SuSEfirewall2-3.6.378-bp153.1.68

- Fixed a regression in setting up the final LOG/DROP/REJECT rules for IPv6 (bnc#1075251)
- Set RPC related rules also for IPv6 (bnc#1074933)

- logging: correctly set the PID of the logging process

- main script: remove duplicate rules in the rpc rules area (bnc#1069760)
- main script: support --trace messages

- Replace references to /var/adm/fillup-templates with new
  %_fillupdir macro (boo#1069468)

- rpcinfo: recognize execution errors of the perl script and terminate accordingly
- rpcinfo: fixed security issue with too open implicit portmapper rules
  (bnc#1064127): A source net restriction for _rpc_ services was not taken
  into account for the implicitly added rules for port 111, making the portmap
  service accessible to everyone in the affected zone.

- Removed bogus nfs alias units, added correct nfs-client target in
  SuSEfirewall2.service (bnc#946325).
  The nfs alias units are false friends, because they don't fix the startup
  ordering between nfs and SuSEfirewall2.
  The missing nfs-client target could cause nfs mounts for nfs versions < 4.1
  to be unable to receive callbacks from the server, when the nfs client was
  started before the SuSEfirewall2 was started on boot.

- sysctl settings: make list of sysctl.d directories configurable via
  FW_SYSCTL_PATHS (bnc#1044523)

- clarified warning message about FW_ROUTE being enabled but ip_forwarding not configured
- sysctl.d: avoid error messages if no /etc/sysctl.d/*.conf files are existing (bnc#1044523)

- Only consider *.conf files to ignore backup files and similar (bnc#1044523)

- Also check /etc/sysctl.d for custom sysctl overrides (bnc#1044523)
- improved documentation of FW_SERVICES_DROP_... to mention "all" protocols

- implementation of feature FATE#316295: allow incremental update of rpc
  rules:
  By calling "/usr/sbin/SuSEfirewall2 update-rpc [-s service]" you can now
  cause SuSEfirewall to update its rpc related firewall rules to reflect the
  current portmapper state in the system, without affecting the rest of the
  firewall rule set.
  This can for example be put in systemd unit files as ExecStartPost
  directives, to always keep port mapping rules up to date, for certain rpc
  services. Note that you still need to configure the rpc rules in
  /etc/sysconfig/SuSEfirewall2 to make this work. See configuration variables:
  FW_SERVICES_DROP_{EXT,INT,DMZ}
  FW_SERVICES_ACCEPT_{EXT,INT,DMZ}
  FW_SERVICES_{EXT,INT,DMZ}_RPC
- conntrack helpers: explicitly load kernel module to make sure conntrack
  helper rules can be applied and to avoid errors messages if kernel module is
  not loaded

Update to new git release 3.6.351:
- ship ftp-client service file for allowing active ftp client connections
  easily. Also fix use of connection tracker helper on kernel >= 4.7 for ftp.
  (boo#1034341)

Update to new git release 3.6.346:
- harmonized the logic of setting IPv4/IPv6 forwarding when FW_ROUTE is set to
  "yes". Previously only IPv4 forwarding was exclusively set by SuSEfirewall2,
  while IPv6 forwarding could only be set via "yast2 firewall". With this
  update you should always configure IPv4/IPv6 forwarding with yast.
  SuSEfirewall2 will still provide backwards compatibility to temporarily
  enable IPv4/IPv6 forwarding if not already enabled system wide. Also
  forwarding can now be configured separately for IPv4/IPv6 if only one of
  both is required. See FW_ROUTE documentation. (bnc#572202)
- ignore the bootlock when incremental updates for hotplugged or virtual
  devices are coming in during boot. This prevents lockups for example when
  drbd is used with FB_BOOT_FULL_INIT. (bnc#785299)
- fixed a race condition in systemd unit files that could cause the
  SuSEfirewall2_init unit to sporadically fail, because /tmp was not
  there/writable yet. (bnc#1014987)
- support new kernels >= 4.7 that run with
  net.netfilter.nf_conntrack_helper = 0
  by default. Currently only netbios/samba is fully covered. (bnc#986527)
- allow mdns multicast packets input in unconfigured firewall setups (no zones
  configured) to make zeroconf setups (like avahi) work out of the box for
  typical desktops connecting via DSL/WiFi router scenarios. (bnc#959707)
- refurbished the documentation in /usr/share/doc. (bnc#884037)
- updated GPL license texts with the current address from FSF
- support for IPv6 in FW_TRUSTED_NETS config variable. (bnc#841046)
- don't log dropped broadcast IPv6 broadcast/multicast packets by default to
  avoid cluttering the kernel log. (bnc#847193)
- recognize a running libvirtd instance and cause it to recreate its custom
  firewall rules on SuSEfirewall2 reload, to not break VM networking.
  (bnc#884398)
- only apply FW_KERNEL_SECURITY proc settings, if not overriden by the
  administrator in /etc/sysctl.conf (bnc#906136). This allows you to benefit
  from some of the kernel security settings, while overwriting others.
- don't enable FW_LO_NOTRACK by default any more, because it breaks expected
  behaviour in some scenarios (bnc#916771)
- increase security when sourcing external script files by checking file
  ownership and permissions first (to avoid sourcing untrusted files owned by
  non-root or world-writable)
- fixed "/usr/sbin/SUSEfirewall log" pretty logfile parsing functionality when
  running under systemd with journald.

- Install symlink to SuSEfirewall2 with the updated SUSE spelling
  (bsc#938727, FATE#316521)
- Added rpmlintrc file to suppress some bogus warnings during building

- Remove unused PreReq for insserv and fillup

:
- add nfs-server.service too as dependency, remove default.target again
  as it makes trouble (bsc#963740)
- basic.target and SuSEfirewall2 have a loop, remove it bsc#961258

- change dependencies of SUSEfirewall2_init, so it gets run after systemd
  version update brought new dependencies somehow (bsc#963969)

- add default.target, so SuSEfirewall2 final will be started after
  all other services. This is relevant for rpc services like the NFS rpc
  process group, where ports are opened dynamically. bsc#963740

- Merge pull request #5 from hwoarang/firewalld-conflict
- SuSEfirewall2{,_init}.service: Conflict with firewalld service

- basic.service -> basic.target (bsc#961258)