Revisions of shorewall
Stephan Kulow (coolo) accepted request 177862 from Togan Muftuoglu (toganm) (revision 45)
- Update to version 4.5.17.1
  For more details see changelog.txt and releasenotes.txt.
  * The following warning message may be emitted inappropriately when running shorewall 4.5.17. The message is no longer issued.
      The rule(s) generated by this entry are unreachable and have been discarded
  * Rules intended to increment nfacct objects would previously be optimized away when they immediately preceded an unconditional jump to the same target. Such rules are now retained.
  * A bug in the optimizer in 4.5.17 can cause 'set' and 'geoip' matches to be dropped. That has been corrected.
- spec file changes
  * rebased systemd.patch
(forwarded request 177859 from toganm)
Stephan Kulow (coolo) accepted request 162737 from Togan Muftuoglu (toganm) (revision 44)
Update to 4.5.15 version
Stephan Kulow (coolo) accepted request 159847 from Factory Maintainer (factory-maintainer) (revision 43)
Automatic submission by obs-autosubmit
Stephan Kulow (coolo) accepted request 157818 from Factory Maintainer (factory-maintainer) (revision 42)
Automatic submission by obs-autosubmit
Adrian Schröter (adrianSuSE) committed (revision 41)
Split 12.3 from Factory
Stephan Kulow (coolo) accepted request 148719 from Togan Muftuoglu (toganm) (revision 40)
No package depends on Shorewall, making it a leaf package, so the version upgrade does not affect other packages. There is also a fix for bnc#798525, which corrects the messed-up systemd service files. This version also fixes some other bugs related to the xtable-addon modules.
http://lists.opensuse.org/opensuse-factory/2013-01/msg00229.html
Thanks,
Togan
Stephan Kulow (coolo) accepted request 145720 from Togan Muftuoglu (toganm) (revision 39)
- Update to 4.5.10.1
  For more details see changelog.txt and releasenotes.txt
  * Correct typo in conntrack module
(forwarded request 145719 from toganm)
Stephan Kulow (coolo) accepted request 144824 from Togan Muftuoglu (toganm) (revision 38)
- Update to 4.5.10
  For more details see changelog.txt and releasenotes.txt
  * This release includes all defect repair included in 4.5.9.1-4.5.9.3.
  * Under rare circumstances, optimize level 16 could produce invalid iptables-restore input which would cause start/restart to fail.
  * Before this release, the 'started' script was run prior to copying the temporary script file (e.g., /var/lib/shorewall/.start) to /var/dir/shorewall/firewall. If the script failed, the copy would not take place even though the firewall had started successfully. The script is now copied before running the 'started' script.
    If you compare the script generated by this release with one generated by a prior release, we suggest that you ignore whitespace changes (e.g., use the '-w' option in diff); that way, you can see the actual change more clearly.
  * AUTOCOMMENT=No now works correctly; previously, it behaved the same as AUTOCOMMENT=Yes.
  * A harmless extraneous comma has been deleted from the rule generated by action.RST.
(forwarded request 144821 from toganm)
Stephan Kulow (coolo) accepted request 142300 from Togan Muftuoglu (toganm) (revision 37)
- Update to 4.5.9.2
  For more details see changelog.txt and releasenotes.txt
  * Previously, the rules in the 'routemark' chain did not specify a mask in the MARK target. While a mask isn't strictly necessary in those rules, one has been added to allay fears of those who read the generated ruleset.
    Note: The 'routemark' chain is used to apply provider marks to packets received from 'track' provider interfaces. It is traversed early in the mangle PREROUTING chain when no other marks have yet been applied to the packet.
  * If exclusion was used with TPROXY in the tcrules file, an invalid iptables ruleset was generated causing start and restart commands to fail when running iptables-restore.
  * Previously, if a provider and its interface had the same name, then the 'enable' command would not work on that interface.
(forwarded request 142299 from toganm)
Stephan Kulow (coolo) accepted request 139763 from Togan Muftuoglu (toganm) (revision 35)
- Update to 4.5.9
  For more details see changelog.txt and releasenotes.txt
  * This release contains all defect repair from Shorewall 4.5.8.2.
  * A typo has been corrected in the shorewallrc.default file.
  * Beginning with Shorewall 4.5.7.2, Shorewall unconditionally restores the provider mark as the first rule in the mangle table OUTPUT and PREROUTING chains. Previously, the provider mark was restored only if it was non-zero. It has become clear that some users need it one way while others need it the other way. To resolve this issue, a RESTORE_ROUTEMARKS option has been added to shorewall.conf and shorewall6.conf. When this option is set to Yes (the default), the 4.5.7.2 approach is used (always restore the mark, even if it is zero); when it is set to No, the pre-4.5.7.2 behavior is retained (only restore the mark if it is non-zero).
  * Two error messages produced by the RST action have been corrected. They previously referred to errors in the NotSyn action rather than RST.
(forwarded request 139762 from toganm)
Stephan Kulow (coolo) accepted request 137834 from Togan Muftuoglu (toganm) (revision 34)
- Update to 4.5.8.2
  For more details see changelog.txt and releasenotes.txt
  * The 'shorewall show' command previously produced no output. That command now works with ipset versions 4 and later.
  * The change in 4.5.8.1 that enabled industry-standard IPv4 address representation broke the ability to place IP ranges or IPv6 ipsets in the hosts file. Those abilities have been restored.
  * The treatment of the SYSTEMD and INITFILE shorewallrc variables has been inconsistent. The -lite installers ignore INITFILE when SYSTEMD is specified, while the other installers do not. Now, the -lite installers install the .service file if SYSTEMD is specified and they install the sysv-init script if INITFILE is specified. That is consistent with the behavior of the other installers.
- Added 0001-remote_fs.patch for shorewall-init sysv-init scripts
(forwarded request 137828 from toganm)
Stephan Kulow (coolo) accepted request 137409 from Togan Muftuoglu (toganm) (revision 33)
- Update to 4.5.8.1
  For more details see changelog.txt and releasenotes.txt
  * When ipset version 5 or later was installed, the 'shorewall show dynamic <zone>' command produced no output and the 'add' command failed with this error message:
      Zone <zone>, interface <interface> does not have a dynamic host list"
  * When generating ipset names for dynamic zones, the compiler was dropping dashes ('-') from the interface name and adding a unique suffix. For example the ipset for zone 'foo' and interface 'bar-if' might be 'foo_barif_1'. Dashes are now retained so that the generated set name in this example will be 'foo_bar-if'. This change also allows the 'add' and 'delete' commands to work correctly when the interface name contains one or more dashes.
    Although dash is documented as being an accepted character in ipset names, names containing a dash would generate an error in some contexts. That has also been corrected.
  * In most contexts, Shorewall6 has required IPv6 addresses to be enclosed in either angled brackets (<....>, deprecated) or in square brackets ([....]). This includes network addresses, where both the IPv6 address and the VLSM are required to be within the brackets (e.g., [2001:470:b:787::/64]). This differs from the industry-standard network form in which the IPv6 address is enclosed in square brackets and the VLSM is outside of the brackets (e.g., [2001:470:b:787::]/64). Beginning with this release, the industry-standard representation is also accepted by Shorewall6.
    Note: Those of you who read the patches will probably have noticed that much of this change was actually in 4.5.8; because the change was committed late in the 4.5.8 release cycle, we chose not to document the change until it had undergone additional testing.
(forwarded request 137407 from toganm)
Stephan Kulow (coolo) accepted request 135625 from Togan Muftuoglu (toganm) (revision 32)
- Since shorewall executables are in /usr/sbin systemd service files now reflect the correct location
(forwarded request 135613 from toganm)
Ismail Dönmez (namtrac) accepted request 132376 from Togan Muftuoglu (toganm) (revision 31)
- Update to 4.5.7.1
  For more details see changelog.txt and releasenotes.txt
  * When using IPSEC in a multi-ISP configuration, it is possible for the kernel to mis-route ESP packets. To date, this problem has only been observed on a system running a 3.5 kernel where traffic is being tunneled through GRE which is in turn being tunneled via IPSEC. This Shorewall release includes a low-cost workaround.
  * The Netfilter team have announced their intention to remove the NOTRACK target in favor of 'CT --notrack'. Shorewall will now map NOTRACK to 'CT --notrack' if the CT Target is available.
  * Previously, the current COMMENT was not being cleared after the blrules file was processed, causing that COMMENT to be used on entries in the rules file. That defect has been corrected.
- Add a note to the spec for reviewer explaining the configure command usage
- Removed following opensuse specific patches as they are merged to upstream now
  + shorewall-lite-4.5.2-init.patch
  + shorewall6-4.5.2-init.patch
  + shorewall6-lite-4.5.2-init.patch
  + shorewall-init-4.4.21_init_sh.patch
- Added 001-required-stop-fix patch for shorewall-lite/init.suse.sh
(forwarded request 132373 from toganm)
Stephan Kulow (coolo) accepted request 131525 from Togan Muftuoglu (toganm) (revision 30)
- Update to 4.5.7
  For more details see changelog.txt and releasenotes.txt
  * This release includes the defect repair from Shorewall 4.5.6.2.
  * The command 'shorewall enable pppX' could fail with the ip diagnostic
      Error: either "to" is duplicate, or "weight" is a garbage.
    Shorewall now generates the correct ip command.
  * Optimize level 4 could previously combine two rules that each specified the 'policy' match, leading to this iptables-restore failure:
      policy match: multiple elements but no --strict
    The optimizer now avoids combining such rules. While this is a long-standing defect in the optimizer, it was exposed by changes in Shorewall 4.5.6.
  * There were several cases where hard-wired directory names appeared in the tarball installers. These have been replaced with the appropriate shorewallrc variables.
  * A defect in RHEL 6.3 and derivatives causes 'shorewall show capabilities' to leave an empty ipset in the configuration. The same defect can cause the Shorewall compiler to similarly leave an empty ipset behind. This Shorewall release has a workaround for this problem.
- Added Bash >= 4 to BuildRequires
- Fix builds for Fedora compiler. It now causes following lines to be omitted. releasenotes.txt required. failure. Shorewall now uses the physical name. impossible to set SYSCONFDIR.
(forwarded request 131522 from toganm)
Stephan Kulow (coolo) accepted request 130455 from Togan Muftuoglu (toganm) (revision 29)
- Update to 4.5.6.2
  For more details see changelog.txt and releasenotes.txt
  * The compiler now generates an error when a SOURCE interface is specified in a rule where the SOURCE zone is the firewall itself.
  * Previously, entries in /etc/shorewall/notrack that specified a Vserver zone in the SOURCE column were omitted from the generated ruleset.
  * The set of helpers available in the notrack file and in the HELPER column of the tcrules file was incorrect:
    - The Amanda helper requires a UDP port -- Shorewall was requiring TCP.
    - The H323 module supplies two helpers: 'RAW' and 'Q.931'; Shorewall only accepted 'h323'.
    - The Netbios NS module supplies the 'netbios-ns' helper; Shorewall only accepted 'netbios_ns'.
  * The conditional directive '?IF 0' generated an error from the compiler. It now causes following lines to be omitted.
(forwarded request 130454 from toganm)
Ismail Dönmez (namtrac) accepted request 127519 from Togan Muftuoglu (toganm) (revision 28)
- Update to 4.5.6
  For more details see changelog.txt and releasenotes.txt
  * This release includes the defect repairs from Shorewall 4.5.5.1 through 4.5.5.4.
  * Previously, the tcrules file was not processed when TC_ENABLED=No. That meant that to use features like TPROXY, it was necessary to set TC_ENABLED=Yes and create a dummy /etc/shorewall/tcstart file. Now, only MANGLE_ENABLED=Yes is required.
(forwarded request 127518 from toganm)
Stephan Kulow (coolo) accepted request 126787 from Togan Muftuoglu (toganm) (revision 27)
- Update to 4.5.5.3
  For more details see changelog.txt and releasenotes.txt
  * When logical interface names were used, an entry in tcrules that included a classid could result in the compiler failing with this Perl diagnostic:
      Can't use an undefined value as an ARRAY reference at /usr/share/shorewall/Shorewall/Tc.pm line nnn, <$currentfile> line 20.
(forwarded request 126786 from toganm)
Adrian Schröter (adrianSuSE) committed (revision 26)
branched from openSUSE:Factory