Hello community, here is the log from the commit of package SuSEfirewall2 for openSUSE:Factory checked in at Tue Jun 9 17:50:00 CEST 2009. -------- --- SuSEfirewall2/SuSEfirewall2.changes 2008-11-06 13:18:41.000000000 +0100 +++ /mounts/work_src_done/STABLE/SuSEfirewall2/SuSEfirewall2.changes 2009-06-09 16:23:08.000000000 +0200 @@ -1,0 +2,10 @@ +Tue Jun 9 14:19:27 UTC 2009 - lnussel@suse.de + +- add note that ulog doesn't work with IPv6 (bnc#442756) +- fix version number in help text +- allow service files to specify kernel modules and allow related packets +- silence an error from bash if a service config file is not available (bnc#487870) +- better wording for BROADCAST in template +- update firewall hook script (patch by Marius) + +------------------------------------------------------------------- calling whatdependson for head-i586 Old: ---- SuSEfirewall2-3.6_SVNr208.tar.bz2 New: ---- SuSEfirewall2-3.6_SVNr214.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ SuSEfirewall2.spec ++++++ --- /var/tmp/diff_new_pack.u26986/_old 2009-06-09 17:49:45.000000000 +0200 +++ /var/tmp/diff_new_pack.u26986/_new 2009-06-09 17:49:45.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package SuSEfirewall2 (Version 3.6_SVNr208) +# spec file for package SuSEfirewall2 (Version 3.6_SVNr214) # -# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -20,7 +20,7 @@ Name: SuSEfirewall2 -Version: 3.6_SVNr208 +Version: 3.6_SVNr214 Release: 1 License: GPL v2 or later Group: Productivity/Networking/Security 
@@ -80,6 +80,7 @@ /etc/sysconfig/scripts/SuSEfirewall2-qdisc /etc/sysconfig/scripts/SuSEfirewall2-oldbroadcast /etc/sysconfig/network/scripts/SuSEfirewall2 +/etc/sysconfig/network/scripts/firewall /etc/sysconfig/network/if-up.d/SuSEfirewall2 /sbin/rcSuSEfirewall2 /sbin/SuSEfirewall2 @@ -196,6 +197,13 @@ rm -rf %{buildroot} %changelog +* Tue Jun 09 2009 lnussel@suse.de +- add note that ulog doesn't work with IPv6 (bnc#442756) +- fix version number in help text +- allow service files to specify kernel modules and allow related packets +- silence an error from bash if a service config file is not available (bnc#487870) +- better wording for BROADCAST in template +- update firewall hook script (patch by Marius) * Thu Nov 06 2008 lnussel@suse.de - check whether IPv6 support is available when stopping the firewall (bnc#442118) @@ -210,7 +218,7 @@ - SuSEfirewall2_init: don't fail if /usr is not available (bnc#429899) * Tue Sep 02 2008 lnussel@suse.de - fix "recent" match (bnc#421806) -* Mon Aug 25 2008 ro@suse.de +* Sun Aug 24 2008 ro@suse.de - remove outdated start variables from fillup_and_insserv call * Thu Jul 31 2008 werner@suse.de - Make boot script know about new upcoming startpar and insserv @@ -549,7 +557,7 @@ * Sat Sep 20 2003 garloff@suse.de - #27316: Fix determination of external interface in Personal- Firewall Mode. -* Tue Sep 02 2003 mmj@suse.de +* Mon Sep 01 2003 mmj@suse.de - Add sysconfig metadata [#28808] * Thu Jul 31 2003 kukuk@suse.de - serial was renamed to setserial [Bug #28353] @@ -594,7 +602,7 @@ - Move custom_before_port_handling before we split the rulechains into input_XXX and forward_XXX and introduce custom_after_port _handling at old position. -* Sun Oct 06 2002 garloff@suse.de +* Sat Oct 05 2002 garloff@suse.de - Consolidate patches: * Integrate fixes for FW_SERVICES_QUICK in it * Integrate fixes for service_noext in it 
@@ -619,7 +627,7 @@ * Sun Sep 15 2002 draht@suse.de - added missing -j option to iptables. Fix in SuSEfirewall2-3.1.correct-reject.diff -* Wed Sep 11 2002 draht@suse.de +* Tue Sep 10 2002 draht@suse.de - bug in interface address parsing from ifconfig output (#19384) * Sun Sep 08 2002 kukuk@suse.de - Add "Provides: personal-firewall" [Bug #19097] @@ -643,7 +651,7 @@ rulechain now). - Add optional FW_SERVICES_QUICK_ to make QUICK mode useful for many more people. Defaults to empty of course. -* Thu Sep 05 2002 garloff@suse.de +* Wed Sep 04 2002 garloff@suse.de - Unify spec file for older version of SL using %%if %%suse_version. * Wed Sep 04 2002 garloff@suse.de - Added Obsoletes: personal-firewall (#18691) @@ -725,7 +733,7 @@ * FW_*_ALLOW_HIGH_PORT: related connections always allowed now, therefore INCOMING_HIGHPORTS_TCP="no" by default now. * '!' support for FW_REDIRECT -* Wed Nov 28 2001 garloff@suse.de +* Tue Nov 27 2001 garloff@suse.de - Update to SuSEfirewall2-2.0: * Typo which created probs for ADSL users fixed. - Update to SuSEfirewall2-1.8: ++++++ SuSEfirewall2-3.6_SVNr208.tar.bz2 -> SuSEfirewall2-3.6_SVNr214.tar.bz2 ++++++ diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.6_SVNr208/Makefile new/SuSEfirewall2-3.6_SVNr214/Makefile --- old/SuSEfirewall2-3.6_SVNr208/Makefile 2007-06-13 17:01:25.000000000 +0200 +++ new/SuSEfirewall2-3.6_SVNr214/Makefile 2009-06-09 16:15:29.000000000 +0200 
@@ -66,6 +66,7 @@ done install -m 755 SuSEfirewall2_ifup $(DESTDIR)/etc/sysconfig/network/scripts/SuSEfirewall2 ln -s /etc/sysconfig/network/scripts/SuSEfirewall2 $(DESTDIR)/etc/sysconfig/network/if-up.d + ln -s SuSEfirewall2 $(DESTDIR)/etc/sysconfig/network/scripts/firewall install -m 755 SuSEfirewall2-custom.sysconfig $(DESTDIR)/etc/sysconfig/scripts/SuSEfirewall2-custom install -m 644 SuSEfirewall2.service.TEMPLATE $(DESTDIR)/etc/sysconfig/SuSEfirewall2.d/services/TEMPLATE diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.6_SVNr208/SuSEfirewall2 new/SuSEfirewall2-3.6_SVNr214/SuSEfirewall2 --- old/SuSEfirewall2-3.6_SVNr208/SuSEfirewall2 2008-11-06 11:01:20.000000000 +0100 +++ new/SuSEfirewall2-3.6_SVNr214/SuSEfirewall2 2009-06-09 16:15:29.000000000 +0200 @@ -48,7 +48,7 @@ help() { cat <<EOF -SuSEfirewall2 3.4, Copyright (C) 2005 SUSE LINUX Products GmbH +SuSEfirewall2 3.6, Copyright (C) 2005 SUSE LINUX Products GmbH stateful packet filter rules generator for iptables. @@ -1076,10 +1076,12 @@ local RPC='' local IP='' local BROADCAST='' + local RELATED='' + local MODULES='' # XXX: could use a sub shell in order to enforce use of known variables only if [ ! -r $CONFIGURATIONSDIR_0/$config ] || ! . $CONFIGURATIONSDIR_0/$config; then - if ! . $CONFIGURATIONSDIR_1/$config; then + if [ ! -r $CONFIGURATIONSDIR_1/$config ] || ! . $CONFIGURATIONSDIR_1/$config; then warning "config '$config' not available" continue fi 
@@ -1097,6 +1099,15 @@ eval $var=""$$var $BROADCAST"" fi fi + + if [ -n "$RELATED" ]; then + eval FW_SERVICES_ACCEPT_RELATED_`cibiz $zone`=""$FW_SERVICES_ACCEPT_RELATED_`cibiz $zone` $RELATED"" + fi + + if [ -n "$MODULES" ]; then + eval FW_LOAD_MODULES=""$FW_LOAD_MODULES $MODULES"" + fi + done done } diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.6_SVNr208/SuSEfirewall2_ifup new/SuSEfirewall2-3.6_SVNr214/SuSEfirewall2_ifup --- old/SuSEfirewall2-3.6_SVNr208/SuSEfirewall2_ifup 2007-06-13 16:04:57.000000000 +0200 +++ new/SuSEfirewall2-3.6_SVNr214/SuSEfirewall2_ifup 2009-06-09 16:15:29.000000000 +0200 
@@ -26,18 +26,79 @@ export PATH=/sbin:/usr/sbin:/usr/bin:/bin -config="$1" -iface="$2" - . /etc/sysconfig/network/config 2>/dev/null -. /etc/sysconfig/network/ifcfg-"$config" 2>/dev/null || true - -[ "$FIREWALL" = 'yes' ] || exit 0 - -/sbin/SuSEfirewall2 -q status &>/dev/null case "$0" in - *if-up.d*) /sbin/SuSEfirewall2 -q start ;; - *if-down.d*) /sbin/SuSEfirewall2 -q start ;; + # + # network firewall actions executed via the link + # /etc/sysconfig/network/scripts/firewall + # by /etc/init.d/network and /sbin/ifstatus. + # + # Currently the following actions are available: + # - net-reconfig-init: + # /etc/init.d/network signals a manual restart + # to avoid firewall refresh on "up" and "down" + # of every single interface. + # + # - net-reconfig-done: + # /etc/init.d/network signals a restart end to + # reenable restarting and refresh the rules. + # + # - running: + # reports if the firewall script is running i.e. + # applying rules at the moment. + # Queried by ifstatus if the interface setup is + # still in progress; reports 'in background' then. + # + # - status: + # reports status if the firewall is active + # + # - try-restart: + # restarts the firewall when enabled and active + # + *scripts/firewall) + case $1 in + net-reconfig-init) + [ "$FIREWALL" = 'yes' ] || exit 2 + /sbin/SuSEfirewall2 -q status &>/dev/null || exit 3 + /sbin/SuSEfirewall2 bootlock + ;; + net-reconfig-done) + [ "$FIREWALL" = 'yes' ] || exit 2 + /sbin/SuSEfirewall2 -q status &>/dev/null || exit 3 + /sbin/SuSEfirewall2 --bootunlock start + ;; + running) + test -f /var/lock/SuSEfirewall2.pid + ;; + + status) + /sbin/SuSEfirewall2 -q status &>/dev/null + ;; + try-restart) + /sbin/chkconfig --check SuSEfirewall2_setup && \ + /sbin/SuSEfirewall2 -q status &>/dev/null && \ + /sbin/SuSEfirewall2 start + ;; + esac + ;; + # + # ifup /etc/sysconfig/network/if-{up,down}.d/ script part; + # refresh the firewall rules on interface "up" and "down". 
+ # + (*if-up.d*|*if-down.d*) + + config="$1" + iface="$2" + + . /etc/sysconfig/network/ifcfg-"$config" 2>/dev/null || true + + [ "$FIREWALL" = 'yes' ] || exit 0 + + /sbin/chkconfig --check SuSEfirewall2_setup && \ + /sbin/SuSEfirewall2 -q status &>/dev/null && \ + /sbin/SuSEfirewall2 -q start + ;; *) echo "don't know what to do" >&2 ;; esac + diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.6_SVNr208/SuSEfirewall2.service.TEMPLATE new/SuSEfirewall2-3.6_SVNr214/SuSEfirewall2.service.TEMPLATE --- old/SuSEfirewall2-3.6_SVNr208/SuSEfirewall2.service.TEMPLATE 2007-03-01 16:28:51.000000000 +0100 +++ new/SuSEfirewall2-3.6_SVNr214/SuSEfirewall2.service.TEMPLATE 2009-06-09 16:15:29.000000000 +0200 @@ -1,8 +1,10 @@ # Do not edit this file as it's just a template and will be # overwritten on package updates! Copy to a new file instead. +# Fill in the required variables and delete the unused ones. +# If in doubt ask security@suse.de # -# Only the variables TCP, UDP, RPC, IP and BROADCAST are allowed. -# More may be supported in the future. +# Only the variables TCP, UDP, RPC, IP, BROADCAST, RELATED and +# MODULES are allowed. More may be supported in the future. # # For a more detailed description of the individual variables see # the comments for FW_SERVICES_*_EXT in /etc/sysconfig/SuSEfirewall2 
@@ -23,5 +25,17 @@ # space separated list of allowed IP protocols IP="" -# space separated list of allowed UDP broadcast ports +# space separated list of allowed UDP ports that accept broadcasts BROADCAST="" + +### variables below are only needed in very special cases + +# space separated list of net,protocol[,sport[,dport]] +# see FW_SERVICES_ACCEPT_RELATED_EXT +# net 0/0 means IPv4 and IPv6. If this sevice should only work for +# IPv4 use 0.0.0.0/0 +RELATED="" + +# additional kernel modules needed for this service +# see FW_LOAD_MODULES +MODULES="" diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.6_SVNr208/SuSEfirewall2.sysconfig new/SuSEfirewall2-3.6_SVNr214/SuSEfirewall2.sysconfig --- old/SuSEfirewall2-3.6_SVNr208/SuSEfirewall2.sysconfig 2008-11-06 13:17:10.000000000 +0100 +++ new/SuSEfirewall2-3.6_SVNr214/SuSEfirewall2.sysconfig 2009-01-23 10:40:58.000000000 +0100 @@ -768,6 +768,8 @@ # You may specify an alternative logging target by starting the # string with "-j ". E.g. "-j ULOG --ulog-prefix SFW2" # +# Note that ULOG doesn't work with IPv6 +# # only change this if you know what you are doing! FW_LOG="" ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
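Review bot: in the SuSEfirewall2.spec %changelog hunks, several historical entries have their dates moved back by one day (for example `* Mon Aug 25 2008 ro@suse.de` becomes `* Sun Aug 24 2008 ro@suse.de`, and `* Thu Sep 05 2002 garloff@suse.de` becomes `* Wed Sep 04 2002 garloff@suse.de`, the same date as the entry below it). None of these changes is listed in the new .changes entry. If they are a side effect of regenerating the changelog, say so in the log; otherwise leave the old entries untouched.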
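Review bot: in the SuSEfirewall2 hunk at @@ -1076,10 +1076,12 @@, the new test `[ ! -r $CONFIGURATIONSDIR_1/$config ]` leaves both expansions unquoted, so a service name containing whitespace or glob characters changes what `[` sees. Quote the path in the test and in the `.` that follows it. With RELATED and MODULES added, a sourced service file now decides which kernel modules get loaded, so the existing XXX remark about sourcing in a sub shell and copying out only the known variables is worth acting on in this change.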
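Review bot: in the SuSEfirewall2 hunk at @@ -1097,6 +1099,15 @@, the `eval FW_LOAD_MODULES=...` line does not need eval, because the variable name is fixed; a plain assignment `FW_LOAD_MODULES="$FW_LOAD_MODULES $MODULES"` avoids re-parsing the contents of MODULES as shell. The RELATED assignment does need eval for the zone suffix, but as the line reads here the `""` pairs are empty strings, which leaves `$RELATED` unquoted and evaluated a second time; escape the inner quotes and the `$` so that eval only builds the variable name. Neither value is validated before use, so a check that MODULES contains only module-name characters would be a reasonable addition.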
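Review bot: in the SuSEfirewall2_ifup hunk at @@ -26,18 +26,79 @@, the inner `case $1 in` under `*scripts/firewall)` has no default branch, so an unknown or missing action matches nothing and the script exits 0; a caller such as /etc/init.d/network cannot tell that apart from success. Add a `*)` branch that prints the accepted actions to stderr and exits non-zero, and quote `$1`. The outer `*)` branch has the same problem, since `echo "don't know what to do" >&2` is its last command and the exit status is still 0. Separately, `running)` only tests that /var/lock/SuSEfirewall2.pid exists, so a stale file left behind by a killed run is reported as still running.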
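Review bot: in the SuSEfirewall2.service.TEMPLATE hunk at @@ -23,5 +25,17 @@, the added RELATED comment has a typo: "sevice" should be "service". The format `net,protocol[,sport[,dport]]` would also benefit from one concrete example entry, since the reader is otherwise sent to FW_SERVICES_ACCEPT_RELATED_EXT in another file, and the MODULES comment should state how multiple modules are separated, as the comments for the other variables do.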