Hello community, here is the log from the commit of package SuSEfirewall2 for openSUSE:12.1:Update:Test checked in at 2011-12-01 15:45:43 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.1:Update:Test/SuSEfirewall2 (Old) and /work/SRC/openSUSE:12.1:Update:Test/.SuSEfirewall2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "SuSEfirewall2", Maintainer is "lnus...@suse.com" Changes: -------- --- /work/SRC/openSUSE:12.1:Update:Test/SuSEfirewall2/SuSEfirewall2.changes 2011-12-01 15:44:55.000000000 +0100 +++ /work/SRC/openSUSE:12.1:Update:Test/.SuSEfirewall2.new/SuSEfirewall2.changes 2011-12-01 15:46:10.000000000 +0100 @@ -1,0 +2,5 @@ +Tue Nov 29 15:00:11 UTC 2011 - lnus...@suse.de + +- compat syntax for negated options no longer works (bnc#660156, bnc#731088) + +------------------------------------------------------------------- New: ---- SuSEfirewall2-negated-options.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ SuSEfirewall2.spec ++++++ --- /var/tmp/diff_new_pack.8AfmYm/_old 2011-12-01 15:46:11.000000000 +0100 +++ /var/tmp/diff_new_pack.8AfmYm/_new 2011-12-01 15:46:11.000000000 +0100 @@ -28,6 +28,7 @@ Requires: iptables coreutils perl sysconfig Summary: Stateful Packet Filter Using iptables and netfilter Source: SuSEfirewall2-%{version}.tar.bz2 +Patch0: SuSEfirewall2-negated-options.diff BuildArch: noarch BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -41,6 +42,7 @@ %prep %setup +%patch0 -p1 # please send patches to lnussel for inclusion in git first # http://gitorious.org/opensuse/susefirewall2 ++++++ SuSEfirewall2-negated-options.diff ++++++ >From c0d28e8fd4b22b658e605bb57fc848f4c112abff Mon Sep 17 00:00:00 2001 From: Ludwig Nussel <ludwig.nus...@suse.de> Date: Mon, 28 Nov 2011 16:57:25 +0100 Subject: [PATCH] compat syntax for negated options no longer works (bnc#660156, bnc#731088) --- SuSEfirewall2 | 89 +++++++++++++++++++++++++++++++++++---------------------- 1 files changed, 55 insertions(+), 34 deletions(-) diff --git a/SuSEfirewall2 b/SuSEfirewall2 index b9c7fc7..affb8aa 100755 --- a/SuSEfirewall2 +++ b/SuSEfirewall2 
@@ -1873,10 +1873,34 @@ warn_highports()
 fi
 }
 
+# construct -s/-d pairs with correct negation
+net2srcdst()
+{
+ local name="$1"
+ local value=${2#\!}
+ if [ -z "$value" ]; then
+ echo "${name}_src="
+ echo "${name}_dst="
+ echo "${name}_neg="
+ return
+ fi
+ local neg=
+ if [ "$2" != "$value" ]; then
+ neg='! '
+ echo "${name}_neg=1"
+ else
+ echo "${name}_neg="
+ fi
+ echo "${name}_src=\"$neg-s $value\""
+ echo "${name}_dst=\"$neg-d $value\""
+}
+
 # redirect packets from one port to another, opens ports in input_*
 redirect_rules()
 {
- local chain nets net1 net2 proto port1 port2
+ local chain nets proto port1 port2
+ local net1 net1_neg net1_src net1_dst
+ local net2 net2_neg net2_src net2_dst
 local redirectinstalled
 for nets in $FW_REDIRECT; do
 IFS=, eval set -- \$nets
@@ -1900,10 +1924,10 @@ redirect_rules()
 if [ -n "$port2" ]; then
 port2="--to-ports $port2"
 fi
- net1=${net1/\!/\! }
- net2=${net2/\!/\! }
- $IPTABLES -A PREROUTING -t mangle -j MARK -p $proto -s $net1 -d $net2 $port1 --set-mark $mark_redir
- $IPTABLES -A PREROUTING -t nat -j REDIRECT -p $proto -s $net1 -d $net2 $port1 $port2
+ eval `net2srcdst net1 "$net1"`
+ eval `net2srcdst net2 "$net2"`
+ $IPTABLES -A PREROUTING -t mangle -j MARK -p $proto $net1_src $net2_dst $port1 --set-mark $mark_redir
+ $IPTABLES -A PREROUTING -t nat -j REDIRECT -p $proto $net1_src $net2_dst $port1 $port2
 redirectinstalled=1
 fi
 done
@@ -2051,7 +2075,9 @@ forwarding_rules()
 
 masquerading_rules()
 {
- local nets net1 net2 proto port dev snet2 sport
+ local nets proto port dev sport
+ local net1 net1_neg net1_src net1_dst
+ local net2 net2_neg net2_src net2_dst
 local szone dzone sdev sdevs
 local z d
 local var='FW_NOMASQ_NETS'
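Review bot: net2srcdst interpolates the raw configuration value into a double-quoted assignment that its callers hand to `eval`, so a value containing `"`, `$` or a backtick is evaluated a second time instead of being stored literally; the same word-split result after `eval` is obtained with `printf '%s_src=%q\n' "$name" "$neg-s $value"` and `printf '%s_dst=%q\n' "$name" "$neg-d $value"`, which makes the emitted text literal. The one-line comment above the function should state the contract the callers depend on, e.g. `# print <name>_src/<name>_dst/<name>_neg assignments for the caller to eval; a leading ! becomes iptables "! -s"/"! -d"`. `${name}_neg` is emitted, and declared local in redirect_rules and masquerading_rules, but no hunk in this patch reads it; if nothing outside the patch does either it can be dropped. A value consisting only of `!` is handled like an empty value, so the negation is silently discarded rather than reported.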
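Review bot: The two new `eval` lines use backtick command substitution; `eval $(net2srcdst net1 "$net1")` is the form this patch should use throughout (the same construct appears again in the masquerading_rules and forward_masquerading_rules hunks). The rules also change failure mode: with an empty `$net1` the removed `-s $net1` made iptables reject the rule, whereas an empty `$net1_src` now installs MARK and REDIRECT rules that match every source, so redirect_rules needs an explicit non-empty check on `$net1` before this point unless one already exists — the start of the function is outside the hunk.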
@@ -2073,20 +2099,14 @@ masquerading_rules() elif [ -z "$net1" ]; then error "source network must not be empty in $var -> $nets" elif check_proto_port "$proto" "$port" '' "$var"; then - net1=${net1/\!/\! } - net2=${net2/\!/\! } - snet2="" - if [ -n "$net2" ]; then - snet2="-s $net2" - net2="-d $net2" - fi - + eval `net2srcdst net1 "$net1"` + eval `net2srcdst net2 "$net2"` for dev in $FW_MASQ_DEV; do d=${dev//[^A-Za-z0-9]/_} eval z=\${iface_$d} if [ "$var" = "FW_NOMASQ_NETS" ]; then # cheap hack - $IPTABLES -A POSTROUTING -j ACCEPT -t nat -s $net1 $net2 $proto $port -o $dev + $IPTABLES -A POSTROUTING -j ACCEPT -t nat $net1_src $net2_dst $proto $port -o $dev continue fi 
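Review bot: The `elif [ -z "$net1" ]` guard on the context line above runs before net2srcdst strips the leading `!`, so a source network written as just `!` passes the check, net2srcdst then emits an empty `net1_src`, and the NOMASQ ACCEPT rule in this hunk (and the MASQUERADE rule in the following one) is installed without any source match at all. Changing the guard to `elif [ -z "${net1#\!}" ]; then` keeps the existing error path for that input. Dropping the `snet2`/`net2` fragment juggling in favour of the helper is otherwise a clear improvement; masquerading_rules starts and ends outside this hunk.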
@@ -2099,19 +2119,19 @@ masquerading_rules() [ "$sdev" = "$dev" ] && continue if [ "forward_$z" != "$dzone" ]; then #echo "$dzone: $sdev ($szone) -> $dev ($z)" - $LAA $IPTABLES -A $dzone ${LOG}"-`rulelog $dzone`-ACC-MASQ " -s $net1 $net2 $proto $port -i $sdev -o $dev - $IPTABLES -A $dzone -j "$ACCEPT" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -s $net1 $net2 $proto $port -i $sdev -o $dev + $LAA $IPTABLES -A $dzone ${LOG}"-`rulelog $dzone`-ACC-MASQ " $net1_src $net2_dst $proto $port -i $sdev -o $dev + $IPTABLES -A $dzone -j "$ACCEPT" -m conntrack --ctstate NEW,ESTABLISHED,RELATED $net1_src $net2_dst $proto $port -i $sdev -o $dev else #echo "$dzone: $sdev ($szone) <- $dev ($z)" # we need to allow the replies as well - $LAA $IPTABLES -A $dzone -d $net1 $snet2 $proto $rport -i $dev -o $sdev ${LOG}"-`rulelog $dzone`-ACC-MASQ " -m conntrack --ctstate ESTABLISHED,RELATED - $IPTABLES -A $dzone -d $net1 $snet2 $proto $rport -i $dev -o $sdev -j "$ACCEPT" -m conntrack --ctstate ESTABLISHED,RELATED + $LAA $IPTABLES -A $dzone $net1_dst $net2_src $proto $rport -i $dev -o $sdev ${LOG}"-`rulelog $dzone`-ACC-MASQ " -m conntrack --ctstate ESTABLISHED,RELATED + $IPTABLES -A $dzone $net1_dst $net2_src $proto $rport -i $dev -o $sdev -j "$ACCEPT" -m conntrack --ctstate ESTABLISHED,RELATED fi done done done - $IPTABLES -A POSTROUTING -j MASQUERADE -t nat -s $net1 $net2 $proto $port -o $dev + $IPTABLES -A POSTROUTING -j MASQUERADE -t nat $net1_src $net2_dst $proto $port -o $dev done fi done 
@@ -2122,19 +2142,21 @@ masquerading_rules() # <source network>,<destination>,<protocol>,<port>,<ip to forward to>,<redirect port> forward_masquerading_rules() { - local nets net1 net2 proto port1 port2 lip + local nets proto port1 port2 lip + local net1 net1_neg net1_src net1_dst + local net2 net2_neg net2_src net2_dst for nets in $FW_FORWARD_MASQ; do IFS=, eval set -- \$nets net1="$1" - net2="$2" + target="$2" proto="$3" port1="$4" port2="$5" - lip="$6" + net2="$6" - case "$net2" in - */*|'') + case "$target" in + */*|\!*|'') error "target must be a single host in FW_FORWARD_MASQ -> $nets" continue ;; 
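Review bot: `target` is assigned on the new `target="$2"` line but is not in the `local` list, so it becomes a global that outlives the function, while `lip` remains on the first added `local` line although its only assignment was removed; change that line to `local nets proto port1 port2 target`. The new `\!*` case arm rightly refuses a negated target, but it reuses the "target must be a single host" message, so a wording such as "target must be a single host (no negation)" would tell the user what was rejected. The function body continues past the end of the hunk.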
@@ -2149,29 +2171,28 @@ forward_masquerading_rules() elif [ -z "$port1" ]; then error "Port missing in FW_FORWARD_MASQ -> $nets" else - net1=${net1/\!/\! } - net2=${net2/\!/\! } + eval `net2srcdst net1 "$net1"` + eval `net2srcdst net2 "$net2"` proto="-p $proto" test -z "$port2" && port2="$port1" port1="--dport $port1" dport2="--dport $port2" port2=":${port2/:/-}" - test -n "$lip" && lip="-d $lip" for dev in $FW_MASQ_DEV; do - $IPTABLES -A PREROUTING -j DNAT -t nat $proto -s $net1 $lip $port1 --to-destination ${net2}${port2} -i $dev + $IPTABLES -A PREROUTING -j DNAT -t nat $proto $net1_src $net2_dst $port1 --to-destination ${target}${port2} -i $dev # to install minimal rule set we'd need to check if # $net1 is covered by $FW_MASQ_NETS. Not feasible in # bash code so just check for 0/0 if [ "$FW_MASQ_NETS" != "0/0" ]; then - $IPTABLES -A POSTROUTING -j MASQUERADE -t nat -s $net1 -d $net2 $proto $dport2 -o $dev + $IPTABLES -A POSTROUTING -j MASQUERADE -t nat $net1_src $net2_dst $proto $dport2 -o $dev fi done for chain in $forward_zones; do chain=forward_$chain - $LAC $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-REVMASQ " $proto -s $net1 -d $net2 $dport2 -m conntrack --ctstate NEW - $LAA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-REVMASQ " $proto -s $net1 -d $net2 $dport2 - $IPTABLES -A $chain -j "$ACCEPT" $proto -s $net1 -d $net2 $dport2 - $IPTABLES -A $chain -j "$ACCEPT" $proto -d $net1 -s $net2 -m conntrack --ctstate ESTABLISHED,RELATED + $LAC $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-REVMASQ " $proto $net1_src $net2_dst $dport2 -m conntrack --ctstate NEW + $LAA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-REVMASQ " $proto $net1_src $net2_dst $dport2 + $IPTABLES -A $chain -j "$ACCEPT" $proto $net1_src $net2_dst $dport2 + $IPTABLES -A $chain -j "$ACCEPT" $proto $net1_dst $net2_src -m conntrack --ctstate ESTABLISHED,RELATED done fi done -- 1.7.7 -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: 
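Review bot: The POSTROUTING MASQUERADE rule and the four forward-chain rules now match `$net2_dst`/`$net2_src`, but after the previous hunk `net2` holds the sixth field (the address the packet was sent to before DNAT), whereas the removed lines matched `-d $net2`/`-s $net2` when `net2` still held the DNAT target; since the PREROUTING DNAT rewrites the destination to `$target`, whenever the sixth field is non-empty these rules match nothing and the forwarded traffic is neither masqueraded nor accepted in the forward chains. Only the PREROUTING DNAT rule should keep `$net2_dst`; the later rules should match `-d $target`, and the reply rule `-s $target` (the `\!*` case arm in the previous hunk guarantees `$target` carries no negation, so no net2srcdst call is needed for it). The two backtick `eval` lines here should also become `eval $(net2srcdst …)`. forward_masquerading_rules starts outside this hunk.
```shell
            eval $(net2srcdst net1 "$net1")
            eval $(net2srcdst net2 "$net2")
            # … unchanged: proto/port1/port2/dport2 setup …
            for dev in $FW_MASQ_DEV; do
                # … unchanged: PREROUTING DNAT rule using $net1_src $net2_dst …
                if [ "$FW_MASQ_NETS" != "0/0" ]; then
                    # after DNAT the destination is $target, not the pre-DNAT address in $net2
                    $IPTABLES -A POSTROUTING -j MASQUERADE -t nat $net1_src -d $target $proto $dport2 -o $dev
                fi
            done
            for chain in $forward_zones; do
                chain=forward_$chain
                $LAC $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-REVMASQ " $proto $net1_src -d $target $dport2 -m conntrack --ctstate NEW
                $LAA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-REVMASQ " $proto $net1_src -d $target $dport2
                $IPTABLES -A $chain -j "$ACCEPT" $proto $net1_src -d $target $dport2
                $IPTABLES -A $chain -j "$ACCEPT" $proto $net1_dst -s $target -m conntrack --ctstate ESTABLISHED,RELATED
            done
```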