def apply_default_rules(self, use_transaction=None):
    """Queue the default rule set and, if enabled, the IPv6 rpfilter rules.

    The per-family defaults for "ipv4", "ipv6" and "eb" are added through
    ``__apply_default_rules``.  When ``ipv6_rpfilter_enabled`` is set and the
    ipv6 "raw" table is available, reverse-path filter rules are appended to
    the same transaction.

    Args:
        use_transaction: Transaction to add the rules to.  When ``None`` a
            new ``FirewallTransaction`` is created and executed here; a
            caller-supplied transaction is only filled, never executed.

    NOTE(review): the rpfilter rules share one transaction with the default
    rules, so whatever ``execute()`` does when one of them is rejected
    applies to the whole batch -- confirm whether a host without rpfilter
    match support should lose its default rules as well.
    """
    owns_transaction = use_transaction is None
    transaction = FirewallTransaction(self) if owns_transaction else use_transaction

    for family in ("ipv4", "ipv6", "eb"):
        self.__apply_default_rules(family, transaction)

    if self.ipv6_rpfilter_enabled and "raw" in self.get_available_tables("ipv6"):
        # No ebtables.restore_noflush_option check is needed: ebtables is
        # not involved in any of the rules below.

        # Accept router advertisements ahead of the rpfilter check
        # (RHBZ#1058505).
        accept_router_adv = [
            "-I", "PREROUTING", "1", "-t", "raw",
            "-p", "ipv6-icmp",
            "--icmpv6-type=router-advertisement",
            "-j", "ACCEPT",
        ]
        # Drop packets that fail the reverse-path check.
        drop_failed_rpfilter = [
            "-I", "PREROUTING", "2", "-t", "raw",
            "-m", "rpfilter", "--invert", "-j", "DROP",
        ]
        transaction.add_rule("ipv6", accept_router_adv)
        transaction.add_rule("ipv6", drop_failed_rpfilter)

        if self._log_denied != "off":
            # Also inserted at position 2, i.e. in front of the DROP rule
            # added just above (assuming rules are applied in the order
            # they were added), so the packet is logged before it is dropped.
            log_failed_rpfilter = [
                "-I", "PREROUTING", "2", "-t", "raw",
                "-m", "rpfilter", "--invert",
                "-j", "LOG",
                "--log-prefix", "rpfilter_DROP: ",
            ]
            transaction.add_rule("ipv6", log_failed_rpfilter)

    if owns_transaction:
        transaction.execute(True)
def apply_default_rules(self, use_transaction=None):
    """Add the default rules, plus IPv6 reverse-path filtering when enabled.

    ``__apply_default_rules`` is called once each for "ipv4", "ipv6" and
    "eb".  If ``ipv6_rpfilter_enabled`` is true and "raw" is among the
    available ipv6 tables, the rpfilter rules are added to that same
    transaction.

    Args:
        use_transaction: Existing transaction to extend.  If ``None``, a
            fresh ``FirewallTransaction`` is built and executed before
            returning; a transaction passed in is left for the caller to
            execute.

    NOTE(review): default rules and rpfilter rules are executed as one
    batch here; verify how ``execute()`` treats the batch when the kernel
    rejects the rpfilter match, since that decides whether the defaults
    are applied at all.
    """

    def raw_prerouting(position, *spec):
        # Every rule below is inserted into PREROUTING of the raw table.
        return ["-I", "PREROUTING", position, "-t", "raw"] + list(spec)

    if use_transaction is not None:
        transaction = use_transaction
    else:
        transaction = FirewallTransaction(self)

    for backend in ["ipv4", "ipv6", "eb"]:
        self.__apply_default_rules(backend, transaction)

    rpfilter_applicable = (
        self.ipv6_rpfilter_enabled
        and "raw" in self.get_available_tables("ipv6")
    )
    if rpfilter_applicable:
        # ebtables plays no part here, so there is no need to check
        # ebtables.restore_noflush_option.

        # RHBZ#1058505: router advertisements are accepted at position 1,
        # ahead of the rpfilter rules at position 2.
        transaction.add_rule("ipv6", raw_prerouting(
            "1",
            "-p", "ipv6-icmp",
            "--icmpv6-type=router-advertisement",
            "-j", "ACCEPT"))
        transaction.add_rule("ipv6", raw_prerouting(
            "2", "-m", "rpfilter", "--invert", "-j", "DROP"))
        if self._log_denied != "off":
            # Same insert position as the DROP rule, which was added
            # first; presumably this puts LOG directly in front of DROP
            # so denied packets are logged before they are discarded.
            transaction.add_rule("ipv6", raw_prerouting(
                "2", "-m", "rpfilter", "--invert",
                "-j", "LOG",
                "--log-prefix", "rpfilter_DROP: "))

    if use_transaction is None:
        transaction.execute(True)
def apply_default_rules(self, use_transaction=None):
    """Apply the default rules, then the IPv6 rpfilter rules as a separate step.

    ``__apply_default_rules`` fills the transaction for "ipv4", "ipv6" and
    "eb".  What happens next depends on whether ``ipv6_rpfilter_enabled``
    is set and the ipv6 "raw" table is available:

    * rpfilter not applicable: the transaction is executed only if it was
      created here (``use_transaction is None``).
    * rpfilter applicable: the transaction is executed and cleared
      immediately, even when it was supplied by the caller, and the
      rpfilter rules are then executed as a batch of their own.  The
      transaction is cleared again before returning.

    Args:
        use_transaction: Transaction to use; ``None`` creates a new
            ``FirewallTransaction``.

    Security note: a ``FirewallError`` from the rpfilter batch is logged as
    a warning and not re-raised, so the firewall keeps running without
    IPv6 reverse-path filtering.  Deployments that rely on it should alert
    on the "Applying rules for ipv6_rpfilter failed" log line.
    """
    transaction = use_transaction
    if transaction is None:
        transaction = FirewallTransaction(self)

    for family in ("ipv4", "ipv6", "eb"):
        self.__apply_default_rules(family, transaction)

    rpfilter_usable = (
        self.ipv6_rpfilter_enabled
        and "raw" in self.get_available_tables("ipv6")
    )
    if not rpfilter_usable:
        # Nothing else to add; only a transaction created here is executed.
        if use_transaction is None:
            transaction.execute(True)
        return

    # Execute the rules queued so far on their own, so that a failure of
    # the rpfilter rules below cannot take them down too, then start over
    # with an empty transaction.
    transaction.execute(True)
    transaction.clear()

    # No ebtables.restore_noflush_option check is needed: ebtables is not
    # used for any of the following rules.
    raw_insert_first = ["-I", "PREROUTING", "1", "-t", "raw"]
    raw_insert_second = ["-I", "PREROUTING", "2", "-t", "raw"]
    rpfilter_failed = ["-m", "rpfilter", "--invert"]

    # RHBZ#1058505: accept router advertisements before the rpfilter check.
    transaction.add_rule(
        "ipv6",
        raw_insert_first + [
            "-p", "ipv6-icmp",
            "--icmpv6-type=router-advertisement",
            "-j", "ACCEPT",
        ],
    )
    transaction.add_rule(
        "ipv6", raw_insert_second + rpfilter_failed + ["-j", "DROP"]
    )
    if self._log_denied != "off":
        # Inserted at position 2 after the DROP rule was, so LOG should end
        # up in front of DROP (assuming rules are applied in add order).
        transaction.add_rule(
            "ipv6",
            raw_insert_second + rpfilter_failed + [
                "-j", "LOG",
                "--log-prefix", "rpfilter_DROP: ",
            ],
        )

    # The rpfilter batch is best effort: it might fail, and a failure is
    # reported without being propagated.
    try:
        transaction.execute(True)
    except FirewallError as msg:
        log.warning("Applying rules for ipv6_rpfilter failed: %s", msg)
    # Leave an empty transaction behind in either case.
    transaction.clear()