Hello community,
here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2011-11-02 12:18:19
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shorewall (Old)
and /work/SRC/openSUSE:Factory/.shorewall.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shorewall", Maintainer is ""
Changes:
--------
--- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2011-10-16 12:59:16.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.shorewall.new/shorewall.changes 2011-11-02 12:18:21.000000000 +0100
@@ -1,0 +2,47 @@
+Tue Nov 1 18:16:52 UTC 2011 - toganm@opensuse.org
+
+- Update to 4.4.25.1 For more details see changelog.txt and
+ releasenotes.txt
+
+ * A'refresh' command with no chains or tables specified will
+ now reload chains created by entries in the BLACKLIST section of
+ the rules file.
+ * The rules compiler previously failed to detect the 'Flow
+ Filter' capability. That capability is now correctly detected.
+ * The IN_BANDWIDTH handling changes in 4.4.25 was incompatible
+ with moribund distributions such as RHEL4. Restoring IN_BANDWIDTH
+ functionality on those releases required a new 'Basic Filter'
+ capability.
+
+
+-------------------------------------------------------------------
+Sun Oct 30 09:47:11 UTC 2011 - toganm@opensuse.org
+
+- Update to 4.4.25 For more details see changelog.txt and
+ releasenotes.txt
+
+ * A defect in the optimizer that allowed incompatible rules to be
+ combined has been corrected.
+ * Routes and rules added as a result of entries in
+ /etc/shorewall6/providers were previously not deleted by
+ 'stop' or 'restart'. Repeated 'restart' commands could
+ therefore lead to an incorrect routing configuration.
+ * Previously, capital letters were disallowed in IPv6 addresses.
+ They are now permitted.
+ * If the COPY column in /etc/shorewall6/providers was non-empty,
+ previously a run-time error could occur when copying a table.
+ The diagnostic produced by ip was:
+
+ Either "to" is duplicate, or "cache" is garbage
+
+ * When copying IPv6 routes, the generated script previously
+ attempted to copy 'cache' entries. Those entries are now omitted.
+ * Previously, the use of large provider numbers could cause some
+ Shorewall-generated routing rules to be ineffective.
+ * In some contexts, IPv6 addresses of the form ::i.j.k.l were
+ incorrectly classified as invalid by the configuration compile
+ * New blacklisting facility implemented. For this and other new
+ features please refer to the releasenotes.txt
+
+
+-------------------------------------------------------------------
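Review bot: The "::i.j.k.l" bullet in the 4.4.25 entry is cut off at "incorrectly classified as invalid by the configuration compile"; finish the sentence ("compiler.") so it matches the release notes shipped in the tarballs. In the 4.4.25.1 entry, "A'refresh'" is missing a space, "changes in 4.4.25 was incompatible" should read "were", and "Update to 4.4.25.1 For more details" needs a full stop after the version.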
Old:
----
shorewall-4.4.24.1.tar.bz2
shorewall-docs-html-4.4.24.1.tar.bz2
shorewall-init-4.4.24.1.tar.bz2
shorewall-lite-4.4.24.1.tar.bz2
shorewall6-4.4.24.1.tar.bz2
shorewall6-lite-4.4.24.1.tar.bz2
New:
----
shorewall-4.4.25.1.tar.bz2
shorewall-docs-html-4.4.25.1.tar.bz2
shorewall-init-4.4.25.1.tar.bz2
shorewall-lite-4.4.25.1.tar.bz2
shorewall6-4.4.25.1.tar.bz2
shorewall6-lite-4.4.25.1.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ shorewall.spec ++++++
--- /var/tmp/diff_new_pack.Afk44c/_old 2011-11-02 12:18:24.000000000 +0100
+++ /var/tmp/diff_new_pack.Afk44c/_new 2011-11-02 12:18:24.000000000 +0100
@@ -18,7 +18,7 @@
Name: shorewall
-Version: 4.4.24.1
+Version: 4.4.25.1
Release: 1
License: GPL-2.0
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems
++++++ shorewall-4.4.24.1.tar.bz2 -> shorewall-4.4.25.1.tar.bz2 ++++++
++++ 4706 lines of diff (skipped)
++++++ shorewall-docs-html-4.4.24.1.tar.bz2 -> shorewall-docs-html-4.4.25.1.tar.bz2 ++++++
++++ 6779 lines of diff (skipped)
++++++ shorewall-init-4.4.24.1.tar.bz2 -> shorewall-init-4.4.25.1.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.4.24.1/changelog.txt new/shorewall-init-4.4.25.1/changelog.txt
--- old/shorewall-init-4.4.24.1/changelog.txt 2011-10-15 15:53:53.000000000 +0200
+++ new/shorewall-init-4.4.25.1/changelog.txt 2011-11-01 16:35:31.000000000 +0100
@@ -1,19 +1,46 @@
-Changes in 4.4.24.1
+Changes in 4.4.25.1
-1) Restore complex TC functionality.
+1) Reload 'blacklistsection' chains during 'refresh'.
-Changes in 4.4.24 Final
+Changes in 4.4.25 Final
-1) Clone TTL support to provide HL support in Shorewall6.
+1) Evaluate a variable at compile-time rather than run-time.
-Changes in 4.4.24 RC 2
+Changes in 4.4.25 RC 1
-1) Fix 'fallback' without =<weight>.
+1) Add MARK column to the route_rules file.
-2) Add BALANCE_TABLE
+2) Place all ip-address route rules at priority 20000.
-3) Fix RC 1 bugs reported by Steven Springl
+3) Ensure that a 'lookup default prio 32767' rule exists.
+4) Correct validation of 4in6 addresses.
+
+Changes in 4.4.25 Beta 4
+
+1) Fix optimizer bug.
+
+2) Fix 'undo' of Shorewall6 routing.
+
+3) Don't copy cache routes.
+
+4) Balance and Fallback routes in Shorewall6.
+
+5) enable/disable in Shorewall6.
+
+Changes in 4.4.25 Beta 3
+
+1) Allow explicit rate estimation.
+
+Changes in 4.4.25 Beta 2
+
+1) Add rate estimation to input bandwidth policing.
+
+Changes in 4.4.25 Beta 1
+
+1) Add BLACKLIST section to the rules file.
+
+2) Add '6in4' as a synonym for '6to4'.
Changes in 4.4.24 RC 1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.4.24.1/install.sh new/shorewall-init-4.4.25.1/install.sh
--- old/shorewall-init-4.4.24.1/install.sh 2011-10-15 15:53:53.000000000 +0200
+++ new/shorewall-init-4.4.25.1/install.sh 2011-11-01 16:35:31.000000000 +0100
@@ -23,7 +23,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
-VERSION=4.4.24.1
+VERSION=4.4.25.1
usage() # $1 = exit status
{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.4.24.1/releasenotes.txt new/shorewall-init-4.4.25.1/releasenotes.txt
--- old/shorewall-init-4.4.24.1/releasenotes.txt 2011-10-15 15:53:53.000000000 +0200
+++ new/shorewall-init-4.4.25.1/releasenotes.txt 2011-11-01 16:35:31.000000000 +0100
@@ -1,6 +1,6 @@
----------------------------------------------------------------------------
- S H O R E W A L L 4 . 4 . 2 4 . 1
+ S H O R E W A L L 4 . 4 . 2 5 . 1
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,20 +14,82 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-4.4.24.1
+4.4.25.1
-1) When the logical and physical name of an interface were different,
- including the logical name in the tcdevices file caused the
- device's classes to be ignored. This defect was introduced in
- Shorewall 4.4.23.
+1) A 'refresh' command with no chains or tables specified will now
+ reload chains created by entries in the BLACKLIST section of the
+ rules file.
+
+2) The 'refresh' command did not automatically reload the rules from
+ the BLACKLIST section of the rules file. Now such rules are
+ reloaded by 'refresh'.
+
+3) The rules compiler previously failed to detect the 'Flow Filter'
+ capability. That capability is now correctly detected.
+
+4) The IN_BANDWIDTH handling changes in 4.4.25 was incompatible with
+ moribund distributions such as RHEL4. Restoring IN_BANDWIDTH
+ functionality on those releases required a new 'Basic Filter'
+ capability.
+
+4.4.25
+
+1) A defect in the optimizer that allowed incompatible rules to be
+ combined has been corrected.
+
+ Example:
+
+ Rule1: -i eth1 -j chainx
+ Rule in chainx: -i eth2 -j ACCEPT
+ Incorrect result: -i eth2 -j ACCEPT
+
+ With the change in this release, Rule1 will remain as it is.
+
+2) Routes and rules added as a result of entries in
+ /etc/shorewall6/providers were previously not deleted by
+ 'stop' or 'restart'. Repeated 'restart' commands could therefore
+ lead to an incorrect routing configuration.
+
+3) Previously, capital letters were disallowed in IPv6 addresses. They
+ are now permitted.
+
+4) If the COPY column in /etc/shorewall6/providers was non-empty,
+ previously a run-time error could occur when copying a table. The
+ diagnostic produced by ip was:
+
+ Either "to" is duplicate, or "cache" is garbage
+
+5) When copying IPv6 routes, the generated script previously attempted
+ to copy 'cache' entries. Those entries are now omitted.
+
+6) Previously, the use of large provider numbers could cause some
+ Shorewall-generated routing rules to be ineffective.
+
+ Example (provider numbers 110 and 120):
+
+ 0: from all lookup local
+ 10109: from all fwmark 0x6e/0xff lookup 110
+ 10119: from all fwmark 0x78/0xff lookup 120
+ 11000: from 2001:470:1f04:262::1/64 lookup 110
+ 11001: from 2001:470:c:316::1/64 lookup 120
+ 32766: from all lookup main
+ 47904: from 2001:470:8388::1 lookup 110 <===========
+ 50464: from 2001:470:f032::1 lookup 120 <===========
+
+ Now, all routing rules generated by provider interface IP (and IP6)
+ addresses are created at priority 20000.
+
+ 0: from all lookup local
+ 10109: from all fwmark 0x6e/0xff lookup 110
+ 10119: from all fwmark 0x78/0xff lookup 120
+ 11000: from 2001:470:1f04:262::1/64 lookup 110
+ 11001: from 2001:470:c:316::1/64 lookup 120
+ 20000: from 2001:470:8388::1 lookup 110 <===========
+ 20000: from 2001:470:f032::1 lookup 120 <===========
+ 32766: from all lookup main
-4.4.24
-
-1) This release includes all problem corrections from releases
- 4.4.23.1-4.4.23.3.
-
-2) The 'fallback' option without =<weight> previously produced invalid
- 'ip' commands.
+7) In some contexts, IPv6 addresses of the form ::i.j.k.l were
+ incorrectly classified as invalid by the configuration compiler.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
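Review bot: Items 1) and 2) under 4.4.25.1 describe the same correction ('refresh' now reloads the chains built from the BLACKLIST section of the rules file); drop one and renumber the rest. In item 6) the corrected listing places both provider address rules at priority 20000, ahead of "32766: from all lookup main"; one sentence saying that this ordering relative to the main table is the reason the rules at 47904 and 50464 were ineffective would make the example self-explanatory.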
@@ -40,49 +102,128 @@
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) Stateless NAT is now available in Shorewall6. See
- shorewall6-netmap(5) for details. Beta 2 added the ability to use
- exclusion in the NET1 column.
+1) The original static blacklisting implementation was
+ interface-oriented and only handled blacklisting by source
+ address. In Shorewall 4.4.12, the ability to blacklist by
+ destination address was added and blacklisting could be specified
+ as a ZONE option. This change, plus additional changes in
+ subsequent releases has lead to an implementation that is complex
+ and hard to extend.
+
+ In this release, a new static blacklisting facility has been
+ implemented. This facility is separate from the legacy facility, so
+ existing configurations will continue to work without change.
+
+ A BLACKLIST section has been added to the rules file. This section
+ is now the first section, having been added ahead of the ALL
+ section. The set of packets that are subject to blacklisting is
+ still governed by the setting of BLACKLISTNEWONLY in
+ shorewall.conf. The settings of BLACKLIST_LOGLEVEL and
+ BLACKLIST_DISPOSITION are not relevant to the new implementation.
+ Most of the actions available in other sections of the rules file
+ are available in the BLACKLIST section and logging is specified on
+ a rule-by-rule basis in the normal way.
+
+ In addition to the other actions available, a WHITELIST action has
+ been added which exempts matching packets from being passed to the
+ remaining rules in the section.
+
+ Each "zone2zone" chain (e.g., net2fw) that has blacklist rules has
+ a companion blacklisting chain. The name of the blacklisting chain
+ is formed by appending "~" to the zone2zone chain. For example,
+ 'net2fw' blacklist rules appear in the chain net2fw~.
+
+ There is a likelihood that multiple blacklisting chains will have
+ exactly the same rules. This is especially true when 'all' is used
+ as the zone name in the SOURCE and/or DEST columns. When
+ optimization level 8 is used, these identical chains are combined
+ into a single chain with the name ~blacklistN, where N is a number
+ (possibly with multiple digits).
+
+ The 'nosurfs' and 'tcpflags' interface options generate rules that
+ will be traversed prior to those in the BLACKLIST section. If you
+ want similar rules to be travered on packets that were not dropped
+ or rejected in the BLACKLIST chain, you can use the new
+ 'DropSmurfs' and/or 'TCPFlags' standard actions.
+
+ The DropSmurfs action has a single parameter whose default value
+ is '-'. The action silently drops smurfs without auditing. If you
+ want to audit these drops, use DropSmurfs(audit). Logging can be
+ specified in the normal way (e.g., DropSmurfs:info).
+
+ The TCPFlags action has two parameters whose default values are
+ DROP and -. The first action determines what is to be done with
+ matching packets and can have the values DROP, REJECT or ACCEPT. If
+ you want the action to be audited, pass 'audit' in the second
+ parameter.
+
+ Example: TCPFlags(REJECT,audit)
+
+ Again, logging is specified in the normal way.
+
+ The 'maclist' interface option can also generate rules that are
+ traversed prior to those in the BLACKLIST section. If you want them
+ to come after the the blacklist rules, simply recode your maclist
+ rules in the NEW section of the rules file. The 'macipmap' ipset
+ type is ideally suited for this task.
+
+ Example: assumes the ipset name is macipmap and that the
+ zone to be verified is named wlan
+
+ /etc/shorewall/rules:
+
+ SECTION NEW
+ DROP:info wlan:!+macipmap all
+
+2) '6in4' has been added as a synonum for '6to4' in the TYPE column of
+ the tunnels file.
+
+3) The handling of IN_BANDWIDTH in both /etc/shorewall/tcdevices and
+ /etc/shorewall/tcinterfaces has been changed. Previously:
+
+ a) Simple rate/burst policing was applied using the value(s)
+ supplied.
+
+ b) IPv4 and IPv6 were policed separately.
+
+ Beginning with this release, you have the option of configuring a
+ rate estimated policing filter. This type of filter is discussed at
+ http://ace-host.stuart.id.au/russell/files/tc/doc/extimators.txt.
+
+ You specify an estimeting filter by preceding the IN-BANDWIDTH with
+ a tilde ('~').
+
+ Example: ~40mbit
+
+ This example limits incoming traffic to an *average* rate of 40mbit.
+
+ There are two other other parameters that can be specified, in
+ addition to the average rate - <interval> and
+ . There is an excellent description of these
+ parameters in the document referenced above.
+
+ Example: ~40mbit:1sec:8sec
+
+ In that example, the <interval> is 1 second and the
+ is 8 seconds. If not given, the default values are
+ 250ms and 4 seconds. Both parameters must be supplied if either is
+ supplied.
+
+ Also in this release, the policing of IPv4 and IPv6 has been
+ combined so a single filter is applied to all traffic on a
+ configured interface.
+
+4) Shorewall6 now supports the 'balance' and 'fallback' provider
+ options. These options are restricted to one interface per
+ configuration for each option.
-2) /sbin/shorewall6 now supports the 'show rawpost' command.
-
-3) This release includes support for 'Condition Match' which is
- included in xtables-addons. Condition match allows rules to be
- predicated on the setting of a named switch in
- /proc/net/nf_condition/.
+5) The scripts generated by Shorewall6 now support the 'enable' and
+ 'disable' commands.
- See
- http://www.shorewall.net/configuration_file_basics.htm#Switches
- for details.
-
-4) With the preceding change, the rules file now has 14 columns. That
- makes it awkward to specify the last column as you have to insert
- the correct number of '-' to get the right column.
-
- To make that easier, Shorewall now allows you to specify columns
- using several (column-name,value) formats. See
- http://www.shorewall.net/configuration_file_basics.htm#Pairs for
+6) A 'MARK' column has been added to the route_rules file. See
+ shorewall-route_rules (5) and shorewall6-route_rules (5) for
details.
-5) The generated script will now use the iptables/ip6tables -S command
- if available.
-
-6) The implementation of USE_DEFAULT_RT=Yes has been changed
- significantly. These changes include:
-
- a) A new BALANCE routing table with number 250 has been added.
- b) Routes to providers with the 'balance' option are added to the
- BALANCE table rather than the default table.
- c) This allows 'fallback' to work with USE_DEFAULT_RT.
- d) For optional interfaces, the 'fallback' option without a value
- now works the same as if 'fallback=1' had been specified.
-
- This change also corrected several problems with 'fallback' and
- enable/disable.
-
-7) Support has been added for TTL manipulation (HL in Shorewall6).
- See shorewall-tcrules(5) or shorewall6-tcrules(5) for details.
-
----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S
----------------------------------------------------------------------------
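Review bot: Item 3) has lost the name of the second rate-estimation parameter: "addition to the average rate - <interval> and" is followed by a line beginning ". There is", and "the <interval> is 1 second and the" is followed by "is 8 seconds". Restore the name in both places so the "~40mbit:1sec:8sec" example can be read. The same item writes "IN-BANDWIDTH" where the rest of the notes use IN_BANDWIDTH, and there are typos to fix: "travered", "the the blacklist rules", "has lead", "synonum", "estimeting", "other other". In item 1), because BLACKLIST_LOGLEVEL and BLACKLIST_DISPOSITION do not apply to the new BLACKLIST section, add a line telling administrators who move rules into it to set logging on each rule, otherwise blacklist hits stop being logged without any warning.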
@@ -318,7 +459,63 @@
----------------------------------------------------------------------------
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
I N P R I O R R E L E A S E S
-------------------------------------------------------------------------------
+----------------------------------------------------------------------------
+ P R O B L E M S C O R R E C T E D I N 4 . 4 . 2 4
+----------------------------------------------------------------------------
+
+1) Includes all problem corrections from versions 4.4.23.1 - 4.4.23.3.
+
+2) The 'fallback' option without =<weight> previously produced invalid
+ 'ip' commands.
+
+----------------------------------------------------------------------------
+ N E W F E A T U R E S I N 4 . 4 . 2 4
+----------------------------------------------------------------------------
+
+1) Stateless NAT is now available in Shorewall6. See
+ shorewall6-netmap(5) for details. Beta 2 added the ability to use
+ exclusion in the NET1 column.
+
+2) /sbin/shorewall6 now supports the 'show rawpost' command.
+
+3) This release includes support for 'Condition Match' which is
+ included in xtables-addons. Condition match allows rules to be
+ predicated on the setting of a named switch in
+ /proc/net/nf_condition/.
+
+ See
+ http://www.shorewall.net/configuration_file_basics.htm#Switches
+ for details.
+
+4) With the preceding change, the rules file now has 14 columns. That
+ makes it awkward to specify the last column as you have to insert
+ the correct number of '-' to get the right column.
+
+ To make that easier, Shorewall now allows you to specify columns
+ using several (column-name,value) formats. See
+ http://www.shorewall.net/configuration_file_basics.htm#Pairs for
+ details.
+
+5) The generated script will now use the iptables/ip6tables -S command
+ if available.
+
+6) The implementation of USE_DEFAULT_RT=Yes has been changed
+ significantly. These changes include:
+
+ a) A new BALANCE routing table with number 250 has been added.
+ b) Routes to providers with the 'balance' option are added to the
+ BALANCE table rather than the default table.
+ c) This allows 'fallback' to work with USE_DEFAULT_RT.
+ d) For optional interfaces, the 'fallback' option without a value
+ now works the same as if 'fallback=1' had been specified.
+
+ This change also corrected several problems with 'fallback' and
+ enable/disable.
+
+7) Support has been added for TTL manipulation (HL in Shorewall6).
+ See shorewall-tcrules(5) or shorewall6-tcrules(5) for details.
+
+----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 2 3
----------------------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.4.24.1/shorewall-init.spec new/shorewall-init-4.4.25.1/shorewall-init.spec
--- old/shorewall-init-4.4.24.1/shorewall-init.spec 2011-10-15 15:53:53.000000000 +0200
+++ new/shorewall-init-4.4.25.1/shorewall-init.spec 2011-11-01 16:35:31.000000000 +0100
@@ -1,5 +1,5 @@
%define name shorewall-init
-%define version 4.4.24
+%define version 4.4.25
%define release 1
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
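Review bot: "%define version 4.4.25" does not match the "VERSION=4.4.25.1" set in install.sh in this same update, nor the 4.4.25.1 in the tarball name. Either bump the spec to 4.4.25.1 or document why the upstream spec tracks only the base release, so a package built from this spec does not report a different version than the scripts it installs.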
@@ -119,12 +119,20 @@
%doc COPYING changelog.txt releasenotes.txt
%changelog
+* Sun Oct 30 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.25-1
+* Thu Oct 27 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.25-0base
+* Sun Oct 23 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.25-0RC1
+* Sat Oct 22 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.25-0Beta4
+* Tue Oct 18 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.25-0Beta3
* Tue Oct 11 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.24-1
-* Sun Oct 09 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.24-0base
-* Sun Oct 09 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.24-0RC2
+- Updated to 4.4.25-0Beta2
+* Tue Oct 04 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.25-0Beta1
* Sat Oct 01 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.24-0RC1
* Mon Sep 26 2011 Tom Eastep tom@shorewall.net
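Review bot: The unchanged header "* Tue Oct 11 2011" now sits above "- Updated to 4.4.25-0Beta2", and the removed lines drop the 4.4.24-1, 4.4.24-0base and 4.4.24-0RC2 entries, so the %changelog no longer records the 4.4.24 final releases and reuses the date that previously belonged to 4.4.24-1. Add the 4.4.25 entries above the existing ones rather than overwriting them. There is also no entry for 4.4.25.1, the version this update actually ships.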
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-4.4.24.1/uninstall.sh new/shorewall-init-4.4.25.1/uninstall.sh
--- old/shorewall-init-4.4.24.1/uninstall.sh 2011-10-15 15:53:53.000000000 +0200
+++ new/shorewall-init-4.4.25.1/uninstall.sh 2011-11-01 16:35:31.000000000 +0100
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.24.1
+VERSION=4.4.25.1
usage() # $1 = exit status
{
++++++ shorewall-lite-4.4.24.1.tar.bz2 -> shorewall-lite-4.4.25.1.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.24.1/changelog.txt new/shorewall-lite-4.4.25.1/changelog.txt
--- old/shorewall-lite-4.4.24.1/changelog.txt 2011-10-15 15:53:53.000000000 +0200
+++ new/shorewall-lite-4.4.25.1/changelog.txt 2011-11-01 16:35:31.000000000 +0100
@@ -1,19 +1,46 @@
-Changes in 4.4.24.1
+Changes in 4.4.25.1
-1) Restore complex TC functionality.
+1) Reload 'blacklistsection' chains during 'refresh'.
-Changes in 4.4.24 Final
+Changes in 4.4.25 Final
-1) Clone TTL support to provide HL support in Shorewall6.
+1) Evaluate a variable at compile-time rather than run-time.
-Changes in 4.4.24 RC 2
+Changes in 4.4.25 RC 1
-1) Fix 'fallback' without =<weight>.
+1) Add MARK column to the route_rules file.
-2) Add BALANCE_TABLE
+2) Place all ip-address route rules at priority 20000.
-3) Fix RC 1 bugs reported by Steven Springl
+3) Ensure that a 'lookup default prio 32767' rule exists.
+4) Correct validation of 4in6 addresses.
+
+Changes in 4.4.25 Beta 4
+
+1) Fix optimizer bug.
+
+2) Fix 'undo' of Shorewall6 routing.
+
+3) Don't copy cache routes.
+
+4) Balance and Fallback routes in Shorewall6.
+
+5) enable/disable in Shorewall6.
+
+Changes in 4.4.25 Beta 3
+
+1) Allow explicit rate estimation.
+
+Changes in 4.4.25 Beta 2
+
+1) Add rate estimation to input bandwidth policing.
+
+Changes in 4.4.25 Beta 1
+
+1) Add BLACKLIST section to the rules file.
+
+2) Add '6in4' as a synonym for '6to4'.
Changes in 4.4.24 RC 1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.24.1/install.sh new/shorewall-lite-4.4.25.1/install.sh
--- old/shorewall-lite-4.4.24.1/install.sh 2011-10-15 15:53:53.000000000 +0200
+++ new/shorewall-lite-4.4.25.1/install.sh 2011-11-01 16:35:31.000000000 +0100
@@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
-VERSION=4.4.24.1
+VERSION=4.4.25.1
usage() # $1 = exit status
{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.24.1/lib.base new/shorewall-lite-4.4.25.1/lib.base
--- old/shorewall-lite-4.4.24.1/lib.base 2011-10-15 15:53:53.000000000 +0200
+++ new/shorewall-lite-4.4.25.1/lib.base 2011-11-01 16:35:31.000000000 +0100
@@ -28,7 +28,7 @@
#
SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40424
+SHOREWALL_CAPVERSION=40425
[ -n "${VARDIR:=/var/lib/shorewall}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
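Review bot: SHOREWALL_CAPVERSION moves to 40425, yet the release notes in this update say the 'Basic Filter' capability was added in 4.4.25.1 to restore IN_BANDWIDTH on older distributions. If 4.4.25 already shipped with 40425, a capabilities file produced by that release carries the same CAPVERSION while lacking BASIC_FILTER. Consider a value that distinguishes 4.4.25.1, or state in a comment why the existing value is sufficient.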
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.24.1/lib.cli new/shorewall-lite-4.4.25.1/lib.cli
--- old/shorewall-lite-4.4.24.1/lib.cli 2011-10-15 15:53:53.000000000 +0200
+++ new/shorewall-lite-4.4.25.1/lib.cli 2011-11-01 16:35:31.000000000 +0100
@@ -1733,6 +1733,7 @@
AUDIT_TARGET=
CONDITION_MATCH=
IPTABLES_S=
+ BASIC_FILTER=
chain=fooX$$
@@ -1891,6 +1892,7 @@
qt $IPTABLES -X $chain1
[ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
+ [ -n "$TC" ] && $TC filter add basic help 2>&1 | grep -q ^Usage && BASIC_FILTER=Yes
[ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
CAPVERSION=$SHOREWALL_CAPVERSION
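Review bot: The new probe "$TC filter add basic help 2>&1 | grep -q ^Usage" sets BASIC_FILTER from the help text that tc prints, the same pattern as the FLOW_FILTER line above it. Please confirm that this output really differs when the basic classifier is unavailable, and add a short comment recording what the probe is expected to match. Item 3) of the 4.4.25.1 notes says 'Flow Filter' detection was already failing in the rules compiler, so a capability that silently reads as absent or present changes which IN_BANDWIDTH policing rules get generated.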
@@ -1981,6 +1983,7 @@
report_capability "ipset V5" $IPSET_V5
report_capability "Condition Match" $CONDITION_MATCH
report_capability "iptables -S" $IPTABLES_S
+ report_capability "Basic Filter" $BASIC_FILTER
fi
[ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -2053,6 +2056,7 @@
report_capability1 IPSET_V5
report_capability1 CONDITION_MATCH
report_capability1 IPTABLES_S
+ report_capability1 BASIC_FILTER
echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.24.1/manpages/shorewall-lite-vardir.5 new/shorewall-lite-4.4.25.1/manpages/shorewall-lite-vardir.5
--- old/shorewall-lite-4.4.24.1/manpages/shorewall-lite-vardir.5 2011-10-15 15:59:12.000000000 +0200
+++ new/shorewall-lite-4.4.25.1/manpages/shorewall-lite-vardir.5 2011-11-01 16:40:54.000000000 +0100
@@ -2,12 +2,12 @@
.\" Title: shorewall-lite-vardir
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.75.2 http://docbook.sf.net/
-.\" Date: 10/15/2011
+.\" Date: 11/01/2011
.\" Manual: [FIXME: manual]
.\" Source: [FIXME: source]
.\" Language: English
.\"
-.TH "SHOREWALL\-LITE\-VAR" "5" "10/15/2011" "[FIXME: source]" "[FIXME: manual]"
+.TH "SHOREWALL\-LITE\-VAR" "5" "11/01/2011" "[FIXME: source]" "[FIXME: manual]"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.24.1/manpages/shorewall-lite.8 new/shorewall-lite-4.4.25.1/manpages/shorewall-lite.8
--- old/shorewall-lite-4.4.24.1/manpages/shorewall-lite.8 2011-10-15 15:59:14.000000000 +0200
+++ new/shorewall-lite-4.4.25.1/manpages/shorewall-lite.8 2011-11-01 16:40:56.000000000 +0100
@@ -2,12 +2,12 @@
.\" Title: shorewall-lite
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.75.2 http://docbook.sf.net/
-.\" Date: 10/15/2011
+.\" Date: 11/01/2011
.\" Manual: [FIXME: manual]
.\" Source: [FIXME: source]
.\" Language: English
.\"
-.TH "SHOREWALL\-LITE" "8" "10/15/2011" "[FIXME: source]" "[FIXME: manual]"
+.TH "SHOREWALL\-LITE" "8" "11/01/2011" "[FIXME: source]" "[FIXME: manual]"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.24.1/manpages/shorewall-lite.conf.5 new/shorewall-lite-4.4.25.1/manpages/shorewall-lite.conf.5
--- old/shorewall-lite-4.4.24.1/manpages/shorewall-lite.conf.5 2011-10-15 15:59:10.000000000 +0200
+++ new/shorewall-lite-4.4.25.1/manpages/shorewall-lite.conf.5 2011-11-01 16:40:52.000000000 +0100
@@ -2,12 +2,12 @@
.\" Title: shorewall-lite.conf
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.75.2 http://docbook.sf.net/
-.\" Date: 10/15/2011
+.\" Date: 11/01/2011
.\" Manual: [FIXME: manual]
.\" Source: [FIXME: source]
.\" Language: English
.\"
-.TH "SHOREWALL\-LITE\&.CO" "5" "10/15/2011" "[FIXME: source]" "[FIXME: manual]"
+.TH "SHOREWALL\-LITE\&.CO" "5" "11/01/2011" "[FIXME: source]" "[FIXME: manual]"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.24.1/modules.tc new/shorewall-lite-4.4.25.1/modules.tc
--- old/shorewall-lite-4.4.24.1/modules.tc 2011-10-15 15:53:53.000000000 +0200
+++ new/shorewall-lite-4.4.25.1/modules.tc 2011-11-01 16:35:31.000000000 +0100
@@ -22,4 +22,5 @@
loadmodule cls_u32
loadmodule cls_fw
loadmodule cls_flow
+loadmodule cls_basic
loadmodule act_police
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.24.1/releasenotes.txt new/shorewall-lite-4.4.25.1/releasenotes.txt
--- old/shorewall-lite-4.4.24.1/releasenotes.txt 2011-10-15 15:53:53.000000000 +0200
+++ new/shorewall-lite-4.4.25.1/releasenotes.txt 2011-11-01 16:35:31.000000000 +0100
@@ -1,6 +1,6 @@
----------------------------------------------------------------------------
- S H O R E W A L L 4 . 4 . 2 4 . 1
+ S H O R E W A L L 4 . 4 . 2 5 . 1
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,20 +14,82 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-4.4.24.1
+4.4.25.1
-1) When the logical and physical name of an interface were different,
- including the logical name in the tcdevices file caused the
- device's classes to be ignored. This defect was introduced in
- Shorewall 4.4.23.
+1) A 'refresh' command with no chains or tables specified will now
+ reload chains created by entries in the BLACKLIST section of the
+ rules file.
+
+2) The 'refresh' command did not automatically reload the rules from
+ the BLACKLIST section of the rules file. Now such rules are
+ reloaded by 'refresh'.
+
+3) The rules compiler previously failed to detect the 'Flow Filter'
+ capability. That capability is now correctly detected.
+
+4) The IN_BANDWIDTH handling changes in 4.4.25 was incompatible with
+ moribund distributions such as RHEL4. Restoring IN_BANDWIDTH
+ functionality on those releases required a new 'Basic Filter'
+ capability.
+
+4.4.25
+
+1) A defect in the optimizer that allowed incompatible rules to be
+ combined has been corrected.
+
+ Example:
+
+ Rule1: -i eth1 -j chainx
+ Rule in chainx: -i eth2 -j ACCEPT
+ Incorrect result: -i eth2 -j ACCEPT
+
+ With the change in this release, Rule1 will remain as it is.
+
+2) Routes and rules added as a result of entries in
+ /etc/shorewall6/providers were previously not deleted by
+ 'stop' or 'restart'. Repeated 'restart' commands could therefore
+ lead to an incorrect routing configuration.
+
+3) Previously, capital letters were disallowed in IPv6 addresses. They
+ are now permitted.
+
+4) If the COPY column in /etc/shorewall6/providers was non-empty,
+ previously a run-time error could occur when copying a table. The
+ diagnostic produced by ip was:
+
+ Either "to" is duplicate, or "cache" is garbage
+
+5) When copying IPv6 routes, the generated script previously attempted
+ to copy 'cache' entries. Those entries are now omitted.
+
+6) Previously, the use of large provider numbers could cause some
+ Shorewall-generated routing rules to be ineffective.
+
+ Example (provider numbers 110 and 120):
+
+ 0: from all lookup local
+ 10109: from all fwmark 0x6e/0xff lookup 110
+ 10119: from all fwmark 0x78/0xff lookup 120
+ 11000: from 2001:470:1f04:262::1/64 lookup 110
+ 11001: from 2001:470:c:316::1/64 lookup 120
+ 32766: from all lookup main
+ 47904: from 2001:470:8388::1 lookup 110 <===========
+ 50464: from 2001:470:f032::1 lookup 120 <===========
+
+ Now, all routing rules generated by provider interface IP (and IP6)
+ addresses are created at priority 20000.
+
+ 0: from all lookup local
+ 10109: from all fwmark 0x6e/0xff lookup 110
+ 10119: from all fwmark 0x78/0xff lookup 120
+ 11000: from 2001:470:1f04:262::1/64 lookup 110
+ 11001: from 2001:470:c:316::1/64 lookup 120
+ 20000: from 2001:470:8388::1 lookup 110 <===========
+ 20000: from 2001:470:f032::1 lookup 120 <===========
+ 32766: from all lookup main
-4.4.24
-
-1) This release includes all problem corrections from releases
- 4.4.23.1-4.4.23.3.
-
-2) The 'fallback' option without =<weight> previously produced invalid
- 'ip' commands.
+7) In some contexts, IPv6 addresses of the form ::i.j.k.l were
+ incorrectly classified as invalid by the configuration compiler.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
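Review bot: items 1) and 2) under the 4.4.25.1 corrections describe the same fix twice: both say that 'refresh' now reloads the chains built from the BLACKLIST section of the rules file. Merge them into one entry and renumber, which also brings the list in line with the three changes named in the package changelog at the top of this commit. Separately, 4.4.25 item 1) (the optimizer combining incompatible rules) does not say which release introduced the defect, unlike the removed tcdevices entry just above ("This defect was introduced in Shorewall 4.4.23"). The example shows the '-i eth1' match disappearing from the combined rule, so an administrator needs that information to decide whether a deployed ruleset has to be recompiled and checked. In item 4), "changes ... was incompatible" should read "were incompatible".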
@@ -40,49 +102,128 @@
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) Stateless NAT is now available in Shorewall6. See
- shorewall6-netmap(5) for details. Beta 2 added the ability to use
- exclusion in the NET1 column.
+1) The original static blacklisting implementation was
+ interface-oriented and only handled blacklisting by source
+ address. In Shorewall 4.4.12, the ability to blacklist by
+ destination address was added and blacklisting could be specified
+ as a ZONE option. This change, plus additional changes in
+ subsequent releases has lead to an implementation that is complex
+ and hard to extend.
+
+ In this release, a new static blacklisting facility has been
+ implemented. This facility is separate from the legacy facility, so
+ existing configurations will continue to work without change.
+
+ A BLACKLIST section has been added to the rules file. This section
+ is now the first section, having been added ahead of the ALL
+ section. The set of packets that are subject to blacklisting is
+ still governed by the setting of BLACKLISTNEWONLY in
+ shorewall.conf. The settings of BLACKLIST_LOGLEVEL and
+ BLACKLIST_DISPOSITION are not relevant to the new implementation.
+ Most of the actions available in other sections of the rules file
+ are available in the BLACKLIST section and logging is specified on
+ a rule-by-rule basis in the normal way.
+
+ In addition to the other actions available, a WHITELIST action has
+ been added which exempts matching packets from being passed to the
+ remaining rules in the section.
+
+ Each "zone2zone" chain (e.g., net2fw) that has blacklist rules has
+ a companion blacklisting chain. The name of the blacklisting chain
+ is formed by appending "~" to the zone2zone chain. For example,
+ 'net2fw' blacklist rules appear in the chain net2fw~.
+
+ There is a likelihood that multiple blacklisting chains will have
+ exactly the same rules. This is especially true when 'all' is used
+ as the zone name in the SOURCE and/or DEST columns. When
+ optimization level 8 is used, these identical chains are combined
+ into a single chain with the name ~blacklistN, where N is a number
+ (possibly with multiple digits).
+
+ The 'nosurfs' and 'tcpflags' interface options generate rules that
+ will be traversed prior to those in the BLACKLIST section. If you
+ want similar rules to be travered on packets that were not dropped
+ or rejected in the BLACKLIST chain, you can use the new
+ 'DropSmurfs' and/or 'TCPFlags' standard actions.
+
+ The DropSmurfs action has a single parameter whose default value
+ is '-'. The action silently drops smurfs without auditing. If you
+ want to audit these drops, use DropSmurfs(audit). Logging can be
+ specified in the normal way (e.g., DropSmurfs:info).
+
+ The TCPFlags action has two parameters whose default values are
+ DROP and -. The first action determines what is to be done with
+ matching packets and can have the values DROP, REJECT or ACCEPT. If
+ you want the action to be audited, pass 'audit' in the second
+ parameter.
+
+ Example: TCPFlags(REJECT,audit)
+
+ Again, logging is specified in the normal way.
+
+ The 'maclist' interface option can also generate rules that are
+ traversed prior to those in the BLACKLIST section. If you want them
+ to come after the the blacklist rules, simply recode your maclist
+ rules in the NEW section of the rules file. The 'macipmap' ipset
+ type is ideally suited for this task.
+
+ Example: assumes the ipset name is macipmap and that the
+ zone to be verified is named wlan
+
+ /etc/shorewall/rules:
+
+ SECTION NEW
+ DROP:info wlan:!+macipmap all
+
+2) '6in4' has been added as a synonum for '6to4' in the TYPE column of
+ the tunnels file.
+
+3) The handling of IN_BANDWIDTH in both /etc/shorewall/tcdevices and
+ /etc/shorewall/tcinterfaces has been changed. Previously:
+
+ a) Simple rate/burst policing was applied using the value(s)
+ supplied.
+
+ b) IPv4 and IPv6 were policed separately.
+
+ Beginning with this release, you have the option of configuring a
+ rate estimated policing filter. This type of filter is discussed at
+ http://ace-host.stuart.id.au/russell/files/tc/doc/extimators.txt.
+
+ You specify an estimeting filter by preceding the IN-BANDWIDTH with
+ a tilde ('~').
+
+ Example: ~40mbit
+
+ This example limits incoming traffic to an *average* rate of 40mbit.
+
+ There are two other other parameters that can be specified, in
+ addition to the average rate - <interval> and
+ . There is an excellent description of these
+ parameters in the document referenced above.
+
+ Example: ~40mbit:1sec:8sec
+
+ In that example, the <interval> is 1 second and the
+ is 8 seconds. If not given, the default values are
+ 250ms and 4 seconds. Both parameters must be supplied if either is
+ supplied.
+
+ Also in this release, the policing of IPv4 and IPv6 has been
+ combined so a single filter is applied to all traffic on a
+ configured interface.
+
+4) Shorewall6 now supports the 'balance' and 'fallback' provider
+ options. These options are restricted to one interface per
+ configuration for each option.
-2) /sbin/shorewall6 now supports the 'show rawpost' command.
-
-3) This release includes support for 'Condition Match' which is
- included in xtables-addons. Condition match allows rules to be
- predicated on the setting of a named switch in
- /proc/net/nf_condition/.
+5) The scripts generated by Shorewall6 now support the 'enable' and
+ 'disable' commands.
- See
- http://www.shorewall.net/configuration_file_basics.htm#Switches
- for details.
-
-4) With the preceding change, the rules file now has 14 columns. That
- makes it awkward to specify the last column as you have to insert
- the correct number of '-' to get the right column.
-
- To make that easier, Shorewall now allows you to specify columns
- using several (column-name,value) formats. See
- http://www.shorewall.net/configuration_file_basics.htm#Pairs for
+6) A 'MARK' column has been added to the route_rules file. See
+ shorewall-route_rules (5) and shorewall6-route_rules (5) for
details.
-5) The generated script will now use the iptables/ip6tables -S command
- if available.
-
-6) The implementation of USE_DEFAULT_RT=Yes has been changed
- significantly. These changes include:
-
- a) A new BALANCE routing table with number 250 has been added.
- b) Routes to providers with the 'balance' option are added to the
- BALANCE table rather than the default table.
- c) This allows 'fallback' to work with USE_DEFAULT_RT.
- d) For optional interfaces, the 'fallback' option without a value
- now works the same as if 'fallback=1' had been specified.
-
- This change also corrected several problems with 'fallback' and
- enable/disable.
-
-7) Support has been added for TTL manipulation (HL in Shorewall6).
- See shorewall-tcrules(5) or shorewall6-tcrules(5) for details.
-
----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S
----------------------------------------------------------------------------
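Review bot: in new feature 3) the name of the second optional parameter is missing in both places where it is described ("<interval> and" with nothing after it, and "the <interval> is 1 second and the" followed directly by "is 8 seconds"), so the ~40mbit:1sec:8sec syntax is documented with one field unnamed; restore the placeholder. The same item writes the column as IN-BANDWIDTH once and IN_BANDWIDTH everywhere else. In feature 1) it would help to say outright that, because BLACKLIST_LOGLEVEL and BLACKLIST_DISPOSITION do not apply to the new BLACKLIST section, entries moved there from the legacy blacklist are not logged unless a log level is given on each rule. Spelling: "has lead", "travered", "the the", "synonum", "estimeting", "other other".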
@@ -318,7 +459,63 @@
----------------------------------------------------------------------------
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
I N P R I O R R E L E A S E S
-------------------------------------------------------------------------------
+----------------------------------------------------------------------------
+ P R O B L E M S C O R R E C T E D I N 4 . 4 . 2 4
+----------------------------------------------------------------------------
+
+1) Includes all problem corrections from versions 4.4.23.1 - 4.4.23.3.
+
+2) The 'fallback' option without =<weight> previously produced invalid
+ 'ip' commands.
+
+----------------------------------------------------------------------------
+ N E W F E A T U R E S I N 4 . 4 . 2 4
+----------------------------------------------------------------------------
+
+1) Stateless NAT is now available in Shorewall6. See
+ shorewall6-netmap(5) for details. Beta 2 added the ability to use
+ exclusion in the NET1 column.
+
+2) /sbin/shorewall6 now supports the 'show rawpost' command.
+
+3) This release includes support for 'Condition Match' which is
+ included in xtables-addons. Condition match allows rules to be
+ predicated on the setting of a named switch in
+ /proc/net/nf_condition/.
+
+ See
+ http://www.shorewall.net/configuration_file_basics.htm#Switches
+ for details.
+
+4) With the preceding change, the rules file now has 14 columns. That
+ makes it awkward to specify the last column as you have to insert
+ the correct number of '-' to get the right column.
+
+ To make that easier, Shorewall now allows you to specify columns
+ using several (column-name,value) formats. See
+ http://www.shorewall.net/configuration_file_basics.htm#Pairs for
+ details.
+
+5) The generated script will now use the iptables/ip6tables -S command
+ if available.
+
+6) The implementation of USE_DEFAULT_RT=Yes has been changed
+ significantly. These changes include:
+
+ a) A new BALANCE routing table with number 250 has been added.
+ b) Routes to providers with the 'balance' option are added to the
+ BALANCE table rather than the default table.
+ c) This allows 'fallback' to work with USE_DEFAULT_RT.
+ d) For optional interfaces, the 'fallback' option without a value
+ now works the same as if 'fallback=1' had been specified.
+
+ This change also corrected several problems with 'fallback' and
+ enable/disable.
+
+7) Support has been added for TTL manipulation (HL in Shorewall6).
+ See shorewall-tcrules(5) or shorewall6-tcrules(5) for details.
+
+----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 2 3
----------------------------------------------------------------------------
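Review bot: new-feature item 1) in the archived 4.4.24 section still carries the pre-release remark "Beta 2 added the ability to use exclusion in the NET1 column". In a prior-releases section this reads better as a plain statement that exclusion is supported in the NET1 column, since readers of the final release notes never saw the betas.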
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.24.1/shorewall-lite.spec new/shorewall-lite-4.4.25.1/shorewall-lite.spec
--- old/shorewall-lite-4.4.24.1/shorewall-lite.spec 2011-10-15 15:53:53.000000000 +0200
+++ new/shorewall-lite-4.4.25.1/shorewall-lite.spec 2011-11-01 16:35:31.000000000 +0100
@@ -1,5 +1,5 @@
%define name shorewall-lite
-%define version 4.4.24
+%define version 4.4.25
%define release 1
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
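Review bot: the spec now defines version 4.4.25 with release 1, while the source directory in this diff is shorewall-lite-4.4.25.1 and uninstall.sh in the same update sets VERSION=4.4.25.1. The old side had the same gap (4.4.24 against 4.4.24.1), so it may be deliberate, but if the point release is not meant to be carried by the release tag the %define should read 4.4.25.1 so that the package version and the version named by the uninstall script agree.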
@@ -103,12 +103,20 @@
%doc COPYING changelog.txt releasenotes.txt
%changelog
+* Sun Oct 30 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.25-1
+* Thu Oct 27 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.25-0base
+* Sun Oct 23 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.25-0RC1
+* Sat Oct 22 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.25-0Beta4
+* Tue Oct 18 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.25-0Beta3
* Tue Oct 11 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.24-1
-* Sun Oct 09 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.24-0base
-* Sun Oct 09 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.24-0RC2
+- Updated to 4.4.25-0Beta2
+* Tue Oct 04 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.25-0Beta1
* Sat Oct 01 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.24-0RC1
* Mon Sep 26 2011 Tom Eastep tom@shorewall.net
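Review bot: rewriting the "Tue Oct 11 2011" entry from 4.4.24-1 to 4.4.25-0Beta2 and deleting the two "Sun Oct 09 2011" entries removes 4.4.24-0RC2, 4.4.24-0base and 4.4.24-1 from %changelog, so the history now jumps from 4.4.24-0RC1 straight to 4.4.25-0Beta1. Keep the 4.4.24 entries and add the 4.4.25 ones above them. There is also no entry for 4.4.25.1, although the directory in the diff header is shorewall-lite-4.4.25.1.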
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-4.4.24.1/uninstall.sh new/shorewall-lite-4.4.25.1/uninstall.sh
--- old/shorewall-lite-4.4.24.1/uninstall.sh 2011-10-15 15:53:53.000000000 +0200
+++ new/shorewall-lite-4.4.25.1/uninstall.sh 2011-11-01 16:35:31.000000000 +0100
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.24.1
+VERSION=4.4.25.1
usage() # $1 = exit status
{
++++++ shorewall-4.4.24.1.tar.bz2 -> shorewall6-4.4.25.1.tar.bz2 ++++++
++++ 98282 lines of diff (skipped)
++++++ shorewall-lite-4.4.24.1.tar.bz2 -> shorewall6-lite-4.4.25.1.tar.bz2 ++++++
++++ 9651 lines of diff (skipped)