Class: Yast::SuSEFirewall2Class

Inherits:
SuSEFirewallClass show all
Includes:
Logger
Defined in:
library/network/src/lib/network/susefirewall2.rb

Overview


SuSEFirewall2/SF2 Class. The original, simply created from the Firewall factory class.

Constant Summary collapse

CONFIG_FILE =
"/etc/sysconfig/SuSEfirewall2".freeze

Instance Attribute Summary

Attributes inherited from SuSEFirewallClass

#firewall_service

Instance Method Summary collapse

Methods inherited from SuSEFirewallClass

#AddService, #AddXenSupport, #ArePortsOrServicesAllowed, #DisableServices, #EnableServices, #GetAllKnownInterfaces, #GetEnableService, #GetKnownFirewallZones, #GetListOfKnownInterfaces, #GetModified, #GetServices, #GetServicesInZones, #GetStartService, #GetZoneFullName, #GetZonesOfInterfaces, #HaveService, #IsEnabled, #IsKnownZone, #IsOtherFirewallRunning, #IsStarted, #IsSupportedProtocol, #RemoveAllowedPortsOrServices, #RemoveService, #ResetModified, #SaveAndRestartService, #SetAdditionalServices, #SetEnableService, #SetInstallPackagesIfMissing, #SetModified, #SetServices, #SetStartService, #StartServices, #StopServices, #SuSEFirewallIsInstalled, #SuSEFirewallIsSelectedOrInstalled, #initialize

Constructor Details

This class inherits a constructor from Yast::SuSEFirewallClass

Instance Method Details

#ActivateConfigurationBoolean

Function which stops firewall. Then firewall is started immediately when firewall is wanted to be started: SetStartService(boolean).

Returns:

  • (Boolean)

    if successful


1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
# File 'library/network/src/lib/network/susefirewall2.rb', line 1617

def ActivateConfiguration
  # just disabled
  return true if !SuSEFirewallIsInstalled()

  # starting firewall during second stage can cause deadlock in systemd - bnc#798620
  # Moreover, it is not needed. Firewall gets started via dependency on multi-user.target
  # when second stage is over.
  if Mode.installation && !Mode.autoinst
    Builtins.y2milestone("Do not touch firewall services during installation")

    return true
  end

  # Firewall should start after Write()
  if GetStartService()
    # Not started - start it
    if !IsStarted()
      Builtins.y2milestone("Starting firewall services")
      return StartServices()
    # Started - restart it
    # modified - restart it, or ...
    # bugzilla #186186
    # If any RPC service is configured to be allowed, always restart the firewall
    # Some of these service's ports might have been reallocated (when SuSEFirewall
    # is used from outside, e.g., yast2-nfs-server)
    elsif GetModified() || AnyRPCServiceInConfiguration()
      Builtins.y2milestone("Stopping firewall services")
      StopServices()
      Builtins.y2milestone("Starting firewall services")
      return StartServices()
    # not modified - skip restart
    else
      Builtins.y2milestone(
        "Configuration hasn't modified, skipping restarting services"
      )
      return true
    end
  # Firewall should stop after Write()
  # started - stop
  elsif IsStarted()
    Builtins.y2milestone("Stopping firewall services")
    return StopServices()
    # stopped - skip stopping
  else
    Builtins.y2milestone("Firewall has been stopped already")
    return true
  end
end

#AddAllowedBroadcast(needed_ports, zone) ⇒ Object

Local function adds list of ports to ports accepting broadcast

Parameters:


643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
# File 'library/network/src/lib/network/susefirewall2.rb', line 643

def AddAllowedBroadcast(needed_ports, zone)
  needed_ports = deep_copy(needed_ports)
  # changing only if ports are not allowed
  if !IsBroadcastAllowed(needed_ports, zone)
    SetModified()

    allowed_ports = GetBroadcastAllowedPorts()
    list_ports_allowed = Ops.get(allowed_ports, zone, [])

    # ports to be allowed one by one
    Builtins.foreach(needed_ports) do |allow_this_port|
      # at first: remove all aliases of ports yet mentioned in zone
      aliases_of_port = PortAliases.GetListOfServiceAliases(allow_this_port)
      list_ports_allowed = Builtins.filter(list_ports_allowed) do |just_allowed|
        !Builtins.contains(aliases_of_port, just_allowed)
      end
      # at second: add only one
      list_ports_allowed = Builtins.add(list_ports_allowed, allow_this_port)
    end
    Ops.set(allowed_ports, zone, list_ports_allowed)

    # save it using function
    SetBroadcastAllowedPorts(allowed_ports)
  end

  nil
end

#AddAllowedPortsOrServices(add_ports, protocol, zone) ⇒ Object

Local function allows ports for requested protocol and zone.

Parameters:

  • add_ports (Array<string>)

    ports to be added

  • protocol (String)
  • zone (String)

2641
2642
2643
2644
2645
2646
2647
2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
# File 'library/network/src/lib/network/susefirewall2.rb', line 2641

def AddAllowedPortsOrServices(add_ports, protocol, zone)
  add_ports = deep_copy(add_ports)
  if Ops.less_than(Builtins.size(add_ports), 1)
    Builtins.y2warning(
      "Undefined list of %1 services/ports for service",
      protocol
    )
    return
  end

  SetModified()

  # all allowed ports
  allowed_services = GetAllowedServicesForZoneProto(zone, protocol)

  allowed_services = Convert.convert(
    Builtins.union(allowed_services, add_ports),
    from: "list",
    to:   "list <string>"
  )
  allowed_services = PortRanges.FlattenServices(allowed_services, protocol)

  SetAllowedServicesForZoneProto(allowed_services, zone, protocol)

  nil
end

#AddForwardIntoMasqueradeRule(source_net, forward_to_ip, protocol, req_port, redirect_to_port, requested_ip) ⇒ Object

Adds forward into masquerade rule.

Examples:

AddForwardIntoMasqueradeRule ("0/0", "192.168.32.1", "TCP", "80", "8080", "10.0.0.1")

Parameters:


2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
# File 'library/network/src/lib/network/susefirewall2.rb', line 2093

def AddForwardIntoMasqueradeRule(source_net, forward_to_ip, protocol, req_port, redirect_to_port, requested_ip)
  SetModified()

  masquerade_rules = Ops.get_string(@SETTINGS, "FW_FORWARD_MASQ", "")

  masquerade_rules = Ops.add(
    Ops.add(
      Ops.add(
        Ops.add(
          Ops.add(
            Ops.add(
              Ops.add(
                Ops.add(masquerade_rules, (masquerade_rules != "") ? " " : ""),
                source_net
              ),
              ","
            ),
            forward_to_ip
          ),
          ","
        ),
        protocol
      ),
      ","
    ),
    req_port
  )

  if redirect_to_port != "" || requested_ip != ""
    if requested_ip != ""
      masquerade_rules = Ops.add(
        Ops.add(
          Ops.add(Ops.add(masquerade_rules, ","), redirect_to_port),
          ","
        ),
        requested_ip
      )
      # port1 -> port2 are same
    elsif redirect_to_port != req_port
      masquerade_rules = Ops.add(
        Ops.add(masquerade_rules, ","),
        redirect_to_port
      )
    end
  end

  Ops.set(@SETTINGS, "FW_FORWARD_MASQ", masquerade_rules)

  nil
end

#AddInterfaceIntoZone(interface, zone) ⇒ Object

Functions adds interface into defined zone. All appearances of interface in other zones are removed.

Examples:

AddInterfaceIntoZone ("eth5", "DMZ")

Parameters:


1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
# File 'library/network/src/lib/network/susefirewall2.rb', line 1164

def AddInterfaceIntoZone(interface, zone)
  SetModified()

  current_zone = GetZoneOfInterface(interface)

  DecreaseVerbosity()
  # removing all appearances of interface in zones, excepting current_zone==new_zone
  while !current_zone.nil? && current_zone != zone
    # interface is in any zone already, removing it at first
    RemoveInterfaceFromZone(interface, current_zone) if current_zone != zone
    current_zone = GetZoneOfInterface(interface)
  end
  IncreaseVerbosity()

  Builtins.y2milestone(
    "Adding interface '%1' into '%2' zone.",
    interface,
    zone
  )
  interfaces_in_zone = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_DEV_", zone), ""),
    " "
  )
  interfaces_in_zone = Builtins.toset(
    Builtins.add(interfaces_in_zone, interface)
  )
  Ops.set(
    @SETTINGS,
    Ops.add("FW_DEV_", zone),
    Builtins.mergestring(interfaces_in_zone, " ")
  )

  nil
end

#AddServiceDefinedByPackageIntoZone(service, zone) ⇒ Object

Adds service defined by package (FATE #300687) into list of enabled services.

Examples:

AddServiceDefinedByPackageIntoZone ("service:irc-server", "EXT");

Parameters:


742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
# File 'library/network/src/lib/network/susefirewall2.rb', line 742

def AddServiceDefinedByPackageIntoZone(service, zone)
  return nil if !IsKnownZone(zone)

  if service.nil?
    Builtins.y2error("Service Id can't be nil!")
    return nil
  elsif Builtins.regexpmatch(service, "^service:.*")
    service = Builtins.regexpsub(service, "^service:(.*)", "\\1")
  end

  # services defined by package are listed without "service:" which is here
  # just to distinguish between dynamic and static definitions
  supported_services = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_CONFIGURATIONS_", zone), ""),
    " "
  )
  # Adding the service
  supported_services = Builtins.toset(
    Builtins.add(supported_services, service)
  )
  Ops.set(
    @SETTINGS,
    Ops.add("FW_CONFIGURATIONS_", zone),
    Builtins.mergestring(supported_services, " ")
  )

  SetModified()

  nil
end

#AddServiceSupportIntoZone(service, zone) ⇒ Object

Local function adds well-known service's support into zone. It first of all removes the current support for service with port-aliases.

Parameters:


825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
# File 'library/network/src/lib/network/susefirewall2.rb', line 825

def AddServiceSupportIntoZone(service, zone)
  Yast.import "SuSEFirewallServices" # lazy import due to circular dependencies

  needed = SuSEFirewallServices.GetNeededPortsAndProtocols(service)
  # unknown service
  if needed.nil?
    Builtins.y2error("Undefined service '%1'", service)
    return nil
  end

  SetModified()

  # FATE #300687: Ports for SuSEfirewall added via packages
  if SuSEFirewallServices.ServiceDefinedByPackage(service)
    AddServiceDefinedByPackageIntoZone(service, zone)

    return nil
  end

  # Removing service ports first (and also port aliases for TCP and UDP)
  RemoveServiceSupportFromZone(service, zone) if IsServiceSupportedInZone(service, zone) == true

  Builtins.foreach(@service_defined_by) do |key|
    needed_ports = Ops.get(needed, key, [])
    next if needed_ports == []

    if key == "tcp_ports"
      AddAllowedPortsOrServices(needed_ports, "TCP", zone)
    elsif key == "udp_ports"
      AddAllowedPortsOrServices(needed_ports, "UDP", zone)
    elsif key == "rpc_ports"
      AddAllowedPortsOrServices(needed_ports, "RPC", zone)
    elsif key == "ip_protocols"
      AddAllowedPortsOrServices(needed_ports, "IP", zone)
    elsif "broadcast_ports" == key
      AddAllowedBroadcast(needed_ports, zone)
    else
      Builtins.y2error("Unknown key '%1'", key)
    end
  end

  nil
end

#AddSpecialInterfaceIntoZone(interface, zone) ⇒ Object

Function adds special string into defined zone.

Parameters:


1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
# File 'library/network/src/lib/network/susefirewall2.rb', line 1940

def AddSpecialInterfaceIntoZone(interface, zone)
  SetModified()

  Builtins.y2milestone(
    "Adding special string '%1' into '%2' zone.",
    interface,
    zone
  )
  interfaces_in_zone = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_DEV_", zone), ""),
    " "
  )
  interfaces_in_zone = Builtins.toset(
    Builtins.add(interfaces_in_zone, interface)
  )
  Ops.set(
    @SETTINGS,
    Ops.add("FW_DEV_", zone),
    Builtins.mergestring(interfaces_in_zone, " ")
  )

  nil
end

#AnyRPCServiceInConfigurationBoolean

Function returns whether some RPC service is allowed in the configuration. These services reallocate their ports when restarted. See details in bugzilla bug #186186.

Returns:

  • (Boolean)

    some_RPC_service_used


1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
# File 'library/network/src/lib/network/susefirewall2.rb', line 1587

def AnyRPCServiceInConfiguration
  ret = false

  Builtins.foreach(GetKnownFirewallZones()) do |fw_zone|
    fw_rule = Builtins.sformat("FW_SERVICES_%1_RPC", fw_zone)
    listed_services = Ops.get_string(@SETTINGS, fw_rule) do
      GetDefaultValue(fw_rule)
    end
    # easy case
    next if listed_services.nil? || listed_services == ""

    # something listed but it still might be empty definition
    services_list = Builtins.splitstring(listed_services, " \n\t")
    services_list = Builtins.filter(services_list) do |service|
      service != ""
    end
    if Ops.greater_than(Builtins.size(services_list), 0)
      ret = true
      raise Break
    end
  end

  Builtins.y2milestone("Some RPC service found: %1", ret)
  ret
end

#CheckKernelModulesObject


2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
# File 'library/network/src/lib/network/susefirewall2.rb', line 2434

def CheckKernelModules
  needs_additional_module = false

  Builtins.foreach(GetKnownFirewallZones()) do |one_zone|
    if Ops.greater_or_equal(
      Builtins.size(GetServicesAcceptRelated(one_zone)),
      0
    )
      Builtins.y2milestone("Some ServicesAcceptRelated are defined")
      needs_additional_module = true
      raise Break
    end
  end

  if needs_additional_module
    k_modules = Builtins.splitstring(
      Ops.get_string(@SETTINGS, "FW_LOAD_MODULES", ""),
      " "
    )

    if !Builtins.contains(k_modules, @broadcast_related_module)
      Builtins.y2warning(
        "FW_LOAD_MODULES doesn't contain %1, adding",
        @broadcast_related_module
      )
      k_modules = Builtins.add(k_modules, @broadcast_related_module)
      Ops.set(
        @SETTINGS,
        "FW_LOAD_MODULES",
        Builtins.mergestring(k_modules, " ")
      )
      SetModified()
    end
  end

  nil
end

#ConvertToServicesDefinedByPackagesObject

Converts old built-in service definitions to services defined by packages.

See Also:

  • 399217

2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
# File 'library/network/src/lib/network/susefirewall2.rb', line 2521

def ConvertToServicesDefinedByPackages
  return if @already_converted

  if FileUtils.Exists(@converted_to_services_dbp_file)
    @already_converted = true
    return
  end

  # $[ zone : $[ protocol : [ list of ports ] ] ]
  current_conf = {}

  Builtins.foreach(GetKnownFirewallZones()) do |zone|
    Ops.set(current_conf, zone, {})
    Builtins.foreach(@supported_protocols) do |protocol|
      Ops.set(
        current_conf,
        [zone, protocol],
        GetAllowedServicesForZoneProto(zone, protocol)
      )
      Ops.set(
        current_conf,
        [zone, "broadcast"],
        Builtins.splitstring(GetBroadcastConfiguration(zone), " \n")
      )
    end
  end

  Builtins.y2milestone("Current conf: %1", current_conf)

  Yast.import "SuSEFirewallServices" # lazy import due to circular dependencies

  Builtins.foreach(GetKnownFirewallZones()) do |zone|
    Builtins.foreach(SuSEFirewallServices.OLD_SERVICES) do |old_service_id, old_service_def|
      Builtins.y2milestone("Checking %1 in %2 zone", old_service_id, zone)
      if Ops.get_list(old_service_def, "tcp_ports", []) != [] &&
          ArePortsOrServicesAllowed(
            Ops.get_list(old_service_def, "tcp_ports", []),
            "TCP",
            zone,
            true
          ) != true
        next
      end
      if Ops.get_list(old_service_def, "udp_ports", []) != [] &&
          ArePortsOrServicesAllowed(
            Ops.get_list(old_service_def, "udp_ports", []),
            "UDP",
            zone,
            true
          ) != true
        next
      end
      if Ops.get_list(old_service_def, "rpc_ports", []) != [] &&
          ArePortsOrServicesAllowed(
            Ops.get_list(old_service_def, "rpc_ports", []),
            "RPC",
            zone,
            false
          ) != true
        next
      end
      if Ops.get_list(old_service_def, "ip_protocols", []) != [] &&
          ArePortsOrServicesAllowed(
            Ops.get_list(old_service_def, "ip_protocols", []),
            "IP",
            zone,
            false
          ) != true
        next
      end
      if Ops.get_list(old_service_def, "broadcast_ports", []) != [] &&
          IsBroadcastAllowed(
            Ops.get_list(old_service_def, "broadcast_ports", []),
            zone
          ) != true
        next
      end

      if Ops.get_list(old_service_def, "convert_to", []) == []
        Builtins.y2milestone(
          "Service %1 supported, but it doesn't have any replacement",
          old_service_id
        )
        next
      end
      replaced = false
      Builtins.foreach(Ops.get_list(old_service_def, "convert_to", [])) do |replacement|
        if SuSEFirewallServices.IsKnownService(replacement)
          Builtins.y2milestone(
            "Old service %1 matches %2",
            old_service_id,
            replacement
          )
          RemoveOldAllowedServiceFromZone(old_service_def, zone)
          SetServicesForZones([replacement], [zone], true)
          replaced = true
          raise Break
        end
      end
      if !replaced
        Builtins.y2warning(
          "Old service %1 matches %2 but none are installed",
          old_service_id,
          Ops.get_list(old_service_def, "convert_to", [])
        )
      end
    end
  end

  Builtins.y2milestone("Converting done")
  @already_converted = true

  nil
end

#DecreaseVerbosityObject

Local function for decreasing the verbosity level.


303
304
305
306
307
# File 'library/network/src/lib/network/susefirewall2.rb', line 303

def DecreaseVerbosity
  @verbose_level = Ops.subtract(@verbose_level, 1)

  nil
end

#ExportHash{String => Object}

Function for getting exported SuSEFirewall configuration

Returns:

  • (Hash{String => Object})

    with configuration


986
987
988
# File 'library/network/src/lib/network/susefirewall2.rb', line 986

def Export
  deep_copy(@SETTINGS)
end

#FillUpEmptyConfigObject

Fills the configuration with default settings, adjusts internal variables that firewall cannot be configured.


1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
# File 'library/network/src/lib/network/susefirewall2.rb', line 1477

def FillUpEmptyConfig
  # do not call it again
  @configuration_has_been_read = true

  # Default settings, services are disabled
  @SETTINGS = deep_copy(@DEFAULT_SETTINGS)
  Ops.set(@SETTINGS, "enable_firewall", false)
  Ops.set(@SETTINGS, "start_firewall", false)

  # Cannot be configured, packages weren't installed
  @fw_service_can_be_configured = false

  nil
end

#full_init_on_boot(new_state) ⇒ Boolean

Sets whether ports need to be open already during boot bsc#916376

Parameters:

  • new_state (Boolean)

Returns:

  • (Boolean)

    current state


2673
2674
2675
2676
2677
# File 'library/network/src/lib/network/susefirewall2.rb', line 2673

def full_init_on_boot(new_state)
  @SETTINGS["FW_BOOT_FULL_INIT"] = new_state ? "yes" : "no"
  SetModified()
  @SETTINGS["FW_BOOT_FULL_INIT"] == "yes"
end

#GetAcceptExpertRules(zone) ⇒ String

Returns list of rules describing protocols and ports that are allowed to be accessed from listed hosts. All is returned as a single string. Zone needs to be defined.

Parameters:

Returns:


2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
# File 'library/network/src/lib/network/susefirewall2.rb', line 2264

def GetAcceptExpertRules(zone)
  zone = Builtins.toupper(zone)

  # Check for zone
  if !Builtins.contains(GetKnownFirewallZones(), zone)
    Builtins.y2error("Unknown firewall zone: %1", zone)
    return nil
  end

  Ops.get_string(@SETTINGS, Ops.add("FW_SERVICES_ACCEPT_", zone), "")
end

#GetAdditionalServices(protocol, zone) ⇒ Array<String>

This powerful function returns list of services/ports which are not assigned to any fully-supported known-services. This function doesn't check for services defined by packages. They are listed by a different method.

Examples:

GetAdditionalServices("TCP", "EXT") -> ["53", "128"]

Returns:

  • (Array<String>)

    of additional (unassigned) services


1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
# File 'library/network/src/lib/network/susefirewall2.rb', line 1792

def GetAdditionalServices(protocol, zone)
  if !IsSupportedProtocol(protocol)
    Builtins.y2error("Unknown protocol '%1'", protocol)
    return nil
  end
  if !IsKnownZone(zone)
    Builtins.y2error("Unknown zone '%1'", zone)
    return nil
  end

  # all ports or services allowed in zone for protocol
  all_allowed_services = GetAllowedServicesForZoneProto(zone, protocol)

  # all ports or services used by known service
  all_used_services = []

  Yast.import "SuSEFirewallServices" # lazy import due to circular dependencies

  # trying all possible (known) services
  Builtins.foreach(SuSEFirewallServices.GetSupportedServices) do |service_id, _service_name|
    # only when the service is allowed in zone - remove all its needed ports
    if IsServiceSupportedInZone(service_id, zone) == true
      # all needed ports etc for service/protocol
      needed_all = []
      if protocol == "TCP"
        needed_all = SuSEFirewallServices.GetNeededTCPPorts(service_id)
      elsif protocol == "UDP"
        needed_all = SuSEFirewallServices.GetNeededUDPPorts(service_id)
      elsif protocol == "RPC"
        needed_all = SuSEFirewallServices.GetNeededRPCPorts(service_id)
      elsif protocol == "IP"
        needed_all = SuSEFirewallServices.GetNeededIPProtocols(service_id)
      end
      Builtins.foreach(needed_all) do |remove_port|
        # all used services and their aliases
        all_used_services = Convert.convert(
          Builtins.union(
            all_used_services,
            PortAliases.GetListOfServiceAliases(remove_port)
          ),
          from: "list",
          to:   "list <string>"
        )
      end
    end
  end

  # some services are used by known defined-services
  if Ops.greater_than(Builtins.size(all_used_services), 0)
    all_used_services = Builtins.toset(all_used_services)
    # removing all used services from all allowed
    all_allowed_services = Builtins.filter(all_allowed_services) do |port|
      !Builtins.contains(all_used_services, port)
    end
  end

  # well, actually it returns list of services not-assigned to any well-known service
  deep_copy(all_allowed_services)
end

#GetAllDialUpInterfacesArray<String>

Function returns list of dial-up interfaces.

Examples:

GetAllDialUpInterfaces() -> ["modem0", "dsl5"]

Returns:

  • (Array<String>)

    of dial-up interface names


1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
# File 'library/network/src/lib/network/susefirewall2.rb', line 1114

def GetAllDialUpInterfaces
  dial_up_interfaces = []
  Builtins.foreach(GetAllKnownInterfaces()) do |interface|
    if Ops.get(interface, "type") == "dial_up"
      dial_up_interfaces = Builtins.add(
        dial_up_interfaces,
        Ops.get(interface, "id", "")
      )
    end
  end

  deep_copy(dial_up_interfaces)
end

#GetAllNonDialUpInterfacesArray<String>

Function returns list of non-dial-up interfaces.

Examples:

GetAllNonDialUpInterfaces() -> ["eth1", "eth2"]

Returns:

  • (Array<String>)

    of non-dial-up interface names


1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
# File 'library/network/src/lib/network/susefirewall2.rb', line 1096

def GetAllNonDialUpInterfaces
  non_dial_up_interfaces = []
  Builtins.foreach(GetAllKnownInterfaces()) do |interface|
    if Ops.get(interface, "type") != "dial_up"
      non_dial_up_interfaces = Builtins.add(
        non_dial_up_interfaces,
        Ops.get(interface, "id", "")
      )
    end
  end

  deep_copy(non_dial_up_interfaces)
end

#GetAllowedServicesForZoneProto(zone, protocol) ⇒ Array<String>

Function returns list of allowed services for zone and protocol

Parameters:

Returns:

  • (Array<String>)

    of allowed services/ports


439
440
441
442
443
444
445
446
447
448
# File 'library/network/src/lib/network/susefirewall2.rb', line 439

def GetAllowedServicesForZoneProto(zone, protocol)
  Builtins.splitstring(
    Ops.get_string(
      @SETTINGS,
      Ops.add(Ops.add(Ops.add("FW_SERVICES_", zone), "_"), protocol),
      ""
    ),
    " "
  )
end

#GetBroadcastAllowedPortsHash{String => Array<String>}

Local function returns map of allowed ports (without aliases). If any list for zone is defined but empty, all allowed UDP ports for this zone also accept broadcast packets. This function returns only ports that are mentioned in configuration, it doesn't return ports that are listed in some service (defined by package) which is enabled.

Structure:

$[
   "ZONE1" : [ "port1", "port2" ],
   "ZONE2" : [ "port3", "port4" ],
   "ZONE3" : [ ]
 ]
 or
 $[
   "ZONE1" : [ "yes" ],  // will work for all ports automatically
   "ZONE3" : [ ],
   "ZONE3" : [ ]
 ]

Returns:

  • (Hash{String => Array<String>})

    strings are allowed ports or port ranges


514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
# File 'library/network/src/lib/network/susefirewall2.rb', line 514

def GetBroadcastAllowedPorts
  allowed_ports = {}

  Builtins.foreach(GetKnownFirewallZones()) do |zone|
    broadcast = GetBroadcastConfiguration(zone)
    # no broadcast allowed for this zone
    if broadcast == "no"
      Ops.set(allowed_ports, zone, [])
      # BNC #694782: "yes" is automatically translated by SuSEfirewall2
    elsif broadcast == "yes"
      Ops.set(allowed_ports, zone, ["yes"])
      # only listed ports allow broadcast
    else
      Ops.set(allowed_ports, zone, Builtins.splitstring(broadcast, " "))
      Ops.set(
        allowed_ports,
        zone,
        Builtins.filter(Builtins.splitstring(broadcast, " ")) do |not_space|
          not_space != ""
        end
      )
    end
  end

  Builtins.y2debug("Allowed Broadcast Ports: %1", allowed_ports)

  deep_copy(allowed_ports)
end

#GetBroadcastConfiguration(zone) ⇒ String

Local function returns configuration string for broadcast packets.

Returns:

  • (String)

    with broadcast configuration


471
472
473
# File 'library/network/src/lib/network/susefirewall2.rb', line 471

def GetBroadcastConfiguration(zone)
  Ops.get_string(@SETTINGS, Ops.add("FW_ALLOW_FW_BROADCAST_", zone), "no")
end

#GetConfigurationStringZone(zone_string) ⇒ String

Local function returns zone name (shortname) for configuration string. For instance "EXT" for "ext" zone.

Parameters:

  • zone_string (String)

    configuration string

Returns:


425
426
427
428
429
430
431
432
# File 'library/network/src/lib/network/susefirewall2.rb', line 425

def GetConfigurationStringZone(zone_string)
  if IsKnownZone(Builtins.toupper(zone_string))
    # zones in SuSEFirewall configuration are identified by lowercased zone shorters
    return Builtins.toupper(zone_string)
  end

  nil
end

#GetDefaultValue(variable) ⇒ String

Local function for returning default values (if defined) for sysconfig variables.

Parameters:

  • variable (String)

    sysconfig variable

Returns:


322
323
324
# File 'library/network/src/lib/network/susefirewall2.rb', line 322

def GetDefaultValue(variable)
  Ops.get(@DEFAULT_SETTINGS, variable, "")
end

#GetFirewallInterfacesArray<String>

Function returns all interfaces already configured in firewall.

Returns:

  • (Array<String>)

    of configured interfaces


1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
# File 'library/network/src/lib/network/susefirewall2.rb', line 1224

def GetFirewallInterfaces
  firewall_configured_devices = []

  Builtins.foreach(GetKnownFirewallZones()) do |zone|
    firewall_configured_devices = Convert.convert(
      Builtins.union(firewall_configured_devices, GetInterfacesInZone(zone)),
      from: "list",
      to:   "list <string>"
    )
  end

  Builtins.toset(firewall_configured_devices)
end

#GetFirewallInterfacesMapHash{String => Array<String>}

Function returns map of interfaces in zones.

Structure:

   map $[zone : [list of interfaces]]

Examples:

GetFirewallInterfacesMap() -> $["DMZ":[], "EXT":["dsl0"], "INT":["eth1", "eth2"]]

Returns:


1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
# File 'library/network/src/lib/network/susefirewall2.rb', line 1863

def GetFirewallInterfacesMap
  firewall_interfaces_now = {}

  # list of all known interfaces
  known_interfaces = GetListOfKnownInterfaces()

  # searching each zone
  Builtins.foreach(GetKnownFirewallZones()) do |zone|
    # filtering non-existing interfaces
    Ops.set(
      firewall_interfaces_now,
      zone,
      Builtins.filter(GetInterfacesInZone(zone)) do |interface|
        Builtins.contains(known_interfaces, interface)
      end
    )
  end

  deep_copy(firewall_interfaces_now)
end

#GetFirewallKernelModulesArray<String>

Returns list of additional kernel modules, that are loaded by firewall on startup. For instance "ip_conntrack_ftp" and "ip_nat_ftp" for FTP service.

Returns:

  • (Array<String>)

    of kernel modules

See Also:

  • option nr. 32 (FW_LOAD_MODULES)

2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
# File 'library/network/src/lib/network/susefirewall2.rb', line 2302

def GetFirewallKernelModules
  k_modules = Builtins.splitstring(
    Ops.get_string(@SETTINGS, "FW_LOAD_MODULES", ""),
    " \t\n"
  )

  k_modules = Builtins.filter(k_modules) { |one_module| one_module != "" }

  Builtins.toset(k_modules)
end

#GetIgnoreLoggingBroadcast(zone) ⇒ String

Function returns yes/no - ignoring broadcast for zone

Examples:

# Does not log ignored broadcast packets
GetIgnoreLoggingBroadcast ("EXT") -> "yes"

Parameters:

Returns:


2226
2227
2228
2229
2230
2231
2232
2233
# File 'library/network/src/lib/network/susefirewall2.rb', line 2226

def GetIgnoreLoggingBroadcast(zone)
  if !IsKnownZone(zone)
    Builtins.y2error("Unknown zone '%1'", zone)
    return nil
  end

  Ops.get_string(@SETTINGS, Ops.add("FW_IGNORE_FW_BROADCAST_", zone), "no")
end

#GetInterfacesInZone(zone) ⇒ Array<String>

Function returns list of known interfaces in requested zone. Special strings like 'any' or 'auto' and unknown interfaces are removed from list.

Examples:

GetInterfacesInZone ("DMZ") -> ["eth4", "eth5"]

Parameters:

Returns:

  • (Array<String>)

    of interfaces


1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
# File 'library/network/src/lib/network/susefirewall2.rb', line 1205

def GetInterfacesInZone(zone)
  interfaces_in_zone = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_DEV_", zone), ""),
    " "
  )

  known_interfaces_now = GetListOfKnownInterfaces()

  # filtering special strings
  interfaces_in_zone = Builtins.filter(interfaces_in_zone) do |interface|
    interface != "" && Builtins.contains(known_interfaces_now, interface)
  end

  deep_copy(interfaces_in_zone)
end

#GetInterfacesInZoneSupportingAnyFeature(zone) ⇒ Array<String>

Function returns list of known interfaces in requested zone. Special string 'any' in EXT zone covers all interfaces without any zone assignment.

Parameters:

Returns:

  • (Array<String>)

    of interfaces


1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
# File 'library/network/src/lib/network/susefirewall2.rb', line 1273

def GetInterfacesInZoneSupportingAnyFeature(zone)
  interfaces_in_zone = GetInterfacesInZone(zone)

  # 'any' in EXT zone, add all interfaces without zone to this one
  interfaces_covered_by_any = InterfacesSupportedByAnyFeature(zone)
  if Ops.greater_than(Builtins.size(interfaces_covered_by_any), 0)
    interfaces_in_zone = Convert.convert(
      Builtins.union(interfaces_in_zone, interfaces_covered_by_any),
      from: "list",
      to:   "list <string>"
    )
  end

  deep_copy(interfaces_in_zone)
end

#GetListOfForwardsIntoMasqueradeArray<Hash{String => String>}

Function returns list of rules of forwarding ports to masqueraded IPs.

Structure:

list [$[ key: value ]]

$[ "forward_to":"172.24.233.1", "protocol":"tcp", "req_ip":"192.168.0.3", "req_port":"355", "source_net":"192.168.0.0/20", "to_port":"533"], ... ]

Examples:

GetListOfForwardsIntoMasquerade() -> [

Returns:


2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
# File 'library/network/src/lib/network/susefirewall2.rb', line 2009

def GetListOfForwardsIntoMasquerade
  list_of_rules = []

  Builtins.foreach(
    Builtins.splitstring(
      Ops.get_string(@SETTINGS, "FW_FORWARD_MASQ", ""),
      " "
    )
  ) do |forward_rule|
    next if forward_rule == ""

    # Format: <source network>,<ip to forward to>,<protocol>,<port>[,redirect port,[destination ip]]
    fw_rul = Builtins.splitstring(forward_rule, ",")
    # first four parameters has to be defined
    if Ops.get(fw_rul, 0, "") == "" || Ops.get(fw_rul, 1, "") == "" ||
        Ops.get(fw_rul, 2, "") == "" ||
        Ops.get(fw_rul, 3, "") == ""
      Builtins.y2warning(
        "Wrong definition of redirect rule: '%1', part of '%2'",
        forward_rule,
        Ops.get_string(@SETTINGS, "FW_FORWARD_MASQ", "")
      )
    end
    list_of_rules = Builtins.add(
      list_of_rules,
      "source_net" => Ops.get(fw_rul, 0, ""),
      "forward_to" => Ops.get(fw_rul, 1, ""),
      "protocol"   => Builtins.tolower(Ops.get(fw_rul, 2, "")),
      "req_port"   => Builtins.tolower(Ops.get(fw_rul, 3, "")),
      # to_port is req_port when undefined
      "to_port"    => Builtins.tolower(
        Ops.get(fw_rul, 4, Ops.get(fw_rul, 3, ""))
      ),
      "req_ip"     => Builtins.tolower(Ops.get(fw_rul, 5, ""))
    )
  end

  deep_copy(list_of_rules)
end

#GetListOfSuSEFirewallVariablesArray<String>

Function return list of variables needed for SuSEFirewall's settings.

Returns:

  • (Array<String>)

    of names of variables


291
292
293
# File 'library/network/src/lib/network/susefirewall2.rb', line 291

def GetListOfSuSEFirewallVariables
  deep_copy(@SuSEFirewall_variables)
end

#GetLoggingSettings(rule) ⇒ String

Function returns actual state of logging for rule taken as parameter.

Examples:

GetLoggingSettings("ACCEPT") -> "CRIT"
GetLoggingSettings("DROP") -> "CRIT"

Parameters:

  • rule (String)

    definition 'ACCEPT' or 'DROP'

Returns:

  • (String)

    'ALL', 'CRIT', or 'NONE'


2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
# File 'library/network/src/lib/network/susefirewall2.rb', line 2152

def GetLoggingSettings(rule)
  ret_val = nil

  if rule == "ACCEPT"
    ret_val = if Ops.get_string(@SETTINGS, "FW_LOG_ACCEPT_ALL", "no") == "yes"
      "ALL"
    elsif Ops.get_string(@SETTINGS, "FW_LOG_ACCEPT_CRIT", "yes") == "yes"
      "CRIT"
    else
      "NONE"
    end
  elsif rule == "DROP"
    ret_val = if Ops.get_string(@SETTINGS, "FW_LOG_DROP_ALL", "no") == "yes"
      "ALL"
    elsif Ops.get_string(@SETTINGS, "FW_LOG_DROP_CRIT", "yes") == "yes"
      "CRIT"
    else
      "NONE"
    end
  else
    Builtins.y2error("Possible rules are only 'ACCEPT' or 'DROP'")
  end

  ret_val
end

#GetMasquerade(_zone = nil) ⇒ Boolean

Function returns actual state of Masquerading support.

Parameters:

  • _zone (defaults to: nil)

    Ignored

Returns:

  • (Boolean)

    if supported


1968
1969
1970
1971
# File 'library/network/src/lib/network/susefirewall2.rb', line 1968

def GetMasquerade(_zone = nil)
  Ops.get_string(@SETTINGS, "FW_MASQUERADE", "no") == "yes" &&
    Ops.get_string(@SETTINGS, "FW_ROUTE", "no") == "yes"
end

#GetProtectFromInternalZoneBoolean

Function returns if firewall is protected from internal zone.

Returns:

  • (Boolean)

    if protected from internal


896
897
898
# File 'library/network/src/lib/network/susefirewall2.rb', line 896

def GetProtectFromInternalZone
  Ops.get_string(@SETTINGS, "FW_PROTECT_FROM_INT", "no") == "yes"
end

#GetProtocolTranslatedName(protocol) ⇒ String

Returns translated protocol name. Translation is provided from SuSEfirewall2 sysconfig format to l10n format.

Parameters:

  • protocol (String)

    from sysconfig (e.g., rpc)

Returns:

  • (String)

    translated string (e.g., RPC)


2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
# File 'library/network/src/lib/network/susefirewall2.rb', line 2362

def GetProtocolTranslatedName(protocol)
  protocol = Builtins.tolower(protocol)

  if protocol == ""
    ""
  elsif Ops.get(@protocol_translations, protocol).nil?
    Builtins.y2error("Unknown protocol: %1", protocol)
    # table item, %1 stands for the buggy protocol name
    Builtins.sformat(_("Unknown protocol (%1)"), protocol)
  else
    Ops.get(@protocol_translations, protocol, "")
  end
end

#GetServicesAcceptRelated(zone) ⇒ Array<String>

Returns list of FW_SERVICES_ACCEPT_RELATED_*: Services to allow that are considered RELATED by the connection tracking engine, e.g., SLP browsing reply or Samba browsing reply.

Examples:

GetServicesAcceptRelated ("EXT") -> ["0/0,udp,427", "0/0,udp,137"]

Parameters:

Returns:

  • (Array<String>)

    list of definitions

See Also:

  • #SetServicesAcceptRelated()

2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
# File 'library/network/src/lib/network/susefirewall2.rb', line 2387

def GetServicesAcceptRelated(zone)
  if !IsKnownZone(zone)
    Builtins.y2error("Uknown zone '%1'", zone)
    return []
  end

  Builtins.splitstring(
    Ops.get_string(
      @SETTINGS,
      Ops.add("FW_SERVICES_ACCEPT_RELATED_", zone),
      ""
    ),
    " \t\n"
  )
end

#GetSpecialInterfacesInZone(zone) ⇒ Array<String>

Function returns list of special strings like 'any' or 'auto' and uknown interfaces.

Examples:

GetSpecialInterfacesInZone("EXT") -> ["any", "unknown-1", "wrong-3"]

Parameters:

Returns:

  • (Array<String>)

    special strings or unknown interfaces


1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
# File 'library/network/src/lib/network/susefirewall2.rb', line 1891

def GetSpecialInterfacesInZone(zone)
  interfaces_in_zone = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_DEV_", zone), ""),
    " "
  )

  known_interfaces_now = GetInterfacesInZone(zone)

  # filtering known interfaces and spaces
  interfaces_in_zone = Builtins.filter(interfaces_in_zone) do |interface|
    interface != "" && !Builtins.contains(known_interfaces_now, interface)
  end

  deep_copy(interfaces_in_zone)
end

#GetSupportRouteBoolean

Function returns if firewall supports routing.

Returns:

  • (Boolean)

    if route is supported


920
921
922
# File 'library/network/src/lib/network/susefirewall2.rb', line 920

def GetSupportRoute
  Ops.get_string(@SETTINGS, "FW_ROUTE", "no") == "yes"
end

#GetTrustIPsecAsString

Function returns the trust level of IPsec packets. See SetTrustIPsecAs() for more information.

Returns:


957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
# File 'library/network/src/lib/network/susefirewall2.rb', line 957

def GetTrustIPsecAs
  # do not trust
  return "no" if Ops.get(@SETTINGS, "FW_IPSEC_TRUST") == "no"

  # default value for 'yes" ~= "INT"
  return "INT" if Ops.get(@SETTINGS, "FW_IPSEC_TRUST") == "yes"

  zone = GetConfigurationStringZone(
    Ops.get_string(@SETTINGS, "FW_IPSEC_TRUST", "")
  )

  # trust as named zone (if known)
  return zone if IsKnownZone(zone)

  # unknown zone, change to default value
  SetModified()
  defaultv = GetDefaultValue("FW_IPSEC_TRUST")
  Builtins.y2warning(
    "Trust IPsec as '%1' (unknown zone) changed to '%2'",
    Ops.get_string(@SETTINGS, "FW_IPSEC_TRUST", ""),
    defaultv
  )
  SetTrustIPsecAs(defaultv)
  "no"
end

#GetZoneConfigurationString(zone) ⇒ String

Local function returns configuration string used in configuration for zone. For instance "ext" for "EXT" zone.

Parameters:

Returns:

  • (String)

    zone configuration string


411
412
413
414
415
416
417
418
# File 'library/network/src/lib/network/susefirewall2.rb', line 411

def GetZoneConfigurationString(zone)
  if IsKnownZone(zone)
    # zones in SuSEFirewall configuration are identified by lowercased zone shorters
    return Builtins.tolower(zone)
  end

  nil
end

#GetZoneOfInterface(interface) ⇒ String

Function returns the firewall zone of interface, nil if no zone includes the interface. Error is reported when interface is found in multiple firewall zones, then the first appearance is returned.

Examples:

GetZoneOfInterface ("eth-id-01:11:DA:9C:8A:2F") -> "DMZ"

Parameters:

Returns:


1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
# File 'library/network/src/lib/network/susefirewall2.rb', line 1026

def GetZoneOfInterface(interface)
  interface_zone = []

  Builtins.foreach(GetKnownFirewallZones()) do |zone|
    interface_zone = Builtins.add(interface_zone, zone) if IsInterfaceInZone(interface, zone)
  end

  # Fallback handling for 'any' in the FW_DEV_* configuration
  if interface == @special_all_interface_string &&
      Builtins.size(interface_zone) == 0
    interface_zone = [@special_all_interface_zone]
  end

  if IsVerbose() && Ops.greater_than(Builtins.size(interface_zone), 1)
    # TRANSLATORS: Error message, %1 = interface name (like eth0)
    Report.Error(
      Builtins.sformat(
        _(
          "Interface '%1' is included in multiple firewall zones.\n" \
            "Continuing with configuration can produce errors.\n" \
            "\n" \
            "It is recommended to leave the configuration and repair it manually in\n" \
            "the file '/etc/sysconfig/SuSEFirewall'."
        ),
        interface
      )
    )
  end

  # return the first existence of interface in zones
  # if it is not presented anywhere, nil is returned
  Ops.get_string(interface_zone, 0)
end

#GetZonesOfInterfacesWithAnyFeatureSupported(interfaces) ⇒ Array<String>

Function returns list of zones of requested interfaces. Special string 'any' in 'EXT' zone is supported.

Examples:

GetZonesOfInterfaces (["eth1","eth4"]) -> ["EXT"]

Parameters:

Returns:

  • (Array<String>)

    firewall zones


1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
# File 'library/network/src/lib/network/susefirewall2.rb', line 1068

def GetZonesOfInterfacesWithAnyFeatureSupported(interfaces)
  interfaces = deep_copy(interfaces)
  zones = []
  zone = ""

  # 'any' in 'EXT'
  interfaces_covered_by_any = GetInterfacesInZoneSupportingAnyFeature(
    @special_all_interface_zone
  )

  Builtins.foreach(interfaces) do |interface|
    # interface is covered by 'any' in 'EXT'
    zone = if Builtins.contains(interfaces_covered_by_any, interface)
      @special_all_interface_zone
    else
      # interface is explicitely mentioned in some zone
      GetZoneOfInterface(interface)
    end
    zones = Builtins.add(zones, zone) if !zone.nil?
  end

  Builtins.toset(zones)
end

#Import(import_settings) ⇒ Object

Function for setting SuSEFirewall configuration from input

Parameters:

  • import_settings (Hash<String, Object>)

    with configuration


993
994
995
996
997
998
999
1000
1001
# File 'library/network/src/lib/network/susefirewall2.rb', line 993

def Import(import_settings)
  Read()
  @SETTINGS.merge!(import_settings || {})
  @configuration_has_been_read = true

  SetModified()

  nil
end

#IncreaseVerbosityObject

Local function for increasing the verbosity level.


296
297
298
299
300
# File 'library/network/src/lib/network/susefirewall2.rb', line 296

def IncreaseVerbosity
  @verbose_level = Ops.add(@verbose_level, 1)

  nil
end

#InterfacesSupportedByAnyFeature(zone) ⇒ Array<String>

Returns list of interfaces not mentioned in any zone and covered by the special string 'any' in zone 'EXT' if such string exists there and the zone is EXT. If the feature 'any' is not set, function returns empty list.

Parameters:

Returns:

  • (Array<String>)

    of interfaces covered by special string 'any'

See Also:

  • #IsAnyNetworkInterfaceSupported()

1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
# File 'library/network/src/lib/network/susefirewall2.rb', line 1245

def InterfacesSupportedByAnyFeature(zone)
  result = []

  if zone == @special_all_interface_zone && IsAnyNetworkInterfaceSupported()
    known_interfaces_now = GetListOfKnownInterfaces()
    configured_interfaces = GetFirewallInterfaces()
    Builtins.foreach(known_interfaces_now) do |one_interface|
      if !Builtins.contains(configured_interfaces, one_interface)
        Builtins.y2milestone(
          "Interface '%1' supported by special string '%2' in zone '%3'",
          one_interface,
          @special_all_interface_string,
          @special_all_interface_zone
        )
        result = Builtins.add(result, one_interface)
      end
    end
  end

  deep_copy(result)
end

#IsAnyNetworkInterfaceSupportedBoolean

Function returns whether the feature 'any' network interface is supported in the firewall configuration. The string 'any' must be in the 'EXT' zone. Updated: Currently returns only 'true' as every unassigned interface is automatically assigned to the EXT zone by SuSEfirewall2.

Returns:

  • (Boolean)

    is_supported whether the feature is supported or not


283
284
285
286
# File 'library/network/src/lib/network/susefirewall2.rb', line 283

def IsAnyNetworkInterfaceSupported
  # Currently unassigned interfaces belong to the EXT zone by dafault
  true
end

#IsBroadcastAllowed(needed_ports, zone) ⇒ Boolean

Function returns if broadcast is allowed for needed ports in zone.

Examples:

IsBroadcastAllowed (["port-xyz", "53"], "EXT") -> true

Parameters:

Returns:

  • (Boolean)

    if is allowed


570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
# File 'library/network/src/lib/network/susefirewall2.rb', line 570

def IsBroadcastAllowed(needed_ports, zone)
  needed_ports = deep_copy(needed_ports)
  if Builtins.size(needed_ports) == 0
    Builtins.y2warning("Unknown service with no needed ports!")
    return nil
  end

  # getting broadcast allowed ports
  allowed_ports_map = GetBroadcastAllowedPorts()

  # Divide allowed port ranges and aliases (also with their port aliases)
  allowed_ports_divided = PortRanges.DividePortsAndPortRanges(
    Ops.get(allowed_ports_map, zone, []),
    true
  )

  # If there are no allowed ports at all
  if Ops.get(allowed_ports_divided, "ports", []) == [] &&
      Ops.get(allowed_ports_divided, "port_ranges", []) == []
    return false
  end

  is_allowed = true
  # checking all needed ports;
  Builtins.foreach(needed_ports) do |needed_port|
    # allowed ports don't contain the needed one and also portranges don't
    if !Builtins.contains(
      Ops.get(allowed_ports_divided, "ports", []),
      needed_port
    ) &&
        !PortRanges.PortIsInPortranges(
          needed_port,
          Ops.get(allowed_ports_divided, "port_ranges", [])
        )
      is_allowed = false
      raise Break
    end
  end

  is_allowed
end

#IsInterfaceInZone(interface, zone) ⇒ Boolean

Function returns if the interface is in zone.

Examples:

IsInterfaceInZone ("eth-id-01:11:DA:9C:8A:2F", "INT") -> false

Parameters:

Returns:

  • (Boolean)

    is in zone


1010
1011
1012
1013
1014
1015
1016
# File 'library/network/src/lib/network/susefirewall2.rb', line 1010

def IsInterfaceInZone(interface, zone)
  interfaces = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_DEV_", zone), ""),
    " "
  )
  Builtins.contains(interfaces, interface)
end

#IsServiceDefinedByPackageSupportedInZone(service, zone) ⇒ Boolean

Returns whether a service is mentioned in FW_CONFIGURATIONS_[EXT|INT|DMZ]. These services are defined by random packages.

Examples:

IsServiceDefinedByPackageSupportedInZone ("service:sshd", "EXT") -> true

Parameters:

  • service (String)

    e.g., "service:sshd"

  • zone (String)

    e.g., "EXT"

Returns:

  • (Boolean)

    if service is supported in zone


1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
# File 'library/network/src/lib/network/susefirewall2.rb', line 1298

def IsServiceDefinedByPackageSupportedInZone(service, zone)
  return nil if !IsKnownZone(zone)

  if service.nil?
    Builtins.y2error("Service Id can't be nil!")
    return nil
  elsif Builtins.regexpmatch(service, "^service:.*")
    service = Builtins.regexpsub(service, "^service:(.*)", "\\1")
  end

  # services defined by package are listed without "service:" which is here
  # just to distinguish between dynamic and static definitions
  supported_services = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_CONFIGURATIONS_", zone), ""),
    " "
  )
  Builtins.contains(supported_services, service)
end

#IsServiceSupportedInZone(service, zone) ⇒ Boolean

Function returns if service is supported (allowed) in zone. Service must be defined in the SuSEFirewallServices. Works transparently also with services defined by packages. Such service starts with "service:" prefix.

// irc-server definition exists on the system and the irc-server // is mentioned in FW_CONFIGURATIONS_EXT variable of SuSEfirewall2 IsServiceSupportedInZone ("service:irc-server", "EXT") -> true

Examples:

// All ports defined by dns-server service in SuSEFirewallServices module
// are enabled in the respective zone
IsServiceSupportedInZone ("dns-server", "EXT") -> true

Parameters:

Returns:

  • (Boolean)

    if supported

See Also:

  • Module SuSEFirewallServices

1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
# File 'library/network/src/lib/network/susefirewall2.rb', line 1333

def IsServiceSupportedInZone(service, zone)
  return nil if !IsKnownZone(zone)

  Yast.import "SuSEFirewallServices" # lazy import due to circular dependencies

  needed = SuSEFirewallServices.GetNeededPortsAndProtocols(service)

  # SuSEFirewall feature FW_PROTECT_FROM_INT
  # should not be protected and searched zones include also internal (or the zone IS internal, sure)
  if zone == @int_zone_shortname && !GetProtectFromInternalZone()
    Builtins.y2milestone(
      "Checking for service '%1', in '%2', PROTECT_FROM_INTERNAL='no' => allowed",
      service,
      zone
    )
    return true
  end

  # FATE #300687: Ports for SuSEfirewall added via packages
  if SuSEFirewallServices.ServiceDefinedByPackage(service)
    supported = IsServiceDefinedByPackageSupportedInZone(service, zone)
    return supported
  end

  # starting with nil value, any false means that the service is not supported
  service_is_supported = nil
  Builtins.foreach(@service_defined_by) do |key|
    needed_ports = Ops.get(needed, key, [])
    next if needed_ports == []

    if key == "tcp_ports"
      service_is_supported = ArePortsOrServicesAllowed(
        needed_ports,
        "TCP",
        zone,
        true
      )
    elsif key == "udp_ports"
      service_is_supported = ArePortsOrServicesAllowed(
        needed_ports,
        "UDP",
        zone,
        true
      )
    elsif key == "rpc_ports"
      service_is_supported = ArePortsOrServicesAllowed(
        needed_ports,
        "RPC",
        zone,
        false
      )
    elsif key == "ip_protocols"
      service_is_supported = ArePortsOrServicesAllowed(
        needed_ports,
        "IP",
        zone,
        false
      )
    elsif "broadcast_ports" == key
      # testing for allowed broadcast ports
      service_is_supported = IsBroadcastAllowed(needed_ports, zone)
    else
      Builtins.y2error("Unknown key '%1'", key)
    end
    # service is not supported, we don't have to do more tests
    raise Break if service_is_supported == false
  end

  service_is_supported
end

#IsVerboseBoolean

Local function returns if other functions should produce verbose output. like popups, reporting errors, etc.

Returns:

  • (Boolean)

    is_verbose


313
314
315
316
# File 'library/network/src/lib/network/susefirewall2.rb', line 313

def IsVerbose
  # verbose level must be above zero to be verbose
  Ops.greater_than(@verbose_level, 0)
end

#mainObject


43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
# File 'library/network/src/lib/network/susefirewall2.rb', line 43

def main
  textdomain "base"

  Yast.import "Mode"
  Yast.import "Service"
  Yast.import "NetworkInterfaces"
  Yast.import "PortAliases"
  Yast.import "Report"
  Yast.import "Message"
  Yast.import "Progress"
  Yast.import "PortRanges"
  Yast.import "PackageSystem"
  Yast.import "FileUtils"
  Yast.import "Directory"
  Yast.import "Stage"
  Yast.import "Pkg"

  # <!-- SuSEFirewall VARIABLES //-->

  @FIREWALL_PACKAGE = "SuSEfirewall2"

  # configuration hasn't been read for the default
  # this should reduce the readings to only ONE
  @configuration_has_been_read = false

  # String which includes all interfaces not-defined in any zone
  @special_all_interface_string = "any"

  # Maximal number of port number, they are in the interval 1-65535 included
  @max_port_number = PortRanges.max_port_number

  # Zone which works with the special_all_interface_string string
  @special_all_interface_zone = "EXT"

  # firewall settings map
  @SETTINGS = {}

  # configuration was modified when true
  @modified = false

  # defines if SuSEFirewall is running
  @is_running = false

  # default settings for SuSEFirewall
  @DEFAULT_SETTINGS = {
    "FW_LOG_ACCEPT_ALL"          => "no",
    "FW_LOG_ACCEPT_CRIT"         => "yes",
    "FW_LOG_DROP_ALL"            => "no",
    "FW_LOG_DROP_CRIT"           => "yes",
    "FW_PROTECT_FROM_INT"        => "no",
    "FW_ROUTE"                   => "no",
    "FW_STOP_KEEP_ROUTING_STATE" => "no",
    "FW_MASQUERADE"              => "no",
    "FW_ALLOW_FW_TRACEROUTE"     => "yes",
    "FW_ALLOW_PING_FW"           => "yes",
    "FW_ALLOW_FW_BROADCAST_EXT"  => "no",
    "FW_ALLOW_FW_BROADCAST_INT"  => "no",
    "FW_ALLOW_FW_BROADCAST_DMZ"  => "no",
    "FW_IGNORE_FW_BROADCAST_EXT" => "yes",
    "FW_IGNORE_FW_BROADCAST_INT" => "no",
    "FW_IGNORE_FW_BROADCAST_DMZ" => "no",
    "FW_IPSEC_TRUST"             => "no",
    "FW_BOOT_FULL_INIT"          => "no"
  }

  # verbose_level -> if verbosity is more than 0, be verbose, starting in verbose mode
  @verbose_level = 1

  # list of known firewall zones
  @known_firewall_zones = ["INT", "DMZ", "EXT"]

  # map defines zone name for all known firewall zones
  @zone_names = {
    # TRANSLATORS: Firewall zone name - used in combo box or dialog title
    "EXT" => _(
      "External Zone"
    ),
    # TRANSLATORS: Firewall zone name - used in combo box or dialog title
    "INT" => _(
      "Internal Zone"
    ),
    # TRANSLATORS: Firewall zone name - used in combo box or dialog title
    "DMZ" => _(
      "Demilitarized Zone"
    )
  }

  # internal zone identification - useful for protect-from-internal
  @int_zone_shortname = "INT"

  # list of protocols supported in firewall, use only upper-cases
  @supported_protocols = ["TCP", "UDP", "RPC", "IP"]

  # list of keys in map of definition well-known services
  @service_defined_by = [
    "tcp_ports",
    "udp_ports",
    "rpc_ports",
    "ip_protocols",
    "broadcast_ports"
  ]

  # list of services currently allowed, which share ports (for instance RPC services)
  @allowed_conflict_services = {}

  @firewall_service = "SuSEfirewall2"

  @SuSEFirewall_variables = [
    # zones and interfaces
    "FW_DEV_INT",
    "FW_DEV_DMZ",
    "FW_DEV_EXT",
    # services in zones
    "FW_SERVICES_INT_TCP",
    "FW_SERVICES_INT_UDP",
    "FW_SERVICES_INT_RPC",
    "FW_SERVICES_INT_IP",
    "FW_SERVICES_DMZ_TCP",
    "FW_SERVICES_DMZ_UDP",
    "FW_SERVICES_DMZ_RPC",
    "FW_SERVICES_DMZ_IP",
    "FW_SERVICES_EXT_TCP",
    "FW_SERVICES_EXT_UDP",
    "FW_SERVICES_EXT_RPC",
    "FW_SERVICES_EXT_IP",
    "FW_PROTECT_FROM_INT",
    # global routing, masquerading
    "FW_ROUTE",
    "FW_STOP_KEEP_ROUTING_STATE",
    "FW_MASQUERADE",
    "FW_FORWARD_MASQ",
    "FW_FORWARD_ALWAYS_INOUT_DEV",
    # broadcast packets
    "FW_ALLOW_FW_BROADCAST_EXT",
    "FW_ALLOW_FW_BROADCAST_INT",
    "FW_ALLOW_FW_BROADCAST_DMZ",
    "FW_IGNORE_FW_BROADCAST_EXT",
    "FW_IGNORE_FW_BROADCAST_INT",
    "FW_IGNORE_FW_BROADCAST_DMZ",
    # FATE #300970: Support for 'Samba & friends' browsing
    "FW_SERVICES_ACCEPT_RELATED_EXT",
    "FW_SERVICES_ACCEPT_RELATED_INT",
    "FW_SERVICES_ACCEPT_RELATED_DMZ",
    # logging
    "FW_LOG_DROP_CRIT",
    "FW_LOG_DROP_ALL",
    "FW_LOG_ACCEPT_CRIT",
    "FW_LOG_ACCEPT_ALL",
    # IPsec support
    "FW_IPSEC_TRUST",
    # Custom rulezz
    #     net,protocol[,dport][,sport]
    "FW_SERVICES_ACCEPT_EXT",
    "FW_SERVICES_ACCEPT_INT",
    "FW_SERVICES_ACCEPT_DMZ",
    # Custom kernel modules, e.g., for FTP
    "FW_LOAD_MODULES",
    # Services defined in /usr/share/SuSEfirewall2/services/ directory
    # FATE #300687: Ports for SuSEfirewall added via packages
    "FW_CONFIGURATIONS_EXT",
    "FW_CONFIGURATIONS_INT",
    "FW_CONFIGURATIONS_DMZ",
    # bsc#916376: Ports need to be open already during boot
    "FW_BOOT_FULL_INIT"
  ]

  # FATE #300970: Firewall support for SMB browsing
  @broadcast_related_module = "nf_conntrack_netbios_ns"

  # Variable for ReportOnlyOnce() function
  @report_only_once = []

  # <!-- SuSEFirewall LOCAL FUNCTIONS //-->

  # <!-- SuSEFirewall GLOBAL FUNCTIONS //-->

  # bnc #388773
  # By default needed packages are just checked, not installed
  @check_and_install_package = false

  # Are needed packages (SuSEfirewall2) installed?
  @needed_packages_installed = nil

  # Configuration has been read and it's useful
  @fw_service_can_be_configured = false

  # old internal services definitions are converted to new services defined by packages
  # but only once
  @converted_to_services_dbp_file = Ops.add(
    Directory.vardir,
    "/yast2-firewall-already-converted-to-sdbp"
  )

  # services have been already converted
  @already_converted = false

  @protocol_translations = {
    # protocol name
    "tcp"   => _("TCP"),
    # protocol name
    "udp"   => _("UDP"),
    # protocol name
    "_rpc_" => _("RPC"),
    # protocol name
    "ip"    => _("IP")
  }
end

#ReadBoolean

Function for reading SuSEFirewall configuration. Fills internal variables only.

Returns:

  • (Boolean)

    if successful


1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
# File 'library/network/src/lib/network/susefirewall2.rb', line 1496

def Read
  # Do not read it again and again
  # to avoid rewriting changes already made
  if @configuration_has_been_read
    Builtins.y2milestone(
      "SuSEfirewall2 configuration has been read already."
    )
    return @fw_service_can_be_configured
  end

  # bnc #887406
  if !FileUtils.Exists(CONFIG_FILE) || !SuSEFirewallIsSelectedOrInstalled()
    log.warn "No firewall config -> firewall can't be read"
    FillUpEmptyConfig()
    return false
  end

  # Can be configured, packages were installed
  @fw_service_can_be_configured = true

  # Progress only for normal configuration
  have_progress = Mode.normal

  if have_progress
    # TRANSLATORS: Dialog caption
    read_caption = _("Initializing Firewall Configuration")

    Progress.New(
      read_caption,
      " ",
      3,
      [
        # TRANSLATORS: Progress step
        _("Check for network devices"),
        # TRANSLATORS: Progress step
        _("Read current configuration"),
        # TRANSLATORS: Progress step
        _("Check possibly conflicting services")
      ],
      [
        # TRANSLATORS: Progress step
        _("Checking for network devices..."),
        # TRANSLATORS: Progress step
        _("Reading current configuration..."),
        # TRANSLATORS: Progress step
        _("Checking possibly conflicting services..."),
        Message.Finished
      ],
      ""
    )

    Progress.NextStage
  end

  # Always call NI::Read, bnc #396646
  NetworkInterfaces.Read

  Progress.NextStage if have_progress

  ReadCurrentConfiguration()

  Progress.NextStage if have_progress

  # checking if any possibly conficting services were turned on in configuration
  # filling internal values for later checkings
  # CheckAllPossiblyConflictingServices();
  # -- Function has been turned off as we don't support services defined by YaST itself anymore --

  Builtins.y2milestone(
    "Firewall configuration has been read: %1.",
    @SETTINGS
  )
  # to read configuration only once
  @configuration_has_been_read = true

  Progress.NextStage if have_progress

  # bnc #399217
  # Converting built-in service definitions to services defined by packages
  ConvertToServicesDefinedByPackages()

  Progress.Finish if have_progress

  true
end

#ReadCurrentConfigurationObject

Local function reads current configuration and fills internal values.


1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
# File 'library/network/src/lib/network/susefirewall2.rb', line 1462

def ReadCurrentConfiguration
  @SETTINGS = {}

  # is firewall enabled in /etc/init.d/ ?
  Ops.set(@SETTINGS, "enable_firewall", IsEnabled())
  # is firewall started now?
  Ops.set(@SETTINGS, "start_firewall", IsStarted())

  ReadSysconfigSuSEFirewall(GetListOfSuSEFirewallVariables())

  nil
end

#ReadDefaultConfigurationObject

Local function sets the default configuration and fills internal values.


1453
1454
1455
1456
1457
1458
1459
# File 'library/network/src/lib/network/susefirewall2.rb', line 1453

def ReadDefaultConfiguration
  @SETTINGS = {}

  ResetSysconfigSuSEFirewall(GetListOfSuSEFirewallVariables())

  nil
end

#ReadSysconfigSuSEFirewall(variables) ⇒ Object

Local function for reading list of sysconfig variables into internal variables.

Parameters:

  • variables (Array<String>)

    of sysconfig variables


329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
# File 'library/network/src/lib/network/susefirewall2.rb', line 329

def ReadSysconfigSuSEFirewall(variables)
  variables = deep_copy(variables)
  Builtins.foreach(variables) do |variable|
    value = Convert.to_string(
      SCR.Read(Builtins.add(path(".sysconfig.SuSEfirewall2"), variable))
    )
    # if value is undefined, get default value
    value = GetDefaultValue(variable) if value.nil? || value == ""
    # BNC #426000
    # backslash at the end
    if Builtins.regexpmatch(value, "[ \t]*\\\\[ \t]*\n")
      rules = Builtins.splitstring(value, "\\ \t\n")
      rules = Builtins.filter(rules) do |one_rule|
        !one_rule.nil? && one_rule != ""
      end
      value = Builtins.mergestring(rules, " ")
    end
    # BNC #194419
    # replace all "\n" with " " in variables
    value = Builtins.mergestring(Builtins.splitstring(value, "\n"), " ") if Builtins.regexpmatch(value, "\n")
    # replace all "\t" with " " in variables
    value = Builtins.mergestring(Builtins.splitstring(value, "\t"), " ") if Builtins.regexpmatch(value, "\t")
    Ops.set(@SETTINGS, variable, value)
  end

  nil
end

#RemoveAllowedBroadcast(needed_ports, zone) ⇒ Object

Local function removes list of ports from port allowing broadcast packets in zone.

Parameters:

  • needed_ports (Array<String>)

    to be removed

  • zone (String)

616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
# File 'library/network/src/lib/network/susefirewall2.rb', line 616

def RemoveAllowedBroadcast(needed_ports, zone)
  needed_ports = deep_copy(needed_ports)
  SetModified()

  allowed_ports = GetBroadcastAllowedPorts()
  list_ports_allowed = Ops.get(allowed_ports, zone, [])

  # ports to be allowed one by one
  Builtins.foreach(needed_ports) do |allow_this_port|
    # remove all aliases of ports yet mentioned in zone
    aliases_of_port = PortAliases.GetListOfServiceAliases(allow_this_port)
    list_ports_allowed = Builtins.filter(list_ports_allowed) do |just_allowed|
      !Builtins.contains(aliases_of_port, just_allowed)
    end
  end
  Ops.set(allowed_ports, zone, list_ports_allowed)

  # save it using function
  SetBroadcastAllowedPorts(allowed_ports)

  nil
end

#RemoveForwardIntoMasqueradeRule(remove_item) ⇒ Object

Function removes rule for forwarding into masquerade from the list of current rules returned by GetListOfForwardsIntoMasquerade().

Parameters:

  • remove_item (Integer)

    item number

See Also:

  • #GetListOfForwardsIntoMasquerade()

2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
# File 'library/network/src/lib/network/susefirewall2.rb', line 2055

def RemoveForwardIntoMasqueradeRule(remove_item)
  SetModified()

  forward_rules = []

  row_counter = 0
  Builtins.foreach(
    Builtins.splitstring(
      Ops.get_string(@SETTINGS, "FW_FORWARD_MASQ", ""),
      " "
    )
  ) do |forward_rule|
    next if forward_rule == ""

    forward_rules = Builtins.add(forward_rules, forward_rule) if row_counter != remove_item
    row_counter = Ops.add(row_counter, 1)
  end

  Ops.set(
    @SETTINGS,
    "FW_FORWARD_MASQ",
    Builtins.mergestring(forward_rules, " ")
  )

  nil
end

#RemoveInterfaceFromZone(interface, zone) ⇒ Object

Function removes interface from defined zone.

Examples:

RemoveInterfaceFromZone ("modem0", "EXT")

Parameters:


1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
# File 'library/network/src/lib/network/susefirewall2.rb', line 1133

def RemoveInterfaceFromZone(interface, zone)
  SetModified()

  Builtins.y2milestone(
    "Removing interface '%1' from '%2' zone.",
    interface,
    zone
  )

  interfaces_in_zone = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_DEV_", zone), ""),
    " "
  )
  interfaces_in_zone = Builtins.filter(interfaces_in_zone) do |single_interface|
    single_interface != "" && single_interface != interface
  end
  Ops.set(
    @SETTINGS,
    Ops.add("FW_DEV_", zone),
    Builtins.mergestring(interfaces_in_zone, " ")
  )

  nil
end

#RemoveOldAllowedServiceFromZone(old_service_def, zone) ⇒ Object

Removes old-service definitions before they are added as services defined by packages.


2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
# File 'library/network/src/lib/network/susefirewall2.rb', line 2474

def RemoveOldAllowedServiceFromZone(old_service_def, zone)
  old_service_def = deep_copy(old_service_def)
  Builtins.y2milestone("Removing: %1 from zone %2", old_service_def, zone)

  if Ops.get_list(old_service_def, "tcp_ports", []) != []
    Builtins.foreach(Ops.get_list(old_service_def, "tcp_ports", [])) do |one_service|
      RemoveService(one_service, "TCP", zone)
    end
  end

  if Ops.get_list(old_service_def, "udp_ports", []) != []
    Builtins.foreach(Ops.get_list(old_service_def, "udp_ports", [])) do |one_service|
      RemoveService(one_service, "UDP", zone)
    end
  end

  if Ops.get_list(old_service_def, "rpc_ports", []) != []
    Builtins.foreach(Ops.get_list(old_service_def, "rpc_ports", [])) do |one_service|
      RemoveService(one_service, "RPC", zone)
    end
  end

  if Ops.get_list(old_service_def, "ip_protocols", []) != []
    Builtins.foreach(Ops.get_list(old_service_def, "ip_protocols", [])) do |one_service|
      RemoveService(one_service, "IP", zone)
    end
  end

  if Ops.get_list(old_service_def, "broadcast_ports", []) != []
    broadcast = GetBroadcastAllowedPorts()

    Ops.set(broadcast, zone, Builtins.filter(Ops.get(broadcast, zone, [])) do |one_port|
      !Builtins.contains(
        Ops.get_list(old_service_def, "broadcast_ports", []),
        one_port
      )
    end)

    SetBroadcastAllowedPorts(broadcast)
  end

  nil
end

#RemoveServiceDefinedByPackageFromZone(service, zone) ⇒ Object

Removes service defined by package (FATE #300687) from enabled services.

Examples:

RemoveServiceDefinedByPackageFromZone ("service:irc-server", "EXT");

Parameters:


704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
# File 'library/network/src/lib/network/susefirewall2.rb', line 704

def RemoveServiceDefinedByPackageFromZone(service, zone)
  return nil if !IsKnownZone(zone)

  if service.nil?
    Builtins.y2error("Service Id can't be nil!")
    return nil
  elsif Builtins.regexpmatch(service, "^service:.*")
    service = Builtins.regexpsub(service, "^service:(.*)", "\\1")
  end

  # services defined by package are listed without "service:" which is here
  # just to distinguish between dynamic and static definitions
  supported_services = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_CONFIGURATIONS_", zone), ""),
    " "
  )
  # Removing the service
  supported_services = Builtins.filter(supported_services) do |one_service|
    one_service != service
  end
  Ops.set(
    @SETTINGS,
    Ops.add("FW_CONFIGURATIONS_", zone),
    Builtins.mergestring(supported_services, " ")
  )

  SetModified()

  nil
end

#RemoveServiceFromProtocolZone(remove_service, protocol, zone) ⇒ Boolean

Local function for removing (disallowing) single service/port for defined protocol and zone. Functions doesn't take care of port-aliases.

Parameters:

Returns:

  • (Boolean)

    success


679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
# File 'library/network/src/lib/network/susefirewall2.rb', line 679

def RemoveServiceFromProtocolZone(remove_service, protocol, zone)
  SetModified()

  key = Ops.add(Ops.add(Ops.add("FW_SERVICES_", zone), "_"), protocol)

  allowed = Builtins.splitstring(Ops.get_string(@SETTINGS, key, ""), " ")
  allowed = Builtins.filter(allowed) do |single_service|
    single_service != "" && single_service != remove_service
  end
  Ops.set(
    @SETTINGS,
    key,
    Builtins.mergestring(Builtins.toset(allowed), " ")
  )

  true
end

#RemoveServiceSupportFromZone(service, zone) ⇒ Object

Local function removes well-known service's support from zone. Allowed ports are removed with all of their port-aliases.

Parameters:


778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
# File 'library/network/src/lib/network/susefirewall2.rb', line 778

def RemoveServiceSupportFromZone(service, zone)
  Yast.import "SuSEFirewallServices" # lazy import due to circular dependencies

  needed = SuSEFirewallServices.GetNeededPortsAndProtocols(service)
  # unknown service
  if needed.nil?
    Builtins.y2error("Undefined service '%1'", service)
    return nil
  end

  # FATE #300687: Ports for SuSEfirewall added via packages
  if SuSEFirewallServices.ServiceDefinedByPackage(service)
    RemoveServiceDefinedByPackageFromZone(service, zone) if IsServiceSupportedInZone(service, zone) == true

    return nil
  end

  SetModified()

  # Removing service ports (and also port aliases for TCP and UDP)
  Builtins.foreach(@service_defined_by) do |key|
    needed_ports = Ops.get(needed, key, [])
    next if needed_ports == []

    if key == "tcp_ports"
      RemoveAllowedPortsOrServices(needed_ports, "TCP", zone, true)
    elsif key == "udp_ports"
      RemoveAllowedPortsOrServices(needed_ports, "UDP", zone, true)
    elsif key == "rpc_ports"
      RemoveAllowedPortsOrServices(needed_ports, "RPC", zone, false)
    elsif key == "ip_protocols"
      RemoveAllowedPortsOrServices(needed_ports, "IP", zone, false)
    elsif "broadcast_ports" == key
      RemoveAllowedBroadcast(needed_ports, zone)
    else
      Builtins.y2error("Unknown key '%1'", key)
    end
  end

  nil
end

#RemoveSpecialInterfaceFromZone(interface, zone) ⇒ Object

Function removes special string from defined zone.

Parameters:


1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
# File 'library/network/src/lib/network/susefirewall2.rb', line 1911

def RemoveSpecialInterfaceFromZone(interface, zone)
  SetModified()

  Builtins.y2milestone(
    "Removing special string '%1' from '%2' zone.",
    interface,
    zone
  )

  interfaces_in_zone = Builtins.splitstring(
    Ops.get_string(@SETTINGS, Ops.add("FW_DEV_", zone), ""),
    " "
  )
  interfaces_in_zone = Builtins.filter(interfaces_in_zone) do |single_interface|
    single_interface != "" && single_interface != interface
  end
  Ops.set(
    @SETTINGS,
    Ops.add("FW_DEV_", zone),
    Builtins.mergestring(interfaces_in_zone, " ")
  )

  nil
end

#ReportOnlyOnce(what_to_report) ⇒ Boolean

Report the error, warning, message only once. Stores the error, warning, message in memory. This is just a helper function that could avoid from filling y2log up with a lot of the very same messages - 'foreach()' is a very powerful builtin.

Examples:

string error = sformat("Port number %1 is invalid.", port_nr);
if (ReportOnlyOnce(error)) y2error(error);

Parameters:

  • what_to_report (String)

    error, warning or message

Returns:

  • (Boolean)

    whether the message should be reported or not


266
267
268
269
270
271
# File 'library/network/src/lib/network/susefirewall2.rb', line 266

def ReportOnlyOnce(what_to_report)
  return false if Builtins.contains(@report_only_once, what_to_report)

  @report_only_once = Builtins.add(@report_only_once, what_to_report)
  true
end

#ResetReadFlagObject

Function resets flag which doesn't allow to read configuration from disk again. So you actually can reread the configuration from disk. Currently, only the first Read() call reads the configuration from disk.


872
873
874
875
876
# File 'library/network/src/lib/network/susefirewall2.rb', line 872

def ResetReadFlag
  @configuration_has_been_read = false

  nil
end

#ResetSysconfigSuSEFirewall(variables) ⇒ Object

Local function for resetting list of sysconfig variables in internal variables.

Parameters:

  • variables (Array<String>)

    of sysconfig variables


360
361
362
363
364
365
366
367
368
# File 'library/network/src/lib/network/susefirewall2.rb', line 360

def ResetSysconfigSuSEFirewall(variables)
  variables = deep_copy(variables)
  Builtins.foreach(variables) do |variable|
    # reseting means getting default variables
    Ops.set(@SETTINGS, variable, GetDefaultValue(variable))
  end

  nil
end

#SetAcceptExpertRules(zone, expert_rules) ⇒ Boolean

Sets expert allow rules for zone.

Parameters:

  • zone (String)
  • expert_rules (String)

    whitespace-separated expert_rules

Returns:

  • (Boolean)

    if successful


2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
# File 'library/network/src/lib/network/susefirewall2.rb', line 2281

def SetAcceptExpertRules(zone, expert_rules)
  zone = Builtins.toupper(zone)

  # Check for zone
  if !Builtins.contains(GetKnownFirewallZones(), zone)
    Builtins.y2error("Unknown firewall zone: %1", zone)
    return false
  end

  Ops.set(@SETTINGS, Ops.add("FW_SERVICES_ACCEPT_", zone), expert_rules)
  SetModified()

  true
end

#SetAllowedServicesForZoneProto(allowed_services, zone, protocol) ⇒ Object

Function sets list of services as allowed ports for zone and protocol

Parameters:

  • allowed_services (Array<String>)

    of allowed ports/services

  • zone (String)
  • protocol (String)

455
456
457
458
459
460
461
462
463
464
465
466
# File 'library/network/src/lib/network/susefirewall2.rb', line 455

def SetAllowedServicesForZoneProto(allowed_services, zone, protocol)
  allowed_services = deep_copy(allowed_services)
  SetModified()

  Ops.set(
    @SETTINGS,
    Ops.add(Ops.add(Ops.add("FW_SERVICES_", zone), "_"), protocol),
    Builtins.mergestring(Builtins.toset(allowed_services), " ")
  )

  nil
end

#SetBroadcastAllowedPorts(broadcast) ⇒ Object

Function creates allowed-broadcast-ports string from broadcast map and saves it.

Parameters:

  • broadcast (Hash<String,Array<String>>)

    strings are allowed ports or port ranges

See Also:

  • for an example of data

547
548
549
550
551
552
553
554
555
556
557
558
559
560
# File 'library/network/src/lib/network/susefirewall2.rb', line 547

def SetBroadcastAllowedPorts(broadcast)
  broadcast = deep_copy(broadcast)
  SetModified()

  Builtins.foreach(GetKnownFirewallZones()) do |zone|
    Ops.set(broadcast, zone, ["no"]) if Ops.get(broadcast, zone, []) == []
    SetBroadcastConfiguration(
      zone,
      Builtins.mergestring(Ops.get(broadcast, zone, []), " ")
    )
  end

  nil
end

#SetBroadcastConfiguration(zone, broadcast_configuration) ⇒ Object

Local function saves configuration string for broadcast packets.

Parameters:

  • zone (String)
  • broadcast_configuration (String)

    with broadcast configuration


479
480
481
482
483
484
485
486
487
488
489
# File 'library/network/src/lib/network/susefirewall2.rb', line 479

def SetBroadcastConfiguration(zone, broadcast_configuration)
  SetModified()

  Ops.set(
    @SETTINGS,
    Ops.add("FW_ALLOW_FW_BROADCAST_", zone),
    broadcast_configuration
  )

  nil
end

#SetFirewallKernelModules(k_modules) ⇒ Object

Sets list of additional kernel modules to be loaded by firewall on startup.

Examples:

SuSEFirewall::SetFirewallKernelModules (["ip_conntrack_ftp","ip_nat_ftp"]);

Parameters:

  • k_modules (Array<String>)

    list of kernel modules

See Also:

  • option nr. 32

2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
# File 'library/network/src/lib/network/susefirewall2.rb', line 2321

def SetFirewallKernelModules(k_modules)
  k_modules = deep_copy(k_modules)
  k_modules = Builtins.filter(k_modules) do |one_module|
    if one_module.nil?
      Builtins.y2error(
        "List of modules %1 contains 'nil'! It will be ignored.",
        k_modules
      )
      next false
    elsif one_module == ""
      Builtins.y2warning(
        "List of modules %1 contains an empty string, it will be ignored.",
        k_modules
      )
      next false
    end
    if Builtins.regexpmatch(one_module, " ") ||
        Builtins.regexpmatch(one_module, "\t")
      Builtins.y2warning(
        "Additional module '%1' contains spaces. They will be evaluated as two or more modules later.",
        one_module
      )
    end
    true
  end

  Ops.set(
    @SETTINGS,
    "FW_LOAD_MODULES",
    Builtins.mergestring(k_modules, " ")
  )
  SetModified()

  nil
end

#SetIgnoreLoggingBroadcast(zone, bcast) ⇒ Object

Function sets yes/no - ignoring broadcast for zone

Examples:

# Does not log broadcast packets from DMZ
SetIgnoreLoggingBroadcast ("DMZ", "yes")

Parameters:


2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
# File 'library/network/src/lib/network/susefirewall2.rb', line 2243

def SetIgnoreLoggingBroadcast(zone, bcast)
  if !IsKnownZone(zone)
    Builtins.y2error("Unknown zone '%1'", zone)
    return nil
  end

  SetModified()

  Ops.set(@SETTINGS, Ops.add("FW_IGNORE_FW_BROADCAST_", zone), bcast)

  nil
end

#SetLoggingSettings(rule, state) ⇒ Object

Function sets state of logging for rule taken as parameter.

Examples:

SetLoggingSettings ("ACCEPT", "ALL")
SetLoggingSettings ("DROP", "NONE")

Parameters:

  • rule (String)

    definition 'ACCEPT' or 'DROP'

  • state (String)

    new logging state 'ALL', 'CRIT', or 'NONE'


2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
# File 'library/network/src/lib/network/susefirewall2.rb', line 2186

def SetLoggingSettings(rule, state)
  SetModified()

  if rule == "ACCEPT"
    if state == "ALL"
      Ops.set(@SETTINGS, "FW_LOG_ACCEPT_CRIT", "yes")
      Ops.set(@SETTINGS, "FW_LOG_ACCEPT_ALL", "yes")
    elsif state == "CRIT"
      Ops.set(@SETTINGS, "FW_LOG_ACCEPT_CRIT", "yes")
      Ops.set(@SETTINGS, "FW_LOG_ACCEPT_ALL", "no")
    else
      Ops.set(@SETTINGS, "FW_LOG_ACCEPT_CRIT", "no")
      Ops.set(@SETTINGS, "FW_LOG_ACCEPT_ALL", "no")
    end
  elsif rule == "DROP"
    if state == "ALL"
      Ops.set(@SETTINGS, "FW_LOG_DROP_CRIT", "yes")
      Ops.set(@SETTINGS, "FW_LOG_DROP_ALL", "yes")
    elsif state == "CRIT"
      Ops.set(@SETTINGS, "FW_LOG_DROP_CRIT", "yes")
      Ops.set(@SETTINGS, "FW_LOG_DROP_ALL", "no")
    else
      Ops.set(@SETTINGS, "FW_LOG_DROP_CRIT", "no")
      Ops.set(@SETTINGS, "FW_LOG_DROP_ALL", "no")
    end
  else
    Builtins.y2error("Possible rules are only 'ACCEPT' or 'DROP'")
  end

  nil
end

#SetMasquerade(enable, _zone = nil) ⇒ Object

Function sets Masquerade support.

Parameters:

  • enable (Boolean)

    to support or not to support it

  • _zone (defaults to: nil)

    ignored


1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
# File 'library/network/src/lib/network/susefirewall2.rb', line 1977

def SetMasquerade(enable, _zone = nil)
  SetModified()

  Ops.set(@SETTINGS, "FW_MASQUERADE", enable ? "yes" : "no")

  # routing is needed for masquerading, but we can't switch it off when disabling masquerading
  Ops.set(@SETTINGS, "FW_ROUTE", "yes") if enable

  nil
end

#SetProtectFromInternalZone(set_protect) ⇒ Object

Function sets if firewall should be protected from internal zone.

Parameters:

  • set_protect (Boolean)

    set to be protected from internal zone


881
882
883
884
885
886
887
888
889
890
891
# File 'library/network/src/lib/network/susefirewall2.rb', line 881

def SetProtectFromInternalZone(set_protect)
  SetModified()

  if set_protect
    Ops.set(@SETTINGS, "FW_PROTECT_FROM_INT", "yes")
  else
    Ops.set(@SETTINGS, "FW_PROTECT_FROM_INT", "no")
  end

  nil
end

#SetServicesAcceptRelated(zone, ruleset) ⇒ Object

Functions sets FW_SERVICES_ACCEPT_RELATED_*: Services to allow that are considered RELATED by the connection tracking engine, e.g., SLP browsing reply or Samba browsing reply.

Examples:

SetServicesAcceptRelated ("EXT", ["0/0,udp,427", "0/0,udp,137"])

Parameters:

See Also:

  • #GetServicesAcceptRelated()

2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
# File 'library/network/src/lib/network/susefirewall2.rb', line 2414

def SetServicesAcceptRelated(zone, ruleset)
  ruleset = deep_copy(ruleset)
  if !IsKnownZone(zone)
    Builtins.y2error("Uknown zone '%1'", zone)
    return
  end

  ruleset = Builtins.filter(ruleset) { |one_rule| !one_rule.nil? }

  SetModified()

  Ops.set(
    @SETTINGS,
    Ops.add("FW_SERVICES_ACCEPT_RELATED_", zone),
    Builtins.mergestring(ruleset, "\n")
  )

  nil
end

#SetServicesForZones(services_ids, firewall_zones, new_status) ⇒ Object

Function sets status for several services in several firewall zones.

Examples:

SetServicesForZones (["samba-server", "service:irc-server"], ["DMZ", "EXT"], false);
SetServicesForZones (["samba-server", "service:irc-server"], ["EXT", "DMZ"], true);

Parameters:

  • services_ids (Array<String>)
  • firewall_zones (Array<String>)

    (EXT|INT|DMZ...)

  • new_status (Boolean)

    of services

Returns:

  • nil

See Also:

  • #GetServicesInZones()
  • #GetServices()

1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
# File 'library/network/src/lib/network/susefirewall2.rb', line 1417

def SetServicesForZones(services_ids, firewall_zones, new_status)
  # setting for each service
  Builtins.foreach(services_ids) do |service_id|
    Builtins.foreach(firewall_zones) do |firewall_zone|
      # zone must be known one
      if !IsKnownZone(firewall_zone)
        Builtins.y2error(
          "Zone '%1' is unknown firewall zone, skipping...",
          firewall_zone
        )
        next
      end
      SetModified()
      # setting new status
      if new_status == true
        Builtins.y2milestone(
          "Adding '%1' into '%2' zone",
          service_id,
          firewall_zone
        )
        AddServiceSupportIntoZone(service_id, firewall_zone)
      else
        Builtins.y2milestone(
          "Removing '%1' from '%2' zone",
          service_id,
          firewall_zone
        )
        RemoveServiceSupportFromZone(service_id, firewall_zone)
      end
    end
  end

  nil
end

#SetSupportRoute(set_route) ⇒ Object

Function sets if firewall should support routing.

Parameters:

  • set_route (Boolean)

    set to support route or not


903
904
905
906
907
908
909
910
911
912
913
914
915
# File 'library/network/src/lib/network/susefirewall2.rb', line 903

def SetSupportRoute(set_route)
  SetModified()

  if set_route
    Ops.set(@SETTINGS, "FW_STOP_KEEP_ROUTING_STATE", "yes")
    Ops.set(@SETTINGS, "FW_ROUTE", "yes")
  else
    Ops.set(@SETTINGS, "FW_STOP_KEEP_ROUTING_STATE", "no")
    Ops.set(@SETTINGS, "FW_ROUTE", "no")
  end

  nil
end

#SetTrustIPsecAs(zone) ⇒ Object

Function sets how firewall should trust successfully decrypted IPsec packets. It should be the zone name (shortname) or 'no' to trust packets the same as firewall trusts the zone from which IPsec packet came.

Parameters:


929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
# File 'library/network/src/lib/network/susefirewall2.rb', line 929

def SetTrustIPsecAs(zone)
  SetModified()

  # do not trust
  if zone == "no"
    Ops.set(@SETTINGS, "FW_IPSEC_TRUST", "no")
  # trust IPsec is a known zone
  elsif IsKnownZone(zone)
    zone = GetZoneConfigurationString(zone)
    Ops.set(@SETTINGS, "FW_IPSEC_TRUST", zone)
    # unknown zone, changing to default value
  else
    defaultv = GetDefaultValue("FW_IPSEC_TRUST")
    Builtins.y2warning(
      "Trust IPsec as '%1' (unknown zone) changed to '%2'",
      zone,
      defaultv
    )
    Ops.set(@SETTINGS, "FW_IPSEC_TRUST", defaultv)
  end

  nil
end

#WriteBoolean

Function for writing and enabling configuration, it is a union of WriteConfiguration() and ActivateConfiguration().

Returns:

  • (Boolean)

    if succesfull


1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
# File 'library/network/src/lib/network/susefirewall2.rb', line 1770

def Write
  CheckKernelModules()

  # just disabled
  return true if !SuSEFirewallIsInstalled()

  return false if !WriteConfiguration()

  return false if !ActivateConfiguration()

  true
end

#WriteConfigurationBoolean

Function writes configuration into /etc/sysconfig/ and enables or disables firewall in /etc/init.d/ by the setting SetEnableService(boolean). This is a write-only configuration, firewall is never started only enabled or disabled.

Returns:

  • (Boolean)

    if successful


1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
# File 'library/network/src/lib/network/susefirewall2.rb', line 1672

def WriteConfiguration
  # just disabled
  return true if !SuSEFirewallIsInstalled()

  # Progress only for normal configuration and command line
  have_progress = Mode.normal

  if have_progress
    # TRANSLATORS: Dialog caption
    write_caption = _("Writing Firewall Configuration")

    Progress.New(
      write_caption,
      " ",
      2,
      [
        # TRANSLATORS: Progress step
        _("Write firewall settings"),
        # TRANSLATORS: Progress step
        _("Adjust firewall service")
      ],
      [
        # TRANSLATORS: Progress step
        _("Writing firewall settings..."),
        # TRANSLATORS: Progress step
        _("Adjusting firewall service..."),
        # TRANSLATORS: Progress step
        Message.Finished
      ],
      ""
    )

    Progress.NextStage
  end

  # only modified configuration is written
  if GetModified()
    Builtins.y2milestone(
      "Firewall configuration has been changed. Writing: %1.",
      @SETTINGS
    )

    if !WriteSysconfigSuSEFirewall(GetListOfSuSEFirewallVariables())
      # TRANSLATORS: a popup error message
      Report.Error(_("Writing settings failed"))
      return false
    end
  else
    Builtins.y2milestone("Firewall settings weren't modified, skipping...")
  end

  Progress.NextStage if have_progress

  # Adjusting services
  if GetModified()
    # enabling firewall in /etc/init.d/
    if Ops.get_boolean(@SETTINGS, "enable_firewall", false)
      Builtins.y2milestone("Enabling firewall services")
      return false if !EnableServices()
      # disabling firewall in /etc/init.d/
    else
      Builtins.y2milestone("Disabling firewall services")
      return false if !DisableServices()
    end
  else
    Builtins.y2milestone(
      "Firewall enable/disable wasn't modified, skipping..."
    )
  end

  Progress.NextStage if have_progress

  if @already_converted &&
      !FileUtils.Exists(@converted_to_services_dbp_file)
    Builtins.y2milestone(
      "Writing %1: %2",
      @converted_to_services_dbp_file,
      SCR.Write(path(".target.string"), @converted_to_services_dbp_file, "")
    )
  end

  Progress.Finish if have_progress

  true
end

#WriteOnlyBoolean

Helper function for backward compatibility. See WriteConfiguration(). Remove from code ASAP.

Returns:

  • (Boolean)

    if succesful


1762
1763
1764
# File 'library/network/src/lib/network/susefirewall2.rb', line 1762

def WriteOnly
  WriteConfiguration()
end

#WriteSysconfigSuSEFirewall(variables) ⇒ Boolean

Local function for writing the list of internal variables into sysconfig. List of variables is list of keys in SETTINGS map, to sync configuration into the disk, use nil as the last list item.

Parameters:

  • variables (Array<String>)

    of sysconfig variables

Returns:

  • (Boolean)

    if successful


376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
# File 'library/network/src/lib/network/susefirewall2.rb', line 376

def WriteSysconfigSuSEFirewall(variables)
  variables = deep_copy(variables)
  write_status = true
  value = ""

  Builtins.foreach(variables) do |variable|
    # if variable is undefined, get default value
    value = Ops.get_string(@SETTINGS, variable) { GetDefaultValue(variable) }
    write_status = SCR.Write(
      Builtins.add(path(".sysconfig.SuSEfirewall2"), variable),
      value
    )
    if !write_status
      Report.Error(
        Message.CannotWriteSettingsTo("/etc/sysconfig/SuSEFirewall2")
      )
      raise Break
    end
  end

  write_status = SCR.Write(path(".sysconfig.SuSEfirewall2"), nil)
  if !write_status
    Report.Error(
      Message.CannotWriteSettingsTo("/etc/sysconfig/SuSEFirewall2")
    )
  end

  write_status
end