commit yast2-vpn for openSUSE:Factory
Hello community,
here is the log from the commit of package yast2-vpn for openSUSE:Factory checked in at 2016-03-31 13:03:27
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/yast2-vpn (Old)
and /work/SRC/openSUSE:Factory/.yast2-vpn.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-vpn"
Changes:
--------
--- /work/SRC/openSUSE:Factory/yast2-vpn/yast2-vpn.changes 2015-10-28 17:30:51.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.yast2-vpn.new/yast2-vpn.changes 2016-03-31 13:03:35.000000000 +0200
@@ -1,0 +2,10 @@
+Thu Mar 24 11:15:40 UTC 2016 - hguo@suse.com
+
+- Fix several important issues:
+ * Properly reduce TCP MSS instead of setting it to a fixed value.
+ * Force UDP encapsulation in case of IPv4 gateway.
+ * Fix two cases of incorrect SUSEfirewall and iptables configuration.
+
+Further implements fate#320616.
+
+-------------------------------------------------------------------
Old:
----
yast2-vpn-3.1.2.tar.bz2
New:
----
yast2-vpn-3.1.3.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ yast2-vpn.spec ++++++
--- /var/tmp/diff_new_pack.B5jnFa/_old 2016-03-31 13:03:36.000000000 +0200
+++ /var/tmp/diff_new_pack.B5jnFa/_new 2016-03-31 13:03:36.000000000 +0200
@@ -1,7 +1,7 @@
#
# spec file for package yast2-vpn
#
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
Name: yast2-vpn
-Version: 3.1.2
+Version: 3.1.3
Release: 0
Url: https://github.com/yast/yast-vpn
Source0: %{name}-%{version}.tar.bz2
++++++ yast2-vpn-3.1.2.tar.bz2 -> yast2-vpn-3.1.3.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-vpn-3.1.2/package/yast2-vpn.changes new/yast2-vpn-3.1.3/package/yast2-vpn.changes
--- old/yast2-vpn-3.1.2/package/yast2-vpn.changes 2015-10-27 09:42:34.000000000 +0100
+++ new/yast2-vpn-3.1.3/package/yast2-vpn.changes 2016-03-30 09:32:33.000000000 +0200
@@ -1,4 +1,14 @@
-------------------------------------------------------------------
+Thu Mar 24 11:15:40 UTC 2016 - hguo@suse.com
+
+- Fix several important issues:
+ * Properly reduce TCP MSS instead of setting it to a fixed value.
+ * Force UDP encapsulation in case of IPv4 gateway.
+ * Fix two cases of incorrect SUSEfirewall and iptables configuration.
+
+Further implements fate#320616.
+
+-------------------------------------------------------------------
Tue Oct 27 08:42:26 UTC 2015 - hguo@suse.com
- Fix build failure on Leap.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-vpn-3.1.2/package/yast2-vpn.spec new/yast2-vpn-3.1.3/package/yast2-vpn.spec
--- old/yast2-vpn-3.1.2/package/yast2-vpn.spec 2015-10-27 09:42:24.000000000 +0100
+++ new/yast2-vpn-3.1.3/package/yast2-vpn.spec 2016-03-30 09:32:33.000000000 +0200
@@ -16,7 +16,7 @@
#
Name: yast2-vpn
-Version: 3.1.2
+Version: 3.1.3
Release: 0
License: GPL-2.0
URL: https://github.com/yast/yast-vpn
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-vpn-3.1.2/src/lib/vpn/ipsec.rb new/yast2-vpn-3.1.3/src/lib/vpn/ipsec.rb
--- old/yast2-vpn-3.1.2/src/lib/vpn/ipsec.rb 2015-09-07 14:42:44.000000000 +0200
+++ new/yast2-vpn-3.1.3/src/lib/vpn/ipsec.rb 2016-03-30 09:32:33.000000000 +0200
@@ -413,6 +413,9 @@
end
end
get_current_conn[param_name] = val
+ if val == nil
+ get_current_conn.delete(param_name)
+ end
end
# Change gateway password.
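Review bot: The added nil handling first stores nil under param_name and only then deletes the key, and it tests with `val == nil` while the other new code in this file (the `_key` block in the @@ -518 hunk) leans towards idiomatic Ruby; change the test to `if val.nil?` and move the assignment into an `else` branch so the key is never written with a nil value first and `get_current_conn` is called once per path. The method this belongs to starts before the hunk, so its signature and the meaning of a nil val are not visible here; a one-line comment above the branch, `# A nil value removes the parameter from the current connection.`, would record the new contract for callers such as the forceencaps handlers in main_dialog.rb.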
@@ -518,16 +521,14 @@
conn_template = SCENARIO_TEMPLATES[conf["scenario"]]
# Find customised parameters
customisation = conf.select{|key, val| conn_template[key] == nil}
- # Remove keys that don't belong to the scenario
- customisation.delete_if {|key, val| !conn_template.has_key?(key)}
# Merge customised with the template
merged_conf = conn_template.merge(customisation)
# Remove parameters that aren't configuration or don't belong to the scenario
merged_conf.delete("name")
merged_conf.delete("scenario")
# Find blanks that aren't filled
- param_blanks = merged_conf.select{|key, val| val == nil || val.strip == ""}.keys
- if param_blanks.length > 0
+ param_blanks = merged_conf.select{|_key, val| val.to_s.strip == ""}.keys
+ if param_blanks.any?
unfilled_blanks[name] = param_blanks
end
scr_conf[name] = merged_conf
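Review bot: The comment `# Remove parameters that aren't configuration or don't belong to the scenario` is now stale: the `delete_if` that dropped keys absent from conn_template was removed in this hunk, so customised keys outside the template (which is what lets `forceencaps` reach the written configuration) are kept, and only `name` and `scenario` are removed. Change it to `# Remove parameters that aren't configuration (custom keys outside the template are kept on purpose)` so the next reader does not reinstate the filter. Note that `conf.select{|key, val| conn_template[key] == nil}` also keeps template keys whose template value is nil; if that is intended it deserves the same mention. The enclosing method starts outside the hunk.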
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-vpn-3.1.2/src/lib/vpn/main_dialog.rb new/yast2-vpn-3.1.3/src/lib/vpn/main_dialog.rb
--- old/yast2-vpn-3.1.2/src/lib/vpn/main_dialog.rb 2015-09-07 13:33:28.000000000 +0200
+++ new/yast2-vpn-3.1.3/src/lib/vpn/main_dialog.rb 2016-03-30 09:32:33.000000000 +0200
@@ -67,7 +67,7 @@
VBox(
Left(CheckBox(Id(:enable_daemon), _("Enable VPN daemon"), Yast::IPSecConf.DaemonEnabled?)),
Left(HBox(
- CheckBox(Id(:fix_mss), _("Reduce TCP MSS"), Yast::IPSecConf.TCPMSS1024Enabled?),
+ CheckBox(Id(:fix_mss), _("Reduce TCP MSS"), Yast::IPSecConf.TCPReduceMSS?),
PushButton(Id(:fix_mss_help), "?")))
)),
Frame(_("All VPNs"), ReplacePoint(Id(:conn_list), Empty())),
@@ -84,7 +84,7 @@
),
HBox(
PushButton(Id(:ok), Yast::Label.OKButton),
- PushButton(Id(:abort), Yast::Label.AbortButton)
+ PushButton(Id(:cancel), Yast::Label.CancelButton)
)
)
end
@@ -156,7 +156,7 @@
# Save new settings and apply
Yast::IPSecConf.Import({
"enable_ipsec" => enable_daemon,
- "tcp_mss_1024" => !!Yast::UI.QueryWidget(:fix_mss, :Value),
+ "tcp_reduce_mss" => !!Yast::UI.QueryWidget(:fix_mss, :Value),
"ipsec_conns" => scr_conf,
"ipsec_secrets" => IPSec.make_scr_secrets
})
@@ -188,11 +188,9 @@
end
end
- # Abandon all changes and quit.
- def abort_handler
- if Yast::Popup.ReallyAbort(true)
- finish_dialog(:abort)
- end
+ # Quit the dialog.
+ def cancel_handler
+ finish_dialog(:cancel)
end
# Select a connection from connection list, load its configuration.
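Review bot: cancel_handler leaves the dialog without the ReallyAbort confirmation the removed abort_handler had, so any edits since the last OK are dropped silently, and the comment `# Quit the dialog.` does not say so. Document the behaviour, `# Quit the dialog without saving; edits since the last OK are discarded.`, or keep the confirmation with `finish_dialog(:cancel) if Yast::Popup.ReallyAbort(true)` if the silent discard was not the intent. The button change to CancelButton in the @@ -84 hunk matches the new handler name, so the rename itself is consistent.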
@@ -212,6 +210,8 @@
else
IPSec.change_conn_param("rightsubnet", "0.0.0.0/0")
end
+ # Force UDP encapsulation only for IPv4 (it does not work for v6)
+ IPSec.change_conn_param("forceencaps", "yes")
# Disable specific subnet input
Yast::UI.ChangeWidget(Id(:conn_access_subnet), :Enabled, false)
Yast::UI.ChangeWidget(Id(:conn_access_subnet), :Value, "")
@@ -225,6 +225,8 @@
else
IPSec.change_conn_param("rightsubnet", "::/0")
end
+ # If this was an IPv4 gateway and now an IPv6 gateway, make sure there's no forceencaps
+ IPSec.change_conn_param("forceencaps", nil)
# Disable specific subnet input
Yast::UI.ChangeWidget(Id(:conn_access_subnet), :Enabled, false)
Yast::UI.ChangeWidget(Id(:conn_access_subnet), :Value, "")
@@ -239,6 +241,8 @@
# Client: specify networks (CIDRs) accessed via IPSec tunnel.
def conn_access_subnet_handler
subnet = Yast::UI.QueryWidget(Id(:conn_access_subnet), :Value)
+ # Since I cannot tell whether the new subnet is v4 or v6, get rid of forceencaps.
+ IPSec.change_conn_param("forceencaps", nil)
if IPSec.get_current_conn_type == :gateway
IPSec.change_conn_param("leftsubnet", subnet)
else
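Review bot: conn_access_subnet_handler now drops `forceencaps` on every subnet edit because, as the comment says, the address family is not determined, yet the same commit decides IPv4 versus IPv6 in IPSecConf.rb with `cidr.include?(":")` (the @@ -129 hunk); a gateway connection with a specific IPv4 subnet would presumably lose the encapsulation that the @@ -212 hunk adds as soon as its subnet field is edited. Applying the same test here, `IPSec.change_conn_param("forceencaps", subnet.include?(":") ? nil : "yes")`, keeps the two code paths consistent. Whether forceencaps is also wanted for the client branch of this handler is not visible in the hunk and should be confirmed; the handler continues past the end of the hunk.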
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-vpn-3.1.2/src/modules/IPSecConf.rb new/yast2-vpn-3.1.3/src/modules/IPSecConf.rb
--- old/yast2-vpn-3.1.2/src/modules/IPSecConf.rb 2015-09-09 10:39:50.000000000 +0200
+++ new/yast2-vpn-3.1.3/src/modules/IPSecConf.rb 2016-03-30 09:32:33.000000000 +0200
@@ -30,6 +30,9 @@
include Yast::Logger
FW_CUSTOMRULES_FILE = "/etc/YaST2/vpn_firewall_rules"
+ # If TCP MSS reduction is required, the new MSS will be this value.
+ REDUCED_MSS = 1220
+
def initialize
log.info "IPSecConf is initialised"
@orig_conf = {}
@@ -41,7 +44,7 @@
@ipsec_secrets = {"psk" => [], "rsa" => [], "eap" => [], "xauth" => []}
@enable_ipsec = false
- @tcp_mss_1024 = false
+ @tcp_reduce_mss = false
@autoyast_modified = false
end
@@ -58,7 +61,7 @@
# Read daemon settings
@enable_ipsec = Service.Enabled("strongswan")
customrules_content = SCR.Read(path(".target.string"), FW_CUSTOMRULES_FILE)
- @tcp_mss_1024 = !customrules_content.nil? && customrules_content.include?("--set-mss 1024")
+ @tcp_reduce_mss = !customrules_content.nil? && customrules_content.include?("--set-mss #{REDUCED_MSS}")
@autoyast_modified = true
end
@@ -97,9 +100,9 @@
return @enable_ipsec
end
- # Return true if TCP MSS 1024 workaround is enabled, otherwise false.
- def TCPMSS1024Enabled?
- return @tcp_mss_1024
+ # Return true if TCP MSS reduction workaround is enabled, otherwise false.
+ def TCPReduceMSS?
+ return @tcp_reduce_mss
end
# Create a firewall configuration script for all VPN gateways. Return the script content
@@ -129,19 +132,18 @@
script << func_template % {func_name: "fw_custom_before_port_handling", content: ""}
# Reduce TCP MSS - if this has to be done, it must come before FORWARD and MASQUERADE
inet_access = ""
- if @tcp_mss_1024
- inet_access += "iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1024\n" +
- "ip6tables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1024\n"
+ if @tcp_reduce_mss
+ inet_access += "iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss #{REDUCED_MSS+1}:65535 -j TCPMSS --set-mss #{REDUCED_MSS}\n" +
+ "ip6tables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss #{REDUCED_MSS+1}:65535 -j TCPMSS --set-mss #{REDUCED_MSS}\n"
end
# Forwarding for Internet access
- forward_template = "%s -A FORWARD -s %s -j ACCEPT\n"
- masq_template = "%s -t nat -A POSTROUTING -s %s -j MASQUERADE\n"
inet_access_networks.each { |cidr|
iptables = "iptables"
if cidr.include?(":")
iptables = "ip6tables"
end
- inet_access += forward_template % [iptables, cidr] + masq_template % [iptables, cidr]
+ inet_access += "#{iptables} -A FORWARD -s #{cidr} -j ACCEPT\n#{iptables} -A FORWARD -d #{cidr} -j ACCEPT\n"
+ inet_access += "#{iptables} -t nat -A POSTROUTING -s #{cidr} -j MASQUERADE\n"
}
script << func_template % {func_name: "fw_custom_before_masq", content: inet_access}
# Nothing in denyall or finished
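Review bot: The new `-d #{cidr} -j ACCEPT` FORWARD rule accepts forwarded traffic towards each VPN network from any source, not just replies to the flows the `-s #{cidr}` rule lets out; the previous version had only the source rule, so this widens what the gateway forwards into the tunnel, unsolicited traffic from other interfaces included, which may or may not be intended. If only return traffic is meant, restrict it to existing flows: `#{iptables} -A FORWARD -d #{cidr} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`. The values in inet_access_networks are interpolated into a shell script executed by SuSEfirewall; their origin is outside the hunk, so it is worth confirming they are validated as CIDRs before reaching this method. Minor style: `REDUCED_MSS+1` on the two TCPMSS lines should read `REDUCED_MSS + 1`. The script-building method starts and ends outside the hunk.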
@@ -219,6 +221,7 @@
SCR.Write(path(".sysconfig.SuSEfirewall2.FW_CUSTOMRULES"), existing_rules + FW_CUSTOMRULES_FILE)
SCR.Write(path(".sysconfig.SuSEfirewall2"), nil)
end
+ SuSEFirewall.Read
if SuSEFirewall.IsEnabled
if @enable_ipsec
if !SuSEFirewall.IsStarted
@@ -255,7 +258,7 @@
return false
end
@enable_ipsec = !!params["enable_ipsec"]
- @tcp_mss_1024 = !!params["tcp_mss_1024"]
+ @tcp_reduce_mss = !!params["tcp_reduce_mss"]
@ipsec_conns = params.fetch("ipsec_conns", {})
@ipsec_secrets = params.fetch("ipsec_secrets", {})
@autoyast_modified = true
@@ -267,7 +270,7 @@
log.info("IPSecConf.Export is called, connections are: " + @ipsec_conns.keys.to_s)
return {
"enable_ipsec" => @enable_ipsec,
- "tcp_mss_1024" => @tcp_mss_1024,
+ "tcp_reduce_mss" => @tcp_reduce_mss,
"ipsec_conns" => @ipsec_conns,
"ipsec_secrets" => @ipsec_secrets
}
@@ -278,7 +281,7 @@
log.info("IPSecConf.Summary is called")
ret = Summary.AddHeader("", _("VPN Global Settings"))
ret = Summary.AddLine(ret, _("Enable VPN (IPSec) daemon: %s") % [(!!@enable_ipsec).to_s])
- ret = Summary.AddLine(ret, _("Reduce TCP MSS to 1024: %s") % [(!!@tcp_mss_1024).to_s])
+ ret = Summary.AddLine(ret, _("Reduce TCP MSS: %s") % [(!!@tcp_reduce_mss).to_s])
ret = Summary.AddHeader(ret, _("Gateway and Connections"))
if @ipsec_conns != nil
@ipsec_conns.each{|name, conf|
@@ -320,7 +323,7 @@
@ipsec_secrets = {"psk" => [], "rsa" => [], "eap" => [], "xauth" => []}
@enable_ipsec = false
- @tcp_mss_1024 = false
+ @tcp_reduce_mss = false
@autoyast_modified = false
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-vpn-3.1.2/test/ipsec_test.rb new/yast2-vpn-3.1.3/test/ipsec_test.rb
--- old/yast2-vpn-3.1.2/test/ipsec_test.rb 2015-10-27 09:42:05.000000000 +0100
+++ new/yast2-vpn-3.1.3/test/ipsec_test.rb 2016-03-30 09:32:33.000000000 +0200
@@ -19,10 +19,7 @@
# Summary: Test the functions and features of IPSec configuration models.
# Authors: Howard Guo
-