File 0002-main-script-support-IPv6-in-FW_TRUSTED_NETS-bnc-841046.patch of Package SuSEfirewall2.5243
From 7bc45372915ab4ae24ae4677749f430e7c03e226 Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Fri, 3 Mar 2017 13:50:47 +0100
Subject: [PATCH] main script: support IPv6 in FW_TRUSTED_NETS (bnc#841046)
---
SuSEfirewall2 | 26 +++++++++++++++++++++++---
SuSEfirewall2.sysconfig | 4 +++-
2 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/SuSEfirewall2 b/SuSEfirewall2
index 3f33900..7753c5b 100755
--- a/SuSEfirewall2
+++ b/SuSEfirewall2
@@ -436,6 +436,9 @@ else
fi
fi
+# list of the IPv4 and IPv6 tables commands to be used
+IPTABLES_LIST="$IPTABLES $IP6TABLES"
+
### jump targets
ACCEPT="ACCEPT"
DROP="DROP"
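Review bot: IPTABLES_LIST is introduced here but no other hunk in this patch reads it, so unless a part of SuSEfirewall2 outside this diff already consumes the variable it is dead state that the next reader will go looking for. Either leave it out of this commit or extend the comment so its intended consumer is named, e.g. `# list of the IPv4 and IPv6 tables commands, iterated where a rule must exist in both tables`.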
@@ -560,6 +563,18 @@ function setproc()
fi
}
+# returns the correct iptables binary for the given IPv4/6 address
+function get_iptables()
+{
+ local ip=$1
+
+ case "$ip" in
+ *:*) echo $IP6TABLES;;
+ # assume IPv4 for anything else
+ *) echo $IPTABLES ;;
+ esac
+}
+
# parameters: protocol port variable
# check whether $1 and $2/$3 are a valid protocol/port combination and sets global
# variables $proto, $port ($rport) and $sport ($rsport) in iptables syntax
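Review bot: get_iptables echoes `$IP6TABLES` and `$IPTABLES` unquoted and returns an empty string when the selected variable is unset, so a caller doing `$ipxtables -A ...` would then try to execute `-A` as a command instead of failing clearly. If `$IP6TABLES` can be empty when IPv6 support is switched off (not visible from this hunk), the function should fail loudly rather than print nothing, and the expansions should be quoted: `*:*) echo "$IP6TABLES";;` and `*) echo "$IPTABLES";;`. The colon heuristic is a sound discriminator since IPv4 addresses and CIDR prefixes never contain `:`, but the header comment should say so explicitly: `# returns the ip6tables binary if the address contains ':' (IPv6), iptables otherwise`.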
@@ -1743,6 +1758,11 @@ process_trusted_nets()
net="$1"
proto="$2"
port="$3"
+
+ # choose the ipv4/6 tables depending on the kind of subnet address
+ # encountered
+ ipxtables=`get_iptables $net`
+
if [ -n "$4" ]; then
error "Too many arguments in FW_TRUSTED_NETS -> $nets"
elif [ -z "$net" ]; then
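Review bot: `ipxtables=\`get_iptables $net\`` passes `$net` unquoted and runs before the validation chain that follows (the too-many-arguments check and `[ -z "$net" ]`), so a malformed entry containing glob characters or whitespace is expanded and word-split before it is rejected. Quote the argument as `ipxtables=\`get_iptables "$net"\`` and move the assignment below the validation, just before the rules are emitted. process_trusted_nets starts outside this hunk, so whether the caller's splitting already sanitizes `$net` cannot be confirmed here.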
@@ -1752,9 +1772,9 @@ process_trusted_nets()
elif check_proto_port "$proto" "$port" "" 'FW_TRUSTED_NETS'; then
for chain in $input_zones; do # trusted networks can be on any interface ...
chain=input_$chain
- $LAC $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-TRUST " -m conntrack --ctstate NEW -s $net $proto $port
- $LAA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-TRUST " -s $net $proto $port
- $IPTABLES -A $chain -j "$ACCEPT" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -s $net $proto $port
+ $LAC $ipxtables -A $chain ${LOG}"-`rulelog $chain`-ACC-TRUST " -m conntrack --ctstate NEW -s $net $proto $port
+ $LAA $ipxtables -A $chain ${LOG}"-`rulelog $chain`-ACC-TRUST " -s $net $proto $port
+ $ipxtables -A $chain -j "$ACCEPT" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -s $net $proto $port
done
fi
done
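Review bot: the three rule lines now pick ip6tables for an IPv6 `$net`, but `$proto $port` still come from check_proto_port (outside this hunk), and the FW_TRUSTED_NETS description says `icmp` is accepted with the port meaning the ICMP type; ip6tables expects `-p ipv6-icmp --icmpv6-type` rather than the IPv4 `-p icmp --icmp-type` form, so an entry like `<ipv6-net>,icmp,<type>` (placeholder) is likely rejected and the trusted-net rule silently never installed. Either translate `icmp` to the IPv6 equivalents when `$ipxtables` is `$IP6TABLES`, or state in the sysconfig text that icmp entries are IPv4-only. A comment on the rule block would also help a reader: `# $ipxtables is iptables or ip6tables depending on $net; proto/port syntax must be valid for that table`.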
diff --git a/SuSEfirewall2.sysconfig b/SuSEfirewall2.sysconfig
index e9d2a4c..df874eb 100644
--- a/SuSEfirewall2.sysconfig
+++ b/SuSEfirewall2.sysconfig
@@ -507,7 +507,9 @@ FW_SERVICES_ACCEPT_RELATED_INT=""
# Format: space separated list of network[,protocol[,port]]
# in case of icmp, port means the icmp type
#
-# Example: "172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22"
+# if network has IPv6 address format then an ip6tables rule will be assumed.
+#
+# Example: "172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22 2620:113:80c0:8080:10:160:68:136/64,rsync"
#
FW_TRUSTED_NETS=""
--
2.10.2