File 0004-Allow-admin-override-of-proc-settings-bnc-906136.patch of Package SuSEfirewall2.6018
From 51e499fef8705b5e2d61b51353298bd8f57efa62 Mon Sep 17 00:00:00 2001 From: Matthias Gerstner <matthias.gerstner@suse.de> Date: Tue, 21 Mar 2017 12:51:23 +0100 Subject: [PATCH] Allow admin override of proc settings (bnc#906136) --- SuSEfirewall2 | 45 ++++++++++++++++++++++++++++++++++++++++++--- SuSEfirewall2.sysconfig | 10 +++++----- 2 files changed, 47 insertions(+), 8 deletions(-) diff --git a/SuSEfirewall2 b/SuSEfirewall2 index d82875e..04bc6be 100755 --- a/SuSEfirewall2 +++ b/SuSEfirewall2 @@ -125,6 +125,13 @@ warning() syslog -1 "Warning:" "$*" } +dbgmessage() +{ + [ "$MODE" != "debug" ] && return + + message $* +} + deprecated() { warning "$@ is deprecated and will likely be removed in the future." @@ -553,13 +560,45 @@ parse_logging() } ### Functions + +function is_in_sysctl() +{ + local path="$1" + local sysctl="/etc/sysctl.conf" + + # translate the proc path to a sysctl path + syspath=`echo "$path" | /usr/bin/cut -d '/' -f 4- | /usr/bin/tr '/' '.'` + grep -q "^[^#]*$syspath" $sysctl && return 0 + + # special case for the all / interface specific value in ipv4/conf/* + # if we're about to change an interface specific value also check if + # the global value is configured in sysctl in which case we shouldn't + # touch the interface specific one, too + syspath_all="`echo $syspath | /usr/bin/sed 's/ipv4\.conf\.[^\.]\+/ipv4\.conf\.all/'`" + + if [ "$syspath" != "$syspath_all" ]; then + grep -q "^[^#]*$syspath_all" $sysctl && return 0 + fi + + return 1 +} + +# change value of a file in /proc/sys +# $1: value to set the proc file to +# $2: path of the file in proc function setproc() { - [ -z "$2" -o ! -w "$2" ] && return + local value="$1" + local path="$2" + + [ -z "$path" -o ! -w "$path" ] && return + + is_in_sysctl $path && dbgmessage "$path override in sysctl.conf, not setting it" && return + if [ "$MODE" != "debug" ]; then - echo "$1" > "$2" + echo "$value" > "$path" else - echo "echo \"$1\" > \"$2\"" + echo "echo \"$value\" > \"$path\"" fi } 
diff --git a/SuSEfirewall2.sysconfig b/SuSEfirewall2.sysconfig index 8e8f565..89b588e 100644 --- a/SuSEfirewall2.sysconfig +++ b/SuSEfirewall2.sysconfig @@ -708,11 +708,11 @@ FW_LOG="" # # Do you want to enable additional kernel TCP/IP security features? # If set to yes, some obscure kernel options are set. -# (icmp_ignore_bogus_error_responses, icmp_echoreply_rate, -# icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexeed_rate, -# ip_local_port_range, log_martians, rp_filter, routing flush, -# bootp_relay, proxy_arp, secure_redirects, accept_source_route -# icmp_echo_ignore_broadcasts, ipfrag_time) +# (log_martians, rp_filter, routing flush, accept_source_route) +# +# If you have configured one of these settings in /etc/sysctl.conf then +# SuSEfirewall2 won't apply any different value to allow you to override some +# of these settings to your liking. # # Tip: Set this to "no" until you have verified that you have got a # configuration which works for you. Then set this to "yes" and keep it -- 2.10.2
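Review bot: in dbgmessage(), `message $*` expands the arguments unquoted, so the text is word-split and glob-expanded before message sees it, and a debug line containing `*` or repeated spaces comes out altered. Pass the arguments through intact with `message "$@"`.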
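Review bot: the `grep -q "^[^#]*$syspath" $sysctl` test in is_in_sysctl() matches too loosely. The dots in $syspath act as regex wildcards and the key is anchored at neither end, so any non-comment line that merely contains the name (a longer key with the same prefix, for instance) counts as an admin override, and setproc() then silently leaves that hardening value unset. Escape the dots and anchor the key between optional leading whitespace and the `=`. In setproc(), `is_in_sysctl $path && dbgmessage ... && return` makes the early return conditional on dbgmessage's exit status, which in debug mode is whatever message returns; an explicit if/then with an unconditional return states the intent. syspath and syspath_all should also be declared local like path and sysctl, and $path and $sysctl quoted where they are expanded.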
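Review bot: the new sysconfig comment ("SuSEfirewall2 won't apply any different value") under-documents what the code does. is_in_sysctl() skips the write whenever the key appears in /etc/sysctl.conf, regardless of the value configured there, and an ipv4.conf.all entry also suppresses the per-interface value. Since this is the only place an admin learns that a sysctl.conf line stops the firewall from setting rp_filter, log_martians or accept_source_route, the comment should say that only /etc/sysctl.conf is consulted, that the setting is skipped entirely rather than compared, and that an `all` entry covers every interface.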