Hello community,
here is the log from the commit of package yast2
checked in at Fri Feb 9 01:22:17 CET 2007.
--------
--- yast2/yast2.changes 2007-01-29 16:57:18.000000000 +0100
+++ /mounts/work_src_done/STABLE/yast2/yast2.changes 2007-02-08 17:59:03.000000000 +0100
@@ -1,0 +2,22 @@
+Thu Feb 8 16:46:18 CET 2007 - locilka@suse.cz
+
+- Tuning firewall services defined by packages (FATE #300687).
+- Added a lot of documentation and examples and comments into the
+ SuSEFirewall YCP module.
+- 2.15.6
+
+-------------------------------------------------------------------
+Thu Feb 8 11:06:41 CET 2007 - kmachalkova@suse.cz
+
+- Use UI::RunInTerminal in menu.ycp for text-mode only. In all other
+ cases run appropriate module in Qt(Gtk)
+- 2.15.5
+
+-------------------------------------------------------------------
+Wed Feb 7 16:15:41 CET 2007 - locilka@suse.cz
+
+- Added support for firewall services defined by packages
+ (FATE #300687).
+- Adjusted SuSEFirewall testsuite.
+
+-------------------------------------------------------------------
Old:
----
yast2-2.15.4.tar.bz2
New:
----
yast2-2.15.6.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ yast2.spec ++++++
--- /var/tmp/diff_new_pack.P31309/_old 2007-02-09 01:21:57.000000000 +0100
+++ /var/tmp/diff_new_pack.P31309/_new 2007-02-09 01:21:57.000000000 +0100
@@ -1,5 +1,5 @@
#
-# spec file for package yast2 (Version 2.15.4)
+# spec file for package yast2 (Version 2.15.6)
#
# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
@@ -11,12 +11,12 @@
# norootforbuild
Name: yast2
-Version: 2.15.4
+Version: 2.15.6
Release: 1
License: GNU General Public License (GPL)
Group: System/YaST
BuildRoot: %{_tmppath}/%{name}-%{version}-build
-Source0: yast2-2.15.4.tar.bz2
+Source0: yast2-2.15.6.tar.bz2
prefix: /usr
BuildRequires: perl-XML-Writer update-desktop-files yast2-devtools yast2-pkg-bindings yast2-testsuite
# UI::RunInTerminal builtin
@@ -97,7 +97,7 @@
Steffen Winterfeldt
%prep
-%setup -n yast2-2.15.4
+%setup -n yast2-2.15.6
%build
%{prefix}/bin/y2tool y2autoconf
@@ -198,6 +198,19 @@
%doc %{prefix}/share/doc/packages/yast2/wizard
%changelog -n yast2
+* Thu Feb 08 2007 - locilka@suse.cz
+- Tuning firewall services defined by packages (FATE #300687).
+- Added a lot of documentation and examples and comments into the
+ SuSEFirewall YCP module.
+- 2.15.6
+* Thu Feb 08 2007 - kmachalkova@suse.cz
+- Use UI::RunInTerminal in menu.ycp for text-mode only. In all other
+ cases run appropriate module in Qt(Gtk)
+- 2.15.5
+* Wed Feb 07 2007 - locilka@suse.cz
+- Added support for firewall services defined by packages
+ (FATE #300687).
+- Adjusted SuSEFirewall testsuite.
* Mon Jan 29 2007 - mzugec@suse.de
- Internet connection test fails on s390 (#238246)
- 2.15.4
++++++ yast2-2.15.4.tar.bz2 -> yast2-2.15.6.tar.bz2 ++++++
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/yast2-2.15.4/configure new/yast2-2.15.6/configure
--- old/yast2-2.15.4/configure 2007-01-29 16:19:31.000000000 +0100
+++ new/yast2-2.15.6/configure 2007-02-08 17:05:35.000000000 +0100
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.60 for yast2 2.15.4.
+# Generated by GNU Autoconf 2.60 for yast2 2.15.6.
#
# Report bugs to http://bugs.opensuse.org/.
#
@@ -559,8 +559,8 @@
# Identity of this package.
PACKAGE_NAME='yast2'
PACKAGE_TARNAME='yast2'
-PACKAGE_VERSION='2.15.4'
-PACKAGE_STRING='yast2 2.15.4'
+PACKAGE_VERSION='2.15.6'
+PACKAGE_STRING='yast2 2.15.6'
PACKAGE_BUGREPORT='http://bugs.opensuse.org/'
ac_unique_file="RPMNAME"
@@ -1183,7 +1183,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures yast2 2.15.4 to adapt to many kinds of systems.
+\`configure' configures yast2 2.15.6 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1254,7 +1254,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of yast2 2.15.4:";;
+ short | recursive ) echo "Configuration of yast2 2.15.6:";;
esac
cat <<\_ACEOF
@@ -1332,7 +1332,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-yast2 configure 2.15.4
+yast2 configure 2.15.6
generated by GNU Autoconf 2.60
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -1346,7 +1346,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by yast2 $as_me 2.15.4, which was
+It was created by yast2 $as_me 2.15.6, which was
generated by GNU Autoconf 2.60. Invocation command line was
$ $0 $@
@@ -2147,7 +2147,7 @@
# Define the identity of the package.
PACKAGE='yast2'
- VERSION='2.15.4'
+ VERSION='2.15.6'
cat >>confdefs.h <<_ACEOF
@@ -2374,7 +2374,7 @@
-VERSION="2.15.4"
+VERSION="2.15.6"
RPMNAME="yast2"
MAINTAINER="Jiri Srain "
@@ -3366,7 +3366,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by yast2 $as_me 2.15.4, which was
+This file was extended by yast2 $as_me 2.15.6, which was
generated by GNU Autoconf 2.60. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -3409,7 +3409,7 @@
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF
ac_cs_version="\\
-yast2 config.status 2.15.4
+yast2 config.status 2.15.6
configured by $0, generated by GNU Autoconf 2.60,
with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/yast2-2.15.4/configure.in new/yast2-2.15.6/configure.in
--- old/yast2-2.15.4/configure.in 2007-01-29 16:19:26.000000000 +0100
+++ new/yast2-2.15.6/configure.in 2007-02-08 17:05:30.000000000 +0100
@@ -3,7 +3,7 @@
dnl -- This file is generated by y2autoconf 2.14.0 - DO NOT EDIT! --
dnl (edit configure.in.in instead)
-AC_INIT(yast2, 2.15.4, http://bugs.opensuse.org/, yast2)
+AC_INIT(yast2, 2.15.6, http://bugs.opensuse.org/, yast2)
dnl Check for presence of file 'RPMNAME'
AC_CONFIG_SRCDIR([RPMNAME])
@@ -17,7 +17,7 @@
AM_INIT_AUTOMAKE(tar-ustar) dnl searches for some needed programs
dnl Important YaST2 variables
-VERSION="2.15.4"
+VERSION="2.15.6"
RPMNAME="yast2"
MAINTAINER="Jiri Srain "
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/yast2-2.15.4/library/desktop/src/menu.ycp new/yast2-2.15.6/library/desktop/src/menu.ycp
--- old/yast2-2.15.4/library/desktop/src/menu.ycp 2006-12-11 13:16:07.000000000 +0100
+++ new/yast2-2.15.6/library/desktop/src/menu.ycp 2007-02-08 16:46:09.000000000 +0100
@@ -4,7 +4,7 @@
* Summary: NCurses Control Center
* Authors: Michal Svec
*
- * $Id: menu.ycp 34853 2006-12-07 14:32:19Z lslezak $
+ * $Id: menu.ycp 35963 2007-02-08 10:21:04Z kmachalkova $
*
* Provides a list of available yast2 modules. This module is inteded for use
* with ncurses, for X the yast2 control center should be used.
@@ -87,13 +87,28 @@
string argument = Modules[modul, "X-SuSE-YaST-Argument"]:"";
y2debug("Calling: %1 (%2)", function, argument);
+ map display_info = UI::GetDisplayInfo();
+ boolean textmode = display_info["TextMode"]:false;
+
if(function != "") {
- string cmd = sformat ("/sbin/yast %1 %2 >&2", function, argument);
- any ret = UI::RunInTerminal(cmd);
+ string cmd = "";
+ any ret = nil;
+
+ //Use UI::RunInTerminal in text-mode only (#237332)
+ if (textmode) {
+ cmd = sformat ("/sbin/yast %1 %2 >&2", function, argument);
+ ret = UI::RunInTerminal(cmd);
+ }
+ //else (we have y2-qt, but no qt control centre) launch qt module
+ //this should never happen, but ...
+ else {
+ cmd = sformat ("/sbin/yast2 %1 %2 >&2", function, argument);
+ ret = SCR::Execute (.target.bash, cmd);
+ }
y2milestone ("Got %1 from %2", ret, cmd);
- if (function == "online_update" && ret == -42)
+ if ((function == "online_update" && ret == -42) || ret == `restart_menu)
{
y2milestone ("yast needs to be restarted - exiting...");
SCR::Execute (.target.bash, sformat ("touch %1", restart_file));
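Review bot: In the new `else` branch the command `/sbin/yast2 %1 %2 >&2` is handed to `.target.bash` with `function` and `argument` interpolated unquoted, and `argument` is read verbatim from the desktop-file key `X-SuSE-YaST-Argument` at the top of the hunk, so a value containing whitespace or shell metacharacters alters the command instead of being passed as one argument. Those desktop files are normally root-owned, so this is hardening rather than an exploit, but wrapping both values in single quotes (after escaping any single quote inside them) is cheap and would fix the pre-existing text-mode line in the same way. Separately, `.target.bash` returns the shell's exit status, which as far as I can tell is confined to 0–255, so the `ret == -42` restart sentinel can only ever be observed on the `UI::RunInTerminal` path, and the new comparison against the `restart_menu` symbol likewise only applies there; a one-line comment saying the Qt branch cannot signal a restart would save the next reader the puzzle. The enclosing function continues past the end of the hunk.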
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/yast2-2.15.4/library/modules/Version.ycp new/yast2-2.15.6/library/modules/Version.ycp
--- old/yast2-2.15.4/library/modules/Version.ycp 2007-01-29 16:19:46.000000000 +0100
+++ new/yast2-2.15.6/library/modules/Version.ycp 2007-02-08 17:05:47.000000000 +0100
@@ -20,7 +20,7 @@
/**
* Version of the yast2 package
*/
-global string yast2 = "2.15.4";
+global string yast2 = "2.15.6";
/* EOF */
}
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/yast2-2.15.4/library/network/src/SuSEFirewallServices.ycp new/yast2-2.15.6/library/network/src/SuSEFirewallServices.ycp
--- old/yast2-2.15.4/library/network/src/SuSEFirewallServices.ycp 2006-12-11 13:15:57.000000000 +0100
+++ new/yast2-2.15.6/library/network/src/SuSEFirewallServices.ycp 2007-02-08 16:49:45.000000000 +0100
@@ -4,7 +4,7 @@
* Summary: Definition of Supported Firewall Services and Port Aliases.
* Authors: Lukas Ocilka
*
- * $Id: SuSEFirewallServices.ycp 33164 2006-09-27 08:42:24Z jsrain $
+ * $Id: SuSEFirewallServices.ycp 35972 2007-02-08 15:49:42Z locilka $
*
* Global Definition of Firewall Services
* Defined using TCP, UDP and RPC ports and IP protocols and Broadcast UDP
@@ -14,7 +14,11 @@
{
module "SuSEFirewallServices";
textdomain "base";
+
+ import "FileUtils";
+ // FIXME: repair by implementing FATE #300687: Ports for SuSEfirewall added via packages.
+ // add definition of services to the respective package
/* list of possibly conflict services because of sharing ports, for instance: "nis-server" and "nfs-server" */
list <string> possibly_conflict_services = ["nfs-server", "nis-server", "nfs-client", "nis-client"];
@@ -41,6 +45,25 @@
*
*/
+ string services_definitions_in = "/usr/share/SuSEfirewall2/services/";
+
+ map known_services_features = $[
+ "TCP" : "tcp_ports",
+ "UDP" : "udp_ports",
+ "RPC" : "rpc_ports",
+ "IP" : "ip_protocols",
+ "BROADCAST" : "broadcast_ports",
+ ];
+
+ map known_metadata = $[
+ "Name" : "name",
+ "Description" : "description",
+ ];
+
+ /**
+ * These definitions will be removed and replaced by definitions in packages.
+ * FATE #300687: Ports for SuSEfirewall added via packages.
+ */
define map > SERVICES = $[
"http" : $[
// TRANSLATORS: Name of Service, can be used as check box, item in multiple selection box...
@@ -222,6 +245,104 @@
];
/**
+ * Returns whether the service ID is defined by package.
+ *
+ * @example
+ * ServiceDefinedByPackage ("http-server") -> false
+ * ServiceDefinedByPackage ("service:http-server") -> true
+ */
+ global boolean ServiceDefinedByPackage (string service) {
+ return regexpmatch (service, "^service:.*");
+ }
+
+ term GetMetadataAgent (string filefullpath) {
+ return
+ `IniAgent(filefullpath, $[
+ "options" : [ "global_values", "flat", "read_only", "ignore_case_regexps" ],
+ "comments": [
+ // jail followed by anything but jail (immediately)
+ "^[ \t]*#[^#].*$",
+ // jail alone
+ "^[ \t]*#$",
+ // (empty space)
+ "^[ \t]*$",
+ // sysconfig entries
+ "^[ \t]*[a-zA-Z0-9_]+.*",
+ ],
+ "params" : [
+ $[ "match" : [ "^##[ \t]*([^:]+):[ \t]*(.*)[ \t]*$", "%s: %s" ] ],
+ ],
+ ]);
+ }
+
+ /**
+ * Reads definition of services that can be used in FW_CONFIGURATIONS_[EXT|INT|DMZ]
+ * in SuSEfirewall2.
+ */
+ global define boolean ReadServicesDefinedByRPMPackages () {
+ if (! FileUtils::Exists (services_definitions_in) || ! FileUtils::IsDirectory (services_definitions_in)) {
+ y2error ("Cannot read %1", services_definitions_in);
+ return false;
+ }
+
+ list <string> all_definitions = (list<string>) SCR::Read (.target.dir, services_definitions_in);
+ // skip the TEMPLATE file
+ all_definitions = filter (string filename, all_definitions, { return filename != "TEMPLATE"; });
+
+ string one_definition = nil;
+ string filefullpath = nil;
+ // for all files in that directory
+ foreach (string filename, all_definitions, {
+ // "service:abc_server" to distinguis between dynamic definition and the static one
+ one_definition = "service:" + filename;
+ filefullpath = services_definitions_in + filename;
+ SERVICES[one_definition] = $[];
+
+ // Registering sysconfig agent for this file
+ if (! SCR::RegisterAgent (.firewall_service_definition, `ag_ini (`SysConfigFile (filefullpath)))) {
+ y2error ("Cannot register agent for %1", filefullpath);
+ return;
+ }
+ string definition = nil;
+ list <string> definition_values = nil;
+ foreach (string known_feature, string map_key, known_services_features, {
+ definition = (string) SCR::Read (add(.firewall_service_definition, known_feature));
+ if (definition == nil) definition = "";
+
+ // map of services contains list of entries
+ definition_values = splitstring (definition, " \t\n");
+ definition_values = filter (string one_value, definition_values, { return one_value != ""; });
+ SERVICES[one_definition, map_key] = definition_values;
+ });
+
+ // Unregistering sysconfig agent for this file
+ SCR::UnregisterAgent (.firewall_service_definition);
+
+ // Fallback for presented service
+ SERVICES[one_definition, "name"] = sformat (_("Service: %1"), filename);
+ SERVICES[one_definition, "description"] = "";
+
+ // Registering sysconfig agent for this file (to get metadata)
+ if (SCR::RegisterAgent (.firewall_service_metadata, `ag_ini (GetMetadataAgent(filefullpath)))) {
+ foreach (string metadata_feature, string metadata_key, known_metadata, {
+ definition = (string) SCR::Read (add(.firewall_service_metadata, metadata_feature));
+ if (definition == nil || definition == "") return;
+ SERVICES[one_definition, metadata_key] = definition;
+ });
+
+ SCR::UnregisterAgent (.firewall_service_metadata);
+ } else {
+ y2error ("Cannot register agent for %1 (metadata)", filefullpath);
+ }
+
+ // can be removed later
+ y2milestone ("'%1' -> %2", filename, SERVICES[one_definition]:$[]);
+ });
+
+ return true;
+ }
+
+ /**
* Function returns if the service_id is a known (defined) service
*
* @param string service_id
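Review bot: `ReadServicesDefinedByRPMPackages` turns every directory entry other than `TEMPLATE` into a service id (`"service:" + filename`) without validating the name, and that bare name is later written into the space-separated `FW_CONFIGURATIONS_*` sysconfig values, so a filename containing whitespace cannot round-trip and backup files such as `foo~` or `foo.rpmsave` (and subdirectories, if `.target.dir` lists them) become selectable services. Tightening the existing filter to a safe pattern closes both: `return filename != "TEMPLATE" && regexpmatch (filename, "^[a-zA-Z0-9_-]+$");`. Also, `SERVICES[one_definition] = $[]` is assigned before the agent is registered, and since a `return` inside a `foreach` block only skips the current item (as the metadata loop below relies on), the `Cannot register agent` path leaves an empty, port-less service in the map that `GetListOfServicesAddedByPackage` will still report — assign the entry only after `RegisterAgent` succeeds, or drop it on that error path.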
@@ -238,7 +359,12 @@
/**
* Function returns the map of supported (known) services.
*
- * @return map [service_id, service_name]
+ * @return map $[service_id : localized_service_name]
+ * @struct
+ * $[
+ * "dns-server" : "DNS Server",
+ * "vnc" : "Remote Administration",
+ * ]
*/
global define map GetSupportedServices () {
map supported_services = $[];
@@ -253,6 +379,21 @@
}
/**
+ * Returns list of service-ids defined by packages.
+ *
+ * @return list <string> service ids
+ */
+ global define list <string> GetListOfServicesAddedByPackage () {
+ list <string> ret = maplist (string service_id, map service_definition, SERVICES, {
+ return service_id;
+ });
+ ret = filter (string service_id, ret, {
+ return ServiceDefinedByPackage (service_id);
+ });
+ return ret;
+ }
+
+ /**
* Function returns needed TCP ports for service
*
* @param string service
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/yast2-2.15.4/library/network/src/SuSEFirewall.ycp new/yast2-2.15.6/library/network/src/SuSEFirewall.ycp
--- old/yast2-2.15.4/library/network/src/SuSEFirewall.ycp 2007-01-24 18:25:59.000000000 +0100
+++ new/yast2-2.15.6/library/network/src/SuSEFirewall.ycp 2007-02-08 17:57:58.000000000 +0100
@@ -138,6 +138,10 @@
// Custom kernel modules, e.g., for FTP
"FW_LOAD_MODULES",
+
+ // Services defined in /usr/share/SuSEfirewall2/services/ directory
+ // FATE #300687: Ports for SuSEfirewall added via packages
+ "FW_CONFIGURATIONS_EXT", "FW_CONFIGURATIONS_INT", "FW_CONFIGURATIONS_DMZ",
];
# <!-- SuSEFirewall VARIABLES //-->
@@ -146,7 +150,7 @@
/**
* Function sets internal variable, which indicates, that any
- * "firewall settings were modified", to "true"
+ * "firewall settings were modified", to "true".
*/
global define void SetModified () {
modified = true;
@@ -163,6 +167,8 @@
* Function returns list of known firewall zones (shortnames)
*
* @return list <string> of firewall zones
+ *
+ * @example GetKnownFirewallZones() -> ["DMZ", "EXT", "INT"]
*/
global define list <string> GetKnownFirewallZones () {
return known_firewall_zones;
@@ -433,8 +439,17 @@
* Local function return map of allowed ports (without aliases).
* If any list for zone is defined but empty, all allowed
* UDP ports for this zone also accept broadcast packets.
+ * This function returns only ports that are mentioned in configuration,
+ * it doesn't return ports that are listed in some service (defined by package)
+ * which is enabled.
*
* @return map strings are allowed ports or port ranges
+ *
+ * @struct $[
+ * "ZONE1" : [ "port1", "port2" ],
+ * "ZONE2" : [ "port3", "port4" ],
+ * "ZONE3" : [ ]
+ * ]
*/
global define map GetBroadcastAllowedPorts () {
@@ -466,6 +481,7 @@
* Function creates allowed-broadcast-ports string from broadcast map and saves it.
*
* @param map strings are allowed ports or port ranges
+ * @see GetBroadcastAllowedPorts() for an example of data
*/
global define void SetBroadcastAllowedPorts (map broadcast) {
SetModified();
@@ -481,6 +497,8 @@
* @param list <string> ports
* @param string zone
* @return boolean if is allowed
+ *
+ * @example IsBroadcastAllowed (["port-xyz", "53"], "EXT") -> true
*/
boolean IsBroadcastAllowed (list <string> needed_ports, string zone) {
if (size(needed_ports)==0) {
@@ -709,6 +727,70 @@
}
/**
+ * Removes service defined by package (FATE #300687) from enabled services.
+ *
+ * @param string service_id
+ * @param string zone
+ *
+ * @example
+ * RemoveServiceDefinedByPackageFromZone ("service:irc-server", "EXT");
+ */
+ void RemoveServiceDefinedByPackageFromZone (string service, string zone) {
+ if (! IsKnownZone(zone)) {
+ return nil;
+ }
+
+ if (service == nil) {
+ y2error ("Service Id can't be nil!");
+ return nil;
+ } else if (regexpmatch (service, "^service:.*")) {
+ service = regexpsub (service, "^service:(.*)", "\\1");
+ }
+
+ // services defined by package are listed without "service:" which is here
+ // just to distinguish between dynamic and static definitions
+ list <string> supported_services = splitstring (SETTINGS["FW_CONFIGURATIONS_" + zone]:"", " ");
+ // Removing the service
+ supported_services = filter (string one_service, supported_services, {
+ return one_service != service;
+ });
+ SETTINGS["FW_CONFIGURATIONS_" + zone] = mergestring (supported_services, " ");
+
+ SetModified();
+ }
+
+ /**
+ * Adds service defined by package (FATE #300687) into list of enabled services.
+ *
+ * @param string service_id
+ * @param string zone
+ *
+ * @example
+ * AddServiceDefinedByPackageIntoZone ("service:irc-server", "EXT");
+ */
+ void AddServiceDefinedByPackageIntoZone (string service, string zone) {
+ if (! IsKnownZone(zone)) {
+ return nil;
+ }
+
+ if (service == nil) {
+ y2error ("Service Id can't be nil!");
+ return nil;
+ } else if (regexpmatch (service, "^service:.*")) {
+ service = regexpsub (service, "^service:(.*)", "\\1");
+ }
+
+ // services defined by package are listed without "service:" which is here
+ // just to distinguish between dynamic and static definitions
+ list <string> supported_services = splitstring (SETTINGS["FW_CONFIGURATIONS_" + zone]:"", " ");
+ // Adding the service
+ supported_services = toset (add (supported_services, service));
+ SETTINGS["FW_CONFIGURATIONS_" + zone] = mergestring (supported_services, " ");
+
+ SetModified();
+ }
+
+ /**
* Local function removes well-known service's support from zone.
* Allowed ports are removed with all of their port-aliases.
*
@@ -723,6 +805,14 @@
return nil;
}
+ // FATE #300687: Ports for SuSEfirewall added via packages
+ if (SuSEFirewallServices::ServiceDefinedByPackage (service)) {
+ if (IsServiceSupportedInZone (service,zone))
+ RemoveServiceDefinedByPackageFromZone (service, zone);
+
+ return nil;
+ }
+
SetModified();
// Removing service ports (and also port aliases for TCP and UDP)
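Review bot: `RemoveServiceDefinedByPackageFromZone` and `AddServiceDefinedByPackageIntoZone` split `FW_CONFIGURATIONS_<zone>` on a single space and keep every token, so a value with doubled spaces, a tab or a trailing newline yields empty strings that `toset` stores and `mergestring` writes back as stray separators; `ReadServicesDefinedByRPMPackages` in SuSEFirewallServices.ycp already splits on `" \t\n"` and filters empties, and these two should do the same, e.g. `supported_services = filter (string s, splitstring (SETTINGS["FW_CONFIGURATIONS_" + zone]:"", " \t\n"), { return s != ""; });`. The nil check plus `service:` prefix stripping is duplicated verbatim in both functions (and a third time in the later `IsServiceDefinedByPackageSupportedInZone` hunk); a small private helper returning the bare service name would keep the three copies in step. Neither function checks that the bare name is actually known to SuSEFirewallServices before writing it into the sysconfig value; the callers visible in this and the next hunk do that check first, so this is a note for future direct callers rather than a defect today.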
@@ -754,7 +844,7 @@
* @param string zone
*/
void AddServiceSupportIntoZone (string service, string zone) {
- map needed = SuSEFirewallServices::GetNeededPortsAndProtocols(service);
+ map needed = SuSEFirewallServices::GetNeededPortsAndProtocols (service);
// unknown service
if (needed == nil) {
y2error("Undefined service '%1'", service);
@@ -763,6 +853,13 @@
SetModified();
+ // FATE #300687: Ports for SuSEfirewall added via packages
+ if (SuSEFirewallServices::ServiceDefinedByPackage (service)) {
+ AddServiceDefinedByPackageIntoZone (service, zone);
+
+ return nil;
+ }
+
// Removing service ports first (and also port aliases for TCP and UDP)
if (IsServiceSupportedInZone(service,zone)) {
RemoveServiceSupportFromZone(service,zone);
@@ -840,17 +937,23 @@
}
/**
- * Function resets flag which doesn't allow to read configuration from disk again
+ * Function resets flag which doesn't allow to read configuration from disk again.
+ * So you actually can reread the configuration from disk. Currently, only the first
+ * Read() call reads the configuration from disk.
*/
global define void ResetReadFlag () {
configuration_has_been_read = false;
}
/**
- * Function returns name of the zone identified by zone shortname.
+ * Function returns localized name of the zone identified by zone shortname.
*
* @param string short name
* @return string zone name
+ *
+ * @example
+ * LANG=en_US GetZoneFullName ("EXT") -> "External Zone"
+ * LANG=cs_CZ GetZoneFullName ("EXT") -> "Externí Zóna"
*/
global define string GetZoneFullName (string zone) {
// TRANSLATORS: Firewall zone full-name, used as combo box item or dialog title
@@ -873,7 +976,7 @@
}
/**
- * Function returns if firewall is protected from internal zone
+ * Function returns if firewall is protected from internal zone.
*
* @return boolean if protected from internal
*/
@@ -962,7 +1065,8 @@
}
/**
- * Function which returns if SuSEfirewall should start in Write process
+ * Function which returns if SuSEfirewall2 should start in Write process.
+ * In fact it means that SuSEfirewall2 will at the end.
*
* @return boolean if the firewall should start
*/
@@ -971,9 +1075,10 @@
}
/**
- * Function which sets if SuSEfirewall should start in Write process
+ * Function which sets if SuSEfirewall should start in Write process.
*
* @param boolean start_service at Write() process
+ * @see GetStartService()
*/
global define void SetStartService (boolean start_service) {
if (GetStartService() != start_service) {
@@ -991,6 +1096,7 @@
/**
* Function which returns whether SuSEfirewall should be enabled in
* /etc/init.d/ starting scripts during the Write() process
+ *
* @see Write()
* @see EnableServices()
*
@@ -1028,20 +1134,12 @@
// bug #215416
// SuSEfirewall2_init doesn't need to be called, only enabled
- //foreach (string service, firewall_services, {
- // y2debug("Starting service: %1", service);
- //
- // if (! Service::Start(service)) {
- // all_ok = false;
- // y2error("Error starting service: %1", service);
- // }
- //});
- //string tmpdir_file = (string) SCR::Read(.target.tmpdir);
- //if (tmpdir_file == nil || tmpdir_file == "") tmpdir_file = "/tmp";
-
- string tmpdir_file = "/var/lib/YaST2";
+ if (Mode::testsuite()) return true;
+ string tmpdir_file = (string) SCR::Read(.target.tmpdir);
+ if (tmpdir_file == nil || tmpdir_file == "") tmpdir_file = "/var/lib/YaST2";
tmpdir_file = tmpdir_file + "/SuSEfirewall2_YaST_output";
+
string command = sformat(
"/sbin/SuSEfirewall2 start 2>'%1'; cat '%1'; rm -rf '%1'",
tmpdir_file
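Review bot: The capture file used by `2>'%1'; cat '%1'; rm -rf '%1'` keeps the fixed name `SuSEfirewall2_YaST_output`, so two YaST instances that both end up in the `/var/lib/YaST2` fallback would overwrite each other's output; whether `.target.tmpdir` is a private per-process directory is not visible from this hunk, so a comment on the fallback line stating that assumption (or a per-process suffix on the file name) would help. Dropping the earlier `/tmp` fallback mentioned in the removed comment in favour of `/var/lib/YaST2` is a clear improvement. `rm -rf` on a single regular file should be `rm -f`; the recursive flag buys nothing here. This hunk and the `stop` hunk below are identical apart from the verb, so a private helper taking `"start"`/`"stop"` would remove the duplication; `StartServices` continues beyond the hunk.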
@@ -1068,20 +1166,12 @@
// bug #215416
// SuSEfirewall2_init doesn't need to be called, only disabled
- //foreach (string service, firewall_services_reverse, {
- // y2debug("Stopping service: %1", service);
- //
- // if (! Service::Stop (service)) {
- // y2error("Error stopping service: %1", service);
- // all_ok = false;
- // }
- //});
- // string tmpdir_file = (string) SCR::Read(.target.tmpdir);
- // if (tmpdir_file == nil || tmpdir_file == "") tmpdir_file = "/tmp";
-
- string tmpdir_file = "/var/lib/YaST2";
+ if (Mode::testsuite()) return true;
+ string tmpdir_file = (string) SCR::Read(.target.tmpdir);
+ if (tmpdir_file == nil || tmpdir_file == "") tmpdir_file = "/var/lib/YaST2";
tmpdir_file = tmpdir_file + "/SuSEfirewall2_YaST_output";
+
string command = sformat(
"/sbin/SuSEfirewall2 stop 2>'%1'; cat '%1'; rm -rf '%1'",
tmpdir_file
@@ -1222,6 +1312,8 @@
* @param string interface
* @param string firewall zone
* @return boolean is in zone
+ *
+ * @example IsInterfaceInZone ("eth-id-01:11:DA:9C:8A:2F", "INT") -> false
*/
global define boolean IsInterfaceInZone(string interface, string zone) {
list <string> interfaces = splitstring(SETTINGS[ "FW_DEV_" + zone ]:"", " ");
@@ -1235,6 +1327,8 @@
*
* @param string interface
* @return string zone
+ *
+ * @example GetZoneOfInterface ("eth-id-01:11:DA:9C:8A:2F") -> "DMZ"
*/
global define string GetZoneOfInterface (string interface) {
list interface_zone = [];
@@ -1261,7 +1355,10 @@
* Function returns list of zones of requested interfaces
*
* @param list<string> interfaces
- * @param list<string> firewall zones
+ * @return list<string> firewall zones
+ *
+ * @example
+ * GetZonesOfInterfaces (["eth1","eth4"]) -> ["DMZ", "EXT"]
*/
global define list<string> GetZonesOfInterfaces (list<string> interfaces) {
list<string> zones = [];
@@ -1282,7 +1379,10 @@
* Special string 'any' in 'EXT' zone is supported.
*
* @param list<string> interfaces
- * @param list<string> firewall zones
+ * @return list<string> firewall zones
+ *
+ * @example
+ * GetZonesOfInterfaces (["eth1","eth4"]) -> ["EXT"]
*/
global define list<string> GetZonesOfInterfacesWithAnyFeatureSupported (list<string> interfaces) {
list<string> zones = [];
@@ -1354,6 +1454,7 @@
* Function returns list of non-dial-up interfaces.
*
* @return list <string> of non-dial-up interface names
+ * @example GetAllNonDialUpInterfaces() -> ["eth1", "eth2"]
*/
global define list <string> GetAllNonDialUpInterfaces () {
list <string> non_dial_up_interfaces = [];
@@ -1369,6 +1470,7 @@
* Function returns list of dial-up interfaces.
*
* @return list <string> of dial-up interface names
+ * @example GetAllDialUpInterfaces() -> ["modem0", "dsl5"]
*/
global define list <string> GetAllDialUpInterfaces () {
list <string> dial_up_interfaces = [];
@@ -1384,6 +1486,7 @@
* Function returns list of all known interfaces.
*
* @return list <string> of interfaces
+ * @example GetListOfKnownInterfaces() -> ["eth1", "eth2", "modem0", "dsl5"]
*/
global define list <string> GetListOfKnownInterfaces () {
list <string> interfaces = [];
@@ -1400,6 +1503,7 @@
*
* @param string interface
* @param string zone
+ * @example RemoveInterfaceFromZone ("modem0", "EXT")
*/
global define void RemoveInterfaceFromZone (string interface, string zone) {
SetModified();
@@ -1419,6 +1523,7 @@
*
* @param string interface
* @param string zone
+ * @example AddInterfaceIntoZone ("eth5", "DMZ")
*/
global define void AddInterfaceIntoZone (string interface, string zone) {
SetModified();
@@ -1448,6 +1553,7 @@
*
* @param string zone
* @return list <string> of interfaces
+ * @example GetInterfacesInZone ("DMZ") -> ["eth4", "eth5"]
*/
global define list<string> GetInterfacesInZone (string zone) {
list <string> interfaces_in_zone = splitstring (SETTINGS["FW_DEV_" + zone]:"", " ");
@@ -1463,7 +1569,7 @@
}
/**
- * Function returns all interfaces configured in firewall, already
+ * Function returns all interfaces already configured in firewall.
*
* @return list <string> of configured interfaces
*/
@@ -1480,10 +1586,11 @@
/**
* Returns list of interfaces not mentioned in any zone and covered by the
* special string 'any' in zone 'EXT' if such string exists there and the zone
- * is EXT.
+ * is EXT. If the feature 'any' is not set, function returns empty list.
*
* @param string zone
* @return list <string> of interfaces covered by special string 'any'
+ * @see IsAnyNetworkInterfaceSupported()
*/
global define list<string> InterfacesSupportedByAnyFeature (string zone) {
list <string> result = [];
@@ -1528,11 +1635,17 @@
/**
* Function returns if requested service is allowed in respective zone.
* Function takes care for service's aliases (only for TCP and UDP).
+ * Service is defined by set of parameters such as port and protocol.
*
* @param string service (service name, port name, port alias or port number)
* @param protocol TCP, UDP, RCP or IP
* @param interface name (like modem0), firewall zone (like "EXT") or "any" for all zones.
* @return boolean if service is allowed
+ *
+ * @example
+ * HaveService ("ssh", "TCP", "EXT") -> true
+ * HaveService ("ssh", "TCP", "modem0") -> false
+ * HaveService ("53", "UDP", "dsl") -> false
*/
global define boolean HaveService(string service, string protocol, string interface) {
if (! IsSupportedProtocol(protocol)) {
@@ -1585,6 +1698,10 @@
* @param string protocol TCP, UDP, RPC, IP
* @param string zone name or interface name
* @return boolean success
+ *
+ * @example
+ * AddService ("ssh", "TCP", "EXT")
+ * AddService ("ssh", "TCP", "dsl0")
*/
global define boolean AddService (string service, string protocol, string interface) {
boolean success = false;
@@ -1638,12 +1755,17 @@
/**
* Function removes service from selected zone (or for interface) for selected protocol.
- * Function take care about port-aliases, removes all of them.
+ * Function takes care about port-aliases, removes all of them.
*
* @param string service/port
* @param string protocol TCP, UDP, RPC, IP
* @param string zone name or interface name
* @return boolean success
+ *
+ * @example
+ * RemoveService ("22", "TCP", "DMZ") -> true
+ * is the same as
+ * RemoveService ("ssh", "TCP", "DMZ") -> true
*/
global define boolean RemoveService (string service, string protocol, string interface) {
boolean success = false;
@@ -1704,8 +1826,10 @@
* @param list <string> needed (checked) ports for service
* @param string protocol TCP, UDP, RPC or IP
* @param zone name like EXT
- * @param boolean check for port-aliases
+ * @param boolean check for port-aliases (true is a reasonable default)
* @return boolean if all ports are allowed
+ * @example
+ * ArePortsOrServicesAllowed (["53", "54"], "UDP", "INT", true) -> true
*/
boolean ArePortsOrServicesAllowed (list <string> needed_ports, string protocol, string zone, boolean check_for_aliases) {
boolean are_allowed = true;
@@ -1739,13 +1863,44 @@
}
/**
+ * Returns whether a service is mentioned in FW_CONFIGURATIONS_[EXT|INT|DMZ].
+ * These services are defined by random packages.
+ */
+ boolean IsServiceDefinedByPackageSupportedInZone (string service, string zone) {
+ if (! IsKnownZone(zone)) {
+ return nil;
+ }
+
+ if (service == nil) {
+ y2error ("Service Id can't be nil!");
+ return nil;
+ } else if (regexpmatch (service, "^service:.*")) {
+ service = regexpsub (service, "^service:(.*)", "\\1");
+ }
+
+ // services defined by package are listed without "service:" which is here
+ // just to distinguish between dynamic and static definitions
+ list <string> supported_services = splitstring (SETTINGS["FW_CONFIGURATIONS_" + zone]:"", " ");
+ return contains (supported_services, service);
+ }
+
+ /**
* Function returns if service is supported (allowed) in zone. Service must be defined
- * in the SuSEFirewallServices.
+ * in the SuSEFirewallServices. Works transparently also with services defined by packages.
+ * Such service starts with "service:" prefix.
*
- * @see Module SuSEFirewallServices
+ * @see YCP Module SuSEFirewallServices
* @param string service id
* @param string zone
* @return boolean if supported
+ *
+ * @example
+ * // All ports defined by dns-server service in SuSEFirewallServices module
+ * // are enabled in the respective zone
+ * IsServiceSupportedInZone ("dns-server", "EXT") -> true
+ * // irc-server definition exists on the system and the irc-server
+ * // is mentioned in FW_CONFIGURATIONS_EXT variable of SuSEfirewall2
+ * IsServiceSupportedInZone ("service:irc-server", "EXT") -> true
*/
global define boolean IsServiceSupportedInZone (string service, string zone) {
if (! IsKnownZone(zone)) {
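Review bot: `IsServiceDefinedByPackageSupportedInZone` is declared `boolean` but returns `nil` from both guard branches, and the next hunk's `IsServiceSupportedInZone` passes that value straight through to its callers; the unknown-zone case is already filtered there, but a nil service id is not, so the guards should `return false;` (the error is already logged) to keep the contract honest. The new function also has no parameter or return documentation; I would add `@param string service id (with or without the "service:" prefix)`, `@param string zone` and `@return boolean whether the bare id is listed in FW_CONFIGURATIONS_<zone>`, and reword `defined by random packages` in the header comment to `defined by arbitrary (third-party) packages`, which is what is meant.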
@@ -1766,6 +1921,12 @@
return true;
}
+ // FATE #300687: Ports for SuSEfirewall added via packages
+ if (SuSEFirewallServices::ServiceDefinedByPackage(service)) {
+ boolean supported = IsServiceDefinedByPackageSupportedInZone (service, zone);
+ return supported;
+ }
+
// starting with nil value, any false means that the service is not supported
boolean service_is_supported = nil;
foreach (string key, service_defined_by, {
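Review bot: The temporary `supported` in the new branch adds nothing; `return IsServiceDefinedByPackageSupportedInZone (service, zone);` reads the same and matches the early returns above it. The callee returns nil for a nil service id, so this branch may yield nil where the caller presumably expects true or false; a one-line comment on the branch, `// nil result from the callee is propagated`, would spare the next reader a trace. IsServiceSupportedInZone's body starts and ends outside this hunk.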
@@ -1800,6 +1961,12 @@
* @param list <string> of services
* @return map >
* @struct Returns $[service : $[ interface : supported_status ]]
+ *
+ * @example
+ * GetServicesInZones (["service:irc-server"]) -> $["service:irc-server":$["eth1":true]]
+ * // No such service "something"
+ * GetServicesInZones (["something"])) -> $["something":$["eth1":nil]]
+ * GetServicesInZones (["samba-server"]) -> $["samba-server":$["eth1":false]]
*/
global define map > GetServicesInZones (list<string> services) {
// list of interfaces for each zone
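Review bot: The second `@example` line has an unbalanced parenthesis: `GetServicesInZones (["something"])) -> $["something":$["eth1":nil]]` should read `GetServicesInZones (["something"]) -> $["something":$["eth1":nil]]`. Since these examples are meant to be copied, a syntax slip in them is worth fixing before the module documentation is generated.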
@@ -1840,6 +2007,14 @@
* @param list <string> of services
* @return map >
* @struct Returns $[service : $[ zone_name : supported_status]]
+ *
+ * @example
+ * // Firewall in not protected from internal zone, that's why
+ * // all services report that they are enabled in INT zone
+ * GetServices (["samba-server", "service:irc-server"]) -> $[
+ * "samba-server" : $["DMZ":false, "EXT":false, "INT":true],
+ * "service:irc-server" : $["DMZ":false, "EXT":true, "INT":true]
+ * ]
*/
global define map > GetServices (list<string> services) {
// $[ service : $[ firewall_zone : status ]]
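Review bot: Typo in the new example comment: `// Firewall in not protected from internal zone, that's why` should read `// Firewall is not protected from internal zone, that's why`. It would also help to say that the `"INT":true` results shown depend on that setting and change when protection from the internal zone is switched on, so readers do not take them as unconditional.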
@@ -1864,6 +2039,13 @@
* @param list <string> firewall zones (EXT|INT|DMZ...)
* @param boolean new status of services
* @return boolean if successfull
+ *
+ * @example
+ * SetServicesForZones (["samba-server", "service:irc-server"], ["DMZ", "EXT"], false);
+ * SetServicesForZones (["samba-server", "service:irc-server"], ["EXT", "DMZ"], true);
+ *
+ * @see GetServicesInZones()
+ * @see GetServices()
*/
global define boolean SetServicesForZones (list<string> services_ids, list<string> firewall_zones, boolean new_status) {
// no groups == all groups
@@ -1895,12 +2077,19 @@
}
/**
- * Function sets status for several services in several network interfaces.
+ * Function sets status for several services on several network interfaces.
*
* @param list <string> service ids
* @param list <string> network interfaces
* @param boolean new status of services
* @return boolean if successfull
+ *
+ * @example
+ * // Disabling services
+ * SetServices (["samba-server", "service:irc-server"], ["eth1", "modem0"], false)
+ * // Enabling services
+ * SetServices (["samba-server", "service:irc-server"], ["eth1", "modem0"], true)
+ * @see SetServicesForZones()
*/
global define boolean SetServices (list<string> services_ids, list<string> interfaces, boolean new_status) {
list<string> firewall_zones = GetZonesOfInterfacesWithAnyFeatureSupported(interfaces);
@@ -1998,7 +2187,7 @@
// TRANSLATORS: Dialog caption
string read_caption = _("Initializing Firewall Configuration");
- Progress::New( read_caption, " ", 3,
+ Progress::New( read_caption, " ", 4,
[
// TRANSLATORS: Progress step
_("Check for network devices"),
@@ -2006,6 +2195,8 @@
_("Read current configuration"),
// TRANSLATORS: Progress step
_("Check possibly conflicting services"),
+ // TRANSLATORS: Progress step
+ _("Read dynamic definitions of installed services"),
],
[
// TRANSLATORS: Progress step
@@ -2014,6 +2205,8 @@
_("Reading current configuration..."),
// TRANSLATORS: Progress step
_("Checking possibly conflicting services..."),
+ // TRANSLATORS: Progress step
+ _("Reading dynamic definitions of installed services..."),
Message::Finished(),
],
""
@@ -2054,6 +2247,10 @@
if (have_progress) Progress::NextStage();
+ SuSEFirewallServices::ReadServicesDefinedByRPMPackages();
+
+ if (have_progress) Progress::NextStage();
+
if (have_progress) Progress::Finish();
return true;
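Review bot: The result of `SuSEFirewallServices::ReadServicesDefinedByRPMPackages();` is discarded, so if that call reports a failure the read still returns true and the package-defined services are silently absent from later `IsServiceSupportedInZone` checks. If the function returns a boolean, consider logging a `y2error` on false or folding it into the return value; if it returns void, a short comment saying the call cannot fail would do. The enclosing read function starts and ends outside this hunk.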
@@ -2257,8 +2454,13 @@
/**
* This powerful function returns list of services/ports which are
* not assigned to any fully-supported known-services.
+ * This function doesn't check for services defined by packages.
+ * They are listed by a different way.
*
* @return list <string> of additional (unassigned) services
+ *
+ * @example
+ * GetAdditionalServices("TCP", "EXT") -> ["53", "128"]
*/
global define list <string> GetAdditionalServices (string protocol, string zone) {
list <string> additional_services = [];
@@ -2320,10 +2522,16 @@
/**
* Function sets additional ports/services from taken list. Firstly, all additional services
* are removed also with their aliases. Secondly new ports/protocols are added.
+ * It uses GetAdditionalServices() function to get the current state and
+ * then it removes what has been removed and adds what has been added.
*
* @param string protocol
* @param string zone
* @param list <string> list of ports/protocols
+ * @see GetAdditionalServices()
+ *
+ * @example
+ * SetAdditionalServices ("TCP", "EXT", ["53", "128"])
*/
global define void SetAdditionalServices (string protocol, string zone, list <string> new_list_services) {
list <string> old_list_services = toset(GetAdditionalServices(protocol, zone));
@@ -2406,6 +2614,9 @@
*
* @return map
* @struct map $[zone : [list of interfaces]]
+ *
+ * @example
+ * GetFirewallInterfacesMap() -> $["DMZ":[], "EXT":["dsl0"], "INT":["eth1", "eth2"]]
*/
global define map GetFirewallInterfacesMap () {
map firewall_interfaces_now = $[];
@@ -2429,6 +2640,9 @@
*
* @param string zone
* @return list <string> special strings or unknown interfaces
+ *
+ * @example
+ * GetSpecialInterfacesInZone("EXT") -> ["any", "unknown-1", "wrong-3"]
*/
global define list <string> GetSpecialInterfacesInZone (string zone) {
list <string> interfaces_in_zone = splitstring (SETTINGS["FW_DEV_" + zone]:"", " ");
@@ -2503,8 +2717,20 @@
* Function returns list of rules of forwarding ports
* to masqueraded IPs.
*
- * @retyrn list