[yast-commit] r65399 - in /branches/SuSE-Code-11-SP1-Branch/yast2: library/network/agents/ library/network/src/ library/network/testsuite/tests/ package/
- From: locilka@xxxxxxxxxxxxxxxxx
- Date: Fri, 26 Aug 2011 11:30:57 -0000
- Message-id: <20110826113057.47FA032688@svn2.opensuse.org>
Author: locilka
Date: Fri Aug 26 13:30:56 2011
New Revision: 65399
URL: http://svn.opensuse.org/viewcvs/yast?rev=65399&view=rev
Log:
- Fixed handling of FW_SERVICES_ACCEPT_* in SuSEFirewall modules to
understand flags as the fifth parameter (bnc#712670)
- Fixed SuSEfirewall2 SCR agent to parse the sysconfig file
properly (bnc#712670)
Modified:
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/agents/sysconfig_SuSEfirewall2.scr
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewall.ycp
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewallExpertRules.ycp
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.out
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.ycp
branches/SuSE-Code-11-SP1-Branch/yast2/package/yast2.changes
Modified:
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/agents/sysconfig_SuSEfirewall2.scr
URL:
http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP1-Branch/yast2/library/network/agents/sysconfig_SuSEfirewall2.scr?rev=65399&r1=65398&r2=65399&view=diff
==============================================================================
---
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/agents/sysconfig_SuSEfirewall2.scr
(original)
+++
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/agents/sysconfig_SuSEfirewall2.scr
Fri Aug 26 13:30:56 2011
@@ -33,6 +33,12 @@
"comments": [ "^[ \t]*#.*$", "#.*", "^[ \t]*$", ],
"params" : [
$[
+ // with quotes
+ "match" : [ "^[ \t]*([_a-zA-Z0-9]+)[ \t]*=[ \t]*\"(.*)\"[
\t]*$", "%s=\"%s\"" ],
+ // without quotes
+ "match" : [ "^[ \t]*([_a-zA-Z0-9]+)[ \t]*=[ \t]*([^\"]*)[
\t]*$", "%s=\"%s\"" ],
+ ],
+ $[
"match" : [ "([a-zA-Z0-9_]+)[ \t]*=[ \t]*\"([^\"]*)\"",
"%s=\"%s\"" ],
"multiline" : [ "([a-zA-Z0-9_]+)[ \t]*=[ \t]*\"([^\"]*)",
"([^\"]*)\"", ],
],
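Review bot: The added `$[ ... ]` entry defines the key `"match"` twice (the "with quotes" and "without quotes" patterns), and a map holds one value per key, so most likely only one of the two patterns is ever used by the agent; each pattern should sit in its own `$[ "match" : [ ... ] ],` entry, as the existing entries below do. Separately, the unquoted pattern `([^\"]*)[ \t]*$` lets the greedy class swallow trailing blanks, which the `[^ \t\"]|` alternative removed in the next hunk avoided, and the quoted pattern `\"(.*)\"` accepts embedded quotes. Because this file decides how firewall settings are read back, and `ReadSysconfigSuSEFirewall` substitutes a default for any value that reads as empty, a test over representative sysconfig lines (quoted, unquoted, trailing blanks, trailing comment) would be worth adding.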
@@ -41,9 +47,6 @@
"match" : [ "([a-zA-Z0-9_]+)[ \t]*=[ \t]*'([^']*)'",
"%s=\"%s\"" ],
"multiline" : [ "([a-zA-Z0-9_]+)[ \t]*=[ \t]*'([^']*)",
"([^\']*)'", ],
],
- $[
- "match" : [ "([a-zA-Z0-9_]+)[ \t]*=[ \t]*([^\"]*[^ \t\"]|)[
\t]*$", "%s=\"%s\"",],
- ],
],
]
)
Modified:
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewall.ycp
URL:
http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewall.ycp?rev=65399&r1=65398&r2=65399&view=diff
==============================================================================
--- branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewall.ycp
(original)
+++ branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewall.ycp
Fri Aug 26 13:30:56 2011
@@ -299,7 +299,8 @@
void ReadSysconfigSuSEFirewall (list<string> variables) {
foreach (string variable, variables, {
string value = (string)
SCR::Read(add(.sysconfig.SuSEfirewall2,variable));
- // if variable is undefined, get default value
+
+ // if value is undefined, get default value
if (value == nil || value == "")
value = GetDefaultValue(variable);
@@ -364,14 +365,14 @@
);
if (! write_status) {
-
Report::Error(Message::CannotWriteSettingsTo("/etc/sysconfig/SuSEFirewall"));
+
Report::Error(Message::CannotWriteSettingsTo("/etc/sysconfig/SuSEFirewall2"));
break;
}
});
write_status = SCR::Write(.sysconfig.SuSEfirewall2, nil);
if (! write_status) {
-
Report::Error(Message::CannotWriteSettingsTo("/etc/sysconfig/SuSEFirewall"));
+
Report::Error(Message::CannotWriteSettingsTo("/etc/sysconfig/SuSEFirewall2"));
}
return write_status;
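Review bot: The corrected path in both `Report::Error` calls is spelled `/etc/sysconfig/SuSEFirewall2`, while the SCR path used in the same code is `.sysconfig.SuSEfirewall2` with a lower-case `f`, so the message probably still names a file that does not exist on a case-sensitive filesystem; `"/etc/sysconfig/SuSEfirewall2"` would match the agent. The literal appears twice, so a single constant would keep the two messages in step. The enclosing function starts and ends outside the hunk.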
Modified:
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewallExpertRules.ycp
URL:
http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewallExpertRules.ycp?rev=65399&r1=65398&r2=65399&view=diff
==============================================================================
---
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewallExpertRules.ycp
(original)
+++
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewallExpertRules.ycp
Fri Aug 26 13:30:56 2011
@@ -187,7 +187,7 @@
//
// FW_SERVICES_ACCEPT_EXT, FW_SERVICES_ACCEPT_INT,
FW_SERVICES_ACCEPT_DMZ
- // Format: space separated list of net,protocol[,dport][,sport]
+ // Format: space separated list of
net,protocol[,dport][,sport][,other-comma-separated-options]
//
list <map <string, string> > rules = maplist (
string one_rule,
@@ -195,11 +195,17 @@
{
// comma separated
list <string> rule_splitted = splitstring(one_rule, ",");
+
+ // additional options after sport (4th entry)
+ integer options_entries_count = size(rule_splitted) - 4;
+
return $[
"network" : rule_splitted[0]:"",
"protocol" : rule_splitted[1]:"",
"dport" : rule_splitted[2]:"",
"sport" : rule_splitted[3]:"",
+ // additional options if defined (offset 4 and more)
+ "options" : (options_entries_count > 0 ?
mergestring(sublist(rule_splitted, 4, options_entries_count), ",") : ""),
];
});
@@ -209,7 +215,8 @@
one_rule["network"]:"" == "" &&
one_rule["protocol"]:"" == "" &&
one_rule["dport"]:"" == "" &&
- one_rule["sport"]:"" == ""
+ one_rule["sport"]:"" == "" &&
+ one_rule["options"]:"" == ""
);
});
@@ -217,6 +224,36 @@
}
/**
+ * Creates a string with one rule definition as described by the given
params.
+ * All the trailing commas are removed
+ *
+ * @param map <string, string> params
+ * @return string rule definition
+ */
+ string CreateRuleFromParams (map <string, string> params) {
+ // Adjusting params (some empty entries are replaced with $everything
value)
+ params = AdjustParameters (params);
+
+ // Creating new record
+ string new_rule = params["network"]:""
+ + "," + params["protocol"]:""
+ + "," + params["dport"]:""
+ + "," + params["sport"]:""
+ + "," + params["options"]:"";
+
+ // Cut out all the trailing commas
+ while (regexpmatch (new_rule, ",\+$")) {
+ new_rule = regexpsub (new_rule, "(.*),\+$", "\\1");
+ }
+
+ if (new_rule == "0/0,all") {
+ y2warning("Created rule '%1' that allows everything from all
networks!", new_rule);
+ }
+
+ return new_rule;
+ }
+
+ /**
* Adds a new accept-rule. Possible keys for parameters are "network",
* "protocol", "dport" and "sport". Needed are "network" and "protocol".
*
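Review bot: `CreateRuleFromParams` joins the five fields with commas without checking them, yet the surrounding hunks show rules stored as a whitespace-separated list and split on `,`; a blank inside any value (most plausibly the new free-form `options`) would be read back as an additional accept rule, and a comma in `network` or `protocol` would shift the later fields. Unless `AdjustParameters`, which is not visible here, already rejects such values, the function should refuse them before building the string, for example `if (regexpmatch (new_rule, "[ \t\n]")) { y2error ("Invalid characters in rule '%1'", new_rule); return nil; }`, with both callers treating nil as failure. The warning also fires only for the exact string `0/0,all`, so an allow-all rule that carries options, or one whose network is written `0.0.0.0/0` (a spelling the new tests use), is created silently. The `\+` in `",\+$"` depends on how the YCP scanner treats an unrecognised escape; `",+$"` expresses the same intent without that dependency and makes the `while` loop unnecessary.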
@@ -230,7 +267,8 @@
* @example
* AddNewAcceptRule (
* "EXT",
- * $["network":"192.168.0.1/255.255.240.0", "protocol":"tcp",
"sport":"22"]
+ * $["network":"192.168.0.1/255.255.240.0", "protocol":"tcp",
"sport":"22",
+ * "options":"hitcount=3,blockseconds=60,recentname=ssh"]
* ) -> true
*/
global boolean AddNewAcceptRule (string zone, map <string, string> params)
{
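Review bot: The doc comment above `AddNewAcceptRule` still lists only "network", "protocol", "dport" and "sport" as possible keys although the example now passes "options"; the key list should read `Possible keys for parameters are "network", "protocol", "dport", "sport" and "options"`, with one more line saying that options is a comma-separated list appended after sport. The function body continues outside the hunk.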
@@ -241,7 +279,7 @@
y2error("Unknown firewall zone: %1", zone);
return nil;
}
-
+
// Get all current rules
string current_rules = SuSEFirewall::GetAcceptExpertRules(zone);
if (current_rules == nil) {
@@ -249,28 +287,10 @@
return false;
}
- // Adjusting params
- params = AdjustParameters(params);
-
- // Creating new record
- string new_rule = params["network"]:"" + "," + params["protocol"]:"";
-
- // either 'dport' or 'sport'
- if (params["dport"]:"" != "" || params["sport"]:"" != "") {
- // 'dport' can be empty even if 'sport' is set
- new_rule = new_rule + "," + params["dport"]:"";
-
- if (params["sport"]:"" != "") {
- new_rule = new_rule + "," + params["sport"]:"";
- }
- }
+ string new_rule = CreateRuleFromParams (params);
- if (new_rule == "0/0,all") {
- y2warning("Adding rule '%1' that allows everything from all
networks!", new_rule);
- }
-
current_rules = current_rules + (size(current_rules) > 0 ? " ":"") +
new_rule;
-
+
return SuSEFirewall::SetAcceptExpertRules(zone, current_rules);
}
@@ -305,10 +325,10 @@
return false;
}
+ integer current_rules_number = size (current_rules);
+
// Creating record to be removed
- string remove_rule = params["network"]:"" + "," + params["protocol"]:"";
- if (params["dport"]:"" != "") remove_rule = remove_rule + "," +
params["dport"]:"";
- if (params["sport"]:"" != "") remove_rule = remove_rule + "," +
params["sport"]:"";
+ string remove_rule = CreateRuleFromParams (params);
// Filtering out the record
list <string> current_rules_list = splitstring (current_rules, " \n");
@@ -316,8 +336,10 @@
return (one_rule != remove_rule && one_rule != "" && one_rule !=
",");
});
current_rules = mergestring (current_rules_list, " ");
-
- return SuSEFirewall::SetAcceptExpertRules(zone, current_rules);
+
+ SuSEFirewall::SetAcceptExpertRules (zone, current_rules);
+
+ return (size(SuSEFirewall::GetAcceptExpertRules(zone)) <
current_rules_number);
}
/**
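Review bot: `RemoveAcceptRule` now discards the result of `SuSEFirewall::SetAcceptExpertRules` and reports success by comparing string lengths: `current_rules_number`, set in the previous hunk, is `size (current_rules)` of a string, not a rule count. Rejoining the list with single spaces also drops empty and `,` entries, so a stored value with a doubled blank, trailing whitespace or a stray comma gets shorter even when no rule matched and the function returns true, while a failed write that leaves the old value returns false without any error being logged. Counting list entries before and after the filter would be more reliable, e.g. `boolean removed = size (current_rules_list) < rules_before;` followed by `return SuSEFirewall::SetAcceptExpertRules (zone, current_rules) && removed;`, where `rules_before` is the list size taken before filtering. The function starts outside the hunk.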
Modified:
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.out
URL:
http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.out?rev=65399&r1=65398&r2=65399&view=diff
==============================================================================
---
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.out
(original)
+++
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.out
Fri Aug 26 13:30:56 2011
@@ -13,4 +13,22 @@
Return false
Return false
Return false
+Dump Testing adding/reading expert rules
+Return []
+Return true
+Return [$["dport":"", "network":"192.168.0.1/255.255.240.0",
"options":"hitcount=3,blockseconds=60,recentname=ssh", "protocol":"tcp",
"sport":"22"]]
+Return true
+Return [$["dport":"", "network":"192.168.0.1/255.255.240.0",
"options":"hitcount=3,blockseconds=60,recentname=ssh", "protocol":"tcp",
"sport":"22"], $["dport":"", "network":"192.168.0.1/255.255.240.0",
"options":"whatever=1", "protocol":"tcp", "sport":""]]
+Return true
+Return [$["dport":"", "network":"192.168.0.1/255.255.240.0",
"options":"whatever=1", "protocol":"tcp", "sport":""]]
+Dump Cannot remove rule that doesn't exist
+Return false
+Return [$["dport":"", "network":"192.168.0.1/255.255.240.0",
"options":"whatever=1", "protocol":"tcp", "sport":""]]
+Return true
+Return []
+Dump Adding special rule allowed 'from all networks'
+Return true
+Return [$["dport":"", "network":"0/0", "options":"", "protocol":"udp",
"sport":"888"]]
+Return true
+Return [$["dport":"", "network":"0/0", "options":"", "protocol":"udp",
"sport":"888"], $["dport":"", "network":"0.0.0.0/0", "options":"",
"protocol":"tcp", "sport":"999"]]
Dump == Done ==
Modified:
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.ycp
URL:
http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.ycp?rev=65399&r1=65398&r2=65399&view=diff
==============================================================================
---
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.ycp
(original)
+++
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.ycp
Fri Aug 26 13:30:56 2011
@@ -27,5 +27,46 @@
TEST(``(SuSEFirewallExpertRules::IsValidNetwork (check_this)), [], nil);
});
+ DUMP("Testing adding/reading expert rules");
+ // Rules are empty at the beginning
+ TEST(``(SuSEFirewallExpertRules::GetListOfAcceptRules("EXT")), [], nil);
+
+ TEST(``(SuSEFirewallExpertRules::AddNewAcceptRule("EXT",
+ $["network":"192.168.0.1/255.255.240.0", "protocol":"tcp", "sport":"22",
+ "options":"hitcount=3,blockseconds=60,recentname=ssh"])
+ ), [], nil);
+ TEST(``(SuSEFirewallExpertRules::GetListOfAcceptRules("EXT")), [], nil);
+
+ TEST(``(SuSEFirewallExpertRules::AddNewAcceptRule("EXT",
+ $["network":"192.168.0.1/255.255.240.0", "protocol":"tcp",
"options":"whatever=1"])
+ ), [], nil);
+ TEST(``(SuSEFirewallExpertRules::GetListOfAcceptRules("EXT")), [], nil);
+
+ // Deleting by rule ID (offset in list)
+ TEST(``(SuSEFirewallExpertRules::DeleteRuleID("EXT", 0)), [], nil);
+ TEST(``(SuSEFirewallExpertRules::GetListOfAcceptRules("EXT")), [], nil);
+
+ DUMP("Cannot remove rule that doesn't exist");
+ TEST(``(SuSEFirewallExpertRules::RemoveAcceptRule("EXT",
+ $["network":"192.168.0.1/255.255.240.0", "protocol":"tcp"])
+ ), [], nil);
+ TEST(``(SuSEFirewallExpertRules::GetListOfAcceptRules("EXT")), [], nil);
+
+ // Now "options" match too
+ TEST(``(SuSEFirewallExpertRules::RemoveAcceptRule("EXT",
+ $["network":"192.168.0.1/255.255.240.0", "protocol":"tcp",
"options":"whatever=1"])
+ ), [], nil);
+ TEST(``(SuSEFirewallExpertRules::GetListOfAcceptRules("EXT")), [], nil);
+
+ DUMP("Adding special rule allowed 'from all networks'");
+ TEST(``(SuSEFirewallExpertRules::AddNewAcceptRule("EXT",
+ $["protocol":"UDP", "sport":"888"])), [], nil);
+ TEST(``(SuSEFirewallExpertRules::GetListOfAcceptRules("EXT")), [], nil);
+
+ // Special all-IPv4-networks-(only) rule
+ TEST(``(SuSEFirewallExpertRules::AddNewAcceptRule("EXT",
+ $["protocol":"TCP", "sport":"999", "network":"0.0.0.0/0"])), [], nil);
+ TEST(``(SuSEFirewallExpertRules::GetListOfAcceptRules("EXT")), [], nil);
+
DUMP("== Done ==");
}
Modified: branches/SuSE-Code-11-SP1-Branch/yast2/package/yast2.changes
URL:
http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP1-Branch/yast2/package/yast2.changes?rev=65399&r1=65398&r2=65399&view=diff
==============================================================================
--- branches/SuSE-Code-11-SP1-Branch/yast2/package/yast2.changes (original)
+++ branches/SuSE-Code-11-SP1-Branch/yast2/package/yast2.changes Fri Aug 26
13:30:56 2011
@@ -1,4 +1,12 @@
-------------------------------------------------------------------
+Fri Aug 26 13:26:32 CEST 2011 - locilka@xxxxxxx
+
+- Fixed handling of FW_SERVICES_ACCEPT_* in SuSEFirewall modules to
+ understand flags as the fifth parameter (bnc#712670)
+- Fixed SuSEfirewall2 SCR agent to parse the sysconfig file
+ properly (bnc#712670)
+
+-------------------------------------------------------------------
Tue Aug 2 09:19:26 CEST 2011 - locilka@xxxxxxx
- Fixed Get/SetBroadcastAllowedPorts in SuSEFirewall to keep
Date: Fri Aug 26 13:30:56 2011
New Revision: 65399
URL: http://svn.opensuse.org/viewcvs/yast?rev=65399&view=rev
Log:
- Fixed handling of FW_SERVICES_ACCEPT_* in SuSEFirewall modules to
understand flags as the fifth parameter (bnc#712670)
- Fixed SuSEfirewall2 SCR agent to parse the sysconfig file
properly (bnc#712670)
Modified:
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/agents/sysconfig_SuSEfirewall2.scr
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewall.ycp
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewallExpertRules.ycp
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.out
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.ycp
branches/SuSE-Code-11-SP1-Branch/yast2/package/yast2.changes
Modified:
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/agents/sysconfig_SuSEfirewall2.scr
URL:
http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP1-Branch/yast2/library/network/agents/sysconfig_SuSEfirewall2.scr?rev=65399&r1=65398&r2=65399&view=diff
==============================================================================
---
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/agents/sysconfig_SuSEfirewall2.scr
(original)
+++
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/agents/sysconfig_SuSEfirewall2.scr
Fri Aug 26 13:30:56 2011
@@ -33,6 +33,12 @@
"comments": [ "^[ \t]*#.*$", "#.*", "^[ \t]*$", ],
"params" : [
$[
+ // with quotes
+ "match" : [ "^[ \t]*([_a-zA-Z0-9]+)[ \t]*=[ \t]*\"(.*)\"[
\t]*$", "%s=\"%s\"" ],
+ // without quotes
+ "match" : [ "^[ \t]*([_a-zA-Z0-9]+)[ \t]*=[ \t]*([^\"]*)[
\t]*$", "%s=\"%s\"" ],
+ ],
+ $[
"match" : [ "([a-zA-Z0-9_]+)[ \t]*=[ \t]*\"([^\"]*)\"",
"%s=\"%s\"" ],
"multiline" : [ "([a-zA-Z0-9_]+)[ \t]*=[ \t]*\"([^\"]*)",
"([^\"]*)\"", ],
],
@@ -41,9 +47,6 @@
"match" : [ "([a-zA-Z0-9_]+)[ \t]*=[ \t]*'([^']*)'",
"%s=\"%s\"" ],
"multiline" : [ "([a-zA-Z0-9_]+)[ \t]*=[ \t]*'([^']*)",
"([^\']*)'", ],
],
- $[
- "match" : [ "([a-zA-Z0-9_]+)[ \t]*=[ \t]*([^\"]*[^ \t\"]|)[
\t]*$", "%s=\"%s\"",],
- ],
],
]
)
Modified:
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewall.ycp
URL:
http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewall.ycp?rev=65399&r1=65398&r2=65399&view=diff
==============================================================================
--- branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewall.ycp
(original)
+++ branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewall.ycp
Fri Aug 26 13:30:56 2011
@@ -299,7 +299,8 @@
void ReadSysconfigSuSEFirewall (list<string> variables) {
foreach (string variable, variables, {
string value = (string)
SCR::Read(add(.sysconfig.SuSEfirewall2,variable));
- // if variable is undefined, get default value
+
+ // if value is undefined, get default value
if (value == nil || value == "")
value = GetDefaultValue(variable);
@@ -364,14 +365,14 @@
);
if (! write_status) {
-
Report::Error(Message::CannotWriteSettingsTo("/etc/sysconfig/SuSEFirewall"));
+
Report::Error(Message::CannotWriteSettingsTo("/etc/sysconfig/SuSEFirewall2"));
break;
}
});
write_status = SCR::Write(.sysconfig.SuSEfirewall2, nil);
if (! write_status) {
-
Report::Error(Message::CannotWriteSettingsTo("/etc/sysconfig/SuSEFirewall"));
+
Report::Error(Message::CannotWriteSettingsTo("/etc/sysconfig/SuSEFirewall2"));
}
return write_status;
Modified:
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewallExpertRules.ycp
URL:
http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewallExpertRules.ycp?rev=65399&r1=65398&r2=65399&view=diff
==============================================================================
---
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewallExpertRules.ycp
(original)
+++
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewallExpertRules.ycp
Fri Aug 26 13:30:56 2011
@@ -187,7 +187,7 @@
//
// FW_SERVICES_ACCEPT_EXT, FW_SERVICES_ACCEPT_INT,
FW_SERVICES_ACCEPT_DMZ
- // Format: space separated list of net,protocol[,dport][,sport]
+ // Format: space separated list of
net,protocol[,dport][,sport][,other-comma-separated-options]
//
list <map <string, string> > rules = maplist (
string one_rule,
@@ -195,11 +195,17 @@
{
// comma separated
list <string> rule_splitted = splitstring(one_rule, ",");
+
+ // additional options after sport (4th entry)
+ integer options_entries_count = size(rule_splitted) - 4;
+
return $[
"network" : rule_splitted[0]:"",
"protocol" : rule_splitted[1]:"",
"dport" : rule_splitted[2]:"",
"sport" : rule_splitted[3]:"",
+ // additional options if defined (offset 4 and more)
+ "options" : (options_entries_count > 0 ?
mergestring(sublist(rule_splitted, 4, options_entries_count), ",") : ""),
];
});
@@ -209,7 +215,8 @@
one_rule["network"]:"" == "" &&
one_rule["protocol"]:"" == "" &&
one_rule["dport"]:"" == "" &&
- one_rule["sport"]:"" == ""
+ one_rule["sport"]:"" == "" &&
+ one_rule["options"]:"" == ""
);
});
@@ -217,6 +224,36 @@
}
/**
+ * Creates a string with one rule definition as described by the given
params.
+ * All the trailing commas are removed
+ *
+ * @param map <string, string> params
+ * @return string rule definition
+ */
+ string CreateRuleFromParams (map <string, string> params) {
+ // Adjusting params (some empty entries are replaced with $everything
value)
+ params = AdjustParameters (params);
+
+ // Creating new record
+ string new_rule = params["network"]:""
+ + "," + params["protocol"]:""
+ + "," + params["dport"]:""
+ + "," + params["sport"]:""
+ + "," + params["options"]:"";
+
+ // Cut out all the trailing commas
+ while (regexpmatch (new_rule, ",\+$")) {
+ new_rule = regexpsub (new_rule, "(.*),\+$", "\\1");
+ }
+
+ if (new_rule == "0/0,all") {
+ y2warning("Created rule '%1' that allows everything from all
networks!", new_rule);
+ }
+
+ return new_rule;
+ }
+
+ /**
* Adds a new accept-rule. Possible keys for parameters are "network",
* "protocol", "dport" and "sport". Needed are "network" and "protocol".
*
@@ -230,7 +267,8 @@
* @example
* AddNewAcceptRule (
* "EXT",
- * $["network":"192.168.0.1/255.255.240.0", "protocol":"tcp",
"sport":"22"]
+ * $["network":"192.168.0.1/255.255.240.0", "protocol":"tcp",
"sport":"22",
+ * "options":"hitcount=3,blockseconds=60,recentname=ssh"]
* ) -> true
*/
global boolean AddNewAcceptRule (string zone, map <string, string> params)
{
@@ -241,7 +279,7 @@
y2error("Unknown firewall zone: %1", zone);
return nil;
}
-
+
// Get all current rules
string current_rules = SuSEFirewall::GetAcceptExpertRules(zone);
if (current_rules == nil) {
@@ -249,28 +287,10 @@
return false;
}
- // Adjusting params
- params = AdjustParameters(params);
-
- // Creating new record
- string new_rule = params["network"]:"" + "," + params["protocol"]:"";
-
- // either 'dport' or 'sport'
- if (params["dport"]:"" != "" || params["sport"]:"" != "") {
- // 'dport' can be empty even if 'sport' is set
- new_rule = new_rule + "," + params["dport"]:"";
-
- if (params["sport"]:"" != "") {
- new_rule = new_rule + "," + params["sport"]:"";
- }
- }
+ string new_rule = CreateRuleFromParams (params);
- if (new_rule == "0/0,all") {
- y2warning("Adding rule '%1' that allows everything from all
networks!", new_rule);
- }
-
current_rules = current_rules + (size(current_rules) > 0 ? " ":"") +
new_rule;
-
+
return SuSEFirewall::SetAcceptExpertRules(zone, current_rules);
}
@@ -305,10 +325,10 @@
return false;
}
+ integer current_rules_number = size (current_rules);
+
// Creating record to be removed
- string remove_rule = params["network"]:"" + "," + params["protocol"]:"";
- if (params["dport"]:"" != "") remove_rule = remove_rule + "," +
params["dport"]:"";
- if (params["sport"]:"" != "") remove_rule = remove_rule + "," +
params["sport"]:"";
+ string remove_rule = CreateRuleFromParams (params);
// Filtering out the record
list <string> current_rules_list = splitstring (current_rules, " \n");
@@ -316,8 +336,10 @@
return (one_rule != remove_rule && one_rule != "" && one_rule !=
",");
});
current_rules = mergestring (current_rules_list, " ");
-
- return SuSEFirewall::SetAcceptExpertRules(zone, current_rules);
+
+ SuSEFirewall::SetAcceptExpertRules (zone, current_rules);
+
+ return (size(SuSEFirewall::GetAcceptExpertRules(zone)) <
current_rules_number);
}
/**
Modified:
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.out
URL:
http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.out?rev=65399&r1=65398&r2=65399&view=diff
==============================================================================
---
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.out
(original)
+++
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.out
Fri Aug 26 13:30:56 2011
@@ -13,4 +13,22 @@
Return false
Return false
Return false
+Dump Testing adding/reading expert rules
+Return []
+Return true
+Return [$["dport":"", "network":"192.168.0.1/255.255.240.0",
"options":"hitcount=3,blockseconds=60,recentname=ssh", "protocol":"tcp",
"sport":"22"]]
+Return true
+Return [$["dport":"", "network":"192.168.0.1/255.255.240.0",
"options":"hitcount=3,blockseconds=60,recentname=ssh", "protocol":"tcp",
"sport":"22"], $["dport":"", "network":"192.168.0.1/255.255.240.0",
"options":"whatever=1", "protocol":"tcp", "sport":""]]
+Return true
+Return [$["dport":"", "network":"192.168.0.1/255.255.240.0",
"options":"whatever=1", "protocol":"tcp", "sport":""]]
+Dump Cannot remove rule that doesn't exist
+Return false
+Return [$["dport":"", "network":"192.168.0.1/255.255.240.0",
"options":"whatever=1", "protocol":"tcp", "sport":""]]
+Return true
+Return []
+Dump Adding special rule allowed 'from all networks'
+Return true
+Return [$["dport":"", "network":"0/0", "options":"", "protocol":"udp",
"sport":"888"]]
+Return true
+Return [$["dport":"", "network":"0/0", "options":"", "protocol":"udp",
"sport":"888"], $["dport":"", "network":"0.0.0.0/0", "options":"",
"protocol":"tcp", "sport":"999"]]
Dump == Done ==
Modified:
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.ycp
URL:
http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.ycp?rev=65399&r1=65398&r2=65399&view=diff
==============================================================================
---
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.ycp
(original)
+++
branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.ycp
Fri Aug 26 13:30:56 2011
@@ -27,5 +27,46 @@
TEST(``(SuSEFirewallExpertRules::IsValidNetwork (check_this)), [], nil);
});
+ DUMP("Testing adding/reading expert rules");
+ // Rules are empty at the beginning
+ TEST(``(SuSEFirewallExpertRules::GetListOfAcceptRules("EXT")), [], nil);
+
+ TEST(``(SuSEFirewallExpertRules::AddNewAcceptRule("EXT",
+ $["network":"192.168.0.1/255.255.240.0", "protocol":"tcp", "sport":"22",
+ "options":"hitcount=3,blockseconds=60,recentname=ssh"])
+ ), [], nil);
+ TEST(``(SuSEFirewallExpertRules::GetListOfAcceptRules("EXT")), [], nil);
+
+ TEST(``(SuSEFirewallExpertRules::AddNewAcceptRule("EXT",
+ $["network":"192.168.0.1/255.255.240.0", "protocol":"tcp",
"options":"whatever=1"])
+ ), [], nil);
+ TEST(``(SuSEFirewallExpertRules::GetListOfAcceptRules("EXT")), [], nil);
+
+ // Deleting by rule ID (offset in list)
+ TEST(``(SuSEFirewallExpertRules::DeleteRuleID("EXT", 0)), [], nil);
+ TEST(``(SuSEFirewallExpertRules::GetListOfAcceptRules("EXT")), [], nil);
+
+ DUMP("Cannot remove rule that doesn't exist");
+ TEST(``(SuSEFirewallExpertRules::RemoveAcceptRule("EXT",
+ $["network":"192.168.0.1/255.255.240.0", "protocol":"tcp"])
+ ), [], nil);
+ TEST(``(SuSEFirewallExpertRules::GetListOfAcceptRules("EXT")), [], nil);
+
+ // Now "options" match too
+ TEST(``(SuSEFirewallExpertRules::RemoveAcceptRule("EXT",
+ $["network":"192.168.0.1/255.255.240.0", "protocol":"tcp",
"options":"whatever=1"])
+ ), [], nil);
+ TEST(``(SuSEFirewallExpertRules::GetListOfAcceptRules("EXT")), [], nil);
+
+ DUMP("Adding special rule allowed 'from all networks'");
+ TEST(``(SuSEFirewallExpertRules::AddNewAcceptRule("EXT",
+ $["protocol":"UDP", "sport":"888"])), [], nil);
+ TEST(``(SuSEFirewallExpertRules::GetListOfAcceptRules("EXT")), [], nil);
+
+ // Special all-IPv4-networks-(only) rule
+ TEST(``(SuSEFirewallExpertRules::AddNewAcceptRule("EXT",
+ $["protocol":"TCP", "sport":"999", "network":"0.0.0.0/0"])), [], nil);
+ TEST(``(SuSEFirewallExpertRules::GetListOfAcceptRules("EXT")), [], nil);
+
DUMP("== Done ==");
}
Modified: branches/SuSE-Code-11-SP1-Branch/yast2/package/yast2.changes
URL:
http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP1-Branch/yast2/package/yast2.changes?rev=65399&r1=65398&r2=65399&view=diff
==============================================================================
--- branches/SuSE-Code-11-SP1-Branch/yast2/package/yast2.changes (original)
+++ branches/SuSE-Code-11-SP1-Branch/yast2/package/yast2.changes Fri Aug 26
13:30:56 2011
@@ -1,4 +1,12 @@
-------------------------------------------------------------------
+Fri Aug 26 13:26:32 CEST 2011 - locilka@xxxxxxx
+
+- Fixed handling of FW_SERVICES_ACCEPT_* in SuSEFirewall modules to
+ understand flags as the fifth parameter (bnc#712670)
+- Fixed SuSEfirewall2 SCR agent to parse the sysconfig file
+ properly (bnc#712670)
+
+-------------------------------------------------------------------
Tue Aug 2 09:19:26 CEST 2011 - locilka@xxxxxxx
- Fixed Get/SetBroadcastAllowedPorts in SuSEFirewall to keep