File 0009-rpcinfo-fix-regression.patch of Package SuSEfirewall2.6458

From b6f88ac4279e3ffcf88187f30b5ac1e873c953c5 Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Wed, 8 Nov 2017 13:57:48 +0100
Subject: [PATCH] fixed a regression introduced by
 a720fa197f4d8e9680d7a6dc193ed01cfc9f09c1

The security bugfix caused a regression on SLE12:Update so that e.g.
FW_CONFIGURATIONS_EXT="nfs-kernel-server" no longer correctly opened up
ports for nfs; also, portmapper port 111 might not have been opened up at
all any more.

The bugfix consists of two parts:

- pass $@ in rpcservicerules(), because multiple parameters are still
passed here on SLE12 (this is different on SLE12-SP3 and master)
- explicitly add "portmapper" service so the port 111 is correctly
opened

SuSEfirewall2 services files like
/etc/sysconfig/SuSEfirewall2.d/services/nfs-kernel-server wrongly
specify "portmap" instead of "portmapper", therefore we have to add the
portmapper service for them under the hood.
---
 SuSEfirewall2 | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/SuSEfirewall2 b/SuSEfirewall2
index f82e87b..9766814 100755
--- a/SuSEfirewall2
+++ b/SuSEfirewall2
@@ -1874,7 +1874,7 @@ rpcservicerules()
     # The -rpcinfo script by default implicitly adds extra rules for portmap
     # itself. This is because portmap needs to be reached in order for other
     # rpc services to work at all.
-    perl "$SCRIPTSDIR/SuSEfirewall2-rpcinfo" "$1"
+    perl "$SCRIPTSDIR/SuSEfirewall2-rpcinfo" "$@"
 }
 
 # parameters: REJECT|DROP
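Review bot: The switch from `"$1"` to `"$@"` on the perl invocation is undocumented, and since the earlier security fix deliberately narrowed this call, the next reader will not know whether the widening is safe or a mistake; a comment should record the reason. Something like `# SLE12 callers pass several service names at once; "$@" keeps each one as its own argv entry for -rpcinfo, so no word splitting or shell re-parsing happens` placed above the perl line would do. Note that the "$@" form stays safe only while callers keep passing plain service names as separate words, which is what the unquoted `$ports` at the call site does. The body of rpcservicerules() starts outside the hunk.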
@@ -2003,9 +2003,13 @@ accept_services()
 allow_rpc_services()
 {
     local zone chain ports
+    [ -z "$add_portmapper" ] && local add_portmapper=true
     for zone in $input_zones; do
 	chain=input_$zone
 	eval ports="\$FW_SERVICES_`cibiz $zone`_RPC"
+	# explicitly add portmapper ourselves, otherwise -rpcinfo will
+	# add it each time, causing duplicate rules
+	$add_portmapper && [ ! -z "$ports" ] && ports="$ports portmapper"
 	rpcservicerules $ports | while read ARG; do
 	    $LAC $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-RPC " -m conntrack --ctstate NEW $ARG
 	    $LAA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-RPC " $ARG
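Review bot: The added `ports="$ports portmapper"` line appends portmapper unconditionally, so a configuration whose FW_SERVICES_*_RPC already lists "portmapper" now passes it twice to rpcservicerules, which reintroduces the duplicate rules the new comment says it avoids; guard it with `case " $ports " in *" portmapper "*) ;; *) ports="$ports portmapper" ;; esac`. The flag is also tested by executing its value as a command (`$add_portmapper && ...`), which is fragile if the caller or environment ever sets it to anything but true/false; `[ "$add_portmapper" = true ]` expresses the intent without running the variable's contents. Presumably a caller elsewhere sets add_portmapper=false before calling allow_rpc_services, which the `[ -z ... ] && local` line relies on — that contract deserves a one-line comment since it is not visible here. Minor style: `[ ! -z "$ports" ]` reads more naturally as `[ -n "$ports" ]`. allow_rpc_services() continues past the end of the hunk.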
-- 
2.13.6
