Add RETAIN_ALIASES option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1620 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-06-24 11:41:26 +02:00 · 2004-09-11 16:16:34 +00:00 · 2004-09-11 16:16:34 +00:00 · ec8e01d09c
commit ec8e01d09c
parent 648b09ea1a
4 changed files with 47 additions and 7 deletions
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@ -78,3 +78,4 @@ Changes since 2.0.3

 37) Fixed proxy arp flag setting for complex configurations.

+38) Added RETAIN_ALIASES option.
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -2069,7 +2069,7 @@ setup_nat() {
 		    add_ip_aliases=
 		    ;;
 		*)
-		    run_and_save_command qt ip addr del $external dev $iface
+		    [ -n "$RETAIN_ALIASES" ] || run_and_save_command qt ip addr del $external dev $iface
 		    ;;
 	    esac
 	else
@ -2105,7 +2105,7 @@ setup_nat() {
 	policyout="-m policy --pol none --dir out"
    fi

-    save_progress_message "Restoring one-to-one NAT..."
+    [ -n "$RETAIN_ALIASES" ] || save_progress_message "Restoring one-to-one NAT..."

    while read external interface internal allints localnat; do
 	expandv external interface internal allints localnat
@ -4807,7 +4807,7 @@ setup_masq()
 		if [ -n "$address" ]; then
 		    for addr in $(ip_range_explicit ${address%:*}) ; do
 			if ! list_search $addr $aliases_to_add; then
-			    save_command qt ip addr del $addr dev $interface 
+			    [ -n "$RETAIN_ALIASES" ] || save_command qt ip addr del $addr dev $interface 
 			    aliases_to_add="$aliases_to_add $addr $fullinterface"
 			    case $fullinterface in 
 				*:*)
@ -4980,7 +4980,10 @@ setup_masq()

    strip_file masq $1

-    [ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" && save_progress_message "Restoring Masquerading/SNAT..."
+    if [ -n "$NAT_ENABLED" ]; then
+	echo "Masqueraded Networks and Hosts:"
+	[ -n "$RETAIN_ALIASES" ] || save_progress_message "Restoring Masquerading/SNAT..."
+    fi

    while read fullinterface networks addresses proto ports ipsec; do
 	expandv fullinterface networks addresses proto ports ipsec
@ -5198,7 +5201,14 @@ add_ip_aliases()
    do_one()
    {
 	val=$(address_details)
-	ensure_and_save_command ip addr add ${external}${val} dev $interface $label
+
+	if [ -n "$RETAIN_ALIASES" ]; then
+	    run_ip addr add ${external}${val} dev $interface $label
+	    save_command qt ip addr add ${external}${val} dev $interface $label
+	else
+	    ensure_and_save_command ip addr add ${external}${val} dev $interface $label
+	fi
+
 	echo "$external $interface" >> ${STATEDIR}/nat
 	[ -n "$label" ] && label="with $label"
 	progress_message "   IP Address $external added to interface $interface $label"
@ -6740,9 +6750,10 @@ do_initialize() {
    BRIDGING=
    DYNAMIC_ZONES=
    PKTTYPE=
+    RETAIN_ALIASES=
+
    RESTOREBASE=
    TMP_DIR=
-
    ALL_INTERFACES=

    stopping=
@ -6914,7 +6925,7 @@ do_initialize() {
    DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
    PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
    STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED)
-
+    RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES)
    #
    # Strip the files that we use often
    #
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@ -471,3 +471,16 @@ New Features:
    Marking using the CLASSIFY target always occurs in the POSTROUTING
    chain of the mangle table and is not affected by the setting of
    MARK_IN_FORWARD_CHAIN in shorewall.conf.
+
+16) During "shorewall start", IP addresses to be added as a consequence
+    of ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes are quietly deleted
+    when /etc/shorewall/nat and /etc/shorewall/masq are processed then
+    the are re-added later. This is done to help ensure that the
+    addresses can be added with the specified labels but can have
+    the undesirable side effect of causing routes to be quietly
+    deleted. A new RETAIN_ALIASES option has been added to
+    shorewall.conf; when this option is set to Yes, existing addresses
+    will not be deleted. Regardless of the setting of RETAIN_ALIASES,
+    addresses added during "shorewall start" are still deleted at a
+    subsequent "shorewall stop" or "shorewall restart".
+
--- a/Shorewall2/shorewall.conf
+++ b/Shorewall2/shorewall.conf
@ -333,6 +333,21 @@ ADD_IP_ALIASES=Yes
 #
 ADD_SNAT_ALIASES=No

+#
+# RETAIN EXISTING ALIASES/IP ADDRESSES
+#
+# Normally, when ADD_IP_ALIASES=Yes and/or ADD_SNAT_ALIASES=Yes then Shorewall
+# will first delete the address then re-add it. This is to ensure that the
+# address is added with the specified label. Unfortunately, this can cause
+# problems if it results in the deletion of the last IP address on an
+# interface because then all routes through the interface are automatically 
+# removed.
+#
+# You can cause Shorewall to retain existing addresses by setting
+# RETAIN_ALIASES=Yes. 
+#
+RETAIN_ALIASES=No
+
 #
 # ENABLE TRAFFIC SHAPING
 #