commit 42a997143a5c9c4ff89045752cd7e52e400fd93d
Author: Thomas Woerner <twoerner@redhat.com>
Date: Thu Sep 1 18:08:10 2016 +0200
firewall.core.fw: Do not abort transaction on failed ipv6_rpfilter rules
The existing transaction will be executed before trying to add the rules for
ipv6_rpfilter and also afterwards. If the transaction with the ipv6_rpfilter
fails, a warning is printed out and the remaining rules are applied afterwards.
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index 0685258..b4450ee 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
@@ -627,6 +627,12 @@ class Firewall(object):
if self.ipv6_rpfilter_enabled and \
"raw" in self.get_available_tables("ipv6"):
+
+ # Execute existing transaction
+ transaction.execute(True)
+ # Start new transaction
+ transaction.clear()
+
# here is no check for ebtables.restore_noflush_option needed
# as ebtables is not used in here
transaction.add_rule("ipv6",
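Review bot: The added `transaction.execute(True)` and `transaction.clear()` at the top of the ipv6_rpfilter branch run without looking at `use_transaction`, while the non-rpfilter path in the later hunk still executes only when `use_transaction is None`. If `transaction` can be one handed in by a caller (the function header is outside the hunk and the page has lost the indentation, so this is inferred), that caller's queued rules are now committed early and can no longer be applied or rolled back as one unit. I would document that at the call, e.g. `# NOTE: this also commits a caller-supplied transaction; everything queued so far is applied before the rpfilter rules`, and mention it in the method's docstring.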
@@ -644,8 +650,17 @@ class Firewall(object):
"-j", "LOG",
"--log-prefix", "rpfilter_DROP: " ])
- if use_transaction is None:
- transaction.execute(True)
+ # Execute ipv6_rpfilter transaction, it might fail
+ try:
+ transaction.execute(True)
+ except FirewallError as msg:
+ log.warning("Applying rules for ipv6_rpfilter failed: %s", msg)
+ # Start new transaction
+ transaction.clear()
+
+ else:
+ if use_transaction is None:
+ transaction.execute(True)
# flush and policy
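Review bot: The `except FirewallError` branch only logs a warning, so after a failure the firewall keeps running without the IPv6 reverse-path filter while nothing visible in the hunk changes `self.ipv6_rpfilter_enabled`; the anti-spoofing rules are absent but the setting still reads as on. If that attribute is meant to describe runtime state (not visible here), record the degraded state next to the log call, e.g. `self.ipv6_rpfilter_enabled = False  # rules could not be loaded`, or at least log at error level so the missing control shows up in monitoring. The enclosing method continues past `# flush and policy`, outside the hunk.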