Class: Yast::SuSEFirewallClass

Inherits:
Module
  • Object
show all
Includes:
Logger
Defined in:
library/network/src/lib/network/susefirewall.rb

Overview

Factory for construction of appropriate firewall object based on desired backend.

Direct Known Subclasses

SuSEFirewall2Class, SuSEFirewalldClass

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initializeSuSEFirewallClass

Returns a new instance of SuSEFirewallClass



47
48
49
# File 'library/network/src/lib/network/susefirewall.rb', line 47

def initialize
  textdomain "base"
end

Instance Attribute Details

#firewall_serviceString (readonly)

Returns the systemd service name: “firewalld” or “SuSEfirewall2”

Returns:

  • (String)

    the systemd service name: “firewalld” or “SuSEfirewall2”



37
38
39
# File 'library/network/src/lib/network/susefirewall.rb', line 37

def firewall_service
  @firewall_service
end

Instance Method Details

#AddService(service, protocol, interface) ⇒ Boolean

Function adds service into selected zone (or zone of interface) for selected protocol. Function take care about port-aliases, first of all, removes all of them.

AddService (“ssh”, “TCP”, “EXT”) AddService (“ssh”, “TCP”, “dsl0”)

Parameters:

  • service/port (String)
  • protocol (String)

    TCP, UDP, RPC, IP

  • string

    zone name or interface name

Returns:

  • (Boolean)

    success



927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
# File 'library/network/src/lib/network/susefirewall.rb', line 927

def AddService(service, protocol, interface)
  Builtins.y2milestone(
    "Adding service %1, protocol %2 to %3",
    service,
    protocol,
    interface
  )

  if !IsSupportedProtocol(protocol)
    Builtins.y2error("Unknown protocol: %1", protocol)
    return false
  end

  zones_affected = []

  # "all" means for all known zones
  if interface == "all"
    zones_affected = GetKnownFirewallZones()

    # zone or interface name
  else
    # is probably an interface name
    if !IsKnownZone(interface)
      # interface is probably interface-name, checking for respective zone
      interface = GetZoneOfInterface(interface)
      # interface is not assigned to any zone
      if interface.nil?
        # TRANSLATORS: Error message, %1 = interface name (like eth0)
        Report.Error(
          Builtins.sformat(
            _(
              "Interface '%1' is not assigned to any firewall zone.\nRun YaST2 Firewall and assign it.\n"
            ),
            interface
          )
        )
        Builtins.y2warning(
          "Interface '%1' is not assigned to any firewall zone",
          interface
        )
        return false
      end
    end
    zones_affected = [interface]
  end

  SetModified()

  # Adding service support into each mentioned zone
  Builtins.foreach(zones_affected) do |zone|
    # If there isn't already
    if !ArePortsOrServicesAllowed([service], protocol, zone, true)
      AddAllowedPortsOrServices([service], protocol, zone)
    else
      Builtins.y2milestone(
        "Port %1 has been already allowed in %2",
        service,
        zone
      )
    end
  end

  true
end

#AddXenSupportObject

Function adds a special interface 'xenbr+' into the FW_FORWARD_ALWAYS_INOUT_DEV variable.



1073
1074
1075
1076
1077
1078
1079
# File 'library/network/src/lib/network/susefirewall.rb', line 1073

def AddXenSupport
  Builtins.y2milestone(
    "The whole functionality is currently handled by SuSEfirewall2 itself"
  )

  nil
end

#ArePortsOrServicesAllowed(needed_ports, protocol, zone, check_for_aliases) ⇒ Object



816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
# File 'library/network/src/lib/network/susefirewall.rb', line 816

def ArePortsOrServicesAllowed(needed_ports, protocol, zone, check_for_aliases)
  needed_ports = deep_copy(needed_ports)
  are_allowed = true

  if Ops.less_than(Builtins.size(needed_ports), 1)
    Builtins.y2warning(
      "Undefined list of %1 services/ports for service",
      protocol
    )
    return true
  end

  allowed_ports = {}
  # BTW: only TCP and UDP ports can have aliases and only TCP and UDP ports can have port ranges
  if check_for_aliases
    allowed_ports = PortRanges.DividePortsAndPortRanges(
      GetAllowedServicesForZoneProto(zone, protocol),
      true
    )
  else
    Ops.set(
      allowed_ports,
      "ports",
      GetAllowedServicesForZoneProto(zone, protocol)
    )
  end

  Builtins.foreach(needed_ports) do |needed_port|
    if !Builtins.contains(Ops.get(allowed_ports, "ports", []), needed_port) &&
        !PortRanges.PortIsInPortranges(
          needed_port,
          Ops.get(allowed_ports, "port_ranges", [])
        )
      are_allowed = false
      raise Break
    end
  end

  are_allowed
end

#DisableServicesBoolean

Functions disables services needed for SuSEFirewall in /etc/inet.d/

Returns:

  • (Boolean)

    result



177
178
179
180
181
182
183
184
# File 'library/network/src/lib/network/susefirewall.rb', line 177

def DisableServices
  return false if !SuSEFirewallIsInstalled()

  return true if Service.Disable(@firewall_service)

  Report.LongError(Service.Error)
  false
end

#EnableServicesBoolean

Functions enables services needed for SuSEFirewall in /etc/inet.d/

Returns:

  • (Boolean)

    result



160
161
162
163
164
165
166
167
168
169
170
171
172
# File 'library/network/src/lib/network/susefirewall.rb', line 160

def EnableServices
  all_ok = true

  return false if !SuSEFirewallIsInstalled()

  if !Service.Enable(@firewall_service)
    all_ok = true
    # TRANSLATORS: a popup error message
    Report.LongError(Service.Error)
  end

  all_ok
end

#GetAllKnownInterfacesArray<Hash{String => String>}

Function returns list of maps of known interfaces.

*Structure:*

[ $[ "id":"modem1", "name":"Askey 815C", "type":"dialup", "zone":"EXT" ], ... ]

Returns:



403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
# File 'library/network/src/lib/network/susefirewall.rb', line 403

def GetAllKnownInterfaces
  known_interfaces = []

  # All dial-up interfaces
  dialup_interfaces = NetworkInterfaces.List("dialup")
  dialup_interfaces = [] if dialup_interfaces.nil?

  # bugzilla #303858 - wrong values from NetworkInterfaces
  dialup_interfaces = Builtins.filter(dialup_interfaces) do |one_iface|
    if one_iface.nil? || one_iface == ""
      Builtins.y2error("Wrong interface definition '%1'", one_iface)
      next false
    end
    true
  end

  dialup_interfaces = Builtins.filter(dialup_interfaces) do |interface|
    interface != "" && !Builtins.issubstring(interface, "lo") &&
      !Builtins.issubstring(interface, "sit")
  end

  # All non-dial-up interfaces
  non_dialup_interfaces = NetworkInterfaces.List("")
  non_dialup_interfaces = [] if non_dialup_interfaces.nil?

  # bugzilla #303858 - wrong values from NetworkInterfaces
  non_dialup_interfaces = Builtins.filter(non_dialup_interfaces) do |one_iface|
    if one_iface.nil? || one_iface == ""
      Builtins.y2error("Wrong interface definition '%1'", one_iface)
      next false
    end
    true
  end

  non_dialup_interfaces = Builtins.filter(non_dialup_interfaces) do |interface|
    interface != "" && !Builtins.issubstring(interface, "lo") &&
      !Builtins.issubstring(interface, "sit") &&
      !Builtins.contains(dialup_interfaces, interface)
  end

  Builtins.foreach(dialup_interfaces) do |interface|
    known_interfaces = Builtins.add(
      known_interfaces,

      "id"   => interface,
      "type" => "dialup",
      # using function to get name
      "name" => NetworkInterfaces.GetValue(
        interface,
        "NAME"
      ),
      "zone" => GetZoneOfInterface(interface)

    )
  end

  Builtins.foreach(non_dialup_interfaces) do |interface|
    known_interfaces = Builtins.add(
      known_interfaces,

      "id"   => interface,
      # using function to get name
      "name" => NetworkInterfaces.GetValue(
        interface,
        "NAME"
      ),
      "zone" => GetZoneOfInterface(interface)

    )
  end

  deep_copy(known_interfaces)
end

#GetEnableServiceBoolean

Function which returns whether SuSEfirewall should be enabled in /etc/init.d/ starting scripts during the Write() process

Returns:

  • (Boolean)

    if the firewall should start

See Also:

  • #Write()
  • #EnableServices()


93
94
95
# File 'library/network/src/lib/network/susefirewall.rb', line 93

def GetEnableService
  Ops.get_boolean(@SETTINGS, "enable_firewall", false)
end

#GetKnownFirewallZonesArray<String>

Function returns list of known firewall zones (shortnames)

Examples:

GetKnownFirewallZones() -> [“DMZ”, “EXT”, “INT”]

Returns:

  • (Array<String>)

    of firewall zones



227
228
229
# File 'library/network/src/lib/network/susefirewall.rb', line 227

def GetKnownFirewallZones
  deep_copy(@known_firewall_zones)
end

#GetListOfKnownInterfacesArray<String>

Function returns list of all known interfaces.

Examples:

GetListOfKnownInterfaces() -> [“eth1”, “eth2”, “modem0”, “dsl5”]

Returns:

  • (Array<String>)

    of interfaces



481
482
483
# File 'library/network/src/lib/network/susefirewall.rb', line 481

def GetListOfKnownInterfaces
  GetAllKnownInterfaces().map { |i| i["id"] }
end

#GetModifiedBoolean

Functions returns whether any firewall's configuration was modified.

Returns:

  • (Boolean)

    if the configuration was modified



364
365
366
367
368
369
# File 'library/network/src/lib/network/susefirewall.rb', line 364

def GetModified
  Yast.import "SuSEFirewallServices"
  # Changed SuSEFirewall or
  # Changed SuSEFirewallServices (needs resatrting as well)
  @modified || SuSEFirewallServices.GetModified
end

#GetServices(services) ⇒ Hash <String, Hash{String => Boolean>}

Function returns map of supported services in all firewall zones.

*Structure:*

	Returns $[service : $[ zone_name : supported_status]]

Examples:

// Firewall in not protected from internal zone, that's why
// all services report that they are enabled in INT zone
GetServices (["samba-server", "service:irc-server"]) -> $[
  "samba-server" : $["DMZ":false, "EXT":false, "INT":true],
  "service:irc-server" : $["DMZ":false, "EXT":true, "INT":true]
]

Parameters:

  • list (string)

    of services

Returns:



248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
# File 'library/network/src/lib/network/susefirewall.rb', line 248

def GetServices(services)
  services = deep_copy(services)
  # $[ service : $[ firewall_zone : status ]]
  services_status = {}

  # for all services requested
  Builtins.foreach(services) do |service|
    Ops.set(services_status, service, {})
    # for all zones in configuration
    Builtins.foreach(GetKnownFirewallZones()) do |zone|
      Ops.set(
        services_status,
        [service, zone],
        IsServiceSupportedInZone(service, zone)
      )
    end
  end

  deep_copy(services_status)
end

#GetServicesInZones(services) ⇒ Hash <String, Hash{String => Boolean} >

Function returns map of supported services all network interfaces.

*Structure:*

	Returns $[service : $[ interface : supported_status ]]

GetServicesInZones ([“service:irc-server”]) -> $[“service:irc-server”:$]

// No such service "something"

GetServicesInZones ([“something”])) -> $[“something”:$]

GetServicesInZones (["samba-server"]) -> $["samba-server":$["eth1":false]]

Parameters:

  • list (string)

    of services

Returns:



284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
# File 'library/network/src/lib/network/susefirewall.rb', line 284

def GetServicesInZones(services)
  services = deep_copy(services)
  # list of interfaces for each zone
  interfaces_in_zone = {}

  GetListOfKnownInterfaces().each do |i|
    z = GetZoneOfInterface(i)
    next if z.nil? || z.empty?
    interfaces_in_zone[z] ||= []
    interfaces_in_zone[z] << i
  end

  # $[ service : $[ network_interface : status ]]
  services_status = {}

  # for all services requested
  Builtins.foreach(services) do |service|
    Ops.set(services_status, service, {})
    # for all zones in configuration
    Builtins.foreach(interfaces_in_zone) do |zone, interfaces|
      status = IsServiceSupportedInZone(service, zone)
      # for all interfaces in zone
      Builtins.foreach(interfaces) do |interface|
        Ops.set(services_status, [service, interface], status)
      end
    end
  end

  deep_copy(services_status)
end

#GetStartServiceBoolean

Function which returns if SuSEfirewall2 should start in Write process. In fact it means that SuSEfirewall2 will at the end.

Returns:

  • (Boolean)

    if the firewall should start



55
56
57
# File 'library/network/src/lib/network/susefirewall.rb', line 55

def GetStartService
  Ops.get_boolean(@SETTINGS, "start_firewall", false)
end

#GetZoneFullName(zone) ⇒ String

Function returns localized name of the zone identified by zone shortname.

Examples:

LANG=en_US GetZoneFullName ("EXT") -> "External Zone"
LANG=cs_CZ GetZoneFullName ("EXT") -> "Externí Zóna"

Parameters:

  • string

    short name

Returns:



513
514
515
516
# File 'library/network/src/lib/network/susefirewall.rb', line 513

def GetZoneFullName(zone)
  # TRANSLATORS: Firewall zone full-name, used as combo box item or dialog title
  Ops.get(@zone_names, zone, _("Unknown Zone"))
end

#GetZonesOfInterfaces(interfaces) ⇒ Array<String>

Function returns list of zones of requested interfaces

GetZonesOfInterfaces ([“eth1”,“eth4”]) -> [“DMZ”, “EXT”]

Parameters:

Returns:

  • (Array<String>)

    firewall zones



492
493
494
495
496
497
498
499
500
501
502
503
# File 'library/network/src/lib/network/susefirewall.rb', line 492

def GetZonesOfInterfaces(interfaces)
  interfaces = deep_copy(interfaces)
  zones = []
  zone = ""

  Builtins.foreach(interfaces) do |interface|
    zone = GetZoneOfInterface(interface)
    zones = Builtins.add(zones, zone) if !zone.nil?
  end

  Builtins.toset(zones)
end

#HaveService(service, protocol, interface) ⇒ Boolean

Function returns if requested service is allowed in respective zone. Function takes care for service's aliases (only for TCP and UDP). Service is defined by set of parameters such as port and protocol.

HaveService (“ssh”, “TCP”, “EXT”) -> true HaveService (“ssh”, “TCP”, “modem0”) -> false HaveService (“53”, “UDP”, “dsl”) -> false

Parameters:

  • service (String)

    (service name, port name, port alias or port number)

  • protocol (String)

    TCP, UDP, RCP or IP

  • interface (String)

    name (like modem0), firewall zone (like “EXT”) or “any” for all zones.

Returns:

  • (Boolean)

    if service is allowed



870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
# File 'library/network/src/lib/network/susefirewall.rb', line 870

def HaveService(service, protocol, interface)
  if !IsSupportedProtocol(protocol)
    Builtins.y2error("Unknown protocol: %1", protocol)
    return nil
  end

  # definition of searched zones
  zones = []

  # "any" for all zones, this is ugly
  if interface == "any"
    zones = GetKnownFirewallZones()
    # string interface is the zone name
  elsif IsKnownZone(interface)
    zones = Builtins.add(zones, interface)
    # interface is the interface name
  else
    interface = GetZoneOfInterface(interface)
    zones = Builtins.add(zones, interface) if !interface.nil?
  end

  # SuSEFirewall feature FW_PROTECT_FROM_INT
  # should not be protected and searched zones include also internal (or the zone IS internal, sure)
  if !GetProtectFromInternalZone() &&
      Builtins.contains(zones, @int_zone_shortname)
    Builtins.y2milestone(
      "Checking for service '%1', in '%2', PROTECT_FROM_INTERNAL='no' => allowed",
      service,
      interface
    )
    return true
  end

  # Check and return whether the service (port) is supported anywhere
  ret = false
  Builtins.foreach(zones) do |zone|
    # This function can also handle port ranges
    if ArePortsOrServicesAllowed([service], protocol, zone, true)
      ret = true
      raise Break
    end
  end

  ret
end

#IsEnabledBoolean

Function determines if all SuSEFirewall scripts are enabled in init scripts /etc/init.d/ now. For configuration “enabled” status use GetEnableService().

Returns:

  • (Boolean)

    if enabled



191
192
193
194
195
196
197
198
199
200
201
# File 'library/network/src/lib/network/susefirewall.rb', line 191

def IsEnabled
  return false if !SuSEFirewallIsInstalled()

  if Service.Enabled(@firewall_service)
    Builtins.y2milestone("Firewall service is enabled")
    return true
  else
    Builtins.y2milestone("Firewall service is not enabled")
    return false
  end
end

#IsKnownZone(zone) ⇒ Boolean

Function returns if zone (shortname like “EXT”) is supported by firewall. Undefined zones are, for sure, unsupported.

Parameters:

Returns:

  • (Boolean)

    if zone is known and supported.



523
524
525
526
527
528
529
530
531
532
533
534
# File 'library/network/src/lib/network/susefirewall.rb', line 523

def IsKnownZone(zone)
  is_zone = false

  Builtins.foreach(GetKnownFirewallZones()) do |known_zone|
    if known_zone == zone
      is_zone = true
      raise Break
    end
  end

  is_zone
end

#IsOtherFirewallRunningBoolean

Function returns if another firewall is currently running on the system. It uses command `iptables` to get information about just active iptables rules and compares the output with current status of the selected firewall backend

Returns:

  • (Boolean)

    if other firewall is running



771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
# File 'library/network/src/lib/network/susefirewall.rb', line 771

def IsOtherFirewallRunning
  any_firewall_running = true

  # grep must return at least blank lines, else it returns 'exit 1' instead of 'exit 0'
  command = "LANG=C iptables -L -n | grep -v \"^\\(Chain\\|target\\)\""

  iptables = Convert.to_map(
    SCR.Execute(path(".target.bash_output"), command)
  )
  if Ops.get_integer(iptables, "exit", 0) == 0
    iptables_list = Builtins.splitstring(
      Ops.get_string(iptables, "stdout", ""),
      "\n"
    )
    iptables_list = Builtins.filter(iptables_list) do |iptable_rule|
      iptable_rule != ""
    end

    Builtins.y2milestone(
      "Count of active iptables now: %1",
      Builtins.size(iptables_list)
    )

    # any iptables rule exist?
    any_firewall_running = Ops.greater_than(Builtins.size(iptables_list), 0)
  else
    # error running command
    Builtins.y2error(
      "Services Command: %1 (Exit %2) -> %3",
      command,
      Ops.get(iptables, "exit"),
      Ops.get(iptables, "stderr")
    )
    return nil
  end

  # any firewall is running but it is not desired one
  if any_firewall_running && !IsStarted()
    Builtins.y2warning("Any other firewall is running...")
    return true
  end
  # no firewall is running or the running firewall the desired one
  false
end

#IsStartedBoolean

Function determines if at least one SuSEFirewall script is started now. For configuration “started” status use GetStartService().

Returns:

  • (Boolean)

    if started



207
208
209
210
211
212
213
214
215
216
217
218
219
220
# File 'library/network/src/lib/network/susefirewall.rb', line 207

def IsStarted
  return false if !SuSEFirewallIsInstalled()

  return true if Mode.testsuite

  Builtins.y2milestone("Checking firewall status...")
  if Service.Status(@firewall_service) == 0
    Builtins.y2milestone("Firewall service is started")
    return true
  else
    Builtins.y2milestone("Firewall service is stopped")
    return false
  end
end

#IsSupportedProtocol(protocol) ⇒ Boolean

Local function returns if protocol is supported by firewall. Protocol name must be in upper-cases.

Parameters:

Returns:

  • (Boolean)

    whether protocol is supported, that is, one of TCP, UDP, IP



590
591
592
# File 'library/network/src/lib/network/susefirewall.rb', line 590

def IsSupportedProtocol(protocol)
  @supported_protocols.include?(protocol)
end

#RemoveAllowedPortsOrServices(remove_ports, protocol, zone, check_for_aliases) ⇒ Object

Local function removes ports and their aliases (if check_for_aliases is true), for requested protocol and zone.

Parameters:

  • list (string)

    ports to be removed

  • protocol (String)
  • zone (String)
  • boolean

    check for port-aliases



660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
# File 'library/network/src/lib/network/susefirewall.rb', line 660

def RemoveAllowedPortsOrServices(remove_ports, protocol, zone, check_for_aliases)
  remove_ports = deep_copy(remove_ports)
  if Ops.less_than(Builtins.size(remove_ports), 1)
    Builtins.y2warning(
      "Undefined list of %1 services/ports for service",
      protocol
    )
    return
  end

  SetModified()

  # all allowed ports
  allowed_services = PortRanges.DividePortsAndPortRanges(
    GetAllowedServicesForZoneProto(zone, protocol),
    false
  )

  # removing all aliases of ports too, adding aliases into
  if check_for_aliases
    remove_ports_with_aliases = []
    Builtins.foreach(remove_ports) do |remove_port|
      # skip port ranges, they cannot have any port-alias
      if PortRanges.IsPortRange(remove_port)
        remove_ports_with_aliases = Builtins.add(
          remove_ports_with_aliases,
          remove_port
        )
        next
      end
      remove_these_ports = PortAliases.GetListOfServiceAliases(remove_port)
      remove_these_ports = [remove_port] if remove_these_ports.nil?
      remove_ports_with_aliases = Convert.convert(
        Builtins.union(remove_ports_with_aliases, remove_these_ports),
        from: "list",
        to:   "list <string>"
      )
    end
    remove_ports = deep_copy(remove_ports_with_aliases)
  end
  remove_ports = Builtins.toset(remove_ports)

  # Remove ports only once (because of port aliases), any => integers and strings
  already_removed = []

  Builtins.foreach(remove_ports) do |remove_port|
    # Removing from normal ports
    Ops.set(
      allowed_services,
      "ports",
      Builtins.filter(Ops.get(allowed_services, "ports", [])) do |allowed_port|
        allowed_port != "" && allowed_port != remove_port
      end
    )
    # Removing also from port ranges
    if Ops.get(allowed_services, "port_ranges", []) != []
      # Removing a real port from port ranges
      if !PortRanges.IsPortRange(remove_port)
        remove_port_nr = PortAliases.GetPortNumber(remove_port)
        # Because of all port aliases
        if !Builtins.contains(already_removed, remove_port_nr)
          already_removed = Builtins.add(already_removed, remove_port_nr)
          Ops.set(
            allowed_services,
            "port_ranges",
            PortRanges.RemovePortFromPortRanges(
              remove_port_nr,
              Ops.get(allowed_services, "port_ranges", [])
            )
          )
        end
      # Removing a port range from port ranges
      elsif !Builtins.contains(already_removed, remove_port)
        # Just filtering the exact port range
        Ops.set(
          allowed_services,
          "port_ranges",
          Builtins.filter(Ops.get(allowed_services, "port_ranges", [])) do |one_port_range|
            one_port_range != remove_port
          end
        )
        already_removed = Builtins.add(already_removed, remove_port)
      end
    end
  end

  allowed_services_all = Convert.convert(
    Builtins.union(
      Ops.get(allowed_services, "ports", []),
      Ops.get(allowed_services, "port_ranges", [])
    ),
    from: "list",
    to:   "list <string>"
  )

  allowed_services_all = PortRanges.FlattenServices(
    allowed_services_all,
    protocol
  )

  SetAllowedServicesForZoneProto(allowed_services_all, zone, protocol)

  nil
end

#RemoveService(service, protocol, interface) ⇒ Boolean

Function removes service from selected zone (or for interface) for selected protocol. Function takes care about port-aliases, removes all of them.

RemoveService (“22”, “TCP”, “DMZ”) -> true

is the same as

RemoveService (“ssh”, “TCP”, “DMZ”) -> true

Parameters:

  • service/port (String)
  • protocol (String)

    TCP, UDP, RPC, IP

  • string

    zone name or interface name

Returns:

  • (Boolean)

    success



1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
# File 'library/network/src/lib/network/susefirewall.rb', line 1004

def RemoveService(service, protocol, interface)
  Builtins.y2milestone(
    "Removing service %1, protocol %2 from %3",
    service,
    protocol,
    interface
  )

  if !IsSupportedProtocol(protocol)
    Builtins.y2error("Unknown protocol: %1", protocol)
    return false
  end

  zones_affected = []

  # "all" means for all known zones
  if interface == "all"
    zones_affected = GetKnownFirewallZones()

    # zone or interface name
  else
    if !IsKnownZone(interface)
      # interface is probably interface-name, checking for respective zone
      interface = GetZoneOfInterface(interface)
      # interface is not assigned to any zone
      if interface.nil?
        # TRANSLATORS: Error message, %1 = interface name (like eth0)
        Report.Error(
          Builtins.sformat(
            _(
              "Interface '%1' is not assigned to any firewall zone.\nRun YaST2 Firewall and assign it.\n"
            ),
            interface
          )
        )
        Builtins.y2warning(
          "Interface '%1' is not assigned to any firewall zone",
          interface
        )
        return false
      end
    end
    zones_affected = [interface]
  end

  SetModified()

  # Adding service support into each mentioned zone
  Builtins.foreach(zones_affected) do |zone|
    # if the service is allowed
    if ArePortsOrServicesAllowed([service], protocol, zone, true)
      RemoveAllowedPortsOrServices([service], protocol, zone, true)
    else
      Builtins.y2milestone(
        "Port %1 has been already removed from %2",
        service,
        zone
      )
    end
  end

  true
end

#ResetModifiedObject

Do not use this function. Only for firewall installation proposal.



354
355
356
357
358
359
# File 'library/network/src/lib/network/susefirewall.rb', line 354

def ResetModified
  Builtins.y2milestone("Reseting firewall-modified to 'false'")
  @modified = false

  nil
end

#SaveAndRestartServiceBoolean

Function for saving configuration and restarting firewall. Is is the same as Write() but write is allways forced.

Returns:

  • (Boolean)

    if successful



574
575
576
577
578
579
580
581
582
583
# File 'library/network/src/lib/network/susefirewall.rb', line 574

def SaveAndRestartService
  Builtins.y2milestone("Forced save and restart")
  SetModified()

  SetStartService(true)

  return false if !Write()

  true
end

#SetAdditionalServices(protocol, zone, new_list_services) ⇒ Object

Function sets additional ports/services from taken list. Firstly, all additional services are removed also with their aliases. Secondly new ports/protocols are added. It uses GetAdditionalServices() function to get the current state and then it removes what has been removed and adds what has been added.

SetAdditionalServices (“TCP”, “EXT”, [“53”, “128”])

Parameters:

  • protocol (String)
  • zone (String)
  • list (string)

    list of ports/protocols

See Also:

  • #GetAdditionalServices()


606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
# File 'library/network/src/lib/network/susefirewall.rb', line 606

def SetAdditionalServices(protocol, zone, new_list_services)
  new_list_services = deep_copy(new_list_services)
  old_list_services = Builtins.toset(GetAdditionalServices(protocol, zone))
  new_list_services = Builtins.toset(new_list_services)

  if new_list_services != old_list_services
    SetModified()

    add_services = []
    remove_services = []

    # Add these services
    Builtins.foreach(new_list_services) do |service|
      if !Builtins.contains(old_list_services, service)
        add_services = Builtins.add(add_services, service)
      end
    end
    # Remove these services
    Builtins.foreach(old_list_services) do |service|
      if !Builtins.contains(new_list_services, service)
        remove_services = Builtins.add(remove_services, service)
      end
    end

    if Ops.greater_than(Builtins.size(remove_services), 0)
      Builtins.y2milestone(
        "Removing additional services %1/%2 from zone %3",
        remove_services,
        protocol,
        zone
      )
      RemoveAllowedPortsOrServices(remove_services, protocol, zone, true)
    end
    if Ops.greater_than(Builtins.size(add_services), 0)
      Builtins.y2milestone(
        "Adding additional services %1/%2 into zone %3",
        add_services,
        protocol,
        zone
      )
      AddAllowedPortsOrServices(add_services, protocol, zone)
    end
  end

  nil
end

#SetEnableService(enable_service) ⇒ Object

Function which sets if SuSEfirewall should start in Write process

Parameters:

  • boolean

    start_service at Write() process



100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
# File 'library/network/src/lib/network/susefirewall.rb', line 100

def SetEnableService(enable_service)
  if !SuSEFirewallIsSelectedOrInstalled()
    Builtins.y2warning("Cannot set SetEnableService")
    return nil
  end

  if GetEnableService() != enable_service
    SetModified()

    Builtins.y2milestone("Setting enable-firewall to %1", enable_service)
  else
    # without set modified
    Builtins.y2milestone(
      "enable-firewall has been already set to %1",
      enable_service
    )
  end

  Ops.set(@SETTINGS, "enable_firewall", enable_service)

  nil
end

#SetInstallPackagesIfMissing(new_status) ⇒ Object

By default Firewall packages are just checked whether they are installed. With this function, you can change the behavior to also offer installing the packages.

Parameters:

  • new_status, (Boolean)

    'true' if packages should be offered for installation



376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
# File 'library/network/src/lib/network/susefirewall.rb', line 376

def SetInstallPackagesIfMissing(new_status)
  if new_status.nil?
    Builtins.y2error("Wrong value: %1", new_status)
    return
  end

  @check_and_install_package = new_status

  if @check_and_install_package
    Builtins.y2milestone("Firewall packages will installed if missing")
  else
    Builtins.y2milestone(
      "Firewall packages will not be installed even if missing"
    )
  end

  nil
end

#SetModifiedObject

Function sets internal variable, which indicates, that any “firewall settings were modified”, to “true”.



346
347
348
349
350
# File 'library/network/src/lib/network/susefirewall.rb', line 346

def SetModified
  @modified = true

  nil
end

#SetServices(services_ids, interfaces, new_status) ⇒ Boolean

Function sets status for several services on several network interfaces.

SetServices ([“samba-server”, “service:irc-server”], [“eth1”, “modem0”], false)

// Enabling services
SetServices (["samba-server", "service:irc-server"], ["eth1", "modem0"], true)

Examples:

// Disabling services

Parameters:

  • list (string)

    service ids

  • list (string)

    network interfaces

  • boolean

    new status of services

Returns:

  • (Boolean)

    if successfull

See Also:

  • #SetServicesForZones()


329
330
331
332
333
334
335
336
337
338
339
340
341
342
# File 'library/network/src/lib/network/susefirewall.rb', line 329

def SetServices(services_ids, interfaces, new_status)
  firewall_zones = GetZonesOfInterfacesWithAnyFeatureSupported(interfaces)
  if Builtins.size(firewall_zones) == 0
    Builtins.y2error(
      "Interfaces '%1' are not in any group of interfaces",
      interfaces
    )
    return false
  end

  SetModified()

  SetServicesForZones(services_ids, firewall_zones, new_status)
end

#SetStartService(start_service) ⇒ Object

Function which sets if SuSEfirewall should start in Write process.

Parameters:

  • start_service (Boolean)

    at Write() process

See Also:

  • #GetStartService()


63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
# File 'library/network/src/lib/network/susefirewall.rb', line 63

def SetStartService(start_service)
  if !SuSEFirewallIsSelectedOrInstalled()
    Builtins.y2warning("Cannot set SetStartService")
    return nil
  end

  if GetStartService() != start_service
    SetModified()

    Builtins.y2milestone("Setting start-firewall to %1", start_service)
  else
    # without set modified!
    Builtins.y2milestone(
      "start-firewall has been already set to %1",
      start_service
    )
  end

  Ops.set(@SETTINGS, "start_firewall", start_service)

  nil
end

#StartServicesBoolean

Functions starts services needed for SuSEFirewall

Returns:

  • (Boolean)

    result



126
127
128
129
130
131
132
133
134
135
136
137
138
# File 'library/network/src/lib/network/susefirewall.rb', line 126

def StartServices
  return true if Mode.testsuite

  return false if !SuSEFirewallIsInstalled()

  if Service.Start(@firewall_service)
    Builtins.y2milestone("Started")
    return true
  else
    Builtins.y2error("Cannot start service %1", @firewall_service)
    return false
  end
end

#StopServicesBoolean

Functions stops services needed for SuSEFirewall

Returns:

  • (Boolean)

    result



143
144
145
146
147
148
149
150
151
152
153
154
155
# File 'library/network/src/lib/network/susefirewall.rb', line 143

def StopServices
  return true if Mode.testsuite

  return false if !SuSEFirewallIsInstalled()

  if Service.Stop(@firewall_service)
    Builtins.y2milestone("Stopped")
    return true
  else
    Builtins.y2error("Could not stop service %1", @firewall_service)
    return false
  end
end

#SuSEFirewallIsInstalledBoolean

Returns whether all needed packages are installed

Returns:

  • (Boolean)

    whether the selected firewall backend is installed



556
557
558
559
560
561
562
563
564
565
566
567
568
# File 'library/network/src/lib/network/susefirewall.rb', line 556

def SuSEFirewallIsInstalled
  return true if @needed_packages_installed

  if Mode.normal
    @needed_packages_installed = PackageSystem.CheckAndInstallPackages([@FIREWALL_PACKAGE])
    log.info "CheckAndInstallPackages -> #{@needed_packages_installed}"
  else
    @needed_packages_installed = PackageSystem.Installed(@FIREWALL_PACKAGE)
    log.info "Installed -> #{@needed_packages_installed}"
  end

  @needed_packages_installed
end

#SuSEFirewallIsSelectedOrInstalledBoolean

Returns whether all needed packages are installed (or selected for installation)

Returns:

  • (Boolean)

    whether the selected firewall backend is installed



540
541
542
543
544
545
546
547
548
549
550
551
# File 'library/network/src/lib/network/susefirewall.rb', line 540

def SuSEFirewallIsSelectedOrInstalled
  return true if @needed_packages_installed

  if Stage.initial
    packages_selected = Pkg.IsSelected(@FIREWALL_PACKAGE)
    log.info "Selected for installation -> #{packages_selected}"

    return true if packages_selected
  end

  SuSEFirewallIsInstalled()
end