From 730b42ff5fcf16cbdb8747a24fa790b2def32e7d Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Mon, 17 Jul 2017 15:37:49 +0200
Subject: [PATCH] backport of sysctl.d feature from master
this is a manual backport of commits
b123d46b2737e43ea14a33749f728a56bcfcb60f
4842cf662ed523a9426153f738d9e3f7969d7ba5
842ef939c43e7766faf6c55db4637402de28beed
dfe8ad9a8b4ae9f715bf2e6c03427b17b0cb1dbc
branches have diverged too much for a real git merge; it would have been
more work than this way.
cherry-picked from SLE-12
---
SuSEfirewall2 | 48 ++++++++++++++++++++++++++++++++++++++++++++++--
SuSEfirewall2.sysconfig | 14 +++++++++++++-
2 files changed, 59 insertions(+), 3 deletions(-)
diff --git a/SuSEfirewall2 b/SuSEfirewall2
index 04bc6be..481eb71 100755
--- a/SuSEfirewall2
+++ b/SuSEfirewall2
@@ -561,10 +561,54 @@ parse_logging()
### Functions
+# checks multiple sysctl.d config locations for configure values
+function is_in_any_sysctl()
+{
+ local value="$1"
+
+ if [ -z "$FW_SYSCTL_PATHS" ]; then
+ # don't check all available sysctl.d directories for the
+ # reason discussed in bnc#1044523
+ FW_SYSCTL_PATHS="/etc/sysctl.conf /etc/sysctl.d /usr/local/lib/sysctl.d"
+ fi
+
+ local path
+ for path in $FW_SYSCTL_PATHS; do
+ dbgmessage "Checking for sysctl value $value in path $path"
+
+ if [ -d "$path" ]; then
+ # expand to any config files found in the sysctl.d
+ # style directory
+ paths=$path/*.conf
+ dbgmessage "Expanded $path to $paths"
+ else
+ paths=$path
+ fi
+
+ for file in $paths; do
+ # check for existence, because the wildcard match
+ # above might yield no matches, which would result in
+ # error messages otherwise
+ if [ -r "$file" ]; then
+ dbgmessage "Checking in file $file"
+ is_in_sysctl "$value" "$file" && sysctl_file="$file" && return 0
+ dbgmessage "no match"
+ fi
+ done
+
+ done
+
+ sysctl_file=""
+ return 1
+}
+
+# returns whether the given sysctl setting passed as $1 is found in the sysctl
+# style configuration file $2.
+# return code of 0 if a value was found, 1 if none was found
function is_in_sysctl()
{
local path="$1"
- local sysctl="/etc/sysctl.conf"
+ local sysctl="$2"
# translate the proc path to a sysctl path
syspath=`echo "$path" | /usr/bin/cut -d '/' -f 4- | /usr/bin/tr '/' '.'`
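Review bot: `paths` and `file` in is_in_any_sysctl are assigned without `local`, so the loop leaks both into the caller's scope and would overwrite any same-named variable in setproc or its callers; extend the existing declaration to `local path paths file`. `sysctl_file` must stay global because setproc reads it after the call, but that contract is invisible here, so add `# sysctl_file is an out-parameter read by setproc after a successful lookup` above the loop. The debug line `Expanded $path to $paths` prints the literal pattern `…/*.conf` rather than the matching files, since the quoted expansion suppresses globbing and the real expansion only happens at `for file in $paths`; harmless, but misleading when reading debug output. is_in_sysctl's body continues past the end of the hunk.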
@@ -593,7 +637,7 @@ function setproc()
[ -z "$path" -o ! -w "$path" ] && return
- is_in_sysctl $path && dbgmessage "$path override in sysctl.conf, not setting it" && return
+ is_in_any_sysctl $path && message "$path override in $sysctl_file, not setting it" && return
if [ "$MODE" != "debug" ]; then
echo "$value" > "$path"
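Review bot: The replaced call still passes `$path` unquoted although is_in_any_sysctl quotes `$value` throughout; quote it here as well, `is_in_any_sysctl "$path" && message "$path override in $sysctl_file, not setting it" && return`. The message relies on the global `sysctl_file` that is_in_any_sysctl sets as a side effect; this is safe because the function clears it on failure, but a comment above the call, `# sysctl_file is set by is_in_any_sysctl on success`, would make the coupling visible to readers of setproc. setproc starts and ends outside the hunk.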
diff --git a/SuSEfirewall2.sysconfig b/SuSEfirewall2.sysconfig
index 89b588e..9c17ddd 100644
--- a/SuSEfirewall2.sysconfig
+++ b/SuSEfirewall2.sysconfig
@@ -712,7 +712,7 @@ FW_LOG=""
#
# If you have configured one of these settings in /etc/sysctl.conf then
# SuSEfirewall2 won't apply any different value to allow you to override some
-# of these settings to your liking.
+# of these settings to your liking. Also see FW_SYSCTL_DIRS.
#
# Tip: Set this to "no" until you have verified that you have got a
# configuration which works for you. Then set this to "yes" and keep it
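Review bot: The new cross-reference `Also see FW_SYSCTL_DIRS.` names a variable that does not exist; the option this patch introduces is `FW_SYSCTL_PATHS`, so the line should read `# of these settings to your liking. Also see FW_SYSCTL_PATHS.`. The sentence before it still says only /etc/sysctl.conf is honoured, whereas the new code also scans the configured sysctl.d directories; consider `# If you have configured one of these settings in one of the FW_SYSCTL_PATHS locations then`.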
@@ -722,6 +722,18 @@ FW_LOG=""
#
FW_KERNEL_SECURITY=""
+## Type: string
+#
+# Consider the following sysctl.d style directories and sysctl.conf style
+# files before modifying any sysctl values during runtime. If a value is
+# already configured in one of these dirs/files then it won't be changed by
+# SuSEFirewall any more.
+#
+# This affects FW_KERNEL_SECURITY settings and forwarding settings for
+# FW_ROUTE. If empty this defaults to /etc/sysctl.conf, /etc/sysctl.d,
+# /usr/local/lib/sysctl.d.conf.
+FW_SYSCTL_PATHS=""
+
## Type: yesno
#
# Whether ip routing should be disabled when the firewall is shut
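Review bot: The documented default `/usr/local/lib/sysctl.d.conf` does not match the code, which falls back to the directory `/usr/local/lib/sysctl.d`; correct the comment to `# /usr/local/lib/sysctl.d.`. Administrators would also benefit from knowing what is deliberately not consulted: the code comment cites bnc#1044523 for limiting the default list, which means a value shipped by a vendor package in another sysctl.d location (such as /usr/lib/sysctl.d) does not stop SuSEfirewall2 from changing it, so a sentence like `# Other sysctl.d directories are intentionally not consulted (see bnc#1044523).` would make the behaviour explicit. `SuSEFirewall` in the new text should be spelled `SuSEfirewall2` as elsewhere in the file.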
--
2.12.3