[yast-commit] r49749 - in /trunk/yast2: library/network/src/SuSEFirewall.ycp library/network/src/SuSEFirewallServices.ycp package/yast2.changes
  • From: locilka@xxxxxxxxxxxxxxxx
  • Date: Wed, 06 Aug 2008 08:36:32 -0000
  • Message-id: <20080806083632.384B62652B@xxxxxxxxxxxxxxxx>
Author: locilka
Date: Wed Aug 6 10:36:31 2008
New Revision: 49749

URL: http://svn.opensuse.org/viewcvs/yast?rev=49749&view=rev
Log:
- Converting old built-in allowed services configuration in
firewall to services defined by packages (bnc #399217).


Modified:
trunk/yast2/library/network/src/SuSEFirewall.ycp
trunk/yast2/library/network/src/SuSEFirewallServices.ycp
trunk/yast2/package/yast2.changes

Modified: trunk/yast2/library/network/src/SuSEFirewall.ycp
URL:
http://svn.opensuse.org/viewcvs/yast/trunk/yast2/library/network/src/SuSEFirewall.ycp?rev=49749&r1=49748&r2=49749&view=diff
==============================================================================
--- trunk/yast2/library/network/src/SuSEFirewall.ycp (original)
+++ trunk/yast2/library/network/src/SuSEFirewall.ycp Wed Aug 6 10:36:31 2008
@@ -25,6 +25,8 @@
import "Progress";
import "PortRanges";
import "PackageSystem";
+ import "FileUtils";
+ import "Directory";

// <!-- SuSEFirewall VARIABLES //-->

@@ -2213,6 +2215,15 @@
ReadSysconfigSuSEFirewall ( GetListOfSuSEFirewallVariables() );
}

+ // old internal services definitions are converted to new services defined
by packages
+ // but only once
+ string converted_to_services_dbp_file = Directory::vardir +
"/yast2-firewall-already-converted-to-sdbp";
+
+ // services have been already converted
+ boolean already_converted = false;
+
+ global void ConvertToServicesDefinedByPackages();
+
/**
* Function for reading SuSEFirewall configuration.
* Fills internal variables only.
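Review bot: The "only once" state declared here is set even when nothing could be converted, so an old service whose replacement package is installed later is never converted. ConvertToServicesDefinedByPackages, added further down in this file, only issues a `y2warning` in its `! replaced` branch and still ends with `already_converted = true`, after which a later hunk creates the marker file. Either record completion only when every matched old service found a replacement, or state the limitation next to the variable, e.g. `// marker is written even if some old services had no installed replacement`.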
@@ -2322,6 +2333,10 @@

if (have_progress) Progress::NextStage();

+ // bnc #399217
+ // Converting built-in service definitions to services defined by
packages
+ ConvertToServicesDefinedByPackages();
+
if (have_progress) Progress::Finish();

return true;
@@ -2481,6 +2496,13 @@

if (have_progress) Progress::NextStage();

+ if (already_converted && ! FileUtils::Exists
(converted_to_services_dbp_file)) {
+ y2milestone ("Writing %1: %2",
+ converted_to_services_dbp_file,
+ SCR::Write (.target.string, converted_to_services_dbp_file, "")
+ );
+ }
+
if (have_progress) Progress::Finish();

return true;
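Review bot: The result of `SCR::Write` is only interpolated into a `y2milestone` message, so a failed marker write goes unnoticed and a later session would run the conversion again. A repeated run matters because the conversion rewrites zone rules, including ports an administrator may have re-opened by hand in the meantime. Checking the boolean and logging at error level makes the failure visible, e.g. `if (! SCR::Write (.target.string, converted_to_services_dbp_file, "")) y2error ("Cannot write %1", converted_to_services_dbp_file);`. The enclosing function starts and ends outside this hunk.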
@@ -2570,7 +2592,7 @@
// only when the service is allowed in zone - remove all its needed
ports
if (IsServiceSupportedInZone(service_id, zone) == true) {

- // all needed ports etc for service/protocol, well, I'm not
good at function pointers :-<
+ // all needed ports etc for service/protocol
list <string> needed_all = [];
if (protocol == "TCP") {
needed_all =
SuSEFirewallServices::GetNeededTCPPorts(service_id);
@@ -3259,6 +3281,124 @@
}
}

+ /**
+ * Removes old-service definitions before they are added as services
defined
+ * by packages.
+ */
+ void RemoveOldAllowedServiceFromZone (map <string, any> old_service_def,
string zone) {
+ y2milestone ("Removing: %1 from zone %2", old_service_def, zone);
+
+ if (old_service_def["tcp_ports"]:[] != []) {
+ foreach (string one_service, old_service_def["tcp_ports"]:[], {
+ RemoveService (one_service, "TCP", zone);
+ });
+ }
+
+ if (old_service_def["udp_ports"]:[] != []) {
+ foreach (string one_service, old_service_def["udp_ports"]:[], {
+ RemoveService (one_service, "UDP", zone);
+ });
+ }
+
+ if (old_service_def["rpc_ports"]:[] != []) {
+ foreach (string one_service, old_service_def["rpc_ports"]:[], {
+ RemoveService (one_service, "RPC", zone);
+ });
+ }
+
+ if (old_service_def["ip_protocols"]:[] != []) {
+ foreach (string one_service, old_service_def["ip_protocols"]:[], {
+ RemoveService (one_service, "IP", zone);
+ });
+ }
+
+ if (old_service_def["broadcast_ports"]:[] != []) {
+ map <string, list <string> > broadcast = GetBroadcastAllowedPorts();
+
+ broadcast[zone] = filter (string one_port, broadcast[zone]:[], {
+ return (! contains (old_service_def["broadcast_ports"]:[],
one_port));
+ });
+
+ SetBroadcastAllowedPorts (broadcast);
+ }
+ }
+
+ /**
+ * Converts old built-in service definitions to services defined by
packages.
+ *
+ * @see #bnc 399217
+ */
+ global void ConvertToServicesDefinedByPackages () {
+ if (already_converted) {
+ return;
+ }
+
+ if (FileUtils::Exists (converted_to_services_dbp_file)) {
+ y2milestone ("Configuration has been already converted");
+ already_converted = true;
+ return;
+ }
+
+ // $[ zone : $[ protocol : [ list of ports ] ] ]
+ map <string, map <string, list <string> > > current_conf = $[];
+
+ foreach (string zone, GetKnownFirewallZones (), {
+ current_conf[zone] = $[];
+
+ foreach (string protocol, supported_protocols, {
+ current_conf[zone, protocol] = GetAllowedServicesForZoneProto
(zone, protocol);
+ current_conf[zone, "broadcast"] = splitstring
(GetBroadcastConfiguration (zone), " \n");
+ });
+ });
+
+ y2milestone ("Current conf: %1", current_conf);
+
+ foreach (string zone, GetKnownFirewallZones (), {
+ foreach (string old_service_id, map <string, any> old_service_def,
SuSEFirewallServices::OLD_SERVICES, {
+ y2milestone ("Checking %1 in %2 zone", old_service_id, zone);
+
+ if (old_service_def["tcp_ports"]:[] != [] &&
ArePortsOrServicesAllowed (old_service_def["tcp_ports"]:[], "TCP", zone, true)
!= true)
+ return;
+
+ if (old_service_def["udp_ports"]:[] != [] &&
ArePortsOrServicesAllowed (old_service_def["udp_ports"]:[], "UDP", zone, true)
!= true)
+ return;
+
+ if (old_service_def["rpc_ports"]:[] != [] &&
ArePortsOrServicesAllowed (old_service_def["rpc_ports"]:[], "RPC", zone, false)
!= true)
+ return;
+
+ if (old_service_def["ip_protocols"]:[] != [] &&
ArePortsOrServicesAllowed (old_service_def["ip_protocols"]:[], "IP", zone,
false) != true)
+ return;
+
+ if (old_service_def["broadcast_ports"]:[] != [] &&
IsBroadcastAllowed (old_service_def["broadcast_ports"]:[], zone) != true)
+ return;
+
+ if (old_service_def["convert_to"]:[] == []) {
+ y2milestone ("Service %1 supported, but it doesn't have any
replacement", old_service_id);
+ return;
+ }
+
+ boolean replaced = false;
+
+ foreach (string replacement, old_service_def["convert_to"]:[], {
+ if (SuSEFirewallServices::IsKnownService (replacement)) {
+ y2milestone ("Old service %1 matches %2",
old_service_id, replacement);
+ RemoveOldAllowedServiceFromZone (old_service_def, zone);
+ SetServicesForZones ([replacement], [zone], true);
+ replaced = true;
+ break;
+ }
+ });
+
+ if (! replaced) {
+ y2warning ("Old service %1 matches %2 but none are
installed", old_service_id, old_service_def["convert_to"]:[]);
+ }
+ });
+ });
+
+ y2milestone ("Converting done");
+ already_converted = true;
+ }
+
// <!-- SuSEFirewall GLOBAL FUNCTIONS //-->

/* EOF */
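Review bot: RemoveOldAllowedServiceFromZone strips every port of a matched old definition from the zone while the loop over `SuSEFirewallServices::OLD_SERVICES` is still running, yet several definitions share ports (`portmap` is listed for nfs-client, nfs-server, nis-client and nis-server in SuSEFirewallServices.ycp). After the first of them is converted, the `ArePortsOrServicesAllowed` check for the others will presumably fail, so they are skipped without a log line and the result depends on map iteration order. A shared port can also end up closed for an old service that has no installed replacement, unless the replacement of the converted one happens to re-open it. The `current_conf` snapshot is built here but only logged; deciding all matches before the first removal would remove the order dependence. Until then the doc comment should say so, e.g. `* Old services that share ports are matched in map order; later ones may be skipped.`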

Modified: trunk/yast2/library/network/src/SuSEFirewallServices.ycp
URL:
http://svn.opensuse.org/viewcvs/yast/trunk/yast2/library/network/src/SuSEFirewallServices.ycp?rev=49749&r1=49748&r2=49749&view=diff
==============================================================================
--- trunk/yast2/library/network/src/SuSEFirewallServices.ycp (original)
+++ trunk/yast2/library/network/src/SuSEFirewallServices.ycp Wed Aug 6
10:36:31 2008
@@ -77,14 +77,14 @@
/**
* Services definitions for conversion to the new ones.
*/
- define map <string, map<string, any> > OLD_SERVICES = $[
+ global define map <string, map<string, any> > OLD_SERVICES = $[
"http" : $[
"tcp_ports" : [ "http" ],
- "convert_to" : [ "apache2", "lighttpd" ],
+ "convert_to" : [ "service:apache2", "service:lighttpd" ],
],
"https" : $[
"tcp_ports" : [ "https" ],
- "convert_to" : [ "apache2-ssl", "lighttpd-ssl" ],
+ "convert_to" : [ "service:apache2-ssl", "service:lighttpd-ssl" ],
],
"smtp" : $[
"tcp_ports" : [ "smtp" ],
@@ -100,11 +100,11 @@
],
"imap" : $[
"tcp_ports" : [ "imap" ],
- "convert_to" : [ "courier-imapd" ],
+ "convert_to" : [ "service:courier-imapd" ],
],
"imaps" : $[
"tcp_ports" : [ "imaps" ],
- "convert_to" : [ "courier-imap-ssl" ],
+ "convert_to" : [ "service:courier-imap-ssl" ],
],
"samba-server" : $[
"tcp_ports" : [ "netbios-ssn", "microsoft-ds" ], // TCP:
139, 445
@@ -114,7 +114,7 @@
],
"ssh" : $[
"tcp_ports" : [ "ssh" ],
- "convert_to" : [ "sshd" ],
+ "convert_to" : [ "service:sshd" ],
],
"rsync" : $[
"tcp_ports" : [ "rsync" ],
@@ -123,7 +123,7 @@
"dhcp-server" : $[
"udp_ports" : [ "bootps" ],
"broadcast_ports" : [ "bootps" ],
- "convert_to" : [ "dhcp-server" ],
+ "convert_to" : [ "service:dhcp-server" ],
],
"dhcp-client" : $[
"udp_ports" : [ "bootpc" ],
@@ -132,11 +132,11 @@
"dns-server" : $[
"tcp_ports" : [ "domain" ],
"udp_ports" : [ "domain" ],
- "convert_to" : [ "bind" ],
+ "convert_to" : [ "service:bind" ],
],
"nfs-client" : $[
"rpc_ports" : [ "portmap", "status", "nlockmgr" ],
- "convert_to" : [ "nfs-client" ],
+ "convert_to" : [ "service:nfs-client" ],
],
"nfs-server" : $[
"rpc_ports" : [ "portmap", "status", "nlockmgr", "mountd", "nfs",
"nfs_acl" ],
@@ -144,7 +144,7 @@
],
"nis-client" : $[
"rpc_ports" : [ "portmap", "ypbind" ],
- "convert_to" : [ "ypserv" ],
+ "convert_to" : [ "service:ypserv" ],
],
"nis-server" : $[
"rpc_ports" : [ "portmap", "ypserv", "fypxfrd", "ypbind",
"yppasswdd" ],
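Review bot: The `nis-client` entry converts to `service:ypserv`, which by its name is the NIS server rather than the client. The old definition needs only `portmap` and `ypbind`, so if the ypserv service definition opens the server's ports, a machine that was only a NIS client would end up with a wider rule set after conversion. The mapping itself predates this commit (only the `service:` prefix is new), but it appears to take effect now that SuSEFirewall.ycp acts on `convert_to`. Please confirm the target, or leave `convert_to` empty for nis-client until a client-side service definition exists.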
@@ -174,11 +174,11 @@
"ntp-server" : $[
"udp_ports" : [ "ntp" ],
"broadcast_ports" : [ "ntp" ],
- "convert_to" : [ "ntp" ],
+ "convert_to" : [ "service:ntp" ],
],
"ldap" : $[
"tcp_ports" : [ "ldap" ],
- "convert_to" : [ "openldap" ],
+ "convert_to" : [ "service:openldap" ],
],
"ldaps" : $[
"tcp_ports" : [ "ldaps" ],
@@ -216,11 +216,11 @@
],
"mysql-server" : $[
"tcp_ports" : [ "mysql" ],
- "convert_to" : [ "mysql" ],
+ "convert_to" : [ "service:mysql" ],
],
"iscsi-server" : $[
"tcp_ports" : [ "iscsi-target" ],
- "convert_to" : [ "iscsitarget" ],
+ "convert_to" : [ "service:iscsitarget" ],
],
];


Modified: trunk/yast2/package/yast2.changes
URL:
http://svn.opensuse.org/viewcvs/yast/trunk/yast2/package/yast2.changes?rev=49749&r1=49748&r2=49749&view=diff
==============================================================================
--- trunk/yast2/package/yast2.changes (original)
+++ trunk/yast2/package/yast2.changes Wed Aug 6 10:36:31 2008
@@ -1,4 +1,10 @@
-------------------------------------------------------------------
+Wed Aug 6 10:34:07 CEST 2008 - locilka@xxxxxxx
+
+- Converting old built-in allowed services configuration in
+ firewall to services defined by packages (bnc #399217).
+
+-------------------------------------------------------------------
Wed Jul 30 11:53:35 CEST 2008 - lslezak@xxxxxxx

- PackageLock::Connect() - display more details about owner of the
