Undo the effects of NULL_ROUTE_RFC1918 during restart/stop
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8433 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
20db84ae13
commit
a16cd8f28e
@ -194,6 +194,68 @@ disable_critical_hosts()
|
|||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Undo changes to routing
|
||||||
|
#
|
||||||
|
undo_routing() {
|
||||||
|
|
||||||
|
#
|
||||||
|
# Restore rt_tables database
|
||||||
|
#
|
||||||
|
if [ -f ${VARDIR}/rt_tables ]; then
|
||||||
|
[ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
|
||||||
|
rm -f ${VARDIR}/rt_tables
|
||||||
|
fi
|
||||||
|
#
|
||||||
|
# Restore the rest of the routing table
|
||||||
|
#
|
||||||
|
if [ -f ${VARDIR}/undo_routing ]; then
|
||||||
|
. ${VARDIR}/undo_routing
|
||||||
|
progress_message "Shorewall-generated routing tables and routing rules removed"
|
||||||
|
rm -f ${VARDIR}/undo_routing
|
||||||
|
fi
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
restore_default_route() {
|
||||||
|
if [ -f ${VARDIR}/default_route ]; then
|
||||||
|
local default_route
|
||||||
|
default_route=
|
||||||
|
local route
|
||||||
|
|
||||||
|
while read route ; do
|
||||||
|
case $route in
|
||||||
|
default*)
|
||||||
|
if [ -n "$default_route" ]; then
|
||||||
|
case "$default_route" in
|
||||||
|
*metric*)
|
||||||
|
#
|
||||||
|
# Don't restore a route with a metric -- we only replace the one with metric == 0
|
||||||
|
#
|
||||||
|
qt ip route delete default metric 0 && \
|
||||||
|
progress_message "Default Route with metric 0 deleted"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
qt ip route replace $default_route && \
|
||||||
|
progress_message "Default Route (${default_route# }) restored"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
|
||||||
|
default_route="$default_route $route"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
default_route="$default_route $route"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done < ${VARDIR}/default_route
|
||||||
|
|
||||||
|
rm -f ${VARDIR}/default_route
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Stop the Firewall
|
# Stop the Firewall
|
||||||
#
|
#
|
||||||
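Review bot: The `-w` test on the rt_tables restore line in undo_routing checks `/etc/iproute2/rt_table`, while the file saved in ${VARDIR} and copied back into `/etc/iproute2/` is `rt_tables`; unless a separate `rt_table` file exists on the target system, that test is always false and the database is never restored. The line should read `[ -w /etc/iproute2/rt_tables -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"`. Separately, `. ${VARDIR}/undo_routing` executes the contents of a state file with the privileges of the stop path, so a comment above it recording that the file is written only by the generated script and that ${VARDIR} must not be writable by unprivileged users would make that assumption visible to the next maintainer. In restore_default_route, `while read route` is fine for `ip route` output, but `while read -r route` is the safer habit since backslashes are otherwise interpreted.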
@ -281,6 +343,9 @@ stop_firewall() {
|
|||||||
delete_proxy_arp
|
delete_proxy_arp
|
||||||
[ -n "$CLEAR_TC" ] && delete_tc1
|
[ -n "$CLEAR_TC" ] && delete_tc1
|
||||||
|
|
||||||
|
undo_routing
|
||||||
|
restore_default_route
|
||||||
|
|
||||||
[ -n "$DISABLE_IPV6" ] && disable_ipv6
|
[ -n "$DISABLE_IPV6" ] && disable_ipv6
|
||||||
|
|
||||||
undo_routing
|
undo_routing
|
||||||
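Review bot: stop_firewall now calls `undo_routing` twice: the new call placed before `disable_ipv6`, and the pre-existing call that remains as the last line of the hunk. The first call removes `${VARDIR}/undo_routing` and `${VARDIR}/rt_tables` after using them, so the second call finds nothing and is a no-op; drop the later `undo_routing` line so the stop sequence reads as one routing undo followed by `restore_default_route`. stop_firewall's body continues on both sides of the hunk.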
@ -486,9 +551,12 @@ NOLOCK=
|
|||||||
[ $# -gt 1 ] && [ "$1" = "nolock" ] && { NOLOCK=Yes; shift ; }
|
[ $# -gt 1 ] && [ "$1" = "nolock" ] && { NOLOCK=Yes; shift ; }
|
||||||
|
|
||||||
SHAREDIR=/usr/share/shorewall
|
SHAREDIR=/usr/share/shorewall
|
||||||
VARDIR=/var/lib/shorewall
|
|
||||||
CONFDIR=/etc/shorewall
|
CONFDIR=/etc/shorewall
|
||||||
|
|
||||||
|
[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]
|
||||||
|
|
||||||
|
[ -n "${VARDIR:=/var/lib/shorewall}" ]
|
||||||
|
|
||||||
for library in lib.base lib.config; do
|
for library in lib.base lib.config; do
|
||||||
FUNCTIONS=${SHAREDIR}/${library}
|
FUNCTIONS=${SHAREDIR}/${library}
|
||||||
|
|
||||||
|
@ -453,20 +453,19 @@ sub add_an_rtrule( $$$$ ) {
|
|||||||
progress_message " Routing rule \"$currentline\" $done";
|
progress_message " Routing rule \"$currentline\" $done";
|
||||||
}
|
}
|
||||||
|
|
||||||
sub setup_providers() {
|
#
|
||||||
#
|
# This probably doesn't belong here but looking forward to the day when we get Shorewall out of the routing business,
|
||||||
# This probably doesn't belong here but looking forward to the day when we get Shorewall out of the routing business,
|
# it makes sense to keep all of the routing code together
|
||||||
# it makes sense to keep all of the routing code together
|
#
|
||||||
#
|
sub setup_null_routing() {
|
||||||
if ( $config{NULL_ROUTE_RFC1918} ) {
|
save_progress_message "Null Routing the RFC 1918 subnets";
|
||||||
emit 'if [ -z "$NOROUTES" ]; then';
|
for ( rfc1918_networks ) {
|
||||||
push_indent;
|
emit( "run_ip route replace unreachable $_" );
|
||||||
save_progress_message "Null Routing the RFC 1918 subnets";
|
emit( "echo \"qt ip route del unreachable $_\" >> \${VARDIR}/undo_routing" );
|
||||||
emit "run_ip route replace unreachable $_" for rfc1918_networks;
|
}
|
||||||
pop_indent;
|
}
|
||||||
emit "fi\n";
|
|
||||||
}
|
|
||||||
|
|
||||||
|
sub setup_providers() {
|
||||||
my $providers = 0;
|
my $providers = 0;
|
||||||
|
|
||||||
my $fn = open_file 'providers';
|
my $fn = open_file 'providers';
|
||||||
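Review bot: setup_null_routing now appends its undo commands with `>> ${VARDIR}/undo_routing` but no longer emits the `if [ -z "$NOROUTES" ]` guard or the push_indent/pop_indent the removed version carried, so it depends on every caller to truncate that file beforehand and to wrap the call; the call at the end of the providers branch in the next hunk, `setup_null_routing if $config{NULL_ROUTE_RFC1918};`, shows no such truncation inside that hunk, so confirm it happens earlier in that branch. A header comment stating the two preconditions — the caller guards on NOROUTES and NULL_ROUTE_RFC1918, and `${VARDIR}/undo_routing` already exists and is ready to be appended to — would make the contract explicit. As a style point, naming the loop variable keeps `$_` out of the two interpolated strings: `for my $net ( rfc1918_networks ) {`, then `emit( "run_ip route replace unreachable $net" );` and the matching undo line.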
@ -586,6 +585,7 @@ sub setup_providers() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
setup_null_routing if $config{NULL_ROUTE_RFC1918};
|
||||||
emit "\nrun_ip route flush cache";
|
emit "\nrun_ip route flush cache";
|
||||||
pop_indent;
|
pop_indent;
|
||||||
emit "fi\n";
|
emit "fi\n";
|
||||||
@ -594,6 +594,22 @@ sub setup_providers() {
|
|||||||
} else {
|
} else {
|
||||||
emit "\nundo_routing";
|
emit "\nundo_routing";
|
||||||
emit 'restore_default_route';
|
emit 'restore_default_route';
|
||||||
|
if ( $config{NULL_ROUTE_RFC1918} ) {
|
||||||
|
emit "\nif [ -z \"\$NOROUTES\" ]; then";
|
||||||
|
|
||||||
|
push_indent;
|
||||||
|
|
||||||
|
emit ( '#',
|
||||||
|
'# Initialize the file that holds \'undo\' commands',
|
||||||
|
'#',
|
||||||
|
'> ${VARDIR}/undo_routing' );
|
||||||
|
setup_null_routing;
|
||||||
|
emit "\nrun_ip route flush cache";
|
||||||
|
|
||||||
|
pop_indent;
|
||||||
|
|
||||||
|
emit "fi\n";
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
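Review bot: The emitted `> ${VARDIR}/undo_routing` truncation must stay after the emitted `undo_routing` call, because the shell-side undo_routing sources that file before deleting it; a comment above the `emit ( '#', ...` block such as `# undo_routing (emitted above) has already consumed and removed the previous undo file; start a fresh one here` records that ordering for the next editor. Creating the file only when NOROUTES is unset is consistent, since nothing is recorded in that case. Minor style: `emit "\nif [ -z \"\$NOROUTES\" ]; then";` reads more easily in the single-quoted form the removed code used, e.g. `emit "\n" . 'if [ -z "$NOROUTES" ]; then';`. setup_providers continues outside the hunk.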