Hello community,
here is the log from the commit of package SuSEfirewall2 for openSUSE:Factory
checked in at 2012-05-31 17:10:37
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/SuSEfirewall2 (Old)
and /work/SRC/openSUSE:Factory/.SuSEfirewall2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "SuSEfirewall2", Maintainer is "lnus...@suse.com"
Changes:
--------
--- /work/SRC/openSUSE:Factory/SuSEfirewall2/SuSEfirewall2.changes
2011-11-07 15:56:52.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.SuSEfirewall2.new/SuSEfirewall2.changes
2012-05-31 17:10:40.000000000 +0200
@@ -1,0 +2,17 @@
+Tue May 29 13:16:20 UTC 2012 - lnus...@suse.de
+
+- fix typo spotted by Frederic
+
+-------------------------------------------------------------------
+Wed Jan 18 14:17:19 UTC 2012 - lnus...@suse.de
+
+- assume all interface names are correct (bnc#739084)
+
+-------------------------------------------------------------------
+Wed Dec 14 16:55:43 UTC 2011 - lnus...@suse.de
+
+- fix forward masquerading (bnc#736205)
+- compat syntax for negated options no longer works (bnc#660156, bnc#731088)
+- enhance debug mode
+
+-------------------------------------------------------------------
Old:
----
SuSEfirewall2-3.6.282.tar.bz2
SuSEfirewall2.rpmlintrc
New:
----
SuSEfirewall2-3.6.289.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ SuSEfirewall2.spec ++++++
--- /var/tmp/diff_new_pack.GJHq1k/_old 2012-05-31 17:10:42.000000000 +0200
+++ /var/tmp/diff_new_pack.GJHq1k/_new 2012-05-31 17:10:42.000000000 +0200
@@ -1,7 +1,7 @@
#
# spec file for package SuSEfirewall2
#
-# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
Name: SuSEfirewall2
-Version: 3.6.282
+Version: 3.6.289
Release: 1
License: GPL-2.0+
Group: Productivity/Networking/Security
++++++ SuSEfirewall2-3.6.282.tar.bz2 -> SuSEfirewall2-3.6.289.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/SuSEfirewall2-3.6.282/Makefile
new/SuSEfirewall2-3.6.289/Makefile
--- old/SuSEfirewall2-3.6.282/Makefile 2011-11-07 11:55:00.000000000 +0100
+++ new/SuSEfirewall2-3.6.289/Makefile 2012-05-29 15:10:20.000000000 +0200
@@ -69,8 +69,8 @@
install -m 644 LICENCE $(DESTDIR)$(pkgdocdir)/
install -m 644 SuSEfirewall2.sysconfig $(DESTDIR)$(pkgdocdir)/
-dist:
- @./mktar
+package:
+ @./obs/mkpackage
doc:
$(MAKE) -C doc
@@ -78,4 +78,4 @@
clean:
rm -f $(ARCHIVE)
-.PHONY: clean doc dist install install_doc all
+.PHONY: clean doc package install install_doc all
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/SuSEfirewall2-3.6.282/SuSEfirewall2
new/SuSEfirewall2-3.6.289/SuSEfirewall2
--- old/SuSEfirewall2-3.6.282/SuSEfirewall2 2011-11-07 11:55:00.000000000
+0100
+++ new/SuSEfirewall2-3.6.289/SuSEfirewall2 2012-05-29 15:10:20.000000000
+0200
@@ -72,7 +72,7 @@
open open the specified services in the specified zone. You need to
restart SuSEfirewall2 for changes to take effect.
on add SuSEfirewall2 initscripts to boot process and start
- off remove SuSEefirwall2 initscripts from boot process and stop
+ off remove SuSEfirwall2 initscripts from boot process and stop
file FILENAME same as "start" but load alternate config file FILENAME
@@ -321,6 +321,10 @@
{
echo modprobe "$@"
}
+ syslog()
+ {
+ echo "# <$1> ${*:2}"
+ }
else
IPTABLES="$IPTABLES_BIN"
IP6TABLES="$IP6TABLES_BIN"
@@ -772,38 +776,6 @@
esac
}
-# set $dev to actual name of device $1
-getdevinfo()
-{
- local dev=
- local d="$1"
- local var="$2"
- if [ -d /sys/class/net/"$d" ]; then
- dev="$d"
- else
- local deprecatediface=
- if [ -x /sbin/getcfg-interface ]; then
- dev=`/sbin/getcfg-interface "$d"`
- elif [ -x "$hwdesc2iface" ]; then
- case "$d" in
- *-id-*) dev=`$hwdesc2iface id ${d#*-id-}`; deprecatediface=1 ;;
- *-bus-*) dev=`$hwdesc2iface bus ${d#*-bus-}`; deprecatediface=1
;;
- esac
- fi
-
- if [ -z "$dev" -o ! -d /sys/class/net/"$dev" ]; then
- return 1
- fi
-
- if [ -n "$deprecatediface" ]; then
- warning "$var: the notation '$d' is deprecated. Please use '$dev'
instead"
- fi
- fi
-
- echo "$dev"
- return 0
-}
-
setlock()
{
if [ "$remove_bootlock" -ne 0 ]; then
@@ -872,7 +844,6 @@
warning "ignoring deprecated interface 'auto' in $var"
continue
fi
- dev=`getdevinfo "$dev" "$var"` || continue
case "$dev" in *:*) continue; ;; esac
devs="$devs $dev"
@@ -928,6 +899,7 @@
{
local d z
local have_override=''
+ [ "${FW_AUTODETECT_INTERFACES:-yes}" = 'yes' ] || return
set -- /sys/class/net/*
for d in "$@"; do
test -d "$d" || continue
@@ -1071,7 +1043,6 @@
continue
fi
fi
- dev=`getdevinfo "$dev" FW_MASQ_DEV` || continue
case "$dev" in *:*) continue; ;; esac
devs="$devs $dev"
@@ -1873,10 +1844,34 @@
fi
}
+# construct -s/-d pairs with correct negation
+net2srcdst()
+{
+ local name="$1"
+ local value=${2#\!}
+ if [ -z "$value" ]; then
+ echo "${name}_src="
+ echo "${name}_dst="
+ echo "${name}_neg="
+ return
+ fi
+ local neg=
+ if [ "$2" != "$value" ]; then
+ neg='! '
+ echo "${name}_neg=1"
+ else
+ echo "${name}_neg="
+ fi
+ echo "${name}_src=\"$neg-s $value\""
+ echo "${name}_dst=\"$neg-d $value\""
+}
+
# redirect packets from one port to another, opens ports in input_*
redirect_rules()
{
- local chain nets net1 net2 proto port1 port2
+ local chain nets proto port1 port2
+ local net1 net1_neg net1_src net1_dst
+ local net2 net2_neg net2_src net2_dst
local redirectinstalled
for nets in $FW_REDIRECT; do
IFS=, eval set -- \$nets
@@ -1900,10 +1895,10 @@
if [ -n "$port2" ]; then
port2="--to-ports $port2"
fi
- net1=${net1/\!/\! }
- net2=${net2/\!/\! }
- $IPTABLES -A PREROUTING -t mangle -j MARK -p $proto -s $net1 -d
$net2 $port1 --set-mark $mark_redir
- $IPTABLES -A PREROUTING -t nat -j REDIRECT -p $proto -s $net1 -d
$net2 $port1 $port2
+ eval `net2srcdst net1 "$net1"`
+ eval `net2srcdst net2 "$net2"`
+ $IPTABLES -A PREROUTING -t mangle -j MARK -p $proto $net1_src
$net2_dst $port1 --set-mark $mark_redir
+ $IPTABLES -A PREROUTING -t nat -j REDIRECT -p $proto $net1_src
$net2_dst $port1 $port2
redirectinstalled=1
fi
done
@@ -2051,7 +2046,9 @@
masquerading_rules()
{
- local nets net1 net2 proto port dev snet2 sport
+ local nets proto port dev sport
+ local net1 net1_neg net1_src net1_dst
+ local net2 net2_neg net2_src net2_dst
local szone dzone sdev sdevs
local z d
local var='FW_NOMASQ_NETS'
@@ -2073,20 +2070,14 @@
elif [ -z "$net1" ]; then
error "source network must not be empty in $var -> $nets"
elif check_proto_port "$proto" "$port" '' "$var"; then
- net1=${net1/\!/\! }
- net2=${net2/\!/\! }
- snet2=""
- if [ -n "$net2" ]; then
- snet2="-s $net2"
- net2="-d $net2"
- fi
-
+ eval `net2srcdst net1 "$net1"`
+ eval `net2srcdst net2 "$net2"`
for dev in $FW_MASQ_DEV; do
d=${dev//[^A-Za-z0-9]/_}
eval z=\${iface_$d}
if [ "$var" = "FW_NOMASQ_NETS" ]; then # cheap hack
- $IPTABLES -A POSTROUTING -j ACCEPT -t nat -s $net1 $net2
$proto $port -o $dev
+ $IPTABLES -A POSTROUTING -j ACCEPT -t nat $net1_src
$net2_dst $proto $port -o $dev
continue
fi
@@ -2099,19 +2090,19 @@
[ "$sdev" = "$dev" ] && continue
if [ "forward_$z" != "$dzone" ]; then
#echo "$dzone: $sdev ($szone) -> $dev ($z)"
- $LAA $IPTABLES -A $dzone ${LOG}"-`rulelog
$dzone`-ACC-MASQ " -s $net1 $net2 $proto $port -i $sdev -o $dev
- $IPTABLES -A $dzone -j "$ACCEPT" -m conntrack
--ctstate NEW,ESTABLISHED,RELATED -s $net1 $net2 $proto $port -i $sdev -o $dev
+ $LAA $IPTABLES -A $dzone ${LOG}"-`rulelog
$dzone`-ACC-MASQ " $net1_src $net2_dst $proto $port -i $sdev -o $dev
+ $IPTABLES -A $dzone -j "$ACCEPT" -m conntrack
--ctstate NEW,ESTABLISHED,RELATED $net1_src $net2_dst $proto $port -i $sdev -o
$dev
else
#echo "$dzone: $sdev ($szone) <- $dev ($z)"
# we need to allow the replies as well
- $LAA $IPTABLES -A $dzone -d $net1 $snet2 $proto
$rport -i $dev -o $sdev ${LOG}"-`rulelog $dzone`-ACC-MASQ " -m conntrack
--ctstate ESTABLISHED,RELATED
- $IPTABLES -A $dzone -d $net1 $snet2 $proto
$rport -i $dev -o $sdev -j "$ACCEPT" -m conntrack --ctstate ESTABLISHED,RELATED
+ $LAA $IPTABLES -A $dzone $net1_dst $net2_src
$proto $rport -i $dev -o $sdev ${LOG}"-`rulelog $dzone`-ACC-MASQ " -m conntrack
--ctstate ESTABLISHED,RELATED
+ $IPTABLES -A $dzone $net1_dst $net2_src $proto
$rport -i $dev -o $sdev -j "$ACCEPT" -m conntrack --ctstate ESTABLISHED,RELATED
fi
done
done
done
- $IPTABLES -A POSTROUTING -j MASQUERADE -t nat -s $net1 $net2
$proto $port -o $dev
+ $IPTABLES -A POSTROUTING -j MASQUERADE -t nat $net1_src
$net2_dst $proto $port -o $dev
done
fi
done
@@ -2122,19 +2113,21 @@
# <source network>,<destination>,<protocol>,<port>,<ip to forward
to>,<redirect port>
forward_masquerading_rules()
{
- local nets net1 net2 proto port1 port2 lip
+ local nets proto port1 port2 lip
+ local net1 net1_neg net1_src net1_dst
+ local net2 net2_neg net2_src net2_dst
for nets in $FW_FORWARD_MASQ; do
IFS=, eval set -- \$nets
net1="$1"
- net2="$2"
+ target="$2"
proto="$3"
port1="$4"
port2="$5"
- lip="$6"
+ net2="$6"
- case "$net2" in
- */*|'')
+ case "$target" in
+ */*|\!*|'')
error "target must be a single host in FW_FORWARD_MASQ -> $nets"
continue
;;
@@ -2149,29 +2142,29 @@
elif [ -z "$port1" ]; then
error "Port missing in FW_FORWARD_MASQ -> $nets"
else
- net1=${net1/\!/\! }
- net2=${net2/\!/\! }
+ eval `net2srcdst net1 "$net1"`
+ eval `net2srcdst net2 "$net2"`
+ eval `net2srcdst target "$target"`
proto="-p $proto"
test -z "$port2" && port2="$port1"
port1="--dport $port1"
dport2="--dport $port2"
port2=":${port2/:/-}"
- test -n "$lip" && lip="-d $lip"
for dev in $FW_MASQ_DEV; do
- $IPTABLES -A PREROUTING -j DNAT -t nat $proto -s $net1 $lip
$port1 --to-destination ${net2}${port2} -i $dev
+ $IPTABLES -A PREROUTING -j DNAT -t nat $proto $net1_src
$net2_dst $port1 --to-destination ${target}${port2} -i $dev
# to install minimal rule set we'd need to check if
# $net1 is covered by $FW_MASQ_NETS. Not feasible in
# bash code so just check for 0/0
if [ "$FW_MASQ_NETS" != "0/0" ]; then
- $IPTABLES -A POSTROUTING -j MASQUERADE -t nat -s $net1 -d
$net2 $proto $dport2 -o $dev
+ $IPTABLES -A POSTROUTING -j MASQUERADE -t nat $net1_src
$net2_dst $proto $dport2 -o $dev
fi
done
for chain in $forward_zones; do
chain=forward_$chain
- $LAC $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-REVMASQ "
$proto -s $net1 -d $net2 $dport2 -m conntrack --ctstate NEW
- $LAA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-REVMASQ "
$proto -s $net1 -d $net2 $dport2
- $IPTABLES -A $chain -j "$ACCEPT" $proto -s $net1 -d $net2
$dport2
- $IPTABLES -A $chain -j "$ACCEPT" $proto -d $net1 -s $net2 -m
conntrack --ctstate ESTABLISHED,RELATED
+ $LAC $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-REVMASQ "
$proto $net1_src $target_dst $dport2 -m conntrack --ctstate NEW
+ $LAA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-REVMASQ "
$proto $net1_src $target_dst $dport2
+ $IPTABLES -A $chain -j "$ACCEPT" $proto $net1_src $target_dst
$dport2
+ $IPTABLES -A $chain -j "$ACCEPT" $proto $net1_dst $target_src
-m conntrack --ctstate ESTABLISHED,RELATED
done
fi
done
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/SuSEfirewall2-3.6.282/mktar
new/SuSEfirewall2-3.6.289/mktar
--- old/SuSEfirewall2-3.6.282/mktar 2011-11-07 11:55:00.000000000 +0100
+++ new/SuSEfirewall2-3.6.289/mktar 1970-01-01 01:00:00.000000000 +0100
@@ -1,13 +0,0 @@
-#!/bin/sh
-set -e
-NAME=SuSEfirewall2
-VERSION=3.6
-revs=`git rev-list master|wc -l`
-# there are two empty commits in svn were not converted to git
-# commits so increase revs by two
-let revs=revs+2
-vers="${VERSION:+${VERSION}.}$revs"
-pfx="$NAME-$vers"
-fn="$pfx".tar.bz2
-git archive --prefix="$pfx"/ HEAD | bzip2 > $fn
-echo "version $vers -> $fn"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/SuSEfirewall2-3.6.282/obs/mkchanges
new/SuSEfirewall2-3.6.289/obs/mkchanges
--- old/SuSEfirewall2-3.6.282/obs/mkchanges 1970-01-01 01:00:00.000000000
+0100
+++ new/SuSEfirewall2-3.6.289/obs/mkchanges 2012-05-29 15:10:20.000000000
+0200
@@ -0,0 +1,11 @@
+#!/bin/sh
+# create log suitable for c&p into rpm changes file
+if [ -z "$1" ]; then
+ set -- remotes/origin/master..HEAD
+elif [ "${1%.changes}" != "$1" ]; then
+ # parse time stamp of .changes file
+ d=`awk 'NR==2{FS=" - ";$0=$0;print $1;exit}' < $1`
+ set -- --since="$d" HEAD
+fi
+# no idea why it always prints those commit lines
+git rev-list --pretty=format:"- %s" "$@" |grep -v ^commit
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/SuSEfirewall2-3.6.282/obs/mkpackage
new/SuSEfirewall2-3.6.289/obs/mkpackage
--- old/SuSEfirewall2-3.6.282/obs/mkpackage 1970-01-01 01:00:00.000000000
+0100
+++ new/SuSEfirewall2-3.6.289/obs/mkpackage 2012-05-29 15:10:20.000000000
+0200
@@ -0,0 +1,61 @@
+#!/bin/bash
+set -e
+shopt -s nullglob
+name="`pwd -P`"
+name=${name##*/}
+name=${name%%.*}
+dstdir="package"
+src="$PWD"
+if [ ! -d "$dstdir/.osc" ]; then
+ echo "*** Error: please check out the package:"
+ echo "osc branch openSUSE:Factory $name"
+ echo "ln -s home\:*\:branches\:*/$name $dstdir"
+ exit 1
+fi
+if [ "`git --no-pager diff --name-only|wc -l`" != '0' -o "`git --no-pager diff
--name-only --cached|wc -l`" != 0 ]; then
+ echo "*** Error: uncomitted changes"
+ echo "run 'git add file' to add files, 'git commit -a' to commit
changes"
+ exit 1
+fi
+cd "$dstdir"
+echo "osc up"
+osc up
+cd "$src"
+"$src"/obs/mkchanges "$dstdir/$name".changes | tee "$dstdir"/.changes
+#test ! -s $dstdir/.changes || git push
+for i in *.bz2; do
+ /bin/rm -vi "$i"
+done
+cd "$src"
+eval `"$src"/obs/mktar`
+mv "$FILENAME" "$dstdir"
+cd "$dstdir"
+osc add "$FILENAME"
+if [ -n "$VERSION" ]; then
+ read sourcefile < <(/usr/lib/build/spectool --tag "/source0?/"
"$name".spec)
+ if [ -n "$sourcefile" ]; then
+ sourcefile="${sourcefile/*: /}"
+ if [ -e "$sourcefile" ]; then
+ osc rm -f "$sourcefile" || true
+ fi
+ fi
+ sed -i -e "0,/^Version: /{s/^\(Version: *\).*/\1$VERSION/;}"
"$name".spec
+fi
+osc vc "$name".changes .changes && rm -f .changes
+cd "$src"
+if [ -n "`git rev-list remotes/origin/master..HEAD`" ]; then
+ pushed=
+ if ! grep -q refs/heads/master .git/HEAD; then
+ echo "Warning: not on master branch"
+ elif read -p "push changes now? (Y/n) "; then
+ if [ -z "$REPLY" -o "${REPLY#y}" != "$REPLY" ]; then
+ git push && pushed=1 || true
+ fi
+ fi
+ if [ -z "$pushed" ]; then
+ echo "*** Warning: changes not pushed!"
+ else
+ cd "$dstdir"
+ osc ci
+ fi
+fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/SuSEfirewall2-3.6.282/obs/mktar
new/SuSEfirewall2-3.6.289/obs/mktar
--- old/SuSEfirewall2-3.6.282/obs/mktar 1970-01-01 01:00:00.000000000 +0100
+++ new/SuSEfirewall2-3.6.289/obs/mktar 2012-05-29 15:10:20.000000000 +0200
@@ -0,0 +1,17 @@
+#!/bin/sh
+set -e
+NAME=SuSEfirewall2
+VERSION=3.6
+revs=`git rev-list master|wc -l`
+# there are two empty commits in svn were not converted to git
+# commits so increase revs by two
+let revs=revs+2
+vers="${VERSION:+${VERSION}.}$revs"
+pfx="$NAME-$vers"
+fn="$pfx".tar.bz2
+if ! git config --get tar.umask >/dev/null 2>&1 ; then
+ git config --add tar.umask 022
+fi
+git archive --prefix="$pfx"/ HEAD | bzip2 > $fn
+echo "VERSION=$vers"
+echo "FILENAME=$fn"
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
