Hello community,
here is the log from the commit of package susefirewall2-to-firewalld for
openSUSE:Factory checked in at 2018-03-20 22:00:11
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/susefirewall2-to-firewalld (Old)
and /work/SRC/openSUSE:Factory/.susefirewall2-to-firewalld.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "susefirewall2-to-firewalld"
Tue Mar 20 22:00:11 2018 rev:2 rq:588608 version:0.0.2
Changes:
--------
---
/work/SRC/openSUSE:Factory/susefirewall2-to-firewalld/susefirewall2-to-firewalld.changes
2016-04-28 16:56:36.000000000 +0200
+++
/work/SRC/openSUSE:Factory/.susefirewall2-to-firewalld.new/susefirewall2-to-firewalld.changes
2018-03-20 22:00:35.397185368 +0100
@@ -1,0 +2,8 @@
+Mon Mar 19 12:17:00 UTC 2018 - [email protected]
+
+- Version bump to 0.0.2
+ * Handle migration when SF2 is absent (bsc#1084177)
+ * Ensure that firewalld is enabled after migration
+ * Print firewalld commands in debug mode
+
+-------------------------------------------------------------------
Old:
----
susefirewall2-to-firewalld-0.0.1.tar.gz
New:
----
susefirewall2-to-firewalld-0.0.2.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ susefirewall2-to-firewalld.spec ++++++
--- /var/tmp/diff_new_pack.f7unE8/_old 2018-03-20 22:00:36.145158438 +0100
+++ /var/tmp/diff_new_pack.f7unE8/_new 2018-03-20 22:00:36.153158150 +0100
@@ -1,7 +1,7 @@
#
# spec file for package susefirewall2-to-firewalld
#
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,16 +17,16 @@
Name: susefirewall2-to-firewalld
-Version: 0.0.1
+Version: 0.0.2
Release: 0
Summary: Basic SuSEfirewall2 to FirewallD migration script
-License: GPL-2.0+
+License: GPL-2.0-or-later
Group: Productivity/Networking/Other
Url: https://github.com/openSUSE/susefirewall2-to-firewalld
Source:
https://github.com/openSUSE/%{name}/archive/%{name}-%{version}.tar.gz
Requires: firewalld
Requires: iptables
-Requires: SuSEfirewall2
+Recommends: SuSEfirewall2
BuildArch: noarch
%description
++++++ susefirewall2-to-firewalld-0.0.1.tar.gz ->
susefirewall2-to-firewalld-0.0.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/susefirewall2-to-firewalld-susefirewall2-to-firewalld-0.0.1/susefirewall2-to-firewalld
new/susefirewall2-to-firewalld-susefirewall2-to-firewalld-0.0.2/susefirewall2-to-firewalld
---
old/susefirewall2-to-firewalld-susefirewall2-to-firewalld-0.0.1/susefirewall2-to-firewalld
2016-03-03 11:45:08.000000000 +0100
+++
new/susefirewall2-to-firewalld-susefirewall2-to-firewalld-0.0.2/susefirewall2-to-firewalld
2018-03-19 13:11:53.000000000 +0100
@@ -64,7 +64,7 @@
if git describe --always --tags --abbrev > /dev/null 2>&1; then
VERSION="git$(git describe --always --tags --abbrev)"
else
- VERSION="0.0.1"
+ VERSION="0.0.2"
fi
#
@@ -93,6 +93,8 @@
declare -A interface_to_zone=()
# Map services to zones
declare -A service_to_zone=()
+# Map known services to zones
+declare -A known_service_to_zone=()
# Map masquerade to zones
declare -A masquerade_to_zone=()
# Map packets marked@port@protocol to zone
@@ -199,11 +201,20 @@
}
#
+# susefirewall2_present: Check the status of the SuSEfirewall2 package.
+#
+susefirewall2_present() {
+ rpm --quiet -qi SuSEfirewall2
+}
+
+#
# susefirewall2_init: Ensure all required services are in a well known state.
# We stop firewalld if it is running and we restart SuSEfirewall2 to get rid of
# transient strange rules which might be lurking around.
#
susefirewall2_init() {
+ susefirewall2_present || return 0
+
if [[ ${1} == true ]]; then
info "Stopping firewalld"
systemctl -q stop firewalld || error "Failed to stop firewalld"
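Review bot: The new `susefirewall2_present || return 0` guard at the top of `susefirewall2_init` also short-circuits the new `switch` branch (hunk `@@ -223,6 +234,19 @@`), so in the SuSEfirewall2-absent path this commit introduces for bsc#1084177 the final `susefirewall2_init switch` call (hunk `@@ -1867,4 +2005,8 @@`) never starts or enables firewalld, unless that happens somewhere not visible here. Only the SuSEfirewall2 `systemctl` calls depend on the package being installed; the firewalld start/enable should run in either case. In the same branch `${commit} || return` hands the status of `false` (1) back to a top-level caller, so `return 0` states the intent and avoids a surprise non-zero status should the script ever run under `set -e` (not visible here). `susefirewall2_init` continues past the end of this hunk.
```shell
susefirewall2_init() {
    # Only the SuSEfirewall2-specific branches need the package installed;
    # 'switch' must still start and enable firewalld when it is absent.
    if [[ ${1} != switch ]]; then
        susefirewall2_present || return 0
    fi
    # … unchanged: if [[ ${1} == true ]] … / elif [[ ${1} == false ]] … branches …
    elif [[ ${1} == switch ]]; then
        ${commit} || return 0
        if susefirewall2_present; then
            info "Stopping and disabling SuSEfirewall2"
            systemctl -q stop SuSEfirewall2 || error "Failed to stop the SuSEfirewall2 service"
            systemctl -q disable SuSEfirewall2 || error "Failed to disable the SuSEfirewall2 service"

            info "Stopping and disabling SuSEfirewall2_init"
            systemctl -q stop SuSEfirewall2_init || error "Failed to stop the SuSEfirewall2_init service"
            systemctl -q disable SuSEfirewall2_init || error "Failed to disable the SuSEfirewall2_init service"
        fi

        info "Starting firewalld"
        systemctl -q start firewalld || error "Failed to start the firewalld service"
        systemctl -q enable firewalld || error "Failed to enable the firewalld service"
```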
@@ -214,7 +225,7 @@
info "Restarting SuSEfirewall2"
systemctl -q restart SuSEfirewall2 || error "Failed to start
SuSEfirewall2"
- else
+ elif [[ ${1} == false ]]; then
info "Stopping SuSEfirewall2"
systemctl -q stop SuSEfirewall2 || error "Failed to stop the
SuSEfirewall2 service"
@@ -223,6 +234,19 @@
info "Starting firewalld"
systemctl -q restart firewalld || error "Failed to start the firewalld
service"
+ elif [[ ${1} == switch ]]; then
+ ${commit} || return
+ info "Stopping and disabling SuSEfirewall2"
+ systemctl -q stop SuSEfirewall2 || error "Failed to stop the
SuSEfirewall2 service"
+ systemctl -q disable SuSEfirewall2 || error "Failed to disable the
SuSEfirewall2 service"
+
+ info "Stopping and disabling SuSEfirewall2_init"
+ systemctl -q stop SuSEfirewall2_init || error "Failed to stop the
SuSEfirewall2_init service"
+ systemctl -q disable SuSEfirewall2_init || error "Failed to disable
the SuSEfirewall2_init service"
+
+ info "Starting firewalld"
+ systemctl -q start firewalld || error "Failed to start the firewalld
service"
+ systemctl -q enable firewalld || error "Failed to enable the firewalld
service"
fi
}
@@ -425,6 +449,10 @@
do_fwd_cmd --zone=${zone_mappings[${zone}]}
--add-port="${ports}/${protocol}"
fi
done
+ for service in ${known_service_to_zone[$zone]}; do
+ info "Enabling service=\"${service}\" to
zone=\"${zone_mappings[${zone}]}\""
+ do_fwd_cmd --zone=${zone_mappings[${zone}]}
--add-service="${service}"
+ done
done
}
@@ -690,6 +718,7 @@
# The SuSEfirewall configurations and scripts
#
declare -r SUSEFIREWALL2_CONFIG="/etc/sysconfig/SuSEfirewall2"
+ declare -r
SUSEFIREWALL2_CONFIG_RPMSAVE="/etc/sysconfig/SuSEfirewall2.rpmsave"
declare -r SUSEFIREWALL2_SCRIPTS="/etc/sysconfig/scripts"
#
@@ -708,8 +737,16 @@
FW_ALLOW_CLASS_ROUTING
)
- info "Reading the ${SUSEFIREWALL2_CONFIG} file"
- source ${SUSEFIREWALL2_CONFIG}
+ if [[ -e ${SUSEFIREWALL2_CONFIG} ]]; then
+ info "Reading the ${SUSEFIREWALL2_CONFIG} file"
+ source ${SUSEFIREWALL2_CONFIG}
+ elif [[ -e ${SUSEFIREWALL2_CONFIG_RPMSAVE} ]]; then
+ info "Reading the ${SUSEFIREWALL2_CONFIG_RPMSAVE} file"
+ source ${SUSEFIREWALL2_CONFIG_RPMSAVE}
+ else
+ info "No SuSEfirewall2 configuration was found."
+ exit 1
+ fi
#
# There are certain things which simply generate iptables we can't really
@@ -770,7 +807,7 @@
detect_tools() {
local tool
- declare -r -a needed_tools=('diff' 'firewall-cmd' 'iptables' 'ip6tables'
'SuSEfirewall2' 'systemctl')
+ declare -r -a needed_tools=('diff' 'firewall-cmd' 'iptables' 'ip6tables'
'systemctl')
for tool in ${needed_tools[@]}; do
if ! which ${tool} > /dev/null 2>&1; then
@@ -927,13 +964,29 @@
}
#
-# add_service_to_zone: Add interface to zone
+# add_known_service_to_zone: Add known service to zone
+#
+# $1: zone
+# $2: service
+#
+add_known_service_to_zone() {
+ local service=$2 z zone=$1
+
+ for z in ${known_service_to_zone[${zone}]}; do
+ [[ ${z} == ${service} ]] && return 1
+ done
+ known_service_to_zone[${zone}]+="${service} "
+
+ return 0
+}
+
+# add_service_to_zone: Add service to zone
# $1: zone
# $2: protocol
# $3: ports
#
add_service_to_zone() {
- local ports=$3 proto=$2 z zone=$1 z
+ local ports=$3 proto=$2 z zone=$1
for z in ${service_to_zone[${zone}]}; do
[[ ${z} == ${proto}_${ports} ]] && return 1
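Review bot: In `add_known_service_to_zone`, `[[ ${z} == ${service} ]]` treats the unquoted right-hand side as a glob pattern, so a service name containing `*`, `?` or `[` would match entries it should not; `[[ ${z} == "${service}" ]]` compares literally. The service names are taken from the sourced SuSEfirewall2 configuration rather than being fixed by the script, so the literal comparison is the safer default. The pre-existing `add_service_to_zone` comparison on the context line below uses the same unquoted form and could be quoted the same way. The function header would also benefit from stating the contract, e.g. `# Returns 0 when added, 1 when the service was already mapped to the zone`.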
@@ -1617,7 +1670,8 @@
do_fwd_cmd() {
debug "Executing: firewall-cmd $*"
# We need to see firewall-cmd errors so we can debug the script
- $commit && { all_firewalld_commands+=("$*"$'\n') && firewall-cmd "$@"
1>/dev/null || fwd_die; }
+ all_firewalld_commands+=("$*"$'\n')
+ $commit && { firewall-cmd "$@" 1>/dev/null || fwd_die; }
}
#
@@ -1638,6 +1692,9 @@
for zone in ${!service_to_zone[@]}; do
debug "ZONE=\"${zone}\" SERVICE=\"${service_to_zone[${zone}]}\""
done
+ for zone in ${!known_service_to_zone[@]}; do
+ debug "ZONE=\"${zone}\" SERVICE=\"${known_service_to_zone[${zone}]}\""
+ done
for zone in ${!masquerade_to_zone[@]}; do
debug "ZONE=\"${zone}\" MASQUERADE=\"${masquerade_to_zone[${zone}]}\""
done
@@ -1663,6 +1720,82 @@
debug
"#################################################################################"
}
+susefirewall2_absent_migration() {
+ declare -r
SUSEFIREWALL2_CONFIG_RPMSAVE="/etc/sysconfig/SuSEfirewall2.rpmsave"
+ local fw_zones=(EXT INT DMZ) cz z i rich_rule
+ local fw_services=(TCP UDP IP RPC) cs p s
+ local rich=(ACCEPT REJECT) r
+
+ info "SuSEfirewall2 is not installed. Will attempt to migrate only based
on the old configuration file"
+
+ source ${SUSEFIREWALL2_CONFIG_RPMSAVE}
+
+ info "Adding interfaces to zones"
+ for z in ${fw_zones[@]}; do
+ cz=FW_DEV_${z}
+ for i in ${!cz}; do
+ add_interface_to_zone "${z,,}" $i
+ done
+ done
+
+ info "Adding services to zones"
+ for z in ${fw_zones[@]}; do
+ for p in ${fw_services[@]}; do
+ cs=FW_SERVICES_${z}_${p}
+ for s in ${!cs}; do
+ if [[ ${s} =~ [a-z] ]]; then
+ add_known_service_to_zone "${z,,}" ${s}
+ else
+ add_service_to_zone "${z,,}" "${p,,}" ${s/:/-}
+ fi
+ done
+ done
+ done
+
+ info "Adding generic services to zones"
+ for z in ${fw_zones[@]}; do
+ for r in ${rich[@]}; do
+ cs=FW_SERVICES_${r}_${z}
+ for s in ${!cs}; do
+ IFS=',' && set -- $s && IFS=$orIFS
+ rich_rule="rule family=ipv4 source address=${1} "
+ # We can't have both protocol and port in the roles
+ if [[ ! -n ${3} ]]; then
+ rich_rule+="protocol value=${2} "
+ else
+ rich_rule+="port port=${3/:/-} protocol=${2} "
+ fi
+ rich_rule+=${r,,}
+ all_rich_rules[${z,,}]+="${rich_rule}"$'\n'
+ rinfo "${rich_rule}" "${z,,}"
+ done
+ done
+ done
+
+ info "Adding masquerade to zones"
+ if [[ ${FW_MASQUERADE:-''} == 'yes' ]]; then
+ for i in ${FW_MASQ_DEV}; do
+ if [[ ${i} =~ zone: ]]; then
+ debug "Enabling 'masquerade' on '${i#*:}' interface"
+ masquerade_to_zone[${i#*:}]=true
+ else
+ # We need to find the zone for the specific interface
+ debug "Enabling 'masquerade' to zone of the '${i}' interface"
&& \
+ for z in ${!interface_to_zone[@]}; do
+ [[ "${interface_to_zone[$z]}" =~ ${i} ]] && \
+ masquerade_to_zone[${z}]=true
+ done
+ fi
+ done
+ fi
+
+ info "Adding logging of dropped packages"
+ if [[ ${FW_LOG_DROP_CRIT:-''} == 'yes' ]] || \
+ [[ ${FW_LOG_DROP_ALL} == 'yes' ]]; then
+ LOG_DENIED=true
+ fi
+}
+
#
# dump_all_firewalld_commands: Print all the firewalld commands we executed
#
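Review bot: `susefirewall2_absent_migration` re-sources `SUSEFIREWALL2_CONFIG_RPMSAVE` (the `source ${SUSEFIREWALL2_CONFIG_RPMSAVE}` line) although the configuration appears to be loaded already by the `if [[ -e ${SUSEFIREWALL2_CONFIG} ]] … elif … RPMSAVE` block added earlier in this commit, and that block also accepts the live `/etc/sysconfig/SuSEfirewall2`, so with the package absent but that file still in place this function sources a file that may not exist. Dropping the `source` line and the function-local `declare -r SUSEFIREWALL2_CONFIG_RPMSAVE=…` removes the inconsistency; the re-declaration is suspect on its own, because if the same name is readonly at file scope (the earlier hunk's indentation does not show its scope) bash rejects the local copy with "readonly variable". If the re-read is intentional, an ownership check before executing a file that is no longer package-owned, `[[ -O ${SUSEFIREWALL2_CONFIG_RPMSAVE} ]] || error "Refusing to read ${SUSEFIREWALL2_CONFIG_RPMSAVE}: unexpected owner"`, is a cheap guard. `orIFS` on the `IFS=',' && set -- $s && IFS=$orIFS` line is not defined anywhere visible here; if it is unset, IFS is left empty for the rest of the run and later word splitting silently stops. `${FW_LOG_DROP_ALL}` also lacks the `:-''` default its neighbour `FW_LOG_DROP_CRIT` has.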
@@ -1671,7 +1804,7 @@
IFS=$'\n'
debug ""
- debug "############# The following FirewallD commands has been executed
################"
+ debug "############# The following FirewallD commands have been executed
################"
for cmd in ${all_firewalld_commands[@]}; do
debug "firewall-cmd" ${cmd}
done
@@ -1765,49 +1898,54 @@
# Reset everything if we mess up
trap recover_after_fail EXIT
-# We are now ready to do some iptables magic.
-while read rule; do
- set -- ${rule}
- action=$1; shift
- chain=$1
- vrule=$@
-
- debug "iptables rule: ${rule}"
-
- if echo "${rule}" | grep -q -- '-j LOG'; then
- # Only log denied rules
- if echo "${rule}" | grep -q -- 'DROP-DEFLT'; then
- LOG_DENIED=true
- else
- mwarn "${rule}"
+if ! susefirewall2_present; then
+ susefirewall2_absent_migration
+else
+
+ # We are now ready to do some iptables magic.
+ while read rule; do
+ set -- ${rule}
+ action=$1; shift
+ chain=$1
+ vrule=$@
+
+ debug "iptables rule: ${rule}"
+
+ if echo "${rule}" | grep -q -- '-j LOG'; then
+ # Only log denied rules
+ if echo "${rule}" | grep -q -- 'DROP-DEFLT'; then
+ LOG_DENIED=true
+ else
+ mwarn "${rule}"
+ fi
+ continue
fi
- continue
- fi
- #
- # SuSEfirewall2 does not normally generate rules with inverted components
- # so skip it for now. However this may exist in custom rules... The grep
- # is probably not great but it will do for now. Furthermore inverted rules
- # will probably need rich or direct rules which is something we don't
- # normally do.
- #
- echo "${rule}" | grep -q -- '!' && \
- { debug "Inverted rules are being ignored!"; continue; }
-
- case $action in
- -P) ;; # Skip policy rules. firewalld will do that for us
- -N) ;; # firewalld will create its own chains
- -A) do_iptables_new_rule $vrule ;;
- IP_VERSION*) eval ${action} && debug "Setting IP_VERSION to
\"${IP_VERSION}\"" ;;
- *) debug "Unhandled iptables action=${action} chain=${chain}
rule=${vrule}" ;;
- esac
+ #
+ # SuSEfirewall2 does not normally generate rules with inverted
components
+ # so skip it for now. However this may exist in custom rules... The
grep
+ # is probably not great but it will do for now. Furthermore inverted
rules
+ # will probably need rich or direct rules which is something we don't
+ # normally do.
+ #
+ echo "${rule}" | grep -q -- '!' && \
+ { debug "Inverted rules are being ignored!"; continue; }
- # Make sure IP_VERSION is not empty
- [[ -z ${IP_VERSION} ]] && need_bug_report && error "IP_VERSION is not set!"
-done < \
-<( \
- echo "IP_VERSION=ipv4"; iptables -w -t mangle -S; iptables -w -S; iptables
-w -t nat -S; \
- echo "IP_VERSION=ipv6"; ip6tables -w -t mangle -S; ip6tables -w -S;
ip6tables -w -t nat -S \
-)
+ case $action in
+ -P) ;; # Skip policy rules. firewalld will do that for us
+ -N) ;; # firewalld will create its own chains
+ -A) do_iptables_new_rule $vrule ;;
+ IP_VERSION*) eval ${action} && debug "Setting IP_VERSION to
\"${IP_VERSION}\"" ;;
+ *) debug "Unhandled iptables action=${action} chain=${chain}
rule=${vrule}" ;;
+ esac
+
+ # Make sure IP_VERSION is not empty
+ [[ -z ${IP_VERSION} ]] && need_bug_report && error "IP_VERSION is not
set!"
+ done < \
+ <( \
+ echo "IP_VERSION=ipv4"; iptables -w -t mangle -S; iptables -w -S;
iptables -w -t nat -S; \
+ echo "IP_VERSION=ipv6"; ip6tables -w -t mangle -S; ip6tables -w -S;
ip6tables -w -t nat -S \
+ )
+fi
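Review bot: The loop moved under `else` keeps `IP_VERSION*) eval ${action}` for lines that are always the script's own `echo "IP_VERSION=ipv4"` / `"IP_VERSION=ipv6"` markers in the process substitution; a plain assignment `IP_VERSION=${action#IP_VERSION=}` sets the same value without evaluating any text from the iptables dump as shell. `while read rule` should also be `while read -r rule` so backslashes in rules are kept verbatim. `set -- ${rule}` deliberately relies on word splitting of the unquoted expansion, which deserves a one-line comment such as `# unquoted on purpose: split the rule into words` so it is not "fixed" by a later quoting pass. The `if ! susefirewall2_present` block opens and closes within this hunk.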
add_interfaces_to_default_zone
@@ -1867,4 +2005,8 @@
# Phew! All done right?
trap EXIT
+# Make it official
+susefirewall2_init switch
+
exit 0
+# vim: set ts=4 sw=4 expandtab:
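Review bot: `susefirewall2_init switch` is called after `trap EXIT` has removed the `recover_after_fail` handler (installed by `trap recover_after_fail EXIT` earlier in this file), so if any of its `|| error` branches terminates the script the host can be left with SuSEfirewall2 stopped and disabled but firewalld not yet started, with no rollback; what `error` does on failure is not visible here. Either move the call before `trap EXIT` so a failed switch is still recovered, or state the decision in the comment, e.g. `# Make it official. Failures past this point are not rolled back.`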