Revisions of shorewall
buildservice-autocommit
accepted
request 148719
from
Togan Muftuoglu (toganm)
(revision 109)
Togan Muftuoglu (toganm)
(revision 109)
baserev update by copy to link target
Togan Muftuoglu (toganm)
accepted
request 148615
from
Togan Muftuoglu (toganm)
(revision 108)
- Added systemd.patch to fix the exec path (bnc# 798525)
Togan Muftuoglu (toganm)
accepted
request 148262
from
Togan Muftuoglu (toganm)
(revision 107)
- Update to 4.5.11.2 For more details see changelog.txt and
releasenotes.txt
* Corrected fix 2 from 4.5.11.1.
* 4.5.11.1
Beginning with Shorewall 4.5.10, if the name of an optional
interface contained one or more characters that are not valid
in a shell function name, then the generated script would fail with
a "syntax error: bad function name" shell diagnostic.
That problem has been corrected so that a valid function name
is generated.
* The kernel modules supplied by xtables-addons are now listed in
the modules.xtables files. They were previously omitted.
buildservice-autocommit
accepted
request 145720
from
Togan Muftuoglu (toganm)
(revision 106)
Togan Muftuoglu (toganm)
(revision 106)
baserev update by copy to link target
Togan Muftuoglu (toganm)
accepted
request 145719
from
Togan Muftuoglu (toganm)
(revision 105)
- Update to 4.5.10.1 For more details see changelog.txt and releasenotes.txt * Correct typo in conntrack module
buildservice-autocommit
accepted
request 144824
from
Togan Muftuoglu (toganm)
(revision 104)
Togan Muftuoglu (toganm)
(revision 104)
baserev update by copy to link target
Togan Muftuoglu (toganm)
accepted
request 144821
from
Togan Muftuoglu (toganm)
(revision 103)
- Update to 4.5.10 For more details see changelog.txt and
releasenotes.txt
* This release includes all defect repair included in
4.5.9.1-4.5.9.3.
* Under rare circumstances, optimize level 16 could produce
invalid iptables-restore input which would cause start/restart
to fail.
* Before this release, the 'started' script was run prior to
copying the temporary script file (e.g., /var/lib/shorewall/.start)
to /var/dir/shorewall/firewall. If the script failed, the copy
would not take place even though the firewall had started
successfully. The script is now copied before running the
'started' script.
If you compare the script generated by this release with one
generated by a prior release, We suggest that you ignore
whitespace changes (e.g., use the '-w' option in diff); that way,
you can see the actual change more clearly.
* AUTOCOMMENT=No now works correctly; previously, it behaved the
same as AUTOCOMMENT=Yes.
* A harmless extraneous comma has been deleted from the rule
generated by action.RST.
buildservice-autocommit
accepted
request 142300
from
Togan Muftuoglu (toganm)
(revision 102)
Togan Muftuoglu (toganm)
(revision 102)
baserev update by copy to link target
Togan Muftuoglu (toganm)
accepted
request 142299
from
Togan Muftuoglu (toganm)
(revision 101)
- Update to 4.5.9.2 For more details see changelog.txt and
releasenotes.txt
* Previously, the rules in the 'routemark' chain did not specify
a mask in the MARK target. While a mask isn't strictly necessary
in those rules, one has been added to ally fears of those who read
the generated ruleset.
Note: The 'routemark' chain is used to apply provider marks to
packets received from 'track' provider interfaces. It is
traversed early in the mangle PREROUTING chain when no other
marks have yet been applied to the packet.
* If exclusion was used with TPROXY in the tcrules file, an
invalid iptables ruleset was generated causing start and
restart commands to fail when running iptables-restore.
* Previously, if a provider and its interface had the same name,
then the 'enable' command would not work on that interface.
buildservice-autocommit
accepted
request 140857
from
Togan Muftuoglu (toganm)
(revision 100)
Togan Muftuoglu (toganm)
(revision 100)
baserev update by copy to link target
Togan Muftuoglu (toganm)
accepted
request 140855
from
Togan Muftuoglu (toganm)
(revision 99)
- Update to 4.5.9.1 For more details see changelog.txt and
releasenotes.txt
* Previously, using a wildcard interface name in a rule would
result in this error:
ERROR: Invalid ipset name (ppp+) : ...
Such entries are now handled correctly.
* The shorewall-masq(5) manpage incorrectly stated that the
SOURCE column may use exclusion with an interface name (e.g.,
eth1:!1.2.3.4). That hasn't been the case for some time. To
accomplish the same thing, do this:
eth0 1.2.3.4 NONAT
eth0 eth1
Note: Using an interface name in the SOURCE column is deprecated.
* Previously, if a MARK was specified for a tc class that
explicitly specified a class number, the following spurious
warning message was issued:
WARNING: Class NUMBER ignored --
INTERFACE <name> does not have the 'classify' option
That warning message is no longer issued.
* With Shorewall 4.5.9, there were issues when the ipset utility
was not installed, some of which prevented Shorewall from
starting.
- Adjust for the usr move
* change /sbin/service to /usr/service in requires and setting links
buildservice-autocommit
accepted
request 139763
from
Togan Muftuoglu (toganm)
(revision 98)
Togan Muftuoglu (toganm)
(revision 98)
baserev update by copy to link target
Togan Muftuoglu (toganm)
accepted
request 139762
from
Togan Muftuoglu (toganm)
(revision 97)
- Update to 4.5.9 For more details see changelog.txt and
releasenotes.txt
* This release contains all defect repair from Shorewall 4.5.8.2.
* A typo has been corrected in the shorewallrc.default file.
* Beginning with Shorewall 4.5.7.2, Shorewall unconditionally
restores the provider mark as the first rule in the mangle
table OUTPUT and PREROUTING chains. Previously, the provider
mark was restored only if it was non-zero.
It has become clear that some users need it one way while
others need it the other way. To resolve this issue, a
RESTORE_ROUTEMARKS option has been added to shorewall.conf and
shorewall6.conf. When this option is set to Yes (the default),
the 4.5.7.2 approach is used (always restore the mark, even if
it is zero); when it is set to No, the pre-4.5.7.2 behavior is
retained (only restore the mark if it is non-zero).
* Two error messages produced by the RST action have been
corrected. They previously referred to errors in the NotSyn
action rather than RST.
buildservice-autocommit
accepted
request 137834
from
Togan Muftuoglu (toganm)
(revision 96)
Togan Muftuoglu (toganm)
(revision 96)
baserev update by copy to link target
Togan Muftuoglu (toganm)
accepted
request 137828
from
Togan Muftuoglu (toganm)
(revision 95)
- Update to 4.5.8.2 For more details see changelog.txt and
releasenotes.txt
* The 'shorewall show' command previously produced no output.
That command now works with ipset versions 4 and later.
* The change in 4.5.8.1 that enabled industry-standard IPv4
address representation broke the ability to place IP ranges or
IPv6 ipsets in the hosts file. Those abilities have been
restored.
* The treatment of the SYSTEMD and INITFILE shorewallrc variables
has been inconsistent. The -lite installers ignore INITFILE
when SYSTEMD is specified, while the other installers do not.
Now, the -lite installers install the .service file if SYSTEMD
is specified and they install the sysv-init script if INITFILE
is specified. That is consistent with the behavior of the other
installers.
- Added 0001-remote_fs.patch for shorewall-init sysv-init scripts
buildservice-autocommit
accepted
request 137409
from
Togan Muftuoglu (toganm)
(revision 94)
Togan Muftuoglu (toganm)
(revision 94)
baserev update by copy to link target
Togan Muftuoglu (toganm)
accepted
request 137407
from
Togan Muftuoglu (toganm)
(revision 93)
- Update to 4.5.8.1 For more details see changelog.txt and
releasenotes.txt
* When ipset version 5 or later was installed, the 'shorewall show
dynamic <zone>' command produced no outout and the 'add' command
failed with this error message:
Zone <zone>, interface <interface> does not have a dynamic
host list"
* When generating ipset names for dynamic zones, the compiler was
dropping dashes ('-') from the interface name and adding a unique
suffix. For example the ipset for zone 'foo' and interface 'bar-if'
might be 'foo_barif_1'. Dashes are now retained so that the
generated set name in this example will be 'foo_bar-if'. This change
also allows the 'add' and 'delete' commands to work correctly when
the interface name contains one or more dashes.
Although dash is documented as being an accepted character in ipset
names, names containing a dash would generate an error in some
contexts. That has also been corrected.
* In most contexts, Shorewall6 has required IPv6 addresses to be
enclosed in either angled brackets ( <....> , deprecated) or in
square brackets ([....]). This includes network addresses, where
both the IPv6 address and the VLSM are required to be within the
brackets (e.g., [2001;470:b:787::/64]). This differs from the
industry-standard network form in which the IPv6 address is enclosed
in square brackets and the VLSM is outside of the brackets (e.g.,
[2001:470:b:787::]/64). Beginning with this release, the
industry-standard representation is also accepted by Shorewall6.
Note: Those of you who read the patches will probably have noticed
that much of this change was actually in 4.5.8; because the change
was commited late in the 4.5.8 release cycle, we chose not to
document the change until it had undergone additional testing.
Togan Muftuoglu (toganm)
accepted
request 137233
from
Togan Muftuoglu (toganm)
(revision 92)
- Update to 4.5.8 For more details see changelog.txt and
releasenotes.txt
* This release includes the defect repair from Shorewall 4.5.7.1.
* The restriction that TTL and HL rules could only be placed in
the FORWARD chain prevented these rules from being used to hide
a router from traceroute[6]. It is now allowed to place these
rules in the PREROUTING chain by following the specification
with ':P' (e.g., 'TTL(+1):P').
* Previously, the macro.SNMP macro opened both UDP ports 161 and
162 from SOURCE to DEST. This is against the usual practice of
opening these ports in the opposite direction. Beginning with
this release, port 162 is opened in to SOURCE to DEST as
before, while port 161 is opened from DEST to SOURCE.
* Previously, when compiling for export, both
/etc/shorewall/shorewall[6].conf and the shorewall[6].conf in
the configuration directory were processed. Now, only the copy
in the configuration directory is processed.
* The 'iptables_raw' module has been added to the
modules.essential file.
* Several corrections have been made to the Fedora/Redhat init
script for Shorewall-init.
* The <directory> parameter to the 'try' command is now
documented in the shorewall(8) and shorewall6(8) manpages.
* Some redundant interface-option rules have been removed in
configurations with multiple zones configured on a single
interface.
* Previously, when compiling for export, the compilation would
fail if the setting of SHAREDIR in the firewall's shorewallrc
was different from the setting on the admin system. Such
compilations now succeed.
- For openSUSE 12.3 provide only systemd and drop sysv-init scripts
buildservice-autocommit
accepted
request 135625
from
Togan Muftuoglu (toganm)
(revision 91)
Togan Muftuoglu (toganm)
(revision 91)
baserev update by copy to link target
Togan Muftuoglu (toganm)
accepted
request 135613
from
Togan Muftuoglu (toganm)
(revision 90)
- Since shorewall executables are in /usr/sbin systemd service files now reflect the correct location
Displaying revisions 181 - 200 of 289
