Revisions of shorewall
Stephan Kulow (coolo) accepted request 124348 from Togan Muftuoglu (toganm) (revision 24)
- Update to 4.5.5
  For more details see changelog.txt and releasenotes.txt
  * This release includes all defect repair from Shorewall 4.5.4.1 and 4.5.4.2.
  * The Shorewall compiler sometimes must defer generating a rule until runtime. This is done by placing shell commands in its internal representation of a chain. These commands are then executed at run time to create the final rule. If all of the following were true, then an incorrect ruleset could be generated:
    + Optimization level 4 was set.
    + A chain (chain A) containing shell commands had three or fewer rules and commands.
    + The last rule in a second chain was a conditional jump to chain A.
    Under these conditions, the rules and commands in Chain A
  * The Shorewall-core configure and configure.pl scripts were treating SYSCONFDIR as a synonym for CONFDIR, making it impossible to set SYSCONFDIR.
- Update to 4.5.4.2
  For more details see changelog.txt and releasenotes.txt
  * The problems corrected section of the 4.5.4.1 release notes was missing the third problem corrected in the release. It has now been added.
  * A number of problems in Shorewall-init have been corrected:
    + If more than one product was listed in the PRODUCTS setting in /etc/default/shorewall-init (/etc/sysconfig/shorewall-init), then the second product would not be started/stopped.
    + Shorewall-init used 'restart' in response to an optional
Stephan Kulow (coolo) accepted request 123172 from Togan Muftuoglu (toganm) (revision 23)
- Update to 4.5.4.1
  For more details see changelog.txt and releasenotes.txt
  * Beginning with Shorewall 4.4.22, the 'pptpserver' tunnel type has been configured as a PPTP client running on the firewall rather than as a server on the firewall. It is now correctly configured as a server.
  * The shorewall-accounting (5) and shorewall6-accounting (5) documentation for the IPSEC column is incorrect. Rather than 'accountin' and 'accountout', the chain names should be 'accipsecin' and 'accipsecout'.
  * IPSEC accounting did not work if the accounting file was sectioned. Beginning with this release, the IPSEC column can be specified in any section. As always, the IPSEC column contains a comma-separated list of items. In the FORWARD chain, the first (or only) item in the list must be either 'in' or 'out' to indicate whether the rule matches incoming packets that have been decrypted ('in') or outgoing packets that will be encrypted ('out'). There are no restrictions with respect to which chain IPSEC rules can appear in a sectioned file.
Stephan Kulow (coolo) accepted request 122613 from Togan Muftuoglu (toganm) (revision 22)
- Update to 4.5.4
  For more details see changelog.txt and releasenotes.txt
  * When EXPORTMODULES=No in shorewall.conf, the error messages have been eliminated.
  * If the configuration settings in the PACKET MARK LAYOUT section of shorewall.conf (shorewall6.conf) had empty settings, the 'update' command would previously set them to their default settings. It now leaves them empty.
  * Previously, Shorewall used 'unreachable' routes to null-route the RFC1918 subnets. This approach has two drawbacks:
    - It can cause problems for IPSEC in that it can cause packets to be rejected rather than encrypted and forwarded.
    - It can return 'host unreachable' ICMPs to other systems that attempt to route RFC1918 addresses through the firewall.
    To eliminate these problems, Shorewall now uses 'blackhole' routes. Such routes don't interfere with IPSEC and silently drop packets rather than return an ICMP.
  * The 'default' routing table is now cleared if there are no 'fallback' providers.
  * Tproxy implementation has been reworked. For more details please consult the releasenotes.txt and changelog.txt
Stephan Kulow (coolo) accepted request 121134 from Togan Muftuoglu (toganm) (revision 21)
- Update to 4.5.3.1
  For more details see changelog.txt and releasenotes.txt
  * Previously, nested conditionals did not work correctly in all cases. In particular:
      ?IF $FALSE
      ?IF $FALSE
      foo
      bar
      ?ENDIF
      baz
      bop
      ?ENDIF
    In this case, the lines 'baz' and 'bop' were incorrectly included when they should have been omitted.
  * The 'balance' routing table is now cleared if there are no 'balance' providers.
  * Previously, the compiler generated an invalid 'ip add route' command if an IPv6 provider had '-' in the GATEWAY column.
  * As noted in the Migration Considerations, the generated firewall script maintains the interface .status files used by LSM and SWPING. Up to now, however, the 'disable' command did not update the .status file. That has been corrected. As part of the change, the 'isusable' script is no longer consulted by the 'enable' command.
- Update to 4.5.3
  For more details see changelog.txt and releasenotes.txt
  * The LOCKFILE setting in shorewall.conf and shorewall6.conf had inadvertently become undocumented. It is now documented again.
Stephan Kulow (coolo) accepted request 116207 from Togan Muftuoglu (toganm) (revision 20)
- Update to 4.5.2.4
  For more details see changelog.txt and releasenotes.txt
  * The 'shorewall reset' command now correctly resets the IPv4 packet and byte counters; previously, it was resetting the IPv6 counters.
  * The Shorewall installer now modifies the Chains.pm file for the Digest::SHA dependency when $DESTDIR is set, provided that $BUILD = $HOST. This allows rpm to automatically generate the correct module dependency.
Stephan Kulow (coolo) accepted request 113832 from Togan Muftuoglu (toganm) (revision 19)
- Update to 4.5.2.2
  For more details see changelog.txt and releasenotes.txt
  * If a shorewallrc file is passed to the 4.5.2.1 Shorewall-core install.sh, subsequent compilations fail. The error message indicates that the compiler is looking for lib.core, but the pathname has embedded spaces.
  * The 4.5.2.1 Shorewall/Shorewall6 installer installs an incorrect file as /etc/shorewall[6]/Makefile.
- Update to 4.5.2.1
  For more details see changelog.txt and releasenotes.txt
  * In release 4.5.2, if an INCLUDE directive appeared inside a ?IF ... ?ENDIF sequence, then the following error would be generated after the included file had been read:
      ERROR: Missing ?ENDIF to match the ?IF at line ...
  * An error in the shorewallrc.apple file has been corrected.
  * The shorewallrc.redhat file has been changed to conform to Fedora packaging guidelines.
  * The output of the 'version -a' command reflected incorrect versions when Shorewall-core 4.5.2 was installed. That has been corrected.
- Update to 4.5.2
  For more details see changelog.txt and releasenotes.txt
  * The generated firewall script includes code to automatically create ipsets that are referenced but that don't exist. That code was broken in releases 4.4.22 and later. This defect has been corrected. As part of the fix, the generated script will now issue a warning message when it creates an ipset.
Stephan Kulow (coolo) accepted request 110125 from Togan Muftuoglu (toganm) (revision 18)
- Fixed missing-rclink rpmlint errors as suggested in declined request #109645
  * no-reload-entry for shorewall-init is harmless as shorewall-init should not do a reload anyway. If more info is needed please look at http://shorewall.net/Anatomy.html
- Update to 4.5.1.1
  For more details see changelog.txt and releasenotes.txt
  * When checking or compiling for export (-e option), /sbin/shorewall would previously issue a warning message if the SHOREWALL_SHELL specified in the remote firewall's shorewall.conf did not exist.
  * The changes to TOS handling in 4.5.1 are incompatible with older releases such as RHEL5 and derivatives. That has been corrected.
  * The rules compiler now verifies that the protocol is TCP, UDP, SCTP or DCCP when checking a port range (low:high or low-high).
  * Previously, start or restart using the init script would fail with an error message referencing 'SHOREWALL_INIT_SCRIPT'. This defect was not visible to users that set AUTOMAKE=Yes or that run Shorewall-init.
- Update to 4.5.1
  For more details see changelog.txt and releasenotes.txt
  * This release includes all defect repair from versions 4.5.0.1-4.5.0.3.
  * A typo has been corrected in the blrules man pages.
  * Previously, if the interface appearing in the HOSTS column of /etc/shorewall6/hosts was not defined in /etc/shorewall6/interfaces, then the compiler would terminate with a Perl diagnostic:
      Can't use an undefined value as a HASH reference at /usr/share/shorewall/Shorewall/Zones.pm line 1817, <$currentfile> line ...
  * The compiler was previously failing to validate the contents of the LENGTH and TOS columns in /etc/shorewall/tcrules. The
Stephan Kulow (coolo) accepted request 101029 from Togan Muftuoglu (toganm) (revision 17)
- Update to 4.4.27.3
  For more details see changelog.txt and releasenotes.txt
  * Previously, if USE_DEFAULT_RT=Yes and 'loose' was specified on all providers, then no routing rule targeting the main routing table was generated. This has been corrected so that USE_DEFAULT_RT=Yes always results in such a rule at priority 999.
  * Shorewall 4.4.27 broke Shorewall-init functionality. It is restored in this release.
Stephan Kulow (coolo) accepted request 100354 from Togan Muftuoglu (toganm) (revision 16)
- Update to 4.4.27.2.
  For more details see changelog.txt and releasenotes.txt
  * A long-standing problem with Shorewall's 'save' facility has been discovered. The defect can cause rules to be dropped during 'save' so that they are not available to be reapplied during 'restore'. This can occur in 'safe-restart' when the prompt is not acknowledged or when it is acknowledged with 'n'. The problem can occur when:
    a) There are IPSEC zones or hosts present; and
    b) GOTO Target support is available in the kernel and iptables.
    Example of a rule that will be dropped:
      -A eth2_fwd -m policy --dir in --pol ipsec -g AAA_frwd
    The defective code has been corrected so that rules are no longer dropped.
- Update to 4.4.27.1.
  For more details see changelog.txt and releasenotes.txt
  * When optimization category 4 is used, unconditional jumps at the end of chains are replaced with the rules in the target chain. This can result in rulesets that are considerably larger than necessary. Beginning with this release, replacement will only occur if:
    a) The jump is the only reference to the target chain; or
    b) The target chain contains 3 or fewer rules.
  * The feature introduced in 4.4.25 that allowed provider names in the 'enable' and 'disable' commands was only implemented for 'enable'. It is now implemented for 'disable' as well.
  * When detecting IPv6 global addresses through an interface,
Stephan Kulow (coolo) accepted request 96568 from Togan Muftuoglu (toganm) (revision 15)
- Update to 4.4.26.1
  For more details see changelog.txt and releasenotes.txt
  * The Perl module version numbers have now been updated to reflect changes in 4.4.26.
  * The 4.4.26 rules compiler does not issue a warning when a capabilities file was generated with Shorewall 4.4.25, even though new capabilities were added in 4.4.26. This has been corrected so that a warning is generated.
  * When TC_ENABLED=Shared, CLASSIFY rules could not be used in the tcrules file. Thanks to a patch from Chris Boot, this now works as expected.
  * The quoted part of the progress message 'Provider "..." compiled' was inadvertently omitted by a change in Shorewall 4.4.23. That text has now been restored.
Stephan Kulow (coolo) committed (revision 14)
- replace license with spdx.org variant
Stephan Kulow (coolo) accepted request 95243 from Togan Muftuoglu (toganm) (revision 13)
- Update to 4.4.26
  For more details see changelog.txt and releasenotes.txt
  * This release includes all corrections included in 4.4.25.1 through .3.
  * In 4.4.25, ACCEPT behaved in the BLACKLIST section the same way as in the other rules file sections. This could lead to connections being accepted inadvertently. Now, ACCEPT behaves like WHITELIST; that is, it exempts the packet from the remaining rules in the BLACKLIST section.
  * Previously, Shorewall did not detect the ULOG and NFLOG capabilities. This led to run-time failures during 'start' and 'restart' as well as confusing error messages during compilation when ULOG or NFLOG was used when the LOG target was not available. ULOG and NFLOG are now detected capabilities so, if you use a capabilities file, you will need to regenerate it in order to use these log levels.
  * The SAME tcrules target was broken in Shorewall 4.4.22. It now works correctly again.
  * Previously, 'shorewall6 update' did not update shorewall6.conf. The command now works as expected.
  * In earlier releases, the compiler was attempting to process the params file before it was aware of the setting of CONFIG_PATH. This could cause the params file to be missed if it was not located in /etc/shorewall[6] or in the directory named in the start (restart,compile,check,...) command. Now, /sbin/shorewall[6] passes $CONFIG_PATH to the compiler (/usr/share/shorewall/compiler.pl) in the new '--config_path' option.
Stephan Kulow (coolo) accepted request 91026 from Togan Muftuoglu (toganm) (revision 12)
- Update to 4.4.25.3
  For more details see changelog.txt and releasenotes.txt
  * Correction of the produced ruleset when wildchars are used in the zone configuration
Stephan Kulow (coolo) accepted request 90215 from Togan Muftuoglu (toganm) (revision 11)
- Update to 4.4.25.2
  For more details see changelog.txt and releasenotes.txt
  * Previously, if all the following were true:
    - AUTOMAKE=Yes
    - Current compiled script (/var/lib/shorewall/firewall or /var/lib/shorewall6/firewall) up to date
    - LEGACY_FASTSTART=No
    - There was a saved configuration
    then rather than start the current configuration, 'shorewall start -f' or 'shorewall6 start -f' would incorrectly restore the saved configuration.
  * The DropSmurfs and TCPFlags actions are now available in Shorewall6. They were previously omitted from the IPv6 actions.std file.
  * The 'rawpost' table was previously omitted from the output of the 'dump' command. It is now displayed.
  * Previously, if a configuration contained more than one wildcard interface (physical name ending in '+'), then the generated script might not work properly with Shorewall-init. This defect dates back to the introduction of Shorewall-init.
Stephan Kulow (coolo) accepted request 89890 from Togan Muftuoglu (toganm) (revision 10)
- Update to 4.4.25.1
  For more details see changelog.txt and releasenotes.txt
  * A 'refresh' command with no chains or tables specified will now reload chains created by entries in the BLACKLIST section of the rules file.
  * The rules compiler previously failed to detect the 'Flow Filter' capability. That capability is now correctly detected.
  * The IN_BANDWIDTH handling changes in 4.4.25 were incompatible with moribund distributions such as RHEL4. Restoring IN_BANDWIDTH functionality on those releases required a new 'Basic Filter' capability.
- Update to 4.4.25
  For more details see changelog.txt and releasenotes.txt
  * A defect in the optimizer that allowed incompatible rules to be combined has been corrected.
  * Routes and rules added as a result of entries in /etc/shorewall6/providers were previously not deleted by 'stop' or 'restart'. Repeated 'restart' commands could therefore lead to an incorrect routing configuration.
  * Previously, capital letters were disallowed in IPv6 addresses. They are now permitted.
  * If the COPY column in /etc/shorewall6/providers was non-empty, previously a run-time error could occur when copying a table. The diagnostic produced by ip was:
      Either "to" is duplicate, or "cache" is garbage
  * When copying IPv6 routes, the generated script previously attempted to copy 'cache' entries. Those entries are now omitted.
  * Previously, the use of large provider numbers could cause some
Adrian Schröter (adrianSuSE) committed (revision 9)
Lars Vogdt (lrupp) accepted request 88044 from Togan Muftuoglu (toganm) (revision 8)
- Update to 4.4.24.1
  * When the logical and physical name of an interface were different, including the logical name in the tcdevices file caused the device's classes to be ignored. This defect was introduced in Shorewall 4.4.23.
  * Remove the ExecReload from all services, since systemd doesn't allow an ExecReload for OneShot services. Also, add a missing After=network.target to shorewall.service.
- Fixed URL typo in the spec
Ruediger Oertel (oertel) accepted request 87228 from Togan Muftuoglu (toganm) (revision 7)
- Update to 4.4.24.
  For more details see changelog.txt and releasenotes.txt
  * This release includes all problem corrections from releases 4.4.23.1-4.4.23.3.
  * The 'fallback' option without =<weight> previously produced invalid 'ip' commands.
Lars Vogdt (lrupp) accepted request 85485 from Togan Muftuoglu (toganm) (revision 6)
- reworked systemd related rpm macros for 12.1 because new systemd macros are in effect
- removed %clean macro as it is not needed