Do not create table nat for ipv6 unless the user wants this
authorMichael Schwarz <mschwar2@math.uni-paderborn.de>
Wed, 10 Sep 2014 14:25:30 +0000 (16:25 +0200)
committerMichael Schwarz <mschwar2@math.uni-paderborn.de>
Wed, 10 Sep 2014 14:25:30 +0000 (16:25 +0200)
python/alff/ruleset.py

index 4432f90..1622553 100644 (file)
@@ -68,18 +68,22 @@ class Ruleset (object):
                }
 
 
-               for ruleset in self.ruleset.values ():
+               for protocol, ruleset in self.ruleset.iteritems ():
                        for table in TABLES:
-                               ruleset[table] = {
-                                       "chains" : {},
-                               }
-
-                               for chain in DEFAULT_CHAINS[table]:
-                                       ruleset[table]["chains"][chain] = {
-                                               "policy" : "ACCEPT",
-                                               "rules" : [],
-                                               "refs" : 1,
+                               # Do not create nat table for ipv6 unless the user forced this
+                               if protocol == 6 and table == "nat" and self.config.get_option("support_ipv6_nat") != "yes":
+                                       pass
+                               else:
+                                       ruleset[table] = {
+                                               "chains" : {},
                                        }
+       
+                                       for chain in DEFAULT_CHAINS[table]:
+                                               ruleset[table]["chains"][chain] = {
+                                                       "policy" : "ACCEPT",
+                                                       "rules" : [],
+                                                       "refs" : 1,
+                                               }
 
        def clear_cache (self):
                try:
@@ -410,58 +414,62 @@ class Ruleset (object):
 
 
                for table in TABLES:
-                       table_dict = self.ruleset[protocol][table]
-
-                       # Don't ever skip empty tables as there may have been chains/rules in here before
-                       # and we want to make sure they are cleared out.
+                       # Do not create nat table for ipv6 unless the user forced this
+                       if protocol == 6 and table == "nat" and self.config.get_option("support_ipv6_nat") != "yes":
+                               self.log.debug ("Suppressing table 'nat' for ipv6")
+                       else:
+                               table_dict = self.ruleset[protocol][table]
 
-                       self.log.debug ("Generating table '%s'.." % table)
-                       fh.write ("# Generated by alff %s on %s\n" % ('2.0-rc1', now ()))
-                       fh.write ("*%s\n" % table)
+                               # Don't ever skip empty tables as there may have been chains/rules in here before
+                               # and we want to make sure they are cleared out.
 
-                       chains_dict = table_dict["chains"]
-                       chains = sorted (chains_dict.keys ())
+                               self.log.debug ("Generating table '%s'.." % table)
+                               fh.write ("# Generated by alff %s on %s\n" % ('2.0-rc1', now ()))
+                               fh.write ("*%s\n" % table)
 
-                       ignore_chain = {}
-                       ignore_target = {}
+                               chains_dict = table_dict["chains"]
+                               chains = sorted (chains_dict.keys ())
 
-                       for chain in chains:
-                               policy = chains_dict[chain]["policy"]
+                               ignore_chain = {}
+                               ignore_target = {}
 
-                               # If this is a user defined chain we _maybe_ want to ignore it.
-                               if policy == "-":
+                               for chain in chains:
+                                       policy = chains_dict[chain]["policy"]
 
-                                       # If this chain isn't referenced anywhere and we should remove empty chains
-                                       # silently ignore it.
-                                       if self.suppress_unreferenced_chains and chains_dict[chain]["refs"] == 0:
-                                               self.log.debug ("Suppressing unreferenced chain '%s' (IPv%s)." % (chain, protocol))
-                                               ignore_chain[chain] = True
-                                               continue
+                                       # If this is a user defined chain we _maybe_ want to ignore it.
+                                       if policy == "-":
 
-                                       if self.suppress_empty_chains and len (chains_dict[chain]["rules"]) == 0:
-                                               self.log.debug ("Suppressing empty chain '%s' (IPv%s)." % (chain, protocol))
-                                               ignore_target[chain] = True
-                                               continue
+                                               # If this chain isn't referenced anywhere and we should remove empty chains
+                                               # silently ignore it.
+                                               if self.suppress_unreferenced_chains and chains_dict[chain]["refs"] == 0:
+                                                       self.log.debug ("Suppressing unreferenced chain '%s' (IPv%s)." % (chain, protocol))
+                                                       ignore_chain[chain] = True
+                                                       continue
 
+                                               if self.suppress_empty_chains and len (chains_dict[chain]["rules"]) == 0:
+                                                       self.log.debug ("Suppressing empty chain '%s' (IPv%s)." % (chain, protocol))
+                                                       ignore_target[chain] = True
+                                                       continue
 
-                               fh.write (":%s %s [0:0]\n" % (chain, policy))
 
-                       for chain in chains:
-                               # Ignore rules for suppressed chains
-                               if chain in ignore_chain:
-                                       continue
+                                       fh.write (":%s %s [0:0]\n" % (chain, policy))
 
-                               for rule in chains_dict[chain]["rules"]:
-                                       # Ignore rules with jump to suppressed target chain
-                                       match = re.search (r"-j\s+(\S+)", rule)
-                                       if match and match.group (1) in ignore_target:
-                                               self.log.debug ("Suppressing jump to empty chain '%s' (IPv%s)." % (match.group (1), protocol))
+                               for chain in chains:
+                                       # Ignore rules for suppressed chains
+                                       if chain in ignore_chain:
                                                continue
 
-                                       fh.write (rule + "\n")
+                                       for rule in chains_dict[chain]["rules"]:
+                                               # Ignore rules with jump to suppressed target chain
+                                               match = re.search (r"-j\s+(\S+)", rule)
+                                               if match and match.group (1) in ignore_target:
+                                                       self.log.debug ("Suppressing jump to empty chain '%s' (IPv%s)." % (match.group (1), protocol))
+                                                       continue
+
+                                               fh.write (rule + "\n")
 
-                       fh.write ("COMMIT\n")
-                       fh.write ("# Completed on %s\n" % now ())
+                               fh.write ("COMMIT\n")
+                               fh.write ("# Completed on %s\n" % now ())
 
 
        def _validate_protocol (self, protocol):