Remove RESTORE_ROUTING option in favor of a more rational route restoration algorithm

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4762 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/compiler

@@ -4724,6 +4724,8 @@ __EOF__
 
     save_command "undo_routing"
 
+    save_command "restore_default_route"
+
     process_criticalhosts
 
     if [ -n "$CRITICALHOSTS" ]; then
@@ -5135,7 +5137,6 @@ __EOF__
     LOGLIMIT="$LOGLIMIT"
     LOGTAGONLY="$LOGTAGONLY"
     LOGRULENUMBERS="$LOGRULENUMBERS"
-    RESTORE_ROUTING="$RESTORE_ROUTING"
 __EOF__
 
     if [ -n "$LOGFORMAT" ]; then
@@ -5426,6 +5427,9 @@ __EOF__
     if strip_file_and_lib_load providers providers; then
 	setup_providers $(find_file providers)
 	[ -n "$ROUTEMARK_INTERFACES" ] && setup_routes
+    else
+	save_command undo_routing
+	save_command restore_default_route
     fi
 
     if strip_file_and_lib_load nat nat; then

Shorewall/firewall

@@ -304,6 +304,7 @@ stop_firewall() {
     [ -n "$DISABLE_IPV6" ] && disable_ipv6
 
     undo_routing
+    restore_default_route
 
     process_criticalhosts
 

Shorewall/lib.base

@@ -1287,42 +1287,58 @@ get_device_mtu() # $1 = device
 #
 undo_routing() {
     
-    if [ -n "$RESTORE_ROUTING" ]; then
+    #
-        #
+    # Restore rt_tables database
-        # Restore rt_tables database
+    #
-        #
+    if [ -f ${VARDIR}/rt_tables ]; then
-	if [ -f ${VARDIR}/rt_tables ]; then
+	cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
-	    cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
+	rm -f ${VARDIR}/rt_tables
-	    rm -f ${VARDIR}/rt_tables
+    fi
-	fi
+    #
-        #
+    # Restore the rest of the routing table
-        # Restore the default route
+    #
-        #
+    if [ -f ${VARDIR}/undo_routing ]; then
-	if [ -f ${VARDIR}/default_route ]; then
+	. ${VARDIR}/undo_routing
-	    local default_route="$(sed 's/\n/ /' ${VARDIR}/default_route)"
+	progress_message "Shorewall-generated routing tables and routing rules removed"
-	    
+	rm -f ${VARDIR}/undo_routing
-	    case "$default_route" in
+    fi
-		default*default)
+
-		    default_route="${default_route%% default*}"
+}
+
+restore_default_route() {
+    
+    if [ -f ${VARDIR}/default_route ]; then
+	local default_route= route
+
+	while read route ; do
+	    case $route in
+		default*)
+		    if [ -n "$default_route" ]; then
+			case "$default_route" in
+			    metric)
+		                #
+		                # Don't restore a route with a metric -- we only replace the one with metric == 0
+		                #
+				qt ip route delete default metric 0 && \
+				    progress_message "Default Route with metric 0 deleted"
+				;;
+			    *)
+				qt ip route replace $default_route && \
+				    progress_message "Default Route (${default_route# }) restored"
+				;;
+			esac
+			
+			break
+		    fi
+		    
+		    default_route="$default_route $route"
+		    ;;
+		*)
+		    default_route="$default_route $route"
 		    ;;
 	    esac
+	done < ${VARDIR}/default_route
 	    
-	    qt ip route replace $default_route
+	rm -f ${VARDIR}/default_route
-	    
-	    progress_message "Default Route ($default_route) restored"
-	    
-	    rm -f ${VARDIR}/default_route
-	fi
-        #
-        # Restore the rest of the routing table
-        #
-	if [ -f ${VARDIR}/undo_routing ]; then
-	    . ${VARDIR}/undo_routing
-	    progress_message "Shorewall-generated routing tables and routing rules removed"
-	    rm -f ${VARDIR}/undo_routing
-	fi
     fi
 }
-	
-
-	

Shorewall/lib.config

@@ -1795,7 +1795,6 @@ do_initialize() {
     ACCEPT_DEFAULT=
     QUEUE_DEFAULT=
     OPTIMIZE=
-    RESTORE_ROUTING=
 
     LOGLIMIT=
     LOGPARMS=
@@ -2010,7 +2009,6 @@ do_initialize() {
     TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT)
     USE_ACTIONS=$(added_param_value_yes USE_ACTIONS $USE_ACTIONS)
     [ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes"
-    RESTORE_ROUTING=$(added_param_value_no RESTORE_ROUTING $RESTORE_ROUTING)
     
     [ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
     [ -n "$XMARK" ] || XCONNMARK=

Shorewall/lib.providers

@@ -124,7 +124,7 @@ __EOF__
 	save_command "qt ip route flush table $number"
 
 	indent >&3 << __EOF__
-[ -n "\$RESTORE_ROUTING" ] && echo "qt ip route flush table $number" >> \${VARDIR}/undo_routing
+echo "qt ip route flush table $number" >> \${VARDIR}/undo_routing
 __EOF__
 
 	if [ "x${duplicate:=-}" != x- ]; then
@@ -179,7 +179,7 @@ __EOF__
 	    indent >&3 << __EOF__
 qt ip rule del fwmark $mark
 run_ip rule add fwmark $mark pref $((10000 + $mark)) table $number
-[ -n "\$RESTORE_ROUTING" ] && echo "qt ip rule del fwmark $mark" >> \${VARDIR}/undo_routing
+echo "qt ip rule del fwmark $mark" >> \${VARDIR}/undo_routing
 __EOF__
 	fi
 
@@ -225,7 +225,7 @@ rulenum=0
 find_interface_addresses $interface | while read address; do
     qt ip rule del from \$address
     run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number
-    [ -n "\$RESTORE_ROUTING" ] && echo "qt ip rule del from \$address" >> \${VARDIR}/undo_routing
+    echo "qt ip rule del from \$address" >> \${VARDIR}/undo_routing
     rulenum=\$((\$rulenum + 1))
 done
 __EOF__
@@ -306,7 +306,7 @@ __EOF__
 	save_command "qt ip rule del $source $dest $priority"
 	save_command "run_ip rule add $source $dest $priority table $provider"
 	indent >&3 << __EOF__
-[ -n "\$RESTORE_ROUTING" ] && echo "qt ip rule del $source $dest $priority" >> \${VARDIR}/undo_routing
+echo "qt ip rule del $source $dest $priority" >> \${VARDIR}/undo_routing
 __EOF__
 	progress_message "Routing rule \"$rule\" $DONE"
     }
@@ -324,15 +324,16 @@ __EOF__
     save_command "if [ -z \"\$NOROUTES\" ]; then"
     INDENT="$INDENT    "
     indent >&3 << __EOF__
-if [ -n "\$RESTORE_ROUTING" ]; then
+#
-    #
+# Undo any changes made the last time that we [re]started
-    # Undo any changes made the last time that we [re]started
+#
-    #
+undo_routing
-    undo_routing
+#
-    cp /etc/iproute2/rt_tables \${VARDIR}/
+# Save current routing state so that it can be restored later
-    ip route ls | grep -E '^\s*(default |nexthop )' > \${VARDIR}/default_route
+#
-    > \${VARDIR}/undo_routing
+cp /etc/iproute2/rt_tables \${VARDIR}/
-fi
+[ -f \${VARDIR}/default_route ] || ip route ls | grep -E '^\s*(default |nexthop )' > \${VARDIR}/default_route
+> \${VARDIR}/undo_routing
 __EOF__
     save_progress_message "Adding Providers..."
     save_command "DEFAULT_ROUTE="

Shorewall/releasenotes.txt

@@ -153,23 +153,23 @@ Other Changes in 3.3.4.
 6)  Previously, Shorewall has not attempted to undo the changes it has
     made to the firewall's routing as a result of entries in
     /etc/shorewall/providers and /etc/shorewall/routes. Beginning with
-    this release, Shorewall will attempt to undo these changes if
+    this release, Shorewall will attempt to undo these changes.
-    RESTORE_ROUTING=Yes in /etc/shorewall/shorewall.conf.
 
-    If you use entries in /etc/shorewall, you must exercise
+    When Shorewall starts or is restarted and there are entries in
-    care when first setting this option in order to 
+    /etc/shorewall/providers, Shorewall will capture the contents
-    ensure that the firewall's routing be restored correctly.
+    of /etc/shorewall/rt_tables and will restore that database when
+    Shorewall is stopped or restarted. Similarly, the default route
+    will be captured the first time that you [re]start Shorewall using
+    this version and will be restored under the following conditions:
 
-    When Shorewall starts or is restarted with RESTORE_ROUTING=Yes,
+    a) shorewall stop
-    it will capture the contents of /etc/shorewall/rt_tables and will
+    b) shorewall clear
-    restore that database when Shorewall is stopped or
+    c) shorewall restart or restore and there are no entries in
-    restarted. Similarly, the default route will be captured the first
+       /etc/shorewall/providers.
-    time that you [re]start Shorewall using this version.
 
-    Beware that setting RESTORE_ROUTING=Yes may result in lost
+    Once the default route has been restored, Shorewall will delete
-    connections after a start, stop, restart, restore or clear command
+    the saved copy so that it will once again be captured at the next
-    because the route being used by some existing connections may be
+    shorewall start or shorewall restore.
-    deleted.
 
 Migration Considerations:
 

Shorewall/shorewall.conf

@@ -964,23 +964,6 @@ USE_ACTIONS=Yes
 
 OPTIMIZE=0
 
-#
-# Restore Routing
-#
-# Prior to Shorewall release 3.3.4, Shorewall made no attempt to back out the
-# changes to routing that were generated by entries in /etc/shorewall/providers
-# and /etc/shorewall/route_rules.
-#
-# Beginning with 3.3.4, Shorewall will attempt to back out these changes 
-# as part of processing the "start", "stop", "restart", "restore" and "clear"
-# commands if RESTORE_ROUTING=Yes.
-#
-# Beware that setting RESTORE_ROUTING=Yes may result in a loss of existing
-# connections during and after any of the above commands. RESTORE_ROUTING=Yes
-# is not advised if you routinely administer your firewall(s) remotely.
-
-RESTORE_ROUTING=No
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################