[enh] Call iptables/ip6tables with --wait option (close #325)

Jérôme Lebleu 2016-05-28 22:01:01 +02:00
parent 765a06bd14
commit bca32c881e


@ -210,26 +210,26 @@ def firewall_reload(skip_upnp=False):
# IPv4 # IPv4
try: try:
process.check_output("iptables -L") process.check_output("iptables -w -L")
except process.CalledProcessError as e: except process.CalledProcessError as e:
logger.debug('iptables seems to be not available, it outputs:\n%s', logger.debug('iptables seems to be not available, it outputs:\n%s',
prependlines(e.output.rstrip(), '> ')) prependlines(e.output.rstrip(), '> '))
logger.warning(m18n.n('iptables_unavailable')) logger.warning(m18n.n('iptables_unavailable'))
else: else:
rules = [ rules = [
"iptables -F", "iptables -w -F",
"iptables -X", "iptables -w -X",
"iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT", "iptables -w -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
] ]
# Iterate over ports and add rule # Iterate over ports and add rule
for protocol in ['TCP', 'UDP']: for protocol in ['TCP', 'UDP']:
for port in firewall['ipv4'][protocol]: for port in firewall['ipv4'][protocol]:
rules.append("iptables -A INPUT -p %s --dport %s -j ACCEPT" \ rules.append("iptables -w -A INPUT -p %s --dport %s -j ACCEPT" \
% (protocol, process.quote(str(port)))) % (protocol, process.quote(str(port))))
rules += [ rules += [
"iptables -A INPUT -i lo -j ACCEPT", "iptables -w -A INPUT -i lo -j ACCEPT",
"iptables -A INPUT -p icmp -j ACCEPT", "iptables -w -A INPUT -p icmp -j ACCEPT",
"iptables -P INPUT DROP", "iptables -w -P INPUT DROP",
] ]
# Execute each rule # Execute each rule
@ -246,19 +246,19 @@ def firewall_reload(skip_upnp=False):
logger.warning(m18n.n('ip6tables_unavailable')) logger.warning(m18n.n('ip6tables_unavailable'))
else: else:
rules = [ rules = [
"ip6tables -F", "ip6tables -w -F",
"ip6tables -X", "ip6tables -w -X",
"ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT", "ip6tables -w -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
] ]
# Iterate over ports and add rule # Iterate over ports and add rule
for protocol in ['TCP', 'UDP']: for protocol in ['TCP', 'UDP']:
for port in firewall['ipv6'][protocol]: for port in firewall['ipv6'][protocol]:
rules.append("ip6tables -A INPUT -p %s --dport %s -j ACCEPT" \ rules.append("ip6tables -w -A INPUT -p %s --dport %s -j ACCEPT" \
% (protocol, process.quote(str(port)))) % (protocol, process.quote(str(port))))
rules += [ rules += [
"ip6tables -A INPUT -i lo -j ACCEPT", "ip6tables -w -A INPUT -i lo -j ACCEPT",
"ip6tables -A INPUT -p icmpv6 -j ACCEPT", "ip6tables -w -A INPUT -p icmpv6 -j ACCEPT",
"ip6tables -P INPUT DROP", "ip6tables -w -P INPUT DROP",
] ]
# Execute each rule # Execute each rule
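Review bot: Both rule lists on the new side (the IPv4 one in the first hunk and the IPv6 one here) start with `-F`/`-X` and only issue `-P INPUT DROP` as the very last command, so from the flush until that last line the INPUT chain runs on whatever policy was left behind — ACCEPT after `firewall_stop`, which sets `-P INPUT ACCEPT` before flushing — and now that every command carries `-w`, any one of them can block on the xtables lock and stretch that fail-open window (plain `-w` has no timeout; on builds that accept a seconds argument, `-w 5` bounds it). Putting the policy first, `"iptables -w -P INPUT DROP"` ahead of `"iptables -w -F"` (and likewise `"ip6tables -w -P INPUT DROP"` here), turns the gap into a brief fail-closed one where inbound packets are merely delayed until the RELATED,ESTABLISHED rule is re-added, and feeding the whole set to `iptables-restore -w` would remove the gap entirely. How the list is executed is outside the hunk (`# Execute each rule` is its last visible line), and `firewall_reload` both starts and ends outside it, so whether a failing command aborts the sequence or leaves a half-built chain cannot be judged from here. Whichever order is kept, a comment on the list such as `# applied one command at a time: the chain is open/closed according to the policy set on the last line until it runs` would make the ordering deliberate rather than incidental.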
@ -413,11 +413,11 @@ def firewall_stop():
""" """
if os.system("iptables -P INPUT ACCEPT") != 0: if os.system("iptables -w -P INPUT ACCEPT") != 0:
raise MoulinetteError(errno.ESRCH, m18n.n('iptables_unavailable')) raise MoulinetteError(errno.ESRCH, m18n.n('iptables_unavailable'))
os.system("iptables -F") os.system("iptables -w -F")
os.system("iptables -X") os.system("iptables -w -X")
if os.path.exists("/proc/net/if_inet6"): if os.path.exists("/proc/net/if_inet6"):
os.system("ip6tables -P INPUT ACCEPT") os.system("ip6tables -P INPUT ACCEPT")