
From 51e499fef8705b5e2d61b51353298bd8f57efa62 Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Tue, 21 Mar 2017 12:51:23 +0100
Subject: [PATCH] Allow admin override of proc settings (bnc#906136)

---
 SuSEfirewall2           | 45 ++++++++++++++++++++++++++++++++++++++++++---
 SuSEfirewall2.sysconfig | 10 +++++-----
 2 files changed, 47 insertions(+), 8 deletions(-)

diff --git a/SuSEfirewall2 b/SuSEfirewall2
index d82875e..04bc6be 100755
--- a/SuSEfirewall2
+++ b/SuSEfirewall2
@@ -125,6 +125,13 @@ warning()
     syslog -1 "Warning:" "$*"
 }
 
+dbgmessage()
+{
+    [ "$MODE" != "debug" ] && return
+
+    message $*
+}
+
 deprecated()
 {
     warning "$@ is deprecated and will likely be removed in the future."
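Review bot: `message $*` in the new dbgmessage body hands its arguments to message unquoted, so they are re-split on whitespace and glob-expanded first; the proc paths setproc feeds through it are harmless today, but the sibling `warning "$@"` in deprecated() right below shows the form this file otherwise uses, so `message "$@"` would be both consistent and safe for any future caller. The helper also lacks a header comment; a one-liner such as `# like message(), but only prints when MODE=debug` would match the comment this patch adds above setproc.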
@@ -553,13 +560,45 @@ parse_logging()
 }
 
 ### Functions
+
+function is_in_sysctl()
+{
+	local path="$1"
+	local sysctl="/etc/sysctl.conf"
+
+	# translate the proc path to a sysctl path
+	syspath=`echo "$path" | /usr/bin/cut -d '/' -f 4- | /usr/bin/tr '/' '.'`
+	grep -q "^[^#]*$syspath" $sysctl && return 0
+
+	# special case for the all / interface specific value in ipv4/conf/*
+	# if we're about to change an interface specific value also check if
+	# the global value is configured in sysctl in which case we shouldn't
+	# touch the interface specific one, too
+	syspath_all="`echo $syspath | /usr/bin/sed 's/ipv4\.conf\.[^\.]\+/ipv4\.conf\.all/'`"
+
+	if [ "$syspath" != "$syspath_all" ]; then
+	    grep -q "^[^#]*$syspath_all" $sysctl && return 0
+	fi
+
+	return 1
+}
+
+# change value of a file in /proc/sys
+# $1: value to set the proc file to
+# $2: path of the file in proc
 function setproc()
 {
-    [ -z "$2" -o ! -w "$2" ] && return
+    local value="$1"
+    local path="$2"
+
+    [ -z "$path" -o ! -w "$path" ] && return
+
+    is_in_sysctl $path && dbgmessage "$path override in sysctl.conf, not setting it" && return
+
     if [ "$MODE" != "debug" ]; then
-	echo "$1" > "$2"
+	echo "$value" > "$path"
     else
-	echo "echo \"$1\" > \"$2\""
+	echo "echo \"$value\" > \"$path\""
     fi
 }
 
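Review bot: The `grep -q "^[^#]*$syspath" $sysctl` test in is_in_sysctl interpolates the translated key into the regex unescaped and with no right-hand anchor, so every `.` matches any character and a key that is a prefix of another key (for instance `net.ipv4.ip_forward` against a `net.ipv4.ip_forward_use_pmtu =` line) is reported as overridden, and the hardening value is then skipped. Escaping the dots and anchoring on the assignment fixes both greps: `syspath_re=$(printf '%s\n' "$syspath" | sed 's/\./\\./g')` followed by `grep -qE "^[[:space:]]*${syspath_re}[[:space:]]*=" "$sysctl" && return 0`, and the same for `$syspath_all`. The lookup also reads only /etc/sysctl.conf, so an override placed in /etc/sysctl.d/*.conf is still clobbered; either scan those files too or state the limitation in the comment above the function. `syspath` and `syspath_all` should be declared `local` like `path` and `sysctl`, and since the skip is reported only via dbgmessage, an admin running in normal mode gets no indication that rp_filter or log_martians was left at the sysctl.conf value rather than the hardened one.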
diff --git a/SuSEfirewall2.sysconfig b/SuSEfirewall2.sysconfig
index 8e8f565..89b588e 100644
--- a/SuSEfirewall2.sysconfig
+++ b/SuSEfirewall2.sysconfig
@@ -708,11 +708,11 @@ FW_LOG=""
 #
 # Do you want to enable additional kernel TCP/IP security features?
 # If set to yes, some obscure kernel options are set.
-# (icmp_ignore_bogus_error_responses, icmp_echoreply_rate,
-#  icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexeed_rate,
-#  ip_local_port_range, log_martians, rp_filter, routing flush,
-#  bootp_relay, proxy_arp, secure_redirects, accept_source_route
-#  icmp_echo_ignore_broadcasts, ipfrag_time)
+# (log_martians, rp_filter, routing flush, accept_source_route)
+#
+# If you have configured one of these settings in /etc/sysctl.conf then
+# SuSEfirewall2 won't apply any different value to allow you to override some
+# of these settings to your liking.
 #
 # Tip: Set this to "no" until you have verified that you have got a
 # configuration which works for you. Then set this to "yes" and keep it
-- 
2.10.2
