[yast-commit] r65399 - in /branches/SuSE-Code-11-SP1-Branch/yast2: library/network/agents/ library/network/src/ library/network/testsuite/tests/ package/

26 Aug 2011

Author: locilka
Date: Fri Aug 26 13:30:56 2011
New Revision: 65399

URL: http://svn.opensuse.org/viewcvs/yast?rev=65399&view=rev
Log:
- Fixed handling of FW_SERVICES_ACCEPT_* in SuSEFirewall modules to
  understand flags as the fifth parameter (bnc#712670)
- Fixed SuSEfirewall2 SCR agent to parse the sysconfig file
  properly (bnc#712670)


Modified:
    branches/SuSE-Code-11-SP1-Branch/yast2/library/network/agents/sysconfig_SuSEfirewall2.scr
    branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewall.ycp
    branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewallExpertRules.ycp
    branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.out
    branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.ycp
    branches/SuSE-Code-11-SP1-Branch/yast2/package/yast2.changes

Modified: branches/SuSE-Code-11-SP1-Branch/yast2/library/network/agents/sysconfig_SuSEfirewall2.scr
URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP1-Branch/yast2/library/network/agents/sysconfig_SuSEfirewall2.scr?rev=65399&r1=65398&r2=65399&view=diff
==============================================================================

--- branches/SuSE-Code-11-SP1-Branch/yast2/library/network/agents/sysconfig_SuSEfirewall2.scr (original)
+++ branches/SuSE-Code-11-SP1-Branch/yast2/library/network/agents/sysconfig_SuSEfirewall2.scr Fri Aug 26 13:30:56 2011
@@ -33,6 +33,12 @@
 	    "comments": [ "^[ \t]*#.*$", "#.*", "^[ \t]*$", ],
 	    "params" : [
 		$[
+		    // with quotes
+		    "match" : [ "^[ \t]*([_a-zA-Z0-9]+)[ \t]*=[ \t]*\"(.*)\"[ \t]*$", "%s=\"%s\"" ],
+		    // without quotes
+		    "match" : [ "^[ \t]*([_a-zA-Z0-9]+)[ \t]*=[ \t]*([^\"]*)[ \t]*$", "%s=\"%s\"" ],
+		],
+		$[
 		    "match" : [ "([a-zA-Z0-9_]+)[ \t]*=[ \t]*\"([^\"]*)\"", "%s=\"%s\"" ],
 		    "multiline" : [ "([a-zA-Z0-9_]+)[ \t]*=[ \t]*\"([^\"]*)", "([^\"]*)\"", ],
 		],
@@ -41,9 +47,6 @@
 		    "match" : [ "([a-zA-Z0-9_]+)[ \t]*=[ \t]*'([^']*)'", "%s=\"%s\"" ],
 		    "multiline" : [ "([a-zA-Z0-9_]+)[ \t]*=[ \t]*'([^']*)", "([^\']*)'", ],
 		],
-		$[
-		    "match" : [ "([a-zA-Z0-9_]+)[ \t]*=[ \t]*([^\"]*[^ \t\"]|)[ \t]*$", "%s=\"%s\"",],
-		],
 	    ],
 	]
     )

Modified: branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewall.ycp
URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewall.ycp?rev=65399&r1=65398&r2=65399&view=diff
==============================================================================
--- branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewall.ycp (original)
+++ branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewall.ycp Fri Aug 26 13:30:56 2011
@@ -299,7 +299,8 @@
     void ReadSysconfigSuSEFirewall (list<string> variables) {
 	foreach (string variable, variables, {
 	    string value = (string) SCR::Read(add(.sysconfig.SuSEfirewall2,variable));
-	    // if variable is undefined, get default value
+
+	    // if value is undefined, get default value
 	    if (value == nil || value == "")
 		value = GetDefaultValue(variable);
 
@@ -364,14 +365,14 @@
 	    );
 
 	    if (! write_status) {
-		Report::Error(Message::CannotWriteSettingsTo("/etc/sysconfig/SuSEFirewall"));
+		Report::Error(Message::CannotWriteSettingsTo("/etc/sysconfig/SuSEFirewall2"));
 		break;
 	    }
 	});
 
 	write_status = SCR::Write(.sysconfig.SuSEfirewall2, nil);
 	if (! write_status) {
-	    Report::Error(Message::CannotWriteSettingsTo("/etc/sysconfig/SuSEFirewall"));
+	    Report::Error(Message::CannotWriteSettingsTo("/etc/sysconfig/SuSEFirewall2"));
 	}
 
 	return write_status;

Modified: branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewallExpertRules.ycp
URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewallExpertRules.ycp?rev=65399&r1=65398&r2=65399&view=diff
==============================================================================
--- branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewallExpertRules.ycp (original)
+++ branches/SuSE-Code-11-SP1-Branch/yast2/library/network/src/SuSEFirewallExpertRules.ycp Fri Aug 26 13:30:56 2011
@@ -187,7 +187,7 @@
 
 	//
 	// FW_SERVICES_ACCEPT_EXT, FW_SERVICES_ACCEPT_INT, FW_SERVICES_ACCEPT_DMZ
-	// Format: space separated list of net,protocol[,dport][,sport]
+	// Format: space separated list of net,protocol[,dport][,sport][,other-comma-separated-options]
 	//
 	list  > rules = maplist (
 	    string one_rule,
@@ -195,11 +195,17 @@
 	{
 	    // comma separated
 	    list <string> rule_splitted = splitstring(one_rule, ",");
+
+	    // additional options after sport (4th entry)
+	    integer options_entries_count = size(rule_splitted) - 4;
+
 	    return $[
 		"network"  : rule_splitted[0]:"",
 		"protocol" : rule_splitted[1]:"",
 		"dport"    : rule_splitted[2]:"",
 		"sport"    : rule_splitted[3]:"",
+		// additional options if defined (offset 4 and more)
+		"options"  : (options_entries_count > 0 ? mergestring(sublist(rule_splitted, 4, options_entries_count), ",") : ""),
 	    ];
 	});
 	
@@ -209,7 +215,8 @@
 		one_rule["network"]:""  == "" &&
 		one_rule["protocol"]:"" == "" &&
 		one_rule["dport"]:""    == "" &&
-		one_rule["sport"]:""    == ""
+		one_rule["sport"]:""    == "" &&
+		one_rule["options"]:""  == ""
 	    );
 	});
 	
@@ -217,6 +224,36 @@
     }
 
     /**
+     * Creates a string with one rule definition as described by the given params.
+     * All the trailing commas are removed
+     *
+     * @param	map  params
+     * @return	string rule definition
+     */
+    string CreateRuleFromParams (map  params) {
+	// Adjusting params (some empty entries are replaced with $everything value)
+	params = AdjustParameters (params);
+
+	// Creating new record
+	string new_rule = params["network"]:""
+	    + "," + params["protocol"]:""
+	    + "," + params["dport"]:""
+	    + "," + params["sport"]:""
+	    + "," + params["options"]:"";
+
+	// Cut out all the trailing commas
+	while (regexpmatch (new_rule, ",\+$")) {
+	    new_rule = regexpsub (new_rule, "(.*),\+$", "\\1");
+	}
+
+	if (new_rule == "0/0,all") {
+	    y2warning("Created rule '%1' that allows everything from all networks!", new_rule);
+	}
+
+	return new_rule;
+    }
+
+    /**
      * Adds a new accept-rule. Possible keys for parameters are "network",
      * "protocol", "dport" and "sport". Needed are "network" and "protocol".
      *
@@ -230,7 +267,8 @@
      * @example
      * AddNewAcceptRule (
      *     "EXT",
-     *     $["network":"192.168.0.1/255.255.240.0", "protocol":"tcp", "sport":"22"]
+     *     $["network":"192.168.0.1/255.255.240.0", "protocol":"tcp", "sport":"22",
+     *         "options":"hitcount=3,blockseconds=60,recentname=ssh"]
      * ) -> true
      */
     global boolean AddNewAcceptRule (string zone, map  params) {
@@ -241,7 +279,7 @@
 	    y2error("Unknown firewall zone: %1", zone);
 	    return nil;
 	}
-	
+
 	// Get all current rules
 	string current_rules = SuSEFirewall::GetAcceptExpertRules(zone);
 	if (current_rules == nil) {
@@ -249,28 +287,10 @@
 	    return false;
 	}
 
-	// Adjusting params
-	params = AdjustParameters(params);
-
-	// Creating new record
-	string new_rule = params["network"]:"" + "," + params["protocol"]:"";
-
-	// either 'dport' or 'sport'
-	if (params["dport"]:"" != "" || params["sport"]:"" != "") {
-	    // 'dport' can be empty even if 'sport' is set
-	    new_rule = new_rule + "," + params["dport"]:"";
-
-	    if (params["sport"]:"" != "") {
-		new_rule = new_rule + "," + params["sport"]:"";
-	    }
-	}
+	string new_rule = CreateRuleFromParams (params);
 
-	if (new_rule == "0/0,all") {
-	    y2warning("Adding rule '%1' that allows everything from all networks!", new_rule);
-	}
-	
 	current_rules = current_rules + (size(current_rules) > 0 ? " ":"") + new_rule;
-	
+
 	return SuSEFirewall::SetAcceptExpertRules(zone, current_rules);
     }
     
@@ -305,10 +325,10 @@
 	    return false;
 	}
 
+	integer current_rules_number = size (current_rules);
+
 	// Creating record to be removed
-	string remove_rule = params["network"]:"" + "," + params["protocol"]:"";
-	if (params["dport"]:"" != "") remove_rule = remove_rule + "," + params["dport"]:"";
-	if (params["sport"]:"" != "") remove_rule = remove_rule + "," + params["sport"]:"";
+	string remove_rule = CreateRuleFromParams (params);
 
 	// Filtering out the record
 	list <string> current_rules_list = splitstring (current_rules, " \n");
@@ -316,8 +336,10 @@
 	    return (one_rule != remove_rule && one_rule != "" && one_rule != ",");
 	});
 	current_rules = mergestring (current_rules_list, " ");
-	
-	return SuSEFirewall::SetAcceptExpertRules(zone, current_rules);
+
+	SuSEFirewall::SetAcceptExpertRules (zone, current_rules);
+
+	return (size(SuSEFirewall::GetAcceptExpertRules(zone)) < current_rules_number);
     }
 
     /**

Modified: branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.out
URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.out?rev=65399&r1=65398&r2=65399&view=diff
==============================================================================
--- branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.out (original)
+++ branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.out Fri Aug 26 13:30:56 2011
@@ -13,4 +13,22 @@
 Return	false
 Return	false
 Return	false
+Dump	Testing adding/reading expert rules
+Return	[]
+Return	true
+Return	[$["dport":"", "network":"192.168.0.1/255.255.240.0", "options":"hitcount=3,blockseconds=60,recentname=ssh", "protocol":"tcp", "sport":"22"]]
+Return	true
+Return	[$["dport":"", "network":"192.168.0.1/255.255.240.0", "options":"hitcount=3,blockseconds=60,recentname=ssh", "protocol":"tcp", "sport":"22"], $["dport":"", "network":"192.168.0.1/255.255.240.0", "options":"whatever=1", "protocol":"tcp", "sport":""]]
+Return	true
+Return	[$["dport":"", "network":"192.168.0.1/255.255.240.0", "options":"whatever=1", "protocol":"tcp", "sport":""]]
+Dump	Cannot remove rule that doesn't exist
+Return	false
+Return	[$["dport":"", "network":"192.168.0.1/255.255.240.0", "options":"whatever=1", "protocol":"tcp", "sport":""]]
+Return	true
+Return	[]
+Dump	Adding special rule allowed 'from all networks'
+Return	true
+Return	[$["dport":"", "network":"0/0", "options":"", "protocol":"udp", "sport":"888"]]
+Return	true
+Return	[$["dport":"", "network":"0/0", "options":"", "protocol":"udp", "sport":"888"], $["dport":"", "network":"0.0.0.0/0", "options":"", "protocol":"tcp", "sport":"999"]]
 Dump	== Done ==

Modified: branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.ycp
URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.ycp?rev=65399&r1=65398&r2=65399&view=diff
==============================================================================
--- branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.ycp (original)
+++ branches/SuSE-Code-11-SP1-Branch/yast2/library/network/testsuite/tests/SuSEFirewallExpertRules.ycp Fri Aug 26 13:30:56 2011
@@ -27,5 +27,46 @@
 	TEST(``(SuSEFirewallExpertRules::IsValidNetwork (check_this)), [], nil);
     });
 
+    DUMP("Testing adding/reading expert rules");
+    // Rules are empty at the beginning
+    TEST(``(SuSEFirewallExpertRules::GetListOfAcceptRules("EXT")), [], nil);
+
+    TEST(``(SuSEFirewallExpertRules::AddNewAcceptRule("EXT",
+	$["network":"192.168.0.1/255.255.240.0", "protocol":"tcp", "sport":"22",
+	"options":"hitcount=3,blockseconds=60,recentname=ssh"])
+    ), [], nil);
+    TEST(``(SuSEFirewallExpertRules::GetListOfAcceptRules("EXT")), [], nil);
+
+    TEST(``(SuSEFirewallExpertRules::AddNewAcceptRule("EXT",
+	$["network":"192.168.0.1/255.255.240.0", "protocol":"tcp", "options":"whatever=1"])
+    ), [], nil);
+    TEST(``(SuSEFirewallExpertRules::GetListOfAcceptRules("EXT")), [], nil);
+
+    // Deleting by rule ID (offset in list)
+    TEST(``(SuSEFirewallExpertRules::DeleteRuleID("EXT", 0)), [], nil);
+    TEST(``(SuSEFirewallExpertRules::GetListOfAcceptRules("EXT")), [], nil);
+
+    DUMP("Cannot remove rule that doesn't exist");
+    TEST(``(SuSEFirewallExpertRules::RemoveAcceptRule("EXT",
+	$["network":"192.168.0.1/255.255.240.0", "protocol":"tcp"])
+    ), [], nil);
+    TEST(``(SuSEFirewallExpertRules::GetListOfAcceptRules("EXT")), [], nil);
+
+    // Now "options" match too
+    TEST(``(SuSEFirewallExpertRules::RemoveAcceptRule("EXT",
+	$["network":"192.168.0.1/255.255.240.0", "protocol":"tcp", "options":"whatever=1"])
+    ), [], nil);
+    TEST(``(SuSEFirewallExpertRules::GetListOfAcceptRules("EXT")), [], nil);
+
+    DUMP("Adding special rule allowed 'from all networks'");
+    TEST(``(SuSEFirewallExpertRules::AddNewAcceptRule("EXT",
+	$["protocol":"UDP", "sport":"888"])), [], nil);
+    TEST(``(SuSEFirewallExpertRules::GetListOfAcceptRules("EXT")), [], nil);
+
+    // Special all-IPv4-networks-(only) rule
+    TEST(``(SuSEFirewallExpertRules::AddNewAcceptRule("EXT",
+	$["protocol":"TCP", "sport":"999", "network":"0.0.0.0/0"])), [], nil);
+    TEST(``(SuSEFirewallExpertRules::GetListOfAcceptRules("EXT")), [], nil);
+
     DUMP("== Done ==");
 }

Modified: branches/SuSE-Code-11-SP1-Branch/yast2/package/yast2.changes
URL: http://svn.opensuse.org/viewcvs/yast/branches/SuSE-Code-11-SP1-Branch/yast2/package/yast2.changes?rev=65399&r1=65398&r2=65399&view=diff
==============================================================================
--- branches/SuSE-Code-11-SP1-Branch/yast2/package/yast2.changes (original)
+++ branches/SuSE-Code-11-SP1-Branch/yast2/package/yast2.changes Fri Aug 26 13:30:56 2011
@@ -1,4 +1,12 @@
 -------------------------------------------------------------------
+Fri Aug 26 13:26:32 CEST 2011 - locilka@suse.cz
+
+- Fixed handling of FW_SERVICES_ACCEPT_* in SuSEFirewall modules to
+  understand flags as the fifth parameter (bnc#712670)
+- Fixed SuSEfirewall2 SCR agent to parse the sysconfig file
+  properly (bnc#712670)
+
+-------------------------------------------------------------------
 Tue Aug  2 09:19:26 CEST 2011 - locilka@suse.cz
 
 - Fixed Get/SetBroadcastAllowedPorts in SuSEFirewall to keep

-- 
To unsubscribe, e-mail: yast-commit+unsubscribe@opensuse.org
For additional commands, e-mail: yast-commit+help@opensuse.org

    

[yast-commit] r65399 - in /branches/SuSE-Code-11-SP1-Branch/yast2: library/network/agents/ library/network/src/ library/network/testsuite/tests/ package/

locilka＠svn2.opensuse.org