Package Release Info

shorewall-5.1.12.4-bp151.3.1

Update Info: Base Release
Available in Package Hub : 15 SP1

platforms

AArch64
ppc64le
s390x
x86-64

subpackages

shorewall
shorewall-core
shorewall-docs
shorewall-init
shorewall-lite
shorewall6
shorewall6-lite

Change Logs

Version: 5.1.12.4-bp150.2.4
* Sun Apr 15 2018 bruno@ioda-net.ch
- Changes in 5.1.12.3
  Problems Corrected:
  When 'reset' and 'dst' were specified to the IfEvent action,
  the action would incorrectly attempt to reset the event for the
  SOURCE IP address rather than the DEST address. That has been
  corrected.
* Mon Mar 05 2018 bruno@ioda-net.ch
- spec :
  + Minimal changes with spec-cleaner
  + Stop conflicting with other firewall (SuSEFirewall2, firewalld)
    User can have several management tools, and it help preparing
    a migration
- Run shorewall(6) update -A to update your configurations
  Check and adapt them before restarting.
- Changes in 5.1.12.3
  + Update release documents.
  + Ensure that mutex gets released at exit.
- Changes in 5.1.12.2
  + Alter documentation to prefer ';;' over ';' in INLINE and
    IP[6]TABLES rules.
  + Make 'update' convert ';' to ';;' in INLINE, IPTABLES and
    IP6TABLES rules.
  + Correct typo that resulted in an "unknown function" Perl
    diagnostic.
  + Correct "Invalid policy" message.
  + Fix omitted SYN limiting.
- Changes in 5.1.12.1
  + Replace macro.SSDPServer with corrected macro.SSDPserver.
- Changes in 5.1.12 Final
  + Update release documents.
  + Add INLINE_MATCHES=Yes to the deprecated list.
- Changes in 5.1.12 RC 1
  + Update release documents.
  + Minor performance enhancements to Optimize Category 8.
  + Always report IPSET_MATCH.
- Changes in 5.1.12 Beta 2
  + Delete undocumented OPTIMIZE_USE_FIRST option.
  + Merge 5.1.11.
  + Suppress trailing whitespace.
  + Avoid awkward blank lines.
- Changes in 5.1.12 Beta 1
  + Code and manpage cleanup.
  + Allow SNAT in the INPUT chain.
- Changes in 5.1.11 Final
  + Update release documents.
- Changes in 5.1.11 RC 1
  + Update versions and copyrights.
  + Clear the connection mark on forwarded IPSEC tunneled connections
  + Make TRACK_PROVIDERS=Yes the default.
- Changes in 5.1.11 Beta 2
  + Be selective about verification of the conntrack utility when
  + DYNAMIC_BLACKLIST=ipset,disconnect...
  + Don't require shorewall to be started for 'allow' with
    ipset-based DBL.
  + Make address variables play nice with the 'clear' command.
  + Don't unconditionally enable forwarding during 'clear'.
- Changes in 5.1.11 Beta 1
  + Allow non-root to run some 'show' commands.
  + Use synchain name in log messages rather than base chain name.
  + Assume :syn for TCP CT entries in the conntrack file and HELPER.
  + Limit depth of 'find' search when AUTOMAKE=Yes.
- Changes in 5.1.10.2
  + Limit 'find' to depth 1.
  + Don't run find in an empty entry in $CONFIG_PATH
- Changes in 5.1.10.1
  + Fix Shorewall-core installer for sandbox case.
  + Make /etc and /configfiles the same.
- Changes in 5.1.10 Final
  + Add warning re wildcard and OPTIONS.
  + Correct IPv6 Universal interfaces file.
- Changes in 5.1.10 RC 1
  + Correct ingress policing.
  + Fix Shorewall-init recompilation problem.
- Changes in 5.1.10 Beta 2
  + Allow a protocol to be associated with a regular action.
  + Remove the PSH flag from the FIN action.
- Changes in 5.1.10 Beta 1
  + Allow CONFIG_PATH setting to begin with ':' to allow dropping
    the first directory by non-root.
  + Correct several typos in the manpages (Roberto Sánchez).
  + Correct typo in 'dump' processing.
  + Reset all table counters during 'reset'.
- Changes in 5.1.9 Final
  + Use logical interface names in the Sample configs.
- Changes in 5.1.9 RC 1
  + Apply W Van den Akker's OpenWRT/Lede patches.
  + Don't verify IP and SHOREWALL_SHELL paths when compiling for
    export.
  + Support for Redfish remote console in macro.IPMI
- Changes in 5.1.9 Beta 2
  + Merge content from 5.1.8.
- Changes in 5.1.9 Beta 1
  + Update release documents.
  + Add TCPMSS action in the mangle file.
  + Inline the Broadcast action when ADDRTYPE match is available.
  + Support logging in the snat file.
  + Add shorewall-logging(5).
- Changes in 5.1.8 Final
  + Correct 'delete_default_routes()'.
  + Delete default routes from 'main' when a fallback provider is
    successfully enabled.
  + Don't restore default route when a fallback provider is enabled.
  + Issue a warning when 'persistent' is used with
    RESTORE_DEFAULT_ROUTE=Yes.
  + Don't dump SPD entries for the other address family.
  + Fix 'persistent' provider issues.
  + Treat LOG_TARGET the same as all other capabilities.
  + Allow merging of rules with IPSEC policies
* Sun Nov 12 2017 bruno@ioda-net.ch
- spec :
  + use new %_fillupdir macro with env DIRFILLUP in build
  * Redone patches *-fillup-install.patch to use ${DIRFILLUP}
  * use new %_fillupdir macro in files
  + change require perl to perl-base
  + Added conflict with firewalld
  + Refresh list of files and modules
- Run shorewall(6) update -A to update your configurations
  Check and adapt them before restarting.
- 5.1.8.1 release - Recommended action :
  + Update release documents
  + Make persistent routes and rules independent of 'autosrc'
  + Correct 'delete_default_routes()'
  + Delete default routes from 'main' when a fallback provider is
    successfully enabled
  + Don't restore default route when a fallback provider is enabled
  + Issue a warning when 'persistent' is used with
    RESTORE_DEFAULT_ROUTE=Yes
  + Don't dump SPD entries for the other address family
  + Fix 'persistent' provider issues
  + Treat LOG_TARGET the same as all other capabilities
  + Allow merging of rules with IPSEC policies
- 5.1.7.2 release
  Please refer to releasenote.txt for a detailled description.
  As always use shorewall [-6] update and revise your configuration
  + Features summary
  * Module loading streamlined, shorewall [-6] update will remove
    MODULE_SUFFIX configuration
  * Check route if detect is used in gateway column (dhcpd5 has
    now binary encoded .lease)
  * DNAT and REDIRECT support in ShorewallActions
  * Docker configuration support: DOCKER-INGRESS chain.
  + Fixes summary
  * Fix shorewall-snat(5) man page example, DEST column has to be
    read eth0:+myset[dst]
  * Fix invalid vlsm to ipcalc message
  * ADD_IP_ALIASES is set to NO for ipv6 while yes for ipv4
  * Cleanup .tmp in save ipset operations.
  * Command reenable fix for persistent and non-persistent
    interfaces
  * Warn if getattr failed (SeLinux)
- 5.1.6 release
  + Fixes summary
  * $SHAREDIR $CONFIGDIR available again
  * Fix compilation with optimize level 8
  * Be consistant with Netfilter interpretation of 'eth'='eth+'
  * RESTORE_WAIT_OPTION serialize start of ipv4/ipv6 with -w option
  * RDP macros handle also UDP part
  + Features summary
  * Sparse option (not implemented in our spec)
  * Add enable / disable runtime extension script
  * Check zone and subzone to share at least one interface
  * Runtime address and port variables
  * Iptables --wait option used for serialization
* Tue Aug 15 2017 bruno@ioda-net.ch
- Update to bugfix release 5.1.5.2
  + Make build reproducible boo#1047218
  + Fix upgrade from 4x version : dropBcast and dropBcasts are now
    supported boo#1053650
  + Perl 5.26 support
  + Fix for BASIC_FILTERS=Yes and tcfilters
  + Fix USER/GROUP messages
  + MAC address in OUTPUT col in accounting file error is raised
    at compile time
  + Fix port number 0 or > 65535 perl execption
* Sat Aug 12 2017 olaf@aepfle.de
- Update filename in /var/adm/update-messages to match documentation,
  and build-compare pattern
* Wed Jul 12 2017 bruno@ioda-net.ch
- bugfix release 5.1.4.4
  A defect in 5.1.4.3 caused a startup failure when two or more
  'fallback' providers were configured. That has been corrected.
* Thu Jun 29 2017 alarrosa@suse.com
- Fix a typo in %posttrans that would remove the wrong file and could
  cause a problem depending on the execution order of the %pretrans
  and %posttrans scripts for the shorewall and shorewall6 packages.
* Wed Jun 21 2017 bruno@ioda-net.ch
- This stable branch 5.1x will be the new default for Leap 42.3.
  Remember that each time you have an upgrade with changes in Major
  or Major,Minor it is mandatory you upgrade your configuration
  with shorewall(6) update -a /etc/shorewall(6) command.
- Packaging : use pretrans and posttrans to inform user about
  configuration upgrade.
- Bugfix release 5.1.4.3. Problem Corrected:
  When running on prior-generation distributions such as RHEL6,
  IPv6 multi-ISP configurations failed to start due to an error
  such as the following:
  ERROR: Command "ip -6 -6 route replace default scope global
    table 250 nexthop via ::192.88.99.1 dev tun6to4 weight 1"
    Failed
  Such configurations now start successfully.
* Wed Jun 14 2017 bruno@ioda-net.ch
- Bugfix and enhancement release 5.1.4.2
  complete changelog is available
  http://shorewall.net/pub/shorewall/5.1/shorewall-5.1.4/releasenotes.txt
- Main changes
  All IPv6 standard actions have been deleted and their logic
  has been added to their IPv4 counterparts who can now handle
  both address families.
  Previously, ?error and ?require messages as well as verbose ?info
  and ?warning messages (those that report the file and line numbers)
  generated from an action file would report the action file name and
  line number rather than the file and line number where the action
  was invoked. The file and line number where the action was invoked
  were listed second. Beginning with this release, the invoking file
  and line number are listed first and the action file and line number
  are not reported. This allows for creation of clearer messages.
  IPv6 UPnP support (including MINIUPNPD) is now available.
  A PERL_HASH_SEED option has been added to allow the Perl hash seed
  to be specified.  See shorewall.conf(5) and perlsec(1) for details.
* Sat Mar 25 2017 bruno@ioda-net.ch
- Bugfix release 5.1.3.2
  Previously, if a Shorewall Variable (e.g., @chain) was the target
  of a conditional ?RESET directive (one that was enclosed in ?if.
  ?else...?endif logic), the compiler could incorrectly use an
  existing chain created from the action rather than creating a new
  (and different) chain. That has been corrected.
  Previously, if alternate input format specified a column that had
  already been specified, the contents of that column were silently
  overwritten. Now, a warning message is issued stating that the
  prior value has been replaced by the newer value.
* Sun Mar 19 2017 bruno@ioda-net.ch
- Update to last bugfix version 5.1.3.1
  Problems Corrected:
  There was a typo in the BLACKLIST_DEFAULT settings in the 5.1.3
  sample config files, which resulted in a compilation error.
  That typo has been corrected.
  There was also a typo in the two-interface IPv4 sample snat file;
  192.168.0.0/16 was inadvertently entered as 92.168.0.0/16. That has
  been corrected.
  Previously, when processing the policy file, 'all+' was incorrectly
  treated the same as 'all'. That has been corrected so that 'all+'
  causes intra-zone traffic to be included in the policy.
* Wed Mar 15 2017 bruno@ioda-net.ch
- Upgrade to last stable 5.1.3
  For details see changelog.txt and releasenotes.txt containing all
  informations for a correct upgrade path.
- Packaging Redone patches for var-fillup
  + shorewall-fillup-install.patch
  + shorewall-init-fillup-install.patch
  + shorewall-lite-fillup-install.patch
* Sun Feb 12 2017 bruno@ioda-net.ch
- Upgrade to stable 5.1.1
  For details see changelog.txt and releasenotes.txt containing all
  informations for a correct upgrade path.
- Packaging:
  + use proper %{} syntax
  + Adjust year copyright
  + Remove attr on sbindir symlink
  + Move Samples and Contrib to doc package
* Wed Dec 07 2016 bruno@ioda-net.ch
- Upgrade to last stable of 5.0.x version 5.0.15
  For details see changelog.txt and releasenotes.txt containing all
  informations for a correct upgrade path.
- Packaging :
  + Remove all non suse %if
  + Cleanup older non supported version
  + Remove upstream merged patch
  * 0001-remote_fs.patch
  * 0001-required-stop-fix.patch
  + Remove 0001-fillup-install.patch replaced by specific product
    patch for correct usage of var-fillup
  + Added patches for var-fillup when not specific %name6 is also
    supported
  * shorewall-fillup-install.patch
  * shorewall-init-fillup-install.patch
  * shorewall-lite-fillup-install.patch
  + spec-cleaner minimal
* Sun Mar 06 2016 bruno@ioda-net.ch
- Update to last 4x bugfix version 4.6.13.4
  For details see changelog.txt and releasenotes.txt
  - 4.6.13.4
  * This release includes a couple of additional configure/install
    fixes from Matt Darfeuille.
  * The DROP command was previously rejected in the mangle file.
  That has been corrected.
  - 4.6.13.3
  * Previously, Shorewall6 rejected rules in which the SOURCE
  contained both an interface name and a MAC address (in
  Shorewall format). That defect has been corrected so that such
  rules are now accepted.
  * A number of corrections have been made to the install,
  uninstall and configure scripts (Matt Darfeuille).
  * Previously, optional interfaces were not enabled during 'start'
  and 'restart' unless there was at least one entry in the
  'providers' file.  This resulted in these interfaces not
  appearing in the output of 'shorewall[6] status -i'.
  * The check for use of a circular kernel log buffer (as opposed
  to a log file) has been improved.
  * Previously, if a circular log buffer was being used, the output
  of various commands still displayed '/var/log/messages' as the
  log file. Now, it is displayed as 'logread'.
  * When processing the 'dump' command, the CLI now uses 'netstat'
  to print socket information when the 'ss' utility is not
  installed.
  - 4.6.13.2
  * Previously, if statistical load balancing was used in the
  providers file, the default route in the main table was not
  deleted during firewall start/restart. That route is now
  correctly deleted.
  - 4.6.13.1
  * Previously, the 'reset' command would fail if chain names were
    included. Now, the command succeeds, provided that all of the
    specified chains exist in the filter table.
  * The TCP meta-connection is now supported by the Tinc macro and
    tunnel type. Previously, only the UDP data connection was
    supported.
* Tue Sep 15 2015 toganm@opensuse.org
- Update to version 4.6.13 For more details see changelog.txt and
  realeasenotes.txt
  * The 'rules' file manpages have been corrected regarding the
    packets that are processed by rules in the NEW section.
  * Parsing of IPv6 address ranges has been corrected. Previously,
    use of ranges resulted in 'Invalid IPv6 Address' errors.
  * The shorewall6-hosts man page has been corrected to show the
    proper contents of the HOST(S) column.
  * Previously, INLINE statements in the mangle file were not
    recognized if a chain designator (:F, :P, etc.) followingowed
    INLINE(...). As a consequence, additional matches following
    a semicolon were interpreted as column/value pairs unless
    INLINE_MATCHES=Yes, resulting in compilation failure.
  * Inline matches on IP[6]TABLE rules could be ignored if
    INLINE_MATCHES=No. They are now recognized.
  * Specifying an action with a logging level in one of the
    _DEFAULT options in shorewall[6].conf
    (e.g., REJECT_DEFAULT=Reject:info) produced a compilation error:
    ERROR: Invalid value (:info) for first Reject parameter
    /usr/share/shorewall/action.Rejectect (line 52)
    That has been corrected. Note, however, that specifying logging
    with a default action tends to defeat one of the main purposes
    of default actions which is to suppress logging.
  * Previously, it was necessary to set TC_EXPERT=Yes to have full
    access to the user mark in fw marks. That has been corrected so
    that any place that a mark or mask can be specified, both the
    TC mark and the User mark are accessible.
* Tue Jul 14 2015 toganm@opensuse.org
- Update to version 4.6.11 For more details see changelog.txt and
  releasenotes.txt
  * Previously, when the -c option was given to the 'compile'
    command, the progress message "Compiling..." was issued before
    it was determined if compilation was necessary.  Now, that message
    is suppressed when re-compilation is not required.
  * Previously, when the -c option was given to the 'compile'
    command, the 'postcompile' extension script was executed even when
    there was no (re-)compilation. Now, the 'postcompile' script is
    only invoked  when a new script is generated.
  * If CONFDIR was other than /etc, then ordinary users would not
    receive a clear error message when they attempted to execute
    one of the commands that change the firewall state.
  * Previously, IPv4 DHCP client broadcasts were blocked by the
    'rpfilter' interface option. That has been corrected.
  * The 'update' command incorrectly added the INLINE_MATCHES
    option to shorewall6.conf with a default value of 'Yes'. This
    caused 'start' to fail with invalid ip6tables rules when the alternate
    input format using ';' is used.
    Note: This last issue is not documented in the release notes
    included with the release.
* Wed Jun 17 2015 toganm@opensuse.org
- Update to version 4.6.10.1 For more details see changelog.txt and
  releasenotes.txt
  * Indentation is now consistent in lib.core (Tuomo Soini).
  * The first problem corrected in 4.6.10 below was incomplete. It
    is now complete (Tuomo Soini).
  * Similarly, the second fix was also incomplete and is now
    completed  (Tuomo Soini).
* Thu May 07 2015 toganm@opensuse.org
- Update to version 4.6.9 For more details see changelog.txt and
  releasenotes.txt
  * This release contains defect repair from Shorewall 4.6.8.1 and
    earlier releases.
  * The means for preventing loading of helper modules has been
    clarified in the documentation.
  * The SetEvent and ResetEvent actions previously set/reset the
    event even if the packet did not match the other specified
    columns. This has been corrected.
  * Previously, the 'show capabilities' command was ignoring the
    HELPERS setting. This resulted in unwanted modules being
    autoloaded  and, when the -f option was given, an incorrect
    capabilities file was generated.
  * Previously, when 'wait' was specified for an interface, the
    generated script erroneously checked for required interfaces on
    all commands rather than just start, restart and restore.
* Tue Apr 14 2015 toganm@opensuse.org
- Update to version 4.6.8.1 For more details see changnlog.txt and
  releasenotes.txt
  * Previously, when servicd was installed and there were one or
    more required interfaces, the firewall would fail to start at
    boot.This has been corrected by Tuomo Soini.
  * Some startup logic in lib.cli has been deleted. A bug prevented
    the code from working as intended, so there is no loss of
    functionality resulting from deletion of the code.