Add RESTORE_ROUTING option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4761 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/compiler

@@ -5135,6 +5135,7 @@ __EOF__
     LOGLIMIT="$LOGLIMIT"
     LOGTAGONLY="$LOGTAGONLY"
     LOGRULENUMBERS="$LOGRULENUMBERS"
+    RESTORE_ROUTING="$RESTORE_ROUTING"
 __EOF__
 
     if [ -n "$LOGFORMAT" ]; then

Shorewall/lib.base

@@ -1286,38 +1286,41 @@ get_device_mtu() # $1 = device
 # Undo changes to routing
 #
 undo_routing() {
-    #
-    # Restore rt_tables database
-    #
-    if [ -f ${VARDIR}/rt_tables ]; then
-	cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
-	rm -f ${VARDIR}/rt_tables
-    fi
-    #
-    # Restore the default route
-    #
-    if [ -f ${VARDIR}/default_route ]; then
-	local default_route="$(sed 's/\n/ /' ${VARDIR}/default_route)"
     
-	case "$default_route" in
-	    default*default)
-		default_route="${default_route%% default*}"
-		;;
-	esac
+    if [ -n "$RESTORE_ROUTING" ]; then
+        #
+        # Restore rt_tables database
+        #
+	if [ -f ${VARDIR}/rt_tables ]; then
+	    cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
+	    rm -f ${VARDIR}/rt_tables
+	fi
+        #
+        # Restore the default route
+        #
+	if [ -f ${VARDIR}/default_route ]; then
+	    local default_route="$(sed 's/\n/ /' ${VARDIR}/default_route)"
 	    
-	qt ip route replace $default_route
+	    case "$default_route" in
+		default*default)
+		    default_route="${default_route%% default*}"
+		    ;;
+	    esac
 	    
-	progress_message "Default Route ($default_route) restored"
+	    qt ip route replace $default_route
 	    
-	rm -f ${VARDIR}/default_route
-    fi
-    #
-    # Restore the rest of the routing table
-    #
-    if [ -f ${VARDIR}/undo_routing ]; then
-	. ${VARDIR}/undo_routing
-	progress_message "Shorewall-generated routing tables and routing rules removed"
-	rm -f ${VARDIR}/undo_routing
+	    progress_message "Default Route ($default_route) restored"
+	    
+	    rm -f ${VARDIR}/default_route
+	fi
+        #
+        # Restore the rest of the routing table
+        #
+	if [ -f ${VARDIR}/undo_routing ]; then
+	    . ${VARDIR}/undo_routing
+	    progress_message "Shorewall-generated routing tables and routing rules removed"
+	    rm -f ${VARDIR}/undo_routing
+	fi
     fi
 }
 	

Shorewall/lib.config

@@ -1795,6 +1795,7 @@ do_initialize() {
     ACCEPT_DEFAULT=
     QUEUE_DEFAULT=
     OPTIMIZE=
+    RESTORE_ROUTING=
 
     LOGLIMIT=
     LOGPARMS=
@@ -2009,6 +2010,7 @@ do_initialize() {
     TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT)
     USE_ACTIONS=$(added_param_value_yes USE_ACTIONS $USE_ACTIONS)
     [ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes"
+    RESTORE_ROUTING=$(added_param_value_no RESTORE_ROUTING $RESTORE_ROUTING)
     
     [ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
     [ -n "$XMARK" ] || XCONNMARK=

Shorewall/lib.providers

@@ -124,7 +124,7 @@ __EOF__
 	save_command "qt ip route flush table $number"
 
 	indent >&3 << __EOF__
-echo "qt ip route flush table $number" >> \${VARDIR}/undo_routing
+[ -n "\$RESTORE_ROUTING" ] && echo "qt ip route flush table $number" >> \${VARDIR}/undo_routing
 __EOF__
 
 	if [ "x${duplicate:=-}" != x- ]; then
@@ -179,7 +179,7 @@ __EOF__
 	    indent >&3 << __EOF__
 qt ip rule del fwmark $mark
 run_ip rule add fwmark $mark pref $((10000 + $mark)) table $number
-echo "qt ip rule del fwmark $mark" >> \${VARDIR}/undo_routing
+[ -n "\$RESTORE_ROUTING" ] && echo "qt ip rule del fwmark $mark" >> \${VARDIR}/undo_routing
 __EOF__
 	fi
 
@@ -225,7 +225,7 @@ rulenum=0
 find_interface_addresses $interface | while read address; do
     qt ip rule del from \$address
     run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number
-    echo "qt ip rule del from \$address" >> \${VARDIR}/undo_routing
+    [ -n "\$RESTORE_ROUTING" ] && echo "qt ip rule del from \$address" >> \${VARDIR}/undo_routing
     rulenum=\$((\$rulenum + 1))
 done
 __EOF__
@@ -306,7 +306,7 @@ __EOF__
 	save_command "qt ip rule del $source $dest $priority"
 	save_command "run_ip rule add $source $dest $priority table $provider"
 	indent >&3 << __EOF__
- echo "qt ip rule del $source $dest $priority" >> \${VARDIR}/undo_routing
+[ -n "\$RESTORE_ROUTING" ] && echo "qt ip rule del $source $dest $priority" >> \${VARDIR}/undo_routing
 __EOF__
 	progress_message "Routing rule \"$rule\" $DONE"
     }
@@ -324,13 +324,15 @@ __EOF__
     save_command "if [ -z \"\$NOROUTES\" ]; then"
     INDENT="$INDENT    "
     indent >&3 << __EOF__
-#
-# Undo any changes made the last time that we [re]started
-#
-undo_routing
-cp /etc/iproute2/rt_tables \${VARDIR}/
-ip route ls | grep -E '^\s*(default |nexthop )' > \${VARDIR}/default_route
-> \${VARDIR}/undo_routing
+if [ -n "\$RESTORE_ROUTING" ]; then
+    #
+    # Undo any changes made the last time that we [re]started
+    #
+    undo_routing
+    cp /etc/iproute2/rt_tables \${VARDIR}/
+    ip route ls | grep -E '^\s*(default |nexthop )' > \${VARDIR}/default_route
+    > \${VARDIR}/undo_routing
+fi
 __EOF__
     save_progress_message "Adding Providers..."
     save_command "DEFAULT_ROUTE="

Shorewall/releasenotes.txt

@@ -153,17 +153,23 @@ Other Changes in 3.3.4.
 6)  Previously, Shorewall has not attempted to undo the changes it has
     made to the firewall's routing as a result of entries in
     /etc/shorewall/providers and /etc/shorewall/routes. Beginning with
-    this release, Shorewall will attempt to undo these changes.
+    this release, Shorewall will attempt to undo these changes if
+    RESTORE_ROUTING=Yes in /etc/shorewall/shorewall.conf.
 
-    If you use entries in /etc/shorewall/providers, you must exercise
-    care when installing this version of Shorewall in order to 
+    If you use entries in /etc/shorewall, you must exercise
+    care when first setting this option in order to 
     ensure that the firewall's routing be restored correctly.
 
-    When Shorewall starts or is restarted, it will capture the contents
-    of /etc/shorewall/rt_tables and will restore that database when
-    Shorewall is stopped or restarted. Similarly, the default route
-    will be captured the first time that you [re]start Shorewall using
-    this version.
+    When Shorewall starts or is restarted with RESTORE_ROUTING=Yes,
+    it will capture the contents of /etc/shorewall/rt_tables and will
+    restore that database when Shorewall is stopped or
+    restarted. Similarly, the default route will be captured the first
+    time that you [re]start Shorewall using this version.
+
+    Beware that setting RESTORE_ROUTING=Yes may result in lost
+    connections after a start, stop, restart, restore or clear command
+    because the route being used by some existing connections may be
+    deleted.
 
 Migration Considerations:
 

Shorewall/shorewall.conf

@@ -964,6 +964,23 @@ USE_ACTIONS=Yes
 
 OPTIMIZE=0
 
+#
+# Restore Routing
+#
+# Prior to Shorewall release 3.3.4, Shorewall made no attempt to back out the
+# changes to routing that were generated by entries in /etc/shorewall/providers
+# and /etc/shorewall/route_rules.
+#
+# Beginning with 3.3.4, Shorewall will attempt to back out these changes 
+# as part of processing the "start", "stop", "restart", "restore" and "clear"
+# commands if RESTORE_ROUTING=Yes.
+#
+# Beware that setting RESTORE_ROUTING=Yes may result in a loss of existing
+# connections during and after any of the above commands. RESTORE_ROUTING=Yes
+# is not advised if you routinely administer your firewall(s) remotely.
+
+RESTORE_ROUTING=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################