commit 42a997143a5c9c4ff89045752cd7e52e400fd93d
Author: Thomas Woerner <twoerner@redhat.com>
Date: Thu Sep 1 18:08:10 2016 +0200
firewall.core.fw: Do not abort transaction on failed ipv6_rpfilter rules
The existing transaction is executed before the rules for ipv6_rpfilter are added, and the ipv6_rpfilter rules are then executed in a transaction of their own. If the ipv6_rpfilter transaction fails, a warning is logged and the remaining rules are still applied afterwards in a fresh transaction.
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index 0685258..b4450ee 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
@@ -627,6 +627,12 @@ class Firewall(object):
if self.ipv6_rpfilter_enabled and \
"raw" in self.get_available_tables("ipv6"):
+
+ # Execute existing transaction
+ transaction.execute(True)
+ # Start new transaction
+ transaction.clear()
+
# here is no check for ebtables.restore_noflush_option needed
# as ebtables is not used in here
transaction.add_rule("ipv6",
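Review bot: The `transaction.execute(True)` added at the top of the ipv6_rpfilter branch runs regardless of whether the caller handed in its own transaction via `use_transaction`, whereas the pre-existing execute (now in the `else` branch of the next hunk) still fires only when `use_transaction is None`. A caller that accumulates rules in one transaction so that it can roll them back as a unit now gets everything queued so far committed at this point and then dropped by `transaction.clear()`, so a later failure can no longer undo those rules; whether that matters in practice depends on the Transaction class's rollback semantics, which are not visible here. The comment should at least state this, e.g. `# Execute existing transaction (a caller-supplied one too): rules queued so far are committed here and will not be rolled back by a later failure`. The enclosing method starts before this hunk.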
@@ -644,8 +650,17 @@ class Firewall(object):
"-j", "LOG",
"--log-prefix", "rpfilter_DROP: " ])
- if use_transaction is None:
- transaction.execute(True)
+ # Execute ipv6_rpfilter transaction, it might fail
+ try:
+ transaction.execute(True)
+ except FirewallError as msg:
+ log.warning("Applying rules for ipv6_rpfilter failed: %s", msg)
+ # Start new transaction
+ transaction.clear()
+
+ else:
+ if use_transaction is None:
+ transaction.execute(True)
# flush and policy
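Review bot: The new `except FirewallError` fallback turns IPv6 reverse-path filtering into a best-effort control, but the warning only says that applying the rules failed, not that the host is now running without anti-spoofing on IPv6, which is the fact an operator reading the log needs. Suggest making that explicit, `log.warning("Applying rules for ipv6_rpfilter failed, IPv6 reverse path filtering is not active: %s", msg)`. Whether a failed `transaction.execute(True)` leaves partially applied raw-table rules in place before `transaction.clear()` discards the queued ones depends on the Transaction class's rollback behaviour, which this hunk does not show and is worth confirming. The enclosing method continues past the `# flush and policy` context line.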