From c433ec1950b33da91ad1c437fcf7ed67e68e489f Mon Sep 17 00:00:00 2001
From: Valentin Samir
Date: Tue, 9 Apr 2013 15:40:17 +0200
Subject: [PATCH] =?UTF-8?q?[firewall4]=20Pettry=5Fprint=20pour=20le=20pare?=
 =?UTF-8?q?-feu=20de=20zamok=20et=20on=20autorise=20les=20nounoun=20=C3=A0?=
 =?UTF-8?q?=20acceder=20=C3=A0=20adm?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 gestion/gen_confs/firewall4.py | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/gestion/gen_confs/firewall4.py b/gestion/gen_confs/firewall4.py
index 5dc48eac..98586a3b 100755
--- a/gestion/gen_confs/firewall4.py
+++ b/gestion/gen_confs/firewall4.py
@@ -933,10 +933,7 @@ class firewall_zamok(firewall_base):
 chain='ADMIN-VLAN'
 if table == 'filter':
- for user in adm_users:
- try: self.add(table, chain, '-m owner --uid-owner %d -j ACCEPT' % pwd.getpwnam(user)[2])
- except KeyError: print "Utilisateur %s inconnu" % user
-
+ pretty_print(table, chain)
 # ldap et dns toujours joinable
 self.add(table, chain, '-p tcp --dport ldap -j ACCEPT')
 self.add(table, chain, '-p tcp --dport domain -j ACCEPT')
@@ -945,8 +942,16 @@ class firewall_zamok(firewall_base):
 # Pour le nfs (le paquet à laisser passer n'a pas d'owner)
 self.add(table, chain, '-d daath.adm.crans.org -j ACCEPT')
+ for user in adm_users:
+ try: self.add(table, chain, '-m owner --uid-owner %d -j ACCEPT' % pwd.getpwnam(user)[2])
+ except KeyError: print "Utilisateur %s inconnu" % user
+
+ for nounou in conn.search("droits=%s" % lc_ldap.attributs.nounou):
+ self.add(table, chain, '-m owner --uid-owner %s -j RETURN' % nounou['uidNumber'][0])
+
 # Rien d'autre ne passe
 self.add(table, chain, '-j REJECT --reject-with icmp-net-prohibited')
+ print OK
 if apply: self.apply(table, chain)
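Review bot: The new nounou loop in the second hunk (`@@ -945,8 +942,16 @@`) interpolates `nounou['uidNumber'][0]` straight from the LDAP entry with `%s`, whereas the adm_users rule just above formats a checked integer with `%d` and the blacklist loop in the last hunk first tests that `uidNumber` is present; an entry missing that attribute or carrying a non-numeric value would presumably either raise mid-generation or emit an iptables rule that only fails later at apply time. Converting explicitly and guarding keeps the two owner rules consistent and makes a malformed directory entry fail with a clear error at generation: `if 'uidNumber' in nounou.attrs: self.add(table, chain, '-m owner --uid-owner %d -j RETURN' % int(nounou['uidNumber'][0]))` (assuming the search results expose the same `.attrs` mapping as `blacklisted_adherents()` does). Because the adm_users rules say ACCEPT while the nounou rules say RETURN, a comment such as `# RETURN hands nounou traffic back to the calling chain instead of accepting it here` would make the asymmetry read as intentional. `pretty_print` and `OK` are not defined in the hunk, so I assume they are imported at module level. The enclosing method starts before the first hunk and its body continues past the end of this one.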
@@ -963,12 +968,14 @@ class firewall_zamok(firewall_base):
 chain='BLACKLIST-OUTPUT'
 if table == 'filter':
- self.add(table, chain, '-d 127.0.0.1/8 -j ACCEPT')
+ pretty_print(table, chain)
+ self.add(table, chain, '-d 127.0.0.1/8 -j RETURN')
 for net in NETs['all']:
- self.add(table, chain, '-d %s -j ACCEPT' % net)
+ self.add(table, chain, '-d %s -j RETURN' % net)
 for adh in self.blacklisted_adherents():
 if 'uidNumber' in adh.attrs.keys(): self.add(table, chain, '-m owner --uid-owner %s -j REJECT' % adh['uidNumber'][0])
+ print OK
 if apply: self.apply(table, chain)
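Review bot: The rewritten loopback rule in this hunk keeps the destination as `-d 127.0.0.1/8`; iptables masks the host bits and stores the rule as `127.0.0.0/8`, so the source and the loaded rule read differently and a reader may take it for a single host — writing `self.add(table, chain, '-d 127.0.0.0/8 -j RETURN')` says what is actually matched. Changing the loopback and `NETs['all']` rules from ACCEPT to RETURN also changes their meaning: traffic to those destinations is no longer accepted by BLACKLIST-OUTPUT itself but handed back to the calling chain, which now decides, and nothing in the hunk records that this is deliberate. A comment on the first rule, such as `# RETURN, not ACCEPT: local and crans destinations skip the blacklist but stay subject to the caller's rules`, would document the intent next to the code. The uid-owner REJECT rules below are unchanged, and the enclosing method starts before this hunk.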