From e0f355177eaaaf55f498d63fe1e3d93662bab83b Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Wed, 8 Mar 2017 15:28:25 +0100
Subject: [PATCH] ignore bootlock for virtual and hotplugged devices (bsc#785299)
---
SuSEfirewall2 | 75 +++++++++++++++++++++++++++++++++++++++++++++++++++---
SuSEfirewall2_ifup | 2 +-
2 files changed, 73 insertions(+), 4 deletions(-)
diff --git a/SuSEfirewall2 b/SuSEfirewall2
index 995d89a..3f33900 100755
--- a/SuSEfirewall2
+++ b/SuSEfirewall2
@@ -174,6 +174,67 @@ set_defaults()
done
}
+
+function get_device_path()
+{
+ local iface="$1"
+ /usr/bin/readlink "/sys/class/net/$iface"
+}
+
+function match_device_path()
+{
+ local iface="$1"
+ local match="$2"
+
+ link=`get_device_path $iface`
+ if [[ "$link" == *"$match"* ]]; then
+ return 0
+ fi
+
+ return 1
+}
+
+# gets a network device name as input and returns zero if it is a virtual
+# device like tap/tun/bond or a physical device, non-zero otherwise
+function is_virtual_device()
+{
+ local iface="$1"
+ match_device_path $iface "virtual"
+ return $?
+}
+
+# like is_virtual_device() but checks whether the device is a removable,
+# hot-plugged device
+function is_hotplugged_device()
+{
+ local iface="$1"
+ # difficult to generically determine whether a network device is
+ # removable, go for USB ...
+ match_device_path $iface "usb"
+ return $?
+}
+
+# takes a network device name as input and returns zero if we should ignore an
+# active bootlock for changes on this device, otherwise non-zero
+function allow_bootlock_ignore()
+{
+ local iface="$1"
+
+ # skip the loopback by default
+ if [[ "$iface" = "lo" ]]; then
+ return 1
+ fi
+
+ # respect virtual or hotplugged evices
+ if is_virtual_device "$iface" || is_hotplugged_device "$iface"; then
+ return 0
+ fi
+
+ # anything else has to wait until boot finish
+ return 1
+}
+
+
CONFIGURATIONSDIR_0="/etc/sysconfig/SuSEfirewall2.d/services"
CONFIGURATIONSDIR_1="/usr/share/SuSEfirewall2/services"
DEFAULTSDIR=("/etc/sysconfig/SuSEfirewall2.d/defaults" "/usr/share/SuSEfirewall2/defaults")
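Review bot: The header comment on `is_virtual_device` says it returns zero for a virtual device "or a physical device", which contradicts the code: `match_device_path $iface "virtual"` returns zero only when the sysfs link target contains `virtual`, so the comment should read `# returns zero if it is a virtual device like tap/tun/bond, non-zero (e.g. for a physical device) otherwise`. In `match_device_path` the variable `link` is not declared `local` and the argument is passed unquoted, so the assignment leaks into the caller's scope; `local link; link=$(get_device_path "$iface")` keeps it contained. Both `virtual` and `usb` are matched as bare substrings anywhere in the resolved path, which is a heuristic the `# difficult to generically determine` comment already acknowledges for USB but not for `virtual`; a sentence noting that the check relies on the sysfs layout (`/sys/devices/virtual/...`) would help the next maintainer. The `evices` typo in `allow_bootlock_ignore` should be `devices`.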
@@ -206,7 +267,7 @@ if test -x /usr/bin/tty && ! /usr/bin/tty -s; then
quiet=1
fi
-getopttmp=`/usr/bin/getopt -o hq --long help,scriptsdir:,batch,nobatch,file:,debug,test,bootlock,bootunlock,quiet \
+getopttmp=`/usr/bin/getopt -o hqi: --long help,scriptsdir:,batch,nobatch,file:,debug,test,bootlock,bootunlock,quiet,interface: \
-n 'SuSEfirewall2' -- "$@"`
[ $? != 0 ] && die 1 "getopt error"
@@ -225,6 +286,9 @@ while true ; do
--bootunlock) remove_bootlock=1 ; shift ;;
-h|--help) help ; shift ;;
-q|--quiet) quiet=1 ; shift ;;
+ # only used by if-{up,down} scripts to indicate the interface
+ # that changed
+ -i|--interface) up_down_iface="$2"; shift 2 ;;
--) shift ; break ;;
*) die 1 "getopt error"; ;;
esac
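Review bot: The value of `-i|--interface` is stored in `up_down_iface` without any validation, although it is later appended to `/sys/class/net/` and handed to `readlink`; a name containing `/` (or `..`) would make that lookup inspect a path outside `/sys/class/net`. Since the option is meant only for the ifup/ifdown scripts and readlink only reads, the impact is low, but rejecting such values at the parse site is cheap: `-i|--interface) case "$2" in */*|"") die 1 "invalid interface name" ;; esac; up_down_iface="$2"; shift 2 ;;`. The option is also accepted for every command, not just `start`, which the comment could state explicitly if that is intended.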
@@ -831,8 +895,13 @@ setlock()
fi
### Locking mechanism
if [ "$needlock" -ne 0 ]; then
- if [ -e "$BOOTLOCKFILE" ]; then
- die 0 "$BOOTLOCKFILE exists which means system boot in progress, exit."
+ if [ -e "$BOOTLOCKFILE" ] ; then
+ # ignore the bootlock, which is only a performance shortcut, in
+ # case a virtual or hotplugged interface has just been configured
+ # (bsc#785299)
+ if [ -z "$up_down_iface" ] || ! allow_bootlock_ignore "$up_down_iface"; then
+ die 0 "$BOOTLOCKFILE exists which means system boot in progress, exit."
+ fi
fi
if [ -e "$LOCKFILE" ]; then
read PID < $LOCKFILE
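Review bot: When the bootlock is bypassed for a virtual or hot-plugged interface nothing is logged, so a firewall restart that now happens mid-boot leaves no trace that would distinguish it from the regular boot-time start; the inner `if` should emit a message such as `bootlock active but ignored for interface $up_down_iface (virtual/hotplugged)` through the script's usual quiet-aware diagnostics path before falling through. The new comment calls the bootlock "only a performance shortcut", which this hunk alone cannot confirm: an ifup-triggered start may now run concurrently with the boot-time start, and the `$LOCKFILE` handling just below (`read PID < $LOCKFILE`) is what must serialize them, so the comment should say that the per-run lock still applies. `setlock()` starts and ends outside the hunk.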
diff --git a/SuSEfirewall2_ifup b/SuSEfirewall2_ifup
index 3a4d766..ef3210d 100755
--- a/SuSEfirewall2_ifup
+++ b/SuSEfirewall2_ifup
@@ -101,7 +101,7 @@ case "$0" in
[ "$FIREWALL" = 'yes' ] || exit 0
if sfw2_active; then
- /sbin/SuSEfirewall2 -q start
+ /sbin/SuSEfirewall2 -q -i "$iface" start
fi
;;
*) echo "don't know what to do" >&2 ;;
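Review bot: Only the visible ifup arm of the `case "$0"` gains `-i "$iface"`, while the comment at the new option says it is used by the if-{up,down} scripts; if this file also serves the ifdown path (the case arm starts outside the hunk), that invocation needs the same argument or the bootlock will still be honoured when a hot-plugged device is removed. `$iface` is assigned outside the hunk and must be the bare kernel interface name, since the receiving side appends it to `/sys/class/net/`. Quoting it is correct: an empty value yields an empty `up_down_iface` and the pre-existing behaviour.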
--
2.10.2