def apply_default_rules(self, use_transaction=None):
if use_transaction is None:
transaction = FirewallTransaction(self)
else:
transaction = use_transaction
for backend in self.enabled_backends():
rules = backend.build_default_rules(self._log_denied)
transaction.add_rules(backend, rules)
ipv6_backend = self.get_backend_by_ipv("ipv6")
if self.ipv6_rpfilter_enabled and \
"raw" in ipv6_backend.get_available_tables():
# Execute existing transaction
transaction.execute(True)
# Start new transaction
transaction.clear()
rules = ipv6_backend.build_rpfilter_rules(self._log_denied)
transaction.add_rules(ipv6_backend, rules)
# Execute ipv6_rpfilter transaction, it might fail
try:
transaction.execute(True)
except FirewallError as msg:
log.warning("Applying rules for ipv6_rpfilter failed: %s", msg)
# Start new transaction
transaction.clear()
else:
if use_transaction is None:
transaction.execute(True)
def apply_default_tables(self, use_transaction=None):
if use_transaction is None:
transaction = FirewallTransaction(self)
else:
transaction = use_transaction
for backend in self.enabled_backends():
transaction.add_rules(backend, backend.build_default_tables())
if use_transaction is None:
transaction.execute(True)
def set_policy(self, policy, use_transaction=None):
if use_transaction is None:
transaction = FirewallTransaction(self)
else:
transaction = use_transaction
log.debug1("Setting policy to '%s'", policy)
for backend in self.enabled_backends():
rules = backend.build_set_policy_rules(policy)
transaction.add_rules(backend, rules)
if use_transaction is None:
transaction.execute(True)
def flush(self, use_transaction=None):
if use_transaction is None:
transaction = FirewallTransaction(self)
else:
transaction = use_transaction
log.debug1("Flushing rule set")
for backend in self.all_backends():
rules = backend.build_flush_rules()
transaction.add_rules(backend, rules)
if use_transaction is None:
transaction.execute(True)
def apply_default_rules(self, use_transaction=None):
if use_transaction is None:
transaction = FirewallTransaction(self)
else:
transaction = use_transaction
for backend in self.enabled_backends():
rules = backend.build_default_rules(self._log_denied)
transaction.add_rules(backend, rules)
ipv6_backend = self.get_backend_by_ipv("ipv6")
if "raw" in ipv6_backend.get_available_tables():
if self.ipv6_rpfilter_enabled:
rules = ipv6_backend.build_rpfilter_rules(self._log_denied)
transaction.add_rules(ipv6_backend, rules)
if self._rfc3964_ipv4:
# Flush due to iptables-restore (nftables) bug tiggered when
# specifying same index multiple times in same batch
# rhbz 1647925
transaction.execute(True)
transaction.clear()
rules = ipv6_backend.build_rfc3964_ipv4_rules()
transaction.add_rules(ipv6_backend, rules)
else:
if use_transaction is None:
transaction.execute(True)
def apply_default_rules(self, use_transaction=None):
if use_transaction is None:
transaction = FirewallTransaction(self)
else:
transaction = use_transaction
for backend in self.enabled_backends():
rules = backend.build_default_rules(self._log_denied)
transaction.add_rules(backend, rules)
if self.is_ipv_enabled("ipv6"):
ipv6_backend = self.get_backend_by_ipv("ipv6")
if "raw" in ipv6_backend.get_available_tables():
if self.ipv6_rpfilter_enabled:
rules = ipv6_backend.build_rpfilter_rules(self._log_denied)
transaction.add_rules(ipv6_backend, rules)
if self.is_ipv_enabled("ipv6") and self._rfc3964_ipv4:
rules = ipv6_backend.build_rfc3964_ipv4_rules()
transaction.add_rules(ipv6_backend, rules)
if use_transaction is None:
transaction.execute(True)