
Determining Hosts in Zones...
Locating Action Files...
Compiling /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Adding Anti-smurf Rules
Adding rules for DHCP
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling /etc/shorewall/snat...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/blrules...
Compiling /etc/shorewall/rules...
Compiling /etc/shorewall/conntrack...
Compiling /etc/shorewall/tunnels...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Compiling /etc/shorewall/mangle...
Generating Rule Matrix...
Optimizing Ruleset...
Creating iptables-restore input...
Compiling /etc/shorewall/stoppedrules...
Shorewall configuration compiled to /var/lib/shorewall/.restart
Reloading Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Processing /etc/shorewall/tcclear ...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Proxy ARP...
Setting up Traffic Control...
Processing /etc/shorewall/tcstart ...
Preparing iptables-restore input...
Running /sbin/iptables-restore --wait 60...
IPv4 Forwarding Enabled
Processing /etc/shorewall/start ...
Processing /etc/shorewall/started ...
done.

The best evidence that shorewall restart is not a real restart is that /etc/shorewall/stopped is not triggered; this script is launched at the end of the service stop.

I say that because firewall-adjust uses /etc/e-smith/events/actions/nethserver-shorewall-restart with shorewall restart, and it does not destroy the ipset sets because shorewall is not stopped properly; in fact it is reloaded.

As a comparison, when you use systemctl restart shorewall, it does a stop, then a start; the ipset sets are destroyed, then recreated.

I am working to increase the hash file size, and I cannot do it because shorewall still uses the set.

Two possibilities:

  • create my own action with nethserver-fail2ban-save to restart shorewall with systemctl

  • modify the action nethserver-shorewall-restart to use systemctl to restart shorewall

    -$message = qx(/usr/sbin/shorewall $action 2>&1);
    +$message = qx(systemctl $action shorewall 2>&1);
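Review bot: `$action` is interpolated unchanged into the `+` line, so any value that is a shorewall verb but not a systemctl verb (the thread itself mentions `shorewall refresh`; there is no `systemctl refresh`) will now fail where it used to work; either map the shorewall actions onto systemctl's start/stop/restart/reload before building the command, or limit the change to the `restart` case. Nothing in the hunk checks `$?` after the `qx(...)` either, so the caller only sees `$message` and cannot tell whether the restart actually succeeded.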
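A small added check for the argument made in this post (example code, not from the original post and not part of NethServer or Shorewall): it scans captured shorewall output for the `Processing /etc/shorewall/<hook> ...` lines and reports whether a stop phase ran, which is the signal used above to tell a reload from a real restart. The first sample is the tail of the `shorewall restart` output quoted above; the second is constructed to follow the same line pattern for a stop followed by a start, because the post does not include systemctl output, so the `stop`/`stopped` lines are an assumption about the format.

```shell
#!/bin/sh
# Added example, not from the original post: classify shorewall command
# output by the hook scripts it reports running. Only the
# "Processing /etc/shorewall/<hook> ..." line format from the post is relied on.

# Hook scripts that only run during a stop. Seeing one means the ruleset
# was really torn down (and the ipsets it referenced released).
STOP_HOOKS="stop stopped"

# Print the hook names found in the log (file argument or stdin), one per line.
shorewall_hooks() {
    sed -n 's|^Processing /etc/shorewall/\([a-z]*\) \.\.\.$|\1|p' "$@"
}

# Exit 0 if the log shows a stop phase (real restart), 1 if it is a reload only.
had_stop_phase() {
    for hook in $(shorewall_hooks "$@"); do
        for stop in $STOP_HOOKS; do
            [ "$hook" = "$stop" ] && return 0
        done
    done
    return 1
}

# Human-readable verdict for a log passed as a string.
classify() {
    if printf '%s\n' "$1" | had_stop_phase; then
        echo "real restart (stop hooks ran)"
    else
        echo "reload only (no stop phase)"
    fi
}

# Sample 1: tail of the "shorewall restart" output quoted in the post.
RESTART_LOG=$(cat <<'EOF'
Reloading Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Processing /etc/shorewall/tcclear ...
Processing /etc/shorewall/tcstart ...
Running /sbin/iptables-restore --wait 60...
Processing /etc/shorewall/start ...
Processing /etc/shorewall/started ...
done.
EOF
)

# Sample 2: CONSTRUCTED output of a stop followed by a start (what
# "systemctl restart shorewall" does), written in the same line pattern.
# Not captured from a real system; the stop/stopped lines are an assumption.
SYSTEMCTL_LOG=$(cat <<'EOF'
Stopping Shorewall....
Processing /etc/shorewall/stop ...
Processing /etc/shorewall/stopped ...
done.
Starting Shorewall....
Processing /etc/shorewall/init ...
Processing /etc/shorewall/start ...
Processing /etc/shorewall/started ...
done.
EOF
)

classify "$RESTART_LOG"    # reload only (no stop phase)
classify "$SYSTEMCTL_LOG"  # real restart (stop hooks ran)
```

To use it on a live box, redirect the command output to a file as the post does (`shorewall restart > shorewall_restart`) and run `had_stop_phase shorewall_restart`; a non-zero exit means the ipsets were never released, so a hashsize change will still be refused.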

From the shorewall docs, shorewall refresh should work for reconfiguring blacklists.

shorewall refresh | Reloads rules dealing with static blacklisting, traffic control and ECN.

4 Likes