diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index f76c4fda6..8e0d593c1 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -16,6 +16,8 @@ Changes in 3.3.4 8) Add lib.cli. +9) Attempt to undo routing changes. + Changes in 3.3.3 1) Fix excluding in SUBNET column. diff --git a/Shorewall/compiler b/Shorewall/compiler index 54c4a9e20..3f8693a1f 100755 --- a/Shorewall/compiler +++ b/Shorewall/compiler @@ -4722,6 +4722,8 @@ __EOF__ [ -n "$DISABLE_IPV6" ] && save_command "disable_ipv6" + save_command "undo_routing" + process_criticalhosts if [ -n "$CRITICALHOSTS" ]; then diff --git a/Shorewall/firewall b/Shorewall/firewall index 890a2038b..2c1d9da96 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -303,6 +303,8 @@ stop_firewall() { [ -n "$DISABLE_IPV6" ] && disable_ipv6 + undo_routing + process_criticalhosts if [ -n "$CRITICALHOSTS" ]; then diff --git a/Shorewall/lib.base b/Shorewall/lib.base index e57e3b521..54ce6d425 100644 --- a/Shorewall/lib.base +++ b/Shorewall/lib.base @@ -1281,3 +1281,45 @@ get_device_mtu() # $1 = device echo 1500 fi } + +# +# Undo changes to routing +# +undo_routing() { + # + # Restore rt_tables database + # + if [ -f ${VARDIR}/rt_tables ]; then + cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored" + rm -f ${VARDIR}/rt_tables + fi + # + # Restore the default route + # + if [ -f ${VARDIR}/default_route ]; then + local default_route="$(sed 's/\n/ /' ${VARDIR}/default_route)" + + case "$default_route" in + default*default) + default_route="${default_route%% default*}" + ;; + esac + + qt ip route replace $default_route + + progress_message "Default Route ($default_route) restored" + + rm -f ${VARDIR}/default_route + fi + # + # Restore the rest of the routing table + # + if [ -f ${VARDIR}/undo_routing; then + . undo_routing + progress_message "Shorewall-generated routing tables and routing rules removed" + rm -f ${VARDIR}/undo_routing + fi +} + + + 
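Review bot: In the last branch of undo_routing (lib.base hunk), `if [ -f ${VARDIR}/undo_routing; then` is missing the closing `]`, so the test fails with "missing ]" and the undo file is never sourced; the line after it, `. undo_routing`, sources an unqualified name relative to the current working directory rather than the file the branch then deletes with `rm -f ${VARDIR}/undo_routing`, which both misses the intended file and executes whatever stray file of that name sits in the cwd with the firewall's privileges. The two lines should read `if [ -f ${VARDIR}/undo_routing ]; then` and `. ${VARDIR}/undo_routing`. Separately, `sed 's/\n/ /'` in the default-route branch is a no-op because sed never holds the line terminator in its pattern space; the lines captured from `ip route ls` are only joined by word-splitting of the unquoted `$default_route`, so the progress message still carries embedded newlines and `tr '\n' ' '` would express what the comment intends.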
diff --git a/Shorewall/lib.providers b/Shorewall/lib.providers index 213de157d..013299d7f 100644 --- a/Shorewall/lib.providers +++ b/Shorewall/lib.providers @@ -123,6 +123,8 @@ __EOF__ save_command "qt ip route flush table $number" + echo "qt ip route flush table $number" >> ${VARDIR}/undo_routing + if [ "x${duplicate:=-}" != x- ]; then if [ "x${copy:=-}" != "x-" ]; then if [ "x${copy}" = xnone ]; then @@ -174,6 +176,7 @@ __EOF__ save_command "qt ip rule del fwmark $mark" save_command "run_ip rule add fwmark $mark pref $((10000 + $mark)) table $number" + echo "qt ip rule del fwmark $mark" >> ${VARDIR}/undo_routing fi loose= @@ -297,10 +300,13 @@ __EOF__ save_command "qt ip rule del $source $dest $priority" save_command "run_ip rule add $source $dest $priority table $provider" + echo "qt ip rule del $source $dest $priority" >> ${VARDIR}/undo_routing progress_message "Routing rule \"$rule\" $DONE" } - + # + # E x e c u t i o n B e g i n s H e r e + # local_number=255 main_number=254 default_number=253 @@ -311,6 +317,15 @@ __EOF__ save_command save_command "if [ -z \"\$NOROUTES\" ]; then" INDENT="$INDENT " + indent >&3 << __EOF__ +# +# Undo any changes made the last time that we [re]started +# +undo_routing +echo "cp /etc/iproute2/rt_tables \${VARDIR}/" +ip route ls | grep -E '^\s*(default |nexthop )' > ${VARDIR}default_route +> \${VARDIR}/undo_routing +__EOF__ save_progress_message "Adding Providers..." save_command "DEFAULT_ROUTE=" diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index cc9354577..d21ae0058 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
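Review bot: The added `echo "qt ip route flush table $number" >> ${VARDIR}/undo_routing` runs while the compiler processes the providers file, not when the generated script runs, unlike the `save_command` call beside it that writes the flush into the script; the same applies to the `echo ... >> ${VARDIR}/undo_routing` lines in the @@ -174 and @@ -297 hunks. As far as the diff shows, the generated script later truncates the file with `> ${VARDIR}/undo_routing` (the @@ -311 hunk), which would discard the entries written at compile time before anything is undone, and if compilation happens on a different host than the firewall (the shorewall-lite case mentioned in the release notes) they land in the wrong VARDIR altogether. Emitting the append into the script, e.g. `save_command "echo \"qt ip route flush table $number\" >> \${VARDIR}/undo_routing"`, keeps the undo file in step with the rules actually installed.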
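Review bot: In the `indent >&3` here-document of the @@ -311 hunk, the capture line writes to `${VARDIR}default_route`: `${VARDIR}` is unescaped, so it is expanded in the compiler rather than in the generated script like the `\${VARDIR}` on the line below, and the missing `/` yields a path that undo_routing, which reads `${VARDIR}/default_route`, will never find. The line above it, `echo "cp /etc/iproute2/rt_tables \${VARDIR}/"`, prints the copy command instead of executing it, so the rt_tables database is not saved either and the restore branch in undo_routing has nothing to restore; presumably the `echo` is a leftover. The two lines should read `cp /etc/iproute2/rt_tables \${VARDIR}/` and `ip route ls | grep -E '^\s*(default |nexthop )' > \${VARDIR}/default_route`.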
@@ -150,6 +150,21 @@ Other Changes in 3.3.4. command-processing code that is common to both /sbin/shorewall and /sbin/shorewall-lite. +6) Previously, Shorewall has not attempted to undo the changes it has + made to the firewall's routing as a result of entries in + /etc/shorewall/providers and /etc/shorewall/routes. Beginning with + this release, Shorewall will attempt to undo these changes. + + If you use entries in /etc/shorewall/providers, you must exercise + care when installing this version of Shorewall in order to + ensure that the firewall's routing be restored correctly. + + When Shorewall starts or is restarted, it will capture the contents + of /etc/shorewall/rt_tables and will restore that database when + Shorewall is stopped or restarted. Similarly, the default route + will be captured the first time that you [re]start Shorewall using + this version. + Migration Considerations: 1) Shorewall supports the notion of "default actions". A default