diff --git a/Shorewall-common/firewall b/Shorewall-common/firewall
index ccd269bc7..ce573b7f3 100755
--- a/Shorewall-common/firewall
+++ b/Shorewall-common/firewall
@@ -194,6 +194,68 @@ disable_critical_hosts()
     done
 }
+#
+# Undo changes to routing
+#
+undo_routing() {
+
+    #
+    # Restore rt_tables database
+    #
+    if [ -f ${VARDIR}/rt_tables ]; then
+        [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
+        rm -f ${VARDIR}/rt_tables
+    fi
+    #
+    # Restore the rest of the routing table
+    #
+    if [ -f ${VARDIR}/undo_routing ]; then
+        . ${VARDIR}/undo_routing
+        progress_message "Shorewall-generated routing tables and routing rules removed"
+        rm -f ${VARDIR}/undo_routing
+    fi
+
+}
+
+restore_default_route() {
+    if [ -f ${VARDIR}/default_route ]; then
+        local default_route
+        default_route=
+        local route
+
+        while read route ; do
+            case $route in
+                default*)
+                    if [ -n "$default_route" ]; then
+                        case "$default_route" in
+                            *metric*)
+                                #
+                                # Don't restore a route with a metric -- we only replace the one with metric == 0
+                                #
+                                qt ip route delete default metric 0 && \
+                                progress_message "Default Route with metric 0 deleted"
+                                ;;
+                            *)
+                                qt ip route replace $default_route && \
+                                progress_message "Default Route (${default_route# }) restored"
+                                ;;
+                        esac
+
+                        break
+                    fi
+
+                    default_route="$default_route $route"
+                    ;;
+                *)
+                    default_route="$default_route $route"
+                    ;;
+            esac
+        done < ${VARDIR}/default_route
+
+        rm -f ${VARDIR}/default_route
+    fi
+}
+
 #
 # Stop the Firewall
 #
@@ -281,6 +343,9 @@ stop_firewall() {
     delete_proxy_arp
     [ -n "$CLEAR_TC" ] && delete_tc1
+    undo_routing
+    restore_default_route
+    [ -n "$DISABLE_IPV6" ] && disable_ipv6
     undo_routing
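Review bot: The writability test in the new undo_routing checks `/etc/iproute2/rt_table` (no trailing `s`) while the copy that follows targets `rt_tables` in the same directory; unless a file by that exact name exists, `-w` is always false and the saved database is silently never restored. The line should read `[ -w /etc/iproute2/rt_tables -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"`. Separately, restore_default_route only acts on the accumulated `$default_route` when a second line starting with `default` is read, so a `${VARDIR}/default_route` holding a single default route leaves the loop with nothing restored — worth confirming against how that file is written, which is outside this diff.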
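Review bot: On the new side stop_firewall calls `undo_routing` twice — the added call ahead of `restore_default_route` and the pre-existing one on the hunk's last context line. The second call is a no-op once the first has removed `${VARDIR}/undo_routing` and `${VARDIR}/rt_tables`, so it should be dropped rather than left to suggest that routing is undone after `disable_ipv6`. stop_firewall begins and ends outside this hunk.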
@@ -486,9 +551,12 @@ NOLOCK=
 [ $# -gt 1 ] && [ "$1" = "nolock" ] && { NOLOCK=Yes; shift ; }
 SHAREDIR=/usr/share/shorewall
-VARDIR=/var/lib/shorewall
 CONFDIR=/etc/shorewall
+[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]
+
+[ -n "${VARDIR:=/var/lib/shorewall}" ]
+
 for library in lib.base lib.config; do
     FUNCTIONS=${SHAREDIR}/${library}
diff --git a/Shorewall-perl/Shorewall/Providers.pm b/Shorewall-perl/Shorewall/Providers.pm
index 0cf979900..5f9737876 100644
--- a/Shorewall-perl/Shorewall/Providers.pm
+++ b/Shorewall-perl/Shorewall/Providers.pm
@@ -453,20 +453,19 @@ sub add_an_rtrule( $$$$ ) {
     progress_message " Routing rule \"$currentline\" $done";
 }
-sub setup_providers() {
-    #
-    # This probably doesn't belong here but looking forward to the day when we get Shorewall out of the routing business,
-    # it makes sense to keep all of the routing code together
-    #
-    if ( $config{NULL_ROUTE_RFC1918} ) {
-        emit 'if [ -z "$NOROUTES" ]; then';
-        push_indent;
-        save_progress_message "Null Routing the RFC 1918 subnets";
-        emit "run_ip route replace unreachable $_" for rfc1918_networks;
-        pop_indent;
-        emit "fi\n";
-    }
+#
+# This probably doesn't belong here but looking forward to the day when we get Shorewall out of the routing business,
+# it makes sense to keep all of the routing code together
+#
+sub setup_null_routing() {
+    save_progress_message "Null Routing the RFC 1918 subnets";
+    for ( rfc1918_networks ) {
+        emit( "run_ip route replace unreachable $_" );
+        emit( "echo \"qt ip route del unreachable $_\" >> \${VARDIR}/undo_routing" );
+    }
+}
+
+sub setup_providers() {
     my $providers = 0;
     my $fn = open_file 'providers';
@@ -586,6 +585,7 @@ sub setup_providers() {
         }
     }
+    setup_null_routing if $config{NULL_ROUTE_RFC1918};
     emit "\nrun_ip route flush cache";
     pop_indent;
     emit "fi\n";
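Review bot: The added line `[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]` carries a stray trailing `]`; it is not a syntax error, the `]` is just handed to the sourced file as a positional argument, so the mistake goes unnoticed — it should read `[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir`. The defaulting line `[ -n "${VARDIR:=/var/lib/shorewall}" ]` relies on the side effect of the expansion inside a test whose result is discarded; the conventional spelling is `: "${VARDIR:=/var/lib/shorewall}"`. Since `${VARDIR}/undo_routing` is later executed with `.` (the hunk at -194), a value taken from `vardir` is effectively a path from which shell code is run, so rejecting anything that is not an absolute path to a root-owned directory would make that assumption explicit; the file lives under /etc, so this is presumably already the case, but nothing on the page checks it.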
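Review bot: The only comment on the new setup_null_routing is the relocated remark about where the code belongs, while the contract has changed from what the removed block did: the sub no longer emits the `NOROUTES` guard itself and it appends undo commands to `${VARDIR}/undo_routing`, so every caller must supply the guard and have initialised that file first. A header comment such as `# Emit the RFC 1918 null routes plus matching undo commands; callers must already have emitted the NOROUTES guard and initialised ${VARDIR}/undo_routing.` would record that. As a point of style, `for ( rfc1918_networks )` could name its variable — `for my $net ( rfc1918_networks )` — since `$_` is interpolated into two separate strings.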
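Review bot: `setup_null_routing if $config{NULL_ROUTE_RFC1918};` now depends on the enclosing block for two things the removed code provided itself: the `if [ -z "$NOROUTES" ]` guard around the emitted null routes, and an initialised `${VARDIR}/undo_routing` to append the undo commands to. Neither is visible in this hunk; if the `fi` emitted on the hunk's last line does not close the NOROUTES guard, the null routes would be installed even when routes are disabled, and if nothing earlier in this branch truncates the undo file its contents accumulate across runs — both worth confirming in the surrounding code. setup_providers starts well before this hunk and continues after it.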
@@ -594,6 +594,22 @@ sub setup_providers() {
 } else {
     emit "\nundo_routing";
     emit 'restore_default_route';
+    if ( $config{NULL_ROUTE_RFC1918} ) {
+        emit "\nif [ -z \"\$NOROUTES\" ]; then";
+
+        push_indent;
+
+        emit ( '#',
+               '# Initialize the file that holds \'undo\' commands',
+               '#',
+               '> ${VARDIR}/undo_routing' );
+        setup_null_routing;
+        emit "\nrun_ip route flush cache";
+
+        pop_indent;
+
+        emit "fi\n";
+    }
 }
 }
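Review bot: `emit "\nif [ -z \"\$NOROUTES\" ]; then";` needs three escapes to express shell text that the code this commit removes wrote without any, as `emit 'if [ -z "$NOROUTES" ]; then';`; keeping the single-quoted form here, with the leading blank line emitted separately, reads more easily — e.g. `emit( '', 'if [ -z "$NOROUTES" ]; then' )`, assuming `emit` prints an empty argument as a blank line the way the `\n` prefix intends. The following `emit ( '#',` also puts a space before the paren where `setup_null_routing` in this same commit writes `emit(`; one spelling should be used. The ordering itself looks right: the generated `undo_routing` removes the old undo file before `> ${VARDIR}/undo_routing` recreates it.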