Hello community,
here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2015-06-24 21:01:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shorewall (Old)
and /work/SRC/openSUSE:Factory/.shorewall.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shorewall"
Changes:
--------
--- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2015-05-10 10:46:55.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.shorewall.new/shorewall.changes 2015-06-24 21:01:35.000000000 +0200
@@ -1,0 +2,14 @@
+Wed Jun 17 06:43:22 UTC 2015 - toganm@opensuse.org
+
+- Update to version 4.6.10.1 For more details see changelog.txt and
+ releasenotes.txt
+
+ * Indentation is now consistent in lib.core (Tuomo Soini).
+
+ * The first problem corrected in 4.6.10 below was incomplete. It
+ is now complete (Tuomo Soini).
+
+ * Similarly, the second fix was also incomplete and is now
+ completed (Tuomo Soini).
+
+-------------------------------------------------------------------
Old:
----
shorewall-4.6.9.tar.bz2
shorewall-core-4.6.9.tar.bz2
shorewall-docs-html-4.6.9.tar.bz2
shorewall-init-4.6.9.tar.bz2
shorewall-lite-4.6.9.tar.bz2
shorewall6-4.6.9.tar.bz2
shorewall6-lite-4.6.9.tar.bz2
New:
----
shorewall-4.6.10.1.tar.bz2
shorewall-core-4.6.10.1.tar.bz2
shorewall-docs-html-4.6.10.1.tar.bz2
shorewall-init-4.6.10.1.tar.bz2
shorewall-lite-4.6.10.1.tar.bz2
shorewall6-4.6.10.1.tar.bz2
shorewall6-lite-4.6.10.1.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ shorewall.spec ++++++
--- /var/tmp/diff_new_pack.OfDwoo/_old 2015-06-24 21:01:37.000000000 +0200
+++ /var/tmp/diff_new_pack.OfDwoo/_new 2015-06-24 21:01:37.000000000 +0200
@@ -20,19 +20,19 @@
%define have_systemd 1
Name: shorewall
-Version: 4.6.9
+Version: 4.6.10.1
Release: 0
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems
License: GPL-2.0
Group: Productivity/Networking/Security
Url: http://www.shorewall.net/
-Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.9/%{name}-%version.tar.bz2
-Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.9/%{name}-core-%version.tar.bz2
-Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.9/%{name}-lite-%version.tar.bz2
-Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.9/%{name}-init-%version.tar.bz2
-Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.9/%{name}6-lite-%version.tar.bz2
-Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.9/%{name}6-%version.tar.bz2
-Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.9/%{name}-docs-html-%version.tar.bz2
+Source: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.10/%{name}-%version.tar.bz2
+Source1: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.10/%{name}-core-%version.tar.bz2
+Source2: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.10/%{name}-lite-%version.tar.bz2
+Source3: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.10/%{name}-init-%version.tar.bz2
+Source4: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.10/%{name}6-lite-%version.tar.bz2
+Source5: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.10/%{name}6-%version.tar.bz2
+Source6: http://www.shorewall.net/pub/shorewall/4.6/shorewall-4.6.10/%{name}-docs-html-%version.tar.bz2
Source7: %{name}-4.4.22.rpmlintrc
Source8: README.openSUSE
# PATCH-FIX-UPSTREAM toganm@opensuse.org Shorewall-lite init.suse.sh Required Stop
++++++ shorewall-4.6.9.tar.bz2 -> shorewall-4.6.10.1.tar.bz2 ++++++
++++ 2792 lines of diff (skipped)
++++++ shorewall-core-4.6.9.tar.bz2 -> shorewall-core-4.6.10.1.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.9/changelog.txt new/shorewall-core-4.6.10.1/changelog.txt
--- old/shorewall-core-4.6.9/changelog.txt 2015-05-06 18:14:15.000000000 +0200
+++ new/shorewall-core-4.6.10.1/changelog.txt 2015-06-10 17:00:52.000000000 +0200
@@ -1,3 +1,52 @@
+Changes in 4.6.10.1
+
+1) Update release documents.
+
+2) Use consistent indentation in lib.core
+
+3) Complete Shorewall-init improvements
+
+4) Return exit status 6 when startup is disabled
+
+Changes in 4.6.10 Final
+
+1) Update release documents.
+
+2) Update Module Versions
+
+3) Tuomo Soini's fix to enable/disable.
+
+Changes in 4.6.10 RC 1
+
+1) Update release documents.
+
+2) load= enhancements
+
+3) Indicate success when no ipsets are saved by the script
+
+4) load= corrections.
+
+5) IPv6 findgw.
+
+Changes in 4.6.10 Beta 2
+
+1) Update release documents.
+
+2) Add queue-balance and queue-bypass options to NFQUEUE.
+
+3) Implement 'call' in the compiled program and externalize 'call' in
+ the CLI.
+
+Changes in 4.6.10 Beta 1
+
+1) Update release documents.
+
+2) Fix Shorewall-init bailing out when a product didn't start/stop
+
+3) Return exit status 6 for non-configured firewall.
+
+4) Don't require a helper for ctevents and expevents.
+
Changes in 4.6.9 Final
1) Update release documents.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.9/configure new/shorewall-core-4.6.10.1/configure
--- old/shorewall-core-4.6.9/configure 2015-05-06 18:14:15.000000000 +0200
+++ new/shorewall-core-4.6.10.1/configure 2015-06-10 17:00:52.000000000 +0200
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=4.6.9
+VERSION=4.6.10.1
case "$BASH_VERSION" in
[4-9].*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.9/configure.pl new/shorewall-core-4.6.10.1/configure.pl
--- old/shorewall-core-4.6.9/configure.pl 2015-05-06 18:14:15.000000000 +0200
+++ new/shorewall-core-4.6.10.1/configure.pl 2015-06-10 17:00:52.000000000 +0200
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '4.6.9'
+ VERSION => '4.6.10.1'
};
my %params;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.9/install.sh new/shorewall-core-4.6.10.1/install.sh
--- old/shorewall-core-4.6.9/install.sh 2015-05-06 18:14:15.000000000 +0200
+++ new/shorewall-core-4.6.10.1/install.sh 2015-06-10 17:00:52.000000000 +0200
@@ -22,7 +22,7 @@
# along with this program; if not, see http://www.gnu.org/licenses/.
#
-VERSION=4.6.9
+VERSION=4.6.10.1
usage() # $1 = exit status
{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.9/known_problems.txt new/shorewall-core-4.6.10.1/known_problems.txt
--- old/shorewall-core-4.6.9/known_problems.txt 2015-05-06 18:14:15.000000000 +0200
+++ new/shorewall-core-4.6.10.1/known_problems.txt 2015-06-10 17:00:52.000000000 +0200
@@ -1,11 +1,2 @@
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
-
-2) The SetEvent and ResetEvent actions currently set/reset the named
- event even if the packet does not match the other specified
- columns.
-
-3) The 'show capabilities' command ignores the HELPERS setting. This
- results in unwanted modules being autoloaded and, when the -f
- option is given, an incorrect capabilities file is generated.
-
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.9/lib.cli new/shorewall-core-4.6.10.1/lib.cli
--- old/shorewall-core-4.6.9/lib.cli 2015-05-05 20:28:13.000000000 +0200
+++ new/shorewall-core-4.6.10.1/lib.cli 2015-06-09 20:02:00.000000000 +0200
@@ -42,16 +42,6 @@
. ${SHAREDIR}/shorewall/lib.base
-
-#
-# Fatal Error
-#
-fatal_error() # $@ = Message
-{
- echo " ERROR: $@" >&2
- exit 2
-}
-
#
# Issue an error message and die
#
@@ -484,7 +474,7 @@
fi
fi
;;
- [Nn]o)
+ [Nn]o|ipv4|ipv6)
;;
*)
error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
@@ -1683,7 +1673,7 @@
if [ -z "$STARTUP_ENABLED" ]; then
error_message "ERROR: Startup is disabled"
- exit 2
+ exit 6
fi
g_restorepath=${VARDIR}/$RESTOREFILE
@@ -3680,7 +3670,7 @@
else
error_message "${VARDIR}/firewall is missing or is not executable"
logger -p kern.err "ERROR:$g_product start failed"
- rc=2
+ rc=6
fi
[ -n "$g_nolock" ] || mutex_off
@@ -3813,7 +3803,7 @@
else
error_message "${VARDIR}/firewall is missing or is not executable"
logger -p kern.err "ERROR:$g_product restart failed"
- rc=2
+ rc=6
fi
[ -n "$g_nolock" ] || mutex_off
@@ -4239,10 +4229,29 @@
get_config
[ -n "$g_debugging" ] && set -x
#
- # Undocumented way to call functions in the libraries directly
+ # Way to call functions in the libraries directly
#
shift
- $@
+
+ if [ $# -gt 0 ]; then
+ #
+ # First look for it here
+ #
+ if type $1 2> /dev/null | fgrep -q 'is a function'; then
+ #
+ # It's a shell function -- call it
+ #
+ $@
+ else
+ #
+ # It isn't a function visible to this script -- try
+ # the compiled firewall
+ #
+ run_it $g_firewall $g_debugging call $@
+ fi
+ else
+ usage 1
+ fi
;;
help)
shift
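Review bot: The new `call` dispatch expands `$1` and `$@` unquoted in three places (the `type $1` test, the direct `$@` call and the `run_it ... call $@` fallback), so a parameter containing whitespace or glob characters is re-split or expanded against the current directory before the target function sees it. Since `call` is now a documented interface that runs library functions with the CLI's privileges, the arguments should be passed through intact: `if type "$1" 2> /dev/null | fgrep -q 'is a function'; then`, `"$@"` and `run_it $g_firewall $g_debugging call "$@"`. Matching the English phrase 'is a function' also depends on the wording that the shell's `type` prints, which can vary by shell and locale, so a one-line comment stating that assumption would help. The enclosing `case` arm begins before this hunk.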
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.9/lib.common new/shorewall-core-4.6.10.1/lib.common
--- old/shorewall-core-4.6.9/lib.common 2015-05-05 20:28:13.000000000 +0200
+++ new/shorewall-core-4.6.10.1/lib.common 2015-06-09 20:02:00.000000000 +0200
@@ -71,6 +71,24 @@
}
#
+# Fatal Error
+#
+fatal_error() # $@ = Message
+{
+ echo " ERROR: $@" >&2
+ exit 2
+}
+
+#
+# Not configured Error
+#
+not_configured_error() # $@ = Message
+{
+ echo " ERROR: $@" >&2
+ exit 6
+}
+
+#
# Get the Shorewall version of the passed script
#
get_script_version() { # $1 = script
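Review bot: `not_configured_error` exits with a bare `6` and its header does not say why that value was chosen, while the lib.cli hunks of this same change hard-code `exit 6` and `rc=6` on their own. A header line such as `# Exit status 6: "program is not configured" (LSB init-script convention)` would tie those places together for the next maintainer. Both helpers also embed `$@` inside a quoted string; `echo " ERROR: $*" >&2` states the intent (one joined message) more directly.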
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.9/releasenotes.txt new/shorewall-core-4.6.10.1/releasenotes.txt
--- old/shorewall-core-4.6.9/releasenotes.txt 2015-05-06 18:14:15.000000000 +0200
+++ new/shorewall-core-4.6.10.1/releasenotes.txt 2015-06-10 17:00:52.000000000 +0200
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 4 . 6 . 9
+ S H O R E W A L L 4 . 6 . 1 0 . 1
----------------------------
- M a y 0 6 , 2 0 1 5
+ J u n e 1 0 , 2 0 1 5
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,24 +14,37 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) This release contains defect repair from Shorewall 4.6.8.1 and
- earlier releases.
+4.6.10.1
-2) The means for preventing loading of helper modules has been
- clarified in the documentation.
+1) Indentation is now consistent in lib.core (Tuomo Soini).
-3) The SetEvent and ResetEvent actions previously set/reset the event
- even if the packet did not match the other specified columns. This
- has been corrected.
+2) The first problem corrected in 4.6.10 below was incomplete. It is
+ now complete (Tuomo Soini).
-4) Previously, the 'show capabilities' command was ignoring the
- HELPERS setting. This resulted in unwanted modules being autoloaded
- and, when the -f option was given, an incorrect capabilities file
- was generated.
+3) Similarly, the second fix was also incomplete and is now completed
+ (Tuomo Soini).
+
+4.6.10
-6) Previously, when 'wait' was specified for an interface, the
- generated script erroneously checked for required interfaces on all
- commands rather than just start, restart and restore.
+1) On some distributions, Shorewall-init would fail if one of the
+ configured products had a problem. Now, Shorewall-init goes on to
+ the next product rather than stopping.
+
+2) Previously, when startup was disabled (STARTUP_ENABLED=No or no
+ compiled firewall on a -lite system), exit status 2 was
+ returned. Now, exit status 6 is returned.
+
+3) Previously, if SAVE_IPSETS=ipv4 (or ipv6) but the configuration did
+ not use ipsets, then a superfluous warning message was issued:
+
+ WARNING: Invalid value (ipv4) for SAVE_IPSETS
+
+ That warning is now suppressed.
+
+4) Previously, the algorithm used to normalize the probabilities
+ defined in the 'load' provider option was incorrect and could
+ result in probabilities > 1.0. When this occurred, the firewall
+ would fail to start.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
@@ -44,36 +57,73 @@
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) There is now a TCPMSS Target (TCPMSS_TARGET) capability. Your
- iptables and kernel must support this capability in order to use
- the CLAMPMSS option in shorewall.conf and the 'mss=' option in the
- zones, interfaces and hosts files. This capability was added when
- it was learned that Debian on ARM doesn't provide the feature.
+1) Previously, the 'ctevents' and 'expevents' options could only be
+ specified in the conntrack file if a helper was named. That is no
+ longer necessary.
- When using a capabilities file from at earlier release, the
- compiler assumes that this capability is available, since most
- distributions have traditionally provided the capability.
+ Example:
-2) The CLI manpages now state explicitly that 'list' and 'ls' are
- synonyms for 'show' and refer the reader to the description of
- 'show'.
+ #ACTION SOURCE DESTINATION PROTO DEST ...
+ # PORT(S) ...
+ #
+ CT:ctevents:assured,destroy\
+ all - -
-3) The complete syntax of each CLI command is now repeated in the
- detailed description of the command in the man pages.
+2) Two new options have been added to the NFQUEUE target.
-4) Tuomo Soini has contributed a QUIC macro.
+ - By default, if no userspace program is listening on an NFQUEUE,
+ then all packets that are to be queued are dropped. When the new
+ 'bypass' option is used, the NFQUEUE rule is silently bypassed
+ instead. The packet will move on to the next rule.
-5) The JabberSecure macro is now deprecated. Configure Jabber to use
- TLS and use the Jabber macro instead. (Tuomo Soini).
+ Examples:
-6) The enable and disable commands now execute more quickly on slow
- hardware.
+ NFQUEUE(bypass)
+ NFQUEUE(3,bypass)
-7) The CLI programs now support a 'reenable' command. This command is
- logically equivalent to a 'disable' command followed by an 'enable'
- command, with the exception that no error is generated if the
- specified interface or provider is disabled at the time the
- command is given.
+ - Now, a queue range of the form n:m may be specified. Packets are
+ then balanced across the given queues. This is useful for
+ multicore systems: start multiple instances of the userspace
+ program on queues x, x+1, .. x+n and use "x:x+n". Packets
+ belonging to the same connection are put into the same nfqueue.
+
+ Examples:
+
+ NFQUEUE(4:6)
+ NFQUEUE(4:6,bypass)
+
+ Queue ranges are also permitted in an NFQUEUE policy; the
+ 'bypass' option is not permitted there.
+
+3) The 'call' command is now documented. It provides a way to call
+ shell functions in the Shorewall libraries or in the generated
+ script.
+
+ call <function> [ <parameter> ... ]
+
+ <function> must name a shell function in one of the Shorewall
+ libraries or in the generated script. The function is first
+ searched for in lib.base, lib.common, lib.cli and lib.cli-std
+ (lib.cli-std is not searched by the '-lite' products). If the
+ function is found, it is called with any supplied <parameter>s.
+
+ If the function is not found in the libraries, the call command
+ is passed to the generated script for processing.
+
+4) Several changes have been made to the processing of the 'load'
+ option in provider files:
+
+ - load values are normalized to 8-digit precision and 10-byte
+ length.
+ - a warning is issued if the sum of the loads is not 1.000000.
+ - if the normalized probability for an interface is >=
+ 1.000000 then the probability match part of the generated rule is
+ omitted.
+
+5) There is now an ipv6 'findgw' skeleton file.
+
+6) The 'disable' and 'enable' commands now succed if the interface is
+ already disabled or enabled respectively. Tuomo Soini.
----------------------------------------------------------------------------
I V. M I G R A T I O N I S S U E S
@@ -266,7 +316,7 @@
See shorewall6(8) for limitations of 'update -t'.
-15) The default value LOAD_HELPERS_ONLY is now 'Yes'.
+15) The default value of LOAD_HELPERS_ONLY is now 'Yes'.
16) Beginning with Shorewall 4.6.0, FORMAT-1 actions and macros are
deprecated and a warning will be issued for each FORMAT-1 action
@@ -368,6 +418,64 @@
----------------------------------------------------------------------------
V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S
----------------------------------------------------------------------------
+ P R O B L E M S C O R R E C T E D I N 4 . 6 . 9
+----------------------------------------------------------------------------
+
+1) This release contains defect repair from Shorewall 4.6.8.1 and
+ earlier releases.
+
+2) The means for preventing loading of helper modules has been
+ clarified in the documentation.
+
+3) The SetEvent and ResetEvent actions previously set/reset the event
+ even if the packet did not match the other specified columns. This
+ has been corrected.
+
+4) Previously, the 'show capabilities' command was ignoring the
+ HELPERS setting. This resulted in unwanted modules being autoloaded
+ and, when the -f option was given, an incorrect capabilities file
+ was generated.
+
+6) Previously, when 'wait' was specified for an interface, the
+ generated script erroneously checked for required interfaces on all
+ commands rather than just start, restart and restore.
+
+----------------------------------------------------------------------------
+ N E W F E A T U R E S I N 4 . 6 . 89
+----------------------------------------------------------------------------
+
+1) There is now a TCPMSS Target (TCPMSS_TARGET) capability. Your
+ iptables and kernel must support this capability in order to use
+ the CLAMPMSS option in shorewall.conf and the 'mss=' option in the
+ zones, interfaces and hosts files. This capability was added when
+ it was learned that Debian on ARM doesn't provide the feature.
+
+ When using a capabilities file from at earlier release, the
+ compiler assumes that this capability is available, since most
+ distributions have traditionally provided the capability.
+
+2) The CLI manpages now state explicitly that 'list' and 'ls' are
+ synonyms for 'show' and refer the reader to the description of
+ 'show'.
+
+3) The complete syntax of each CLI command is now repeated in the
+ detailed description of the command in the man pages.
+
+4) Tuomo Soini has contributed a QUIC macro.
+
+5) The JabberSecure macro is now deprecated. Configure Jabber to use
+ TLS and use the Jabber macro instead. (Tuomo Soini).
+
+6) The enable and disable commands now execute more quickly on slow
+ hardware.
+
+7) The CLI programs now support a 'reenable' command. This command is
+ logically equivalent to a 'disable' command followed by an 'enable'
+ command, with the exception that no error is generated if the
+ specified interface or provider is disabled at the time the
+ command is given.
+
+----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 6 . 8
----------------------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.9/shorewall-core.spec new/shorewall-core-4.6.10.1/shorewall-core.spec
--- old/shorewall-core-4.6.9/shorewall-core.spec 2015-05-06 18:14:15.000000000 +0200
+++ new/shorewall-core-4.6.10.1/shorewall-core.spec 2015-06-10 17:00:52.000000000 +0200
@@ -1,6 +1,6 @@
%define name shorewall-core
-%define version 4.6.9
-%define release 0base
+%define version 4.6.10
+%define release 1
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
Name: %{name}
@@ -63,6 +63,16 @@
%doc COPYING INSTALL changelog.txt releasenotes.txt
%changelog
+* Tue Jun 09 2015 Tom Eastep tom@shorewall.net
+- Updated to 4.6.10-1
+* Fri May 29 2015 Tom Eastep tom@shorewall.net
+- Updated to 4.6.10-0base
+* Mon May 25 2015 Tom Eastep tom@shorewall.net
+- Updated to 4.6.10-0RC1
+* Sun May 17 2015 Tom Eastep tom@shorewall.net
+- Updated to 4.6.10-0Beta2
+* Tue May 05 2015 Tom Eastep tom@shorewall.net
+- Updated to 4.6.10-0Beta1
* Tue May 05 2015 Tom Eastep tom@shorewall.net
- Updated to 4.6.9-0base
* Tue May 05 2015 Tom Eastep tom@shorewall.net
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-4.6.9/uninstall.sh new/shorewall-core-4.6.10.1/uninstall.sh
--- old/shorewall-core-4.6.9/uninstall.sh 2015-05-06 18:14:15.000000000 +0200
+++ new/shorewall-core-4.6.10.1/uninstall.sh 2015-06-10 17:00:52.000000000 +0200
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.6.9
+VERSION=4.6.10.1
usage() # $1 = exit status
{
++++++ shorewall-docs-html-4.6.9.tar.bz2 -> shorewall-docs-html-4.6.10.1.tar.bz2 ++++++
++++ 7172 lines of diff (skipped)
++++++ shorewall-init-4.6.9.tar.bz2 -> shorewall-init-4.6.10.1.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.9/changelog.txt new/shorewall-init-4.6.10.1/changelog.txt
--- old/shorewall-init-4.6.9/changelog.txt 2015-05-06 18:14:16.000000000 +0200
+++ new/shorewall-init-4.6.10.1/changelog.txt 2015-06-10 17:00:53.000000000 +0200
@@ -1,3 +1,52 @@
+Changes in 4.6.10.1
+
+1) Update release documents.
+
+2) Use consistent indentation in lib.core
+
+3) Complete Shorewall-init improvements
+
+4) Return exit status 6 when startup is disabled
+
+Changes in 4.6.10 Final
+
+1) Update release documents.
+
+2) Update Module Versions
+
+3) Tuomo Soini's fix to enable/disable.
+
+Changes in 4.6.10 RC 1
+
+1) Update release documents.
+
+2) load= enhancements
+
+3) Indicate success when no ipsets are saved by the script
+
+4) load= corrections.
+
+5) IPv6 findgw.
+
+Changes in 4.6.10 Beta 2
+
+1) Update release documents.
+
+2) Add queue-balance and queue-bypass options to NFQUEUE.
+
+3) Implement 'call' in the compiled program and externalize 'call' in
+ the CLI.
+
+Changes in 4.6.10 Beta 1
+
+1) Update release documents.
+
+2) Fix Shorewall-init bailing out when a product didn't start/stop
+
+3) Return exit status 6 for non-configured firewall.
+
+4) Don't require a helper for ctevents and expevents.
+
Changes in 4.6.9 Final
1) Update release documents.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.9/configure new/shorewall-init-4.6.10.1/configure
--- old/shorewall-init-4.6.9/configure 2015-05-06 18:14:16.000000000 +0200
+++ new/shorewall-init-4.6.10.1/configure 2015-06-10 17:00:53.000000000 +0200
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=4.6.9
+VERSION=4.6.10.1
case "$BASH_VERSION" in
[4-9].*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.9/configure.pl new/shorewall-init-4.6.10.1/configure.pl
--- old/shorewall-init-4.6.9/configure.pl 2015-05-06 18:14:16.000000000 +0200
+++ new/shorewall-init-4.6.10.1/configure.pl 2015-06-10 17:00:53.000000000 +0200
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '4.6.9'
+ VERSION => '4.6.10.1'
};
my %params;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.9/init.debian.sh new/shorewall-init-4.6.10.1/init.debian.sh
--- old/shorewall-init-4.6.9/init.debian.sh 2015-05-05 20:28:13.000000000 +0200
+++ new/shorewall-init-4.6.10.1/init.debian.sh 2015-06-09 20:02:00.000000000 +0200
@@ -74,7 +74,9 @@
[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
- ${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || echo_notdone
+ ${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+ else
+ return 0
fi
}
@@ -103,21 +105,17 @@
echo -n "Initializing \"Shorewall-based firewalls\": "
for PRODUCT in $PRODUCTS; do
- setstatedir
-
- if [ -x ${STATEDIR}/firewall ]; then
- #
- # Run in a sub-shell to avoid name collisions
- #
- (
- if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
- ${STATEDIR}/firewall ${OPTIONS} stop || echo_notdone
- else
- echo_notdone
- fi
- )
- else
- echo_notdone
+ if setstatedir; then
+ if [ -x ${STATEDIR}/firewall ]; then
+ #
+ # Run in a sub-shell to avoid name collisions
+ #
+ (
+ if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+ ${STATEDIR}/firewall ${OPTIONS} stop
+ fi
+ )
+ fi
fi
done
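Review bot: With `|| echo_notdone` and both `else` branches removed, the exit status of `${STATEDIR}/firewall ${OPTIONS} stop` is discarded, and a product whose `setstatedir` fails or whose firewall script is missing is skipped without any message. The init action can therefore finish looking successful while a firewall was never placed in its stopped state. Continuing to the next product is the stated goal, but the failure should still be recorded, for example `${STATEDIR}/firewall ${OPTIONS} stop || echo "$PRODUCT: stop failed" >&2`, plus an `else` branch that reports the skipped product. The same applies to the `clear` loop in the next hunk and to the corresponding loops in init.sh and init.suse.sh. The enclosing function starts and ends outside this hunk, so whether a later line reports status cannot be seen here.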
@@ -144,10 +142,10 @@
echo -n "Clearing \"Shorewall-based firewalls\": "
for PRODUCT in $PRODUCTS; do
- setstatedir
-
- if [ -x ${STATEDIR}/firewall ]; then
- ${STATEDIR}/firewall ${OPTIONS} clear || echo_notdone
+ if setstatedir; then
+ if [ -x ${STATEDIR}/firewall ]; then
+ ${STATEDIR}/firewall ${OPTIONS} clear
+ fi
fi
done
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.9/init.sh new/shorewall-init-4.6.10.1/init.sh
--- old/shorewall-init-4.6.9/init.sh 2015-05-05 20:28:13.000000000 +0200
+++ new/shorewall-init-4.6.10.1/init.sh 2015-06-09 20:02:00.000000000 +0200
@@ -69,10 +69,10 @@
[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
- if [ ! -x $STATEDIR/firewall ]; then
- if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
- ${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
- fi
+ if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+ ${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
+ else
+ return 0
fi
}
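Review bot: Dropping the `[ ! -x $STATEDIR/firewall ]` guard means `compile $STATEDIR/firewall` now runs on every call for shorewall and shorewall6, and because the callers in the following hunks use `if setstatedir; then`, a failed compile causes an already compiled, executable script to be skipped rather than run. If falling back to the existing script is wanted, something like `${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall || [ -x $STATEDIR/firewall ]` would keep it usable. Whether a failed compile can leave a partially written output behind is not visible here and would need checking first. A comment on the function stating that its return status is now significant to callers would help either way. Only the tail of `setstatedir` is inside the hunk.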
@@ -83,11 +83,11 @@
echo -n "Initializing \"Shorewall-based firewalls\": "
for PRODUCT in $PRODUCTS; do
- setstatedir
-
- if [ -x ${STATEDIR}/firewall ]; then
- if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
- ${STATEDIR}/firewall ${OPTIONS} stop || exit 1
+ if setstatedir; then
+ if [ -x ${STATEDIR}/firewall ]; then
+ if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+ ${STATEDIR}/firewall ${OPTIONS} stop
+ fi
fi
fi
done
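Review bot: The status probe in the re-indented block calls `${SBIN}/$PRODUCT status`, while `setstatedir` in the hunk above uses `${SBINDIR}`. If `SBIN` is not set elsewhere in the file (not visible here), the probe runs `/$PRODUCT`, fails, and `stop` is then issued even when the firewall is already running. Presumably `if ! ${SBINDIR}/$PRODUCT status > /dev/null 2>&1; then` is intended. init.suse.sh carries the same line in its Initializing loop.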
@@ -106,10 +106,10 @@
echo -n "Clearing \"Shorewall-based firewalls\": "
for PRODUCT in $PRODUCTS; do
- setstatedir
-
- if [ -x ${STATEDIR}/firewall ]; then
- ${STATEDIR}/firewall ${OPTIONS} clear || exit 1
+ if setstatedir; then
+ if [ -x ${STATEDIR}/firewall ]; then
+ ${STATEDIR}/firewall ${OPTIONS} clear
+ fi
fi
done
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.9/init.suse.sh new/shorewall-init-4.6.10.1/init.suse.sh
--- old/shorewall-init-4.6.9/init.suse.sh 2015-05-05 20:28:13.000000000 +0200
+++ new/shorewall-init-4.6.10.1/init.suse.sh 2015-06-09 20:02:00.000000000 +0200
@@ -80,7 +80,9 @@
[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
- ${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || exit
+ ${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+ else
+ return 0
fi
}
@@ -91,14 +93,12 @@
echo -n "Initializing \"Shorewall-based firewalls\": "
for PRODUCT in $PRODUCTS; do
- setstatedir
-
- if [ -x $STATEDIR/firewall ]; then
- if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
- $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop || exit
+ if setstatedir; then
+ if [ -x $STATEDIR/firewall ]; then
+ if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+ $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
+ fi
fi
- else
- exit 6
fi
done
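Review bot: The re-indented block tests `[ -x $STATEDIR/firewall ]` but then executes `$STATEDIR/$PRODUCT/firewall ${OPTIONS} stop`, which is a different path. With `STATEDIR` defaulting to `${VARLIB}/${PRODUCT}` (previous hunk), the executed path contains the product name twice and is unlikely to exist. Now that `|| exit` is gone, that failure is silent and this loop would never stop the firewall. The line should read `$STATEDIR/firewall ${OPTIONS} stop`, matching the `clear` loop in the next hunk. The loop's enclosing function begins outside the hunk.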
@@ -114,12 +114,10 @@
echo -n "Clearing \"Shorewall-based firewalls\": "
for PRODUCT in $PRODUCTS; do
- setstatedir
-
- if [ -x ${STATEDIR}/firewall ]; then
- ${STATEDIR}/firewall ${OPTIONS} clear || exit
- else
- exit 6
+ if setstatedir; then
+ if [ -x ${STATEDIR}/firewall ]; then
+ ${STATEDIR}/firewall ${OPTIONS} clear
+ fi
fi
done
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.9/install.sh new/shorewall-init-4.6.10.1/install.sh
--- old/shorewall-init-4.6.9/install.sh 2015-05-06 18:14:16.000000000 +0200
+++ new/shorewall-init-4.6.10.1/install.sh 2015-06-10 17:00:53.000000000 +0200
@@ -27,7 +27,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
-VERSION=4.6.9
+VERSION=4.6.10.1
usage() # $1 = exit status
{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.9/releasenotes.txt new/shorewall-init-4.6.10.1/releasenotes.txt
--- old/shorewall-init-4.6.9/releasenotes.txt 2015-05-06 18:14:16.000000000 +0200
+++ new/shorewall-init-4.6.10.1/releasenotes.txt 2015-06-10 17:00:53.000000000 +0200
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 4 . 6 . 9
+ S H O R E W A L L 4 . 6 . 1 0 . 1
----------------------------
- M a y 0 6 , 2 0 1 5
+ J u n e 1 0 , 2 0 1 5
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,24 +14,37 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) This release contains defect repair from Shorewall 4.6.8.1 and
- earlier releases.
+4.6.10.1
-2) The means for preventing loading of helper modules has been
- clarified in the documentation.
+1) Indentation is now consistent in lib.core (Tuomo Soini).
-3) The SetEvent and ResetEvent actions previously set/reset the event
- even if the packet did not match the other specified columns. This
- has been corrected.
+2) The first problem corrected in 4.6.10 below was incomplete. It is
+ now complete (Tuomo Soini).
-4) Previously, the 'show capabilities' command was ignoring the
- HELPERS setting. This resulted in unwanted modules being autoloaded
- and, when the -f option was given, an incorrect capabilities file
- was generated.
+3) Similarly, the second fix was also incomplete and is now completed
+ (Tuomo Soini).
+
+4.6.10
-6) Previously, when 'wait' was specified for an interface, the
- generated script erroneously checked for required interfaces on all
- commands rather than just start, restart and restore.
+1) On some distributions, Shorewall-init would fail if one of the
+ configured products had a problem. Now, Shorewall-init goes on to
+ the next product rather than stopping.
+
+2) Previously, when startup was disabled (STARTUP_ENABLED=No or no
+ compiled firewall on a -lite system), exit status 2 was
+ returned. Now, exit status 6 is returned.
+
+3) Previously, if SAVE_IPSETS=ipv4 (or ipv6) but the configuration did
+ not use ipsets, then a superfluous warning message was issued:
+
+ WARNING: Invalid value (ipv4) for SAVE_IPSETS
+
+ That warning is now suppressed.
+
+4) Previously, the algorithm used to normalize the probabilities
+ defined in the 'load' provider option was incorrect and could
+ result in probabilities > 1.0. When this occurred, the firewall
+ would fail to start.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
@@ -44,36 +57,73 @@
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) There is now a TCPMSS Target (TCPMSS_TARGET) capability. Your
- iptables and kernel must support this capability in order to use
- the CLAMPMSS option in shorewall.conf and the 'mss=' option in the
- zones, interfaces and hosts files. This capability was added when
- it was learned that Debian on ARM doesn't provide the feature.
+1) Previously, the 'ctevents' and 'expevents' options could only be
+ specified in the conntrack file if a helper was named. That is no
+ longer necessary.
- When using a capabilities file from at earlier release, the
- compiler assumes that this capability is available, since most
- distributions have traditionally provided the capability.
+ Example:
-2) The CLI manpages now state explicitly that 'list' and 'ls' are
- synonyms for 'show' and refer the reader to the description of
- 'show'.
+ #ACTION SOURCE DESTINATION PROTO DEST ...
+ # PORT(S) ...
+ #
+ CT:ctevents:assured,destroy\
+ all - -
-3) The complete syntax of each CLI command is now repeated in the
- detailed description of the command in the man pages.
+2) Two new options have been added to the NFQUEUE target.
-4) Tuomo Soini has contributed a QUIC macro.
+ - By default, if no userspace program is listening on an NFQUEUE,
+ then all packets that are to be queued are dropped. When the new
+ 'bypass' option is used, the NFQUEUE rule is silently bypassed
+ instead. The packet will move on to the next rule.
-5) The JabberSecure macro is now deprecated. Configure Jabber to use
- TLS and use the Jabber macro instead. (Tuomo Soini).
+ Examples:
-6) The enable and disable commands now execute more quickly on slow
- hardware.
+ NFQUEUE(bypass)
+ NFQUEUE(3,bypass)
-7) The CLI programs now support a 'reenable' command. This command is
- logically equivalent to a 'disable' command followed by an 'enable'
- command, with the exception that no error is generated if the
- specified interface or provider is disabled at the time the
- command is given.
+ - Now, a queue range of the form n:m may be specified. Packets are
+ then balanced across the given queues. This is useful for
+ multicore systems: start multiple instances of the userspace
+ program on queues x, x+1, .. x+n and use "x:x+n". Packets
+ belonging to the same connection are put into the same nfqueue.
+
+ Examples:
+
+ NFQUEUE(4:6)
+ NFQUEUE(4:6,bypass)
+
+ Queue ranges are also permitted in an NFQUEUE policy; the
+ 'bypass' option is not permitted there.
+
+3) The 'call' command is now documented. It provides a way to call
+ shell functions in the Shorewall libraries or in the generated
+ script.
+
+ call <function> [ <parameter> ... ]
+
+ <function> must name a shell function in one of the Shorewall
+ libraries or in the generated script. The function is first
+ searched for in lib.base, lib.common, lib.cli and lib.cli-std
+ (lib.cli-std is not searched by the '-lite' products). If the
+ function is found, it is called with any supplied <parameter>s.
+
+ If the function is not found in the libraries, the call command
+ is passed to the generated script for processing.
+
+4) Several changes have been made to the processing of the 'load'
+ option in provider files:
+
+ - load values are normalized to 8-digit precision and 10-byte
+ length.
+ - a warning is issued if the sum of the loads is not 1.000000.
+ - if the normalized probability for an interface is >=
+ 1.000000 then the probability match part of the generated rule is
+ omitted.
+
+5) There is now an ipv6 'findgw' skeleton file.
+
+6) The 'disable' and 'enable' commands now succed if the interface is
+ already disabled or enabled respectively. Tuomo Soini.
----------------------------------------------------------------------------
I V. M I G R A T I O N I S S U E S
@@ -266,7 +316,7 @@
See shorewall6(8) for limitations of 'update -t'.
-15) The default value LOAD_HELPERS_ONLY is now 'Yes'.
+15) The default value of LOAD_HELPERS_ONLY is now 'Yes'.
16) Beginning with Shorewall 4.6.0, FORMAT-1 actions and macros are
deprecated and a warning will be issued for each FORMAT-1 action
@@ -368,6 +418,64 @@
----------------------------------------------------------------------------
V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S
----------------------------------------------------------------------------
+ P R O B L E M S C O R R E C T E D I N 4 . 6 . 9
+----------------------------------------------------------------------------
+
+1) This release contains defect repair from Shorewall 4.6.8.1 and
+ earlier releases.
+
+2) The means for preventing loading of helper modules has been
+ clarified in the documentation.
+
+3) The SetEvent and ResetEvent actions previously set/reset the event
+ even if the packet did not match the other specified columns. This
+ has been corrected.
+
+4) Previously, the 'show capabilities' command was ignoring the
+ HELPERS setting. This resulted in unwanted modules being autoloaded
+ and, when the -f option was given, an incorrect capabilities file
+ was generated.
+
+6) Previously, when 'wait' was specified for an interface, the
+ generated script erroneously checked for required interfaces on all
+ commands rather than just start, restart and restore.
+
+----------------------------------------------------------------------------
+ N E W F E A T U R E S I N 4 . 6 . 89
+----------------------------------------------------------------------------
+
+1) There is now a TCPMSS Target (TCPMSS_TARGET) capability. Your
+ iptables and kernel must support this capability in order to use
+ the CLAMPMSS option in shorewall.conf and the 'mss=' option in the
+ zones, interfaces and hosts files. This capability was added when
+ it was learned that Debian on ARM doesn't provide the feature.
+
+ When using a capabilities file from at earlier release, the
+ compiler assumes that this capability is available, since most
+ distributions have traditionally provided the capability.
+
+2) The CLI manpages now state explicitly that 'list' and 'ls' are
+ synonyms for 'show' and refer the reader to the description of
+ 'show'.
+
+3) The complete syntax of each CLI command is now repeated in the
+ detailed description of the command in the man pages.
+
+4) Tuomo Soini has contributed a QUIC macro.
+
+5) The JabberSecure macro is now deprecated. Configure Jabber to use
+ TLS and use the Jabber macro instead. (Tuomo Soini).
+
+6) The enable and disable commands now execute more quickly on slow
+ hardware.
+
+7) The CLI programs now support a 'reenable' command. This command is
+ logically equivalent to a 'disable' command followed by an 'enable'
+ command, with the exception that no error is generated if the
+ specified interface or provider is disabled at the time the
+ command is given.
+
+----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 6 . 8
----------------------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.9/shorewall-init new/shorewall-init-4.6.10.1/shorewall-init
--- old/shorewall-init-4.6.9/shorewall-init 2015-05-05 20:28:13.000000000 +0200
+++ new/shorewall-init-4.6.10.1/shorewall-init 2015-06-09 20:02:00.000000000 +0200
@@ -1,18 +1,19 @@
-#! /bin/bash
-# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#!/bin/bash
+# The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.6
#
-# (c) 2012-2014 - Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2014 - Tom Eastep (teastep@shorewall.net)
#
-# On most distributions, this file should be called /etc/init.d/shorewall.
+# On most distributions, this file should be called
+# /etc/init.d/shorewall.
#
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at http://shorewall.net
#
-# This program is part of Shorewall.
+# This program is part of Shorewall.
#
# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by the
-# Free Software Foundation, either version 2 of the license or, at your
-# option, any later version.
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 2 of the license or,
+# at your option, any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -22,7 +23,7 @@
# You should have received a copy of the GNU General Public License
# along with this program; if not, see http://www.gnu.org/licenses/.
#
-#########################################################################################
+###############################################################################
# set the STATEDIR variable
setstatedir() {
local statedir
@@ -33,7 +34,9 @@
[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
- ${SBINDIR}/$PRODUCT ${OPTIONS} compile -c || exit 1
+ ${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+ else
+ return 0
fi
}
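Review bot: The return status of setstatedir is now something callers branch on (`if setstatedir; then` in shorewall_start and shorewall_stop in the later hunk), but the comment above the function still reads only `# set the STATEDIR variable`. I would extend it to `# set the STATEDIR variable; returns the status of 'compile -c' for shorewall/shorewall6, 0 for other products` so the contract is visible where the function is defined. The function body starts before this hunk, so the part that computes `statedir` is not shown here.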
@@ -46,7 +49,7 @@
if [ -f "$SYSCONFDIR/shorewall-init" ]; then
. $SYSCONFDIR/shorewall-init
if [ -z "$PRODUCTS" ]; then
- echo "ERROR: No products configured" >&2
+ echo "ERROR: No products configured" >&2
exit 1
fi
else
@@ -56,71 +59,66 @@
# Initialize the firewall
shorewall_start () {
- local PRODUCT
- local STATEDIR
+ local PRODUCT
+ local STATEDIR
- echo -n "Initializing \"Shorewall-based firewalls\": "
- for PRODUCT in $PRODUCTS; do
- setstatedir
-
- if [ -x ${STATEDIR}/firewall ]; then
- #
- # Run in a sub-shell to avoid name collisions
- #
- (
- if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
- ${STATEDIR}/firewall ${OPTIONS} stop || exit 1
- else
- exit 1
- fi
- )
- else
- echo ERROR: ${STATEDIR}/firewall does not exist or is not executable!
- exit 1
- fi
- done
-
- if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
- ipset -R < "$SAVE_IPSETS"
- fi
+ echo -n "Initializing \"Shorewall-based firewalls\": "
+ for PRODUCT in $PRODUCTS; do
+ if setstatedir; then
+ if [ -x ${STATEDIR}/firewall ]; then
+ #
+ # Run in a sub-shell to avoid name collisions
+ #
+ (
+ if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+ ${STATEDIR}/firewall ${OPTIONS} stop
+ fi
+ )
+ fi
+ fi
+ done
- return 0
+ if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+ ipset -R < "$SAVE_IPSETS"
+ fi
+
+ return 0
}
# Clear the firewall
shorewall_stop () {
- local PRODUCT
- local STATEDIR
+ local PRODUCT
+ local STATEDIR
- echo -n "Clearing \"Shorewall-based firewalls\": "
- for PRODUCT in $PRODUCTS; do
- setstatedir
-
- if [ -x ${STATEDIR}/firewall ]; then
- ${STATEDIR}/firewall ${OPTIONS} clear || exit 1
- fi
- done
-
- if [ -n "$SAVE_IPSETS" ]; then
- mkdir -p $(dirname "$SAVE_IPSETS")
- if ipset -S > "${SAVE_IPSETS}.tmp"; then
- grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
- fi
- fi
+ echo -n "Clearing \"Shorewall-based firewalls\": "
+ for PRODUCT in $PRODUCTS; do
+ if setstatedir; then
+ if [ -x ${STATEDIR}/firewall ]; then
+ ${STATEDIR}/firewall ${OPTIONS} clear
+ fi
+ fi
+ done
+
+ if [ -n "$SAVE_IPSETS" ]; then
+ mkdir -p $(dirname "$SAVE_IPSETS")
+ if ipset -S > "${SAVE_IPSETS}.tmp"; then
+ grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+ fi
+ fi
- return 0
+ return 0
}
case "$1" in
- start)
- shorewall_start
- ;;
- stop)
- shorewall_stop
- ;;
- *)
- echo "Usage: $0 {start|stop}"
- exit 1
+ start)
+ shorewall_start
+ ;;
+ stop)
+ shorewall_stop
+ ;;
+ *)
+ echo "Usage: $0 {start|stop}"
+ exit 1
esac
exit 0
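Review bot: In the new shorewall_start loop a product is skipped without any message when `setstatedir` fails or `${STATEDIR}/firewall` is not executable; the removed code printed `ERROR: ${STATEDIR}/firewall does not exist or is not executable!`, and the function still returns 0 with `exit 0` at the end of the script. A boot in which no product was put into the stopped state therefore looks the same as a clean one, which matters for a firewall init script. Continuing to the next product can be kept while still reporting each failure on stderr and carrying a status out of the function, as sketched below; whether the script's final exit code should reflect it is a packaging decision. The loop in shorewall_stop has the same shape and also drops the `|| exit 1` on `clear` without a message.

```shell
shorewall_start () {
    # … unchanged: local PRODUCT / local STATEDIR, banner echo …
    local rc=0

    for PRODUCT in $PRODUCTS; do
        if ! setstatedir; then
            echo "ERROR: $PRODUCT: compile failed, firewall not initialized" >&2
            rc=1
        elif [ ! -x "${STATEDIR}/firewall" ]; then
            echo "ERROR: ${STATEDIR}/firewall does not exist or is not executable!" >&2
            rc=1
        else
            # … unchanged: sub-shell that runs 'firewall status' and, if not running, 'firewall stop' …
        fi
    done

    # … unchanged: ipset restore from $SAVE_IPSETS …

    return $rc
```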
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.6.9/shorewall-init.service new/shorewall-init-4.6.10.1/shorewall-init.service
--- old/shorewall-init-4.6.9/shorewall-init.service 2015-05-05 20:28:13.000000000 +0200
+++ new/shorewall-init-4.6.10.1/shorewall-init.service 2015-06-09 20:02:00.000000000 +0200
@@ -4,7 +4,7 @@
# Copyright 2011 Jonathan Underwood