More RTC changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9336 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-21 02:08:48 +02:00 · 2009-01-24 23:57:10 +00:00 · 2009-01-24 23:57:10 +00:00 · 88c57231ac
commit 88c57231ac
parent 0d87cecbad
3 changed files with 110 additions and 90 deletions
--- a/Shorewall-perl/Shorewall/Compiler.pm
+++ b/Shorewall-perl/Shorewall/Compiler.pm
@ -318,43 +318,45 @@ EOF
 	            ;;
            esac
-            if [ "$RESTOREFILE" = NONE ]; then
+            if [ -z "$RTCONLY" ]; then
-                COMMAND=clear
+                if [ "$RESTOREFILE" = NONE ]; then
-                clear_firewall
+                    COMMAND=clear
-                echo "$PRODUCT Cleared"
+                    clear_firewall
-
+                    echo "$PRODUCT Cleared"
 	        kill $$
 	        exit 2
            else
 	        RESTOREPATH=${VARDIR}/$RESTOREFILE
 	        if [ -x $RESTOREPATH ]; then
 		    if [ -x ${RESTOREPATH}-ipsets ]; then
 		        progress_message2 Restoring Ipsets...
 		        #
 		        # We must purge iptables to be sure that there are no
 		        # references to ipsets
 		        #
 		        for table in mangle nat filter; do
 			    do_iptables -t $table -F
 			    do_iptables -t $table -X
 		        done
 		        ${RESTOREPATH}-ipsets
 		    fi
 		    echo Restoring ${PRODUCT:=Shorewall}...
 		    if $RESTOREPATH restore; then
 		        echo "$PRODUCT restored from $RESTOREPATH"
 		        set_state "Started"
 		    else
 		        set_state "Unknown"
 		    fi
 	            kill $$
 	            exit 2
                else
 	            RESTOREPATH=${VARDIR}/$RESTOREFILE
 	            if [ -x $RESTOREPATH ]; then
 		        if [ -x ${RESTOREPATH}-ipsets ]; then
 		            progress_message2 Restoring Ipsets...
 		            #
 		            # We must purge iptables to be sure that there are no
 		            # references to ipsets
 		            #
 		            for table in mangle nat filter; do
 			        do_iptables -t $table -F
 			        do_iptables -t $table -X
 		            done
 		            ${RESTOREPATH}-ipsets
 		        fi
 		        echo Restoring ${PRODUCT:=Shorewall}...
 		        if $RESTOREPATH restore; then
 		            echo "$PRODUCT restored from $RESTOREPATH"
 		            set_state "Started"
 		        else
 		            set_state "Unknown"
 		        fi
 	                kill $$
 	                exit 2
                    fi
 	        fi
            fi
 	    ;;
@ -365,66 +367,78 @@ EOF
    STOPPING="Yes"
    TERMINATOR=
 EOF
    emit '    if [ -n "$RTCONLY" ]; then';
-    deletechain shorewall
+    push_indent;
    emit( '    delete_tc1' ) if $config{CLEAR_TC};
-    run_stop_exit
+    emit( '    undo_routing',
 	  '    restore_default_route'
 	  );
    pop_indent;
    emit <<'EOF';
    else
        deletechain shorewall
        run_stop_exit
 EOF
    if ( $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED} ) {
 	emit <<'EOF';
-    run_iptables -t mangle -F
+        run_iptables -t mangle -F
-    run_iptables -t mangle -X
+        run_iptables -t mangle -X
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+        for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $IPTABLES -t mangle -P $chain ACCEPT
+	    qt1 $IPTABLES -t mangle -P $chain ACCEPT
-    done
+        done
 EOF
    }
    if ( $capabilities{RAW_TABLE} ) {
 	if ( $family == F_IPV4 ) {
 	    emit <<'EOF';
-    run_iptables -t raw -F
+        run_iptables -t raw -F
-    run_iptables -t raw -X
+        run_iptables -t raw -X
-    for chain in PREROUTING OUTPUT; do
+        for chain in PREROUTING OUTPUT; do
-        qt1 $IPTABLES -t raw -P $chain ACCEPT
+            qt1 $IPTABLES -t raw -P $chain ACCEPT
-    done
+        done
 EOF
 	} else {
 	    emit <<'EOF';
-    run_iptables -t raw -F
+        run_iptables -t raw -F
-    run_iptables -t raw -X
+        run_iptables -t raw -X
-    for chain in PREROUTING OUTPUT; do
+        for chain in PREROUTING OUTPUT; do
-        qt1 $IP6TABLES -t raw -P $chain ACCEPT
+            qt1 $IP6TABLES -t raw -P $chain ACCEPT
-    done
+        done
 EOF
 	}
    }
    if ( $capabilities{NAT_ENABLED} ) {
 	emit <<'EOF';
-    delete_nat
+        delete_nat
-    for chain in PREROUTING POSTROUTING OUTPUT; do
+        for chain in PREROUTING POSTROUTING OUTPUT; do
-        qt1 $IPTABLES -t nat -P $chain ACCEPT
+            qt1 $IPTABLES -t nat -P $chain ACCEPT
-    done
+        done
 EOF
    }
    if ( $family == F_IPV4 ) {
 	emit <<'EOF';
-    if [ -f ${VARDIR}/proxyarp ]; then
+        if [ -f ${VARDIR}/proxyarp ]; then
-	while read address interface external haveroute; do
+	    while read address interface external haveroute; do
-	    qt arp -i $external -d $address pub
+	        qt arp -i $external -d $address pub
-	    [ -z "${haveroute}${NORTC}" ] && qt ip route del $address dev $interface
+	        [ -z "${haveroute}${NORTC}" ] && qt ip route del $address dev $interface
-	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
+	        f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
-	    [ -f $f ] && echo 0 > $f
+	        [ -f $f ] && echo 0 > $f
-	done < ${VARDIR}/proxyarp
+	    done < ${VARDIR}/proxyarp
-    fi
+        fi
-    rm -f ${VARDIR}/proxyarp
+        rm -f ${VARDIR}/proxyarp
 EOF
    }
    push_indent;
    push_indent;
    emit 'delete_tc1' if $config{CLEAR_TC};
@ -578,12 +592,14 @@ EOF
 	}
    }
-    emit 'run_stopped_exit';
+    emit( '', 
 	  'run_stopped_exit' ,
 	  'set_state "Stopped"' );
    pop_indent;
    pop_indent;
-    emit '
+    emit '    fi
    set_state "Stopped"
    logger -p kern.info "$PRODUCT Stopped"
--- a/Shorewall-perl/prog.functions
+++ b/Shorewall-perl/prog.functions
@ -20,26 +20,28 @@ delete_proxyarp() {
 clear_firewall() {
    stop_firewall
-    setpolicy INPUT ACCEPT
+    if [ -z "$RTCONLY" ]; then
-    setpolicy FORWARD ACCEPT
+	setpolicy INPUT ACCEPT
-    setpolicy OUTPUT ACCEPT
+	setpolicy FORWARD ACCEPT
 	setpolicy OUTPUT ACCEPT
-    run_iptables -F
+	run_iptables -F
-    echo 1 > /proc/sys/net/ipv4/ip_forward
+	echo 1 > /proc/sys/net/ipv4/ip_forward
-
+	
-    if [ -n "$DISABLE_IPV6" ]; then
+	if [ -n "$DISABLE_IPV6" ]; then
-	if qt mywhich ip6tables; then
+	    if qt mywhich ip6tables; then
-	    ip6tables -P INPUT   ACCEPT 2> /dev/null
+		ip6tables -P INPUT   ACCEPT 2> /dev/null
-	    ip6tables -P OUTPUT  ACCEPT 2> /dev/null
+		ip6tables -P OUTPUT  ACCEPT 2> /dev/null
-	    ip6tables -P FORWARD ACCEPT 2> /dev/null
+		ip6tables -P FORWARD ACCEPT 2> /dev/null
 	    fi
 	fi
 	run_clear_exit
 	set_state "Cleared"
    fi
    run_clear_exit
    set_state "Cleared"
    logger -p kern.info "$PRODUCT Cleared"
 }
--- a/Shorewall-perl/prog.functions6
+++ b/Shorewall-perl/prog.functions6
@ -4,17 +4,19 @@
 clear_firewall() {
    stop_firewall
-    setpolicy INPUT ACCEPT
+    if [ -z "$RTCONLY" ]; then
-    setpolicy FORWARD ACCEPT
+        setpolicy INPUT ACCEPT
-    setpolicy OUTPUT ACCEPT
+    	setpolicy FORWARD ACCEPT
 	setpolicy OUTPUT ACCEPT
-    run_iptables -F
+	run_iptables -F
-    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
 	run_clear_exit
-    run_clear_exit
+	set_state "Cleared"
-
+    fi
    set_state "Cleared"
    logger -p kern.info "$PRODUCT Cleared"
 }