Revisions of shorewall
Stephan Kulow (coolo) accepted request 241676 from Togan Muftuoglu (toganm) (revision 65)
- Update to version 4.6.2.1 For more details see changelog.txt and releasenotes.txt * Two issues with tcrules processing have been corrected: + SAVE and RESTORE generated fatal compilation errors. + '|' and '&' were ignored. That issue is also present in the processing of the mangle file * Version 4.6.2 changes + The DSCP match in the mangle and tcrules files didn't work with service class names such as EF, BE, CS1, ... + The SAVE and RESTORE actions were disallowed in the OUTPUT chain in tcrules and mangle; this was a regression from 4.5.21. + Additional ports required by Asus, Supermicro and Dell have been added to the IPMI macro (Tuomo Soini). + Some issues regarding install under Cygwin64 have been addressed. - configure.pl did not understand CYGWIN returned from `uname` - Shorewall-core install.sh did not understand CYGWIN returned from `uname`. - The Shorewall and Shorewall6 installers tried to run the command 'mkdir -p //etc/shorewall[6]' which is broken in the current Cygwin64. (forwarded request 241675 from toganm)
Stephan Kulow (coolo) accepted request 240826 from Factory Maintainer (factory-maintainer) (revision 64)
Automatic submission by obs-autosubmit
Stephan Kulow (coolo) accepted request 239258 from Togan Muftuoglu (toganm) (revision 63)
- Update to version 4.6.1.3 For more details see changelog.txt and releasenotes.txt * Use of the 'IfEvent' action resulted in a compilation failure: ERROR: -j is only allowed when the ACTION is INLINE with no parameter /usr/share/shorewall/action.IfEvent (line 139) from /etc/shorewall/action.SSHKnock (line 8) from /etc/shorewall/rules (line 31) (forwarded request 239257 from toganm)
Stephan Kulow (coolo) accepted request 238055 from Togan Muftuoglu (toganm) (revision 62)
- Update to version 4.6.1.1 For more details see changelog.txt and releasenotes.txt * An improved error message is generated when a server address list is specified in the DEST column of a DNAT or REDIRECT rule. At one time, iptables supported such lists, but now only a single address or an address range is supported. The previous error message was: ERROR: Unknown Host (192.168.1.4,192.168.1.22) The new error message is: ERROR: An address list (192.168.1.4,192.168.1.22) is not allowed in the DEST column of a xxx RULE where xxx is DNAT or REDIRECT as appropriate. * Two problems have been corrected in the Shorewall-init Debian init script. + A cosmetic problem which resulted in 'echo_notdone' being displayed on failure rather than 'not done'. + More seriously, the test for the existence of compiled firewall scripts was incorrect, with the result that the firewall scripts were not executed. These defects, introduced in Shorewall 4.5.17, have now been corrected. - Restating that CHECKSUM.patch is removed since braindead factory-auto scripts do not understand previous comment (forwarded request 238054 from toganm)
Stephan Kulow (coolo) accepted request 236004 from Togan Muftuoglu (toganm) (revision 61)
- Update to version 4.6.0.3 For more details see changelog.txt and releasenotes.txt * 1:1 NAT is now enabled in IPv6. * subtle interaction between NAT and sub-zones is explained in shorewall-nat. * The 'show filters' command now works with Simple TC. (forwarded request 236003 from toganm)
Stephan Kulow (coolo) accepted request 235533 from Togan Muftuoglu (toganm) (revision 60)
- Update to version 4.6.0.2 For more details see changelog.txt and releasenotes.txt * The 'upgrade -A' command now converts the tcrules file to a mangle file. Previously, that didn't happen. * The install components now support RHEL7. * Whitespace issues in the skeleton configuration files have been corrected (Tuomo Soini). * FAQ 2e has been added which describes additional steps required to achieve hairpin NAT on a bridge where the modified packets are to go out the same bridge port as they entered. * shorewall-masq(5) has been corrected to include the word SOURCE on the description of that column. Previously, the description read '(formerly called SUBNET)'. * The output of 'shorewall show filters' once again shows ingress (policing) filters. This works around undocumented changes to the behavior of the 'tc' utility. - removed backported CHECKSUM.patch (forwarded request 235532 from toganm)
Stephan Kulow (coolo) accepted request 234821 from Togan Muftuoglu (toganm) (revision 59)
- Update to version 4.6.0. For more details see changelog.txt and releasenotes.txt. Since this is a major release for those who are migrating from previous version, it is important to read the above mentioned notes. * This release includes all defect repair from releases up through 4.5.21.9. - Backported CHECKSUM.patch (forwarded request 234820 from toganm)
Stephan Kulow (coolo) accepted request 228396 from Togan Muftuoglu (toganm) (revision 58)
- Update to version 4.5.21.9 For more details see changelog.txt and releasenotes.txt * The output of 'shorewall show capabilities' always showed the 'Recent match --reap option' as 'Not Available'. 'shorewall show -fcapabilities' correctly reported the capability. * When a rules file section other than NEW began with a ?COMMENT directive, the comment would erroneously appear in the rule which jumps to the section chain as well as in the rules directly related to the following entries. * Rule comments were omitted from the compiler's 'trace' output in some cases. * When FASTACCEPT=Yes, ESTABLISHED,RELATED accept rules were incorrectly omitted from an interface's _in and _fwd chains when 'rpfilter' was specified in the interface's entry in /etc/shorewall[6]/interfaces. (forwarded request 228395 from toganm)
Stephan Kulow (coolo) accepted request 226842 from Togan Muftuoglu (toganm) (revision 57)
- Update to version 4.5.21.8 For more details see changelog.txt and releasenotes.txt * If an rtrules entry duplicated a Shorewall-generated route rule but had a lower priority than the generated one has (20000), then a disable/enable sequence on the provider would result in duplicate rules with priority 20000. * When 'shorewall[6] debug [re]start' was run, any error messages generated because of ip[6]tables command errors would not include '-t table'. - Remove 0001-fix-release-version.patch (forwarded request 226841 from toganm)
Stephan Kulow (coolo) accepted request 225410 from Togan Muftuoglu (toganm) (revision 56)
- Update to version 4.5.21.7 For more details see changelog.txt and releasenotes.txt * The help text for the 'dump' command has been updated to include all valid options. * The behavior of ADMINISABSENTMINDED=No is corrected. Previously, 'shorewall stop' would not block existing connections regardless of the setting of this option. Beginning with this release, the behavior of ADMINISABSENTMINDED=No depends on whether the routestopped or the stoppedrules file defines the allow connections while the firewall is stopped. If there are entries in /etc/shorewall[6]/routestopped or if there are no entries in /etc/shorewall[6]/stoppedrules, then the behavior of ADMINISABSENTMINDED=No is as documented (existing connections are blocked unless they are allowed by /etc/shorewall[6]/routestopped). If there are no entries in /etc/shorewall[6]/stoppedrules, then the behavior is as if ADMINISABSENTMINDED=Yes and a warning message is generated. - Add 0001-fix-release-version.patch to correct version info of the releasenotes.txt (forwarded request 225409 from toganm)
Stephan Kulow (coolo) accepted request 220674 from Togan Muftuoglu (toganm) (revision 55)
- Update to version 4.5.21.6 For more details see changelog.txt and releasenotes.txt * When a non-terminating target specified logging, the compiler would erroneously generate a 'goto' (-g) iptables command rather than a 'jump' (-j) command. This caused the wrong set of rules to be traversed, usually the catchall 'REJECT' or 'DROP' rule at the end of the INPUT or FORWARD chain. The compiler now generates a 'jump' rule in these cases. * When an interface containing a period (such as a VLAN interface) was used in an 'add' or 'delete' command, the wrong ipset name was generated, resulting in failure of the command. (forwarded request 220673 from toganm)
Stephan Kulow (coolo) accepted request 214540 from Togan Muftuoglu (toganm) (revision 54)
- Update to version 4.5.21.5 For more details see changelog.txt and releasenotes.txt * A number of minor updates have been made to the documentation and manpages. * The 'postcompile' extension script is now documented at http://www.shorewall.org/shorewall_extension_scripts.htm * The 'add' command previously failed if 'IPSET=' appeared in the shorewall.conf file. This has been corrected. (forwarded request 214539 from toganm)
Stephan Kulow (coolo) accepted request 208195 from Togan Muftuoglu (toganm) (revision 53)
- Update to version 4.5.21.4 For more details see changelog.txt and releasenotes.txt * The Broadcast actions have been corrected: - --dst-type BROADCAST has been removed from the IPv6 version - A superfluous DROP rule in the IPv4 version has been suppressed. * Previously, if an HFSC class was specified with dmax but not umax, then the firewall would fail to start with the messages: Nov 14 13:42:42 Setting up Traffic Control... HFSC: Illegal "umax" HFSC: Illegal "sc" ERROR: Command "tc class add dev eth1 parent 1:1 classid 1:110 hfsc sc umax b dmax 150ms rate 1575kbit ul rate 3150kbit" Failed That problem has been corrected. * The tcrules file now supports DROP entries to allow early dropping of DOS packets. (forwarded request 208194 from toganm)
Tomáš Chvátal (scarabeus_factory) accepted request 204238 from Togan Muftuoglu (toganm) (revision 52)
- Update to version 4.5.21.2 For more details see changelog.txt and releasenotes.txt * Previously, the AutoBL action would fail if the kernel and iptables did not support the Recent Match '--reap' option. A new REAP_OPTION capability has been added to work around this issue. * The Shorewall-core installer no longer reports an error from 'cp' stating that it could not stat the shorewallrc file. * When a non-root user attempts to execute 'version -a', the CLI no longer attempts to get the version of the compiled firewall. Previously, the command issued the following diagnostic when run by non-root: /sbin/shorewall: /var/lib/shorewall/firewall: Permission denied * Shorewall no longer uses 'fgrep' thus allowing for use on systems without that utility. All uses of 'fgrep' have been replaced by 'grep -F'. * Placing |<mark> in the ACTION column of the tcrules file no longer raises a fatal compilation error. (forwarded request 204237 from toganm)
Tomáš Chvátal (scarabeus_factory) accepted request 202676 from Togan Muftuoglu (toganm) (revision 51)
- Update to version 4.5.21.1 For more details see changelog.txt and releasenotes.txt * Problems with the Shorewall Init installer (install.sh) were corrected. These problems affected initial Gentoo and Debian installs. * A problem that prevented multiple ICMP/ICMP6 types to be specified in a rule has been corrected. * Previously, an attempt to specify RAS or Q.931 in the HELPER column was rejected with an error. * The 'nohostroute' provider option was not honored in the default table when USE_DEFAULT_RT=Yes. (forwarded request 202675 from toganm)
Tomáš Chvátal (scarabeus_factory) accepted request 202078 from Togan Muftuoglu (toganm) (revision 50)
- Update to version 4.5.21 For more details see changelog.txt and releasenotes.txt * ip[6]tables 1.4.20 introduced an incompatible change that causes the program to fail if there is another instance of either iptables or ip6tables already running. This behavior can be avoided if the new -w option is specified. To work around this problem, the compiler now uses the -w option (when available) during capabilities determination so that shorewall and shorewall6 compilations can proceed in parallel. * Previously, the Shorewall-init installer unconditionally installed the sysconfig file even when a different SYSCONFFILE was specified. (Thomas D). * /sbin/shorewall-init now includes the correct SYSCONFDIR name in its error message that reports the absence of ${SYSCONFDIR}/shorewall-init. (Thomas D). * /sbin/shorewall-init and the Shorewall-init SysV init scripts now honor the setting of $OPTIONS. * The -lite installers now look in ${SHAREDIR} for the coreversion file rather than in /usr/share/. * If a Shorewall-lite installation used an /etc/shorewall-lite/vardir file to set a non-standard state directory, the administrative system would send the firewall and firewall.conf files to the wrong directory on the firewall system. * Previously, the compiler verified 'monthdays' specifications in the rules TIME column, but failed to include --monthdays in the generated rule. That omission has been corrected. * The Multicast DNS macros (mDNS and mDNSbi) now allow the entire non-priv port range (1024-65535) for the dynamic unicast port. Previously, only the Linux 2.6+ dynamic port range (forwarded request 202077 from toganm)
Adrian Schröter (adrianSuSE) committed (revision 49)
Split 13.1 from Factory
Stephan Kulow (coolo) accepted request 196694 from Togan Muftuoglu (toganm) (revision 48)
- Update to version 4.5.20 For more details see changelog.txt and releasenotes.txt * A typographical error in the usage text produced by the -h command in the compiled firewall script has been corrected. * The handling of INITSOURCE is now uniform between the standard and the -lite installers. * Previously, when SYSCONFFILE was specified in shorewallrc, the installers would always install default.debian rather than the named file. That has been corrected. - Spec file changes * removed the following patches: 0001-Os-release.patch 0001-Fix-Exec-directory.patch (forwarded request 196693 from toganm)
Stephan Kulow (coolo) accepted request 184211 from Togan Muftuoglu (toganm) (revision 47)
- Update to version 4.5.19 For more details see changelog.txt and releasenotes.txt * Previously, the '-q' option did not suppress all output from certain commands such as 'check'. (forwarded request 184206 from toganm)
Stephan Kulow (coolo) accepted request 181607 from Togan Muftuoglu (toganm) (revision 46)
- Spec file changes * Added 0001-Fix-Exec-directory.patch which fixes ExecStart ExecStop path of systemd shorewall-init.service (bnc#827524) * removed systemd.patch (forwarded request 181606 from toganm)
Displaying revisions 61 - 80 of 125