No migration to manage nft will happen upstream.
Be prepared for package removal, and migrate to firewalld.
- Add shorewall-fix-install-manpages.patch to fix boo#1203006
- Update spec copyright and macros
- Move /etc to /usr for NetworkManager and logrotate
- Update rpmlint check list
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/shorewall?expand=0&rev=281
- Update to version 5.2.7
+ **Upgrade your configuration**
https://shorewall.org/pub/shorewall/5.2/shorewall-5.2.7/releasenotes.txt
+ Previously, it was not possible to classify traffic by destination
IP address when using an Intermediate Functional Block (IFB) for
traffic shaping. This is because such classification takes place
before the traffic passes through the mangle PREROUTING chain.
Such filtering is now possible by setting the 'connmark' option in
the tcdevices file. This option causes the current connection mark
to be copied to the packet mark prior to filtering, thus allowing
the packet mark to be used for classification.
This change adds a new CONNMARK_ACTION capability which is
required to be able to specify the 'connmark' option.
+ The tcpri file now supports ?FORMAT 2 which inserts an SPORT
column directly to the right of the PORT column. As part of this
change, the PORT column is renamed to DPORT while allowing both
'port' and 'dport' to be used in the alternate input format. See
shorewall-tcpri(5) and
http://shorewall.org/simple_traffic_shaping.html for additional
information.
+ The Simple TC document is now linked to FAQs 97 and 97a.
OBS-URL: https://build.opensuse.org/request/show/828661
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/shorewall?expand=0&rev=274
- Update to version 5.2.6
+ **Upgrade your configuration**
https://shorewall.org/pub/shorewall/5.2/shorewall-5.2.6/releasenotes.txt
+ When compiling for export, the compiler generates a firewall.conf
file which is later installed on the remote firewall system as
${VARDIR}/firewall.conf. Previously, the CLI on that firewall was
not processing the file, resulting in some features not being
available:
- Default values for VERBOSITY, LOGFILE, LOGFORMAT, PATH,
SHOREWALL_SHELL, SUBSYSLOCK, RESTOREFILE, RESTART,
DYNAMIC_BLACKLIST and PAGER are not supplied.
- scfilter file supplied at compile time.
- dumpfilter file supplied at compile time.
That has been corrected.
+ A bug in iptables (see
https://git.netfilter.org/iptables/commit/?id=d1555a0906e35ba8d170613d5a43da64e527dbe1)
prevents the '--queue-cpu-fanout' option from being applied unless
that option is the last one specified. Unfortunately, Shorewall
places the '--queue-bypass' option last if that option is also
specified.
This release works around this issue by ensuring that the
'--queue-cpu-fanout' option appears last.
+ The -D option of the 'compile', 'check', 'reload' and 'restart'
commands was previously omitted from the output of 'shorewall help'.
It is now included. As part of this change, an incorrect and
conflicting description of the -D option was removed from the
'remote-restart' section of shorewall(8).
+ Previously, when EXPAND_POLICIES=No, chains that enforced ACCEPT
policies were not completely optimized by optimize level 2 (ACCEPT
rules preceding the final unconditional ACCEPT were not
OBS-URL: https://build.opensuse.org/request/show/819214
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/shorewall?expand=0&rev=272
+ The description of the 'optional' option has been expanded in
shorewall-interfaces(5).
+ Previously, the AUTOMAKE option did not work properly when
/etc/shorewall[6] was a symbolic link. That has been corrected.
- Packaging
+ Remove broken %pretrans, move content to %pre
+ Remove use of %release in rpm scriptlet
+ This will avoid constant rebuild.
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/shorewall?expand=0&rev=268
+ When DYNAMIC_BLACKLIST=ipset... or when SAVE_IPSETS=Yes in
shorewall[6].conf, 'shorewall[6] start' could hang. Fixed.
+ 'shorewall[6] start' would not automatically create dynamic
blacklisting ipsets. That has been corrected.
- This version will also serve as a maintenance upgrade for Leap
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/shorewall?expand=0&rev=266
https://shorewall.org/pub/shorewall/5.2/shorewall-5.2.4/releasenotes.txt
+ Fixes for debian
- Update to version 5.2.4.1
+ Fixes for openSUSE: shorewall-init will now ignore the 'start' and
'stop' commands for running firewalls
+ Spurious messages have been removed
- Packaging
+ Move /usr/sbin/shorewall to shorewall-core so the -lite version
doesn't need the main shorewall package
+ To make the shorewall remote-* commands work, we patch lib.cli-std
to use /usr/sbin instead of /sbin, and comment the spec accordingly
+ Deactivate the upgrade warning for the moment; we need to find a
100% working solution.
+ Use the %{var} form everywhere
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/shorewall?expand=0&rev=264
- Update to version 5.2.4
https://shorewall.org/pub/shorewall/5.2/shorewall-5.2.4/releasenotes.txt
+ Previously, when a Shorewall6 firewall was placed into the
'stopped' state, ICMP6 packets required by RFC 4890 were not
automatically accepted by the generated ruleset.
Beginning with this release, those packets are automatically
accepted.
+ Previously, the output of 'shorewall[6] help' displayed the
superseded 'load' command. That text has been deleted.
+ The QOSExample.html file in the documentation and on the web site
previously showed tcrules content for the /etc/shorewall/mangle
file (recall that 'mangle' superseded 'tcrules'). That page has
been corrected.
+ The 'Starting and Stopping' and 'Configuration file basics'
documents have been updated to align them with the current product
behavior.
+ The 'ipsets' document has been updated to clarify the use of
ipsets in the stoppedrules file.
- Packaging
+ The shorewall-init package no longer uses the %service_del_postun
macro, to close bug boo#1166114: restarting this service can lock
the admin out of the system.
+ shorewall(6) and shorewall(6)-lite now conflict, as they shouldn't
be installed together on the same system.
+ The conf_update flag is set to 1 to activate the update reminder
+ Adjust and clean up Requires
OBS-URL: https://build.opensuse.org/request/show/790648
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/shorewall?expand=0&rev=259
- Update to minor bugfix version 5.2.3.7
+ When DOCKER=Yes, if both the DOCKER-ISOLATE and
DOCKER-ISOLATE-STAGE-1 existed then the DOCKER-ISOLATE-STAGE-*
chains were not preserved through shorewall state changes.
That has been corrected so that both chains are preserved if
present.
+ Previously, the compiler always detected the OLD_CONNTRACK_MATCH
capability as being available in IPv6. When OLD_CONNTRACK_MATCH
was available, the compiler also mishandled inversion ('!') in the
ORIGDEST columns, leading to an assertion failure.
Both the incorrect capability detection and the mishandled
inversion have been corrected.
+ During 'enable' processing, if address variables associated with
the interface have values different than those when the firewall
was last started/restarted/reloaded, then a 'reload' is performed
rather than a simple 'enable'. The logic that checks for those
changes was incorrect in some configurations, leading to unneeded
reload operations. That has been corrected.
+ When MANGLE_ENABLED=No in shorewall[6].conf, some features
requiring use of the mangle table can be allowed, even though the
mangle table is not updated. That has been corrected such that use
of such features will raise an error.
+ When the IfEvent(...,reset) action was invoked, the compiler
previously emitted a spurious "Resetting..." message. That message
has been suppressed.
- Packaging
+ Do not provide the unused notrack file anymore
+ Introduce define conf_need_update to track when we activate the
+ Add version to requires in -lite version
OBS-URL: https://build.opensuse.org/request/show/785384
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/shorewall?expand=0&rev=257
- Update to minor bugfix version 5.2.3.5
+ A typo in the FTP documentation has been corrected.
+ The recommended mss setting when using IPSec with ipcomp
has been corrected.
+ A number of incorrect links in the manpages have been
corrected.
+ The 'bypass' option is now allowed when specifying an
NFQUEUE policy. Previously, specifying that option resulted
in an error.
+ Corrected IPv6 Address Range parsing. Previously, such ranges were
required to be of the form [<addr1>-<addr2>] rather than the more
standard form [<addr1>]-[<addr2>]. In the snat file (and in nat
actions), the latter form was actually flagged as an error while in
other contexts, it resulted in a less obvious error being raised.
+ The manpages have been updated to refer to
https://shorewall.org rather than http://www.shorewall.org.
- Refresh spec file
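As an added example (not Shorewall's own Perl code), a small Python parser that accepts both IPv6 range spellings described in the 5.2.3.5 notes, rejects malformed and reversed ranges, and normalizes a range to the standard [<addr1>]-[<addr2>] form; the regular expressions and function names are this example's own assumptions:

```python
# Added example, not Shorewall's own code: a parser for the two IPv6
# range spellings described in the 5.2.3.5 release notes. Shorewall is
# written in Perl; this Python version only illustrates the syntax.
import ipaddress
import re

# [<addr1>-<addr2>]  (the only form Shorewall accepted before 5.2.3.5)
_BRACKETED_PAIR = re.compile(r'^\[([0-9A-Fa-f:.]+)-([0-9A-Fa-f:.]+)\]$')
# [<addr1>]-[<addr2>]  (the more standard form, accepted since 5.2.3.5)
_TWO_BRACKETS = re.compile(r'^\[([0-9A-Fa-f:.]+)\]-\[([0-9A-Fa-f:.]+)\]$')


class RangeError(ValueError):
    """Raised for a syntactically or semantically invalid IPv6 range."""


def parse_ipv6_range(text):
    """Return (first, last) as IPv6Address objects for either range syntax.

    Raises RangeError if the text matches neither form, if an endpoint is
    not a valid IPv6 address, or if the range is reversed (first > last).
    """
    m = _BRACKETED_PAIR.match(text) or _TWO_BRACKETS.match(text)
    if m is None:
        raise RangeError("Invalid IPv6 Address Range (%s)" % text)
    try:
        first = ipaddress.IPv6Address(m.group(1))
        last = ipaddress.IPv6Address(m.group(2))
    except ipaddress.AddressValueError as exc:
        raise RangeError("Invalid IPv6 Address (%s)" % exc) from None
    if first > last:
        raise RangeError("Invalid IPv6 Address Range (%s): first > last" % text)
    return first, last


def is_valid_range(text):
    """Boolean form of parse_ipv6_range(), for validation without exceptions."""
    try:
        parse_ipv6_range(text)
    except RangeError:
        return False
    return True


def range_contains(text, address):
    """True if the IPv6 address lies within the range written in either form."""
    first, last = parse_ipv6_range(text)
    return first <= ipaddress.IPv6Address(address) <= last


def normalize_range(text):
    """Rewrite a range in the [<addr1>]-[<addr2>] form with compressed addresses."""
    first, last = parse_ipv6_range(text)
    return "[%s]-[%s]" % (first.compressed, last.compressed)
```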
OBS-URL: https://build.opensuse.org/request/show/766493
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/shorewall?expand=0&rev=251
- Update to minor bugfix version 5.2.3.3
Previously, if an ipset was specified in an SPORT column, the
compiler would raise an error similar to:
ERROR: Invalid ipset name () /etc/shorewall/rules (line 44)
- Update to minor bugfix version 5.2.3.2
Shorewall 5.2 automatically converts an existing 'masq' file to an
equivalent 'snat' file. Regrettably, Shorewall 5.2.3 broke that
automatic update, such that the following error message was issued:
Use of uninitialized value $Shorewall::Nat::raw::currentline in
pattern match (m//) at /usr/share/shorewall/Shorewall/Nat.pm
line 511, <$currentfile> line nnn. and the generated 'masq'
file contains only initial comments. That has been corrected.
OBS-URL: https://build.opensuse.org/request/show/694183
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/shorewall?expand=0&rev=247
- spec:
+ Minimal changes with spec-cleaner
+ Stop conflicting with other firewalls (SuSEFirewall2, firewalld).
Users can have several management tools installed, and this helps
prepare a migration.
- Run shorewall(6) update -A to update your configurations.
Check and adapt them before restarting.
- Changes in 5.1.12.3
+ Update release documents.
+ Ensure that mutex gets released at exit.
- Changes in 5.1.12.2
+ Alter documentation to prefer ';;' over ';' in INLINE and
IP[6]TABLES rules.
+ Make 'update' convert ';' to ';;' in INLINE, IPTABLES and
IP6TABLES rules.
+ Correct typo that resulted in an "unknown function" Perl
diagnostic.
+ Correct "Invalid policy" message.
+ Fix omitted SYN limiting.
- Changes in 5.1.12.1
+ Replace macro.SSDPServer with corrected macro.SSDPserver.
- Changes in 5.1.12 Final
+ Update release documents.
+ Add INLINE_MATCHES=Yes to the deprecated list.
- Changes in 5.1.12 RC 1
+ Update release documents.
+ Minor performance enhancements to Optimize Category 8.
+ Always report IPSET_MATCH.
- Changes in 5.1.12 Beta 2
+ Delete undocumented OPTIMIZE_USE_FIRST option.
OBS-URL: https://build.opensuse.org/request/show/587096
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/shorewall?expand=0&rev=237
- spec:
+ Use the new %_fillupdir macro with the DIRFILLUP environment variable in build
* Redo the *-fillup-install.patch patches to use ${DIRFILLUP}
* Use the new %_fillupdir macro in files
+ Change the perl requirement to perl-base
+ Add a conflict with firewalld
+ Refresh the list of files and modules
- Run shorewall(6) update -A to update your configurations.
Check and adapt them before restarting.
- 5.1.8.1 release - Recommended action:
+ Update release documents
+ Make persistent routes and rules independent of 'autosrc'
+ Correct 'delete_default_routes()'
+ Delete default routes from 'main' when a fallback provider is
successfully enabled
+ Don't restore default route when a fallback provider is enabled
+ Issue a warning when 'persistent' is used with
RESTORE_DEFAULT_ROUTE=Yes
+ Don't dump SPD entries for the other address family
+ Fix 'persistent' provider issues
+ Treat LOG_TARGET the same as all other capabilities
+ Allow merging of rules with IPSEC policies
- 5.1.7.2 release
- 5.1.6 release
...
OBS-URL: https://build.opensuse.org/request/show/541200
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/shorewall?expand=0&rev=235
- This stable branch 5.1.x will be the new default for Leap 42.3.
Remember that each time you upgrade with a change in the major or
major.minor version, you must upgrade your configuration with the
shorewall(6) update -a /etc/shorewall(6) command.
- Packaging: use pretrans and posttrans to inform the user about the
configuration upgrade.
- Bugfix release 5.1.4.3. Problem Corrected:
When running on prior-generation distributions such as RHEL6,
IPv6 multi-ISP configurations failed to start due to an error
such as the following:
ERROR: Command "ip -6 -6 route replace default scope global
table 250 nexthop via ::192.88.99.1 dev tun6to4 weight 1"
Failed
Such configurations now start successfully.
OBS-URL: https://build.opensuse.org/request/show/505369
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/shorewall?expand=0&rev=226
- Bugfix and enhancement release 5.1.4.2. The complete changelog is
available at
http://shorewall.net/pub/shorewall/5.1/shorewall-5.1.4/releasenotes.txt
- Main changes
All IPv6 standard actions have been deleted and their logic
has been added to their IPv4 counterparts, which can now handle
both address families.
Previously, ?error and ?require messages as well as verbose ?info
and ?warning messages (those that report the file and line numbers)
generated from an action file would report the action file name and
line number rather than the file and line number where the action
was invoked. The file and line number where the action was invoked
were listed second. Beginning with this release, the invoking file
and line number are listed first and the action file and line number
are not reported. This allows for creation of clearer messages.
IPv6 UPnP support (including MINIUPNPD) is now available.
A PERL_HASH_SEED option has been added to allow the Perl hash seed
to be specified. See shorewall.conf(5) and perlsec(1) for details.
OBS-URL: https://build.opensuse.org/request/show/503677
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/shorewall?expand=0&rev=224
- Bugfix release 5.1.3.2
Previously, if a Shorewall Variable (e.g., @chain) was the target
of a conditional ?RESET directive (one that was enclosed in ?if.
?else...?endif logic), the compiler could incorrectly use an
existing chain created from the action rather than creating a new
(and different) chain. That has been corrected.
Previously, if alternate input format specified a column that had
already been specified, the contents of that column were silently
overwritten. Now, a warning message is issued stating that the
prior value has been replaced by the newer value.
OBS-URL: https://build.opensuse.org/request/show/482666
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/shorewall?expand=0&rev=222
- Upgrade to the latest stable release, 5.1.3.
For details see changelog.txt and releasenotes.txt, which contain all
the information needed for a correct upgrade path.
- Packaging: redo the patches for var-fillup
+ shorewall-fillup-install.patch
+ shorewall-init-fillup-install.patch
+ shorewall-lite-fillup-install.patch
- Upgrade to stable 5.1.1.
For details see changelog.txt and releasenotes.txt, which contain all
the information needed for a correct upgrade path.
- Packaging:
+ use proper %{} syntax
+ Adjust year copyright
+ Remove attr on sbindir symlink
+ Move Samples and Contrib to doc package
OBS-URL: https://build.opensuse.org/request/show/479769
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/shorewall?expand=0&rev=216
- Upgrade to the latest stable release of the 5.0.x series, 5.0.15.
For details see changelog.txt and releasenotes.txt, which contain all
the information needed for a correct upgrade path.
- Packaging:
+ Remove all non-SUSE %if conditionals
+ Clean up older, unsupported versions
+ Remove patches merged upstream
* 0001-remote_fs.patch
* 0001-required-stop-fix.patch
+ Remove 0001-fillup-install.patch, replaced by product-specific
patches for correct usage of var-fillup
+ Add patches for var-fillup for when the non-specific %name6 is also
supported
* shorewall-fillup-install.patch
* shorewall-init-fillup-install.patch
* shorewall-lite-fillup-install.patch
+ Minimal spec-cleaner run
OBS-URL: https://build.opensuse.org/request/show/445338
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/shorewall?expand=0&rev=214
- Update to version 4.6.13. For more details see changelog.txt and
releasenotes.txt
* The 'rules' file manpages have been corrected regarding the
packets that are processed by rules in the NEW section.
* Parsing of IPv6 address ranges has been corrected. Previously,
use of ranges resulted in 'Invalid IPv6 Address' errors.
* The shorewall6-hosts man page has been corrected to show the
proper contents of the HOST(S) column.
* Previously, INLINE statements in the mangle file were not
recognized if a chain designator (:F, :P, etc.) followed
INLINE(...). As a consequence, additional matches following
a semicolon were interpreted as column/value pairs unless
INLINE_MATCHES=Yes, resulting in compilation failure.
* Inline matches on IP[6]TABLE rules could be ignored if
INLINE_MATCHES=No. They are now recognized.
* Specifying an action with a logging level in one of the
_DEFAULT options in shorewall[6].conf
(e.g., REJECT_DEFAULT=Reject:info) produced a compilation error:
ERROR: Invalid value (:info) for first Reject parameter
/usr/share/shorewall/action.Reject (line 52)
That has been corrected. Note, however, that specifying logging
with a default action tends to defeat one of the main purposes
of default actions which is to suppress logging.
* Previously, it was necessary to set TC_EXPERT=Yes to have full
access to the user mark in fw marks. That has been corrected so
that any place that a mark or mask can be specified, both the
TC mark and the User mark are accessible.
OBS-URL: https://build.opensuse.org/request/show/331029
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/shorewall?expand=0&rev=210
- Update to version 4.6.11. For more details see changelog.txt and
releasenotes.txt
* Previously, when the -c option was given to the 'compile'
command, the progress message "Compiling..." was issued before
it was determined if compilation was necessary. Now, that message
is suppressed when re-compilation is not required.
* Previously, when the -c option was given to the 'compile'
command, the 'postcompile' extension script was executed even when
there was no (re-)compilation. Now, the 'postcompile' script is
only invoked when a new script is generated.
* If CONFDIR was other than /etc, then ordinary users would not
receive a clear error message when they attempted to execute
one of the commands that change the firewall state.
* Previously, IPv4 DHCP client broadcasts were blocked by the
'rpfilter' interface option. That has been corrected.
* The 'update' command incorrectly added the INLINE_MATCHES
option to shorewall6.conf with a default value of 'Yes'. This
caused 'start' to fail with invalid ip6tables rules when the alternate
input format using ';' is used.
Note: This last issue is not documented in the release notes
included with the release.
OBS-URL: https://build.opensuse.org/request/show/316607
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/shorewall?expand=0&rev=208
- Update to version 4.6.9. For more details see changelog.txt and
releasenotes.txt
* This release contains defect repair from Shorewall 4.6.8.1 and
earlier releases.
* The means for preventing loading of helper modules has been
clarified in the documentation.
* The SetEvent and ResetEvent actions previously set/reset the
event even if the packet did not match the other specified
columns. This has been corrected.
* Previously, the 'show capabilities' command was ignoring the
HELPERS setting. This resulted in unwanted modules being
autoloaded and, when the -f option was given, an incorrect
capabilities file was generated.
* Previously, when 'wait' was specified for an interface, the
generated script erroneously checked for required interfaces on
all commands rather than just start, restart and restore.
OBS-URL: https://build.opensuse.org/request/show/305794
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/shorewall?expand=0&rev=204
- Update to version 4.6.8.1. For more details see changelog.txt and
releasenotes.txt
* Previously, when systemd was installed and there were one or
more required interfaces, the firewall would fail to start at
boot. This has been corrected by Tuomo Soini.
* Some startup logic in lib.cli has been deleted. A bug prevented
the code from working as intended, so there is no loss of
functionality resulting from deletion of the code.
OBS-URL: https://build.opensuse.org/request/show/296592
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/shorewall?expand=0&rev=202
- Update to version 4.6.8. For more details see changelog.txt and
releasenotes.txt
* This release includes defect repair from Shorewall 4.6.6.2 and
earlier releases.
* Previously, when the -n option was specified and NetworkManager
was installed on the target system, the Shorewall-init installer
would still create
${DESTDIR}etc/NetworkManager/dispatcher.d/01-shorewall, regardless
of the setting of $CONFDIR. That has been corrected such that
the directory
${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall
is created instead.
* Previously, handling of the IPTABLES and IP6TABLES actions in
the conntrack file was broken. nfw provided a fix on IRC.
* The Shorewall-core and Shorewall6 installers would previously
report incorrectly that the product release was not installed.
Matt Darfeuille provided fixes.
OBS-URL: https://build.opensuse.org/request/show/294498
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/shorewall?expand=0&rev=200
- Update to version 4.6.7. For more details see changelog.txt and
releasenotes.txt
* This release includes defect repair from Shorewall 4.6.6.2 and
earlier releases.
* The 'tunnels' file now supports 'tinc' tunnels.
* Previously, the SAME action in the mangle file had a fixed
timeout of 300 seconds (5 minutes). That action now allows
specification of a different timeout.
* It is now possible to add or delete addresses from an ipset
with entries in the mangle file. The ADD and DEL actions have
the same behavior in the mangle file as they do in the rules
file.
- Add the systemd_version macro in anticipation of selecting the
correct service file when the systemd version is >= 214
OBS-URL: https://build.opensuse.org/request/show/290980
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/shorewall?expand=0&rev=198
- Update to version 4.6.6.2. For more details see changelog.txt and
releasenotes.txt
* The compiler failed to parse the construct +<ipset>[n] where n is
an integer (e.g., +bad[2]).
* Orion Paplawski has provided a patch that adds 'ko.xz' to the
default MODULE_SUFFIX setting. This change deals with recent
Fedora releases where the module names now end with ".ko.xz".
In addition to Orion's patch, the sample configurations have
been modified to specify MODULE_SUFFIX="ko ko.xz".
OBS-URL: https://build.opensuse.org/request/show/284604
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/shorewall?expand=0&rev=196