Revisions of shorewall
Togan Muftuoglu (toganm) accepted request 78633 from Togan Muftuoglu (toganm) (revision 29)
- patch the Perl diagnostic with a WARNING message.
Togan Muftuoglu (toganm) committed (revision 28)
resolved conflict
Sascha Peilicke (saschpe) accepted request 74031 from Togan Muftuoglu (toganm) (revision 27)
initialized devel package after accepting 74031
Togan Muftuoglu (toganm) accepted request 78435 from Togan Muftuoglu (toganm) (revision 26)
- Update to 4.4.22.2
  * On older distributions where 'shorewall show capabilities' indicates 'Connection Tracking Match: Not Available', Shorewall 4.4.22 and 4.4.22.1 generated invalid iptables-restore input.
  * Previously, the compiler always placed '#!/bin/sh' on the first line of the generated script. It now uses the setting of SHOREWALL_SHELL on that line rather than '/bin/sh'. Note that SHOREWALL_SHELL defaults to '/bin/sh' so this change only affects those who specify a different shell.
- Patched REDIRECT rule
Togan Muftuoglu (toganm) accepted request 77951 from Togan Muftuoglu (toganm) (revision 25)
- Update to 4.4.22.1
  * Previously, if the name of a zone began with 'all', then entries for that zone in /etc/shorewall/rules and /etc/shorewall6/rules treated the name the same as 'all'. This defect is present in Shorewall 4.4.13 through 4.4.22.
  * Previously, when LOAD_HELPERS_ONLY=No, harmless iptables-restore warnings as follows could be generated:
      ...
      Running /usr/local/sbin/iptables-restore...
      --set option deprecated, please use --match-set
      --set option deprecated, please use --match-set
      IPv4 Forwarding Enabled
  * Under rare conditions, long port lists (>15 ports) could result in
Togan Muftuoglu (toganm) accepted request 77914 from Togan Muftuoglu (toganm) (revision 24)
- removed ifupdown scripts from %post section and added to %files section
- according to upstream "The prog.header* files become the first part of the compiled script, so must contain '#!'. It can be removed from the lib.* files. I have it there primarily to cause Emacs to automatically choose shell mode when I edit the files. Currently, the function 'show_connection_filter()' (*/lib.cli), depends on the '#!' in an scfilter." Therefore removed the she-bang from:
    /usr/share/shorewall/lib.*
    /usr/share/shorewall6/lib.*
    /usr/share/shorewall-lite/lib.*
    /usr/share/shorewall6-lite/lib.*
- reworked rpmlintrc as shorewall-4.4.22.rpmlintrc
- Update to 4.4.22. For more details see changelog.txt and releasenotes.txt
  * Under rare conditions, long port lists (>15 ports) could result in the following failure when optimization level 4 was enabled.
      Use of uninitialized value in numeric gt (>) at /usr/share/shorewall/Shorewall/Chains.pm line 1264.
      ERROR: Internal error in Shorewall::Chains::decrement_reference_count at /usr/share/shorewall/Shorewall/Chains.pm line 1264
  * All corrections included in Shorewall 4.4.21.1.
- A bug in recent versions of Shorewall that could result in rules that are wider in scope than intended was fixed by applying a patch by the upstream.
Togan Muftuoglu (toganm) accepted request 76502 from Togan Muftuoglu (toganm) (revision 23)
- Update to 4.4.21.1 Changes in this release are:
  * A harmless Perl run-time "uninitialized variable" diagnostic has been eliminated from the compiler. The diagnostic was issued while displaying the capabilities.
  * As the result of a typo, an orphan filter chain named FORWAR could be created under rare circumstances. This chain was deleted by OPTIMIZE level 4.
  * The SNAT options --persistent and --randomize now work properly (/etc/shorewall/masq).
  * The LOGMARK log level previously generated invalid iptables input making it unusable. That has been corrected. The syntax for LOGMARK is now: LOGMARK(<priority>) where <priority> is a syslog priority (1-7 or debug, info, notice, etc.). Example rule:
      #ACTION            SOURCE  DEST  PROTO  DEST
      #                                       PORT(S)
      LOG:LOGMARK(info)  lan     dmz   udp    1234
Togan Muftuoglu (toganm) accepted request 76052 from Togan Muftuoglu (toganm) (revision 22)
- Update to 4.4.21 For more details see changelog.txt and releasenotes.txt
  * The Shorewall and Shorewall6 'load' and 'reload' commands now use the .conf file in the current working directory.
  * The 'balance' and 'fallback' options in /etc/shorewall/providers have always been mutually exclusive but the compiler previously didn't enforce that restriction. Now it does.
  * The ipset modules are now automatically loaded by Shorewall6 when LOAD_HELPERS_ONLY=No is specified in shorewall6.conf. Additionally, there is now a /usr/share/shorewall6/modules.ipset file that lists all of the required modules.
  * TPROXY descriptions have been added to shorewall-tcrules(5) and shorewall6-tcrules(5).
Togan Muftuoglu (toganm) accepted request 73804 from Togan Muftuoglu (toganm) (revision 21)
- Update to 4.4.20.3. Changes in this release are
  * Deprecated options have been removed from the .conf files. They remain in the man pages.
  * A simple configuration like the 'Universal' sample that includes a single wildcard interface ('+' in the INTERFACE column) produces a ruleset that blocks all incoming packets. As part of correcting this defect, which was introduced in 4.4.20.2, one or more superfluous rules (which could never match) have been eliminated from most configurations.
Togan Muftuoglu (toganm) accepted request 73643 from Togan Muftuoglu (toganm) (revision 20)
- Update to 4.4.20.2
  * A defect introduced in 4.4.20 could cause the following failure at start/restart:
      ERROR: Command "tc qdisc add dev eth0 parent 1:11 handle 1: sfq quantum 12498 limit 127 perturb 10" failed
  * The 'sfilter' interface option introduced in 4.4.20 was only applied to forwarded traffic. Now it is also applied to traffic addressed to the firewall itself.
  * Issues with iptables-restore are corrected
  * IPSEC traffic is now (correctly) excluded from sfilter.
  * The following incorrect warning message has been eliminated:
      WARNING: sfilter is ineffective with FASTACCEPT=Yes
Togan Muftuoglu (toganm) accepted request 72900 from Togan Muftuoglu (toganm) (revision 19)
- Changed license to GPL-2.0 as stated in http://spdx.org/licenses/
- Update to 4.4.20.1
  * The address of the Free Software Foundation has been corrected in the License files.
  * The shorewall[6].conf file installed in /usr/share/shorewall[6]/configfiles is no longer modified for use with Shorewall[6]-lite. When creating a new configuration for a remote firewall, two lines need to be modified in the copy
      CONFIG_PATH=/usr/share/shorewall (or shorewall6)
      STARTUP_LOG=/var/log/shorewall-lite-init.log (or shorewall6-lite-init.log)
Togan Muftuoglu (toganm) accepted request 72791 from Togan Muftuoglu (toganm) (revision 18)
cleanup spec from patches that are now in upstream and upgrade to 4.4.20 version.
- Update to 4.4.20
  * Removed backported patches for openSUSE specific locations as they are incorporated in upstream.
- Changes in 4.4.20 (for more read changelog.txt and releasenotes.txt)
  * Support for the AUDIT target has been added. AUDIT is a feature of the 2.6.39 kernel and iptables 1.4.10 that allows security auditing of access decisions.
  * Previously, the compiler would allow a degenerate entry (only the BAND specified) in /etc/shorewall/tcpri. Such an entry now raises a compilation error.
  * Previously, it was possible to specify tcfilters and tcrules that classified traffic with the class-id of a non-leaf HFSC class. Such classes are not capable of handling packets. Shorewall now generates a compile-time warning in this case and ignores the entry. If a non-leaf class is specified as the default class, then Shorewall now generates a compile-time error since that configuration allows no network traffic to flow.
  * Traditionally, Shorewall has not checked for the existence of ipsets mentioned in the configuration, potentially resulting in a run-time start/restart failure. Now, the compiler will issue a WARNING if:
      a) The compiler is being run by root.
      b) The compilation isn't producing a script to run on a remote system under a -lite product.
      c) An ipset appearing in the configuration does not exist on the local system.
  * As previously implemented, the 'refresh' command could fail or could result in a ruleset other than what was intended. If there
Togan Muftuoglu (toganm) accepted request 70556 from Togan Muftuoglu (toganm) (revision 17)
- Update to 4.4.19.4
  * Previously, the compiler would allow a degenerate entry (only the BAND specified) in /etc/shorewall/tcpri. Such an entry now raises a compilation error.
  * Previously, it was possible to specify tcfilters and tcrules that classified traffic with the class-id of a non-leaf HFSC class. Such classes are not capable of handling packets. Shorewall now generates a compile-time warning in this case and ignores the entry. If a non-leaf class is specified as the default class, then Shorewall now generates a compile-time error since that configuration allows no network traffic to flow.
  * Traditionally, Shorewall has not checked for the existence of ipsets mentioned in the configuration, potentially resulting in a run-time start/restart failure. Now, the compiler will issue a WARNING if:
      a) The compiler is being run by root.
      b) The compilation isn't producing a script to run on a remote system under a -lite product.
      c) An ipset appearing in the configuration does not exist on the local system.
  * As previously implemented, the 'refresh' command could fail or could result in a ruleset other than what was intended. If there had been changes in the ruleset since it was originally started/restarted/restored that added or deleted sequenced chains (chains such as ~lognnn and ~exclnnn), the resulting ruleset could jump to the wrong such chains or could fail to 'refresh' successfully. This issue has been corrected as follows. When a 'refresh' is done and individual chains are involved, then each table that contains both sequenced chains and one of the chains being refreshed is refreshed in its entirety. For example, if 'shorewall refresh foo' is issued and the filter table (which is the default) contains any sequenced chains, then the entire table is reloaded. Note that this reload operation is atomic so no packets are passed through an inconsistent configuration.
* When 'shorewall6 refresh' was run previously, a harmless 'ip6tables: Chain exists' message was generated. - Reworked backported patches so shorewall still uses openSUSE specific locations - Fix the zone definitions in shorewall6/Samples6/zones examples old: security:netfilter/shorewall new: home:toganm:branches:security:netfilter/shorewallIndex: shorewall.spec =================================================================== --- shorewall.spec (revision 16) +++ shorewall.spec (revision 2) @@ -4,8 +4,9 @@ # # skip-check-libtool-deps + Name: shorewall -Version: 4.4.19.3 +Version: 4.4.19.4 Release: 0 License: GPLv2 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems @@ -31,16 +32,21 @@ Patch4: shorewall-init-4.4.14.init.patch # PATCH-FIX-OPENSUSE install-4.4.14.patch toganm@opensuse.org -- use of fillup template Patch5: install-4.4.14.patch -# PATCH-FIX-OPENSUSE shorewall*-4.4.19.1_paths.patch toganm@opensuse.org -- really use libexec and say so +# PATCH-FEATURE-UPSTREAM shorewall*-4.4.19.1_paths.patch toganm@opensuse.org -- really use libexec and say so # backported from git version -Patch6: shorewall-4.4.19.1_paths.patch +Patch6: shorewall-4.4.19.4_paths.patch Patch7: shorewall6-4.4.19.1_paths.patch +Patch14: shorewall6-4.4.19.4_paths.patch Patch8: shorewall-lite-4.4.19.1_paths.patch Patch9: shorewall6-lite-4.4.19.1_paths.patch Patch10: shorewall-init-4.4.19.1_paths.patch #PATCH corrects bnc#693162 -Patch11: PERL5LIB.patch -Patch12: shorewall6-4.4.19.3-PERL5LIB.patch +# these are fixed upstream now +#Patch11: PERL5LIB.patch +#Patch12: shorewall6-4.4.19.3-PERL5LIB.patch +#PATCH-FEATURE-UPSTREAM shorewall-4.4.19.4_PERL5LIB.patch toganm@opensuse.org +#--use perllib correctly +Patch13: shorewall-4.4.19.4_PERL5LIB.patch PreReq: %fillup_prereq PreReq: %insserv_prereq @@ -153,7 +159,8 @@ pushd %name-%version %patch0 %patch6 -p2 -%patch11 -p2 +#%patch11 -p2 +%patch13 -p1 popd # apply patches to shorewall-lite 
@@ -167,7 +174,8 @@ pushd %{name}6-%version %patch2 %patch7 -p2 -%patch12 +%patch14 -p1 +#%patch12 popd Index: shorewall.changes =================================================================== --- shorewall.changes (revision 16) +++ shorewall.changes (revision 2) 
@@ -1,4 +1,62 @@ ------------------------------------------------------------------- +Wed May 18 11:03:16 UTC 2011 - toganm@opensuse.org + +- Update to 4.4.19.4 + + * Previously, the compiler would allow a degenerate entry (only the + BAND specified) in /etc/shorewall/tcpri. Such an entry now raises a + compilation error. + + * Previously, it was possible to specify tcfilters and tcrules that + classified traffic with the class-id of a non-leaf HFSC class. Such + classes are not capabable of handling packets. + + Shorewall now generates a compile-time warning in this case and + ignores the entry. + + If a non-leaf class is specified as the default class, then + Shorewall now generates a compile-time error since that + configuration allows no network traffic to flow. + + * Traditionally, Shorewall has not checked for the existance of + ipsets mentioned in the configuration, potentially resulting in a + run-time start/restart failure. Now, the compiler will issue a + WARNING if: + + a) The compiler is being run by root. + b) The compilation isn't producing a script to run on a remote + system under a -lite product. + c) An ipset appearing in the configuration does not exist on the + local system. + + * As previously implemented, the 'refresh' command could fail or + could result in a ruleset other than what was intended. If there + had been changes in the ruleset since it was originally + started/restarted/restored that added or deleted sequenced chains + (chains such as ~lognnn and ~exclnnn), the resulting ruleset could + jump to the wrong such chains or could fail to 'refresh' + successfully. + + This issue has been corrected as follows. When a 'refresh' is done + and individual chains are involved, then each table that contains + both sequenced chains and one of the chains being refreshed is + refreshed in its entirety. 
+ + For example, if 'shorwall refresh foo' is issued and the filter + table (which is the default) contains any sequenced chains, then + the entire table is reloaded. Note that this reload operation is + atomic so no packets are passed through an inconsistent + configuration. + + * When 'shorewall6 refresh' was run previously, a harmless + 'ip6tables: Chain exists' message was generated. + +- Reworked backported patches so shorewall still uses openSUSE specific + locations + +- Fix the zone definitions in shorewall6/Samples6/zones examples + +------------------------------------------------------------------- Wed May 11 16:17:38 UTC 2011 - toganm@opensuse.org - Update to 4.4.19.3 Index: shorewall6-4.4.19.1_paths.patch =================================================================== --- shorewall6-4.4.19.1_paths.patch (revision 16) +++ shorewall6-4.4.19.1_paths.patch (revision 2) @@ -63,15 +63,6 @@ local command command=$1 -@@ -300,7 +300,7 @@ compiler() { - PERL=/usr/bin/perl - fi - -- if [ $g_perllib = share/shorewall ]; then -+ if [ $g_perllib = /usr/share/shorewall ]; then - $command $PERL $debugflags $pc $options $@ - else - $command PERL5LIB=$g_perllib $PERL $debugflags $pc $options $@ @@ -1073,7 +1073,7 @@ reload_command() # $* = original arguments less the command. local compiler compiler= Index: shorewall-lite-4.4.19.4.tar.bz2 =================================================================== Binary file shorewall-lite-4.4.19.4.tar.bz2 added Index: shorewall-docs-html-4.4.19.4.tar.bz2 =================================================================== Binary file shorewall-docs-html-4.4.19.4.tar.bz2 added Index: shorewall-4.4.19.4_PERL5LIB.patch =================================================================== --- shorewall-4.4.19.4_PERL5LIB.patch (revision 0) +++ shorewall-4.4.19.4_PERL5LIB.patch (revision 2) 
@@ -0,0 +1,20 @@ +--- shorewall-4.4.19.4/shorewall.orig ++++ shorewall-4.4.19.4/shorewall +@@ -363,12 +363,13 @@ compiler() { + PERL=/usr/bin/perl + fi + +- if [ $g_perllib != ${g_libexec}/shorewall ]; then +- PERL5LIB=/usr/$g_perllib ++ if [ $g_perllib = ${g_libexec}/shorewall ]; then ++ $PERL $debugflags $g_libexec/shorewall/compiler.pl $options $@ ++ else ++ PERL5LIB=$g_perllib + export PERL5LIB ++ $PERL $debugflags $g_libexec/shorewall/compiler.pl $options $@ + fi +- +- $PERL $debugflags /usr/$g_libexec/shorewall/compiler.pl $options $@ + } + + # Index: shorewall-4.4.19.4.tar.bz2 =================================================================== Binary file shorewall-4.4.19.4.tar.bz2 added Index: shorewall6-lite-4.4.19.4.tar.bz2 =================================================================== Binary file shorewall6-lite-4.4.19.4.tar.bz2 added Index: shorewall-4.4.19.4_paths.patch =================================================================== --- shorewall-4.4.19.4_paths.patch (revision 0) +++ shorewall-4.4.19.4_paths.patch (revision 2) 
@@ -0,0 +1,168 @@ +--- a/Shorewall/install.sh ++++ b/Shorewall/install.sh +@@ -107,8 +107,8 @@ fi + + SPARSE= + MANDIR=${MANDIR:-"/usr/share/man"} +-[ -n "${LIBEXEC:=share}" ] +-[ -n "${PERLLIB:=share/shorewall}" ] ++[ -n "${LIBEXEC:=/usr/share}" ] ++[ -n "${PERLLIB:=/usr/share/shorewall}" ] + + INSTALLD='-D' + +@@ -236,8 +236,14 @@ fi + if [ -z "$CYGWIN" ]; then + install_file shorewall ${DESTDIR}/sbin/shorewall 0755 + echo "shorewall control program installed in ${DESTDIR}/sbin/shorewall" +- eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall +- eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/sbin/shorewall ++ ++ if [ -z "$MAC" ]; then ++ eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall ++ eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/sbin/shorewall ++ else ++ eval sed -i -e \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall ++ eval sed -i -e \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/sbin/shorewall ++ fi + else + install_file shorewall ${DESTDIR}/bin/shorewall 0755 + echo "shorewall control program installed in ${DESTDIR}/bin/shorewall" +@@ -265,8 +271,8 @@ fi + # Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed + # + mkdir -p ${DESTDIR}/etc/shorewall +-mkdir -p ${DESTDIR}/usr/${LIBEXEC}/shorewall +-mkdir -p ${DESTDIR}/usr/${PERLLIB}/Shorewall ++mkdir -p ${DESTDIR}${LIBEXEC}/shorewall ++mkdir -p ${DESTDIR}${PERLLIB}/Shorewall + mkdir -p ${DESTDIR}/usr/share/shorewall/configfiles + mkdir -p ${DESTDIR}/var/lib/shorewall + +@@ -331,10 +337,10 @@ delete_file ${DESTDIR}/usr/share/shorewall/prog.footer + # Install wait4ifup + # + +-install_file wait4ifup ${DESTDIR}/usr/${LIBEXEC}/shorewall/wait4ifup 0755 ++install_file wait4ifup ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup 0755 + + echo +-echo "wait4ifup installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall/wait4ifup" ++echo "wait4ifup installed in 
${DESTDIR}${LIBEXEC}/shorewall/wait4ifup" + + # + # Install the policy file +@@ -824,23 +830,23 @@ chmod 755 ${DESTDIR}/usr/share/shorewall/Shorewall + # + cd Perl + +-install_file compiler.pl ${DESTDIR}/usr/${LIBEXEC}/shorewall/compiler.pl 0755 ++install_file compiler.pl ${DESTDIR}${LIBEXEC}/shorewall/compiler.pl 0755 + + echo +-echo "Compiler installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall/compiler.pl" ++echo "Compiler installed in ${DESTDIR}${LIBEXEC}/shorewall/compiler.pl" + # + # Install the params file helper + # +-install_file getparams ${DESTDIR}/usr/${LIBEXEC}/shorewall/getparams 0755 ++install_file getparams ${DESTDIR}${LIBEXEC}/shorewall/getparams 0755 + + echo +-echo "Params file helper installed in ${DESTDIR}/usr/share/shorewall/getparams" ++echo "Params file helper installed in ${DESTDIR}${LIBEXEC}/shorewall/getparams" + # + # Install the libraries + # + for f in Shorewall/*.pm ; do +- install_file $f ${DESTDIR}/usr/${PERLLIB}/$f 0644 +- echo "Module ${f%.*} installed as ${DESTDIR}/usr/${PERLLIB}/$f" ++ install_file $f ${DESTDIR}${PERLLIB}/$f 0644 ++ echo "Module ${f%.*} installed as ${DESTDIR}${PERLLIB}/$f" + done + # + # Install the program skeleton files +@@ -901,7 +907,7 @@ fi + if [ -z "$DESTDIR" ]; then + rm -rf /usr/share/shorewall-perl + rm -rf /usr/share/shorewall-shell +- [ "$PERLLIB" != share/shorewall ] && rm -rf /usr/share/shorewall/Shorewall ++ [ "$PERLLIB" != /usr/share/shorewall ] && rm -rf /usr/share/shorewall/Shorewall + fi + + if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then + +--- a/Shorewall/shorewall ++++ b/Shorewall/shorewall +@@ -1140,7 +1140,7 @@ reload_command() # $* = original arguments less the command. + local root + root=root + local libexec +- libexec=share ++ libexec=/usr/share + + litedir=/var/lib/shorewall-lite + +@@ -1203,7 +1203,16 @@ reload_command() # $* = original arguments less the command. 
+ + temp=$(rsh_command /sbin/shorewall-lite show config 2> /dev/null | grep ^LIBEXEC | sed 's/LIBEXEC is //') + +- [ -n "$temp" ] && libexec="$temp" ++ if [ -n "$temp" ]; then ++ case $temp in ++ /*) ++ libexec="$temp" ++ ;; ++ *) ++ libexec=/usr/$temp ++ ;; ++ esac ++ fi + + if [ -z "$getcaps" ]; then + SHOREWALL_DIR=$(resolve_file $directory) +@@ -1221,7 +1230,7 @@ reload_command() # $* = original arguments less the command. + [ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')" + + progress_message "Getting Capabilities on system $system..." +- if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" /usr/$libexec/shorewall-lite/shorecap" > $directory/capabilities; then ++ if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $directory/capabilities; then + fatal_error "ERROR: Capturing capabilities on system $system failed" + fi + fi +@@ -1584,7 +1593,7 @@ CONFDIR=/etc/shorewall + g_product="Shorewall" + g_recovering= + g_timestamp= +-g_libexec=share ++g_libexec=/usr/share/share + g_perllib=share/shorewall + + [ -f ${CONFDIR}/vardir ] && . 
${CONFDIR}/vardir + +--- a/Shorewall/uninstall.sh ++++ b/Shorewall/uninstall.sh +@@ -72,8 +72,8 @@ else + VERSION="" + fi + +-[ -n "${LIBEXEC:=share}" ] +-[ -n "${PERLLIB:=share/shorewall}" ] ++[ -n "${LIBEXEC:=/usr/share}" ] ++[ -n "${PERLLIB:=/usr/share/shorewall}" ] + + echo "Uninstalling shorewall $VERSION" + +@@ -109,8 +109,8 @@ rm -rf /etc/shorewall + rm -rf /etc/shorewall-*.bkout + rm -rf /var/lib/shorewall + rm -rf /var/lib/shorewall-*.bkout +-rm -rf /usr/$PERLLIB}/Shorewall/* +-rm -rf /usr/${LIBEXEC}/shorewall ++rm -rf $PERLLIB}/Shorewall/* ++rm -rf ${LIBEXEC}/shorewall + rm -rf /usr/share/shorewall + rm -rf /usr/share/shorewall-*.bkout + rm -rf /usr/share/man/man5/shorewall* + + Index: shorewall6-4.4.19.4_paths.patch =================================================================== --- shorewall6-4.4.19.4_paths.patch (revision 0) +++ shorewall6-4.4.19.4_paths.patch (revision 2) 
@@ -0,0 +1,21 @@ +--- shorewall6-4.4.19.4/shorewall6.orig ++++ shorewall6-4.4.19.4/shorewall6 +@@ -300,12 +300,13 @@ compiler() { + PERL=/usr/bin/perl + fi + +- if [ $g_perllib != ${g_libexec}/shorewall ]; then +- PERL5LIB=$g_perllib +- export PERL5LIB ++ if [ $g_perllib = ${g_libexec}/shorewall ]; then ++ $command $PERL $debugflags $pc $options $@ ++ else ++ PERL5LIB=$g_perllib ++ export PERL5LIB ++ $command $PERL $debugflags $pc $options $@ + fi +- +- $command $PERL $debugflags $pc $options $@ + } + + # Index: shorewall-init-4.4.19.4.tar.bz2 =================================================================== Binary file shorewall-init-4.4.19.4.tar.bz2 added Index: shorewall6-4.4.19.4.tar.bz2 =================================================================== Binary file shorewall6-4.4.19.4.tar.bz2 added Index: shorewall-init-4.4.19.3.tar.bz2 =================================================================== Binary file shorewall-init-4.4.19.3.tar.bz2 deleted Index: shorewall-docs-html-4.4.19.3.tar.bz2 =================================================================== Binary file shorewall-docs-html-4.4.19.3.tar.bz2 deleted Index: shorewall-4.4.19.3.tar.bz2 =================================================================== Binary file shorewall-4.4.19.3.tar.bz2 deleted Index: shorewall6-lite-4.4.19.3.tar.bz2 =================================================================== Binary file shorewall6-lite-4.4.19.3.tar.bz2 deleted Index: shorewall-lite-4.4.19.3.tar.bz2 =================================================================== Binary file shorewall-lite-4.4.19.3.tar.bz2 deleted Index: shorewall6-4.4.19.3.tar.bz2 =================================================================== Binary file shorewall6-4.4.19.3.tar.bz2 deleted
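Review bot: In shorewall-4.4.19.4_paths.patch, the install.sh hunks from @@ -265,8 +271,8 @@ onward build paths as ${DESTDIR}${LIBEXEC}/shorewall and ${DESTDIR}${PERLLIB}/Shorewall, so a caller that still exports the old relative form (LIBEXEC=share, PERLLIB=share/shorewall) now gets ${DESTDIR}share/shorewall, with no separator and no /usr prefix. The same patch already normalizes a relative value in reload_command() with a case on /*; applying that check to LIBEXEC and PERLLIB right after the [ -n "${LIBEXEC:=/usr/share}" ] defaults, or failing early when either value is not absolute, would keep installs from landing in an unintended directory.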
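Review bot: In the Shorewall/shorewall hunk at @@ -1584,7 +1593,7 @@ of shorewall-4.4.19.4_paths.patch, the new default reads g_libexec=/usr/share/share, which looks like a doubled path component, while the context line g_perllib=share/shorewall is left relative. install.sh rewrites both values with sed at install time, but whenever that rewrite does not happen the compiler() change in shorewall-4.4.19.4_PERL5LIB.patch exports PERL5LIB=$g_perllib as is, and Perl then resolves the Shorewall modules relative to the current working directory of whoever runs the compiler. Suggest g_libexec=/usr/share and g_perllib=/usr/share/shorewall, matching the new install.sh defaults.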
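Review bot: In reload_command() at @@ -1203,7 +1203,16 @@ of shorewall-4.4.19.4_paths.patch, temp is text returned by the remote system, and the case only tests for a leading slash before the value is placed, unquoted, into the rsh_command string at @@ -1221,7 +1230,7 @@ as $libexec/shorewall-lite/shorecap. Whitespace or shell metacharacters in that value would become part of the command line, and more than one line matching ^LIBEXEC would make temp multi-line. Suggest taking only the first match and calling fatal_error when temp contains anything outside a plain path character set (letters, digits, '/', '.', '_', '-') before the case runs.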
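Review bot: In the uninstall.sh hunk at @@ -109,8 +109,8 @@ of shorewall-4.4.19.4_paths.patch, the added line rm -rf $PERLLIB}/Shorewall/* carries over the unbalanced brace from the line it replaces, so the shell expands $PERLLIB and appends a literal '}', and the glob never matches the installed modules. It should read rm -rf "${PERLLIB}"/Shorewall/*, and the following line is safer as rm -rf "${LIBEXEC}/shorewall" now that both variables hold full paths handed directly to rm -rf.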
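Review bot: In compiler() (shorewall-4.4.19.4_PERL5LIB.patch at @@ -363,12 +363,13 @@ and shorewall6-4.4.19.4_paths.patch at @@ -300,12 +300,13 @@), the test [ $g_perllib = ${g_libexec}/shorewall ] is unquoted, so an empty g_perllib turns it into a test syntax error and execution falls into the else branch with PERL5LIB exported empty. Quote both operands and pass "$@" rather than $@ so arguments containing spaces survive. The compiler invocation is also duplicated in both branches now; keeping the earlier shape (export PERL5LIB conditionally, then a single invocation) avoids the two copies drifting apart.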
Togan Muftuoglu (toganm) accepted request 70087 from Togan Muftuoglu (toganm) (revision 16)
Fixes start of shorewall6 (bnc#693162)
Togan Muftuoglu (toganm) accepted request 70067 from Togan Muftuoglu (toganm) (revision 15)
- Update to 4.4.19.3
  * incompatibility with gawk has been corrected
  * Previously, an entry in the USER/GROUP column in the rules and tcrules files could cause run-time start/restart failures if the rule(s) being added did not have the firewall as the source (rules file) and were not being added to the POSTROUTING chain (:T designator in the tcrules file). This error is now caught by the compiler.
  * Shorewall now insures that a route to a default gateway exists in the main table before it attempts to add a default route through that gateway in a provider table. This prevents start/restart failures in the rare event that such a route does not exist.
  * CLASSIFY TC rules can apply to traffic exiting only the interface associated with the class-id specified in the first column.
Togan Muftuoglu (toganm) accepted request 69740 from Togan Muftuoglu (toganm) (revision 14)
- Update to 4.4.19.2 For more details see changelog.txt and releasenotes.txt
  * In Shorewall-shell, there was the ability to specify IPSET names in the ORIGINAL DEST column of DNAT and REDIRECT rules. That ability, inadvertently dropped in Shorewall-perl, has been restored
  * Several problems with complex TC have been corrected:
  * Double exclusion involving ipset lists was previously not detected, resulting in anomalous behavior.
Togan Muftuoglu (toganm) accepted request 67696 from Togan Muftuoglu (toganm) (revision 13)
reviewed ok.
Togan Muftuoglu (toganm) accepted request 67226 from Togan Muftuoglu (toganm) (revision 12)
reviewed ok.