Commit d936ba61 by Bach Dániel

firewall: fix ipv6 firewall

parent df2c02ff
......@@ -103,8 +103,6 @@ class BuildFirewall:
def build_ipt(self):
"""Build rules."""
# TODO remove ipv4-specific rules
self.ipt_filter_firewall()
self.ipt_filter_host_rules()
self.ipt_filter_vlan_rules()
......@@ -113,10 +111,10 @@ class BuildFirewall:
self.build_ipt_nat()
context = {
'filter': (chain for name, chain in self.chains.iteritems()
if chain.name not in ('PREROUTING', 'POSTROUTING')),
'nat': (chain for name, chain in self.chains.iteritems()
if chain.name in ('PREROUTING', 'POSTROUTING'))}
'filter': lambda: (chain for name, chain in self.chains.iteritems()
if chain.name not in IptChain.nat_chains),
'nat': lambda: (chain for name, chain in self.chains.iteritems()
if chain.name in IptChain.nat_chains)}
template = loader.get_template('firewall/iptables.conf')
context['proto'] = 'ipv4'
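Review bot: The new `'filter'` and `'nat'` lambdas (the four added lines before `template = ...`) replace bare generators without saying why, and a reader will be tempted to undo the wrapping. A generator is exhausted after one pass, and this context is rendered once per protocol (`context['proto'] = 'ipv4'` right below, the ipv6 render presumably outside the hunk), so a zero-argument callable that the template engine invokes on each `{% for %}` is what gives the second render a fresh iterator — worth stating as `# callables, not generators: the template is rendered once per proto and each render needs a fresh iterator`. `name` is unused in both expressions, so `self.chains.itervalues()` would say what is meant. `IptChain.nat_chains` is new to this module as far as the hunk shows; confirm `IptChain` is imported here. The body of `build_ipt` continues outside the hunk.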
......@@ -15,7 +15,8 @@ class InvalidRuleExcepion(Exception):
class IptRule(object):
def __init__(self, priority=1000, action=None, src=None, dst=None,
proto=None, sport=None, dport=None, extra=None):
proto=None, sport=None, dport=None, extra=None,
ipv4_only=False):
if proto not in ['tcp', 'udp', 'icmp', None]:
raise InvalidRuleExcepion()
if proto not in ['tcp', 'udp'] and (sport is not None or
......@@ -28,16 +29,21 @@ class IptRule(object):
(self.src4, self.src6) = (None, None)
if isinstance(src, tuple):
(self.src4, self.src6) = src
if not self.src6:
ipv4_only = True
(self.dst4, self.dst6) = (None, None)
if isinstance(dst, tuple):
(self.dst4, self.dst6) = dst
if not self.dst6:
ipv4_only = True
self.proto = proto
self.sport = sport
self.dport = dport
self.extra = extra
self.ipv4_only = extra and bool(ipv4_re.search(extra))
self.ipv4_only = (ipv4_only or
extra is not None and bool(ipv4_re.search(extra)))
def __hash__(self):
return hash(frozenset(self.__dict__.items()))
......@@ -69,8 +75,8 @@ class IptRule(object):
class IptChain(object):
builtin_chains = ('FORWARD', 'INPUT', 'OUTPUT', 'PREROUTING',
'POSTROUTING')
nat_chains = ('PREROUTING', 'POSTROUTING')
builtin_chains = ('FORWARD', 'INPUT', 'OUTPUT') + nat_chains
def __init__(self, name):
self.rules = set()
......@@ -98,3 +104,6 @@ class IptChain(object):
return '\n'.join([prefix + rule.compile(proto)
for rule in self.sort()
if not (proto == 'ipv6' and rule.ipv4_only)])
def compile_v6(self):
return self.compile('ipv6')
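Review bot: The new `ipv4_only` derivation in `IptRule.__init__` (`if not self.src6: ipv4_only = True`, and the same for `dst6`) changes what ends up in the ip6tables ruleset but is undocumented: a rule whose address tuple has no IPv6 half is now kept out of the IPv6 output by the `rule.ipv4_only` filter in `IptChain.compile`, rather than (presumably, the old `compile` path is not shown) emitted without that address match, which would be a wider rule than intended. That is the right default for a filter rule and deserves a comment at the point of derivation, e.g. `# no v6 address for this endpoint: keep the rule out of the ip6tables output rather than emit it without the address match`. The final assignment is clearer with the precedence spelled out, `self.ipv4_only = ipv4_only or (extra is not None and bool(ipv4_re.search(extra)))`. `compile_v6` wants a one-line docstring saying it exists because the template cannot pass an argument to `compile` — that is my inference from the `{{ chain.compile_v6 }}` use, confirm. `__init__`'s signature is in the previous hunk and `compile` starts outside this one.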
......@@ -26,7 +26,7 @@ def _apply_once(name, queues, task, data):
@celery.task(ignore_result=True)
def periodic_task():
from firewall.fw import Firewall, dhcp, dns, ipset, vlan
from firewall.fw import BuildFirewall, dhcp, dns, ipset, vlan
from remote_tasks import (reload_dns, reload_dhcp, reload_firewall,
reload_firewall_vlan, reload_blacklist)
......@@ -40,7 +40,7 @@ def periodic_task():
_apply_once('dhcp', firewall_queues, reload_dhcp,
lambda: (dhcp(), ))
_apply_once('firewall', firewall_queues, reload_firewall,
lambda: (Firewall(proto=4).get(), Firewall(proto=6).get()))
lambda: (BuildFirewall().build_ipt()))
_apply_once('firewall_vlan', firewall_queues, reload_firewall_vlan,
lambda: (vlan(), ))
_apply_once('blacklist', firewall_queues, reload_blacklist,
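Review bot: `lambda: (BuildFirewall().build_ipt())` on the replaced `firewall` line is not a tuple — the parentheses only group the expression — whereas the line it replaces returned `(v4, v6)` and the neighbouring calls build explicit 1-tuples (`(dhcp(), )`, `(vlan(), )`). Whether `_apply_once`/`reload_firewall` still receive both rulesets therefore depends on `build_ipt` returning them itself, which this diff does not show; confirm its return value, or make the shape explicit here. If `build_ipt` does return the tuple, the grouping parentheses are noise and `lambda: BuildFirewall().build_ipt()` reads better. `periodic_task` starts before this hunk and `_apply_once` is not shown.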
{% if nat %}
{% if proto == "ipv4" %}
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
......@@ -45,7 +45,11 @@ COMMIT
{% for chain in filter %}
{% if chain.name not in chain.builtin_chains %}-N {{ chain.name }}{% endif %}
{% if proto == "ipv4" %}
{{ chain.compile }}
{% else %}
{{ chain.compile_v6 }}
{% endif %}
{% endfor %}
# close all chains
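Review bot: The `{% else %}` branch around `{{ chain.compile_v6 }}` treats any `proto` other than `"ipv4"` as IPv6, and the new `{% if proto == "ipv4" %}` guard around `*nat` (earlier hunk in this file) silently drops the whole nat table for every other value; both are fine if `proto` is only ever `'ipv4'` or `'ipv6'` (the Python side sets `'ipv4'` in this commit, the `'ipv6'` assignment is not shown), but neither branch says so. A comment at the top of the template, `{# proto is 'ipv4' or 'ipv6'; the nat table is emitted for IPv4 only #}`, would make the contract visible to whoever next edits either side. `{{ chain.compile }}` relies on `compile`'s default argument selecting IPv4, which is outside the diff — confirm. The `{% endif %}` closing the new nat guard is outside the first hunk.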