Hello community, here is the log from the commit of package SuSEfirewall2 for openSUSE:Factory checked in at Mon Jan 24 16:00:53 CET 2011. -------- --- SuSEfirewall2/SuSEfirewall2.changes 2011-01-10 14:15:55.000000000 +0100 +++ /mounts/work_src_done/STABLE/SuSEfirewall2/SuSEfirewall2.changes 2011-01-19 15:05:13.000000000 +0100 @@ -1,0 +2,6 @@ +Wed Jan 19 14:04:48 UTC 2011 - lnussel@suse.de + +- add zonein and zoneout parameters for FW_FORWARD +- fix typos + +------------------------------------------------------------------- calling whatdependson for head-i586 Old: ---- SuSEfirewall2-3.6.257.tar.bz2 New: ---- SuSEfirewall2-3.6.259.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ SuSEfirewall2.spec ++++++ --- /var/tmp/diff_new_pack.PY5nZl/_old 2011-01-24 16:00:36.000000000 +0100 +++ /var/tmp/diff_new_pack.PY5nZl/_new 2011-01-24 16:00:36.000000000 +0100 @@ -20,7 +20,7 @@ Name: SuSEfirewall2 -Version: 3.6.257 +Version: 3.6.259 Release: 1 License: GPLv2+ Group: Productivity/Networking/Security ++++++ SuSEfirewall2-3.6.257.tar.bz2 -> SuSEfirewall2-3.6.259.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.257/SuSEfirewall2 new/SuSEfirewall2-3.6.259/SuSEfirewall2 --- old/SuSEfirewall2-3.6.257/SuSEfirewall2 2011-01-10 14:14:08.000000000 +0100 +++ new/SuSEfirewall2-3.6.259/SuSEfirewall2 2011-01-19 14:42:05.000000000 +0100 @@ -71,8 +71,8 @@ help this output open open the specified services in the specified zone. You need to restart SuSEfirewall2 for changes to take effect. - on add SuSEfirwall2 initscripts to boot process and start - off remove SuSEfirwall2 initscripts from boot process and stop + on add SuSEfirewall2 initscripts to boot process and start + off remove SuSEefirwall2 initscripts from boot process and stop file FILENAME same as "start" but load alternate config file FILENAME 
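Review bot: The rewritten `off` line trades one misspelling for another — `SuSEefirwall2` — so the usage text still misspells the program name even though the commit says it fixes typos; it should read `off remove SuSEfirewall2 initscripts from boot process and stop`. The `on` line is now correct, so only the `off` line needs touching. The usage function this text belongs to starts and ends outside the hunk.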
@@ -129,7 +129,7 @@ { warning "$@ is deprecated and will likely be removed in the future." warning "If you think it should be kept please report your use case at" - warning "http://forge.novell.com/modules/xfmod/project/?susefirewall2" + warning "https://features.opensuse.org/" } error() @@ -1175,15 +1175,41 @@ create_chains() { local iptables + local zone target for iptables in "$IPTABLES" "$IP6TABLES"; do - for TARGET in input forward; do - for CHAIN in $all_zones; do - $iptables -N ${TARGET}_${CHAIN} + for target in input forward; do + for zone in $all_zones; do + $iptables -N ${target}_${zone} done done done } +# accept a packet coming from ext zone: +# create_cond_chain ACCEPT in ext +# reject paket leaving int zone: +# create_cond_chain REJECT out int +create_cond_chain() +{ + local iptables dir + local zone target chain chain devs + local check + target="$1" + dir="$2" + zone="$3" + chain="${target}_if_${dir}_${zone}" + eval check=\"\$${chain}_created\" + [ -z "$check" ] || return + eval devs="\$FW_DEV_$zone" + for iptables in "$IPTABLES" "$IP6TABLES"; do + $iptables -N $chain + for dev in $devs; do + $iptables -A $chain -j $target -i $dev + done + done + eval ${chain}_created=1 +} + ### configurations ### parse_configurations() @@ -1914,6 +1940,7 @@ forwarding_rules() { local nets net1 net2 flags more_args_in more_args_out chain iptables var services + local zone zonein zoneout local target="$1" if [ "$target" = ACCEPT ]; then var="FW_FORWARD" 
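Review bot: `create_cond_chain` ignores `$dir` when it builds the per-device rules — the loop emits `-i $dev` for both `in` and `out`, so a chain created with `out` (and used as the jump target of the `zoneout=` forward rule) matches on the *input* interface rather than the output one; as far as I can see from the hunk that makes `zoneout=` never match when the packet entered elsewhere, which silently disables a REJECT entry and blocks an ACCEPT entry. The flag should be chosen from `$dir` (`-i` for `in`, `-o` for `out`) and an unknown direction rejected. Two smaller points on the same function: `local zone target chain chain devs` declares `chain` twice, and `dev` is never made `local`, so the loop variable leaks into the global scope; `$zone` also flows unvalidated from the user's `FW_FORWARD` entry into `eval devs="\$FW_DEV_$zone"`, so a name outside `$all_zones` yields an empty chain rather than an error. The reply-path use of the `in` chain in `forwarding_rules` (a later hunk) presumably needs the same interface-direction review — confirm against the intended semantics.
```shell
create_cond_chain()
{
	local iptables dir dev flag
	local zone target chain devs
	local check
	target="$1"
	dir="$2"
	zone="$3"
	# Pick the interface match from the direction; the chain is useless otherwise.
	case "$dir" in
		in)  flag=-i ;;
		out) flag=-o ;;
		*)   error "create_cond_chain: invalid direction '$dir'"; return 1 ;;
	esac
	# Only accept zone names the firewall knows about (zone comes from user config).
	case " $all_zones " in
		*" $zone "*) ;;
		*) error "create_cond_chain: unknown zone '$zone'"; return 1 ;;
	esac
	chain="${target}_if_${dir}_${zone}"
	# … unchanged: ${chain}_created guard and FW_DEV_$zone lookup …
	for iptables in "$IPTABLES" "$IP6TABLES"; do
		$iptables -N "$chain"
		for dev in $devs; do
			$iptables -A "$chain" "$flag" "$dev" -j "$target"
		done
	done
	# … unchanged: eval ${chain}_created=1 …
}
```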
@@ -1928,22 +1955,25 @@ net2="$2" proto="$3" port="$4" - flags="$5" + shift; shift; shift; shift rport="" more_args_in= more_args_out= + zonein= + zoneout= - case "$flags" in - "") ;; - ipsec) - more_args_in="$IPSEC_INPUT_MATCH" - more_args_out="$IPSEC_OUTPUT_MATCH" - ;; - *) - echo "Error: unsupported flag in FW_FORWARD: $flags" - net1="" - ;; - esac + while [ "$#" -gt 0 ]; do + case "$1" in + ipsec) + more_args_in="$IPSEC_INPUT_MATCH" + more_args_out="$IPSEC_OUTPUT_MATCH" + ;; + zonein=*) zonein="${1#*=}" ;; + zoneout=*) zoneout="${1#*=}" ;; + *) error "unknown parameter $1 in FW_FORWARD -> $1"; net1= ;; + esac + shift + done if ! check_proto_port "$proto" "$port" '' "FW_FORWARD"; then continue 
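Review bot: The four bare `shift`s at the top of the hunk assume every `FW_FORWARD` entry has at least four fields; the old code read `flags="$5"` and tolerated a short entry, whereas a `shift` past the end of the positional list fails with a diagnostic and, if this script runs under `set -e` (not visible in the hunk), aborts rule generation on a malformed entry. A bounded `shift $(( $# < 4 ? $# : 4 ))` keeps the old tolerance and leaves the later `check_proto_port` call to report the missing fields. The new error branch also prints the offending token twice, `error "unknown parameter $1 in FW_FORWARD -> $1"`; `error "unknown parameter '$1' in FW_FORWARD entry $net1,$net2,$proto,$port"` would point the user at the entry, which is what the old message did with `$flags`. The enclosing `forwarding_rules` loop starts and ends outside the hunk.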
@@ -1955,17 +1985,38 @@ else iptables=$IPTABLES fi - for chain in $forward_zones; do - chain=forward_$chain - $LAC $iptables -A $chain ${LOG}"-`rulelog $chain`-${target:0:3}-FORW " -s $net1 -d $net2 $proto $port -m conntrack --ctstate NEW $more_args_in - $LAA $iptables -A $chain ${LOG}"-`rulelog $chain`-${target:0:3}-FORW " -s $net1 -d $net2 $proto $port $more_args_in - $iptables -A $chain -j "$target" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -s $net1 -d $net2 $proto $port $more_args_in - $iptables -A $chain -j "$target" -m conntrack --ctstate ESTABLISHED,RELATED -s $net2 -d $net1 $proto $rport $more_args_in + for zone in $forward_zones; do + chain=forward_$zone + set -- $iptables -A $chain -s $net1 -d $net2 $proto $more_args_in + if [ -z "$zonein" -o "$zonein" = "$zone" ]; then + if [ -n "$zoneout" ]; then + create_cond_chain "$target" "out" "$zoneout" + jt=${target}_if_out_$zoneout + else + jt="$target" + fi + $LAC "$@" ${LOG}"-`rulelog $chain`-${target:0:3}-FORW " $port -m conntrack --ctstate NEW $more_args_in + $LAA "$@" ${LOG}"-`rulelog $chain`-${target:0:3}-FORW " $port $more_args_in + "$@" -j "$jt" -m conntrack --ctstate NEW,ESTABLISHED,RELATED $port + fi + if [ -z "$zoneout" -o "$zoneout" = "$zone" ]; then + if [ -n "$zonein" ]; then + create_cond_chain "$target" "in" "$zonein" + jt=${target}_if_in_$zonein + else + jt="$target" + fi + "$@" -j "$jt" -m conntrack --ctstate ESTABLISHED,RELATED $rport + fi if [ -n "$more_args_out" ]; then - $LAC $iptables -A $chain ${LOG}"-`rulelog $chain`-${target:0:3}-FORW " -s $net1 -d $net2 $proto $port -m conntrack --ctstate NEW $more_args_out - $LAA $iptables -A $chain ${LOG}"-`rulelog $chain`-${target:0:3}-FORW " -s $net1 -d $net2 $proto $port $more_args_out - $iptables -A $chain -j "$target" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -s $net1 -d $net2 $proto $port $more_args_out - $iptables -A $chain -j "$target" -m conntrack --ctstate ESTABLISHED,RELATED -s $net2 -d $net1 $proto $rport $more_args_out + if [ 
-z "$zonein" -o "$zonein" = "$zone" ]; then + $LAC $iptables -A $chain ${LOG}"-`rulelog $chain`-${target:0:3}-FORW " -s $net1 -d $net2 $proto $port -m conntrack --ctstate NEW $more_args_out + $LAA $iptables -A $chain ${LOG}"-`rulelog $chain`-${target:0:3}-FORW " -s $net1 -d $net2 $proto $port $more_args_out + fi + if [ -z "$zoneout" -o "$zoneout" = "$zone" ]; then + $iptables -A $chain -j "$target" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -s $net1 -d $net2 $proto $port $more_args_out + $iptables -A $chain -j "$target" -m conntrack --ctstate ESTABLISHED,RELATED -s $net2 -d $net1 $proto $rport $more_args_out + fi fi done else diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.257/SuSEfirewall2.sysconfig new/SuSEfirewall2-3.6.259/SuSEfirewall2.sysconfig --- old/SuSEfirewall2-3.6.257/SuSEfirewall2.sysconfig 2011-01-10 14:14:08.000000000 +0100 +++ new/SuSEfirewall2-3.6.259/SuSEfirewall2.sysconfig 2011-01-19 14:42:05.000000000 +0100 @@ -517,8 +517,12 @@ # # If the protocol is icmp then port is interpreted as icmp type # -# The only flag currently supported is 'ipsec' which means to only -# match packets that originate from an IPsec tunnel +# flags, separated by comma: +# ipsec: +# match packets that originate from an IPsec tunnel +# zonein=ZONE, zoneout=ZONE: +# match only packets coming in/going out on interfaces from +# the specified zone. # # Examples: - "1.1.1.1,2.2.2.2" allow the host 1.1.1.1 to access any # service on the host 2.2.2.2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.257/SuSEfirewall2_ifup new/SuSEfirewall2-3.6.259/SuSEfirewall2_ifup --- old/SuSEfirewall2-3.6.257/SuSEfirewall2_ifup 2011-01-10 14:14:08.000000000 +0100 +++ new/SuSEfirewall2-3.6.259/SuSEfirewall2_ifup 2011-01-19 14:42:05.000000000 +0100 
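Review bot: The reply-direction rule built from `set --` now carries `-s $net1 -d $net2` — `"$@" -j "$jt" -m conntrack --ctstate ESTABLISHED,RELATED $rport` — whereas the removed line and the `$more_args_out` branch just below still use `-s $net2 -d $net1 $proto $rport`, so in the non-ipsec path the reply packets from `net2` back to `net1` are no longer accepted in the outgoing zone's chain unless something earlier in the chain admits established traffic (not visible here); the rule should be `$iptables -A $chain -s $net2 -d $net1 $proto $more_args_in -j "$jt" -m conntrack --ctstate ESTABLISHED,RELATED $rport`. Two further points in the same hunk: `$more_args_in` is already part of the `set --` arguments and is appended a second time on the `$LAC`/`$LAA` logging lines, so an ipsec entry emits the policy match twice on one rule, and `jt` is assigned without being declared `local` (the `local zone zonein zoneout` line in the earlier hunk does not list it), so it leaks into global scope. The `forwarding_rules` function starts outside the hunk and its `else` branch continues after it.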
@@ -21,7 +21,7 @@ set -e -unset ${!LC_*} LANUGUAGE +unset ${!LC_*} LANGUAGE export LANG=POSIX export PATH=/sbin:/usr/sbin:/usr/bin:/bin ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org