[firewall6] corrections sur le firewall IPv6 de zamok

Ignore-this: fd14c1fed392ba1365ca2bba1dded80e darcs-hash:20120601170354-dd9a4-c025054653b274e47766da05abf90a2da321e2b9.gz
2012-06-01 19:03:54 +02:00 · 2012-06-01 19:03:54 +02:00 · 4818e80c41
commit 4818e80c41
parent 0bbd71a69f
1 changed files with 10 additions and 8 deletions
--- a/gestion/gen_confs/firewall6.py
+++ b/gestion/gen_confs/firewall6.py
@ -26,7 +26,7 @@ sys.path.append('/usr/scripts/gestion')

 from ldap_crans import hostname
 from config import conf_fw, mid, prefix, role, file_pickle, open_ports
-from config import authorized_icmpv6, mac_wifi, adm_only
+from config import authorized_icmpv6, mac_wifi, adm_only, adm_users
 from ipt import *

 # On invoque Ip6tables
@ -239,9 +239,9 @@ def adherents_server():

    dev_adm = iface6('adm')
    # On fait attention à ce qui sort
-    ip6tables.filter.output('-i lo -j ACCEPT')
+    ip6tables.filter.output('-o lo -j ACCEPT')
    ip6tables.filter.output('-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT')
-    ip6tables.filter.output('-i %s -j SRV_OUT_ADM', dev_adm)
+    ip6tables.filter.output('-o %s -j SRV_OUT_ADM' % dev_adm)

    # Chaîne SRV_OUT_ADM
    # Seul certains users ont le droit de communiquer sur le vlan adm
@ -249,7 +249,8 @@ def adherents_server():
        try:
            u_uid = pwd.getpwnam(user)[2]
        except KeyError:
-            raise UnknowUserError(user)
+#            raise UnknowUserError(user)
+            continue
        ip6tables.filter.srv_out_adm('-m owner --uid-owner %d -j ACCEPT' %
                pwd.getpwnam(user)[2])

@ -258,12 +259,13 @@ def adherents_server():
    ip6tables.filter.srv_out_adm('-p tcp --dport domain -j ACCEPT')
    ip6tables.filter.srv_out_adm('-p udp --dport domain -j ACCEPT')
    # Pour le nfs (le paquet à laisser passer n'a pas d'owner)
-    ip6tables.filter.srv_out_adm('-d nfs.adm.crans.org  -m owner ! \
--uid-owner 0 -j REJECT --reject-with icmp-net-prohibited')
-    ip6tables.filter.srv_out_adm('-d nfs.adm.crans.org -j ACCEPT')
+#    ip6tables.filter.srv_out_adm('-d nfs.adm.crans.org  -m owner ! \
+#--uid-owner 0 -j REJECT --reject-with icmp6-adm-prohibited')
+#    ip6tables.filter.srv_out_adm('-d nfs.adm.crans.org -j ACCEPT')
+    ## A corriger, le nfs a pas l'air de faire de l'ipv6 de toute façon.

    # On arrête tout
-    ip6tables.filter.srv_out_adm('-j REJECT --reject-with icmp-net-prohibited')
+    ip6tables.filter.srv_out_adm('-j REJECT --reject-with icmp6-adm-prohibited')

 def start():
    ''' Démarre le firewall sur la machine considérée '''