[gestion/gen_confs/firewall6.py,gestion/ipt.py] Ménage dans les règles après que komaz soit devenue routeur pour le wifi et avoir permis les etensions de vie privée.

2013-02-13 15:14:04 +01:00 · 2013-02-13 15:14:04 +01:00 · ab5320bfd2
commit ab5320bfd2
parent 58b2dbe647
2 changed files with 44 additions and 93 deletions
--- a/gestion/ipt.py
+++ b/gestion/ipt.py
@ -118,7 +118,7 @@ class Ip6tables(object):
    def macip(self, mac, type_m):
        '''Fait la correspondance MAC-IP'''
        tab = {'serveurs' : 'fil' }
-	if type_m in tab.keys(): type_m = tab[type_m]
+        if type_m in tab.keys(): type_m = tab[type_m]
        type_mm = re.sub('-', '', type_m)
        getattr(self.filter,'mac' + type_mm)(" ".join(['-m mac --mac-source', mac,
            '-j RETURN']))
@ -170,10 +170,7 @@ ACCEPT' % (dev, proto, ip, port))

        if ip:
            self.filter.blacklist_src('-m mac --mac-source %s -j REJECT --reject-with icmp6-port-unreachable' % mac)
-            #~ self.filter.blacklist_src('-s %s -j REJECT --reject-with \
-#~ icmp6-adm-prohibited' % ip)
-            self.filter.blacklist_dst('-d %s -j REJECT --reject-with \
-icmp6-adm-prohibited' % ip)
+            self.filter.blacklist_dst('-d %s -j REJECT --reject-with icmp6-adm-prohibited' % ip)


    def version(self):
@ -751,19 +748,19 @@ def mac_ip(ipt, machines, types_machines):
    adresses en eui64'''
 
    macips(ipt, machines, types_machines)
-    # TODO Il faut raffiner avant de rajouter le wifi
    for type_m in types_machines:
        if not '-v6' in type_m:
            dev = iface6(type_m)
            ipt.filter.input('-i %s -s %s -j %s' % (dev, prefix[type_m][0],
                'MAC' + type_m.upper()))
            ipt.filter.input('-i %s -j IEUI64' % dev)
-            ipt.filter.ieui64('-i %s -s %s -m eui64 -j RETURN' % (dev,
-                prefix[type_m][0]))

+    # On active les extensions de vie privée
+    for net in prefix['subnet']:
+       ipt.filter.ieui64('-s %s -j RETURN' % net)
+    # Pour le lien local, on n'accepte que les eui64
    ipt.filter.ieui64('-s fe80::/64 -m eui64 -j RETURN')
    ipt.filter.ieui64('-j REJECT')
-    #ipt.filter.ieui64('-j REJECT')

 def macips(ipt, machines, types_machines):
    ''' Construit la chaîne MAC '''