On 10/11/2015 11:19 AM, Tuomo Soini wrote:
> On Sun, 11 Oct 2015 10:55:44 +0100
> Dominic Benson <[email protected]> wrote:
>
>>> I am against this change. I vote for a change for this. Nobody
>>> expects firewall restart to stop traffic - ever.
>>
>> I don’t think that this follows; with this change ‘reload’ does The
>> Right Thing, and that is consistent with almost everything else. The
>> restart action on a nameserver, webserver, database etc. would be
>> expected to drop requests during the restart. Similarly a restart of
>> a hardware firewall would drop traffic whereas a config commit
>> wouldn’t.
>
> That's very different. You think about one server situation. But as a
> firewall/router that means all traffic routed will be halted and then
> re-enabled, all natted connections are lost etc during restart. That is
> NOT expected to happen during firewall restart.

If ADMINISABSENTMINDED=Yes (the default), it isn't quite that bad. The
only reason that connections would be severed would be if they got a
'no route to host' error.

>
> There was a very big feature called shorewall-perl which was especially
> for not to drop all traffic during restart - I'm very much against
> crippling shorewall this way by introducing restart which by default
> interrupts traffic.

Again, it doesn't necessarily interrupt traffic.

>
> My first suggestion was bad but I suggest config option for
> shorewall.conf RESTART=restart|reload where reload is the default.
>
> Especially naming proper behaviour LEGACY_RESTART is not a good idea.
>

I'm happy to change the name. Wish we would have had this exchange when
the feature was introduced in Beta 1, though...

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
