File shorewall.changes of Package shorewall
-------------------------------------------------------------------
Tue Jul 10 08:02:07 UTC 2012 - toganm@opensuse.org

- Update to 4.5.6
  For more details see changelog.txt and releasenotes.txt
  * This release includes the defect repairs from Shorewall 4.5.5.1 through 4.5.5.4.
  * Previously, the tcrules file was not processed when TC_ENABLED=No. That meant that to use features like TPROXY, it was necessary to set TC_ENABLED=Yes and create a dummy /etc/shorewall/tcstart file. Now, only MANGLE_ENABLED=Yes is required.

-------------------------------------------------------------------
Sun Jul 1 11:24:54 UTC 2012 - toganm@opensuse.org

- Update to 4.5.5.3
  For more details see changelog.txt and releasenotes.txt
  * When logical interface names were used, an entry in tcrules that included a classid could result in the compiler failing with this Perl diagnostic:
      Can't use an undefined value as an ARRAY reference at /usr/share/shorewall/Shorewall/Tc.pm line nnn, <$currentfile> line 20.

-------------------------------------------------------------------
Fri Jun 15 14:25:19 UTC 2012 - toganm@opensuse.org

- Update to 4.5.5.1
  For more details see changelog.txt and releasenotes.txt
  * The change in Shorewall 4.5.4 that cleared the 'default' table if there were no 'fallback' providers broke multiple 'fallback' providers that don't supply a weight. The symptoms were that there were host routes to the default gateways in the 'default' routing table but no default routes through those gateways. This has now been corrected and multiple 'fallback' routes are once again supported.
  * When a logical device name was specified in the REDIRECTED INTERFACES column of /etc/shorewall/tcdevices, that name was used in the generated script rather than the device's physical name. Unless the two were the same, this caused start/restart failure. Shorewall now uses the physical name.
-------------------------------------------------------------------
Sat Jun 9 22:21:56 UTC 2012 - toganm@opensuse.org

- Update to 4.5.5
  For more details see changelog.txt and releasenotes.txt
  * This release includes all defect repair from Shorewall 4.5.4.1 and 4.5.4.2.
  * The Shorewall compiler sometimes must defer generating a rule until runtime. This is done by placing shell commands in its internal representation of a chain. These commands are then executed at run time to create the final rule. If all of the following were true, then an incorrect ruleset could be generated:
    + Optimization level 4 was set.
    + A chain (chain A) containing shell commands had three or fewer rules and commands.
    + The last rule in a second chain was a conditional jump to chain A.
    Under these conditions, the rules and commands in Chain A
  * The Shorewall-core configure and configure.pl scripts were treating SYSCONFDIR as a synonym for CONFDIR, making it impossible to set SYSCONFDIR.

-------------------------------------------------------------------
Thu Jun 7 17:17:59 UTC 2012 - toganm@opensuse.org

- Update to 4.5.4.2
  For more details see changelog.txt and releasenotes.txt
  * The problems corrected section of the 4.5.4.1 release notes was missing the third problem corrected in the release. It has now been added.
  * A number of problems in Shorewall-init have been corrected:
    + If more than one product was listed in the PRODUCTS setting in /etc/default/shorewall-init (/etc/sysconfig/shorewall-init) then the second product would not be started/stopped.
    + Shorewall-init used 'restart' in response to an optional provider interface coming up. If the interface has been marked unusable (1 in the interface's .status file), then the 'restart' would not enable the interface.
    + Shorewall-init produced a lot of clutter on the console during boot.
      You may now specify a LOGFILE in /etc/default/shorewall-init (/etc/sysconfig/shorewall-init) and all output produced by up and down events will be sent to that log. If no log is specified, this output is sent to /dev/null.
  * The order in which the compiler processes line-continuation (line ending in '\') and conditional-inclusion directives (?IF, ?ELSE, and ?ENDIF) has been reversed. Previously, the compiler built a concatenated line, then checked to see if the line began with ?IF, ?ELSE or ?ENDIF. Now, the compiler checks for ?IF, ?ELSE or ?ENDIF first and prevents those lines from becoming part of the concatenation.
  * Two issues with the shorecap programs have been corrected:
    + The Shorewall6-lite version failed to run with the message:
        /usr/share/shorewall6-lite/lib.cli: No such file or directory
    + The Shorewall-lite version would not run if SHAREDIR was set to a value other than /usr/share in shorewallrc.
  * The Shorewall 4.5.2.3 fix for the Shorewall-core installer's handling of --host=linux was not brought forward into 4.5.3. It has been included again in this version.
  * Single-line embedded PERL and SHELL commands have been re-enabled.

-------------------------------------------------------------------
Fri Jun 1 07:27:24 UTC 2012 - toganm@opensuse.org

- Update to 4.5.4.1
  For more details see changelog.txt and releasenotes.txt
  * Beginning with Shorewall 4.4.22, the 'pptpserver' tunnel type has been configured as a PPTP client running on the firewall rather than as a server on the firewall. It is now correctly configured as a server.
  * The shorewall-accounting (5) and shorewall6-accounting (5) documentation for the IPSEC column is incorrect. Rather than 'accountin' and 'accountout', the chain names should be 'accipsecin' and 'accipsecout'.
  * IPSEC accounting did not work if the accounting file was sectioned. Beginning with this release, the IPSEC column can be specified in any section. As always, the IPSEC column contains a comma-separated list of items.
    In the FORWARD chain, the first (or only) item in the list must be either 'in' or 'out' to indicate whether the rule matches incoming packets that have been decrypted ('in') or outgoing packets that will be encrypted ('out'). There are no restrictions with respect to which chain IPSEC rules can appear in a sectioned file.

-------------------------------------------------------------------
Sat May 26 14:18:26 UTC 2012 - toganm@opensuse.org

- Update to 4.5.4
  For more details see changelog.txt and releasenotes.txt
  * When EXPORTMODULES=No in shorewall.conf, the error messages have been eliminated.
  * If the configuration settings in the PACKET MARK LAYOUT section of shorewall.conf (shorewall6.conf) had empty settings, the 'update' command would previously set them to their default settings. It now leaves them empty.
  * Previously, Shorewall used 'unreachable' routes to null-route the RFC1918 subnets. This approach has two drawbacks:
    - It can cause problems for IPSEC in that it can cause packets to be rejected rather than encrypted and forwarded.
    - It can return 'host unreachable' ICMPs to other systems that attempt to route RFC1918 addresses through the firewall.
    To eliminate these problems, Shorewall now uses 'blackhole' routes. Such routes don't interfere with IPSEC and silently drop packets rather than return an ICMP.
  * The 'default' routing table is now cleared if there are no 'fallback' providers.
  * Tproxy implementation has been reworked. For more details please consult the releasenotes.txt and changelog.txt.

-------------------------------------------------------------------
Tue May 15 22:40:55 UTC 2012 - toganm@opensuse.org

- Update to 4.5.3.1
  For more details see changelog.txt and releasenotes.txt
  * Previously, nested conditionals did not work correctly in all cases. In particular:

      ?IF $FALSE
      ?IF $FALSE
      foo
      bar
      ?ENDIF
      baz
      bop
      ?ENDIF

    In this case, the lines 'baz' and 'bop' were incorrectly included when they should have been omitted.
  * The 'balance' routing table is now cleared if there are no 'balance' providers.
  * Previously, the compiler generated an invalid 'ip add route' command if an IPv6 provider had '-' in the GATEWAY column.
  * As noted in the Migration Considerations, the generated firewall script maintains the interface .status files used by LSM and SWPING. Up to now, however, the 'disable' command did not update the .status file. That has been corrected. As part of the change, the 'isusable' script is no longer consulted by the 'enable' command.

-------------------------------------------------------------------
Fri May 11 07:03:29 UTC 2012 - toganm@opensuse.org

- Update to 4.5.3
  For more details see changelog.txt and releasenotes.txt
  * The LOCKFILE setting in shorewall.conf and shorewall6.conf had inadvertently become undocumented. It is now documented again.
  * If an initial installation of Shorewall, Shorewall6, Shorewall Lite or Shorewall6 Lite was done under Shorewall 4.5.2, then the firewall would not start up at boot even though the installer indicated that it would. That defect has been corrected.
  * Previously, when per-IP rate limiting was invoked, the compiler would use the deprecated '--ratelimit' option, even if the preferred '--ratelimit-upto' option was available. Now, the compiler uses the preferred option if it is supported by the installed version of iptables.
  * Prior to this release, using a manual chain in the ACTION column of a macro body generated an error:
      ERROR: Invalid Action (mychain) in macro, macro.FOO (line ...)
    This now works correctly and generates a jump to the specified manual chain.
  * Previously, a line with the single word COMMENT in the tunnels file would generate the following error:
      ERROR: Zone must be specified
    Now, such a line correctly resets the current rule comment.
  * In Shorewall 4.5.2, the MARK column in the tcrules file was renamed to ACTION but only 'mark' was accepted in the alternate specification format.
    Now both 'mark' and 'action' are accepted.
  * The alternative method of provider balancing using the statistic match feature of iptables/Netfilter was missing some logic, with the result that it was ineffective.
  * If a logical interface name was used by itself in the SOURCE column of the rtrules file, the generated routing rule would contain the logical name rather than the physical name.

-------------------------------------------------------------------
Tue May 1 06:19:41 UTC 2012 - toganm@opensuse.org

- Update to 4.5.2.4
  For more details see changelog.txt and releasenotes.txt
  * The 'shorewall reset' command now correctly resets the IPv4 packet and byte counters; previously, it was resetting the IPv6 counters.
  * The Shorewall installer now modifies the Chains.pm file for the Digest::SHA dependency when $DESTDIR is set, provided that $BUILD = $HOST. This allows rpm to automatically generate the correct module dependency.

-------------------------------------------------------------------
Sun Apr 15 09:00:27 UTC 2012 - toganm@opensuse.org

- Update to 4.5.2.2
  For more details see changelog.txt and releasenotes.txt
  * If a shorewallrc file is passed to the 4.5.2.1 Shorewall-core install.sh, subsequent compilations fail. The error message indicates that the compiler is looking for lib.core, but the pathname has embedded spaces.
  * The 4.5.2.1 Shorewall/Shorewall6 installer installs an incorrect file as /etc/shorewall[6]/Makefile.

-------------------------------------------------------------------
Sat Apr 14 19:27:13 UTC 2012 - toganm@opensuse.org

- Update to 4.5.2.1
  For more details see changelog.txt and releasenotes.txt
  * In release 4.5.2, if an INCLUDE directive appeared inside a ?IF ... ?ENDIF sequence, then the following error would be generated after the included file had been read:
      ERROR: Missing ?ENDIF to match the ?IF at line ...
  * An error in the shorewallrc.apple file has been corrected.
  * The shorewallrc.redhat file has been changed to conform to Fedora packaging guidelines.
  * The output of the 'version -a' command reflected incorrect versions when Shorewall-core 4.5.2 was installed. That has been corrected.

-------------------------------------------------------------------
Fri Apr 13 13:58:52 UTC 2012 - toganm@opensuse.org

- Update to 4.5.2
  For more details see changelog.txt and releasenotes.txt
  * The generated firewall script includes code to automatically create ipsets that are referenced but that don't exist. That code was broken in releases 4.4.22 and later. This defect has been corrected. As part of the fix, the generated script will now issue a warning message when it creates an ipset.
  * The 'mss' option is now supported in the /etc/shorewall[6]/hosts files. See the manpages for details.
  * It is now possible to conditionally include or omit configuration entries based on the settings of shell variables. See http://www.shorewall.net/configuration_file_basics.htm for details.
  * The MARK/CLASSIFY column in /etc/shorewall[6]/tcrules has been renamed ACTION to reflect the expanded set of actions that can be specified in the column.
  * Some users are finding these ipset warnings objectionable:
    + Warning when a referenced ipset does not exist.
    + Warning when using [src] in a destination column or [dst] in a source column.
    These warnings may now be suppressed by setting IPSET_WARNINGS=No in shorewall.conf and/or shorewall6.conf.

-------------------------------------------------------------------
Tue Mar 20 07:38:46 UTC 2012 - toganm@opensuse.org

- Update to 4.5.1.1
  For more details see changelog.txt and releasenotes.txt
  * When checking or compiling for export (-e option), /sbin/shorewall would previously issue a warning message if the SHOREWALL_SHELL specified in the remote firewall's shorewall.conf did not exist.
  * The changes to TOS handling in 4.5.1 are incompatible with older releases such as RHEL5 and derivatives. That has been corrected.
  * The rules compiler now verifies that the protocol is TCP, UDP, SCTP or DCCP when checking a port range (low:high or low-high).
  * Previously, start or restart using the init script would fail with an error message referencing 'SHOREWALL_INIT_SCRIPT'. This defect was not visible to users that set AUTOMAKE=Yes or that run Shorewall-init.

-------------------------------------------------------------------
Fri Mar 16 06:36:10 UTC 2012 - toganm@opensuse.org

- Update to 4.5.1
  For more details see changelog.txt and releasenotes.txt
  * This release includes all defect repair from versions 4.5.0.1-4.5.0.3.
  * A typo has been corrected in the blrules man pages.
  * Previously, if the interface appearing in the HOSTS column of /etc/shorewall6/hosts was not defined in /etc/shorewall6/interfaces, then the compiler would terminate with a Perl diagnostic:
      Can't use an undefined value as a HASH reference at /usr/share/shorewall/Shorewall/Zones.pm line 1817, <$currentfile> line ...
  * The compiler was previously failing to validate the contents of the LENGTH and TOS columns in /etc/shorewall/tcrules. The contents of those columns are now validated by the compiler and an appropriate error message is issued if validation fails.
  * The column headings in the tos files are now in the proper order. Previously, the SOURCE PORT and DEST PORT columns were reversed.

-------------------------------------------------------------------
Sun Feb 26 13:11:01 UTC 2012 - toganm@opensuse.org

- Update to 4.5.1-Beta2
  For more details see changelog.txt and releasenotes.txt
  * A typo has been corrected in the blrules man pages.
  * Previously, if the interface appearing in the HOSTS column of /etc/shorewall6/hosts was not defined in /etc/shorewall6/interfaces, then the compiler would terminate with a Perl diagnostic:
      Can't use an undefined value as a HASH reference at /usr/share/shorewall/Shorewall/Zones.pm line 1817, <$currentfile> line ...
-------------------------------------------------------------------
Wed Feb 22 18:34:14 UTC 2012 - toganm@opensuse.org

- Update to 4.5.1-Beta
  For more details see changelog.txt and releasenotes.txt
  * The packaging of the Shorewall products has been changed. Beginning with this release, the packages are:
    + Shorewall Core -- Core libraries installed in /usr/share/shorewall/
    + Shorewall -- Requires Shorewall Core. Together with Shorewall Core, provides IPv4 firewalling.
    + Shorewall6 -- Requires Shorewall. Provides IPv6 firewalling.
    + Shorewall Lite -- Requires Shorewall Core. As before.
    + Shorewall6 Lite -- Requires Shorewall Core. As before.
    + Shorewall Init -- As before

-------------------------------------------------------------------
Sat Jan 21 14:27:48 UTC 2012 - toganm@opensuse.org

- Update to 4.4.27.3
  For more details see changelog.txt and releasenotes.txt
  * Previously, if USE_DEFAULT_RT=Yes and 'loose' was specified on all providers, then no routing rule targeting the main routing table was generated. This has been corrected so that USE_DEFAULT_RT=Yes always results in such a rule at priority 999.
  * Shorewall 4.4.27 broke Shorewall-init functionality. It is restored in this release.

-------------------------------------------------------------------
Mon Jan 16 14:13:20 UTC 2012 - toganm@opensuse.org

- Update to 4.4.27.2.
  For more details see changelog.txt and releasenotes.txt
  * A long-standing problem with Shorewall's 'save' facility has been discovered. The defect can cause rules to be dropped during 'save' so that they are not available to be reapplied during 'restore'. This can occur in 'safe-restart' when the prompt is not acknowledged or when it is acknowledged with 'n'. The problem can occur when:
    a) There are IPSEC zones or hosts present; and
    b) GOTO Target support is available in the kernel and iptables.
    Example of a rule that will be dropped:
      -A eth2_fwd -m policy --dir in --pol ipsec -g AAA_frwd
    The defective code has been corrected so that rules are no longer dropped.

-------------------------------------------------------------------
Thu Jan 12 19:33:16 UTC 2012 - toganm@opensuse.org

- Update to 4.4.27.1.
  For more details see changelog.txt and releasenotes.txt
  * When optimization category 4 is used, unconditional jumps at the end of chains are replaced with the rules in the target chain. This can result in rulesets that are considerably larger than necessary. Beginning with this release, replacement will only occur if:
    a) The jump is the only reference to the target chain; or
    b) The target chain contains 3 or fewer rules.
  * The feature introduced in 4.4.25 that allowed provider names in the 'enable' and 'disable' commands was only implemented for 'enable'. It is now implemented for 'disable' as well.
  * When detecting IPv6 global addresses through an interface, Shorewall6-generated scripts were ignoring addresses beginning with '3'.
  * A typo in /usr/share/shorewall/prog.header caused an 'awk' script to fail when saving a multi-hop default route during 'start'.
  * The value '0' is once again accepted in the IN_BANDWIDTH columns of tcinterfaces and tcrules, and causes no ingress policing to be configured.
  * MARK_IN_FORWARD_CHAIN=Yes no longer generates an error when $FW:<address> is entered in the SOURCE column of the tcrules file.
  * In most Shorewall 4.4 versions, if an exported params file (EXPORTPARAMS=Yes in shorewall.conf) generates any output to stdout, then the following messages would appear during start/restart:

      Compiling /etc/shorewall/routestopped...
      Shorewall configuration compiled to /var/lib/shorewall/.restart
      printf: 214: Build: expected numeric value
      printf: 214: ipset: expected numeric value
      printf: 214: of: expected numeric value
      Processing /etc/shorewall/params ...
      Build ipset of blacklisted addresses
      Usage: /var/lib/shorewall/.restart [ options ] <command>
      <command> is one of:
         start
         stop
         ...

    This has now been corrected.

-------------------------------------------------------------------
Wed Dec 14 09:05:51 UTC 2011 - toganm@opensuse.org

- Update to 4.4.26.1
  For more details see changelog.txt and releasenotes.txt
  * The Perl module version numbers have now been updated to reflect changes in 4.4.26.
  * The 4.4.26 rules compiler does not issue a warning when a capabilities file was generated with Shorewall 4.4.25, even though new capabilities were added in 4.4.26. This has been corrected so that a warning is generated.
  * When TC_ENABLED=Shared, CLASSIFY rules could not be used in the tcrules file. Thanks to a patch from Chris Boot, this now works as expected.
  * The quoted part of the progress message 'Provider "..." compiled' was inadvertently omitted by a change in Shorewall 4.4.23. That text has now been restored.

-------------------------------------------------------------------
Sat Dec 3 10:23:47 UTC 2011 - toganm@opensuse.org

- Update to 4.4.26
  For more details see changelog.txt and releasenotes.txt
  * This release includes all corrections included in 4.4.25.1 through .3.
  * In 4.4.25, ACCEPT behaved in the BLACKLIST section the same way as in the other rules file sections. This could lead to connections being accepted inadvertently. Now, ACCEPT behaves like WHITELIST; that is, it exempts the packet from the remaining rules in the BLACKLIST section.
  * Previously, Shorewall did not detect the ULOG and NFLOG capabilities. This led to run-time failures during 'start' and 'restart' as well as confusing error messages during compilation when ULOG or NFLOG was used when the LOG target was not available. ULOG and NFLOG are now detected capabilities so, if you use a capabilities file, you will need to regenerate it in order to use these log levels.
  * The SAME tcrules target was broken in Shorewall 4.4.22.
    It now works correctly again.
  * Previously, 'shorewall6 update' did not update shorewall6.conf. The command now works as expected.
  * In earlier releases, the compiler was attempting to process the params file before it was aware of the setting of CONFIG_PATH. This could cause the params file to be missed if it was not located in /etc/shorewall[6] or in the directory named in the start (restart, compile, check, ...) command. Now, /sbin/shorewall[6] passes $CONFIG_PATH to the compiler (/usr/share/shorewall/compiler.pl) in the new '--config_path' option.

-------------------------------------------------------------------
Sat Nov 12 08:39:06 UTC 2011 - toganm@opensuse.org

- Update to 4.4.25.3
  For more details see changelog.txt and releasenotes.txt
  * Correction of the produced ruleset when wildchars are used in the zone configuration.

-------------------------------------------------------------------
Sun Nov 6 10:05:33 UTC 2011 - toganm@opensuse.org

- Update to 4.4.25.2
  For more details see changelog.txt and releasenotes.txt
  * Previously, if all the following were true:
    - AUTOMAKE=Yes
    - Current compiled script (/var/lib/shorewall/firewall or /var/lib/shorewall6/firewall) up to date
    - LEGACY_FASTSTART=No
    - There was a saved configuration
    then rather than start the current configuration, 'shorewall start -f' or 'shorewall6 start -f' would incorrectly restore the saved configuration.
  * The DropSmurfs and TCPFlags actions are now available in Shorewall6. They were previously omitted from the IPv6 actions.std file.
  * The 'rawpost' table was previously omitted from the output of the 'dump' command. It is now displayed.
  * Previously, if a configuration contained more than one wildcard interface (physical name ending in '+'), then the generated script might not work properly with Shorewall-init. This defect dates back to the introduction of Shorewall-init.
-------------------------------------------------------------------
Tue Nov 1 18:16:52 UTC 2011 - toganm@opensuse.org

- Update to 4.4.25.1
  For more details see changelog.txt and releasenotes.txt
  * A 'refresh' command with no chains or tables specified will now reload chains created by entries in the BLACKLIST section of the rules file.
  * The rules compiler previously failed to detect the 'Flow Filter' capability. That capability is now correctly detected.
  * The IN_BANDWIDTH handling changes in 4.4.25 were incompatible with moribund distributions such as RHEL4. Restoring IN_BANDWIDTH functionality on those releases required a new 'Basic Filter' capability.

-------------------------------------------------------------------
Sun Oct 30 09:47:11 UTC 2011 - toganm@opensuse.org

- Update to 4.4.25
  For more details see changelog.txt and releasenotes.txt
  * A defect in the optimizer that allowed incompatible rules to be combined has been corrected.
  * Routes and rules added as a result of entries in /etc/shorewall6/providers were previously not deleted by 'stop' or 'restart'. Repeated 'restart' commands could therefore lead to an incorrect routing configuration.
  * Previously, capital letters were disallowed in IPv6 addresses. They are now permitted.
  * If the COPY column in /etc/shorewall6/providers was non-empty, previously a run-time error could occur when copying a table. The diagnostic produced by ip was:
      Either "to" is duplicate, or "cache" is garbage
  * When copying IPv6 routes, the generated script previously attempted to copy 'cache' entries. Those entries are now omitted.
  * Previously, the use of large provider numbers could cause some Shorewall-generated routing rules to be ineffective.
  * In some contexts, IPv6 addresses of the form ::i.j.k.l were incorrectly classified as invalid by the configuration compiler.
  * New blacklisting facility implemented.
    For this and other new features please refer to the releasenotes.txt

-------------------------------------------------------------------
Sat Oct 15 16:58:32 UTC 2011 - toganm@opensuse.org

- Update to 4.4.24.1
  * When the logical and physical name of an interface were different, including the logical name in the tcdevices file caused the device's classes to be ignored. This defect was introduced in Shorewall 4.4.23.
  * Remove the ExecReload from all services, since systemd doesn't allow an ExecReload for OneShot services. Also, add a missing After=network.target to shorewall.service.
- Fixed URL typo in the spec

-------------------------------------------------------------------
Mon Oct 10 07:17:47 UTC 2011 - toganm@opensuse.org

- Update to 4.4.24.
  For more details see changelog.txt and releasenotes.txt
  * This release includes all problem corrections from releases 4.4.23.1-4.4.23.3.
  * The 'fallback' option without =<weight> previously produced invalid 'ip' commands.

-------------------------------------------------------------------
Thu Sep 29 14:56:11 UTC 2011 - toganm@opensuse.org

- reworked systemd related rpm macros for 12.1

-------------------------------------------------------------------
Sat Sep 17 11:20:49 UTC 2011 - toganm@opensuse.org

- Update to 4.4.23.3
  * When providers were present that specify neither 'balance' nor 'fallback', then the following message was issued during compilation and 'enable' of the interface would fail.
      Use of uninitialized value $weight in concatenation (.) or string at /usr/share/shorewall/Shorewall/Providers.pm line 644.
  * TC_ENABLED=Shared was broken in Shorewall 4.4.23, 4.4.23.1 and 4.4.23.2. It produced a shell script with syntax errors.
- Backported patches removed.
-------------------------------------------------------------------
Fri Sep 16 15:06:03 UTC 2011 - toganm@opensuse.org

- Update to 4.4.23.2
  For more details see changelog.txt and releasenotes.txt
- Support of systemd for openSUSE 12.1
- Backported patches WEIGHT.patch and SHARED.patch fixing a harmless message and traffic shaping issues respectively

-------------------------------------------------------------------
Sat Aug 20 18:47:26 UTC 2011 - toganm@opensuse.org

- Update to 4.4.22.3. Corrections in this release are below.
  * On older distributions where 'shorewall show capabilities' indicates 'Connection Tracking Match: Not Available', harmless Perl diagnostics like the following could be issued:
      Use of uninitialized value $list in pattern match (m//) at /usr/share/shorewall/Shorewall/Config.pm line 1273, <$currentfile> line 14.
      Use of uninitialized value $list in split at /usr/share/shorewall/Shorewall/Config.pm line 1275, <$currentfile> line 14.
  * On older distributions where 'shorewall show capabilities' indicates 'Mangle FORWARD Chain: Not Available', entries in the ecn file generated the following Perl diagnostic:
      Use of uninitialized value in hash element at /usr/share/shorewall/Shorewall/Chains.pm line 1119.
  * Previously, if a provider interface was derived from an optional wildcard entry in /etc/shorewall/providers, then the interface was never considered to be usable. Example:

      /etc/shorewall/interfaces:

      #ZONE   INTERFACE   BROADCAST   OPTIONS
      net     ppp+        -           optional

      /etc/shorewall/providers:

      #PROVIDER   NUMBER   MARK   INTERFACE   ...
      ISP1        1        1      ppp0

  * When 'shorewall update' or 'shorewall6 update' results in no change to the .conf file, a message is issued, the .bak file is removed and the command terminates without error.

-------------------------------------------------------------------
Fri Aug 12 08:28:00 UTC 2011 - toganm@opensuse.org

- patch the Perl diagnostic with a WARNING message.
-------------------------------------------------------------------
Tue Aug 9 19:22:07 UTC 2011 - toganm@opensuse.org

- Update to 4.4.22.2
  * On older distributions where 'shorewall show capabilities' indicates 'Connection Tracking Match: Not Available', Shorewall 4.4.22 and 4.4.22.1 generated invalid iptables-restore input.
  * Previously, the compiler always placed '#!/bin/sh' on the first line of the generated script. It now uses the setting of SHOREWALL_SHELL on that line rather than '/bin/sh'. Note that SHOREWALL_SHELL defaults to '/bin/sh' so this change only affects those who specify a different shell.
- Patched REDIRECT rule

-------------------------------------------------------------------
Thu Aug 4 05:13:07 UTC 2011 - toganm@opensuse.org

- Update to 4.4.22.1
  * Previously, if the name of a zone began with 'all', then entries for that zone in /etc/shorewall/rules and /etc/shorewall6/rules treated the name the same as 'all'. This defect is present in Shorewall 4.4.13 through 4.4.22.
  * Previously, when LOAD_HELPERS_ONLY=No, harmless iptables-restore warnings as follows could be generated:

      ...
      Running /usr/local/sbin/iptables-restore...
      --set option deprecated, please use --match-set
      --set option deprecated, please use --match-set
      IPv4 Forwarding Enabled

-------------------------------------------------------------------
Wed Aug 3 15:45:01 UTC 2011 - toganm@opensuse.org

- Update to 4.4.22.
  For more details see changelog.txt and releasenotes.txt
  * Under rare conditions, long port lists (>15 ports) could result in the following failure when optimization level 4 was enabled.
      Use of uninitialized value in numeric gt (>) at /usr/share/shorewall/Shorewall/Chains.pm line 1264.
      ERROR: Internal error in Shorewall::Chains::decrement_reference_count at /usr/share/shorewall/Shorewall/Chains.pm line 1264
  * All corrections included in Shorewall 4.4.21.1.
- A bug in recent versions of Shorewall that could result in rules that are wider in scope than intended was fixed by applying a patch by the upstream.

-------------------------------------------------------------------
Tue Jul 19 22:06:11 UTC 2011 - toganm@opensuse.org

- Update to 4.4.21.1
  Changes in this release are:
  * A harmless Perl run-time "uninitialized variable" diagnostic has been eliminated from the compiler. The diagnostic was issued while displaying the capabilities.
  * As the result of a typo, an orphan filter chain named FORWAR could be created under rare circumstances. This chain was deleted by OPTIMIZE level 4.
  * The SNAT options --persistent and --randomize now work properly (/etc/shorewall/masq).
  * The LOGMARK log level previously generated invalid iptables input, making it unusable. That has been corrected. The syntax for LOGMARK is now:
      LOGMARK(<priority>)
    where <priority> is a syslog priority (1-7 or debug, info, notice, etc.). Example rule:

      #ACTION             SOURCE   DEST   PROTO   DEST
      #                                           PORT(S)
      LOG:LOGMARK(info)   lan      dmz    udp     1234

-------------------------------------------------------------------
Mon Jul 11 08:13:36 UTC 2011 - toganm@opensuse.org

- Update to 4.4.21
  For more details see changelog.txt and releasenotes.txt
  * The Shorewall and Shorewall6 'load' and 'reload' commands now use the .conf file in the current working directory.
  * The 'balance' and 'fallback' options in /etc/shorewall/providers have always been mutually exclusive but the compiler previously didn't enforce that restriction. Now it does.
  * The ipset modules are now automatically loaded by Shorewall6 when LOAD_HELPERS_ONLY=No is specified in shorewall6.conf. Additionally, there is now a /usr/share/shorewall6/modules.ipset file that lists all of the required modules.
  * TPROXY descriptions have been added to shorewall-tcrules(5) and shorewall6-tcrules(5).
------------------------------------------------------------------- Thu Jun 16 06:59:20 UTC 2011 - toganm@opensuse.org - Update to 4.4.20.3. Changes in this release are * Deprecated options have been removed from the .conf files. They remain in the man pages. * A simple configuration like the 'Universal' sample that includes a single wildcard interface ('+' in the INTERFACE column) produces a ruleset that blocks all incoming packets. As part of correcting this defect, which was introduced in 4.4.20.2, one or more superfluous rules (which could never match) have been eliminated from most configurations. ------------------------------------------------------------------- Wed Jun 15 06:57:32 UTC 2011 - toganm@opensuse.org - Update to 4.4.20.2 * A defect introduced in 4.4.20 could cause the following failure at start/restart: ERROR: Command "tc qdisc add dev eth0 parent 1:11 handle 1: sfq quantum 12498 limit 127 perturb 10" failed * The 'sfilter' interface option introduced in 4.4.20 was only applied to forwarded traffic. Now it is also applied to traffic addressed to the firewall itself. * Issues with iptables-restore is corrected * IPSEC traffic is now (correctly) excluded from sfilter. * The following incorrect warning message has been eliminated: WARNING: sfilter is ineffective with FASTACCEPT=Yes ------------------------------------------------------------------- Tue Jun 7 14:14:12 UTC 2011 - toganm@opensuse.org - Update to 4.4.20.1 * The address of the Free Software Foundation has been corrected in the License files. * The shorewall[6].conf file installed in /usr/share/shorewall[6]/configfiles is no longer modified for use with Shorewall[6]-lite. 
When creating a new configuration for a remote forewall, two lines need to be modified in the copy CONFIG_PATH=/usr/share/shorewall (or shorewall6) STARTUP_LOG=/var/log/shorewall-lite-init.log (or shorewall6-lite-init.log) ------------------------------------------------------------------- Mon Jun 6 07:30:14 UTC 2011 - toganm@opensuse.org - Update to 4.4.20 *Removed backported patches for openSUSE specific locations as they are incorporated in upstream. - Changes in 4.4.20 (for more read changelog.txt and releasenotes.txt) * Support for the AUDIT target has been added. AUDIT is a feature of the 2.6.39 kernel and iptables 1.4.10 that allows security auditing of access decisions. ------------------------------------------------------------------- Wed May 18 11:03:16 UTC 2011 - toganm@opensuse.org - Update to 4.4.19.4 * Previously, the compiler would allow a degenerate entry (only the BAND specified) in /etc/shorewall/tcpri. Such an entry now raises a compilation error. * Previously, it was possible to specify tcfilters and tcrules that classified traffic with the class-id of a non-leaf HFSC class. Such classes are not capabable of handling packets. Shorewall now generates a compile-time warning in this case and ignores the entry. If a non-leaf class is specified as the default class, then Shorewall now generates a compile-time error since that configuration allows no network traffic to flow. * Traditionally, Shorewall has not checked for the existance of ipsets mentioned in the configuration, potentially resulting in a run-time start/restart failure. Now, the compiler will issue a WARNING if: a) The compiler is being run by root. b) The compilation isn't producing a script to run on a remote system under a -lite product. c) An ipset appearing in the configuration does not exist on the local system. * As previously implemented, the 'refresh' command could fail or could result in a ruleset other than what was intended. 
If there had been changes in the ruleset since it was originally started/restarted/restored that added or deleted sequenced chains (chains such as ~lognnn and ~exclnnn), the resulting ruleset could jump to the wrong such chains or could fail to 'refresh' successfully. This issue has been corrected as follows. When a 'refresh' is done and individual chains are involved, then each table that contains both sequenced chains and one of the chains being refreshed is refreshed in its entirety. For example, if 'shorwall refresh foo' is issued and the filter table (which is the default) contains any sequenced chains, then the entire table is reloaded. Note that this reload operation is atomic so no packets are passed through an inconsistent configuration. * When 'shorewall6 refresh' was run previously, a harmless 'ip6tables: Chain exists' message was generated. - Reworked backported patches so shorewall still uses openSUSE specific locations - Fix the zone definitions in shorewall6/Samples6/zones examples ------------------------------------------------------------------- Wed May 11 16:17:38 UTC 2011 - toganm@opensuse.org - Update to 4.4.19.3 * incompatibility with gawk has been corrected * Previously, an entry in the USER/GROUP column in the rules and tcrules files could cause run-time start/restart failures if the rule(s) being added did not have the firewall as the source (rules file) and were not being added to the POSTROUTING chain (:T designator in the tcrules file). This error is now caught by the compiler. * Shorewall now insures that a route to a default gateway exists in the main table before it attempts to add a default route through that gateway in a provider table. This prevents start/restart failures in the rare event that such a route does not exist. * CLASSIFY TC rules can apply to traffic exiting only the interface associated with the class-id specified in the first column. 
* Fixes start of shorewall6 (bnc#693162) ------------------------------------------------------------------- Fri May 6 08:03:49 UTC 2011 - toganm@opensuse.org - Update to 4.4.19.2 For more details see changelog.txt and releasenotes.txt * In Shorewall-shell, there was the ability to specify IPSET names in the ORIGINAL DEST column of DNAT and REDIRECT rules. That ability, inadvertently dropped in Shorewall-perl, has been restored * Several problems with complex TC have been corrected: * Double exclusion involving ipset lists was previously not detected, resulting in anomalous behavior. ------------------------------------------------------------------- Mon Apr 18 09:42:37 UTC 2011 - toganm@opensuse.org - Update to 4.4.19.1 * Eliminate silly duplicate rule when stopped. * Don't believe that all nexthop routes are default routes. * Restore :<low port>-<high port> in masq file. * Correct default route safe/restore. - backported paths related patches from git as they are in mainstream now ------------------------------------------------------------------- Wed Apr 13 17:23:31 UTC 2011 - toganm@opensuse.org - Shorewall packages have their openSUSE specific locations now * Executable files in /usr/lib/shorewall*. These include; getparams compiler.pl wait4ifup shorecap ifupdown * Perl Modules in /usr/lib/perl5/vendor_perl/PERL_VERSION/Shorewall. - Updated to 4.4.19 (for more info please consult changelog.txt and releasenotes.txt) * Corrected a problem in optimize level 4 that resulted in the following compile-time failure Can't use an undefined value as an ARRAY reference at /usr/share/shorewall/Shorewall/Chains.pm line 862. * If a DNAT or REDIRECT rule applied to a source zone with an interface defined with 'physical=+', then the nat table 'dnat' chain might have been created but not referenced. This prevented the DNAT or REDIRECT rule from working correctly. 
* Previously, if a variable set in /etc/shorewall/params was given a value containing shell metacharacters, then the compiled script would contain syntax errors. * The pathname of the 'conntrack' binary was erroneously printed in the output of 'shorewall6 show connections'. * Correct a problem whereby incorrect Netfilter rules were generated when a bridge with ports was given a logical name. * If a bridge interface had subordinate ports defined in /etc/shorewall/interface, then an ipsec entry (either ipsec zone or the 'ipsec' option specified) in /etc/shorewall/hosts resulted in the compiler generating an incorrect Netfilter configuration. * A fatal error is now raised if '!0' appears in the PROTO column of files that have that column. This avoids an iptables-restore failure at run time. ------------------------------------------------------------------- Mon Apr 4 17:11:01 UTC 2011 - toganm@opensuse.org - Updated to 4.4.18.2 * SAVE_IPSETS=Yes didn't work unless there is a dynamic zone defined. * If a logical name was given to a bridge and the ports on the bridge were defined in /etc/shorewall/interfac, then the compiler could generate matches that used the logical name rather than the physical name. ------------------------------------------------------------------- Mon Mar 21 08:46:40 UTC 2011 - toganm@opensuse.org - Updated to 4.4.18.1 * An issue with params processing on RHEL6 has been corrected. The problem manifested as the following type of warning: WARNING: Param line (export OLDPWD) ignored at /usr/share/shorewall/Shorewall/Config.pm line 2993. * The editing of the value of the TC_PRIOMAP option has been tightened. Previously, many invalid settings were allowed, resulting in run-time tc command failures. * The Shorewall Lite and Shorewall6 Lite installers now install the 'helpers' modules file. Previously, this file was not installed with the result that both 'shorewall[6]-lite show capabilities' and 'shorecap' failed. 
* Previously, if an icmp or icmp6 type which included both a type and a code was used in the tcfilters file, 'start' and 'restart' would fail with a 'tc' error. ------------------------------------------------------------------- Fri Mar 11 23:46:49 UTC 2011 - toganm@opensuse.org - Updated to 4.4.18 * for accounting modules xtables-addons must be installed - Changes in 4.4.18 (for more read changelog.txt and releasenotes.txt) * The modules files are now just a driver that INCLUDEs several new files and one old file: * Beginning with Shorewall 4.4.18, the accounting structure can be created with three root chains: - accountin: Rules that are valid in the INPUT chain (may not specify an output interface). - accountout: Rules that are valid in the OUTPUT chain (may not specify an input interface or a MAC address). - accountfwd: Other rules. * Internals Change: The Policy.pm module has been merged into the Rules.pm module. ------------------------------------------------------------------- Thu Feb 10 16:24:41 UTC 2011 - toganm@opensuse.org - Updated to 4.4.17 * This release adds support for per-IP accounting using the ACCOUNT target. That target is only available when xtables-addons is installed. - Changes in 4.4.17 (for more read changelog.txt and releasenotes.txt) * Previously, Shorewall did not check the length of the names of accounting chains and manual chains. This could result in errors when loading the resulting ruleset. Now, the compiler issues an error for chain names longer than 29 characters. Additionally, the compiler now ensures that these chain names are composed only of letters, digits, underscores ('_') and dashes ("-"). This eliminates Perl runtime errors or other failures when a chain name is embedded within a regular expression. * Several issues with complex traffic shaping have been resolved: a) Specifying IPv6 network addresses in the SOURCE or DEST columns of /etc/shorewall6/tcfilters now works correctly. 
Previously, Perl runtime warnings occurred and an invalid tc command was generated. b) Previously, if flow= was specified on a parent class, a perl runtime warning occurred and an invalid tc command was generated. This combination is now flagged as an error at compile time. c) There is now an ipv6 tcfilters skeleton included with Shorewall6. * Several issues with accounting are corrected. a) If an accounting rule of the form: chain1 chain2 was configured and neither chain was referenced again in the configuration, then an internal error was generated when optimize level 4 was selected and OPTIMIZE_ACCOUNTING=Yes. b) If there was only a single accounting rule and that rule specified an interface in the SOURCE or DEST columns, then the generated ruleset would fail to load when OPTIMIZE_ACCOUNTING=Yes. c) If a per-IP accounting table name appeared in more than one rule and the specified network was not the same in all occurrences, then the generated ruleset would fail to load. This is now flagged as an error at compile time. * Two defects in compiler module loading have been corrected: a) Previously, the kernel/net/ipv6/netfilter/ directory was not searched. b) A Perl diagnostic was issued when running on a monolithic kernel when the modutils package was installed. * A line containing only 'INCLUDE' appearing in an extension script now generates a compile-time diagnostic rather than a run-time diagnostic. * Previously, the uninstall.sh scripts used insserv (if installed) on Debian-based systems. These scripts now use the preferred tool (updaterc.d). * Beginning with 4.4.16, compilation would fail if an empty shell variable was referenced in a config file on a system where /bin/sh is the Bourne Again Shell (bash). * In earlier versions. if OPTIMIZE=8 then the ruleset displayed by 'check -r' was the same as when OPTIMIZE=0 (unoptimized). Similarly, if OPTIMIZE=9 then the ruleset displayed was the same as when OPTIMIZE=1. 
* Startup could previously fail on a system where kernel module autoloading was not available and where TC_ENABLED=Simple was specified in shorewall.conf or shorewall6.conf. * Previously, a 'done.' message could be printed at the end of command processing even when the command had failed. Now, such a message only appears if the command completed successfully. ------------------------------------------------------------------- Sat Jan 22 19:00:26 UTC 2011 - toganm@opensuse.org - Updated to 4.4.16.1 * Beginning with 4.4.16, compilation would fail if an empty shell variable was referenced in a config file on a system where /bin/sh is the Bourne Again Shell (bash). ------------------------------------------------------------------- Wed Jan 12 18:23:38 UTC 2011 - toganm@opensuse.org - fix fillup for shorewall-init so it will be copied to sysconfig directory - link network/scripts/shorewall to if-up.d and if-down.d - Changes in 4.4.16 (for more read changelog.txt and releasenotes.txt) + If the output of 'env' contained a multi-line value, then compilation failed with an Internal Error. The code has been changed so that the compiler now handles multi-line values correctly. * In 4.4.15, output to Standard Out (FD 1) generated by /etc/shorewall/params (/etc/shorewall6/params) was redirected to /dev/null. It is now redirected to Standard Error (FD 2). * If a params file did not appear in the CONFIG_PATH, compilation failed with the error: .: 31: Can't open /etc/shorewall6/params ERROR: Processing of /etc/shorewall6/params failed * Previously, proxy ARP with logical interface names did not work. Symptoms included numerous Perl runtime error messages. * Previously, the root of a wildcard name erroneously matched that name. For example 'eth' matched 'eth+'. Now there must be at least one additional character (e.g., 'eth4'). * Use of logical interface names in the notrack and ecn files resulted in perl runtime warning messages. 
* The use of wildcard-matching names in certain contexts would result in anomalous behavior. Among the symptoms were: - Perl run-time messages similar to this one: Use of uninitialized value in numeric comparison (<=>) at /usr/share/shorewall/Shorewall/Zones.pm line 1334. - Failure to treat the interface as optional or required. * Where two ISPs share the same interface, if one of the ISPs was not reachable, an iptables-restore error such as this occurred: iptables-restore v1.4.10: Bad mac address "-j" * Previously, under very rare circumstances, a chain would be optimized away while there were still jumps to the chain. This caused Shorewall start/restart to fail during iptables-restore. 11) Previously, the setting of BLACKLIST_DISPOSITION was not validated. Now, an error is raised unless the value is DROP or REJECT. ------------------------------------------------------------------- Mon Jan 3 10:54:16 UTC 2011 - toganm@opensuse.org - Update to version 4.4.15.3 - Changes in 4.4.15.3 * Previously, the root of a wildcard name erroneously matched that name. For example 'eth' matched 'eth+'. Now there must be at least one additional character (e.g., 'eth4'). * Use of logical interface names in the notrack and ecn files resulted in perl runtime warning messages. * The use of wildcard-matching names in certain contexts would result in perl run-time messages similar to this one: Use of uninitialized value in numeric comparison (<=>) at /usr/share/shorewall/Shorewall/Zones.pm line 1334. * Under very rare circumstances, a chain could be optimized away even when there are jumps to the chain. This resulted in a start/restart failure. - Changes in 4.4.15.2 * Previously, proxy ARP with logical interface names did not work. Symptoms included numerous Perl runtime error messages. * Previously, unknown interface names in the proxyarp and tcinterfaces files resulted in Perl runtime errors. 
------------------------------------------------------------------- Thu Dec 2 20:49:39 UTC 2010 - toganm@opensuse.org - Upgrade to version 4.4.15.1 - Changes in version 4.4.15.1 1) If the output of 'env' contained a multi-line value, then compilation failed with an Internal Error. The code has been changed to ignore all but the first line of a multi-line value. 2) If a params file did not appear in the CONFIG_PATH, compilation failed with the error: .: 31: Can't open /etc/shorewall6/params ERROR: Processing of /etc/shorewall6/params failed ------------------------------------------------------------------- Thu Dec 2 09:38:00 UTC 2010 - toganm@opensuse.org - Update to version 4.4.15 - Changes in Shorewall 4.4.15 1) Add macros from Tuomo Soini. 2) Corrected macro.JAP. 3) Added fatal_error() functions to the -lite CLIs. RC 1 1) Another Perl 5.12 warning. 2) Avoid anomalous behavior regarding syn flood chains. 3) Add HEADERS column for IPv6 Beta 2 1) Tweaks to IPv6 tcfilters 2) Add support for explicit provider routes 3) Fix shared TC tcfilters handling. Beta 1 1) Handle exported VERBOSE. 2) Modernize handling of the params file. 3) Fix NULL_ROUTE_RFC1918 4) Fix problem of appending incorrect files. 5) Implement shared TC. ------------------------------------------------------------------- Thu Nov 25 10:20:58 UTC 2010 - toganm@opensuse.org - Added README.openSUSE which warns the user ------------------------------------------------------------------- Wed Nov 24 22:21:47 UTC 2010 - toganm@opensuse.org - Fix init-4.4.14.patch - Cleaned spec file - Removed Provides shoreline_firewall - Until upstream clarifies non-executable scripts put them under rpmlintrc - TODO * the code files should go into %_libexecdir/shorewall, only non-executable data is for %_datadir/shorewall. 
------------------------------------------------------------------- Wed Nov 24 10:57:37 UTC 2010 - toganm@opensuse.org - Included docs-html to the packaging as well - Patches have the version number reflecting the diff to the original ------------------------------------------------------------------- Thu Nov 11 16:55:07 UTC 2010 - toganm@opensuse.org - Initial packaging of shorewall for opensuse