Hello community, here is the log from the commit of package yast2-firewall for openSUSE:Factory checked in at 2018-03-14 19:34:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yast2-firewall (Old) and /work/SRC/openSUSE:Factory/.yast2-firewall.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-firewall" Wed Mar 14 19:34:20 2018 rev:63 rq:586266 version:4.0.19 Changes: -------- --- /work/SRC/openSUSE:Factory/yast2-firewall/yast2-firewall.changes 2018-03-04 11:49:16.917342588 +0100 +++ /work/SRC/openSUSE:Factory/.yast2-firewall.new/yast2-firewall.changes 2018-03-14 19:34:21.887160878 +0100 @@ -1,0 +2,19 @@ +Tue Mar 13 07:24:55 UTC 2018 - [email protected] + +- Some fixes to the firewall AY schema (bsc#1013047) + - Use "name" in zones + - "default_zone" is a firewall attribute +- 4.0.19 + +------------------------------------------------------------------- +Tue Mar 6 07:04:46 UTC 2018 - [email protected] + +- SuSEFirewall2 importer changes (fate#323460) + - Use internal zone instead of trusted when the protection from + the INT zone is enabled which fits better with the definition. + - Removed the mapping of apache2 and apache2-ssl services to + firewalld services since the apache package will provide the + services definition and we will not use firewall defaults. +- 4.0.18 + +------------------------------------------------------------------- Old: ---- yast2-firewall-4.0.17.tar.bz2 New: ---- yast2-firewall-4.0.19.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ yast2-firewall.spec ++++++ --- /var/tmp/diff_new_pack.kIBFnV/_old 2018-03-14 19:34:23.003121243 +0100 +++ /var/tmp/diff_new_pack.kIBFnV/_new 2018-03-14 19:34:23.007121101 +0100 
@@ -17,7 +17,7 @@ Name: yast2-firewall -Version: 4.0.17 +Version: 4.0.19 Release: 0 BuildRoot: %{_tmppath}/%{name}-%{version}-build ++++++ yast2-firewall-4.0.17.tar.bz2 -> yast2-firewall-4.0.19.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-firewall-4.0.17/package/yast2-firewall.changes new/yast2-firewall-4.0.19/package/yast2-firewall.changes --- old/yast2-firewall-4.0.17/package/yast2-firewall.changes 2018-02-27 14:11:28.000000000 +0100 +++ new/yast2-firewall-4.0.19/package/yast2-firewall.changes 2018-03-13 09:46:03.000000000 +0100 @@ -1,4 +1,23 @@ ------------------------------------------------------------------- +Tue Mar 13 07:24:55 UTC 2018 - [email protected] + +- Some fixes to the firewall AY schema (bsc#1013047) + - Use "name" in zones + - "default_zone" is a firewall attribute +- 4.0.19 + +------------------------------------------------------------------- +Tue Mar 6 07:04:46 UTC 2018 - [email protected] + +- SuSEFirewall2 importer changes (fate#323460) + - Use internal zone instead of trusted when the protection from + the INT zone is enabled which fits better with the definition. + - Removed the mapping of apache2 and apache2-ssl services to + firewalld services since the apache package will provide the + services definition and we will not use firewall defaults. +- 4.0.18 + +------------------------------------------------------------------- Tue Feb 27 13:08:22 UTC 2018 - [email protected] - Added textdomain for translation (bnc#1083015) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-firewall-4.0.17/package/yast2-firewall.spec new/yast2-firewall-4.0.19/package/yast2-firewall.spec --- old/yast2-firewall-4.0.17/package/yast2-firewall.spec 2018-02-27 14:11:28.000000000 +0100 +++ new/yast2-firewall-4.0.19/package/yast2-firewall.spec 2018-03-13 09:46:03.000000000 +0100 
@@ -17,7 +17,7 @@ Name: yast2-firewall -Version: 4.0.17 +Version: 4.0.19 Release: 0 BuildRoot: %{_tmppath}/%{name}-%{version}-build diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-firewall-4.0.17/src/autoyast-rnc/firewall.rnc new/yast2-firewall-4.0.19/src/autoyast-rnc/firewall.rnc --- old/yast2-firewall-4.0.17/src/autoyast-rnc/firewall.rnc 2018-02-27 14:11:28.000000000 +0100 +++ new/yast2-firewall-4.0.19/src/autoyast-rnc/firewall.rnc 2018-03-13 09:46:03.000000000 +0100 @@ -24,7 +24,6 @@ | FW_SERVICES_EXT_IP | start_firewall | enable_firewall - | default_zone | FW_ALLOW_FW_BROADCAST_DMZ | FW_ALLOW_FW_BROADCAST_INT | FW_ALLOW_FW_BROADCAST_EXT @@ -85,7 +84,6 @@ FW_SERVICES_EXT_IP = element FW_SERVICES_EXT_IP { text } start_firewall = element start_firewall { BOOLEAN } enable_firewall = element enable_firewall { BOOLEAN } -default_zone = element default_zone { text } FW_ALLOW_FW_BROADCAST_DMZ = element FW_ALLOW_FW_BROADCAST_DMZ { text } FW_ALLOW_FW_BROADCAST_EXT = element FW_ALLOW_FW_BROADCAST_EXT { text } FW_ALLOW_FW_BROADCAST_INT = element FW_ALLOW_FW_BROADCAST_INT { text } 
@@ -131,36 +129,39 @@ zone = element zone { - interfaces - | services - | ports - | protocols - | masquerade + zone_name & + fwd_interfaces? & + fwd_services? & + fwd_ports? & + fwd_protocols? & + masquerade? } -services = +fwd_services = element services { LIST, - element service {text}+ + element service {text}* } -interfaces = +fwd_interfaces = element interfaces { LIST, - element interface {text}+ + element interface {text}* } -ports = +fwd_ports = element ports { LIST, - element ports {text}+ + element port {text}* } -protocols = +fwd_protocols = element protocols { LIST, - element protocols {text}+ + element protocol {text}* } +zone_name = element name { text } +default_zone = element default_zone { text } masquerade = element masquerade { BOOLEAN } log_denied_packets = element log_denied_packets { text } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-firewall-4.0.17/src/lib/y2firewall/importer_strategies/suse_firewall.rb new/yast2-firewall-4.0.19/src/lib/y2firewall/importer_strategies/suse_firewall.rb --- old/yast2-firewall-4.0.17/src/lib/y2firewall/importer_strategies/suse_firewall.rb 2018-02-27 14:11:28.000000000 +0100 +++ new/yast2-firewall-4.0.19/src/lib/y2firewall/importer_strategies/suse_firewall.rb 2018-03-13 09:46:03.000000000 +0100 @@ -42,8 +42,6 @@ # Best effort conversion of SuSEFirewall2 services into firewalld # predefined ones. SERVICE_MAP = { - "apache2" => ["http"], - "apache2-ssl" => ["https"], "bind" => ["dns"], "dhcp-server" => ["dhcp"], "dhcp6-server" => ["dhcpv6"], @@ -77,7 +75,8 @@ "FW_LOG_ACCEPT_CRIT", "FW_LOG_DROP_CRIT", "FW_LOG_DROP_ALL", - "FW_MASQUERADE" + "FW_MASQUERADE", + "FW_PROTECT_FROM_INT" ].freeze # @return [Array<string>] list of zones @@ -282,7 +281,7 @@ def zone_equivalent(name) case name.upcase when "INT" - "trusted" + trusted? ? "trusted" : "internal" when "EXT" masquerade? ? "external" : "public" when "DMZ" 
@@ -290,6 +289,13 @@ end end + # Return whether internal network is trusted or not + # + # @return [Boolean] true if trusted; false otherwise + def trusted? + profile.fetch("FW_PROTECT_FROM_INT", "no") == "no" + end + # Return whether masquerade is configured or not # # @return [Boolean] true if configured; false otherwise diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-firewall-4.0.17/test/lib/y2firewall/importer_strategies/suse_firewall.rb new/yast2-firewall-4.0.19/test/lib/y2firewall/importer_strategies/suse_firewall.rb --- old/yast2-firewall-4.0.17/test/lib/y2firewall/importer_strategies/suse_firewall.rb 2018-02-27 14:11:28.000000000 +0100 +++ new/yast2-firewall-4.0.19/test/lib/y2firewall/importer_strategies/suse_firewall.rb 2018-03-13 09:46:03.000000000 +0100 @@ -30,6 +30,7 @@ let(:known_zones) { Y2Firewall::Firewalld::Zone.known_zones.keys } let(:empty_zones) { known_zones.map { |name| Y2Firewall::Firewalld::Zone.new(name: name) } } let(:masquerade) { "yes" } + let(:int_protected) { "no" } before do firewalld.zones = empty_zones @@ -52,7 +53,8 @@ "FW_MASQUERADE" => masquerade, "FW_LOG_DROP_CRIT" => "yes", "FW_LOG_DROP_ALL" => "no", - "FW_LOG_ACCEPT_CRIT" => "no" + "FW_LOG_ACCEPT_CRIT" => "no", + "FW_PROTECT_FROM_INT" => int_protected } end @@ -69,12 +71,6 @@ subject.import end - it "configures the INT zone as the trusted" do - trusted = firewalld.find_zone("trusted") - - expect(trusted.interfaces).to eq(["eth1"]) - end - it "configures the DMZ zone as the dmz" do dmz = firewalld.find_zone("dmz") 
@@ -85,6 +81,34 @@ expect(firewalld.default_zone).to eql("dmz") end + context "and protection from INT zone is not defined" do + let(:profile) { { "FW_DEV_INT" => "eth1" } } + + it "configures the INT zone as the trusted" do + trusted = firewalld.find_zone("trusted") + + expect(trusted.interfaces).to eq(["eth1"]) + end + end + + context "and protection from INT zone is disabled" do + it "configures the INT zone as the trusted" do + trusted = firewalld.find_zone("trusted") + + expect(trusted.interfaces).to eq(["eth1"]) + end + end + + context "and protection from INT zone is enabled" do + let(:int_protected) { "yes" } + + it "configures the INT zone as the internal" do + internal = firewalld.find_zone("internal") + + expect(internal.interfaces).to eq(["eth1"]) + end + end + context "and masquerade is disabled" do let(:masquerade) { "no" }
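Review bot: the `default_zone = element default_zone { text }` pattern re-added in the firewall.rnc hunk at @@ -131,36 +129,39 @@ has no visible reference: the hunk at @@ -24,7 +24,6 @@ removed `| default_zone` from the top-level element list and nothing else in this diff uses the new definition, so unless a reference exists in a part of the file outside these hunks, a `<default_zone>` element under `<firewall>` still fails validation and the changelog line "default_zone is a firewall attribute" is not actually delivered. Please either keep `| default_zone` in the list at line 24 or point to where the new pattern is consumed. The same hunk also silently renames the list item elements from `ports`/`protocols` to `port`/`protocol` (fixing the earlier copy-paste) and relaxes `+` to `*`; that is a profile-compatibility change and deserves its own line in the changes file, since existing AutoYaST profiles written against the old element names will need updating.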
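Review bot: `trusted?` in the suse_firewall.rb hunk at @@ -290,6 +289,13 @@ compares `profile.fetch("FW_PROTECT_FROM_INT", "no") == "no"` exactly, while the caller `zone_equivalent` normalizes zone names with `name.upcase`; a profile value such as `No`, `NO` or `no ` therefore maps the INT interfaces to `internal` instead of `trusted`. That fails toward the more restrictive zone, which is the right direction for a firewall importer, but it should be stated in the method comment (or the value normalized with `.to_s.strip.downcase` before comparing) so a later reader does not mistake the asymmetry for a bug.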
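Review bot: the three new contexts in the test hunk at @@ -85,6 +81,34 @@ cover `FW_PROTECT_FROM_INT` unset, `no` and `yes`, but the "not defined" context replaces the whole `profile` with `{ "FW_DEV_INT" => "eth1" }`, so it no longer exercises the masquerade and logging keys the sibling contexts inherit and its `it` description is identical to the "disabled" one; deriving the profile from the outer one with the key removed (for example `let(:profile) { super().reject { |k, _| k == "FW_PROTECT_FROM_INT" } }`) keeps the two cases comparable. Separately, nothing in this diff tests the removal of `"apache2"` and `"apache2-ssl"` from `SERVICE_MAP` in the @@ -42,8 +42,6 @@ hunk; a spec asserting that a profile naming `apache2` no longer yields `http` would document that behaviour change.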
