From bbb831ea77c15aa5f9626dfdbab37eb717e15c8c Mon Sep 17 00:00:00 2001 From: teastep Date: Mon, 30 Oct 2006 16:15:55 +0000 Subject: [PATCH] Remove RESTORE_ROUTING option in favor of a more rational route restoration algorithm git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4762 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/compiler | 6 ++- Shorewall/firewall | 1 + Shorewall/lib.base | 84 +++++++++++++++++++++++--------------- Shorewall/lib.config | 2 - Shorewall/lib.providers | 27 ++++++------ Shorewall/releasenotes.txt | 28 ++++++------- Shorewall/shorewall.conf | 17 -------- 7 files changed, 84 insertions(+), 81 deletions(-) diff --git a/Shorewall/compiler b/Shorewall/compiler index 6f15469a4..c3ad0e232 100755 --- a/Shorewall/compiler +++ b/Shorewall/compiler @@ -4724,6 +4724,8 @@ __EOF__ save_command "undo_routing" + save_command "restore_default_route" + process_criticalhosts if [ -n "$CRITICALHOSTS" ]; then @@ -5135,7 +5137,6 @@ __EOF__ LOGLIMIT="$LOGLIMIT" LOGTAGONLY="$LOGTAGONLY" LOGRULENUMBERS="$LOGRULENUMBERS" - RESTORE_ROUTING="$RESTORE_ROUTING" __EOF__ if [ -n "$LOGFORMAT" ]; then @@ -5426,6 +5427,9 @@ __EOF__ if strip_file_and_lib_load providers providers; then setup_providers $(find_file providers) [ -n "$ROUTEMARK_INTERFACES" ] && setup_routes + else + save_command undo_routing + save_command restore_default_route fi if strip_file_and_lib_load nat nat; then diff --git a/Shorewall/firewall b/Shorewall/firewall index 2c1d9da96..711d0d3d8 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -304,6 +304,7 @@ stop_firewall() { [ -n "$DISABLE_IPV6" ] && disable_ipv6 undo_routing + restore_default_route process_criticalhosts diff --git a/Shorewall/lib.base b/Shorewall/lib.base index f02d2da7e..71125b1a4 100644 --- a/Shorewall/lib.base +++ b/Shorewall/lib.base 
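Review bot: The new `else` branch in the compiler hunk at 5427 passes its arguments unquoted (`save_command undo_routing`, `save_command restore_default_route`) while the hunk at 4724 writes the same call as `save_command "undo_routing"` and `save_command "restore_default_route"`; pick one form for both sites, preferably the quoted one already used two hunks earlier. For these single-word arguments the generated script is identical either way, so this is style only. The enclosing function continues outside the hunk.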
@@ -1287,42 +1287,58 @@ get_device_mtu() # $1 = device # undo_routing() { - if [ -n "$RESTORE_ROUTING" ]; then - # - # Restore rt_tables database - # - if [ -f ${VARDIR}/rt_tables ]; then - cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored" - rm -f ${VARDIR}/rt_tables - fi - # - # Restore the default route - # - if [ -f ${VARDIR}/default_route ]; then - local default_route="$(sed 's/\n/ /' ${VARDIR}/default_route)" - - case "$default_route" in - default*default) - default_route="${default_route%% default*}" + # + # Restore rt_tables database + # + if [ -f ${VARDIR}/rt_tables ]; then + cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored" + rm -f ${VARDIR}/rt_tables + fi + # + # Restore the rest of the routing table + # + if [ -f ${VARDIR}/undo_routing ]; then + . ${VARDIR}/undo_routing + progress_message "Shorewall-generated routing tables and routing rules removed" + rm -f ${VARDIR}/undo_routing + fi + +} + +restore_default_route() { + + if [ -f ${VARDIR}/default_route ]; then + local default_route= route + + while read route ; do + case $route in + default*) + if [ -n "$default_route" ]; then + case "$default_route" in + metric) + # + # Don't restore a route with a metric -- we only replace the one with metric == 0 + # + qt ip route delete default metric 0 && \ + progress_message "Default Route with metric 0 deleted" + ;; + *) + qt ip route replace $default_route && \ + progress_message "Default Route (${default_route# }) restored" + ;; + esac + + break + fi + + default_route="$default_route $route" + ;; + *) + default_route="$default_route $route" ;; esac + done < ${VARDIR}/default_route - qt ip route replace $default_route - - progress_message "Default Route ($default_route) restored" - - rm -f ${VARDIR}/default_route - fi - # - # Restore the rest of the routing table - # - if [ -f ${VARDIR}/undo_routing ]; then - . 
${VARDIR}/undo_routing - progress_message "Shorewall-generated routing tables and routing rules removed" - rm -f ${VARDIR}/undo_routing - fi + rm -f ${VARDIR}/default_route fi } - - - diff --git a/Shorewall/lib.config b/Shorewall/lib.config index e1c94f1da..a8e7f68b7 100644 --- a/Shorewall/lib.config +++ b/Shorewall/lib.config @@ -1795,7 +1795,6 @@ do_initialize() { ACCEPT_DEFAULT= QUEUE_DEFAULT= OPTIMIZE= - RESTORE_ROUTING= LOGLIMIT= LOGPARMS= @@ -2010,7 +2009,6 @@ do_initialize() { TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT) USE_ACTIONS=$(added_param_value_yes USE_ACTIONS $USE_ACTIONS) [ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes" - RESTORE_ROUTING=$(added_param_value_no RESTORE_ROUTING $RESTORE_ROUTING) [ -n "$XCONNMARK_MATCH" ] || XCONNMARK= [ -n "$XMARK" ] || XCONNMARK= diff --git a/Shorewall/lib.providers b/Shorewall/lib.providers index 8a5819d1e..13590c6ce 100644 --- a/Shorewall/lib.providers +++ b/Shorewall/lib.providers @@ -124,7 +124,7 @@ __EOF__ save_command "qt ip route flush table $number" indent >&3 << __EOF__ -[ -n "\$RESTORE_ROUTING" ] && echo "qt ip route flush table $number" >> \${VARDIR}/undo_routing +echo "qt ip route flush table $number" >> \${VARDIR}/undo_routing __EOF__ if [ "x${duplicate:=-}" != x- ]; then @@ -179,7 +179,7 @@ __EOF__ indent >&3 << __EOF__ qt ip rule del fwmark $mark run_ip rule add fwmark $mark pref $((10000 + $mark)) table $number -[ -n "\$RESTORE_ROUTING" ] && echo "qt ip rule del fwmark $mark" >> \${VARDIR}/undo_routing +echo "qt ip rule del fwmark $mark" >> \${VARDIR}/undo_routing __EOF__ fi @@ -225,7 +225,7 @@ rulenum=0 find_interface_addresses $interface | while read address; do qt ip rule del from \$address run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number - [ -n "\$RESTORE_ROUTING" ] && echo "qt ip rule del from \$address" >> \${VARDIR}/undo_routing + echo "qt ip rule del from \$address" >> \${VARDIR}/undo_routing rulenum=\$((\$rulenum + 1)) done __EOF__ 
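Review bot: restore_default_route never restores a saved default route when `${VARDIR}/default_route` holds a single `default` line, which is the usual case: the `qt ip route replace $default_route` is only reached inside the `default*)` arm when a *second* `default` line is read, so with one line the loop ends with the route still pending in `$default_route` and the following `rm -f ${VARDIR}/default_route` discards it. The inner `case "$default_route" in metric)` is also dead code, because `default_route` is built as `"$default_route $route"` and therefore always starts with a space followed by `default` (the progress message even strips that space with `${default_route# }`), so it can never equal the literal `metric`; the pattern should be `*metric*)`. The rewrite below flushes the pending route after the loop with the same metric handling, clears `default_route` before the in-loop `break` so a route is not replaced twice, and uses `*metric*)` in both places.
```shell
restore_default_route() {
    # … unchanged: -f test on ${VARDIR}/default_route, locals, while-read loop head …
                        case "$default_route" in
                            *metric*)
                                #
                                # Don't restore a route with a metric -- we only replace the one with metric == 0
                                #
                                qt ip route delete default metric 0 && \
                                progress_message "Default Route with metric 0 deleted"
                                ;;
                            *)
                                qt ip route replace $default_route && \
                                progress_message "Default Route (${default_route# }) restored"
                                ;;
                        esac

                        default_route=
                        break
    # … unchanged: remaining case arms and `done < ${VARDIR}/default_route` …

        #
        # A single saved default line never reaches the in-loop restore above,
        # so flush whatever is still pending once the file has been read.
        #
        if [ -n "$default_route" ]; then
            case "$default_route" in
                *metric*)
                    qt ip route delete default metric 0 && \
                    progress_message "Default Route with metric 0 deleted"
                    ;;
                *)
                    qt ip route replace $default_route && \
                    progress_message "Default Route (${default_route# }) restored"
                    ;;
            esac
        fi

        rm -f ${VARDIR}/default_route
```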
@@ -306,7 +306,7 @@ __EOF__ save_command "qt ip rule del $source $dest $priority" save_command "run_ip rule add $source $dest $priority table $provider" indent >&3 << __EOF__ -[ -n "\$RESTORE_ROUTING" ] && echo "qt ip rule del $source $dest $priority" >> \${VARDIR}/undo_routing +echo "qt ip rule del $source $dest $priority" >> \${VARDIR}/undo_routing __EOF__ progress_message "Routing rule \"$rule\" $DONE" } @@ -324,15 +324,16 @@ __EOF__ save_command "if [ -z \"\$NOROUTES\" ]; then" INDENT="$INDENT " indent >&3 << __EOF__ -if [ -n "\$RESTORE_ROUTING" ]; then - # - # Undo any changes made the last time that we [re]started - # - undo_routing - cp /etc/iproute2/rt_tables \${VARDIR}/ - ip route ls | grep -E '^\s*(default |nexthop )' > \${VARDIR}/default_route - > \${VARDIR}/undo_routing -fi +# +# Undo any changes made the last time that we [re]started +# +undo_routing +# +# Save current routing state so that it can be restored later +# +cp /etc/iproute2/rt_tables \${VARDIR}/ +[ -f \${VARDIR}/default_route ] || ip route ls | grep -E '^\s*(default |nexthop )' > \${VARDIR}/default_route +> \${VARDIR}/undo_routing __EOF__ save_progress_message "Adding Providers..." save_command "DEFAULT_ROUTE=" diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 5104ebfef..5478dc6b7 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
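Review bot: The `[ -f \${VARDIR}/default_route ] ||` guard on the capture line in the hunk at 324 is what gives the "captured the first time you [re]start" behaviour described in this commit's release notes, but the generated script says nothing about why the capture is conditional, and the comment above it ("Save current routing state") suggests the opposite; a later reader could easily "fix" it into an unconditional capture and start saving the route a previous start installed. Suggest replacing that comment with `# Save the routing state only if no earlier start already saved it: after a [re]start the default route may be one Shorewall itself installed`. Note also that when `grep` matches nothing the redirection still creates an empty `default_route` file, after which the guard suppresses any recapture until a stop, clear or restore removes it; whether an empty capture is meant to be sticky is not clear from the hunk. The enclosing function starts and ends outside the hunk.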
@@ -153,23 +153,23 @@ Other Changes in 3.3.4. 6) Previously, Shorewall has not attempted to undo the changes it has made to the firewall's routing as a result of entries in /etc/shorewall/providers and /etc/shorewall/routes. Beginning with - this release, Shorewall will attempt to undo these changes if - RESTORE_ROUTING=Yes in /etc/shorewall/shorewall.conf. + this release, Shorewall will attempt to undo these changes. - If you use entries in /etc/shorewall, you must exercise - care when first setting this option in order to - ensure that the firewall's routing be restored correctly. + When Shorewall starts or is restarted and there are entries in + /etc/shorewall/providers, Shorewall will capture the contents + of /etc/shorewall/rt_tables and will restore that database when + Shorewall is stopped or restarted. Similarly, the default route + will be captured the first time that you [re]start Shorewall using + this version and will be restored under the following conditions: - When Shorewall starts or is restarted with RESTORE_ROUTING=Yes, - it will capture the contents of /etc/shorewall/rt_tables and will - restore that database when Shorewall is stopped or - restarted. Similarly, the default route will be captured the first - time that you [re]start Shorewall using this version. + a) shorewall stop + b) shorewall clear + c) shorewall restart or restore and there are no entries in + /etc/shorewall/providers. - Beware that setting RESTORE_ROUTING=Yes may result in lost - connections after a start, stop, restart, restore or clear command - because the route being used by some existing connections may be - deleted. + Once the default route has been restored, Shorewall will delete + the saved copy so that it will once again be captured at the next + shorewall start or shorewall restore. Migration Considerations: diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf index 181877dd1..e79d550bc 100644 --- a/Shorewall/shorewall.conf +++ b/Shorewall/shorewall.conf 
@@ -964,23 +964,6 @@ USE_ACTIONS=Yes OPTIMIZE=0 -# -# Restore Routing -# -# Prior to Shorewall release 3.3.4, Shorewall made no attempt to back out the -# changes to routing that were generated by entries in /etc/shorewall/providers -# and /etc/shorewall/route_rules. -# -# Beginning with 3.3.4, Shorewall will attempt to back out these changes -# as part of processing the "start", "stop", "restart", "restore" and "clear" -# commands if RESTORE_ROUTING=Yes. -# -# Beware that setting RESTORE_ROUTING=Yes may result in a loss of existing -# connections during and after any of the above commands. RESTORE_ROUTING=Yes -# is not advised if you routinely administer your firewall(s) remotely. - -RESTORE_ROUTING=No - ############################################################################### # P A C K E T D I S P O S I T I O N ###############################################################################