Class: Yast::SuSEFirewallClass

Inherits:
Module
  • Object
Includes:
Logger
Defined in:
library/network/src/lib/network/susefirewall.rb

Overview

Factory for construction of appropriate firewall object based on desired backend.

Direct Known Subclasses

SuSEFirewall2Class, SuSEFirewalldClass

Instance Attribute Summary

Instance Method Summary

Constructor Details

#initialize ⇒ SuSEFirewallClass

Returns a new instance of SuSEFirewallClass.


# File 'library/network/src/lib/network/susefirewall.rb', line 45

# Sets up the translation domain for this module; no backend-specific
# state is initialised here (subclasses provide it).
def initialize
  # NOTE(review): textdomain is the YaST i18n helper that binds _() to the
  # "base" gettext domain — confirm against Yast::I18n if it matters here
  textdomain "base"
end

Instance Attribute Details

#firewall_service ⇒ String (readonly)

Returns the systemd service name: "firewalld" or "SuSEfirewall2".

Returns:

  • (String)

    the systemd service name: "firewalld" or "SuSEfirewall2"


# File 'library/network/src/lib/network/susefirewall.rb', line 35

# Name of the systemd service of the selected backend ("firewalld" or
# "SuSEfirewall2"); the value is assigned by the backend subclass, this
# class only reads @firewall_service.
#
# @return [String, nil] the service name (nil until a backend sets it)
def firewall_service
  @firewall_service
end

Instance Method Details

#AddService(service, protocol, interface) ⇒ Boolean

Function adds a service into the selected zone (or the zone of the interface) for the selected protocol. The function takes care of port-aliases: first of all, it removes all of them.

Examples:

AddService ("ssh", "TCP", "EXT")
AddService ("ssh", "TCP", "dsl0")

Parameters:

  • service/port (String)
  • protocol (String)

    TCP, UDP, RPC, IP

  • string

    zone name or interface name

Returns:

  • (Boolean)

    success


# File 'library/network/src/lib/network/susefirewall.rb', line 918

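# Adds a service (or port) for the given protocol to the selected zone, or
# to the zone the given interface is assigned to.
#
# @param service [String] service name, port name/alias or port number
# @param protocol [String] TCP, UDP, RPC or IP (must pass IsSupportedProtocol)
# @param interface [String] zone shortname (like "EXT"), interface name
#   (like "eth0"), or "all" for every known zone
# @return [Boolean] true on success; false for an unknown protocol or for an
#   interface that is not assigned to any zone (an error popup is reported)
def AddService(service, protocol, interface)
  Builtins.y2milestone(
    "Adding service %1, protocol %2 to %3",
    service,
    protocol,
    interface
  )

  if !IsSupportedProtocol(protocol)
    Builtins.y2error("Unknown protocol: %1", protocol)
    return false
  end

  zones_affected = []

  # "all" means for all known zones
  if interface == "all"
    zones_affected = GetKnownFirewallZones()
  elsif IsKnownZone(interface)
    # a zone shortname
    zones_affected = [interface]
  else
    # probably an interface name: look up the zone it is assigned to.
    # Keep the interface name itself so the error below can report it
    # (overwriting `interface` with the nil lookup result used to print "nil").
    zone = GetZoneOfInterface(interface)
    # interface is not assigned to any zone
    if zone.nil?
      # TRANSLATORS: Error message, %1 = interface name (like eth0)
      Report.Error(
        Builtins.sformat(
          _(
            "Interface '%1' is not assigned to any firewall zone.\nRun YaST2 Firewall and assign it.\n"
          ),
          interface
        )
      )
      Builtins.y2warning(
        "Interface '%1' is not assigned to any firewall zone",
        interface
      )
      return false
    end
    zones_affected = [zone]
  end

  SetModified()

  # Adding service support into each mentioned zone
  Builtins.foreach(zones_affected) do |zone|
    # only when it is not allowed there already (aliases are checked too)
    if !ArePortsOrServicesAllowed([service], protocol, zone, true)
      AddAllowedPortsOrServices([service], protocol, zone)
    else
      Builtins.y2milestone(
        "Port %1 has been already allowed in %2",
        service,
        zone
      )
    end
  end

  true
end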

#AddXenSupport ⇒ Object

Function adds a special interface 'xenbr+' into the FW_FORWARD_ALWAYS_INOUT_DEV variable.


# File 'library/network/src/lib/network/susefirewall.rb', line 1064

# Placeholder for the 'xenbr+' forwarding setup; only logs that the
# backend handles it itself.
#
# @return [nil]
def AddXenSupport
  Builtins.y2milestone("The whole functionality is currently handled by SuSEfirewall2 itself")
  nil
end

#ArePortsOrServicesAllowed(needed_ports, protocol, zone, check_for_aliases) ⇒ Boolean


# File 'library/network/src/lib/network/susefirewall.rb', line 807

# Checks whether every requested port/service is already allowed for the
# protocol in the zone, either as a plain entry or inside an allowed port range.
#
# @param needed_ports [Array<String>] ports or service names to look for
# @param protocol [String] TCP, UDP, RPC or IP
# @param zone [String] firewall zone shortname
# @param check_for_aliases [Boolean] when true, the allowed list is split into
#   plain ports and port ranges (with alias handling) by PortRanges
# @return [Boolean] true when all are allowed; an empty request list yields
#   true as well (with a warning)
def ArePortsOrServicesAllowed(needed_ports, protocol, zone, check_for_aliases)
  needed_ports = deep_copy(needed_ports)

  if Ops.less_than(Builtins.size(needed_ports), 1)
    Builtins.y2warning("Undefined list of %1 services/ports for service", protocol)
    return true
  end

  currently_allowed = GetAllowedServicesForZoneProto(zone, protocol)
  # BTW: only TCP and UDP ports can have aliases and only TCP and UDP ports
  # can have port ranges, so the split is only done when aliases are wanted
  allowed =
    if check_for_aliases
      PortRanges.DividePortsAndPortRanges(currently_allowed, true)
    else
      { "ports" => currently_allowed }
    end
  plain_ports = Ops.get(allowed, "ports", [])
  port_ranges = Ops.get(allowed, "port_ranges", [])

  # the first port that is neither listed nor covered by a range decides
  Builtins.foreach(needed_ports) do |needed_port|
    next if Builtins.contains(plain_ports, needed_port)
    next if PortRanges.PortIsInPortranges(needed_port, port_ranges)

    return false
  end

  true
end

#DisableServices ⇒ Boolean

Function disables the services needed for SuSEFirewall in /etc/init.d/

Returns:

  • (Boolean)

    result


# File 'library/network/src/lib/network/susefirewall.rb', line 175

# Disables the backend's systemd service.
#
# @return [Boolean] false when the firewall is not installed or disabling
#   fails (the service error is reported to the user), true otherwise
def DisableServices
  return false unless SuSEFirewallIsInstalled()

  unless Service.Disable(@firewall_service)
    Report.LongError(Service.Error)
    return false
  end

  true
end

#EnableServices ⇒ Boolean

Function enables the services needed for SuSEFirewall in /etc/init.d/

Returns:

  • (Boolean)

    result


# File 'library/network/src/lib/network/susefirewall.rb', line 158

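# Enables the backend's systemd service.
#
# @return [Boolean] false when the firewall is not installed or enabling
#   fails (the service error is reported to the user), true otherwise.
#   Previously a failed Service.Enable still returned true, so callers could
#   not tell the service was left disabled; this mirrors DisableServices now.
def EnableServices
  return false if !SuSEFirewallIsInstalled()

  return true if Service.Enable(@firewall_service)

  # TRANSLATORS: a popup error message
  Report.LongError(Service.Error)
  false
end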

#GetAllKnownInterfaces ⇒ Array<Hash{String => String}>

Function returns list of maps of known interfaces.

Structure:

[ $[ "id":"modem1", "name":"Askey 815C", "type":"dialup", "zone":"EXT" ], ... ]

Returns:


# File 'library/network/src/lib/network/susefirewall.rb', line 402

# Returns one hash per known network interface, dial-up interfaces first.
#
# Each hash carries "id" (interface name), "name" (NetworkInterfaces NAME
# value) and "zone" (GetZoneOfInterface result); dial-up entries also get
# "type" => "dialup". Names containing "lo" or "sit" are skipped, as are
# nil/empty names reported by NetworkInterfaces (bugzilla #303858).
#
# @return [Array<Hash{String => String}>] deep copy of the interface list
def GetAllKnownInterfaces
  dialup = usable_interface_names(NetworkInterfaces.List("dialup"))
  # non-dial-up interfaces, minus anything already reported as dial-up
  wired = usable_interface_names(NetworkInterfaces.List("")).reject do |iface|
    dialup.include?(iface)
  end

  dialup_entries = dialup.map do |iface|
    {
      "id"   => iface,
      "type" => "dialup",
      # using function to get name
      "name" => NetworkInterfaces.GetValue(iface, "NAME"),
      "zone" => GetZoneOfInterface(iface)
    }
  end

  wired_entries = wired.map do |iface|
    {
      "id"   => iface,
      # using function to get name
      "name" => NetworkInterfaces.GetValue(iface, "NAME"),
      "zone" => GetZoneOfInterface(iface)
    }
  end

  deep_copy(dialup_entries + wired_entries)
end

# Filters a raw NetworkInterfaces.List result down to usable names: nil and
# empty entries are logged and dropped (bugzilla #303858), names containing
# "lo" or "sit" are dropped silently. A nil list is treated as empty.
#
# @param names [Array<String>, nil] raw list from NetworkInterfaces.List
# @return [Array<String>]
private def usable_interface_names(names)
  (names || []).select do |iface|
    if iface.nil? || iface == ""
      Builtins.y2error("Wrong interface definition '%1'", iface)
      next false
    end

    !iface.include?("lo") && !iface.include?("sit")
  end
end

#GetEnableService ⇒ Boolean

Function which returns whether SuSEfirewall should be enabled in /etc/init.d/ starting scripts during the Write() process

Returns:

  • (Boolean)

    if the firewall should start

See Also:

  • #Write()
  • #EnableServices()

# File 'library/network/src/lib/network/susefirewall.rb', line 91

# Whether the firewall service is to be enabled during Write().
#
# @return [Boolean] the "enable_firewall" flag from @SETTINGS; false when
#   it is missing (Ops.get_boolean also falls back to the default when the
#   stored value is not a boolean — confirm against Ops if relied upon)
def GetEnableService
  Ops.get_boolean(@SETTINGS, "enable_firewall", false)
end

#GetKnownFirewallZones ⇒ Array<String>

Function returns list of known firewall zones (shortnames)

Examples:

GetKnownFirewallZones() -> ["DMZ", "EXT", "INT"]

Returns:

  • (Array<String>)

    of firewall zones


# File 'library/network/src/lib/network/susefirewall.rb', line 225

# Known firewall zone shortnames (e.g. "DMZ", "EXT", "INT"), as set up by
# the backend subclass in @known_firewall_zones.
#
# @return [Array<String>] a deep copy, so callers cannot alter the
#   internal list by mutating the result
def GetKnownFirewallZones
  deep_copy(@known_firewall_zones)
end

#GetListOfKnownInterfaces ⇒ Array<String>

Function returns list of all known interfaces.

Examples:

GetListOfKnownInterfaces() -> ["eth1", "eth2", "modem0", "dsl5"]

Returns:

  • (Array<String>)

    of interfaces


# File 'library/network/src/lib/network/susefirewall.rb', line 476

# Names of all known interfaces, in the order GetAllKnownInterfaces
# reports them (dial-up first).
#
# @return [Array<String>] the "id" of every known interface
def GetListOfKnownInterfaces
  GetAllKnownInterfaces().map { |entry| entry["id"] }
end

#GetModified ⇒ Boolean

Function returns whether any of the firewall configuration was modified.

Returns:

  • (Boolean)

    if the configuration was modified


# File 'library/network/src/lib/network/susefirewall.rb', line 363

# Whether anything that would require writing and restarting the firewall
# has changed: this module's own state, or the service definitions kept by
# SuSEFirewallServices.
#
# @return [Boolean]
def GetModified
  Yast.import "SuSEFirewallServices"
  # our own changes win; otherwise the service definitions decide
  # (a change there needs a restart as well)
  return true if @modified

  SuSEFirewallServices.GetModified
end

#GetServices(services) ⇒ Hash{String => Hash{String => Boolean}}

Function returns map of supported services in all firewall zones.

Structure:

 Returns $[service : $[ zone_name : supported_status]]

Examples:

// Firewall in not protected from internal zone, that's why
// all services report that they are enabled in INT zone
GetServices (["samba-server", "service:irc-server"]) -> $[
  "samba-server" : $["DMZ":false, "EXT":false, "INT":true],
  "service:irc-server" : $["DMZ":false, "EXT":true, "INT":true]
]

Parameters:

  • list (string)

    of services

Returns:


# File 'library/network/src/lib/network/susefirewall.rb', line 246

# Builds the support matrix of the requested services over all known zones.
#
# @param services [Array<String>] service ids
# @return [Hash{String => Hash{String => Boolean}}] service => { zone => supported }
def GetServices(services)
  services = deep_copy(services)
  # $[ service : $[ firewall_zone : status ]]
  services_status = {}

  Builtins.foreach(services) do |service|
    per_zone = {}
    # ask every configured zone about this service
    Builtins.foreach(GetKnownFirewallZones()) do |zone|
      per_zone[zone] = IsServiceSupportedInZone(service, zone)
    end
    services_status[service] = per_zone
  end

  deep_copy(services_status)
end

#GetServicesInZones(services) ⇒ Hash{String => Hash{String => Boolean}}

Function returns a map of supported services on all network interfaces.

Structure:

 Returns $[service : $[ interface : supported_status ]]

Examples:

GetServicesInZones (["service:irc-server"]) -> $["service:irc-server":$["eth1":true]]
// No such service "something"
GetServicesInZones (["something"])) -> $["something":$["eth1":nil]]
GetServicesInZones (["samba-server"]) -> $["samba-server":$["eth1":false]]

Parameters:

  • list (string)

    of services

Returns:


# File 'library/network/src/lib/network/susefirewall.rb', line 282

# Builds the support matrix of the requested services over all known
# interfaces; interfaces without a zone are left out.
#
# @param services [Array<String>] service ids
# @return [Hash{String => Hash{String => Boolean}}] service => { interface => supported }
def GetServicesInZones(services)
  services = deep_copy(services)

  # zone shortname => interfaces assigned to it; unassigned ones are dropped
  interfaces_in_zone = GetListOfKnownInterfaces().group_by do |iface|
    GetZoneOfInterface(iface)
  end
  interfaces_in_zone = interfaces_in_zone.reject { |zone, _ifaces| zone.nil? || zone.empty? }

  # $[ service : $[ network_interface : status ]]
  services_status = {}

  Builtins.foreach(services) do |service|
    per_interface = {}
    # the zone decides, every interface in it inherits the status
    interfaces_in_zone.each do |zone, interfaces|
      status = IsServiceSupportedInZone(service, zone)
      interfaces.each { |iface| per_interface[iface] = status }
    end
    services_status[service] = per_interface
  end

  deep_copy(services_status)
end

#GetStartService ⇒ Boolean

Function which returns whether SuSEfirewall2 should start in the Write process. In fact it means that SuSEfirewall2 will be started at the end of it.

Returns:

  • (Boolean)

    if the firewall should start


# File 'library/network/src/lib/network/susefirewall.rb', line 53

# Whether the firewall service is to be started at the end of Write().
#
# @return [Boolean] the "start_firewall" flag from @SETTINGS; false when
#   it is missing (Ops.get_boolean also falls back to the default when the
#   stored value is not a boolean — confirm against Ops if relied upon)
def GetStartService
  Ops.get_boolean(@SETTINGS, "start_firewall", false)
end

#GetZoneFullName(zone) ⇒ String

Function returns localized name of the zone identified by zone shortname.

Examples:

LANG=en_US GetZoneFullName ("EXT") -> "External Zone"
LANG=cs_CZ GetZoneFullName ("EXT") -> "Externí Zóna"

Parameters:

  • string

    short name

Returns:


# File 'library/network/src/lib/network/susefirewall.rb', line 508

# Localized full name of a zone shortname.
#
# @param zone [String] zone shortname (like "EXT")
# @return [String] the name from @zone_names, or the translated
#   "Unknown Zone" when the zone has no entry
def GetZoneFullName(zone)
  # TRANSLATORS: Firewall zone full-name, used as combo box item or dialog title
  fallback = _("Unknown Zone")
  full_name = Ops.get(@zone_names, zone)
  full_name.nil? ? fallback : full_name
end

#GetZonesOfInterfaces(interfaces) ⇒ Array<String>

Function returns list of zones of requested interfaces

Examples:

GetZonesOfInterfaces (["eth1","eth4"]) -> ["DMZ", "EXT"]

Parameters:

Returns:

  • (Array<String>)

    firewall zones


# File 'library/network/src/lib/network/susefirewall.rb', line 487

# Zones the given interfaces are assigned to; interfaces without a zone
# contribute nothing.
#
# @param interfaces [Array<String>] interface names
# @return [Array<String>] the zones as a set (Builtins.toset: unique,
#   presumably sorted — verify if order matters to the caller)
def GetZonesOfInterfaces(interfaces)
  interfaces = deep_copy(interfaces)
  zones = []

  Builtins.foreach(interfaces) do |interface|
    zone = GetZoneOfInterface(interface)
    zones << zone unless zone.nil?
  end

  Builtins.toset(zones)
end

#HaveService(service, protocol, interface) ⇒ Boolean

Function returns if requested service is allowed in respective zone. Function takes care for service's aliases (only for TCP and UDP). Service is defined by set of parameters such as port and protocol.

Examples:

HaveService ("ssh", "TCP", "EXT") -> true
HaveService ("ssh", "TCP", "modem0") -> false
HaveService ("53", "UDP", "dsl") -> false

Parameters:

  • service (String)

    (service name, port name, port alias or port number)

  • protocol (String)

    TCP, UDP, RCP or IP

  • interface (String)

    name (like modem0), firewall zone (like "EXT") or "any" for all zones.

Returns:

  • (Boolean)

    if service is allowed


# File 'library/network/src/lib/network/susefirewall.rb', line 861

# Tells whether the service is allowed for the protocol in the zone(s)
# selected by `interface`. Aliases and port ranges are honoured via
# ArePortsOrServicesAllowed.
#
# @param service [String] service name, port name, port alias or port number
# @param protocol [String] TCP, UDP, RPC or IP
# @param interface [String] interface name, zone shortname, or "any" for all zones
# @return [Boolean, nil] true when allowed in at least one searched zone
#   (or when the internal zone is searched and not protected); nil for an
#   unknown protocol
def HaveService(service, protocol, interface)
  unless IsSupportedProtocol(protocol)
    Builtins.y2error("Unknown protocol: %1", protocol)
    return nil
  end

  # zones to search: all of them for "any", the zone itself when the
  # argument is a zone shortname, else the zone the interface belongs to
  zones =
    if interface == "any"
      GetKnownFirewallZones()
    elsif IsKnownZone(interface)
      [interface]
    else
      interface = GetZoneOfInterface(interface)
      interface.nil? ? [] : [interface]
    end

  # SuSEFirewall feature FW_PROTECT_FROM_INT: an unprotected internal zone
  # allows everything, so searching it short-circuits to true
  if !GetProtectFromInternalZone() && Builtins.contains(zones, @int_zone_shortname)
    Builtins.y2milestone(
      "Checking for service '%1', in '%2', PROTECT_FROM_INTERNAL='no' => allowed",
      service,
      interface
    )
    return true
  end

  # allowed anywhere among the searched zones? (port ranges handled too)
  Builtins.foreach(zones) do |zone|
    return true if ArePortsOrServicesAllowed([service], protocol, zone, true)
  end

  false
end

#IsEnabled ⇒ Boolean

Function determines if all SuSEFirewall scripts are enabled in init scripts /etc/init.d/ now. For configuration "enabled" status use GetEnableService().

Returns:

  • (Boolean)

    if enabled


# File 'library/network/src/lib/network/susefirewall.rb', line 189

# Whether the backend's systemd service is currently enabled on the system
# (not the configured value — see GetEnableService for that).
#
# @return [Boolean] false when the firewall is not installed
def IsEnabled
  return false unless SuSEFirewallIsInstalled()

  if Service.Enabled(@firewall_service)
    Builtins.y2milestone("Firewall service is enabled")
    true
  else
    Builtins.y2milestone("Firewall service is not enabled")
    false
  end
end

#IsKnownZone(zone) ⇒ Boolean

Function returns if zone (shortname like "EXT") is supported by firewall. Undefined zones are, for sure, unsupported.

Parameters:

Returns:

  • (Boolean)

    if zone is known and supported.


# File 'library/network/src/lib/network/susefirewall.rb', line 518

# Whether the zone shortname is one of the known firewall zones.
#
# @param zone [String] zone shortname (like "EXT")
# @return [Boolean]
def IsKnownZone(zone)
  Builtins.foreach(GetKnownFirewallZones()) do |known_zone|
    # first match wins; a non-local return leaves the method
    return true if known_zone == zone
  end

  false
end

#IsOtherFirewallRunning ⇒ Boolean

Function returns whether another firewall is currently running on the system. It uses the iptables command to get information about the currently active iptables rules and compares the output with the current status of the selected firewall backend.

Returns:

  • (Boolean)

    if other firewall is running


# File 'library/network/src/lib/network/susefirewall.rb', line 762

# Detects a foreign firewall: active iptables rules while our own service
# is not started. The command is a fixed string (no caller input reaches
# the shell).
#
# @return [Boolean, nil] true when rules exist and IsStarted is false,
#   false otherwise; nil when listing the rules failed
def IsOtherFirewallRunning
  # grep must return at least blank lines, else it returns 'exit 1' instead of 'exit 0'
  command = "LANG=C /usr/sbin/iptables -L -n | /usr/bin/grep -v \"^\\(Chain\\|target\\)\""

  result = Convert.to_map(SCR.Execute(path(".target.bash_output"), command))

  # error running command
  unless Ops.get_integer(result, "exit", 0) == 0
    Builtins.y2error(
      "Services Command: %1 (Exit %2) -> %3",
      command,
      Ops.get(result, "exit"),
      Ops.get(result, "stderr")
    )
    return nil
  end

  rules = Builtins.splitstring(Ops.get_string(result, "stdout", ""), "\n")
  rules = rules.reject { |line| line == "" }
  Builtins.y2milestone("Count of active iptables now: %1", rules.size)

  # rules present, but not put there by the desired firewall
  if rules.size > 0 && !IsStarted()
    Builtins.y2warning("Any other firewall is running...")
    return true
  end

  # no firewall is running or the running firewall is the desired one
  false
end

#IsStarted ⇒ Boolean

Function determines if at least one SuSEFirewall script is started now. For configuration "started" status use GetStartService().

Returns:

  • (Boolean)

    if started


# File 'library/network/src/lib/network/susefirewall.rb', line 205

# Whether the backend's systemd service is running right now (not the
# configured value — see GetStartService for that).
#
# @return [Boolean] false when not installed; always true in testsuite mode
def IsStarted
  return false unless SuSEFirewallIsInstalled()
  return true if Mode.testsuite

  Builtins.y2milestone("Checking firewall status...")
  # Service.Status returns 0 for a running service
  if Service.Status(@firewall_service) == 0
    Builtins.y2milestone("Firewall service is started")
    true
  else
    Builtins.y2milestone("Firewall service is stopped")
    false
  end
end

#IsSupportedProtocol(protocol) ⇒ Boolean

Local function returns whether the protocol is supported by the firewall. The protocol name must be in upper case.

Parameters:

Returns:

  • (Boolean)

    whether protocol is supported, that is, one of TCP, UDP, IP


# File 'library/network/src/lib/network/susefirewall.rb', line 585

# Whether the protocol is among the backend's @supported_protocols.
# Comparison is exact, so the name must be upper case ("TCP", not "tcp").
#
# @param protocol [String]
# @return [Boolean]
def IsSupportedProtocol(protocol)
  @supported_protocols.member?(protocol)
end

#RemoveAllowedPortsOrServices(remove_ports, protocol, zone, check_for_aliases) ⇒ Object

Local function removes ports and their aliases (if check_for_aliases is true) for the requested protocol and zone.

Parameters:

  • list (string)

    ports to be removed

  • protocol (String)
  • zone (String)
  • boolean

    check for port-aliases


# File 'library/network/src/lib/network/susefirewall.rb', line 651

# Removes ports (and, when requested, all their aliases) from the allowed
# list of the zone/protocol, both as plain entries and out of allowed port
# ranges, then writes the flattened result back.
#
# @param remove_ports [Array<String>] ports or port ranges to remove
# @param protocol [String] TCP, UDP, RPC or IP
# @param zone [String] zone shortname
# @param check_for_aliases [Boolean] expand each plain port into all of its
#   aliases (PortAliases) before removing
# @return [nil]
def RemoveAllowedPortsOrServices(remove_ports, protocol, zone, check_for_aliases)
  remove_ports = deep_copy(remove_ports)
  if Ops.less_than(Builtins.size(remove_ports), 1)
    Builtins.y2warning(
      "Undefined list of %1 services/ports for service",
      protocol
    )
    return
  end

  SetModified()

  # all allowed ports, split into "ports" and "port_ranges"
  allowed_services = PortRanges.DividePortsAndPortRanges(
    GetAllowedServicesForZoneProto(zone, protocol),
    false
  )

  # expand plain ports into their aliases so every spelling gets removed;
  # port ranges are passed through unchanged
  if check_for_aliases
    remove_ports_with_aliases = []
    Builtins.foreach(remove_ports) do |remove_port|
      # skip port ranges, they cannot have any port-alias
      if PortRanges.IsPortRange(remove_port)
        remove_ports_with_aliases = Builtins.add(
          remove_ports_with_aliases,
          remove_port
        )
        next
      end
      remove_these_ports = PortAliases.GetListOfServiceAliases(remove_port)
      # no aliases known: fall back to the port itself
      remove_these_ports = [remove_port] if remove_these_ports.nil?
      remove_ports_with_aliases = Convert.convert(
        Builtins.union(remove_ports_with_aliases, remove_these_ports),
        from: "list",
        to:   "list <string>"
      )
    end
    remove_ports = deep_copy(remove_ports_with_aliases)
  end
  remove_ports = Builtins.toset(remove_ports)

  # Remove ports only once (because of port aliases), any => integers and strings
  already_removed = []

  Builtins.foreach(remove_ports) do |remove_port|
    # Removing from normal ports (empty entries are dropped on the way)
    Ops.set(
      allowed_services,
      "ports",
      Builtins.filter(Ops.get(allowed_services, "ports", [])) do |allowed_port|
        allowed_port != "" && allowed_port != remove_port
      end
    )
    # Removing also from port ranges
    if Ops.get(allowed_services, "port_ranges", []) != []
      # Removing a real port from port ranges
      if !PortRanges.IsPortRange(remove_port)
        remove_port_nr = PortAliases.GetPortNumber(remove_port)
        # Because of all port aliases: every alias maps to the same number,
        # so the range is only punched once per number
        if !Builtins.contains(already_removed, remove_port_nr)
          already_removed = Builtins.add(already_removed, remove_port_nr)
          Ops.set(
            allowed_services,
            "port_ranges",
            PortRanges.RemovePortFromPortRanges(
              remove_port_nr,
              Ops.get(allowed_services, "port_ranges", [])
            )
          )
        end
      # Removing a port range from port ranges
      elsif !Builtins.contains(already_removed, remove_port)
        # Just filtering the exact port range
        Ops.set(
          allowed_services,
          "port_ranges",
          Builtins.filter(Ops.get(allowed_services, "port_ranges", [])) do |one_port_range|
            one_port_range != remove_port
          end
        )
        already_removed = Builtins.add(already_removed, remove_port)
      end
    end
  end

  # merge what is left and store it back for the zone/protocol
  allowed_services_all = Convert.convert(
    Builtins.union(
      Ops.get(allowed_services, "ports", []),
      Ops.get(allowed_services, "port_ranges", [])
    ),
    from: "list",
    to:   "list <string>"
  )

  allowed_services_all = PortRanges.FlattenServices(
    allowed_services_all,
    protocol
  )

  SetAllowedServicesForZoneProto(allowed_services_all, zone, protocol)

  nil
end

#RemoveService(service, protocol, interface) ⇒ Boolean

Function removes a service from the selected zone (or for an interface) for the selected protocol. The function takes care of port-aliases and removes all of them.

Examples:

RemoveService ("22", "TCP", "DMZ") -> true
is the same as
RemoveService ("ssh", "TCP", "DMZ") -> true

Parameters:

  • service/port (String)
  • protocol (String)

    TCP, UDP, RPC, IP

  • string

    zone name or interface name

Returns:

  • (Boolean)

    success


# File 'library/network/src/lib/network/susefirewall.rb', line 995

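# Removes a service (or port) for the given protocol from the selected
# zone, or from the zone the given interface is assigned to. Aliases are
# removed along with it (RemoveAllowedPortsOrServices with aliases on).
#
# @param service [String] service name, port name/alias or port number
# @param protocol [String] TCP, UDP, RPC or IP (must pass IsSupportedProtocol)
# @param interface [String] zone shortname (like "DMZ"), interface name
#   (like "eth0"), or "all" for every known zone
# @return [Boolean] true on success; false for an unknown protocol or for an
#   interface that is not assigned to any zone (an error popup is reported)
def RemoveService(service, protocol, interface)
  Builtins.y2milestone(
    "Removing service %1, protocol %2 from %3",
    service,
    protocol,
    interface
  )

  if !IsSupportedProtocol(protocol)
    Builtins.y2error("Unknown protocol: %1", protocol)
    return false
  end

  zones_affected = []

  # "all" means for all known zones
  if interface == "all"
    zones_affected = GetKnownFirewallZones()
  elsif IsKnownZone(interface)
    # a zone shortname
    zones_affected = [interface]
  else
    # probably an interface name: look up the zone it is assigned to.
    # Keep the interface name itself so the error below can report it
    # (overwriting `interface` with the nil lookup result used to print "nil").
    zone = GetZoneOfInterface(interface)
    # interface is not assigned to any zone
    if zone.nil?
      # TRANSLATORS: Error message, %1 = interface name (like eth0)
      Report.Error(
        Builtins.sformat(
          _(
            "Interface '%1' is not assigned to any firewall zone.\nRun YaST2 Firewall and assign it.\n"
          ),
          interface
        )
      )
      Builtins.y2warning(
        "Interface '%1' is not assigned to any firewall zone",
        interface
      )
      return false
    end
    zones_affected = [zone]
  end

  SetModified()

  # Removing the service from each mentioned zone
  Builtins.foreach(zones_affected) do |zone|
    # only when the service is currently allowed there
    if ArePortsOrServicesAllowed([service], protocol, zone, true)
      RemoveAllowedPortsOrServices([service], protocol, zone, true)
    else
      Builtins.y2milestone(
        "Port %1 has been already removed from %2",
        service,
        zone
      )
    end
  end

  true
end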

#ResetModified ⇒ Object

Do not use this function. Only for firewall installation proposal.


# File 'library/network/src/lib/network/susefirewall.rb', line 353

# Clears the modified flag. Intended only for the firewall installation
# proposal; do not use it elsewhere.
#
# @return [nil]
def ResetModified
  @modified = false
  Builtins.y2milestone("Reseting firewall-modified to 'false'")
  nil
end

#SaveAndRestartService ⇒ Boolean

Function for saving the configuration and restarting the firewall. It is the same as Write() but the write is always forced.

Returns:

  • (Boolean)

    if successful


# File 'library/network/src/lib/network/susefirewall.rb', line 569

# Forces a Write(): marks the configuration modified and the service to
# be started, then writes.
#
# @return [Boolean] whether Write() succeeded
def SaveAndRestartService
  Builtins.y2milestone("Forced save and restart")
  SetModified()
  SetStartService(true)

  Write() ? true : false
end

#SetAdditionalServices(protocol, zone, new_list_services) ⇒ Object

Function sets additional ports/services from the given list. Firstly, all additional services that are no longer wanted are removed together with their aliases. Secondly, new ports/protocols are added. It uses the GetAdditionalServices() function to get the current state and then removes what has been removed and adds what has been added.

Examples:

SetAdditionalServices ("TCP", "EXT", ["53", "128"])

Parameters:

  • protocol (String)
  • zone (String)
  • list (string)

    list of ports/protocols

See Also:

  • #GetAdditionalServices()

# File 'library/network/src/lib/network/susefirewall.rb', line 601

# Makes the zone's additional services for the protocol equal to the given
# list: entries that disappeared are removed (with aliases), new ones added.
#
# @param protocol [String] TCP, UDP, RPC or IP
# @param zone [String] zone shortname
# @param new_list_services [Array<String>] wanted ports/services
# @return [nil]
def SetAdditionalServices(protocol, zone, new_list_services)
  wanted = Builtins.toset(deep_copy(new_list_services))
  current = Builtins.toset(GetAdditionalServices(protocol, zone))

  # nothing to do (and nothing to mark modified) when the sets agree
  return nil if wanted == current

  SetModified()

  to_add = Builtins.filter(wanted) { |service| !Builtins.contains(current, service) }
  to_remove = Builtins.filter(current) { |service| !Builtins.contains(wanted, service) }

  # removals first, so a renamed entry is never left allowed twice
  if Builtins.size(to_remove) > 0
    Builtins.y2milestone(
      "Removing additional services %1/%2 from zone %3",
      to_remove,
      protocol,
      zone
    )
    RemoveAllowedPortsOrServices(to_remove, protocol, zone, true)
  end
  if Builtins.size(to_add) > 0
    Builtins.y2milestone(
      "Adding additional services %1/%2 into zone %3",
      to_add,
      protocol,
      zone
    )
    AddAllowedPortsOrServices(to_add, protocol, zone)
  end

  nil
end

#SetEnableService(enable_service) ⇒ Object

Function which sets whether SuSEfirewall should be enabled in the Write process

Parameters:

  • boolean

    start_service at Write() process


# File 'library/network/src/lib/network/susefirewall.rb', line 98

# Records whether the firewall service should be enabled during Write().
# The modified flag is only raised when the value actually changes.
#
# @param enable_service [Boolean]
# @return [nil]
def SetEnableService(enable_service)
  unless SuSEFirewallIsSelectedOrInstalled()
    Builtins.y2warning("Cannot set SetEnableService")
    return nil
  end

  if GetEnableService() == enable_service
    # already in the requested state: log it, but do not touch the modified flag
    Builtins.y2milestone(
      "enable-firewall has been already set to %1",
      enable_service
    )
  else
    Builtins.y2milestone("Setting enable-firewall to %1", enable_service)
    SetModified()
  end

  Ops.set(@SETTINGS, "enable_firewall", enable_service)
  nil
end

#SetInstallPackagesIfMissing(new_status) ⇒ Object

By default the firewall packages are only checked for being installed. With this function you can change the behavior so that installing the packages is offered as well.

Parameters:

  • new_status, (Boolean)

    'true' if packages should be offered for installation


# File 'library/network/src/lib/network/susefirewall.rb', line 375

# Switches between merely checking for the firewall packages and offering
# to install them when missing.
#
# @param new_status [Boolean] true to offer installation; nil is rejected
#   with an error log and leaves the setting untouched
# @return [nil]
def SetInstallPackagesIfMissing(new_status)
  if new_status.nil?
    Builtins.y2error("Wrong value: %1", new_status)
    return
  end

  @check_and_install_package = new_status

  message =
    if @check_and_install_package
      "Firewall packages will installed if missing"
    else
      "Firewall packages will not be installed even if missing"
    end
  Builtins.y2milestone(message)

  nil
end

#SetModifiedObject

Sets the internal flag indicating that the firewall settings were modified to "true".


# File 'library/network/src/lib/network/susefirewall.rb', line 345

# Marks the in-memory firewall settings as dirty, so that a later Write()
# knows there is something to persist.
#
# @return [nil]
def SetModified
  @modified = true
  nil
end

#SetServices(services_ids, interfaces, new_status) ⇒ Boolean

Function sets status for several services on several network interfaces.

Examples:

// Disabling services
SetServices (["samba-server", "service:irc-server"], ["eth1", "modem0"], false)
// Enabling services
SetServices (["samba-server", "service:irc-server"], ["eth1", "modem0"], true)

Parameters:

  • list (string)

    service ids

  • list (string)

    network interfaces

  • boolean

    new status of services

Returns:

  • (Boolean)

true if successful

See Also:

  • #SetServicesForZones()

# File 'library/network/src/lib/network/susefirewall.rb', line 328

# Sets the status of several services on the zones that the given
# interfaces belong to.
#
# Interfaces are first mapped to firewall zones; when none of them is
# assigned to a zone the call fails without touching the settings.
# The modified flag is raised before delegating to SetServicesForZones,
# whose return value is passed through as the result.
#
# @param services_ids [Array<String>] service ids
# @param interfaces [Array<String>] network interface names
# @param new_status [Boolean] new status of the services
# @return [Boolean] result of SetServicesForZones, false if no zone matched
def SetServices(services_ids, interfaces, new_status)
  zones = GetZonesOfInterfacesWithAnyFeatureSupported(interfaces)

  # Builtins.size is kept deliberately: it tolerates a nil result
  if Builtins.size(zones) == 0
    Builtins.y2error(
      "Interfaces '%1' are not in any group of interfaces",
      interfaces
    )
    return false
  end

  SetModified()
  SetServicesForZones(services_ids, zones, new_status)
end

#SetStartService(start_service) ⇒ Object

Function which sets whether SuSEfirewall should be started in the Write process.

Parameters:

  • start_service (Boolean)

    at Write() process

See Also:

  • #GetStartService()

# File 'library/network/src/lib/network/susefirewall.rb', line 61

# Stores the desired "start-firewall" value in @SETTINGS so that a later
# Write() can act on it. The service is not started here.
#
# The modified flag is raised only when the value actually changes, so a
# repeated call with the same value does not force a Write().
#
# @param start_service [Boolean] whether the firewall should be started at Write()
# @return [nil]
def SetStartService(start_service)
  unless SuSEFirewallIsSelectedOrInstalled()
    Builtins.y2warning("Cannot set SetStartService")
    return nil
  end

  if GetStartService() == start_service
    # Same value as before: log it but leave the modified flag untouched
    Builtins.y2milestone(
      "start-firewall has been already set to %1",
      start_service
    )
  else
    SetModified()
    Builtins.y2milestone("Setting start-firewall to %1", start_service)
  end

  Ops.set(@SETTINGS, "start_firewall", start_service)
  nil
end

#StartServicesBoolean

Starts the service needed by SuSEFirewall.

Returns:

  • (Boolean)

    result


# File 'library/network/src/lib/network/susefirewall.rb', line 124

# Starts the firewall backend service (@firewall_service).
#
# In the testsuite no service is touched and success is reported. When the
# backend package is not installed the start is not even attempted.
#
# @return [Boolean] true if the service was started (or in testsuite mode)
def StartServices
  return true if Mode.testsuite
  return false unless SuSEFirewallIsInstalled()

  unless Service.Start(@firewall_service)
    Builtins.y2error("Cannot start service %1", @firewall_service)
    return false
  end

  Builtins.y2milestone("Started")
  true
end

#StopServicesBoolean

Stops the service needed by SuSEFirewall.

Returns:

  • (Boolean)

    result


# File 'library/network/src/lib/network/susefirewall.rb', line 141

# Stops the firewall backend service (@firewall_service).
#
# In the testsuite no service is touched and success is reported. When the
# backend package is not installed there is nothing to stop and false is
# returned.
#
# @return [Boolean] true if the service was stopped (or in testsuite mode)
def StopServices
  return true if Mode.testsuite
  return false unless SuSEFirewallIsInstalled()

  unless Service.Stop(@firewall_service)
    Builtins.y2error("Could not stop service %1", @firewall_service)
    return false
  end

  Builtins.y2milestone("Stopped")
  true
end

#SuSEFirewallIsInstalledBoolean

Returns whether all needed packages are installed

Returns:

  • (Boolean)

    whether the selected firewall backend is installed


# File 'library/network/src/lib/network/susefirewall.rb', line 551

# Checks whether the firewall backend package (@FIREWALL_PACKAGE) is
# installed, caching a positive result in @needed_packages_installed.
#
# Note that this is not a pure predicate: on a running system (Mode.normal)
# it goes through PackageSystem.CheckAndInstallPackages, which may offer to
# install the missing package; in every other mode only the installed
# state is queried.
#
# @return [Boolean] whether the backend package is installed
def SuSEFirewallIsInstalled
  return true if @needed_packages_installed

  @needed_packages_installed =
    if Mode.normal
      # May interact with the user to install the package
      PackageSystem.CheckAndInstallPackages([@FIREWALL_PACKAGE]).tap do |installed|
        log.info "CheckAndInstallPackages -> #{installed}"
      end
    else
      PackageSystem.Installed(@FIREWALL_PACKAGE).tap do |installed|
        log.info "Installed -> #{installed}"
      end
    end

  @needed_packages_installed
end

#SuSEFirewallIsSelectedOrInstalledBoolean

Returns whether all needed packages are installed (or selected for installation)

Returns:

  • (Boolean)

    whether the selected firewall backend is installed


# File 'library/network/src/lib/network/susefirewall.rb', line 535

# Like SuSEFirewallIsInstalled, but during the initial installation stage
# a backend package that is merely selected for installation also counts.
#
# A cached positive result in @needed_packages_installed short-circuits
# everything; otherwise the decision falls through to
# SuSEFirewallIsInstalled.
#
# @return [Boolean] whether the backend package is installed or selected
def SuSEFirewallIsSelectedOrInstalled
  return true if @needed_packages_installed

  # Only in Stage.initial can a package be scheduled but not yet on disk
  return SuSEFirewallIsInstalled() unless Stage.initial

  selected = Pkg.IsSelected(@FIREWALL_PACKAGE)
  log.info "Selected for installation -> #{selected}"
  return true if selected

  SuSEFirewallIsInstalled()
end