Class: Yast::SuSEFirewall2Class

Inherits:
SuSEFirewallClass show all
Includes:
Logger
Defined in:
library/network/src/lib/network/susefirewall2.rb

Overview


SuSEFirewall2/SF2 Class. The original, simply created from the Firewall factory class.

Constant Summary collapse

CONFIG_FILE =
"/etc/sysconfig/SuSEfirewall2".freeze

Instance Attribute Summary

Attributes inherited from SuSEFirewallClass

#firewall_service

Instance Method Summary collapse

Methods inherited from SuSEFirewallClass

#AddService, #AddXenSupport, #ArePortsOrServicesAllowed, #DisableServices, #EnableServices, #GetAllKnownInterfaces, #GetEnableService, #GetKnownFirewallZones, #GetListOfKnownInterfaces, #GetModified, #GetServices, #GetServicesInZones, #GetStartService, #GetZoneFullName, #GetZonesOfInterfaces, #HaveService, #IsEnabled, #IsKnownZone, #IsOtherFirewallRunning, #IsStarted, #IsSupportedProtocol, #RemoveAllowedPortsOrServices, #RemoveService, #ResetModified, #SaveAndRestartService, #SetAdditionalServices, #SetEnableService, #SetInstallPackagesIfMissing, #SetModified, #SetServices, #SetStartService, #StartServices, #StopServices, #SuSEFirewallIsInstalled, #SuSEFirewallIsSelectedOrInstalled, #initialize

Constructor Details

This class inherits a constructor from Yast::SuSEFirewallClass

Instance Method Details

#ActivateConfigurationBoolean

Function which stops firewall. Then firewall is started immediately when firewall is wanted to be started: SetStartService(boolean).

Returns:

  • (Boolean)

    if successful



1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
# File 'library/network/src/lib/network/susefirewall2.rb', line 1620

def ActivateConfiguration
  # just disabled
  return true if !SuSEFirewallIsInstalled()

  # starting firewall during second stage can cause deadlock in systemd - bnc#798620
  # Moreover, it is not needed. Firewall gets started via dependency on multi-user.target
  # when second stage is over.
  if Mode.installation && !Mode.autoinst
    Builtins.y2milestone("Do not touch firewall services during installation")

    return true
  end

  # Firewall should start after Write()
  if GetStartService()
    # Not started - start it
    if !IsStarted()
      Builtins.y2milestone("Starting firewall services")
      StartServices()
    # Started - restart it
    # modified - restart it, or ...
    # bugzilla #186186
    # If any RPC service is configured to be allowed, always restart the firewall
    # Some of these service's ports might have been reallocated (when SuSEFirewall
    # is used from outside, e.g., yast2-nfs-server)
    elsif GetModified() || AnyRPCServiceInConfiguration()
      Builtins.y2milestone("Stopping firewall services")
      StopServices()
      Builtins.y2milestone("Starting firewall services")
      StartServices()
    # not modified - skip restart
    else
      Builtins.y2milestone(
        "Configuration hasn't modified, skipping restarting services"
      )
      true
    end
  # Firewall should stop after Write()
  # started - stop
  elsif IsStarted()
    Builtins.y2milestone("Stopping firewall services")
    StopServices()
    # stopped - skip stopping
  else
    Builtins.y2milestone("Firewall has been stopped already")
    true
  end
end

#AddAllowedBroadcast(needed_ports, zone) ⇒ Object

Local function adds list of ports to ports accepting broadcast

Parameters:



643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
# File 'library/network/src/lib/network/susefirewall2.rb', line 643

def AddAllowedBroadcast(needed_ports, zone)
  needed_ports = deep_copy(needed_ports)
  # changing only if ports are not allowed
  if !IsBroadcastAllowed(needed_ports, zone)
    SetModified()

    allowed_ports = GetBroadcastAllowedPorts()
    list_ports_allowed = Ops.get(allowed_ports, zone, [])

    # ports to be allowed one by one
    Builtins.foreach(needed_ports) do |allow_this_port|
      # at first: remove all aliases of ports yet mentioned in zone
      aliases_of_port = PortAliases.GetListOfServiceAliases(allow_this_port)
      list_ports_allowed = Builtins.filter(list_ports_allowed) do |just_allowed|
        !Builtins.contains(aliases_of_port, just_allowed)
      end
      # at second: add only one
      list_ports_allowed = Builtins.add(list_ports_allowed, allow_this_port)
    end
    Ops.set(allowed_ports, zone, list_ports_allowed)

    # save it using function
    SetBroadcastAllowedPorts(allowed_ports)
  end

  nil
end

#AddAllowedPortsOrServices(add_ports, protocol, zone) ⇒ Object

Local function allows ports for requested protocol and zone.

Parameters:

  • add_ports (Array<string>)

    ports to be added

  • protocol (String)
  • zone (String)


2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673
2674
# File 'library/network/src/lib/network/susefirewall2.rb', line 2649

def AddAllowedPortsOrServices(add_ports, protocol, zone)
  add_ports = deep_copy(add_ports)
  if Ops.less_than(Builtins.size(add_ports), 1)
    Builtins.y2warning(
      "Undefined list of %1 services/ports for service",
      protocol
    )
    return
  end

  SetModified()

  # all allowed ports
  allowed_services = GetAllowedServicesForZoneProto(zone, protocol)

  allowed_services = Convert.convert(
    Builtins.union(allowed_services, add_ports),
    from: "list",
    to:   "list <string>"
  )
  allowed_services = PortRanges.FlattenServices(allowed_services, protocol)

  SetAllowedServicesForZoneProto(allowed_services, zone, protocol)

  nil
end

#AddForwardIntoMasqueradeRule(source_net, forward_to_ip, protocol, req_port, redirect_to_port, requested_ip) ⇒ Object

Adds forward into masquerade rule.

Examples:

AddForwardIntoMasqueradeRule ("0/0", "192.168.32.1", "TCP", "80", "8080", "10.0.0.1")

Parameters:



2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
# File 'library/network/src/lib/network/susefirewall2.rb', line 2097

def AddForwardIntoMasqueradeRule(source_net, forward_to_ip, protocol, req_port, redirect_to_port, requested_ip)
  SetModified()

  masquerade_rules = Ops.get_string(@SETTINGS, "FW_FORWARD_MASQ", "")

  masquerade_rules = Ops.add(
    Ops.add(
      Ops.add(
        Ops.add(
          Ops.add(
            Ops.add(
              Ops.add(
                Ops.add(masquerade_rules, (masquerade_rules != "") ? " " : ""),
                source_net
              ),
              ","
            ),
            forward_to_ip
          ),
          ","
        ),
        protocol
      ),
      ","
    ),
    req_port
  )

  if redirect_to_port != "" || requested_ip != ""
    if requested_ip != ""
      masquerade_rules = Ops.add(
        Ops.add(
          Ops.add(Ops.add(masquerade_rules, ","), redirect_to_port),
          ","
        ),
        requested_ip
      )
      # port1 -> port2 are same
    elsif redirect_to_port != req_port
      masquerade_rules = Ops.add(
        Ops.add(masquerade_rules, ","),
        redirect_to_port
      )
    end
  end

  Ops.set(@SETTINGS, "FW_FORWARD_MASQ", masquerade_rules)

  nil
end

#AddInterfaceIntoZone(interface, zone) ⇒ Object

Functions adds interface into defined zone. All appearances of interface in other zones are removed.

Examples:

AddInterfaceIntoZone ("eth5", "DMZ")

Parameters:



1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
# File 'library/network/src/lib/network/susefirewall2.rb', line 1166

def AddInterfaceIntoZone(interface, zone)
  SetModified()

  current_zone = GetZoneOfInterface(interface)

  DecreaseVerbosity()
  # removing all appearances of interface in zones, excepting current_zone==new_zone
  while !current_zone.nil? && current_zone != zone
    # interface is in any zone already, removing it at first
    RemoveInterfaceFromZone(interface, current_zone) if current_zone != zone
    current_zone = GetZoneOfInterface(interface)
  end
  IncreaseVerbosity()

  Builtins.y2milestone(
    "Adding interface '%1' into '%2' zone.",
    interface,
    zone
  )
  interfaces_in_zone = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_DEV_", zone), ""),
    " "
  )
  interfaces_in_zone = Builtins.toset(
    Builtins.add(interfaces_in_zone, interface)
  )
  Ops.set(
    @SETTINGS,
    Ops.add("FW_DEV_", zone),
    Builtins.mergestring(interfaces_in_zone, " ")
  )

  nil
end

#AddServiceDefinedByPackageIntoZone(service, zone) ⇒ Object

Adds service defined by package (FATE #300687) into list of enabled services.

Examples:

AddServiceDefinedByPackageIntoZone ("service:irc-server", "EXT");

Parameters:



742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
# File 'library/network/src/lib/network/susefirewall2.rb', line 742

def AddServiceDefinedByPackageIntoZone(service, zone)
  return nil if !IsKnownZone(zone)

  if service.nil?
    Builtins.y2error("Service Id can't be nil!")
    return nil
  elsif Builtins.regexpmatch(service, "^service:.*")
    service = Builtins.regexpsub(service, "^service:(.*)", "\\1")
  end

  # services defined by package are listed without "service:" which is here
  # just to distinguish between dynamic and static definitions
  supported_services = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_CONFIGURATIONS_", zone), ""),
    " "
  )
  # Adding the service
  supported_services = Builtins.toset(
    Builtins.add(supported_services, service)
  )
  Ops.set(
    @SETTINGS,
    Ops.add("FW_CONFIGURATIONS_", zone),
    Builtins.mergestring(supported_services, " ")
  )

  SetModified()

  nil
end

#AddServiceSupportIntoZone(service, zone) ⇒ Object

Local function adds well-known service's support into zone. It first of all removes the current support for service with port-aliases.

Parameters:



826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
# File 'library/network/src/lib/network/susefirewall2.rb', line 826

def AddServiceSupportIntoZone(service, zone)
  Yast.import "SuSEFirewallServices" # lazy import due to circular dependencies

  needed = SuSEFirewallServices.GetNeededPortsAndProtocols(service)
  # unknown service
  if needed.nil?
    Builtins.y2error("Undefined service '%1'", service)
    return nil
  end

  SetModified()

  # FATE #300687: Ports for SuSEfirewall added via packages
  if SuSEFirewallServices.ServiceDefinedByPackage(service)
    AddServiceDefinedByPackageIntoZone(service, zone)

    return nil
  end

  # Removing service ports first (and also port aliases for TCP and UDP)
  RemoveServiceSupportFromZone(service, zone) if IsServiceSupportedInZone(service, zone) == true

  Builtins.foreach(@service_defined_by) do |key|
    needed_ports = Ops.get(needed, key, [])
    next if needed_ports == []

    case key
    when "tcp_ports"
      AddAllowedPortsOrServices(needed_ports, "TCP", zone)
    when "udp_ports"
      AddAllowedPortsOrServices(needed_ports, "UDP", zone)
    when "rpc_ports"
      AddAllowedPortsOrServices(needed_ports, "RPC", zone)
    when "ip_protocols"
      AddAllowedPortsOrServices(needed_ports, "IP", zone)
    when "broadcast_ports"
      AddAllowedBroadcast(needed_ports, zone)
    else
      Builtins.y2error("Unknown key '%1'", key)
    end
  end

  nil
end

#AddSpecialInterfaceIntoZone(interface, zone) ⇒ Object

Function adds special string into defined zone.

Parameters:



1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
# File 'library/network/src/lib/network/susefirewall2.rb', line 1944

def AddSpecialInterfaceIntoZone(interface, zone)
  SetModified()

  Builtins.y2milestone(
    "Adding special string '%1' into '%2' zone.",
    interface,
    zone
  )
  interfaces_in_zone = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_DEV_", zone), ""),
    " "
  )
  interfaces_in_zone = Builtins.toset(
    Builtins.add(interfaces_in_zone, interface)
  )
  Ops.set(
    @SETTINGS,
    Ops.add("FW_DEV_", zone),
    Builtins.mergestring(interfaces_in_zone, " ")
  )

  nil
end

#AnyRPCServiceInConfigurationBoolean

Function returns whether some RPC service is allowed in the configuration. These services reallocate their ports when restarted. See details in bugzilla bug #186186.

Returns:

  • (Boolean)

    some_RPC_service_used



1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
# File 'library/network/src/lib/network/susefirewall2.rb', line 1590

def AnyRPCServiceInConfiguration
  ret = false

  Builtins.foreach(GetKnownFirewallZones()) do |fw_zone|
    fw_rule = Builtins.sformat("FW_SERVICES_%1_RPC", fw_zone)
    listed_services = Ops.get_string(@SETTINGS, fw_rule) do
      GetDefaultValue(fw_rule)
    end
    # easy case
    next if listed_services.nil? || listed_services == ""

    # something listed but it still might be empty definition
    services_list = Builtins.splitstring(listed_services, " \n\t")
    services_list = Builtins.filter(services_list) do |service|
      service != ""
    end
    if Ops.greater_than(Builtins.size(services_list), 0)
      ret = true
      raise Break
    end
  end

  Builtins.y2milestone("Some RPC service found: %1", ret)
  ret
end

#CheckKernelModulesObject



2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
# File 'library/network/src/lib/network/susefirewall2.rb', line 2442

def CheckKernelModules
  needs_additional_module = false

  Builtins.foreach(GetKnownFirewallZones()) do |one_zone|
    if Ops.greater_or_equal(
      Builtins.size(GetServicesAcceptRelated(one_zone)),
      0
    )
      Builtins.y2milestone("Some ServicesAcceptRelated are defined")
      needs_additional_module = true
      raise Break
    end
  end

  if needs_additional_module
    k_modules = Builtins.splitstring(
      Ops.get_string(@SETTINGS, "FW_LOAD_MODULES", ""),
      " "
    )

    if !Builtins.contains(k_modules, @broadcast_related_module)
      Builtins.y2warning(
        "FW_LOAD_MODULES doesn't contain %1, adding",
        @broadcast_related_module
      )
      k_modules = Builtins.add(k_modules, @broadcast_related_module)
      Ops.set(
        @SETTINGS,
        "FW_LOAD_MODULES",
        Builtins.mergestring(k_modules, " ")
      )
      SetModified()
    end
  end

  nil
end

#ConvertToServicesDefinedByPackagesObject

Converts old built-in service definitions to services defined by packages.

See Also:

  • 399217


2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
2635
2636
2637
2638
2639
2640
2641
2642
# File 'library/network/src/lib/network/susefirewall2.rb', line 2529

def ConvertToServicesDefinedByPackages
  return if @already_converted

  if FileUtils.Exists(@converted_to_services_dbp_file)
    @already_converted = true
    return
  end

  # $[ zone : $[ protocol : [ list of ports ] ] ]
  current_conf = {}

  Builtins.foreach(GetKnownFirewallZones()) do |zone|
    Ops.set(current_conf, zone, {})
    Builtins.foreach(@supported_protocols) do |protocol|
      Ops.set(
        current_conf,
        [zone, protocol],
        GetAllowedServicesForZoneProto(zone, protocol)
      )
      Ops.set(
        current_conf,
        [zone, "broadcast"],
        Builtins.splitstring(GetBroadcastConfiguration(zone), " \n")
      )
    end
  end

  Builtins.y2milestone("Current conf: %1", current_conf)

  Yast.import "SuSEFirewallServices" # lazy import due to circular dependencies

  Builtins.foreach(GetKnownFirewallZones()) do |zone|
    Builtins.foreach(SuSEFirewallServices.OLD_SERVICES) do |old_service_id, old_service_def|
      Builtins.y2milestone("Checking %1 in %2 zone", old_service_id, zone)
      if Ops.get_list(old_service_def, "tcp_ports", []) != [] &&
          ArePortsOrServicesAllowed(
            Ops.get_list(old_service_def, "tcp_ports", []),
            "TCP",
            zone,
            true
          ) != true
        next
      end
      if Ops.get_list(old_service_def, "udp_ports", []) != [] &&
          ArePortsOrServicesAllowed(
            Ops.get_list(old_service_def, "udp_ports", []),
            "UDP",
            zone,
            true
          ) != true
        next
      end
      if Ops.get_list(old_service_def, "rpc_ports", []) != [] &&
          ArePortsOrServicesAllowed(
            Ops.get_list(old_service_def, "rpc_ports", []),
            "RPC",
            zone,
            false
          ) != true
        next
      end
      if Ops.get_list(old_service_def, "ip_protocols", []) != [] &&
          ArePortsOrServicesAllowed(
            Ops.get_list(old_service_def, "ip_protocols", []),
            "IP",
            zone,
            false
          ) != true
        next
      end
      if Ops.get_list(old_service_def, "broadcast_ports", []) != [] &&
          IsBroadcastAllowed(
            Ops.get_list(old_service_def, "broadcast_ports", []),
            zone
          ) != true
        next
      end

      if Ops.get_list(old_service_def, "convert_to", []) == []
        Builtins.y2milestone(
          "Service %1 supported, but it doesn't have any replacement",
          old_service_id
        )
        next
      end
      replaced = false
      Builtins.foreach(Ops.get_list(old_service_def, "convert_to", [])) do |replacement|
        if SuSEFirewallServices.IsKnownService(replacement)
          Builtins.y2milestone(
            "Old service %1 matches %2",
            old_service_id,
            replacement
          )
          RemoveOldAllowedServiceFromZone(old_service_def, zone)
          SetServicesForZones([replacement], [zone], true)
          replaced = true
          raise Break
        end
      end
      if !replaced
        Builtins.y2warning(
          "Old service %1 matches %2 but none are installed",
          old_service_id,
          Ops.get_list(old_service_def, "convert_to", [])
        )
      end
    end
  end

  Builtins.y2milestone("Converting done")
  @already_converted = true

  nil
end

#DecreaseVerbosityObject

Local function for decreasing the verbosity level.



302
303
304
305
306
# File 'library/network/src/lib/network/susefirewall2.rb', line 302

def DecreaseVerbosity
  @verbose_level = Ops.subtract(@verbose_level, 1)

  nil
end

#ExportHash{String => Object}

Function for getting exported SuSEFirewall configuration

Returns:

  • (Hash{String => Object})

    with configuration



988
989
990
# File 'library/network/src/lib/network/susefirewall2.rb', line 988

def Export
  deep_copy(@SETTINGS)
end

#FillUpEmptyConfigObject

Fills the configuration with default settings, adjusts internal variables that firewall cannot be configured.



1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
# File 'library/network/src/lib/network/susefirewall2.rb', line 1480

def FillUpEmptyConfig
  # do not call it again
  @configuration_has_been_read = true

  # Default settings, services are disabled
  @SETTINGS = deep_copy(@DEFAULT_SETTINGS)
  Ops.set(@SETTINGS, "enable_firewall", false)
  Ops.set(@SETTINGS, "start_firewall", false)

  # Cannot be configured, packages weren't installed
  @fw_service_can_be_configured = false

  nil
end

#full_init_on_boot(new_state) ⇒ Boolean

Sets whether ports need to be open already during boot bsc#916376

Parameters:

  • new_state (Boolean)

Returns:

  • (Boolean)

    current state



2681
2682
2683
2684
2685
# File 'library/network/src/lib/network/susefirewall2.rb', line 2681

def full_init_on_boot(new_state)
  @SETTINGS["FW_BOOT_FULL_INIT"] = new_state ? "yes" : "no"
  SetModified()
  @SETTINGS["FW_BOOT_FULL_INIT"] == "yes"
end

#GetAcceptExpertRules(zone) ⇒ String

Returns list of rules describing protocols and ports that are allowed to be accessed from listed hosts. All is returned as a single string. Zone needs to be defined.

Parameters:

Returns:



2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
# File 'library/network/src/lib/network/susefirewall2.rb', line 2272

def GetAcceptExpertRules(zone)
  zone = Builtins.toupper(zone)

  # Check for zone
  if !Builtins.contains(GetKnownFirewallZones(), zone)
    Builtins.y2error("Unknown firewall zone: %1", zone)
    return nil
  end

  Ops.get_string(@SETTINGS, Ops.add("FW_SERVICES_ACCEPT_", zone), "")
end

#GetAdditionalServices(protocol, zone) ⇒ Array<String>

This powerful function returns list of services/ports which are not assigned to any fully-supported known-services. This function doesn't check for services defined by packages. They are listed by a different method.

Examples:

GetAdditionalServices("TCP", "EXT") -> ["53", "128"]

Returns:

  • (Array<String>)

    of additional (unassigned) services



1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
# File 'library/network/src/lib/network/susefirewall2.rb', line 1795

def GetAdditionalServices(protocol, zone)
  if !IsSupportedProtocol(protocol)
    Builtins.y2error("Unknown protocol '%1'", protocol)
    return nil
  end
  if !IsKnownZone(zone)
    Builtins.y2error("Unknown zone '%1'", zone)
    return nil
  end

  # all ports or services allowed in zone for protocol
  all_allowed_services = GetAllowedServicesForZoneProto(zone, protocol)

  # all ports or services used by known service
  all_used_services = []

  Yast.import "SuSEFirewallServices" # lazy import due to circular dependencies

  # trying all possible (known) services
  Builtins.foreach(SuSEFirewallServices.GetSupportedServices) do |service_id, _service_name|
    # only when the service is allowed in zone - remove all its needed ports
    if IsServiceSupportedInZone(service_id, zone) == true
      # all needed ports etc for service/protocol
      needed_all = []
      case protocol
      when "TCP"
        needed_all = SuSEFirewallServices.GetNeededTCPPorts(service_id)
      when "UDP"
        needed_all = SuSEFirewallServices.GetNeededUDPPorts(service_id)
      when "RPC"
        needed_all = SuSEFirewallServices.GetNeededRPCPorts(service_id)
      when "IP"
        needed_all = SuSEFirewallServices.GetNeededIPProtocols(service_id)
      end
      Builtins.foreach(needed_all) do |remove_port|
        # all used services and their aliases
        all_used_services = Convert.convert(
          Builtins.union(
            all_used_services,
            PortAliases.GetListOfServiceAliases(remove_port)
          ),
          from: "list",
          to:   "list <string>"
        )
      end
    end
  end

  # some services are used by known defined-services
  if Ops.greater_than(Builtins.size(all_used_services), 0)
    all_used_services = Builtins.toset(all_used_services)
    # removing all used services from all allowed
    all_allowed_services = Builtins.filter(all_allowed_services) do |port|
      !Builtins.contains(all_used_services, port)
    end
  end

  # well, actually it returns list of services not-assigned to any well-known service
  deep_copy(all_allowed_services)
end

#GetAllDialUpInterfacesArray<String>

Function returns list of dial-up interfaces.

Examples:

GetAllDialUpInterfaces() -> ["modem0", "dsl5"]

Returns:

  • (Array<String>)

    of dial-up interface names



1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
# File 'library/network/src/lib/network/susefirewall2.rb', line 1116

def GetAllDialUpInterfaces
  dial_up_interfaces = []
  Builtins.foreach(GetAllKnownInterfaces()) do |interface|
    if Ops.get(interface, "type") == "dial_up"
      dial_up_interfaces = Builtins.add(
        dial_up_interfaces,
        Ops.get(interface, "id", "")
      )
    end
  end

  deep_copy(dial_up_interfaces)
end

#GetAllNonDialUpInterfacesArray<String>

Function returns list of non-dial-up interfaces.

Examples:

GetAllNonDialUpInterfaces() -> ["eth1", "eth2"]

Returns:

  • (Array<String>)

    of non-dial-up interface names



1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
# File 'library/network/src/lib/network/susefirewall2.rb', line 1098

def GetAllNonDialUpInterfaces
  non_dial_up_interfaces = []
  Builtins.foreach(GetAllKnownInterfaces()) do |interface|
    if Ops.get(interface, "type") != "dial_up"
      non_dial_up_interfaces = Builtins.add(
        non_dial_up_interfaces,
        Ops.get(interface, "id", "")
      )
    end
  end

  deep_copy(non_dial_up_interfaces)
end

#GetAllowedServicesForZoneProto(zone, protocol) ⇒ Array<String>

Function returns list of allowed services for zone and protocol

Parameters:

Returns:

  • (Array<String>)

    of allowed services/ports



438
439
440
441
442
443
444
445
446
447
# File 'library/network/src/lib/network/susefirewall2.rb', line 438

def GetAllowedServicesForZoneProto(zone, protocol)
  Builtins.splitstring(
    Ops.get_string(
      @SETTINGS,
      Ops.add(Ops.add(Ops.add("FW_SERVICES_", zone), "_"), protocol),
      ""
    ),
    " "
  )
end

#GetBroadcastAllowedPortsHash{String => Array<String>}

Local function returns map of allowed ports (without aliases). If any list for zone is defined but empty, all allowed UDP ports for this zone also accept broadcast packets. This function returns only ports that are mentioned in configuration, it doesn't return ports that are listed in some service (defined by package) which is enabled.

Structure:

$[
   "ZONE1" : [ "port1", "port2" ],
   "ZONE2" : [ "port3", "port4" ],
   "ZONE3" : [ ]
 ]
 or
 $[
   "ZONE1" : [ "yes" ],  // will work for all ports automatically
   "ZONE3" : [ ],
   "ZONE3" : [ ]
 ]

Returns:

  • (Hash{String => Array<String>})

    strings are allowed ports or port ranges



513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
# File 'library/network/src/lib/network/susefirewall2.rb', line 513

def GetBroadcastAllowedPorts
  allowed_ports = {}

  Builtins.foreach(GetKnownFirewallZones()) do |zone|
    broadcast = GetBroadcastConfiguration(zone)
    # no broadcast allowed for this zone
    case broadcast
    when "no"
      Ops.set(allowed_ports, zone, [])
      # BNC #694782: "yes" is automatically translated by SuSEfirewall2
    when "yes"
      Ops.set(allowed_ports, zone, ["yes"])
      # only listed ports allow broadcast
    else
      Ops.set(allowed_ports, zone, Builtins.splitstring(broadcast, " "))
      Ops.set(
        allowed_ports,
        zone,
        Builtins.filter(Builtins.splitstring(broadcast, " ")) do |not_space|
          not_space != ""
        end
      )
    end
  end

  Builtins.y2debug("Allowed Broadcast Ports: %1", allowed_ports)

  deep_copy(allowed_ports)
end

#GetBroadcastConfiguration(zone) ⇒ String

Local function returns configuration string for broadcast packets.

Returns:

  • (String)

    with broadcast configuration



470
471
472
# File 'library/network/src/lib/network/susefirewall2.rb', line 470

def GetBroadcastConfiguration(zone)
  Ops.get_string(@SETTINGS, Ops.add("FW_ALLOW_FW_BROADCAST_", zone), "no")
end

#GetConfigurationStringZone(zone_string) ⇒ String

Local function returns zone name (shortname) for configuration string. For instance "EXT" for "ext" zone.

Parameters:

  • zone_string (String)

    configuration string

Returns:



424
425
426
427
428
429
430
431
# File 'library/network/src/lib/network/susefirewall2.rb', line 424

def GetConfigurationStringZone(zone_string)
  if IsKnownZone(Builtins.toupper(zone_string))
    # zones in SuSEFirewall configuration are identified by lowercased zone shorters
    return Builtins.toupper(zone_string)
  end

  nil
end

#GetDefaultValue(variable) ⇒ String

Local function for returning default values (if defined) for sysconfig variables.

Parameters:

  • variable (String)

    sysconfig variable

Returns:



321
322
323
# File 'library/network/src/lib/network/susefirewall2.rb', line 321

def GetDefaultValue(variable)
  Ops.get(@DEFAULT_SETTINGS, variable, "")
end

#GetFirewallInterfacesArray<String>

Function returns all interfaces already configured in firewall.

Returns:

  • (Array<String>)

    of configured interfaces



1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
# File 'library/network/src/lib/network/susefirewall2.rb', line 1226

def GetFirewallInterfaces
  firewall_configured_devices = []

  Builtins.foreach(GetKnownFirewallZones()) do |zone|
    firewall_configured_devices = Convert.convert(
      Builtins.union(firewall_configured_devices, GetInterfacesInZone(zone)),
      from: "list",
      to:   "list <string>"
    )
  end

  Builtins.toset(firewall_configured_devices)
end

#GetFirewallInterfacesMapHash{String => Array<String>}

Function returns map of interfaces in zones.

Structure:

   map $[zone : [list of interfaces]]

Examples:

GetFirewallInterfacesMap() -> $["DMZ":[], "EXT":["dsl0"], "INT":["eth1", "eth2"]]

Returns:



1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
# File 'library/network/src/lib/network/susefirewall2.rb', line 1867

def GetFirewallInterfacesMap
  firewall_interfaces_now = {}

  # list of all known interfaces
  known_interfaces = GetListOfKnownInterfaces()

  # searching each zone
  Builtins.foreach(GetKnownFirewallZones()) do |zone|
    # filtering non-existing interfaces
    Ops.set(
      firewall_interfaces_now,
      zone,
      Builtins.filter(GetInterfacesInZone(zone)) do |interface|
        Builtins.contains(known_interfaces, interface)
      end
    )
  end

  deep_copy(firewall_interfaces_now)
end

#GetFirewallKernelModulesArray<String>

Returns list of additional kernel modules, that are loaded by firewall on startup. For instance "ip_conntrack_ftp" and "ip_nat_ftp" for FTP service.

Returns:

  • (Array<String>)

    of kernel modules

See Also:

  • option nr. 32 (FW_LOAD_MODULES)


2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
# File 'library/network/src/lib/network/susefirewall2.rb', line 2310

def GetFirewallKernelModules
  k_modules = Builtins.splitstring(
    Ops.get_string(@SETTINGS, "FW_LOAD_MODULES", ""),
    " \t\n"
  )

  k_modules = Builtins.filter(k_modules) { |one_module| one_module != "" }

  Builtins.toset(k_modules)
end

#GetIgnoreLoggingBroadcast(zone) ⇒ String

Function returns yes/no - ignoring broadcast for zone

Examples:

# Does not log ignored broadcast packets
GetIgnoreLoggingBroadcast ("EXT") -> "yes"

Parameters:

Returns:



2234
2235
2236
2237
2238
2239
2240
2241
# File 'library/network/src/lib/network/susefirewall2.rb', line 2234

def GetIgnoreLoggingBroadcast(zone)
  if !IsKnownZone(zone)
    Builtins.y2error("Unknown zone '%1'", zone)
    return nil
  end

  Ops.get_string(@SETTINGS, Ops.add("FW_IGNORE_FW_BROADCAST_", zone), "no")
end

#GetInterfacesInZone(zone) ⇒ Array<String>

Function returns list of known interfaces in requested zone. Special strings like 'any' or 'auto' and unknown interfaces are removed from list.

Examples:

GetInterfacesInZone ("DMZ") -> ["eth4", "eth5"]

Parameters:

Returns:

  • (Array<String>)

    of interfaces



1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
# File 'library/network/src/lib/network/susefirewall2.rb', line 1207

def GetInterfacesInZone(zone)
  interfaces_in_zone = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_DEV_", zone), ""),
    " "
  )

  known_interfaces_now = GetListOfKnownInterfaces()

  # filtering special strings
  interfaces_in_zone = Builtins.filter(interfaces_in_zone) do |interface|
    interface != "" && Builtins.contains(known_interfaces_now, interface)
  end

  deep_copy(interfaces_in_zone)
end

#GetInterfacesInZoneSupportingAnyFeature(zone) ⇒ Array<String>

Function returns list of known interfaces in requested zone. Special string 'any' in EXT zone covers all interfaces without any zone assignment.

Parameters:

Returns:

  • (Array<String>)

    of interfaces



1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
# File 'library/network/src/lib/network/susefirewall2.rb', line 1275

def GetInterfacesInZoneSupportingAnyFeature(zone)
  interfaces_in_zone = GetInterfacesInZone(zone)

  # 'any' in EXT zone, add all interfaces without zone to this one
  interfaces_covered_by_any = InterfacesSupportedByAnyFeature(zone)
  if Ops.greater_than(Builtins.size(interfaces_covered_by_any), 0)
    interfaces_in_zone = Convert.convert(
      Builtins.union(interfaces_in_zone, interfaces_covered_by_any),
      from: "list",
      to:   "list <string>"
    )
  end

  deep_copy(interfaces_in_zone)
end

#GetListOfForwardsIntoMasqueradeArray<Hash{String => String>}

Function returns list of rules of forwarding ports to masqueraded IPs.

Structure:

list [$[ key: value ]]

$[ "forward_to":"172.24.233.1", "protocol":"tcp", "req_ip":"192.168.0.3", "req_port":"355", "source_net":"192.168.0.0/20", "to_port":"533"], ... ]

Examples:

GetListOfForwardsIntoMasquerade() -> [

Returns:



2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
# File 'library/network/src/lib/network/susefirewall2.rb', line 2013

def GetListOfForwardsIntoMasquerade
  list_of_rules = []

  Builtins.foreach(
    Builtins.splitstring(
      Ops.get_string(@SETTINGS, "FW_FORWARD_MASQ", ""),
      " "
    )
  ) do |forward_rule|
    next if forward_rule == ""

    # Format: <source network>,<ip to forward to>,<protocol>,<port>[,redirect port,[destination ip]]
    fw_rul = Builtins.splitstring(forward_rule, ",")
    # first four parameters has to be defined
    if Ops.get(fw_rul, 0, "") == "" || Ops.get(fw_rul, 1, "") == "" ||
        Ops.get(fw_rul, 2, "") == "" ||
        Ops.get(fw_rul, 3, "") == ""
      Builtins.y2warning(
        "Wrong definition of redirect rule: '%1', part of '%2'",
        forward_rule,
        Ops.get_string(@SETTINGS, "FW_FORWARD_MASQ", "")
      )
    end
    list_of_rules = Builtins.add(
      list_of_rules,
      "source_net" => Ops.get(fw_rul, 0, ""),
      "forward_to" => Ops.get(fw_rul, 1, ""),
      "protocol"   => Builtins.tolower(Ops.get(fw_rul, 2, "")),
      "req_port"   => Builtins.tolower(Ops.get(fw_rul, 3, "")),
      # to_port is req_port when undefined
      "to_port"    => Builtins.tolower(
        Ops.get(fw_rul, 4, Ops.get(fw_rul, 3, ""))
      ),
      "req_ip"     => Builtins.tolower(Ops.get(fw_rul, 5, ""))
    )
  end

  deep_copy(list_of_rules)
end

#GetListOfSuSEFirewallVariablesArray<String>

Function return list of variables needed for SuSEFirewall's settings.

Returns:

  • (Array<String>)

    of names of variables



290
291
292
# File 'library/network/src/lib/network/susefirewall2.rb', line 290

def GetListOfSuSEFirewallVariables
  deep_copy(@SuSEFirewall_variables)
end

#GetLoggingSettings(rule) ⇒ String

Function returns actual state of logging for rule taken as parameter.

Examples:

GetLoggingSettings("ACCEPT") -> "CRIT"
GetLoggingSettings("DROP") -> "CRIT"

Parameters:

  • rule (String)

    definition 'ACCEPT' or 'DROP'

Returns:

  • (String)

    'ALL', 'CRIT', or 'NONE'



2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
# File 'library/network/src/lib/network/susefirewall2.rb', line 2156

def GetLoggingSettings(rule)
  ret_val = nil

  case rule
  when "ACCEPT"
    ret_val = if Ops.get_string(@SETTINGS, "FW_LOG_ACCEPT_ALL", "no") == "yes"
      "ALL"
    elsif Ops.get_string(@SETTINGS, "FW_LOG_ACCEPT_CRIT", "yes") == "yes"
      "CRIT"
    else
      "NONE"
    end
  when "DROP"
    ret_val = if Ops.get_string(@SETTINGS, "FW_LOG_DROP_ALL", "no") == "yes"
      "ALL"
    elsif Ops.get_string(@SETTINGS, "FW_LOG_DROP_CRIT", "yes") == "yes"
      "CRIT"
    else
      "NONE"
    end
  else
    Builtins.y2error("Possible rules are only 'ACCEPT' or 'DROP'")
  end

  ret_val
end

#GetMasquerade(_zone = nil) ⇒ Boolean

Function returns actual state of Masquerading support.

Parameters:

  • _zone (defaults to: nil)

    Ignored

Returns:

  • (Boolean)

    if supported



1972
1973
1974
1975
# File 'library/network/src/lib/network/susefirewall2.rb', line 1972

def GetMasquerade(_zone = nil)
  Ops.get_string(@SETTINGS, "FW_MASQUERADE", "no") == "yes" &&
    Ops.get_string(@SETTINGS, "FW_ROUTE", "no") == "yes"
end

#GetProtectFromInternalZoneBoolean

Function returns if firewall is protected from internal zone.

Returns:

  • (Boolean)

    if protected from internal



898
899
900
# File 'library/network/src/lib/network/susefirewall2.rb', line 898

def GetProtectFromInternalZone
  Ops.get_string(@SETTINGS, "FW_PROTECT_FROM_INT", "no") == "yes"
end

#GetProtocolTranslatedName(protocol) ⇒ String

Returns translated protocol name. Translation is provided from SuSEfirewall2 sysconfig format to l10n format.

Parameters:

  • protocol (String)

    from sysconfig (e.g., rpc)

Returns:

  • (String)

    translated string (e.g., RPC)



2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
# File 'library/network/src/lib/network/susefirewall2.rb', line 2370

def GetProtocolTranslatedName(protocol)
  protocol = Builtins.tolower(protocol)

  if protocol == ""
    ""
  elsif Ops.get(@protocol_translations, protocol).nil?
    Builtins.y2error("Unknown protocol: %1", protocol)
    # table item, %1 stands for the buggy protocol name
    Builtins.sformat(_("Unknown protocol (%1)"), protocol)
  else
    Ops.get(@protocol_translations, protocol, "")
  end
end

#GetServicesAcceptRelated(zone) ⇒ Array<String>

Returns list of FW_SERVICES_ACCEPT_RELATED_*: Services to allow that are considered RELATED by the connection tracking engine, e.g., SLP browsing reply or Samba browsing reply.

Examples:

GetServicesAcceptRelated ("EXT") -> ["0/0,udp,427", "0/0,udp,137"]

Parameters:

Returns:

  • (Array<String>)

    list of definitions

See Also:

  • #SetServicesAcceptRelated()


2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
# File 'library/network/src/lib/network/susefirewall2.rb', line 2395

def GetServicesAcceptRelated(zone)
  if !IsKnownZone(zone)
    Builtins.y2error("Uknown zone '%1'", zone)
    return []
  end

  Builtins.splitstring(
    Ops.get_string(
      @SETTINGS,
      Ops.add("FW_SERVICES_ACCEPT_RELATED_", zone),
      ""
    ),
    " \t\n"
  )
end

#GetSpecialInterfacesInZone(zone) ⇒ Array<String>

Function returns list of special strings like 'any' or 'auto' and uknown interfaces.

Examples:

GetSpecialInterfacesInZone("EXT") -> ["any", "unknown-1", "wrong-3"]

Parameters:

Returns:

  • (Array<String>)

    special strings or unknown interfaces



1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
# File 'library/network/src/lib/network/susefirewall2.rb', line 1895

def GetSpecialInterfacesInZone(zone)
  interfaces_in_zone = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_DEV_", zone), ""),
    " "
  )

  known_interfaces_now = GetInterfacesInZone(zone)

  # filtering known interfaces and spaces
  interfaces_in_zone = Builtins.filter(interfaces_in_zone) do |interface|
    interface != "" && !Builtins.contains(known_interfaces_now, interface)
  end

  deep_copy(interfaces_in_zone)
end

#GetSupportRouteBoolean

Function returns if firewall supports routing.

Returns:

  • (Boolean)

    if route is supported



922
923
924
# File 'library/network/src/lib/network/susefirewall2.rb', line 922

def GetSupportRoute
  Ops.get_string(@SETTINGS, "FW_ROUTE", "no") == "yes"
end

#GetTrustIPsecAsString

Function returns the trust level of IPsec packets. See SetTrustIPsecAs() for more information.

Returns:



959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
# File 'library/network/src/lib/network/susefirewall2.rb', line 959

def GetTrustIPsecAs
  # do not trust
  return "no" if Ops.get(@SETTINGS, "FW_IPSEC_TRUST") == "no"

  # default value for 'yes" ~= "INT"
  return "INT" if Ops.get(@SETTINGS, "FW_IPSEC_TRUST") == "yes"

  zone = GetConfigurationStringZone(
    Ops.get_string(@SETTINGS, "FW_IPSEC_TRUST", "")
  )

  # trust as named zone (if known)
  return zone if IsKnownZone(zone)

  # unknown zone, change to default value
  SetModified()
  defaultv = GetDefaultValue("FW_IPSEC_TRUST")
  Builtins.y2warning(
    "Trust IPsec as '%1' (unknown zone) changed to '%2'",
    Ops.get_string(@SETTINGS, "FW_IPSEC_TRUST", ""),
    defaultv
  )
  SetTrustIPsecAs(defaultv)
  "no"
end

#GetZoneConfigurationString(zone) ⇒ String

Local function returns configuration string used in configuration for zone. For instance "ext" for "EXT" zone.

Parameters:

Returns:

  • (String)

    zone configuration string



410
411
412
413
414
415
416
417
# File 'library/network/src/lib/network/susefirewall2.rb', line 410

def GetZoneConfigurationString(zone)
  if IsKnownZone(zone)
    # zones in SuSEFirewall configuration are identified by lowercased zone shorters
    return Builtins.tolower(zone)
  end

  nil
end

#GetZoneOfInterface(interface) ⇒ String

Function returns the firewall zone of interface, nil if no zone includes the interface. Error is reported when interface is found in multiple firewall zones, then the first appearance is returned.

Examples:

GetZoneOfInterface ("eth-id-01:11:DA:9C:8A:2F") -> "DMZ"

Parameters:

Returns:



1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
# File 'library/network/src/lib/network/susefirewall2.rb', line 1028

def GetZoneOfInterface(interface)
  interface_zone = []

  Builtins.foreach(GetKnownFirewallZones()) do |zone|
    interface_zone = Builtins.add(interface_zone, zone) if IsInterfaceInZone(interface, zone)
  end

  # Fallback handling for 'any' in the FW_DEV_* configuration
  if interface == @special_all_interface_string &&
      Builtins.size(interface_zone) == 0
    interface_zone = [@special_all_interface_zone]
  end

  if IsVerbose() && Ops.greater_than(Builtins.size(interface_zone), 1)
    # TRANSLATORS: Error message, %1 = interface name (like eth0)
    Report.Error(
      Builtins.sformat(
        _(
          "Interface '%1' is included in multiple firewall zones.\n" \
          "Continuing with configuration can produce errors.\n" \
          "\n" \
          "It is recommended to leave the configuration and repair it manually in\n" \
          "the file '/etc/sysconfig/SuSEFirewall'."
        ),
        interface
      )
    )
  end

  # return the first existence of interface in zones
  # if it is not presented anywhere, nil is returned
  Ops.get_string(interface_zone, 0)
end

#GetZonesOfInterfacesWithAnyFeatureSupported(interfaces) ⇒ Array<String>

Function returns list of zones of requested interfaces. Special string 'any' in 'EXT' zone is supported.

Examples:

GetZonesOfInterfaces (["eth1","eth4"]) -> ["EXT"]

Parameters:

Returns:

  • (Array<String>)

    firewall zones



1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
# File 'library/network/src/lib/network/susefirewall2.rb', line 1070

def GetZonesOfInterfacesWithAnyFeatureSupported(interfaces)
  interfaces = deep_copy(interfaces)
  zones = []
  zone = ""

  # 'any' in 'EXT'
  interfaces_covered_by_any = GetInterfacesInZoneSupportingAnyFeature(
    @special_all_interface_zone
  )

  Builtins.foreach(interfaces) do |interface|
    # interface is covered by 'any' in 'EXT'
    zone = if Builtins.contains(interfaces_covered_by_any, interface)
      @special_all_interface_zone
    else
      # interface is explicitely mentioned in some zone
      GetZoneOfInterface(interface)
    end
    zones = Builtins.add(zones, zone) if !zone.nil?
  end

  Builtins.toset(zones)
end

#Import(import_settings) ⇒ Object

Function for setting SuSEFirewall configuration from input

Parameters:

  • import_settings (Hash<String, Object>)

    with configuration



995
996
997
998
999
1000
1001
1002
1003
# File 'library/network/src/lib/network/susefirewall2.rb', line 995

def Import(import_settings)
  Read()
  @SETTINGS.merge!(import_settings || {})
  @configuration_has_been_read = true

  SetModified()

  nil
end

#IncreaseVerbosityObject

Local function for increasing the verbosity level.



295
296
297
298
299
# File 'library/network/src/lib/network/susefirewall2.rb', line 295

def IncreaseVerbosity
  @verbose_level = Ops.add(@verbose_level, 1)

  nil
end

#InterfacesSupportedByAnyFeature(zone) ⇒ Array<String>

Returns list of interfaces not mentioned in any zone and covered by the special string 'any' in zone 'EXT' if such string exists there and the zone is EXT. If the feature 'any' is not set, function returns empty list.

Parameters:

Returns:

  • (Array<String>)

    of interfaces covered by special string 'any'

See Also:

  • #IsAnyNetworkInterfaceSupported()


1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
# File 'library/network/src/lib/network/susefirewall2.rb', line 1247

def InterfacesSupportedByAnyFeature(zone)
  result = []

  if zone == @special_all_interface_zone && IsAnyNetworkInterfaceSupported()
    known_interfaces_now = GetListOfKnownInterfaces()
    configured_interfaces = GetFirewallInterfaces()
    Builtins.foreach(known_interfaces_now) do |one_interface|
      if !Builtins.contains(configured_interfaces, one_interface)
        Builtins.y2milestone(
          "Interface '%1' supported by special string '%2' in zone '%3'",
          one_interface,
          @special_all_interface_string,
          @special_all_interface_zone
        )
        result = Builtins.add(result, one_interface)
      end
    end
  end

  deep_copy(result)
end

#IsAnyNetworkInterfaceSupportedBoolean

Function returns whether the feature 'any' network interface is supported in the firewall configuration. The string 'any' must be in the 'EXT' zone. Updated: Currently returns only 'true' as every unassigned interface is automatically assigned to the EXT zone by SuSEfirewall2.

Returns:

  • (Boolean)

    is_supported whether the feature is supported or not



282
283
284
285
# File 'library/network/src/lib/network/susefirewall2.rb', line 282

def IsAnyNetworkInterfaceSupported
  # Currently unassigned interfaces belong to the EXT zone by dafault
  true
end

#IsBroadcastAllowed(needed_ports, zone) ⇒ Boolean

Function returns if broadcast is allowed for needed ports in zone.

Examples:

IsBroadcastAllowed (["port-xyz", "53"], "EXT") -> true

Parameters:

Returns:

  • (Boolean)

    if is allowed



570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
# File 'library/network/src/lib/network/susefirewall2.rb', line 570

def IsBroadcastAllowed(needed_ports, zone)
  needed_ports = deep_copy(needed_ports)
  if Builtins.size(needed_ports) == 0
    Builtins.y2warning("Unknown service with no needed ports!")
    return nil
  end

  # getting broadcast allowed ports
  allowed_ports_map = GetBroadcastAllowedPorts()

  # Divide allowed port ranges and aliases (also with their port aliases)
  allowed_ports_divided = PortRanges.DividePortsAndPortRanges(
    Ops.get(allowed_ports_map, zone, []),
    true
  )

  # If there are no allowed ports at all
  if Ops.get(allowed_ports_divided, "ports", []) == [] &&
      Ops.get(allowed_ports_divided, "port_ranges", []) == []
    return false
  end

  is_allowed = true
  # checking all needed ports;
  Builtins.foreach(needed_ports) do |needed_port|
    # allowed ports don't contain the needed one and also portranges don't
    if !Builtins.contains(
      Ops.get(allowed_ports_divided, "ports", []),
      needed_port
    ) &&
        !PortRanges.PortIsInPortranges(
          needed_port,
          Ops.get(allowed_ports_divided, "port_ranges", [])
        )
      is_allowed = false
      raise Break
    end
  end

  is_allowed
end

#IsInterfaceInZone(interface, zone) ⇒ Boolean

Function returns if the interface is in zone.

Examples:

IsInterfaceInZone ("eth-id-01:11:DA:9C:8A:2F", "INT") -> false

Parameters:

Returns:

  • (Boolean)

    is in zone



1012
1013
1014
1015
1016
1017
1018
# File 'library/network/src/lib/network/susefirewall2.rb', line 1012

def IsInterfaceInZone(interface, zone)
  interfaces = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_DEV_", zone), ""),
    " "
  )
  Builtins.contains(interfaces, interface)
end

#IsServiceDefinedByPackageSupportedInZone(service, zone) ⇒ Boolean

Returns whether a service is mentioned in FW_CONFIGURATIONS_[EXT|INT|DMZ]. These services are defined by random packages.

Examples:

IsServiceDefinedByPackageSupportedInZone ("service:sshd", "EXT") -> true

Parameters:

  • service (String)

    e.g., "service:sshd"

  • zone (String)

    e.g., "EXT"

Returns:

  • (Boolean)

    if service is supported in zone



1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
# File 'library/network/src/lib/network/susefirewall2.rb', line 1300

def IsServiceDefinedByPackageSupportedInZone(service, zone)
  return nil if !IsKnownZone(zone)

  if service.nil?
    Builtins.y2error("Service Id can't be nil!")
    return nil
  elsif Builtins.regexpmatch(service, "^service:.*")
    service = Builtins.regexpsub(service, "^service:(.*)", "\\1")
  end

  # services defined by package are listed without "service:" which is here
  # just to distinguish between dynamic and static definitions
  supported_services = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_CONFIGURATIONS_", zone), ""),
    " "
  )
  Builtins.contains(supported_services, service)
end

#IsServiceSupportedInZone(service, zone) ⇒ Boolean

Function returns if service is supported (allowed) in zone. Service must be defined in the SuSEFirewallServices. Works transparently also with services defined by packages. Such service starts with "service:" prefix.

// irc-server definition exists on the system and the irc-server // is mentioned in FW_CONFIGURATIONS_EXT variable of SuSEfirewall2 IsServiceSupportedInZone ("service:irc-server", "EXT") -> true

Examples:

// All ports defined by dns-server service in SuSEFirewallServices module
// are enabled in the respective zone
IsServiceSupportedInZone ("dns-server", "EXT") -> true

Parameters:

Returns:

  • (Boolean)

    if supported

See Also:

  • Module SuSEFirewallServices


1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
# File 'library/network/src/lib/network/susefirewall2.rb', line 1335

def IsServiceSupportedInZone(service, zone)
  return nil if !IsKnownZone(zone)

  Yast.import "SuSEFirewallServices" # lazy import due to circular dependencies

  needed = SuSEFirewallServices.GetNeededPortsAndProtocols(service)

  # SuSEFirewall feature FW_PROTECT_FROM_INT
  # should not be protected and searched zones include also internal (or the zone IS internal, sure)
  if zone == @int_zone_shortname && !GetProtectFromInternalZone()
    Builtins.y2milestone(
      "Checking for service '%1', in '%2', PROTECT_FROM_INTERNAL='no' => allowed",
      service,
      zone
    )
    return true
  end

  # FATE #300687: Ports for SuSEfirewall added via packages
  if SuSEFirewallServices.ServiceDefinedByPackage(service)
    supported = IsServiceDefinedByPackageSupportedInZone(service, zone)
    return supported
  end

  # starting with nil value, any false means that the service is not supported
  service_is_supported = nil
  Builtins.foreach(@service_defined_by) do |key|
    needed_ports = Ops.get(needed, key, [])
    next if needed_ports == []

    case key
    when "tcp_ports"
      service_is_supported = ArePortsOrServicesAllowed(
        needed_ports,
        "TCP",
        zone,
        true
      )
    when "udp_ports"
      service_is_supported = ArePortsOrServicesAllowed(
        needed_ports,
        "UDP",
        zone,
        true
      )
    when "rpc_ports"
      service_is_supported = ArePortsOrServicesAllowed(
        needed_ports,
        "RPC",
        zone,
        false
      )
    when "ip_protocols"
      service_is_supported = ArePortsOrServicesAllowed(
        needed_ports,
        "IP",
        zone,
        false
      )
    when "broadcast_ports"
      # testing for allowed broadcast ports
      service_is_supported = IsBroadcastAllowed(needed_ports, zone)
    else
      Builtins.y2error("Unknown key '%1'", key)
    end
    # service is not supported, we don't have to do more tests
    raise Break if service_is_supported == false
  end

  service_is_supported
end

#IsVerboseBoolean

Local function returns if other functions should produce verbose output. like popups, reporting errors, etc.

Returns:

  • (Boolean)

    is_verbose



312
313
314
315
# File 'library/network/src/lib/network/susefirewall2.rb', line 312

def IsVerbose
  # verbose level must be above zero to be verbose
  Ops.greater_than(@verbose_level, 0)
end

#mainObject



43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
# File 'library/network/src/lib/network/susefirewall2.rb', line 43

def main
  textdomain "base"

  Yast.import "Mode"
  Yast.import "Service"
  Yast.import "NetworkInterfaces"
  Yast.import "PortAliases"
  Yast.import "Report"
  Yast.import "Message"
  Yast.import "Progress"
  Yast.import "PortRanges"
  Yast.import "FileUtils"
  Yast.import "Directory"
  Yast.import "Stage"
  Yast.import "Pkg"

  # <!-- SuSEFirewall VARIABLES //-->

  @FIREWALL_PACKAGE = "SuSEfirewall2"

  # configuration hasn't been read for the default
  # this should reduce the readings to only ONE
  @configuration_has_been_read = false

  # String which includes all interfaces not-defined in any zone
  @special_all_interface_string = "any"

  # Maximal number of port number, they are in the interval 1-65535 included
  @max_port_number = PortRanges.max_port_number

  # Zone which works with the special_all_interface_string string
  @special_all_interface_zone = "EXT"

  # firewall settings map
  @SETTINGS = {}

  # configuration was modified when true
  @modified = false

  # defines if SuSEFirewall is running
  @is_running = false

  # default settings for SuSEFirewall
  @DEFAULT_SETTINGS = {
    "FW_LOG_ACCEPT_ALL"          => "no",
    "FW_LOG_ACCEPT_CRIT"         => "yes",
    "FW_LOG_DROP_ALL"            => "no",
    "FW_LOG_DROP_CRIT"           => "yes",
    "FW_PROTECT_FROM_INT"        => "no",
    "FW_ROUTE"                   => "no",
    "FW_STOP_KEEP_ROUTING_STATE" => "no",
    "FW_MASQUERADE"              => "no",
    "FW_ALLOW_FW_TRACEROUTE"     => "yes",
    "FW_ALLOW_PING_FW"           => "yes",
    "FW_ALLOW_FW_BROADCAST_EXT"  => "no",
    "FW_ALLOW_FW_BROADCAST_INT"  => "no",
    "FW_ALLOW_FW_BROADCAST_DMZ"  => "no",
    "FW_IGNORE_FW_BROADCAST_EXT" => "yes",
    "FW_IGNORE_FW_BROADCAST_INT" => "no",
    "FW_IGNORE_FW_BROADCAST_DMZ" => "no",
    "FW_IPSEC_TRUST"             => "no",
    "FW_BOOT_FULL_INIT"          => "no"
  }

  # verbose_level -> if verbosity is more than 0, be verbose, starting in verbose mode
  @verbose_level = 1

  # list of known firewall zones
  @known_firewall_zones = ["INT", "DMZ", "EXT"]

  # map defines zone name for all known firewall zones
  @zone_names = {
    # TRANSLATORS: Firewall zone name - used in combo box or dialog title
    "EXT" => _(
      "External Zone"
    ),
    # TRANSLATORS: Firewall zone name - used in combo box or dialog title
    "INT" => _(
      "Internal Zone"
    ),
    # TRANSLATORS: Firewall zone name - used in combo box or dialog title
    "DMZ" => _(
      "Demilitarized Zone"
    )
  }

  # internal zone identification - useful for protect-from-internal
  @int_zone_shortname = "INT"

  # list of protocols supported in firewall, use only upper-cases
  @supported_protocols = ["TCP", "UDP", "RPC", "IP"]

  # list of keys in map of definition well-known services
  @service_defined_by = [
    "tcp_ports",
    "udp_ports",
    "rpc_ports",
    "ip_protocols",
    "broadcast_ports"
  ]

  # list of services currently allowed, which share ports (for instance RPC services)
  @allowed_conflict_services = {}

  @firewall_service = "SuSEfirewall2"

  @SuSEFirewall_variables = [
    # zones and interfaces
    "FW_DEV_INT",
    "FW_DEV_DMZ",
    "FW_DEV_EXT",
    # services in zones
    "FW_SERVICES_INT_TCP",
    "FW_SERVICES_INT_UDP",
    "FW_SERVICES_INT_RPC",
    "FW_SERVICES_INT_IP",
    "FW_SERVICES_DMZ_TCP",
    "FW_SERVICES_DMZ_UDP",
    "FW_SERVICES_DMZ_RPC",
    "FW_SERVICES_DMZ_IP",
    "FW_SERVICES_EXT_TCP",
    "FW_SERVICES_EXT_UDP",
    "FW_SERVICES_EXT_RPC",
    "FW_SERVICES_EXT_IP",
    "FW_PROTECT_FROM_INT",
    # global routing, masquerading
    "FW_ROUTE",
    "FW_STOP_KEEP_ROUTING_STATE",
    "FW_MASQUERADE",
    "FW_FORWARD_MASQ",
    "FW_FORWARD_ALWAYS_INOUT_DEV",
    # broadcast packets
    "FW_ALLOW_FW_BROADCAST_EXT",
    "FW_ALLOW_FW_BROADCAST_INT",
    "FW_ALLOW_FW_BROADCAST_DMZ",
    "FW_IGNORE_FW_BROADCAST_EXT",
    "FW_IGNORE_FW_BROADCAST_INT",
    "FW_IGNORE_FW_BROADCAST_DMZ",
    # FATE #300970: Support for 'Samba & friends' browsing
    "FW_SERVICES_ACCEPT_RELATED_EXT",
    "FW_SERVICES_ACCEPT_RELATED_INT",
    "FW_SERVICES_ACCEPT_RELATED_DMZ",
    # logging
    "FW_LOG_DROP_CRIT",
    "FW_LOG_DROP_ALL",
    "FW_LOG_ACCEPT_CRIT",
    "FW_LOG_ACCEPT_ALL",
    # IPsec support
    "FW_IPSEC_TRUST",
    # Custom rulezz
    #     net,protocol[,dport][,sport]
    "FW_SERVICES_ACCEPT_EXT",
    "FW_SERVICES_ACCEPT_INT",
    "FW_SERVICES_ACCEPT_DMZ",
    # Custom kernel modules, e.g., for FTP
    "FW_LOAD_MODULES",
    # Services defined in /usr/share/SuSEfirewall2/services/ directory
    # FATE #300687: Ports for SuSEfirewall added via packages
    "FW_CONFIGURATIONS_EXT",
    "FW_CONFIGURATIONS_INT",
    "FW_CONFIGURATIONS_DMZ",
    # bsc#916376: Ports need to be open already during boot
    "FW_BOOT_FULL_INIT"
  ]

  # FATE #300970: Firewall support for SMB browsing
  @broadcast_related_module = "nf_conntrack_netbios_ns"

  # Variable for ReportOnlyOnce() function
  @report_only_once = []

  # <!-- SuSEFirewall LOCAL FUNCTIONS //-->

  # <!-- SuSEFirewall GLOBAL FUNCTIONS //-->

  # bnc #388773
  # By default needed packages are just checked, not installed
  @check_and_install_package = false

  # Are needed packages (SuSEfirewall2) installed?
  @needed_packages_installed = nil

  # Configuration has been read and it's useful
  @fw_service_can_be_configured = false

  # old internal services definitions are converted to new services defined by packages
  # but only once
  @converted_to_services_dbp_file = Ops.add(
    Directory.vardir,
    "/yast2-firewall-already-converted-to-sdbp"
  )

  # services have been already converted
  @already_converted = false

  @protocol_translations = {
    # protocol name
    "tcp"   => _("TCP"),
    # protocol name
    "udp"   => _("UDP"),
    # protocol name
    "_rpc_" => _("RPC"),
    # protocol name
    "ip"    => _("IP")
  }
end

#ReadBoolean

Function for reading SuSEFirewall configuration. Fills internal variables only.

Returns:

  • (Boolean)

    if successful



1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
# File 'library/network/src/lib/network/susefirewall2.rb', line 1499

def Read
  # Do not read it again and again
  # to avoid rewriting changes already made
  if @configuration_has_been_read
    Builtins.y2milestone(
      "SuSEfirewall2 configuration has been read already."
    )
    return @fw_service_can_be_configured
  end

  # bnc #887406
  if !FileUtils.Exists(CONFIG_FILE) || !SuSEFirewallIsSelectedOrInstalled()
    log.warn "No firewall config -> firewall can't be read"
    FillUpEmptyConfig()
    return false
  end

  # Can be configured, packages were installed
  @fw_service_can_be_configured = true

  # Progress only for normal configuration
  have_progress = Mode.normal

  if have_progress
    # TRANSLATORS: Dialog caption
    read_caption = _("Initializing Firewall Configuration")

    Progress.New(
      read_caption,
      " ",
      3,
      [
        # TRANSLATORS: Progress step
        _("Check for network devices"),
        # TRANSLATORS: Progress step
        _("Read current configuration"),
        # TRANSLATORS: Progress step
        _("Check possibly conflicting services")
      ],
      [
        # TRANSLATORS: Progress step
        _("Checking for network devices..."),
        # TRANSLATORS: Progress step
        _("Reading current configuration..."),
        # TRANSLATORS: Progress step
        _("Checking possibly conflicting services..."),
        Message.Finished
      ],
      ""
    )

    Progress.NextStage
  end

  # Always call NI::Read, bnc #396646
  NetworkInterfaces.Read

  Progress.NextStage if have_progress

  ReadCurrentConfiguration()

  Progress.NextStage if have_progress

  # checking if any possibly conficting services were turned on in configuration
  # filling internal values for later checkings
  # CheckAllPossiblyConflictingServices();
  # -- Function has been turned off as we don't support services defined by YaST itself anymore --

  Builtins.y2milestone(
    "Firewall configuration has been read: %1.",
    @SETTINGS
  )
  # to read configuration only once
  @configuration_has_been_read = true

  Progress.NextStage if have_progress

  # bnc #399217
  # Converting built-in service definitions to services defined by packages
  ConvertToServicesDefinedByPackages()

  Progress.Finish if have_progress

  true
end

#ReadCurrentConfigurationObject

Local function reads current configuration and fills internal values.



1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
# File 'library/network/src/lib/network/susefirewall2.rb', line 1465

def ReadCurrentConfiguration
  @SETTINGS = {}

  # is firewall enabled in /etc/init.d/ ?
  Ops.set(@SETTINGS, "enable_firewall", IsEnabled())
  # is firewall started now?
  Ops.set(@SETTINGS, "start_firewall", IsStarted())

  ReadSysconfigSuSEFirewall(GetListOfSuSEFirewallVariables())

  nil
end

#ReadDefaultConfigurationObject

Local function sets the default configuration and fills internal values.



1456
1457
1458
1459
1460
1461
1462
# File 'library/network/src/lib/network/susefirewall2.rb', line 1456

def ReadDefaultConfiguration
  @SETTINGS = {}

  ResetSysconfigSuSEFirewall(GetListOfSuSEFirewallVariables())

  nil
end

#ReadSysconfigSuSEFirewall(variables) ⇒ Object

Local function for reading list of sysconfig variables into internal variables.

Parameters:

  • variables (Array<String>)

    of sysconfig variables



328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
# File 'library/network/src/lib/network/susefirewall2.rb', line 328

def ReadSysconfigSuSEFirewall(variables)
  variables = deep_copy(variables)
  Builtins.foreach(variables) do |variable|
    value = Convert.to_string(
      SCR.Read(Builtins.add(path(".sysconfig.SuSEfirewall2"), variable))
    )
    # if value is undefined, get default value
    value = GetDefaultValue(variable) if value.nil? || value == ""
    # BNC #426000
    # backslash at the end
    if Builtins.regexpmatch(value, "[ \t]*\\\\[ \t]*\n")
      rules = Builtins.splitstring(value, "\\ \t\n")
      rules = Builtins.filter(rules) do |one_rule|
        !one_rule.nil? && one_rule != ""
      end
      value = Builtins.mergestring(rules, " ")
    end
    # BNC #194419
    # replace all "\n" with " " in variables
    value = Builtins.mergestring(Builtins.splitstring(value, "\n"), " ") if Builtins.regexpmatch(value, "\n")
    # replace all "\t" with " " in variables
    value = Builtins.mergestring(Builtins.splitstring(value, "\t"), " ") if Builtins.regexpmatch(value, "\t")
    Ops.set(@SETTINGS, variable, value)
  end

  nil
end

#RemoveAllowedBroadcast(needed_ports, zone) ⇒ Object

Local function removes list of ports from port allowing broadcast packets in zone.

Parameters:

  • needed_ports (Array<String>)

    to be removed

  • zone (String)


616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
# File 'library/network/src/lib/network/susefirewall2.rb', line 616

def RemoveAllowedBroadcast(needed_ports, zone)
  needed_ports = deep_copy(needed_ports)
  SetModified()

  allowed_ports = GetBroadcastAllowedPorts()
  list_ports_allowed = Ops.get(allowed_ports, zone, [])

  # ports to be allowed one by one
  Builtins.foreach(needed_ports) do |allow_this_port|
    # remove all aliases of ports yet mentioned in zone
    aliases_of_port = PortAliases.GetListOfServiceAliases(allow_this_port)
    list_ports_allowed = Builtins.filter(list_ports_allowed) do |just_allowed|
      !Builtins.contains(aliases_of_port, just_allowed)
    end
  end
  Ops.set(allowed_ports, zone, list_ports_allowed)

  # save it using function
  SetBroadcastAllowedPorts(allowed_ports)

  nil
end

#RemoveForwardIntoMasqueradeRule(remove_item) ⇒ Object

Function removes rule for forwarding into masquerade from the list of current rules returned by GetListOfForwardsIntoMasquerade().

Parameters:

  • remove_item (Integer)

    item number

See Also:

  • #GetListOfForwardsIntoMasquerade()


2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
# File 'library/network/src/lib/network/susefirewall2.rb', line 2059

def RemoveForwardIntoMasqueradeRule(remove_item)
  SetModified()

  forward_rules = []

  row_counter = 0
  Builtins.foreach(
    Builtins.splitstring(
      Ops.get_string(@SETTINGS, "FW_FORWARD_MASQ", ""),
      " "
    )
  ) do |forward_rule|
    next if forward_rule == ""

    forward_rules = Builtins.add(forward_rules, forward_rule) if row_counter != remove_item
    row_counter = Ops.add(row_counter, 1)
  end

  Ops.set(
    @SETTINGS,
    "FW_FORWARD_MASQ",
    Builtins.mergestring(forward_rules, " ")
  )

  nil
end

#RemoveInterfaceFromZone(interface, zone) ⇒ Object

Function removes interface from defined zone.

Examples:

RemoveInterfaceFromZone ("modem0", "EXT")

Parameters:



1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
# File 'library/network/src/lib/network/susefirewall2.rb', line 1135

def RemoveInterfaceFromZone(interface, zone)
  SetModified()

  Builtins.y2milestone(
    "Removing interface '%1' from '%2' zone.",
    interface,
    zone
  )

  interfaces_in_zone = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_DEV_", zone), ""),
    " "
  )
  interfaces_in_zone = Builtins.filter(interfaces_in_zone) do |single_interface|
    single_interface != "" && single_interface != interface
  end
  Ops.set(
    @SETTINGS,
    Ops.add("FW_DEV_", zone),
    Builtins.mergestring(interfaces_in_zone, " ")
  )

  nil
end

#RemoveOldAllowedServiceFromZone(old_service_def, zone) ⇒ Object

Removes old-service definitions before they are added as services defined by packages.



2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
# File 'library/network/src/lib/network/susefirewall2.rb', line 2482

def RemoveOldAllowedServiceFromZone(old_service_def, zone)
  old_service_def = deep_copy(old_service_def)
  Builtins.y2milestone("Removing: %1 from zone %2", old_service_def, zone)

  if Ops.get_list(old_service_def, "tcp_ports", []) != []
    Builtins.foreach(Ops.get_list(old_service_def, "tcp_ports", [])) do |one_service|
      RemoveService(one_service, "TCP", zone)
    end
  end

  if Ops.get_list(old_service_def, "udp_ports", []) != []
    Builtins.foreach(Ops.get_list(old_service_def, "udp_ports", [])) do |one_service|
      RemoveService(one_service, "UDP", zone)
    end
  end

  if Ops.get_list(old_service_def, "rpc_ports", []) != []
    Builtins.foreach(Ops.get_list(old_service_def, "rpc_ports", [])) do |one_service|
      RemoveService(one_service, "RPC", zone)
    end
  end

  if Ops.get_list(old_service_def, "ip_protocols", []) != []
    Builtins.foreach(Ops.get_list(old_service_def, "ip_protocols", [])) do |one_service|
      RemoveService(one_service, "IP", zone)
    end
  end

  if Ops.get_list(old_service_def, "broadcast_ports", []) != []
    broadcast = GetBroadcastAllowedPorts()

    Ops.set(broadcast, zone, Builtins.filter(Ops.get(broadcast, zone, [])) do |one_port|
      !Builtins.contains(
        Ops.get_list(old_service_def, "broadcast_ports", []),
        one_port
      )
    end)

    SetBroadcastAllowedPorts(broadcast)
  end

  nil
end

#RemoveServiceDefinedByPackageFromZone(service, zone) ⇒ Object

Removes service defined by package (FATE #300687) from enabled services.

Examples:

RemoveServiceDefinedByPackageFromZone ("service:irc-server", "EXT");

Parameters:



704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
# File 'library/network/src/lib/network/susefirewall2.rb', line 704

def RemoveServiceDefinedByPackageFromZone(service, zone)
  return nil if !IsKnownZone(zone)

  if service.nil?
    Builtins.y2error("Service Id can't be nil!")
    return nil
  elsif Builtins.regexpmatch(service, "^service:.*")
    service = Builtins.regexpsub(service, "^service:(.*)", "\\1")
  end

  # services defined by package are listed without "service:" which is here
  # just to distinguish between dynamic and static definitions
  supported_services = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_CONFIGURATIONS_", zone), ""),
    " "
  )
  # Removing the service
  supported_services = Builtins.filter(supported_services) do |one_service|
    one_service != service
  end
  Ops.set(
    @SETTINGS,
    Ops.add("FW_CONFIGURATIONS_", zone),
    Builtins.mergestring(supported_services, " ")
  )

  SetModified()

  nil
end

#RemoveServiceFromProtocolZone(remove_service, protocol, zone) ⇒ Boolean

Local function for removing (disallowing) single service/port for defined protocol and zone. Functions doesn't take care of port-aliases.

Parameters:

Returns:

  • (Boolean)

    success



679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
# File 'library/network/src/lib/network/susefirewall2.rb', line 679

def RemoveServiceFromProtocolZone(remove_service, protocol, zone)
  SetModified()

  key = Ops.add(Ops.add(Ops.add("FW_SERVICES_", zone), "_"), protocol)

  allowed = Builtins.splitstring(Ops.get_string(@SETTINGS, key, ""), " ")
  allowed = Builtins.filter(allowed) do |single_service|
    single_service != "" && single_service != remove_service
  end
  Ops.set(
    @SETTINGS,
    key,
    Builtins.mergestring(Builtins.toset(allowed), " ")
  )

  true
end

#RemoveServiceSupportFromZone(service, zone) ⇒ Object

Local function removes well-known service's support from zone. Allowed ports are removed with all of their port-aliases.

Parameters:



778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
# File 'library/network/src/lib/network/susefirewall2.rb', line 778

def RemoveServiceSupportFromZone(service, zone)
  Yast.import "SuSEFirewallServices" # lazy import due to circular dependencies

  needed = SuSEFirewallServices.GetNeededPortsAndProtocols(service)
  # unknown service
  if needed.nil?
    Builtins.y2error("Undefined service '%1'", service)
    return nil
  end

  # FATE #300687: Ports for SuSEfirewall added via packages
  if SuSEFirewallServices.ServiceDefinedByPackage(service)
    RemoveServiceDefinedByPackageFromZone(service, zone) if IsServiceSupportedInZone(service, zone) == true

    return nil
  end

  SetModified()

  # Removing service ports (and also port aliases for TCP and UDP)
  Builtins.foreach(@service_defined_by) do |key|
    needed_ports = Ops.get(needed, key, [])
    next if needed_ports == []

    case key
    when "tcp_ports"
      RemoveAllowedPortsOrServices(needed_ports, "TCP", zone, true)
    when "udp_ports"
      RemoveAllowedPortsOrServices(needed_ports, "UDP", zone, true)
    when "rpc_ports"
      RemoveAllowedPortsOrServices(needed_ports, "RPC", zone, false)
    when "ip_protocols"
      RemoveAllowedPortsOrServices(needed_ports, "IP", zone, false)
    when "broadcast_ports"
      RemoveAllowedBroadcast(needed_ports, zone)
    else
      Builtins.y2error("Unknown key '%1'", key)
    end
  end

  nil
end

#RemoveSpecialInterfaceFromZone(interface, zone) ⇒ Object

Function removes special string from defined zone.

Parameters:



1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
# File 'library/network/src/lib/network/susefirewall2.rb', line 1915

def RemoveSpecialInterfaceFromZone(interface, zone)
  SetModified()

  Builtins.y2milestone(
    "Removing special string '%1' from '%2' zone.",
    interface,
    zone
  )

  interfaces_in_zone = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_DEV_", zone), ""),
    " "
  )
  interfaces_in_zone = Builtins.filter(interfaces_in_zone) do |single_interface|
    single_interface != "" && single_interface != interface
  end
  Ops.set(
    @SETTINGS,
    Ops.add("FW_DEV_", zone),
    Builtins.mergestring(interfaces_in_zone, " ")
  )

  nil
end

#ReportOnlyOnce(what_to_report) ⇒ Boolean

Report the error, warning, message only once. Stores the error, warning, message in memory. This is just a helper function that could avoid from filling y2log up with a lot of the very same messages - 'foreach()' is a very powerful builtin.

Examples:

string error = sformat("Port number %1 is invalid.", port_nr);
if (ReportOnlyOnce(error)) y2error(error);

Parameters:

  • what_to_report (String)

    error, warning or message

Returns:

  • (Boolean)

    whether the message should be reported or not



265
266
267
268
269
270
# File 'library/network/src/lib/network/susefirewall2.rb', line 265

def ReportOnlyOnce(what_to_report)
  return false if Builtins.contains(@report_only_once, what_to_report)

  @report_only_once = Builtins.add(@report_only_once, what_to_report)
  true
end

#ResetReadFlagObject

Function resets flag which doesn't allow to read configuration from disk again. So you actually can reread the configuration from disk. Currently, only the first Read() call reads the configuration from disk.



874
875
876
877
878
# File 'library/network/src/lib/network/susefirewall2.rb', line 874

def ResetReadFlag
  @configuration_has_been_read = false

  nil
end

#ResetSysconfigSuSEFirewall(variables) ⇒ Object

Local function for resetting list of sysconfig variables in internal variables.

Parameters:

  • variables (Array<String>)

    of sysconfig variables



359
360
361
362
363
364
365
366
367
# File 'library/network/src/lib/network/susefirewall2.rb', line 359

def ResetSysconfigSuSEFirewall(variables)
  variables = deep_copy(variables)
  Builtins.foreach(variables) do |variable|
    # reseting means getting default variables
    Ops.set(@SETTINGS, variable, GetDefaultValue(variable))
  end

  nil
end

#SetAcceptExpertRules(zone, expert_rules) ⇒ Boolean

Sets expert allow rules for zone.

Parameters:

  • zone (String)
  • expert_rules (String)

    whitespace-separated expert_rules

Returns:

  • (Boolean)

    if successful



2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
# File 'library/network/src/lib/network/susefirewall2.rb', line 2289

def SetAcceptExpertRules(zone, expert_rules)
  zone = Builtins.toupper(zone)

  # Check for zone
  if !Builtins.contains(GetKnownFirewallZones(), zone)
    Builtins.y2error("Unknown firewall zone: %1", zone)
    return false
  end

  Ops.set(@SETTINGS, Ops.add("FW_SERVICES_ACCEPT_", zone), expert_rules)
  SetModified()

  true
end

#SetAllowedServicesForZoneProto(allowed_services, zone, protocol) ⇒ Object

Function sets list of services as allowed ports for zone and protocol

Parameters:

  • allowed_services (Array<String>)

    of allowed ports/services

  • zone (String)
  • protocol (String)


454
455
456
457
458
459
460
461
462
463
464
465
# File 'library/network/src/lib/network/susefirewall2.rb', line 454

def SetAllowedServicesForZoneProto(allowed_services, zone, protocol)
  allowed_services = deep_copy(allowed_services)
  SetModified()

  Ops.set(
    @SETTINGS,
    Ops.add(Ops.add(Ops.add("FW_SERVICES_", zone), "_"), protocol),
    Builtins.mergestring(Builtins.toset(allowed_services), " ")
  )

  nil
end

#SetBroadcastAllowedPorts(broadcast) ⇒ Object

Function creates allowed-broadcast-ports string from broadcast map and saves it.

Parameters:

  • broadcast (Hash<String,Array<String>>)

    strings are allowed ports or port ranges

See Also:

  • for an example of data


547
548
549
550
551
552
553
554
555
556
557
558
559
560
# File 'library/network/src/lib/network/susefirewall2.rb', line 547

def SetBroadcastAllowedPorts(broadcast)
  broadcast = deep_copy(broadcast)
  SetModified()

  Builtins.foreach(GetKnownFirewallZones()) do |zone|
    Ops.set(broadcast, zone, ["no"]) if Ops.get(broadcast, zone, []) == []
    SetBroadcastConfiguration(
      zone,
      Builtins.mergestring(Ops.get(broadcast, zone, []), " ")
    )
  end

  nil
end

#SetBroadcastConfiguration(zone, broadcast_configuration) ⇒ Object

Local function saves configuration string for broadcast packets.

Parameters:

  • zone (String)
  • broadcast_configuration (String)

    with broadcast configuration



478
479
480
481
482
483
484
485
486
487
488
# File 'library/network/src/lib/network/susefirewall2.rb', line 478

def SetBroadcastConfiguration(zone, broadcast_configuration)
  SetModified()

  Ops.set(
    @SETTINGS,
    Ops.add("FW_ALLOW_FW_BROADCAST_", zone),
    broadcast_configuration
  )

  nil
end

#SetFirewallKernelModules(k_modules) ⇒ Object

Sets list of additional kernel modules to be loaded by firewall on startup.

Examples:

SuSEFirewall::SetFirewallKernelModules (["ip_conntrack_ftp","ip_nat_ftp"]);

Parameters:

  • k_modules (Array<String>)

    list of kernel modules

See Also:

  • option nr. 32


2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
# File 'library/network/src/lib/network/susefirewall2.rb', line 2329

def SetFirewallKernelModules(k_modules)
  k_modules = deep_copy(k_modules)
  k_modules = Builtins.filter(k_modules) do |one_module|
    if one_module.nil?
      Builtins.y2error(
        "List of modules %1 contains 'nil'! It will be ignored.",
        k_modules
      )
      next false
    elsif one_module == ""
      Builtins.y2warning(
        "List of modules %1 contains an empty string, it will be ignored.",
        k_modules
      )
      next false
    end
    if Builtins.regexpmatch(one_module, " ") ||
        Builtins.regexpmatch(one_module, "\t")
      Builtins.y2warning(
        "Additional module '%1' contains spaces. They will be evaluated as two or more modules later.",
        one_module
      )
    end
    true
  end

  Ops.set(
    @SETTINGS,
    "FW_LOAD_MODULES",
    Builtins.mergestring(k_modules, " ")
  )
  SetModified()

  nil
end

#SetIgnoreLoggingBroadcast(zone, bcast) ⇒ Object

Function sets yes/no - ignoring broadcast for zone

Examples:

# Does not log broadcast packets from DMZ
SetIgnoreLoggingBroadcast ("DMZ", "yes")

Parameters:



2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
# File 'library/network/src/lib/network/susefirewall2.rb', line 2251

def SetIgnoreLoggingBroadcast(zone, bcast)
  if !IsKnownZone(zone)
    Builtins.y2error("Unknown zone '%1'", zone)
    return nil
  end

  SetModified()

  Ops.set(@SETTINGS, Ops.add("FW_IGNORE_FW_BROADCAST_", zone), bcast)

  nil
end

#SetLoggingSettings(rule, state) ⇒ Object

Function sets state of logging for rule taken as parameter.

Examples:

SetLoggingSettings ("ACCEPT", "ALL")
SetLoggingSettings ("DROP", "NONE")

Parameters:

  • rule (String)

    definition 'ACCEPT' or 'DROP'

  • state (String)

    new logging state 'ALL', 'CRIT', or 'NONE'



2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
# File 'library/network/src/lib/network/susefirewall2.rb', line 2191

def SetLoggingSettings(rule, state)
  SetModified()

  case rule
  when "ACCEPT"
    case state
    when "ALL"
      Ops.set(@SETTINGS, "FW_LOG_ACCEPT_CRIT", "yes")
      Ops.set(@SETTINGS, "FW_LOG_ACCEPT_ALL", "yes")
    when "CRIT"
      Ops.set(@SETTINGS, "FW_LOG_ACCEPT_CRIT", "yes")
      Ops.set(@SETTINGS, "FW_LOG_ACCEPT_ALL", "no")
    else
      Ops.set(@SETTINGS, "FW_LOG_ACCEPT_CRIT", "no")
      Ops.set(@SETTINGS, "FW_LOG_ACCEPT_ALL", "no")
    end
  when "DROP"
    case state
    when "ALL"
      Ops.set(@SETTINGS, "FW_LOG_DROP_CRIT", "yes")
      Ops.set(@SETTINGS, "FW_LOG_DROP_ALL", "yes")
    when "CRIT"
      Ops.set(@SETTINGS, "FW_LOG_DROP_CRIT", "yes")
      Ops.set(@SETTINGS, "FW_LOG_DROP_ALL", "no")
    else
      Ops.set(@SETTINGS, "FW_LOG_DROP_CRIT", "no")
      Ops.set(@SETTINGS, "FW_LOG_DROP_ALL", "no")
    end
  else
    Builtins.y2error("Possible rules are only 'ACCEPT' or 'DROP'")
  end

  nil
end

#SetMasquerade(enable, _zone = nil) ⇒ Object

Function sets Masquerade support.

Parameters:

  • enable (Boolean)

    to support or not to support it

  • _zone (defaults to: nil)

    ignored



1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
# File 'library/network/src/lib/network/susefirewall2.rb', line 1981

def SetMasquerade(enable, _zone = nil)
  SetModified()

  Ops.set(@SETTINGS, "FW_MASQUERADE", enable ? "yes" : "no")

  # routing is needed for masquerading, but we can't switch it off when disabling masquerading
  Ops.set(@SETTINGS, "FW_ROUTE", "yes") if enable

  nil
end

#SetProtectFromInternalZone(set_protect) ⇒ Object

Function sets if firewall should be protected from internal zone.

Parameters:

  • set_protect (Boolean)

    set to be protected from internal zone



883
884
885
886
887
888
889
890
891
892
893
# File 'library/network/src/lib/network/susefirewall2.rb', line 883

def SetProtectFromInternalZone(set_protect)
  SetModified()

  if set_protect
    Ops.set(@SETTINGS, "FW_PROTECT_FROM_INT", "yes")
  else
    Ops.set(@SETTINGS, "FW_PROTECT_FROM_INT", "no")
  end

  nil
end

#SetServicesAcceptRelated(zone, ruleset) ⇒ Object

Functions sets FW_SERVICES_ACCEPT_RELATED_*: Services to allow that are considered RELATED by the connection tracking engine, e.g., SLP browsing reply or Samba browsing reply.

Examples:

SetServicesAcceptRelated ("EXT", ["0/0,udp,427", "0/0,udp,137"])

Parameters:

See Also:

  • #GetServicesAcceptRelated()


2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
# File 'library/network/src/lib/network/susefirewall2.rb', line 2422

def SetServicesAcceptRelated(zone, ruleset)
  ruleset = deep_copy(ruleset)
  if !IsKnownZone(zone)
    Builtins.y2error("Uknown zone '%1'", zone)
    return
  end

  ruleset = Builtins.filter(ruleset) { |one_rule| !one_rule.nil? }

  SetModified()

  Ops.set(
    @SETTINGS,
    Ops.add("FW_SERVICES_ACCEPT_RELATED_", zone),
    Builtins.mergestring(ruleset, "\n")
  )

  nil
end

#SetServicesForZones(services_ids, firewall_zones, new_status) ⇒ Object

Function sets status for several services in several firewall zones.

Examples:

SetServicesForZones (["samba-server", "service:irc-server"], ["DMZ", "EXT"], false);
SetServicesForZones (["samba-server", "service:irc-server"], ["EXT", "DMZ"], true);

Parameters:

  • services_ids (Array<String>)
  • firewall_zones (Array<String>)

    (EXT|INT|DMZ...)

  • new_status (Boolean)

    of services

Returns:

  • nil

See Also:

  • #GetServicesInZones()
  • #GetServices()


1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
# File 'library/network/src/lib/network/susefirewall2.rb', line 1420

def SetServicesForZones(services_ids, firewall_zones, new_status)
  # setting for each service
  Builtins.foreach(services_ids) do |service_id|
    Builtins.foreach(firewall_zones) do |firewall_zone|
      # zone must be known one
      if !IsKnownZone(firewall_zone)
        Builtins.y2error(
          "Zone '%1' is unknown firewall zone, skipping...",
          firewall_zone
        )
        next
      end
      SetModified()
      # setting new status
      if new_status == true
        Builtins.y2milestone(
          "Adding '%1' into '%2' zone",
          service_id,
          firewall_zone
        )
        AddServiceSupportIntoZone(service_id, firewall_zone)
      else
        Builtins.y2milestone(
          "Removing '%1' from '%2' zone",
          service_id,
          firewall_zone
        )
        RemoveServiceSupportFromZone(service_id, firewall_zone)
      end
    end
  end

  nil
end

#SetSupportRoute(set_route) ⇒ Object

Function sets if firewall should support routing.

Parameters:

  • set_route (Boolean)

    set to support route or not



905
906
907
908
909
910
911
912
913
914
915
916
917
# File 'library/network/src/lib/network/susefirewall2.rb', line 905

def SetSupportRoute(set_route)
  SetModified()

  if set_route
    Ops.set(@SETTINGS, "FW_STOP_KEEP_ROUTING_STATE", "yes")
    Ops.set(@SETTINGS, "FW_ROUTE", "yes")
  else
    Ops.set(@SETTINGS, "FW_STOP_KEEP_ROUTING_STATE", "no")
    Ops.set(@SETTINGS, "FW_ROUTE", "no")
  end

  nil
end

#SetTrustIPsecAs(zone) ⇒ Object

Function sets how firewall should trust successfully decrypted IPsec packets. It should be the zone name (shortname) or 'no' to trust packets the same as firewall trusts the zone from which IPsec packet came.

Parameters:



931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
# File 'library/network/src/lib/network/susefirewall2.rb', line 931

def SetTrustIPsecAs(zone)
  SetModified()

  # do not trust
  if zone == "no"
    Ops.set(@SETTINGS, "FW_IPSEC_TRUST", "no")
  # trust IPsec is a known zone
  elsif IsKnownZone(zone)
    zone = GetZoneConfigurationString(zone)
    Ops.set(@SETTINGS, "FW_IPSEC_TRUST", zone)
    # unknown zone, changing to default value
  else
    defaultv = GetDefaultValue("FW_IPSEC_TRUST")
    Builtins.y2warning(
      "Trust IPsec as '%1' (unknown zone) changed to '%2'",
      zone,
      defaultv
    )
    Ops.set(@SETTINGS, "FW_IPSEC_TRUST", defaultv)
  end

  nil
end

#WriteBoolean

Function for writing and enabling configuration, it is a union of WriteConfiguration() and ActivateConfiguration().

Returns:

  • (Boolean)

    if succesfull



1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
# File 'library/network/src/lib/network/susefirewall2.rb', line 1773

def Write
  CheckKernelModules()

  # just disabled
  return true if !SuSEFirewallIsInstalled()

  return false if !WriteConfiguration()

  return false if !ActivateConfiguration()

  true
end

#WriteConfigurationBoolean

Function writes configuration into /etc/sysconfig/ and enables or disables firewall in /etc/init.d/ by the setting SetEnableService(boolean). This is a write-only configuration, firewall is never started only enabled or disabled.

Returns:

  • (Boolean)

    if successful



1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
# File 'library/network/src/lib/network/susefirewall2.rb', line 1675

def WriteConfiguration
  # just disabled
  return true if !SuSEFirewallIsInstalled()

  # Progress only for normal configuration and command line
  have_progress = Mode.normal

  if have_progress
    # TRANSLATORS: Dialog caption
    write_caption = _("Writing Firewall Configuration")

    Progress.New(
      write_caption,
      " ",
      2,
      [
        # TRANSLATORS: Progress step
        _("Write firewall settings"),
        # TRANSLATORS: Progress step
        _("Adjust firewall service")
      ],
      [
        # TRANSLATORS: Progress step
        _("Writing firewall settings..."),
        # TRANSLATORS: Progress step
        _("Adjusting firewall service..."),
        # TRANSLATORS: Progress step
        Message.Finished
      ],
      ""
    )

    Progress.NextStage
  end

  # only modified configuration is written
  if GetModified()
    Builtins.y2milestone(
      "Firewall configuration has been changed. Writing: %1.",
      @SETTINGS
    )

    if !WriteSysconfigSuSEFirewall(GetListOfSuSEFirewallVariables())
      # TRANSLATORS: a popup error message
      Report.Error(_("Writing settings failed"))
      return false
    end
  else
    Builtins.y2milestone("Firewall settings weren't modified, skipping...")
  end

  Progress.NextStage if have_progress

  # Adjusting services
  if GetModified()
    # enabling firewall in /etc/init.d/
    if Ops.get_boolean(@SETTINGS, "enable_firewall", false)
      Builtins.y2milestone("Enabling firewall services")
      return false if !EnableServices()
      # disabling firewall in /etc/init.d/
    else
      Builtins.y2milestone("Disabling firewall services")
      return false if !DisableServices()
    end
  else
    Builtins.y2milestone(
      "Firewall enable/disable wasn't modified, skipping..."
    )
  end

  Progress.NextStage if have_progress

  if @already_converted &&
      !FileUtils.Exists(@converted_to_services_dbp_file)
    Builtins.y2milestone(
      "Writing %1: %2",
      @converted_to_services_dbp_file,
      SCR.Write(path(".target.string"), @converted_to_services_dbp_file, "")
    )
  end

  Progress.Finish if have_progress

  true
end

#WriteOnlyBoolean

Helper function for backward compatibility. See WriteConfiguration(). Remove from code ASAP.

Returns:

  • (Boolean)

    if succesful



1765
1766
1767
# File 'library/network/src/lib/network/susefirewall2.rb', line 1765

def WriteOnly
  WriteConfiguration()
end

#WriteSysconfigSuSEFirewall(variables) ⇒ Boolean

Local function for writing the list of internal variables into sysconfig. List of variables is list of keys in SETTINGS map, to sync configuration into the disk, use nil as the last list item.

Parameters:

  • variables (Array<String>)

    of sysconfig variables

Returns:

  • (Boolean)

    if successful



375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
# File 'library/network/src/lib/network/susefirewall2.rb', line 375

def WriteSysconfigSuSEFirewall(variables)
  variables = deep_copy(variables)
  write_status = true
  value = ""

  Builtins.foreach(variables) do |variable|
    # if variable is undefined, get default value
    value = Ops.get_string(@SETTINGS, variable) { GetDefaultValue(variable) }
    write_status = SCR.Write(
      Builtins.add(path(".sysconfig.SuSEfirewall2"), variable),
      value
    )
    if !write_status
      Report.Error(
        Message.CannotWriteSettingsTo("/etc/sysconfig/SuSEFirewall2")
      )
      raise Break
    end
  end

  write_status = SCR.Write(path(".sysconfig.SuSEfirewall2"), nil)
  if !write_status
    Report.Error(
      Message.CannotWriteSettingsTo("/etc/sysconfig/SuSEFirewall2")
    )
  end

  write_status
end