
shorewall6-5.2.8-5.4 RPM for noarch

From OpenSuSE Ports Tumbleweed for noarch

Name: shorewall6
Distribution: openSUSE Tumbleweed
Version: 5.2.8
Vendor: openSUSE
Release: 5.4
Build date: Thu Feb 1 03:24:20 2024
Group: Productivity/Networking/Security
Build host: i03-ch2a
Size: 476489
Source RPM: shorewall-5.2.8-5.4.src.rpm
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems

The Shoreline Firewall 6, more commonly known as "Shorewall6", is a Netfilter
(ip6tables) based IPv6 firewall that can be used on a dedicated firewall system,
a multi-function gateway/ router/server or on a standalone GNU/Linux system.






* Thu Jun 15 2023 Dominique Leuenberger <>
  - Fix parameters to systemd_postun: this macro still takes the
    service names as parameters.
* Thu Dec 08 2022 Thorsten Kukuk <>
  - Add /etc/sysconfig/network hierarchy, as this doesn't exist by
    default anymore
* Sat Sep 03 2022 Bruno Friedmann <>
  - Add %dir %{_distconfdir} to stop the build failing on Leap
* Thu Sep 01 2022 Bruno Friedmann <>
  - **Warning** this is the last patch revision to shorewall.
    No migration to manage nft will happen upstream.
    Be prepared for package removal, and migrate to firewalld.
  - Add shorewall-fix-install-manpages.patch fix boo#1203006
  - Update spec copyright and macros
  - Move /etc to /usr for Networkmanager and logrotate
  - Update rpmlint check list
* Mon Nov 09 2020 Bruno Friedmann <>
  - Rework xt_geo_ip fixes by using dynamic patching with find,
    which is less burdensome and confusing than a manual patch series.
  - Add dynamic patching for *.service, removing the obsolete
    StandardOutput=syslog like upstream, until a new release
* Sun Nov 08 2020 Togan Muftuoglu <>
  - Correct the xt_geo_ip locations
  - Correct output to journal
* Sat Sep 26 2020 Bruno Friedmann <>
  - Update to version 5.2.8 (Upgrade your configuration)
    + Certain restrictions that apply to wildcard interfaces (interface
      name ends in '+') were previously not enforced when the logical
      interface name did not end in '+' but the physical interface name
      did end in '+'.  That has been corrected.
    + To ensure that error messages appear in the correct place in the
      output stream, stderr is now redirected to stdout when the
      configured PAGER is used by a command.
    + Since Shorewall 5.1.0, the Shorewall script has
      incorrectly removed ${SBINDIR}/shorewall, while the
      Shorewall-core script has failed to remove that file. Both
      scripts have been corrected.
    + Previously, the Shorewall CLI included a spurious hyphen ('-')
      between the product name (e.g., 'Shorewall6') and the version when
      printing a command output banner.
    + The shorewall-snat(5) manpage previously stated that a
      comma-separated list of IP address could be specified for
      SNAT. That statement was in error and has been removed. As part of
      this change, IPv4 Example 6 has been updated to use the
      PROBABILITY column.
    - New features
      + 'show tc' command now shows the classifiers associated with
      each interface (as displayed by the 'show classifiers'
      command). This integrated qdisc/filter information is also included
      in the output of the 'dump' command. This change deprecates the
      'show classifiers' ('show filters') command, as that command's
      output is now included in the 'show tc' output.
      + Shorewall6 has traditionally generated rules for IPv6 anycast
      addresses. These rules include:
      a)  Packets with these destination IP addresses are dropped by
      REJECT rules.
      b)  Packets with these source IP addresses are dropped by the
      'nosmurfs' interface option and by the 'dropSmurfs' action.
      c)  Packets with these destination IP addresses are not logged
      during policy enforcement.
      d)  Packets with these destination IP addresses are processed by
      the 'Broadcast' action.
      Beginning with this release, individual network interfaces can be
      excluded from this treatment through use of the 'omitanycast'
      option in /etc/shorewall6/interfaces.
      Note: This option was named 'noanycast' in earlier Beta releases.
      + Duplicate function names have been eliminated between the
      Shorewall-core lib.cli shell library and the Shorewall lib.cli-std
      + The 'status' command in Shorewall[6]-lite now precedes the
      configuration directory name with the administrative host name
      separated with a colon (":").
      + Tuomo Soini has contributed a macro that handles NFS v1.4 (no
      dynamic ports).
  - Packaging:
    + Add buildrequires for pkgconfig (missing)
    + Use macro for sbindir
* Sat Aug 22 2020 Bruno Friedmann <>
  - Update to version 5.2.7
    + **Upgrade your configuration**
    + Previously, it was not possible to classify traffic by destination
      IP address when using an Intermediate Functional Block (IFB) for
      traffic shaping. This is because such classification takes place
      before the traffic passes through the mangle PREROUTING chain.
      Such filtering is now possible by setting the 'connmark' option in
      the tcdevices file. This option causes the current connection mark
      to be copied to the packet mark prior to filtering, thus allowing
      the packet mark to be used for classification.
      This change adds a new CONNMARK_ACTION capability which is
      required to be able to specify the 'connmark' option.
    + The tcpri file now supports ?FORMAT 2 which inserts an SPORT
      column directly to the right of the PORT column. As part of this
      change, the PORT column is renamed to DPORT while allowing both
      'port' and 'dport' to be used in the alternate input format. See
      shorewall-tcpri(5) and for additional
    + The Simple TC document is now linked to FAQs 97 and 97a.
* Tue Jul 07 2020 Bruno Friedmann <>
  - Update to version 5.2.6
    + **Upgrade your configuration**
    + When compiling for export, the compiler generates a firewall.conf
      file which is later installed on the remote firewall system as
      ${VARDIR}/firewall.conf. Previously, the CLI on that firewall was
      not processing the file, resulting in some features not being
    - Default values for VERBOSITY, LOGFILE, LOGFORMAT, PATH,
      DYNAMIC_BLACKLIST and PAGER are not supplied.
    - scfilter file supplied at compile time.
    - dumpfilter file supplied at compile time.
      That has been corrected.
    + A bug in iptables (see
      prevents the '--queue-cpu-fanout' option from being applied unless
      that option is the last one specified. Unfortunately, Shorewall
      places the '--queue-bypass' option last if that option is also
      This release works around this issue by ensuring that the
      '--queue-cpu-fanout' option appears last.
    + The -D 'compile', 'check', 'reload' and 'Restart'  option was
      previously omitted from the output of 'shorewall help'. It is now
      included. As part of this change, an incorrect and conflicting
      description of the -D option was removed from the 'remote-restart'
      section of shorewall(8).
    + Previously, when EXPAND_POLICIES=No, chains that enforced ACCEPT
      policies were not completely optimized by optimize level 2 (ACCEPT
      rules preceding the final unconditional ACCEPT were not
      deleted). That has been corrected such that these rules are now
* Thu Jul 02 2020 Bruno Friedmann <>
  - Update to version
      Previously, ";;+" was mishandled in the snat file; the generated
      rule incorrectly included the leading "+". That has been corrected
      so that the generated rule is now correct.
      Example (SNAT OpenVPN server traffic leaving on eth0):
      SNAT(    -      eth0     ;;+ -p udp --sport 1194
    - The change in 5.2.5 base which changed the 'user' facility to the
      'daemon' facility in Shorewall syslog messages did not change the
      messages with severity 'err'. That has been corrected such that
      all syslog messages now use the 'daemon' facility.
    - The actions.std file contains "?IF...?ELSE...?ENDIF" sequences
      that provide different action options depending on the availability
      of certain capabilities. This has resulted in the Broadcast and
      Multicast options being listed twice in the output of
      "shorewall[6] show actions". Beginning with this release, this
      duplication is eliminated. Note, however, that the options shown
      will be incomplete if they were continued onto another line, and
      may be incorrect for Broadcast and Multicast.
    - A typo in shorewall-providers(5) has been corrected.
    + 5.2.5 Base
    - Previously, Shorewall-init installed a 'shorewall' script in
      /etc/network/if-down.d on Debian and derivatives. This script was
      unnecessary and required Debian-specific code in the generated
      firewall script. The Shorewall-init script is no longer installed
      and the generated firewall script is now free of
      distribution-specific code.
    - Also on Debian and derivatives, Shorewall-init installed
      /etc//NetworkManager/dispatcher.d/01-shorewall which was also
      unnecessary.  Beginning with this release, that file is no longer
    - Previously, if the dynamic-blacklisting default timeout was set in
      a variable in the params file and the variable was used in setting
      DYNAMIC_BLACKLIST, then the 'allow' command would fail with
      the message:
      ERROR: Invalid value (ipset-only,disconnect,timeout=) for
      That has been corrected.
    - When EXPAND_POLICIES=No in shorewall[6].conf, policies in complex
      rulesets are enforced in chains such as 'net-all' and
      'all-all'. Previously, these chains included redundant
      state-oriented rules. In addition to being redundant, these rules
      could actually break complex IPv6 configurations. The extra rules are
      now omitted.



Generated by rpm2html 1.8.1

Fabrice Bellet, Sun Feb 25 23:30:03 2024