just for fun
[root@prometheus ~]# shorewall restart > shorewall_restart
[root@prometheus ~]# shorewall reload > shorewall_reload
[root@prometheus ~]# sdiff -s shorewall_reload shorewall_restart
Shorewall configuration compiled to /var/lib/shorewall/.reloa | Shorewall configuration compiled to /var/lib/shorewall/.resta
As you can see from the diff of the two files, reload and restart are the same command (except for the compilation path).
[root@prometheus ~]# cat shorewall_restart
Compiling using Shorewall 5.1.10.2...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Compiling /etc/shorewall/hosts...
Determining Hosts in Zones...
Locating Action Files...
Compiling /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Adding Anti-smurf Rules
Adding rules for DHCP
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling /etc/shorewall/snat...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/blrules...
Compiling /etc/shorewall/rules...
Compiling /etc/shorewall/conntrack...
Compiling /etc/shorewall/tunnels...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Compiling /etc/shorewall/mangle...
Generating Rule Matrix...
Optimizing Ruleset...
Creating iptables-restore input...
Compiling /etc/shorewall/stoppedrules...
Shorewall configuration compiled to /var/lib/shorewall/.restart
Reloading Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Processing /etc/shorewall/tcclear ...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Proxy ARP...
Setting up Traffic Control...
Processing /etc/shorewall/tcstart ...
Preparing iptables-restore input...
Running /sbin/iptables-restore --wait 60...
IPv4 Forwarding Enabled
Processing /etc/shorewall/start ...
Processing /etc/shorewall/started ...
done.
The best evidence that shorewall restart is not a real restart is that /etc/shorewall/stopped is not triggered; this script is launched at the end of the service stop.
I say that because firewall-adjust uses /etc/e-smith/events/actions/nethserver-shorewall-restart with shorewall restart, and it does not destroy the ipsets because shorewall is not stopped properly but in fact reloaded.
As a comparison, when you use systemctl restart shorewall, it does a stop, then a start; the ipsets are destroyed and then recreated.
I am working to increase the hash file size, and I cannot do it because shorewall still uses the set.
Two possibilities:

- create my own action with nethserver-fail2ban-save to restart shorewall with systemctl
- modify the action nethserver-shorewall-restart to use systemctl to restart shorewall

-$message = qx(/usr/sbin/shorewall $action 2>&1);
+$message = qx(systemctl $action shorewall 2>&1);
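Review bot: this one-line substitution changes the behaviour for every caller of nethserver-shorewall-restart, not only the fail2ban case: as observed above, `systemctl restart shorewall` does a stop and a start, so all ipsets are destroyed and recreated, while `shorewall restart` only reloads and keeps them; any other event that invokes this action (firewall-adjust is named above) would now drop its sets too. The `$action` value is also interpolated unvalidated into qx() in both the old and the new line, and shorewall verbs and systemctl verbs do not map one-to-one, so the accepted values of `$action` should be checked (whitelisted) before the call rather than passed straight through to the shell.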
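Since the blocker above is that a set cannot be recreated with a new hashsize while the firewall still holds it, here is a small POSIX shell check, added here and not part of the original post, that reads `iptables-save` and `ipset list -t` output and reports whether a named set is still referenced and what hashsize it currently has. The set names and the saved output below are constructed sample data, not taken from the poster's system.

```shell
# Added example, not code from the original post: decide from saved firewall
# state whether an ipset can be recreated with a new hashsize. A set that is
# still matched by a rule (--match-set) or that the kernel reports as
# referenced cannot be destroyed, which is the situation described above.
# Sample data is constructed; on a live host use `iptables-save` and `ipset list -t`.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -m set --match-set f2b-sshd src -j DROP
-A INPUT -m set --match-set f2b-nginx src,dst -j DROP
COMMIT'

SAMPLE_SETS='Name: f2b-sshd
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536
References: 1

Name: f2b-nginx
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536
References: 1

Name: f2b-old
Type: hash:ip
Header: family inet hashsize 4096 maxelem 65536
References: 0'

# referenced_sets RULES: names used by --match-set, sorted, one per line
referenced_sets() {
    printf '%s\n' "$1" | sed -n 's/.*--match-set \([^ ]*\).*/\1/p' | sort -u
}

# set_field SETS NAME KEY: print the value of KEY ("hashsize", "References")
# for set NAME from `ipset list -t` output
set_field() {
    printf '%s\n' "$1" | awk -v n="$2" -v k="$3" '
        $1 == "Name:" { cur = $2 }
        cur == n && $1 == k ":" { print $2 }   # "References: N" style line
        cur == n && $1 == "Header:" { for (i = 2; i < NF; i++) if ($i == k) print $(i+1) }'
}

# can_resize SETS RULES NAME: succeed only if no rule and no kernel reference
# still holds the set, i.e. it may be destroyed and recreated
can_resize() {
    referenced_sets "$2" | grep -qx "$3" && return 1
    [ "$(set_field "$1" "$3" References)" = "0" ]
}
```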