commit SuSEfirewall2.1187 for openSUSE:12.2:Update
Hello community, here is the log from the commit of package SuSEfirewall2.1187 for openSUSE:12.2:Update checked in at 2012-12-27 13:43:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.2:Update/SuSEfirewall2.1187 (Old) and /work/SRC/openSUSE:12.2:Update/.SuSEfirewall2.1187.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "SuSEfirewall2.1187", Maintainer is "" Changes: -------- New Changes file: --- /dev/null 2012-12-21 01:49:00.356010756 +0100 +++ /work/SRC/openSUSE:12.2:Update/.SuSEfirewall2.1187.new/SuSEfirewall2.changes 2012-12-27 13:43:16.000000000 +0100 
@@ -0,0 +1,1227 @@ +------------------------------------------------------------------- +Thu Dec 13 16:03:18 UTC 2012 - lnussel@suse.de + +- just CT instead of NOTRACK (bnc#793459) + +------------------------------------------------------------------- +Tue Sep 11 08:29:41 UTC 2012 - lnussel@suse.de + +- getdevinfo is gone as per commit 0c5ac93 (bnc#777271) + +------------------------------------------------------------------- +Fri Jul 13 12:43:17 UTC 2012 - lnussel@suse.de + +- honor FW_IPv6 setting also in debug mode (bnc#769411) + +------------------------------------------------------------------- +Tue Jun 19 11:38:32 UTC 2012 - lnussel@suse.de + +- fix logging in test mode + +------------------------------------------------------------------- +Mon Jun 18 09:30:51 UTC 2012 - lnussel@suse.de + +- allow icmpv6 in FW_SERVICES_*_* + +------------------------------------------------------------------- +Mon Jun 18 09:24:18 UTC 2012 - lnussel@suse.de + +- allow ICMPv6 Multicast Listener Query (bnc#767392) + +------------------------------------------------------------------- +Tue May 29 13:16:20 UTC 2012 - lnussel@suse.de + +- fix typo spotted by Frederic + +------------------------------------------------------------------- +Wed Jan 18 14:17:19 UTC 2012 - lnussel@suse.de + +- assume all interface names are correct (bnc#739084) + +------------------------------------------------------------------- +Wed Dec 14 16:55:43 UTC 2011 - lnussel@suse.de + +- fix forward masquerading (bnc#736205) +- compat syntax for negated options no longer works (bnc#660156, bnc#731088) +- enhance debug mode + +------------------------------------------------------------------- +Mon Nov 7 10:56:04 UTC 2011 - lnussel@suse.de + +- use /sbin/rpcinfo as /usr/sbin/rpcinfo is gone (bnc#727438) + +------------------------------------------------------------------- +Wed Nov 2 15:27:04 UTC 2011 - lnussel@suse.de + +- set SYSTEMD_NO_WRAP for status (bnc#727445) + 
+------------------------------------------------------------------- +Fri Oct 14 09:46:33 UTC 2011 - lnussel@suse.de + +- fix manual rcSuSEfirewall2 stop with sytemd (bnc#717583) + +------------------------------------------------------------------- +Tue Oct 4 14:53:13 UTC 2011 - lnussel@suse.de + +- fix typo (bnc#721845) +- atomic zone status writing + +------------------------------------------------------------------- +Sat Sep 17 10:25:23 UTC 2011 - jengelh@medozas.de + +- Remove redundant tags/sections from specfile + +------------------------------------------------------------------- +Wed Sep 7 11:38:14 UTC 2011 - lnussel@suse.de + +- sanitize FW_ZONE_DEFAULT (bnc#716013) +- add warning about iptables-batch to SuSEfirewall2-custom +- fix warning about /proc/net/ip_tables_names not readable +- don't install input rules for interfaces in default zone +- Add hook fw_custom_after_finished +- update FAQ (bnc#694464) +- clean up overrides when stopping the firewall (bnc#630961) +- change default FW_LOG_ACCEPT_CRIT to "no" +- allow redir without port specification +- make FW_SERVICES_{REJECT,DROP}_* take precedende before ACCEPT (bnc#671997) +- fix zonein and zoneout parameters +- fix reverse direction of forwarding rules (bnc#679192) + +------------------------------------------------------------------- +Tue Feb 1 13:16:53 UTC 2011 - lnussel@suse.de + +- introduce rpcusers file to allow statd to run as non-root + (bnc#668553) + +------------------------------------------------------------------- +Wed Jan 19 14:04:48 UTC 2011 - lnussel@suse.de + +- add zonein and zoneout parameters for FW_FORWARD +- fix typos + +------------------------------------------------------------------- +Mon Jan 10 13:15:05 UTC 2011 - lnussel@suse.de + +- don't start in runlevel 4 by default (bnc#656520) +- cut off long zone names (bnc#644527) +- fix and enhance output of log command (bnc#663262) + +------------------------------------------------------------------- +Thu Dec 2 13:33:59 UTC 
2010 - lnussel@suse.de + +- don't unload rules when using systemd + +------------------------------------------------------------------- +Tue Nov 16 15:01:04 UTC 2010 - lnussel@suse.de + +- list some known rpc services as Should-Start +- don't filter outgoing packets at all +- fix an example (bnc#641907) +- fix status check in SuSEfirewall2_init (bnc#628751) + +------------------------------------------------------------------- +Mon Aug 16 07:32:31 UTC 2010 - lnussel@suse.de + +- don't use fillup anymore as it keeps corrupting the config file + (bnc#340926) + +------------------------------------------------------------------- +Tue Jun 29 12:20:30 UTC 2010 - lnussel@suse.de + +- remove "batch committing..." message +- read defaults from separate file +- warn if highports config options are set +- finally drop 'highports' misfeature +- remove kernel ipv6 module detection (bnc#617033) +- silence warning about default zone (bnc#616841) +- SuSEfirewall2-open: don't add values multiple times +- Use multiprotocol xt_conntrack + +------------------------------------------------------------------- +Mon May 31 08:11:54 UTC 2010 - lnussel@suse.de + +- only directories in /sys/class/net are real interfaces (bnc#609810) + +------------------------------------------------------------------- +Fri Mar 19 13:34:10 UTC 2010 - lnussel@suse.de + +- add entry about drbd to FAQ +- update docu +- implement FW_BOOT_FULL_INIT + +------------------------------------------------------------------- +Tue Feb 16 13:51:48 UTC 2010 - lnussel@suse.de + +- use new versioning scheme after switch of repo to git +- update and rebuild docu +- remove really old rc.config conversion code from spec file + +------------------------------------------------------------------- +Tue Sep 15 13:33:06 UTC 2009 - lnussel@suse.de + +- fix spelling error in sysconfig file (bnc#537427) +- polishing of log drop policy (bnc#538053) + * drop multicast packets silently + * separate drop rule for broadcast packets at end 
of chain + * only consider NEW udp packets as critical + * don't log INVALID packets as critical + +------------------------------------------------------------------- +Fri Aug 21 11:09:40 UTC 2009 - lnussel@suse.de + +- implement runtime override of interface zones +- allow disabling NOTRACK rules on lo (bnc#519526) + +------------------------------------------------------------------- +Fri Jul 17 10:04:48 UTC 2009 - lnussel@suse.de + +- remove chkconfig calls (bnc#522268) + +------------------------------------------------------------------- +Thu Jul 9 13:50:47 UTC 2009 - lnussel@suse.de + +- add note about use as bridging firewall +- allow to set FW_ZONE_DEFAULT via config file +- deprecate fw_custom_before_antispoofing and + fw_custom_after_antispoofing, use fw_custom_after_chain_creation + instead + +------------------------------------------------------------------- +Tue Jun 9 14:19:27 UTC 2009 - lnussel@suse.de + +- add note that ulog doesn't work with IPv6 (bnc#442756) +- fix version number in help text +- allow service files to specify kernel modules and allow related packets +- silence an error from bash if a service config file is not available (bnc#487870) +- better wording for BROADCAST in template +- update firewall hook script (patch by Marius) ++++ 1030 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.2:Update/.SuSEfirewall2.1187.new/SuSEfirewall2.changes New: ---- SuSEfirewall2-3.6.295.tar.bz2 SuSEfirewall2-just-CT-instead-of-NOTRACK-bnc-793459.diff SuSEfirewall2.changes SuSEfirewall2.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ SuSEfirewall2.spec ++++++ # # spec file for package SuSEfirewall2 # # Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. 
The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # # icecream 0 Name: SuSEfirewall2 Version: 3.6.295 Release: 0 Url: http://en.opensuse.org/SuSEfirewall2 PreReq: %fillup_prereq %insserv_prereq /bin/sed textutils fileutils grep filesystem Requires: coreutils Requires: iptables Requires: perl Requires: sysconfig Summary: Stateful Packet Filter Using iptables and netfilter License: GPL-2.0+ Group: Productivity/Networking/Security Source: SuSEfirewall2-%{version}.tar.bz2 Patch0: SuSEfirewall2-just-CT-instead-of-NOTRACK-bnc-793459.diff BuildArch: noarch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description SuSEfirewall2 implements a packet filter that protects hosts and routers by limiting which services or networks are accessible on the host or via the router. SuSEfirewall2 uses the iptables/netfilter packet filtering infrastructure to create a flexible rule set for a stateful firewall. 
%prep %setup %patch0 -p1 # please send patches to lnussel for inclusion in git first # http://gitorious.org/opensuse/susefirewall2 %build %install make DESTDIR="%{buildroot}" install install_doc install -d -m 755 %{buildroot}/var/adm/fillup-templates/ install -m 644 SuSEfirewall2.sysconfig %{buildroot}/var/adm/fillup-templates/sysconfig.SuSEfirewall2 install -D -m 644 SuSEfirewall2.sysconfig %{buildroot}/etc/sysconfig/SuSEfirewall2 install -d -m 755 %{buildroot}%{_datadir}/susehelp/meta/Manuals/Productivity install -m 644 doc/SuSEfirewall2-doc.desktop \ %{buildroot}%{_datadir}/susehelp/meta/Manuals/Productivity/SuSEfirewall2.desktop # %files %defattr(-, root, root) %doc %{_docdir}/%{name} %doc %{_datadir}/susehelp %config(noreplace) /etc/sysconfig/scripts/SuSEfirewall2-custom %config(noreplace) /etc/sysconfig/SuSEfirewall2 %config /etc/init.d/SuSEfirewall2_init %config /etc/init.d/SuSEfirewall2_setup /etc/sysconfig/SuSEfirewall2.d/services/* /etc/sysconfig/scripts/SuSEfirewall2-rpcinfo /etc/sysconfig/scripts/SuSEfirewall2-showlog /etc/sysconfig/scripts/SuSEfirewall2-open /etc/sysconfig/scripts/SuSEfirewall2-batch /etc/sysconfig/scripts/SuSEfirewall2-qdisc /etc/sysconfig/scripts/SuSEfirewall2-oldbroadcast /etc/sysconfig/network/scripts/SuSEfirewall2 /etc/sysconfig/network/scripts/firewall /etc/sysconfig/network/if-up.d/SuSEfirewall2 /sbin/rcSuSEfirewall2 /sbin/SuSEfirewall2 %dir /usr/share/SuSEfirewall2 %dir /usr/share/SuSEfirewall2/defaults /usr/share/SuSEfirewall2/defaults/50-default.cfg /usr/share/SuSEfirewall2/rpcusers /var/adm/fillup-templates/sysconfig.SuSEfirewall2 %postun %insserv_cleanup %post # SuSEfirewall2_init is no longer a boot.d script, need to remove # and add it again for i in etc/init.d/boot.d/S??SuSEfirewall2_init; do if [ -e "$i" ]; then /sbin/insserv -r -f SuSEfirewall2_init /sbin/insserv -f SuSEfirewall2_init break fi done if [ -e etc/sysconfig/SuSEfirewall2 ] \ && grep -q '^FW_MASQ_DEV="\$FW_DEV_EXT"$' etc/sysconfig/SuSEfirewall2; then sed 
's/^FW_MASQ_DEV="\$FW_DEV_EXT"$/FW_MASQ_DEV="zone:ext"/' \ < etc/sysconfig/SuSEfirewall2 \ > etc/sysconfig/SuSEfirewall2.new \ && mv etc/sysconfig/SuSEfirewall2.new etc/sysconfig/SuSEfirewall2 \ && echo "FW_MASQ_DEV converted" fi # %insserv_cleanup # exit 0 %changelog ++++++ SuSEfirewall2-just-CT-instead-of-NOTRACK-bnc-793459.diff ++++++
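Review bot: The `%post` conversion of `FW_MASQ_DEV` writes `etc/sysconfig/SuSEfirewall2.new` through a shell redirection and then moves it over the live config, so the rewritten firewall config takes its mode from the scriptlet's umask rather than keeping the mode the administrator had set on the original file. Copying the attributes before the rename would preserve them, e.g. `chmod --reference=etc/sysconfig/SuSEfirewall2 etc/sysconfig/SuSEfirewall2.new` ahead of the `mv`. The scriptlet also uses paths relative to the current directory (`etc/...`), which presumably relies on rpm running it from the root directory; a one-line comment saying so would help the next maintainer.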
From f6db3cde6de19431d187b4c18fcd1f1a732ade55 Mon Sep 17 00:00:00 2001 From: Ludwig Nussel <ludwig.nussel@suse.de> Date: Wed, 12 Dec 2012 16:27:33 +0100 Subject: [PATCH 2/2] just CT instead of NOTRACK (bnc#793459)
--- SuSEfirewall2 | 8 ++++---- 1 Datei geändert, 4 Zeilen hinzugefügt(+), 4 Zeilen entfernt(-) diff --git a/SuSEfirewall2 b/SuSEfirewall2 index 1aa2724..ebb4b97 100755 --- a/SuSEfirewall2 +++ b/SuSEfirewall2 @@ -721,8 +721,8 @@ function set_basic_rules() $iptables -A INPUT -j "$ACCEPT" -i lo $iptables -A OUTPUT -j "$ACCEPT" -o lo if [ "$FW_LO_NOTRACK" != 'no' ]; then - $iptables -t raw -A PREROUTING -j NOTRACK -i lo - $iptables -t raw -A OUTPUT -j NOTRACK -o lo + $iptables -t raw -A PREROUTING -j CT --notrack -i lo + $iptables -t raw -A OUTPUT -j CT --notrack -o lo fi done @@ -1480,8 +1480,8 @@ protect_from_internal() eval devs="\$FW_DEV_$zone" for dev in $devs; do for iptables in "$IPTABLES" "$IP6TABLES"; do - $iptables -t raw -i $dev -I PREROUTING -j NOTRACK - $iptables -t raw -o $dev -I OUTPUT -j NOTRACK + $iptables -t raw -i $dev -I PREROUTING -j CT --notrack + $iptables -t raw -o $dev -I OUTPUT -j CT --notrack $iptables -i $dev -I INPUT -j ACCEPT $iptables -o $dev -I OUTPUT -j ACCEPT done -- 1.7.10.4 -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
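Review bot: Both hunks now depend on the `CT` target being available in the running kernel and the installed iptables, and nothing visible checks for it. The four new `-j CT --notrack` rules in `set_basic_rules()` and `protect_from_internal()` are issued without testing the result, and the spec in this same submission carries an unversioned `Requires: iptables`. If the target is missing, the rules would presumably fail to load and loopback or internal-zone traffic would stay in connection tracking; whether that failure is reported depends on code outside the hunks. Consider a versioned requirement, or at least a comment above the first rule such as `# CT --notrack replaces the NOTRACK target (bnc#793459); needs xt_CT`. Both functions start and end outside the hunks shown.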
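Review bot: In the second hunk the rewritten rules still pass `$dev` unquoted (`-i $dev`, `-o $dev`), while the first hunk quotes `"$ACCEPT"`. The value comes from the `FW_DEV_$zone` setting via the `eval` on the context line, so a stray glob character in the config would be expanded by the shell before iptables sees it. Writing `$iptables -t raw -i "$dev" -I PREROUTING -j CT --notrack`, with the same quoting on the OUTPUT line, avoids that. `protect_from_internal()` continues outside the hunk.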