Hello community, here is the log from the commit of package SuSEfirewall2 checked in at Thu Oct 16 02:01:13 CEST 2008.
--------
--- SuSEfirewall2/SuSEfirewall2.changes 2008-09-30 10:49:44.000000000 +0200
+++ /d/STABLE/SuSEfirewall2/SuSEfirewall2.changes 2008-10-15 15:50:44.000000000 +0200
@@ -1,0 +2,6 @@
+Wed Oct 15 15:50:36 CEST 2008 - lnussel@suse.de
+
+- check status of SuSEfirewall2 without triggering module load (bnc#435653)
+- add missing iptables-batch commitpoint for IPv4
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
Old: ---- SuSEfirewall2-3.6_SVNr204.tar.bz2
New: ---- SuSEfirewall2-3.6_SVNr206.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ SuSEfirewall2.spec ++++++
--- /var/tmp/diff_new_pack.ze7466/_old 2008-10-16 02:00:05.000000000 +0200
+++ /var/tmp/diff_new_pack.ze7466/_new 2008-10-16 02:00:05.000000000 +0200
@@ -1,5 +1,5 @@
 #
-# spec file for package SuSEfirewall2 (Version 3.6_SVNr204)
+# spec file for package SuSEfirewall2 (Version 3.6_SVNr206)
 #
 # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@@ -20,7 +20,7 @@
 Name: SuSEfirewall2
-Version: 3.6_SVNr204
+Version: 3.6_SVNr206
 Release: 1
 License: GPL v2 or later
 Group: Productivity/Networking/Security
@@ -196,6 +196,9 @@
 rm -rf %{buildroot}
 %changelog
+* Wed Oct 15 2008 lnussel@suse.de
+- check status of SuSEfirewall2 without triggering module load (bnc#435653)
+- add missing iptables-batch commitpoint for IPv4
 * Tue Sep 30 2008 lnussel@suse.de
 - don't modify the ip local port range
 - allow negated rules via ! in FW_FORWARD_MASQ (bnc#413046)
++++++ SuSEfirewall2-3.6_SVNr204.tar.bz2 -> SuSEfirewall2-3.6_SVNr206.tar.bz2 ++++++
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.6_SVNr204/SuSEfirewall2 new/SuSEfirewall2-3.6_SVNr206/SuSEfirewall2
--- old/SuSEfirewall2-3.6_SVNr204/SuSEfirewall2 2008-09-12 15:58:33.000000000 +0200
+++ new/SuSEfirewall2-3.6_SVNr206/SuSEfirewall2 2008-10-15 15:49:55.000000000 +0200
@@ -305,24 +305,6 @@
 esac
- if [ "$IP6TABLES" != ':' ]; then
- # Do we have a kernel with IPv6 enabled?
- $IP6TABLES -nvL >/dev/null 2>&1 || IP6TABLES=:
- if ! $IP6TABLES -m state --help >/dev/null 2>&1 || \
- ( ! $modinfo ip6t_state >/dev/null 2>&1 && ! $modinfo xt_state >/dev/null 2>&1); then
- warning "ip6tables does not support state matching. Extended IPv6 support disabled."
- IP6TABLES_HAVE_STATE=0
- # reject incoming packets if not specified otherwise
- [ "$FW_IPv6" != 'no' -a "$FW_IPv6" != 'drop' ] && FW_IPv6='reject'
- fi
-
- $modinfo ip6t_REJECT >/dev/null 2>&1 || IP6TABLES_HAVE_REJECT=0
-
- if [ \( "$FW_REJECT" = "yes" -o "$FW_IPv6" = "reject" \) \
- -a "$IP6TABLES_HAVE_REJECT" != 1 ]; then
- warning "Kernel lacks support for IPv6 REJECT target! Using DROP for IPv6 instead."
- fi
- fi
 ####
 if [ -n "$USE_IPTABLES_BATCH" ]; then
@@ -361,6 +343,33 @@
 ###############
+check_ip6tables_support()
+{
+ [ "$IP6TABLES" != ':' ] || return
+
+ # Do we have a kernel with IPv6 enabled?
+ $IP6TABLES_BIN -nvL >/dev/null 2>&1 || IP6TABLES=:
+ if ! $IP6TABLES_BIN -m state --help >/dev/null 2>&1 || \
+ ( ! $modinfo ip6t_state >/dev/null 2>&1 && ! $modinfo xt_state >/dev/null 2>&1); then
+ warning "ip6tables does not support state matching. Extended IPv6 support disabled."
+ IP6TABLES_HAVE_STATE=0
+ # reject incoming packets if not specified otherwise
+ [ "$FW_IPv6" != 'no' -a "$FW_IPv6" != 'drop' ] && FW_IPv6='reject'
+ fi
+
+ $modinfo ip6t_REJECT >/dev/null 2>&1 || IP6TABLES_HAVE_REJECT=0
+
+ if [ \( "$FW_REJECT" = "yes" -o "$FW_IPv6" = "reject" \) \
+ -a "$IP6TABLES_HAVE_REJECT" != 1 ]; then
+ warning "Kernel lacks support for IPv6 REJECT target! Using DROP for IPv6 instead."
+ fi
+}
+
+is_running()
+{
+ test -e /proc/net/ip_tables_names && $IPTABLES_BIN -nL reject_func >/dev/null 2>&1
+}
+
 parse_logging()
 {
 if [ -z "$FW_LOG_LIMIT" ]; then
@@ -622,6 +631,8 @@
 {
 local itype
+ check_ip6tables_support
+
 load_modules ip_tables ip_conntrack $FW_LOAD_MODULES
 if [ "$IP6TABLES" != ':' ]; then
@@ -2130,7 +2141,7 @@
 if [ "$UID" != 0 ]; then
 die 2 "You need to be root to check the status"
 fi
- if ! $IPTABLES -nL reject_func >/dev/null 2>&1; then
+ if ! is_running; then
 die 1 "SuSEfirewall2 not active"
 fi
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.6_SVNr204/SuSEfirewall2-batch new/SuSEfirewall2-3.6_SVNr206/SuSEfirewall2-batch
--- old/SuSEfirewall2-3.6_SVNr204/SuSEfirewall2-batch 2005-08-01 16:29:57.000000000 +0200
+++ new/SuSEfirewall2-3.6_SVNr206/SuSEfirewall2-batch 2008-10-15 15:49:55.000000000 +0200
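Review bot: `is_running` only checks that /proc/net/ip_tables_names exists before it calls `$IPTABLES_BIN -nL reject_func`, and that file is present as soon as ip_tables has been loaded by anything. If the filter table is not registered at that moment, the listing can presumably still pull in iptable_filter, which is the side effect the changelog entry for bnc#435653 sets out to avoid. Matching the table name closes that gap: `grep -q '^filter$' /proc/net/ip_tables_names 2>/dev/null && $IPTABLES_BIN -nL reject_func >/dev/null 2>&1`. A comment above the function such as `# must not trigger a module load: consult /proc before calling iptables` would keep a later cleanup from dropping the guard. In `check_ip6tables_support` the `|| IP6TABLES=:` probe does not return, so the state and REJECT checks still run with IPv6 already switched off; this is carried over from the removed inline code, but an explicit `return` there would make the intent clear.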
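Review bot: The IPv6 capability probe now runs only where this hunk calls `check_ip6tables_support`, whereas the removed code ran it during script initialisation for every action. Any action that does not pass through this function keeps whatever `IP6TABLES`, `IP6TABLES_HAVE_STATE` and `FW_IPv6` held before, so on a kernel without IPv6 such a path would no longer see `IP6TABLES=:`; whether the stop or close paths use those variables cannot be seen here, because the enclosing function starts and ends outside the hunk. A comment at the call, for example `# probe IPv6 support here rather than at script start, so read-only actions do not call ip6tables`, would record the presumed reason for the move.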
@@ -60,6 +60,7 @@
 iptables_batch_commitpoint()
 {
+ echo commit >&4
 echo commit >&6
 }
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
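Review bot: `iptables_batch_commitpoint` writes to descriptors 4 and 6, but nothing in the hunk says which batch process owns which, and neither write is checked. Going by the changelog entry, fd 4 is presumably the IPv4 iptables-batch pipe and fd 6 the IPv6 one; a comment such as `# fd 4: iptables-batch (IPv4), fd 6: ip6tables-batch (IPv6)` would make that explicit. If either descriptor can be closed when the commitpoint is reached (for instance with IPv6 disabled), the `echo` fails with a bad-descriptor error and that family's queued rules are not committed at that point. It is worth confirming that both descriptors are always open here, or reporting the failure instead of ignoring it.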