From: Hiroki Sato
Date: Thu, 23 Jul 2015 19:53:50 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject: svn commit: r285821 - stable/10/etc

Author: hrs
Date: Thu Jul 23 19:53:49 2015
New Revision: 285821
URL: https://svnweb.freebsd.org/changeset/base/285821

Log:
  MFC r273201, r273301:

  Add support of "/{udp,tcp,proto}" suffix into $firewall_myservices, which interpreted the listed items as port numbers of TCP services. A service with no suffix still works and is recognized as a TCP service for backward compatibility. It should be updated with /tcp suffix.

  Approved by: re (gjb)

Modified:
  stable/10/etc/rc.firewall
Directory Properties:
  stable/10/ (props changed)

Modified: stable/10/etc/rc.firewall
==============================================================================
--- stable/10/etc/rc.firewall Thu Jul 23 19:52:03 2015 (r285820) +++ stable/10/etc/rc.firewall Thu Jul 23 19:53:49 2015 (r285821) @@ -422,8 +422,8 @@ case ${firewall_type} in [Ww][Oo][Rr][Kk][Ss][Tt][Aa][Tt][Ii][Oo][Nn]) # Configuration: - # firewall_myservices: List of TCP ports on which this host - # offers services. + # firewall_myservices: List of ports/protocols on which this + # host offers services. # firewall_allowservices: List of IPv4 and/or IPv6 addresses # that have access to # $firewall_myservices.
@@ -487,7 +487,25 @@ case ${firewall_type} in # for i in ${firewall_allowservices} ; do for j in ${firewall_myservices} ; do - ${fwcmd} add pass tcp from $i to me $j + case $j in + [0-9A-Za-z]*/[Pp][Rr][Oo][Tt][Oo]) + ${fwcmd} add pass ${j%/[Pp][Rr][Oo][Tt][Oo]} from $i to me + ;; + [0-9A-Za-z]*/[Tt][Cc][Pp]) + ${fwcmd} add pass tcp from $i to me ${j%/[Tt][Cc][Pp]} + ;; + [0-9A-Za-z]*/[Uu][Dd][Pp]) + ${fwcmd} add pass udp from $i to me ${j%/[Uu][Dd][Pp]} + ;; + *[0-9A-Za-z]) + echo "Consider using ${j}/tcp in firewall_myservices." \ + > /dev/stderr + ${fwcmd} add pass tcp from $i to me $j + ;; + *) + echo "Invalid port in firewall_myservices: $j" > /dev/stderr + ;; + esac done done
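
Review bot: The new firewall_myservices comment in the workstation configuration block (hunk @@ -422,8 +422,8 @@) says "ports/protocols" but never states the accepted syntax. Suggest listing the three suffix forms the loop recognizes (/tcp, /udp, /proto) and noting that a bare entry is still taken as a TCP port and produces a warning, so that someone reading only rc.firewall can write a correct value without finding the commit log.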
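
Review bot: The "*[0-9A-Za-z])" fallback arm in hunk @@ -487,7 +487,25 @@ accepts any entry that merely ends in an alphanumeric, so an entry with a mistyped or unsupported suffix never reaches the "Invalid port" arm. For example, 80/tpc matches none of the three suffix arms, prints "Consider using 80/tpc/tcp in firewall_myservices." and is then passed on as "${fwcmd} add pass tcp from $i to me 80/tpc". Suggest adding a "*/*)" arm ahead of the fallback that reports the unknown suffix and adds no rule, which leaves the legacy arm for entries with no slash at all. The suffix arms also constrain only the first character of the entry ("[0-9A-Za-z]*"), so everything between it and the slash is forwarded to ${fwcmd} unchecked. Finally, the case statement sits inside both loops, so each warning is printed once per address in firewall_allowservices; validating firewall_myservices once before the outer loop would avoid the repeats.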