Hello community, here is the log from the commit of package SuSEfirewall2 for openSUSE:Factory checked in at 2015-06-30 10:15:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/SuSEfirewall2 (Old) and /work/SRC/openSUSE:Factory/.SuSEfirewall2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "SuSEfirewall2" Changes: -------- --- /work/SRC/openSUSE:Factory/SuSEfirewall2/SuSEfirewall2.changes 2014-08-20 10:51:50.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.SuSEfirewall2.new/SuSEfirewall2.changes 2015-06-30 10:15:01.000000000 +0200 @@ -1,0 +2,8 @@ +Wed Jun 24 12:07:08 UTC 2015 - [email protected] + +- reduce amount of setprocinfo set values, adjusted to existence and + also current kernel defaults. +- missing IPv6 commands to enable broadcast (e.g.: avahi over ipv6) + (bsc#935716) + +------------------------------------------------------------------- Old: ---- SuSEfirewall2-3.6.312.tar.bz2 New: ---- SuSEfirewall2-3.6.315.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ SuSEfirewall2.spec ++++++ --- /var/tmp/diff_new_pack.aKcojP/_old 2015-06-30 10:15:02.000000000 +0200 +++ /var/tmp/diff_new_pack.aKcojP/_new 2015-06-30 10:15:02.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package SuSEfirewall2 # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -18,7 +18,7 @@ Name: SuSEfirewall2 -Version: 3.6.312 +Version: 3.6.315 Release: 0 Url: http://en.opensuse.org/SuSEfirewall2 PreReq: %fillup_prereq %insserv_prereq /bin/sed textutils fileutils grep filesystem ++++++ SuSEfirewall2-3.6.312.tar.bz2 -> SuSEfirewall2-3.6.315.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.312/SuSEfirewall2 new/SuSEfirewall2-3.6.315/SuSEfirewall2 --- old/SuSEfirewall2-3.6.312/SuSEfirewall2 2014-08-15 18:02:23.000000000 +0200 +++ new/SuSEfirewall2-3.6.315/SuSEfirewall2 2015-06-24 14:06:41.000000000 +0200 
@@ -1181,24 +1181,24 @@
 set_proc_stuff() {
 if [ "$FW_KERNEL_SECURITY" != no ]; then
- setproc 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+ # kernel default 1: setproc 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
 # test "$FW_ALLOW_PING_FW" = yes || setproc 1 /proc/sys/net/ipv4/icmp_echo_ignore_all # XXX
- setproc 1 /proc/sys/net/ipv4/ip_always_defrag # XXX not there?
- setproc 1 /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
- setproc 5 /proc/sys/net/ipv4/icmp_echoreply_rate
- setproc 5 /proc/sys/net/ipv4/icmp_destunreach_rate
- setproc 5 /proc/sys/net/ipv4/icmp_paramprob_rate
- setproc 6 /proc/sys/net/ipv4/icmp_timeexceed_rate
- setproc 20 /proc/sys/net/ipv4/ipfrag_time
+ # gone? setproc 1 /proc/sys/net/ipv4/ip_always_defrag # XXX not there?
+ # kernel default 1: setproc 1 /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
+ # gone? setproc 5 /proc/sys/net/ipv4/icmp_echoreply_rate
+ # gone? setproc 5 /proc/sys/net/ipv4/icmp_destunreach_rate
+ # gone? setproc 5 /proc/sys/net/ipv4/icmp_paramprob_rate
+ # gone? setproc 6 /proc/sys/net/ipv4/icmp_timeexceed_rate
+ # 30*HZ in the kernel, setproc 20 /proc/sys/net/ipv4/ipfrag_time
 for i in /proc/sys/net/ipv4/conf/*; do
- setproc 1 $i/log_martians
- setproc 0 $i/bootp_relay
- [ "$FW_ROUTE" != yes ] && setproc 0 $i/forwarding
- setproc 0 $i/proxy_arp
- setproc 1 $i/secure_redirects
+ setproc 1 $i/log_martians # default is 0 in the kernel
+ #kernel default 0: setproc 0 $i/bootp_relay
+ [ "$FW_ROUTE" != yes ] && setproc 0 $i/forwarding # should stay
+ # kernel default 0: setproc 0 $i/proxy_arp
+ # kernel default 1: setproc 1 $i/secure_redirects
 #setproc 0 $i/accept_redirects # let kernel decide this
- setproc 0 $i/accept_source_route
- setproc 1 $i/rp_filter
+ setproc 0 $i/accept_source_route # default is 1, should stay?
+ setproc 1 $i/rp_filter # default is 0, should stay?
 done
 setproc 1 /proc/sys/net/ipv4/route/flush
 fi
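Review bot: Commenting out `setproc 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts`, `setproc 1 /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses` and `setproc 1 $i/secure_redirects` because they equal the kernel default turns an enforced setting into an assumed one: the running value can already have been changed by a sysctl configuration or another tool before this runs, and with FW_KERNEL_SECURITY enabled the old code corrected that. The writes are cheap, so keeping those three calls active would preserve the guarantee while the knobs that no longer exist (`icmp_*_rate`, `ip_always_defrag`) stay commented out. The `# should stay?` comments on `accept_source_route` and `rp_filter` ship an open question in code; they should state the decision instead, e.g. `# kernel default differs; the firewall enforces this value`. set_proc_stuff's body continues past the hunk, so anything after the `fi` cannot be judged here.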
@@ -1324,21 +1324,26 @@
 [ $port = no -o $port = yes ] && continue
 $LAA $IPTABLES $match -p udp --dport $port ${LOG}"-ACC-BCAST${zone:0:1} "
 $IPTABLES $match -p udp --dport $port -j "$ACCEPT"
+ $LAA $IP6TABLES $match -p udp --dport $port ${LOG}"-ACC-BCAST${zone:0:1} "
+ $IP6TABLES $match -p udp --dport $port -j "$ACCEPT"
 done
 if [ "$ignore" != yes ]; then
 for port in $ignore; do
 [ $port = no ] && continue
 $IPTABLES $match -p udp --dport $port -j "$DROP"
+ $IP6TABLES $match -p udp --dport $port -j "$DROP"
 done
 if [ "$allow" != 'yes' ]; then
 $LDA $IPTABLES $match ${LOG}"-DROP-BCAST${zone:0:1} "
+ $LDA $IP6TABLES $match ${LOG}"-DROP-BCAST${zone:0:1} "
 fi
 fi
 if [ "$allow" != 'yes' ]; then
 $IPTABLES $match -j "$DROP" # no need to send icmp for broadcasts
+ $IP6TABLES $match -j "$DROP" # no need to send icmp for broadcasts
 fi
 done
 }
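Review bot: The added `$IP6TABLES` rules reuse the same `$match` expression as the IPv4 rules, but `$match` is built outside this hunk and IPv6 has no broadcast: if it carries an IPv4-specific destination, ip6tables will reject every added rule, and if it is a multicast packet-type match, the final `$IP6TABLES $match -j "$DROP"` would also discard the ICMPv6 neighbour-discovery and router-advertisement traffic IPv6 depends on unless those are accepted earlier in the chain; both need confirming against the code that sets `$match`. A comment above the first added line would record the assumption, e.g. `# IPv6 has no broadcast: $match must select multicast here, and NDP must already be accepted`. The new lines also carry over the unquoted `$port` in `--dport $port`, which is consistent with the existing lines but worth quoting if this block is ever reworked. The enclosing function starts before the hunk.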
