Changelog for shorewall-4.5.21.2-112.1.noarch.rpm :
Mon Oct 21 14:00:00 2013 toganmAATTopensuse.org
- Update to version 4.5.21.2 For more details see changelog.txt and
releasenotes.txt

* Previously, the AutoBL action would fail if the kernel and
iptables did not support the Recent Match '--reap' option. A new
REAP_OPTION capability has been added to work around this issue.

* The Shorewall-core installer no longer reports an error from
'cp' stating that it could not stat the shorewallrc file.

* When a non-root user attempts to execute 'version -a', the CLI
no longer attempts to get the version of the compiled
firewall. Previously, the command issued the following
diagnostic when run by non-root:
/sbin/shorewall: /var/lib/shorewall/firewall:
Permission denied

* Shorewall no longer uses 'fgrep', thus allowing for use on
systems without that utility. All uses of 'fgrep' have been
replaced by 'grep -F'.

* Placing | in the ACTION column of the tcrules file no
longer raises a fatal compilation error.

Wed Oct 9 14:00:00 2013 toganmAATTopensuse.org
- Update to version 4.5.21.1 For more details see changelog.txt and
releasenotes.txt

* Problems with the Shorewall Init installer (install.sh) were
corrected. These problems affected initial Gentoo and Debian
installs.

* A problem that prevented multiple ICMP/ICMP6 types from being
specified in a rule has been corrected.

* Previously, an attempt to specify RAS or Q.931 in the HELPER
column was rejected with an error.

* The 'nohostroute' provider option was not honored in the
default table when USE_DEFAULT_RT=Yes.

Thu Oct 3 14:00:00 2013 toganmAATTopensuse.org
- Update to version 4.5.21 For more details see changelog.txt and
releasenotes.txt

* ip[6]tables 1.4.20 introduced an incompatible change that
causes the program to fail if there is another instance of either
iptables or ip6tables already running. This behavior can be avoided
if the new -w option is specified.
To work around this problem, the compiler now uses the -w
option (when available) during capabilities determination so that
shorewall and shorewall6 compilations can proceed in parallel.

* Previously, the Shorewall-init installer unconditionally
installed the sysconfig file even when a different SYSCONFFILE was
specified. (Thomas D).

* /sbin/shorewall-init now includes the correct SYSCONFDIR name
in its error message that reports the absence of
${SYSCONFDIR}/shorewall-init. (Thomas D).

* /sbin/shorewall-init and the Shorewall-init SysV init scripts
now honor the setting of $OPTIONS.

* The -lite installers now look in ${SHAREDIR} for the
coreversion file rather than in /usr/share/.

* If a Shorewall-lite installation used an
/etc/shorewall-lite/vardir file to set a non-standard state
directory, the administrative system would send the firewall
and firewall.conf files to the wrong directory on the firewall
system.

* Previously, the compiler verified 'monthdays' specifications in
the rules TIME column, but failed to include --monthdays in the
generated rule. That omission has been corrected.

* The Multicast DNS macros (mDNS and mDNSbi) now allow the entire
non-priv port range (1024-65535) for the dynamic unicast
port. Previously, only the Linux 2.6+ dynamic port range
(32768-65535) was allowed.
- Spec file changes

* Add 0001-fillup-install.patch

* Remove shorewall-init-4.5.15-install.patch

Wed Aug 28 14:00:00 2013 toganmAATTopensuse.org
- Update to version 4.5.20 For more details see changelog.txt and
releasenotes.txt

* A typographical error in the usage text produced by the -h
command in the compiled firewall script has been corrected.

* The handling of INITSOURCE is now uniform between the standard
and the -lite installers.

* Previously, when SYSCONFFILE was specified in shorewallrc, the
installers would always install default.debian rather than the
named file. That has been corrected.
- Spec file changes

* removed the following patches:
0001-Os-release.patch
0001-Fix-Exec-directory.patch

Thu Aug 8 14:00:00 2013 toganmAATTopensuse.org
- Spec file changes

* Add 0001-Os-release.patch Fixes bnc#833999

* dropped 0001-Use-etc-os-release-as-of-release-13.1.patch

Thu Aug 8 14:00:00 2013 toganmAATTopensuse.org
- Spec file changes

* Added 0001-Use-etc-os-release-as-of-release-13.1.patch
Fixes bnc#833999 for /etc/os-release

Wed Jul 24 14:00:00 2013 toganmAATTopensuse.org
- Update to version 4.5.19 For more details see changelog.txt and
releasenotes.txt

* Previously, the '-q' option did not suppress all output from
certain commands such as 'check'.

Sun Jun 30 14:00:00 2013 toganmAATTopensuse.org
- Spec file changes

* Added 0001-Fix-Exec-directory.patch which fixes ExecStart
ExecStop path of systemd shorewall-init.service (bnc#827524)

* removed systemd.patch

Sun Jun 30 14:00:00 2013 toganmAATTopensuse.org
- Update to version 4.5.18 For more details see changelog.txt and
releasenotes.txt

* This release includes all defect repair from Shorewall
4.5.17.1.

* The following warning message could be emitted inappropriately
when running shorewall 4.5.17.
The rule(s) generated by this entry are unreachable and have
been discarded
These warnings, which were disabled in Shorewall 4.5.17.1, are
now only emitted where appropriate. The message has also been
reworded to:
One or more unreachable rules in chain have been
discarded
The message is issued a maximum of once per Netfilter chain.

* A problem that could cause the 'trace' compiler option to
produce false error messages or to produce an altered generated
firewall script has been corrected.

* If the 'Owner Name Match' capability was not available, the
following error message would previously appear during
compilation:
iptables: No chain/target/match by that name.
- spec file changes

* rebased systemd.patch

Wed Jun 5 14:00:00 2013 toganmAATTopensuse.org
- Update to version 4.5.17.1 For more details see changelog.txt and
releasenotes.txt.

* The following warning message may be emitted inappropriately
when running shorewall 4.5.17. The message is no longer issued.
The rule(s) generated by this entry are unreachable and have
been discarded

* Rules intended to increment nfacct objects would previously be
optimized away when they immediately preceded an unconditional
jump to the same target. Such rules are now retained.

* A bug in the optimizer in 4.5.17 can cause 'set' and 'geoip'
matches to be dropped. That has been corrected.
- spec file changes

* rebased systemd.patch

Thu Apr 4 14:00:00 2013 toganmAATTopensuse.org
- Update to version 4.5.15 For more details see changelog.txt and
releasenotes.txt

* Previously, the Shorewall and Shorewall6 install.sh scripts did
two things wrong with respect to the /etc/shorewall[6]/routes
file:
+ The existing file was unconditionally removed.
+ A skeleton file was not installed when SPARSE was not set in
the shorewallrc file.
Additionally, the installer would remove /etc/shorewall[6]/tcstart

* The Shorewall-init install.sh script previously refused to
replace /sbin/ifup-local and /sbin/ifdown-local when those files had
been installed by an earlier version of Shorewall-init.

* Previously, Shorewall-init's integration with NetworkManager
was incomplete on SuSE with the result that NetworkManager
interface change events were not processed. That has been corrected.

* Beginning with Shorewall 4.5.8, Shorewall6 has interpreted /32
networks as hosts (/128). /32 IPv6 networks are once again
handled correctly.

* Using names such as EF, BE, CS1, ... for DSCP didn't
work previously. Thibaut Chèze has provided a fix.

* An incorrect range test prevented DSCP classes CS6 and CS7 from
being accepted. The test has been corrected and those classes
are now allowed.
- spec file changes

* rebased systemd.patch

* added shorewall-init-4.5.15-install.patch and removed
shorewall-init-4.5.2-install.patch

Mon Mar 11 13:00:00 2013 toganmAATTopensuse.org
- Update to version 4.5.14 For more details see changelog.txt and
releasenotes.txt

* Previously, a list of IPv6 host addresses where each address
was enclosed in square brackets generated a fatal compile-time
error.
Such lists are now handled correctly.

* The Shorewall 'load', 'reload' and 'export' commands have now
been modified to use a shorewallrc file in a remote system's export
directory. If the directory layout of the remote system differs
from that of the administrative system, then the remote
system's export directory should contain a copy of that system's
shorewallrc file.

* A syntax error in the Shorewall uninstall.sh file has been
eliminated.

* The contents of the various configpath files have been
corrected.

* The Shorewall uninstall.sh script previously failed to remove
the macro files from ${SHAREDIR}/shorewall. Those files are now
removed.

* The 'version -a' command now prints the correct shorewall-core
version when it is run from shorewall6, shorewall-lite and
shorewall6-lite.

* It is now possible to specify a port or port range along with
an address variable in the ADDRESSES column of /etc/shorewall/masq.
Example:
#INTERFACE  SOURCE         ADDRESS    PROTO  DEST
#                                            PORT(S)
eth0        172.20.4.0/24  &eth0:44   tcp    45
Previously, this usage generated a fatal compilation error.

* Port numbers and service names may now be specified with the
UDPLITE protocol.

* The SUBSYSLOCK setting in the default shorewall6.conf file has
been changed from /var/lock/subsys/shorewall to
/var/lock/subsys/shorewall6.
- rebased systemd.patch

Wed Feb 13 13:00:00 2013 toganmAATTopensuse.org
- Update to version 4.5.13 For more details see changelog.txt and
releasenotes.txt

* If a chain consisted of a single RETURN rule, optimize level 4
would handle it incorrectly by moving the RETURN rule to the
chain(s) that jumped to the single-rule chain. The optimizer
now simply eliminates the chain and rule.
As part of this change, the optimizer now deletes trailing
RETURN rules from chains.

* If a default inline action was specified with parameters, the
compiler would fail with an internal error.

* The compiler was mis-handling simple arithmetic expressions
consisting of a single number, evaluating the number as ''
rather than as its numeric value.
- Rebased systemd.patch

Sun Jan 20 13:00:00 2013 toganmAATTopensuse.org
- Update to version 4.5.12 For more details see changelog.txt and
releasenotes.txt

* This release contains the defect repairs from Shorewall
4.5.11.1 and 4.5.11.2.

* Two defects associated with 'update -D' have been corrected.
+ shorewall.conf.bak is no longer deleted.
+ files that are not changed no longer have their mtime updated.

* Inline actions in the RELATED and ESTABLISHED sections now work
correctly.

* The 'dropInvalid' built-in function now works correctly.

* The compiler now generates an error when a protocol list is
used in a context where only a single protocol name/number is
accepted.

* The generated script now correctly deletes Traffic Control
configurations when CLEAR_TC=Yes. Previously, the
configurations on interfaces with an '@xxxxxx' suffix in their
names were not cleared.

* Under very rare circumstances, optimize level 4 could leave a
rule that jumped to a non-existent chain, causing
iptables-restore to fail.

* If an error was raised while compiling a default action, a Perl
diagnostic could appear and the Shorewall error message would
not be printed.

* It is once again possible to use DNS names in rules without an
interface name.

Tue Jan 15 13:00:00 2013 toganmAATTopensuse.org
- Added systemd.patch to fix the exec path (bnc# 798525)

Sat Jan 12 13:00:00 2013 toganmAATTopensuse.org
- Update to 4.5.11.2 For more details see changelog.txt and
releasenotes.txt

* Corrected fix 2 from 4.5.11.1.

* 4.5.11.1
Beginning with Shorewall 4.5.10, if the name of an optional
interface contained one or more characters that are not valid
in a shell function name, then the generated script would fail with
a \"syntax error: bad function name\" shell diagnostic.
That problem has been corrected so that a valid function name
is generated.

* The kernel modules supplied by xtables-addons are now listed in
the modules.xtables files. They were previously omitted.

Mon Dec 17 13:00:00 2012 toganmAATTopensuse.org
- Update to 4.5.10.1 For more details see changelog.txt and
releasenotes.txt

* Correct typo in conntrack module

Sun Dec 9 13:00:00 2012 toganmAATTopensuse.org
- Update to 4.5.10 For more details see changelog.txt and
releasenotes.txt

* This release includes all defect repair included in
4.5.9.1-4.5.9.3.

* Under rare circumstances, optimize level 16 could produce
invalid iptables-restore input which would cause start/restart
to fail.

* Before this release, the 'started' script was run prior to
copying the temporary script file (e.g., /var/lib/shorewall/.start)
to /var/lib/shorewall/firewall. If the script failed, the copy
would not take place even though the firewall had started
successfully. The script is now copied before running the
'started' script.
If you compare the script generated by this release with one
generated by a prior release, we suggest that you ignore
whitespace changes (e.g., use the '-w' option in diff); that way,
you can see the actual change more clearly.

* AUTOCOMMENT=No now works correctly; previously, it behaved the
same as AUTOCOMMENT=Yes.

* A harmless extraneous comma has been deleted from the rule
generated by action.RST.

Wed Nov 21 13:00:00 2012 toganmAATTopensuse.org
- Update to 4.5.9.2 For more details see changelog.txt and
releasenotes.txt

* Previously, the rules in the 'routemark' chain did not specify
a mask in the MARK target. While a mask isn't strictly necessary
in those rules, one has been added to ally fears of those who read
the generated ruleset.
Note: The 'routemark' chain is used to apply provider marks to
packets received from 'track' provider interfaces. It is
traversed early in the mangle PREROUTING chain when no other
marks have yet been applied to the packet.

* If exclusion was used with TPROXY in the tcrules file, an
invalid iptables ruleset was generated causing start and
restart commands to fail when running iptables-restore.

* Previously, if a provider and its interface had the same name,
then the 'enable' command would not work on that interface.

Sat Nov 10 13:00:00 2012 toganmAATTopensuse.org
- Update to 4.5.9.1 For more details see changelog.txt and
releasenotes.txt

* Previously, using a wildcard interface name in a rule would
result in this error:
ERROR: Invalid ipset name (ppp+) : ...
Such entries are now handled correctly.

* The shorewall-masq(5) manpage incorrectly stated that the
SOURCE column may use exclusion with an interface name (e.g.,
eth1:!1.2.3.4). That hasn't been the case for some time. To
accomplish the same thing, do this:
eth0 1.2.3.4 NONAT
eth0 eth1
Note: Using an interface name in the SOURCE column is deprecated.

* Previously, if a MARK was specified for a tc class that
explicitly specified a class number, the following spurious
warning message was issued:
WARNING: Class NUMBER ignored --
INTERFACE does not have the 'classify' option
That warning message is no longer issued.

* With Shorewall 4.5.9, there were issues when the ipset utility
was not installed, some of which prevented Shorewall from
starting.
- Adjust for the usr move

* change /sbin/service to /usr/service in requires and setting links

Tue Oct 30 13:00:00 2012 toganmAATTopensuse.org
- Update to 4.5.9 For more details see changelog.txt and
releasenotes.txt

* This release contains all defect repair from Shorewall 4.5.8.2.

* A typo has been corrected in the shorewallrc.default file.

* Beginning with Shorewall 4.5.7.2, Shorewall unconditionally
restores the provider mark as the first rule in the mangle
table OUTPUT and PREROUTING chains. Previously, the provider
mark was restored only if it was non-zero.
It has become clear that some users need it one way while
others need it the other way. To resolve this issue, a
RESTORE_ROUTEMARKS option has been added to shorewall.conf and
shorewall6.conf. When this option is set to Yes (the default),
the 4.5.7.2 approach is used (always restore the mark, even if
it is zero); when it is set to No, the pre-4.5.7.2 behavior is
retained (only restore the mark if it is non-zero).

* Two error messages produced by the RST action have been
corrected. They previously referred to errors in the NotSyn
action rather than RST.

Wed Oct 10 14:00:00 2012 toganmAATTopensuse.org
- Update to 4.5.8.2 For more details see changelog.txt and
releasenotes.txt

* The 'shorewall show' command previously produced no output.
That command now works with ipset versions 4 and later.

* The change in 4.5.8.1 that enabled industry-standard IPv4
address representation broke the ability to place IP ranges or
IPv6 ipsets in the hosts file. Those abilities have been
restored.

* The treatment of the SYSTEMD and INITFILE shorewallrc variables
has been inconsistent. The -lite installers ignore INITFILE
when SYSTEMD is specified, while the other installers do not.
Now, the -lite installers install the .service file if SYSTEMD
is specified and they install the sysv-init script if INITFILE
is specified. That is consistent with the behavior of the other
installers.

Sun Oct 7 14:00:00 2012 toganmAATTopensuse.org
- Update to 4.5.8.1 For more details see changelog.txt and
releasenotes.txt

* When ipset version 5 or later was installed, the 'shorewall show
dynamic' command produced no output and the 'add' command
failed with this error message:
Zone , interface does not have a dynamic
host list"

* When generating ipset names for dynamic zones, the compiler was
dropping dashes ('-') from the interface name and adding a unique
suffix. For example the ipset for zone 'foo' and interface 'bar-if'
might be 'foo_barif_1'. Dashes are now retained so that the
generated set name in this example will be 'foo_bar-if'. This change
also allows the 'add' and 'delete' commands to work correctly when
the interface name contains one or more dashes.
Although dash is documented as being an accepted character in ipset
names, names containing a dash would generate an error in some
contexts. That has also been corrected.

* In most contexts, Shorewall6 has required IPv6 addresses to be
enclosed in either angled brackets ( <....> , deprecated) or in
square brackets ([....]). This includes network addresses, where
both the IPv6 address and the VLSM are required to be within the
brackets (e.g., [2001:470:b:787::/64]). This differs from the
industry-standard network form in which the IPv6 address is enclosed
in square brackets and the VLSM is outside of the brackets (e.g.,
[2001:470:b:787::]/64). Beginning with this release, the
industry-standard representation is also accepted by Shorewall6.
Note: Those of you who read the patches will probably have noticed
that much of this change was actually in 4.5.8; because the change
was committed late in the 4.5.8 release cycle, we chose not to
document the change until it had undergone additional testing.
- Added 0001-remote_fs.patch for shorewall-init sysv-init scripts
rebased patches to -p1 level

Fri Oct 5 14:00:00 2012 toganmAATTopensuse.org
- Update to 4.5.8 For more details see changelog.txt and
releasenotes.txt

* This release includes the defect repair from Shorewall 4.5.7.1.

* The restriction that TTL and HL rules could only be placed in
the FORWARD chain prevented these rules from being used to hide
a router from traceroute[6]. It is now allowed to place these
rules in the PREROUTING chain by following the specification
with ':P' (e.g., 'TTL(+1):P').

* Previously, the macro.SNMP macro opened both UDP ports 161 and
162 from SOURCE to DEST. This is against the usual practice of
opening these ports in the opposite direction. Beginning with
this release, port 162 is opened from SOURCE to DEST as
before, while port 161 is opened from DEST to SOURCE.

* Previously, when compiling for export, both
/etc/shorewall/shorewall[6].conf and the shorewall[6].conf in
the configuration directory were processed. Now, only the copy
in the configuration directory is processed.

* The 'iptables_raw' module has been added to the
modules.essential file.

* Several corrections have been made to the Fedora/Redhat init
script for Shorewall-init.

* The parameter to the 'try' command is now
documented in the shorewall(8) and shorewall6(8) manpages.

* Some redundant interface-option rules have been removed in
configurations with multiple zones configured on a single
interface.

* Previously, when compiling for export, the compilation would
fail if the setting of SHAREDIR in the firewall's shorewallrc
was different from the setting on the admin system. Such
compilations now succeed.
- For openSUSE 12.3 provide only systemd and drop sysv-init scripts

Mon Sep 24 14:00:00 2012 toganmAATTopensuse.org
- Since shorewall executables are in /usr/sbin systemd service
files now reflect the correct location

Mon Sep 3 14:00:00 2012 toganmAATTopensuse.org
- Update to 4.5.7.1 For more details see changelog.txt and
releasenotes.txt

* When using IPSEC in a multi-ISP configuration, it is possible
for the kernel to mis-route ESP packets. To date, this problem
has only been observed on a system running a 3.5 kernel where
traffic is being tunneled through GRE which is in turn being
tunneled via IPSEC.
This Shorewall release includes a low-cost workaround.

* The Netfilter team have announced their intention to remove the
NOTRACK target in favor of 'CT --notrack'. Shorewall will now
map NOTRACK to 'CT --notrack' if the CT Target is available.

* Previously, the current COMMENT was not being cleared after the
blrules file was processed, causing that COMMENT to be used on
entries in the rules file. That defect has been corrected.
- Add a note to the spec for reviewer explaining the configure
command usage
- Removed following opensuse specific patches as they are merged to
upstream now
+ shorewall-lite-4.5.2-init.patch
+ shorewall6-4.5.2-init.patch
+ shorewall6-lite-4.5.2-init.patch
+ shorewall-init-4.4.21_init_sh.patch
- Added 001-required-stop-fix patch for shorewall-lite/init.suse.sh

Tue Aug 21 14:00:00 2012 toganmAATTopensuse.org
- Update to 4.5.7 For more details see changelog.txt and
releasenotes.txt

* This release includes the defect repair from Shorewall 4.5.6.2.

* The command 'shorewall enable pppX' could fail with the ip
diagnostic Error: either "to" is duplicate, or "weight" is a
garbage.
Shorewall now generates the correct ip command.

* Optimize level 4 could previously combine two rules that each
specified the 'policy' match, leading to this iptables-restore
failure:
policy match: multiple elements but no --strict
The optimizer now avoids combining such rules.
While this is a long-standing defect in the optimizer, it was
exposed by changes in Shorewall 4.5.6.

* There were several cases where hard-wired directory names
appeared in the tarball installers. These have been replaced
with the appropriate shorewallrc variables.

* A defect in RHEL 6.3 and derivatives causes 'shorewall show
capabilities' to leave an empty ipset in the configuration. The
same defect can cause the Shorewall compiler to similarly leave
an empty ipset behind.
This Shorewall release has a workaround for this problem.
- Added Bash >= 4 to BuildRequires
- Fix builds for Fedora

Wed Aug 8 14:00:00 2012 toganmAATTopensuse.org
- Update to 4.5.6.2 For more details see changelog.txt and
releasenotes.txt

* The compiler now generates an error when a SOURCE interface is
specified in a rule where the SOURCE zone is the firewall
itself.

* Previously, entries in /etc/shorewall/notrack that specified a
Vserver zone in the SOURCE column were omitted from the
generated ruleset.

* The set of helpers available in the notrack file and in the
HELPER column of the tcrules file was incorrect:
- The Amanda helper requires a UDP port -- Shorewall was
requiring TCP.
- The H323 module supplies two helpers: 'RAS' and 'Q.931';
Shorewall only accepted 'h323'.
- The Netbios NS module supplies the 'netbios-ns' helper;
Shorewall only accepted 'netbios_ns'.

* The conditional directive '?IF 0' generated an error from the
compiler. It now causes following lines to be omitted.

Tue Jul 10 14:00:00 2012 toganmAATTopensuse.org
- Update to 4.5.6 For more details see changelog.txt and
releasenotes.txt

* This release includes the defect repairs from Shorewall 4.5.5.1
through 4.5.5.4.

* Previously, the tcrules file was not processed when
TC_ENABLED=No. That meant that to use features like TPROXY, it
was necessary to set TC_ENABLED=Yes and create a dummy
/etc/shorewall/tcstart file. Now, only MANGLE_ENABLED=Yes is
required.

Sun Jul 1 14:00:00 2012 toganmAATTopensuse.org
- Update to 4.5.5.3 For more details see changelog.txt and
releasenotes.txt

* When logical interface names were used, an entry in tcrules
that included a classid could result in the compiler failing with
this Perl diagnostic:
Can't use an undefined value as an ARRAY reference at
/usr/share/shorewall/Shorewall/Tc.pm line nnn, <$currentfile>
line 20.

Fri Jun 15 14:00:00 2012 toganmAATTopensuse.org
- Update to 4.5.5.1 For more details see changelog.txt and
releasenotes.txt

* The change in Shorewall 4.5.4 that cleared the 'default' table
if there were no 'fallback' providers broke multiple 'fallback'
providers that don't supply a weight. The symptoms were that
there were host routes to the default gateways in the 'default'
routing table but no default routes through those gateways.
This has now been corrected and multiple 'fallback' routes are
once again supported.

* When a logical device name was specified in the REDIRECTED
INTERFACES column of /etc/shorewall/tcdevices, that name was
used in the generated script rather than the device's physical
name. Unless the two were the same, this caused start/restart
failure. Shorewall now uses the physical name.

Sat Jun 9 14:00:00 2012 toganmAATTopensuse.org
- Update to 4.5.5 For more details see changelog.txt and
releasenotes.txt

* This release includes all defect repair from Shorewall 4.5.4.1
and 4.5.4.2.

* The Shorewall compiler sometimes must defer generating a rule
until runtime. This is done by placing shell commands in its
internal representation of a chain. These commands are then
executed at run time to create the final rule.
If all of the following were true, then an incorrect ruleset
could be generated:
+ Optimization level 4 was set.
+ A chain (chain A) containing shell commands had three or
fewer rules and commands.
+ The last rule in a second chain was a conditional jump to
chain A.
Under these conditions, the rules and commands in Chain A

* The Shorewall-core configure and configure.pl script were
treating SYSCONFDIR as a synonym for CONFDIR making it
impossible to set SYSCONFDIR.

Thu Jun 7 14:00:00 2012 toganmAATTopensuse.org
- Update to 4.5.4.2 For more details see changelog.txt and
releasenotes.txt

* The problems corrected section of the 4.5.4.1 release notes was
missing the third problem corrected in the release. It has now
been added.

* A number of problems in Shorewall-init have been corrected:
+ If more than one product was listed in the PRODUCTS setting
in /etc/default/shorewall-init (/etc/sysconfig/shorewall-init)
then the second product would not be started/stopped.
+ Shorewall-init used 'restart' in response to an optional
provider interface coming up. If the interface has been
marked unusable (1 in the interface's .status file), then the
'restart' would not enable the interface.
+ Shorewall-init produced a lot of clutter on the console
during boot. You may now specify a LOGFILE in
/etc/default/shorewall-init (/etc/sysconfig/shorewall-init)
and all output produced by up and down events will be sent to
that log. If no log is specified, this output is sent to
/dev/null.

* The order in which the compiler processes line-continuation
(line ending in '\') and conditional-inclusion directives (?IF,
?ELSE, and ?ENDIF) has been reversed.
Previously, the compiler built a concatenated line, then
checked to see if the line began with ?IF, ?ELSE or ?ENDIF. Now, the
compiler checks for ?IF, ?ELSE or ?ENDIF first and prevents
those lines from becoming part of the concatenation.

* Two issues with the shorecap programs have been corrected:
+ The Shorewall6-lite version failed to run with the message:
/usr/share/shorewall6-lite/lib.cli: No such file or
directory
+ The Shorewall-lite version would not run if SHAREDIR was
set to a value other than /usr/share in shorewallrc.

* The Shorewall 4.5.2.3 fix for the Shorewall-core installer's
handling of --host=linux was not brought forward into 4.5.3.
It has been included again in this version.

* Single-line embedded PERL and SHELL commands have been
re-enabled.

Fri Jun 1 14:00:00 2012 toganmAATTopensuse.org
- Update to 4.5.4.1 For more details see changelog.txt and
releasenotes.txt

* Beginning with Shorewall 4.4.22, the \'pptpserver\' tunnel type
has been configured as a PPTP client running on the firewall
rather than as a server on the firewall. It is now correctly
configured as a server.

* The shorewall-accounting (5) and shorewall6-accounting (5)
documentation for the IPSEC column is incorrect. Rather than
'accountin' and 'accountout', the chain names should be
'accipsecin' and 'accipsecout'.

* IPSEC accounting did not work if the accounting file was
sectioned. Beginning with this release, the IPSEC column can
be specified in any section. As always, the IPSEC column
contains a comma-separated list of items. In the FORWARD
chain, the first (or only) item in the list must be either
'in' or 'out' to indicate whether the rule matches incoming
packets that have been decrypted ('in') or outgoing packets
that will be encrypted ('out'). There are no restrictions with
respect to which chain IPSEC rules can appear in a sectioned
file.

Sat May 26 14:00:00 2012 toganmAATTopensuse.org
- Update to 4.5.4 For more details see changelog.txt and
releasenotes.txt

* When EXPORTMODULES=No in shorewall.conf, the error messages
have been eliminated.

* If the configuration settings in the PACKET MARK LAYOUT section
of shorewall.conf (shorewall6.conf) had empty settings, the
'update' command would previously set them to their default
settings. It now leaves them empty.

* Previously, Shorewall used 'unreachable' routes to null-route
the RFC1918 subnets. This approach has two drawbacks:
- It can cause problems for IPSEC in that it can cause packets
to be rejected rather than encrypted and forwarded.
- It can return 'host unreachable' ICMPs to other systems that
attempt to route RFC1918 addresses through the firewall.
To eliminate these problems, Shorewall now uses 'blackhole'
routes.
Such routes don't interfere with IPSEC and silently drop
packets rather than return an ICMP.

* The 'default' routing table is now cleared if there are no
'fallback' providers.

* Tproxy implementation has been reworked. For more details
please consult the releasenotes.txt and changelog.txt

Tue May 15 14:00:00 2012 toganmAATTopensuse.org
- Update to 4.5.3.1 For more details see changelog.txt and
releasenotes.txt

* Previously, nested conditionals did not work correctly in all
cases. In particular:
?IF $FALSE
    ?IF $FALSE
        foo
        bar
    ?ENDIF
    baz
    bop
?ENDIF
In this case, the lines 'baz' and 'bop' were incorrectly
included when they should have been omitted.
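The nested-conditional defect above and the directive-before-continuation ordering described in the 4.5.4.2 entry both concern the same preprocessing step. As an added illustration (not Shorewall's own compiler code), this Python sketch models that step with the corrected semantics; the condition grammar ([!] $NAME or an integer) and the sample lines are assumptions of the example.

```python
"""Hypothetical model of Shorewall's ?IF/?ELSE/?ENDIF preprocessing.
Added illustration only, not Shorewall's compiler code. It shows:
  * nested conditionals tracked on a stack, so a false outer ?IF
    suppresses everything down to its own ?ENDIF, including lines
    after an inner ?ENDIF (the 4.5.3.1 fix: 'baz'/'bop' are omitted);
  * directives recognised before line continuation, so a directive is
    never glued onto a preceding line ending in '\\' (the 4.5.4.2 change).
"""
from typing import Dict, List


def eval_condition(expr: str, variables: Dict[str, str]) -> bool:
    """Evaluate a minimal condition:  [!] ( $NAME | integer ).
    Assumed grammar for this example; an unset, empty or zero-valued
    variable is false."""
    expr = expr.strip()
    negate = expr.startswith("!")
    if negate:
        expr = expr[1:].strip()
    if expr.startswith("$"):
        result = variables.get(expr[1:], "") not in ("", "0")
    elif expr.isdigit():
        result = int(expr) != 0
    else:
        raise ValueError(f"unsupported condition: {expr!r}")
    return not result if negate else result


def preprocess(lines: List[str], variables: Dict[str, str]) -> List[str]:
    """Return the logical lines surviving conditional inclusion, with
    backslash continuations joined into single lines."""
    # One frame per open ?IF: [this_branch_active, some_branch_taken]
    stack: List[List[bool]] = []
    out: List[str] = []
    pending = ""  # partial line accumulated from '\'-continued lines

    def active() -> bool:
        return all(frame[0] for frame in stack)

    for raw in lines:
        stripped = raw.strip()
        keyword = stripped.split(None, 1)[0] if stripped else ""
        # 1. Directives are handled first, before continuation, so a
        #    directive following a '\'-terminated line stays a directive.
        if keyword == "?IF":
            cond = active() and eval_condition(stripped[3:], variables)
            stack.append([cond, cond])
            continue
        if keyword == "?ELSE":
            if not stack:
                raise SyntaxError("?ELSE without ?IF")
            frame = stack[-1]
            outer = all(f[0] for f in stack[:-1])
            frame[0] = outer and not frame[1]
            frame[1] = frame[1] or frame[0]
            continue
        if keyword == "?ENDIF":
            if not stack:
                raise SyntaxError("?ENDIF without ?IF")
            stack.pop()
            continue
        # 2. Anything inside a false branch, at any depth, is dropped.
        if not active():
            continue
        # 3. Continuation: a trailing backslash joins with the next line.
        if stripped.endswith("\\"):
            pending += stripped[:-1].rstrip() + " "
            continue
        out.append((pending + stripped).strip())
        pending = ""

    if stack:
        raise SyntaxError("missing ?ENDIF")
    if pending:
        out.append(pending.strip())
    return out


# Constructed sample inputs; NESTED mirrors the changelog's example.
NESTED = ["?IF $FALSE", "    ?IF $FALSE", "        foo", "        bar",
          "    ?ENDIF", "    baz", "    bop", "?ENDIF", "ACCEPT net fw tcp 22"]
# A '\'-continued rule with a directive in the middle: the directive is
# not concatenated, and '80' is skipped because the condition is false.
CONTINUED = ["ACCEPT net fw tcp \\", "?IF 0", "    80", "?ENDIF", "    443"]
ELSE_BRANCH = ["?IF $FALSE", "DROP all all", "?ELSE", "ACCEPT all all", "?ENDIF"]

if __name__ == "__main__":
    for sample in (NESTED, CONTINUED, ELSE_BRANCH):
        print(preprocess(sample, {"FALSE": "0"}))
```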

* The 'balance' routing table is now cleared if there are no
'balance' providers.

* Previously, the compiler generated an invalid 'ip add route'
command if an IPv6 provider had '-' in the GATEWAY column.

* As noted in the Migration Considerations, the generated
firewall script maintains the interface .status files used by
LSM and SWPING. Up to now, however, the 'disable' command did
not update the .status file. That has been corrected. As part
of the change, the 'isusable' script is no longer consulted by
the 'enable' command.

Fri May 11 14:00:00 2012 toganmAATTopensuse.org
- Update to 4.5.3 For more details see changelog.txt and
releasenotes.txt

* The LOCKFILE setting in shorewall.conf and shorewall6.conf had
inadvertently become undocumented. It is now documented again.

* If an initial installation of Shorewall, Shorewall6, Shorewall
Lite or Shorewall6 Lite was done under Shorewall 4.5.2, then the
firewall would not start up at boot even though the installer
indicated that it would. That defect has been corrected.

* Previously, when per-IP rate limiting was invoked, the compiler
would use the deprecated '--ratelimit' option, even if the
preferred '--ratelimit-upto' option was available. Now, the
compiler uses the preferred option if it is supported by the
installed version of iptables.

* Prior to this release, using a manual chain in the ACTION
column of a macro body generated an error:
ERROR: Invalid Action (mychain) in macro, macro.FOO (line ...)
This now works correctly and generates a jump to the specified
manual chain.

* Previously, a line with the single word COMMENT in the tunnels
file would generate the following error:
ERROR: Zone must be specified
Now, such a line correctly resets the current rule comment.

* In Shorewall 4.5.2, the MARK column in the tcrules file was
renamed to ACTION but only 'mark' was accepted in the alternate
specification format. Now both 'mark' and 'action' are
accepted.

* The alternative method of provider balancing using the
statistic match feature of iptables/Netfilter was missing some
logic, with the result that it was ineffective.

* If a logical interface name was used by itself in the SOURCE
column of the rtrules file, the generated routing rule would
contain the logical name rather than the physical name.

Tue May 1 14:00:00 2012 toganmAATTopensuse.org
- Update to 4.5.2.4 For more details see changelog.txt and
releasenotes.txt

* The 'shorewall reset' command now correctly resets the IPv4
packet and byte counters; previously, it was resetting the IPv6
counters.

* The Shorewall installer now modifies the Chains.pm file for the
Digest::SHA dependency when $DESTDIR is set, provided that
$BUILD = $HOST. This allows rpm to automatically generate the correct
module dependency.

Sun Apr 15 14:00:00 2012 toganmAATTopensuse.org
- Update to 4.5.2.2 For more details see changelog.txt and
releasenotes.txt

* If a shorewallrc file is passed to the 4.5.2.1 Shorewall-core
install.sh, subsequent compilations fail. The error message
indicates that the compiler is looking for lib.core, but the
pathname has embedded spaces.

* The 4.5.2.1 Shorewall/Shorewall6 installer installs an
incorrect file as /etc/shorewall[6]/Makefile.

Sat Apr 14 14:00:00 2012 toganmAATTopensuse.org
- Update to 4.5.2.1 For more details see changelog.txt and
releasenotes.txt

* In release 4.5.2, if an INCLUDE directive appeared inside a ?IF
... ?ENDIF sequence, then the following error would be
generated after the included file had been read:
ERROR: Missing ?ENDIF to match the ?IF at line ...

* An error in the shorewallrc.apple file has been corrected.

* The shorewallrc.redhat file has been changed to conform to
Fedora packaging guidelines.

* The output of the 'version -a' command reflected incorrect
versions when Shorewall-core 4.5.2 was installed. That has been
corrected.

Fri Apr 13 14:00:00 2012 toganmAATTopensuse.org
- Update to 4.5.2 For more details see changelog.txt and
releasenotes.txt

* The generated firewall script includes code to automatically
create ipsets that are referenced but that don't exist. That code
was broken in releases 4.4.22 and later. This defect has been
corrected. As part of the fix, the generated script will now
issue a warning message when it creates an ipset.

* The 'mss' option is now supported in the /etc/shorewall[6]/hosts
files. See the manpages for details.

* It is now possible to conditionally include or omit
configuration entries based on the settings of shell variables.
See http://www.shorewall.net/configuration_file_basics.htm
for details.

* The MARK/CLASSIFY column in /etc/shorewall[6]/tcrules has been
renamed ACTION to reflect the expanded set of actions that can
be specified in the column.

* Some users are finding these ipset warnings objectionable:
+ Warning when a referenced ipset does not exist.
+ Warning when using [src] in a destination column or [dst] in
a source column.
These warnings may now be suppressed by setting
IPSET_WARNINGS=No in shorewall.conf and/or shorewall6.conf.

Tue Mar 20 13:00:00 2012 toganmAATTopensuse.org
- Update to 4.5.1.1 For more details see changelog.txt and
releasenotes.txt

* When checking or compiling for export (-e option),
/sbin/shorewall would previously issue a warning message if
the SHOREWALL_SHELL specified in the remote firewall's
shorewall.conf did not exist.

* The changes to TOS handling in 4.5.1 are incompatible with
older releases such as RHEL5 and derivatives. That has been
corrected.

* The rules compiler now verifies that the protocol is TCP, UDP,
SCTP or DCCP when checking a port range (low:high or low-high).

* Previously, start or restart using the init script would fail
with an error message referencing 'SHOREWALL_INIT_SCRIPT'.
This defect was not visible to users that set AUTOMAKE=Yes or
that run Shorewall-init.

Fri Mar 16 13:00:00 2012 toganmAATTopensuse.org
- Update to 4.5.1 For more details see changelog.txt and
releasenotes.txt

* This release includes all defect repair from versions
4.5.0.1-4.5.0.3.

* A typo has been corrected in the blrules man pages.

* Previously, if the interface appearing in the HOSTS column of
/etc/shorewall6/hosts was not defined in
/etc/shorewall6/interfaces, then the compiler would terminate
with a Perl diagnostic:
Can't use an undefined value as a HASH reference at
/usr/share/shorewall/Shorewall/Zones.pm line 1817,
<$currentfile> line ...

* The compiler was previously failing to validate the contents of
the LENGTH and TOS columns in /etc/shorewall/tcrules. The
contents of those columns are now validated by the compiler and
an appropriate error message is issued if validation fails.

* The column headings in the tos files are now in the proper
order. Previously, the SOURCE PORT and DEST PORT columns were
reversed.

Sun Feb 26 13:00:00 2012 toganmAATTopensuse.org
- Update to 4.5.1-Beta2 For more details see changelog.txt and
releasenotes.txt

* A typo has been corrected in the blrules man pages.

* Previously, if the interface appearing in the HOSTS column of
/etc/shorewall6/hosts was not defined in
/etc/shorewall6/interfaces, then the compiler would terminate
with a Perl diagnostic:
Can't use an undefined value as a HASH reference at
/usr/share/shorewall/Shorewall/Zones.pm line 1817,
<$currentfile> line ...

Wed Feb 22 13:00:00 2012 toganmAATTopensuse.org
- Update to 4.5.1-Beta For more details see changelog.txt and
releasenotes.txt

* The packaging of the Shorewall products has been changed. Beginning
with this release, the packages are:
+ Shorewall Core -- Core libraries installed in
/usr/share/shorewall/
+ Shorewall -- Requires Shorewall Core. Together with
Shorewall Core, provides IPv4 firewalling.
+ Shorewall6 -- Requires Shorewall. Provides IPv6
firewalling.
+ Shorewall Lite -- Requires Shorewall Core. As before.
+ Shorewall6 Lite -- Requires Shorewall Core. As before.
+ Shorewall Init -- As before

Sat Jan 21 13:00:00 2012 toganmAATTopensuse.org
- Update to 4.4.27.3 For more details see changelog.txt and
releasenotes.txt

* Previously, if USE_DEFAULT_RT=Yes and 'loose' was specified on
all providers, then no routing rule targeting the main routing
table was generated. This has been corrected so that
USE_DEFAULT_RT=Yes always results in such a rule at
priority 999.

* Shorewall 4.4.27 broke Shorewall-init functionality. It is
restored in this release.

Mon Jan 16 13:00:00 2012 toganmAATTopensuse.org
- Update to 4.4.27.2. For more details see changelog.txt and
releasenotes.txt

* A long-standing problem with Shorewall's 'save' facility has
been discovered. The defect can cause rules to be dropped during
'save' so that they are not available to be reapplied during
'restore'. This can occur in 'safe-restart' when the prompt is
not acknowledged or when it is acknowledged with 'n'.
The problem can occur when:
a) There are IPSEC zones or hosts present; and
b) GOTO Target support is available in the kernel and
iptables.
Example of a rule that will be dropped:
-A eth2_fwd -m policy --dir in --pol ipsec -g AAA_frwd
The defective code has been corrected so that rules are no
longer dropped.

Thu Jan 12 13:00:00 2012 toganmAATTopensuse.org
- Update to 4.4.27.1. For more details see changelog.txt and
releasenotes.txt

* When optimization category 4 is used, unconditional jumps at
the end of chains are replaced with the rules in the target
chain. This can result in rulesets that are considerably larger
than necessary. Beginning with this release, replacement will
only occur if:
a) The jump is the only reference to the target chain; or
b) The target chain contains 3 or fewer rules.
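An added illustration of the replacement rule above, written in Python and not taken from Shorewall's optimizer: chains are modelled as lists of (match, target) pairs with an empty match meaning an unconditional rule, and a constructed six-chain ruleset shows the restricted inlining beside the unrestricted behaviour it replaces. Chain names, rule matches and the builtin-chain set are constructed for the example.

```python
"""Added example, not Shorewall's own code: a toy model of the optimization
level 4 decision. A chain is a list of (match, target) rules; an empty match
means an unconditional rule. All names below are constructed."""

BUILTIN = {"INPUT", "FORWARD", "OUTPUT"}   # never deleted even if unreferenced
MAX_INLINE_RULES = 3                       # the "3 or fewer rules" threshold


def reference_counts(chains):
    """Number of jumps to each user chain from anywhere in the ruleset."""
    counts = {name: 0 for name in chains}
    for rules in chains.values():
        for _match, target in rules:
            if target in counts:
                counts[target] += 1
    return counts


def trailing_jump(name, rules, chains):
    """Target of a trailing unconditional jump to another user chain, else None."""
    if rules:
        match, target = rules[-1]
        if match == "" and target in chains and target != name:
            return target
    return None


def inline_trailing_jumps(chains, restrict=True):
    """Replace a trailing unconditional jump with the target chain's rules.
    With restrict=True (the 4.4.27.1 rule) this happens only when the jump is
    the sole reference to the target or the target has MAX_INLINE_RULES rules
    or fewer; restrict=False models the earlier unconditional replacement.
    Chains left unreferenced afterwards are dropped."""
    chains = {name: list(rules) for name, rules in chains.items()}
    for _ in range(10000):  # guard against mutually recursive chains
        counts = reference_counts(chains)
        changed = False
        for name, rules in chains.items():
            target = trailing_jump(name, rules, chains)
            if target is None:
                continue
            if (not restrict or counts[target] == 1
                    or len(chains[target]) <= MAX_INLINE_RULES):
                rules[-1:] = chains[target]
                changed = True
                break  # reference counts changed; recompute before deciding again
        if not changed:
            break
    counts = reference_counts(chains)
    return {name: rules for name, rules in chains.items()
            if name in BUILTIN or counts[name] > 0}


def total_rules(chains):
    return sum(len(rules) for rules in chains.values())


# Constructed ruleset: net2fw is large and shared, private is small and shared.
SAMPLE_CHAINS = {
    "INPUT": [("-i eth0", "eth0_in"), ("-i eth1", "eth1_in"),
              ("-i eth2", "eth2_in"), ("-i eth3", "eth3_in")],
    "eth0_in": [("-p tcp --dport 22", "ACCEPT"), ("", "net2fw")],
    "eth1_in": [("", "net2fw")],
    "eth2_in": [("", "private")],
    "eth3_in": [("-p tcp --dport 25", "DROP"), ("", "private")],
    "net2fw": [("-p tcp --dport 80", "ACCEPT"), ("-p tcp --dport 443", "ACCEPT"),
               ("-p udp --dport 53", "ACCEPT"), ("-p icmp", "ACCEPT"), ("", "DROP")],
    "private": [("-s 10.0.0.0/8", "ACCEPT"), ("", "REJECT")],
}

if __name__ == "__main__":
    print("restricted:  ", total_rules(inline_trailing_jumps(SAMPLE_CHAINS)), "rules")
    print("unrestricted:", total_rules(inline_trailing_jumps(SAMPLE_CHAINS, restrict=False)), "rules")
```

With the restriction, the two-rule `private` chain is inlined into both callers and removed, while the five-rule `net2fw` chain, referenced from two places, is kept as a single copy; without it `net2fw` is duplicated into every caller and the ruleset grows from 17 to 20 rules.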

* The feature introduced in 4.4.25 that allowed provider names in
the 'enable' and 'disable' commands was only implemented for
'enable'. It is now implemented for 'disable' as well.

* When detecting IPv6 global addresses through an interface,
Shorewall6-generated scripts were ignoring addresses beginning
with '3'.

* A typo in /usr/share/shorewall/prog.header caused an 'awk' script
to fail when saving a multi-hop default route during 'start'.

* The value '0' is once again accepted in the IN_BANDWIDTH
columns of tcinterfaces and tcrules, and causes no ingress
policing to be configured.

* MARK_IN_FORWARD_CHAIN=Yes no longer generates an error when
$FW: is entered in the SOURCE column of the tcrules file.

* In most Shorewall 4.4 versions, if an exported params file
(EXPORTPARAMS=Yes in shorewall.conf) generates any output to
stdout, then the following messages would appear during
start/restart:
Compiling /etc/shorewall/routestopped...
Shorewall configuration compiled to
/var/lib/shorewall/.restart
printf: 214: Build: expected numeric value
printf: 214: ipset: expected numeric value
printf: 214: of: expected numeric value
Processing /etc/shorewall/params ...
Build ipset of blacklisted addresses
Usage: /var/lib/shorewall/.restart [ options ]
is one of:
start
stop
...
This has now been corrected.

Wed Dec 14 13:00:00 2011 toganmAATTopensuse.org
- Update to 4.4.26.1 For more details see changelog.txt and
releasenotes.txt

* The Perl module version numbers have now been updated to
reflect changes in 4.4.26.

* The 4.4.26 rules compiler does not issue a warning when a
capabilities file was generated with Shorewall 4.4.25, even
though new capabilities were added in 4.4.26. This has been
corrected so that a warning is generated.

* When TC_ENABLED=Shared, CLASSIFY rules could not be used in the
tcrules file. Thanks to a patch from Chris Boot, this now works
as expected.

* The quoted part of the progress message 'Provider "..."
compiled' was inadvertently omitted by a change in Shorewall 4.4.23.
That text has now been restored.

Sat Dec 3 13:00:00 2011 toganmAATTopensuse.org
- Update to 4.4.26 For more details see changelog.txt and
releasenotes.txt

* This release includes all corrections included in 4.4.25.1
through .3.

* In 4.4.25, ACCEPT behaved in the BLACKLIST section the same way
as in the other rules file sections. This could lead to
connections being accepted inadvertently.
Now, ACCEPT behaves like WHITELIST; that is, it exempts the
packet from the remaining rules in the BLACKLIST section.

* Previously, Shorewall did not detect the ULOG and NFLOG
capabilities. This led to run-time failures during 'start' and
'restart' as well as confusing error messages during
compilation when ULOG or NFLOG was used when the LOG target was
not available.
ULOG and NFLOG are now detected capabilities so, if you use a
capabilities file, you will need to regenerate it in order to
use these log levels.

* The SAME tcrules target was broken in Shorewall 4.4.22. It now
works correctly again.

* Previously, 'shorewall6 update' did not update shorewall6.conf.
The command now works as expected.

* In earlier releases, the compiler was attempting to process the
params file before it was aware of the setting of CONFIG_PATH.
This could cause the params file to be missed if it was not located
in /etc/shorewall[6] or in the directory named in the start
(restart,compile,check,...) command.
Now, /sbin/shorewall[6] passes $CONFIG_PATH to the compiler
(/usr/share/shorewall/compiler.pl) in the new '--config_path'
option.

Sat Nov 12 13:00:00 2011 toganmAATTopensuse.org
- Update to 4.4.25.3 For more details see changelog.txt and
releasenotes.txt

* Correction of the produced ruleset when wildchars are used in
the zone configuration.

Sun Nov 6 13:00:00 2011 toganmAATTopensuse.org
- Update to 4.4.25.2 For more details see changelog.txt and
releasenotes.txt

* Previously, if all the following were true:
- AUTOMAKE=Yes
- Current compiled script (/var/lib/shorewall/firewall or
/var/lib/shorewall6/firewall) up to date
- LEGACY_FASTSTART=No
- There was a saved configuration
then rather than start the current configuration, 'shorewall
start -f' or 'shorewall6 start -f' would incorrectly restore
the saved configuration.

* The DropSmurfs and TCPFlags actions are now available in
Shorewall6. They were previously omitted from the IPv6
actions.std file.

* The 'rawpost' table was previously omitted from the output of
the 'dump' command. It is now displayed.

* Previously, if a configuration contained more than one wildcard
interface (physical name ending in '+'), then the generated script
might not work properly with Shorewall-init. This defect dates back
to the introduction of Shorewall-init.

Tue Nov 1 13:00:00 2011 toganmAATTopensuse.org
- Update to 4.4.25.1 For more details see changelog.txt and
releasenotes.txt

* A 'refresh' command with no chains or tables specified will
now reload chains created by entries in the BLACKLIST section of
the rules file.

* The rules compiler previously failed to detect the 'Flow
Filter' capability. That capability is now correctly detected.

* The IN_BANDWIDTH handling changes in 4.4.25 were incompatible
with moribund distributions such as RHEL4. Restoring IN_BANDWIDTH
functionality on those releases required a new 'Basic Filter'
capability.

Sun Oct 30 13:00:00 2011 toganmAATTopensuse.org
- Update to 4.4.25 For more details see changelog.txt and
releasenotes.txt

* A defect in the optimizer that allowed incompatible rules to be
combined has been corrected.

* Routes and rules added as a result of entries in
/etc/shorewall6/providers were previously not deleted by
'stop' or 'restart'. Repeated 'restart' commands could
therefore lead to an incorrect routing configuration.

* Previously, capital letters were disallowed in IPv6 addresses.
They are now permitted.

* If the COPY column in /etc/shorewall6/providers was non-empty,
previously a run-time error could occur when copying a table.
The diagnostic produced by ip was:
Either \"to\" is duplicate, or \"cache\" is garbage

* When copying IPv6 routes, the generated script previously
attempted to copy 'cache' entries. Those entries are now omitted.

* Previously, the use of large provider numbers could cause some
Shorewall-generated routing rules to be ineffective.

* In some contexts, IPv6 addresses of the form ::i.j.k.l were
incorrectly classified as invalid by the configuration compiler.

* New blacklisting facility implemented. For this and other new
features please refer to the releasenotes.txt

Sat Oct 15 14:00:00 2011 toganmAATTopensuse.org
- Update to 4.4.24.1

* When the logical and physical name of an interface were
different, including the logical name in the tcdevices file
caused the device's classes to be ignored. This defect was
introduced in Shorewall 4.4.23.

* Remove the ExecReload from all services, since systemd
doesn't allow an ExecReload for OneShot services. Also, add a
missing After=network.target to shorewall.service.
- Fixed Url typo in the spec

Mon Oct 10 14:00:00 2011 toganmAATTopensuse.org
- Update to 4.4.24. For more details see changelog.txt and
releasenotes.txt

* This release includes all problem corrections from releases
4.4.23.1-4.4.23.3.

* The 'fallback' option without = previously produced
invalid 'ip' commands.

Thu Sep 29 14:00:00 2011 toganmAATTopensuse.org
- reworked systemd related rpm macros for 12.1

Sat Sep 17 14:00:00 2011 toganmAATTopensuse.org
- Update to 4.4.23.3

* When providers were present that specify neither 'balance' nor
'fallback', then the following message was issued during
compilation and 'enable' of the interface would fail.
Use of uninitialized value $weight in concatenation (.) or
string at /usr/share/shorewall/Shorewall/Providers.pm line 644.

* TC_ENABLED=Shared was broken in Shorewall 4.4.23, 4.4.23.1 and
4.4.23.2. It produced a shell script with syntax errors.
- Backported patches removed.

Fri Sep 16 14:00:00 2011 toganmAATTopensuse.org
- Update to 4.4.23.2 For more details see changelog.txt and
releasenotes.txt
- Support of systemd for openSUSE 12.1
- Backported patches WEIGHT.patch and SHARED.patch fixing a
harmless message and traffic shaping issues respectively

Sat Aug 20 14:00:00 2011 toganmAATTopensuse.org
- Update to 4.4.22.3. Corrections in this release are below.

* On older distributions where 'shorewall show capabilities'
indicates 'Connection Tracking Match: Not Available', harmless
Perl diagnostics like the following could be issued:
Use of uninitialized value $list in pattern match (m//)
at /usr/share/shorewall/Shorewall/Config.pm line 1273,
<$currentfile> line 14.
Use of uninitialized value $list in split
at /usr/share/shorewall/Shorewall/Config.pm line 1275,
<$currentfile> line 14.

* On older distributions where 'shorewall show capabilities'
indicates 'Mangle FORWARD Chain: Not Available', entries in the
ecn file generated the following Perl Diagnostic:
Use of uninitialized value in hash element
at /usr/share/shorewall/Shorewall/Chains.pm line 1119.

* Previously, if a provider interface was derived from an optional
wildcard entry in /etc/shorewall/providers, then the interface
was never considered to be usable.
Example:
/etc/shorewall/interfaces:
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp+        -           optional

/etc/shorewall/providers:
#PROVIDER   NUMBER   MARK   INTERFACE ...
ISP1        1        1      ppp0

* When 'shorewall update' or 'shorewall6 update' results in no change
to the .conf file, a message is issued, the .bak file is removed
and the command terminates without error.

Fri Aug 12 14:00:00 2011 toganmAATTopensuse.org
- patch the Perl diagnostic with a WARNING message.

Tue Aug 9 14:00:00 2011 toganmAATTopensuse.org
- Update to 4.4.22.2

* On older distributions where 'shorewall show capabilities'
indicates 'Connection Tracking Match: Not Available', Shorewall
4.4.22 and 4.4.22.1 generated invalid iptables-restore input.

* Previously, the compiler always placed '#!/bin/sh' on the first
line of the generated script. It now uses the setting of
SHOREWALL_SHELL on that line rather than '/bin/sh'. Note that
SHOREWALL_SHELL defaults to '/bin/sh' so this change only affects
those who specify a different shell.
- Patched REDIRECT rule

Thu Aug 4 14:00:00 2011 toganmAATTopensuse.org
- Update to 4.4.22.1

* Previously, if the name of a zone began with 'all', then entries
for that zone in /etc/shorewall/rules and /etc/shorewall6/rules
treated the name the same as 'all'.
This defect is present in Shorewall 4.4.13 through 4.4.22.

* Previously, when LOAD_HELPERS_ONLY=No, harmless
iptables-restore warnings as follows could be generated:
...
Running /usr/local/sbin/iptables-restore...
--set option deprecated, please use --match-set
--set option deprecated, please use --match-set
IPv4 Forwarding Enabled

Wed Aug 3 14:00:00 2011 toganmAATTopensuse.org
- Update to 4.4.22. For more details see changelog.txt and
releasenotes.txt

* Under rare conditions, long port lists (>15 ports) could result in
the following failure when optimization level 4 was enabled.
Use of uninitialized value in numeric gt (>)
at /usr/share/shorewall/Shorewall/Chains.pm line 1264.
ERROR: Internal error in
Shorewall::Chains::decrement_reference_count at
/usr/share/shorewall/Shorewall/Chains.pm line 1264

* All corrections included in Shorewall 4.4.21.1.
- A bug in recent versions of Shorewall that could result in rules
that are wider in scope than intended was fixed by applying a patch
by the upstream.

Tue Jul 19 14:00:00 2011 toganmAATTopensuse.org
- Update to 4.4.21.1 Changes in this release are:

* A harmless Perl run-time "uninitialized variable" diagnostic has
been eliminated from the compiler. The diagnostic was issued while
displaying the capabilities.

* As the result of a typo, an orphan filter chain named FORWAR
could be created under rare circumstances. This chain was deleted
by OPTIMIZE level 4.

* The SNAT options --persistent and --randomize now work properly
(/etc/shorewall/masq).

* The LOGMARK log level previously generated invalid iptables
input, making it unusable. That has been corrected.
The syntax for LOGMARK is now:
LOGMARK(level) where level is a syslog priority (1-7 or debug,
info, notice, etc.).
Example rule:
#ACTION             SOURCE   DEST   PROTO   DEST
#                                           PORT(S)
LOG:LOGMARK(info)   lan      dmz    udp     1234

Mon Jul 11 14:00:00 2011 toganmAATTopensuse.org
- Update to 4.4.21 For more details see changelog.txt and
releasenotes.txt

* The Shorewall and Shorewall6 'load' and 'reload' commands
now use the .conf file in the current working directory.

* The 'balance' and 'fallback' options in /etc/shorewall/providers
have always been mutually exclusive but the compiler previously
didn't enforce that restriction. Now it does.

* The ipset modules are now automatically loaded by Shorewall6 when
LOAD_HELPERS_ONLY=No is specified in shorewall6.conf. Additionally,
there is now a /usr/share/shorewall6/modules.ipset file that
lists all of the required modules.

* TPROXY descriptions have been added to shorewall-tcrules(5) and
shorewall6-tcrules(5).

Thu Jun 16 14:00:00 2011 toganmAATTopensuse.org
- Update to 4.4.20.3. Changes in this release are

* Deprecated options have been removed from the .conf files.
They remain in the man pages.

* A simple configuration like the 'Universal' sample that includes a
single wildcard interface ('+' in the INTERFACE column) produces a
ruleset that blocks all incoming packets.
As part of correcting this defect, which was introduced in
4.4.20.2, one or more superfluous rules (which could never
match) have been eliminated from most configurations.

Wed Jun 15 14:00:00 2011 toganmAATTopensuse.org
- Update to 4.4.20.2

* A defect introduced in 4.4.20 could cause the following failure at
start/restart:
ERROR: Command "tc qdisc add dev eth0 parent 1:11 handle 1:
sfq quantum 12498 limit 127 perturb 10" failed

* The 'sfilter' interface option introduced in 4.4.20 was only
applied to forwarded traffic. Now it is also applied to traffic
addressed to the firewall itself.

* Issues with iptables-restore have been corrected.

* IPSEC traffic is now (correctly) excluded from sfilter.

* The following incorrect warning message has been eliminated:
WARNING: sfilter is ineffective with FASTACCEPT=Yes

Tue Jun 7 14:00:00 2011 toganmAATTopensuse.org
- Update to 4.4.20.1

* The address of the Free Software Foundation has been corrected in
the License files.

* The shorewall[6].conf file installed in
/usr/share/shorewall[6]/configfiles is no longer modified for use
with Shorewall[6]-lite. When creating a new configuration for a
remote firewall, two lines need to be modified in the copy:
CONFIG_PATH=/usr/share/shorewall (or shorewall6)
STARTUP_LOG=/var/log/shorewall-lite-init.log
(or shorewall6-lite-init.log)

Mon Jun 6 14:00:00 2011 toganmAATTopensuse.org
- Update to 4.4.20

* Removed backported patches for openSUSE specific locations as
they are incorporated in upstream.
- Changes in 4.4.20 (for more read changelog.txt and releasenotes.txt)

* Support for the AUDIT target has been added. AUDIT is a feature of
the 2.6.39 kernel and iptables 1.4.10 that allows security auditing
of access decisions.

Wed May 18 14:00:00 2011 toganmAATTopensuse.org
- Update to 4.4.19.4

* Previously, the compiler would allow a degenerate entry (only the
BAND specified) in /etc/shorewall/tcpri. Such an entry now raises a
compilation error.

* Previously, it was possible to specify tcfilters and tcrules that
classified traffic with the class-id of a non-leaf HFSC class. Such
classes are not capable of handling packets.
Shorewall now generates a compile-time warning in this case and
ignores the entry.
If a non-leaf class is specified as the default class, then
Shorewall now generates a compile-time error since that
configuration allows no network traffic to flow.

* Traditionally, Shorewall has not checked for the existence of
ipsets mentioned in the configuration, potentially resulting in a
run-time start/restart failure. Now, the compiler will issue a
WARNING if:
a) The compiler is being run by root.
b) The compilation isn't producing a script to run on a remote
system under a -lite product.
c) An ipset appearing in the configuration does not exist on the
local system.

* As previously implemented, the 'refresh' command could fail or
could result in a ruleset other than what was intended. If there
had been changes in the ruleset since it was originally
started/restarted/restored that added or deleted sequenced chains
(chains such as ~lognnn and ~exclnnn), the resulting ruleset could
jump to the wrong such chains or could fail to 'refresh'
successfully.
This issue has been corrected as follows. When a 'refresh' is done
and individual chains are involved, then each table that contains
both sequenced chains and one of the chains being refreshed is
refreshed in its entirety.
For example, if 'shorewall refresh foo' is issued and the filter
table (which is the default) contains any sequenced chains, then
the entire table is reloaded. Note that this reload operation is
atomic so no packets are passed through an inconsistent
configuration.

* When 'shorewall6 refresh' was run previously, a harmless
'ip6tables: Chain exists' message was generated.
- Reworked backported patches so shorewall still uses openSUSE specific
locations
- Fix the zone definitions in shorewall6/Samples6/zones examples

Wed May 11 14:00:00 2011 toganmAATTopensuse.org
- Update to 4.4.19.3

* An incompatibility with gawk has been corrected.

* Previously, an entry in the USER/GROUP column in the rules and
tcrules files could cause run-time start/restart failures if the
rule(s) being added did not have the firewall as the source (rules
file) and were not being added to the POSTROUTING chain (:T
designator in the tcrules file). This error is now caught by
the compiler.

* Shorewall now insures that a route to a default gateway exists in
the main table before it attempts to add a default route through
that gateway in a provider table. This prevents start/restart
failures in the rare event that such a route does not exist.

* CLASSIFY TC rules can apply to traffic exiting only the interface
associated with the class-id specified in the first column.

* Fixes start of shorewall6 (bnc#693162)

Fri May 6 14:00:00 2011 toganmAATTopensuse.org
- Update to 4.4.19.2 For more details see changelog.txt and
releasenotes.txt

* In Shorewall-shell, there was the ability to specify IPSET names in
the ORIGINAL DEST column of DNAT and REDIRECT rules. That ability,
inadvertently dropped in Shorewall-perl, has been restored.

* Several problems with complex TC have been corrected:

* Double exclusion involving ipset lists was previously not detected,
resulting in anomalous behavior.

Mon Apr 18 14:00:00 2011 toganmAATTopensuse.org
- Update to 4.4.19.1

* Eliminate silly duplicate rule when stopped.

* Don't believe that all nexthop routes are default routes.

* Restore :- in masq file.

* Correct default route safe/restore.
- backported paths related patches from git as they are in mainstream
now

Wed Apr 13 14:00:00 2011 toganmAATTopensuse.org
- Shorewall packages have their openSUSE specific locations now

* Executable files in /usr/lib/shorewall. These include:
getparams
compiler.pl
wait4ifup
shorecap
ifupdown

* Perl Modules in /usr/lib/perl5/vendor_perl/PERL_VERSION/Shorewall.
- Updated to 4.4.19 (for more info please consult changelog.txt and
releasenotes.txt)

* Corrected a problem in optimize level 4 that resulted in the following
compile-time failure
Can't use an undefined value as an ARRAY reference at
/usr/share/shorewall/Shorewall/Chains.pm line 862.

* If a DNAT or REDIRECT rule applied to a source zone with an interface
defined with 'physical=+', then the nat table 'dnat' chain might have
been created but not referenced. This prevented the DNAT or REDIRECT
rule from working correctly.

* Previously, if a variable set in /etc/shorewall/params was given a value
containing shell metacharacters, then the compiled script would contain
syntax errors.

* The pathname of the 'conntrack' binary was erroneously printed in the
output of 'shorewall6 show connections'.

* Correct a problem whereby incorrect Netfilter rules were generated when
a bridge with ports was given a logical name.

* If a bridge interface had subordinate ports defined in
/etc/shorewall/interface, then an ipsec entry (either ipsec zone or the
'ipsec' option specified) in /etc/shorewall/hosts resulted in the
compiler generating an incorrect Netfilter configuration.

* A fatal error is now raised if '!0' appears in the PROTO column of files
that have that column. This avoids an iptables-restore failure at run time.

Mon Apr 4 14:00:00 2011 toganmAATTopensuse.org
- Updated to 4.4.18.2

* SAVE_IPSETS=Yes didn't work unless there is a dynamic zone defined.

* If a logical name was given to a bridge and the ports on the bridge
were defined in /etc/shorewall/interfaces, then the compiler could
generate matches that used the logical name rather than the
physical name.

Mon Mar 21 13:00:00 2011 toganmAATTopensuse.org
- Updated to 4.4.18.1

* An issue with params processing on RHEL6 has been corrected. The
problem manifested as the following type of warning:
WARNING: Param line (export OLDPWD) ignored at
/usr/share/shorewall/Shorewall/Config.pm line 2993.

* The editing of the value of the TC_PRIOMAP option has been
tightened. Previously, many invalid settings were allowed,
resulting in run-time tc command failures.

* The Shorewall Lite and Shorewall6 Lite installers now install the
'helpers' modules file. Previously, this file was not installed
with the result that both 'shorewall[6]-lite show capabilities' and
'shorecap' failed.

* Previously, if an icmp or icmp6 type which included both a type and
a code was used in the tcfilters file, 'start' and 'restart' would
fail with a 'tc' error.

Fri Mar 11 13:00:00 2011 toganmAATTopensuse.org
- Updated to 4.4.18

* for accounting modules xtables-addons must be installed
- Changes in 4.4.18 (for more read changelog.txt and releasenotes.txt)

* The modules files are now just a driver that INCLUDEs several new
files and one old file:

* Beginning with Shorewall 4.4.18, the accounting structure can be
created with three root chains:
- accountin: Rules that are valid in the INPUT chain (may not
specify an output interface).
- accountout: Rules that are valid in the OUTPUT chain (may not
specify an input interface or a MAC address).
- accountfwd: Other rules.

* Internals Change: The Policy.pm module has been merged into the
Rules.pm module.

Thu Feb 10 13:00:00 2011 toganmAATTopensuse.org
- Updated to 4.4.17

* This release adds support for per-IP accounting using the ACCOUNT
target. That target is only available when xtables-addons is
installed.
- Changes in 4.4.17 (for more read changelog.txt and releasenotes.txt)

* Previously, Shorewall did not check the length of the names of
accounting chains and manual chains. This could result in
errors when loading the resulting ruleset. Now, the compiler issues
an error for chain names longer than 29 characters.
Additionally, the compiler now ensures that these chain names are
composed only of letters, digits, underscores ('_') and dashes
('-'). This eliminates Perl runtime errors or other failures when a
chain name is embedded within a regular expression.
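The compile-time check described in this entry, as an added illustration (this is not Shorewall's own Perl code): a validator that applies the two constraints stated above (at most 29 characters; only letters, digits, underscores and dashes) before a chain name is embedded in a regular expression or emitted into a ruleset. The accounting-file lines and the column layout used by check_chain_column() are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Limits as stated in the 4.4.17 release notes above.
MAX_CHAIN_NAME_LEN = 29
CHAIN_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def validate_chain_name(name: str) -> Optional[str]:
    """Return None if the name is acceptable, otherwise a diagnostic string."""
    if not name:
        return "chain name is empty"
    if len(name) > MAX_CHAIN_NAME_LEN:
        return "chain name '%s' is longer than %d characters" % (name, MAX_CHAIN_NAME_LEN)
    if not CHAIN_NAME_RE.match(name):
        bad = sorted({c for c in name if not CHAIN_NAME_RE.match(c)})
        return "chain name '%s' contains invalid character(s): %r" % (name, bad)
    return None


def chain_reference_pattern(name: str) -> "re.Pattern[str]":
    """Build a regex that matches a reference to the chain in generated rules.

    Without the validation, a name such as 'web(chain' would raise a regex
    compile error here, which is the class of failure the release note describes.
    """
    problem = validate_chain_name(name)
    if problem is not None:
        raise ValueError(problem)
    return re.compile(r"-j\s+%s(\s|$)" % name)


def check_chain_column(lines: List[str], column: int = 1) -> List[Tuple[int, str]]:
    """Validate the chain-name column of constructed accounting-style lines.

    Assumption for the example: whitespace-separated columns, '#' comments,
    chain name in the given zero-based column. Returns (line number, diagnostic).
    """
    errors = []
    for lineno, line in enumerate(lines, 1):
        text = line.split("#", 1)[0].strip()
        if not text:
            continue
        fields = text.split()
        if len(fields) <= column:
            continue
        problem = validate_chain_name(fields[column])
        if problem is not None:
            errors.append((lineno, problem))
    return errors


# Constructed sample lines, not from any real configuration.
SAMPLE_LINES = [
    "# ACTION  CHAIN        SOURCE   DEST",
    "DONE      web-traffic  net      fw",
    "COUNT     this_chain_name_is_far_too_long_for_iptables  net  fw",
    "COUNT     bad(chain    net      fw",
]

if __name__ == "__main__":
    for lineno, problem in check_chain_column(SAMPLE_LINES):
        print("line %d: %s" % (lineno, problem))
```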

* Several issues with complex traffic shaping have been resolved:
a) Specifying IPv6 network addresses in the SOURCE or DEST columns
of /etc/shorewall6/tcfilters now works correctly. Previously,
Perl runtime warnings occurred and an invalid tc command was
generated.
b) Previously, if flow= was specified on a parent class, a perl
runtime warning occurred and an invalid tc command was
generated. This combination is now flagged as an error at
compile time.
c) There is now an ipv6 tcfilters skeleton included with
Shorewall6.

* Several issues with accounting are corrected.
a) If an accounting rule of the form:
chain1 chain2
was configured and neither chain was referenced again in the
configuration, then an internal error was generated when
optimize level 4 was selected and OPTIMIZE_ACCOUNTING=Yes.
b) If there was only a single accounting rule and that rule
specified an interface in the SOURCE or DEST columns, then the
generated ruleset would fail to load when
OPTIMIZE_ACCOUNTING=Yes.
c) If a per-IP accounting table name appeared in more than one
rule and the specified network was not the same in all
occurrences, then the generated ruleset would fail to load.
This is now flagged as an error at compile time.

* Two defects in compiler module loading have been corrected:
a) Previously, the kernel/net/ipv6/netfilter/ directory was not
searched.
b) A Perl diagnostic was issued when running on a monolithic kernel
when the modutils package was installed.

* A line containing only 'INCLUDE' appearing in an extension script
now generates a compile-time diagnostic rather than a run-time
diagnostic.

* Previously, the uninstall.sh scripts used insserv (if installed) on
Debian-based systems. These scripts now use the preferred tool
(updaterc.d).

* Beginning with 4.4.16, compilation would fail if an empty shell
variable was referenced in a config file on a system where /bin/sh
is the Bourne Again Shell (bash).

* In earlier versions, if OPTIMIZE=8 then the ruleset displayed by
'check -r' was the same as when OPTIMIZE=0 (unoptimized).
Similarly, if OPTIMIZE=9 then the ruleset displayed was the same
as when OPTIMIZE=1.

* Startup could previously fail on a system where kernel module
autoloading was not available and where TC_ENABLED=Simple was
specified in shorewall.conf or shorewall6.conf.

* Previously, a 'done.' message could be printed at the end of
command processing even when the command had failed. Now, such a
message only appears if the command completed successfully.

Sat Jan 22 13:00:00 2011 toganmAATTopensuse.org
- Updated to 4.4.16.1

* Beginning with 4.4.16, compilation would fail if an empty shell
variable was referenced in a config file on a system where /bin/sh
is the Bourne Again Shell (bash).

Wed Jan 12 13:00:00 2011 toganmAATTopensuse.org
- fix fillup for shorewall-init so it will be copied to sysconfig
directory
- link network/scripts/shorewall to if-up.d and if-down.d
- Changes in 4.4.16 (for more read changelog.txt and releasenotes.txt)
* If the output of 'env' contained a multi-line value, then
compilation failed with an Internal Error. The code has been
changed so that the compiler now handles multi-line values
correctly.

* In 4.4.15, output to Standard Out (FD 1) generated by
/etc/shorewall/params (/etc/shorewall6/params) was redirected to
/dev/null. It is now redirected to Standard Error (FD 2).

* If a params file did not appear in the CONFIG_PATH, compilation
failed with the error:
.: 31: Can't open /etc/shorewall6/params
ERROR: Processing of /etc/shorewall6/params failed

* Previously, proxy ARP with logical interface names did not
work. Symptoms included numerous Perl runtime error messages.

* Previously, the root of a wildcard name erroneously matched that
name. For example 'eth' matched 'eth+'. Now there must be at least
one additional character (e.g., 'eth4').

* Use of logical interface names in the notrack and ecn files
resulted in perl runtime warning messages.

* The use of wildcard-matching names in certain contexts would result
in anomalous behavior. Among the symptoms were:
- Perl run-time messages similar to this one:
Use of uninitialized value in numeric comparison (<=>)
at /usr/share/shorewall/Shorewall/Zones.pm line 1334.
- Failure to treat the interface as optional or required.

* Where two ISPs share the same interface, if one of the ISPs was not
reachable, an iptables-restore error such as this occurred:
iptables-restore v1.4.10: Bad mac address "-j"

* Previously, under very rare circumstances, a chain would be
optimized away while there were still jumps to the chain. This caused
Shorewall start/restart to fail during iptables-restore.

* Previously, the setting of BLACKLIST_DISPOSITION was not
validated. Now, an error is raised unless the value is DROP or REJECT.

Mon Jan 3 13:00:00 2011 toganmAATTopensuse.org
- Update to version 4.4.15.3
- Changes in 4.4.15.3

* Previously, the root of a wildcard name erroneously matched that
name. For example 'eth' matched 'eth+'. Now there must be at least
one additional character (e.g., 'eth4').
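The wildcard rule described in this entry and in the 4.4.16 entry above, as an added illustration (not Shorewall's own code): a matcher in which a name ending in '+' matches any interface that starts with the root and has at least one further character, so that 'eth' itself no longer matches 'eth+'. The interface-definition lookup that prefers an exact entry over a wildcard entry is an assumption made for the example, as is the small sample configuration.

```python
from typing import Dict, List, Optional


def is_wildcard(name: str) -> bool:
    """A Shorewall-style wildcard interface name ends in '+'."""
    return name.endswith("+")


def wildcard_root(name: str) -> str:
    """The part of a wildcard name before the trailing '+'."""
    return name[:-1] if is_wildcard(name) else name


def interface_matches(pattern: str, iface: str) -> bool:
    """True if the interface name matches the pattern.

    For a wildcard pattern the interface must start with the root AND be
    strictly longer than it, which is the corrected 4.4.15.3/4.4.16 behaviour:
    'eth' does not match 'eth+', while 'eth4' does.
    """
    if not is_wildcard(pattern):
        return pattern == iface
    root = wildcard_root(pattern)
    return len(iface) > len(root) and iface.startswith(root)


def find_interface_entry(entries: Dict[str, str], iface: str) -> Optional[str]:
    """Look up the zone for an interface (assumed lookup order for the example).

    Exact entries take precedence over wildcard entries; among wildcards the
    longest matching root wins so that 'eth1+' beats 'eth+' for 'eth10'.
    """
    if iface in entries and not is_wildcard(iface):
        return entries[iface]
    best_root_len = -1
    best_zone = None
    for pattern, zone in entries.items():
        if is_wildcard(pattern) and interface_matches(pattern, iface):
            if len(wildcard_root(pattern)) > best_root_len:
                best_root_len = len(wildcard_root(pattern))
                best_zone = zone
    return best_zone


# Constructed sample: interface name -> zone, not a real configuration.
SAMPLE_ENTRIES = {
    "eth0": "net",
    "eth+": "loc",
    "eth1+": "dmz",
}


def classify(names: List[str]) -> Dict[str, Optional[str]]:
    """Map each interface name to the zone its entry resolves to, or None."""
    return {n: find_interface_entry(SAMPLE_ENTRIES, n) for n in names}


if __name__ == "__main__":
    for name, zone in classify(["eth", "eth0", "eth4", "eth10", "wlan0"]).items():
        print("%-6s -> %s" % (name, zone))
```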

* Use of logical interface names in the notrack and ecn files
resulted in perl runtime warning messages.

* The use of wildcard-matching names in certain contexts would result
in perl run-time messages similar to this one:
Use of uninitialized value in numeric comparison (<=>)
at /usr/share/shorewall/Shorewall/Zones.pm line 1334.

* Under very rare circumstances, a chain could be optimized away
even when there are jumps to the chain. This resulted in a
start/restart failure.
- Changes in 4.4.15.2

* Previously, proxy ARP with logical interface names did not
work. Symptoms included numerous Perl runtime error messages.

* Previously, unknown interface names in the proxyarp and
tcinterfaces files resulted in Perl runtime errors.

Thu Dec 2 13:00:00 2010 toganmAATTopensuse.org
- Upgrade to version 4.4.15.1
- Changes in version 4.4.15.1
1) If the output of 'env' contained a multi-line value, then
compilation failed with an Internal Error. The code has been
changed to ignore all but the first line of a multi-line value.
2) If a params file did not appear in the CONFIG_PATH, compilation
failed with the error:
.: 31: Can't open /etc/shorewall6/params
ERROR: Processing of /etc/shorewall6/params failed

Thu Dec 2 13:00:00 2010 toganmAATTopensuse.org
- Update to version 4.4.15
- Changes in Shorewall 4.4.15
1) Add macros from Tuomo Soini.
2) Corrected macro.JAP.
3) Added fatal_error() functions to the -lite CLIs.
RC 1
1) Another Perl 5.12 warning.
2) Avoid anomalous behavior regarding syn flood chains.
3) Add HEADERS column for IPv6
Beta 2
1) Tweaks to IPv6 tcfilters
2) Add support for explicit provider routes
3) Fix shared TC tcfilters handling.
Beta 1
1) Handle exported VERBOSE.
2) Modernize handling of the params file.
3) Fix NULL_ROUTE_RFC1918
4) Fix problem of appending incorrect files.
5) Implement shared TC.

Thu Nov 25 13:00:00 2010 toganmAATTopensuse.org
- Added README.openSUSE which warns the user

Wed Nov 24 13:00:00 2010 toganmAATTopensuse.org
- Fix init-4.4.14.patch
- Cleaned spec file
- Removed Provides shoreline_firewall
- Until upstream clarifies non-executable scripts put them under rpmlintrc
- TODO

* the code files should go into %_libexecdir/shorewall, only non-executable
data is for %_datadir/shorewall.

Wed Nov 24 13:00:00 2010 toganmAATTopensuse.org
- Included docs-html to the packaging as well
- Patches have the version number reflecting the diff to the original

Thu Nov 11 13:00:00 2010 toganmAATTopensuse.org
- Initial packaging of shorewall for opensuse
