Hello community, here is the log from the commit of package SuSEfirewall2 for openSUSE:Factory checked in at Fri Aug 21 17:50:08 CEST 2009.
--------
--- SuSEfirewall2/SuSEfirewall2.changes 2009-07-17 12:05:19.000000000 +0200
+++ SuSEfirewall2/SuSEfirewall2.changes 2009-08-21 13:10:41.000000000 +0200
@@ -1,0 +2,6 @@
+Fri Aug 21 11:09:40 UTC 2009 - lnussel@suse.de
+
+- implement runtime override of interface zones
+- allow disabling NOTRACK rules on lo (bnc#519526)
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
Old:
----
SuSEfirewall2-3.6_SVNr220.tar.bz2
New:
----
SuSEfirewall2-3.6_SVNr223.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ SuSEfirewall2.spec ++++++
--- /var/tmp/diff_new_pack.EQToud/_old 2009-08-21 17:49:42.000000000 +0200
+++ /var/tmp/diff_new_pack.EQToud/_new 2009-08-21 17:49:42.000000000 +0200
@@ -1,5 +1,5 @@
 #
-# spec file for package SuSEfirewall2 (Version 3.6_SVNr220)
+# spec file for package SuSEfirewall2 (Version 3.6_SVNr223)
 #
 # Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@@ -20,7 +20,7 @@
 Name: SuSEfirewall2
-Version: 3.6_SVNr220
+Version: 3.6_SVNr223
 Release: 1
 License: GPL v2 or later
 Group: Productivity/Networking/Security
++++++ SuSEfirewall2-3.6_SVNr220.tar.bz2 -> SuSEfirewall2-3.6_SVNr223.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6_SVNr220/SuSEfirewall2 new/SuSEfirewall2-3.6_SVNr223/SuSEfirewall2
--- old/SuSEfirewall2-3.6_SVNr220/SuSEfirewall2 2009-07-09 15:49:12.000000000 +0200
+++ new/SuSEfirewall2-3.6_SVNr223/SuSEfirewall2 2009-08-21 13:08:15.000000000 +0200
@@ -160,6 +160,7 @@
 FWCONFIG="/etc/sysconfig/SuSEfirewall2"
 LOCKFILE="/var/lock/SuSEfirewall2.pid"
 BOOTLOCKFILE="/var/lock/SuSEfirewall2.booting"
+STATUSDIR="/var/run/SuSEfirewall2"
 FW_CUSTOMRULES=""
 FW_ZONE_DEFAULT=""
@@ -654,15 +655,14 @@
 reset_rules "$DROP_JUMP" ACCEPT "$DROP_JUMP"
 # loopback is always allowed
- $IPTABLES -A INPUT -j "$ACCEPT" -i lo
- $IPTABLES -A OUTPUT -j "$ACCEPT" -o lo
- $IPTABLES -t raw -A PREROUTING -j NOTRACK -i lo
- $IPTABLES -t raw -A OUTPUT -j NOTRACK -o lo
-
- $IP6TABLES -A INPUT -j "$ACCEPT" -i lo
- $IP6TABLES -A OUTPUT -j "$ACCEPT" -o lo
- $IP6TABLES -t raw -A PREROUTING -j NOTRACK -i lo
- $IP6TABLES -t raw -A OUTPUT -j NOTRACK -o lo
+ for iptables in "$IPTABLES" "$IP6TABLES"; do
+ $iptables -A INPUT -j "$ACCEPT" -i lo
+ $iptables -A OUTPUT -j "$ACCEPT" -o lo
+ if [ "$FW_LO_NOTRACK" != 'no' ]; then
+ $iptables -t raw -A PREROUTING -j NOTRACK -i lo
+ $iptables -t raw -A OUTPUT -j NOTRACK -o lo
+ fi
+ done
 # Special REJECT function
 #
@@ -877,13 +877,38 @@
 . $dir/ifcfg-$cfg 2>/dev/null
 }
+check_iface_override()
+{
+ local iface="$1"
+ local f="$STATUSDIR/override/interfaces/$iface/zone"
+ local z dummy
+ test -e "$f" || return 0
+ read z dummy < "$f" || return 0
+ echo "$z"
+}
+
 autodetect_interfaces()
 {
 local d z
+ local have_override=''
 set -- `cd /sys/class/net; echo *` 2>/dev/null
 for d in "$@"; do
 [ -z "$d" -o "$d" = 'lo' -o "$d" = 'sit0' ] && continue
 d=${d//[^A-Za-z0-9]/_}
+ unset z
+ if [ "$FW_RUNTIME_OVERRIDE" != 'no' ]; then
+ z=`check_iface_override $d`
+ if [ -n "$z" ]; then
+ eval iface_$d=$z
+ if eval [ -n "\"\$zone_$z\"" ]; then
+ message "runtime zone override '$z' for interface '$d'"
+ have_override=1
+ continue
+ else
+ error "invalid zone '$z' as override for interface '$d'"
+ fi
+ fi
+ fi
 eval z=\${iface_$d}
 [ -n "$z" ] && continue
 eval [ -n "\"\$seen_$d\"" ] && continue
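Review bot: The comment `# loopback is always allowed` above the new loop no longer describes the whole block, since the two raw-table NOTRACK rules are now skipped when FW_LO_NOTRACK is 'no' while the ACCEPT rules stay unconditional. I would extend it to `# loopback is always allowed; NOTRACK on lo is optional (FW_LO_NOTRACK, bnc#519526)` so the next reader does not assume the raw-table rules are always present. The loop invokes `$iptables` unquoted for both tools exactly as the removed lines did, so behaviour there is unchanged.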
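Review bot: In autodetect_interfaces the value read from `$STATUSDIR/override/interfaces/$d/zone` reaches `eval iface_$d=$z` and `eval [ -n "\"\$zone_$z\"" ]` without any validation, so the firewall script, which runs as root, interprets whatever that file contains as shell syntax, whereas the interface name went through `d=${d//[^A-Za-z0-9]/_}` two lines earlier and `$z` gets no equivalent. The assignment is also made before the zone-existence test, so an unknown override zone is still stored in `iface_$d` and, if error() does not exit, the following `eval z=\${iface_$d}` accepts it as the configured zone. I would reject anything but a plain identifier before the first eval and only assign once the zone is known to exist, as below; `read z dummy < "$f"` in the new check_iface_override should likewise be `read -r z dummy < "$f"`. autodetect_interfaces continues past the end of this hunk.
```shell
		if [ "$FW_RUNTIME_OVERRIDE" != 'no' ]; then
			z=`check_iface_override $d`
			# only a plain identifier may reach the evals below
			case "$z" in
				*[!A-Za-z0-9_]*)
					error "invalid zone '$z' as override for interface '$d'"
					z=''
					;;
			esac
			if [ -n "$z" ]; then
				if eval [ -n "\"\$zone_$z\"" ]; then
					eval iface_$d=$z
					message "runtime zone override '$z' for interface '$d'"
					have_override=1
					continue
				else
					error "invalid zone '$z' as override for interface '$d'"
				fi
			fi
		fi
		# … unchanged: fallback to configured iface_$d / seen_$d handling …
```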
@@ -907,6 +932,72 @@
 warning "no firewall zone defined for interface $d"
 fi
 done
+
+ # runtime override, we have to reconstruct FW_DEV_*
+ if [ -n "$have_override" ]; then
+ for z in $all_zones; do
+ eval "FW_DEV_$z=''"
+ done
+ for d in ${!iface_*}; do
+ eval z="\$$d"
+ eval "FW_DEV_$z=\"\$FW_DEV_$z ${d#iface_}\""
+ done
+ fi
+}
+
+write_interface_status()
+{
+ local d z
+ mkdir -p "$STATUSDIR"/status/interfaces
+ for d in "$STATUSDIR/status/interfaces/"*; do
+ d=${d##*/}
+ [ "$d" != '*' ] || break
+ d=${d//[^A-Za-z0-9]/_}
+ eval z="\$iface_$d"
+ if [ -z "$z" ]; then
+ rm -rf "$STATUSDIR/status/interfaces/$d"
+ else
+ eval local seen_$d=1
+ echo $z > "$STATUSDIR/status/interfaces/$d/zone"
+ fi
+ done
+ for d in ${!iface_*}; do
+ eval z="\$$d"
+ d=${d#iface_}
+ eval [ -n "\"\$seen_$d\"" ] && continue
+ mkdir "$STATUSDIR/status/interfaces/$d"
+ echo $z > "$STATUSDIR/status/interfaces/$d/zone"
+ done
+}
+
+write_zone_status()
+{
+ local v z
+ mkdir -p "$STATUSDIR/status/zones"
+ for z in "$STATUSDIR/status/zones/"*; do
+ z=${z##*/}
+ [ "$z" != '*' ] || break
+ z=${z//[^A-Za-z0-9]/_}
+ eval v="\$zone_$d"
+ if [ -z "$v" ]; then
+ rm -rf "$STATUSDIR/status/zones/$z"
+ else
+ eval local seen_$z=1
+ fi
+ done
+ for z in $all_zones; do
+ eval [ -n "\"\$seen_$z\"" ] && continue
+ mkdir "$STATUSDIR/status/zones/$z"
+ done
+}
+
+write_status()
+{
+ [ "$MODE" != "debug" ] || return
+ [ "$FW_WRITE_STATUS" != "no" ] || return
+
+ write_interface_status
+ write_zone_status
 }
 parse_interfaces()
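Review bot: write_zone_status tests `eval v="\$zone_$d"` although the loop variable is `$z` and `d` is not declared in this function, so the lookup reads `$zone_` or whatever `d` a caller left behind; `v` is then empty for every existing entry, each directory under `$STATUSDIR/status/zones` is removed with `rm -rf` and recreated on every run, and `seen_$z` is never set. The line should read `eval v="\$zone_$z"`. In write_interface_status the two `echo $z > ...` lines write the zone name unquoted; `printf '%s\n' "$z" > ...` avoids both word splitting and echo's option parsing should a zone name ever begin with `-`. The status tree is created with `mkdir -p` under the caller's umask; since the override subtree of the same `$STATUSDIR` is consumed by eval in autodetect_interfaces, an explicit mode would make root-only writability independent of the environment, though who is expected to populate override/ is not visible from this hunk.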
@@ -2197,6 +2288,7 @@
 parse_interfaces
 check_interfaces_unique
 autodetect_interfaces
+write_status
 process_masq_dev
 load_customrules
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6_SVNr220/SuSEfirewall2.sysconfig new/SuSEfirewall2-3.6_SVNr223/SuSEfirewall2.sysconfig
--- old/SuSEfirewall2-3.6_SVNr220/SuSEfirewall2.sysconfig 2009-07-09 15:49:12.000000000 +0200
+++ new/SuSEfirewall2-3.6_SVNr223/SuSEfirewall2.sysconfig 2009-08-21 13:08:15.000000000 +0200
@@ -1204,3 +1204,37 @@
 # Defaults to "auto" if not set
 #
 FW_FORWARD_ALLOW_BRIDGING=
+
+## Type: yesno
+## Default: yes
+#
+# Write status information to /var/run/SuSEfirewall2/status for use
+# by e.g. graphical user interfaces. Can safely be disabled on
+# servers.
+#
+# Defaults to "yes" if not set
+#
+FW_WRITE_STATUS=
+
+## Type: yesno
+## Default: yes
+#
+# Allow dynamic configuration overrides in
+# /var/run/SuSEfirewall2/override for use by e.g. graphical user
+# interfaces. Can safely be disabled on servers.
+#
+# Defaults to "yes" if not set
+#
+FW_RUNTIME_OVERRIDE=
+
+## Type: yesno
+## Default: yes
+#
+# Install NOTRACK target for interface lo in the raw table. Doing so
+# speeds up packet processing on the loopback interface. This breaks
+# certain firewall setups that need to e.g. redirect outgoing
+# packets via custom rules on the local machine.
+#
+# Defaults to "yes" if not set
+#
+FW_LO_NOTRACK=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6_SVNr220/SuSEfirewall2_init new/SuSEfirewall2-3.6_SVNr223/SuSEfirewall2_init
--- old/SuSEfirewall2-3.6_SVNr220/SuSEfirewall2_init 2008-09-30 10:47:51.000000000 +0200
+++ new/SuSEfirewall2-3.6_SVNr223/SuSEfirewall2_init 2009-08-21 13:08:15.000000000 +0200
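Review bot: The FW_RUNTIME_OVERRIDE description in the sysconfig hunk says the override files are "for use by e.g. graphical user interfaces" but not what the script does with them: in this commit the zone name read from /var/run/SuSEfirewall2/override/interfaces/*/zone is passed through eval in autodetect_interfaces, so the directory must remain writable by root only. I would add to that comment block `# The override tree is read by the firewall script as root and must not be writable by other users.` The FW_WRITE_STATUS entry names /var/run/SuSEfirewall2/status, which matches the `STATUSDIR` value introduced in the script's first hunk.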
@@ -34,6 +34,7 @@
 echo -n "Starting Firewall Initialization "
 if test -x /usr/sbin/iptables; then
 echo -n '(phase 1 of 2) '
+ /bin/rm -rf /var/run/SuSEfirewall2
 $SUSEFWALL --bootlock -q close
 else
 echo -n "${extd}iptables not available (yet)${norm}"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
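Review bot: The init script removes `/var/run/SuSEfirewall2` by literal path while the main script refers to the same directory as `STATUSDIR` (first hunk of SuSEfirewall2), so a change to either one silently stops the boot-time cleanup from matching the tree the override logic reads. At minimum I would mark the coupling: `# must match STATUSDIR in $SUSEFWALL`. The removal also sits only in the `test -x /usr/sbin/iptables` branch, so when iptables is not yet available in phase 1, override entries left from the previous boot survive unless phase 2 repeats the cleanup, which is outside this hunk; the enclosing if/else continues past the hunk's end.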