Invoke 'routestopped' rules during [re]start

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2005 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-23 16:13:18 +01:00 · 2005-03-15 21:02:11 +00:00 · 2005-03-15 21:02:11 +00:00 · 20355a6d24
commit 20355a6d24
parent f08532e194
3 changed files with 91 additions and 45 deletions
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@ -2,6 +2,8 @@ Changes in 2.2.3

 1) Added the 'continue' extension script.

+2) Obey 'routestopped' rules during [re]start.
+
 Changes in 2.2.2

 1) The 'check' command disclaimer is toned down further and only
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -1390,6 +1390,58 @@ disable_ipv6_1() {
    fi
 }

+#
+# Process the routestopped file either adding or deleting rules
+#
+
+process_routestopped() # $1 = command
+{
+    local hosts= interface host host1 options networks
+
+    while read interface host options; do
+	expandv interface host options
+	[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
+	for h in $(separate_list $host); do
+	    hosts="$hosts $interface:$h"
+	done
+
+	routeback=
+
+	if [ -n "$options" ]; then
+	    for option in $(separate_list $options); do
+		case $option in
+		    routeback)
+			if [ -n "$routeback" ]; then
+			    error_message "Warning: Duplicate routestopped option ignored: routeback"
+			else
+			    routeback=Yes
+			    for h in $(separate_list $host); do
+				run_iptables $1 FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
+			    done
+			fi
+			;;
+		    *)
+			error_message "Warning: Unknown routestopped option ignored: $option"
+			;;
+		esac
+	    done
+	fi
+		    
+    done < $TMP_DIR/routestopped
+
+    for host in $hosts; do
+	interface=${host%:*}
+	networks=${host#*:}
+	$IPTABLES $1 INPUT  -i $interface $(source_ip_range $networks) -j ACCEPT
+	[ -z "$ADMINISABSENTMINDED" ] && \
+	    run_iptables $1 OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
+
+	for host1 in $hosts; do
+	    [ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
+	done
+    done
+}
+
 #
 # Stop the Firewall
 #
@ -1465,50 +1517,9 @@ stop_firewall() {

    hosts=

-    strip_file routestopped
+    [ -f $TMP_DIR/routestopped ] || strip_file routestopped

-    while read interface host options; do
-	expandv interface host options
-	[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
-	for h in $(separate_list $host); do
-	    hosts="$hosts $interface:$h"
-	done
-
-	routeback=
-
-	if [ -n "$options" ]; then
-	    for option in $(separate_list $options); do
-		case $option in
-		    routeback)
-			if [ -n "$routeback" ]; then
-			    error_message "Warning: Duplicate option ignored: routeback"
-			else
-			    routeback=Yes
-			    for h in $(separate_list $host); do
-				$IPTABLES -A FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
-			    done
-			fi
-			;;
-		    *)
-			error_message "Warning: Unknown option ignored: $option"
-			;;
-		esac
-	    done
-	fi
-		    
-    done < $TMP_DIR/routestopped
-
-    for host in $hosts; do
-	interface=${host%:*}
-	networks=${host#*:}
-	$IPTABLES -A INPUT  -i $interface $(source_ip_range $networks) -j ACCEPT
-	[ -z "$ADMINISABSENTMINDED" ] && \
-	    $IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
-
-	for host1 in $hosts; do
-	    [ "$host" != "$host1" ] && $IPTABLES -A FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
-	done
-    done
+    process_routestopped -A

    $IPTABLES -A INPUT  -i lo -j ACCEPT
    [ -z "$ADMINISABSENTMINDED" ] && \
@ -5723,6 +5734,14 @@ initialize_netfilter () {

    run_user_exit continue

+    f=$(find_file routestopped)
+
+    echo "Processing $f ..."
+
+    strip_file routestopped $f
+
+    process_routestopped -A
+
    [ -n "$DISABLE_IPV6" ] && disable_ipv6

    #
@ -6580,6 +6599,8 @@ activate_rules()
 	run_iptables -D $chain -p udp --dport 53 -j ACCEPT
    done
 
+    process_routestopped -D
+
    if [ -n "$LOGALLNEW" ]; then
 	for table in mangle nat filter; do
 	    case $table in
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@ -2,6 +2,8 @@ Shorewall 2.2.3

 -----------------------------------------------------------------------
 Problems corrected in version 2.2.3
+
+None.
 -----------------------------------------------------------------------
 New Features in version 2.2.3

@ -13,6 +15,27 @@ New Features in version 2.2.3
   It is useful for enabling certain communication while Shorewall is
   being [re]started. Be sure to delete any rules that you add here in
   your /etc/shorewall/start file.
+
+2) There has been ongoing confusion about how the
+   /etc/shorewall/routestopped file works. People understand how it
+   works with the 'shorewall stop' command but when they read that
+   'shorewall restart' is logically equivalent to 'shorewall stop'
+   followed by 'shorewall start' then they erroneously conclude that
+   /etc/shorewall/routestopped can be used to enable new connections
+   during 'shorewall restart'. Up to now, it cannot -- that file is not
+   processed during either 'shorewall start' or 'shorewall restart'.
+
+   Beginning with Shorewall version 2.2.3, /etc/shorewall/routestopped
+   will be processed TWICE during 'shorewall start' and during
+   'shorewall restart'. It will be processed to add rules allowing new
+   connections during the 'start/restart' and it will be processed
+   again when the 'start/restart' is complete to remove the rules added
+   earlier.
+
+   The result of this change will be that during most of [re]start, new
+   connections will be allowed in accordance with the contents of
+   /etc/shorewall/routestopped.
+
 -----------------------------------------------------------------------
 Problems corrected in version 2.2.2