From 2b4c5fa7214cacec1c5d354da254bcfa0f9879a3 Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Tue, 9 Jan 2018 16:55:32 +0100
Subject: [PATCH] Set RPC related rules also for IPv6 (bnc#1074933)
The dynamic rpcinfo-based rules are not applied to ip6tables. This
commit changes the behaviour so that rules with an IP-specific src/dst net
restriction are applied only to the matching ipXtables, and all other rules to both.
---
SuSEfirewall2 | 48 +++++++++++++++++++++++++++---------------------
1 file changed, 27 insertions(+), 21 deletions(-)
diff --git a/SuSEfirewall2 b/SuSEfirewall2
index 6cc019e..6134323 100755
--- a/SuSEfirewall2
+++ b/SuSEfirewall2
@@ -2098,10 +2098,10 @@ reject_or_drop_services()
port="$3"
sport="$4"
- iptables="$IPTABLES $IP6TABLES"
+ iptables_list=$IPTABLES_LIST
case "$net" in
- *:*) iptables="$IP6TABLES" ;;
- [0-9]*.*.*.*) iptables="$IPTABLES" ;;
+ *:*) iptables_list="$IP6TABLES" ;;
+ [0-9]*.*.*.*) iptables_list="$IPTABLES" ;;
esac
if [ "$proto" = "_rpc_" ]; then
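Review bot: `iptables_list=$IPTABLES_LIST` on the third line of this hunk (and again at the matching line in accept_services, L52) replaces the explicit default `"$IPTABLES $IP6TABLES"` with a variable this patch does not define; presumably IPTABLES_LIST is set elsewhere in the script, but if it is empty at this point the list for services without an address-family-specific net becomes empty and the `for iptables in $iptables_list` loops further down add no rule to either table, so the reject/drop rules are silently absent. An explicit fallback keeps the previous default visible at the point of use: `iptables_list=${IPTABLES_LIST:-"$IPTABLES $IP6TABLES"}`. reject_or_drop_services starts before this hunk and continues after it.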
@@ -2109,14 +2109,16 @@ reject_or_drop_services()
local comment
comment_pars "rpc.$port"
rpcservicerules $service | while read ARG; do
- $LDC $IPTABLES $rpc_insert $comment ${LOG}"-`rulelog $chain`-$action " -m conntrack --ctstate NEW $ARG
- $IPTABLES $rpc_insert $comment -j "$target" $ARG
+ for iptables in $iptables_list; do
+ $LDC $iptables $rpc_insert $comment ${LOG}"-`rulelog $chain`-$action " -m conntrack --ctstate NEW $ARG
+ $iptables $rpc_insert $comment -j "$target" $ARG
+ done
done
elif $update_rpc; then
# don't add any other rules in update rpc mode
continue
elif check_proto_port "$proto" "$port" "$sport" "$var"; then
- for iptables in $iptables; do
+ for iptables in $iptables_list; do
$LDA $iptables -A $chain -s $net $proto $port $sport -m conntrack --ctstate NEW ${LOG}"-`rulelog $chain`-$action "
$iptables -A $chain -s $net $proto $port $sport -m conntrack --ctstate NEW -j "$target"
done
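Review bot: The `_rpc_` branch now honours the `case "$net"` narrowing through `$iptables_list`, but the inserted rules `$LDC $iptables $rpc_insert ...` and `$iptables $rpc_insert $comment -j "$target" $ARG` still carry no `-s $net` match, and rpcservicerules is called with only `$service`, so `$ARG` cannot contain the net either. For an RPC entry `$net` therefore selects only the address family (iptables vs ip6tables), never the source address, which is easy to misread next to the `-s $net` rules in the check_proto_port branch below. A comment on the new for-loop would make this explicit: `# RPC rules carry no -s $net match: $net only selects the table (address family), not the source`. The same applies to the parallel loop in accept_services (L72–L81). reject_or_drop_services starts before this hunk.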
@@ -2182,10 +2184,10 @@ accept_services()
ipt_recent_set="-m recent --set$ipt_recent_set"
fi
- iptables="$IPTABLES $IP6TABLES"
+ iptables_list=$IPTABLES_LIST
case "$net" in
- *:*) iptables="$IP6TABLES" ;;
- [0-9]*.*.*.*) iptables="$IPTABLES" ;;
+ *:*) iptables_list="$IP6TABLES" ;;
+ [0-9]*.*.*.*) iptables_list="$IPTABLES" ;;
esac
if [ "$proto" = "_rpc_" ]; then
@@ -2193,20 +2195,22 @@ accept_services()
local comment
comment_pars "rpc.$port"
rpcservicerules $service | while read ARG; do
- if [ -n "$ipt_recent_set" ]; then
- $LDC $IPTABLES $rpc_insert $comment ${LOG}"-`rulelog $chain`-DROPr " $ARG -m conntrack --ctstate NEW $ipt_recent_rcheck
- $IPTABLES $rpc_insert $comment -j "$DROP" $ARG -m conntrack --ctstate NEW $ipt_recent_update
- fi
- $LAC $IPTABLES $rpc_insert $comment ${LOG}"-`rulelog $chain`-ACC " -m conntrack --ctstate NEW $ARG
- $LAA $IPTABLES $rpc_insert $comment ${LOG}"-`rulelog $chain`-ACC " $ARG
- [ -n "$ipt_recent_set" ] && $IPTABLES $rpc_insert $comment -j ACCEPT $ARG -m conntrack --ctstate NEW $ipt_recent_set
- $IPTABLES $rpc_insert $comment -j ACCEPT $ARG
+ for iptables in $iptables_list; do
+ if [ -n "$ipt_recent_set" ]; then
+ $LDC $iptables $rpc_insert $comment ${LOG}"-`rulelog $chain`-DROPr " $ARG -m conntrack --ctstate NEW $ipt_recent_rcheck
+ $iptables $rpc_insert $comment -j "$DROP" $ARG -m conntrack --ctstate NEW $ipt_recent_update
+ fi
+ $LAC $iptables $rpc_insert $comment ${LOG}"-`rulelog $chain`-ACC " -m conntrack --ctstate NEW $ARG
+ $LAA $iptables $rpc_insert $comment ${LOG}"-`rulelog $chain`-ACC " $ARG
+ [ -n "$ipt_recent_set" ] && $iptables $rpc_insert $comment -j ACCEPT $ARG -m conntrack --ctstate NEW $ipt_recent_set
+ $iptables $rpc_insert $comment -j ACCEPT $ARG
+ done
done
elif $update_rpc; then
# don't add any other rules in update rpc mode
continue
elif check_proto_port "$proto" "$port" "$sport" "$var"; then
- for iptables in $iptables; do
+ for iptables in $iptables_list; do
if [ -n "$ipt_recent_set" ]; then
$LDC $iptables -A $chain ${LOG}"-`rulelog $chain`-DROPr " -s $net $proto $port $sport -m conntrack --ctstate NEW $ipt_recent_rcheck
$iptables -A $chain -j "$DROP" -s $net $proto $port $sport -m conntrack --ctstate NEW $ipt_recent_update
@@ -2253,9 +2257,11 @@ allow_rpc_services()
[ -n "$selected" -a "$selected" != "$service" -a "$service" != "portmapper" ] && continue
comment_pars "rpc.$service"
rpcservicerules $service | while read ARG; do
- $LAC $IPTABLES $rpc_insert $comment ${LOG}"-`rulelog $chain`-ACC-RPC " -m conntrack --ctstate NEW $ARG
- $LAA $IPTABLES $rpc_insert $comment ${LOG}"-`rulelog $chain`-ACC-RPC " $ARG
- $IPTABLES $rpc_insert $comment -j "$ACCEPT" $ARG
+ for iptables in $IPTABLES_LIST; do
+ $LAC $iptables $rpc_insert $comment ${LOG}"-`rulelog $chain`-ACC-RPC " -m conntrack --ctstate NEW $ARG
+ $LAA $iptables $rpc_insert $comment ${LOG}"-`rulelog $chain`-ACC-RPC " $ARG
+ $iptables $rpc_insert $comment -j "$ACCEPT" $ARG
+ done
done
done
done
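Review bot: The new `for iptables in $IPTABLES_LIST` loop applies the same `$ARG` produced by `rpcservicerules $service` to every table, so the ip6tables ACCEPT rules are derived from whatever transports rpcservicerules inspects; if that helper (outside this hunk) enumerates only the IPv4 netids, the ports it yields may differ from those the service registered for IPv6, and the ip6tables rule would accept ports the service does not use there while missing the ones it does. Worth confirming how rpcservicerules enumerates transports before relying on a shared `$ARG`, and recording the assumption on the loop, e.g. `# assumes rpcservicerules output applies to both address families — verify`. allow_rpc_services starts before this hunk.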
--
2.13.6