From ec8e01d09ce50886777d4b1aa5833bd224bc2064 Mon Sep 17 00:00:00 2001
From: teastep
Date: Sat, 11 Sep 2004 16:16:34 +0000
Subject: [PATCH] Add RETAIN_ALIASES option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1620 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall2/changelog.txt | 1 +
 Shorewall2/firewall | 25 ++++++++++++++++++-------
 Shorewall2/releasenotes.txt | 13 +++++++++++++
 Shorewall2/shorewall.conf | 15 +++++++++++++++
 4 files changed, 47 insertions(+), 7 deletions(-)

diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index eab70a2c3..b08840c2f 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -78,3 +78,4 @@ Changes since 2.0.3
 37) Fixed proxy arp flag setting for complex configurations.
+38) Added RETAIN_ALIASES option.
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 218f1e0fc..e69498247 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -2069,7 +2069,7 @@ setup_nat() {
 add_ip_aliases=
 ;;
 *)
- run_and_save_command qt ip addr del $external dev $iface
+ [ -n "$RETAIN_ALIASES" ] || run_and_save_command qt ip addr del $external dev $iface
 ;;
 esac
 else
@@ -2105,7 +2105,7 @@ setup_nat() {
 policyout="-m policy --pol none --dir out"
 fi
- save_progress_message "Restoring one-to-one NAT..."
+ [ -n "$RETAIN_ALIASES" ] || save_progress_message "Restoring one-to-one NAT..."
 while read external interface internal allints localnat; do
 expandv external interface internal allints localnat
@@ -4807,7 +4807,7 @@ setup_masq()
 if [ -n "$address" ]; then
 for addr in $(ip_range_explicit ${address%:*}) ; do
 if ! list_search $addr $aliases_to_add; then
- save_command qt ip addr del $addr dev $interface
+ [ -n "$RETAIN_ALIASES" ] || save_command qt ip addr del $addr dev $interface
 aliases_to_add="$aliases_to_add $addr $fullinterface"
 case $fullinterface in
 *:*)
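Review bot: Guarding `save_progress_message "Restoring one-to-one NAT..."` on RETAIN_ALIASES ties a restore-script progress message to an option that only decides whether existing addresses are deleted; the same guard is put on the masquerading message in the hunk at line 4980. As far as this diff shows, the RETAIN branch of do_one in add_ip_aliases (hunk at 5198) still saves an `ip addr add` into the restore script, so NAT addresses are still restored in that mode and the message stays accurate. Unless the intent is that nothing NAT-related is written to the restore file when RETAIN_ALIASES is set, which the other hunks do not implement, the two guards could be dropped or the reason recorded with a comment such as `# existing addresses are kept, so no restore-time message` above each. save_progress_message is defined outside the hunk, so what it writes is inferred, and setup_nat's body continues past the hunk.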
@@ -4980,7 +4980,10 @@ setup_masq()
 strip_file masq $1
- [ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" && save_progress_message "Restoring Masquerading/SNAT..."
+ if [ -n "$NAT_ENABLED" ]; then
+ echo "Masqueraded Networks and Hosts:"
+ [ -n "$RETAIN_ALIASES" ] || save_progress_message "Restoring Masquerading/SNAT..."
+ fi
 while read fullinterface networks addresses proto ports ipsec; do
 expandv fullinterface networks addresses proto ports ipsec
@@ -5198,7 +5201,14 @@ add_ip_aliases()
 do_one() {
 val=$(address_details)
- ensure_and_save_command ip addr add ${external}${val} dev $interface $label
+
+ if [ -n "$RETAIN_ALIASES" ]; then
+ run_ip addr add ${external}${val} dev $interface $label
+ save_command qt ip addr add ${external}${val} dev $interface $label
+ else
+ ensure_and_save_command ip addr add ${external}${val} dev $interface $label
+ fi
+
 echo "$external $interface" >> ${STATEDIR}/nat
 [ -n "$label" ] && label="with $label"
 progress_message " IP Address $external added to interface $interface $label"
@@ -6740,9 +6750,10 @@ do_initialize() {
 BRIDGING=
 DYNAMIC_ZONES=
 PKTTYPE=
+ RETAIN_ALIASES=
+
 RESTOREBASE=
 TMP_DIR=
- ALL_INTERFACES=
 stopping=
@@ -6914,7 +6925,7 @@ do_initialize() {
 DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
 PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
 STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED)
-
+ RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES)
 #
 # Strip the files that we use often
 #
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 73552bde2..4e85ea208 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
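Review bot: In the RETAIN_ALIASES branch of do_one (hunk at 5198), `run_ip addr add ${external}${val} dev $interface $label` runs unquieted against an address that, in the case this option exists for, is expected to be configured already, so `ip` will most likely reject the add as a duplicate; if run_ip treats a non-zero exit from ip as fatal (its definition is outside the hunk), a start with RETAIN_ALIASES=Yes would abort on the first retained address. The saved form of the same command is already `qt`'d, so the live call presumably needs the same tolerance, e.g. `qt ip addr add ${external}${val} dev $interface $label`, or a check that the address is present before adding. Worth a comment either way: with `save_command qt` the restore script now silently skips a failed add while the NAT rules that reference that address are still restored, which differs from what ensure_and_save_command did. add_ip_aliases and do_one continue outside the hunk.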
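Review bot: The removal of `ALL_INTERFACES=` from do_initialize (hunk at 6740) is unrelated to the RETAIN_ALIASES feature and is mentioned neither in the commit message nor in the changelog entry. If ALL_INTERFACES is still referenced elsewhere in the script, it is no longer cleared at initialisation, so a variable of that name inherited from the caller's environment would now reach the firewall script; if it is genuinely dead, the commit message should say so. The new `RETAIN_ALIASES=` line itself fits the surrounding block. do_initialize continues outside the hunk.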
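Review bot: The new `RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES)` line (hunk at 6914) replaces the blank line that separated the option-parsing block from the `# Strip the files that we use often` comment, so the two now run together. Keep the assignment and restore the blank line after it so the block boundary stays visible. The rest of do_initialize is outside the hunk.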
@@ -471,3 +471,16 @@ New Features:
 Marking using the CLASSIFY target always occurs in the POSTROUTING chain of the mangle table and is not affected by the setting of MARK_IN_FORWARD_CHAIN in shorewall.conf.
+
+16) During "shorewall start", IP addresses to be added as a consequence
+ of ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes are quietly deleted
+ when /etc/shorewall/nat and /etc/shorewall/masq are processed then
+ the are re-added later. This is done to help ensure that the
+ addresses can be added with the specified labels but can have
+ the undesirable side effect of causing routes to be quietly
+ deleted. A new RETAIN_ALIASES option has been added to
+ shorewall.conf; when this option is set to Yes, existing addresses
+ will not be deleted. Regardless of the setting of RETAIN_ALIASES,
+ addresses added during "shorewall start" are still deleted at a
+ subsequent "shorewall stop" or "shorewall restart".
+
diff --git a/Shorewall2/shorewall.conf b/Shorewall2/shorewall.conf
index a2399d5b2..65fad315b 100755
--- a/Shorewall2/shorewall.conf
+++ b/Shorewall2/shorewall.conf
@@ -333,6 +333,21 @@ ADD_IP_ALIASES=Yes
 #
 ADD_SNAT_ALIASES=No
+#
+# RETAIN EXISTING ALIASES/IP ADDRESSES
+#
+# Normally, when ADD_IP_ALIASES=Yes and/or ADD_SNAT_ALIASES=Yes then Shorewall
+# will first delete the address then re-add it. This is to ensure that the
+# address is added with the specified label. Unfortunately, this can cause
+# problems if it results in the deletion of the last IP address on an
+# interface because then all routes through the interface are automatically
+# removed.
+#
+# You can cause Shorewall to retain existing addresses by setting
+# RETAIN_ALIASES=Yes.
+#
+RETAIN_ALIASES=No
+
 #
 # ENABLE TRAFFIC SHAPING
 #