Revisions of shorewall
buildservice-autocommit accepted request 132376 from Togan Muftuoglu (toganm) (revision 89)
baserev update by copy to link target

Togan Muftuoglu (toganm) accepted request 132373 from Togan Muftuoglu (toganm) (revision 88)
- Update to 4.5.7.1
  For more details see changelog.txt and releasenotes.txt
  * When using IPSEC in a multi-ISP configuration, it is possible for the kernel to mis-route ESP packets. To date, this problem has only been observed on a system running a 3.5 kernel where traffic is being tunneled through GRE which is in turn being tunneled via IPSEC. This Shorewall release includes a low-cost workaround.
  * The Netfilter team have announced their intention to remove the NOTRACK target in favor of 'CT --notrack'. Shorewall will now map NOTRACK to 'CT --notrack' if the CT Target is available.
  * Previously, the current COMMENT was not being cleared after the blrules file was processed, causing that COMMENT to be used on entries in the rules file. That defect has been corrected.
- Add a note to the spec for reviewer explaining the configure command usage
- Removed following opensuse specific patches as they are merged to upstream now
  + shorewall-lite-4.5.2-init.patch
  + shorewall6-4.5.2-init.patch
  + shorewall6-lite-4.5.2-init.patch
  + shorewall-init-4.4.21_init_sh.patch
- Added 001-required-stop-fix patch for shorewall-lite/init.suse.sh

buildservice-autocommit accepted request 131525 from Togan Muftuoglu (toganm) (revision 87)
baserev update by copy to link target

Togan Muftuoglu (toganm) accepted request 131522 from Togan Muftuoglu (toganm) (revision 86)
- Update to 4.5.7
  For more details see changelog.txt and releasenotes.txt
  * This release includes the defect repair from Shorewall 4.5.6.2.
  * The command 'shorewall enable pppX' could fail with the ip diagnostic
      Error: either "to" is duplicate, or "weight" is a garbage.
    Shorewall now generates the correct ip command.
  * Optimize level 4 could previously combine two rules that each specified the 'policy' match, leading to this iptables-restore failure:
      policy match: multiple elements but no --strict
    The optimizer now avoids combining such rules. While this is a long-standing defect in the optimizer, it was exposed by changes in Shorewall 4.5.6.
  * There were several cases where hard-wired directory names appeared in the tarball installers. These have been replaced with the appropriate shorewallrc variables.
  * A defect in RHEL 6.3 and derivatives causes 'shorewall show capabilities' to leave an empty ipset in the configuration. The same defect can cause the Shorewall compiler to similarly leave an empty ipset behind. This Shorewall release has a workaround for this problem.
- Added Bash >= 4 to BuildRequires
- Fix builds for Fedora

buildservice-autocommit accepted request 130455 from Togan Muftuoglu (toganm) (revision 85)
baserev update by copy to link target

Togan Muftuoglu (toganm) accepted request 130454 from Togan Muftuoglu (toganm) (revision 84)
- Update to 4.5.6.2
  For more details see changelog.txt and releasenotes.txt
  * The compiler now generates an error when a SOURCE interface is specified in a rule where the SOURCE zone is the firewall itself.
  * Previously, entries in /etc/shorewall/notrack that specified a Vserver zone in the SOURCE column were omitted from the generated ruleset.
  * The set of helpers available in the notrack file and in the HELPER column of the tcrules file was incorrect:
    - The Amanda helper requires a UDP port -- Shorewall was requiring TCP.
    - The H323 module supplies two helpers: 'RAW' and 'Q.931'; Shorewall only accepted 'h323'.
    - The Netbios NS module supplies the 'netbios-ns' helper; Shorewall only accepted 'netbios_ns'.
  * The conditional directive '?IF 0' generated an error from the compiler. It now causes following lines to be omitted.

buildservice-autocommit accepted request 127519 from Togan Muftuoglu (toganm) (revision 83)
baserev update by copy to link target

Togan Muftuoglu (toganm) accepted request 127518 from Togan Muftuoglu (toganm) (revision 82)
- Update to 4.5.6
  For more details see changelog.txt and releasenotes.txt
  * This release includes the defect repairs from Shorewall 4.5.5.1 through 4.5.5.4.
  * Previously, the tcrules file was not processed when TC_ENABLED=No. That meant that to use features like TPROXY, it was necessary to set TC_ENABLED=Yes and create a dummy /etc/shorewall/tcstart file. Now, only MANGLE_ENABLED=Yes is required.

buildservice-autocommit accepted request 126787 from Togan Muftuoglu (toganm) (revision 81)
baserev update by copy to link target

Togan Muftuoglu (toganm) accepted request 126786 from Togan Muftuoglu (toganm) (revision 80)
- Update to 4.5.5.3
  For more details see changelog.txt and releasenotes.txt
  * When logical interface names were used, an entry in tcrules that included a classid could result in the compiler failing with this Perl diagnostic:
      Can't use an undefined value as an ARRAY reference at /usr/share/shorewall/Shorewall/Tc.pm line nnn, <$currentfile> line 20.

buildservice-autocommit accepted request 125144 from Togan Muftuoglu (toganm) (revision 79)
baserev update by copy to link target

Togan Muftuoglu (toganm) accepted request 125142 from Togan Muftuoglu (toganm) (revision 78)
- Update to 4.5.5.1
  For more details see changelog.txt and releasenotes.txt
  * The change in Shorewall 4.5.4 that cleared the 'default' table if there were no 'fallback' providers broke multiple 'fallback' providers that don't supply a weight. The symptoms were that there were host routes to the default gateways in the 'default' routing table but no default routes through those gateways. This has now been corrected and multiple 'fallback' routes are once again supported.
  * When a logical device name was specified in the REDIRECTED INTERFACES column of /etc/shorewall/tcdevices, that name was used in the generated script rather than the device's physical name. Unless the two were the same, this caused start/restart failure. Shorewall now uses the physical name.

buildservice-autocommit accepted request 124348 from Togan Muftuoglu (toganm) (revision 77)
baserev update by copy to link target

Togan Muftuoglu (toganm) accepted request 124332 from Togan Muftuoglu (toganm) (revision 76)
- Update to 4.5.5
  For more details see changelog.txt and releasenotes.txt
  * This release includes all defect repair from Shorewall 4.5.4.1 and 4.5.4.2.
  * The Shorewall compiler sometimes must defer generating a rule until runtime. This is done by placing shell commands in its internal representation of a chain. These commands are then executed at run time to create the final rule. If all of the following were true, then an incorrect ruleset could be generated:
    + Optimization level 4 was set.
    + A chain (chain A) containing shell commands had three or fewer rules and commands.
    + The last rule in a second chain was a conditional jump to chain A.
    Under these conditions, the rules and commands in Chain A
  * The Shorewall-core configure and configure.pl script were treating SYSCONFDIR as a synonym for CONFDIR making it impossible to set SYSCONFDIR.

Togan Muftuoglu (toganm) accepted request 124106 from Togan Muftuoglu (toganm) (revision 75)
- Update to 4.5.4.2
  For more details see changelog.txt and releasenotes.txt
  * The problems corrected section of the 4.5.4.1 release notes was missing the third problem corrected in the release. It has now been added.
  * A number of problems in Shorewall-init have been corrected:
    + If more than one product was listed in the PRODUCTS setting in /etc/default/shorewall-init (/etc/sysconfig/shorewall-init) then the second product would not be started/stopped.
    + Shorewall-init used 'restart' in response to an optional provider interface coming up. If the interface has been marked unusable (1 in the interface's .status file), then the 'restart' would not enable the interface.
    + Shorewall-init produced a lot of clutter on the console during boot. You may now specify a LOGFILE in /etc/default/shorewall-init (/etc/sysconfig/shorewall-init) and all output produced by up and down events will be sent to that log. If no log is specified, this output is sent to /dev/null.
  * The order in which the compiler processes line-continuation (line ending in '\') and conditional-inclusion directives (?IF, ?ELSE, and ?ENDIF) has been reversed. Previously, the compiler built a concatenated line, then checked to see if the line began with ?IF, ?ELSE or ?ENDIF. Now, the compiler checks for ?IF, ?ELSE or ?ENDIF first and prevents those lines from becoming part of the concatenation.
  * Two issues with the shorecap programs have been corrected:
    + The Shorewall6-lite version failed to run with the message:
        /usr/share/shorewall6-lite/lib.cli: No such file or directory

buildservice-autocommit accepted request 123172 from Togan Muftuoglu (toganm) (revision 74)
baserev update by copy to link target

Togan Muftuoglu (toganm) accepted request 123169 from Togan Muftuoglu (toganm) (revision 73)
- Update to 4.5.4.1
  For more details see changelog.txt and releasenotes.txt
  * Beginning with Shorewall 4.4.22, the 'pptpserver' tunnel type has been configured as a PPTP client running on the firewall rather than as a server on the firewall. It is now correctly configured as a server.
  * The shorewall-accounting (5) and shorewall6-accounting (5) documentation for the IPSEC column is incorrect. Rather than 'accountin' and 'accountout', the chain names should be 'accipsecin' and 'accipsecout'.
  * IPSEC accounting did not work if the accounting file was sectioned. Beginning with this release, the IPSEC column can be specified in any section. As always, the IPSEC column contains a comma-separated list of items. In the FORWARD chain, the first (or only) item in the list must be either 'in' or 'out' to indicate whether the rule matches incoming packets that have been decrypted ('in') or outgoing packets that will be encrypted ('out'). There are no restrictions with respect to which chain IPSEC rules can appear in a sectioned file.

buildservice-autocommit accepted request 122613 from Togan Muftuoglu (toganm) (revision 72)
baserev update by copy to link target

Togan Muftuoglu (toganm) accepted request 122494 from Togan Muftuoglu (toganm) (revision 71)
- Update to 4.5.4
  For more details see changelog.txt and releasenotes.txt
  * When EXPORTMODULES=No in shorewall.conf, the error messages have been eliminated
  * If the configuration settings in the PACKET MARK LAYOUT section of shorewall.conf (shorewall6.conf) had empty settings, the 'update' command would previously set them to their default settings. It now leaves them empty.
  * Previously, Shorewall used 'unreachable' routes to null-route the RFC1918 subnets. This approach has two drawbacks:
    - It can cause problems for IPSEC in that it can cause packets to be rejected rather than encrypted and forwarded.
    - It can return 'host unreachable' ICMPs to other systems that attempt to route RFC1918 addresses through the firewall.
    To eliminate these problems, Shorewall now uses 'blackhole' routes. Such routes don't interfere with IPSEC and silently drop packets rather than return an ICMP.
  * The 'default' routing table is now cleared if there are no 'fallback' providers.
  * Tproxy implementation has been reworked. For more details please consult the releasenotes.txt and changelog.txt

buildservice-autocommit accepted request 121134 from Togan Muftuoglu (toganm) (revision 70)
baserev update by copy to link target