Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ocserv for openSUSE:Factory checked in at 2023-03-07 16:50:57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ocserv (Old) and /work/SRC/openSUSE:Factory/.ocserv.new.31432 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ocserv" Tue Mar 7 16:50:57 2023 rev:20 rq:1069915 version:1.1.6 Changes: -------- --- /work/SRC/openSUSE:Factory/ocserv/ocserv.changes 2022-08-15 20:00:24.377425835 +0200 +++ /work/SRC/openSUSE:Factory/.ocserv.new.31432/ocserv.changes 2023-03-07 16:51:23.057916405 +0100 @@ -1,0 +2,9 @@ +Wed Jan 18 13:17:42 UTC 2023 - Matthias Gerstner <matthias.gerst...@suse.com> + +- add ocserv-forwarding.sh: replace the sysctl drop-in file which was wrongly + installed into /etc by a more tailored mechanism. Enabling IP routing + globally and permanently, just because the package is installed is quite + invasive. This new script will be invoked before and after the ocserv + service to switch on and off forwarding, if necessary (bsc#1174722). + +------------------------------------------------------------------- Old: ---- ocserv.sysctl New: ---- ocserv-forwarding.sh ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ocserv.spec ++++++ --- /var/tmp/diff_new_pack.PBmhf8/_old 2023-03-07 16:51:23.785920243 +0100 +++ /var/tmp/diff_new_pack.PBmhf8/_new 2023-03-07 16:51:23.793920285 +0100 @@ -1,7 +1,7 @@ # # spec file for package ocserv # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -28,7 +28,7 @@ Source2: ca.tmpl Source3: server.tmpl Source4: user.tmpl -Source5: ocserv.sysctl +Source5: ocserv-forwarding.sh Source6: ocserv.firewalld.xml Source99: README.SUSE Source100: gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg 
@@ -109,7 +109,7 @@ %install make %{?_smp_mflags} DESTDIR=%{buildroot} install -install -Dm 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/sysctl.d/60-ocserv.conf +install -Dm 0755 %{SOURCE5} %{buildroot}%{_sbindir}/ocserv-forwarding %if 0%{suse_version} >= 1500 install -D -m 644 %{SOURCE6} %{buildroot}%{_prefix}/lib/firewalld/services/ocserv.xml %endif @@ -128,6 +128,9 @@ install -m 0644 doc/systemd/socket-activated/ocserv.socket %{buildroot}%{_unitdir} install -m 0644 doc/systemd/socket-activated/ocserv.service %{buildroot}%{_unitdir} +sed -i '/^\[Service\].*/a ExecStopPost=%{_sbindir}/ocserv-forwarding --disable' %{buildroot}%{_unitdir}/ocserv.service +sed -i '/^\[Service\].*/a ExecStartPre=%{_sbindir}/ocserv-forwarding --enable' %{buildroot}%{_unitdir}/ocserv.service + %pre %service_add_pre ocserv.service ocserv.socket @@ -148,7 +151,6 @@ %doc AUTHORS NEWS README.md %license COPYING LICENSE %config %{_sysconfdir}/ocserv -%config(noreplace) %{_sysconfdir}/sysctl.d/60-ocserv.conf %if 0%{suse_version} >= 1500 %dir %{_prefix}/lib/firewalld %dir %{_prefix}/lib/firewalld/services 
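Review bot: The two `sed -i '/^\[Service\].*/a …'` lines added in the `@@ -128,6 +128,9 @@` hunk succeed even when no line matches. If the upstream `ocserv.service` ever changes its `[Service]` header, the package would ship a unit without the `ocserv-forwarding` hooks, and since this commit also drops the sysctl drop-in, nothing would enable forwarding. A check right after them, e.g. `grep -q '^ExecStartPre=.*ocserv-forwarding --enable' %{buildroot}%{_unitdir}/ocserv.service` plus the matching one for `ExecStopPost`, would turn that into a build failure, assuming %install runs with errexit as rpm normally does. A one-line comment above the seds, saying that each insert lands directly under `[Service]` so the second one ends up first in the unit, would also help the next maintainer.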
@@ -159,6 +161,7 @@ %{_bindir}/ocserv-script %{_bindir}/ocserv-fw %{_sbindir}/ocserv +%{_sbindir}/ocserv-forwarding %{_sbindir}/ocserv-worker %{_unitdir}/ocserv.service %{_unitdir}/ocserv.socket ++++++ ocserv-forwarding.sh ++++++ #!/bin/bash set -o errexit # This script enables IP forwarding only for the time of ocserv running # # The script should be run as a pre and post script via the systemd service # unit. # # It only touches a sysctl if it doesn't have the required value and is able # to restore it back to the original value by keeping track of changed # settings in a state file. STATEDIR="/run/ocserv" STATEFILE="$STATEDIR/changed_sysctls" # the sysctls that need to be at '1' for ocserv to work properly CONTROLS=("net.ipv4.ip_forward" "net.ipv6.conf.default.forwarding" "net.ipv6.conf.all.forwarding") errecho() { echo $* 1>&2 } usage() { errecho "Usage: $0 [--enable|--disable]" errecho errecho "--enable: enable IP forwarding kernel settings, if necessary" errecho "--disable: restore IP forwarding kernel settings that have previously been changed via --enable" errecho errecho "This script temporarily enables IP forwarding while ocserv is running" exit 1 } # make sure we don't create anything world readable for other users umask 077 if [ $# -ne 1 ]; then usage fi SYSCTL=`which sysctl` if [ -z "$SYSCTL" ]; then errecho "Couldn't find 'sysctl'. You need to be root to run this script." exit 1 fi operation="$1" if [ "$operation" = "-h" -o "$operation" = "--help" ]; then usage elif [ "$operation" = "--enable" ]; then changed=() for control in ${CONTROLS[@]}; do val=$($SYSCTL -n "$control") if [ $? -ne 0 ]; then errecho "failed to run sysctl" exit 2 fi if [ "$val" -eq 0 ]; then echo -n "enabling $control: " $SYSCTL "${control}=1" if [ $? -eq 0 ]; then changed+=("$control") fi fi done if (( ${#changed[@]} )); then mkdir -p "$STATEDIR" for changed in ${changed[@]}; do echo "$changed" >>"$STATEFILE" done fi elif [ "$operation" = "--disable" ]; then if [ ! 
-f "$STATEFILE" ]; then # nothing to restore exit 0 fi for control in `cat $STATEFILE`; do echo -n "restoring $control: " $SYSCTL "${control}=0" || continue done rm -f "$STATEFILE" else errecho "invalid argument: $operation" usage fi
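Review bot: In the `--enable` branch of ocserv-forwarding.sh the changed sysctls are written to the state file only after the loop, but `set -o errexit` aborts the script at the first failing `$SYSCTL` call. The `$?` checks therefore never see a failure, and a control already switched to 1 can be left enabled with no record for `--disable` to restore. The same interaction makes the "Couldn't find 'sysctl'" message unreachable when the `which sysctl` lookup fails. In the `--disable` branch every word of the state file is passed to `$SYSCTL "${control}=0"` as root through an unquoted `cat`, so a modified or corrupted file could zero sysctls the script never touched. Comparing each entry against `CONTROLS` before writing avoids that. The fence below records each change as soon as it is made and restores only known controls.

```shell
elif [ "$operation" = "--enable" ]; then
    mkdir -p "$STATEDIR"
    for control in "${CONTROLS[@]}"; do
        # test the command directly: with errexit a bare failing call
        # would end the script before any $? check
        if ! val=$("$SYSCTL" -n "$control"); then
            errecho "failed to run sysctl"
            exit 2
        fi
        if [ "$val" -eq 0 ]; then
            echo -n "enabling $control: "
            # record the change immediately so that a later failure still
            # leaves --disable able to restore this control
            if "$SYSCTL" "${control}=1"; then
                echo "$control" >>"$STATEFILE"
            fi
        fi
    done
elif [ "$operation" = "--disable" ]; then
    # … unchanged: early exit when the state file does not exist …
    while IFS= read -r control; do
        # restore only sysctls this script manages; skip anything else
        known=0
        for c in "${CONTROLS[@]}"; do
            if [ "$control" = "$c" ]; then known=1; fi
        done
        if [ "$known" -eq 0 ]; then
            errecho "ignoring unexpected entry in $STATEFILE"
            continue
        fi
        echo -n "restoring $control: "
        "$SYSCTL" "${control}=0" || continue
    done <"$STATEFILE"
    # … unchanged: rm -f "$STATEFILE" …
```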