commit SuSEfirewall2 for openSUSE:Factory

Hello community, here is the log from the commit of package SuSEfirewall2 for openSUSE:Factory checked in at 2017-07-30 11:26:25 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/SuSEfirewall2 (Old) and /work/SRC/openSUSE:Factory/.SuSEfirewall2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "SuSEfirewall2" Sun Jul 30 11:26:25 2017 rev:85 rq:512885 version:3.6.365 Changes: --------
--- /work/SRC/openSUSE:Factory/SuSEfirewall2/SuSEfirewall2.changes 2017-07-02 13:37:21.174044525 +0200
+++ /work/SRC/openSUSE:Factory/.SuSEfirewall2.new/SuSEfirewall2.changes 2017-07-30 11:26:37.675762321 +0200
@@ -1,0 +2,25 @@
+Fri Jul 28 08:40:55 UTC 2017 - matthias.gerstner@suse.com
+
+- Removed bogus nfs alias units, added correct nfs-client target in
+ SuSEfirewall2.service (bnc#946325).
+
+ The nfs alias units are false friends, because they don't fix the startup
+ ordering between nfs and SuSEfirewall2.
+
+ The missing nfs-client target could cause nfs mounts for nfs versions < 4.1
+ to be unable to receive callbacks from the server, when the nfs client was
+ started before the SuSEfirewall2 was started on boot.
+
+-------------------------------------------------------------------
+Wed Jul 12 13:40:57 UTC 2017 - matthias.gerstner@suse.com
+
+- sysctl settings: make list of sysctl.d directories configurable via
+ FW_SYSCTL_PATHS (bnc#1044523)
+
+-------------------------------------------------------------------
+Thu Jul 6 10:05:41 UTC 2017 - matthias.gerstner@suse.com
+
+- clarified warning message about FW_ROUTE being enabled but ip_forwarding not configured
+- sysctl.d: avoid error messages if no /etc/sysctl.d/*.conf files are existing (bnc#1044523)
+
+-------------------------------------------------------------------
Old: ---- SuSEfirewall2-3.6.360.tar.bz2 New: ---- SuSEfirewall2-3.6.365.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ SuSEfirewall2.spec ++++++
--- /var/tmp/diff_new_pack.sRUgFr/_old 2017-07-30 11:26:38.419657352 +0200
+++ /var/tmp/diff_new_pack.sRUgFr/_new 2017-07-30 11:26:38.419657352 +0200
@@ -19,7 +19,7 @@ %define newname SUSEfirewall2 Name: SuSEfirewall2 -Version: 3.6.360 +Version: 3.6.365 Release: 0 Url: http://en.opensuse.org/SuSEfirewall2 PreReq: /bin/sed textutils fileutils grep filesystem ++++++ SuSEfirewall2-3.6.360.tar.bz2 -> SuSEfirewall2-3.6.365.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.360/SuSEfirewall2 new/SuSEfirewall2-3.6.365/SuSEfirewall2 --- old/SuSEfirewall2-3.6.360/SuSEfirewall2 2017-06-28 11:18:23.000000000 +0200 +++ new/SuSEfirewall2-3.6.365/SuSEfirewall2 2017-07-28 10:40:25.000000000 +0200 @@ -135,7 +135,7 @@ { [ "$MODE" != "debug" ] && return - message $* + message ${FUNCNAME[1]} $* } deprecated() 
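Review bot: In the `@@ -135,7 +135,7 @@` hunk the new `message ${FUNCNAME[1]} $*` leaves both expansions unquoted, so the debug text is word-split and glob-expanded before message receives it. The new caller `dbgmessage "Expanded $path to $paths"` only prints a file list because of that side effect, since `$paths` still holds the literal `*.conf` pattern at that point, and any other debug text containing `*` or `?` is expanded the same way against the current directory. Quoting keeps the text literal, `message "${FUNCNAME[1]}:" "$*"`, and a caller that wants the expanded list can build it explicitly. The header of dbgmessage lies above the hunk and how message treats its arguments is not visible here.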
@@ -628,23 +628,53 @@ # checks multiple sysctl.d config locations for configure values function get_any_sysctl_cfg() { - local path="$1" + local value="$1" + + if [ -z "$FW_SYSCTL_PATHS" ]; then + # don't check all available sysctl.d directories for the + # reason discussed in bnc#1044523 + FW_SYSCTL_PATHS="/etc/sysctl.conf /etc/sysctl.d /usr/local/lib/sysctl.d" + fi + + local path + for path in $FW_SYSCTL_PATHS; do + dbgmessage "Checking for sysctl value $value in path $path" + if [ -d "$path" ]; then + # expand to any config files found in the sysctl.d + # style directory + paths=$path/*.conf + dbgmessage "Expanded $path to $paths" + else + paths=$path + fi - for file in /etc/sysctl.conf /etc/sysctl.d/*.conf; do - get_sysctl_cfg "$path" "$file" && return 0 + for file in $paths; do + # check for existence, because the wildcard match + # above might yield no matches, which would result in + # error messages otherwise + if [ -r "$file" ]; then + dbgmessage "Checking in file $file" + get_sysctl_cfg "$value" "$file" && sysctl_file="$file" && return 0 + dbgmessage "no match" + fi + done done + sysctl_file="" return 1 } -# outputs the configured value of the sysctl setting passed as $1 in the +# returns the configured value of the sysctl setting passed as $1 in the # configuration file $2. -# return code of 0 if a value was found and output, 1 if none was found +# return code of 0 if a value was found and returned, 1 if none was found +# +# the sysctl setting's value is returned in the sysctl_value variable function get_sysctl_cfg() { local path="$1" local sysctl="$2" local line + sysctl_value="" # translate the proc path to a sysctl path syspath=`echo "$path" | /usr/bin/cut -d '/' -f 4- | /usr/bin/tr '/' '.'` @@ -656,7 +686,7 @@ line=`/usr/bin/grep "^[^#]*$syspath" $sysctl` if [ $? -eq 0 ]; then - /usr/bin/cut -d '=' -f 2 <<<"$line" | /usr/bin/tr -d ' \t' + sysctl_value=`/usr/bin/cut -d '=' -f 2 <<<"$line" | /usr/bin/tr -d ' \t'` return 0 fi 
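Review bot: In get_any_sysctl_cfg (hunk `@@ -628,23 +628,53 @@`) the helper variables `paths` and `file` are assigned without `local`, so they leak into the script's global scope, and the default list is written back into the global FW_SYSCTL_PATHS; `local paths file` next to `local path` would contain the first two. The loop also returns at the first file that mentions the setting, in FW_SYSCTL_PATHS order, whereas sysctl.d-style loaders normally let later files override earlier ones, so the value handed to the caller may not be the one in effect; a comment stating that first-match is intended would help. Because a match makes the caller leave the firewall's own value unapplied, the header comment should also say that every listed file and directory is expected to be writable by root only.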
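Review bot: The value now stored in `sysctl_value` (hunk `@@ -656,7 +686,7 @@`) comes from `grep "^[^#]*$syspath"`, which is unanchored and treats the dots in the key as wildcards, so a longer key sharing the prefix, or the key name appearing inside another setting's value, also matches, and several matching lines leave embedded newlines in the variable. With the wider file search added by this commit, such a false match makes setproc treat the setting as administrator-configured and skip or mis-compare the firewall's value. Escaping and anchoring the key avoids that, `line=$(/usr/bin/grep -E "^[[:space:]]*${syspath//./\\.}[[:space:]]*=" "$sysctl")`, with an explicit choice of one line if the key is repeated. The grep line is unchanged context and get_sysctl_cfg continues beyond the hunk.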
@@ -690,10 +720,13 @@ [ -z "$path" -o ! -w "$path" ] && return - cfg_value=`get_any_sysctl_cfg $path` && have_cfg=true || have_cfg=false + local sysctl_value="" + local sysctl_file="" + local have_cfg=false + get_any_sysctl_cfg "$path" && have_cfg=true if $have_cfg; then - [ "$cfg_value" = "$value" ] && same_value=true || same_value=false + [ "$sysctl_value" = "$value" ] && same_value=true || same_value=false # this mode stuff is mostly to allow for backward compatibility # regarding ip forwarding. If forwarding is not explicitly enabled @@ -701,16 +734,16 @@ # what force and reset mode are for. if [ "$mode" = "reset" ]; then if ! $same_value; then - dbgmessage "value for $path in sysctl is different, not resetting it" + dbgmessage "value for $path in $sysctl_file is different, not resetting it" # configure value is different, so do nothing return 1 fi elif [ "$mode" = "force" ]; then if ! $same_value; then - warning "value for $path in sysctl.conf is different, but required by firewall, overriding" + warning "value for $path in $sysctl_file is different, but required by firewall, overriding" fi else - dbgmessage "$path override in sysctl.conf, not setting it" + message "$path override in $sysctl_file, not setting it" return 1 fi fi @@ -1445,7 +1478,7 @@ [ "$enabled" -eq 1 ] && return setproc 1 $PROC_PATH "force" - warning "$PROC_PATH is not enabled, you should configure this in /etc/sysctl.conf" + warning "$PROC_PATH is not enabled, but required for FW_ROUTE, you should configure this in /etc/sysctl.conf. This option has been implicitly enabled now." } disable_ip_forwarding() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.360/SuSEfirewall2.service new/SuSEfirewall2-3.6.365/SuSEfirewall2.service --- old/SuSEfirewall2-3.6.360/SuSEfirewall2.service 2017-06-28 11:18:23.000000000 +0200 +++ new/SuSEfirewall2-3.6.365/SuSEfirewall2.service 2017-07-28 10:40:25.000000000 +0200 
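Review bot: The reworded warning in the `@@ -1445,7 +1478,7 @@` hunk ends with "This option has been implicitly enabled now.", but it is printed unconditionally after `setproc 1 $PROC_PATH "force"`, and setproc (context of hunk `@@ -690,10 +720,13 @@`) returns silently when the proc path is empty or not writable. In that case the log states that forwarding was turned on although nothing changed. Either re-read the value before printing, or soften the wording to something like "the firewall is enabling it for this run". The message also still points only at /etc/sysctl.conf although the lookup now honours FW_SYSCTL_PATHS; the enclosing function starts above the hunk.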
@@ -1,6 +1,6 @@ [Unit] Description=SuSEfirewall2 phase 2 -After=network.target ypbind.service nfs.service nfsserver.service nfs-server.service rpcbind.service SuSEfirewall2_init.service +After=network.target nfs-client.target ypbind.service nfs-server.service rpcbind.service SuSEfirewall2_init.service Wants=SuSEfirewall2_init.service Conflicts=firewalld.service diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.360/SuSEfirewall2.sysconfig new/SuSEfirewall2-3.6.365/SuSEfirewall2.sysconfig --- old/SuSEfirewall2-3.6.360/SuSEfirewall2.sysconfig 2017-06-28 11:18:23.000000000 +0200 +++ new/SuSEfirewall2-3.6.365/SuSEfirewall2.sysconfig 2017-07-28 10:40:25.000000000 +0200 @@ -718,7 +718,7 @@ # # If you have configured one of these settings in /etc/sysctl.conf then # SuSEfirewall2 won't apply any different value to allow you to override some -# of these settings to your liking. +# of these settings to your liking. Also see FW_SYSCTL_DIRS. # # Tip: Set this to "no" until you have verified that you have got a # configuration which works for you. Then set this to "yes" and keep it 
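Review bot: The sentence added in the `@@ -718,7 +718,7 @@` sysconfig hunk, "Also see FW_SYSCTL_DIRS.", names a variable this commit does not define; the setting introduced in the `@@ -728,6 +728,18 @@` hunk and read by the script is FW_SYSCTL_PATHS, so the line should read `# of these settings to your liking. Also see FW_SYSCTL_PATHS.`. In that later hunk the documented default `/usr/local/lib/sysctl.d.conf` differs from the script's built-in `/usr/local/lib/sysctl.d`, and the comment lists the paths comma-separated while the script splits the value on whitespace. An administrator copying the documented form would get entries the script cannot read, and a sysctl they meant to pin would then presumably be overwritten by the firewall.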
@@ -728,6 +728,18 @@ # FW_KERNEL_SECURITY="" +## Type: string +# +# Consider the following sysctl.d style directories and sysctl.conf style +# files before modifying any sysctl values during runtime. If a value is +# already configured in one of these dirs/files then it won't be changed by +# SuSEFirewall any more. +# +# This affects FW_KERNEL_SECURITY settings and forwarding settings for +# FW_ROUTE. If empty this defaults to /etc/sysctl.conf, /etc/sysctl.d, +# /usr/local/lib/sysctl.d.conf. +FW_SYSCTL_PATHS="" + ## Type: yesno # # Whether ip routing should be disabled when the firewall is shut diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.360/obs/mkpackage new/SuSEfirewall2-3.6.365/obs/mkpackage --- old/SuSEfirewall2-3.6.360/obs/mkpackage 2017-06-28 11:18:23.000000000 +0200 +++ new/SuSEfirewall2-3.6.365/obs/mkpackage 2017-07-28 10:40:25.000000000 +0200 @@ -18,11 +18,16 @@ echo "ln -s home\:*\:branches\:*/$name $dstdir" exit 1 fi +if [ ! -f "$dstdir/$name.spec" ]; then + echo "*** Error: Couldn't find $dstdir/$name.spec" + exit 1 +fi if [ "`git --no-pager diff --name-only|wc -l`" != '0' -o "`git --no-pager diff --name-only --cached|wc -l`" != 0 ]; then echo "*** Error: uncomitted changes" echo "run 'git add file' to add files, 'git commit -a' to commit changes" exit 1 fi + cd "$dstdir" echo "osc up" osc up
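Review bot: In the obs/mkpackage hunk the new spec-file check runs before `cd "$dstdir"`, which still has no error handling, so a failed cd lets `osc up` and whatever follows run in the git checkout instead; `cd "$dstdir" || exit 1` closes that gap. The added error message, like the existing ones, goes to stdout, and `echo "*** Error: Couldn't find $dstdir/$name.spec" >&2` would keep it out of captured output. The script continues beyond the hunk.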