Undo the effects of NULL_ROUTE_RFC1918 during restart/stop

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8433 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2008-04-18 15:07:15 +00:00
parent 20db84ae13
commit a16cd8f28e
2 changed files with 98 additions and 14 deletions

View File

@ -194,6 +194,68 @@ disable_critical_hosts()
done
}
#
# Undo changes to routing
#
undo_routing() {
#
# Restore rt_tables database
#
if [ -f ${VARDIR}/rt_tables ]; then
[ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
rm -f ${VARDIR}/rt_tables
fi
#
# Restore the rest of the routing table
#
if [ -f ${VARDIR}/undo_routing ]; then
. ${VARDIR}/undo_routing
progress_message "Shorewall-generated routing tables and routing rules removed"
rm -f ${VARDIR}/undo_routing
fi
}
restore_default_route() {
if [ -f ${VARDIR}/default_route ]; then
local default_route
default_route=
local route
while read route ; do
case $route in
default*)
if [ -n "$default_route" ]; then
case "$default_route" in
*metric*)
#
# Don't restore a route with a metric -- we only replace the one with metric == 0
#
qt ip route delete default metric 0 && \
progress_message "Default Route with metric 0 deleted"
;;
*)
qt ip route replace $default_route && \
progress_message "Default Route (${default_route# }) restored"
;;
esac
break
fi
default_route="$default_route $route"
;;
*)
default_route="$default_route $route"
;;
esac
done < ${VARDIR}/default_route
rm -f ${VARDIR}/default_route
fi
}
#
# Stop the Firewall
#
@ -281,6 +343,9 @@ stop_firewall() {
delete_proxy_arp
[ -n "$CLEAR_TC" ] && delete_tc1
undo_routing
restore_default_route
[ -n "$DISABLE_IPV6" ] && disable_ipv6
undo_routing
@ -486,9 +551,12 @@ NOLOCK=
[ $# -gt 1 ] && [ "$1" = "nolock" ] && { NOLOCK=Yes; shift ; }
SHAREDIR=/usr/share/shorewall
VARDIR=/var/lib/shorewall
CONFDIR=/etc/shorewall
[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]
[ -n "${VARDIR:=/var/lib/shorewall}" ]
for library in lib.base lib.config; do
FUNCTIONS=${SHAREDIR}/${library}

View File

@ -453,20 +453,19 @@ sub add_an_rtrule( $$$$ ) {
progress_message " Routing rule \"$currentline\" $done";
}
sub setup_providers() {
#
# This probably doesn't belong here but looking forward to the day when we get Shorewall out of the routing business,
# it makes sense to keep all of the routing code together
#
if ( $config{NULL_ROUTE_RFC1918} ) {
emit 'if [ -z "$NOROUTES" ]; then';
push_indent;
save_progress_message "Null Routing the RFC 1918 subnets";
emit "run_ip route replace unreachable $_" for rfc1918_networks;
pop_indent;
emit "fi\n";
}
#
# This probably doesn't belong here but looking forward to the day when we get Shorewall out of the routing business,
# it makes sense to keep all of the routing code together
#
sub setup_null_routing() {
save_progress_message "Null Routing the RFC 1918 subnets";
for ( rfc1918_networks ) {
emit( "run_ip route replace unreachable $_" );
emit( "echo \"qt ip route del unreachable $_\" >> \${VARDIR}/undo_routing" );
}
}
sub setup_providers() {
my $providers = 0;
my $fn = open_file 'providers';
@ -586,6 +585,7 @@ sub setup_providers() {
}
}
setup_null_routing if $config{NULL_ROUTE_RFC1918};
emit "\nrun_ip route flush cache";
pop_indent;
emit "fi\n";
@ -594,6 +594,22 @@ sub setup_providers() {
} else {
emit "\nundo_routing";
emit 'restore_default_route';
if ( $config{NULL_ROUTE_RFC1918} ) {
emit "\nif [ -z \"\$NOROUTES\" ]; then";
push_indent;
emit ( '#',
'# Initialize the file that holds \'undo\' commands',
'#',
'> ${VARDIR}/undo_routing' );
setup_null_routing;
emit "\nrun_ip route flush cache";
pop_indent;
emit "fi\n";
}
}
}