Class: Yast::SuSEFirewall2Class

Inherits:
SuSEFirewallClass show all
Includes:
Logger
Defined in:
library/network/src/lib/network/susefirewall2.rb

Overview


SuSEFirewall2/SF2 Class. The original, simply created from the Firewall factory class.

Constant Summary

CONFIG_FILE =
"/etc/sysconfig/SuSEfirewall2".freeze

Instance Attribute Summary

Attributes inherited from SuSEFirewallClass

#firewall_service

Instance Method Summary collapse

Methods inherited from SuSEFirewallClass

#AddService, #AddXenSupport, #ArePortsOrServicesAllowed, #DisableServices, #EnableServices, #GetAllKnownInterfaces, #GetEnableService, #GetKnownFirewallZones, #GetListOfKnownInterfaces, #GetModified, #GetServices, #GetServicesInZones, #GetStartService, #GetZoneFullName, #GetZonesOfInterfaces, #HaveService, #IsEnabled, #IsKnownZone, #IsOtherFirewallRunning, #IsStarted, #IsSupportedProtocol, #RemoveAllowedPortsOrServices, #RemoveService, #ResetModified, #SaveAndRestartService, #SetAdditionalServices, #SetEnableService, #SetInstallPackagesIfMissing, #SetModified, #SetServices, #SetStartService, #StartServices, #StopServices, #SuSEFirewallIsInstalled, #SuSEFirewallIsSelectedOrInstalled, #initialize

Constructor Details

This class inherits a constructor from Yast::SuSEFirewallClass

Instance Method Details

#ActivateConfigurationBoolean

Function which stops firewall. Then firewall is started immediately when firewall is wanted to be started: SetStartService(boolean).



1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
# File 'library/network/src/lib/network/susefirewall2.rb', line 1623

def ActivateConfiguration
  # just disabled
  return true if !SuSEFirewallIsInstalled()

  # starting firewall during second stage can cause deadlock in systemd - bnc#798620
  # Moreover, it is not needed. Firewall gets started via dependency on multi-user.target
  # when second stage is over.
  if Mode.installation
    Builtins.y2milestone("Do not touch firewall services during installation")

    return true
  end

  # Firewall should start after Write()
  if GetStartService()
    # Not started - start it
    if !IsStarted()
      Builtins.y2milestone("Starting firewall services")
      return StartServices()
    # Started - restart it
    # modified - restart it, or ...
    # bugzilla #186186
    # If any RPC service is configured to be allowed, always restart the firewall
    # Some of these service's ports might have been reallocated (when SuSEFirewall
    # is used from outside, e.g., yast2-nfs-server)
    elsif GetModified() || AnyRPCServiceInConfiguration()
      Builtins.y2milestone("Stopping firewall services")
      StopServices()
      Builtins.y2milestone("Starting firewall services")
      return StartServices()
    # not modified - skip restart
    else
      Builtins.y2milestone(
        "Configuration hasn't modified, skipping restarting services"
      )
      return true
    end
  # Firewall should stop after Write()
  # started - stop
  elsif IsStarted()
    Builtins.y2milestone("Stopping firewall services")
    return StopServices()
    # stopped - skip stopping
  else
    Builtins.y2milestone("Firewall has been stopped already")
    return true
  end
end

#AddAllowedBroadcast(needed_ports, zone) ⇒ Object

Local function adds list of ports to ports accepting broadcast



647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
# File 'library/network/src/lib/network/susefirewall2.rb', line 647

def AddAllowedBroadcast(needed_ports, zone)
  needed_ports = deep_copy(needed_ports)
  # changing only if ports are not allowed
  if !IsBroadcastAllowed(needed_ports, zone)
    SetModified()

    allowed_ports = GetBroadcastAllowedPorts()
    list_ports_allowed = Ops.get(allowed_ports, zone, [])

    # ports to be allowed one by one
    Builtins.foreach(needed_ports) do |allow_this_port|
      # at first: remove all aliases of ports yet mentioned in zone
      aliases_of_port = PortAliases.GetListOfServiceAliases(allow_this_port)
      list_ports_allowed = Builtins.filter(list_ports_allowed) do |just_allowed|
        !Builtins.contains(aliases_of_port, just_allowed)
      end
      # at second: add only one
      list_ports_allowed = Builtins.add(list_ports_allowed, allow_this_port)
    end
    Ops.set(allowed_ports, zone, list_ports_allowed)

    # save it using function
    SetBroadcastAllowedPorts(allowed_ports)
  end

  nil
end

#AddAllowedPortsOrServices(add_ports, protocol, zone) ⇒ Object

Local function allows ports for requested protocol and zone.



2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673
# File 'library/network/src/lib/network/susefirewall2.rb', line 2648

def AddAllowedPortsOrServices(add_ports, protocol, zone)
  add_ports = deep_copy(add_ports)
  if Ops.less_than(Builtins.size(add_ports), 1)
    Builtins.y2warning(
      "Undefined list of %1 services/ports for service",
      protocol
    )
    return
  end

  SetModified()

  # all allowed ports
  allowed_services = GetAllowedServicesForZoneProto(zone, protocol)

  allowed_services = Convert.convert(
    Builtins.union(allowed_services, add_ports),
    from: "list",
    to:   "list <string>"
  )
  allowed_services = PortRanges.FlattenServices(allowed_services, protocol)

  SetAllowedServicesForZoneProto(allowed_services, zone, protocol)

  nil
end

#AddForwardIntoMasqueradeRule(source_net, forward_to_ip, protocol, req_port, redirect_to_port, requested_ip) ⇒ Object

Adds forward into masquerade rule.

Examples:

AddForwardIntoMasqueradeRule ("0/0", "192.168.32.1", "TCP", "80", "8080", "10.0.0.1")


2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
# File 'library/network/src/lib/network/susefirewall2.rb', line 2101

def AddForwardIntoMasqueradeRule(source_net, forward_to_ip, protocol, req_port, redirect_to_port, requested_ip)
  SetModified()

  masquerade_rules = Ops.get_string(@SETTINGS, "FW_FORWARD_MASQ", "")

  masquerade_rules = Ops.add(
    Ops.add(
      Ops.add(
        Ops.add(
          Ops.add(
            Ops.add(
              Ops.add(
                Ops.add(masquerade_rules, masquerade_rules != "" ? " " : ""),
                source_net
              ),
              ","
            ),
            forward_to_ip
          ),
          ","
        ),
        protocol
      ),
      ","
    ),
    req_port
  )

  if redirect_to_port != "" || requested_ip != ""
    if requested_ip != ""
      masquerade_rules = Ops.add(
        Ops.add(
          Ops.add(Ops.add(masquerade_rules, ","), redirect_to_port),
          ","
        ),
        requested_ip
      )
      # port1 -> port2 are same
    elsif redirect_to_port != req_port
      masquerade_rules = Ops.add(
        Ops.add(masquerade_rules, ","),
        redirect_to_port
      )
    end
  end

  Ops.set(@SETTINGS, "FW_FORWARD_MASQ", masquerade_rules)

  nil
end

#AddInterfaceIntoZone(interface, zone) ⇒ Object

Functions adds interface into defined zone. All appearances of interface in other zones are removed.

Examples:

AddInterfaceIntoZone (“eth5”, “DMZ”)



1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
# File 'library/network/src/lib/network/susefirewall2.rb', line 1172

def AddInterfaceIntoZone(interface, zone)
  SetModified()

  current_zone = GetZoneOfInterface(interface)

  DecreaseVerbosity()
  # removing all appearances of interface in zones, excepting current_zone==new_zone
  while !current_zone.nil? && current_zone != zone
    # interface is in any zone already, removing it at first
    RemoveInterfaceFromZone(interface, current_zone) if current_zone != zone
    current_zone = GetZoneOfInterface(interface)
  end
  IncreaseVerbosity()

  Builtins.y2milestone(
    "Adding interface '%1' into '%2' zone.",
    interface,
    zone
  )
  interfaces_in_zone = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_DEV_", zone), ""),
    " "
  )
  interfaces_in_zone = Builtins.toset(
    Builtins.add(interfaces_in_zone, interface)
  )
  Ops.set(
    @SETTINGS,
    Ops.add("FW_DEV_", zone),
    Builtins.mergestring(interfaces_in_zone, " ")
  )

  nil
end

#AddServiceDefinedByPackageIntoZone(service, zone) ⇒ Object

Adds service defined by package (FATE #300687) into list of enabled services.

Examples:

AddServiceDefinedByPackageIntoZone ("service:irc-server", "EXT");


746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
# File 'library/network/src/lib/network/susefirewall2.rb', line 746

def AddServiceDefinedByPackageIntoZone(service, zone)
  return nil if !IsKnownZone(zone)

  if service.nil?
    Builtins.y2error("Service Id can't be nil!")
    return nil
  elsif Builtins.regexpmatch(service, "^service:.*")
    service = Builtins.regexpsub(service, "^service:(.*)", "\\1")
  end

  # services defined by package are listed without "service:" which is here
  # just to distinguish between dynamic and static definitions
  supported_services = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_CONFIGURATIONS_", zone), ""),
    " "
  )
  # Adding the service
  supported_services = Builtins.toset(
    Builtins.add(supported_services, service)
  )
  Ops.set(
    @SETTINGS,
    Ops.add("FW_CONFIGURATIONS_", zone),
    Builtins.mergestring(supported_services, " ")
  )

  SetModified()

  nil
end

#AddServiceSupportIntoZone(service, zone) ⇒ Object

Local function adds well-known service's support into zone. It first of all removes the current support for service with port-aliases.



830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
# File 'library/network/src/lib/network/susefirewall2.rb', line 830

def AddServiceSupportIntoZone(service, zone)
  Yast.import "SuSEFirewallServices" # lazy import due to circular dependencies

  needed = SuSEFirewallServices.GetNeededPortsAndProtocols(service)
  # unknown service
  if needed.nil?
    Builtins.y2error("Undefined service '%1'", service)
    return nil
  end

  SetModified()

  # FATE #300687: Ports for SuSEfirewall added via packages
  if SuSEFirewallServices.ServiceDefinedByPackage(service)
    AddServiceDefinedByPackageIntoZone(service, zone)

    return nil
  end

  # Removing service ports first (and also port aliases for TCP and UDP)
  if IsServiceSupportedInZone(service, zone) == true
    RemoveServiceSupportFromZone(service, zone)
  end

  Builtins.foreach(@service_defined_by) do |key|
    needed_ports = Ops.get(needed, key, [])
    next if needed_ports == []
    if key == "tcp_ports"
      AddAllowedPortsOrServices(needed_ports, "TCP", zone)
    elsif key == "udp_ports"
      AddAllowedPortsOrServices(needed_ports, "UDP", zone)
    elsif key == "rpc_ports"
      AddAllowedPortsOrServices(needed_ports, "RPC", zone)
    elsif key == "ip_protocols"
      AddAllowedPortsOrServices(needed_ports, "IP", zone)
    elsif "broadcast_ports" == key
      AddAllowedBroadcast(needed_ports, zone)
    else
      Builtins.y2error("Unknown key '%1'", key)
    end
  end

  nil
end

#AddSpecialInterfaceIntoZone(interface, zone) ⇒ Object

Functions adds special string into defined zone.



1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
# File 'library/network/src/lib/network/susefirewall2.rb', line 1946

def AddSpecialInterfaceIntoZone(interface, zone)
  SetModified()

  Builtins.y2milestone(
    "Adding special string '%1' into '%2' zone.",
    interface,
    zone
  )
  interfaces_in_zone = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_DEV_", zone), ""),
    " "
  )
  interfaces_in_zone = Builtins.toset(
    Builtins.add(interfaces_in_zone, interface)
  )
  Ops.set(
    @SETTINGS,
    Ops.add("FW_DEV_", zone),
    Builtins.mergestring(interfaces_in_zone, " ")
  )

  nil
end

#AnyRPCServiceInConfigurationBoolean

Function returns whether some RPC service is allowed in the configuration. These services reallocate their ports when restarted. See details in bugzilla bug #186186.



1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
# File 'library/network/src/lib/network/susefirewall2.rb', line 1594

def AnyRPCServiceInConfiguration
  ret = false

  Builtins.foreach(GetKnownFirewallZones()) do |fw_zone|
    fw_rule = Builtins.sformat("FW_SERVICES_%1_RPC", fw_zone)
    listed_services = Ops.get_string(@SETTINGS, fw_rule) do
      GetDefaultValue(fw_rule)
    end
    # easy case
    next if listed_services.nil? || listed_services == ""
    # something listed but it still might be empty definition
    services_list = Builtins.splitstring(listed_services, " \n\t")
    services_list = Builtins.filter(services_list) do |service|
      service != ""
    end
    if Ops.greater_than(Builtins.size(services_list), 0)
      ret = true
      raise Break
    end
  end

  Builtins.y2milestone("Some RPC service found: %1", ret)
  ret
end

#CheckKernelModulesObject



2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
# File 'library/network/src/lib/network/susefirewall2.rb', line 2442

def CheckKernelModules
  needs_additional_module = false

  Builtins.foreach(GetKnownFirewallZones()) do |one_zone|
    if Ops.greater_or_equal(
      Builtins.size(GetServicesAcceptRelated(one_zone)),
      0
    )
      Builtins.y2milestone("Some ServicesAcceptRelated are defined")
      needs_additional_module = true
      raise Break
    end
  end

  if needs_additional_module
    k_modules = Builtins.splitstring(
      Ops.get_string(@SETTINGS, "FW_LOAD_MODULES", ""),
      " "
    )

    if !Builtins.contains(k_modules, @broadcast_related_module)
      Builtins.y2warning(
        "FW_LOAD_MODULES doesn't contain %1, adding",
        @broadcast_related_module
      )
      k_modules = Builtins.add(k_modules, @broadcast_related_module)
      Ops.set(
        @SETTINGS,
        "FW_LOAD_MODULES",
        Builtins.mergestring(k_modules, " ")
      )
      SetModified()
    end
  end

  nil
end

#ConvertToServicesDefinedByPackagesObject

Converts old built-in service definitions to services defined by packages.

See Also:

  • 399217


2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
2635
2636
2637
2638
2639
2640
2641
# File 'library/network/src/lib/network/susefirewall2.rb', line 2529

def ConvertToServicesDefinedByPackages
  return if @already_converted

  if FileUtils.Exists(@converted_to_services_dbp_file)
    @already_converted = true
    return
  end

  # $[ zone : $[ protocol : [ list of ports ] ] ]
  current_conf = {}

  Builtins.foreach(GetKnownFirewallZones()) do |zone|
    Ops.set(current_conf, zone, {})
    Builtins.foreach(@supported_protocols) do |protocol|
      Ops.set(
        current_conf,
        [zone, protocol],
        GetAllowedServicesForZoneProto(zone, protocol)
      )
      Ops.set(
        current_conf,
        [zone, "broadcast"],
        Builtins.splitstring(GetBroadcastConfiguration(zone), " \n")
      )
    end
  end

  Builtins.y2milestone("Current conf: %1", current_conf)

  Yast.import "SuSEFirewallServices" # lazy import due to circular dependencies

  Builtins.foreach(GetKnownFirewallZones()) do |zone|
    Builtins.foreach(SuSEFirewallServices.OLD_SERVICES) do |old_service_id, old_service_def|
      Builtins.y2milestone("Checking %1 in %2 zone", old_service_id, zone)
      if Ops.get_list(old_service_def, "tcp_ports", []) != [] &&
          ArePortsOrServicesAllowed(
            Ops.get_list(old_service_def, "tcp_ports", []),
            "TCP",
            zone,
            true
          ) != true
        next
      end
      if Ops.get_list(old_service_def, "udp_ports", []) != [] &&
          ArePortsOrServicesAllowed(
            Ops.get_list(old_service_def, "udp_ports", []),
            "UDP",
            zone,
            true
          ) != true
        next
      end
      if Ops.get_list(old_service_def, "rpc_ports", []) != [] &&
          ArePortsOrServicesAllowed(
            Ops.get_list(old_service_def, "rpc_ports", []),
            "RPC",
            zone,
            false
          ) != true
        next
      end
      if Ops.get_list(old_service_def, "ip_protocols", []) != [] &&
          ArePortsOrServicesAllowed(
            Ops.get_list(old_service_def, "ip_protocols", []),
            "IP",
            zone,
            false
          ) != true
        next
      end
      if Ops.get_list(old_service_def, "broadcast_ports", []) != [] &&
          IsBroadcastAllowed(
            Ops.get_list(old_service_def, "broadcast_ports", []),
            zone
          ) != true
        next
      end
      if Ops.get_list(old_service_def, "convert_to", []) == []
        Builtins.y2milestone(
          "Service %1 supported, but it doesn't have any replacement",
          old_service_id
        )
        next
      end
      replaced = false
      Builtins.foreach(Ops.get_list(old_service_def, "convert_to", [])) do |replacement|
        if SuSEFirewallServices.IsKnownService(replacement)
          Builtins.y2milestone(
            "Old service %1 matches %2",
            old_service_id,
            replacement
          )
          RemoveOldAllowedServiceFromZone(old_service_def, zone)
          SetServicesForZones([replacement], [zone], true)
          replaced = true
          raise Break
        end
      end
      if !replaced
        Builtins.y2warning(
          "Old service %1 matches %2 but none are installed",
          old_service_id,
          Ops.get_list(old_service_def, "convert_to", [])
        )
      end
    end
  end

  Builtins.y2milestone("Converting done")
  @already_converted = true

  nil
end

#DecreaseVerbosityObject

Local function for decreasing the verbosity level.



305
306
307
308
309
# File 'library/network/src/lib/network/susefirewall2.rb', line 305

def DecreaseVerbosity
  @verbose_level = Ops.subtract(@verbose_level, 1)

  nil
end

#ExportHash{String => Object}

Function for getting exported SuSEFirewall configuration



992
993
994
# File 'library/network/src/lib/network/susefirewall2.rb', line 992

def Export
  deep_copy(@SETTINGS)
end

#FillUpEmptyConfigObject

Fills the configuration with default settings, adjusts internal variables that firewall cannot be configured.



1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
# File 'library/network/src/lib/network/susefirewall2.rb', line 1484

def FillUpEmptyConfig
  # do not call it again
  @configuration_has_been_read = true

  # Default settings, services are disabled
  @SETTINGS = deep_copy(@DEFAULT_SETTINGS)
  Ops.set(@SETTINGS, "enable_firewall", false)
  Ops.set(@SETTINGS, "start_firewall", false)

  # Cannot be configured, packages weren't installed
  @fw_service_can_be_configured = false

  nil
end

#full_init_on_boot(new_state) ⇒ Boolean

Sets whether ports need to be open already during boot bsc#916376



2680
2681
2682
2683
2684
# File 'library/network/src/lib/network/susefirewall2.rb', line 2680

def full_init_on_boot(new_state)
  @SETTINGS["FW_BOOT_FULL_INIT"] = new_state ? "yes" : "no"
  SetModified()
  @SETTINGS["FW_BOOT_FULL_INIT"] == "yes"
end

#GetAcceptExpertRules(zone) ⇒ String

Returns list of rules describing protocols and ports that are allowed to be accessed from listed hosts. All is returned as a single string. Zone needs to be defined.



2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
# File 'library/network/src/lib/network/susefirewall2.rb', line 2272

def GetAcceptExpertRules(zone)
  zone = Builtins.toupper(zone)

  # Check for zone
  if !Builtins.contains(GetKnownFirewallZones(), zone)
    Builtins.y2error("Unknown firewall zone: %1", zone)
    return nil
  end

  Ops.get_string(@SETTINGS, Ops.add("FW_SERVICES_ACCEPT_", zone), "")
end

#GetAdditionalServices(protocol, zone) ⇒ Array<String>

This powerful function returns list of services/ports which are not assigned to any fully-supported known-services. This function doesn't check for services defined by packages. They are listed by a different way.

Examples:

GetAdditionalServices("TCP", "EXT") -> ["53", "128"]


1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
# File 'library/network/src/lib/network/susefirewall2.rb', line 1798

def GetAdditionalServices(protocol, zone)
  if !IsSupportedProtocol(protocol)
    Builtins.y2error("Unknown protocol '%1'", protocol)
    return nil
  end
  if !IsKnownZone(zone)
    Builtins.y2error("Unknown zone '%1'", zone)
    return nil
  end

  # all ports or services allowed in zone for protocol
  all_allowed_services = GetAllowedServicesForZoneProto(zone, protocol)

  # all ports or services used by known service
  all_used_services = []

  Yast.import "SuSEFirewallServices" # lazy import due to circular dependencies

  # trying all possible (known) services
  Builtins.foreach(SuSEFirewallServices.GetSupportedServices) do |service_id, _service_name|
    # only when the service is allowed in zone - remove all its needed ports
    if IsServiceSupportedInZone(service_id, zone) == true
      # all needed ports etc for service/protocol
      needed_all = []
      if protocol == "TCP"
        needed_all = SuSEFirewallServices.GetNeededTCPPorts(service_id)
      elsif protocol == "UDP"
        needed_all = SuSEFirewallServices.GetNeededUDPPorts(service_id)
      elsif protocol == "RPC"
        needed_all = SuSEFirewallServices.GetNeededRPCPorts(service_id)
      elsif protocol == "IP"
        needed_all = SuSEFirewallServices.GetNeededIPProtocols(service_id)
      end
      Builtins.foreach(needed_all) do |remove_port|
        # all used services and their aliases
        all_used_services = Convert.convert(
          Builtins.union(
            all_used_services,
            PortAliases.GetListOfServiceAliases(remove_port)
          ),
          from: "list",
          to:   "list <string>"
        )
      end
    end
  end

  # some services are used by known defined-services
  if Ops.greater_than(Builtins.size(all_used_services), 0)
    all_used_services = Builtins.toset(all_used_services)
    # removing all used services from all allowed
    all_allowed_services = Builtins.filter(all_allowed_services) do |port|
      !Builtins.contains(all_used_services, port)
    end
  end

  # well, actually it returns list of services not-assigned to any well-known service
  deep_copy(all_allowed_services)
end

#GetAllDialUpInterfacesArray<String>

Function returns list of dial-up interfaces.

Examples:

GetAllDialUpInterfaces() -> [“modem0”, “dsl5”]



1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
# File 'library/network/src/lib/network/susefirewall2.rb', line 1122

def GetAllDialUpInterfaces
  dial_up_interfaces = []
  Builtins.foreach(GetAllKnownInterfaces()) do |interface|
    if Ops.get(interface, "type") == "dial_up"
      dial_up_interfaces = Builtins.add(
        dial_up_interfaces,
        Ops.get(interface, "id", "")
      )
    end
  end

  deep_copy(dial_up_interfaces)
end

#GetAllNonDialUpInterfacesArray<String>

Function returns list of non-dial-up interfaces.

Examples:

GetAllNonDialUpInterfaces() -> [“eth1”, “eth2”]



1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
# File 'library/network/src/lib/network/susefirewall2.rb', line 1104

def GetAllNonDialUpInterfaces
  non_dial_up_interfaces = []
  Builtins.foreach(GetAllKnownInterfaces()) do |interface|
    if Ops.get(interface, "type") != "dial_up"
      non_dial_up_interfaces = Builtins.add(
        non_dial_up_interfaces,
        Ops.get(interface, "id", "")
      )
    end
  end

  deep_copy(non_dial_up_interfaces)
end

#GetAllowedServicesForZoneProto(zone, protocol) ⇒ Array<String>

Function returns list of allowed services for zone and protocol



443
444
445
446
447
448
449
450
451
452
# File 'library/network/src/lib/network/susefirewall2.rb', line 443

def GetAllowedServicesForZoneProto(zone, protocol)
  Builtins.splitstring(
    Ops.get_string(
      @SETTINGS,
      Ops.add(Ops.add(Ops.add("FW_SERVICES_", zone), "_"), protocol),
      ""
    ),
    " "
  )
end

#GetBroadcastAllowedPortsHash{String => Array<String>}

Local function return map of allowed ports (without aliases). If any list for zone is defined but empty, all allowed UDP ports for this zone also accept broadcast packets. This function returns only ports that are mentioned in configuration, it doesn't return ports that are listed in some service (defined by package) which is enabled.

*Structure:*

$[
   "ZONE1" : [ "port1", "port2" ],
   "ZONE2" : [ "port3", "port4" ],
   "ZONE3" : [ ]
 ]
 or
 $[
   "ZONE1" : [ "yes" ],  // will work for all ports automatically
   "ZONE3" : [ ],
   "ZONE3" : [ ]
 ]


518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
# File 'library/network/src/lib/network/susefirewall2.rb', line 518

def GetBroadcastAllowedPorts
  allowed_ports = {}

  Builtins.foreach(GetKnownFirewallZones()) do |zone|
    broadcast = GetBroadcastConfiguration(zone)
    # no broadcast allowed for this zone
    if broadcast == "no"
      Ops.set(allowed_ports, zone, [])
      # BNC #694782: "yes" is automatically translated by SuSEfirewall2
    elsif broadcast == "yes"
      Ops.set(allowed_ports, zone, ["yes"])
      # only listed ports allows broadcast
    else
      Ops.set(allowed_ports, zone, Builtins.splitstring(broadcast, " "))
      Ops.set(
        allowed_ports,
        zone,
        Builtins.filter(Builtins.splitstring(broadcast, " ")) do |not_space|
          not_space != ""
        end
      )
    end
  end

  Builtins.y2debug("Allowed Broadcast Ports: %1", allowed_ports)

  deep_copy(allowed_ports)
end

#GetBroadcastConfiguration(zone) ⇒ String

Local function returns configuration string for broadcast packets.



475
476
477
# File 'library/network/src/lib/network/susefirewall2.rb', line 475

def GetBroadcastConfiguration(zone)
  Ops.get_string(@SETTINGS, Ops.add("FW_ALLOW_FW_BROADCAST_", zone), "no")
end

#GetConfigurationStringZone(zone_string) ⇒ String

Local function returns zone name (shortname) for configuration string. For instance “EXT” for “ext” zone.



430
431
432
433
434
435
436
# File 'library/network/src/lib/network/susefirewall2.rb', line 430

def GetConfigurationStringZone(zone_string)
  if IsKnownZone(Builtins.toupper(zone_string))
    # zones in SuSEFirewall configuration are identified by lowercased zone shorters
    return Builtins.toupper(zone_string)
  end
  nil
end

#GetDefaultValue(variable) ⇒ String

Local function for returning default values (if defined) for sysconfig variables.



324
325
326
# File 'library/network/src/lib/network/susefirewall2.rb', line 324

def GetDefaultValue(variable)
  Ops.get(@DEFAULT_SETTINGS, variable, "")
end

#GetFirewallInterfacesArray<String>

Function returns all interfaces already configured in firewall.



1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
# File 'library/network/src/lib/network/susefirewall2.rb', line 1232

def GetFirewallInterfaces
  firewall_configured_devices = []

  Builtins.foreach(GetKnownFirewallZones()) do |zone|
    firewall_configured_devices = Convert.convert(
      Builtins.union(firewall_configured_devices, GetInterfacesInZone(zone)),
      from: "list",
      to:   "list <string>"
    )
  end

  Builtins.toset(firewall_configured_devices)
end

#GetFirewallInterfacesMapHash{String => Array<String>}

Function returns map of `interfaces in zones`.

*Structure:*

map $[zone : [list of interfaces]]

Examples:

GetFirewallInterfacesMap() -> $["DMZ":[], "EXT":["dsl0"], "INT":["eth1", "eth2"]]


1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
# File 'library/network/src/lib/network/susefirewall2.rb', line 1869

def GetFirewallInterfacesMap
  firewall_interfaces_now = {}

  # list of all known interfaces
  known_interfaces = GetListOfKnownInterfaces()

  # searching each zone
  Builtins.foreach(GetKnownFirewallZones()) do |zone|
    # filtering non-existing interfaces
    Ops.set(
      firewall_interfaces_now,
      zone,
      Builtins.filter(GetInterfacesInZone(zone)) do |interface|
        Builtins.contains(known_interfaces, interface)
      end
    )
  end

  deep_copy(firewall_interfaces_now)
end

#GetFirewallKernelModulesArray<String>

Returns list of additional kernel modules, that are loaded by firewall on startup. For instance “ip_conntrack_ftp” and “ip_nat_ftp” for FTP service.

See Also:

  • option nr. 32 (FW_LOAD_MODULES)


2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
# File 'library/network/src/lib/network/susefirewall2.rb', line 2310

def GetFirewallKernelModules
  k_modules = Builtins.splitstring(
    Ops.get_string(@SETTINGS, "FW_LOAD_MODULES", ""),
    " \t\n"
  )

  k_modules = Builtins.filter(k_modules) { |one_module| one_module != "" }

  Builtins.toset(k_modules)
end

#GetIgnoreLoggingBroadcast(zone) ⇒ String

Function returns yes/no - ingoring broadcast for zone

Examples:

# Does not log ignored broadcast packets
GetIgnoreLoggingBroadcast ("EXT") -> "yes"


2234
2235
2236
2237
2238
2239
2240
2241
# File 'library/network/src/lib/network/susefirewall2.rb', line 2234

def GetIgnoreLoggingBroadcast(zone)
  if !IsKnownZone(zone)
    Builtins.y2error("Unknown zone '%1'", zone)
    return nil
  end

  Ops.get_string(@SETTINGS, Ops.add("FW_IGNORE_FW_BROADCAST_", zone), "no")
end

#GetInterfacesInZone(zone) ⇒ Array<String>

Function returns list of known interfaces in requested zone. Special strings like 'any' or 'auto' and unknown interfaces are removed from list.

Examples:

GetInterfacesInZone (“DMZ”) -> [“eth4”, “eth5”]



1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
# File 'library/network/src/lib/network/susefirewall2.rb', line 1213

def GetInterfacesInZone(zone)
  interfaces_in_zone = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_DEV_", zone), ""),
    " "
  )

  known_interfaces_now = GetListOfKnownInterfaces()

  # filtering special strings
  interfaces_in_zone = Builtins.filter(interfaces_in_zone) do |interface|
    interface != "" && Builtins.contains(known_interfaces_now, interface)
  end

  deep_copy(interfaces_in_zone)
end

#GetInterfacesInZoneSupportingAnyFeature(zone) ⇒ Array<String>

Function returns list of known interfaces in requested zone. Special string 'any' in EXT zone covers all interfaces without any zone assignment.



1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
# File 'library/network/src/lib/network/susefirewall2.rb', line 1281

def GetInterfacesInZoneSupportingAnyFeature(zone)
  interfaces_in_zone = GetInterfacesInZone(zone)

  # 'any' in EXT zone, add all interfaces without zone to this one
  interfaces_covered_by_any = InterfacesSupportedByAnyFeature(zone)
  if Ops.greater_than(Builtins.size(interfaces_covered_by_any), 0)
    interfaces_in_zone = Convert.convert(
      Builtins.union(interfaces_in_zone, interfaces_covered_by_any),
      from: "list",
      to:   "list <string>"
    )
  end

  deep_copy(interfaces_in_zone)
end

#GetListOfForwardsIntoMasqueradeArray<Hash{String => String>}

Function returns list of rules of forwarding ports to masqueraded IPs.

*Structure:*

list [$[ key: value ]]

$[

"forward_to":"172.24.233.1",
"protocol":"tcp",
"req_ip":"192.168.0.3",
"req_port":"355",
"source_net":"192.168.0.0/20",
"to_port":"533"],
...

]

Examples:

GetListOfForwardsIntoMasquerade() -> [


2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
# File 'library/network/src/lib/network/susefirewall2.rb', line 2015

def GetListOfForwardsIntoMasquerade
  list_of_rules = []

  Builtins.foreach(
    Builtins.splitstring(
      Ops.get_string(@SETTINGS, "FW_FORWARD_MASQ", ""),
      " "
    )
  ) do |forward_rule|
    next if forward_rule == ""
    # Format: <source network>,<ip to forward to>,<protocol>,<port>[,redirect port,[destination ip]]
    fw_rul = Builtins.splitstring(forward_rule, ",")
    # first four parameters has to be defined
    if Ops.get(fw_rul, 0, "") == "" || Ops.get(fw_rul, 1, "") == "" ||
        Ops.get(fw_rul, 2, "") == "" ||
        Ops.get(fw_rul, 3, "") == ""
      Builtins.y2warning(
        "Wrong definition of redirect rule: '%1', part of '%2'",
        forward_rule,
        Ops.get_string(@SETTINGS, "FW_FORWARD_MASQ", "")
      )
    end
    list_of_rules = Builtins.add(
      list_of_rules,

      "source_net" => Ops.get(fw_rul, 0, ""),
      "forward_to" => Ops.get(fw_rul, 1, ""),
      "protocol"   => Builtins.tolower(Ops.get(fw_rul, 2, "")),
      "req_port"   => Builtins.tolower(Ops.get(fw_rul, 3, "")),
      # to_port is req_port when undefined
      "to_port"    => Builtins.tolower(
        Ops.get(fw_rul, 4, Ops.get(fw_rul, 3, ""))
      ),
      "req_ip"     => Builtins.tolower(Ops.get(fw_rul, 5, ""))

    )
  end

  deep_copy(list_of_rules)
end

#GetListOfSuSEFirewallVariablesArray<String>

Function return list of variables needed for SuSEFirewall's settings.



293
294
295
# File 'library/network/src/lib/network/susefirewall2.rb', line 293

def GetListOfSuSEFirewallVariables
  deep_copy(@SuSEFirewall_variables)
end

#GetLoggingSettings(rule) ⇒ String

Function returns actual state of logging for rule taken as parameter.

Examples:

GetLoggingSettings("ACCEPT") -> "CRIT"
GetLoggingSettings("DROP") -> "CRIT"


2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
# File 'library/network/src/lib/network/susefirewall2.rb', line 2160

def GetLoggingSettings(rule)
  ret_val = nil

  if rule == "ACCEPT"
    ret_val = if Ops.get_string(@SETTINGS, "FW_LOG_ACCEPT_ALL", "no") == "yes"
      "ALL"
    elsif Ops.get_string(@SETTINGS, "FW_LOG_ACCEPT_CRIT", "yes") == "yes"
      "CRIT"
    else
      "NONE"
    end
  elsif rule == "DROP"
    ret_val = if Ops.get_string(@SETTINGS, "FW_LOG_DROP_ALL", "no") == "yes"
      "ALL"
    elsif Ops.get_string(@SETTINGS, "FW_LOG_DROP_CRIT", "yes") == "yes"
      "CRIT"
    else
      "NONE"
    end
  else
    Builtins.y2error("Possible rules are only 'ACCEPT' or 'DROP'")
  end

  ret_val
end

#GetMasquerade(_zone = nil) ⇒ Boolean

Function returns actual state of Masquerading support.



1974
1975
1976
1977
# File 'library/network/src/lib/network/susefirewall2.rb', line 1974

def GetMasquerade(_zone = nil)
  Ops.get_string(@SETTINGS, "FW_MASQUERADE", "no") == "yes" &&
    Ops.get_string(@SETTINGS, "FW_ROUTE", "no") == "yes"
end

#GetProtectFromInternalZoneBoolean

Function returns if firewall is protected from internal zone.



902
903
904
# File 'library/network/src/lib/network/susefirewall2.rb', line 902

def GetProtectFromInternalZone
  Ops.get_string(@SETTINGS, "FW_PROTECT_FROM_INT", "no") == "yes"
end

#GetProtocolTranslatedName(protocol) ⇒ String

Returns translated protocol name. Translation is provided from SuSEfirewall2 sysconfig format to l10n format.



2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
# File 'library/network/src/lib/network/susefirewall2.rb', line 2370

def GetProtocolTranslatedName(protocol)
  protocol = Builtins.tolower(protocol)

  if protocol == ""
    ""
  elsif Ops.get(@protocol_translations, protocol).nil?
    Builtins.y2error("Unknown protocol: %1", protocol)
    # table item, %1 stands for the buggy protocol name
    Builtins.sformat(_("Unknown protocol (%1)"), protocol)
  else
    Ops.get(@protocol_translations, protocol, "")
  end
end

#GetServicesAcceptRelated(zone) ⇒ Array<String>

Returns list of FW_SERVICES_ACCEPT_RELATED_*: Services to allow that are considered RELATED by the connection tracking engine, e.g., SLP browsing reply or Samba browsing reply.

Examples:

GetServicesAcceptRelated ("EXT") -> ["0/0,udp,427", "0/0,udp,137"]

See Also:

  • #SetServicesAcceptRelated()


2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
# File 'library/network/src/lib/network/susefirewall2.rb', line 2395

def GetServicesAcceptRelated(zone)
  if !IsKnownZone(zone)
    Builtins.y2error("Uknown zone '%1'", zone)
    return []
  end

  Builtins.splitstring(
    Ops.get_string(
      @SETTINGS,
      Ops.add("FW_SERVICES_ACCEPT_RELATED_", zone),
      ""
    ),
    " \t\n"
  )
end

#GetSpecialInterfacesInZone(zone) ⇒ Array<String>

Function returns list of special strings like 'any' or 'auto' and uknown interfaces.

Examples:

GetSpecialInterfacesInZone("EXT") -> ["any", "unknown-1", "wrong-3"]


1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
# File 'library/network/src/lib/network/susefirewall2.rb', line 1897

def GetSpecialInterfacesInZone(zone)
  interfaces_in_zone = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_DEV_", zone), ""),
    " "
  )

  known_interfaces_now = GetInterfacesInZone(zone)

  # filtering known interfaces and spaces
  interfaces_in_zone = Builtins.filter(interfaces_in_zone) do |interface|
    interface != "" && !Builtins.contains(known_interfaces_now, interface)
  end

  deep_copy(interfaces_in_zone)
end

#GetSupportRouteBoolean

Function returns if firewall supports routing.



926
927
928
# File 'library/network/src/lib/network/susefirewall2.rb', line 926

def GetSupportRoute
  Ops.get_string(@SETTINGS, "FW_ROUTE", "no") == "yes"
end

#GetTrustIPsecAsString

Function returns the trust level of IPsec packets. See SetTrustIPsecAs() for more information.



963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
# File 'library/network/src/lib/network/susefirewall2.rb', line 963

def GetTrustIPsecAs
  # do not trust
  return "no" if Ops.get(@SETTINGS, "FW_IPSEC_TRUST") == "no"

  # default value for 'yes" ~= "INT"
  return "INT" if Ops.get(@SETTINGS, "FW_IPSEC_TRUST") == "yes"

  zone = GetConfigurationStringZone(
    Ops.get_string(@SETTINGS, "FW_IPSEC_TRUST", "")
  )

  # trust as named zone (if known)
  return zone if IsKnownZone(zone)

  # unknown zone, change to default value
  SetModified()
  defaultv = GetDefaultValue("FW_IPSEC_TRUST")
  Builtins.y2warning(
    "Trust IPsec as '%1' (unknown zone) changed to '%2'",
    Ops.get_string(@SETTINGS, "FW_IPSEC_TRUST", ""),
    defaultv
  )
  SetTrustIPsecAs(defaultv)
  "no"
end

#GetZoneConfigurationString(zone) ⇒ String

Local function returns configuration string used in configuration for zone. For instance “ext” for “EXT” zone.



417
418
419
420
421
422
423
# File 'library/network/src/lib/network/susefirewall2.rb', line 417

def GetZoneConfigurationString(zone)
  if IsKnownZone(zone)
    # zones in SuSEFirewall configuration are identified by lowercased zone shorters
    return Builtins.tolower(zone)
  end
  nil
end

#GetZoneOfInterface(interface) ⇒ String

Function returns the firewall zone of interface, nil if no zone includes the interface. Error is reported when interface is found in multiple firewall zones, then the first appearance is returned.

Examples:

GetZoneOfInterface (“eth-id-01:11:DA:9C:8A:2F”) -> “DMZ”



1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
# File 'library/network/src/lib/network/susefirewall2.rb', line 1032

def GetZoneOfInterface(interface)
  interface_zone = []

  Builtins.foreach(GetKnownFirewallZones()) do |zone|
    if IsInterfaceInZone(interface, zone)
      interface_zone = Builtins.add(interface_zone, zone)
    end
  end

  # Fallback handling for 'any' in the FW_DEV_* configuration
  if interface == @special_all_interface_string &&
      Builtins.size(interface_zone) == 0
    interface_zone = [@special_all_interface_zone]
  end

  if IsVerbose() && Ops.greater_than(Builtins.size(interface_zone), 1)
    # TRANSLATORS: Error message, %1 = interface name (like eth0)
    Report.Error(
      Builtins.sformat(
        _(
          "Interface '%1' is included in multiple firewall zones.\n" \
            "Continuing with configuration can produce errors.\n" \
            "\n" \
            "It is recommended to leave the configuration and repair it manually in\n" \
            "the file '/etc/sysconfig/SuSEFirewall'."
        ),
        interface
      )
    )
  end

  # return the first existence of interface in zones
  # if it is not presented anywhere, nil is returned
  Ops.get_string(interface_zone, 0)
end

#GetZonesOfInterfacesWithAnyFeatureSupported(interfaces) ⇒ Array<String>

Function returns list of zones of requested interfaces. Special string 'any' in 'EXT' zone is supported.

Examples:

GetZonesOfInterfaces (["eth1","eth4"]) -> ["EXT"]


1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
# File 'library/network/src/lib/network/susefirewall2.rb', line 1076

def GetZonesOfInterfacesWithAnyFeatureSupported(interfaces)
  interfaces = deep_copy(interfaces)
  zones = []
  zone = ""

  # 'any' in 'EXT'
  interfaces_covered_by_any = GetInterfacesInZoneSupportingAnyFeature(
    @special_all_interface_zone
  )

  Builtins.foreach(interfaces) do |interface|
    # interface is covered by 'any' in 'EXT'
    zone = if Builtins.contains(interfaces_covered_by_any, interface)
      @special_all_interface_zone
    else
      # interface is explicitely mentioned in some zone
      GetZoneOfInterface(interface)
    end
    zones = Builtins.add(zones, zone) if !zone.nil?
  end

  Builtins.toset(zones)
end

#Import(import_settings) ⇒ Object

Function for setting SuSEFirewall configuration from input



999
1000
1001
1002
1003
1004
1005
1006
1007
# File 'library/network/src/lib/network/susefirewall2.rb', line 999

def Import(import_settings)
  Read()
  @SETTINGS.merge!(import_settings || {})
  @configuration_has_been_read = true

  SetModified()

  nil
end

#IncreaseVerbosityObject

Local function for increasing the verbosity level.



298
299
300
301
302
# File 'library/network/src/lib/network/susefirewall2.rb', line 298

def IncreaseVerbosity
  @verbose_level = Ops.add(@verbose_level, 1)

  nil
end

#InterfacesSupportedByAnyFeature(zone) ⇒ Array<String>

Returns list of interfaces not mentioned in any zone and covered by the special string 'any' in zone 'EXT' if such string exists there and the zone is EXT. If the feature 'any' is not set, function returns empty list.

See Also:

  • #IsAnyNetworkInterfaceSupported()


1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
# File 'library/network/src/lib/network/susefirewall2.rb', line 1253

def InterfacesSupportedByAnyFeature(zone)
  result = []

  if zone == @special_all_interface_zone && IsAnyNetworkInterfaceSupported()
    known_interfaces_now = GetListOfKnownInterfaces()
    configured_interfaces = GetFirewallInterfaces()
    Builtins.foreach(known_interfaces_now) do |one_interface|
      if !Builtins.contains(configured_interfaces, one_interface)
        Builtins.y2milestone(
          "Interface '%1' supported by special string '%2' in zone '%3'",
          one_interface,
          @special_all_interface_string,
          @special_all_interface_zone
        )
        result = Builtins.add(result, one_interface)
      end
    end
  end

  deep_copy(result)
end

#IsAnyNetworkInterfaceSupportedBoolean

Function returns whether the feature 'any' network interface is supported in the firewall configuration. The string 'any' must be in the 'EXT' zone. Updated: Currently returns only 'true' as every unasigned interface is automatically assigned to the EXT zone by SuSEfirewall2.



285
286
287
288
# File 'library/network/src/lib/network/susefirewall2.rb', line 285

def IsAnyNetworkInterfaceSupported
  # Currently unasigned interfaces belong to the EXT zone by dafault
  true
end

#IsBroadcastAllowed(needed_ports, zone) ⇒ Boolean

Function returns if broadcast is allowed for needed ports in zone.

Examples:

IsBroadcastAllowed (["port-xyz", "53"], "EXT") -> true


574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
# File 'library/network/src/lib/network/susefirewall2.rb', line 574

def IsBroadcastAllowed(needed_ports, zone)
  needed_ports = deep_copy(needed_ports)
  if Builtins.size(needed_ports) == 0
    Builtins.y2warning("Unknown service with no needed ports!")
    return nil
  end

  # getting broadcast allowed ports
  allowed_ports_map = GetBroadcastAllowedPorts()

  # Divide allowed port ranges and aliases (also with their port aliases)
  allowed_ports_divided = PortRanges.DividePortsAndPortRanges(
    Ops.get(allowed_ports_map, zone, []),
    true
  )

  # If there are no allowed ports at all
  if Ops.get(allowed_ports_divided, "ports", []) == [] &&
      Ops.get(allowed_ports_divided, "port_ranges", []) == []
    return false
  end

  is_allowed = true
  # checking all needed ports;
  Builtins.foreach(needed_ports) do |needed_port|
    # allowed ports don't contain the needed one and also portranges don't
    if !Builtins.contains(
      Ops.get(allowed_ports_divided, "ports", []),
      needed_port
    ) &&
        !PortRanges.PortIsInPortranges(
          needed_port,
          Ops.get(allowed_ports_divided, "port_ranges", [])
        )
      is_allowed = false
      raise Break
    end
  end

  is_allowed
end

#IsInterfaceInZone(interface, zone) ⇒ Boolean

Function returns if the interface is in zone.

Examples:

IsInterfaceInZone (“eth-id-01:11:DA:9C:8A:2F”, “INT”) -> false



1016
1017
1018
1019
1020
1021
1022
# File 'library/network/src/lib/network/susefirewall2.rb', line 1016

def IsInterfaceInZone(interface, zone)
  interfaces = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_DEV_", zone), ""),
    " "
  )
  Builtins.contains(interfaces, interface)
end

#IsServiceDefinedByPackageSupportedInZone(service, zone) ⇒ Boolean

Returns whether a service is mentioned in FW_CONFIGURATIONS_. These services are defined by random packages.

Examples:

IsServiceDefinedByPackageSupportedInZone ("service:sshd", "EXT") -> true


1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
# File 'library/network/src/lib/network/susefirewall2.rb', line 1306

def IsServiceDefinedByPackageSupportedInZone(service, zone)
  return nil if !IsKnownZone(zone)

  if service.nil?
    Builtins.y2error("Service Id can't be nil!")
    return nil
  elsif Builtins.regexpmatch(service, "^service:.*")
    service = Builtins.regexpsub(service, "^service:(.*)", "\\1")
  end

  # services defined by package are listed without "service:" which is here
  # just to distinguish between dynamic and static definitions
  supported_services = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_CONFIGURATIONS_", zone), ""),
    " "
  )
  Builtins.contains(supported_services, service)
end

#IsServiceSupportedInZone(service, zone) ⇒ Boolean

Function returns if service is supported (allowed) in zone. Service must be defined in the SuSEFirewallServices. Works transparently also with services defined by packages. Such service starts with “service:” prefix.

// irc-server definition exists on the system and the irc-server
// is mentioned in FW_CONFIGURATIONS_EXT variable of SuSEfirewall2
IsServiceSupportedInZone ("service:irc-server", "EXT") -> true

Examples:

// All ports defined by dns-server service in SuSEFirewallServices module
// are enabled in the respective zone
IsServiceSupportedInZone ("dns-server", "EXT") -> true

See Also:

  • Module SuSEFirewallServices


1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
# File 'library/network/src/lib/network/susefirewall2.rb', line 1341

def IsServiceSupportedInZone(service, zone)
  return nil if !IsKnownZone(zone)

  Yast.import "SuSEFirewallServices" # lazy import due to circular dependencies

  needed = SuSEFirewallServices.GetNeededPortsAndProtocols(service)

  # SuSEFirewall feature FW_PROTECT_FROM_INT
  # should not be protected and searched zones include also internal (or the zone IS internal, sure)
  if zone == @int_zone_shortname && !GetProtectFromInternalZone()
    Builtins.y2milestone(
      "Checking for service '%1', in '%2', PROTECT_FROM_INTERNAL='no' => allowed",
      service,
      zone
    )
    return true
  end

  # FATE #300687: Ports for SuSEfirewall added via packages
  if SuSEFirewallServices.ServiceDefinedByPackage(service)
    supported = IsServiceDefinedByPackageSupportedInZone(service, zone)
    return supported
  end

  # starting with nil value, any false means that the service is not supported
  service_is_supported = nil
  Builtins.foreach(@service_defined_by) do |key|
    needed_ports = Ops.get(needed, key, [])
    next if needed_ports == []
    if key == "tcp_ports"
      service_is_supported = ArePortsOrServicesAllowed(
        needed_ports,
        "TCP",
        zone,
        true
      )
    elsif key == "udp_ports"
      service_is_supported = ArePortsOrServicesAllowed(
        needed_ports,
        "UDP",
        zone,
        true
      )
    elsif key == "rpc_ports"
      service_is_supported = ArePortsOrServicesAllowed(
        needed_ports,
        "RPC",
        zone,
        false
      )
    elsif key == "ip_protocols"
      service_is_supported = ArePortsOrServicesAllowed(
        needed_ports,
        "IP",
        zone,
        false
      )
    elsif "broadcast_ports" == key
      # testing for allowed broadcast ports
      service_is_supported = IsBroadcastAllowed(needed_ports, zone)
    else
      Builtins.y2error("Unknown key '%1'", key)
    end
    # service is not supported, we don't have to do more tests
    raise Break if service_is_supported == false
  end

  service_is_supported
end

#IsVerboseBoolean

Local function returns if other functions should produce verbose output. like popups, reporting errors, etc.



315
316
317
318
# File 'library/network/src/lib/network/susefirewall2.rb', line 315

def IsVerbose
  # verbose level must be above zero to be verbose
  Ops.greater_than(@verbose_level, 0)
end

#mainObject



45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
# File 'library/network/src/lib/network/susefirewall2.rb', line 45

def main
  textdomain "base"

  Yast.import "Mode"
  Yast.import "Service"
  Yast.import "NetworkInterfaces"
  Yast.import "PortAliases"
  Yast.import "Report"
  Yast.import "Message"
  Yast.import "Progress"
  Yast.import "PortRanges"
  Yast.import "PackageSystem"
  Yast.import "FileUtils"
  Yast.import "Directory"
  Yast.import "Stage"
  Yast.import "Pkg"

  # <!-- SuSEFirewall VARIABLES //-->

  @FIREWALL_PACKAGE = "SuSEfirewall2"

  # configuration hasn't been read for the default
  # this should reduce the readings to only ONE
  @configuration_has_been_read = false

  # String which includes all interfaces not-defined in any zone
  @special_all_interface_string = "any"

  # Maximal number of port number, they are in the interval 1-65535 included
  @max_port_number = PortRanges.max_port_number

  # Zone which works with the special_all_interface_string string
  @special_all_interface_zone = "EXT"

  # firewall settings map
  @SETTINGS = {}

  # configuration was modified when true
  @modified = false

  # defines if SuSEFirewall is running
  @is_running = false

  # default settings for SuSEFirewall
  @DEFAULT_SETTINGS = {
    "FW_LOG_ACCEPT_ALL"          => "no",
    "FW_LOG_ACCEPT_CRIT"         => "yes",
    "FW_LOG_DROP_ALL"            => "no",
    "FW_LOG_DROP_CRIT"           => "yes",
    "FW_PROTECT_FROM_INT"        => "no",
    "FW_ROUTE"                   => "no",
    "FW_STOP_KEEP_ROUTING_STATE" => "no",
    "FW_MASQUERADE"              => "no",
    "FW_ALLOW_FW_TRACEROUTE"     => "yes",
    "FW_ALLOW_PING_FW"           => "yes",
    "FW_ALLOW_FW_BROADCAST_EXT"  => "no",
    "FW_ALLOW_FW_BROADCAST_INT"  => "no",
    "FW_ALLOW_FW_BROADCAST_DMZ"  => "no",
    "FW_IGNORE_FW_BROADCAST_EXT" => "yes",
    "FW_IGNORE_FW_BROADCAST_INT" => "no",
    "FW_IGNORE_FW_BROADCAST_DMZ" => "no",
    "FW_IPSEC_TRUST"             => "no",
    "FW_BOOT_FULL_INIT"          => "no"
  }

  # verbose_level -> if verbosity is more than 0, be verbose, starting in verbose mode
  @verbose_level = 1

  # list of known firewall zones
  @known_firewall_zones = ["INT", "DMZ", "EXT"]

  # map defines zone name for all known firewall zones
  @zone_names = {
    # TRANSLATORS: Firewall zone name - used in combo box or dialog title
    "EXT" => _(
      "External Zone"
    ),
    # TRANSLATORS: Firewall zone name - used in combo box or dialog title
    "INT" => _(
      "Internal Zone"
    ),
    # TRANSLATORS: Firewall zone name - used in combo box or dialog title
    "DMZ" => _(
      "Demilitarized Zone"
    )
  }

  # internal zone identification - useful for protect-from-internal
  @int_zone_shortname = "INT"

  # list of protocols supported in firewall, use only upper-cases
  @supported_protocols = ["TCP", "UDP", "RPC", "IP"]

  # list of keys in map of definition well-known services
  @service_defined_by = [
    "tcp_ports",
    "udp_ports",
    "rpc_ports",
    "ip_protocols",
    "broadcast_ports"
  ]

  # list of services currently allowed, which share ports (for instance RPC services)
  @allowed_conflict_services = {}

  @firewall_service = "SuSEfirewall2"

  @SuSEFirewall_variables = [
    # zones and interfaces
    "FW_DEV_INT",
    "FW_DEV_DMZ",
    "FW_DEV_EXT",
    # services in zones
    "FW_SERVICES_INT_TCP",
    "FW_SERVICES_INT_UDP",
    "FW_SERVICES_INT_RPC",
    "FW_SERVICES_INT_IP",
    "FW_SERVICES_DMZ_TCP",
    "FW_SERVICES_DMZ_UDP",
    "FW_SERVICES_DMZ_RPC",
    "FW_SERVICES_DMZ_IP",
    "FW_SERVICES_EXT_TCP",
    "FW_SERVICES_EXT_UDP",
    "FW_SERVICES_EXT_RPC",
    "FW_SERVICES_EXT_IP",
    "FW_PROTECT_FROM_INT",
    # global routing, masquerading
    "FW_ROUTE",
    "FW_STOP_KEEP_ROUTING_STATE",
    "FW_MASQUERADE",
    "FW_FORWARD_MASQ",
    "FW_FORWARD_ALWAYS_INOUT_DEV",
    # broadcast packets
    "FW_ALLOW_FW_BROADCAST_EXT",
    "FW_ALLOW_FW_BROADCAST_INT",
    "FW_ALLOW_FW_BROADCAST_DMZ",
    "FW_IGNORE_FW_BROADCAST_EXT",
    "FW_IGNORE_FW_BROADCAST_INT",
    "FW_IGNORE_FW_BROADCAST_DMZ",
    # FATE #300970: Support for 'Samba & friends' browsing
    "FW_SERVICES_ACCEPT_RELATED_EXT",
    "FW_SERVICES_ACCEPT_RELATED_INT",
    "FW_SERVICES_ACCEPT_RELATED_DMZ",
    # logging
    "FW_LOG_DROP_CRIT",
    "FW_LOG_DROP_ALL",
    "FW_LOG_ACCEPT_CRIT",
    "FW_LOG_ACCEPT_ALL",
    # IPsec support
    "FW_IPSEC_TRUST",
    # Custom rulezz
    #     net,protocol[,dport][,sport]
    "FW_SERVICES_ACCEPT_EXT",
    "FW_SERVICES_ACCEPT_INT",
    "FW_SERVICES_ACCEPT_DMZ",
    # Custom kernel modules, e.g., for FTP
    "FW_LOAD_MODULES",
    # Services defined in /usr/share/SuSEfirewall2/services/ directory
    # FATE #300687: Ports for SuSEfirewall added via packages
    "FW_CONFIGURATIONS_EXT",
    "FW_CONFIGURATIONS_INT",
    "FW_CONFIGURATIONS_DMZ",
    # bsc#916376: Ports need to be open already during boot
    "FW_BOOT_FULL_INIT"
  ]

  # FATE #300970: Firewall support for SMB browsing
  @broadcast_related_module = "nf_conntrack_netbios_ns"

  # Variable for ReportOnlyOnce() function
  @report_only_once = []

  # <!-- SuSEFirewall LOCAL FUNCTIONS //-->

  # <!-- SuSEFirewall GLOBAL FUNCTIONS //-->

  # bnc #388773
  # By default needed packages are just checked, not installed
  @check_and_install_package = false

  # Are needed packages (SuSEfirewall2) installed?
  @needed_packages_installed = nil

  # Configuration has been read and it's useful
  @fw_service_can_be_configured = false

  # old internal services definitions are converted to new services defined by packages
  # but only once
  @converted_to_services_dbp_file = Ops.add(
    Directory.vardir,
    "/yast2-firewall-already-converted-to-sdbp"
  )

  # services have been already converted
  @already_converted = false

  @protocol_translations = {
    # protocol name
    "tcp"   => _("TCP"),
    # protocol name
    "udp"   => _("UDP"),
    # protocol name
    "_rpc_" => _("RPC"),
    # protocol name
    "ip"    => _("IP")
  }
end

#ReadBoolean

Function for reading SuSEFirewall configuration. Fills internal variables only.



1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
# File 'library/network/src/lib/network/susefirewall2.rb', line 1503

def Read
  # Do not read it again and again
  # to avoid rewriting changes already made
  if @configuration_has_been_read
    Builtins.y2milestone(
      "SuSEfirewall2 configuration has been read already."
    )
    return @fw_service_can_be_configured
  end

  # bnc #887406
  if !FileUtils.Exists(CONFIG_FILE) || !SuSEFirewallIsSelectedOrInstalled()
    log.warn "No firewall config -> firewall can't be read"
    FillUpEmptyConfig()
    return false
  end

  # Can be configured, packages were installed
  @fw_service_can_be_configured = true

  # Progress only for normal configuration
  have_progress = Mode.normal

  if have_progress
    # TRANSLATORS: Dialog caption
    read_caption = _("Initializing Firewall Configuration")

    Progress.New(
      read_caption,
      " ",
      3,
      [
        # TRANSLATORS: Progress step
        _("Check for network devices"),
        # TRANSLATORS: Progress step
        _("Read current configuration"),
        # TRANSLATORS: Progress step
        _("Check possibly conflicting services")
      ],
      [
        # TRANSLATORS: Progress step
        _("Checking for network devices..."),
        # TRANSLATORS: Progress step
        _("Reading current configuration..."),
        # TRANSLATORS: Progress step
        _("Checking possibly conflicting services..."),
        Message.Finished
      ],
      ""
    )

    Progress.NextStage
  end

  # Always call NI::Read, bnc #396646
  NetworkInterfaces.Read

  Progress.NextStage if have_progress

  ReadCurrentConfiguration()

  Progress.NextStage if have_progress

  # checking if any possibly conficting services were turned on in configuration
  # filling internal values for later checkings
  # CheckAllPossiblyConflictingServices();
  # -- Function has been turned off as we don't support services defined by YaST itself anymore --

  Builtins.y2milestone(
    "Firewall configuration has been read: %1.",
    @SETTINGS
  )
  # to read configuration only once
  @configuration_has_been_read = true

  Progress.NextStage if have_progress

  # bnc #399217
  # Converting built-in service definitions to services defined by packages
  ConvertToServicesDefinedByPackages()

  Progress.Finish if have_progress

  true
end

#ReadCurrentConfigurationObject

Local function reads current configuration and fills internal values.



1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
# File 'library/network/src/lib/network/susefirewall2.rb', line 1469

def ReadCurrentConfiguration
  @SETTINGS = {}

  # is firewall enabled in /etc/init.d/ ?
  Ops.set(@SETTINGS, "enable_firewall", IsEnabled())
  # is firewall started now?
  Ops.set(@SETTINGS, "start_firewall", IsStarted())

  ReadSysconfigSuSEFirewall(GetListOfSuSEFirewallVariables())

  nil
end

#ReadDefaultConfigurationObject

Local function sets the default configuration and fills internal values.



1460
1461
1462
1463
1464
1465
1466
# File 'library/network/src/lib/network/susefirewall2.rb', line 1460

def ReadDefaultConfiguration
  @SETTINGS = {}

  ResetSysconfigSuSEFirewall(GetListOfSuSEFirewallVariables())

  nil
end

#ReadSysconfigSuSEFirewall(variables) ⇒ Object

Local function for reading list of sysconfig variables into internal variables.



331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
# File 'library/network/src/lib/network/susefirewall2.rb', line 331

def ReadSysconfigSuSEFirewall(variables)
  variables = deep_copy(variables)
  Builtins.foreach(variables) do |variable|
    value = Convert.to_string(
      SCR.Read(Builtins.add(path(".sysconfig.SuSEfirewall2"), variable))
    )
    # if value is undefined, get default value
    value = GetDefaultValue(variable) if value.nil? || value == ""
    # BNC #426000
    # backslash at the end
    if Builtins.regexpmatch(value, "[ \t]*\\\\[ \t]*\n")
      rules = Builtins.splitstring(value, "\\ \t\n")
      rules = Builtins.filter(rules) do |one_rule|
        !one_rule.nil? && one_rule != ""
      end
      value = Builtins.mergestring(rules, " ")
    end
    # BNC #194419
    # replace all "\n" with " " in variables
    if Builtins.regexpmatch(value, "\n")
      value = Builtins.mergestring(Builtins.splitstring(value, "\n"), " ")
    end
    # replace all "\t" with " " in variables
    if Builtins.regexpmatch(value, "\t")
      value = Builtins.mergestring(Builtins.splitstring(value, "\t"), " ")
    end
    Ops.set(@SETTINGS, variable, value)
  end

  nil
end

#RemoveAllowedBroadcast(needed_ports, zone) ⇒ Object

Local function removes list of ports from port allowing broadcast packets in zone.



620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
# File 'library/network/src/lib/network/susefirewall2.rb', line 620

def RemoveAllowedBroadcast(needed_ports, zone)
  needed_ports = deep_copy(needed_ports)
  SetModified()

  allowed_ports = GetBroadcastAllowedPorts()
  list_ports_allowed = Ops.get(allowed_ports, zone, [])

  # ports to be allowed one by one
  Builtins.foreach(needed_ports) do |allow_this_port|
    # remove all aliases of ports yet mentioned in zone
    aliases_of_port = PortAliases.GetListOfServiceAliases(allow_this_port)
    list_ports_allowed = Builtins.filter(list_ports_allowed) do |just_allowed|
      !Builtins.contains(aliases_of_port, just_allowed)
    end
  end
  Ops.set(allowed_ports, zone, list_ports_allowed)

  # save it using function
  SetBroadcastAllowedPorts(allowed_ports)

  nil
end

#RemoveForwardIntoMasqueradeRule(remove_item) ⇒ Object

Function removes rule for forwarding into masquerade from the list of current rules returned by GetListOfForwardsIntoMasquerade().

See Also:

  • #GetListOfForwardsIntoMasquerade()


2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
# File 'library/network/src/lib/network/susefirewall2.rb', line 2062

def RemoveForwardIntoMasqueradeRule(remove_item)
  SetModified()

  forward_rules = []

  row_counter = 0
  Builtins.foreach(
    Builtins.splitstring(
      Ops.get_string(@SETTINGS, "FW_FORWARD_MASQ", ""),
      " "
    )
  ) do |forward_rule|
    next if forward_rule == ""
    if row_counter != remove_item
      forward_rules = Builtins.add(forward_rules, forward_rule)
    end
    row_counter = Ops.add(row_counter, 1)
  end

  Ops.set(
    @SETTINGS,
    "FW_FORWARD_MASQ",
    Builtins.mergestring(forward_rules, " ")
  )

  nil
end

#RemoveInterfaceFromZone(interface, zone) ⇒ Object

Function removes interface from defined zone.

Examples:

RemoveInterfaceFromZone (“modem0”, “EXT”)



1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
# File 'library/network/src/lib/network/susefirewall2.rb', line 1141

def RemoveInterfaceFromZone(interface, zone)
  SetModified()

  Builtins.y2milestone(
    "Removing interface '%1' from '%2' zone.",
    interface,
    zone
  )

  interfaces_in_zone = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_DEV_", zone), ""),
    " "
  )
  interfaces_in_zone = Builtins.filter(interfaces_in_zone) do |single_interface|
    single_interface != "" && single_interface != interface
  end
  Ops.set(
    @SETTINGS,
    Ops.add("FW_DEV_", zone),
    Builtins.mergestring(interfaces_in_zone, " ")
  )

  nil
end

#RemoveOldAllowedServiceFromZone(old_service_def, zone) ⇒ Object

Removes old-service definitions before they are added as services defined by packages.



2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
# File 'library/network/src/lib/network/susefirewall2.rb', line 2482

def RemoveOldAllowedServiceFromZone(old_service_def, zone)
  old_service_def = deep_copy(old_service_def)
  Builtins.y2milestone("Removing: %1 from zone %2", old_service_def, zone)

  if Ops.get_list(old_service_def, "tcp_ports", []) != []
    Builtins.foreach(Ops.get_list(old_service_def, "tcp_ports", [])) do |one_service|
      RemoveService(one_service, "TCP", zone)
    end
  end

  if Ops.get_list(old_service_def, "udp_ports", []) != []
    Builtins.foreach(Ops.get_list(old_service_def, "udp_ports", [])) do |one_service|
      RemoveService(one_service, "UDP", zone)
    end
  end

  if Ops.get_list(old_service_def, "rpc_ports", []) != []
    Builtins.foreach(Ops.get_list(old_service_def, "rpc_ports", [])) do |one_service|
      RemoveService(one_service, "RPC", zone)
    end
  end

  if Ops.get_list(old_service_def, "ip_protocols", []) != []
    Builtins.foreach(Ops.get_list(old_service_def, "ip_protocols", [])) do |one_service|
      RemoveService(one_service, "IP", zone)
    end
  end

  if Ops.get_list(old_service_def, "broadcast_ports", []) != []
    broadcast = GetBroadcastAllowedPorts()

    Ops.set(broadcast, zone, Builtins.filter(Ops.get(broadcast, zone, [])) do |one_port|
      !Builtins.contains(
        Ops.get_list(old_service_def, "broadcast_ports", []),
        one_port
      )
    end)

    SetBroadcastAllowedPorts(broadcast)
  end

  nil
end

#RemoveServiceDefinedByPackageFromZone(service, zone) ⇒ Object

Removes service defined by package (FATE #300687) from enabled services.

Examples:

RemoveServiceDefinedByPackageFromZone ("service:irc-server", "EXT");


708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
# File 'library/network/src/lib/network/susefirewall2.rb', line 708

def RemoveServiceDefinedByPackageFromZone(service, zone)
  return nil if !IsKnownZone(zone)

  if service.nil?
    Builtins.y2error("Service Id can't be nil!")
    return nil
  elsif Builtins.regexpmatch(service, "^service:.*")
    service = Builtins.regexpsub(service, "^service:(.*)", "\\1")
  end

  # services defined by package are listed without "service:" which is here
  # just to distinguish between dynamic and static definitions
  supported_services = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_CONFIGURATIONS_", zone), ""),
    " "
  )
  # Removing the service
  supported_services = Builtins.filter(supported_services) do |one_service|
    one_service != service
  end
  Ops.set(
    @SETTINGS,
    Ops.add("FW_CONFIGURATIONS_", zone),
    Builtins.mergestring(supported_services, " ")
  )

  SetModified()

  nil
end

#RemoveServiceFromProtocolZone(remove_service, protocol, zone) ⇒ Boolean

Local function for removing (disallowing) single service/port for defined protocol and zone. Functions doesn't take care of port-aliases.



683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
# File 'library/network/src/lib/network/susefirewall2.rb', line 683

def RemoveServiceFromProtocolZone(remove_service, protocol, zone)
  SetModified()

  key = Ops.add(Ops.add(Ops.add("FW_SERVICES_", zone), "_"), protocol)

  allowed = Builtins.splitstring(Ops.get_string(@SETTINGS, key, ""), " ")
  allowed = Builtins.filter(allowed) do |single_service|
    single_service != "" && single_service != remove_service
  end
  Ops.set(
    @SETTINGS,
    key,
    Builtins.mergestring(Builtins.toset(allowed), " ")
  )

  true
end

#RemoveServiceSupportFromZone(service, zone) ⇒ Object

Local function removes well-known service's support from zone. Allowed ports are removed with all of their port-aliases.



782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
# File 'library/network/src/lib/network/susefirewall2.rb', line 782

def RemoveServiceSupportFromZone(service, zone)
  Yast.import "SuSEFirewallServices" # lazy import due to circular dependencies

  needed = SuSEFirewallServices.GetNeededPortsAndProtocols(service)
  # unknown service
  if needed.nil?
    Builtins.y2error("Undefined service '%1'", service)
    return nil
  end

  # FATE #300687: Ports for SuSEfirewall added via packages
  if SuSEFirewallServices.ServiceDefinedByPackage(service)
    if IsServiceSupportedInZone(service, zone) == true
      RemoveServiceDefinedByPackageFromZone(service, zone)
    end

    return nil
  end

  SetModified()

  # Removing service ports (and also port aliases for TCP and UDP)
  Builtins.foreach(@service_defined_by) do |key|
    needed_ports = Ops.get(needed, key, [])
    next if needed_ports == []
    if key == "tcp_ports"
      RemoveAllowedPortsOrServices(needed_ports, "TCP", zone, true)
    elsif key == "udp_ports"
      RemoveAllowedPortsOrServices(needed_ports, "UDP", zone, true)
    elsif key == "rpc_ports"
      RemoveAllowedPortsOrServices(needed_ports, "RPC", zone, false)
    elsif key == "ip_protocols"
      RemoveAllowedPortsOrServices(needed_ports, "IP", zone, false)
    elsif "broadcast_ports" == key
      RemoveAllowedBroadcast(needed_ports, zone)
    else
      Builtins.y2error("Unknown key '%1'", key)
    end
  end

  nil
end

#RemoveSpecialInterfaceFromZone(interface, zone) ⇒ Object

Function removes special string from defined zone.



1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
# File 'library/network/src/lib/network/susefirewall2.rb', line 1917

def RemoveSpecialInterfaceFromZone(interface, zone)
  SetModified()

  Builtins.y2milestone(
    "Removing special string '%1' from '%2' zone.",
    interface,
    zone
  )

  interfaces_in_zone = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_DEV_", zone), ""),
    " "
  )
  interfaces_in_zone = Builtins.filter(interfaces_in_zone) do |single_interface|
    single_interface != "" && single_interface != interface
  end
  Ops.set(
    @SETTINGS,
    Ops.add("FW_DEV_", zone),
    Builtins.mergestring(interfaces_in_zone, " ")
  )

  nil
end

#ReportOnlyOnce(what_to_report) ⇒ Boolean

Report the error, warning, message only once. Stores the error, warning, message in memory. This is just a helper function that could avoid from filling y2log up with a lot of the very same messages - 'foreach()' is a very powerful builtin.

Examples:

string error = sformat("Port number %1 is invalid.", port_nr);
if (ReportOnlyOnce(error)) y2error(error);


268
269
270
271
272
273
# File 'library/network/src/lib/network/susefirewall2.rb', line 268

def ReportOnlyOnce(what_to_report)
  return false if Builtins.contains(@report_only_once, what_to_report)

  @report_only_once = Builtins.add(@report_only_once, what_to_report)
  true
end

#ResetReadFlagObject

Function resets flag which doesn't allow to read configuration from disk again. So you actually can reread the configuration from disk. Currently, only the first Read() call reads the configuration from disk.



878
879
880
881
882
# File 'library/network/src/lib/network/susefirewall2.rb', line 878

def ResetReadFlag
  @configuration_has_been_read = false

  nil
end

#ResetSysconfigSuSEFirewall(variables) ⇒ Object

Local function for reseting list of sysconfig variables in internal variables.



366
367
368
369
370
371
372
373
374
# File 'library/network/src/lib/network/susefirewall2.rb', line 366

def ResetSysconfigSuSEFirewall(variables)
  variables = deep_copy(variables)
  Builtins.foreach(variables) do |variable|
    # reseting means getting default variables
    Ops.set(@SETTINGS, variable, GetDefaultValue(variable))
  end

  nil
end

#SetAcceptExpertRules(zone, expert_rules) ⇒ Boolean

Sets expert allow rules for zone.



2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
# File 'library/network/src/lib/network/susefirewall2.rb', line 2289

def SetAcceptExpertRules(zone, expert_rules)
  zone = Builtins.toupper(zone)

  # Check for zone
  if !Builtins.contains(GetKnownFirewallZones(), zone)
    Builtins.y2error("Unknown firewall zone: %1", zone)
    return false
  end

  Ops.set(@SETTINGS, Ops.add("FW_SERVICES_ACCEPT_", zone), expert_rules)
  SetModified()

  true
end

#SetAllowedServicesForZoneProto(allowed_services, zone, protocol) ⇒ Object

Function sets list of services as allowed ports for zone and protocol



459
460
461
462
463
464
465
466
467
468
469
470
# File 'library/network/src/lib/network/susefirewall2.rb', line 459

def SetAllowedServicesForZoneProto(allowed_services, zone, protocol)
  allowed_services = deep_copy(allowed_services)
  SetModified()

  Ops.set(
    @SETTINGS,
    Ops.add(Ops.add(Ops.add("FW_SERVICES_", zone), "_"), protocol),
    Builtins.mergestring(Builtins.toset(allowed_services), " ")
  )

  nil
end

#SetBroadcastAllowedPorts(broadcast) ⇒ Object

Function creates allowed-broadcast-ports string from broadcast map and saves it.

See Also:

  • for an example of data


551
552
553
554
555
556
557
558
559
560
561
562
563
564
# File 'library/network/src/lib/network/susefirewall2.rb', line 551

def SetBroadcastAllowedPorts(broadcast)
  broadcast = deep_copy(broadcast)
  SetModified()

  Builtins.foreach(GetKnownFirewallZones()) do |zone|
    Ops.set(broadcast, zone, ["no"]) if Ops.get(broadcast, zone, []) == []
    SetBroadcastConfiguration(
      zone,
      Builtins.mergestring(Ops.get(broadcast, zone, []), " ")
    )
  end

  nil
end

#SetBroadcastConfiguration(zone, broadcast_configuration) ⇒ Object

Local function saves configuration string for broadcast packets.



483
484
485
486
487
488
489
490
491
492
493
# File 'library/network/src/lib/network/susefirewall2.rb', line 483

def SetBroadcastConfiguration(zone, broadcast_configuration)
  SetModified()

  Ops.set(
    @SETTINGS,
    Ops.add("FW_ALLOW_FW_BROADCAST_", zone),
    broadcast_configuration
  )

  nil
end

#SetFirewallKernelModules(k_modules) ⇒ Object

Sets list of additional kernel modules to be loaded by firewall on startup.

Examples:

SuSEFirewall::SetFirewallKernelModules (["ip_conntrack_ftp","ip_nat_ftp"]);

See Also:

  • option nr. 32


2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
# File 'library/network/src/lib/network/susefirewall2.rb', line 2329

def SetFirewallKernelModules(k_modules)
  k_modules = deep_copy(k_modules)
  k_modules = Builtins.filter(k_modules) do |one_module|
    if one_module.nil?
      Builtins.y2error(
        "List of modules %1 contains 'nil'! It will be ignored.",
        k_modules
      )
      next false
    elsif one_module == ""
      Builtins.y2warning(
        "List of modules %1 contains an empty string, it will be ignored.",
        k_modules
      )
      next false
    end
    if Builtins.regexpmatch(one_module, " ") ||
        Builtins.regexpmatch(one_module, "\t")
      Builtins.y2warning(
        "Additional module '%1' contains spaces. They will be evaluated as two or more modules later.",
        one_module
      )
    end
    true
  end

  Ops.set(
    @SETTINGS,
    "FW_LOAD_MODULES",
    Builtins.mergestring(k_modules, " ")
  )
  SetModified()

  nil
end

#SetIgnoreLoggingBroadcast(zone, bcast) ⇒ Object

Function sets yes/no - ingoring broadcast for zone

Examples:

# Does not log broadcast packets from DMZ
SetIgnoreLoggingBroadcast ("DMZ", "yes")


2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
# File 'library/network/src/lib/network/susefirewall2.rb', line 2251

def SetIgnoreLoggingBroadcast(zone, bcast)
  if !IsKnownZone(zone)
    Builtins.y2error("Unknown zone '%1'", zone)
    return nil
  end

  SetModified()

  Ops.set(@SETTINGS, Ops.add("FW_IGNORE_FW_BROADCAST_", zone), bcast)

  nil
end

#SetLoggingSettings(rule, state) ⇒ Object

Function sets state of logging for rule taken as parameter.

Examples:

SetLoggingSettings ("ACCEPT", "ALL")
SetLoggingSettings ("DROP", "NONE")


2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
# File 'library/network/src/lib/network/susefirewall2.rb', line 2194

def SetLoggingSettings(rule, state)
  SetModified()

  if rule == "ACCEPT"
    if state == "ALL"
      Ops.set(@SETTINGS, "FW_LOG_ACCEPT_CRIT", "yes")
      Ops.set(@SETTINGS, "FW_LOG_ACCEPT_ALL", "yes")
    elsif state == "CRIT"
      Ops.set(@SETTINGS, "FW_LOG_ACCEPT_CRIT", "yes")
      Ops.set(@SETTINGS, "FW_LOG_ACCEPT_ALL", "no")
    else
      Ops.set(@SETTINGS, "FW_LOG_ACCEPT_CRIT", "no")
      Ops.set(@SETTINGS, "FW_LOG_ACCEPT_ALL", "no")
    end
  elsif rule == "DROP"
    if state == "ALL"
      Ops.set(@SETTINGS, "FW_LOG_DROP_CRIT", "yes")
      Ops.set(@SETTINGS, "FW_LOG_DROP_ALL", "yes")
    elsif state == "CRIT"
      Ops.set(@SETTINGS, "FW_LOG_DROP_CRIT", "yes")
      Ops.set(@SETTINGS, "FW_LOG_DROP_ALL", "no")
    else
      Ops.set(@SETTINGS, "FW_LOG_DROP_CRIT", "no")
      Ops.set(@SETTINGS, "FW_LOG_DROP_ALL", "no")
    end
  else
    Builtins.y2error("Possible rules are only 'ACCEPT' or 'DROP'")
  end

  nil
end

#SetMasquerade(enable, _zone = nil) ⇒ Object

Function sets Masquerade support.



1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
# File 'library/network/src/lib/network/susefirewall2.rb', line 1983

def SetMasquerade(enable, _zone = nil)
  SetModified()

  Ops.set(@SETTINGS, "FW_MASQUERADE", enable ? "yes" : "no")

  # routing is needed for masquerading, but we can't swithc it off when disabling masquerading
  Ops.set(@SETTINGS, "FW_ROUTE", "yes") if enable

  nil
end

#SetProtectFromInternalZone(set_protect) ⇒ Object

Function sets if firewall should be protected from internal zone.



887
888
889
890
891
892
893
894
895
896
897
# File 'library/network/src/lib/network/susefirewall2.rb', line 887

def SetProtectFromInternalZone(set_protect)
  SetModified()

  if set_protect
    Ops.set(@SETTINGS, "FW_PROTECT_FROM_INT", "yes")
  else
    Ops.set(@SETTINGS, "FW_PROTECT_FROM_INT", "no")
  end

  nil
end

#SetServicesAcceptRelated(zone, ruleset) ⇒ Object

Functions sets FW_SERVICES_ACCEPT_RELATED_*: Services to allow that are considered RELATED by the connection tracking engine, e.g., SLP browsing reply or Samba browsing reply.

Examples:

SetServicesAcceptRelated ("EXT", ["0/0,udp,427", "0/0,udp,137"])

See Also:

  • #GetServicesAcceptRelated()


2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
# File 'library/network/src/lib/network/susefirewall2.rb', line 2422

def SetServicesAcceptRelated(zone, ruleset)
  ruleset = deep_copy(ruleset)
  if !IsKnownZone(zone)
    Builtins.y2error("Uknown zone '%1'", zone)
    return
  end

  ruleset = Builtins.filter(ruleset) { |one_rule| !one_rule.nil? }

  SetModified()

  Ops.set(
    @SETTINGS,
    Ops.add("FW_SERVICES_ACCEPT_RELATED_", zone),
    Builtins.mergestring(ruleset, "\n")
  )

  nil
end

#SetServicesForZones(services_ids, firewall_zones, new_status) ⇒ Object

Function sets status for several services in several firewall zones.

Examples:

SetServicesForZones (["samba-server", "service:irc-server"], ["DMZ", "EXT"], false);
SetServicesForZones (["samba-server", "service:irc-server"], ["EXT", "DMZ"], true);

See Also:

  • #GetServicesInZones()
  • #GetServices()


1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
# File 'library/network/src/lib/network/susefirewall2.rb', line 1424

def SetServicesForZones(services_ids, firewall_zones, new_status)
  # setting for each service
  Builtins.foreach(services_ids) do |service_id|
    Builtins.foreach(firewall_zones) do |firewall_zone|
      # zone must be known one
      if !IsKnownZone(firewall_zone)
        Builtins.y2error(
          "Zone '%1' is unknown firewall zone, skipping...",
          firewall_zone
        )
        next
      end
      SetModified()
      # setting new status
      if new_status == true
        Builtins.y2milestone(
          "Adding '%1' into '%2' zone",
          service_id,
          firewall_zone
        )
        AddServiceSupportIntoZone(service_id, firewall_zone)
      else
        Builtins.y2milestone(
          "Removing '%1' from '%2' zone",
          service_id,
          firewall_zone
        )
        RemoveServiceSupportFromZone(service_id, firewall_zone)
      end
    end
  end

  nil
end

#SetSupportRoute(set_route) ⇒ Object

Function sets if firewall should support routing.



909
910
911
912
913
914
915
916
917
918
919
920
921
# File 'library/network/src/lib/network/susefirewall2.rb', line 909

def SetSupportRoute(set_route)
  SetModified()

  if set_route
    Ops.set(@SETTINGS, "FW_STOP_KEEP_ROUTING_STATE", "yes")
    Ops.set(@SETTINGS, "FW_ROUTE", "yes")
  else
    Ops.set(@SETTINGS, "FW_STOP_KEEP_ROUTING_STATE", "no")
    Ops.set(@SETTINGS, "FW_ROUTE", "no")
  end

  nil
end

#SetTrustIPsecAs(zone) ⇒ Object

Function sets how firewall should trust successfully decrypted IPsec packets. It should be the zone name (shortname) or 'no' to trust packets the same as firewall trusts the zone from which IPsec packet came.



935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
# File 'library/network/src/lib/network/susefirewall2.rb', line 935

def SetTrustIPsecAs(zone)
  SetModified()

  # do not trust
  if zone == "no"
    Ops.set(@SETTINGS, "FW_IPSEC_TRUST", "no")
  # trust IPsec is a known zone
  elsif IsKnownZone(zone)
    zone = GetZoneConfigurationString(zone)
    Ops.set(@SETTINGS, "FW_IPSEC_TRUST", zone)
    # unknown zone, changing to default value
  else
    defaultv = GetDefaultValue("FW_IPSEC_TRUST")
    Builtins.y2warning(
      "Trust IPsec as '%1' (unknown zone) changed to '%2'",
      zone,
      defaultv
    )
    Ops.set(@SETTINGS, "FW_IPSEC_TRUST", defaultv)
  end

  nil
end

#WriteBoolean

Function for writing and enabling configuration it is an union of WriteConfiguration() and ActivateConfiguration().



1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
# File 'library/network/src/lib/network/susefirewall2.rb', line 1776

def Write
  CheckKernelModules()

  # just disabled
  return true if !SuSEFirewallIsInstalled()

  return false if !WriteConfiguration()

  return false if !ActivateConfiguration()

  true
end

#WriteConfigurationBoolean

Function writes configuration into /etc/sysconfig/ and enables or disables firewall in /etc/init.d/ by the setting SetEnableService(boolean). This is a write-only configuration, firewall is never started only enabled or disabled.



1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
# File 'library/network/src/lib/network/susefirewall2.rb', line 1678

def WriteConfiguration
  # just disabled
  return true if !SuSEFirewallIsInstalled()

  # Progress only for normal configuration and command line
  have_progress = Mode.normal

  if have_progress
    # TRANSLATORS: Dialog caption
    write_caption = _("Writing Firewall Configuration")

    Progress.New(
      write_caption,
      " ",
      2,
      [
        # TRANSLATORS: Progress step
        _("Write firewall settings"),
        # TRANSLATORS: Progress step
        _("Adjust firewall service")
      ],
      [
        # TRANSLATORS: Progress step
        _("Writing firewall settings..."),
        # TRANSLATORS: Progress step
        _("Adjusting firewall service..."),
        # TRANSLATORS: Progress step
        Message.Finished
      ],
      ""
    )

    Progress.NextStage
  end

  # only modified configuration is written
  if GetModified()
    Builtins.y2milestone(
      "Firewall configuration has been changed. Writing: %1.",
      @SETTINGS
    )

    if !WriteSysconfigSuSEFirewall(GetListOfSuSEFirewallVariables())
      # TRANSLATORS: a popup error message
      Report.Error(_("Writing settings failed"))
      return false
    end
  else
    Builtins.y2milestone("Firewall settings weren't modified, skipping...")
  end

  Progress.NextStage if have_progress

  # Adjusting services
  if GetModified()
    # enabling firewall in /etc/init.d/
    if Ops.get_boolean(@SETTINGS, "enable_firewall", false)
      Builtins.y2milestone("Enabling firewall services")
      return false if !EnableServices()
      # disabling firewall in /etc/init.d/
    else
      Builtins.y2milestone("Disabling firewall services")
      return false if !DisableServices()
    end
  else
    Builtins.y2milestone(
      "Firewall enable/disable wasn't modified, skipping..."
    )
  end

  Progress.NextStage if have_progress

  if @already_converted &&
      !FileUtils.Exists(@converted_to_services_dbp_file)
    Builtins.y2milestone(
      "Writing %1: %2",
      @converted_to_services_dbp_file,
      SCR.Write(path(".target.string"), @converted_to_services_dbp_file, "")
    )
  end

  Progress.Finish if have_progress

  true
end

#WriteOnlyBoolean

Helper function for the backward compatibility. See WriteConfiguration(). Remove from code ASAP.



1768
1769
1770
# File 'library/network/src/lib/network/susefirewall2.rb', line 1768

def WriteOnly
  WriteConfiguration()
end

#WriteSysconfigSuSEFirewall(variables) ⇒ Boolean

Local function for writing the list of internal variables into sysconfig. List of variables is list of keys in SETTINGS map, to sync configuration into the disk, use `nil` as the last list item.



382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
# File 'library/network/src/lib/network/susefirewall2.rb', line 382

def WriteSysconfigSuSEFirewall(variables)
  variables = deep_copy(variables)
  write_status = true
  value = ""

  Builtins.foreach(variables) do |variable|
    # if variable is undefined, get default value
    value = Ops.get_string(@SETTINGS, variable) { GetDefaultValue(variable) }
    write_status = SCR.Write(
      Builtins.add(path(".sysconfig.SuSEfirewall2"), variable),
      value
    )
    if !write_status
      Report.Error(
        Message.CannotWriteSettingsTo("/etc/sysconfig/SuSEFirewall2")
      )
      raise Break
    end
  end

  write_status = SCR.Write(path(".sysconfig.SuSEfirewall2"), nil)
  if !write_status
    Report.Error(
      Message.CannotWriteSettingsTo("/etc/sysconfig/SuSEFirewall2")
    )
  end

  write_status
end