Fix NULL_ROUTE_RFC1918=Yes

Shorewall/Perl/Shorewall/Providers.pm

@@ -648,8 +648,10 @@ sub add_an_rtrule( ) {
 sub setup_null_routing() {
     save_progress_message "Null Routing the RFC 1918 subnets";
     for ( rfc1918_networks ) {
-	emit( qq(run_ip route replace unreachable $_) );
+	emit( qq(if ! \$IP -4 route ls | grep -q '^$_.* dev '; then),
-	emit( qq(echo "qt \$IP -$family route del unreachable $_" >> \${VARDIR}/undo_routing) );
+	      qq(    run_ip route replace unreachable $_),
+	      qq(    echo "qt \$IP -4 route del unreachable $_" >> \${VARDIR}/undo_routing),
+	      qq(fi\n) );
     }
 }
 

Shorewall/changelog.txt

@@ -4,6 +4,8 @@ Changes in Shorewall 4.4.15
 
 2)  Modernize handling of the params file.
 
+3)  Fix NULL_ROUTE_RFC1918
+
 Changes in Shorewall 4.4.14
 
 1)  Support ipset lists.

Shorewall/releasenotes.txt

@@ -17,6 +17,11 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 1)  If the variable VERBOSE was exported with a non-zero value then
     startup would fail.
 
+2)  If a route exists for an entire RFC1918 network (10.0.0.0/24,
+    172.20.0.0/12 or 192.168.0.0/16) then setting
+    NULL_ROUTE_RFC1918=Yes would cause the route to replace with a
+    'unreachable' one.
+
 ----------------------------------------------------------------------------
            I I.  K N O W N   P R O B L E M S   R E M A I N I N G
 ----------------------------------------------------------------------------