Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / boot / i386 / root / usr / share / YaST2 / modules / SuSEFirewall.ycp < prev next >

Wrap

Text File | 2006-11-29 | 84.5 KB | 2,752 lines

/** * Copyright 2004, Novell, Inc. All rights reserved. * * File: modules/SuSEFirewall.ycp * Package: SuSEFirewall configuration * Summary: Interface manipulation of /etc/sysconfig/SuSEFirewall * Authors: Lukas Ocilka <locilka@suse.cz> * * $id$ * * Module for handling SuSEfirewall2. */ { module "SuSEFirewall"; textdomain "base"; import "Mode"; import "Service"; import "NetworkDevices"; import "SuSEFirewallServices"; import "PortAliases"; import "Report"; import "Message"; import "Progress"; import "PortRanges"; #  /** * configuration hasn't been read for the default * this should reduce the readings to only ONE */ boolean configuration_has_been_read = false; /** * String which includes all interfaces not-defined in any zone */ global string special_all_interface_string = "any"; /** * Maximal number of port number, they are in the interval 1-65535 included */ global integer max_port_number = PortRanges::max_port_number; /** * Zone which works with the special_all_interface_string string */ global string special_all_interface_zone = "EXT"; /* firewall settings map */ map<string, any> SETTINGS = $[]; /* configuration was modified when true */ boolean modified = false; /* defines if SuSEFirewall is running */ boolean is_running = false; /* default settings for SuSEFirewall */ map<string, string> DEFAULT_SETTINGS = $[ "FW_LOG_ACCEPT_ALL" : "no", "FW_LOG_ACCEPT_CRIT" : "yes", "FW_LOG_DROP_ALL" : "no", "FW_LOG_DROP_CRIT" : "yes", "FW_PROTECT_FROM_INT" : "no", "FW_ROUTE" : "no", "FW_MASQUERADE" : "no", "FW_ALLOW_FW_TRACEROUTE" : "yes", "FW_ALLOW_PING_FW" : "yes", "FW_ALLOW_FW_BROADCAST_EXT" : "no", "FW_ALLOW_FW_BROADCAST_INT" : "no", "FW_ALLOW_FW_BROADCAST_DMZ" : "no", "FW_IGNORE_FW_BROADCAST_EXT" : "yes", "FW_IGNORE_FW_BROADCAST_INT" : "no", "FW_IGNORE_FW_BROADCAST_DMZ" : "no", "FW_IPSEC_TRUST" : "no", ]; /* verbose_level -> if verbosity is more than 0, be verbose, starting in verbose mode */ integer verbose_level = 1; /* list of known firewall zones */ list <string> known_firewall_zones = [ "INT", "DMZ", "EXT" ]; /* map defines zone name for all known firewall zones */ map <string, string> zone_names = $[ // TRANSLATORS: Firewall zone name - used in combo box or dialog title "EXT" : _("External Zone"), // TRANSLATORS: Firewall zone name - used in combo box or dialog title "INT" : _("Internal Zone"), // TRANSLATORS: Firewall zone name - used in combo box or dialog title "DMZ" : _("Demilitarized Zone"), ]; /* internal zone identification - useful for protect-from-internal */ string int_zone_shortname = "INT"; /* list of protocols supported in firewall, use only upper-cases */ list <string> supported_protocols = [ "TCP", "UDP", "RPC", "IP" ]; /* list of keys in map of definition well-known services */ list <string> service_defined_by = ["tcp_ports", "udp_ports", "rpc_ports", "ip_protocols", "broadcast_ports"]; /* list of services currently allowed, which share ports (for instance RPC services) */ map <string, list <string> > allowed_conflict_services = $[]; /* services needed for well-running firewall */ list <string> firewall_services = [ "SuSEfirewall2_init", "SuSEfirewall2_setup" ]; list <string> firewall_services_reverse = [ "SuSEfirewall2_setup", "SuSEfirewall2_init" ]; list <string> SuSEFirewall_variables = [ // zones and interfaces "FW_DEV_INT", "FW_DEV_DMZ", "FW_DEV_EXT", // services in zones "FW_SERVICES_INT_TCP", "FW_SERVICES_INT_UDP", "FW_SERVICES_INT_RPC", "FW_SERVICES_INT_IP", "FW_SERVICES_DMZ_TCP", "FW_SERVICES_DMZ_UDP", "FW_SERVICES_DMZ_RPC", "FW_SERVICES_DMZ_IP", "FW_SERVICES_EXT_TCP", "FW_SERVICES_EXT_UDP", "FW_SERVICES_EXT_RPC", "FW_SERVICES_EXT_IP", "FW_PROTECT_FROM_INT", // global routing, masquerading "FW_ROUTE", "FW_MASQUERADE", "FW_FORWARD_MASQ", "FW_FORWARD_ALWAYS_INOUT_DEV", // broadcast packets "FW_ALLOW_FW_BROADCAST_EXT", "FW_ALLOW_FW_BROADCAST_INT", "FW_ALLOW_FW_BROADCAST_DMZ", "FW_IGNORE_FW_BROADCAST_EXT", "FW_IGNORE_FW_BROADCAST_INT", "FW_IGNORE_FW_BROADCAST_DMZ", // logging "FW_LOG_DROP_CRIT", "FW_LOG_DROP_ALL", "FW_LOG_ACCEPT_CRIT", "FW_LOG_ACCEPT_ALL", // IPsec support "FW_IPSEC_TRUST", // Custom rulezz // net,protocol[,dport][,sport] "FW_SERVICES_ACCEPT_EXT", "FW_SERVICES_ACCEPT_INT", "FW_SERVICES_ACCEPT_DMZ", ]; #  #  /** * Function sets internal variable, which indicates, that any * "firewall settings were modified", to "true" */ global define void SetModified () { modified = true; } // Please, do not us this function // Only for firewall installation proposal global define void ResetModified () { y2milestone("Reseting firewall-modified to 'false'"); modified = false; } /** * Function returns list of known firewall zones (shortnames) * * @return list <string> of firewall zones */ global define list <string> GetKnownFirewallZones () { return known_firewall_zones; } global define boolean IsServiceSupportedInZone (string service, string zone); global define list <string> GetSpecialInterfacesInZone (string zone); global define void AddSpecialInterfaceIntoZone (string interface, string zone); /** * Variable for ReportOnlyOnce() function */ list <string> report_only_once = []; /** * Report the error, warning, message only once. * Stores the error, warning, message in memory. * This is just a helper function that could avoid from filling y2log up with * a lot of the very same messages - 'foreach()' is a very powerful builtin. * * @param string error, warning or message * @return boolean whether the message should be reported or not * * @example * string error = sformat("Port number %1 is invalid.", port_nr); * if (ReportOnlyOnce(error)) y2error(error); */ boolean ReportOnlyOnce (string what_to_report) { if (contains(report_only_once, what_to_report)) { return false; } else { report_only_once = add (report_only_once, what_to_report); return true; } } #  #  /** * Function returns whether the feature 'any' network interface is supported in the * firewall configuration. The string 'any' must be in the 'EXT' zone. * * @return boolean is_supported whether the feature is supported or not */ global boolean IsAnyNetworkInterfaceSupported () { return contains(GetSpecialInterfacesInZone(special_all_interface_zone), special_all_interface_string); } /** * Function return list of variables needed for SuSEFirewall's settings. * * @return list <string> of names of variables */ list <string> GetListOfSuSEFirewallVariables () { return SuSEFirewall_variables; } /** * Local function for increasing the verbosity level. */ void IncreaseVerbosity () { verbose_level = verbose_level + 1; } /** * Local function for decreasing the verbosity level. */ void DecreaseVerbosity () { verbose_level = verbose_level - 1; } /** * Local function returns if other functions should produce verbose output. * like popups, reporting errors, etc. */ boolean IsVerbose () { // verbose level must be above zero to be verbose return (verbose_level > 0); } /** * Local function for returning default values (if defined) for sysconfig variables. * * @param string sysconfig variable */ string GetDefaultValue (string variable) { return (string) DEFAULT_SETTINGS[variable]:""; } /** * Local function for reading list of sysconfig variables into internal variables. * * @param list <string> of sysconfig variables */ void ReadSysconfigSuSEFirewall (list<string> variables) { foreach (string variable, variables, { string value = (string) SCR::Read(add(.sysconfig.SuSEfirewall2,variable)); // if variable is undefined, get default value if (value == nil || value == "") value = GetDefaultValue(variable); // see bugzilla #194419 // replace all "\n" with " " in variables if (regexpmatch(value, "\n")) value = mergestring(splitstring(value, "\n"), " "); // replace all "\t" with " " in variables if (regexpmatch(value, "\t")) value = mergestring(splitstring(value, "\t"), " "); SETTINGS[variable] = value; }); } /** * Local function for reseting list of sysconfig variables in internal variables. * * @param list <string> of sysconfig variables */ void ResetSysconfigSuSEFirewall (list<string> variables) { foreach (string variable, variables, { // reseting means getting default variables SETTINGS[variable] = GetDefaultValue(variable); }); } /** * Local function for writing the list of internal variables into sysconfig. * List of variables is list of keys in SETTINGS map, to sync configuration * into the disk, use `nil` as the last list item. * * @param list <string> of sysconfig variables */ boolean WriteSysconfigSuSEFirewall (list<string> variables) { boolean write_status = true; foreach (string variable, variables, { write_status = (boolean) SCR::Write( add(.sysconfig.SuSEfirewall2,variable), // if variable is undefined, get default value SETTINGS[variable]:GetDefaultValue(variable) ); if (! write_status) { Report::Error(Message::CannotWriteSettingsTo("/etc/sysconfig/SuSEFirewall")); break; } }); write_status = SCR::Write(.sysconfig.SuSEfirewall2, nil); if (! write_status) { Report::Error(Message::CannotWriteSettingsTo("/etc/sysconfig/SuSEFirewall")); } return write_status; } /** * Local function returns if protocol is supported by firewall. * Protocol name must be in upper-cases. * * @param string protocol * @return boolean if protocol is supported */ boolean IsSupportedProtocol (string protocol) { return contains(supported_protocols, protocol); } /** * Local function returns if zone (shortname like "EXT") is supported by firewall. * Undefined zones are, for sure, unsupported. * * @param string zone shortname * @return boolean if zone is known and supported. */ boolean IsKnownZone (string zone) { boolean is_zone = false; foreach (string known_zone, GetKnownFirewallZones(), { if (known_zone == zone) { is_zone = true; break; } }); return is_zone; } /** * Local function returns configuration string used in configuration for zone. * For instance "ext" for "EXT" zone. * * @param string zone shortname * @return string zone configuration string */ string GetZoneConfigurationString (string zone) { if (IsKnownZone(zone)) { // zones in SuSEFirewall configuration are identified by lowercased zone shorters return tolower(zone); } return nil; } /** * Local function returns zone name (shortname) for configuration string. * For instance "EXT" for "ext" zone. * * @param string zone configuration string * @return string zone shortname */ string GetConfigurationStringZone (string zone_string) { if (IsKnownZone(toupper(zone_string))) { // zones in SuSEFirewall configuration are identified by lowercased zone shorters return toupper(zone_string); } return nil; } /** * Function returns list of allowed services for zone and protocol * * @param string zone * @param string protocol * @return list <string> of allowed services/ports */ list <string> GetAllowedServicesForZoneProto (string zone, string protocol) { return splitstring(SETTINGS["FW_SERVICES_" + zone + "_" + protocol]:"", " "); } /** * Function sets list of services as allowed ports for zone and protocol * * @param list <string> of allowed ports/services * @param string zone * @param string protocol */ void SetAllowedServicesForZoneProto (list <string> allowed_services, string zone, string protocol) { SetModified(); SETTINGS["FW_SERVICES_" + zone + "_" + protocol] = mergestring (toset(allowed_services), " "); } /** * Local function returns configuration string for broadcast packets. * * @return string with broadcast configuration */ string GetBroadcastConfiguration (string zone) { return SETTINGS["FW_ALLOW_FW_BROADCAST_" + zone]:"no"; } /** * Local function saves configuration string for broadcast packets. * * @param string with broadcast configuration */ void SetBroadcastConfiguration (string zone, string broadcast_configuration) { SetModified(); SETTINGS["FW_ALLOW_FW_BROADCAST_" + zone] = broadcast_configuration; } /** * Local function return map of allowed ports (without aliases). * If any list for zone is defined but empty, all allowed * UDP ports for this zone also accept broadcast packets. * * @return map <zone, list <string> > strings are allowed ports or port ranges */ global define map <string, list <string> > GetBroadcastAllowedPorts () { map <string, list <string> > allowed_ports = $[]; foreach (string zone, GetKnownFirewallZones(), { string broadcast = GetBroadcastConfiguration(zone); // no broadcast allowed for this zone if (broadcast == "no") { allowed_ports[zone] = []; // all UDP port allowed in zone also allow broadcast } else if (broadcast == "yes") { allowed_ports[zone] = GetAllowedServicesForZoneProto (zone, "UDP"); // only listed ports allows broadcast } else { allowed_ports[zone] = splitstring(broadcast, " "); allowed_ports[zone] = filter (string not_space, splitstring(broadcast, " "), { return not_space != ""; }); } }); y2debug("Allowed Broadcast Ports: %1", allowed_ports); return allowed_ports; } /** * Function creates allowed-broadcast-ports string from broadcast map and saves it. * * @param map <zone_string, list <string> > strings are allowed ports or port ranges */ global define void SetBroadcastAllowedPorts (map <string, list <string> > broadcast) { SetModified(); foreach (string zone, GetKnownFirewallZones(), { SetBroadcastConfiguration(zone, mergestring(broadcast[zone]:[], " ")); }); } /** * Function returns if broadcast is allowed for needed ports in zone. * * @param list <string> ports * @param string zone * @return boolean if is allowed */ boolean IsBroadcastAllowed (list <string> needed_ports, string zone) { if (size(needed_ports)==0) { y2warning("Unknown service with no needed ports!"); return nil; } // getting broadcast allowed ports map <string, list <string> > allowed_ports_map = GetBroadcastAllowedPorts(); // Divide allowed port ranges and aliases (also with their port aliases) map <string, list <string> > allowed_ports_divided = PortRanges::DividePortsAndPortRanges ( allowed_ports_map[zone]:[], true ); // If there are no allowed ports at all if (allowed_ports_divided["ports"]:[] == [] && allowed_ports_divided["port_ranges"]:[] == []) { return false; } // clean up the memory a bit allowed_ports_map = nil; boolean is_allowed = true; // checking all needed ports; foreach (string needed_port, needed_ports, { // allowed ports don't contain the needed one and also portranges don't if ( !contains (allowed_ports_divided["ports"]:[], needed_port) && !PortRanges::PortIsInPortranges (needed_port, allowed_ports_divided["port_ranges"]:[]) ) { is_allowed = false; break; } }); return is_allowed; } /** * Local function removes list of ports from port allowing broadcast packets in zone. * * @param list <of ports> to be removed * @param string zone */ void RemoveAllowedBroadcast (list <string> needed_ports, string zone) { SetModified(); map <string, list <string> > allowed_ports = GetBroadcastAllowedPorts(); list <string> list_ports_allowed = allowed_ports[zone]:[]; // ports to be allowed one by one foreach (string allow_this_port, needed_ports, { // remove all aliases of ports yet mentioned in zone list <string> aliases_of_port = PortAliases::GetListOfServiceAliases(allow_this_port); list_ports_allowed = filter (string just_allowed, list_ports_allowed, { return (! contains(aliases_of_port, just_allowed)); }); }); allowed_ports[zone] = list_ports_allowed; // save it using function SetBroadcastAllowedPorts(allowed_ports); } /** * Local function adds list of ports to ports accepting broadcast * * @param list <string> of ports */ void AddAllowedBroadcast (list <string> needed_ports, string zone) { // changing only if ports are not allowed if (! IsBroadcastAllowed (needed_ports, zone)) { SetModified(); map <string, list <string> > allowed_ports = GetBroadcastAllowedPorts(); list <string> list_ports_allowed = allowed_ports[zone]:[]; // ports to be allowed one by one foreach (string allow_this_port, needed_ports, { // at first: remove all aliases of ports yet mentioned in zone list <string> aliases_of_port = PortAliases::GetListOfServiceAliases(allow_this_port); list_ports_allowed = filter (string just_allowed, list_ports_allowed, { return (! contains(aliases_of_port, just_allowed)); }); // at second: add only one list_ports_allowed = add(list_ports_allowed, allow_this_port); }); allowed_ports[zone] = list_ports_allowed; // save it using function SetBroadcastAllowedPorts(allowed_ports); } } /** * Local function for removing (disallowing) single service/port * for defined protocol and zone. Functions doesn't take care of * port-aliases. * * @param string service/port * @param string protocol * @param string zone * @return boolean success */ boolean RemoveServiceFromProtocolZone(string remove_service, string protocol, string zone) { SetModified(); string key = "FW_SERVICES_" + zone + "_" + protocol; list <string> allowed = splitstring(SETTINGS[key]:"", " "); allowed = filter (string single_service, allowed, { return single_service != "" && single_service != remove_service; }); SETTINGS[key] = mergestring(toset(allowed), " "); return true; } /** * Local function removes ports and their aliases (if check_for_aliases is true), for * requested protocol and zone. * * @param list <string> ports to be removed * @param string protocol * @param string zone * @param boolean check for port-aliases */ void RemoveAllowedPortsOrServices (list <string> remove_ports, string protocol, string zone, boolean check_for_aliases) { if (size(remove_ports)<1) { y2warning("Undefined list of %1 services/ports for service", protocol); return; } SetModified(); // all allowed ports map <string, list <string> > allowed_services = PortRanges::DividePortsAndPortRanges ( GetAllowedServicesForZoneProto (zone, protocol), false ); // removing all aliases of ports too, adding aliases into if (check_for_aliases) { list <string> remove_ports_with_aliases = []; foreach (string remove_port, remove_ports, { // skip port ranges, they cannot have any port-alias if (PortRanges::IsPortRange (remove_port)) { remove_ports_with_aliases = add (remove_ports_with_aliases, remove_port); return; } list <string> remove_these_ports = PortAliases::GetListOfServiceAliases(remove_port); if (remove_these_ports == nil) { remove_these_ports = [ remove_port ]; } remove_ports_with_aliases = (list<string>) union (remove_ports_with_aliases, remove_these_ports ); }); remove_ports = remove_ports_with_aliases; } remove_ports = toset(remove_ports); // Remove ports only once (because of port aliases), any => integers and strings list <any> already_removed = []; foreach (string remove_port, remove_ports, { // Removing from normal ports allowed_services["ports"] = filter (string allowed_port, allowed_services["ports"]:[], { return allowed_port != "" && allowed_port != remove_port; }); // Removing also from port ranges if (allowed_services["port_ranges"]:[] != []) { // Removing a real port from port ranges if (! PortRanges::IsPortRange (remove_port)) { integer remove_port_nr = PortAliases::GetPortNumber(remove_port); // Because of all port aliases if (!contains(already_removed, remove_port_nr)) { already_removed = add (already_removed, remove_port_nr); allowed_services["port_ranges"] = PortRanges::RemovePortFromPortRanges ( remove_port_nr, allowed_services["port_ranges"]:[] ); } // Removing a port range from port ranges } else { if (!contains(already_removed, remove_port)) { // Just filtering the exact port range allowed_services["port_ranges"] = filter (string one_port_range, allowed_services["port_ranges"]:[], { return one_port_range != remove_port; }); already_removed = add (already_removed, remove_port); } } } }); list <string> allowed_services_all = (list <string>) union ( allowed_services["ports"]:[], allowed_services["port_ranges"]:[] ); allowed_services_all = PortRanges::FlattenServices (allowed_services_all, protocol); SetAllowedServicesForZoneProto (allowed_services_all, zone, protocol); } /** * Local function allows ports for requested protocol and zone. * * @param list <string> ports to be added * @param string protocol * @param string zone */ void AddAllowedPortsOrServices (list <string> add_ports, string protocol, string zone) { if (size(add_ports)<1) { y2warning("Undefined list of %1 services/ports for service", protocol); return; } SetModified(); // all allowed ports list <string> allowed_services = GetAllowedServicesForZoneProto (zone, protocol); allowed_services = (list<string>) union (allowed_services, add_ports); allowed_services = PortRanges::FlattenServices (allowed_services, protocol); SetAllowedServicesForZoneProto (allowed_services, zone, protocol); } /** * Local function removes well-known service's support from zone. * Allowed ports are removed with all of their port-aliases. * * @param string service id * @param string zone */ void RemoveServiceSupportFromZone (string service, string zone) { map <string, list <string> > needed = SuSEFirewallServices::GetNeededPortsAndProtocols(service); // unknown service if (needed == nil) { y2error("Undefined service '%1'", service); return nil; } SetModified(); // Removing service ports (and also port aliases for TCP and UDP) foreach (string key, service_defined_by, { list <string> needed_ports = needed[key]:[]; if (needed_ports == []) return; if (key == "tcp_ports") { RemoveAllowedPortsOrServices(needed_ports, "TCP", zone, true); } else if (key == "udp_ports") { RemoveAllowedPortsOrServices(needed_ports, "UDP", zone, true); } else if (key == "rpc_ports") { RemoveAllowedPortsOrServices(needed_ports, "RPC", zone, false); } else if (key == "ip_protocols") { RemoveAllowedPortsOrServices(needed_ports, "IP", zone, false); } else if ("broadcast_ports" == key) { RemoveAllowedBroadcast(needed_ports, zone); } else { y2error("Unknown key '%1'", key); } }); } /** * Local function adds well-known service's support into zone. It first of all * removes the current support for service with port-aliases. * * @param string service id * @param string zone */ void AddServiceSupportIntoZone (string service, string zone) { map <string, list <string> > needed = SuSEFirewallServices::GetNeededPortsAndProtocols(service); // unknown service if (needed == nil) { y2error("Undefined service '%1'", service); return nil; } SetModified(); // Removing service ports first (and also port aliases for TCP and UDP) if (IsServiceSupportedInZone(service,zone)) { RemoveServiceSupportFromZone(service,zone); } foreach (string key, service_defined_by, { list <string> needed_ports = needed[key]:[]; if (needed_ports == []) return; if (key == "tcp_ports") { AddAllowedPortsOrServices(needed_ports, "TCP", zone); } else if (key == "udp_ports") { AddAllowedPortsOrServices(needed_ports, "UDP", zone); } else if (key == "rpc_ports") { AddAllowedPortsOrServices(needed_ports, "RPC", zone); } else if (key == "ip_protocols") { AddAllowedPortsOrServices(needed_ports, "IP", zone); } else if ("broadcast_ports" == key) { AddAllowedBroadcast(needed_ports, zone); } else { y2error("Unknown key '%1'", key); } }); } /** * Local function returns conflicting services. * * @return list <string> of services */ list <string> GetPossiblyConflictServices () { return SuSEFirewallServices::GetPossiblyConflictServices(); } /** * Local function for handling conflicting services in memory. * Makes sense for services which share ports like RPC services. * * @param string service id * @param boolean enable or disable */ void HandleConflictService(string service, string zone, boolean enable) { // only possibly conflict services are handled if (! contains(GetPossiblyConflictServices(), service)) return; SetModified(); if (enable) { // adding new conflict service into list of allowed services allowed_conflict_services[zone] = toset(add(allowed_conflict_services[zone]:[], service)); } else { // removing current conflict service from list allowed_conflict_services[zone] = filter(string filter_service, allowed_conflict_services[zone]:[], { return filter_service != service; }); // adding all allowed conflict services again foreach (string conflict_service, allowed_conflict_services[zone]:[], { AddServiceSupportIntoZone (conflict_service, zone); }); } } #  #  /** * Functions returns if any firewall's configuration was modified * or wasn't * * @return boolean if the configuration was modified */ global define boolean GetModified () { return modified; } /** * Function resets flag which doesn't allow to read configuration from disk again */ global define void ResetReadFlag () { configuration_has_been_read = false; } /** * Function returns name of the zone identified by zone shortname. * * @param string short name * @return string zone name */ global define string GetZoneFullName (string zone) { // TRANSLATORS: Firewall zone full-name, used as combo box item or dialog title return zone_names[zone]:_("Unknown Zone"); } /** * Function sets if firewall should be protected from internal zone. * * @param boolean set to be protected from internal zone */ global define void SetProtectFromInternalZone (boolean set_protect) { SetModified(); if (set_protect) { SETTINGS["FW_PROTECT_FROM_INT"] = "yes"; } else { SETTINGS["FW_PROTECT_FROM_INT"] = "no"; } } /** * Function returns if firewall is protected from internal zone * * @return boolean if protected from internal */ global define boolean GetProtectFromInternalZone () { return (SETTINGS["FW_PROTECT_FROM_INT"]:"no" == "yes"); } /** * Function sets if firewall should support routing. * * @param boolean set to support route or not */ global define void SetSupportRoute (boolean set_route) { SetModified(); if (set_route) { SETTINGS["FW_ROUTE"] = "yes"; } else { SETTINGS["FW_ROUTE"] = "no"; } } /** * Function returns if firewall supports routing. * * @return boolean if route is supported */ global define boolean GetSupportRoute () { return (SETTINGS["FW_ROUTE"]:"no" == "yes"); } /** * Function sets how firewall should trust successfully decrypted IPsec packets. * It should be the zone name (shortname) or 'no' to trust packets the same as * firewall trusts the zone from which IPsec packet came. * * @param string zone or "no" */ global define void SetTrustIPsecAs (string zone) { SetModified(); // do not trust if (zone == "no") { SETTINGS["FW_IPSEC_TRUST"] = "no"; } else { // trust IPsec is a known zone if (IsKnownZone(zone)) { zone = GetZoneConfigurationString(zone); SETTINGS["FW_IPSEC_TRUST"] = zone; // unknown zone, changing to default value } else { string defaultv = GetDefaultValue("FW_IPSEC_TRUST"); y2warning("Trust IPsec as '%1' (unknown zone) changed to '%2'", zone, defaultv); SETTINGS["FW_IPSEC_TRUST"] = defaultv; } } } /** * Function returns the trust level of IPsec packets. * See SetTrustIPsecAs() for more information. * * @return string zone or "no" */ global define string GetTrustIPsecAs () { // do not trust if (SETTINGS["FW_IPSEC_TRUST"]:nil == "no") { return "no"; // default value for 'yes" ~= "INT" } else if (SETTINGS["FW_IPSEC_TRUST"]:nil == "yes") { return "INT"; } else { string zone = GetConfigurationStringZone(SETTINGS["FW_IPSEC_TRUST"]:""); // trust as named zone (if known) if (IsKnownZone(zone)) { return zone; // unknown zone, change to default value } else { SetModified(); string defaultv = GetDefaultValue("FW_IPSEC_TRUST"); y2warning("Trust IPsec as '%1' (unknown zone) changed to '%2'", SETTINGS["FW_IPSEC_TRUST"]:"", defaultv); SetTrustIPsecAs(defaultv); return "no"; } } } /** * Function which returns if SuSEfirewall should start in Write process * * @return boolean if the firewall should start */ global define boolean GetStartService () { return (boolean) SETTINGS["start_firewall"]:false; } /** * Function which sets if SuSEfirewall should start in Write process * * @param boolean start_service at Write() process */ global define void SetStartService (boolean start_service) { if (GetStartService() != start_service) { SetModified(); y2milestone("Setting start-firewall to %1", start_service); SETTINGS["start_firewall"] = start_service; } else { // without set modified! y2milestone("start-firewall has been already set to %1", start_service); SETTINGS["start_firewall"] = start_service; } } /** * Function which returns whether SuSEfirewall should be enabled in * /etc/init.d/ starting scripts during the Write() process * @see Write() * @see EnableServices() * * @return boolean if the firewall should start */ global define boolean GetEnableService () { return (boolean) SETTINGS["enable_firewall"]:false; } /** * Function which sets if SuSEfirewall should start in Write process * * @param boolean start_service at Write() process */ global define void SetEnableService (boolean enable_service) { if (GetEnableService() != enable_service) { SetModified(); y2milestone("Setting enable-firewall to %1", enable_service); SETTINGS["enable_firewall"] = enable_service; } else { // without set modified y2milestone("enable-firewall has been already set to %1", enable_service); SETTINGS["enable_firewall"] = enable_service; } } /** * Functions starts services needed for SuSEFirewall * * @return boolean result */ global define boolean StartServices () { boolean all_ok = true; // bug #215416 // SuSEfirewall2_init doesn't need to be called, only enabled //foreach (string service, firewall_services, { // y2debug("Starting service: %1", service); // // if (! Service::Start(service)) { // all_ok = false; // y2error("Error starting service: %1", service); // } //}); //string tmpdir_file = (string) SCR::Read(.target.tmpdir); //if (tmpdir_file == nil || tmpdir_file == "") tmpdir_file = "/tmp"; string tmpdir_file = "/var/lib/YaST2"; tmpdir_file = tmpdir_file + "/SuSEfirewall2_YaST_output"; string command = sformat( "/sbin/SuSEfirewall2 start 2>'%1'; cat '%1'; rm -rf '%1'", tmpdir_file ); y2milestone ("Starting firewall..."); map cmd = (map) SCR::Execute (.target.bash_output, command); if (cmd["exit"]:nil != 0) { y2error ("Starting firewall: >%1< returned %2", command, cmd); all_ok = false; } else { y2milestone ("Started"); } return all_ok; } /** * Functions stops services needed for SuSEFirewall * * @return boolean result */ global define boolean StopServices () { boolean all_ok = true; // bug #215416 // SuSEfirewall2_init doesn't need to be called, only disabled //foreach (string service, firewall_services_reverse, { // y2debug("Stopping service: %1", service); // // if (! Service::Stop (service)) { // y2error("Error stopping service: %1", service); // all_ok = false; // } //}); // string tmpdir_file = (string) SCR::Read(.target.tmpdir); // if (tmpdir_file == nil || tmpdir_file == "") tmpdir_file = "/tmp"; string tmpdir_file = "/var/lib/YaST2"; tmpdir_file = tmpdir_file + "/SuSEfirewall2_YaST_output"; string command = sformat( "/sbin/SuSEfirewall2 stop 2>'%1'; cat '%1'; rm -rf '%1'", tmpdir_file ); y2milestone ("Stopping firewall..."); map cmd = (map) SCR::Execute (.target.bash_output, command); if (cmd["exit"]:nil != 0) { y2error ("Stopping firewall: >%1< returned %2", command, cmd); all_ok = false; } else { y2milestone ("Stopped"); } return all_ok; } /** * Functions enables services needed for SuSEFirewall in /etc/inet.d/ * * @return boolean result */ global define boolean EnableServices () { boolean all_ok = true; foreach (string service, firewall_services, { y2debug("Enabling service: %1", service); if (! Service::Enable(service)) { all_ok = true; // TRANSLATORS: a popup error message Report::Error (sformat (_("Cannot enable service '%1'."), service)); } }); return all_ok; } /** * Functions disables services needed for SuSEFirewall in /etc/inet.d/ * * @return boolean result */ global define boolean DisableServices () { boolean all_ok = true; foreach (string service, firewall_services_reverse, { y2debug("Disabling service: %1", service); if (! Service::Disable(service)) { all_ok = false; // TRANSLATORS: a popup error message Report::Error (sformat (_("Cannot disable service '%1'."), service)); } }); return all_ok; } /** * Function determines if all SuSEFirewall scripts are enabled in * init scripts /etc/init.d/ now. * For configuration "enabled" status use GetEnableService(). * * @return boolean if enabled */ global define boolean IsEnabled () { boolean enabled = false; //if (Mode::normal() || Mode::commandline()) { foreach (string service, firewall_services, { enabled = Service::Enabled(service); // All services have to be enabled if (!enabled) { y2milestone("Firewall service %1 is not enabled", service); break; } }); //} if (enabled) { y2milestone("Firewall init scripts are enabled"); } return enabled; } /** * Function determines if at least one SuSEFirewall script is started now. * For configuration "started" status use GetStartService(). * * @return boolean if started */ global define boolean IsStarted () { boolean started = false; //if (Mode::normal() || Mode::commandline()) { foreach (string service, firewall_services, { if (Service::Status(service) == 0) { started = true; break; } }); //} if (started == true) { y2milestone("Firewall services are started"); } else { y2milestone("Firewall services are stopped"); } return started; } /** * Function for getting exported SuSEFirewall configuration * * @return map <string, any> with configuration */ global define map <string, any> Export () { return SETTINGS; } /** * Function for setting SuSEFirewall configuration from input * * @param map <string, any> with configuration */ global define void Import (map <string, any> import_settings) { SetModified(); SETTINGS = import_settings; } /** * Function returns if the interface is in zone. * * @param string interface * @param string firewall zone * @return boolean is in zone */ global define boolean IsInterfaceInZone(string interface, string zone) { list <string> interfaces = splitstring(SETTINGS[ "FW_DEV_" + zone ]:"", " "); return contains(interfaces, interface); } /** * Function returns the firewall zone of interface, nil if no zone includes * the interface. Error is reported when interface is found in multiple * firewall zones, then the first appearance is returned. * * @param string interface * @return string zone */ global define string GetZoneOfInterface (string interface) { list interface_zone = []; foreach (string zone, GetKnownFirewallZones(), { if (IsInterfaceInZone(interface, zone)) interface_zone = add (interface_zone, zone); }); if (IsVerbose() && size(interface_zone) > 1) { // TRANSLATORS: Error message, %1 = interface name (like eth0) Report::Error(sformat(_("Interface '%1' is included in multiple firewall zones. Continuing with configuration can produce errors. It is recommended to leave the configuration and repair it manually in the file '/etc/sysconfig/SuSEFirewall'."), interface)); } // return the first existence of interface in zones // if it is not presented anywhere, nil is returned return (string) interface_zone[0]:nil; } /** * Function returns list of zones of requested interfaces * * @param list<string> interfaces * @param list<string> firewall zones */ global define list<string> GetZonesOfInterfaces (list<string> interfaces) { list<string> zones = []; string zone = ""; foreach (string interface, interfaces, { zone = GetZoneOfInterface(interface); if (zone != nil) zones = add(zones, zone); }); return toset(zones); } global define list<string> GetInterfacesInZoneSupportingAnyFeature (string zone); /** * Function returns list of zones of requested interfaces. * Special string 'any' in 'EXT' zone is supported. * * @param list<string> interfaces * @param list<string> firewall zones */ global define list<string> GetZonesOfInterfacesWithAnyFeatureSupported (list<string> interfaces) { list<string> zones = []; string zone = ""; // 'any' in 'EXT' list <string> interfaces_covered_by_any = SuSEFirewall::GetInterfacesInZoneSupportingAnyFeature(special_all_interface_zone); foreach (string interface, interfaces, { // interface is covered by 'any' in 'EXT' if (contains(interfaces_covered_by_any, interface)) zone = special_all_interface_zone; // interface is explicitely mentioned in some zone else zone = GetZoneOfInterface(interface); if (zone != nil) zones = add(zones, zone); }); return toset(zones); } /** * Function returns list of maps of known interfaces. * @struct [ $[ "id":"modem0", "name":"Askey 815C", "type":"dialup", "zone":"EXT" ], ... ] * * @return list <map <string, string> > */ global define list <map <string, string> > GetAllKnownInterfaces () { list <map <string, string> > known_interfaces = []; // All dial-up interfaces list <string> dialup_interfaces = NetworkDevices::List("dialup"); dialup_interfaces = filter(string interface, dialup_interfaces, ``{ return interface != "" && !issubstring(interface, "lo") && !issubstring(interface, "sit"); }); // All non-dial-up interfaces list <string> non_dialup_interfaces = NetworkDevices::List(""); non_dialup_interfaces = filter(string interface, non_dialup_interfaces, ``{ return interface != "" && !issubstring(interface, "lo") && !issubstring(interface, "sit") && !contains(dialup_interfaces, interface); }); foreach (string interface, dialup_interfaces, { known_interfaces = add(known_interfaces, $[ "id" : interface, "type" : "dialup", // using function to get name "name" : NetworkDevices::GetValue(interface, "NAME"), "zone" : GetZoneOfInterface(interface), ]); }); foreach (string interface, non_dialup_interfaces, { known_interfaces = add(known_interfaces, $[ "id" : interface, // using function to get name "name" : NetworkDevices::GetValue(interface, "NAME"), "zone" : GetZoneOfInterface(interface), ]); }); return known_interfaces; } /** * Function returns list of non-dial-up interfaces. * * @return list <string> of non-dial-up interface names */ global define list <string> GetAllNonDialUpInterfaces () { list <string> non_dial_up_interfaces = []; foreach (map<string, string> interface, SuSEFirewall::GetAllKnownInterfaces(), { if (interface["type"]:nil != "dial_up") non_dial_up_interfaces = add (non_dial_up_interfaces, interface["id"]:""); }); return non_dial_up_interfaces; } /** * Function returns list of dial-up interfaces. * * @return list <string> of dial-up interface names */ global define list <string> GetAllDialUpInterfaces () { list <string> dial_up_interfaces = []; foreach (map <string, string> interface, SuSEFirewall::GetAllKnownInterfaces(), { if (interface["type"]:nil == "dial_up") dial_up_interfaces = add (dial_up_interfaces, interface["id"]:""); }); return dial_up_interfaces; } /** * Function returns list of all known interfaces. * * @return list <string> of interfaces */ global define list <string> GetListOfKnownInterfaces () { list <string> interfaces = []; foreach (map interface_map, GetAllKnownInterfaces(), { interfaces = add (interfaces, interface_map["id"]:""); }); return interfaces; } /** * Function removes interface from defined zone. * * @param string interface * @param string zone */ global define void RemoveInterfaceFromZone (string interface, string zone) { SetModified(); y2milestone("Removing interface '%1' from '%2' zone.", interface, zone); list <string> interfaces_in_zone = splitstring (SETTINGS["FW_DEV_" + zone]:"", " "); interfaces_in_zone = filter (string single_interface, interfaces_in_zone, { return single_interface != "" && single_interface != interface; }); SETTINGS["FW_DEV_" + zone] = mergestring(interfaces_in_zone, " "); } /** * Functions adds interface into defined zone. * All appearances of interface in other zones are removed. * * @param string interface * @param string zone */ global define void AddInterfaceIntoZone (string interface, string zone) { SetModified(); string current_zone = GetZoneOfInterface(interface); DecreaseVerbosity(); // removing all appearances of interface in zones, excepting current_zone==new_zone while (current_zone != nil && current_zone != zone) { // interface is in any zone already, removing it at first if (current_zone != zone) { RemoveInterfaceFromZone(interface, current_zone); } current_zone = GetZoneOfInterface(interface); } IncreaseVerbosity(); y2milestone("Adding interface '%1' into '%2' zone.", interface, zone); list <string> interfaces_in_zone = splitstring (SETTINGS["FW_DEV_" + zone]:"", " "); interfaces_in_zone = toset(add (interfaces_in_zone, interface)); SETTINGS["FW_DEV_" + zone] = mergestring(interfaces_in_zone, " "); } /** * Function returns list of known interfaces in requested zone. * Special strings like 'any' or 'auto' and unknown interfaces are removed from list. * * @param string zone * @return list <string> of interfaces */ global define list<string> GetInterfacesInZone (string zone) { list <string> interfaces_in_zone = splitstring (SETTINGS["FW_DEV_" + zone]:"", " "); list <string> known_interfaces_now = GetListOfKnownInterfaces(); // filtering special strings interfaces_in_zone = filter(string interface, interfaces_in_zone, ``{ return interface != "" && contains(known_interfaces_now, interface); }); return interfaces_in_zone; } /** * Function returns all interfaces configured in firewall, already * * @return list <string> of configured interfaces */ global define list<string> GetFirewallInterfaces () { list<string> firewall_configured_devices = []; foreach (string zone, GetKnownFirewallZones(), { firewall_configured_devices = (list<string>) union (firewall_configured_devices, GetInterfacesInZone(zone)); }); return toset(firewall_configured_devices); } /** * Returns list of interfaces not mentioned in any zone and covered by the * special string 'any' in zone 'EXT' if such string exists there and the zone * is EXT. * * @param string zone * @return list <string> of interfaces covered by special string 'any' */ global define list<string> InterfacesSupportedByAnyFeature (string zone) { list <string> result = []; if (zone == special_all_interface_zone && IsAnyNetworkInterfaceSupported()) { list <string> known_interfaces_now = GetListOfKnownInterfaces(); list <string> configured_interfaces = GetFirewallInterfaces(); foreach (string one_interface, known_interfaces_now, { if (! contains(configured_interfaces, one_interface)) { y2milestone("Interface '%1' supported by special string '%2' in zone '%3'", one_interface, special_all_interface_string, special_all_interface_zone); result = add (result, one_interface); } }); } return result; } /** * Function returns list of known interfaces in requested zone. * Special string 'any' in EXT zone covers all interfaces without * any zone assignment. * * @param string zone * @return list <string> of interfaces */ global define list<string> GetInterfacesInZoneSupportingAnyFeature (string zone) { list <string> interfaces_in_zone = GetInterfacesInZone(zone); // 'any' in EXT zone, add all interfaces without zone to this one list <string> interfaces_covered_by_any = InterfacesSupportedByAnyFeature(zone); if (size(interfaces_covered_by_any)>0) { interfaces_in_zone = (list <string>) union (interfaces_in_zone, interfaces_covered_by_any); } return interfaces_in_zone; } boolean ArePortsOrServicesAllowed (list <string> needed_ports, string protocol, string zone, boolean check_for_aliases); /** * Function returns if requested service is allowed in respective zone. * Function takes care for service's aliases (only for TCP and UDP). * * @param string service (service name, port name, port alias or port number) * @param protocol TCP, UDP, RCP or IP * @param interface name (like modem0), firewall zone (like "EXT") or "any" for all zones. * @return boolean if service is allowed */ global define boolean HaveService(string service, string protocol, string interface) { if (! IsSupportedProtocol(protocol)) { y2error("Unknown protocol: %1", protocol); return nil; } // definition of searched zones list<string> zones = []; // "any" for all zones, this is ugly if (interface == "any") { zones = GetKnownFirewallZones(); // string interface is the zone name } else if (IsKnownZone(interface)) { zones = add (zones, interface); // interface is the interface name } else { interface = GetZoneOfInterface(interface); if (interface != nil) { zones = add (zones, interface); } } // SuSEFirewall feature FW_PROTECT_FROM_INT // should not be protected and searched zones include also internal (or the zone IS internal, sure) if (! GetProtectFromInternalZone() && contains(zones, int_zone_shortname)) { y2milestone("Checking for service '%1', in '%2', PROTECT_FROM_INTERNAL='no' => allowed", service, interface); return true; } // Check and return whether the service (port) is supported anywhere boolean ret = false; foreach (string zone, zones, { // This function can also handle port ranges if (ArePortsOrServicesAllowed([service], protocol, zone, true)) { ret = true; break; } }); return ret; } /** * Function adds service into selected zone (or zone of interface) for selected protocol. * Function take care about port-aliases, first of all, removes all of them. * * @param string service/port * @param string protocol TCP, UDP, RPC, IP * @param string zone name or interface name * @return boolean success */ global define boolean AddService (string service, string protocol, string interface) { boolean success = false; y2milestone("Adding service %1, protocol %2 to %3", service, protocol, interface); if (! IsSupportedProtocol(protocol)) { y2error("Unknown protocol: %1", protocol); return false; } list <string> zones_affected = []; // "all" means for all known zones if (interface == "all") { zones_affected = GetKnownFirewallZones(); // zone or interface name } else { // is probably an interface name if (! IsKnownZone(interface)) { // interface is probably interface-name, checking for respective zone interface = GetZoneOfInterface(interface); // interface is not assigned to any zone if (interface == nil) { // TRANSLATORS: Error message, %1 = interface name (like eth0) Report::Error(sformat(_("Interface '%1' is not assigned to any firewall zone. Run YaST2 Firewall and assign it. "), interface) ); y2warning("Interface '%1' is not assigned to any firewall zone", interface); return false; } } zones_affected = [interface]; } SetModified(); // Adding service support into each mentioned zone foreach (string zone, zones_affected, { // If there isn't already if (!ArePortsOrServicesAllowed([service], protocol, zone, true)) { AddAllowedPortsOrServices([service], protocol, zone); } else { y2milestone("Port %1 has been already allowed in %2", service, zone); } }); return true; } /** * Function removes service from selected zone (or for interface) for selected protocol. * Function take care about port-aliases, removes all of them. * * @param string service/port * @param string protocol TCP, UDP, RPC, IP * @param string zone name or interface name * @return boolean success */ global define boolean RemoveService (string service, string protocol, string interface) { boolean success = false; y2milestone("Removing service %1, protocol %2 from %3", service, protocol, interface); if (! IsSupportedProtocol(protocol)) { y2error("Unknown protocol: %1", protocol); return false; } list <string> zones_affected = []; // "all" means for all known zones if (interface == "all") { zones_affected = GetKnownFirewallZones(); // zone or interface name } else { if (! IsKnownZone(interface)) { // interface is probably interface-name, checking for respective zone interface = GetZoneOfInterface(interface); // interface is not assigned to any zone if (interface == nil) { // TRANSLATORS: Error message, %1 = interface name (like eth0) Report::Error(sformat(_("Interface '%1' is not assigned to any firewall zone. Run YaST2 Firewall and assign it. "), interface) ); y2warning("Interface '%1' is not assigned to any firewall zone", interface); return false; } } zones_affected = [interface]; } SetModified(); // Adding service support into each mentioned zone foreach (string zone, zones_affected, { // if the service is allowed if (ArePortsOrServicesAllowed([service], protocol, zone, true)) { RemoveAllowedPortsOrServices([service], protocol, zone, true); } else { y2milestone("Port %1 has been already removed from %2", service, zone); } }); return true; } /** * Function returns if needed services are all allowed (or not) in the firewall. * Last parameter sets if it also should check for port-aliases, what makes sense * for TCP and UDP ports. * Protocols and Zones aren't checked for existency. It's on you to do it. * * @param list <string> needed (checked) ports for service * @param string protocol TCP, UDP, RPC or IP * @param zone name like EXT * @param boolean check for port-aliases * @return boolean if all ports are allowed */ boolean ArePortsOrServicesAllowed (list <string> needed_ports, string protocol, string zone, boolean check_for_aliases) { boolean are_allowed = true; if (size(needed_ports)<1) { y2warning("Undefined list of %1 services/ports for service", protocol); return true; } map <string, list <string> > allowed_ports = $[]; // BTW: only TCP and UDP ports can have aliases and only TCP and UDP ports can have port ranges if (check_for_aliases) { allowed_ports = PortRanges::DividePortsAndPortRanges ( GetAllowedServicesForZoneProto (zone, protocol), true ); } else { allowed_ports["ports"] = GetAllowedServicesForZoneProto (zone, protocol); } foreach (string needed_port, needed_ports, { if ( ! contains(allowed_ports["ports"]:[], needed_port) && ! PortRanges::PortIsInPortranges (needed_port, allowed_ports["port_ranges"]:[]) ) { are_allowed = false; break; } }); return are_allowed; } /** * Function returns if service is supported (allowed) in zone. Service must be defined * in the SuSEFirewallServices. * * @see Module SuSEFirewallServices * @param string service id * @param string zone * @return boolean if supported */ global define boolean IsServiceSupportedInZone (string service, string zone) { if (! IsKnownZone(zone)) { return nil; } map <string, list <string> > needed = SuSEFirewallServices::GetNeededPortsAndProtocols(service); // unknown service if (needed == nil) { y2error("Undefined service '%1'", service); return nil; } // SuSEFirewall feature FW_PROTECT_FROM_INT // should not be protected and searched zones include also internal (or the zone IS internal, sure) if (zone == int_zone_shortname && ! GetProtectFromInternalZone()) { y2milestone("Checking for service '%1', in '%2', PROTECT_FROM_INTERNAL='no' => allowed", service, zone); return true; } // starting with nil value, any false means that the service is not supported boolean service_is_supported = nil; foreach (string key, service_defined_by, { list <string> needed_ports = needed[key]:[]; if (needed_ports == []) return; if (key == "tcp_ports") { service_is_supported = ArePortsOrServicesAllowed(needed_ports, "TCP", zone, true); } else if (key == "udp_ports") { service_is_supported = ArePortsOrServicesAllowed(needed_ports, "UDP", zone, true); } else if (key == "rpc_ports") { service_is_supported = ArePortsOrServicesAllowed(needed_ports, "RPC", zone, false); } else if (key == "ip_protocols") { service_is_supported = ArePortsOrServicesAllowed(needed_ports, "IP", zone, false); } else if ("broadcast_ports" == key) { // testing for allowed broadcast ports service_is_supported = IsBroadcastAllowed(needed_ports, zone); } else { y2error("Unknown key '%1'", key); } // service is not supported, we don't have to do more tests if (service_is_supported == false) break; }); return service_is_supported; } /** * Function returns map of supported services all network interfaces. * * @param list <string> of services * @return map <string, map < string : boolean > > * @struct Returns $[service : $[ interface : supported_status ]] */ global define map <string, map <string, boolean> > GetServicesInZones (list<string> services) { // list of interfaces for each zone map <string, list <string> > interface_in_zone = $[]; foreach (string interface, GetListOfKnownInterfaces(), { // zone of interface string zone_used = GetZoneOfInterface(interface); // interface can be unassigned if (zone_used == nil || zone_used == "") { return; } interface_in_zone[zone_used] = add (interface_in_zone[zone_used]:[], interface); }); // $[ service : $[ network_interface : status ]] map <string, map <string, boolean> > services_status = $[]; // for all services requested foreach (string service, services, { services_status[service] = $[]; // for all zones in configuration foreach (string zone, list <string> interfaces, interface_in_zone, { boolean status = IsServiceSupportedInZone(service, zone); // for all interfaces in zone foreach (string interface, interfaces, { services_status[service, interface] = status; }); }); }); return services_status; } /** * Function returns map of supported services in all firewall zones. * * @param list <string> of services * @return map <string, map < string : boolean> > * @struct Returns $[service : $[ zone_name : supported_status]] */ global define map <string, map <string, boolean> > GetServices (list<string> services) { // $[ service : $[ firewall_zone : status ]] map <string, map <string, boolean> > services_status = $[]; // for all services requested foreach (string service, services, { services_status[service] = $[]; // for all zones in configuration foreach (string zone, GetKnownFirewallZones(), { services_status[service,zone] = IsServiceSupportedInZone(service, zone); }); }); return services_status; } /** * Function sets status for several services in several firewall zones. * * @param list <string> service ids * @param list <string> firewall zones (EXT|INT|DMZ...) * @param boolean new status of services * @return boolean if successfull */ global define boolean SetServicesForZones (list<string> services_ids, list<string> firewall_zones, boolean new_status) { // no groups == all groups if (size(firewall_zones)==0) firewall_zones = GetKnownFirewallZones(); // setting for each service foreach (string service_id, services_ids, { foreach (string firewall_zone, firewall_zones, { // zone must be known one if (! IsKnownZone(firewall_zone)) { y2error("Zone '%1' is unknown firewall zone, skipping...", firewall_zone); return; } SetModified(); // setting new status if (new_status == true) { y2milestone("Adding '%1' into '%2' zone", service_id, firewall_zone); AddServiceSupportIntoZone(service_id, firewall_zone); HandleConflictService(service_id, firewall_zone, true); } else { y2milestone("Removing '%1' from '%2' zone", service_id, firewall_zone); RemoveServiceSupportFromZone(service_id, firewall_zone); HandleConflictService(service_id, firewall_zone, false); } }); }); } /** * Function sets status for several services in several network interfaces. * * @param list <string> service ids * @param list <string> network interfaces * @param boolean new status of services * @return boolean if successfull */ global define boolean SetServices (list<string> services_ids, list<string> interfaces, boolean new_status) { list<string> firewall_zones = GetZonesOfInterfacesWithAnyFeatureSupported(interfaces); if (size(firewall_zones)==0) { y2error("Interfaces '%1' are not in any group if interfaces", interfaces); return false; } SetModified(); return SetServicesForZones(services_ids, firewall_zones, new_status); } /** * Local function check is any of possibly conflicting services was turned on in * the firewall configuration. */ void CheckAllPossiblyConflictingServices () { // For all known zones foreach (string zone, GetKnownFirewallZones(), { // Exception: // There are no possible conflicts if zone isn't protected if (zone == "INT" && ! GetProtectFromInternalZone()) return; // For all possible conflicting services foreach (string service, GetPossiblyConflictServices(), { // Possibly conflicting service is supported (on) if (IsServiceSupportedInZone (service, zone)) { allowed_conflict_services[zone] = add (allowed_conflict_services[zone]:[], service); } }); // Exception: // NIS-client's ports are the subset of NIS-server's ports if ( contains(allowed_conflict_services[zone]:[], "nis-server") && contains(allowed_conflict_services[zone]:[], "nis-client") ) { // Removing nis-client from allowed services, when both of them found y2warning("Ignoring found nis-client as the subset of nis-server, for zone %1", zone); allowed_conflict_services[zone] = filter ( string service, allowed_conflict_services[zone]:[], { return service != "nis-client"; } ); } allowed_conflict_services[zone] = toset(allowed_conflict_services[zone]:[]); }); y2milestone("Possibly conflicting services found allowed: %1", allowed_conflict_services); } /** * Local function sets the default configuration and fills internal values. */ void ReadDefaultConfiguration () { SETTINGS = $[]; ResetSysconfigSuSEFirewall ( GetListOfSuSEFirewallVariables() ); } /** * Local function reads current configuration and fills internal values. */ void ReadCurrentConfiguration () { SETTINGS = $[]; // is firewall enabled in /etc/init.d/ ? SETTINGS["enable_firewall"] = IsEnabled(); // is firewall started now? SETTINGS["start_firewall"] = IsStarted(); ReadSysconfigSuSEFirewall ( GetListOfSuSEFirewallVariables() ); } /** * Function for reading SuSEFirewall configuration. * Fills internal variables only. */ global define boolean Read () { // Don't fill up the logs with tones of Check-logs // Turn on for debugging // NetworkDevices::report_every_check = false; if (configuration_has_been_read) { y2milestone("SuSEfirewall2 configuration has been read already."); return true; } // Progress only for normal configuration boolean have_progress = (Mode::normal()); if (have_progress) { // TRANSLATORS: Dialog caption string read_caption = _("Initializing Firewall Configuration"); Progress::New( read_caption, " ", 3, [ // TRANSLATORS: Progress step _("Check for network devices"), // TRANSLATORS: Progress step _("Read current configuration"), // TRANSLATORS: Progress step _("Check possibly conflicting services"), ], [ // TRANSLATORS: Progress step _("Checking for network devices..."), // TRANSLATORS: Progress step _("Reading current configuration..."), // TRANSLATORS: Progress step _("Checking possibly conflicting services..."), Message::Finished(), ], "" ); Progress::NextStage(); } if (Mode::normal() || Mode::commandline()) { NetworkDevices::Read(); } else if (Mode::installation() || Mode::autoinst()) { // Allways modified for installation, allways save the final state // fixing bug #67355 // SetModified(); boolean make_parser_happy = true; } if (have_progress) Progress::NextStage(); // get default configuration for autoinstallation // if (Mode::installation() || Mode::autoinst()) { if (Mode::autoinst()) { ReadDefaultConfiguration(); // read current configuration for another cases } else { ReadCurrentConfiguration(); } if (have_progress) Progress::NextStage(); // checking if any possibly conficting services were turned on in configuration // filling internal values for later checkings CheckAllPossiblyConflictingServices(); y2milestone("Firewall configuration has been read: %1.", SETTINGS); // to read configuration only once configuration_has_been_read = true; if (have_progress) Progress::NextStage(); if (have_progress) Progress::Finish(); return true; } /** * Function returns whether some RPC service is allowed in the configuration. * These services reallocate their ports when restarted. See details in * bugzilla bug #186186. * * @return boolean some_RPC_service_used */ boolean AnyRPCServiceInConfiguration () { boolean ret = false; foreach (string fw_zone, GetKnownFirewallZones(), { string fw_rule = sformat("FW_SERVICES_%1_RPC", fw_zone); string listed_services = SETTINGS[fw_rule]:GetDefaultValue(fw_rule); // easy case if (listed_services == nil || listed_services == "") return; // something listed but it still might be empty definition list <string> services_list = splitstring (listed_services, " \n\t"); services_list = filter (string service, services_list, { return (service != ""); }); if (size (listed_services) > 0) { ret = true; break; } }); y2milestone ("Some RPC service found: %1", ret); return ret; } /** * Function which stops firewall. Then firewall is started immediately when firewall * is wanted to be started: SetStartService(boolean). * * @return boolean if successful */ global define boolean ActivateConfiguration () { // Firewall should start after Write() if (GetStartService()) { // Not started - start it if (!IsStarted()) { y2milestone("Starting firewall services"); return StartServices(); // Started - restart it } else { // modified - restart it, or ... // bugzilla #186186 // If any RPC service is configured to be allowed, always restart the firewall // Some of these service's ports might have been reallocated (when SuSEFirewall // is used from outside, e.g., yast2-nfs-server) if (GetModified() || AnyRPCServiceInConfiguration()) { y2milestone("Stopping firewall services"); StopServices(); y2milestone("Starting firewall services"); return StartServices(); // not modified - skip restart } else { y2milestone("Configuration hasn't modified, skipping restarting services"); } } // Firewall should stop after Write() } else { // started - stop if (IsStarted()) { y2milestone("Stopping firewall services"); return StopServices(); // stopped - skip stopping } else { y2milestone("Firewall has been stopped already"); return true; } } } /** * Function writes configuration into /etc/sysconfig/ and enables or disables * firewall in /etc/init.d/ by the setting SetEnableService(boolean). * This is a write-only configuration, firewall is never started only enabled * or disabled. * * @return boolean if successful */ global define boolean WriteConfiguration () { // Progress only for normal configuration and command line boolean have_progress = (Mode::normal()); if (have_progress) { // TRANSLATORS: Dialog caption string write_caption = _("Writing Firewall Configuration"); Progress::New( write_caption, " ", 2, [ // TRANSLATORS: Progress step _("Write firewall settings"), // TRANSLATORS: Progress step _("Adjust firewall service"), ], [ // TRANSLATORS: Progress step _("Writing firewall settings..."), // TRANSLATORS: Progress step _("Adjusting firewall service..."), // TRANSLATORS: Progress step Message::Finished(), ], "" ); Progress::NextStage(); } // only modified configuration is written if (GetModified()) { y2milestone("Firewall configuration has been changed. Writing: %1.", SETTINGS); if (! WriteSysconfigSuSEFirewall ( GetListOfSuSEFirewallVariables() )) { // TRANSLATORS: a popup error message Report::Error(_("Writing settings failed")); return false; } } else { y2milestone("Firewall settings weren't modified, skipping..."); } if (have_progress) Progress::NextStage(); // Adjusting services if (GetModified()) { // enabling firewall in /etc/init.d/ if (SETTINGS["enable_firewall"]:false) { y2milestone("Enabling firewall services"); if (! EnableServices()) { return false; } // disabling firewall in /etc/init.d/ } else { y2milestone("Disabling firewall services"); if (! DisableServices()) { return false; } } } else { y2milestone("Firewall enable/disable wasn't modified, skipping..."); } if (have_progress) Progress::NextStage(); if (have_progress) Progress::Finish(); return true; } /** * Helper function for the backward compatibility. * See WriteConfiguration(). Remove from code ASAP. */ global define boolean WriteOnly() { return WriteConfiguration(); } /** * Function for writing and enabling configuration it is an union of * WriteConfiguration() and ActivateConfiguration(). * * @return boolean if succesfull */ global define boolean Write () { if (! WriteConfiguration()) return false; if (! ActivateConfiguration()) return false; return true; } /** * Function for saving configuration and restarting firewall. * Is is the same as Write() but write is allways forced. * * @return boolean if successful */ global define boolean SaveAndRestartService () { y2milestone("Forced save and restart"); SetModified(); SetStartService(true); if (! Write()) { return false; } return true; } /** * This powerful function returns list of services/ports which are * not assigned to any fully-supported known-services. * * @return list <string> of additional (unassigned) services */ global define list <string> GetAdditionalServices (string protocol, string zone) { list <string> additional_services = []; if (! IsSupportedProtocol(protocol)) { y2error("Unknown protocol '%1'", protocol); return nil; } if (! IsKnownZone(zone)) { y2error("Unknown zone '%1'", zone); return nil; } // all ports or services allowed in zone for protocol list <string> all_allowed_services = GetAllowedServicesForZoneProto(zone, protocol); // all ports or services used by known service list <string> all_used_services = []; // trying all possible (known) services foreach (string service_id, string service_name, SuSEFirewallServices::GetSupportedServices(), { // only when the service is allowed in zone - remove all its needed ports if (IsServiceSupportedInZone(service_id, zone)) { // all needed ports etc for service/protocol, well, I'm not good at function pointers :-< list <string> needed_all = []; if (protocol == "TCP") { needed_all = SuSEFirewallServices::GetNeededTCPPorts(service_id); } else if (protocol == "UDP") { needed_all = SuSEFirewallServices::GetNeededUDPPorts(service_id); } else if (protocol == "RPC") { needed_all = SuSEFirewallServices::GetNeededRPCPorts(service_id); } else if (protocol == "IP") { needed_all = SuSEFirewallServices::GetNeededIPProtocols(service_id); } foreach (string remove_port, needed_all, { // all used services and their aliases all_used_services = (list <string>) union ( all_used_services, PortAliases::GetListOfServiceAliases(remove_port) ); }); } }); // some services are used by known defined-services if (size(all_used_services)>0) { all_used_services = toset (all_used_services); // removing all used services from all allowed all_allowed_services = filter (string port, all_allowed_services, { return (! contains(all_used_services, port)); }); } // well, actually it returns list of services not-assigned to any well-known service return all_allowed_services; } /** * Function sets additional ports/services from taken list. Firstly, all additional services * are removed also with their aliases. Secondly new ports/protocols are added. * * @param string protocol * @param string zone * @param list <string> list of ports/protocols */ global define void SetAdditionalServices (string protocol, string zone, list <string> new_list_services) { list <string> old_list_services = toset(GetAdditionalServices(protocol, zone)); new_list_services = toset(new_list_services); if (new_list_services != old_list_services) { SetModified(); list <string> add_services = []; list <string> remove_services = []; // Add these services foreach (string service, new_list_services, { if (!contains(old_list_services, service)) add_services = add (add_services, service); }); // Remove these services foreach (string service, old_list_services, { if (!contains(new_list_services, service)) remove_services = add (remove_services, service); }); if (size(remove_services)>0) { y2milestone("Removing additional services %1/%2 from zone %3", remove_services, protocol, zone); RemoveAllowedPortsOrServices (remove_services, protocol, zone, true); } if (size(add_services)>0) { y2milestone("Adding additional services %1/%2 into zone %3", add_services, protocol, zone); AddAllowedPortsOrServices (add_services, protocol, zone); } } } /** * Function returns if any other firewall then SuSEfirewall2 is currently running on the * system. It uses command `iptables` to get information about just active iptables * rules and compares the output with current status of SuSEfirewall2. * * @return boolean if other firewall is running */ global define boolean IsOtherFirewallRunning () { boolean any_firewall_running = true; // grep must return at least blank lines, else it returns 'exit 1' instead of 'exit 0' string command = "iptables -L -n | grep -v \"^\$Chain\\|target\$\""; map iptables = (map) SCR::Execute(.target.bash_output, command); if (iptables["exit"]:0 == 0) { list <string> iptables_list = splitstring(iptables["stdout"]:"", "\n"); iptables_list = filter (string iptable_rule, iptables_list, { return iptable_rule != ""; }); y2milestone("Count of active iptables now: %1", size(iptables_list)); // none iptables rules if (size(iptables_list)>0) { any_firewall_running = true; // any iptables rules exist } else { any_firewall_running = false; } // error running command } else { y2error("Services Command: %1 (Exit %2) -> %3", command, iptables["exit"]:nil, iptables["stderr"]:nil); return nil; } // any firewall is running but it is not a SuSEfirewall2 if (any_firewall_running && !IsStarted()) { y2warning("Any other firewall is running..."); return true; } // no firewall is running or the running firewall is SuSEfirewall2 return false; } /** * Function returns map of `interfaces in zones`. * * @return map <string, list <string> > * @struct map $[zone : [list of interfaces]] */ global define map <string, list <string> > GetFirewallInterfacesMap () { map <string, list <string> > firewall_interfaces_now = $[]; // list of all known interfaces list <string> known_interfaces = GetListOfKnownInterfaces(); // searching each zone foreach (string zone, GetKnownFirewallZones(), { // filtering non-existing interfaces firewall_interfaces_now[zone] = filter (string interface, GetInterfacesInZone(zone), { return contains(known_interfaces, interface); }); }); return firewall_interfaces_now; } /** * Function returns list of special strings like 'any' or 'auto' and uknown interfaces. * * @param string zone * @return list <string> special strings or unknown interfaces */ global define list <string> GetSpecialInterfacesInZone (string zone) { list <string> interfaces_in_zone = splitstring (SETTINGS["FW_DEV_" + zone]:"", " "); list <string> known_interfaces_now = GetInterfacesInZone (zone); // filtering known interfaces and spaces interfaces_in_zone = filter(string interface, interfaces_in_zone, { return interface != "" && !contains(known_interfaces_now, interface); }); return interfaces_in_zone; } /** * Function removes special string from defined zone. * * @param string interface * @param string zone */ global define void RemoveSpecialInterfaceFromZone (string interface, string zone) { SetModified(); y2milestone("Removing special string '%1' from '%2' zone.", interface, zone); list <string> interfaces_in_zone = splitstring (SETTINGS["FW_DEV_" + zone]:"", " "); interfaces_in_zone = filter (string single_interface, interfaces_in_zone, { return single_interface != "" && single_interface != interface; }); SETTINGS["FW_DEV_" + zone] = mergestring(interfaces_in_zone, " "); } /** * Functions adds special string into defined zone. * * @param string interface * @param string zone */ global define void AddSpecialInterfaceIntoZone (string interface, string zone) { SetModified(); y2milestone("Adding special string '%1' into '%2' zone.", interface, zone); list <string> interfaces_in_zone = splitstring (SETTINGS["FW_DEV_" + zone]:"", " "); interfaces_in_zone = toset(add (interfaces_in_zone, interface)); SETTINGS["FW_DEV_" + zone] = mergestring(interfaces_in_zone, " "); } /** * Function returns actual state of Masquerading support. * * @return boolean if supported */ global define boolean GetMasquerade () { return (SETTINGS["FW_MASQUERADE"]:"no" == "yes" && SETTINGS["FW_ROUTE"]:"no" == "yes"); } /** * Function sets Masquerade support. * * @param boolean to support or not to support it */ global define void SetMasquerade (boolean enable) { SetModified(); SETTINGS["FW_MASQUERADE"] = (enable ? "yes" : "no"); // routing is needed for masquerading, but we can't swithc it off when disabling masquerading if (enable) SETTINGS["FW_ROUTE"] = "yes"; } /** * Function returns list of rules of forwarding ports * to masqueraded IPs. * * @retyrn list <map <string, string> > * @struct list [$[ key: value ]] */ global define list <map <string, string> > GetListOfForwardsIntoMasquerade () { list <map <string, string> > list_of_rules = []; foreach (string forward_rule, splitstring(SETTINGS["FW_FORWARD_MASQ"]:"", " "), { if (forward_rule == "") return; // Format: <source network>,<ip to forward to>,<protocol>,<port>[,redirect port,[destination ip]] list <string> fw_rul = splitstring(forward_rule,","); // first four parameters has to be defined if (fw_rul[0]:"" == "" || fw_rul[1]:"" == "" || fw_rul[2]:"" == "" || fw_rul[3]:"" == "") y2warning("Wrong definition of redirect rule: '%1', part of '%2'", forward_rule, SETTINGS["FW_FORWARD_MASQ"]:"" ); list_of_rules = add (list_of_rules, $[ "source_net" : fw_rul[0]:"", "forward_to" : fw_rul[1]:"", "protocol" : tolower(fw_rul[2]:""), "req_port" : tolower(fw_rul[3]:""), // to_port is req_port when undefined "to_port" : tolower(fw_rul[4]:fw_rul[3]:""), "req_ip" : tolower(fw_rul[5]:""), ]); }); return list_of_rules; } /** * Function removes rule for forwarding into masquerade * from the list of current rules. * * @params integer item number */ global define void RemoveForwardIntoMasqueradeRule (integer remove_item) { SetModified(); list <string> forward_rules = []; integer row_counter = 0; foreach (string forward_rule, splitstring(SETTINGS["FW_FORWARD_MASQ"]:"", " "), { if (forward_rule == "") return; if (row_counter != remove_item) { forward_rules = add (forward_rules, forward_rule); } row_counter = row_counter + 1; }); SETTINGS["FW_FORWARD_MASQ"] = mergestring(forward_rules, " "); } /** * Adds forward into masquerade rule. */ global define void AddForwardIntoMasqueradeRule ( string source_net, string forward_to_ip, string protocol, string req_port, string redirect_to_port, string requested_ip ) { SetModified(); string masquerade_rules = SETTINGS["FW_FORWARD_MASQ"]:""; masquerade_rules = masquerade_rules + (masquerade_rules != "" ? " ":"") + source_net + "," + forward_to_ip + "," + protocol + "," + req_port; if (redirect_to_port != "" || requested_ip != "") { if (requested_ip != "") { masquerade_rules = masquerade_rules + "," + redirect_to_port + "," + requested_ip; // port1 -> port2 are same } else if (redirect_to_port != req_port) { masquerade_rules = masquerade_rules + "," + redirect_to_port; } } SETTINGS["FW_FORWARD_MASQ"] = masquerade_rules; } /** * Function returns actual state of logging for rule taken as parameter. * * @param string rule definition 'ACCEPT' or 'DROP' * @return string 'ALL', 'CRIT', or 'NONE' */ global define string GetLoggingSettings(string rule) { string ret_val = nil; if (rule == "ACCEPT") { if (SETTINGS["FW_LOG_ACCEPT_ALL"]:"no" == "yes") { ret_val = "ALL"; } else if (SETTINGS["FW_LOG_ACCEPT_CRIT"]:"yes" == "yes") { ret_val = "CRIT"; } else { ret_val = "NONE"; } } else if (rule == "DROP") { if (SETTINGS["FW_LOG_DROP_ALL"]:"no" == "yes") { ret_val = "ALL"; } else if (SETTINGS["FW_LOG_DROP_CRIT"]:"yes" == "yes") { ret_val = "CRIT"; } else { ret_val = "NONE"; } } else { y2error("Possible rules are only 'ACCEPT' or 'DROP'"); } return ret_val; } /** * Function sets state of logging for rule taken as parameter. * * @param string rule definition 'ACCEPT' or 'DROP' * @param string new logging state 'ALL', 'CRIT', or 'NONE' */ global define void SetLoggingSettings(string rule, string state) { SetModified(); if (rule == "ACCEPT") { if (state == "ALL") { SETTINGS["FW_LOG_ACCEPT_CRIT"] = "yes"; SETTINGS["FW_LOG_ACCEPT_ALL"] = "yes"; } else if (state == "CRIT") { SETTINGS["FW_LOG_ACCEPT_CRIT"] = "yes"; SETTINGS["FW_LOG_ACCEPT_ALL"] = "no"; } else { SETTINGS["FW_LOG_ACCEPT_CRIT"] = "no"; SETTINGS["FW_LOG_ACCEPT_ALL"] = "no"; } } else if (rule == "DROP") { if (state == "ALL") { SETTINGS["FW_LOG_DROP_CRIT"] = "yes"; SETTINGS["FW_LOG_DROP_ALL"] = "yes"; } else if (state == "CRIT") { SETTINGS["FW_LOG_DROP_CRIT"] = "yes"; SETTINGS["FW_LOG_DROP_ALL"] = "no"; } else { SETTINGS["FW_LOG_DROP_CRIT"] = "no"; SETTINGS["FW_LOG_DROP_ALL"] = "no"; } } else { y2error("Possible rules are only 'ACCEPT' or 'DROP'"); } } /** * Function returns yes/no - ingoring broadcast for zone * * @param string zone */ global define string GetIgnoreLoggingBroadcast (string zone) { if (! IsKnownZone(zone)) { y2error("Unknown zone '%1'", zone); return nil; } return SETTINGS["FW_IGNORE_FW_BROADCAST_" + zone]:"no"; } /** * Function sets yes/no - ingoring broadcast for zone * * @param string zone * @param string ignore 'yes' or 'no' */ global define void SetIgnoreLoggingBroadcast (string zone, string bcast) { if (! IsKnownZone(zone)) { y2error("Unknown zone '%1'", zone); return nil; } SetModified(); SETTINGS["FW_IGNORE_FW_BROADCAST_" + zone] = bcast; } /** * Function adds a special interface into the FW_FORWARD_ALWAYS_INOUT_DEV variable * * @see: https://bugzilla.novell.com/show_bug.cgi?id=154133 */ global define void AddXenSupport () { string special_xen_interface = "xenbr0"; SetModified(); list <string> allways_inout_dev = splitstring (SETTINGS["FW_FORWARD_ALWAYS_INOUT_DEV"]:"", " "); allways_inout_dev = toset(add (allways_inout_dev, special_xen_interface)); SETTINGS["FW_FORWARD_ALWAYS_INOUT_DEV"] = mergestring(allways_inout_dev, " "); y2milestone("FW_FORWARD_ALWAYS_INOUT_DEV -> %1", SETTINGS["FW_FORWARD_ALWAYS_INOUT_DEV"]:""); } // Firewall Expert Rulezz /*\ * Returns list of rules describing protocols and ports that are allowed * to be accessed from listed hosts. All is returned as a single string. * Zone needs to be defined. * * @param string zone * @return string with rules */ global define string GetAcceptExpertRules (string zone) { zone = toupper(zone); // Check for zone if (! contains(GetKnownFirewallZones(), zone)) { y2error("Unknown firewall zone: %1", zone); return nil; } return SETTINGS["FW_SERVICES_ACCEPT_" + zone]:""; } /*\ * Sets expert allow rules for zone. * * @param string zone * @param string whitespace-separated expert_rules * @return boolean if successful */ global define boolean SetAcceptExpertRules (string zone, string expert_rules) { zone = toupper(zone); // Check for zone if (! contains(GetKnownFirewallZones(), zone)) { y2error("Unknown firewall zone: %1", zone); return false; } SETTINGS["FW_SERVICES_ACCEPT_" + zone] = expert_rules; return true; } #  /* EOF */ }