Revisions of shorewall
buildservice-autocommit
accepted
request 148719
from
Togan Muftuoglu (toganm)
(revision 109)
baserev update by copy to link target
Togan Muftuoglu (toganm)
accepted
request 148615
from
Togan Muftuoglu (toganm)
(revision 108)
- Added systemd.patch to fix the exec path (bnc# 798525)
Togan Muftuoglu (toganm)
accepted
request 148262
from
Togan Muftuoglu (toganm)
(revision 107)
- Update to 4.5.11.2
  For more details see changelog.txt and releasenotes.txt
  * Corrected fix 2 from 4.5.11.1.
  * 4.5.11.1 Beginning with Shorewall 4.5.10, if the name of an optional interface contained one or more characters that are not valid in a shell function name, then the generated script would fail with a "syntax error: bad function name" shell diagnostic. That problem has been corrected so that a valid function name is generated.
  * The kernel modules supplied by xtables-addons are now listed in the modules.xtables files. They were previously omitted.
buildservice-autocommit
accepted
request 145720
from
Togan Muftuoglu (toganm)
(revision 106)
baserev update by copy to link target
Togan Muftuoglu (toganm)
accepted
request 145719
from
Togan Muftuoglu (toganm)
(revision 105)
- Update to 4.5.10.1
  For more details see changelog.txt and releasenotes.txt
  * Correct typo in conntrack module
buildservice-autocommit
accepted
request 144824
from
Togan Muftuoglu (toganm)
(revision 104)
baserev update by copy to link target
Togan Muftuoglu (toganm)
accepted
request 144821
from
Togan Muftuoglu (toganm)
(revision 103)
- Update to 4.5.10
  For more details see changelog.txt and releasenotes.txt
  * This release includes all defect repair included in 4.5.9.1-4.5.9.3.
  * Under rare circumstances, optimize level 16 could produce invalid iptables-restore input which would cause start/restart to fail.
  * Before this release, the 'started' script was run prior to copying the temporary script file (e.g., /var/lib/shorewall/.start) to /var/dir/shorewall/firewall. If the script failed, the copy would not take place even though the firewall had started successfully. The script is now copied before running the 'started' script.
    If you compare the script generated by this release with one generated by a prior release, we suggest that you ignore whitespace changes (e.g., use the '-w' option in diff); that way, you can see the actual change more clearly.
  * AUTOCOMMENT=No now works correctly; previously, it behaved the same as AUTOCOMMENT=Yes.
  * A harmless extraneous comma has been deleted from the rule generated by action.RST.
buildservice-autocommit
accepted
request 142300
from
Togan Muftuoglu (toganm)
(revision 102)
baserev update by copy to link target
Togan Muftuoglu (toganm)
accepted
request 142299
from
Togan Muftuoglu (toganm)
(revision 101)
- Update to 4.5.9.2
  For more details see changelog.txt and releasenotes.txt
  * Previously, the rules in the 'routemark' chain did not specify a mask in the MARK target. While a mask isn't strictly necessary in those rules, one has been added to allay fears of those who read the generated ruleset.
    Note: The 'routemark' chain is used to apply provider marks to packets received from 'track' provider interfaces. It is traversed early in the mangle PREROUTING chain when no other marks have yet been applied to the packet.
  * If exclusion was used with TPROXY in the tcrules file, an invalid iptables ruleset was generated causing start and restart commands to fail when running iptables-restore.
  * Previously, if a provider and its interface had the same name, then the 'enable' command would not work on that interface.
buildservice-autocommit
accepted
request 140857
from
Togan Muftuoglu (toganm)
(revision 100)
baserev update by copy to link target
Togan Muftuoglu (toganm)
accepted
request 140855
from
Togan Muftuoglu (toganm)
(revision 99)
- Update to 4.5.9.1
  For more details see changelog.txt and releasenotes.txt
  * Previously, using a wildcard interface name in a rule would result in this error: ERROR: Invalid ipset name (ppp+) : ... Such entries are now handled correctly.
  * The shorewall-masq(5) manpage incorrectly stated that the SOURCE column may use exclusion with an interface name (e.g., eth1:!1.2.3.4). That hasn't been the case for some time. To accomplish the same thing, do this: eth0 1.2.3.4 NONAT eth0 eth1
    Note: Using an interface name in the SOURCE column is deprecated.
  * Previously, if a MARK was specified for a tc class that explicitly specified a class number, the following spurious warning message was issued: WARNING: Class NUMBER ignored -- INTERFACE <name> does not have the 'classify' option
    That warning message is no longer issued.
  * With Shorewall 4.5.9, there were issues when the ipset utility was not installed, some of which prevented Shorewall from starting.
- Adjust for the usr move
  * change /sbin/service to /usr/service in requires and setting links
buildservice-autocommit
accepted
request 139763
from
Togan Muftuoglu (toganm)
(revision 98)
baserev update by copy to link target
Togan Muftuoglu (toganm)
accepted
request 139762
from
Togan Muftuoglu (toganm)
(revision 97)
- Update to 4.5.9
  For more details see changelog.txt and releasenotes.txt
  * This release contains all defect repair from Shorewall 4.5.8.2.
  * A typo has been corrected in the shorewallrc.default file.
  * Beginning with Shorewall 4.5.7.2, Shorewall unconditionally restores the provider mark as the first rule in the mangle table OUTPUT and PREROUTING chains. Previously, the provider mark was restored only if it was non-zero. It has become clear that some users need it one way while others need it the other way. To resolve this issue, a RESTORE_ROUTEMARKS option has been added to shorewall.conf and shorewall6.conf. When this option is set to Yes (the default), the 4.5.7.2 approach is used (always restore the mark, even if it is zero); when it is set to No, the pre-4.5.7.2 behavior is retained (only restore the mark if it is non-zero).
  * Two error messages produced by the RST action have been corrected. They previously referred to errors in the NotSyn action rather than RST.
buildservice-autocommit
accepted
request 137834
from
Togan Muftuoglu (toganm)
(revision 96)
baserev update by copy to link target
Togan Muftuoglu (toganm)
accepted
request 137828
from
Togan Muftuoglu (toganm)
(revision 95)
- Update to 4.5.8.2
  For more details see changelog.txt and releasenotes.txt
  * The 'shorewall show' command previously produced no output. That command now works with ipset versions 4 and later.
  * The change in 4.5.8.1 that enabled industry-standard IPv4 address representation broke the ability to place IP ranges or IPv6 ipsets in the hosts file. Those abilities have been restored.
  * The treatment of the SYSTEMD and INITFILE shorewallrc variables has been inconsistent. The -lite installers ignore INITFILE when SYSTEMD is specified, while the other installers do not. Now, the -lite installers install the .service file if SYSTEMD is specified and they install the sysv-init script if INITFILE is specified. That is consistent with the behavior of the other installers.
- Added 0001-remote_fs.patch for shorewall-init sysv-init scripts
buildservice-autocommit
accepted
request 137409
from
Togan Muftuoglu (toganm)
(revision 94)
baserev update by copy to link target
Togan Muftuoglu (toganm)
accepted
request 137407
from
Togan Muftuoglu (toganm)
(revision 93)
- Update to 4.5.8.1
  For more details see changelog.txt and releasenotes.txt
  * When ipset version 5 or later was installed, the 'shorewall show dynamic <zone>' command produced no output and the 'add' command failed with this error message: "Zone <zone>, interface <interface> does not have a dynamic host list"
  * When generating ipset names for dynamic zones, the compiler was dropping dashes ('-') from the interface name and adding a unique suffix. For example the ipset for zone 'foo' and interface 'bar-if' might be 'foo_barif_1'. Dashes are now retained so that the generated set name in this example will be 'foo_bar-if'. This change also allows the 'add' and 'delete' commands to work correctly when the interface name contains one or more dashes. Although dash is documented as being an accepted character in ipset names, names containing a dash would generate an error in some contexts. That has also been corrected.
  * In most contexts, Shorewall6 has required IPv6 addresses to be enclosed in either angled brackets ( <....> , deprecated) or in square brackets ([....]). This includes network addresses, where both the IPv6 address and the VLSM are required to be within the brackets (e.g., [2001:470:b:787::/64]). This differs from the industry-standard network form in which the IPv6 address is enclosed in square brackets and the VLSM is outside of the brackets (e.g., [2001:470:b:787::]/64). Beginning with this release, the industry-standard representation is also accepted by Shorewall6.
    Note: Those of you who read the patches will probably have noticed that much of this change was actually in 4.5.8; because the change was committed late in the 4.5.8 release cycle, we chose not to document the change until it had undergone additional testing.
Togan Muftuoglu (toganm)
accepted
request 137233
from
Togan Muftuoglu (toganm)
(revision 92)
- Update to 4.5.8
  For more details see changelog.txt and releasenotes.txt
  * This release includes the defect repair from Shorewall 4.5.7.1.
  * The restriction that TTL and HL rules could only be placed in the FORWARD chain prevented these rules from being used to hide a router from traceroute[6]. It is now allowed to place these rules in the PREROUTING chain by following the specification with ':P' (e.g., 'TTL(+1):P').
  * Previously, the macro.SNMP macro opened both UDP ports 161 and 162 from SOURCE to DEST. This is against the usual practice of opening these ports in the opposite direction. Beginning with this release, port 162 is opened in to SOURCE to DEST as before, while port 161 is opened from DEST to SOURCE.
  * Previously, when compiling for export, both /etc/shorewall/shorewall[6].conf and the shorewall[6].conf in the configuration directory were processed. Now, only the copy in the configuration directory is processed.
  * The 'iptables_raw' module has been added to the modules.essential file.
  * Several corrections have been made to the Fedora/Redhat init script for Shorewall-init.
  * The <directory> parameter to the 'try' command is now documented in the shorewall(8) and shorewall6(8) manpages.
  * Some redundant interface-option rules have been removed in configurations with multiple zones configured on a single interface.
  * Previously, when compiling for export, the compilation would fail if the setting of SHAREDIR in the firewall's shorewallrc was different from the setting on the admin system. Such compilations now succeed.
- For openSUSE 12.3 provide only systemd and drop sysv-init scripts
buildservice-autocommit
accepted
request 135625
from
Togan Muftuoglu (toganm)
(revision 91)
baserev update by copy to link target
Togan Muftuoglu (toganm)
accepted
request 135613
from
Togan Muftuoglu (toganm)
(revision 90)
- Since shorewall executables are in /usr/sbin systemd service files now reflect the correct location
Displaying revisions 181 - 200 of 289