Merge pull request #16 from titoko/dev

Bug fix for UPnP and check for IPv6 availability
Alexis Gavoty 2013-04-29 07:17:50 -07:00
commit fa9b528fac


@ -33,7 +33,7 @@ def firewall_allow(protocol=None, port=None, ipv6=None, upnp=False):
""" """
port = int(port) port = int(port)
if (upnp): if (upnp):
add_portmapping(protocol, upnp, ipv6) add_portmapping(protocol, upnp, ipv6,'a')
if 0 < port < 65536: if 0 < port < 65536:
if protocol == "Both": if protocol == "Both":
@ -113,7 +113,7 @@ def firewall_reload(upnp=False):
if 22 not in firewall['ipv4']['TCP']: if 22 not in firewall['ipv4']['TCP']:
update_yml(22, 'TCP', 'a', False) update_yml(22, 'TCP', 'a', False)
if(os.path.exists("/proc/net/if_inet6")):
os.system ("ip6tables -P INPUT ACCEPT") os.system ("ip6tables -P INPUT ACCEPT")
os.system ("ip6tables -F") os.system ("ip6tables -F")
os.system ("ip6tables -X") os.system ("ip6tables -X")
@ -122,21 +122,26 @@ def firewall_reload(upnp=False):
if 22 not in firewall['ipv6']['TCP']: if 22 not in firewall['ipv6']['TCP']:
update_yml(22, 'TCP', 'a', False) update_yml(22, 'TCP', 'a', False)
if upnp:
remove_portmapping()
add_portmapping('TCP', upnp, False); add_portmapping('TCP', upnp, False,'r');
add_portmapping('UDP', upnp, False); add_portmapping('UDP', upnp, False,'r');
add_portmapping('TCP', upnp, True);
add_portmapping('UDP', upnp, True); if(os.path.exists("/proc/net/if_inet6")):
add_portmapping('TCP', upnp, True,'r');
add_portmapping('UDP', upnp, True,'r');
os.system ("iptables -A INPUT -i lo -j ACCEPT") os.system ("iptables -A INPUT -i lo -j ACCEPT")
os.system ("iptables -A INPUT -p icmp -j ACCEPT") os.system ("iptables -A INPUT -p icmp -j ACCEPT")
os.system ("iptables -P INPUT DROP")
if(os.path.exists("/proc/net/if_inet6")):
os.system ("ip6tables -A INPUT -i lo -j ACCEPT") os.system ("ip6tables -A INPUT -i lo -j ACCEPT")
os.system ("ip6tables -A INPUT -p icmp -j ACCEPT") os.system ("ip6tables -A INPUT -p icmp -j ACCEPT")
os.system ("iptables -P INPUT DROP")
os.system ("ip6tables -P INPUT DROP") os.system ("ip6tables -P INPUT DROP")
os.system("service fail2ban restart")
os.system("service fail2ban restart")
win_msg(_("Firewall successfully reloaded")) win_msg(_("Firewall successfully reloaded"))
return firewall_list() return firewall_list()
@ -182,12 +187,14 @@ def update_yml(port=None, protocol=None, mode=None, ipv6=None):
yaml.dump(firewall, f) yaml.dump(firewall, f)
def add_portmapping(protocol=None, upnp=False, ipv6=None): def add_portmapping(protocol=None, upnp=False, ipv6=None,mode=None,):
""" """
Send a port mapping rules to igd device Send a port mapping rules to igd device
Keyword arguments: Keyword arguments:
protocol -- Protocol used protocol -- Protocol used
port -- Port to open upnp -- Boolean upnp
ipv6 -- Boolean ipv6
mode -- Add a rule (a) or reload all rules (r)
Return Return
None None
@ -197,7 +204,37 @@ def add_portmapping(protocol=None, upnp=False, ipv6=None):
else: else:
os.system ("iptables -P INPUT ACCEPT") os.system ("iptables -P INPUT ACCEPT")
if upnp and mode=='a':
remove_portmapping()
if ipv6: ip = 'ipv6'
else: ip = 'ipv4'
with open('firewall.yml', 'r') as f:
firewall = yaml.load(f)
for i,port in enumerate (firewall[ip][protocol]):
if ipv6:
os.system ("ip6tables -A INPUT -p "+ protocol +" -i eth0 --dport "+ str(port) +" -j ACCEPT")
else:
os.system ("iptables -A INPUT -p "+ protocol +" -i eth0 --dport "+ str(port) +" -j ACCEPT")
if upnp: if upnp:
upnpc = miniupnpc.UPnP()
upnpc.discoverdelay = 200
nbigd = upnpc.discover()
if nbigd:
upnpc.selectigd()
upnpc.addportmapping(port, protocol, upnpc.lanaddr, port, 'yunohost firewall : port %u' % port, '')
os.system ("iptables -P INPUT DROP")
def remove_portmapping():
"""
Remove all portmapping rules in the igd device
Keyword arguments:
None
Return
None
"""
upnp = miniupnpc.UPnP() upnp = miniupnpc.UPnP()
upnp.discoverdelay = 200 upnp.discoverdelay = 200
nbigd = upnp.discover() nbigd = upnp.discover()
@ -218,21 +255,6 @@ def add_portmapping(protocol=None, upnp=False, ipv6=None):
upnp.deleteportmapping(p[0], p[1]) upnp.deleteportmapping(p[0], p[1])
if ipv6: ip = 'ipv6'
else: ip = 'ipv4'
with open('firewall.yml', 'r') as f:
firewall = yaml.load(f)
for i,port in enumerate (firewall[ip][protocol]):
if ipv6:
os.system ("ip6tables -A INPUT -p "+ protocol +" -i eth0 --dport "+ str(port) +" -j ACCEPT")
else:
os.system ("iptables -A INPUT -p "+ protocol +" -i eth0 --dport "+ str(port) +" -j ACCEPT")
if upnp:
upnp.addportmapping(port, protocol, upnp.lanaddr, port, 'yunohost firewall : port %u' % port, '')
os.system ("iptables -P INPUT DROP")
def firewall_installupnp(): def firewall_installupnp():
""" """
Add upnp cron Add upnp cron