Hello community, here is the log from the commit of package SuSEfirewall2 for openSUSE:Factory checked in at 2018-01-20 11:22:40 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/SuSEfirewall2 (Old) and /work/SRC/openSUSE:Factory/.SuSEfirewall2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "SuSEfirewall2" Sat Jan 20 11:22:40 2018 rev:88 rq:566446 version:3.6.378 Changes: --------
--- /work/SRC/openSUSE:Factory/SuSEfirewall2/SuSEfirewall2.changes 2017-11-30 12:38:39.016624239 +0100
+++ /work/SRC/openSUSE:Factory/.SuSEfirewall2.new/SuSEfirewall2.changes 2018-01-20 11:22:41.883634105 +0100
@@ -1,0 +2,6 @@
+Tue Jan 16 10:58:23 UTC 2018 - [email protected]
+
+- Fixed a regression in setting up the final LOG/DROP/REJECT rules for IPv6 (bnc#1075251)
+- Set RPC related rules also for IPv6 (bnc#1074933)
+
+-------------------------------------------------------------------
Old: ---- SuSEfirewall2-3.6.376.tar.bz2 New: ---- SuSEfirewall2-3.6.378.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences: ------------------
++++++ SuSEfirewall2.spec ++++++
--- /var/tmp/diff_new_pack.RGwOsa/_old 2018-01-20 11:22:42.547603063 +0100
+++ /var/tmp/diff_new_pack.RGwOsa/_new 2018-01-20 11:22:42.547603063 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package SuSEfirewall2
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,7 @@
 %define newname SUSEfirewall2
 Name: SuSEfirewall2
-Version: 3.6.376
+Version: 3.6.378
 Release: 0
 Url: http://en.opensuse.org/SuSEfirewall2
 PreReq: /bin/sed textutils fileutils grep filesystem
++++++ SuSEfirewall2-3.6.376.tar.bz2 -> SuSEfirewall2-3.6.378.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.376/SuSEfirewall2 new/SuSEfirewall2-3.6.378/SuSEfirewall2
--- old/SuSEfirewall2-3.6.376/SuSEfirewall2 2017-11-28 14:32:03.000000000 +0100
+++ new/SuSEfirewall2-3.6.378/SuSEfirewall2 2018-01-16 11:49:38.000000000 +0100
@@ -2319,10 +2319,10 @@
 port="$3"
 sport="$4"
- iptables="$IPTABLES $IP6TABLES"
+ iptables_list=$IPTABLES_LIST
 case "$net" in
- *:*) iptables="$IP6TABLES" ;;
- [0-9]*.*.*.*) iptables="$IPTABLES" ;;
+ *:*) iptables_list="$IP6TABLES" ;;
+ [0-9]*.*.*.*) iptables_list="$IPTABLES" ;;
 esac
 if [ "$proto" = "_rpc_" ]; then
@@ -2331,8 +2331,10 @@
 comment_pars "rpc.$port"
 set -o pipefail
 rpcservicerules $service | while read ARG; do
- $LDC $IPTABLES $rpc_insert $comment ${LOG}"-`rulelog $chain`-$action " -m conntrack --ctstate NEW $ARG
- $IPTABLES $rpc_insert $comment -j "$target" $ARG
+ for iptables in $iptables_list; do
+ $LDC $iptables $rpc_insert $comment ${LOG}"-`rulelog $chain`-$action " -m conntrack --ctstate NEW $ARG
+ $iptables $rpc_insert $comment -j "$target" $ARG
+ done
 done
 [ $? -eq 0 ] || die "Failed to setup rpc service rules for $service"
 set +o pipefail
@@ -2340,7 +2342,7 @@
 # don't add any other rules in update rpc mode
 continue
 elif check_proto_port "$proto" "$port" "$sport" "$var"; then
- for iptables in $iptables; do
+ for iptables in $iptables_list; do
 $LDA $iptables -A $chain -s $net $proto $port $sport -m conntrack --ctstate NEW ${LOG}"-`rulelog $chain`-$action "
 $iptables -A $chain -s $net $proto $port $sport -m conntrack --ctstate NEW -j "$target"
 done
@@ -2406,10 +2408,10 @@
 ipt_recent_set="-m recent --set$ipt_recent_set"
 fi
- iptables="$IPTABLES $IP6TABLES"
+ iptables_list=$IPTABLES_LIST
 case "$net" in
- *:*) iptables="$IP6TABLES" ;;
- [0-9]*.*.*.*) iptables="$IPTABLES" ;;
+ *:*) iptables_list="$IP6TABLES" ;;
+ [0-9]*.*.*.*) iptables_list="$IPTABLES" ;;
 esac
 if [ "$proto" = "_rpc_" ]; then
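Review bot: The default family list now comes from `$IPTABLES_LIST`, but the two `case "$net"` arms in the hunk at -2319 still assign `$IP6TABLES` or `$IPTABLES` directly, so an explicit address bypasses whatever `$IPTABLES_LIST` leaves out. If that list can omit a family (for instance when IPv6 support is switched off, which this hunk does not show), a `$net` containing `:` still selects `$IP6TABLES`. A comment above the `case` such as `# literal addresses pin the family; anything else gets every family in IPTABLES_LIST` would record the intent, and it is worth confirming that `$IP6TABLES` is harmless when IPv6 is disabled. The same block appears again in the hunk at -2406, and the enclosing functions start and end outside both hunks.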
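Review bot: In the hunk at -2331 the `[ $? -eq 0 ] || die` check after the pipeline only sees the status of the last command of the last `while` iteration, and with the new inner `for iptables in $iptables_list` loop that is the rule for the final family in the list. As far as the hunk shows, a failed insert of the `-j "$target"` rule for an earlier family is masked by a later success, so the rule set can end up incomplete without any error being reported. Ending the rule line with `|| exit 1`, as in `$iptables $rpc_insert $comment -j "$target" $ARG || exit 1`, leaves the pipeline subshell with a failure status so that the existing `die` fires. The hunks at -2418 and -2481 have the same loop shape and need the same treatment on their `-j ACCEPT` and `-j "$ACCEPT"` lines; the surrounding functions are not fully visible here.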
@@ -2418,14 +2420,16 @@
 comment_pars "rpc.$port"
 set -o pipefail
 rpcservicerules $service | while read ARG; do
- if [ -n "$ipt_recent_set" ]; then
- $LDC $IPTABLES $rpc_insert $comment ${LOG}"-`rulelog $chain`-DROPr " $ARG -m conntrack --ctstate NEW $ipt_recent_rcheck
- $IPTABLES $rpc_insert $comment -j "$DROP" $ARG -m conntrack --ctstate NEW $ipt_recent_update
- fi
- $LAC $IPTABLES $rpc_insert $comment ${LOG}"-`rulelog $chain`-ACC " -m conntrack --ctstate NEW $ARG
- $LAA $IPTABLES $rpc_insert $comment ${LOG}"-`rulelog $chain`-ACC " $ARG
- [ -n "$ipt_recent_set" ] && $IPTABLES $rpc_insert $comment -j ACCEPT $ARG -m conntrack --ctstate NEW $ipt_recent_set
- $IPTABLES $rpc_insert $comment -j ACCEPT $ARG
+ for iptables in $iptables_list; do
+ if [ -n "$ipt_recent_set" ]; then
+ $LDC $iptables $rpc_insert $comment ${LOG}"-`rulelog $chain`-DROPr " $ARG -m conntrack --ctstate NEW $ipt_recent_rcheck
+ $iptables $rpc_insert $comment -j "$DROP" $ARG -m conntrack --ctstate NEW $ipt_recent_update
+ fi
+ $LAC $iptables $rpc_insert $comment ${LOG}"-`rulelog $chain`-ACC " -m conntrack --ctstate NEW $ARG
+ $LAA $iptables $rpc_insert $comment ${LOG}"-`rulelog $chain`-ACC " $ARG
+ [ -n "$ipt_recent_set" ] && $iptables $rpc_insert $comment -j ACCEPT $ARG -m conntrack --ctstate NEW $ipt_recent_set
+ $iptables $rpc_insert $comment -j ACCEPT $ARG
+ done
 done
 [ $? -eq 0 ] || die "Failed to setup rpc service rules for $service"
 set +o pipefail
@@ -2433,7 +2437,7 @@
 # don't add any other rules in update rpc mode
 continue
 elif check_proto_port "$proto" "$port" "$sport" "$var"; then
- for iptables in $iptables; do
+ for iptables in $iptables_list; do
 if [ -n "$ipt_recent_set" ]; then
 $LDC $iptables -A $chain ${LOG}"-`rulelog $chain`-DROPr " -s $net $proto $port $sport -m conntrack --ctstate NEW $ipt_recent_rcheck
 $iptables -A $chain -j "$DROP" -s $net $proto $port $sport -m conntrack --ctstate NEW $ipt_recent_update
@@ -2481,9 +2485,11 @@
 comment_pars "rpc.$service"
 set -o pipefail
 rpcservicerules $service | while read ARG; do
- $LAC $IPTABLES $rpc_insert $comment ${LOG}"-`rulelog $chain`-ACC-RPC " -m conntrack --ctstate NEW $ARG
- $LAA $IPTABLES $rpc_insert $comment ${LOG}"-`rulelog $chain`-ACC-RPC " $ARG
- $IPTABLES $rpc_insert $comment -j "$ACCEPT" $ARG
+ for iptables in $IPTABLES_LIST; do
+ $LAC $iptables $rpc_insert $comment ${LOG}"-`rulelog $chain`-ACC-RPC " -m conntrack --ctstate NEW $ARG
+ $LAA $iptables $rpc_insert $comment ${LOG}"-`rulelog $chain`-ACC-RPC " $ARG
+ $iptables $rpc_insert $comment -j "$ACCEPT" $ARG
+ done
 done
 [ $? -eq 0 ] || die "failed to setup rpc service rules for $service"
 set +o pipefail
@@ -2895,12 +2901,12 @@
 local chain
 local zone
 local drop
- local chainprefix='input_'
 local comment
 comment_pars "insert.pos"
 for iptables in $IPTABLES_LIST; do
 local icmp_type=icmp
+ local chainprefix='input_'
 [ $iptables = $IP6TABLES ] && icmp_type=icmpv6
 for zone in $input_zones '--' $forward_zones; do
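Review bot: Nothing on the moved `local chainprefix='input_'` line in the hunk at -2895 says why it has to sit inside the `for iptables in $IPTABLES_LIST` loop, so a later tidy-up could hoist it back next to the other `local` declarations and bring back the IPv6 regression the changelog mentions. Presumably the zone loop changes `chainprefix` once it reaches the `'--'` separator, but that assignment is not visible in this hunk. I would keep a bare `local chainprefix` with the other declarations and put `chainprefix='input_'  # reset for each family` inside the loop, adding a word on what overwrites it. The function starts and ends outside the hunk.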
