Hello community, here is the log from the commit of package yast2-vpn for openSUSE:Factory checked in at 2016-10-13 11:30:39 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yast2-vpn (Old) and /work/SRC/openSUSE:Factory/.yast2-vpn.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-vpn" Changes: -------- --- /work/SRC/openSUSE:Factory/yast2-vpn/yast2-vpn.changes 2016-03-31 13:03:35.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.yast2-vpn.new/yast2-vpn.changes 2016-10-13 11:30:39.000000000 +0200 @@ -1,0 +2,12 @@ +Mon Oct 10 12:04:12 UTC 2016 - h...@suse.com + +- Instead of creating its own firewall custom-rules, put firewall + commands into user's own custom-rules file. + Bump version to 3.1.4 for bsc#1002744. + +------------------------------------------------------------------- +Mon Oct 3 12:00:46 UTC 2016 - igonzalezs...@suse.com + +- Fix translation in the connection status dialog (bsc#994349) + +------------------------------------------------------------------- Old: ---- yast2-vpn-3.1.3.tar.bz2 New: ---- yast2-vpn-3.1.4.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ yast2-vpn.spec ++++++ --- /var/tmp/diff_new_pack.ICfQws/_old 2016-10-13 11:30:41.000000000 +0200 +++ /var/tmp/diff_new_pack.ICfQws/_new 2016-10-13 11:30:41.000000000 +0200 @@ -17,7 +17,7 @@ Name: yast2-vpn -Version: 3.1.3 +Version: 3.1.4 Release: 0 Url: https://github.com/yast/yast-vpn Source0: %{name}-%{version}.tar.bz2 ++++++ yast2-vpn-3.1.3.tar.bz2 -> yast2-vpn-3.1.4.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-vpn-3.1.3/package/yast2-vpn.changes new/yast2-vpn-3.1.4/package/yast2-vpn.changes --- old/yast2-vpn-3.1.3/package/yast2-vpn.changes 2016-03-30 09:32:33.000000000 +0200 +++ new/yast2-vpn-3.1.4/package/yast2-vpn.changes 2016-10-10 14:06:38.000000000 +0200 
@@ -1,4 +1,16 @@ ------------------------------------------------------------------- +Mon Oct 10 12:04:12 UTC 2016 - h...@suse.com + +- Instead of creating its own firewall custom-rules, put firewall + commands into user's own custom-rules file. + Bump version to 3.1.4 for bsc#1002744. + +------------------------------------------------------------------- +Mon Oct 3 12:00:46 UTC 2016 - igonzalezs...@suse.com + +- Fix translation in the connection status dialog (bsc#994349) + +------------------------------------------------------------------- Thu Mar 24 11:15:40 UTC 2016 - h...@suse.com - Fix several important issues: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-vpn-3.1.3/package/yast2-vpn.spec new/yast2-vpn-3.1.4/package/yast2-vpn.spec --- old/yast2-vpn-3.1.3/package/yast2-vpn.spec 2016-03-30 09:32:33.000000000 +0200 +++ new/yast2-vpn-3.1.4/package/yast2-vpn.spec 2016-10-10 14:04:11.000000000 +0200 @@ -16,7 +16,7 @@ # Name: yast2-vpn -Version: 3.1.3 +Version: 3.1.4 Release: 0 License: GPL-2.0 URL: https://github.com/yast/yast-vpn diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-vpn-3.1.3/src/lib/vpn/main_dialog.rb new/yast2-vpn-3.1.4/src/lib/vpn/main_dialog.rb --- old/yast2-vpn-3.1.3/src/lib/vpn/main_dialog.rb 2016-03-30 09:32:33.000000000 +0200 +++ new/yast2-vpn-3.1.4/src/lib/vpn/main_dialog.rb 2016-10-10 12:11:46.000000000 +0200 @@ -46,6 +46,8 @@ # When true, the Apply button will save configuration to this system. # When false, configuration will only be saved to SCR. @can_apply = can_apply + # When true, the user has already acknowledged to the "configuration success" prompt. + @success_acknowledged = false end def dialog_options @@ -82,7 +84,7 @@ # Right side: connection config editor HWeight(65, ReplacePoint(Id(:conn_conf), Empty())) ), - HBox( + ButtonBox( PushButton(Id(:ok), Yast::Label.OKButton), PushButton(Id(:cancel), Yast::Label.CancelButton) ) 
@@ -175,7 +177,8 @@ end if enable_daemon popup_msg += "\n" + _("Would you like to view daemon log and connection status?") - if Yast::Popup.YesNo(popup_msg) + if !@success_acknowledged && Yast::Popup.YesNo(popup_msg) + @success_acknowledged = true ViewLogDialog.new.run else finish_dialog(:finish) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-vpn-3.1.3/src/lib/vpn/view_log_dialog.rb new/yast2-vpn-3.1.4/src/lib/vpn/view_log_dialog.rb --- old/yast2-vpn-3.1.3/src/lib/vpn/view_log_dialog.rb 2016-03-30 09:32:33.000000000 +0200 +++ new/yast2-vpn-3.1.4/src/lib/vpn/view_log_dialog.rb 2016-10-07 10:11:44.000000000 +0200 @@ -44,8 +44,8 @@ def dialog_content VBox( - Left(LogView(Id(:daemon_status), "VPN daemon status", 8, 0)), - Left(LogView(Id(:conn_status), "All connection status", 8, 0)), + Left(LogView(Id(:daemon_status), _("VPN daemon status"), 8, 0)), + Left(LogView(Id(:conn_status), _("All connection status"), 8, 0)), Left(Label(Opt(:boldFont), _("The logs are refreshed automatically every 3 seconds."))), HBox( PushButton(Id(:restart_daemon), _("Restart VPN Daemon")), diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-vpn-3.1.3/src/modules/IPSecConf.rb new/yast2-vpn-3.1.4/src/modules/IPSecConf.rb --- old/yast2-vpn-3.1.3/src/modules/IPSecConf.rb 2016-03-30 09:32:33.000000000 +0200 +++ new/yast2-vpn-3.1.4/src/modules/IPSecConf.rb 2016-10-10 13:20:56.000000000 +0200 @@ -27,8 +27,9 @@ module Yast class IPSecConfModule < Module + CUSTOMRULES_FILE = "/etc/YaST2/vpn_firewall_rules" + CUSTOMRULES_BAK_FILE = "/etc/YaST2/.vpn_firewall_rules_backup" include Yast::Logger - FW_CUSTOMRULES_FILE = "/etc/YaST2/vpn_firewall_rules" # If TCP MSS reduction is required, the new MSS will be this value. REDUCED_MSS = 1220 
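Review bot: After the first acknowledgement every later pass through this branch skips the YesNo prompt and lands in `finish_dialog(:finish)`, so a user who views the log, then changes the configuration and applies it again (presumably via the Apply button) is never offered the log dialog a second time. If that is intended, the constructor comment added in the @@ -46 hunk should say so, e.g. `# Set once the user has answered the "view daemon log?" prompt; later successful applies finish the dialog without asking again.`; otherwise the flag should be reset whenever the configuration changes. The enclosing method starts and ends outside the hunk.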
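Review bot: The two new path constants carry no comment and are placed above `include Yast::Logger`, separating the mixin from the class header; moving them next to `REDUCED_MSS` with `# Default custom-rules script: always rewritten by install_customrules and handed to SuSEfirewall2 as FW_CUSTOMRULES when the user has no script of their own` and `# Commands last merged into the active script, read back by uninstall_customrules to remove them again` would document what the @@ -415 hunk later does with them. `FW_CUSTOMRULES_FILE` is renamed rather than kept as an alias, so any reference to the old name outside this diff (none is visible here) would fail at runtime.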
@@ -60,8 +61,8 @@ load_ipsec_secrets_ini # Read daemon settings @enable_ipsec = Service.Enabled("strongswan") - customrules_content = SCR.Read(path(".target.string"), FW_CUSTOMRULES_FILE) - @tcp_reduce_mss = !customrules_content.nil? && customrules_content.include?("--set-mss #{REDUCED_MSS}") + customrules_content = get_customrules_txt + @tcp_reduce_mss = customrules_content != nil && customrules_content.include?("--set-mss #{REDUCED_MSS}") @autoyast_modified = true end 
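Review bot: `customrules_content != nil && …` trades the idiomatic `!customrules_content.nil?` of the removed line for an explicit nil comparison; `@tcp_reduce_mss = customrules_content.to_s.include?("--set-mss #{REDUCED_MSS}")` covers the nil case in one expression. Note also that `get_customrules_txt` (added in the @@ -415 hunk) reads whatever script `FW_CUSTOMRULES` points at, so a `--set-mss 1220` rule the administrator wrote themselves is read back as this module's own setting on the next Read; a comment here stating that this is acceptable would save the next reader the question. The enclosing method starts outside the hunk.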
@@ -105,36 +106,31 @@ return @tcp_reduce_mss end - # Create a firewall configuration script for all VPN gateways. Return the script content - def GenFirewallScript + # Create a firewall configuration commands for all VPN gateways. Return the commands array. + def gen_firewall_commands + ret = [] # Find the gateway VPNs offering Internet connectivity, and collect the client's address pool. inet_access_networks = @ipsec_conns.select { |name, conf| leftsubnet = conf["leftsubnet"] leftsubnet != nil && (leftsubnet.include?("::/0") || leftsubnet.include?("0.0.0.0/0")) }.map{|name, conf| conf["rightsourceip"]} - - script = "# The file is automatically generated by YaST VPN module.\n" + - "# You may run the file using bourne-shell-compatible interpreter.\n" - func_template = "%{func_name}() {\n%{content}true\n}\n%{func_name}\n" # Open ports for IKE and allow ESP protocol - dport_accept_template = "%s -A INPUT -p udp --dport %d -j ACCEPT\n" - p_accept_template = "%s -A INPUT -p %d -j ACCEPT\n" + dport_accept_template = "%s -A INPUT -p udp --dport %d -j ACCEPT" + p_accept_template = "%s -A INPUT -p %d -j ACCEPT" open_prot = "" if @ipsec_conns.length > 0 - open_prot = dport_accept_template % ["iptables", 500] + - dport_accept_template % ["iptables", 4500] + - dport_accept_template % ["ip6tables", 500] + - dport_accept_template % ["ip6tables", 4500] + - p_accept_template % ["iptables", 50] + - p_accept_template % ["ip6tables", 50] + ret << dport_accept_template % ["iptables", 500] + ret << dport_accept_template % ["iptables", 4500] + ret << dport_accept_template % ["ip6tables", 500] + ret << dport_accept_template % ["ip6tables", 4500] + ret << p_accept_template % ["iptables", 50] + ret << p_accept_template % ["ip6tables", 50] end - script << func_template % {func_name: "fw_custom_after_chain_creation", content: open_prot} - script << func_template % {func_name: "fw_custom_before_port_handling", content: ""} # Reduce TCP MSS - if this has to be done, it must come before FORWARD 
and MASQUERADE inet_access = "" if @tcp_reduce_mss - inet_access += "iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss #{REDUCED_MSS+1}:65535 -j TCPMSS --set-mss #{REDUCED_MSS}\n" + - "ip6tables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss #{REDUCED_MSS+1}:65535 -j TCPMSS --set-mss #{REDUCED_MSS}\n" + ret << "iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss #{REDUCED_MSS+1}:65535 -j TCPMSS --set-mss #{REDUCED_MSS}" + ret << "ip6tables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss #{REDUCED_MSS+1}:65535 -j TCPMSS --set-mss #{REDUCED_MSS}" end # Forwarding for Internet access inet_access_networks.each { |cidr| @@ -142,25 +138,17 @@ if cidr.include?(":") iptables = "ip6tables" end - inet_access += "#{iptables} -A FORWARD -s #{cidr} -j ACCEPT\n#{iptables} -A FORWARD -d #{cidr} -j ACCEPT\n" - inet_access += "#{iptables} -t nat -A POSTROUTING -s #{cidr} -j MASQUERADE\n" + ret << "#{iptables} -A FORWARD -s #{cidr} -j ACCEPT" + ret << "#{iptables} -A FORWARD -d #{cidr} -j ACCEPT" + ret << "#{iptables} -t nat -A POSTROUTING -s #{cidr} -j MASQUERADE" } - script << func_template % {func_name: "fw_custom_before_masq", content: inet_access} - # Nothing in denyall or finished - script << func_template % {func_name: "fw_custom_before_denyall", content: ""} - script << func_template % {func_name: "fw_custom_after_finished", content: ""} - return script + return ret end # Apply IPSec configuration. def Write log.info("IPSecConf.Write is called, connections are: " + @ipsec_conns.keys.to_s) successful = true - # Write configuration files - SCR.Write(path(".etc.ipsec_conf.all"), makeIPSecConfINI) - SCR.Write(path(".etc.ipsec_conf"), nil) - SCR.Write(path(".etc.ipsec_secrets.all"), makeIPSecSecretsINI) - SCR.Write(path(".etc.ipsec_secrets"), nil) # Install packages install_pkgs = [] if !Package.Installed("strongswan-ipsec") 
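Review bot: `open_prot = ""` and `inet_access = ""` survive as dead locals now that every command is pushed onto `ret` instead of being appended to them; both lines should go. While here, `if @ipsec_conns.length > 0` reads better as `unless @ipsec_conns.empty?`, the unused `name` parameters in the `select`/`map` chain should be `_name`, and the `return ret` added in the @@ -142 hunk can be a bare `ret`. One pre-existing hazard becomes more visible now that the output lands in the user's script: a gateway connection without `rightsourceip` yields `nil` from the `map`, and the `cidr.include?(":")` test in the @@ -142 hunk then raises `NoMethodError` out of `gen_firewall_commands`; a `.compact` on the chain (or skipping such connections with a log line) is cheap insurance.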
@@ -172,9 +160,14 @@ if @enable_ipsec && install_pkgs.length > 0 if !Package.DoInstall(install_pkgs) Report.Error(_("Failed to install IPSec packages.")) - successful = false + return false end end + # Write configuration files only after having installed packages + SCR.Write(path(".etc.ipsec_conf.all"), makeIPSecConfINI) + SCR.Write(path(".etc.ipsec_conf"), nil) + SCR.Write(path(".etc.ipsec_secrets.all"), makeIPSecSecretsINI) + SCR.Write(path(".etc.ipsec_secrets"), nil) # Enable/disable daemon if @enable_ipsec Service.Enable("strongswan") @@ -190,7 +183,7 @@ sysctl_modified = false if @ipsec_conns.any? { |name, conf| leftsubnet = conf["leftsubnet"] - !leftsubnet.nil? && leftsubnet.include?("0.0.0.0/0") + !leftsubnet.nil? && leftsubnet.include?(".") } SCR.Write(path(".etc.sysctl_conf.\"net.ipv4.ip_forward\""), "1") SCR.Write(path(".etc.sysctl_conf.\"net.ipv4.conf.all.forwarding\""), "1") @@ -199,7 +192,7 @@ end if @ipsec_conns.any? { |name, conf| leftsubnet = conf["leftsubnet"] - !leftsubnet.nil? && leftsubnet.include?("::/0") + !leftsubnet.nil? && leftsubnet.include?(":") } SCR.Write(path(".etc.sysctl_conf.\"net.ipv6.conf.all.forwarding\""), "1") SCR.Write(path(".etc.sysctl_conf.\"net.ipv6.conf.default.forwarding\""), "1") @@ -214,12 +207,10 @@ end end # Configure/deconfigure firewall - SCR.Write(path(".target.string"), FW_CUSTOMRULES_FILE, IPSecConf.GenFirewallScript) - existing_rules = SCR.Read(path(".sysconfig.SuSEfirewall2.FW_CUSTOMRULES")).strip - if !existing_rules.include?(FW_CUSTOMRULES_FILE) - existing_rules << " " unless existing_rules.empty? - SCR.Write(path(".sysconfig.SuSEfirewall2.FW_CUSTOMRULES"), existing_rules + FW_CUSTOMRULES_FILE) - SCR.Write(path(".sysconfig.SuSEfirewall2"), nil) + if @enable_ipsec + install_customrules(gen_firewall_commands) + else + uninstall_customrules end SuSEFirewall.Read if SuSEFirewall.IsEnabled 
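Review bot: Loosening the test from `include?("0.0.0.0/0")` to `include?(".")` (and from `"::/0"` to `":"` in the @@ -199 hunk) makes Write persist `net.ipv4.ip_forward=1` and `net.ipv4.conf.all.forwarding=1` for every connection whose `leftsubnet` contains an IPv4 literal, not only for Internet gateways; that is a host-wide routing change and, unless the disable path (not visible here) resets it, it outlives the VPN configuration, yet the changelog does not mention it. If the intent is that any subnet advertised via `leftsubnet` is routed through this host, say so at the condition, e.g. `# Any IPv4 leftsubnet is routed through this host, so kernel forwarding is needed, not only for 0.0.0.0/0 gateways`. `include?(".")` also matches an IPv4 address embedded in an IPv6 value, which is presumably harmless since both families are enabled independently. `Write` starts in an earlier hunk and ends in a later one.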
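Review bot: `install_customrules(gen_firewall_commands)` runs for any enabled daemon, including a configuration with no connections left, where `gen_firewall_commands` returns `[]` yet `install_customrules` still rewrites `CUSTOMRULES_FILE`, may repoint `FW_CUSTOMRULES` at it, and overwrites the backup with an empty list while the commands from the previous Write stay in the user's script, so a later `uninstall_customrules` can no longer remove them. Treating "enabled but no connections" like the disabled case, `if @enable_ipsec && !@ipsec_conns.empty?`, lets `uninstall_customrules` clear the stale rules with the previous backup instead. `Write` starts in an earlier hunk and ends in a later one.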
@@ -243,9 +234,7 @@ _("Both VPN gateway and clients require special SuSE firewall configuration.\n" + "SuSE firewall is not enabled, therefore you must manually run the configuration script " + "on every reboot. The script will be run now.\n" + - "The script is located at %s") % [FW_CUSTOMRULES_FILE]) - run_fw_script = SCR.Execute(Yast::Path.new(".target.bash_output"), "/bin/bash %s 2>&1" % [FW_CUSTOMRULES_FILE]) - log.info("run_fw_script: " + run_fw_script.to_s) + "The script is located at %s") % [CUSTOMRULES_FILE]) end @autoyast_modified = false return successful @@ -335,7 +324,6 @@ publish :function => :SetModified, :type => "void ()" publish :function => :GetModified, :type => "boolean ()" - private # Load ipsec.conf from INI agent. def load_ipsec_conf_ini @orig_conf = SCR.Read(path(".etc.ipsec_conf.all")) @@ -380,7 +368,6 @@ log.info "Unsupported secrets " + @unsupported_secrets.to_s end - def mkININode(kind, name, value, root = false) return { "comment" => "", 
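Review bot: The popup still promises `"The script will be run now."` while this hunk removes the `SCR.Execute` that ran it, so on a host where SuSEfirewall2 is not enabled nothing applies the iptables commands any more and the message is wrong. Either restore the execution of `CUSTOMRULES_FILE` (which `install_customrules` still writes) or change the wording to what now happens, e.g. `"SuSE firewall is not enabled, therefore you must run the script located at %s manually after every reboot."`. `Write` starts in an earlier hunk; `return successful` closes it here.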
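Review bot: Deleting the `private` marker makes every helper below it (`load_ipsec_conf_ini`, `mkININode`, and all the new custom-rules helpers) a public method of the module, presumably only so the spec can call `merge_into_customrules` and `remove_from_customrules` directly. Keeping `private` and reaching the two text helpers from the spec via `Yast::IPSecConf.send(:merge_into_customrules, txt, cmds)`, or re-adding `private` and listing the intentionally public pair with `public :merge_into_customrules, :remove_from_customrules`, keeps the exposed surface to what the `publish` lines declare.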
@@ -415,6 +402,145 @@ } }.flatten, true) end + + # Return the latest file name of custom-rules script in firewall. + # If the file does not exist or not specified, return nil. + def get_susefw_customrules + attr_value = SCR.Read(path(".sysconfig.SuSEfirewall2.FW_CUSTOMRULES")).to_s.strip + if attr_value == '' + return nil + end + if !::File.exist?(attr_value) + return nil + end + return attr_value + end + + # Read the latest content of custom rules script defined in firewall. + # Return nil if no such script is being used. + def get_customrules_txt + filename = get_susefw_customrules + if filename == nil + return nil + end + return IO.readlines(filename).join('') + end + + # Return true only if the + def customrules_contain_all(existing_txt, cmds) + new_txt = merge_into_customrules(existing_txt, cmds) + return new_txt.strip == existing_txt.strip + end + + # Merge the firewall commands into the specified section of custom rules text and return the whole text. + def merge_into_customrules_section(existing_txt, cmds, section) + # Split text into lines, because each iptable command occupies exactly one line. + lines = existing_txt.split("\n") + # Find the line number of the section for new iptable commands to be placed + lineno_chain = -1 + lines.each_with_index {|line, lineno| + if line.match(section) != nil + lineno_chain = lineno + break + end + } + # Figure out new commands to merge + insert_cmds = [] + cmds.each { |cmd| + cmd = cmd.strip + if lines.none?{|line| line.index(cmd) != nil} + insert_cmds << cmd + end + } + # Put new commands into the lines immediately following the section declaration + if insert_cmds.length > 0 + lines.insert(lineno_chain+1, *insert_cmds) + end + return lines.join("\n") + end + + # Merge the firewall commands into appropriate sections of the custom rules text and return the whole text. 
+ def merge_into_customrules(existing_txt, cmds) + # Categorise the firewall commands + open_port = [] + forward_route = [] + cmds.each {|cmd| + # Open port/allow protocol commands are in -A INPUT, i.e. "chian_creation". + if cmd.index('-A INPUT') != nil + open_port << cmd + else + # All other commands deal with changing MSS or enable NAT, they go into "befor_masq". + forward_route << cmd + end + } + txt = merge_into_customrules_section(existing_txt, open_port, /fw_custom_after_chain_creation.*{/) + return merge_into_customrules_section(txt, forward_route, /fw_custom_before_masq.*{/) + "\n" + end + + # Remove some iptable commands from custom rules text. Return the new text. + def remove_from_customrules(existing_txt, cmds) + # Split text into lines, because each iptable command occupies exactly one line. + lines = existing_txt.split("\n") + ret = [] + lines.each {|line| + if cmds.none?{|cmd| line.index(cmd.strip) != nil} + ret << line + end + } + return ret.join("\n") + "\n" + end + + # If firewall does not yet use a custom rules script, create it and give it to firewall. + # Then no matter what, merge the firewall commands into the effective custom rules script. + def install_customrules(cmds) + template = ' +#/bin/bash +fw_custom_after_chain_creation() { +true +} +fw_custom_after_chain_creation +fw_custom_before_port_handling() { +true +} +fw_custom_before_port_handling +fw_custom_before_masq() { +true +} +fw_custom_before_masq +fw_custom_before_denyall() { +true +} +fw_custom_before_denyall +fw_custom_after_finished() { +true +} +fw_custom_after_finished +' + # Always save a copy to the default location so that user can run it manually + IO.write(CUSTOMRULES_FILE, merge_into_customrules(template, cmds)) + customrules_file = get_susefw_customrules() + if customrules_file == nil + # If user is not already using custom rules script, set custom rules script to the default location. 
+ SCR.Write(path(".sysconfig.SuSEfirewall2.FW_CUSTOMRULES"), CUSTOMRULES_FILE) + SCR.Write(path(".sysconfig.SuSEfirewall2"), nil) + else + # Merge commands into the existing custom rules script. + file_name = get_susefw_customrules + txt = merge_into_customrules(get_customrules_txt, cmds) + IO.write(customrules_file, txt) + end + # Keep a copy of the applied firewall commands so they may be reverted later on + IO.write(CUSTOMRULES_BAK_FILE, cmds.join("\n")) + end + + def uninstall_customrules + file_name = get_susefw_customrules + if file_name == nil + return + end + # Remove firewall commands from the file + IO.write(file_name, remove_from_customrules(IO.read(file_name), IO.readlines(CUSTOMRULES_BAK_FILE))) + end end IPSecConf = IPSecConfModule.new IPSecConf.main diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-vpn-3.1.3/test/ipsecconf_test.rb new/yast2-vpn-3.1.4/test/ipsecconf_test.rb --- old/yast2-vpn-3.1.3/test/ipsecconf_test.rb 2016-03-30 09:32:33.000000000 +0200 +++ new/yast2-vpn-3.1.4/test/ipsecconf_test.rb 2016-10-10 12:15:17.000000000 +0200 
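Review bot: `uninstall_customrules` calls `IO.readlines(CUSTOMRULES_BAK_FILE)` unconditionally, so the first Write with the daemon disabled on a host where `install_customrules` has never run (fresh install, or an upgrade from 3.1.3 which never wrote that file) raises `Errno::ENOENT` out of Write; add `return unless ::File.exist?(CUSTOMRULES_BAK_FILE)` after the nil check. In `merge_into_customrules_section`, when the section regex matches no line `lineno_chain` stays -1 and `lines.insert(0, *insert_cmds)` puts the iptables commands at the very top of the user's script, outside any `fw_custom_*` function, where they presumably run when the script is sourced rather than from the intended hook; log a warning and return `existing_txt` unchanged (or raise so Write can report it) instead. Both the presence test `line.index(cmd) != nil` and `remove_from_customrules` match substrings, so a commented-out `# iptables -A INPUT …` line counts as already present and a user line that merely contains one of the commands is deleted on uninstall; `line.strip == cmd` matches the "one command per line" assumption the comment states. `get_susefw_customrules` applies `::File.exist?` to the whole `FW_CUSTOMRULES` value, but 3.1.3 (see the removed lines in the @@ -214 hunk) appended its file to an existing value with a space separator, so an upgraded host carrying `user_script /etc/YaST2/vpn_firewall_rules` gets nil back and `install_customrules` then overwrites `FW_CUSTOMRULES` with `CUSTOMRULES_FILE`, silently dropping the user's own script from the firewall. Smaller points: the comment on `customrules_contain_all` is cut off at "Return true only if the" and the method is unused in this diff, `file_name = get_susefw_customrules` in the else branch of `install_customrules` is dead, and the template header `#/bin/bash` lacks the `!` of a shebang although the adjacent comment says the user may run the file manually.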
@@ -204,21 +204,127 @@ end end - describe ".GenFirewallScript" do - it "Creates a SuSE firewall script for all connections" do + describe ".gen_firewall_commands" do + it "Creates firewall commands for all connections" do # Set reduce MSS to true exported = Yast::IPSecConf.Export exported["tcp_reduce_mss"] = true Yast::IPSecConf.Import(exported) - expect(Yast::IPSecConf.GenFirewallScript).to eq "# The file is automatically generated by YaST VPN module. -# You may run the file using bourne-shell-compatible interpreter. + expect(Yast::IPSecConf.gen_firewall_commands).to eq [ + "iptables -A INPUT -p udp --dport 500 -j ACCEPT", + "iptables -A INPUT -p udp --dport 4500 -j ACCEPT", + "ip6tables -A INPUT -p udp --dport 500 -j ACCEPT", + "ip6tables -A INPUT -p udp --dport 4500 -j ACCEPT", + "iptables -A INPUT -p 50 -j ACCEPT", + "ip6tables -A INPUT -p 50 -j ACCEPT", + "iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1221:65535 -j TCPMSS --set-mss 1220", + "ip6tables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1221:65535 -j TCPMSS --set-mss 1220", + "iptables -A FORWARD -s 192.168.83.0/24 -j ACCEPT", + "iptables -A FORWARD -d 192.168.83.0/24 -j ACCEPT", + "iptables -t nat -A POSTROUTING -s 192.168.83.0/24 -j MASQUERADE", + "iptables -A FORWARD -s 192.168.98.0/24 -j ACCEPT", + "iptables -A FORWARD -d 192.168.98.0/24 -j ACCEPT", + "iptables -t nat -A POSTROUTING -s 192.168.98.0/24 -j MASQUERADE", + "iptables -A FORWARD -s 192.168.99.0/24 -j ACCEPT", + "iptables -A FORWARD -d 192.168.99.0/24 -j ACCEPT", + "iptables -t nat -A POSTROUTING -s 192.168.99.0/24 -j MASQUERADE" + ] + end + end + + describe ".merge_into_customrules" do + it "Merge iptable commands into appropriate sections of rules file" do + txt = "#/bin/bash fw_custom_after_chain_creation() { -iptables -A INPUT -p udp --dport 500 -j ACCEPT +true +} +fw_custom_after_chain_creation +fw_custom_before_port_handling() { +true +} +fw_custom_before_port_handling 
+fw_custom_before_masq() { +true +} +fw_custom_before_masq +fw_custom_before_denyall() { +true +} +fw_custom_before_denyall +fw_custom_after_finished() { +true +} +fw_custom_after_finished +" + cmds = [ + "ip6tables -A INPUT -p 50 -j ACCEPT", + "iptables -A INPUT -p udp --dport 4500 -j ACCEPT", + "iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1221:65535 -j TCPMSS --set-mss 1220", + "iptables -A FORWARD -d 192.168.99.0/24 -j ACCEPT", + "iptables -t nat -A POSTROUTING -s 192.168.99.0/24 -j MASQUERADE" + ] + expect(Yast::IPSecConf.merge_into_customrules(txt, cmds)).to eq "#/bin/bash +fw_custom_after_chain_creation() { +ip6tables -A INPUT -p 50 -j ACCEPT iptables -A INPUT -p udp --dport 4500 -j ACCEPT -ip6tables -A INPUT -p udp --dport 500 -j ACCEPT -ip6tables -A INPUT -p udp --dport 4500 -j ACCEPT -iptables -A INPUT -p 50 -j ACCEPT +true +} +fw_custom_after_chain_creation +fw_custom_before_port_handling() { +true +} +fw_custom_before_port_handling +fw_custom_before_masq() { +iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1221:65535 -j TCPMSS --set-mss 1220 +iptables -A FORWARD -d 192.168.99.0/24 -j ACCEPT +iptables -t nat -A POSTROUTING -s 192.168.99.0/24 -j MASQUERADE +true +} +fw_custom_before_masq +fw_custom_before_denyall() { +true +} +fw_custom_before_denyall +fw_custom_after_finished() { +true +} +fw_custom_after_finished +" + # In another exercise, merge with existing firewall commands with some overlap. 
+ txt = "#/bin/bash +fw_custom_after_chain_creation() { +iptables -A INPUT -p udp --dport 4500 -j ACCEPT +my_own_command1 +true +} +fw_custom_after_chain_creation +fw_custom_before_port_handling() { +true +} +fw_custom_before_port_handling +fw_custom_before_masq() { +my_own_command2 +iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1221:65535 -j TCPMSS --set-mss 1220 +my_own_command3 +iptables -A FORWARD -d 192.168.99.0/24 -j ACCEPT +my_own_command4 +true +} +fw_custom_before_masq +fw_custom_before_denyall() { +true +} +fw_custom_before_denyall +fw_custom_after_finished() { +true +} +fw_custom_after_finished +" + expect(Yast::IPSecConf.merge_into_customrules(txt, cmds)).to eq "#/bin/bash +fw_custom_after_chain_creation() { ip6tables -A INPUT -p 50 -j ACCEPT +iptables -A INPUT -p udp --dport 4500 -j ACCEPT +my_own_command1 true } fw_custom_after_chain_creation 
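Review bot: The new `.merge_into_customrules` examples only exercise scripts that contain every `fw_custom_*` section and only plain command lines, so the two inputs on which the merge logic is least obvious stay unpinned: a script missing one of the sections, and a script holding a commented-out copy of a command. Adding one example for each, with the expected output written down, would make the intended behaviour of `merge_into_customrules_section` explicit instead of leaving it to the implementation's index arithmetic and substring match. The `describe` block starts in this hunk and ends in the next one.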
@@ -227,17 +333,80 @@ } fw_custom_before_port_handling fw_custom_before_masq() { +iptables -t nat -A POSTROUTING -s 192.168.99.0/24 -j MASQUERADE +my_own_command2 iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1221:65535 -j TCPMSS --set-mss 1220 -ip6tables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1221:65535 -j TCPMSS --set-mss 1220 -iptables -A FORWARD -s 192.168.83.0/24 -j ACCEPT -iptables -A FORWARD -d 192.168.83.0/24 -j ACCEPT -iptables -t nat -A POSTROUTING -s 192.168.83.0/24 -j MASQUERADE -iptables -A FORWARD -s 192.168.98.0/24 -j ACCEPT -iptables -A FORWARD -d 192.168.98.0/24 -j ACCEPT -iptables -t nat -A POSTROUTING -s 192.168.98.0/24 -j MASQUERADE -iptables -A FORWARD -s 192.168.99.0/24 -j ACCEPT +my_own_command3 iptables -A FORWARD -d 192.168.99.0/24 -j ACCEPT +my_own_command4 +true +} +fw_custom_before_masq +fw_custom_before_denyall() { +true +} +fw_custom_before_denyall +fw_custom_after_finished() { +true +} +fw_custom_after_finished +" + end + end + describe ".remove_from_customrules" do + it "Remove iptable commands from rules file" do + txt = "#/bin/bash +fw_custom_after_chain_creation() { +ip6tables -A INPUT -p 50 -j ACCEPT +iptables -A INPUT -p udp --dport 4500 -j ACCEPT +my_own_command1 +true +} +fw_custom_after_chain_creation +fw_custom_before_port_handling() { +true +} +fw_custom_before_port_handling +fw_custom_before_masq() { iptables -t nat -A POSTROUTING -s 192.168.99.0/24 -j MASQUERADE +my_own_command2 +iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1221:65535 -j TCPMSS --set-mss 1220 +my_own_command3 +iptables -A FORWARD -d 192.168.99.0/24 -j ACCEPT +my_own_command4 +true +} +fw_custom_before_masq +fw_custom_before_denyall() { +true +} +fw_custom_before_denyall +fw_custom_after_finished() { +true +} +fw_custom_after_finished +" + cmds = [ + "ip6tables -A INPUT -p 50 -j ACCEPT", + "iptables -A INPUT -p udp --dport 4500 -j ACCEPT", + "iptables -A FORWARD -p tcp -m 
tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1221:65535 -j TCPMSS --set-mss 1220", + "iptables -A FORWARD -d 192.168.99.0/24 -j ACCEPT", + "iptables -t nat -A POSTROUTING -s 192.168.99.0/24 -j MASQUERADE" + ] + expect(Yast::IPSecConf.remove_from_customrules(txt, cmds)).to eq "#/bin/bash +fw_custom_after_chain_creation() { +my_own_command1 +true +} +fw_custom_after_chain_creation +fw_custom_before_port_handling() { +true +} +fw_custom_before_port_handling +fw_custom_before_masq() { +my_own_command2 +my_own_command3 +my_own_command4 true } fw_custom_before_masq