On Sun, 11 Oct 2015 10:55:44 +0100 Dominic Benson <[email protected]> wrote:
> > I am against this change. I vote for a change for this. Nobody
> > expects firewall restart to stop traffic - ever.
>
> I don’t think that this follows; with this change ‘reload’ does The
> Right Thing, and that is consistent with almost everything else. The
> restart action on a nameserver, webserver, database etc. would be
> expected to drop requests during the restart. Similarly a restart of
> a hardware firewall would drop traffic whereas a config commit
> wouldn’t.

That's very different. You think about one server situation. But as a
firewall/router that means all traffic routed will be halted and then
re-enabled, all natted connections are lost etc during restart. That is
NOT expected to happen during firewall restart.

There was a very big feature called shorewall-perl which was especially
for not to drop all traffic during restart - I'm very much against
crippling shorewall this way by introducing restart which by default
interrupts traffic.

My first suggestion was bad but I suggest config option for
shorewall.conf

RESTART=restart|reload

where reload is the default. Especially naming proper behaviour
LEGACY_RESTART is not a good idea.

-- 
Tuomo Soini <[email protected]>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
