Shoreline Firewall


The Shoreline Firewall, more commonly known as Shorewall, is a Netfilter (iptables)-based firewall that can be used on a dedicated firewall system, a multi-function gateway/router/server, or a standalone GNU/Linux system.

Source Files
Filename                               Size
PERL5LIB.patch                         410 Bytes
README.openSUSE                        879 Bytes
init-4.4.14.patch                      966 Bytes
install-4.4.14.patch                   509 Bytes
shorewall-4.4.14.rpmlintrc             874 Bytes
shorewall-4.4.19.1_paths.patch         6.06 KB
shorewall-4.4.19.4.tar.bz2             278 KB
shorewall-4.4.19.4_PERL5LIB.patch      550 Bytes
shorewall-4.4.19.4_paths.patch         5.64 KB
shorewall-docs-html-4.4.19.4.tar.bz2   3.33 MB
shorewall-init-4.4.14.init.patch       783 Bytes
shorewall-init-4.4.19.1_paths.patch    2.16 KB
shorewall-init-4.4.19.4.tar.bz2        54.6 KB
shorewall-lite-4.4.14.init.patch       629 Bytes
shorewall-lite-4.4.19.1_paths.patch    2.01 KB
shorewall-lite-4.4.19.4.tar.bz2        80.7 KB
shorewall.changes                      17.7 KB
shorewall.spec                         13.7 KB
shorewall6-4.4.19.1_paths.patch        4.26 KB
shorewall6-4.4.19.3-PERL5LIB.patch     389 Bytes
shorewall6-4.4.19.4.tar.bz2            133 KB
shorewall6-4.4.19.4_paths.patch        530 Bytes
shorewall6-init-4.4.14.patch           684 Bytes
shorewall6-lite-4.4.14.init.patch      629 Bytes
shorewall6-lite-4.4.19.1_paths.patch   2.43 KB
shorewall6-lite-4.4.19.4.tar.bz2       76.3 KB
Revision 17 (latest revision is 289)
Togan Muftuoglu (toganm) accepted request 70556 from Togan Muftuoglu (toganm) (revision 17)
- Update to 4.4.19.4
  * Previously, the compiler would allow a degenerate entry (only the
    BAND specified) in /etc/shorewall/tcpri. Such an entry now raises a
    compilation error.
  * Previously, it was possible to specify tcfilters and tcrules that
    classified traffic with the class-id of a non-leaf HFSC class. Such
    classes are not capable of handling packets.
    Shorewall now generates a compile-time warning in this case and
    ignores the entry.
    If a non-leaf class is specified as the default class, then
    Shorewall now generates a compile-time error since that
    configuration allows no network traffic to flow.
  * Traditionally, Shorewall has not checked for the existence of
    ipsets mentioned in the configuration, potentially resulting in a
    run-time start/restart failure. Now, the compiler will issue a
    WARNING if:
    a) The compiler is being run by root.
    b) The compilation isn't producing a script to run on a remote
       system under a -lite product.
    c) An ipset appearing in the configuration does not exist on the
       local system.
  * As previously implemented, the 'refresh' command could fail or
    could result in a ruleset other than what was intended. If there
    had been changes in the ruleset since it was originally
    started/restarted/restored that added or deleted sequenced chains
    (chains such as ~lognnn and ~exclnnn), the resulting ruleset could
    jump to the wrong such chains or could fail to 'refresh'
    successfully.
    This issue has been corrected as follows. When a 'refresh' is done
    and individual chains are involved, then each table that contains
    both sequenced chains and one of the chains being refreshed is
    refreshed in its entirety.
    For example, if 'shorewall refresh foo' is issued and the filter
    table (which is the default) contains any sequenced chains, then
    the entire table is reloaded. Note that this reload operation is
    atomic so no packets are passed through an inconsistent
    configuration.
  * When 'shorewall6 refresh' was run previously, a harmless
    'ip6tables: Chain exists' message was generated.
- Reworked backported patches so shorewall still uses openSUSE-specific
  locations.
- Fix the zone definitions in shorewall6/Samples6/zones examples.
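Point (c) above, checking that every ipset the configuration names actually exists on the local system, is easy to reproduce outside the Shorewall compiler. The following POSIX shell script is an added example written for this page, not Shorewall's own code and not part of this package: it extracts the `+name`, `+[name]` and `+name[flags]` ipset references that Shorewall rule files use and reports the ones missing from a list of existing sets. The function names and the sample rules file are constructed for the example; `missing_ipsets` assumes the `ipset` tool is installed and that the script runs as root.

```shell
#!/bin/sh
# Added example for this page, not Shorewall code: report ipsets that a
# Shorewall configuration references but that are absent from the local
# system, the situation the 4.4.19.4 compiler now warns about.
# Shorewall refers to an ipset as +name, +[name] or +name[flags]; the
# scanner recognises those three forms and ignores '#' comments.

# Print the ipset names referenced in the given rule files, one per line,
# sorted and de-duplicated.
referenced_ipsets() {
    # 1. strip comments  2. keep every "+name" / "+[name" token
    # 3. remove the leading "+" or "+["  4. unique, sorted
    sed -e 's/#.*//' "$@" \
        | grep -o '+\[\{0,1\}[A-Za-z_][A-Za-z0-9_.-]*' \
        | sed -e 's/^+\[\{0,1\}//' \
        | sort -u
}

# Print the referenced names that do not appear in SETLIST, a file holding
# one existing set name per line (the shape of `ipset list -n` output).
missing_ipsets_against() {
    setlist=$1
    shift
    referenced_ipsets "$@" | while read -r name; do
        grep -qxF -- "$name" "$setlist" || printf '%s\n' "$name"
    done
}

# Live check against the running kernel; needs root and the ipset tool,
# e.g.  missing_ipsets /etc/shorewall/rules /etc/shorewall/blrules
missing_ipsets() {
    live=$(mktemp) || return 1
    ipset list -n > "$live" 2>/dev/null
    missing_ipsets_against "$live" "$@"
    rm -f "$live"
}

# Constructed demo data (not from a real deployment): a small rules file
# and a set list standing in for `ipset list -n` in which only "cdn"
# exists, so blacklist and trusted are reported and the commented-out
# reference is ignored.
demo_missing() {
    rules=$(mktemp) || return 1
    sets=$(mktemp) || return 1
    cat > "$rules" <<'EOF'
#ACTION   SOURCE            DEST             PROTO   DPORT
DROP      net:+blacklist    $FW
ACCEPT    net:+[trusted]    $FW              tcp     22
ACCEPT    loc               net:+cdn[dst]    tcp     443
# REJECT  net:+commented    $FW
EOF
    printf '%s\n' cdn > "$sets"
    missing_ipsets_against "$sets" "$rules"
    rm -f "$rules" "$sets"
}
```

Run `missing_ipsets` on a host before `shorewall restart`, or hand `missing_ipsets_against` a saved `ipset list -n` taken from the target when compiling for a -lite system, which is the case (b) in which the compiler itself does not check.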

old: security:netfilter/shorewall
new: home:toganm:branches:security:netfilter/shorewall
Index: shorewall.spec
===================================================================
--- shorewall.spec (revision 16)
+++ shorewall.spec (revision 2)
@@ -4,8 +4,9 @@
 #
 #  skip-check-libtool-deps
 
+
 Name:           shorewall
-Version:        4.4.19.3
+Version:        4.4.19.4
 Release:        0
 License:        GPLv2
 Summary:        Shoreline Firewall is an iptables-based firewall for Linux systems
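Review bot: the added blank line after `#  skip-check-libtool-deps` is a whitespace-only change unrelated to the version bump; drop it so this hunk is just the `Version: 4.4.19.4` change.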
@@ -31,16 +32,21 @@
 Patch4:		shorewall-init-4.4.14.init.patch
 # PATCH-FIX-OPENSUSE install-4.4.14.patch toganm@opensuse.org -- use of fillup template
 Patch5:		install-4.4.14.patch
-# PATCH-FIX-OPENSUSE shorewall*-4.4.19.1_paths.patch toganm@opensuse.org -- really use libexec and say so
+# PATCH-FEATURE-UPSTREAM shorewall*-4.4.19.1_paths.patch toganm@opensuse.org -- really use libexec and say so
 # backported from git version
-Patch6:		shorewall-4.4.19.1_paths.patch
+Patch6:		shorewall-4.4.19.4_paths.patch
 Patch7:		shorewall6-4.4.19.1_paths.patch
+Patch14:	shorewall6-4.4.19.4_paths.patch
 Patch8:		shorewall-lite-4.4.19.1_paths.patch
 Patch9:		shorewall6-lite-4.4.19.1_paths.patch
 Patch10:	shorewall-init-4.4.19.1_paths.patch
 #PATCH corrects bnc#693162
-Patch11:	PERL5LIB.patch
-Patch12:	shorewall6-4.4.19.3-PERL5LIB.patch
+# these are fixed upstream now
+#Patch11:	PERL5LIB.patch
+#Patch12:	shorewall6-4.4.19.3-PERL5LIB.patch
+#PATCH-FEATURE-UPSTREAM shorewall-4.4.19.4_PERL5LIB.patch toganm@opensuse.org
+#--use perllib correctly
+Patch13:	shorewall-4.4.19.4_PERL5LIB.patch
 PreReq:         %fillup_prereq
 PreReq:         %insserv_prereq
 
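Review bot: the Patch11/Patch12 handling contradicts itself: `# these are fixed upstream now` says the PERL5LIB problem is gone, yet Patch13 (`shorewall-4.4.19.4_PERL5LIB.patch`, `--use perllib correctly`) is added for the same problem, and `#PATCH corrects bnc#693162` now hangs above two commented-out lines. Delete the Patch11/Patch12 lines outright (and drop PERL5LIB.patch and shorewall6-4.4.19.3-PERL5LIB.patch from the sources, where they are still listed), and if Patch13 is what now addresses bnc#693162, attach that reference to it. Smaller points: the Patch13 tag is split over two comment lines and should be one `# PATCH-FEATURE-UPSTREAM shorewall-4.4.19.4_PERL5LIB.patch toganm@opensuse.org -- use perllib correctly` line so patch-tag checks can parse it; the Patch6 comment still names `shorewall*-4.4.19.1_paths.patch` although Patch6 is now the 4.4.19.4 file; and Patch14 is declared between Patch7 and Patch8, out of numeric order.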
@@ -153,7 +159,8 @@
 pushd %name-%version
 %patch0 
 %patch6 -p2
-%patch11 -p2
+#%patch11 -p2
+%patch13 -p1
 popd
 
 # apply patches to shorewall-lite
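Review bot: `#%patch11 -p2` is not an inert comment: rpm expands macros on `#` lines in %prep as well (rpmlint reports this as macro-in-comment), so a commented-out `%patch` is fragile. Delete the line rather than comment it out, or escape it as `#%%patch11 -p2` if it must stay as a reminder. Also, `%patch13 -p1` only makes sense after `%patch6 -p2` has made `g_libexec` and `g_perllib` absolute; a one-line comment stating that dependency would save the next maintainer a debugging session.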
@@ -167,7 +174,8 @@
 pushd %{name}6-%version
 %patch2
 %patch7 -p2
-%patch12
+%patch14 -p1
+#%patch12
 popd
 
 
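Review bot: `#%patch12` has the same macro-in-comment problem as the `#%patch11` line in the shorewall prep block above: rpm expands macros on comment lines, so delete it instead of commenting it out. The ordering also deserves a comment: `%patch14 -p1` (shorewall6-4.4.19.4_paths.patch) re-adds the compiler() hunk that this revision removes from `%patch7` (shorewall6-4.4.19.1_paths.patch), so the two patches are now a matched pair that must be applied in this order.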
Index: shorewall.changes
===================================================================
--- shorewall.changes (revision 16)
+++ shorewall.changes (revision 2)
@@ -1,4 +1,62 @@
 -------------------------------------------------------------------
+Wed May 18 11:03:16 UTC 2011 - toganm@opensuse.org
+
+- Update to 4.4.19.4
+
+  * Previously, the compiler would allow a degenerate entry (only the
+    BAND specified) in /etc/shorewall/tcpri. Such an entry now raises a
+    compilation error.
+
+  * Previously, it was possible to specify tcfilters and tcrules that
+    classified traffic with the class-id of a non-leaf HFSC class. Such
+    classes are not capabable of handling packets.
+
+    Shorewall now generates a compile-time warning in this case and
+    ignores the entry.
+
+    If a non-leaf class is specified as the default class, then
+    Shorewall now generates a compile-time error since that
+    configuration allows no network traffic to flow.
+
+ * Traditionally, Shorewall has not checked for the existance of
+   ipsets mentioned in the configuration, potentially resulting in a
+   run-time start/restart failure. Now, the compiler will issue a
+   WARNING if:
+
+    a) The compiler is being run by root.
+    b) The compilation isn't producing a script to run on a remote
+       system under a -lite product.
+    c) An ipset appearing in the configuration does not exist on the
+       local system.
+
+ * As previously implemented, the 'refresh' command could fail or
+   could result in a ruleset other than what was intended. If there
+   had been changes in the ruleset since it was originally
+   started/restarted/restored that added or deleted sequenced chains
+   (chains such as ~lognnn and ~exclnnn), the resulting ruleset could
+   jump to the wrong such chains or could fail to 'refresh'
+   successfully.
+
+   This issue has been corrected as follows. When a 'refresh' is done
+   and individual chains are involved, then each table that contains
+   both sequenced chains and one of the chains being refreshed is
+   refreshed in its entirety.
+
+   For example, if 'shorwall refresh foo' is issued and the filter
+   table (which is the default) contains any sequenced chains, then
+   the entire table is reloaded. Note that this reload operation is
+   atomic so no packets are passed through an inconsistent
+   configuration.
+
+ * When 'shorewall6 refresh' was run previously, a harmless
+   'ip6tables: Chain exists' message was generated.
+
+- Reworked backported patches so shorewall still uses openSUSE specific
+  locations 
+
+- Fix the zone definitions in shorewall6/Samples6/zones examples 
+
+-------------------------------------------------------------------
 Wed May 11 16:17:38 UTC 2011 - toganm@opensuse.org
 
 - Update to 4.4.19.3
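Review bot: the new entry carries three typos that will ship in the package changelog: `capabable` (capable), `existance` (existence) and `shorwall refresh foo` (shorewall). The bullets from `Traditionally, Shorewall` onward are also indented one space less than the first two. Beyond that, the entry reproduces the upstream release notes verbatim; a condensed summary of what changed, with the packaging changes (reworked paths patches, Samples6/zones fix) kept as they are, would be easier to read than eleven paragraphs of copied text.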
Index: shorewall6-4.4.19.1_paths.patch
===================================================================
--- shorewall6-4.4.19.1_paths.patch (revision 16)
+++ shorewall6-4.4.19.1_paths.patch (revision 2)
@@ -63,15 +63,6 @@
  
      local command
      command=$1
-@@ -300,7 +300,7 @@ compiler() {
- 	PERL=/usr/bin/perl
-     fi
- 
--    if [ $g_perllib = share/shorewall ]; then
-+    if [ $g_perllib = /usr/share/shorewall ]; then
- 	$command $PERL $debugflags $pc $options $@
-     else
- 	$command PERL5LIB=$g_perllib $PERL $debugflags $pc $options $@
 @@ -1073,7 +1073,7 @@ reload_command() # $* = original arguments less the command.
      local compiler
      compiler=
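Review bot: this drops the compiler() hunk from shorewall6-4.4.19.1_paths.patch while the remaining hunks keep the 4.4.19.1 file name, and the compiler() change comes back, reworked, in shorewall6-4.4.19.4_paths.patch. Two interdependent patches against the same shorewall6 script for one version are harder to rebase than one; fold the remaining hunks into a single shorewall6-4.4.19.4 paths patch, or at least note in the spec that Patch7 and Patch14 must be applied in that order.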
Index: shorewall-lite-4.4.19.4.tar.bz2
===================================================================
Binary file shorewall-lite-4.4.19.4.tar.bz2 added
Index: shorewall-docs-html-4.4.19.4.tar.bz2
===================================================================
Binary file shorewall-docs-html-4.4.19.4.tar.bz2 added
Index: shorewall-4.4.19.4_PERL5LIB.patch
===================================================================
--- shorewall-4.4.19.4_PERL5LIB.patch (revision 0)
+++ shorewall-4.4.19.4_PERL5LIB.patch (revision 2)
@@ -0,0 +1,20 @@
+--- shorewall-4.4.19.4/shorewall.orig
++++ shorewall-4.4.19.4/shorewall
+@@ -363,12 +363,13 @@ compiler() {
+ 	PERL=/usr/bin/perl
+     fi
+ 
+-    if [ $g_perllib != ${g_libexec}/shorewall ]; then
+-	PERL5LIB=/usr/$g_perllib
++    if [ $g_perllib = ${g_libexec}/shorewall ]; then
++	$PERL $debugflags $g_libexec/shorewall/compiler.pl $options   $@
++    else
++	PERL5LIB=$g_perllib
+ 	export PERL5LIB
++	$PERL $debugflags $g_libexec/shorewall/compiler.pl $options $@
+     fi
+-    
+-    $PERL $debugflags /usr/$g_libexec/shorewall/compiler.pl $options $@
+ }
+ 
+ #
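Review bot: the minimal fix here is to drop the two `/usr/` prefixes (`PERL5LIB=/usr/$g_perllib` and `/usr/$g_libexec/shorewall/compiler.pl`), which are what break once the paths patch makes `g_libexec` and `g_perllib` absolute; instead the patch inverts the test and duplicates the compiler invocation in both branches, so any future change to the command line has to be made twice. Whichever shape is kept, quote the operands: `[ "$g_perllib" = "${g_libexec}/shorewall" ]`, otherwise an empty `g_perllib` turns the test into a syntax error from `[` instead of a clean mismatch. Cosmetics: the three spaces in `$options   $@` and the mixed tab/space indentation. Finally, this patch only works with shorewall-4.4.19.4_paths.patch applied first; say so in the spec's PATCH comment.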
Index: shorewall-4.4.19.4.tar.bz2
===================================================================
Binary file shorewall-4.4.19.4.tar.bz2 added
Index: shorewall6-lite-4.4.19.4.tar.bz2
===================================================================
Binary file shorewall6-lite-4.4.19.4.tar.bz2 added
Index: shorewall-4.4.19.4_paths.patch
===================================================================
--- shorewall-4.4.19.4_paths.patch (revision 0)
+++ shorewall-4.4.19.4_paths.patch (revision 2)
@@ -0,0 +1,168 @@
+--- a/Shorewall/install.sh
++++ b/Shorewall/install.sh
+@@ -107,8 +107,8 @@ fi
+ 
+ SPARSE=
+ MANDIR=${MANDIR:-"/usr/share/man"}
+-[ -n "${LIBEXEC:=share}" ]
+-[ -n "${PERLLIB:=share/shorewall}" ]
++[ -n "${LIBEXEC:=/usr/share}" ]
++[ -n "${PERLLIB:=/usr/share/shorewall}" ]
+ 
+ INSTALLD='-D'
+ 
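Review bot: LIBEXEC and PERLLIB silently change meaning here from paths relative to /usr to absolute paths, and every later use is `${DESTDIR}${LIBEXEC}/...`, so a caller that still passes the pre-4.4.19.4 form `LIBEXEC=share` installs into `${DESTDIR}share/shorewall` relative to the current directory with no error. Validate right after the defaults, mirroring the `/*)` case this same patch adds to reload_command, e.g. `case $LIBEXEC in /*) ;; *) echo "LIBEXEC must be an absolute path" >&2; exit 1;; esac`, and the same for PERLLIB.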
+@@ -236,8 +236,14 @@ fi
+ if [ -z "$CYGWIN" ]; then
+    install_file shorewall ${DESTDIR}/sbin/shorewall 0755
+    echo "shorewall control program installed in ${DESTDIR}/sbin/shorewall"
+-   eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall
+-   eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/sbin/shorewall
++
++   if [ -z "$MAC" ]; then
++       eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall
++       eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/sbin/shorewall
++   else
++       eval sed -i -e \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall
++       eval sed -i -e \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/sbin/shorewall
++   fi
+ else
+    install_file shorewall ${DESTDIR}/bin/shorewall 0755
+    echo "shorewall control program installed in ${DESTDIR}/bin/shorewall"
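Review bot: the two branches of the new `if [ -z "$MAC" ]` are identical apart from `-e`, which GNU sed ignores, so on Linux the hunk is a no-op; on macOS BSD sed `-i` takes a mandatory suffix argument, so `sed -i -e 's|...|'` uses `-e` as the backup suffix and leaves a stray `shorewall-e` file next to the installed script. The hunk has nothing to do with the openSUSE path layout and does not belong in a `_paths` patch; drop it, or if it is a deliberate backport, keep it in its own patch with its own PATCH tag.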
+@@ -265,8 +271,8 @@ fi
+ # Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
+ #
+ mkdir -p ${DESTDIR}/etc/shorewall
+-mkdir -p ${DESTDIR}/usr/${LIBEXEC}/shorewall
+-mkdir -p ${DESTDIR}/usr/${PERLLIB}/Shorewall
++mkdir -p ${DESTDIR}${LIBEXEC}/shorewall
++mkdir -p ${DESTDIR}${PERLLIB}/Shorewall
+ mkdir -p ${DESTDIR}/usr/share/shorewall/configfiles
+ mkdir -p ${DESTDIR}/var/lib/shorewall
+ 
+@@ -331,10 +337,10 @@ delete_file ${DESTDIR}/usr/share/shorewall/prog.footer
+ # Install wait4ifup
+ #
+ 
+-install_file wait4ifup ${DESTDIR}/usr/${LIBEXEC}/shorewall/wait4ifup 0755
++install_file wait4ifup ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup 0755
+ 
+ echo
+-echo "wait4ifup installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall/wait4ifup"
++echo "wait4ifup installed in ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup"
+ 
+ #
+ # Install the policy file
+@@ -824,23 +830,23 @@ chmod 755 ${DESTDIR}/usr/share/shorewall/Shorewall
+ #
+ cd Perl
+ 
+-install_file compiler.pl ${DESTDIR}/usr/${LIBEXEC}/shorewall/compiler.pl 0755
++install_file compiler.pl ${DESTDIR}${LIBEXEC}/shorewall/compiler.pl 0755
+ 
+ echo
+-echo "Compiler installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall/compiler.pl"
++echo "Compiler installed in ${DESTDIR}${LIBEXEC}/shorewall/compiler.pl"
+ #
+ # Install the params file helper
+ #
+-install_file getparams ${DESTDIR}/usr/${LIBEXEC}/shorewall/getparams 0755
++install_file getparams ${DESTDIR}${LIBEXEC}/shorewall/getparams 0755
+ 
+ echo
+-echo "Params file helper installed in ${DESTDIR}/usr/share/shorewall/getparams"
++echo "Params file helper installed in ${DESTDIR}${LIBEXEC}/shorewall/getparams"
+ #
+ # Install the libraries
+ #
+ for f in Shorewall/*.pm ; do
+-    install_file $f ${DESTDIR}/usr/${PERLLIB}/$f 0644
+-    echo "Module ${f%.*} installed as ${DESTDIR}/usr/${PERLLIB}/$f"
++    install_file $f ${DESTDIR}${PERLLIB}/$f 0644
++    echo "Module ${f%.*} installed as ${DESTDIR}${PERLLIB}/$f"
+ done
+ #
+ # Install the program skeleton files
+@@ -901,7 +907,7 @@ fi
+ if [ -z "$DESTDIR" ]; then
+     rm -rf /usr/share/shorewall-perl
+     rm -rf /usr/share/shorewall-shell
+-    [ "$PERLLIB" != share/shorewall ] && rm -rf /usr/share/shorewall/Shorewall
++    [ "$PERLLIB" != /usr/share/shorewall ] && rm -rf /usr/share/shorewall/Shorewall
+ fi
+ 
+ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
+
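Review bot: `[ "$PERLLIB" != /usr/share/shorewall ] && rm -rf /usr/share/shorewall/Shorewall` does a plain string comparison before an `rm -rf`, so `PERLLIB=/usr/share/shorewall/` (trailing slash) or a symlinked equivalent compares unequal and deletes the Perl modules that this same install run has just copied into place. Normalise before comparing, for instance `[ "${PERLLIB%/}" != /usr/share/shorewall ]`, or compare the resolved directory obtained with `cd "$PERLLIB" && pwd -P`.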
+--- a/Shorewall/shorewall
++++ b/Shorewall/shorewall
+@@ -1140,7 +1140,7 @@ reload_command() # $* = original arguments less the command.
+     local root
+     root=root
+     local libexec
+-    libexec=share
++    libexec=/usr/share
+ 
+     litedir=/var/lib/shorewall-lite
+ 
+@@ -1203,7 +1203,16 @@ reload_command() # $* = original arguments less the command.
+ 
+     temp=$(rsh_command /sbin/shorewall-lite show config 2> /dev/null | grep ^LIBEXEC | sed 's/LIBEXEC is //')
+ 
+-    [ -n "$temp" ] && libexec="$temp"
++    if [ -n "$temp" ]; then
++	case $temp in
++	    /*)
++		libexec="$temp"
++		;;
++	    *)
++		libexec=/usr/$temp
++		;;
++	esac
++    fi
+ 
+     if [ -z "$getcaps" ]; then
+ 	SHOREWALL_DIR=$(resolve_file $directory)
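Review bot: the `/*)` case is the right way to accept both the old relative and the new absolute LIBEXEC reported by the remote `shorewall-lite show config`; the remaining gap is that `$temp` is whatever came back over `rsh_command` after `sed 's/LIBEXEC is //'`, so trailing whitespace or a carriage return survives into the unquoted `$libexec/shorewall-lite/shorecap` command string later in this function. Strip it (for example `temp=$(... | tr -d '[:space:]')`) before the `case`.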
+@@ -1221,7 +1230,7 @@ reload_command() # $* = original arguments less the command.
+ 	[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
+ 
+ 	progress_message "Getting Capabilities on system $system..."
+-	if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" /usr/$libexec/shorewall-lite/shorecap" > $directory/capabilities; then
++	if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $directory/capabilities; then
+ 	    fatal_error "ERROR: Capturing capabilities on system $system failed"
+ 	fi
+     fi
+@@ -1584,7 +1593,7 @@ CONFDIR=/etc/shorewall
+ g_product="Shorewall"
+ g_recovering=
+ g_timestamp=
+-g_libexec=share
++g_libexec=/usr/share/share
+ g_perllib=share/shorewall
+ 
+ [ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir
+
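Review bot: `g_libexec=/usr/share/share` is a typo for `/usr/share`, and `g_perllib=share/shorewall` on the next line is left relative while the rest of the patch makes these paths absolute. install.sh's `sed -i 's|g_libexec=.*|g_libexec=$LIBEXEC|'` rewrites both values at install time, which is why the packaged script still works, but anyone running `shorewall` from the source tree gets `[ $g_perllib = ${g_libexec}/shorewall ]` evaluating false and `PERL5LIB=share/shorewall`. Set `g_libexec=/usr/share` and `g_perllib=/usr/share/shorewall` so the defaults match what install.sh writes.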
+--- a/Shorewall/uninstall.sh
++++ b/Shorewall/uninstall.sh
+@@ -72,8 +72,8 @@ else
+     VERSION=""
+ fi
+ 
+-[ -n "${LIBEXEC:=share}" ]
+-[ -n "${PERLLIB:=share/shorewall}" ]
++[ -n "${LIBEXEC:=/usr/share}" ]
++[ -n "${PERLLIB:=/usr/share/shorewall}" ]
+ 
+ echo "Uninstalling shorewall $VERSION"
+ 
+@@ -109,8 +109,8 @@ rm -rf /etc/shorewall
+ rm -rf /etc/shorewall-*.bkout
+ rm -rf /var/lib/shorewall
+ rm -rf /var/lib/shorewall-*.bkout
+-rm -rf /usr/$PERLLIB}/Shorewall/*
+-rm -rf /usr/${LIBEXEC}/shorewall
++rm -rf $PERLLIB}/Shorewall/*
++rm -rf ${LIBEXEC}/shorewall
+ rm -rf /usr/share/shorewall
+ rm -rf /usr/share/shorewall-*.bkout
+ rm -rf /usr/share/man/man5/shorewall*
+
+
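Review bot: `rm -rf $PERLLIB}/Shorewall/*` keeps upstream's stray `}`, so it expands to `/usr/share/shorewall}/Shorewall/*` and has never removed anything; write `${PERLLIB}/Shorewall/*`. Both this line and `rm -rf ${LIBEXEC}/shorewall` now recurse into a variable path with no guard; the `:=` defaults earlier in the file rule out an empty value, but a relative one removes a directory under the current working directory. Refuse anything that does not start with `/` before the `rm -rf` calls.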
Index: shorewall6-4.4.19.4_paths.patch
===================================================================
--- shorewall6-4.4.19.4_paths.patch (revision 0)
+++ shorewall6-4.4.19.4_paths.patch (revision 2)
@@ -0,0 +1,21 @@
+--- shorewall6-4.4.19.4/shorewall6.orig
++++ shorewall6-4.4.19.4/shorewall6
+@@ -300,12 +300,13 @@ compiler() {
+ 	PERL=/usr/bin/perl
+     fi
+ 
+-    if [ $g_perllib != ${g_libexec}/shorewall ]; then
+-	PERL5LIB=$g_perllib
+-	export PERL5LIB
++    if [ $g_perllib = ${g_libexec}/shorewall ]; then
++       $command $PERL $debugflags $pc $options $@
++    else
++        PERL5LIB=$g_perllib
++        export PERL5LIB
++       $command $PERL	$debugflags $pc $options $@
+     fi
+-    
+-    $command $PERL $debugflags $pc $options $@
+ }    
+ 
+ #
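Review bot: this hunk changes no behaviour: the original exports PERL5LIB when `$g_perllib != ${g_libexec}/shorewall` and then runs `$command $PERL $debugflags $pc $options $@`, and the new code runs exactly that command in each branch of the inverted test; unlike the IPv4 script, shorewall6 never had the `/usr/` prefixes that needed fixing. Unless a change is intended, drop Patch14 and its file. If it stays: the name `shorewall6-4.4.19.4_paths.patch` is misleading next to its IPv4 twin `shorewall-4.4.19.4_PERL5LIB.patch`, the indentation mixes tabs and spaces, there is a literal tab between `$PERL` and `$debugflags`, and the test operands should be quoted.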
Index: shorewall-init-4.4.19.4.tar.bz2
===================================================================
Binary file shorewall-init-4.4.19.4.tar.bz2 added
Index: shorewall6-4.4.19.4.tar.bz2
===================================================================
Binary file shorewall6-4.4.19.4.tar.bz2 added
Index: shorewall-init-4.4.19.3.tar.bz2
===================================================================
Binary file shorewall-init-4.4.19.3.tar.bz2 deleted
Index: shorewall-docs-html-4.4.19.3.tar.bz2
===================================================================
Binary file shorewall-docs-html-4.4.19.3.tar.bz2 deleted
Index: shorewall-4.4.19.3.tar.bz2
===================================================================
Binary file shorewall-4.4.19.3.tar.bz2 deleted
Index: shorewall6-lite-4.4.19.3.tar.bz2
===================================================================
Binary file shorewall6-lite-4.4.19.3.tar.bz2 deleted
Index: shorewall-lite-4.4.19.3.tar.bz2
===================================================================
Binary file shorewall-lite-4.4.19.3.tar.bz2 deleted
Index: shorewall6-4.4.19.3.tar.bz2
===================================================================
Binary file shorewall6-4.4.19.3.tar.bz2 deleted