Class: Yast::SuSEFirewallClass

Inherits:

Module

• Object
• Module
• Yast::SuSEFirewallClass

Includes:

Logger

Defined in:

library/network/src/lib/network/susefirewall.rb

Overview

Factory for construction of appropriate firewall object based on desired backend.

Direct Known Subclasses

SuSEFirewall2Class, SuSEFirewalldClass

Instance Attribute Summary

• #firewall_service ⇒ String readonly

  The systemd service name: "firewalld" or "SuSEfirewall2".

Instance Method Summary

• #AddService(service, protocol, interface) ⇒ Boolean

  Function adds service into selected zone (or zone of interface) for selected protocol.

• #AddXenSupport ⇒ Object

  Function adds a special interface 'xenbr+' into the FW_FORWARD_ALWAYS_INOUT_DEV variable.

• #ArePortsOrServicesAllowed(needed_ports, protocol, zone, check_for_aliases) ⇒ Object
• #DisableServices ⇒ Boolean

  Functions disables services needed for SuSEFirewall in /etc/inet.d/.

• #EnableServices ⇒ Boolean

  Functions enables services needed for SuSEFirewall in /etc/inet.d/.

• #GetAllKnownInterfaces ⇒ Array<Hash{String => String>}

  Function returns list of maps of known interfaces.

• #GetEnableService ⇒ Boolean

  Function which returns whether SuSEfirewall should be enabled in /etc/init.d/ starting scripts during the Write() process.

• #GetKnownFirewallZones ⇒ Array<String>

  Function returns list of known firewall zones (shortnames).

• #GetListOfKnownInterfaces ⇒ Array<String>

  Function returns list of all known interfaces.

• #GetModified ⇒ Boolean

  Functions returns whether any firewall's configuration was modified.

• #GetServices(services) ⇒ Hash <String, Hash{String => Boolean>}

  Function returns map of supported services in all firewall zones.

• #GetServicesInZones(services) ⇒ Hash <String, Hash{String => Boolean} >

  Function returns map of supported services all network interfaces.

• #GetStartService ⇒ Boolean

  Function which returns if SuSEfirewall2 should start in Write process.

• #GetZoneFullName(zone) ⇒ String

  Function returns localized name of the zone identified by zone shortname.

• #GetZonesOfInterfaces(interfaces) ⇒ Array<String>

  Function returns list of zones of requested interfaces.

• #HaveService(service, protocol, interface) ⇒ Boolean

  Function returns if requested service is allowed in respective zone.

• #initialize ⇒ SuSEFirewallClass constructor

  A new instance of SuSEFirewallClass.

• #IsEnabled ⇒ Boolean

  Function determines if all SuSEFirewall scripts are enabled in init scripts /etc/init.d/ now.

• #IsKnownZone(zone) ⇒ Boolean

  Function returns if zone (shortname like "EXT") is supported by firewall.

• #IsOtherFirewallRunning ⇒ Boolean

  Function returns if another firewall is currently running on the system.

• #IsStarted ⇒ Boolean

  Function determines if at least one SuSEFirewall script is started now.

• #IsSupportedProtocol(protocol) ⇒ Boolean

  Local function returns if protocol is supported by firewall.

• #RemoveAllowedPortsOrServices(remove_ports, protocol, zone, check_for_aliases) ⇒ Object

  Local function removes ports and their aliases (if check_for_aliases is true), for requested protocol and zone.

• #RemoveService(service, protocol, interface) ⇒ Boolean

  Function removes service from selected zone (or for interface) for selected protocol.

• #ResetModified ⇒ Object

  Do not use this function.

• #SaveAndRestartService ⇒ Boolean

  Function for saving configuration and restarting firewall.

• #SetAdditionalServices(protocol, zone, new_list_services) ⇒ Object

  Function sets additional ports/services from taken list.

• #SetEnableService(enable_service) ⇒ Object

  Function which sets if SuSEfirewall should start in Write process.

• #SetInstallPackagesIfMissing(new_status) ⇒ Object

  By default Firewall packages are just checked whether they are installed.

• #SetModified ⇒ Object

  Function sets internal variable, which indicates, that any "firewall settings were modified", to "true".

• #SetServices(services_ids, interfaces, new_status) ⇒ Boolean

  Function sets status for several services on several network interfaces.

• #SetStartService(start_service) ⇒ Object

  Function which sets if SuSEfirewall should start in Write process.

• #StartServices ⇒ Boolean

  Functions starts services needed for SuSEFirewall.

• #StopServices ⇒ Boolean

  Functions stops services needed for SuSEFirewall.

• #SuSEFirewallIsInstalled ⇒ Boolean

  Returns whether all needed packages are installed.

• #SuSEFirewallIsSelectedOrInstalled ⇒ Boolean

  Returns whether all needed packages are installed (or selected for installation).

Constructor Details

#initialize ⇒ SuSEFirewallClass

Returns a new instance of SuSEFirewallClass.

# File 'library/network/src/lib/network/susefirewall.rb', line 45

def initialize
  super

  textdomain "base"
end

Instance Attribute Details

#firewall_service ⇒ String (readonly)

Returns the systemd service name: "firewalld" or "SuSEfirewall2".

Returns:

• (String) —

  the systemd service name: "firewalld" or "SuSEfirewall2"

# File 'library/network/src/lib/network/susefirewall.rb', line 35

def firewall_service
  @firewall_service
end

Instance Method Details

#AddService(service, protocol, interface) ⇒ Boolean

Function adds service into selected zone (or zone of interface) for selected protocol. Function take care about port-aliases, first of all, removes all of them.

Examples:

AddService ("ssh", "TCP", "EXT")
AddService ("ssh", "TCP", "dsl0")

Parameters:

• service/port (String)
• protocol (String) —

  TCP, UDP, RPC, IP

• string —

  zone name or interface name

Returns:

• (Boolean) —

  success

# File 'library/network/src/lib/network/susefirewall.rb', line 920

def AddService(service, protocol, interface)
  Builtins.y2milestone(
    "Adding service %1, protocol %2 to %3",
    service,
    protocol,
    interface
  )

  if !IsSupportedProtocol(protocol)
    Builtins.y2error("Unknown protocol: %1", protocol)
    return false
  end

  zones_affected = []

  # "all" means for all known zones
  if interface == "all"
    zones_affected = GetKnownFirewallZones()

    # zone or interface name
  else
    # is probably an interface name
    if !IsKnownZone(interface)
      # interface is probably interface-name, checking for respective zone
      interface = GetZoneOfInterface(interface)
      # interface is not assigned to any zone
      if interface.nil?
        # TRANSLATORS: Error message, %1 = interface name (like eth0)
        Report.Error(
          Builtins.sformat(
            _(
              "Interface '%1' is not assigned to any firewall zone.\nRun YaST2 Firewall and assign it.\n"
            ),
            interface
          )
        )
        Builtins.y2warning(
          "Interface '%1' is not assigned to any firewall zone",
          interface
        )
        return false
      end
    end
    zones_affected = [interface]
  end

  SetModified()

  # Adding service support into each mentioned zone
  Builtins.foreach(zones_affected) do |zone|
    # If there isn't already
    if ArePortsOrServicesAllowed([service], protocol, zone, true)
      Builtins.y2milestone(
        "Port %1 has been already allowed in %2",
        service,
        zone
      )
    else
      AddAllowedPortsOrServices([service], protocol, zone)
    end
  end

  true
end

#AddXenSupport ⇒ Object

Function adds a special interface 'xenbr+' into the FW_FORWARD_ALWAYS_INOUT_DEV variable.

See Also:

• #https://bugzilla.novell.com/show_bug.cgi?id=154133
• #https://bugzilla.novell.com/show_bug.cgi?id=233934
• #https://bugzilla.novell.com/show_bug.cgi?id=375482

# File 'library/network/src/lib/network/susefirewall.rb', line 1066

def AddXenSupport
  Builtins.y2milestone(
    "The whole functionality is currently handled by SuSEfirewall2 itself"
  )

  nil
end

#ArePortsOrServicesAllowed(needed_ports, protocol, zone, check_for_aliases) ⇒ Object

# File 'library/network/src/lib/network/susefirewall.rb', line 809

def ArePortsOrServicesAllowed(needed_ports, protocol, zone, check_for_aliases)
  needed_ports = deep_copy(needed_ports)
  are_allowed = true

  if Ops.less_than(Builtins.size(needed_ports), 1)
    Builtins.y2warning(
      "Undefined list of %1 services/ports for service",
      protocol
    )
    return true
  end

  allowed_ports = {}
  # BTW: only TCP and UDP ports can have aliases and only TCP and UDP ports can have port ranges
  if check_for_aliases
    allowed_ports = PortRanges.DividePortsAndPortRanges(
      GetAllowedServicesForZoneProto(zone, protocol),
      true
    )
  else
    Ops.set(
      allowed_ports,
      "ports",
      GetAllowedServicesForZoneProto(zone, protocol)
    )
  end

  Builtins.foreach(needed_ports) do |needed_port|
    if !Builtins.contains(Ops.get(allowed_ports, "ports", []), needed_port) &&
        !PortRanges.PortIsInPortranges(
          needed_port,
          Ops.get(allowed_ports, "port_ranges", [])
        )
      are_allowed = false
      raise Break
    end
  end

  are_allowed
end

#DisableServices ⇒ Boolean

Functions disables services needed for SuSEFirewall in /etc/inet.d/

Returns:

• (Boolean) —

  result

# File 'library/network/src/lib/network/susefirewall.rb', line 177

def DisableServices
  return false if !SuSEFirewallIsInstalled()

  return true if Service.Disable(@firewall_service)

  Report.LongError(Service.Error)
  false
end

#EnableServices ⇒ Boolean

Functions enables services needed for SuSEFirewall in /etc/inet.d/

Returns:

• (Boolean) —

  result

# File 'library/network/src/lib/network/susefirewall.rb', line 160

def EnableServices
  all_ok = true

  return false if !SuSEFirewallIsInstalled()

  if !Service.Enable(@firewall_service)
    all_ok = true
    # TRANSLATORS: a popup error message
    Report.LongError(Service.Error)
  end

  all_ok
end

#GetAllKnownInterfaces ⇒ Array<Hash{String => String>}

Function returns list of maps of known interfaces.

Structure:

[ $[ "id":"modem1", "name":"Askey 815C", "type":"dialup", "zone":"EXT" ], ... ]

Returns:

• (Array<Hash{String => String>})
• (Array<Hash{String => String>}) —

  of all interfaces

# File 'library/network/src/lib/network/susefirewall.rb', line 404

def GetAllKnownInterfaces
  known_interfaces = []

  # All dial-up interfaces
  dialup_interfaces = NetworkInterfaces.List("dialup")
  dialup_interfaces = [] if dialup_interfaces.nil?

  # bugzilla #303858 - wrong values from NetworkInterfaces
  dialup_interfaces = Builtins.filter(dialup_interfaces) do |one_iface|
    if one_iface.nil? || one_iface == ""
      Builtins.y2error("Wrong interface definition '%1'", one_iface)
      next false
    end
    true
  end

  dialup_interfaces = Builtins.filter(dialup_interfaces) do |interface|
    interface != "" && !Builtins.issubstring(interface, "lo") &&
      !Builtins.issubstring(interface, "sit")
  end

  # All non-dial-up interfaces
  non_dialup_interfaces = NetworkInterfaces.List("")
  non_dialup_interfaces = [] if non_dialup_interfaces.nil?

  # bugzilla #303858 - wrong values from NetworkInterfaces
  non_dialup_interfaces = Builtins.filter(non_dialup_interfaces) do |one_iface|
    if one_iface.nil? || one_iface == ""
      Builtins.y2error("Wrong interface definition '%1'", one_iface)
      next false
    end
    true
  end

  non_dialup_interfaces = Builtins.filter(non_dialup_interfaces) do |interface|
    interface != "" && !Builtins.issubstring(interface, "lo") &&
      !Builtins.issubstring(interface, "sit") &&
      !Builtins.contains(dialup_interfaces, interface)
  end

  Builtins.foreach(dialup_interfaces) do |interface|
    known_interfaces = Builtins.add(
      known_interfaces,
      "id"   => interface,
      "type" => "dialup",
      # using function to get name
      "name" => NetworkInterfaces.GetValue(
        interface,
        "NAME"
      ),
      "zone" => GetZoneOfInterface(interface)
    )
  end

  Builtins.foreach(non_dialup_interfaces) do |interface|
    known_interfaces = Builtins.add(
      known_interfaces,
      "id"   => interface,
      # using function to get name
      "name" => NetworkInterfaces.GetValue(
        interface,
        "NAME"
      ),
      "zone" => GetZoneOfInterface(interface)
    )
  end

  deep_copy(known_interfaces)
end

#GetEnableService ⇒ Boolean

Function which returns whether SuSEfirewall should be enabled in /etc/init.d/ starting scripts during the Write() process

Returns:

• (Boolean) —

  if the firewall should start

See Also:

• #Write()
• #EnableServices()

# File 'library/network/src/lib/network/susefirewall.rb', line 93

def GetEnableService
  Ops.get_boolean(@SETTINGS, "enable_firewall", false)
end

#GetKnownFirewallZones ⇒ Array<String>

Function returns list of known firewall zones (shortnames)

Examples:

GetKnownFirewallZones() -> ["DMZ", "EXT", "INT"]

Returns:

• (Array<String>) —

  of firewall zones

# File 'library/network/src/lib/network/susefirewall.rb', line 227

def GetKnownFirewallZones
  deep_copy(@known_firewall_zones)
end

#GetListOfKnownInterfaces ⇒ Array<String>

Function returns list of all known interfaces.

Examples:

GetListOfKnownInterfaces() -> ["eth1", "eth2", "modem0", "dsl5"]

Returns:

• (Array<String>) —

  of interfaces

# File 'library/network/src/lib/network/susefirewall.rb', line 478

def GetListOfKnownInterfaces
  GetAllKnownInterfaces().map { |i| i["id"] }
end

#GetModified ⇒ Boolean

Functions returns whether any firewall's configuration was modified.

Returns:

• (Boolean) —

  if the configuration was modified

# File 'library/network/src/lib/network/susefirewall.rb', line 365

def GetModified
  Yast.import "SuSEFirewallServices"
  # Changed SuSEFirewall or
  # Changed SuSEFirewallServices (needs resatrting as well)
  @modified || SuSEFirewallServices.GetModified
end

#GetServices(services) ⇒ Hash <String, Hash{String => Boolean>}

Function returns map of supported services in all firewall zones.

Structure:

 Returns $[service : $[ zone_name : supported_status]]

Examples:

// Firewall in not protected from internal zone, that's why
// all services report that they are enabled in INT zone
GetServices (["samba-server", "service:irc-server"]) -> $[
  "samba-server" : $["DMZ":false, "EXT":false, "INT":true],
  "service:irc-server" : $["DMZ":false, "EXT":true, "INT":true]
]

Parameters:

• list (string) —

  of services

Returns:

• (Hash <String, Hash{String => Boolean>})

# File 'library/network/src/lib/network/susefirewall.rb', line 248

def GetServices(services)
  services = deep_copy(services)
  # $[ service : $[ firewall_zone : status ]]
  services_status = {}

  # for all services requested
  Builtins.foreach(services) do |service|
    Ops.set(services_status, service, {})
    # for all zones in configuration
    Builtins.foreach(GetKnownFirewallZones()) do |zone|
      Ops.set(
        services_status,
        [service, zone],
        IsServiceSupportedInZone(service, zone)
      )
    end
  end

  deep_copy(services_status)
end

#GetServicesInZones(services) ⇒ Hash <String, Hash{String => Boolean} >

Function returns map of supported services all network interfaces.

Structure:

 Returns $[service : $[ interface : supported_status ]]

Examples:

GetServicesInZones (["service:irc-server"]) -> $["service:irc-server":$["eth1":true]]
// No such service "something"
GetServicesInZones (["something"])) -> $["something":$["eth1":nil]]
GetServicesInZones (["samba-server"]) -> $["samba-server":$["eth1":false]]

Parameters:

• list (string) —

  of services

Returns:

• (Hash <String, Hash{String => Boolean} >)

# File 'library/network/src/lib/network/susefirewall.rb', line 284

def GetServicesInZones(services)
  services = deep_copy(services)
  # list of interfaces for each zone
  interfaces_in_zone = {}

  GetListOfKnownInterfaces().each do |i|
    z = GetZoneOfInterface(i)
    next if z.nil? || z.empty?

    interfaces_in_zone[z] ||= []
    interfaces_in_zone[z] << i
  end

  # $[ service : $[ network_interface : status ]]
  services_status = {}

  # for all services requested
  Builtins.foreach(services) do |service|
    Ops.set(services_status, service, {})
    # for all zones in configuration
    Builtins.foreach(interfaces_in_zone) do |zone, interfaces|
      status = IsServiceSupportedInZone(service, zone)
      # for all interfaces in zone
      Builtins.foreach(interfaces) do |interface|
        Ops.set(services_status, [service, interface], status)
      end
    end
  end

  deep_copy(services_status)
end

#GetStartService ⇒ Boolean

Function which returns if SuSEfirewall2 should start in Write process. In fact it means that SuSEfirewall2 will at the end.

Returns:

• (Boolean) —

  if the firewall should start

# File 'library/network/src/lib/network/susefirewall.rb', line 55

def GetStartService
  Ops.get_boolean(@SETTINGS, "start_firewall", false)
end

#GetZoneFullName(zone) ⇒ String

Function returns localized name of the zone identified by zone shortname.

Examples:

LANG=en_US GetZoneFullName ("EXT") -> "External Zone"
LANG=cs_CZ GetZoneFullName ("EXT") -> "Externí Zóna"

Parameters:

• string —

  short name

Returns:

• (String) —

  zone name

# File 'library/network/src/lib/network/susefirewall.rb', line 510

def GetZoneFullName(zone)
  # TRANSLATORS: Firewall zone full-name, used as combo box item or dialog title
  Ops.get(@zone_names, zone, _("Unknown Zone"))
end

#GetZonesOfInterfaces(interfaces) ⇒ Array<String>

Function returns list of zones of requested interfaces

Examples:

GetZonesOfInterfaces (["eth1","eth4"]) -> ["DMZ", "EXT"]

Parameters:

• interfaces (Array<String>)

Returns:

• (Array<String>) —

  firewall zones

# File 'library/network/src/lib/network/susefirewall.rb', line 489

def GetZonesOfInterfaces(interfaces)
  interfaces = deep_copy(interfaces)
  zones = []
  zone = ""

  Builtins.foreach(interfaces) do |interface|
    zone = GetZoneOfInterface(interface)
    zones = Builtins.add(zones, zone) if !zone.nil?
  end

  Builtins.toset(zones)
end

#HaveService(service, protocol, interface) ⇒ Boolean

Function returns if requested service is allowed in respective zone. Function takes care for service's aliases (only for TCP and UDP). Service is defined by set of parameters such as port and protocol.

Examples:

HaveService ("ssh", "TCP", "EXT") -> true
HaveService ("ssh", "TCP", "modem0") -> false
HaveService ("53", "UDP", "dsl") -> false

Parameters:

• service (String) —

  (service name, port name, port alias or port number)

• protocol (String) —

  TCP, UDP, RCP or IP

• interface (String) —

  name (like modem0), firewall zone (like "EXT") or "any" for all zones.

Returns:

• (Boolean) —

  if service is allowed

# File 'library/network/src/lib/network/susefirewall.rb', line 863

def HaveService(service, protocol, interface)
  if !IsSupportedProtocol(protocol)
    Builtins.y2error("Unknown protocol: %1", protocol)
    return nil
  end

  # definition of searched zones
  zones = []

  # "any" for all zones, this is ugly
  if interface == "any"
    zones = GetKnownFirewallZones()
    # string interface is the zone name
  elsif IsKnownZone(interface)
    zones = Builtins.add(zones, interface)
    # interface is the interface name
  else
    interface = GetZoneOfInterface(interface)
    zones = Builtins.add(zones, interface) if !interface.nil?
  end

  # SuSEFirewall feature FW_PROTECT_FROM_INT
  # should not be protected and searched zones include also internal (or the zone IS internal, sure)
  if !GetProtectFromInternalZone() &&
      Builtins.contains(zones, @int_zone_shortname)
    Builtins.y2milestone(
      "Checking for service '%1', in '%2', PROTECT_FROM_INTERNAL='no' => allowed",
      service,
      interface
    )
    return true
  end

  # Check and return whether the service (port) is supported anywhere
  ret = false
  Builtins.foreach(zones) do |zone|
    # This function can also handle port ranges
    if ArePortsOrServicesAllowed([service], protocol, zone, true)
      ret = true
      raise Break
    end
  end

  ret
end

#IsEnabled ⇒ Boolean

Function determines if all SuSEFirewall scripts are enabled in init scripts /etc/init.d/ now. For configuration "enabled" status use GetEnableService().

Returns:

• (Boolean) —

  if enabled

# File 'library/network/src/lib/network/susefirewall.rb', line 191

def IsEnabled
  return false if !SuSEFirewallIsInstalled()

  if Service.Enabled(@firewall_service)
    Builtins.y2milestone("Firewall service is enabled")
    true
  else
    Builtins.y2milestone("Firewall service is not enabled")
    false
  end
end

#IsKnownZone(zone) ⇒ Boolean

Function returns if zone (shortname like "EXT") is supported by firewall. Undefined zones are, for sure, unsupported.

Parameters:

• zone (String) —

  shortname

Returns:

• (Boolean) —

  if zone is known and supported.

# File 'library/network/src/lib/network/susefirewall.rb', line 520

def IsKnownZone(zone)
  is_zone = false

  Builtins.foreach(GetKnownFirewallZones()) do |known_zone|
    if known_zone == zone
      is_zone = true
      raise Break
    end
  end

  is_zone
end

#IsOtherFirewallRunning ⇒ Boolean

Function returns if another firewall is currently running on the system. It uses command iptables to get information about just active iptables rules and compares the output with current status of the selected firewall backend

Returns:

• (Boolean) —

  if other firewall is running

# File 'library/network/src/lib/network/susefirewall.rb', line 764

def IsOtherFirewallRunning
  any_firewall_running = true

  # grep must return at least blank lines, else it returns 'exit 1' instead of 'exit 0'
  command = "LANG=C /usr/sbin/iptables -L -n | /usr/bin/grep -v \"^\\(Chain\\|target\\)\""

  iptables = Convert.to_map(
    SCR.Execute(path(".target.bash_output"), command)
  )
  if Ops.get_integer(iptables, "exit", 0) == 0
    iptables_list = Builtins.splitstring(
      Ops.get_string(iptables, "stdout", ""),
      "\n"
    )
    iptables_list = Builtins.filter(iptables_list) do |iptable_rule|
      iptable_rule != ""
    end

    Builtins.y2milestone(
      "Count of active iptables now: %1",
      Builtins.size(iptables_list)
    )

    # any iptables rule exist?
    any_firewall_running = Ops.greater_than(Builtins.size(iptables_list), 0)
  else
    # error running command
    Builtins.y2error(
      "Services Command: %1 (Exit %2) -> %3",
      command,
      Ops.get(iptables, "exit"),
      Ops.get(iptables, "stderr")
    )
    return nil
  end

  # any firewall is running but it is not desired one
  if any_firewall_running && !IsStarted()
    Builtins.y2warning("Any other firewall is running...")
    return true
  end
  # no firewall is running or the running firewall the desired one
  false
end

#IsStarted ⇒ Boolean

Function determines if at least one SuSEFirewall script is started now. For configuration "started" status use GetStartService().

Returns:

• (Boolean) —

  if started

# File 'library/network/src/lib/network/susefirewall.rb', line 207

def IsStarted
  return false if !SuSEFirewallIsInstalled()

  return true if Mode.testsuite

  Builtins.y2milestone("Checking firewall status...")
  if Service.Status(@firewall_service) == 0
    Builtins.y2milestone("Firewall service is started")
    true
  else
    Builtins.y2milestone("Firewall service is stopped")
    false
  end
end

#IsSupportedProtocol(protocol) ⇒ Boolean

Local function returns if protocol is supported by firewall. Protocol name must be in upper-cases.

Parameters:

• protocol (String)

Returns:

• (Boolean) —

  whether protocol is supported, that is, one of TCP, UDP, IP

# File 'library/network/src/lib/network/susefirewall.rb', line 587

def IsSupportedProtocol(protocol)
  @supported_protocols.include?(protocol)
end

#RemoveAllowedPortsOrServices(remove_ports, protocol, zone, check_for_aliases) ⇒ Object

Local function removes ports and their aliases (if check_for_aliases is true), for requested protocol and zone.

Parameters:

• list (string) —

  ports to be removed

• protocol (String)
• zone (String)
• boolean —

  check for port-aliases

# File 'library/network/src/lib/network/susefirewall.rb', line 653

def RemoveAllowedPortsOrServices(remove_ports, protocol, zone, check_for_aliases)
  remove_ports = deep_copy(remove_ports)
  if Ops.less_than(Builtins.size(remove_ports), 1)
    Builtins.y2warning(
      "Undefined list of %1 services/ports for service",
      protocol
    )
    return
  end

  SetModified()

  # all allowed ports
  allowed_services = PortRanges.DividePortsAndPortRanges(
    GetAllowedServicesForZoneProto(zone, protocol),
    false
  )

  # removing all aliases of ports too, adding aliases into
  if check_for_aliases
    remove_ports_with_aliases = []
    Builtins.foreach(remove_ports) do |remove_port|
      # skip port ranges, they cannot have any port-alias
      if PortRanges.IsPortRange(remove_port)
        remove_ports_with_aliases = Builtins.add(
          remove_ports_with_aliases,
          remove_port
        )
        next
      end
      remove_these_ports = PortAliases.GetListOfServiceAliases(remove_port)
      remove_these_ports = [remove_port] if remove_these_ports.nil?
      remove_ports_with_aliases = Convert.convert(
        Builtins.union(remove_ports_with_aliases, remove_these_ports),
        from: "list",
        to:   "list <string>"
      )
    end
    remove_ports = deep_copy(remove_ports_with_aliases)
  end
  remove_ports = Builtins.toset(remove_ports)

  # Remove ports only once (because of port aliases), any => integers and strings
  already_removed = []

  Builtins.foreach(remove_ports) do |remove_port|
    # Removing from normal ports
    Ops.set(
      allowed_services,
      "ports",
      Builtins.filter(Ops.get(allowed_services, "ports", [])) do |allowed_port|
        allowed_port != "" && allowed_port != remove_port
      end
    )
    # Removing also from port ranges
    if Ops.get(allowed_services, "port_ranges", []) != []
      # Removing a real port from port ranges
      if !PortRanges.IsPortRange(remove_port)
        remove_port_nr = PortAliases.GetPortNumber(remove_port)
        # Because of all port aliases
        if !Builtins.contains(already_removed, remove_port_nr)
          already_removed = Builtins.add(already_removed, remove_port_nr)
          Ops.set(
            allowed_services,
            "port_ranges",
            PortRanges.RemovePortFromPortRanges(
              remove_port_nr,
              Ops.get(allowed_services, "port_ranges", [])
            )
          )
        end
      # Removing a port range from port ranges
      elsif !Builtins.contains(already_removed, remove_port)
        # Just filtering the exact port range
        Ops.set(
          allowed_services,
          "port_ranges",
          Builtins.filter(Ops.get(allowed_services, "port_ranges", [])) do |one_port_range|
            one_port_range != remove_port
          end
        )
        already_removed = Builtins.add(already_removed, remove_port)
      end
    end
  end

  allowed_services_all = Convert.convert(
    Builtins.union(
      Ops.get(allowed_services, "ports", []),
      Ops.get(allowed_services, "port_ranges", [])
    ),
    from: "list",
    to:   "list <string>"
  )

  allowed_services_all = PortRanges.FlattenServices(
    allowed_services_all,
    protocol
  )

  SetAllowedServicesForZoneProto(allowed_services_all, zone, protocol)

  nil
end

#RemoveService(service, protocol, interface) ⇒ Boolean

Function removes service from selected zone (or for interface) for selected protocol. Function takes care about port-aliases, removes all of them.

Examples:

RemoveService ("22", "TCP", "DMZ") -> true
is the same as
RemoveService ("ssh", "TCP", "DMZ") -> true

Parameters:

• service/port (String)
• protocol (String) —

  TCP, UDP, RPC, IP

• string —

  zone name or interface name

Returns:

• (Boolean) —

  success

# File 'library/network/src/lib/network/susefirewall.rb', line 997

def RemoveService(service, protocol, interface)
  Builtins.y2milestone(
    "Removing service %1, protocol %2 from %3",
    service,
    protocol,
    interface
  )

  if !IsSupportedProtocol(protocol)
    Builtins.y2error("Unknown protocol: %1", protocol)
    return false
  end

  zones_affected = []

  # "all" means for all known zones
  if interface == "all"
    zones_affected = GetKnownFirewallZones()

    # zone or interface name
  else
    if !IsKnownZone(interface)
      # interface is probably interface-name, checking for respective zone
      interface = GetZoneOfInterface(interface)
      # interface is not assigned to any zone
      if interface.nil?
        # TRANSLATORS: Error message, %1 = interface name (like eth0)
        Report.Error(
          Builtins.sformat(
            _(
              "Interface '%1' is not assigned to any firewall zone.\nRun YaST2 Firewall and assign it.\n"
            ),
            interface
          )
        )
        Builtins.y2warning(
          "Interface '%1' is not assigned to any firewall zone",
          interface
        )
        return false
      end
    end
    zones_affected = [interface]
  end

  SetModified()

  # Adding service support into each mentioned zone
  Builtins.foreach(zones_affected) do |zone|
    # if the service is allowed
    if ArePortsOrServicesAllowed([service], protocol, zone, true)
      RemoveAllowedPortsOrServices([service], protocol, zone, true)
    else
      Builtins.y2milestone(
        "Port %1 has been already removed from %2",
        service,
        zone
      )
    end
  end

  true
end

#ResetModified ⇒ Object

Do not use this function. Only for firewall installation proposal.

# File 'library/network/src/lib/network/susefirewall.rb', line 355

def ResetModified
  Builtins.y2milestone("Reseting firewall-modified to 'false'")
  @modified = false

  nil
end

#SaveAndRestartService ⇒ Boolean

Function for saving configuration and restarting firewall. Is is the same as Write() but write is allways forced.

Returns:

• (Boolean) —

  if successful

# File 'library/network/src/lib/network/susefirewall.rb', line 571

def SaveAndRestartService
  Builtins.y2milestone("Forced save and restart")
  SetModified()

  SetStartService(true)

  return false if !Write()

  true
end

#SetAdditionalServices(protocol, zone, new_list_services) ⇒ Object

Function sets additional ports/services from taken list. Firstly, all additional services are removed also with their aliases. Secondly new ports/protocols are added. It uses GetAdditionalServices() function to get the current state and then it removes what has been removed and adds what has been added.

Examples:

SetAdditionalServices ("TCP", "EXT", ["53", "128"])

Parameters:

• protocol (String)
• zone (String)
• list (string) —

  list of ports/protocols

See Also:

• #GetAdditionalServices()

# File 'library/network/src/lib/network/susefirewall.rb', line 603

def SetAdditionalServices(protocol, zone, new_list_services)
  new_list_services = deep_copy(new_list_services)
  old_list_services = Builtins.toset(GetAdditionalServices(protocol, zone))
  new_list_services = Builtins.toset(new_list_services)

  if new_list_services != old_list_services
    SetModified()

    add_services = []
    remove_services = []

    # Add these services
    Builtins.foreach(new_list_services) do |service|
      add_services = Builtins.add(add_services, service) if !Builtins.contains(old_list_services, service)
    end
    # Remove these services
    Builtins.foreach(old_list_services) do |service|
      remove_services = Builtins.add(remove_services, service) if !Builtins.contains(new_list_services, service)
    end

    if Ops.greater_than(Builtins.size(remove_services), 0)
      Builtins.y2milestone(
        "Removing additional services %1/%2 from zone %3",
        remove_services,
        protocol,
        zone
      )
      RemoveAllowedPortsOrServices(remove_services, protocol, zone, true)
    end
    if Ops.greater_than(Builtins.size(add_services), 0)
      Builtins.y2milestone(
        "Adding additional services %1/%2 into zone %3",
        add_services,
        protocol,
        zone
      )
      AddAllowedPortsOrServices(add_services, protocol, zone)
    end
  end

  nil
end

#SetEnableService(enable_service) ⇒ Object

Function which sets if SuSEfirewall should start in Write process

Parameters:

• boolean —

  start_service at Write() process

# File 'library/network/src/lib/network/susefirewall.rb', line 100

def SetEnableService(enable_service)
  if !SuSEFirewallIsSelectedOrInstalled()
    Builtins.y2warning("Cannot set SetEnableService")
    return nil
  end

  if GetEnableService() == enable_service
    # without set modified
    Builtins.y2milestone(
      "enable-firewall has been already set to %1",
      enable_service
    )
  else
    SetModified()

    Builtins.y2milestone("Setting enable-firewall to %1", enable_service)
  end

  Ops.set(@SETTINGS, "enable_firewall", enable_service)

  nil
end

#SetInstallPackagesIfMissing(new_status) ⇒ Object

By default Firewall packages are just checked whether they are installed. With this function, you can change the behavior to also offer installing the packages.

Parameters:

• new_status, (Boolean) —

  'true' if packages should be offered for installation

# File 'library/network/src/lib/network/susefirewall.rb', line 377

def SetInstallPackagesIfMissing(new_status)
  if new_status.nil?
    Builtins.y2error("Wrong value: %1", new_status)
    return
  end

  @check_and_install_package = new_status

  if @check_and_install_package
    Builtins.y2milestone("Firewall packages will installed if missing")
  else
    Builtins.y2milestone(
      "Firewall packages will not be installed even if missing"
    )
  end

  nil
end

#SetModified ⇒ Object

Function sets internal variable, which indicates, that any "firewall settings were modified", to "true".

# File 'library/network/src/lib/network/susefirewall.rb', line 347

def SetModified
  @modified = true

  nil
end

#SetServices(services_ids, interfaces, new_status) ⇒ Boolean

Function sets status for several services on several network interfaces.

Examples:

// Disabling services
SetServices (["samba-server", "service:irc-server"], ["eth1", "modem0"], false)
// Enabling services
SetServices (["samba-server", "service:irc-server"], ["eth1", "modem0"], true)

Parameters:

• list (string) —

  service ids

• list (string) —

  network interfaces

• boolean —

  new status of services

Returns:

• (Boolean) —

  if successfull

See Also:

• #SetServicesForZones()

# File 'library/network/src/lib/network/susefirewall.rb', line 330

def SetServices(services_ids, interfaces, new_status)
  firewall_zones = GetZonesOfInterfacesWithAnyFeatureSupported(interfaces)
  if Builtins.size(firewall_zones) == 0
    Builtins.y2error(
      "Interfaces '%1' are not in any group of interfaces",
      interfaces
    )
    return false
  end

  SetModified()

  SetServicesForZones(services_ids, firewall_zones, new_status)
end

#SetStartService(start_service) ⇒ Object

Function which sets if SuSEfirewall should start in Write process.

Parameters:

• start_service (Boolean) —

  at Write() process

See Also:

• #GetStartService()

# File 'library/network/src/lib/network/susefirewall.rb', line 63

def SetStartService(start_service)
  if !SuSEFirewallIsSelectedOrInstalled()
    Builtins.y2warning("Cannot set SetStartService")
    return nil
  end

  if GetStartService() == start_service
    # without set modified!
    Builtins.y2milestone(
      "start-firewall has been already set to %1",
      start_service
    )
  else
    SetModified()

    Builtins.y2milestone("Setting start-firewall to %1", start_service)
  end

  Ops.set(@SETTINGS, "start_firewall", start_service)

  nil
end

#StartServices ⇒ Boolean

Functions starts services needed for SuSEFirewall

Returns:

• (Boolean) —

  result

# File 'library/network/src/lib/network/susefirewall.rb', line 126

def StartServices
  return true if Mode.testsuite

  return false if !SuSEFirewallIsInstalled()

  if Service.Start(@firewall_service)
    Builtins.y2milestone("Started")
    true
  else
    Builtins.y2error("Cannot start service %1", @firewall_service)
    false
  end
end

#StopServices ⇒ Boolean

Functions stops services needed for SuSEFirewall

Returns:

• (Boolean) —

  result

# File 'library/network/src/lib/network/susefirewall.rb', line 143

def StopServices
  return true if Mode.testsuite

  return false if !SuSEFirewallIsInstalled()

  if Service.Stop(@firewall_service)
    Builtins.y2milestone("Stopped")
    true
  else
    Builtins.y2error("Could not stop service %1", @firewall_service)
    false
  end
end

#SuSEFirewallIsInstalled ⇒ Boolean

Returns whether all needed packages are installed

Returns:

• (Boolean) —

  whether the selected firewall backend is installed

# File 'library/network/src/lib/network/susefirewall.rb', line 553

def SuSEFirewallIsInstalled
  return true if @needed_packages_installed

  if Mode.normal
    @needed_packages_installed = Package.CheckAndInstallPackages([@FIREWALL_PACKAGE])
    log.info "CheckAndInstallPackages -> #{@needed_packages_installed}"
  else
    @needed_packages_installed = Package.Installed(@FIREWALL_PACKAGE, target: :system)
    log.info "Installed -> #{@needed_packages_installed}"
  end

  @needed_packages_installed
end

#SuSEFirewallIsSelectedOrInstalled ⇒ Boolean

Returns whether all needed packages are installed (or selected for installation)

Returns:

• (Boolean) —

  whether the selected firewall backend is installed

# File 'library/network/src/lib/network/susefirewall.rb', line 537

def SuSEFirewallIsSelectedOrInstalled
  return true if @needed_packages_installed

  if Stage.initial
    packages_selected = Pkg.IsSelected(@FIREWALL_PACKAGE)
    log.info "Selected for installation -> #{packages_selected}"

    return true if packages_selected
  end

  SuSEFirewallIsInstalled()
end