Revisions of shorewall

buildservice-autocommit accepted request 132376 from Togan Muftuoglu (toganm) (revision 89)
baserev update by copy to link target
Togan Muftuoglu (toganm) accepted request 132373 from Togan Muftuoglu (toganm) (revision 88)
- Update to 4.5.7.1. For more details see changelog.txt and
  releasenotes.txt
  * When using IPSEC in a multi-ISP configuration, it is possible
    for the kernel to mis-route ESP packets. To date, this problem
    has only been observed on a system running a 3.5 kernel where
    traffic is being tunneled through GRE which is in turn being
    tunneled via IPSEC.
    This Shorewall release includes a low-cost workaround.
  * The Netfilter team have announced their intention to remove the
    NOTRACK target in favor of 'CT --notrack'. Shorewall will now
    map NOTRACK to 'CT --notrack' if the CT Target is available.
  * Previously, the current COMMENT was not being cleared after the
    blrules file was processed, causing that COMMENT to be used on
    entries in the rules file. That defect has been corrected.
- Add a note to the spec for reviewer explaining the configure
  command usage
- Removed following opensuse specific patches as they are merged to
  upstream now
   + shorewall-lite-4.5.2-init.patch
   + shorewall6-4.5.2-init.patch
   + shorewall6-lite-4.5.2-init.patch
   + shorewall-init-4.4.21_init_sh.patch
- Added 001-required-stop-fix patch for shorewall-lite/init.suse.sh
buildservice-autocommit accepted request 131525 from Togan Muftuoglu (toganm) (revision 87)
baserev update by copy to link target
Togan Muftuoglu (toganm) accepted request 131522 from Togan Muftuoglu (toganm) (revision 86)
- Update to 4.5.7. For more details see changelog.txt and
  releasenotes.txt
  * This release includes the defect repair from Shorewall 4.5.6.2.
  * The command 'shorewall enable pppX' could fail with the ip
    diagnostic Error: either "to" is duplicate, or "weight" is a
    garbage.
     Shorewall now generates the correct ip command.
  * Optimize level 4 could previously combine two rules that each
    specified the 'policy' match, leading to this iptables-restore
    failure:
        policy match: multiple elements but no --strict
     The optimizer now avoids combining such rules.
     While this is a long-standing defect in the optimizer, it was
     exposed by changes in Shorewall 4.5.6.
   * There were several cases where hard-wired directory names
     appeared in the tarball installers. These have been replaced
     with the appropriate shorewallrc variables.
   * A defect in RHEL 6.3 and derivatives causes 'shorewall show
     capabilities' to leave an empty ipset in the configuration. The
     same defect can cause the Shorewall compiler to similarly leave
     an empty ipset behind.
     This Shorewall release has a workaround for this problem.
- Added Bash >= 4 to BuildRequires
- Fix builds for Fedora

buildservice-autocommit accepted request 130455 from Togan Muftuoglu (toganm) (revision 85)
baserev update by copy to link target
Togan Muftuoglu (toganm) accepted request 130454 from Togan Muftuoglu (toganm) (revision 84)
- Update to 4.5.6.2. For more details see changelog.txt and
  releasenotes.txt
  * The compiler now generates an error when a SOURCE interface is
    specified in a rule where the SOURCE zone is the firewall
    itself.
  * Previously, entries in /etc/shorewall/notrack that specified a
    Vserver zone in the SOURCE column were omitted from the
    generated ruleset.
  * The set of helpers available in the notrack file and in the
    HELPER column of the tcrules file was incorrect:
     - The Amanda helper requires a UDP port -- Shorewall was
       requiring TCP.
     - The H323 module supplies two helpers: 'RAW' and 'Q.931';
       Shorewall only accepted 'h323'.
     - The Netbios NS module supplies the 'netbios-ns' helper;
       Shorewall only accepted 'netbios_ns'.
  * The conditional directive '?IF 0' generated an error from the
    compiler. It now causes following lines to be omitted.
buildservice-autocommit accepted request 127519 from Togan Muftuoglu (toganm) (revision 83)
baserev update by copy to link target
Togan Muftuoglu (toganm) accepted request 127518 from Togan Muftuoglu (toganm) (revision 82)
- Update to 4.5.6. For more details see changelog.txt and
  releasenotes.txt
  * This release includes the defect repairs from Shorewall 4.5.5.1
     through 4.5.5.4.
  * Previously, the tcrules file was not processed when
    TC_ENABLED=No. That meant that to use features like TPROXY, it
    was necessary to set TC_ENABLED=Yes and create a dummy
    /etc/shorewall/tcstart file. Now, only MANGLE_ENABLED=Yes is
    required.
buildservice-autocommit accepted request 126787 from Togan Muftuoglu (toganm) (revision 81)
baserev update by copy to link target
Togan Muftuoglu (toganm) accepted request 126786 from Togan Muftuoglu (toganm) (revision 80)
- Update to 4.5.5.3. For more details see changelog.txt and
  releasenotes.txt
  * When logical interface names were used, an entry in tcrules
    that included a classid could result in the compiler failing with
    this Perl diagnostic:
      Can't use an undefined value as an ARRAY reference at
      /usr/share/shorewall/Shorewall/Tc.pm line nnn, <$currentfile>
      line 20.
buildservice-autocommit accepted request 125144 from Togan Muftuoglu (toganm) (revision 79)
baserev update by copy to link target
Togan Muftuoglu (toganm) accepted request 125142 from Togan Muftuoglu (toganm) (revision 78)
- Update to 4.5.5.1. For more details see changelog.txt and
  releasenotes.txt
  * The change in Shorewall 4.5.4 that cleared the 'default' table
    if there were no 'fallback' providers broke multiple 'fallback'
    providers that don't supply a weight. The symptoms were that
    there were host routes to the default gateways in the 'default'
    routing table but no default routes through those gateways.
    This has now been corrected and multiple 'fallback' routes are
    once again supported.
   * When a logical device name was specified in the REDIRECTED
     INTERFACES column of /etc/shorewall/tcdevices, that name was
     used in the generated script rather than the device's physical
     name. Unless the two were the same, this caused start/restart
     failure. Shorewall now uses the physical name.
buildservice-autocommit accepted request 124348 from Togan Muftuoglu (toganm) (revision 77)
baserev update by copy to link target
Togan Muftuoglu (toganm) accepted request 124332 from Togan Muftuoglu (toganm) (revision 76)
- Update to 4.5.5. For more details see changelog.txt and
  releasenotes.txt
  * This release includes all defect repair from Shorewall 4.5.4.1
     and 4.5.4.2.
  * The Shorewall compiler sometimes must defer generating a rule
    until runtime. This is done by placing shell commands in its
    internal representation of a chain. These commands are then
    executed at run time to create the final rule.
    If all of the following were true, then an incorrect ruleset
    could be generated:
    + Optimization level 4 was set.
    + A chain (chain A) containing shell commands had three or
      fewer rules and commands.
    + The last rule in a second chain was a conditional jump to
     chain A.
     Under these conditions, the rules and commands in Chain A
  * The Shorewall-core configure and configure.pl script were
    treating SYSCONFDIR as a synonym for CONFDIR making it
    impossible to set SYSCONFDIR.
Togan Muftuoglu (toganm) accepted request 124106 from Togan Muftuoglu (toganm) (revision 75)
- Update to 4.5.4.2. For more details see changelog.txt and
  releasenotes.txt
  * The problems corrected section of the 4.5.4.1 release notes was
    missing the third problem corrected in the release. It has now
    been added.
  * A number of problems in Shorewall-init have been corrected:
     + If more than one product was listed in the PRODUCTS setting
       in /etc/default/shorewall-init (/etc/sysconfig/shorewall-init)
       then the second product would not be started/stopped.
     + Shorewall-init used 'restart' in response to an optional
       provider interface coming up. If the interface has been
       marked unusable (1 in the interface's .status file), then the
       'restart' would not enable the interface.
     + Shorewall-init produced a lot of clutter on the console
       during boot. You may now specify a LOGFILE in
       /etc/default/shorewall-init (/etc/sysconfig/shorewall-init)
       and all output produced by up and down events will be sent to
       that log. If no log is specified, this output is sent to
       /dev/null.
   * The order in which the compiler processes line-continuation
     (line ending in '\') and conditional-inclusion directives (?IF,
     ?ELSE, and ?ENDIF) has been reversed.
     Previously, the compiler built a concatenated line, then
     checked to see if the line began with ?IF, ?ELSE or ?ENDIF. Now, the
     compiler checks for ?IF, ?ELSE or ?ENDIF first and prevents
     those lines from becoming part of the concatenation.
   * Two issues with the shorecap programs have been corrected:
     + The Shorewall6-lite version failed to run with the message:
        /usr/share/shorewall6-lite/lib.cli: No such file or
        directory
buildservice-autocommit accepted request 123172 from Togan Muftuoglu (toganm) (revision 74)
baserev update by copy to link target
Togan Muftuoglu (toganm) accepted request 123169 from Togan Muftuoglu (toganm) (revision 73)
- Update to 4.5.4.1. For more details see changelog.txt and
  releasenotes.txt
  * Beginning with Shorewall 4.4.22, the 'pptpserver' tunnel type
    has been configured as a PPTP client running on the firewall
    rather than as a server on the firewall. It is now correctly
    configured as a server.
  * The shorewall-accounting (5) and shorewall6-accounting (5)
    documentation for the IPSEC column is incorrect. Rather than
    'accountin' and 'accountout', the chain names should be
    'accipsecin' and 'accipsecout'.
  * IPSEC accounting did not work if the accounting file was
     sectioned. Beginning with this release, the IPSEC column can
     be specified in any section. As always, the IPSEC column
     contains a comma-separated list of items. In the FORWARD
     chain, the first (or only) item in the list must be either
     'in' or 'out' to indicate whether the rule matches incoming
     packets that have been decrypted ('in') or outgoing packets
     that will be encrypted ('out'). There are no restrictions with
     respect to which chain IPSEC rules can appear in a sectioned
     file.
buildservice-autocommit accepted request 122613 from Togan Muftuoglu (toganm) (revision 72)
baserev update by copy to link target
Togan Muftuoglu (toganm) accepted request 122494 from Togan Muftuoglu (toganm) (revision 71)
- Update to 4.5.4. For more details see changelog.txt and
  releasenotes.txt
  * When EXPORTMODULES=No in shorewall.conf, the error messages
    have been eliminated.
  * If the configuration settings in the PACKET MARK LAYOUT section
    of shorewall.conf (shorewall6.conf) had empty settings, the
    'update' command would previously set them to their default
    settings. It now leaves them empty.
  * Previously, Shorewall used 'unreachable' routes to null-route
    the RFC1918 subnets. This approach has two drawbacks:
     - It can cause problems for IPSEC in that it can cause packets
       to be rejected rather than encrypted and forwarded.
     - It can return 'host unreachable' ICMPs to other systems that
       attempt to route RFC1918 addresses through the firewall.
     To eliminate these problems, Shorewall now uses 'blackhole'
     routes.
     Such routes don't interfere with IPSEC and silently drop
     packets rather than return an ICMP.
  * The 'default' routing table is now cleared if there are no
     'fallback' providers.
  * Tproxy implementation has been reworked. For more details
    please consult the releasenotes.txt and changelog.txt.
buildservice-autocommit accepted request 121134 from Togan Muftuoglu (toganm) (revision 70)
baserev update by copy to link target