First cut at backing out routing changes from multiple providers

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4754 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-01-10 23:58:14 +01:00 · 2006-10-29 17:19:11 +00:00 · 2006-10-29 17:19:11 +00:00 · cb1ec8d932
commit cb1ec8d932
parent 33c94f34f7
6 changed files with 79 additions and 1 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -16,6 +16,8 @@ Changes in 3.3.4

 8)  Add lib.cli.

+9)  Attempt to undo routing changes.
+
 Changes in 3.3.3

 1)  Fix excluding in SUBNET column.
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@ -4722,6 +4722,8 @@ __EOF__

    [ -n "$DISABLE_IPV6" ] && save_command "disable_ipv6"

+    save_command "undo_routing"
+
    process_criticalhosts

    if [ -n "$CRITICALHOSTS" ]; then
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -303,6 +303,8 @@ stop_firewall() {

    [ -n "$DISABLE_IPV6" ] && disable_ipv6

+    undo_routing
+
    process_criticalhosts

    if [ -n "$CRITICALHOSTS" ]; then
--- a/Shorewall/lib.base
+++ b/Shorewall/lib.base
@ -1281,3 +1281,45 @@ get_device_mtu() # $1 = device
 	echo 1500
    fi
 }
+
+#
+# Undo changes to routing
+#
+undo_routing() {
+    #
+    # Restore rt_tables database
+    #
+    if [ -f ${VARDIR}/rt_tables ]; then
+	cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
+	rm -f ${VARDIR}/rt_tables
+    fi
+    #
+    # Restore the default route
+    #
+    if [ -f ${VARDIR}/default_route ]; then
+	local default_route="$(sed 's/\n/ /' ${VARDIR}/default_route)"
+
+	case "$default_route" in
+	    default*default)
+		default_route="${default_route%% default*}"
+		;;
+	esac
+	
+	qt ip route replace $default_route
+
+	progress_message "Default Route ($default_route) restored"
+
+	rm -f ${VARDIR}/default_route
+    fi
+    #
+    # Restore the rest of the routing table
+    #
+    if [ -f ${VARDIR}/undo_routing; then
+	. undo_routing
+	progress_message "Shorewall-generated routing tables and routing rules removed"
+	rm -f ${VARDIR}/undo_routing
+    fi
+}
+	
+
+	
--- a/Shorewall/lib.providers
+++ b/Shorewall/lib.providers
@ -123,6 +123,8 @@ __EOF__
 	
 	save_command "qt ip route flush table $number"

+	echo "qt ip route flush table $number" >> ${VARDIR}/undo_routing
+
 	if [ "x${duplicate:=-}" != x- ]; then
 	    if [ "x${copy:=-}" != "x-" ]; then
 		if [ "x${copy}" = xnone ]; then
@ -174,6 +176,7 @@ __EOF__

 	    save_command "qt ip rule del fwmark $mark"
 	    save_command "run_ip rule add fwmark $mark pref $((10000 + $mark)) table $number"
+	    echo "qt ip rule del fwmark $mark" >> ${VARDIR}/undo_routing
 	fi

 	loose=
@ -297,10 +300,13 @@ __EOF__

 	save_command "qt ip rule del $source $dest $priority"
 	save_command "run_ip rule add $source $dest $priority table $provider"
+	echo "qt ip rule del $source $dest $priority" >> ${VARDIR}/undo_routing

 	progress_message "Routing rule \"$rule\" $DONE"
    }
-
+    #
+    #  E x e c u t i o n    B e g i n s    H e r e
+    #
    local_number=255
    main_number=254
    default_number=253
@ -311,6 +317,15 @@ __EOF__
    save_command
    save_command "if [ -z \"\$NOROUTES\" ]; then"
    INDENT="$INDENT    "
+    indent >&3 << __EOF__
+#
+# Undo any changes made the last time that we [re]started
+#
+undo_routing
+echo "cp /etc/iproute2/rt_tables \${VARDIR}/"
+ip route ls | grep -E '^\s*(default |nexthop )' > ${VARDIR}default_route
+> \${VARDIR}/undo_routing
+__EOF__
    save_progress_message "Adding Providers..."
    save_command "DEFAULT_ROUTE="

--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -150,6 +150,21 @@ Other Changes in 3.3.4.
    command-processing code that is common to both /sbin/shorewall and
    /sbin/shorewall-lite.

+6)  Previously, Shorewall has not attempted to undo the changes it has
+    made to the firewall's routing as a result of entries in
+    /etc/shorewall/providers and /etc/shorewall/routes. Beginning with
+    this release, Shorewall will attempt to undo these changes.
+
+    If you use entries in /etc/shorewall/providers, you must exercise
+    care when installing this version of Shorewall in order to 
+    ensure that the firewall's routing be restored correctly.
+
+    When Shorewall starts or is restarted, it will capture the contents
+    of /etc/shorewall/rt_tables and will restore that database when
+    Shorewall is stopped or restarted. Similarly, the default route
+    will be captured the first time that you [re]start Shorewall using
+    this version.
+
 Migration Considerations:

 1)  Shorewall supports the notion of "default actions". A default