Hello community, here is the log from the commit of package SuSEfirewall2 for openSUSE:Factory checked in at 2012-05-31 17:10:37 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/SuSEfirewall2 (Old) and /work/SRC/openSUSE:Factory/.SuSEfirewall2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "SuSEfirewall2", Maintainer is "lnus...@suse.com" Changes: -------- --- /work/SRC/openSUSE:Factory/SuSEfirewall2/SuSEfirewall2.changes 2011-11-07 15:56:52.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.SuSEfirewall2.new/SuSEfirewall2.changes 2012-05-31 17:10:40.000000000 +0200 @@ -1,0 +2,17 @@ +Tue May 29 13:16:20 UTC 2012 - lnus...@suse.de + +- fix typo spotted by Frederic + +------------------------------------------------------------------- +Wed Jan 18 14:17:19 UTC 2012 - lnus...@suse.de + +- assume all interface names are correct (bnc#739084) + +------------------------------------------------------------------- +Wed Dec 14 16:55:43 UTC 2011 - lnus...@suse.de + +- fix forward masquerading (bnc#736205) +- compat syntax for negated options no longer works (bnc#660156, bnc#731088) +- enhance debug mode + +------------------------------------------------------------------- Old: ---- SuSEfirewall2-3.6.282.tar.bz2 SuSEfirewall2.rpmlintrc New: ---- SuSEfirewall2-3.6.289.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ SuSEfirewall2.spec ++++++ --- /var/tmp/diff_new_pack.GJHq1k/_old 2012-05-31 17:10:42.000000000 +0200 +++ /var/tmp/diff_new_pack.GJHq1k/_new 2012-05-31 17:10:42.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package SuSEfirewall2 # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -19,7 +19,7 @@ Name: SuSEfirewall2 -Version: 3.6.282 +Version: 3.6.289 Release: 1 License: GPL-2.0+ Group: Productivity/Networking/Security ++++++ SuSEfirewall2-3.6.282.tar.bz2 -> SuSEfirewall2-3.6.289.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.282/Makefile new/SuSEfirewall2-3.6.289/Makefile --- old/SuSEfirewall2-3.6.282/Makefile 2011-11-07 11:55:00.000000000 +0100 +++ new/SuSEfirewall2-3.6.289/Makefile 2012-05-29 15:10:20.000000000 +0200 @@ -69,8 +69,8 @@ install -m 644 LICENCE $(DESTDIR)$(pkgdocdir)/ install -m 644 SuSEfirewall2.sysconfig $(DESTDIR)$(pkgdocdir)/ -dist: - @./mktar +package: + @./obs/mkpackage doc: $(MAKE) -C doc @@ -78,4 +78,4 @@ clean: rm -f $(ARCHIVE) -.PHONY: clean doc dist install install_doc all +.PHONY: clean doc package install install_doc all diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.282/SuSEfirewall2 new/SuSEfirewall2-3.6.289/SuSEfirewall2 --- old/SuSEfirewall2-3.6.282/SuSEfirewall2 2011-11-07 11:55:00.000000000 +0100 +++ new/SuSEfirewall2-3.6.289/SuSEfirewall2 2012-05-29 15:10:20.000000000 +0200 @@ -72,7 +72,7 @@ open open the specified services in the specified zone. You need to restart SuSEfirewall2 for changes to take effect. on add SuSEfirewall2 initscripts to boot process and start - off remove SuSEefirwall2 initscripts from boot process and stop + off remove SuSEfirwall2 initscripts from boot process and stop file FILENAME same as "start" but load alternate config file FILENAME @@ -321,6 +321,10 @@ { echo modprobe "$@" } + syslog() + { + echo "# <$1> ${*:2}" + } else IPTABLES="$IPTABLES_BIN" IP6TABLES="$IP6TABLES_BIN" 
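Review bot: The `off` line of the usage text in the `@@ -72,7 +72,7 @@` hunk is still misspelled after this change: `SuSEefirwall2` became `SuSEfirwall2`, which removes the doubled `e` but still lacks the `e` in `firewall`. The line should read `off remove SuSEfirewall2 initscripts from boot process and stop`, matching the `on` line directly above it.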
@@ -772,38 +776,6 @@ esac } -# set $dev to actual name of device $1 -getdevinfo() -{ - local dev= - local d="$1" - local var="$2" - if [ -d /sys/class/net/"$d" ]; then - dev="$d" - else - local deprecatediface= - if [ -x /sbin/getcfg-interface ]; then - dev=`/sbin/getcfg-interface "$d"` - elif [ -x "$hwdesc2iface" ]; then - case "$d" in - *-id-*) dev=`$hwdesc2iface id ${d#*-id-}`; deprecatediface=1 ;; - *-bus-*) dev=`$hwdesc2iface bus ${d#*-bus-}`; deprecatediface=1 ;; - esac - fi - - if [ -z "$dev" -o ! -d /sys/class/net/"$dev" ]; then - return 1 - fi - - if [ -n "$deprecatediface" ]; then - warning "$var: the notation '$d' is deprecated. Please use '$dev' instead" - fi - fi - - echo "$dev" - return 0 -} - setlock() { if [ "$remove_bootlock" -ne 0 ]; then @@ -872,7 +844,6 @@ warning "ignoring deprecated interface 'auto' in $var" continue fi - dev=`getdevinfo "$dev" "$var"` || continue case "$dev" in *:*) continue; ;; esac devs="$devs $dev" @@ -928,6 +899,7 @@ { local d z local have_override='' + [ "${FW_AUTODETECT_INTERFACES:-yes}" = 'yes' ] || return set -- /sys/class/net/* for d in "$@"; do test -d "$d" || continue @@ -1071,7 +1043,6 @@ continue fi fi - dev=`getdevinfo "$dev" FW_MASQ_DEV` || continue case "$dev" in *:*) continue; ;; esac devs="$devs $dev" 
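Review bot: The new guard `[ "${FW_AUTODETECT_INTERFACES:-yes}" = 'yes' ] || return` in the `@@ -928,6 +899,7 @@` hunk leaves the function with the status of the failed test, so switching autodetection off makes it return 1; `|| return 0` states the intent and stays safe if a caller checks the status. Only the exact lower-case string `yes` enables detection, so a value such as `Yes` silently disables it, and the variable is introduced here without any comment. A line such as `# skip interface autodetection unless FW_AUTODETECT_INTERFACES is 'yes' (the default)` above the guard would help, the more so because this commit also drops the getdevinfo existence check for configured interface names. The function's header and the rest of its body are outside the hunk.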
@@ -1873,10 +1844,34 @@ fi } +# construct -s/-d pairs with correct negation +net2srcdst() +{ + local name="$1" + local value=${2#\!} + if [ -z "$value" ]; then + echo "${name}_src=" + echo "${name}_dst=" + echo "${name}_neg=" + return + fi + local neg= + if [ "$2" != "$value" ]; then + neg='! ' + echo "${name}_neg=1" + else + echo "${name}_neg=" + fi + echo "${name}_src=\"$neg-s $value\"" + echo "${name}_dst=\"$neg-d $value\"" +} + # redirect packets from one port to another, opens ports in input_* redirect_rules() { - local chain nets net1 net2 proto port1 port2 + local chain nets proto port1 port2 + local net1 net1_neg net1_src net1_dst + local net2 net2_neg net2_src net2_dst local redirectinstalled for nets in $FW_REDIRECT; do IFS=, eval set -- \$nets @@ -1900,10 +1895,10 @@ if [ -n "$port2" ]; then port2="--to-ports $port2" fi - net1=${net1/\!/\! } - net2=${net2/\!/\! } - $IPTABLES -A PREROUTING -t mangle -j MARK -p $proto -s $net1 -d $net2 $port1 --set-mark $mark_redir - $IPTABLES -A PREROUTING -t nat -j REDIRECT -p $proto -s $net1 -d $net2 $port1 $port2 + eval `net2srcdst net1 "$net1"` + eval `net2srcdst net2 "$net2"` + $IPTABLES -A PREROUTING -t mangle -j MARK -p $proto $net1_src $net2_dst $port1 --set-mark $mark_redir + $IPTABLES -A PREROUTING -t nat -j REDIRECT -p $proto $net1_src $net2_dst $port1 $port2 redirectinstalled=1 fi done @@ -2051,7 +2046,9 @@ masquerading_rules() { - local nets net1 net2 proto port dev snet2 sport + local nets proto port dev sport + local net1 net1_neg net1_src net1_dst + local net2 net2_neg net2_src net2_dst local szone dzone sdev sdevs local z d local var='FW_NOMASQ_NETS' 
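Review bot: `net2srcdst` (hunk `@@ -1873,10 +1844,34 @@`) prints shell assignments with the configured network spliced between double quotes, and every caller runs that text through an unquoted `eval`, so a value containing `"`, `$` or a backquote is re-parsed as shell code instead of reaching iptables as data. The values come from the sysconfig lists (FW_REDIRECT in the next hunk; the same pattern is used in masquerading_rules and forward_masquerading_rules further down), which are presumably root-owned, but assigning the variables directly removes the second parse altogether. Bash lets a callee set its caller's `local` variables, so the function can use `printf -v` and the call sites drop `eval`. The `_neg` result is not read in any visible hunk; it is kept below so the interface stays the same.

```shell
# construct -s/-d pairs with correct negation; sets ${1}_src, ${1}_dst and
# ${1}_neg in the caller's scope instead of printing code for eval
net2srcdst()
{
    local name="$1"
    local value=${2#\!}
    local neg=
    if [ -n "$value" ] && [ "$2" != "$value" ]; then
	neg='! '
    fi
    printf -v "${name}_neg" '%s' "${neg:+1}"
    printf -v "${name}_src" '%s' "${value:+$neg-s $value}"
    printf -v "${name}_dst" '%s' "${value:+$neg-d $value}"
}

# ... unchanged: redirect_rules up to the port2 handling ...
net2srcdst net1 "$net1"
net2srcdst net2 "$net2"
```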
@@ -2073,20 +2070,14 @@ elif [ -z "$net1" ]; then error "source network must not be empty in $var -> $nets" elif check_proto_port "$proto" "$port" '' "$var"; then - net1=${net1/\!/\! } - net2=${net2/\!/\! } - snet2="" - if [ -n "$net2" ]; then - snet2="-s $net2" - net2="-d $net2" - fi - + eval `net2srcdst net1 "$net1"` + eval `net2srcdst net2 "$net2"` for dev in $FW_MASQ_DEV; do d=${dev//[^A-Za-z0-9]/_} eval z=\${iface_$d} if [ "$var" = "FW_NOMASQ_NETS" ]; then # cheap hack - $IPTABLES -A POSTROUTING -j ACCEPT -t nat -s $net1 $net2 $proto $port -o $dev + $IPTABLES -A POSTROUTING -j ACCEPT -t nat $net1_src $net2_dst $proto $port -o $dev continue fi 
@@ -2099,19 +2090,19 @@ [ "$sdev" = "$dev" ] && continue if [ "forward_$z" != "$dzone" ]; then #echo "$dzone: $sdev ($szone) -> $dev ($z)" - $LAA $IPTABLES -A $dzone ${LOG}"-`rulelog $dzone`-ACC-MASQ " -s $net1 $net2 $proto $port -i $sdev -o $dev - $IPTABLES -A $dzone -j "$ACCEPT" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -s $net1 $net2 $proto $port -i $sdev -o $dev + $LAA $IPTABLES -A $dzone ${LOG}"-`rulelog $dzone`-ACC-MASQ " $net1_src $net2_dst $proto $port -i $sdev -o $dev + $IPTABLES -A $dzone -j "$ACCEPT" -m conntrack --ctstate NEW,ESTABLISHED,RELATED $net1_src $net2_dst $proto $port -i $sdev -o $dev else #echo "$dzone: $sdev ($szone) <- $dev ($z)" # we need to allow the replies as well - $LAA $IPTABLES -A $dzone -d $net1 $snet2 $proto $rport -i $dev -o $sdev ${LOG}"-`rulelog $dzone`-ACC-MASQ " -m conntrack --ctstate ESTABLISHED,RELATED - $IPTABLES -A $dzone -d $net1 $snet2 $proto $rport -i $dev -o $sdev -j "$ACCEPT" -m conntrack --ctstate ESTABLISHED,RELATED + $LAA $IPTABLES -A $dzone $net1_dst $net2_src $proto $rport -i $dev -o $sdev ${LOG}"-`rulelog $dzone`-ACC-MASQ " -m conntrack --ctstate ESTABLISHED,RELATED + $IPTABLES -A $dzone $net1_dst $net2_src $proto $rport -i $dev -o $sdev -j "$ACCEPT" -m conntrack --ctstate ESTABLISHED,RELATED fi done done done - $IPTABLES -A POSTROUTING -j MASQUERADE -t nat -s $net1 $net2 $proto $port -o $dev + $IPTABLES -A POSTROUTING -j MASQUERADE -t nat $net1_src $net2_dst $proto $port -o $dev done fi done 
@@ -2122,19 +2113,21 @@ # <source network>,<destination>,<protocol>,<port>,<ip to forward to>,<redirect port> forward_masquerading_rules() { - local nets net1 net2 proto port1 port2 lip + local nets proto port1 port2 lip + local net1 net1_neg net1_src net1_dst + local net2 net2_neg net2_src net2_dst for nets in $FW_FORWARD_MASQ; do IFS=, eval set -- \$nets net1="$1" - net2="$2" + target="$2" proto="$3" port1="$4" port2="$5" - lip="$6" + net2="$6" - case "$net2" in - */*|'') + case "$target" in + */*|\!*|'') error "target must be a single host in FW_FORWARD_MASQ -> $nets" continue ;; 
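Review bot: `target` is assigned in this hunk but appears in neither of the new `local` lists, so it leaks into the global scope together with the `target_src`/`target_dst`/`target_neg` variables that the following hunk creates through net2srcdst, while `lip` stays declared although nothing assigns it any more. Suggested declarations: `local nets proto port1 port2` and an added `local target target_neg target_src target_dst`. The format comment above the function also does not match the field order the code reads (`$2` is the forward target, `$5` the redirect port, `$6` the optional destination) and should be corrected in the same change. The function body continues beyond this hunk.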
@@ -2149,29 +2142,29 @@ elif [ -z "$port1" ]; then error "Port missing in FW_FORWARD_MASQ -> $nets" else - net1=${net1/\!/\! } - net2=${net2/\!/\! } + eval `net2srcdst net1 "$net1"` + eval `net2srcdst net2 "$net2"` + eval `net2srcdst target "$target"` proto="-p $proto" test -z "$port2" && port2="$port1" port1="--dport $port1" dport2="--dport $port2" port2=":${port2/:/-}" - test -n "$lip" && lip="-d $lip" for dev in $FW_MASQ_DEV; do - $IPTABLES -A PREROUTING -j DNAT -t nat $proto -s $net1 $lip $port1 --to-destination ${net2}${port2} -i $dev + $IPTABLES -A PREROUTING -j DNAT -t nat $proto $net1_src $net2_dst $port1 --to-destination ${target}${port2} -i $dev # to install minimal rule set we'd need to check if # $net1 is covered by $FW_MASQ_NETS. Not feasible in # bash code so just check for 0/0 if [ "$FW_MASQ_NETS" != "0/0" ]; then - $IPTABLES -A POSTROUTING -j MASQUERADE -t nat -s $net1 -d $net2 $proto $dport2 -o $dev + $IPTABLES -A POSTROUTING -j MASQUERADE -t nat $net1_src $net2_dst $proto $dport2 -o $dev fi done for chain in $forward_zones; do chain=forward_$chain - $LAC $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-REVMASQ " $proto -s $net1 -d $net2 $dport2 -m conntrack --ctstate NEW - $LAA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-REVMASQ " $proto -s $net1 -d $net2 $dport2 - $IPTABLES -A $chain -j "$ACCEPT" $proto -s $net1 -d $net2 $dport2 - $IPTABLES -A $chain -j "$ACCEPT" $proto -d $net1 -s $net2 -m conntrack --ctstate ESTABLISHED,RELATED + $LAC $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-REVMASQ " $proto $net1_src $target_dst $dport2 -m conntrack --ctstate NEW + $LAA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-REVMASQ " $proto $net1_src $target_dst $dport2 + $IPTABLES -A $chain -j "$ACCEPT" $proto $net1_src $target_dst $dport2 + $IPTABLES -A $chain -j "$ACCEPT" $proto $net1_dst $target_src -m conntrack --ctstate ESTABLISHED,RELATED done fi done diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' 
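Review bot: The POSTROUTING MASQUERADE rule in this hunk now matches `$net2_dst`, but after this commit `net2` holds the optional original destination (`$6`, formerly `lip`) rather than the forward target, whereas the removed line matched `-d $net2` when `net2` still was the target. By the time a packet reaches POSTROUTING the DNAT rule has already rewritten its destination, so this looks like it should be `$IPTABLES -A POSTROUTING -j MASQUERADE -t nat $net1_src $target_dst $proto $dport2 -o $dev`, in line with the forward-chain rules below it that use `$target_dst`. As written, an empty sixth field leaves the rule without any destination match, which masquerades more traffic than before, and a non-empty one would probably never match. Worth confirming against bnc#736205 before release.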
old/SuSEfirewall2-3.6.282/mktar new/SuSEfirewall2-3.6.289/mktar
--- old/SuSEfirewall2-3.6.282/mktar 2011-11-07 11:55:00.000000000 +0100
+++ new/SuSEfirewall2-3.6.289/mktar 1970-01-01 01:00:00.000000000 +0100
@@ -1,13 +0,0 @@
-#!/bin/sh
-set -e
-NAME=SuSEfirewall2
-VERSION=3.6
-revs=`git rev-list master|wc -l`
-# there are two empty commits in svn were not converted to git
-# commits so increase revs by two
-let revs=revs+2
-vers="${VERSION:+${VERSION}.}$revs"
-pfx="$NAME-$vers"
-fn="$pfx".tar.bz2
-git archive --prefix="$pfx"/ HEAD | bzip2 > $fn
-echo "version $vers -> $fn"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.282/obs/mkchanges new/SuSEfirewall2-3.6.289/obs/mkchanges
--- old/SuSEfirewall2-3.6.282/obs/mkchanges 1970-01-01 01:00:00.000000000 +0100
+++ new/SuSEfirewall2-3.6.289/obs/mkchanges 2012-05-29 15:10:20.000000000 +0200
@@ -0,0 +1,11 @@
+#!/bin/sh
+# create log suitable for c&p into rpm changes file
+if [ -z "$1" ]; then
+ set -- remotes/origin/master..HEAD
+elif [ "${1%.changes}" != "$1" ]; then
+ # parse time stamp of .changes file
+ d=`awk 'NR==2{FS=" - ";$0=$0;print $1;exit}' < $1`
+ set -- --since="$d" HEAD
+fi
+# no idea why it always prints those commit lines
+git rev-list --pretty=format:"- %s" "$@" |grep -v ^commit
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.282/obs/mkpackage new/SuSEfirewall2-3.6.289/obs/mkpackage
--- old/SuSEfirewall2-3.6.282/obs/mkpackage 1970-01-01 01:00:00.000000000 +0100
+++ new/SuSEfirewall2-3.6.289/obs/mkpackage 2012-05-29 15:10:20.000000000 +0200
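Review bot: In the new obs/mkchanges, the redirection `< $1` in the `d=` line is unquoted, so a .changes path containing whitespace or glob characters breaks the awk call; `< "$1"` fixes that. The script has no `set -e`, so when awk yields nothing `d` is empty and `--since=""` is passed to git without any diagnostic; a guard such as `[ -n "$d" ] || exit 1` after the assignment would make that visible. On the "no idea why" comment: `git rev-list --pretty` always prints a `commit <sha>` header per entry, so the `grep -v ^commit` filter is expected rather than accidental, and the comment could say so.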
@@ -0,0 +1,61 @@
+#!/bin/bash
+set -e
+shopt -s nullglob
+name="`pwd -P`"
+name=${name##*/}
+name=${name%%.*}
+dstdir="package"
+src="$PWD"
+if [ ! -d "$dstdir/.osc" ]; then
+ echo "*** Error: please check out the package:"
+ echo "osc branch openSUSE:Factory $name"
+ echo "ln -s home\:*\:branches\:*/$name $dstdir"
+ exit 1
+fi
+if [ "`git --no-pager diff --name-only|wc -l`" != '0' -o "`git --no-pager diff --name-only --cached|wc -l`" != 0 ]; then
+ echo "*** Error: uncomitted changes"
+ echo "run 'git add file' to add files, 'git commit -a' to commit changes"
+ exit 1
+fi
+cd "$dstdir"
+echo "osc up"
+osc up
+cd "$src"
+"$src"/obs/mkchanges "$dstdir/$name".changes | tee "$dstdir"/.changes
+#test ! -s $dstdir/.changes || git push
+for i in *.bz2; do
+ /bin/rm -vi "$i"
+done
+cd "$src"
+eval `"$src"/obs/mktar`
+mv "$FILENAME" "$dstdir"
+cd "$dstdir"
+osc add "$FILENAME"
+if [ -n "$VERSION" ]; then
+ read sourcefile < <(/usr/lib/build/spectool --tag "/source0?/" "$name".spec)
+ if [ -n "$sourcefile" ]; then
+ sourcefile="${sourcefile/*: /}"
+ if [ -e "$sourcefile" ]; then
+ osc rm -f "$sourcefile" || true
+ fi
+ fi
+ sed -i -e "0,/^Version: /{s/^\(Version: *\).*/\1$VERSION/;}" "$name".spec
+fi
+osc vc "$name".changes .changes && rm -f .changes
+cd "$src"
+if [ -n "`git rev-list remotes/origin/master..HEAD`" ]; then
+ pushed=
+ if ! grep -q refs/heads/master .git/HEAD; then
+ echo "Warning: not on master branch"
+ elif read -p "push changes now? (Y/n) "; then
+ if [ -z "$REPLY" -o "${REPLY#y}" != "$REPLY" ]; then
+ git push && pushed=1 || true
+ fi
+ fi
+ if [ -z "$pushed" ]; then
+ echo "*** Warning: changes not pushed!"
+ else
+ cd "$dstdir"
+ osc ci
+ fi
+fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.282/obs/mktar new/SuSEfirewall2-3.6.289/obs/mktar
--- old/SuSEfirewall2-3.6.282/obs/mktar 1970-01-01 01:00:00.000000000 +0100
+++ new/SuSEfirewall2-3.6.289/obs/mktar 2012-05-29 15:10:20.000000000 +0200
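Review bot: The push prompt near the end of obs/mkpackage advertises `(Y/n)`, but the test `"${REPLY#y}" != "$REPLY"` recognises only a lower-case `y`, so answering `Y` counts as a refusal and the `osc ci` step is skipped; `"${REPLY#[yY]}" != "$REPLY"` accepts both. Separately, the `eval` of the mktar output executes whatever that script prints and never sees its exit status, so a failed archive step is only noticed indirectly when `mv "$FILENAME"` fails; capturing it first with `out=$("$src"/obs/mktar)` and then running `eval "$out"` lets `set -e` stop at the real failure. The error text `uncomitted` should read `uncommitted`.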
@@ -0,0 +1,17 @@
+#!/bin/sh
+set -e
+NAME=SuSEfirewall2
+VERSION=3.6
+revs=`git rev-list master|wc -l`
+# there are two empty commits in svn were not converted to git
+# commits so increase revs by two
+let revs=revs+2
+vers="${VERSION:+${VERSION}.}$revs"
+pfx="$NAME-$vers"
+fn="$pfx".tar.bz2
+if ! git config --get tar.umask >/dev/null 2>&1 ; then
+ git config --add tar.umask 022
+fi
+git archive --prefix="$pfx"/ HEAD | bzip2 > $fn
+echo "VERSION=$vers"
+echo "FILENAME=$fn"
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
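Review bot: In obs/mktar the pipeline `git archive --prefix="$pfx"/ HEAD | bzip2 > $fn` reports only bzip2's status, so under `set -e` a failing `git archive` still leaves a truncated tarball and the script goes on to print `VERSION=`/`FILENAME=`, which obs/mkpackage evals and hands to `osc add`. Plain `/bin/sh` has no portable pipefail, so either switch the shebang to bash and add `set -o pipefail`, or archive to a temporary file and compress it in a second step. `let revs=revs+2` is a bashism under `#!/bin/sh`; `revs=$((revs + 2))` is the POSIX form. The new `git config --add tar.umask 022` also rewrites the repository configuration permanently as a side effect of building a tarball, whereas `git -c tar.umask=022 archive ...` would limit the setting to this one command.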