Undo the effects of NULL_ROUTE_RFC1918 during restart/stop
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8433 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
20db84ae13
commit
a16cd8f28e
@ -194,6 +194,68 @@ disable_critical_hosts()
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Undo changes to routing
|
||||
#
|
||||
undo_routing() {
|
||||
|
||||
#
|
||||
# Restore rt_tables database
|
||||
#
|
||||
if [ -f ${VARDIR}/rt_tables ]; then
|
||||
[ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
|
||||
rm -f ${VARDIR}/rt_tables
|
||||
fi
|
||||
#
|
||||
# Restore the rest of the routing table
|
||||
#
|
||||
if [ -f ${VARDIR}/undo_routing ]; then
|
||||
. ${VARDIR}/undo_routing
|
||||
progress_message "Shorewall-generated routing tables and routing rules removed"
|
||||
rm -f ${VARDIR}/undo_routing
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
restore_default_route() {
|
||||
if [ -f ${VARDIR}/default_route ]; then
|
||||
local default_route
|
||||
default_route=
|
||||
local route
|
||||
|
||||
while read route ; do
|
||||
case $route in
|
||||
default*)
|
||||
if [ -n "$default_route" ]; then
|
||||
case "$default_route" in
|
||||
*metric*)
|
||||
#
|
||||
# Don't restore a route with a metric -- we only replace the one with metric == 0
|
||||
#
|
||||
qt ip route delete default metric 0 && \
|
||||
progress_message "Default Route with metric 0 deleted"
|
||||
;;
|
||||
*)
|
||||
qt ip route replace $default_route && \
|
||||
progress_message "Default Route (${default_route# }) restored"
|
||||
;;
|
||||
esac
|
||||
|
||||
break
|
||||
fi
|
||||
|
||||
default_route="$default_route $route"
|
||||
;;
|
||||
*)
|
||||
default_route="$default_route $route"
|
||||
;;
|
||||
esac
|
||||
done < ${VARDIR}/default_route
|
||||
|
||||
rm -f ${VARDIR}/default_route
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Stop the Firewall
|
||||
#
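Review bot: `restore_default_route` only replays the accumulated `$default_route` when a second `default…` line is read (the `if [ -n "$default_route" ]` branch that ends in `break`), so if `${VARDIR}/default_route` holds a single default route — its producer is not in this hunk — the loop ends without any `ip route replace` and the saved file is then deleted; a final `[ -n "$default_route" ] && qt ip route replace $default_route` after `done < ${VARDIR}/default_route`, subject to the same `*metric*` check as inside the loop, would cover that case. In `undo_routing`, the writability test names `/etc/iproute2/rt_table` while the copy targets `/etc/iproute2/rt_tables`, so unless that singular file happens to exist the database is never restored; the test should read `[ -w /etc/iproute2/rt_tables ] && [ -z "$KEEP_RT_TABLES" ]` (two tests rather than the obsolescent `-a`). `. ${VARDIR}/undo_routing` executes whatever that file contains as root, so a comment above it such as `# undo_routing is written only by the generated firewall script; ${VARDIR} must not be writable by other users` would record the trust assumption this relies on.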
|
||||
@ -281,6 +343,9 @@ stop_firewall() {
|
||||
delete_proxy_arp
|
||||
[ -n "$CLEAR_TC" ] && delete_tc1
|
||||
|
||||
undo_routing
|
||||
restore_default_route
|
||||
|
||||
[ -n "$DISABLE_IPV6" ] && disable_ipv6
|
||||
|
||||
undo_routing
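Review bot: `undo_routing` is now called twice in `stop_firewall`: the newly added call just before `restore_default_route`, and the pre-existing one after `disable_ipv6` at the end of the hunk. The second call is harmless because the first already removes the `${VARDIR}/rt_tables` and `${VARDIR}/undo_routing` files it checks for, but it is redundant and obscures which position is the intended one; drop the call that is not. `stop_firewall` continues outside the hunk.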
|
||||
@ -486,9 +551,12 @@ NOLOCK=
|
||||
[ $# -gt 1 ] && [ "$1" = "nolock" ] && { NOLOCK=Yes; shift ; }
|
||||
|
||||
SHAREDIR=/usr/share/shorewall
|
||||
VARDIR=/var/lib/shorewall
|
||||
CONFDIR=/etc/shorewall
|
||||
|
||||
[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]
|
||||
|
||||
[ -n "${VARDIR:=/var/lib/shorewall}" ]
|
||||
|
||||
for library in lib.base lib.config; do
|
||||
FUNCTIONS=${SHAREDIR}/${library}
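Review bot: The line `[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]` has a stray closing `]` after the sourced filename; it does not close anything and is handed to the sourced file as an argument (bash, for one, makes it `$1` inside `vardir`), so the line should be `[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir`. Which lines of this hunk are added is inferred from the header counts, since the `+`/`-` markers are not preserved on this page. `[ -n "${VARDIR:=/var/lib/shorewall}" ]` relies on the side effect of a test; `: "${VARDIR:=/var/lib/shorewall}"` states the intent (default when unset or empty) directly. A short comment that `${CONFDIR}/vardir` is executed as shell by this root-run script, and so must be treated as configuration rather than data, would also help the next reader.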
|
||||
|
||||
|
@ -453,20 +453,19 @@ sub add_an_rtrule( $$$$ ) {
|
||||
progress_message " Routing rule \"$currentline\" $done";
|
||||
}
|
||||
|
||||
sub setup_providers() {
|
||||
#
|
||||
# This probably doesn't belong here but looking forward to the day when we get Shorewall out of the routing business,
|
||||
# it makes sense to keep all of the routing code together
|
||||
#
|
||||
if ( $config{NULL_ROUTE_RFC1918} ) {
|
||||
emit 'if [ -z "$NOROUTES" ]; then';
|
||||
push_indent;
|
||||
save_progress_message "Null Routing the RFC 1918 subnets";
|
||||
emit "run_ip route replace unreachable $_" for rfc1918_networks;
|
||||
pop_indent;
|
||||
emit "fi\n";
|
||||
}
|
||||
#
|
||||
# This probably doesn't belong here but looking forward to the day when we get Shorewall out of the routing business,
|
||||
# it makes sense to keep all of the routing code together
|
||||
#
|
||||
sub setup_null_routing() {
|
||||
save_progress_message "Null Routing the RFC 1918 subnets";
|
||||
for ( rfc1918_networks ) {
|
||||
emit( "run_ip route replace unreachable $_" );
|
||||
emit( "echo \"qt ip route del unreachable $_\" >> \${VARDIR}/undo_routing" );
|
||||
}
|
||||
}
|
||||
|
||||
sub setup_providers() {
|
||||
my $providers = 0;
|
||||
|
||||
my $fn = open_file 'providers';
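Review bot: `setup_null_routing` emits `echo "qt ip route del unreachable …" >> ${VARDIR}/undo_routing` for every network, appending to the undo file, so it is only correct when the generated script has truncated that file earlier in the same run; the no-providers call site in the `@@ -594` hunk does so with `> ${VARDIR}/undo_routing` immediately before the call, but the providers-branch call added at `@@ -586` has no visible initialization in this diff, so please confirm one is emitted earlier in that branch, otherwise undo commands accumulate across restarts. As a point of style, the loop body uses `$_` across two `emit` calls; naming it — `for my $net ( rfc1918_networks ) {` with `$net` in both strings — removes the risk of a callee clobbering `$_`. `setup_providers` continues outside the hunk.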
|
||||
@ -586,6 +585,7 @@ sub setup_providers() {
|
||||
}
|
||||
}
|
||||
|
||||
setup_null_routing if $config{NULL_ROUTE_RFC1918};
|
||||
emit "\nrun_ip route flush cache";
|
||||
pop_indent;
|
||||
emit "fi\n";
|
||||
@ -594,6 +594,22 @@ sub setup_providers() {
|
||||
} else {
|
||||
emit "\nundo_routing";
|
||||
emit 'restore_default_route';
|
||||
if ( $config{NULL_ROUTE_RFC1918} ) {
|
||||
emit "\nif [ -z \"\$NOROUTES\" ]; then";
|
||||
|
||||
push_indent;
|
||||
|
||||
emit ( '#',
|
||||
'# Initialize the file that holds \'undo\' commands',
|
||||
'#',
|
||||
'> ${VARDIR}/undo_routing' );
|
||||
setup_null_routing;
|
||||
emit "\nrun_ip route flush cache";
|
||||
|
||||
pop_indent;
|
||||
|
||||
emit "fi\n";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|