File 0014-Set-RPC-related-rules-also-for-IPv6-bnc-1074933.patch of Package SuSEfirewall2
From d5cdb9bab9cc750ae12492a4fff548ff7dd32d38 Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Tue, 16 Jan 2018 13:26:26 +0100
Subject: [PATCH] Set RPC related rules also for IPv6 (bnc#1074933)

The dynamic rpcinfo based rules are not applied to ip6tables. This commit changes the behaviour to apply rules with IP specific src/dst net restriction only to those ipXtables, all other rules to both.

(cherry picked from commit ba922c27cf83aca77e3f5101f5a3af55f406776b)
---
 SuSEfirewall2 | 48 +++++++++++++++++++++++++++---------------------
 1 file changed, 27 insertions(+), 21 deletions(-)

diff --git a/SuSEfirewall2 b/SuSEfirewall2
index 8d76ce1..637c08d 100755
--- a/SuSEfirewall2
+++ b/SuSEfirewall2
@@ -1909,19 +1909,21 @@ reject_or_drop_services()
 	port="$3"
 	sport="$4"
-	iptables="$IPTABLES $IP6TABLES"
+	iptables_list=$IPTABLES_LIST
 	case "$net" in
-		*:*) iptables="$IP6TABLES" ;;
-		[0-9]*.*.*.*) iptables="$IPTABLES" ;;
+		*:*) iptables_list="$IP6TABLES" ;;
+		[0-9]*.*.*.*) iptables_list="$IPTABLES" ;;
 	esac
 	if [ "$proto" = "_rpc_" ]; then
 		rpcservicerules $service | while read ARG; do
-			$LDC $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-$action " -m conntrack --ctstate NEW $ARG
-			$IPTABLES -A $chain -j "$target" $ARG
+			for iptables in $iptables_list; do
+				$LDC $iptables -A $chain ${LOG}"-`rulelog $chain`-$action " -m conntrack --ctstate NEW $ARG
+				$iptables -A $chain -j "$target" $ARG
+			done
 		done
 	elif check_proto_port "$proto" "$port" "$sport" "$var"; then
-		for iptables in $iptables; do
+		for iptables in $iptables_list; do
 			$LDA $iptables -A $chain -s $net $proto $port $sport -m conntrack --ctstate NEW ${LOG}"-`rulelog $chain`-$action "
 			$iptables -A $chain -s $net $proto $port $sport -m conntrack --ctstate NEW -j "$target"
 		done
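Review bot: The new assignment `iptables_list=$IPTABLES_LIST` makes the non-net-restricted path depend on a variable that this patch never defines, and the diffstat shows no other file is touched. If the SLE-12 copy of SuSEfirewall2 does not already set IPTABLES_LIST (the cherry-pick source may rely on a later refactoring — worth confirming), `iptables_list` expands to empty, the `for iptables in $iptables_list` loops never execute, and the `_rpc_` branch silently installs no rule on either table — fail-open for reject_or_drop_services, fail-closed for accept_services; the second hunk (accept_services) and the third (allow_rpc_services, which uses `for iptables in $IPTABLES_LIST; do` directly) have the same dependency. If the variable cannot be guaranteed, a fallback such as `iptables_list=${IPTABLES_LIST:-"$IPTABLES $IP6TABLES"}` keeps the previous behaviour for both tables. reject_or_drop_services starts before this hunk and its body continues past it.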
@@ -1976,25 +1978,27 @@ accept_services()
 		ipt_recent_set="-m recent --set$ipt_recent_set"
 	fi
-	iptables="$IPTABLES $IP6TABLES"
+	iptables_list=$IPTABLES_LIST
 	case "$net" in
-		*:*) iptables="$IP6TABLES" ;;
-		[0-9]*.*.*.*) iptables="$IPTABLES" ;;
+		*:*) iptables_list="$IP6TABLES" ;;
+		[0-9]*.*.*.*) iptables_list="$IPTABLES" ;;
 	esac
 	if [ "$proto" = "_rpc_" ]; then
 		rpcservicerules $service | while read ARG; do
-			if [ -n "$ipt_recent_set" ]; then
-				$LDC $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-DROPr " $ARG -m conntrack --ctstate NEW $ipt_recent_rcheck
-				$IPTABLES -A $chain -j "$DROP" $ARG -m conntrack --ctstate NEW $ipt_recent_update
-			fi
-			$LAC $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC " -m conntrack --ctstate NEW $ARG
-			$LAA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC " $ARG
-			[ -n "$ipt_recent_set" ] && $IPTABLES -A $chain -j ACCEPT $ARG -m conntrack --ctstate NEW $ipt_recent_set
-			$IPTABLES -A $chain -j ACCEPT $ARG
+			for iptables in $iptables_list; do
+				if [ -n "$ipt_recent_set" ]; then
+					$LDC $iptables -A $chain ${LOG}"-`rulelog $chain`-DROPr " $ARG -m conntrack --ctstate NEW $ipt_recent_rcheck
+					$iptables -A $chain -j "$DROP" $ARG -m conntrack --ctstate NEW $ipt_recent_update
+				fi
+				$LAC $iptables -A $chain ${LOG}"-`rulelog $chain`-ACC " -m conntrack --ctstate NEW $ARG
+				$LAA $iptables -A $chain ${LOG}"-`rulelog $chain`-ACC " $ARG
+				[ -n "$ipt_recent_set" ] && $iptables -A $chain -j ACCEPT $ARG -m conntrack --ctstate NEW $ipt_recent_set
+				$iptables -A $chain -j ACCEPT $ARG
+			done
 		done
 	elif check_proto_port "$proto" "$port" "$sport" "$var"; then
-		for iptables in $iptables; do
+		for iptables in $iptables_list; do
 			if [ -n "$ipt_recent_set" ]; then
 				$LDC $iptables -A $chain ${LOG}"-`rulelog $chain`-DROPr " -s $net $proto $port $sport -m conntrack --ctstate NEW $ipt_recent_rcheck
 				$iptables -A $chain -j "$DROP" -s $net $proto $port $sport -m conntrack --ctstate NEW $ipt_recent_update
@@ -2021,9 +2025,11 @@ allow_rpc_services()
 		$add_portmapper && [ ! -z "$ports" ] && ports="$ports portmapper"
 		[ -z "$ports" ] && continue
 		rpcservicerules $ports | while read ARG; do
-			$LAC $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-RPC " -m conntrack --ctstate NEW $ARG
-			$LAA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-RPC " $ARG
-			$IPTABLES -A $chain -j "$ACCEPT" $ARG
+			for iptables in $IPTABLES_LIST; do
+				$LAC $iptables -A $chain ${LOG}"-`rulelog $chain`-ACC-RPC " -m conntrack --ctstate NEW $ARG
+				$LAA $iptables -A $chain ${LOG}"-`rulelog $chain`-ACC-RPC " $ARG
+				$iptables -A $chain -j "$ACCEPT" $ARG
+			done
 		done
 	done
 }
-- 
2.13.6