Class: Yast::SuSEFirewalldClass

Inherits:

SuSEFirewallClass

• Object
• Module
• SuSEFirewallClass
• Yast::SuSEFirewalldClass

Defined in:

library/network/src/lib/network/susefirewalld.rb

Overview

---

SuSEFirewalld Class. Trying to provide relevent pieces of SF2 functionality via firewalld.

Constant Summary

ZONE_ATTRIBUTES =

Valid attributes for firewalld zones :interfaces = [Array] :masquerade = Boolean :modified = [Set] :ports = [Array] :protocols = [Array] :services = [Array]

[:interfaces, :masquerade, :modified, :ports, :protocols, :services].freeze

KEY_SETTINGS =

_firewall are "inherited" from SF2 so we can't use symbols there without having to change all the SF2 callers.

["enable_firewall", "logging", "routing", "start_firewall"].freeze

EMPTY_ZONE =

{
  interfaces: [],
  masquerade: false,
  modified:   Set.new,
  ports:      [],
  protocols:  [],
  services:   []
}.freeze

Instance Attribute Summary

• #special_all_interface_zone ⇒ Object readonly

  Returns the value of attribute special_all_interface_zone.

Attributes inherited from SuSEFirewallClass

#firewall_service

Instance Method Summary

• #ActivateConfiguration ⇒ Boolean

  Function which starts/stops firewall.

• #AddAllowedPortsOrServices(add_ports, protocol, zone) ⇒ Object

  Local function allows ports for requested protocol and zone.

• #AddInterfaceIntoZone(interface, zone) ⇒ Object

  Functions adds interface into defined zone.

• #AddSpecialInterfaceIntoZone(interface, zone) ⇒ Object

  Functions adds special string into defined zone.

• #api ⇒ Object

  We need that for the tests.

• #ArePortsOrServicesAllowed(needed_ports, protocol, zone, _check_for_aliases) ⇒ Object
• #Export ⇒ Hash{String => Object}

  Function for getting exported SuSEFirewall configuration.

• #full_init_on_boot(new_state) ⇒ Object

  FIXME: this method currently does nothing at all and has been added just for having the same API than SuSEFirewall2 but it is deprecated.

• #GetAcceptExpertRules(zone) ⇒ String

  Returns list of rules describing protocols and ports that are allowed to be accessed from listed hosts.

• #GetAdditionalServices(protocol, zone) ⇒ Array<String>

  This powerful function returns list of services/ports which are not assigned to any fully-supported known-services.

• #GetAllowedServicesForZoneProto(zone, protocol) ⇒ Array<String>

  Function returns list of allowed ports for zone and protocol.

• #GetIgnoreLoggingBroadcast(_zone) ⇒ String

  Function returns yes/no - ingoring broadcast for zone.

• #GetInterfacesInZone(zone) ⇒ Array<String>

  Function returns list of known interfaces in requested zone.

• #GetInterfacesInZoneSupportingAnyFeature(zone) ⇒ Array<String>

  Function returns list of known interfaces in requested zone.

• #GetLoggingSettings(rule) ⇒ String

  Function returns actual state of logging.

• #GetMasquerade(zone = "internal") ⇒ Boolean

  Function returns actual state of Masquerading support.

• #GetProtectFromInternalZone ⇒ Boolean

  Function returns if firewall is protected from internal zone.

• #GetServicesInZones(services) ⇒ Hash<String, Hash<String, Boolean>>

  Function returns map of supported services all network interfaces.

• #GetSpecialInterfacesInZone(zone) ⇒ Array<String>

  Function returns list of special strings like 'any' or 'auto' and unknown interfaces.

• #GetZoneOfInterface(interface) ⇒ Object

  Function returns the firewall zone of interface, nil if no zone includes the interface.

• #GetZonesOfInterfacesWithAnyFeatureSupported(interfaces) ⇒ Array<String>

  Function returns list of zones of requested interfaces.

• #Import(import_settings) ⇒ Object

  Function for setting SuSEFirewall configuration from input.

• #initialize ⇒ SuSEFirewalldClass constructor

  A new instance of SuSEFirewalldClass.

• #IsAnyNetworkInterfaceSupported ⇒ Object

  Function returns whether the feature 'any' network interface is supported.

• #IsInterfaceInZone(interface, zone) ⇒ Boolean

  Function returns if the interface is in zone.

• #IsServiceSupportedInZone(service, zone) ⇒ Boolean

  Function returns true if service is supported (allowed) in zone.

• #Read ⇒ Object
• #read_zones ⇒ Object
• #ReadCurrentConfiguration ⇒ Object
• #RemoveAllowedPortsOrServices(remove_ports, protocol, zone, _check_for_aliases) ⇒ Object

  Local function removes ports and their aliases (if check_for_aliases is true), for requested protocol and zone.

• #RemoveInterfaceFromZone(interface, zone) ⇒ Object

  Function removes interface from defined zone.

• #RemoveSpecialInterfaceFromZone(interface, zone) ⇒ Object

  Function removes special string from defined zone.

• #SetAcceptExpertRules(zone, expert_rules) ⇒ Boolean

  Sets expert allow rules for zone.

• #SetAllowedServicesForZoneProto(allowed_services, zone, protocol) ⇒ Object

  Function sets list of services as allowed ports for zone and protocol.

• #SetIgnoreLoggingBroadcast(_zone, bcast) ⇒ Object

  Function sets yes/no - ingoring broadcast for zone.

• #SetLoggingSettings(rule, state) ⇒ Object

  Function sets state of logging.

• #SetMasquerade(enable, zone = "internal") ⇒ Object

  Function sets Masquerade support.

• #SetServicesForZones(services_ids, firewall_zones, new_status) ⇒ Object

  Function sets status for several services in several firewall zones.

• #sf2_to_firewalld_service(service) ⇒ Object

  Function which attempts to convert a sf2_service name to a firewalld equivalent.

• #sf2_to_firewalld_zone(zone) ⇒ Object
• #Write ⇒ Object
• #WriteConfiguration ⇒ Object
• #WriteOnly ⇒ Object

  In SF2, it's used to write configuration, but not activate.

Methods inherited from SuSEFirewallClass

#AddService, #AddXenSupport, #DisableServices, #EnableServices, #GetAllKnownInterfaces, #GetEnableService, #GetKnownFirewallZones, #GetListOfKnownInterfaces, #GetModified, #GetServices, #GetStartService, #GetZoneFullName, #GetZonesOfInterfaces, #HaveService, #IsEnabled, #IsKnownZone, #IsOtherFirewallRunning, #IsStarted, #IsSupportedProtocol, #RemoveService, #ResetModified, #SaveAndRestartService, #SetAdditionalServices, #SetEnableService, #SetInstallPackagesIfMissing, #SetModified, #SetServices, #SetStartService, #StartServices, #StopServices, #SuSEFirewallIsInstalled, #SuSEFirewallIsSelectedOrInstalled

Constructor Details

#initialize ⇒ SuSEFirewalldClass

Returns a new instance of SuSEFirewalldClass.

# File 'library/network/src/lib/network/susefirewalld.rb', line 69

def initialize
  super

  textdomain "base"

  # firewalld API interface.
  @fwd_api = Y2Firewall::Firewalld::Api.new
  # firewalld service
  @firewall_service = "firewalld"
  # firewalld package
  @FIREWALL_PACKAGE = "firewalld"
  # flag to indicate that FirewallD configuration has been read
  @configuration_has_been_read = false
  # firewall settings map
  @SETTINGS = {}
  # list of known firewall zones
  @known_firewall_zones = ["block", "dmz", "drop", "external", "home",
                           "internal", "public", "trusted", "work"]
  # map defines zone name for all known firewall zones
  @zone_names = {
    # TRANSLATORS: Firewall zone name - used in combo box or dialog title
    "block"    => _(
      "Block Zone"
    ),
    "dmz"      => _(
      "Demilitarized Zone"
    ),
    "drop"     => _(
      "Drop Zone"
    ),
    "external" => _(
      "External Zone"
    ),
    "home"     => _(
      "Home Zone"
    ),
    "internal" => _(
      "Internal Zone"
    ),
    "public"   => _(
      "Public Zone"
    ),
    "trusted"  => _(
      "Trusted Zone"
    ),
    "work"     => _(
      "Work Zone"
    )
  }

  # Zone which works with the special_all_interface_string string. In our case,
  # we don't want to deal with this just yet. FIXME
  @special_all_interface_zone = ""

  # Initialize the @SETTINGS hash
  KEY_SETTINGS.each { |x| @SETTINGS[x] = nil }
  GetKnownFirewallZones().each { |zone| @SETTINGS[zone] = deep_copy(EMPTY_ZONE) }

  # Are needed packages installed?
  @needed_packages_installed = nil

  # bnc #388773
  # By default needed packages are just checked, not installed
  @check_and_install_package = false

  # internal zone identification - useful for protect-from-internal
  @int_zone_shortname = "internal"

  # list of protocols supported in firewall, use only upper-cases
  @supported_protocols = ["TCP", "UDP", "IP"]
end

Instance Attribute Details

#special_all_interface_zone ⇒ Object (readonly)

Returns the value of attribute special_all_interface_zone.

# File 'library/network/src/lib/network/susefirewalld.rb', line 40

def special_all_interface_zone
  @special_all_interface_zone
end

Instance Method Details

#ActivateConfiguration ⇒ Boolean

Function which starts/stops firewall. Then firewall is started immediately when firewall is wanted to be started: SetStartService(boolean). FirewallD needs to be reloaded instead of doing a full-blown restart to get the new configuration up and running.

Returns:

• (Boolean) —

  if successful

# File 'library/network/src/lib/network/susefirewalld.rb', line 368

def ActivateConfiguration
  # starting firewall during second stage can cause deadlock in systemd - bnc#798620
  # Moreover, it is not needed. Firewall gets started via dependency on multi-user.target
  # when second stage is over.
  if Mode.installation
    Builtins.y2milestone("Do not touch firewall services during installation")

    return true
  end

  if GetStartService()
    # Not started - start it
    if IsStarted()
      Builtins.y2milestone("Firewall has been started already")
      # Make it real
      @fwd_api.reload
      true
    else
      Builtins.y2milestone("Starting firewall services")
      StartServices()
      # Started - restart it
    end
  # Firewall should stop after Write()
  # started - stop
  elsif IsStarted()
    Builtins.y2milestone("Stopping firewall services")
    StopServices()
    # stopped - skip stopping
  else
    Builtins.y2milestone("Firewall has been stopped already")
    true
  end
end

#AddAllowedPortsOrServices(add_ports, protocol, zone) ⇒ Object

Local function allows ports for requested protocol and zone.

Parameters:

• add_ports (Array<String>) —

  ports to be added

• protocol (String)
• zone (String)

# File 'library/network/src/lib/network/susefirewalld.rb', line 956

def AddAllowedPortsOrServices(add_ports, protocol, zone)
  add_ports = deep_copy(add_ports)
  if Ops.less_than(Builtins.size(add_ports), 1)
    Builtins.y2warning(
      "Undefined list of %1 services/ports for service",
      protocol
    )
    return
  end

  SetModified()

  # all allowed ports
  allowed_services = GetAllowedServicesForZoneProto(zone, protocol)

  allowed_services = Convert.convert(
    Builtins.union(allowed_services, add_ports),
    from: "list",
    to:   "list <string>"
  )

  SetAllowedServicesForZoneProto(allowed_services, zone, protocol)

  nil
end

#AddInterfaceIntoZone(interface, zone) ⇒ Object

Functions adds interface into defined zone. All appearances of interface in other zones are removed.

Examples:

AddInterfaceIntoZone ("eth5", "DMZ")

Parameters:

• interface (String)
• zone (String)

# File 'library/network/src/lib/network/susefirewalld.rb', line 533

def AddInterfaceIntoZone(interface, zone)
  return nil if !IsKnownZone(zone)

  SetModified()

  current_zone = GetZoneOfInterface(interface)

  # removing all appearances of interface in zones, excepting current_zone==new_zone
  while !current_zone.nil? && current_zone != zone
    # interface is in any zone already, removing it at first
    RemoveInterfaceFromZone(interface, current_zone) if current_zone != zone
    current_zone = GetZoneOfInterface(interface)
  end

  Builtins.y2milestone(
    "Adding interface '%1' into '%2' zone.",
    interface,
    zone
  )

  add_to_zone_attr(zone, :interfaces, interface)
  add_zone_modified(zone, :interfaces)

  nil
end

#AddSpecialInterfaceIntoZone(interface, zone) ⇒ Object

Functions adds special string into defined zone. For firewalld we return nil.

Parameters:

• interface (String)
• zone (String)

# File 'library/network/src/lib/network/susefirewalld.rb', line 729

def AddSpecialInterfaceIntoZone(interface, zone)
  AddInterfaceIntoZone(interface, zone)
end

#api ⇒ Object

We need that for the tests. Nothing else should access the API directly

# File 'library/network/src/lib/network/susefirewalld.rb', line 65

def api
  @fwd_api
end

#ArePortsOrServicesAllowed(needed_ports, protocol, zone, _check_for_aliases) ⇒ Object

# File 'library/network/src/lib/network/susefirewalld.rb', line 947

def ArePortsOrServicesAllowed(needed_ports, protocol, zone, _check_for_aliases)
  super(needed_ports, protocol, zone, false)
end

#Export ⇒ Hash{String => Object}

Function for getting exported SuSEFirewall configuration

Returns:

• (Hash{String => Object}) —

  with configuration

# File 'library/network/src/lib/network/susefirewalld.rb', line 170

def Export
  # FIXME: Temporal export until a new schema is defined for firewalld
  @SETTINGS.select { |k, v| KEY_SETTINGS.include?(k) && !v.nil? }
end

#full_init_on_boot(new_state) ⇒ Object

FIXME: this method currently does nothing at all and has been added just for having the same API than SuSEFirewall2 but it is deprecated

# File 'library/network/src/lib/network/susefirewalld.rb', line 1024

def full_init_on_boot(new_state)
  new_state
end

#GetAcceptExpertRules(zone) ⇒ String

Returns list of rules describing protocols and ports that are allowed to be accessed from listed hosts. All is returned as a single string. Zone needs to be defined.

Parameters:

• zone (String)

Returns:

• (String) —

  with rules

# File 'library/network/src/lib/network/susefirewalld.rb', line 990

def GetAcceptExpertRules(zone)
  zone = Builtins.toupper(zone)

  # Check for zone
  if !Builtins.contains(GetKnownFirewallZones(), zone)
    Builtins.y2error("Unknown firewall zone: %1", zone)
    return nil
  end

  Ops.get_string(@SETTINGS, Ops.add("FW_SERVICES_ACCEPT_", zone), "")
end

#GetAdditionalServices(protocol, zone) ⇒ Array<String>

This powerful function returns list of services/ports which are not assigned to any fully-supported known-services. This function doesn't check for services defined by packages. They are listed by a different way.

Examples:

GetAdditionalServices("TCP", "EXT") -> ["53", "128"]

Returns:

• (Array<String>) —

  of additional (unassigned) services

# File 'library/network/src/lib/network/susefirewalld.rb', line 869

def GetAdditionalServices(protocol, zone)
  protocol = protocol.upcase

  if !IsSupportedProtocol(protocol.upcase)
    Builtins.y2error("Unknown protocol '%1'", protocol)
    return nil
  end
  if !IsKnownZone(zone)
    Builtins.y2error("Unknown zone '%1'", zone)
    return nil
  end

  # all ports or services allowed in zone for protocol
  all_allowed_services = GetAllowedServicesForZoneProto(zone, protocol)

  # And now drop the known ones
  all_allowed_services -= SuSEFirewallServices.GetSupportedServices().keys

  # well, actually it returns list of services not-assigned to any well-known service
  deep_copy(all_allowed_services)
end

#GetAllowedServicesForZoneProto(zone, protocol) ⇒ Array<String>

Function returns list of allowed ports for zone and protocol

Parameters:

• zone (String)
• protocol (String)

Returns:

• (Array<String>) —

  of allowed ports

# File 'library/network/src/lib/network/susefirewalld.rb', line 834

def GetAllowedServicesForZoneProto(zone, protocol)
  Yast.import "SuSEFirewallServices"

  result = []
  protocol = protocol.downcase

  get_zone_attr(zone, :ports).each do |p|
    port_proto = p.split("/")
    result << port_proto[0] if port_proto[1] == protocol
  end
  result = get_zone_attr(zone, :protocols) if protocol == "ip"
  # We return the name of service instead of its ports
  get_zone_attr(zone, :services).each do |s| # to be SF2 compatible.
    case protocol
    when "tcp"
      result << s if !SuSEFirewallServices.GetNeededTCPPorts(s).empty?
    when "udp"
      result << s if !SuSEFirewallServices.GetNeededUDPPorts(s).empty?
    end
  end
  # FIXME: Is this really needed?
  result.flatten!

  deep_copy(result)
end

#GetIgnoreLoggingBroadcast(_zone) ⇒ String

Function returns yes/no - ingoring broadcast for zone

Examples:

# Does not log ignored broadcast packets
GetIgnoreLoggingBroadcast () -> "yes"

Parameters:

• _zone (String) —

  unused

Returns:

• (String) —

  "yes" or "no"

# File 'library/network/src/lib/network/susefirewalld.rb', line 798

def GetIgnoreLoggingBroadcast(_zone)
  return "no" if @SETTINGS["logging"] == "broadcast"

  "yes"
end

#GetInterfacesInZone(zone) ⇒ Array<String>

Function returns list of known interfaces in requested zone. Special strings like 'any' or 'auto' and unknown interfaces are removed from list.

Examples:

GetInterfacesInZone ("external") -> ["eth4", "eth5"]

Parameters:

• zone (String)

Returns:

• (Array<String>) —

  of interfaces

# File 'library/network/src/lib/network/susefirewalld.rb', line 498

def GetInterfacesInZone(zone)
  return [] unless IsKnownZone(zone)

  known_interfaces_now = GetListOfKnownInterfaces()
  get_zone_attr(zone, :interfaces).find_all { |i| known_interfaces_now.include?(i) }
end

#GetInterfacesInZoneSupportingAnyFeature(zone) ⇒ Array<String>

Function returns list of known interfaces in requested zone. In the firewalld case, we don't support the special 'any' string. Thus, interfaces not in a zone will not be included.

Parameters:

• zone (String)

Returns:

• (Array<String>) —

  of interfaces

# File 'library/network/src/lib/network/susefirewalld.rb', line 565

def GetInterfacesInZoneSupportingAnyFeature(zone)
  GetInterfacesInZone(zone)
end

#GetLoggingSettings(rule) ⇒ String

Function returns actual state of logging. @ note There is no 1-1 matching between SF2 and FirewallD when @ note it comes to logging. We need to be backwards compatible and @ note so we use the following conventions: @ note ACCEPT -> FirewallD can't log accepted packets so we always return @ note false. @ note DROP -> We map "all" to "ALL", "broadcast, multicast or unicast" @ note to "CRIT" and "off" to "NONE". @ note As a result of which, this method has little value in FirewallD

Parameters:

• rule (String) —

  definition 'ACCEPT' or 'DROP'

Returns:

• (String) —

  'ALL' or 'NONE'

# File 'library/network/src/lib/network/susefirewalld.rb', line 745

def GetLoggingSettings(rule)
  return false if rule == "ACCEPT"

  if rule == "DROP"
    drop_rule = @SETTINGS["logging"]
    case drop_rule
    when "off"
      "NONE"
    when "broadcast", "multicast", "unicast"
      "CRIT"
    when "all"
      "ALL"
    end
  else
    Builtins.y2error("Possible rules are only 'ACCEPT' or 'DROP'")
  end
end

#GetMasquerade(zone = "internal") ⇒ Boolean

Function returns actual state of Masquerading support. In FirewallD, masquerade is enabled per-zone so this function treats the 'internal' zone as the default zone if no zone is given as parameter.

Parameters:

• zone (String) (defaults to: "internal") —

  zone to get masqurade status from (default: internal)

Returns:

• (Boolean) —

  if supported

# File 'library/network/src/lib/network/susefirewalld.rb', line 677

def GetMasquerade(zone = "internal")
  if !IsKnownZone(zone)
    Builtins.y2error("zone %1 is not valid", zone)
    return nil
  end
  get_zone_attr(zone, :masquerade)
end

#GetProtectFromInternalZone ⇒ Boolean

Function returns if firewall is protected from internal zone. For firewalld, we just return true since the internal zone is treated like any other zone.

Returns:

• (Boolean) —

  if protected from internal

# File 'library/network/src/lib/network/susefirewalld.rb', line 488

def GetProtectFromInternalZone
  true
end

#GetServicesInZones(services) ⇒ Hash<String, Hash<String, Boolean>>

Function returns map of supported services all network interfaces.

Examples:

GetServicesInZones (["service:irc-server"]) -> $["service:irc-server":$["eth1":true]]
# No such service "something"
GetServicesInZones (["something"])) -> $["something":$["eth1":nil]]
GetServicesInZones (["samba-server"]) -> $["samba-server":$["eth1":false]]

Parameters:

• services (Array<String>) —

  list of services

Returns:

• (Hash<String, Hash<String, Boolean>>) —

  Returns in format {service => { interface => supported_status }}

# File 'library/network/src/lib/network/susefirewalld.rb', line 580

def GetServicesInZones(services)
  services = deep_copy(services)
  tmp_services = deep_copy(services)
  services = []
  Builtins.foreach(tmp_services) do |service|
    sf2_to_firewalld_service(service).each do |s|
      s = service.include?("service:") ? "service:" + s : s
      services << s
    end
  end
  super(services)
end

#GetSpecialInterfacesInZone(zone) ⇒ Array<String>

Function returns list of special strings like 'any' or 'auto' and unknown interfaces. This function is only valid for SF2. For firewalld, we return an empty array.

Examples:

GetSpecialInterfacesInZone("EXT") -> ["any", "unknown-1", "wrong-3"]

Parameters:

• zone (String)

Returns:

• (Array<String>) —

  special strings or unknown interfaces

# File 'library/network/src/lib/network/susefirewalld.rb', line 710

def GetSpecialInterfacesInZone(zone)
  known_interfaces_now = GetListOfKnownInterfaces()
  get_zone_attr(zone, :interfaces).reject { |i| known_interfaces_now.include?(i) }
end

#GetZoneOfInterface(interface) ⇒ Object

Function returns the firewall zone of interface, nil if no zone includes the interface. Firewalld does not allow an interface to be in more than one zone, so no error detection for this case is needed.

Parameters:

• interface (String)

Returns:

• string zone, or nil

# File 'library/network/src/lib/network/susefirewalld.rb', line 428

def GetZoneOfInterface(interface)
  GetKnownFirewallZones().each do |zone|
    return zone if IsInterfaceInZone(interface, zone)
  end

  nil
end

#GetZonesOfInterfacesWithAnyFeatureSupported(interfaces) ⇒ Array<String>

Function returns list of zones of requested interfaces. Special string 'any' in 'EXT' zone is supported.

Examples:

GetZonesOfInterfaces (["eth1","eth4"]) -> ["EXT"]

Parameters:

• interfaces (Array<String>)

Returns:

• (Array<String>) —

  firewall zones

# File 'library/network/src/lib/network/susefirewalld.rb', line 444

def GetZonesOfInterfacesWithAnyFeatureSupported(interfaces)
  interfaces = deep_copy(interfaces)
  zones = []
  interfaces.each { |interface| zones << GetZoneOfInterface(interface) }
  zones
end

#Import(import_settings) ⇒ Object

Function for setting SuSEFirewall configuration from input

Parameters:

• import_settings (Hash<String, Object>) —

  with configuration

# File 'library/network/src/lib/network/susefirewalld.rb', line 178

def Import(import_settings)
  Read()
  import_settings = deep_copy(import_settings || {})
  # Sanitize it
  import_settings.each_key do |k|
    if !GetKnownFirewallZones().include?(k) && !KEY_SETTINGS.include?(k)
      Builtins.y2warning("Removing invalid key: %1 from imported settings", k)
      import_settings.delete(k)
    elsif import_settings[k].is_a?(Hash)
      import_settings[k].each_key do |v|
        if !ZONE_ATTRIBUTES.include?(v)
          Builtins.y2warning("Removing invalid value: %1 from key %2", v, k)
          import_settings[k].delete(v)
        end
      end
    end
  end

  # Ruby's merge will probably not work since we have nested hashes
  @SETTINGS.each_key do |key|
    if import_settings.include?(key)
      if import_settings[key].instance_of?(Hash)
        # Merge them
        @SETTINGS[key].merge!(import_settings[key])
      else
        @SETTINGS[key] = import_settings[key]
      end
    end
    # Merge missing attributes
    if GetKnownFirewallZones().include?(key)
      # is this a zone?
      @SETTINGS[key] = EMPTY_ZONE.merge(@SETTINGS[key])
      # Everything may have been modified
      @SETTINGS[key][:modified] = [:interfaces, :masquerade, :ports, :protocols, :services]
    end
  end

  # Tests mock the read method so read the NetworkInterface list again
  NetworkInterfaces.Read if !@configuration_has_been_read

  SetModified()

  nil
end

#IsAnyNetworkInterfaceSupported ⇒ Object

Function returns whether the feature 'any' network interface is supported. This is a SF2 specific construct. For firewalld, we simply return false. We may decide to change this in the future.

Returns:

• boolean false

# File 'library/network/src/lib/network/susefirewalld.rb', line 456

def IsAnyNetworkInterfaceSupported
  false
end

#IsInterfaceInZone(interface, zone) ⇒ Boolean

Function returns if the interface is in zone.

Examples:

IsInterfaceInZone ("eth-id-01:11:DA:9C:8A:2F", "INT") -> false

Parameters:

• interface (String)
• zone (String) —

  firewall zone

Returns:

• (Boolean) —

  is in zone

# File 'library/network/src/lib/network/susefirewalld.rb', line 417

def IsInterfaceInZone(interface, zone)
  interfaces = get_zone_attr(zone, :interfaces)
  interfaces.include?(interface)
end

#IsServiceSupportedInZone(service, zone) ⇒ Boolean

Function returns true if service is supported (allowed) in zone. Service must be defined already be defined.

Examples:

# All ports defined by dns-server service in SuSEFirewallServices module
# are enabled in the respective zone
IsServiceSupportedInZone ("dns-server", "external") -> true

Parameters:

• service (String) —

  id

• zone (String)

Returns:

• (Boolean) —

  if supported

See Also:

• SuSEFirewallServices

# File 'library/network/src/lib/network/susefirewalld.rb', line 472

def IsServiceSupportedInZone(service, zone)
  return nil if !IsKnownZone(zone)

  # We may have more than one FirewallD service per SF2 service
  sf2_to_firewalld_service(service).each do |s|
    return false if !in_zone_attr?(zone, :services, s)
  end

  true
end

#Read ⇒ Object

# File 'library/network/src/lib/network/susefirewalld.rb', line 233

def Read
  # Do not read it again and again
  # to avoid overwritting live configuration.
  if @configuration_has_been_read
    Builtins.y2milestone(
      "FirewallD configuration has been read already."
    )
    return true
  end

  ReadCurrentConfiguration()

  Builtins.y2milestone(
    "Firewall configuration has been read: %1.",
    @SETTINGS
  )
  # Always call NI::Read, bnc #396646
  NetworkInterfaces.Read

  # to read configuration only once
  @configuration_has_been_read = true
end

#read_zones ⇒ Object

# File 'library/network/src/lib/network/susefirewalld.rb', line 256

def read_zones
  # Get all the information from zones and load them to @SETTINGS["zones"]
  # The following may seem somewhat complicated or fragile but it is more
  # efficient to only invoke a single firewall-cmd command instead of
  # iterating over the zones and then using all the different
  # firewall-cmd commands to get service, port, masquerade etc
  # information from them.
  all_zone_info = @fwd_api.list_all_zones
  # Drop empty lines
  all_zone_info.reject!(&:empty?)
  # And now build the hash
  zone = nil
  all_zone_info.each do |e|
    # is it a zone?
    z = e.split[0]
    if GetKnownFirewallZones().include?(z)
      zone = z
      next
    end
    if ZONE_ATTRIBUTES.any? { |w| e.include?(w.to_s) }
      attrs = e.split(":\s")
      attr = attrs[0].lstrip.to_sym
      # do not bother if empty
      next if attrs[1].nil?

      vals = attrs[1].split
      # Fix up for masquerade
      if attr == :masquerade
        set_to_zone_attr(zone, attr, vals != "no")
      else
        vals.each { |x| add_to_zone_attr(zone, attr, x) }
      end
    end
  end
end

#ReadCurrentConfiguration ⇒ Object

# File 'library/network/src/lib/network/susefirewalld.rb', line 292

def ReadCurrentConfiguration
  if SuSEFirewallIsInstalled()
    read_zones
    @SETTINGS["logging"] = @fwd_api.log_denied_packets
  end

  @SETTINGS["enable_firewall"] = IsEnabled()
  @SETTINGS["start_firewall"] = IsStarted()

  true
end

#RemoveAllowedPortsOrServices(remove_ports, protocol, zone, _check_for_aliases) ⇒ Object

Local function removes ports and their aliases (if check_for_aliases is true), for requested protocol and zone.

Parameters:

• remove_ports (Array<String>) —

  ports to be removed

• protocol (String) —

  Protocol

• zone (String) —

  Zone

• _check_for_aliases (Boolean) —

  unused

# File 'library/network/src/lib/network/susefirewalld.rb', line 925

def RemoveAllowedPortsOrServices(remove_ports, protocol, zone, _check_for_aliases)
  remove_ports = deep_copy(remove_ports)
  if Ops.less_than(Builtins.size(remove_ports), 1)
    Builtins.y2warning(
      "Undefined list of %1 services/ports for service",
      protocol
    )
    return
  end

  SetModified()

  allowed_services = GetAllowedServicesForZoneProto(zone, protocol)
  Builtins.y2debug("RemoveAdditionalServices: currently allowed services for %1_%2 -> %3",
    zone, protocol, allowed_services)
  # and this is what we keep
  allowed_services -= remove_ports
  Builtins.y2debug("RemoveAdditionalServices: new allowed services for %1_%2 -> %3",
    zone, protocol, allowed_services)
  SetAllowedServicesForZoneProto(allowed_services, zone, protocol)
end

#RemoveInterfaceFromZone(interface, zone) ⇒ Object

Function removes interface from defined zone.

Examples:

RemoveInterfaceFromZone ("modem0", "EXT")

Parameters:

• interface (String)
• zone (String)

# File 'library/network/src/lib/network/susefirewalld.rb', line 510

def RemoveInterfaceFromZone(interface, zone)
  return nil if !IsKnownZone(zone)

  SetModified()

  Builtins.y2milestone(
    "Removing interface '%1' from '%2' zone.",
    interface,
    zone
  )

  del_from_zone_attr(zone, :interfaces, interface)
  add_zone_modified(zone, :interfaces)

  nil
end

#RemoveSpecialInterfaceFromZone(interface, zone) ⇒ Object

Function removes special string from defined zone. For firewalld we return nil.

Parameters:

• interface (String)
• zone (String)

# File 'library/network/src/lib/network/susefirewalld.rb', line 720

def RemoveSpecialInterfaceFromZone(interface, zone)
  RemoveInterfaceFromZone(interface, zone)
end

#SetAcceptExpertRules(zone, expert_rules) ⇒ Boolean

Sets expert allow rules for zone.

Parameters:

• zone (String)
• expert_rules (String) —

  whitespace-separated expert_rules

Returns:

• (Boolean) —

  if successful

# File 'library/network/src/lib/network/susefirewalld.rb', line 1007

def SetAcceptExpertRules(zone, expert_rules)
  zone = Builtins.toupper(zone)

  # Check for zone
  if !Builtins.contains(GetKnownFirewallZones(), zone)
    Builtins.y2error("Unknown firewall zone: %1", zone)
    return false
  end

  Ops.set(@SETTINGS, Ops.add("FW_SERVICES_ACCEPT_", zone), expert_rules)
  SetModified()

  true
end

#SetAllowedServicesForZoneProto(allowed_services, zone, protocol) ⇒ Object

Function sets list of services as allowed ports for zone and protocol

Parameters:

• allowed_services (Array<string>) —

  list of allowed ports/services

• zone (String)
• protocol (String)

# File 'library/network/src/lib/network/susefirewalld.rb', line 896

def SetAllowedServicesForZoneProto(allowed_services, zone, protocol)
  allowed_services = deep_copy(allowed_services)

  SetModified()

  protocol = protocol.downcase

  # allowed_services can contain both services and port definitions so the
  # first step is to split them up
  services, ports = sanitize_services_and_ports(allowed_services, protocol)

  # First we drop existing services and ports.
  delete_ports_with_protocol_from_zone(protocol, zone)
  delete_services_with_protocol_from_zone(protocol, zone)

  # And now add the new ports and services
  set_ports_with_protocol_to_zone(ports, protocol, zone)
  set_services_to_zone(services, zone)

  nil
end

#SetIgnoreLoggingBroadcast(_zone, bcast) ⇒ Object

Note:

Since Firewalld only accepts a single packet type to log,

Note:

we simply disable logging if broadcast logging is not desirable.

Note:

If you used SetIgnoreLoggingBroadcast is your code, make sure you

Note:

use SetLoggingSettings afterwards to enable the type of logging you

Note:

want.

Function sets yes/no - ingoring broadcast for zone

Examples:

# Do not log broadcast packetes from DMZ
SetIgnoreLoggingBroadcast ("DMZ", "yes")

Parameters:

• _zone (String) —

  unused

• bcast (String) —

  ignore 'yes' or 'no'

# File 'library/network/src/lib/network/susefirewalld.rb', line 817

def SetIgnoreLoggingBroadcast(_zone, bcast)
  bcast = bcast.casecmp("no").zero? ? "broadcast" : "off"

  return nil if @SETTINGS["logging"] == bcast

  SetModified()

  @SETTINGS["logging"] = bcast.downcase

  nil
end

#SetLoggingSettings(rule, state) ⇒ Object

Note:

Similar restrictions to GetLoggingSettings apply

Function sets state of logging.

Parameters:

• rule (String) —

  definition 'ACCEPT' or 'DROP'

• state (String) —

  new logging state 'ALL', 'CRIT', or 'NONE'

# File 'library/network/src/lib/network/susefirewalld.rb', line 767

def SetLoggingSettings(rule, state)
  return nil if rule == "ACCEPT"

  if rule == "DROP"
    drop_rule = state.downcase
    case drop_rule
    when "none"
      @SETTINGS["logging"] = "off"
    when "crit"
      # Choosing unicast since it's likely to be the most common case
      @SETTINGS["logging"] = "unicast"
    when "all"
      @SETTINGS["logging"] = "all"
    end
  else
    Builtins.y2error("Possible rules are only 'ACCEPT' or 'DROP'")
  end

  SetModified()

  nil
end

#SetMasquerade(enable, zone = "internal") ⇒ Object

Function sets Masquerade support.

Parameters:

• enable (Boolean) —

  Enable or Disable masquerade

• zone (String) (defaults to: "internal") —

  Zone to enable masquerade on.

Returns:

• nil

# File 'library/network/src/lib/network/susefirewalld.rb', line 690

def SetMasquerade(enable, zone = "internal")
  if !IsKnownZone(zone)
    Builtins.y2error("zone %1 is not valid", zone)
    return nil
  end
  SetModified()
  set_to_zone_attr(zone, :masquerade, enable)
  add_zone_modified(zone, :masquerade)

  nil
end

#SetServicesForZones(services_ids, firewall_zones, new_status) ⇒ Object

Function sets status for several services in several firewall zones.

Examples:

SetServicesForZones (["samba-server", "service:irc-server"], ["DMZ", "EXT"], false);
SetServicesForZones (["samba-server", "service:irc-server"], ["EXT", "DMZ"], true);

Parameters:

• services_ids (Array<String>) —

  service ids

• firewall_zones (Array<String>) —

  firewall zones (EXT|INT|DMZ...)

• new_status (true, false) —

  new status of services

Returns:

• nil

See Also:

• #GetServicesInZones()
• #GetServices()

# File 'library/network/src/lib/network/susefirewalld.rb', line 606

def SetServicesForZones(services_ids, firewall_zones, new_status)
  Yast.import "SuSEFirewallServices"

  services_ids = deep_copy(services_ids)
  zones = deep_copy(firewall_zones)

  tmp_services_ids = deep_copy(services_ids)
  services_ids = []
  tmp_services_ids.each do |service|
    sf2_to_firewalld_service(service).each do |s|
      services_ids << s
    end
  end

  # setting for each service
  services_ids.each do |service|
    # Service is not supported by firewalld.
    # We can only do such error checking if backend is running
    if IsStarted() && !@fwd_api.service_supported?(service)
      Builtins.y2error("Undefined service '#{service}'")
      raise(SuSEFirewalServiceNotFound, "Service with name '#{service}' does not exist")
    end
    zones.each do |zone|
      # Add/remove service to/from zone only if zone is not 'trusted',
      # 'blocked' or 'drop'. For these zones there is no need to
      # explicitly add/remove
      # services as all connections are by default accepted.
      next if ["block", "drop", "trusted"].include?(zone)

      # zone must be known one
      if !IsKnownZone(zone)
        Builtins.y2error(
          "Zone '%1' is unknown firewall zone, skipping...",
          zone
        )
        next
      end

      if new_status == true # enable
        Builtins.y2milestone(
          "Adding '%1' into '%2' zone",
          service, zone
        )
        # Only add it if it is not there
        if !in_zone_attr?(zone, :services, service)
          add_to_zone_attr(zone, :services, service)
          SetModified()
          add_zone_modified(zone, :services)
        end
      else # disable
        Builtins.y2milestone(
          "Removing '%1' from '%2' zone",
          service, zone
        )
        del_from_zone_attr(zone, :services, service)
        SetModified()
        add_zone_modified(zone, :services)
      end
    end
  end

  nil
end

#sf2_to_firewalld_service(service) ⇒ Object

Function which attempts to convert a sf2_service name to a firewalld equivalent.

# File 'library/network/src/lib/network/susefirewalld.rb', line 143

def sf2_to_firewalld_service(service)
  # First, let's strip off 'service:' from service name if present.
  tmp_service = if service.include?("service:")
    service.partition(":")[2]
  else
    service
  end

  sf2_to_firewalld_map = {
    # netbios is covered in the samba service file
    "netbios-server"    => ["samba"],
    "nfs-client"        => ["nfs"],
    "nfs-kernel-server" => ["mountd", "nfs", "rpc-bind"],
    "samba-server"      => ["samba"],
    "sshd"              => ["ssh"]
  }

  if sf2_to_firewalld_map.key?(tmp_service)
    sf2_to_firewalld_map[tmp_service]
  else
    [tmp_service]
  end
end

#sf2_to_firewalld_zone(zone) ⇒ Object

# File 'library/network/src/lib/network/susefirewalld.rb', line 223

def sf2_to_firewalld_zone(zone)
  sf2_to_firewalld_map = {
    "INT" => "trusted",
    "EXT" => "external",
    "DMZ" => "dmz"
  }

  sf2_to_firewalld_map[zone] || zone
end

#Write ⇒ Object

# File 'library/network/src/lib/network/susefirewalld.rb', line 402

def Write
  # Make the firewall changes permanent.
  return false if !WriteConfiguration()
  return false if !ActivateConfiguration()

  true
end

#WriteConfiguration ⇒ Object

# File 'library/network/src/lib/network/susefirewalld.rb', line 304

def WriteConfiguration
  # just disabled
  return true if !SuSEFirewallIsInstalled()

  return false if !GetModified()

  Builtins.y2milestone(
    "Firewall configuration has been changed. Writing: %1.",
    @SETTINGS
  )
  # FIXME: Need to improve that to not re-write everything
  begin
    # Set logging
    @fwd_api.log_denied_packets(@SETTINGS["logging"]) if !@SETTINGS["logging"].nil? && !@fwd_api.log_denied_packets?(@SETTINGS["logging"])
    # Configure the zones
    GetKnownFirewallZones().each do |zone|
      if zone_attr_modified?(zone)
        Builtins.y2milestone("zone=#{zone} hasn't been modified. Skipping...")
        next
      end

      write_zone_masquerade(zone)
      write_zone_interfaces(zone)
      write_zone_services(zone)
      write_zone_ports(zone)
      write_zone_protocols(zone)

      # Configuration is now live. Move on
      ResetModified()
    end
  rescue FirewallCMDError
    Builtins.y2error("firewall-cmd failed")
    raise
  end

  # FIXME: perhaps "== true" can be dropped since this should
  # always be boolean?
  if !@SETTINGS["enable_firewall"].nil?
    if @SETTINGS["enable_firewall"] == true
      Builtins.y2milestone("Enabling firewall services")
      return false if !EnableServices()
    else
      Builtins.y2milestone("Disabling firewall services")
      return false if !DisableServices()
    end
  end

  true
end

#WriteOnly ⇒ Object

In SF2, it's used to write configuration, but not activate. For firewalld this is simply here to satisfy callers, like modules/Nfs.rb.

Returns:

• true

# File 'library/network/src/lib/network/susefirewalld.rb', line 357

def WriteOnly
  # This does not check if firewalld is running
  return false if !WriteConfiguration()
end