Beispiel #1
    def apply_default_rules(self, use_transaction=None):
        """Queue the default rules for all backends plus the IPv6 rpfilter rules.

        Args:
            use_transaction: Transaction to append the rules to. When it is
                None a FirewallTransaction is created here and executed
                before returning. A caller-supplied transaction is only
                filled by this method; executing it is left to the caller.
        """
        owns_transaction = use_transaction is None
        transaction = (FirewallTransaction(self) if owns_transaction
                       else use_transaction)

        for backend in ("ipv4", "ipv6", "eb"):
            self.__apply_default_rules(backend, transaction)

        # The reverse-path filter rules live in the ip6tables "raw" table;
        # the table lookup is skipped when the feature is switched off.
        rpfilter_wanted = (self.ipv6_rpfilter_enabled and
                           "raw" in self.get_available_tables("ipv6"))
        if rpfilter_wanted:
            # No ebtables.restore_noflush_option check is needed here,
            # because none of these rules goes through ebtables.
            rpfilter_at_2 = ["-I", "PREROUTING", "2", "-t", "raw",
                             "-m", "rpfilter", "--invert"]

            # Router advertisements are accepted ahead of the reverse-path
            # check.
            transaction.add_rule("ipv6", [
                "-I", "PREROUTING", "1", "-t", "raw", "-p", "ipv6-icmp",
                "--icmpv6-type=router-advertisement", "-j", "ACCEPT",
            ])  # RHBZ#1058505
            transaction.add_rule("ipv6", rpfilter_at_2 + ["-j", "DROP"])
            if self._log_denied != "off":
                # Inserted at position 2 after DROP, so LOG ends up in front
                # of DROP and the packet is logged before it is dropped.
                transaction.add_rule(
                    "ipv6",
                    rpfilter_at_2 + ["-j", "LOG",
                                     "--log-prefix", "rpfilter_DROP: "])

        if owns_transaction:
            transaction.execute(True)
Beispiel #2
    def apply_default_rules(self, use_transaction=None):
        """Add the per-backend default rules and the IPv6 rpfilter rules.

        Args:
            use_transaction: Existing transaction to extend. If None, this
                method creates its own FirewallTransaction and executes it
                at the end; a transaction passed in by the caller is left
                unexecuted.
        """
        if use_transaction is not None:
            transaction = use_transaction
        else:
            transaction = FirewallTransaction(self)

        for family in ("ipv4", "ipv6", "eb"):
            self.__apply_default_rules(family, transaction)

        if self.ipv6_rpfilter_enabled and \
           "raw" in self.get_available_tables("ipv6"):
            # ebtables.restore_noflush_option does not need to be checked:
            # every rule below is an ipv6 rule, ebtables is not involved.

            def insert_raw(position, *tail):
                """Queue an insert into the ipv6 raw PREROUTING chain."""
                transaction.add_rule(
                    "ipv6",
                    ["-I", "PREROUTING", position, "-t", "raw"] + list(tail))

            # Position 1: let router advertisements through before the
            # reverse-path check runs (RHBZ#1058505).
            insert_raw("1", "-p", "ipv6-icmp",
                       "--icmpv6-type=router-advertisement", "-j", "ACCEPT")
            insert_raw("2", "-m", "rpfilter", "--invert", "-j", "DROP")
            if self._log_denied != "off":
                # Also inserted at position 2, which pushes DROP down one
                # slot, so the LOG rule is evaluated first.
                insert_raw("2", "-m", "rpfilter", "--invert", "-j", "LOG",
                           "--log-prefix", "rpfilter_DROP: ")

        if use_transaction is None:
            transaction.execute(True)
Beispiel #3
    def apply_default_rules(self, use_transaction=None):
        """Apply the default rules, then try the IPv6 rpfilter rules separately.

        When rpfilter is enabled and the ipv6 "raw" table is available, the
        transaction is executed and cleared inside this method, even if the
        caller supplied it, and comes back empty. The rpfilter rules then
        run as a transaction of their own. A FirewallError from that second
        run is logged as a warning and not re-raised, so the default rules
        stay applied while reverse-path filtering may be absent; the warning
        is the only signal of that state.

        Args:
            use_transaction: Transaction to use. If None, a new
                FirewallTransaction is created; on the non-rpfilter path it
                is executed here only when it was created here.
        """
        owns_transaction = use_transaction is None
        transaction = (FirewallTransaction(self) if owns_transaction
                       else use_transaction)

        for backend in ("ipv4", "ipv6", "eb"):
            self.__apply_default_rules(backend, transaction)

        rpfilter_wanted = (self.ipv6_rpfilter_enabled and
                           "raw" in self.get_available_tables("ipv6"))
        if rpfilter_wanted:
            # Commit the default rules first; errors from this execute are
            # not caught here and propagate to the caller.
            transaction.execute(True)
            transaction.clear()

            # No ebtables.restore_noflush_option check is needed here,
            # because none of these rules goes through ebtables.
            rpfilter_at_2 = ["-I", "PREROUTING", "2", "-t", "raw",
                             "-m", "rpfilter", "--invert"]
            transaction.add_rule("ipv6", [
                "-I", "PREROUTING", "1", "-t", "raw", "-p", "ipv6-icmp",
                "--icmpv6-type=router-advertisement", "-j", "ACCEPT",
            ])  # RHBZ#1058505
            transaction.add_rule("ipv6", rpfilter_at_2 + ["-j", "DROP"])
            if self._log_denied != "off":
                # Inserted at position 2 after DROP, so LOG sits in front
                # of DROP in the final chain.
                transaction.add_rule(
                    "ipv6",
                    rpfilter_at_2 + ["-j", "LOG",
                                     "--log-prefix", "rpfilter_DROP: "])

            # The rpfilter transaction may fail; the failure is downgraded
            # to a warning instead of aborting.
            try:
                transaction.execute(True)
            except FirewallError as err:
                log.warning("Applying rules for ipv6_rpfilter failed: %s", err)
            # Leave the transaction empty for whoever uses it next.
            transaction.clear()
        elif owns_transaction:
            transaction.execute(True)
Beispiel #4
    def apply_default_rules(self, use_transaction=None):
        """Install the default rules and, best effort, the IPv6 rpfilter rules.

        If rpfilter is enabled and ip6tables offers a "raw" table, the
        default rules are executed first, errors from that step propagate,
        and the transaction is cleared. The rpfilter rules then run as a
        separate transaction. If that one raises FirewallError, only a
        warning is logged, so a host can end up with the default rules in
        place but no reverse-path filtering. Note that this path executes
        and clears a caller-supplied transaction as well.

        Args:
            use_transaction: Transaction to extend; None means create a
                FirewallTransaction here. Without the rpfilter step it is
                executed here only if it was created here.
        """
        if use_transaction is not None:
            transaction = use_transaction
        else:
            transaction = FirewallTransaction(self)

        for family in ("ipv4", "ipv6", "eb"):
            self.__apply_default_rules(family, transaction)

        if self.ipv6_rpfilter_enabled and \
           "raw" in self.get_available_tables("ipv6"):

            # Flush what has been queued so far, then reuse the transaction.
            transaction.execute(True)
            transaction.clear()

            # ebtables.restore_noflush_option does not need to be checked:
            # every rule below is an ipv6 rule, ebtables is not involved.

            def insert_raw(position, *tail):
                """Queue an insert into the ipv6 raw PREROUTING chain."""
                transaction.add_rule(
                    "ipv6",
                    ["-I", "PREROUTING", position, "-t", "raw"] + list(tail))

            # Position 1: router advertisements are accepted ahead of the
            # reverse-path check (RHBZ#1058505).
            insert_raw("1", "-p", "ipv6-icmp",
                       "--icmpv6-type=router-advertisement", "-j", "ACCEPT")
            insert_raw("2", "-m", "rpfilter", "--invert", "-j", "DROP")
            if self._log_denied != "off":
                # Same position as DROP, inserted later, so LOG is
                # evaluated before DROP.
                insert_raw("2", "-m", "rpfilter", "--invert", "-j", "LOG",
                           "--log-prefix", "rpfilter_DROP: ")

            # Executing the rpfilter rules might fail; that failure is
            # logged and swallowed.
            try:
                transaction.execute(True)
            except FirewallError as failure:
                log.warning("Applying rules for ipv6_rpfilter failed: %s",
                            failure)
            # Hand back an empty transaction.
            transaction.clear()

        elif use_transaction is None:
            transaction.execute(True)