Hello community,

here is the log from the commit of package yast2-vpn for openSUSE:Factory 
checked in at 2016-03-31 13:03:27
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/yast2-vpn (Old)
 and      /work/SRC/openSUSE:Factory/.yast2-vpn.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "yast2-vpn"

Changes:
--------
--- /work/SRC/openSUSE:Factory/yast2-vpn/yast2-vpn.changes      2015-10-28 
17:30:51.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.yast2-vpn.new/yast2-vpn.changes 2016-03-31 
13:03:35.000000000 +0200
@@ -1,0 +2,10 @@
+Thu Mar 24 11:15:40 UTC 2016 - h...@suse.com
+
+- Fix several important issues:
+  * Properly reduce TCP MSS instead of setting it to a fixed value.
+  * Force UDP encapsulation in case of IPv4 gateway.
+  * Fix two cases of incorrect SUSEfirewall and iptables configuration.
+
+Further implements fate#320616.
+
+-------------------------------------------------------------------

Old:
----
  yast2-vpn-3.1.2.tar.bz2

New:
----
  yast2-vpn-3.1.3.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ yast2-vpn.spec ++++++
--- /var/tmp/diff_new_pack.B5jnFa/_old  2016-03-31 13:03:36.000000000 +0200
+++ /var/tmp/diff_new_pack.B5jnFa/_new  2016-03-31 13:03:36.000000000 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package yast2-vpn
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:           yast2-vpn
-Version:        3.1.2
+Version:        3.1.3
 Release:        0
 Url:            https://github.com/yast/yast-vpn
 Source0:        %{name}-%{version}.tar.bz2

++++++ yast2-vpn-3.1.2.tar.bz2 -> yast2-vpn-3.1.3.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/yast2-vpn-3.1.2/package/yast2-vpn.changes 
new/yast2-vpn-3.1.3/package/yast2-vpn.changes
--- old/yast2-vpn-3.1.2/package/yast2-vpn.changes       2015-10-27 
09:42:34.000000000 +0100
+++ new/yast2-vpn-3.1.3/package/yast2-vpn.changes       2016-03-30 
09:32:33.000000000 +0200
@@ -1,4 +1,14 @@
 -------------------------------------------------------------------
+Thu Mar 24 11:15:40 UTC 2016 - h...@suse.com
+
+- Fix several important issues:
+  * Properly reduce TCP MSS instead of setting it to a fixed value.
+  * Force UDP encapsulation in case of IPv4 gateway.
+  * Fix two cases of incorrect SUSEfirewall and iptables configuration.
+
+Further implements fate#320616.
+
+-------------------------------------------------------------------
 Tue Oct 27 08:42:26 UTC 2015 - h...@suse.com
 
 - Fix build failure on Leap.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/yast2-vpn-3.1.2/package/yast2-vpn.spec 
new/yast2-vpn-3.1.3/package/yast2-vpn.spec
--- old/yast2-vpn-3.1.2/package/yast2-vpn.spec  2015-10-27 09:42:24.000000000 
+0100
+++ new/yast2-vpn-3.1.3/package/yast2-vpn.spec  2016-03-30 09:32:33.000000000 
+0200
@@ -16,7 +16,7 @@
 #
 
 Name:           yast2-vpn
-Version:        3.1.2
+Version:        3.1.3
 Release:        0
 License:        GPL-2.0
 URL:            https://github.com/yast/yast-vpn
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/yast2-vpn-3.1.2/src/lib/vpn/ipsec.rb 
new/yast2-vpn-3.1.3/src/lib/vpn/ipsec.rb
--- old/yast2-vpn-3.1.2/src/lib/vpn/ipsec.rb    2015-09-07 14:42:44.000000000 
+0200
+++ new/yast2-vpn-3.1.3/src/lib/vpn/ipsec.rb    2016-03-30 09:32:33.000000000 
+0200
@@ -413,6 +413,9 @@
                 end
             end
             get_current_conn[param_name] = val
+            if val == nil
+                get_current_conn.delete(param_name)
+            end
         end
 
         # Change gateway password.
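Review bot: The added nil branch runs after `get_current_conn[param_name] = val`, so a nil value is first stored and then deleted by the next statement. Moving the assignment into an `else` branch of the same check avoids the transient nil entry. The new contract is also undocumented in the visible lines: main_dialog.rb now passes nil to clear `forceencaps`, so the method deserves a comment such as `# A nil value removes the parameter from the current connection.` The method starts above this hunk, so its existing header comment is not visible here.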
@@ -518,16 +521,14 @@
                 conn_template = SCENARIO_TEMPLATES[conf["scenario"]]
                 # Find customised parameters
                 customisation = conf.select{|key, val| conn_template[key] == 
nil}
-                # Remove keys that don't belong to the scenario
-                customisation.delete_if {|key, val| 
!conn_template.has_key?(key)}
                 # Merge customised with the template
                 merged_conf = conn_template.merge(customisation)
                 # Remove parameters that aren't configuration or don't belong 
to the scenario
                 merged_conf.delete("name")
                 merged_conf.delete("scenario")
                 # Find blanks that aren't filled
-                param_blanks = merged_conf.select{|key, val| val == nil || 
val.strip == ""}.keys
-                if param_blanks.length > 0
+                param_blanks = merged_conf.select{|_key, val| val.to_s.strip 
== ""}.keys
+                if param_blanks.any?
                     unfilled_blanks[name] = param_blanks
                 end
                 scr_conf[name] = merged_conf
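Review bot: With the `delete_if` gone, `customisation` keeps every key of `conf` for which the scenario template has no value, so arbitrary parameter names now reach `scr_conf` and presumably the written IPSec configuration. If `conf` can originate from an imported profile and not only from the dialog, an explicit allow-list of extra parameters (apparently `forceencaps` is the one this release needs) would be safer than removing the filter. The context comment `# Remove parameters that aren't configuration or don't belong to the scenario` is now inaccurate, since only `name` and `scenario` are deleted. The comment in ipsec_test.rb saying make_scr_conf "will get rid of these" is stale for the same reason. The enclosing method starts and ends outside this hunk.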
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/yast2-vpn-3.1.2/src/lib/vpn/main_dialog.rb 
new/yast2-vpn-3.1.3/src/lib/vpn/main_dialog.rb
--- old/yast2-vpn-3.1.2/src/lib/vpn/main_dialog.rb      2015-09-07 
13:33:28.000000000 +0200
+++ new/yast2-vpn-3.1.3/src/lib/vpn/main_dialog.rb      2016-03-30 
09:32:33.000000000 +0200
@@ -67,7 +67,7 @@
                             VBox(
                                 Left(CheckBox(Id(:enable_daemon), _("Enable 
VPN daemon"), Yast::IPSecConf.DaemonEnabled?)),
                                 Left(HBox(
-                                    CheckBox(Id(:fix_mss), _("Reduce TCP 
MSS"), Yast::IPSecConf.TCPMSS1024Enabled?),
+                                    CheckBox(Id(:fix_mss), _("Reduce TCP 
MSS"), Yast::IPSecConf.TCPReduceMSS?),
                                     PushButton(Id(:fix_mss_help), "?")))
                         )),
                         Frame(_("All VPNs"), ReplacePoint(Id(:conn_list), 
Empty())),
@@ -84,7 +84,7 @@
                 ),
                 HBox(
                     PushButton(Id(:ok), Yast::Label.OKButton),
-                    PushButton(Id(:abort), Yast::Label.AbortButton)
+                    PushButton(Id(:cancel), Yast::Label.CancelButton)
                 )
             )
         end
@@ -156,7 +156,7 @@
             # Save new settings and apply
             Yast::IPSecConf.Import({
                 "enable_ipsec" => enable_daemon,
-                "tcp_mss_1024" => !!Yast::UI.QueryWidget(:fix_mss, :Value),
+                "tcp_reduce_mss" => !!Yast::UI.QueryWidget(:fix_mss, :Value),
                 "ipsec_conns" => scr_conf,
                 "ipsec_secrets" => IPSec.make_scr_secrets
             })
@@ -188,11 +188,9 @@
             end
         end
 
-        # Abandon all changes and quit.
-        def abort_handler
-            if Yast::Popup.ReallyAbort(true)
-                finish_dialog(:abort)
-            end
+        # Quit the dialog.
+        def cancel_handler
+            finish_dialog(:cancel)
         end
 
         # Select a connection from connection list, load its configuration.
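Review bot: `cancel_handler` now closes the dialog without the `Yast::Popup.ReallyAbort(true)` confirmation, and the replacement comment no longer says what happens to edits made in the dialog. If pending changes are discarded on cancel, keep that in the comment, for example `# Quit the dialog, discarding any unsaved changes.` Whether other code still emits or handles `:abort` is not visible in this hunk.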
@@ -212,6 +210,8 @@
             else
                 IPSec.change_conn_param("rightsubnet", "0.0.0.0/0")
             end
+            # Force UDP encapsulation only for IPv4 (it does not work for v6)
+            IPSec.change_conn_param("forceencaps", "yes")
             # Disable specific subnet input
             Yast::UI.ChangeWidget(Id(:conn_access_subnet), :Enabled, false)
             Yast::UI.ChangeWidget(Id(:conn_access_subnet), :Value, "")
@@ -225,6 +225,8 @@
             else
                 IPSec.change_conn_param("rightsubnet", "::/0")
             end
+            # If this was an IPv4 gateway and now an IPv6 gateway, make sure 
there's no forceencaps
+            IPSec.change_conn_param("forceencaps", nil)
             # Disable specific subnet input
             Yast::UI.ChangeWidget(Id(:conn_access_subnet), :Enabled, false)
             Yast::UI.ChangeWidget(Id(:conn_access_subnet), :Value, "")
@@ -239,6 +241,8 @@
         # Client: specify networks (CIDRs) accessed via IPSec tunnel.
         def conn_access_subnet_handler
             subnet = Yast::UI.QueryWidget(Id(:conn_access_subnet), :Value)
+            # Since I cannot tell whether the new subnet is v4 or v6, get rid 
of forceencaps.
+            IPSec.change_conn_param("forceencaps", nil)
             if IPSec.get_current_conn_type == :gateway
                 IPSec.change_conn_param("leftsubnet", subnet)
             else
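Review bot: Clearing `forceencaps` unconditionally here means a gateway that serves specific IPv4 subnets never gets UDP encapsulation, although the changelog announces it for IPv4 gateways. The comment says the address family cannot be determined, yet IPSecConf.rb in this same commit decides it with `cidr.include?(":")`. A consistent choice would be `IPSec.change_conn_param("forceencaps", subnet.include?(":") ? nil : "yes")` inside the gateway branch. That assumes the field does not hold a mixed IPv4/IPv6 list, which should be confirmed. The handler continues past the end of this hunk.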
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/yast2-vpn-3.1.2/src/modules/IPSecConf.rb 
new/yast2-vpn-3.1.3/src/modules/IPSecConf.rb
--- old/yast2-vpn-3.1.2/src/modules/IPSecConf.rb        2015-09-09 
10:39:50.000000000 +0200
+++ new/yast2-vpn-3.1.3/src/modules/IPSecConf.rb        2016-03-30 
09:32:33.000000000 +0200
@@ -30,6 +30,9 @@
         include Yast::Logger
         FW_CUSTOMRULES_FILE = "/etc/YaST2/vpn_firewall_rules"
 
+        # If TCP MSS reduction is required, the new MSS will be this value.
+        REDUCED_MSS = 1220
+
         def initialize
             log.info "IPSecConf is initialised"
             @orig_conf = {}
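Review bot: `REDUCED_MSS = 1220` is unexplained, and the same value is later used in both the iptables and the ip6tables rule and as the marker string that `Read` searches for. If it was derived from the IPv6 minimum MTU, say so in the comment, e.g. `# 1220 = 1280 (IPv6 minimum MTU) - 40 (IPv6 header) - 20 (TCP header)`. That derivation is my assumption and should be confirmed by the author.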
@@ -41,7 +44,7 @@
             @ipsec_secrets = {"psk" => [], "rsa" => [], "eap" => [], "xauth" 
=> []}
 
             @enable_ipsec = false
-            @tcp_mss_1024 = false
+            @tcp_reduce_mss = false
             @autoyast_modified = false
         end
 
@@ -58,7 +61,7 @@
             # Read daemon settings
             @enable_ipsec = Service.Enabled("strongswan")
             customrules_content = SCR.Read(path(".target.string"), 
FW_CUSTOMRULES_FILE)
-            @tcp_mss_1024 = !customrules_content.nil? && 
customrules_content.include?("--set-mss 1024")
+            @tcp_reduce_mss = !customrules_content.nil? && 
customrules_content.include?("--set-mss #{REDUCED_MSS}")
             @autoyast_modified = true
         end
 
@@ -97,9 +100,9 @@
             return @enable_ipsec
         end
 
-        # Return true if TCP MSS 1024 workaround is enabled, otherwise false.
-        def TCPMSS1024Enabled?
-            return @tcp_mss_1024
+        # Return true if TCP MSS reduction workaround is enabled, otherwise 
false.
+        def TCPReduceMSS?
+            return @tcp_reduce_mss
         end
 
         # Create a firewall configuration script for all VPN gateways. Return 
the script content
@@ -129,19 +132,18 @@
             script << func_template % {func_name: 
"fw_custom_before_port_handling", content: ""}
             # Reduce TCP MSS - if this has to be done, it must come before 
FORWARD and MASQUERADE
             inet_access = ""
-            if @tcp_mss_1024
-                inet_access += "iptables -A FORWARD -p tcp --tcp-flags SYN,RST 
SYN -j TCPMSS --set-mss 1024\n" +
-                               "ip6tables -A FORWARD -p tcp --tcp-flags 
SYN,RST SYN -j TCPMSS --set-mss 1024\n"
+            if @tcp_reduce_mss
+                inet_access += "iptables -A FORWARD -p tcp -m tcp --tcp-flags 
SYN,RST SYN -m tcpmss --mss #{REDUCED_MSS+1}:65535 -j TCPMSS --set-mss 
#{REDUCED_MSS}\n" +
+                               "ip6tables -A FORWARD -p tcp -m tcp --tcp-flags 
SYN,RST SYN -m tcpmss --mss #{REDUCED_MSS+1}:65535 -j TCPMSS --set-mss 
#{REDUCED_MSS}\n"
             end
             # Forwarding for Internet access
-            forward_template = "%s -A FORWARD -s %s -j ACCEPT\n"
-            masq_template = "%s -t nat -A POSTROUTING -s %s -j MASQUERADE\n"
             inet_access_networks.each { |cidr|
                 iptables = "iptables"
                 if cidr.include?(":")
                     iptables = "ip6tables"
                 end
-                inet_access += forward_template % [iptables, cidr] + 
masq_template % [iptables, cidr]
+                inet_access += "#{iptables} -A FORWARD -s #{cidr} -j 
ACCEPT\n#{iptables} -A FORWARD -d #{cidr} -j ACCEPT\n"
+                inet_access += "#{iptables} -t nat -A POSTROUTING -s #{cidr} 
-j MASQUERADE\n"
             }
             script << func_template % {func_name: "fw_custom_before_masq", 
content: inet_access}
             # Nothing in denyall or finished
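Review bot: The new `-A FORWARD -d #{cidr} -j ACCEPT` rule accepts every forwarded packet addressed to the VPN subnet, from any interface and in any connection state, which is wider than return traffic for the clients needs. If the intent is only to let replies back in, restrict it, e.g. `#{iptables} -A FORWARD -d #{cidr} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`. Separately, `cidr` is interpolated into a script that is later run by a shell, and the visible code only checks it for `:`. Validating each entry as an address/prefix before emitting it would be a sensible guard. The method begins and ends outside this hunk.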
@@ -219,6 +221,7 @@
                 SCR.Write(path(".sysconfig.SuSEfirewall2.FW_CUSTOMRULES"), 
existing_rules + FW_CUSTOMRULES_FILE)
                 SCR.Write(path(".sysconfig.SuSEfirewall2"), nil)
             end
+            SuSEFirewall.Read
             if SuSEFirewall.IsEnabled
                 if @enable_ipsec
                     if !SuSEFirewall.IsStarted
@@ -255,7 +258,7 @@
                 return false
             end
             @enable_ipsec = !!params["enable_ipsec"]
-            @tcp_mss_1024 = !!params["tcp_mss_1024"]
+            @tcp_reduce_mss = !!params["tcp_reduce_mss"]
             @ipsec_conns = params.fetch("ipsec_conns", {})
             @ipsec_secrets = params.fetch("ipsec_secrets", {})
             @autoyast_modified = true
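Review bot: `Import` now reads only `tcp_reduce_mss`, so a profile exported by 3.1.2 with `"tcp_mss_1024" => true` is imported with MSS reduction silently off. Accepting the old key as a fallback keeps such profiles working: `@tcp_reduce_mss = !!params.fetch("tcp_reduce_mss", params["tcp_mss_1024"])`. The `Read` hunk earlier in this file has the same upgrade gap: it looks only for `--set-mss #{REDUCED_MSS}`, so a rules file written by the old version with `--set-mss 1024` is read as disabled. Import's body extends beyond this hunk.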
@@ -267,7 +270,7 @@
             log.info("IPSecConf.Export is called, connections are: " + 
@ipsec_conns.keys.to_s)
             return {
                 "enable_ipsec" => @enable_ipsec,
-                "tcp_mss_1024" => @tcp_mss_1024,
+                "tcp_reduce_mss" => @tcp_reduce_mss,
                 "ipsec_conns" => @ipsec_conns,
                 "ipsec_secrets" => @ipsec_secrets
             }
@@ -278,7 +281,7 @@
             log.info("IPSecConf.Summary is called")
             ret = Summary.AddHeader("", _("VPN Global Settings"))
             ret = Summary.AddLine(ret, _("Enable VPN (IPSec) daemon: %s") % 
[(!!@enable_ipsec).to_s])
-            ret = Summary.AddLine(ret, _("Reduce TCP MSS to 1024: %s") % 
[(!!@tcp_mss_1024).to_s])
+            ret = Summary.AddLine(ret, _("Reduce TCP MSS: %s") % 
[(!!@tcp_reduce_mss).to_s])
             ret = Summary.AddHeader(ret, _("Gateway and Connections"))
             if @ipsec_conns != nil
                 @ipsec_conns.each{|name, conf|
@@ -320,7 +323,7 @@
             @ipsec_secrets = {"psk" => [], "rsa" => [], "eap" => [], "xauth" 
=> []}
 
             @enable_ipsec = false
-            @tcp_mss_1024 = false
+            @tcp_reduce_mss = false
             @autoyast_modified = false
         end
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/yast2-vpn-3.1.2/test/ipsec_test.rb 
new/yast2-vpn-3.1.3/test/ipsec_test.rb
--- old/yast2-vpn-3.1.2/test/ipsec_test.rb      2015-10-27 09:42:05.000000000 
+0100
+++ new/yast2-vpn-3.1.3/test/ipsec_test.rb      2016-03-30 09:32:33.000000000 
+0200
@@ -19,10 +19,7 @@
 # Summary: Test the functions and features of IPSec configuration models.
 # Authors: Howard Guo <h...@suse.com>
 
-ENV["Y2DIR"] = File.expand_path("../../src", __FILE__)
-
-require "yast"
-require "yast/rspec"
+require_relative "./test_helper"
 require "vpn/ipsec"
 
 describe VPN::IPSec do
@@ -327,7 +324,7 @@
     end
 
     describe ".make_scr_conf" do
-        it "Makes SCR-compatible IPSec config" do
+        it "Makes SCR-compatible IPSec config with new parameter assignments" 
do
             # Introduce unnecessary parameters, make_scr_conf will get rid of 
these
             VPN::IPSec.switch_conn("gw_psk0")
             VPN::IPSec.change_conn_param("abc", 123)
@@ -348,6 +345,7 @@
                 "dpdtimeout"=>"600",
                 "dpddelay"=>"60",
                 "leftsubnet"=>"192.168.82.0/24",
+                "abc" => 123,
                 "rightsourceip"=>"192.168.83.0/24"},
             "gw_cert1"=>
                 {"auto"=>"add",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/yast2-vpn-3.1.2/test/ipsecconf_test.rb 
new/yast2-vpn-3.1.3/test/ipsecconf_test.rb
--- old/yast2-vpn-3.1.2/test/ipsecconf_test.rb  2015-10-27 09:41:55.000000000 
+0100
+++ new/yast2-vpn-3.1.3/test/ipsecconf_test.rb  2016-03-30 09:32:33.000000000 
+0200
@@ -19,10 +19,7 @@
 # Summary: Test the functions and features of IPSec configuration agents.
 # Authors: Howard Guo <h...@suse.com>
 
-ENV["Y2DIR"] = File.expand_path("../../src", __FILE__)
-
-require "yast"
-require "yast/rspec"
+require_relative "./test_helper"
 Yast.import "IPSecConf"
 
 describe Yast::IPSecConf do
@@ -211,9 +208,9 @@
         it "Creates a SuSE firewall script for all connections" do
             # Set reduce MSS to true
             exported = Yast::IPSecConf.Export
-            exported["tcp_mss_1024"] = true
+            exported["tcp_reduce_mss"] = true
             Yast::IPSecConf.Import(exported)
-            expect(Yast::IPSecConf.GenFirewallScript).to eq("""# The file is 
automatically generated by YaST VPN module.
+            expect(Yast::IPSecConf.GenFirewallScript).to eq "# The file is 
automatically generated by YaST VPN module.
 # You may run the file using bourne-shell-compatible interpreter.
 fw_custom_after_chain_creation() {
 iptables -A INPUT -p udp --dport 500 -j ACCEPT
@@ -230,13 +227,16 @@
 }
 fw_custom_before_port_handling
 fw_custom_before_masq() {
-iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1024
-ip6tables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1024
+iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 
1221:65535 -j TCPMSS --set-mss 1220
+ip6tables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 
1221:65535 -j TCPMSS --set-mss 1220
 iptables -A FORWARD -s 192.168.83.0/24 -j ACCEPT
+iptables -A FORWARD -d 192.168.83.0/24 -j ACCEPT
 iptables -t nat -A POSTROUTING -s 192.168.83.0/24 -j MASQUERADE
 iptables -A FORWARD -s 192.168.98.0/24 -j ACCEPT
+iptables -A FORWARD -d 192.168.98.0/24 -j ACCEPT
 iptables -t nat -A POSTROUTING -s 192.168.98.0/24 -j MASQUERADE
 iptables -A FORWARD -s 192.168.99.0/24 -j ACCEPT
+iptables -A FORWARD -d 192.168.99.0/24 -j ACCEPT
 iptables -t nat -A POSTROUTING -s 192.168.99.0/24 -j MASQUERADE
 true
 }
@@ -249,7 +249,7 @@
 true
 }
 fw_custom_after_finished
-""")
+"
         end
     end
 end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/yast2-vpn-3.1.2/test/test_helper.rb 
new/yast2-vpn-3.1.3/test/test_helper.rb
--- old/yast2-vpn-3.1.2/test/test_helper.rb     1970-01-01 01:00:00.000000000 
+0100
+++ new/yast2-vpn-3.1.3/test/test_helper.rb     2016-03-30 09:32:33.000000000 
+0200
@@ -0,0 +1,22 @@
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+#
+# This program is free software; you can redistribute it and/or modify it under
+# the terms of version 2 of the GNU General Public License as published by the
+# Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more 
details.
+#
+# You should have received a copy of the GNU General Public License along with
+# this program; if not, contact SUSE Linux GmbH.
+#
+# 
------------------------------------------------------------------------------
+#
+# Summary: Common header for test source files.
+# Authors: Howard Guo <h...@suse.com>
+
+ENV["Y2DIR"] = File.expand_path("../../src", __FILE__)
+
+require "yast"
+require "yast/rspec"

