From 0602b619bd0e5b6eacffe7e862054079015077d5 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Tue, 9 Nov 2010 15:20:23 -0800
Subject: [PATCH] Fix NULL_ROUTE_RFC1918=Yes
---
 Shorewall/Perl/Shorewall/Providers.pm | 6 ++++--
 Shorewall/changelog.txt | 2 ++
 Shorewall/releasenotes.txt | 5 +++++
 3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index 7960cfe57..db5588bb6 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -648,8 +648,10 @@ sub add_an_rtrule( ) {
 sub setup_null_routing() {
 save_progress_message "Null Routing the RFC 1918 subnets";
 for ( rfc1918_networks ) {
- emit( qq(run_ip route replace unreachable $_) );
- emit( qq(echo "qt \$IP -$family route del unreachable $_" >> \${VARDIR}/undo_routing) );
+ emit( qq(if ! \$IP -4 route ls | grep -q '^$_.* dev '; then),
+ qq( run_ip route replace unreachable $_),
+ qq( echo "qt \$IP -4 route del unreachable $_" >> \${VARDIR}/undo_routing),
+ qq(fi\n) );
 }
 }
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 25e5377ce..6539ac9af 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -4,6 +4,8 @@ Changes in Shorewall 4.4.15
 2) Modernize handling of the params file.
+3) Fix NULL_ROUTE_RFC1918
+
 Changes in Shorewall 4.4.14
 1) Support ipset lists.
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index dd3b0c6ed..1440a6753 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
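Review bot: In the Providers.pm hunk, the new guard `if ! \$IP -4 route ls | grep -q '^$_.* dev '` interpolates the network into the grep pattern unescaped, so every `.` matches any character and the test depends on the text layout of `ip route ls`. Asking iproute2 for the prefix directly would be tighter, e.g. `qq(if ! \$IP -4 route ls exact $_ | grep -q ' dev '; then),`. The guard also appears to consult only the main table at the moment the generated script runs, and it skips the unreachable route without any message; if that device route is later withdrawn, RFC 1918 traffic would presumably follow the default route with nothing recorded. An `else` branch in the emitted shell that reports the skipped network would make the lapse in null routing visible to the operator. The guard and the undo line now hard-code `-4` where the removed line used `-$family`; a one-line comment such as `# RFC 1918 is IPv4-only, so -4 is used regardless of $family` would document that this is intentional.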
@@ -17,6 +17,11 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES 1) If the variable VERBOSE was exported with a non-zero value then startup would fail. +2) If a route exists for an entire RFC1918 network (10.0.0.0/24, + 172.20.0.0/12 or 192.168.0.0/16) then setting + NULL_ROUTE_RFC1918=Yes would cause the route to replace with a + 'unreachable' one. + ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G ----------------------------------------------------------------------------