
shorewall-4.6.13.4-3.1 RPM for noarch

From OpenSuSE leap updates for 42.1 / oss / noarch

Name: shorewall
Distribution: openSUSE Leap 42.1
Version: 4.6.13.4
Vendor: openSUSE
Release: 3.1
Build date: Sat Jul 23 13:57:52 2016
Group: Productivity/Networking/Security
Build host: cloud128
Size: 2660717
Source RPM: shorewall-4.6.13.4-3.1.src.rpm
Packager: http://bugs.opensuse.org
Url: http://www.shorewall.net/
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems

The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
(iptables) based firewall that can be used on a dedicated firewall system,
a multi-function gateway/router/server or on a standalone GNU/Linux system.

Provides

Requires

License

GPL-2.0

Changelog

* Sun Mar 06 2016 bruno@ioda-net.ch
  - Update to last 4x bugfix version 4.6.13.4
    For details see changelog.txt and releasenotes.txt
    - 4.6.13.4
    * This release includes a couple of additional configure/install
      fixes from Matt Darfeuille.
    * The DROP command was previously rejected in the mangle file.
    That has been corrected.
    - 4.6.13.3
    * Previously, Shorewall6 rejected rules in which the SOURCE
    contained both an interface name and a MAC address (in
    Shorewall format). That defect has been corrected so that such
    rules are now accepted.
    * A number of corrections have been made to the install,
    uninstall and configure scripts (Matt Darfeuille).
    * Previously, optional interfaces were not enabled during 'start'
    and 'restart' unless there was at least one entry in the
    'providers' file.  This resulted in these interfaces not
    appearing in the output of 'shorewall[6] status -i'.
    * The check for use of a circular kernel log buffer (as opposed
    to a log file) has been improved.
    * Previously, if a circular log buffer was being used, the output
    of various commands still displayed '/var/log/messages' as the
    log file. Now, it is displayed as 'logread'.
    * When processing the 'dump' command, the CLI now uses 'netstat'
    to print socket information when the 'ss' utility is not
    installed.
    - 4.6.13.2
    * Previously, if statistical load balancing was used in the
    providers file, the default route in the main table was not
    deleted during firewall start/restart. That route is now
    correctly deleted.
    - 4.6.13.1
    * Previously, the 'reset' command would fail if chain names were
      included. Now, the command succeeds, provided that all of the
      specified chains exist in the filter table.
    * The TCP meta-connection is now supported by the Tinc macro and
      tunnel type. Previously, only the UDP data connection was
      supported.
* Tue Sep 15 2015 toganm@opensuse.org
  - Update to version 4.6.13 For more details see changelog.txt and
    releasenotes.txt
    * The 'rules' file manpages have been corrected regarding the
      packets that are processed by rules in the NEW section.
    * Parsing of IPv6 address ranges has been corrected. Previously,
      use of ranges resulted in 'Invalid IPv6 Address' errors.
    * The shorewall6-hosts man page has been corrected to show the
      proper contents of the HOST(S) column.
    * Previously, INLINE statements in the mangle file were not
      recognized if a chain designator (:F, :P, etc.) followed
      INLINE(...). As a consequence, additional matches following
      a semicolon were interpreted as column/value pairs unless
      INLINE_MATCHES=Yes, resulting in compilation failure.
    * Inline matches on IP[6]TABLE rules could be ignored if
      INLINE_MATCHES=No. They are now recognized.
    * Specifying an action with a logging level in one of the
      _DEFAULT options in shorewall[6].conf
      (e.g., REJECT_DEFAULT=Reject:info) produced a compilation error:
      ERROR: Invalid value (:info) for first Reject parameter
      /usr/share/shorewall/action.Reject (line 52)
      That has been corrected. Note, however, that specifying logging
      with a default action tends to defeat one of the main purposes
      of default actions which is to suppress logging.
    * Previously, it was necessary to set TC_EXPERT=Yes to have full
      access to the user mark in fw marks. That has been corrected so
      that any place that a mark or mask can be specified, both the
      TC mark and the User mark are accessible.
* Tue Jul 14 2015 toganm@opensuse.org
  - Update to version 4.6.11 For more details see changelog.txt and
    releasenotes.txt
    * Previously, when the -c option was given to the 'compile'
      command, the progress message "Compiling..." was issued before
      it was determined if compilation was necessary.  Now, that message
      is suppressed when re-compilation is not required.
    * Previously, when the -c option was given to the 'compile'
      command, the 'postcompile' extension script was executed even when
      there was no (re-)compilation. Now, the 'postcompile' script is
      only invoked  when a new script is generated.
    * If CONFDIR was other than /etc, then ordinary users would not
      receive a clear error message when they attempted to execute
      one of the commands that change the firewall state.
    * Previously, IPv4 DHCP client broadcasts were blocked by the
      'rpfilter' interface option. That has been corrected.
    * The 'update' command incorrectly added the INLINE_MATCHES
      option to shorewall6.conf with a default value of 'Yes'. This
      caused 'start' to fail with invalid ip6tables rules when the alternate
      input format using ';' is used.
      Note: This last issue is not documented in the release notes
      included with the release.
* Wed Jun 17 2015 toganm@opensuse.org
  - Update to version 4.6.10.1 For more details see changelog.txt and
    releasenotes.txt
    * Indentation is now consistent in lib.core (Tuomo Soini).
    * The first problem corrected in 4.6.10 below was incomplete. It
      is now complete (Tuomo Soini).
    * Similarly, the second fix was also incomplete and is now
      completed  (Tuomo Soini).
* Thu May 07 2015 toganm@opensuse.org
  - Update to version 4.6.9 For more details see changelog.txt and
    releasenotes.txt
    * This release contains defect repair from Shorewall 4.6.8.1 and
      earlier releases.
    * The means for preventing loading of helper modules has been
      clarified in the documentation.
    * The SetEvent and ResetEvent actions previously set/reset the
      event even if the packet did not match the other specified
      columns. This has been corrected.
    * Previously, the 'show capabilities' command was ignoring the
      HELPERS setting. This resulted in unwanted modules being
      autoloaded  and, when the -f option was given, an incorrect
      capabilities file was generated.
    * Previously, when 'wait' was specified for an interface, the
      generated script erroneously checked for required interfaces on
      all commands rather than just start, restart and restore.
* Tue Apr 14 2015 toganm@opensuse.org
  - Update to version 4.6.8.1 For more details see changelog.txt and
    releasenotes.txt
    * Previously, when servicd was installed and there were one or
      more required interfaces, the firewall would fail to start at
      boot. This has been corrected by Tuomo Soini.
    * Some startup logic in lib.cli has been deleted. A bug prevented
      the code from working as intended, so there is no loss of
      functionality resulting from deletion of the code.
* Sat Apr 04 2015 toganm@opensuse.org
  - Update to version 4.6.8 For more details see changelog.txt and
    releasenotes.txt
    * This release includes defect repair from Shorewall 4.6.6.2 and
      earlier releases.
    * Previously, when the -n option was specified and NetworkManager
      was installed on the target system, the Shorewall-init installer
      would still create
      ${DESTDIR}etc/NetworkManager/dispatcher.d/01-shorewall, regardless
      of the setting of $CONFDIR. That has been corrected such that
      the directory
      ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall
      is created instead.
    * Previously, handling of the IPTABLES and IP6TABLES actions in
      the conntrack file was broken. nfw provided a fix on IRC.
    * The Shorewall-core and Shorewall6 installers would previously
      report incorrectly that the product release was not installed.
      Matt Darfeuille provided fixes.
* Fri Mar 13 2015 toganm@opensuse.org
  - Update to version 4.6.7 For more details see changelog.txt and
    releasenotes.txt
    * This release includes defect repair from Shorewall 4.6.6.2 and
      earlier releases.
    * The 'tunnels' file now supports 'tinc' tunnels.
    * Previously, the SAME action in the mangle file had a fixed
      timeout of 300 seconds (5 minutes). That action now allows
      specification of a different timeout.
    * It is now possible to add or delete addresses from an ipset
      with entries in the mangle file. The ADD and DEL actions have
      the same behavior in the mangle file as they do in the rules
      file.
  - Added systemd_version macro in anticipation of detecting the
    correct service file when systemd version is >= 214
* Sat Feb 07 2015 toganm@opensuse.org
  - Update to version 4.6.6.2 For more details see changelog.txt and
    releasenotes.txt
    * The compiler failed to parse the construct +<ipset>[n] where n is
      an integer (e.g., +bad[2]).
    * Orion Paplawski has provided a patch that adds 'ko.xz' to the
      default MODULE_SUFFIX setting. This change deals with recent
      Fedora releases where the module names now end with ".ko.xz".
      In addition to Orion's patch, the sample configurations have
      been modified to specify MODULE_SUFFIX="ko ko.xz".
* Sat Jan 24 2015 toganm@opensuse.org
  - Update to version 4.6.6.1 For more details see changelog.txt and
    releasenotes.txt
    * Previously the SAVE and RESTORE actions were erroneously disallowed
      in the INPUT chain within the mangle file.
    * The manpage descriptions of the mangle SAVE and RESTORE actions
      incorrectly required a slash (/) prior to the mask value.
    * Race conditions could previously occur between the 'start'
      command and the 'enable' and 'disable' commands.
    * The 'update' command incorrectly added the INLINE_MATCHES
      option to shorewall.conf with a default value of 'Yes'. This
      caused 'start' to fail with invalid iptables rules when the
      alternate input format using ';' is used.
    * Previously the LOCKFILE setting was not propagated to the
      generated script. So when the script was run directly, the script
      unconditionally used ${VARDIR}/lock.
* Sat Jan 17 2015 toganm@opensuse.org
  - Update to version 4.6.6 For more details see changelog.txt and
    releasenotes.txt As there are many new features with this release
    please consult the mentioned files.
    * Previously, a line beginning with 'shell' was interpreted as a
      shell script. Now, the line must begin with 'SHELL'
      (case-sensitive).
      Note that ?SHELL and BEGIN SHELL are still case-insensitive.
* Mon Jan 12 2015 toganm@opensuse.org
  - Update to version 4.6.5.5 For more details see changelog.txt and
    releasenotes.txt
    * This release adds Tuomo Soini's fix for Shorewall-init to 4.6.5.5.
      Previously, the ifupdown scripts were looking in the wrong
      directory for the firewall script.
* Sat Jan 10 2015 toganm@opensuse.org
  - Update to version 4.6.5.4 For more details see changelog.txt and
    releasenotes.txt
    * The '-c' option of the 'dump' and 'show routing' commands is
      now documented.
    * The handling of the 'DIGEST' environmental variable has been
      corrected in the Shorewall installer. Previously, specifying
      that option would not correctly update the Chains module which
      led to a Perl compilation failure.
    * Handling of ipset names in PORT columns has been corrected.
      Previously, such usage resulted in an invalid  iptables rule
      being generated.
* Thu Dec 18 2014 toganm@opensuse.org
  - Update to version 4.6.5.3 For more details see changelog.txt and
    releasenotes.txt
    * The Shorewall-init scripts were using the incorrect
      variable to set the state directory. Correction provided by
      Roberto Sanchez.
    * For normal dynamic zones, the 'add' command failed with a
      diagnostic such as:
      ERROR: Zone ast, interface net0 does not have a dynamic host
      list
    * When a mark range was used in the marks (tcrules) file, a
      run-time error occurred while attempting to load the generated
      ruleset.
* Thu Dec 11 2014 dimstar@opensuse.org
  - Do not buildrequire openSUSE-release: it's a daily changing
    package and causes thus frequent rebuilds for no reason.
    configure and install both try to guess the target from
    /etc/os-release. So we simply inject BUILD=suse for the openSUSE
    case.
* Sun Nov 23 2014 toganm@opensuse.org
  - Update to version 4.6.5.2 For more details see changelog.txt and
    releasenotes.txt
    * LOG_BACKEND=LOG failed at run-time for all but the most recent
      kernels.
  - Changes in 4.6.5.1
    * The generated script can now detect a gateway address assigned
      by later versions of that program (Alan Barrett).
    * In 4.6.5, the bash-based configure script would issue the
      following diagnostic if SERVICEDIR was not specified in the
      shorewallrc file:
      ./configure: line 199: [SERVICEDIR]=: command not found
      This was compounded by the fact that all of the released
      shorewallrc files still specified SYSTEMDDIR rather than
      SERVICEDIR (Evangelos Foutras)
    * The shorewallrc.archlinux file now reflects a change in SBINDIR
      that occurred in Arch Linux in mid 2013 (Evangelos Foutras).
* Wed Nov 05 2014 toganm@opensuse.org
  - Update to version 4.6.4.3 For more details see changelog.txt and
    releasenotes.txt
    * The fix for LOG_BACKEND in 4.6.4.2 worked on some older
      distributions but not on newer ones. This release fixes the
      problem in the remaining cases.
* Mon Sep 22 2014 toganm@opensuse.org
  - Update to version 4.6.3.4 For more details see changelog.txt and
    releasenotes.txt
    * The 'Universal' configurations previously failed to start with
      the diagnostic
      ERROR: No network interface available: Firewall state not
      changed
    * A defect introduced in 4.6.3 prevented Shorewall-init from
      starting when required interfaces were present.
    * Some defect repair from 4.6.2.5 was inadvertently omitted from
      4.6.3. In particular, the fix for Shorewall-init on systems
      running  systemd was omitted. Those fixes have now been merged
      into this release.
* Sat Sep 13 2014 toganm@opensuse.org
  - Update to version 4.6.3.3 For more details see changelog.txt and
    releasenotes.txt
    * Including a PREROUTING SECTION in the accounting file
      unconditionally resulted in a fatal error:
      ERROR: The PREROUTING SECTION is not allowed when
      ACCOUNTING_TABLE=filter
    * Previously, the compiler could generate many superfluous rules
      to enforce the 'tcpflags', 'nosmurfs' and 'maclist' interface
      options.
* Thu Sep 04 2014 toganm@opensuse.org
  - Update to version 4.6.3.2 For more details see changelog.txt and
    releasenotes.txt
    * The shorewall[6]-actions manpages previously contained incorrect
      examples of the usage of table names with builtin actions.
      Incorrect:
      FOOBAR,filter,mangle
      Correct:
      FOOBAR   builtin,filters,mangle
    * Previously, if /etc/iproute2/rt_tables was not writeable, then
      KEEP_RT_TABLES=No behaved like KEEP_RT_TABLES=Yes. Now, a
      warning  message is issued if that file is not writeable and
      KEEP_RT_TABLES is set to No.
      WARNING: /etc/iproute2/rt_tables is missing or is not
      writeable
    * In earlier 4.6.3 versions, the help text from shorewall-lite
      and shorewall6-lite included two versions of the 'run' command.
      run <command> [ <parameter> ... ]
      ..
      run <function> [ <parameter> ... ]
      The second one has now been deleted.
    * New Features:
      Eric Teeter has contributed a Citrix Goto Meeting macro.
* Sun Aug 31 2014 toganm@opensuse.org
  - Update to version 4.6.3.1 For more details see changelog.txt and
    releasenotes.txt
    * The DNSAmp action released in 4.6.3 matched more packets than it
      should have. That has now been corrected.
    * The handling of REJECT in IP[6]TABLES rules has been clarified
      in the shorewall-rules(5) and shorewall6-rules(5) manpages.
    * The following misleading error message has now been corrected:
      ERROR: The xxx TARGET is now allowed in the filter table
      The message now reads:
      ERROR: The xxx TARGET is not allowed in the filter table
  - Spec fixes
    * Fixed shorewall-init requires so it needs shoreline-firewall
      which is an alias for shorewall shorewall6 shorewall-lite and
      shorewall6-lite packages
    * shorewall-init package was missing a rc link
* Thu Aug 14 2014 toganm@opensuse.org
  - Update to version 4.6.2.5 For more details see changelog.txt and
    releasenotes.txt
    * Previously, when an interface specified the 'physical=' option and
      the physical interface name was specified in the INTERFACES
      column of the providers file, compilation would fail with diagnostics
      similar to the following:
      Use of uninitialized value $physical in pattern match
      (m//) at /usr/lib/perl5/vendor_perl/5.18.1/
      Shorewall/Providers.pm line 463, <$currentfile> line
      ERROR:ERROR A provider interface must have at least one
      associated zone /zoneopt/etc/shorewall/providers (line 2)
    * Shorewall-init now works correctly on systems with systemd.
      By Louis Lagendijk.
  - Remove backported patches
    * PHYSICALNAME.patch
    * 0001-Modify-the-preceding-fix-to-work-with-wildcard-inter.patch
* Wed Aug 13 2014 toganm@opensuse.org
  - Backport
    0001-Modify-the-preceding-fix-to-work-with-wildcard-inter.patch
    as the previous patch broke some configurations
* Mon Aug 11 2014 toganm@opensuse.org
  - Backported PHYSICALNAME.patch
* Fri Aug 08 2014 toganm@opensuse.org
  - Update to version 4.6.2.4 For more details see changelog.txt and
    releasenotes.txt
    + Previously, inline matches were not allowed in action files, even
      though the documentation stated that they were allowed.
* Tue Jul 29 2014 toganm@opensuse.org
  - Update to version 4.6.2.3 For more details see changelog.txt and
    releasenotes.txt
    * Previously, the compiler would fail with a Perl diagnostic if:
      + Optimize Level 8 was enabled.
      + Perl 5.20 was being used. This is the current Perl version on
      Arch Linux.
      The diagnostic was:
      Can't use string ("nat") as a HASH ref while "strict refs" in
      use at /usr/share/shorewall/Shorewall/Chains.pm line 3486.
* Fri Jul 25 2014 toganm@opensuse.org
  - Update to version 4.6.2.2 For more details see changelog.txt and
    releasenotes.txt
    * The compiler now correctly detects the IPv6 "Header Match"
      capability when LOAD_MODULES_ONLY=No.
    * The compiler now correctly detects the IPv6 "Ipset Match"
      capability on systems running a 3.14 or later kernel.
    * The compiler now correctly detects "Arptables JF" capability
      when LOAD_MODULES_ONLY=No.
    * The tcfilter manpages previously failed to mention that
      BASIC_FILTERS=Yes is required to use ipsets in the tcfilters
      files.
* Sun Jul 20 2014 toganm@opensuse.org
  - Update to version 4.6.2.1 For more details see changelog.txt and
    releasenotes.txt
    * Two issues with tcrules processing have been corrected:
      + SAVE and RESTORE generated fatal compilation errors.
      + '|' and '&' were ignored. That issue is also present in the
      processing of the mangle file
    * Version 4.6.2 changes
      + The DSCP match in the mangle and tcrules files didn't work
      with service class names such as EF, BE, CS1, ...
      + The SAVE and RESTORE actions were disallowed in the OUTPUT
      chain in tcrules and mangle; this was a regression from 4.5.21.
      + Additional ports required by Asus, Supermicro and Dell have
      been added to the IPMI macro (Tuomo Soini).
      +  Some issues regarding install under Cygwin64 have been
      addressed.
    - configure.pl did not understand CYGWIN returned from `uname`
    - Shorewall-core install.sh did not understand CYGWIN returned
      from  `uname`.
    - The Shorewall and Shorewall6 installers tried to run the
      command 'mkdir -p //etc/shorewall[6]' which is broken in the
      current Cygwin64.
* Sat Jul 05 2014 toganm@opensuse.org
  - Update to version 4.6.1.4 For more details see changelog.txt and
    releasenotes.txt
    * The DSCP match in the mangle and tcrules files didn't work with
      service class names such as EF, BE, CS1, ... (Thibaut Chèze)
    * The SAVE and RESTORE actions were disallowed in the OUTPUT
    chain in tcrules and mangle; this was a regression from 4.5.21.
* Wed Jul 02 2014 toganm@opensuse.org
  - Update to version 4.6.1.3 For more details see changelog.txt and
    releasenotes.txt
    * Use of the 'IfEvent' action resulted in a compilation failure:
      ERROR: -j is only allowed when the ACTION is INLINE with no
      parameter /usr/share/shorewall/action.IfEvent (line 139)
      from /etc/shorewall/action.SSHKnock (line 8)
      from /etc/shorewall/rules (line 31)
* Thu Jun 19 2014 toganm@opensuse.org
  - Update to version 4.6.1.1 For more details see changelog.txt and
    releasenotes.txt
    * An improved error message is generated when a server address
      list is specified in the DEST column of a DNAT or REDIRECT
      rule. At one time, iptables supported such lists, but now only
      a single address or an address range is supported.
      The previous error message was:
      ERROR: Unknown Host (192.168.1.4,192.168.1.22)
      The new error message is:
      ERROR: An address list (192.168.1.4,192.168.1.22) is not
      allowed in the DEST column of a xxx RULE
      where xxx is DNAT or REDIRECT as appropriate.
    * Two problems have been corrected in the Shorewall-init Debian
      init script.
    + A cosmetic problem which resulted in 'echo_notdone'
      being displayed on failure rather than 'not done'.
    + More seriously, the test for the existence of compiled
      firewall scripts was incorrect, with the result that the
      firewall scripts were not executed.
      These defects, introduced in Shorewall 4.5.17, have now been
      corrected.
  - Restating that CHECKSUM.patch is removed since braindead
    factory-auto scripts do not understand previous comment
* Tue Jun 10 2014 toganm@opensuse.org
  - Update to version 4.6.1 For more details see changelog.txt and
    releasenotes.txt
    * The release notes in the packages mention a fix for
      'rpfilter'. That defect was actually corrected in 4.5.6.9 with
      a slightly different description in the release notes.
    * Tuomo Soini has provided new macros for AMOP, MongoDB, Redis,
    Sieve and IPMI (RMCP).
* Mon Jun 02 2014 toganm@opensuse.org
  - Update to version 4.6.0.3 For more details see changelog.txt and
    releasenotes.txt
    * 1:1 NAT is now enabled in IPv6.
    * subtle interaction between NAT and sub-zones is explained in
      shorewall-nat.
    * The 'show filters' command now works with Simple TC.
* Tue May 27 2014 toganm@opensuse.org
  - Update to version 4.6.0.2 For more details see changelog.txt and
    releasenotes.txt
    * The 'upgrade -A' command now converts the tcrules file to a
      mangle file. Previously, that didn't happen.
    * The install components now support RHEL7.
    * Whitespace issues in the skeleton configuration files have been
      corrected (Tuomo Soini).
    * FAQ 2e has been added which describes additional steps required
      to achieve hairpin NAT on a bridge where the modified packets are
      to go out the same bridge port as they entered.
    * shorewall-masq(5) has been corrected to include the word SOURCE
      on the description of that column. Previously, the description
      read '(formerly called SUBNET)'.
    * The output of 'shorewall show filters' once again shows ingress
      (policing) filters. This works around undocumented changes to
      the behavior of the 'tc' utility.
  - removed backported CHECKSUM.patch
* Fri May 16 2014 toganm@opensuse.org
  - Update to version 4.6.0. For more details see changelog.txt and
    releasenotes.txt. Since this is a major release for those who are
    migrating from previous version, it is important to read the
    above mentioned notes.
    * This release includes all defect repair from releases up through
      4.5.21.9.
  - Backported CHECKSUM.patch
* Tue Apr 01 2014 toganm@opensuse.org
  - Update to version 4.5.21.9 For more details see changelog.txt and
    releasenotes.txt
    * The output of 'shorewall show capabilities' always showed the
      'Recent match --reap option' as 'Not Available'. 'shorewall
      show -fcapabilities' correctly reported the capability.
    * When a rules file section other than NEW began with a ?COMMENT
      directive, the comment would erroneously appear in the rule
      which jumps to the section chain as well as in the rules directly
      related to the following entries.
    * Rule comments were omitted from the compiler's 'trace' output
      in some cases.
    * When FASTACCEPT=Yes, ESTABLISHED,RELATED accept rules were
      incorrectly omitted from an interfaces's _in and _fwd chains
      when 'rpfilter' was specified in the interfaces's entry in
      /etc/shorewall[6]/interfaces.
* Thu Mar 20 2014 toganm@opensuse.org
  - Update to version 4.5.21.8 For more details see changelog.txt and
    releasenotes.txt
    * If an rtrules entry duplicated a Shorewall-generated route rule but
      had a lower priority than the generated one has (20000), then a
      disable/enable sequence on the provider would result in
      duplicate rules with priority 20000.
    * When 'shorewall[6] debug [re]start' was run, any error messages
      generated because of ip[6]tables command errors would not
      include '-t table'.
  - Remove 0001-fix-release-version.patch
* Sat Mar 08 2014 toganm@opensuse.org
  - Update to version 4.5.21.7 For more details see changelog.txt and
    releasenotes.txt
    * The help text for the 'dump' command has been updated to
      include all valid options.
    * The behavior of ADMINISABSENTMINDED=No is corrected.
      Previously, 'shorewall stop' would not block existing connections
      regardless of the setting of this option. Beginning with this
      release, the behavior of ADMINISABSENTMINDED=No depends on whether
      the  routestopped or the stoppedrules file defines the allow
      connections while the firewall is stopped.
      If there are entries in /etc/shorewall[6]/routestopped or if
      there are no entries in /etc/shorewall[6]/stoppedrules, then the
      behavior of ADMINISABSENTMINDED=No is as documented (existing
      connections are blocked unless they are allowed by
      /etc/shorewall[6]/routestopped).  If there are no entries in
      /etc/shorewall[6]/stoppedrules, then the behavior is as if
      ADMINISABSENTMINDED=Yes and a warning message is generated.
  - Add 0001-fix-release-version.patch to correct version info of the
    releasenotes.txt
* Sun Feb 02 2014 toganm@opensuse.org
  - Update to version 4.5.21.6 For more details see changelog.txt and
    releasenotes.txt
    * When a non-terminating target specified logging, the compiler
      would erroneously generate a 'goto' (-g) iptables command rather
      than a 'jump' (-j) command. This caused the wrong set of rules
      to be traversed, usually the catchall 'REJECT' or 'DROP' rule
      at the end of the INPUT or FORWARD chain.
      The compiler now generates a 'jump' rule in these cases.
    * When an interface containing a period (such as a VLAN
      interface) was used in an 'add' or 'delete' command,
      the wrong ipset name was generated, resulting in failure of
      the command.
* Tue Jan 21 2014 toganm@opensuse.org
  - Update to version 4.5.21.5 For more details see changelog.txt and
    releasenotes.txt
    * A number of minor updates have been made to the documentation
      and manpages.
    * The 'postcompile' extension script is now documented at
      http://www.shorewall.org/shorewall_extension_scripts.htm
    * The 'add' command previously failed if 'IPSET=' appeared in the
      shorewall.conf file. This has been corrected.
* Sat Nov 23 2013 toganm@opensuse.org
  - Update to version 4.5.21.4 For more details see changelog.txt and
    releasenotes.txt
    * The Broadcast actions have been corrected:
    - --dst-type BROADCAST has been removed from the IPv6 version
    - A superfluous DROP rule in the IPv4 version has been
      suppressed.
    * Previously, if an HFSC class was specified with dmax but not
      umax, then the firewall would fail to start with the messages:
      Nov 14 13:42:42 Setting up Traffic Control...
      HFSC: Illegal "umax"
      HFSC: Illegal "sc"
      ERROR: Command "tc class add dev eth1 parent 1:1 classid
      1:110  hfsc sc umax b dmax 150ms rate 1575kbit ul rate 3150kbit"
      Failed
      That problem has been corrected.
    * The tcrules file now supports DROP entries to allow early
      dropping of DOS packets.
* Mon Oct 21 2013 toganm@opensuse.org
  - Update to version 4.5.21.2 For more details see changelog.txt and
    releasenotes.txt
    * Previously, the AutoBL action would fail if the kernel and
      iptables did not support the Recent Match '--reap' option. A new
      REAP_OPTION  capability has been added to work around this issue.
    * The Shorewall-core installer no longer reports an error from
      'cp' stating that it could not stat the shorewallrc file.
    * When a non-root user attempts to execute 'version -a', the CLI
      no longer attempts to get the version of the compiled
      firewall. Previously, the command issued the following
      diagnostic when run by non-root:
      /sbin/shorewall: /var/lib/shorewall/firewall:
      Permission denied
    * Shorewall no longer uses 'fgrep' thus allowing for use on
      systems without that utility. All uses of 'fgrep' have been
      replaced by 'grep -F'.
    * Placing |<mark> in the ACTION column of the tcrules file no
      longer raises a fatal compilation error.
* Wed Oct 09 2013 toganm@opensuse.org
  - Update to version 4.5.21.1 For more details see changelog.txt and
    releasenotes.txt
    * Problems with the Shorewall Init installer (install.sh) were
      corrected. These problems affected initial Gentoo and Debian
      installs.
    * A problem that prevented multiple ICMP/ICMP6 types to be
      specified in a rule has been corrected.
    * Previously, an attempt to specify RAS or Q.931 in the HELPER
      column  was rejected with an error.
    * The 'nohostroute' provider option was not honored in the
      default table when USE_DEFAULT_RT=Yes.
* Thu Oct 03 2013 toganm@opensuse.org
  - Update to version 4.5.21 For more details see changelog.txt and
    releasenotes.txt
    * ip[6]tables 1.4.20 introduced an incompatible change that
      causes the program to fail if there is another instance of either
      iptables or ip6tables already running. This behavior can be avoided
      if the new -w option is specified.
      To work around this problem, the compiler now uses the -w
      option (when available) during capabilities determination so that
      shorewall and shorewall6 compilations can proceed in parallel.
    * Previously, the Shorewall-init installer unconditionally
      installed the sysconfig file even when a different SYSCONFFILE was
      specified. (Thomas D).
    * /sbin/shorewall-init now includes the correct SYSCONFDIR name
      in its error message that reports the absence of
      ${SYSCONFDIR}/shorewall-init. (Thomas D).
    * /sbin/shorewall-init and the Shorewall-init SysV init scripts
      now honor the setting of $OPTIONS.
    * The -lite installers now look in ${SHAREDIR} for the
      coreversion file rather than in /usr/share/.
    * If a Shorewall-lite installation used an
      /etc/shorewall-lite/vardir file to set a non-standard state
      directory, the administrative system would send the firewall
      and firewall.conf files to the wrong directory on the firewall
      system.
    * Previously, the compiler verified 'monthdays' specifications in
      the rules TIME column, but failed to include --monthdays in the
      generated rule. That omission has been corrected.
    * The Multicast DNS macros (mDNS and mDNSbi) now allow the entire
      non-priv port range (1024-65535) for the dynamic unicast
      port. Previously, only the Linux 2.6+ dynamic port range
      (32768-65535) was allowed.
  - Spec file changes
    * Add 0001-fillup-install.patch
    * Remove shorewall-init-4.5.15-install.patch
* Wed Aug 28 2013 toganm@opensuse.org
  - Update to version 4.5.20 For more details see changelog.txt and
    releasenotes.txt
    * A typographical error in the usage text produced by the -h
      command in the compiled firewall script has been corrected.
    * The handling of INITSOURCE is now uniform between the standard
      and the -lite installers.
    * Previously, when SYSCONFFILE was specified in shorewallrc, the
      installers would always install default.debian rather than the
      named file. That has been corrected.
  - Spec file changes
    * removed the following patches:
      0001-Os-release.patch
      0001-Fix-Exec-directory.patch
* Thu Aug 08 2013 toganm@opensuse.org
  - Spec file changes
    * Add 0001-Os-release.patch Fixes bnc#833999
    * dropped 0001-Use-etc-os-release-as-of-release-13.1.patch
* Thu Aug 08 2013 toganm@opensuse.org
  - Spec file changes
    * Added 0001-Use-etc-os-release-as-of-release-13.1.patch
      Fixes bnc#833999 for /etc/os-release
* Wed Jul 24 2013 toganm@opensuse.org
  - Update to version 4.5.19 For more details see changelog.txt and
    releasenotes.txt
    * Previously, the '-q' option did not suppress all output from
      certain commands such as 'check'.
* Sun Jun 30 2013 toganm@opensuse.org
  - Spec file changes
    * Added 0001-Fix-Exec-directory.patch which fixes ExecStart
      ExecStop path of systemd shorewall-init.service (bnc#827524)
    * removed  systemd.patch
* Sun Jun 30 2013 toganm@opensuse.org
  - Update to version 4.5.18 For more details see changelog.txt and
    releasenotes.txt
    * This release includes all defect repair from Shorewall
      4.5.17.1.
    * The following warning message could be emitted inappropriately
      when running shorewall 4.5.17.
      The rule(s) generated by this entry are unreachable and have
      been discarded
      These warnings, which were disabled in Shorewall 4.5.17.1, are
      now only emitted where appropriate. The message has also been
      reworded to:
      One or more unreachable rules in chain <name> have been
      discarded
      The message is issued a maximum of once per Netfilter chain.
    * A problem that could cause the 'trace' compiler option to
      produce false error messages or to produce an altered generated
      firewall script has been corrected.
    * If the 'Owner Name Match' capability was not available, the
      following error message would previously appear during
      compilation:
      iptables: No chain/target/match by that name.
  - spec file changes
    * rebased systemd.patch
* Wed Jun 05 2013 toganm@opensuse.org
  - Update to version 4.5.17.1 For more details see changelog.txt and
    releasenotes.txt.
    * The following warning message may be emitted inappropriately
      when running shorewall 4.5.17. The message is no longer issued.
      The rule(s) generated by  this entry are unreachable and have
      been discarded
    * Rules intended to increment nfacct objects would previously be
      optimized away when they immediately preceded an unconditional
      jump to the same target. Such rules are now retained.
    * A bug in the optimizer in 4.5.17 can cause 'set' and 'geoip'
      matches to be dropped. That has been corrected.
  - spec file changes
    * rebased systemd.patch
* Thu Apr 04 2013 toganm@opensuse.org
  - Update to version 4.5.15 For more details see changelog.txt and
    releasenotes.txt
    * Previously, the Shorewall and Shorewall6 install.sh scripts did
      two things wrong with respect to the /etc/shorewall[6]/routes
      file:
      + The existing file was unconditionally removed.
      + A skeleton file was not installed when SPARSE was not set in
      the shorewallrc file.
      Additionally, the installer would remove /etc/shorewall[6]/tcstart
    * The Shorewall-init install.sh script previously refused to
      replace /sbin/ifup-local and /sbin/ifdown-local when those files had
      been installed by an earlier version of Shorewall-init.
    * Previously, Shorewall-init's integration with NetworkManager
      was incomplete on SuSE with the result that NetworkManager
      interface change events were not processed. That has been corrected.
    * Beginning with Shorewall 4.5.8, Shorewall6 has interpreted /32
      networks as hosts (/128). /32 IPv6 networks are once again
      handled correctly.
    * Using names such as EF, BE, CS1, ... for DSCP didn't
      work previously. Thibaut Chèze has provided a fix.
    * An incorrect range test prevented DSCP classes CS6 and CS7 from
      being accepted. The test has been corrected and those classes
      are now allowed.
  - spec file changes
    * rebased systemd.patch
    * added shorewall-init-4.5.15-install.patch and removed
      shorewall-init-4.5.2-install.patch
* Mon Mar 11 2013 toganm@opensuse.org
  - Update to version 4.5.14 For more details see changelog.txt and
    releasenotes.txt
    * Previously, a list of IPv6 host addresses where each address
      was enclosed in square brackets generated a fatal compile-time
      error.
      Such lists are now handled correctly.
    * The Shorewall 'load', 'reload' and 'export' commands have now
      been modified to use a shorewallrc file in a remote system's export
      directory. If the directory layout of the remote system differs
      from that of the administrative system, then the remote
      system's export directory should contain a copy of that system's
      shorewallrc file.
    * A syntax error in the Shorewall uninstall.sh file has been
      eliminated.
    * The contents of the various configpath files have been
      corrected.
    * The Shorewall uninstall.sh script previously failed to remove
      the  macro files from ${SHAREDIR}/shorewall. Those files are now
      removed.
    * The 'version -a' command now prints the correct shorewall-core
      version when it is run from shorewall6, shorewall-lite and
      shorewall6-lite.
    * It is now possible to specify a port or port range along with
      an address variable in the ADDRESSES column of /etc/shorewall/masq.
      Example:
      [#]INTERFACE      SOURCE          ADDRESS         PROTO   DEST
      [#]                                                       PORT(S)
      eth0            172.20.4.0/24   &eth0:44        tcp     45
      Previously, this usage generated a fatal compilation error.
    * Port numbers and service names may now be specified with the
      UDPLITE protocol.
    * The SUBSYSLOCK setting in the default shorewall6.conf file has
      been changed from /var/lock/subsys/shorewall to
      /var/lock/subsys/shorewall6.
  - rebased systemd.patch
* Wed Feb 13 2013 toganm@opensuse.org
  - Update to version 4.5.13 For more details see changelog.txt and
    releasenotes.txt
    * If a chain consisted of a single RETURN rule, optimize level 4
      would handle it incorrectly by moving the RETURN rule to the
      chain(s) that jumped to the single-rule chain. The optimizer
      now simply eliminates the chain and rule.
      As part of this change, the optimizer now deletes trailing
      RETURN  rules from chains.
    * If a default inline action was specified with parameters, the
      compiler would fail with an internal error.
    * The compiler was mis-handling simple arithmetic expressions
      consisting of a single number, evaluating the number as ''
      rather than as its numeric value.
  - Rebased systemd.patch
* Sun Jan 20 2013 toganm@opensuse.org
  - Update to version 4.5.12 For more details see changelog.txt and
    releasenotes.txt
    * This release contains the defect repairs from Shorewall
      4.5.11.1 and 4.5.11.2.
    * Two defects associated with 'update -D' have been corrected.
      + shorewall.conf.bak is no longer deleted.
      + files that are not changed no longer have their mtime updated.
    * Inline actions in the RELATED and ESTABLISHED sections now work
      correctly.
    * The 'dropInvalid' built-in function now works correctly.
    * The compiler now generates an error when a protocol list is
      used in a context where only a single protocol name/number is
      accepted.
    * The generated script now correctly deletes Traffic Control
      configurations when CLEAR_TC=Yes. Previously, the
      configurations on interfaces with a '@xxxxxx' suffix in their
      names were not cleared.
    * Under very rare circumstances, optimize level 4 could leave a
      rule that jumped to a nonexistent chain, causing
      iptables-restore to fail.
    * If an error was raised while compiling a default action, a Perl
      diagnostic could appear and the Shorewall error message would
      not be printed.
    * It is once again possible to use DNS names in rules without an
      interface name.
* Tue Jan 15 2013 toganm@opensuse.org
  - Added systemd.patch to fix the exec path (bnc# 798525)
* Sat Jan 12 2013 toganm@opensuse.org
  - Update to 4.5.11.2 For more details see changelog.txt and
    releasenotes.txt
    * Corrected fix 2 from 4.5.11.1.
    * 4.5.11.1
    Beginning with Shorewall 4.5.10, if the name of an optional
    interface contained one or more characters that are not valid
    in a  shell function name, then the generated script would fail with
    a "syntax error: bad function name" shell diagnostic.
    That problem has been corrected so that a valid function name
    is generated.
    * The kernel modules supplied by xtables-addons are now listed in
      the modules.xtables files. They were previously omitted.
* Mon Dec 17 2012 toganm@opensuse.org
  - Update to 4.5.10.1 For more details see changelog.txt and
    releasenotes.txt
    * Correct typo in conntrack module
* Sun Dec 09 2012 toganm@opensuse.org
  - Update to 4.5.10 For more details see changelog.txt and
    releasenotes.txt
    * This release includes all defect repair included in
      4.5.9.1-4.5.9.3.
    * Under rare circumstances, optimize level 16 could produce
      invalid iptables-restore input which would cause start/restart
      to fail.
    * Before this release, the 'started' script was run prior to
      copying the temporary script file (e.g., /var/lib/shorewall/.start)
      to /var/dir/shorewall/firewall. If the script failed, the copy
      would not take place even though the firewall had started
      successfully. The script is now copied before running the
      'started' script.
      If you compare the script generated by this release with one
      generated by a prior release, we suggest that you ignore
      whitespace changes (e.g., use the '-w' option in diff); that way,
      you can see the actual change more clearly.
    * AUTOCOMMENT=No now works correctly; previously, it behaved the
      same as AUTOCOMMENT=Yes.
    * A harmless extraneous comma has been deleted from the rule
      generated by action.RST.
* Wed Nov 21 2012 toganm@opensuse.org
  - Update to 4.5.9.2 For more details see changelog.txt and
    releasenotes.txt
    * Previously, the rules in the 'routemark' chain did not specify
      a mask in the MARK target. While a mask isn't strictly necessary
      in those rules, one has been added to allay the fears of those who
      read the generated ruleset.
      Note: The 'routemark' chain is used to apply provider marks to
      packets received from 'track' provider interfaces. It is
      traversed  early in the mangle PREROUTING chain when no other
      marks have yet been applied to the packet.
    * If exclusion was used with TPROXY in the tcrules file, an
    invalid  iptables ruleset was generated causing start and
    restart commands  to fail when running iptables-restore.
    * Previously, if a provider and its interface had the same name,
    then the 'enable' command would not work on that interface.
* Sat Nov 10 2012 toganm@opensuse.org
  - Update to 4.5.9.1 For more details see changelog.txt and
    releasenotes.txt
    * Previously, using a wildcard interface name in a rule would
      result in this error:
      ERROR: Invalid ipset name (ppp+) : ...
      Such entries are now handled correctly.
    * The shorewall-masq(5) manpage incorrectly stated that the
      SOURCE column may use exclusion with an interface name (e.g.,
      eth1:!1.2.3.4). That hasn't been the case for some time. To
      accomplish the same thing, do this:
      eth0    1.2.3.4   NONAT
      eth0    eth1
      Note: Using an interface name in the SOURCE column is deprecated.
    * Previously, if a MARK was specified for a tc class that
      explicitly specified a class number, the following spurious
      warning message was issued:
      WARNING: Class NUMBER ignored --
      INTERFACE <name> does not have the 'classify' option
      That warning message is no longer issued.
    * With Shorewall 4.5.9, there were issues when the ipset utility
      was not installed, some of which prevented Shorewall from
      starting.
  - Adjust for the usr move
    * change /sbin/service to /usr/service in requires and setting links
* Tue Oct 30 2012 toganm@opensuse.org
  - Update to 4.5.9 For more details see changelog.txt and
    releasenotes.txt
    * This release contains all defect repair from Shorewall 4.5.8.2.
    * A typo has been corrected in the shorewallrc.default file.
    * Beginning with Shorewall 4.5.7.2, Shorewall unconditionally
      restores the provider mark as the first rule in the mangle
      table OUTPUT and PREROUTING chains. Previously, the provider
      mark was restored only if it was non-zero.
      It has become clear that some users need it one way while
      others need it the other way. To resolve this issue, a
      RESTORE_ROUTEMARKS option has been added to shorewall.conf and
      shorewall6.conf. When this option is set to Yes (the default),
      the 4.5.7.2 approach is used (always restore the mark, even if
      it is zero); when it is set to No, the pre-4.5.7.2 behavior is
      retained (only restore the mark if it is non-zero).
    * Two error messages produced by the RST action have been
      corrected. They previously referred to errors in the NotSyn
      action rather than RST.
* Wed Oct 10 2012 toganm@opensuse.org
  - Update to 4.5.8.2 For more details see changelog.txt and
    releasenotes.txt
    * The 'shorewall show' command previously produced no output.
      That command now works with ipset versions 4 and later.
    * The change in 4.5.8.1 that enabled industry-standard IPv4
      address representation broke the ability to place IP ranges or
      IPv6 ipsets in the hosts file. Those abilities have been
      restored.
    * The treatment of the SYSTEMD and INITFILE shorewallrc variables
      has been inconsistent. The -lite installers ignore INITFILE
      when SYSTEMD is specified, while the other installers do not.
      Now, the -lite installers install the .service file if SYSTEMD
      is specified and they install the sysv-init script if INITFILE
      is specified. That is consistent with the behavior of the other
      installers.
* Sun Oct 07 2012 toganm@opensuse.org
  - Update to 4.5.8.1 For more details see changelog.txt and
    releasenotes.txt
    * When ipset version 5 or later was installed, the 'shorewall show
      dynamic <zone>' command produced no output and the 'add' command
      failed with this error message:
      Zone <zone>, interface <interface> does not have a dynamic
      host list"
    * When generating ipset names for dynamic zones, the compiler was
      dropping dashes ('-') from the interface name and adding a unique
      suffix. For example the ipset for zone 'foo' and interface 'bar-if'
      might be 'foo_barif_1'. Dashes are now retained so that the
      generated set name in this example will be 'foo_bar-if'. This change
      also allows the 'add' and 'delete' commands to work correctly when
      the interface name contains one or more dashes.
      Although dash is documented as being an accepted character in ipset
      names, names containing a dash would generate an error in some
      contexts. That has also been corrected.
    * In most contexts, Shorewall6 has required IPv6 addresses to be
      enclosed in either angled brackets ( <....> , deprecated) or in
      square brackets ([....]). This includes network addresses, where
      both the IPv6 address and the VLSM are required to be within the
      brackets (e.g., [2001:470:b:787::/64]). This differs from the
      industry-standard network form in which the IPv6 address is enclosed
      in square brackets and the VLSM is outside of the brackets (e.g.,
      [2001:470:b:787::]/64). Beginning with this release, the
      industry-standard representation is also accepted by Shorewall6.
      Note: Those of you who read the patches will probably have noticed
      that much of this change was actually in 4.5.8; because the change
      was committed late in the 4.5.8 release cycle, we chose not to
      document the change until it had undergone additional testing.
  -  Added 0001-remote_fs.patch for shorewall-init sysv-init scripts
    rebased patches to -p1 level
* Fri Oct 05 2012 toganm@opensuse.org
  - Update to 4.5.8 For more details see changelog.txt and
    releasenotes.txt
    * This release includes the defect repair from Shorewall 4.5.7.1.
    * The restriction that TTL and HL rules could only be placed in
      the FORWARD chain prevented these rules from being used to hide
      a router from traceroute[6]. It is now allowed to place these
      rules in the PREROUTING chain by following the specification
      with ':P' (e.g., 'TTL(+1):P').
    * Previously, the macro.SNMP macro opened both UDP ports 161 and
      162 from SOURCE to DEST. This is against the usual practice of
      opening these ports in the opposite direction. Beginning with
      this release, port 162 is opened from SOURCE to DEST as
      before, while port 161 is opened from DEST to SOURCE.
    * Previously, when compiling for export, both
      /etc/shorewall/shorewall[6].conf and the shorewall[6].conf in
      the configuration directory were processed. Now, only the copy
      in the configuration directory is processed.
    * The 'iptables_raw' module has been added to the
      modules.essential file.
    * Several corrections have been made to the Fedora/Redhat init
      script for Shorewall-init.
    * The <directory> parameter to the 'try' command is now
      documented in the shorewall(8) and shorewall6(8) manpages.
    * Some redundant interface-option rules have been removed in
      configurations with multiple zones configured on a single
      interface.
    * Previously, when compiling for export, the compilation would
      fail if the setting of SHAREDIR in the firewall's shorewallrc
      was different from the setting on the admin system. Such
      compilations now succeed.
  - For openSUSE 12.3 provide only systemd and drop sysv-init scripts
* Mon Sep 24 2012 toganm@opensuse.org
  - Since shorewall executables are in /usr/sbin systemd service
    files now reflect the correct location
* Mon Sep 03 2012 toganm@opensuse.org
  - Update to 4.5.7.1 For more details see changelog.txt and
    releasenotes.txt
    * When using IPSEC in a multi-ISP configuration, it is possible
      for the kernel to mis-route ESP packets. To date, this problem
      has only been observed on a system running a 3.5 kernel where
      traffic is being tunneled through GRE which is in turn being
      tunneled via IPSEC.
      This Shorewall release includes a low-cost workaround.
    * The Netfilter team have announced their intention to remove the
      NOTRACK target in favor of 'CT --notrack'. Shorewall will now
      map  NOTRACK to 'CT --notrack' if the CT Target is available.
    * Previously, the current COMMENT was not being cleared after the
      blrules file was processed, causing that COMMENT to be used on
      entries in the rules file. That defect has been corrected.
  - Add a note to the spec for reviewer explaining the configure
    command usage
  - Removed following opensuse specific patches as they are merged to
    upstream now
    + shorewall-lite-4.5.2-init.patch
    + shorewall6-4.5.2-init.patch
    + shorewall6-lite-4.5.2-init.patch
    + shorewall-init-4.4.21_init_sh.patch
  - Added 001-required-stop-fix patch for shorewall-lite/init.suse.sh
* Tue Aug 21 2012 toganm@opensuse.org
  - Update to 4.5.7 For more details see changelog.txt and
    releasenotes.txt
    * This release includes the defect repair from Shorewall 4.5.6.2.
    * The command 'shorewall enable pppX' could fail with the ip
      diagnostic Error: either "to" is duplicate, or "weight" is a
      garbage.
      Shorewall now generates the correct ip command.
    * Optimize level 4 could previously combine two rules that each
      specified the 'policy' match, leading to this iptables-restore
      failure:
      policy match: multiple elements but no --strict
      The optimizer now avoids combining such rules.
      While this is a long-standing defect in the optimizer, it was
      exposed by changes in Shorewall 4.5.6.
    * There were several cases where hard-wired directory names
      appeared in the tarball installers. These have been replaced
      with the appropriate shorewallrc variables.
    * A defect in RHEL 6.3 and derivatives causes 'shorewall show
      capabilities' to leave an empty ipset in the configuration. The
      same defect can cause the Shorewall compiler to similarly leave
      an empty ipset behind.
      This Shorewall release has a workaround for this problem.
  -  Added Bash >= 4 to BuildRequires
  -  Fix builds for Fedora
* Wed Aug 08 2012 toganm@opensuse.org
  - Update to 4.5.6.2 For more details see changelog.txt and
    releasenotes.txt
    * The compiler now generates an error when a SOURCE interface is
      specified in a rule where the SOURCE zone is the firewall
      itself.
    * Previously, entries in /etc/shorewall/notrack that specified a
      Vserver zone in the SOURCE column were omitted from the
      generated  ruleset.
    * The set of helpers available in the notrack file and in the
      HELPER column of the tcrules file was incorrect:
    - The Amanda helper requires a UDP port -- Shorewall was
      requiring TCP.
    - The H323 module supplies two helpers: 'RAW' and 'Q.931';
      Shorewall only accepted 'h323'.
    - The Netbios NS module supplies the 'netbios-ns' helper;
      Shorewall only accepted 'netbios_ns'.
    * The conditional directive '?IF 0' generated an error from the
      compiler. It now causes following lines to be omitted.
* Tue Jul 10 2012 toganm@opensuse.org
  - Update to 4.5.6 For more details see changelog.txt and
    releasenotes.txt
    * This release includes the defect repairs from Shorewall 4.5.5.1
      through 4.5.5.4.
    * Previously, the tcrules file was not processed when
      TC_ENABLED=No. That meant that to use features like TPROXY, it
      was  necessary to set TC_ENABLED=Yes and create a dummy
      /etc/shorewall/tcstart file. Now, only MANGLE_ENABLED=Yes is
      required.
* Sun Jul 01 2012 toganm@opensuse.org
  - Update to 4.5.5.3 For more details see changelog.txt and
    releasenotes.txt
    * When logical interface names were used, an entry in tcrules
      that included a classid could result in the compiler failing with
      this Perl diagnostic:
      Can't use an undefined value as an ARRAY reference at
      /usr/share/shorewall/Shorewall/Tc.pm line nnn, <$currentfile>
      line 20.
* Fri Jun 15 2012 toganm@opensuse.org
  - Update to 4.5.5.1 For more details see changelog.txt and
    releasenotes.txt
    * The change in Shorewall 4.5.4 that cleared the 'default' table
      if there were no 'fallback' providers broke multiple 'fallback'
      providers that don't supply a weight. The symptoms were that
      there were host routes to the default gateways in the 'default'
      routing table but no default routes through those gateways.
      This has now been corrected and multiple 'fallback' routes are
      once again supported.
    * When a logical device name was specified in the REDIRECTED
      INTERFACES column of /etc/shorewall/tcdevices, that name was
      used in the generated script rather than the device's physical
      name. Unless the two were the same, this caused start/restart
      failure. Shorewall now uses the physical name.
* Sat Jun 09 2012 toganm@opensuse.org
  - Update to 4.5.5 For more details see changelog.txt and
    releasenotes.txt
    * This release includes all defect repair from Shorewall 4.5.4.1
      and 4.5.4.2.
    * The Shorewall compiler sometimes must defer generating a rule
      until runtime. This is done by placing shell commands in its
      internal representation of a chain. These commands are then
      executed at run time to create the final rule.
      If all of the following were true, then an incorrect ruleset
      could be generated:
      + Optimization level 4 was set.
      + A chain (chain A) containing shell commands had three or
      fewer rules and commands.
      + The last rule in a second chain was a conditional jump to
      chain A.
      Under these conditions, the rules and commands in Chain A
    * The Shorewall-core configure and configure.pl script were
      treating SYSCONFDIR as a synonym for CONFDIR making it
      impossible to set SYSCONFDIR.
* Thu Jun 07 2012 toganm@opensuse.org
  - Update to 4.5.4.2 For more details see changelog.txt and
    releasenotes.txt
    * The problems corrected section of the 4.5.4.1 release notes was
      missing the third problem corrected in the release. It has now
      been added.
    * A number of problems in Shorewall-init have been corrected:
      + If more than one product was listed in the PRODUCTS setting
      in /etc/default/shorewall-init (/etc/sysconfig/shorewall-init)
      then the second product would not be started/stopped.
      + Shorewall-init used 'restart' in response to an optional
      provider interface coming up. If the interface has been
      marked unusable (1 in the interface's .status file), then the
      'restart' would not enable the interface.
      + Shorewall-init produced a lot of clutter on the console
      during boot. You may now specify a LOGFILE in
      /etc/default/shorewall-init (/etc/sysconfig/shorewall-init)
      and all output produced by up and down events will be sent to
      that log. If no log is specified, this output is sent to
      /dev/null.
    * The order in which the compiler processes line-continuation
      (line ending in '\') and conditional-inclusion directives (?IF,
      ?ELSE, and ?ENDIF) has been reversed.
      Previously, the compiler built a concatenated line, then
      checked to see if the line began with ?IF, ?ELSE or ?ENDIF. Now, the
      compiler checks for ?IF, ?ELSE or ?ENDIF first and prevents
      those lines from becoming part of the concatenation.
    * Two issues with the shorecap programs have been corrected:
      + The Shorewall6-lite version failed to run with the message:
      /usr/share/shorewall6-lite/lib.cli: No such file or
      directory
      + The Shorewall-lite version would not run if SHAREDIR was
      set to a value other than /usr/share in shorewallrc.
    * The Shorewall 4.5.2.3 fix for the Shorewall-core installer's
      handling of --host=linux was not brought forward into 4.5.3.
      It has been included again in this version.
    * Single-line embedded PERL and SHELL commands have been
      re-enabled.
* Fri Jun 01 2012 toganm@opensuse.org
  - Update to 4.5.4.1 For more details see changelog.txt and
    releasenotes.txt
    * Beginning with Shorewall 4.4.22, the 'pptpserver' tunnel type
      has been configured as a PPTP client running on the firewall
      rather than as a server on the firewall. It is now correctly
      configured as  a server.
    * The shorewall-accounting (5) and shorewall6-accounting (5)
      documentation for the IPSEC column is incorrect. Rather than
      'accountin' and 'accountout', the chain names should be
      'accipsecin' and 'accipsecout'.
    * IPSEC accounting did not work if the accounting file was
      sectioned. Beginning with this release, the IPSEC column can
      be specified in any section. As always, the IPSEC column
      contains a comma-separated  list of items. In the FORWARD
      chain, the first (or only) item in the list must be either
      'in' or 'out' to indicate whether the rule  matches incoming
      packets that have been decrypted ('in') or outgoing packets
      that will be encrypted ('out'). There are no restrictions with
      respect to which chain IPSEC rules can appear in  a sectioned
      file.
* Sat May 26 2012 toganm@opensuse.org
  - Update to 4.5.4 For more details see changelog.txt and
    releasenotes.txt
    * When EXPORTMODULES=No in shorewall.conf, the error messages
      have been eliminated
    * If the configuration settings in the PACKET MARK LAYOUT section
      of shorewall.conf (shorewall6.conf) had empty settings, the
      'update' command would previously set them to their default
      settings. It now  leaves them empty.
    * Previously, Shorewall used 'unreachable' routes to null-route
      the RFC1918 subnets. This approach has two drawbacks:
    - It can cause problems for IPSEC in that it can cause packets
      to be rejected rather than encrypted and forwarded.
    - It can return 'host unreachable' ICMPs to other systems that
      attempt to route RFC1918 addresses through the firewall.
      To eliminate these problems, Shorewall now uses 'blackhole'
      routes.
      Such routes don't interfere with IPSEC and silently drop
      packets  rather than return an ICMP.
    * The 'default' routing table is now cleared if there are no
      'fallback' providers.
    * Tproxy implementation has been reworked. For more details
      please consult the releasenotes.txt and changelog.txt
* Tue May 15 2012 toganm@opensuse.org
  - Update to 4.5.3.1 For more details see changelog.txt and
    releasenotes.txt
    * Previously, nested conditionals did not work correctly in all
    cases. In particular:
      ?IF $FALSE
      ?IF $FALSE
      foo
      bar
      ?ENDIF
      baz
      bop
      ?ENDIF
      In this case, the lines 'baz' and 'bop' were incorrectly
      included when they should have been omitted.
    * The 'balance' routing table is now cleared if there are no
      'balance' providers.
    * Previously, the compiler generated an invalid 'ip add route'
      command if an IPv6 provider had '-' in the GATEWAY column.
    * As noted in the Migration Considerations, the generated
      firewall script maintains the interface .status files used by
      LSM and SWPING. Up to now, however, the 'disable' command did
      not update the .status file. That has been corrected. As part
      of the change, the 'isusable' script is no longer consulted by
      the 'enable' command.
* Fri May 11 2012 toganm@opensuse.org
  - Update to 4.5.3 For more details see changelog.txt and
    releasenotes.txt
    * The LOCKFILE setting in shorewall.conf and shorewall6.conf had
      inadvertently become undocumented. It is now documented again.
    * If an initial installation of Shorewall, Shorewall6, Shorewall
      Lite or Shorewall6 Lite was done under Shorewall 4.5.2, then the
      firewall would not start up at boot even though the installer
      indicated that it would. That defect has been corrected.
    * Previously, when per-IP rate limiting was invoked, the compiler
      would use the deprecated '--ratelimit' option, even if the
      preferred '--ratelimit-upto' option was available. Now, the
      compiler uses the preferred option if it is supported by the
      installed version of iptables.
    * Prior to this release, using a manual chain in the ACTION
      column of a macro body generated an error:
      ERROR: Invalid Action (mychain) in macro, macro.FOO (line ...)
      This now works correctly and generates a jump to the specified
      manual chain.
    * Previously, a line with the single word COMMENT in the tunnels
      file would generate the following error:
      ERROR: Zone must be specified
      Now, such a line correctly resets the current rule comment.
    * In Shorewall 4.5.2, the MARK column in the tcrules file was
      renamed to ACTION but only 'mark' was accepted in the alternate
      specification format. Now both 'mark' and 'action' are
      accepted.
    * The alternative method of provider balancing using the
      statistic match feature of iptables/Netfilter was missing some
      logic, with the result that it was ineffective.
    * If a logical interface name was used by itself in the SOURCE
      column of the rtrules file, the generated routing rule would
      contain the logical name rather than the physical name.
* Tue May 01 2012 toganm@opensuse.org
  - Update to 4.5.2.4 For more details see changelog.txt and
    releasenotes.txt
    * The 'shorewall reset' command now correctly resets the IPv4
      packet and byte counters; previously, it was resetting the IPv6
      counters.
    * The Shorewall installer now modifies the Chains.pm file for
      Digest::SHA dependency when $DESTDIR is set, provided that
      $BUILD = $HOST. This allows rpm to automatically generate the correct
      module dependency.
* Sun Apr 15 2012 toganm@opensuse.org
  - Update to 4.5.2.2 For more details see changelog.txt and
    releasenotes.txt
    * If a shorewallrc file is passed to the 4.5.2.1 Shorewall-core
      install.sh, subsequent compilations fail. The error message
      indicates that the compiler is looking for lib.core, but the
      pathname has embedded spaces.
    * The 4.5.2.1 Shorewall/Shorewall6 installer installs an
      incorrect file as /etc/shorewall[6]/Makefile.
* Sat Apr 14 2012 toganm@opensuse.org
  - Update to 4.5.2.1 For more details see changelog.txt and
    releasenotes.txt
    * In release 4.5.2, if an INCLUDE directive appeared inside a ?IF
      ... ?ENDIF sequence, then the following error would be
      generated after the included file had been read:
      ERROR: Missing ?ENDIF to match the ?IF at line ...
    * An error in the shorewallrc.apple file has been corrected.
    * The shorewallrc.redhat file has been changed to conform to
      Fedora packaging guidelines.
    * The output of the 'version -a' command reflected incorrect
      versions when Shorewall-core 4.5.2 was installed. That has been
      corrected.
* Fri Apr 13 2012 toganm@opensuse.org
  - Update to 4.5.2 For more details see changelog.txt and
    releasenotes.txt
    * The generated firewall script includes code to automatically
      create ipsets that are referenced but that don't exist. That code
      was broken in releases 4.4.22 and later. This defect has been
      corrected. As part of the fix, the generated script will now
      issue a warning message when it creates an ipset.
    * The 'mss' option is now supported in the /etc/shorewall[6]/hosts
      files. See the manpages for details.
    * It is now possible to conditionally include or omit
      configuration entries based on the settings of shell variables.
      See http://www.shorewall.net/configuration_file_basics.htm
      for details.
    * The MARK/CLASSIFY column in /etc/shorewall[6]/tcrules has been
      renamed ACTION to reflect the expanded set of actions that can
      be specified in the column.
    * Some users are finding these ipset warnings objectionable:
      + Warning when a referenced ipset does not exist.
      + Warning when using [src] in a destination column or [dst] in
      a source column.
      These warnings may now be suppressed by setting
      IPSET_WARNINGS=No in shorewall.conf and/or shorewall6.conf.
* Tue Mar 20 2012 toganm@opensuse.org
  - Update to 4.5.1.1 For more details see changelog.txt and
    releasenotes.txt
    * When checking or compiling for export (-e option),
      /sbin/shorewall would previously issue a warning message if
      the SHOREWALL_SHELL specified in the remote
      firewall's shorewall.conf did not exist.
    * The changes to TOS handling in 4.5.1 are incompatible with
      older releases such as RHEL5 and derivatives. That has been
      corrected.
    * The rules compiler now verifies that the protocol is TCP, UDP,
      SCTP or DCCP when checking a port range (low:high or low-high).
    * Previously, start or restart using the init script would fail
      with an error message referencing 'SHOREWALL_INIT_SCRIPT'.
      This defect was not visible to users that set AUTOMAKE=Yes or
      that run Shorewall-init.
* Fri Mar 16 2012 toganm@opensuse.org
  - Update to 4.5.1 For more details see changelog.txt and
    releasenotes.txt
    * This release includes all defect repair from versions
      4.5.0.1-4.5.0.3.
    * A typo has been corrected in the blrules man pages.
    * Previously, if the interface appearing in the HOSTS column of
      /etc/shorewall6/hosts was not defined in
      /etc/shorewall6/interfaces, then the compiler would terminate
      with a Perl diagnostic:
      Can't use an undefined value as a HASH reference at
      /usr/share/shorewall/Shorewall/Zones.pm line 1817,
      <$currentfile> line ...
    * The compiler was previously failing to validate the contents of
      the LENGTH and TOS columns in /etc/shorewall/tcrules. The
      contents of those columns are now validated by the compiler and
      an appropriate error message is issued if validation fails.
    * The column headings in the tos files are now in the proper
      order. Previously, the SOURCE PORT and DEST PORT columns were
      reversed.
* Sun Feb 26 2012 toganm@opensuse.org
  - Update to 4.5.1-Beta2 For more details see changelog.txt and
    releasenotes.txt
    * A typo has been corrected in the blrules man pages.
      Previously, if the interface appearing in the HOSTS column of
      /etc/shorewall6/hosts was not defined in
      /etc/shorewall6/interfaces, then the compiler would terminate
      with a Perl diagnostic:
      Can't use an undefined value as a HASH reference at
      /usr/share/shorewall/Shorewall/Zones.pm line 1817,
      <$currentfile> line ...
* Wed Feb 22 2012 toganm@opensuse.org
  - Update to 4.5.1-Beta For more details see changelog.txt and
    releasenotes.txt
    * The packing of the Shorewall products has been changed. Beginning
      with this release, the packages are:
      + Shorewall Core  -- Core libraries installed in
        /usr/share/shorewall/
      + Shorewall       -- Requires Shorewall Core. Together with
        Shorewall Core, provides IPv4 firewalling.
      + Shorewall6      -- Requires Shorewall. Provides IPv6
        firewalling.
      + Shorewall Lite  -- Requires Shorewall Core. As before.
      + Shorewall6 Lite -- Requires Shorewall Core. As before.
      + Shorewall Init  -- As before
* Sat Jan 21 2012 toganm@opensuse.org
  - Update to 4.4.27.3 For more details see changelog.txt and
    releasenotes.txt
    * Previously, if USE_DEFAULT_RT=Yes and 'loose' was specified on
      all providers, then no routing rule targeting the main routing
      table was generated. This has been corrected so that
      USE_DEFAULT_RT=Yes always results in such a rule at
      priority 999.
    * Shorewall 4.4.27 broke Shorewall-init functionality. It is
      restored in this release.
* Mon Jan 16 2012 toganm@opensuse.org
  - Update to 4.4.27.2. For more details see changelog.txt and
    releasenotes.txt
    * A long-standing problem with Shorewall's 'save' facility has
      been discovered. The defect can cause rules to be dropped during
      'save' so that they are not available to be reapplied during
      'restore'. This can occur in 'safe-restart' when the prompt is
      not acknowledged or when it is acknowledged with 'n'.
      The problem can occur when:
      a)  There are IPSEC zones or hosts present; and
      b)  GOTO Target support is available in the kernel and
          iptables.
      Example of rule that will be dropped:
        -A eth2_fwd -m policy --dir in --pol ipsec -g AAA_frwd
      The defective code has been corrected so that rules are no
      longer dropped.
* Thu Jan 12 2012 toganm@opensuse.org
  - Update to 4.4.27.1. For more details see changelog.txt and
    releasenotes.txt
    * When optimization category 4 is used, unconditional jumps at
      the end of chains are replaced with the rules in the target
      chain. This can result in rulesets that are considerably larger
      than necessary. Beginning with this release, replacement will
      only occur if:
      a) The jump is the only reference to the target chain; or
      b) The target chain contains 3 or less rules.
    * The feature introduced in 4.4.25 that allowed provider names in
      the 'enable' and 'disable' commands was only implemented for
      'enable'. It is now implemented for 'disable' as well.
    * When detecting IPv6 global addresses through an interface,
      Shorewall6-generated scripts were ignoring addresses beginning
      with '3'.
    * A typo in /usr/share/shorewall/prog.header caused an 'awk' script
      to fail when saving a multi-hop default route during 'start'.
    * The value '0' is once again accepted in the IN_BANDWIDTH
      columns of tcinterfaces and tcrules, and causes no ingress
      policing to be configured.
    * MARK_IN_FORWARD_CHAIN=Yes no longer generates an error when
      $FW:<address> is entered in the SOURCE column of the tcrules
      file.
    * In most Shorewall 4.4 versions, if an exported params file
      (EXPORTPARAMS=Yes in shorewall.conf) generates any output to
      stdout, then the following messages would appear during
      start/restart:
      Compiling /etc/shorewall/routestopped...
      Shorewall configuration compiled to
      /var/lib/shorewall/.restart
      printf: 214: Build: expected numeric value
      printf: 214: ipset: expected numeric value
      printf: 214: of: expected numeric value
      Processing /etc/shorewall/params ...
      Build ipset of blacklisted addresses
      Usage: /var/lib/shorewall/.restart [ options ] <command>
      <command> is one of:
      start
      stop
      ...
      This has now been corrected.
* Wed Dec 14 2011 toganm@opensuse.org
  - Update to 4.4.26.1 For more details see changelog.txt and
    releasenotes.txt
    * The Perl module version numbers have now been updated to
    reflect changes in 4.4.26.
    * The 4.4.26 rules compiler does not issue a warning when a
    capabilities file was generated with Shorewall 4.4.25, even
    though new capabilities were added in 4.4.26. This has been
    corrected so that a warning is generated.
    * When TC_ENABLED=Shared, CLASSIFY rules could not be used in the
    tcrules file. Thanks to a patch from Chris Boot, this now works
    as expected.
    * The quoted part of the progress message 'Provider "..."
    compiled' was inadvertently omitted by a change in Shorewall 4.4.23.
    That text has now been restored.
* Sat Dec 03 2011 toganm@opensuse.org
  - Update to 4.4.26 For more details see changelog.txt and
    releasenotes.txt
    * This release includes all corrections included in 4.4.25.1
      through .3.
    * In 4.4.25, ACCEPT behaved in the BLACKLIST section the same way
      as in the other rules file sections. This could lead to
      connections being accepted inadvertently.
      Now, ACCEPT behaves like WHITELIST; that is, it exempts the
      packet from the remaining rules in the BLACKLIST section.
    * Previously, Shorewall did not detect the ULOG and NFLOG
      capabilities. This led to run-time failures during 'start' and
      'restart' as well as confusing error messages during
      compilation when ULOG or NFLOG was used when the LOG target was
      not available.
      ULOG and NFLOG are now detected capabilities so, if you use a
      capabilities file, you will need to regenerate it in order to
      use these log levels.
    * The SAME tcrules target was broken in Shorewall 4.4.22. It now
      works correctly again.
    * Previously, 'shorewall6 update' did not update shorewall6.conf.
      The command now works as expected.
    * In earlier releases, the compiler was attempting to process the
      params file before it was aware of the setting of CONFIG_PATH.
      This could cause the params file to be missed if it was not located
      in /etc/shorewall[6] or in the directory named in the start
      (restart,compile,check,...) command.
      Now, /sbin/shorewall[6] passes $CONFIG_PATH to the compiler
      (/usr/share/shorewall/compiler.pl) in the new '--config_path'
      option.
* Sat Nov 12 2011 toganm@opensuse.org
  - Update to 4.4.25.3  For more details see changelog.txt and
    releasenotes.txt
    * Correction of the produced ruleset when wildchars are used in
      the zone configuration
* Sun Nov 06 2011 toganm@opensuse.org
  - Update to 4.4.25.2 For more details see changelog.txt and
    releasenotes.txt
    * Previously, if all the following were true:
      - AUTOMAKE=Yes
      - Current compiled script (/var/lib/shorewall/firewall or
        /var/lib/shorewall6/firewall) up to date
      - LEGACY_FASTSTART=No
      - There was a saved configuration
      then rather than start the current configuration, 'shorewall
      start -f' or 'shorewall6 start -f' would incorrectly restore
      the saved configuration.
    * The DropSmurfs and TCPFlags actions are now available in
      Shorewall6. They were previously omitted from the IPv6
      actions.std file.
    * The 'rawpost' table was previously omitted from the output of
      the 'dump' command. It is now displayed.
    * Previously, if a configuration contained more than one wildcard
      interface (physical name ending in '+'), then the generated script
      might not work properly with Shorewall-init. This defect dates back
      to the introduction of Shorewall-init.
* Tue Nov 01 2011 toganm@opensuse.org
  - Update to 4.4.25.1 For more details see changelog.txt and
    releasenotes.txt
    * A 'refresh' command with no chains or tables specified will
      now reload chains created by entries in the BLACKLIST section of
      the rules file.
    * The rules compiler previously failed to detect the 'Flow
      Filter' capability. That capability is now correctly detected.
    * The IN_BANDWIDTH handling changes in 4.4.25 were incompatible
      with moribund distributions such as RHEL4. Restoring IN_BANDWIDTH
      functionality on those releases required a new 'Basic Filter'
      capability.
* Sun Oct 30 2011 toganm@opensuse.org
  - Update to 4.4.25 For more details see changelog.txt and
    releasenotes.txt
    * A defect in the optimizer that allowed incompatible rules to be
    combined has been corrected.
    * Routes and rules added as a result of entries in
    /etc/shorewall6/providers were previously not deleted by
    'stop' or 'restart'. Repeated 'restart' commands could
    therefore lead to an incorrect routing configuration.
    * Previously, capital letters were disallowed in IPv6 addresses.
    They are now permitted.
    * If the COPY column in /etc/shorewall6/providers was non-empty,
    previously a run-time error could occur when copying a table.
    The diagnostic produced by ip was:
      Either "to" is duplicate, or "cache" is garbage
    * When copying IPv6 routes, the generated script previously
    attempted to copy 'cache' entries. Those entries are now omitted.
    * Previously, the use of large provider numbers could cause some
    Shorewall-generated routing rules to be ineffective.
    * In some contexts, IPv6 addresses of the form ::i.j.k.l were
    incorrectly classified as invalid by the configuration compiler.
    * New blacklisting facility implemented. For this and other new
    features please refer to the releasenotes.txt
* Sat Oct 15 2011 toganm@opensuse.org
  - Update to 4.4.24.1
    * When the logical and physical name of an interface were
      different, including the logical name in the tcdevices file
      caused the device's classes to be ignored. This defect was
      introduced in Shorewall 4.4.23.
    * Remove the ExecReload from all services, since systemd
      doesn't allow an ExecReload for OneShot services. Also, add a
      missing After=network.target to shorewall.service.
  - Fixed Url typo in the spec
* Mon Oct 10 2011 toganm@opensuse.org
  - Update to 4.4.24. For more details see changelog.txt and
    releasenotes.txt
    * This release includes all problem corrections from releases
      4.4.23.1-4.4.23.3.
    * The 'fallback' option without =<weight> previously produced
      invalid 'ip' commands.
* Thu Sep 29 2011 toganm@opensuse.org
  - reworked systemd related rpm macros for 12.1
* Sat Sep 17 2011 toganm@opensuse.org
  - Update to 4.4.23.3
    * When providers were present that specify neither 'balance' nor
      'fallback', then the following message was issued during
      compilation and 'enable' of the interface would fail.
      Use of uninitialized value $weight in concatenation (.) or
      string at /usr/share/shorewall/Shorewall/Providers.pm line 644.
    * TC_ENABLED=Shared was broken in Shorewall 4.4.23, 4.4.23.1 and
      4.4.23.2. It produced a shell script with syntax errors.
  - Backported patches removed.
* Fri Sep 16 2011 toganm@opensuse.org
  - Update to 4.4.23.2  For more details see changelog.txt and
    releasenotes.txt
  - Support of systemd for openSUSE 12.1
  - Backported patches WEIGHT.patch and SHARED.patch fixing a
    harmless message and traffic shaping issues respectively
* Sat Aug 20 2011 toganm@opensuse.org
  - Update to 4.4.22.3. Corrections in this release are below.
    * On older distributions where 'shorewall show capabilities'
      indicates 'Connection Tracking Match: Not Available', harmless
      Perl diagnostics like the following could be issued:
      Use of uninitialized value $list in pattern match (m//)
      at /usr/share/shorewall/Shorewall/Config.pm line 1273,
      <$currentfile> line 14.
      Use of uninitialized value $list in split
      at /usr/share/shorewall/Shorewall/Config.pm line 1275,
      <$currentfile> line 14.
    * On older distributions where 'shorewall show capabilities'
      indicates 'Mangle FORWARD Chain: Not Available', entries in the
      ecn file generated the following Perl Diagnostic:
      Use of uninitialized value in hash element
      at /usr/share/shorewall/Shorewall/Chains.pm line 1119.
    * Previously, if a provider interface was derived from an optional
      wildcard entry in /etc/shorewall/providers, then the interface
      was never considered to be usable.
      Example:
      /etc/shorewall/interfaces:
      [#]ZONE    INTERFACE   BROADCAST    OPTIONS
      net        ppp+        -            optional
      /etc/shorewall/providers:net
      [#]PROVIDER  NUMBER  MARK  INTERFACE ...
      ISP1         1       1     ppp0
    * When 'shorewall update' or 'shorewall6 update' results in no change
      to the .conf file, a message is issued, the .bak file is removed
      and the command terminates without error.
* Fri Aug 12 2011 toganm@opensuse.org
  - patch the Perl diagnostic with a WARNING message.
* Tue Aug 09 2011 toganm@opensuse.org
  - Update to 4.4.22.2
    * On older distributions where 'shorewall show capabilities'
      indicates 'Connection Tracking Match: Not Available', Shorewall
      4.4.22 and 4.4.22.1 generated invalid iptables-restore input.
    * Previously, the compiler always placed '#!/bin/sh' on the first
      line of the generated script. It now uses the setting of
      SHOREWALL_SHELL on that line rather than '/bin/sh'. Note that
      SHOREWALL_SHELL defaults to '/bin/sh' so this change only affects
      those who specify a different shell.
  - Patched REDIRECT rule
* Thu Aug 04 2011 toganm@opensuse.org
  - Update to 4.4.22.1
    * Previously, if the name of a zone began with 'all', then entries
      for that zone in /etc/shorewall/rules and /etc/shorewall6/rules
      treated the name the same as 'all'.
      This defect is present in Shorewall 4.4.13 through 4.4.22.
    * Previously, when LOAD_HELPERS_ONLY=No, harmless
      iptables-restore warnings as follows could be generated:
      ...
      Running   /usr/local/sbin/iptables-restore...
      --set option deprecated, please use --match-set
      --set option deprecated, please use --match-set
      IPv4 Forwarding Enabled
* Wed Aug 03 2011 toganm@opensuse.org
  - Update to 4.4.22. For more details see changelog.txt and
    releasenotes.txt
    * Under rare conditions, long port lists (>15 ports) could result in
    the following failure when optimization level 4 was enabled.
      Use of uninitialized value in numeric gt (>)
      at /usr/share/shorewall/Shorewall/Chains.pm line 1264.
      ERROR: Internal error in
      Shorewall::Chains::decrement_reference_count at
      /usr/share/shorewall/Shorewall/Chains.pm line 1264
    * All corrections included in Shorewall 4.4.21.1.
  - A bug in recent versions of Shorewall that could result in rules
    that are wider in scope than intended was fixed by applying a patch
    by the upstream.
* Tue Jul 19 2011 toganm@opensuse.org
  - Update to 4.4.21.1 Changes in this release are:
    * A harmless Perl run-time "uninitialized variable" diagnostic has
    been eliminated from the compiler. The diagnostic was issued while
    displaying the capabilities.
    * As the result of a typo, an orphan filter chain named FORWAR
    could be created under rare circumstances. This chain was deleted
    by OPTIMIZE level 4.
    * The SNAT options --persistent and --randomize now work properly
    (/etc/shorewall/masq).
    * The LOGMARK log level previously generated invalid iptables
    input making it unusable. That has been corrected.
    The syntax for LOGMARK is now:
    LOGMARK(<priority>) where <priority> is a syslog priority (1-7 or debug,
    info, notice, etc.).
    Example rule:
      [#]ACTION          SOURCE  DEST   PROTO   DEST
      [#]                                       PORT(S)
      LOG:LOGMARK(info)  lan     dmz    udp     1234
* Mon Jul 11 2011 toganm@opensuse.org
  - Update to 4.4.21 For more details see changelog.txt and
    releasenotes.txt
    * The Shorewall and Shorewall6 'load' and 'reload' commands
    now use the .conf file in the current working directory.
    * The 'balance' and 'fallback' options in /etc/shorewall/providers
    have always been mutually exclusive but the compiler previously
    didn't enforce that restriction. Now it does.
    * The ipset modules are now automatically loaded by Shorewall6 when
    LOAD_HELPERS_ONLY=No is specified in shorewall6.conf. Additionally,
    there is now a /usr/share/shorewall6/modules.ipset file that
    lists all of the required modules.
    * TPROXY descriptions have been added to shorewall-tcrules(5) and
    shorewall6-tcrules(5).
* Thu Jun 16 2011 toganm@opensuse.org
  - Update to 4.4.20.3. Changes in this release are
    * Deprecated options have been removed from the .conf files.
    They remain in the man pages.
    * A simple configuration like the 'Universal' sample that includes a
    single wildcard interface ('+' in the INTERFACE column) produces a
    ruleset that blocks all incoming packets.
    As part of correcting this defect, which was introduced in
    4.4.20.2, one or more superfluous rules (which could never
    match) have been eliminated from most configurations.
* Wed Jun 15 2011 toganm@opensuse.org
  - Update to 4.4.20.2
    * A defect introduced in 4.4.20 could cause the following failure at
      start/restart:
      ERROR: Command "tc qdisc add dev eth0 parent 1:11 handle 1:
      sfq quantum 12498 limit 127 perturb 10" failed
    * The 'sfilter' interface option introduced in 4.4.20 was only
      applied to forwarded traffic. Now it is also applied to traffic
      addressed to the firewall itself.
    * Issues with iptables-restore are corrected
    * IPSEC traffic is now (correctly) excluded from sfilter.
    * The following incorrect warning message has been eliminated:
      WARNING: sfilter is ineffective with FASTACCEPT=Yes
* Tue Jun 07 2011 toganm@opensuse.org
  - Update to 4.4.20.1
    * The address of the Free Software Foundation has been corrected in
    the License files.
    * The shorewall[6].conf file installed in
      /usr/share/shorewall[6]/configfiles is no longer modified for use
      with Shorewall[6]-lite. When creating a new configuration for a
      remote firewall, two lines need to be modified in the copy
      CONFIG_PATH=/usr/share/shorewall (or shorewall6)
      STARTUP_LOG=/var/log/shorewall-lite-init.log
      (or shorewall6-lite-init.log)
* Mon Jun 06 2011 toganm@opensuse.org
  - Update to 4.4.20
    * Removed backported patches for openSUSE specific locations as
    they are incorporated in upstream.
  - Changes in 4.4.20 (for more read changelog.txt and releasenotes.txt)
    * Support for the AUDIT target has been added. AUDIT is a feature of
    the 2.6.39 kernel and iptables 1.4.10 that allows security auditing
    of access decisions.
* Wed May 18 2011 toganm@opensuse.org
  - Update to 4.4.19.4
    * Previously, the compiler would allow a degenerate entry (only the
    BAND specified) in /etc/shorewall/tcpri. Such an entry now raises a
    compilation error.
    * Previously, it was possible to specify tcfilters and tcrules that
    classified traffic with the class-id of a non-leaf HFSC class. Such
    classes are not capable of handling packets.
    Shorewall now generates a compile-time warning in this case and
    ignores the entry.
    If a non-leaf class is specified as the default class, then
    Shorewall now generates a compile-time error since that
    configuration allows no network traffic to flow.
    * Traditionally, Shorewall has not checked for the existence of
    ipsets mentioned in the configuration, potentially resulting in a
    run-time start/restart failure. Now, the compiler will issue a
    WARNING if:
    a) The compiler is being run by root.
    b) The compilation isn't producing a script to run on a remote
    system under a -lite product.
    c) An ipset appearing in the configuration does not exist on the
    local system.
    * As previously implemented, the 'refresh' command could fail or
    could result in a ruleset other than what was intended. If there
    had been changes in the ruleset since it was originally
    started/restarted/restored that added or deleted sequenced chains
    (chains such as ~lognnn and ~exclnnn), the resulting ruleset could
    jump to the wrong such chains or could fail to 'refresh'
    successfully.
    This issue has been corrected as follows. When a 'refresh' is done
    and individual chains are involved, then each table that contains
    both sequenced chains and one of the chains being refreshed is
    refreshed in its entirety.
    For example, if 'shorewall refresh foo' is issued and the filter
    table (which is the default) contains any sequenced chains, then
    the entire table is reloaded. Note that this reload operation is
    atomic so no packets are passed through an inconsistent
    configuration.
    * When 'shorewall6 refresh' was run previously, a harmless
    'ip6tables: Chain exists' message was generated.
  - Reworked backported patches so shorewall still uses openSUSE specific
    locations
  - Fix the zone definitions in shorewall6/Samples6/zones examples
* Wed May 11 2011 toganm@opensuse.org
  - Update to 4.4.19.3
    * incompatibility with gawk has been corrected
    * Previously, an entry in the USER/GROUP column in the rules and
    tcrules files could cause run-time start/restart failures if the
    rule(s) being added did not have the firewall as the source (rules
    file) and were not being added to the POSTROUTING chain (:T
    designator in the tcrules file). This error is now caught by
    the compiler.
    * Shorewall now insures that a route to a default gateway exists in
    the main table before it attempts to add a default route through
    that gateway in a provider table. This prevents start/restart
    failures in the rare event that such a route does not exist.
    * CLASSIFY TC rules can apply to traffic exiting only the interface
    associated with the class-id specified in the first column.
    * Fixes start of shorewall6 (bnc#693162)
* Fri May 06 2011 toganm@opensuse.org
  - Update to 4.4.19.2 For more details see changelog.txt and
    releasenotes.txt
    * In Shorewall-shell, there was the ability to specify IPSET names in
      the ORIGINAL DEST column of DNAT and REDIRECT rules. That ability,
      inadvertently dropped in Shorewall-perl, has been restored
    * Several problems with complex TC have been corrected:
    * Double exclusion involving ipset lists was previously not detected,
      resulting in anomalous behavior.
* Mon Apr 18 2011 toganm@opensuse.org
  - Update to 4.4.19.1
    * Eliminate silly duplicate rule when stopped.
    * Don't believe that all nexthop routes are default routes.
    * Restore :<low port>-<high port> in masq file.
    * Correct default route safe/restore.
  - backported paths related patches from git as they are in mainstream
    now
* Wed Apr 13 2011 toganm@opensuse.org
  - Shorewall packages have their openSUSE specific locations now
    * Executable files in /usr/lib/shorewall*. These include;
      getparams
      compiler.pl
      wait4ifup
      shorecap
      ifupdown
    * Perl Modules in /usr/lib/perl5/vendor_perl/PERL_VERSION/Shorewall.
  - Updated to 4.4.19 (for more info please consult changelog.txt and
    releasenotes.txt)
    * Corrected a problem in optimize level 4 that resulted in the following
    compile-time failure
    Can't use an undefined value as an ARRAY reference at
      /usr/share/shorewall/Shorewall/Chains.pm line 862.
    * If a DNAT or REDIRECT rule applied to a source zone with an interface
    defined with 'physical=+', then the nat table 'dnat' chain might have
    been created but not referenced. This prevented the DNAT or REDIRECT
    rule from working correctly.
    * Previously, if a variable set in /etc/shorewall/params was given a value
    containing shell metacharacters, then the compiled script would contain
    syntax errors.
    * The pathname of the 'conntrack' binary was erroneously printed in the
    output of 'shorewall6 show connections'.
    * Correct a problem whereby incorrect Netfilter rules were generated when
    a bridge with ports was given a logical name.
    * If a bridge interface had subordinate ports defined in
    /etc/shorewall/interfaces, then an ipsec entry (either ipsec zone or the
    'ipsec' option specified) in /etc/shorewall/hosts resulted in the
    compiler generating an incorrect Netfilter configuration.
    * A fatal error is now raised if '!0' appears in the PROTO column of files
    that have that column. This avoids an iptables-restore failure at run time.
* Mon Apr 04 2011 toganm@opensuse.org
  - Updated to 4.4.18.2
    * SAVE_IPSETS=Yes didn't work unless there is a dynamic zone defined.
    * If a logical name was given to a bridge and the ports on the bridge
    were defined in /etc/shorewall/interfaces, then the compiler could
    generate matches that used the logical name rather than the
    physical name.
* Mon Mar 21 2011 toganm@opensuse.org
  - Updated to 4.4.18.1
    * An issue with params processing on RHEL6 has been corrected. The
    problem manifested as the following type of warning:
      WARNING: Param line (export OLDPWD) ignored at
      /usr/share/shorewall/Shorewall/Config.pm line 2993.
    * The editing of the value of the TC_PRIOMAP option has been
    tightened. Previously, many invalid settings were allowed,
    resulting in run-time tc command failures.
    * The Shorewall Lite and Shorewall6 Lite installers now install the
    'helpers' modules file. Previously, this file was not installed
    with the result that both 'shorewall[6]-lite show capabilities' and
    'shorecap' failed.
    * Previously, if an icmp or icmp6 type which included both a type and
    a code was used in the tcfilters file, 'start' and 'restart' would
    fail with a 'tc' error.
* Fri Mar 11 2011 toganm@opensuse.org
  - Updated to 4.4.18
    * for accounting modules xtables-addons must be installed
  - Changes in 4.4.18 (for more read changelog.txt and releasenotes.txt)
    * The modules files are now just a driver that INCLUDEs several new
      files and one old file:
    * Beginning with Shorewall 4.4.18, the accounting structure can be
      created with three root chains:
      - accountin:  Rules that are valid in the INPUT chain (may not
        specify an output interface).
      - accountout: Rules that are valid in the OUTPUT chain (may not
        specify an input interface or a MAC address).
      - accountfwd: Other rules.
    * Internals Change: The Policy.pm module has been merged into the
      Rules.pm module.
* Thu Feb 10 2011 toganm@opensuse.org
  - Updated to 4.4.17
    * This release adds support for per-IP accounting using the ACCOUNT
      target. That target is only available when xtables-addons is
      installed.
  - Changes in 4.4.17 (for more read changelog.txt and releasenotes.txt)
    * Previously, Shorewall did not check the length of the names of
      accounting chains and manual chains. This could result in
      errors when loading the resulting ruleset. Now, the compiler issues
      an error for chain names longer than 29 characters.
      Additionally, the compiler now ensures that these chain names are
      composed only of letters, digits, underscores ('_') and dashes
      ('-'). This eliminates Perl runtime errors or other failures when a
      chain name is embedded within a regular expression.
    * Several issues with complex traffic shaping have been resolved:
      a) Specifying IPv6 network addresses in the SOURCE or DEST columns
      of /etc/shorewall6/tcfilters now works correctly. Previously,
      Perl runtime warnings occurred and an invalid tc command was
      generated.
      b) Previously, if flow= was specified on a parent class, a perl
      runtime warning occurred and an invalid tc command was
      generated. This combination is now flagged as an error at
      compile time.
      c) There is now an ipv6 tcfilters skeleton included with
      Shorewall6.
    * Several issues with accounting are corrected.
      a)  If an accounting rule of the form:
      chain1        chain2
      was configured and neither chain was referenced again in the
      configuration, then an internal error was generated when
      optimize level 4 was selected and OPTIMIZE_ACCOUNTING=Yes.
      b)  If there was only a single accounting rule and that rule
      specified an interface in the SOURCE or DEST columns, then the
      generated ruleset would fail to load when
      OPTIMIZE_ACCOUNTING=Yes.
      c)  If a per-IP accounting table name appeared in more than one
      rule and the specified network was not the same in all
      occurrences, then the generated ruleset would fail to load.
      This is now flagged as an error at compile time.
    * Two defects in compiler module loading have been corrected:
      a) Previously, the kernel/net/ipv6/netfilter/ directory was not
      searched.
      b) A Perl diagnostic was issued when running on a monolithic kernel
      when the modutils package was installed.
    * A line containing only 'INCLUDE' appearing in an extension script
      now generates a compile-time diagnostic rather than a run-time
      diagnostic.
    * Previously, the uninstall.sh scripts used insserv (if installed) on
      Debian-based systems. These scripts now use the preferred tool
      (update-rc.d).
    * Beginning with 4.4.16, compilation would fail if an empty shell
      variable was referenced in a config file on a system where /bin/sh
      is the Bourne Again Shell (bash).
    * In earlier versions, if OPTIMIZE=8 then the ruleset displayed by
      'check -r' was the same as when OPTIMIZE=0 (unoptimized).
      Similarly, if OPTIMIZE=9 then the ruleset displayed was the same
      as when OPTIMIZE=1.
    * Startup could previously fail on a system where kernel module
      autoloading was not available and where TC_ENABLED=Simple was
      specified in shorewall.conf or shorewall6.conf.
    * Previously, a 'done.' message could be printed at the end of
      command processing even when the command had failed. Now, such a
      message only appears if the command completed successfully.
* Sat Jan 22 2011 toganm@opensuse.org
  - Updated to 4.4.16.1
    * Beginning with 4.4.16, compilation would fail if an empty shell
      variable was referenced in a config file on a system where /bin/sh
      is the Bourne Again Shell (bash).
* Wed Jan 12 2011 toganm@opensuse.org
  - fix fillup for shorewall-init so it will be copied to sysconfig
    directory
  - link network/scripts/shorewall to if-up.d and if-down.d
  - Changes in 4.4.16 (for more read changelog.txt and releasenotes.txt)
    * If the output of 'env' contained a multi-line value, then
      compilation failed with an Internal Error. The code has been
      changed so that the compiler now handles multi-line values
      correctly.
    * In 4.4.15, output to Standard Out (FD 1) generated by
      /etc/shorewall/params (/etc/shorewall6/params) was redirected to
      /dev/null. It is now redirected to Standard Error (FD 2).
    * If a params file did not appear in the CONFIG_PATH, compilation
      failed with the error:
      .: 31: Can't open /etc/shorewall6/params
      ERROR: Processing of /etc/shorewall6/params failed
    * Previously, proxy ARP with logical interface names did not
      work. Symptoms included numerous Perl runtime error messages.
    * Previously, the root of a wildcard name erroneously matched that
      name. For example 'eth' matched 'eth+'. Now there must be at least
      one additional character (e.g., 'eth4').
    * Use of logical interface names in the notrack and ecn files
      resulted in perl runtime warning messages.
    * The use of wildcard-matching names in certain contexts would result
      in anomalous behavior. Among the symptoms were:
      - Perl run-time messages similar to this one:
        Use of uninitialized value in numeric comparison (<=>)
        at /usr/share/shorewall/Shorewall/Zones.pm line 1334.
      - Failure to treat the interface as optional or required.
    * Where two ISPs share the same interface, if one of the ISPs was not
      reachable, an iptables-restore error such as this occurred:
      iptables-restore v1.4.10: Bad mac address "-j"
    * Previously, under very rare circumstances, a chain would be
      optimized away while there were still jumps to the chain. This caused
      Shorewall start/restart to fail during iptables-restore.
    * Previously, the setting of BLACKLIST_DISPOSITION was not
      validated. Now, an error is raised unless the value is DROP or REJECT.
* Mon Jan 03 2011 toganm@opensuse.org
  - Update to version 4.4.15.3
  - Changes in 4.4.15.3
    * Previously, the root of a wildcard name erroneously matched that
      name. For example 'eth' matched 'eth+'. Now there must be at least
      one additional character (e.g., 'eth4').
    * Use of logical interface names in the notrack and ecn files
      resulted in perl runtime warning messages.
    * The use of wildcard-matching names in certain contexts would result
      in perl run-time messages similar to this one:
      Use of uninitialized value in numeric comparison (<=>)
      at /usr/share/shorewall/Shorewall/Zones.pm line 1334.
    * Under very rare circumstances, a chain could be optimized away
      even when there are jumps to the chain. This resulted in a
      start/restart failure.
  - Changes in 4.4.15.2
    * Previously, proxy ARP with logical interface names did not
      work. Symptoms included numerous Perl runtime error messages.
    * Previously, unknown interface names in the proxyarp and
      tcinterfaces files resulted in Perl runtime errors.
* Thu Dec 02 2010 toganm@opensuse.org
  - Upgrade to version 4.4.15.1
  - Changes in version 4.4.15.1
    1)  If the output of 'env' contained a multi-line value, then
      compilation failed with an Internal Error. The code has been
      changed to ignore all but the first line of a multi-line value.
    2)  If a params file did not appear in the CONFIG_PATH, compilation
      failed with the error:
      .: 31: Can't open /etc/shorewall6/params
      ERROR: Processing of /etc/shorewall6/params failed
* Thu Dec 02 2010 toganm@opensuse.org
  - Update to version 4.4.15
  - Changes in Shorewall 4.4.15
    1)  Add macros from Tuomo Soini.
    2)  Corrected macro.JAP.
    3)  Added fatal_error() functions to the -lite CLIs.
    RC 1
    1)  Another Perl 5.12 warning.
    2)  Avoid anomalous behavior regarding syn flood chains.
    3)  Add HEADERS column for IPv6
    Beta 2
    1)  Tweaks to IPv6 tcfilters
    2)  Add support for explicit provider routes
    3)  Fix shared TC tcfilters handling.
    Beta 1
    1)  Handle exported VERBOSE.
    2)  Modernize handling of the params file.
    3)  Fix NULL_ROUTE_RFC1918
    4)  Fix problem of appending incorrect files.
    5)  Implement shared TC.
* Thu Nov 25 2010 toganm@opensuse.org
  - Added README.openSUSE which warns the user
* Wed Nov 24 2010 toganm@opensuse.org
  - Fix init-4.4.14.patch
  - Cleaned spec file
  - Removed Provides shoreline_firewall
  - Until upstream clarifies non-executable scripts put them under rpmlintrc
  - TODO
    * the code files should go into %_libexecdir/shorewall, only non-executable
    data is for %_datadir/shorewall.
* Wed Nov 24 2010 toganm@opensuse.org
  - Included docs-html to the packaging as well
  - Patches have the version number reflecting the diff to the original
* Thu Nov 11 2010 toganm@opensuse.org
  - Initial packaging of shorewall for opensuse

Files

/etc/logrotate.d/shorewall
/etc/shorewall
/etc/shorewall/Makefile
/etc/shorewall/accounting
/etc/shorewall/actions
/etc/shorewall/arprules
/etc/shorewall/blrules
/etc/shorewall/clear
/etc/shorewall/conntrack
/etc/shorewall/ecn
/etc/shorewall/findgw
/etc/shorewall/hosts
/etc/shorewall/init
/etc/shorewall/initdone
/etc/shorewall/interfaces
/etc/shorewall/isusable
/etc/shorewall/lib.private
/etc/shorewall/maclist
/etc/shorewall/mangle
/etc/shorewall/masq
/etc/shorewall/nat
/etc/shorewall/netmap
/etc/shorewall/notrack
/etc/shorewall/params
/etc/shorewall/policy
/etc/shorewall/providers
/etc/shorewall/proxyarp
/etc/shorewall/refresh
/etc/shorewall/refreshed
/etc/shorewall/restored
/etc/shorewall/routes
/etc/shorewall/rtrules
/etc/shorewall/rules
/etc/shorewall/scfilter
/etc/shorewall/secmarks
/etc/shorewall/shorewall.conf
/etc/shorewall/start
/etc/shorewall/started
/etc/shorewall/stop
/etc/shorewall/stopped
/etc/shorewall/stoppedrules
/etc/shorewall/tcclasses
/etc/shorewall/tcclear
/etc/shorewall/tcdevices
/etc/shorewall/tcfilters
/etc/shorewall/tcinterfaces
/etc/shorewall/tcpri
/etc/shorewall/tos
/etc/shorewall/tunnels
/etc/shorewall/zones
/usr/lib/perl5/vendor_perl/5.18.2/Shorewall
/usr/lib/perl5/vendor_perl/5.18.2/Shorewall/ARP.pm
/usr/lib/perl5/vendor_perl/5.18.2/Shorewall/Accounting.pm
/usr/lib/perl5/vendor_perl/5.18.2/Shorewall/Chains.pm
/usr/lib/perl5/vendor_perl/5.18.2/Shorewall/Compiler.pm
/usr/lib/perl5/vendor_perl/5.18.2/Shorewall/Config.pm
/usr/lib/perl5/vendor_perl/5.18.2/Shorewall/IPAddrs.pm
/usr/lib/perl5/vendor_perl/5.18.2/Shorewall/Misc.pm
/usr/lib/perl5/vendor_perl/5.18.2/Shorewall/Nat.pm
/usr/lib/perl5/vendor_perl/5.18.2/Shorewall/Proc.pm
/usr/lib/perl5/vendor_perl/5.18.2/Shorewall/Providers.pm
/usr/lib/perl5/vendor_perl/5.18.2/Shorewall/Proxyarp.pm
/usr/lib/perl5/vendor_perl/5.18.2/Shorewall/Raw.pm
/usr/lib/perl5/vendor_perl/5.18.2/Shorewall/Rules.pm
/usr/lib/perl5/vendor_perl/5.18.2/Shorewall/Tc.pm
/usr/lib/perl5/vendor_perl/5.18.2/Shorewall/Tunnels.pm
/usr/lib/perl5/vendor_perl/5.18.2/Shorewall/Zones.pm
/usr/lib/shorewall
/usr/lib/shorewall/compiler.pl
/usr/lib/shorewall/getparams
/usr/lib/systemd/system/shorewall.service
/usr/sbin/rcshorewall
/usr/sbin/shorewall
/usr/share/doc/packages/shorewall
/usr/share/doc/packages/shorewall/COPYING
/usr/share/doc/packages/shorewall/Contrib
/usr/share/doc/packages/shorewall/Contrib/ipsecvpn
/usr/share/doc/packages/shorewall/Contrib/swping
/usr/share/doc/packages/shorewall/Contrib/swping.init
/usr/share/doc/packages/shorewall/Contrib/tunnel
/usr/share/doc/packages/shorewall/README.openSUSE
/usr/share/doc/packages/shorewall/Samples
/usr/share/doc/packages/shorewall/Samples/LICENSE
/usr/share/doc/packages/shorewall/Samples/README.txt
/usr/share/doc/packages/shorewall/Samples/Universal
/usr/share/doc/packages/shorewall/Samples/Universal/interfaces
/usr/share/doc/packages/shorewall/Samples/Universal/interfaces.annotated
/usr/share/doc/packages/shorewall/Samples/Universal/policy
/usr/share/doc/packages/shorewall/Samples/Universal/policy.annotated
/usr/share/doc/packages/shorewall/Samples/Universal/rules
/usr/share/doc/packages/shorewall/Samples/Universal/rules.annotated
/usr/share/doc/packages/shorewall/Samples/Universal/shorewall.conf
/usr/share/doc/packages/shorewall/Samples/Universal/shorewall.conf.annotated
/usr/share/doc/packages/shorewall/Samples/Universal/zones
/usr/share/doc/packages/shorewall/Samples/Universal/zones.annotated
/usr/share/doc/packages/shorewall/Samples/one-interface
/usr/share/doc/packages/shorewall/Samples/one-interface/README.txt
/usr/share/doc/packages/shorewall/Samples/one-interface/interfaces
/usr/share/doc/packages/shorewall/Samples/one-interface/interfaces.annotated
/usr/share/doc/packages/shorewall/Samples/one-interface/policy
/usr/share/doc/packages/shorewall/Samples/one-interface/policy.annotated
/usr/share/doc/packages/shorewall/Samples/one-interface/rules
/usr/share/doc/packages/shorewall/Samples/one-interface/rules.annotated
/usr/share/doc/packages/shorewall/Samples/one-interface/shorewall.conf
/usr/share/doc/packages/shorewall/Samples/one-interface/shorewall.conf.annotated
/usr/share/doc/packages/shorewall/Samples/one-interface/zones
/usr/share/doc/packages/shorewall/Samples/one-interface/zones.annotated
/usr/share/doc/packages/shorewall/Samples/three-interfaces
/usr/share/doc/packages/shorewall/Samples/three-interfaces/README.txt
/usr/share/doc/packages/shorewall/Samples/three-interfaces/interfaces
/usr/share/doc/packages/shorewall/Samples/three-interfaces/interfaces.annotated
/usr/share/doc/packages/shorewall/Samples/three-interfaces/masq
/usr/share/doc/packages/shorewall/Samples/three-interfaces/masq.annotated
/usr/share/doc/packages/shorewall/Samples/three-interfaces/policy
/usr/share/doc/packages/shorewall/Samples/three-interfaces/policy.annotated
/usr/share/doc/packages/shorewall/Samples/three-interfaces/rules
/usr/share/doc/packages/shorewall/Samples/three-interfaces/rules.annotated
/usr/share/doc/packages/shorewall/Samples/three-interfaces/shorewall.conf
/usr/share/doc/packages/shorewall/Samples/three-interfaces/shorewall.conf.annotated
/usr/share/doc/packages/shorewall/Samples/three-interfaces/stoppedrules
/usr/share/doc/packages/shorewall/Samples/three-interfaces/stoppedrules.annotated
/usr/share/doc/packages/shorewall/Samples/three-interfaces/zones
/usr/share/doc/packages/shorewall/Samples/three-interfaces/zones.annotated
/usr/share/doc/packages/shorewall/Samples/two-interfaces
/usr/share/doc/packages/shorewall/Samples/two-interfaces/README.txt
/usr/share/doc/packages/shorewall/Samples/two-interfaces/interfaces
/usr/share/doc/packages/shorewall/Samples/two-interfaces/interfaces.annotated
/usr/share/doc/packages/shorewall/Samples/two-interfaces/masq
/usr/share/doc/packages/shorewall/Samples/two-interfaces/masq.annotated
/usr/share/doc/packages/shorewall/Samples/two-interfaces/policy
/usr/share/doc/packages/shorewall/Samples/two-interfaces/policy.annotated
/usr/share/doc/packages/shorewall/Samples/two-interfaces/rules
/usr/share/doc/packages/shorewall/Samples/two-interfaces/rules.annotated
/usr/share/doc/packages/shorewall/Samples/two-interfaces/shorewall.conf
/usr/share/doc/packages/shorewall/Samples/two-interfaces/shorewall.conf.annotated
/usr/share/doc/packages/shorewall/Samples/two-interfaces/stoppedrules
/usr/share/doc/packages/shorewall/Samples/two-interfaces/stoppedrules.annotated
/usr/share/doc/packages/shorewall/Samples/two-interfaces/zones
/usr/share/doc/packages/shorewall/Samples/two-interfaces/zones.annotated
/usr/share/doc/packages/shorewall/changelog.txt
/usr/share/doc/packages/shorewall/releasenotes.txt
/usr/share/man/man5/shorewall-accounting.5.gz
/usr/share/man/man5/shorewall-actions.5.gz
/usr/share/man/man5/shorewall-arprules.5.gz
/usr/share/man/man5/shorewall-blacklist.5.gz
/usr/share/man/man5/shorewall-blrules.5.gz
/usr/share/man/man5/shorewall-conntrack.5.gz
/usr/share/man/man5/shorewall-ecn.5.gz
/usr/share/man/man5/shorewall-exclusion.5.gz
/usr/share/man/man5/shorewall-hosts.5.gz
/usr/share/man/man5/shorewall-interfaces.5.gz
/usr/share/man/man5/shorewall-ipsets.5.gz
/usr/share/man/man5/shorewall-maclist.5.gz
/usr/share/man/man5/shorewall-mangle.5.gz
/usr/share/man/man5/shorewall-masq.5.gz
/usr/share/man/man5/shorewall-modules.5.gz
/usr/share/man/man5/shorewall-nat.5.gz
/usr/share/man/man5/shorewall-nesting.5.gz
/usr/share/man/man5/shorewall-netmap.5.gz
/usr/share/man/man5/shorewall-params.5.gz
/usr/share/man/man5/shorewall-policy.5.gz
/usr/share/man/man5/shorewall-providers.5.gz
/usr/share/man/man5/shorewall-proxyarp.5.gz
/usr/share/man/man5/shorewall-routes.5.gz
/usr/share/man/man5/shorewall-routestopped.5.gz
/usr/share/man/man5/shorewall-rtrules.5.gz
/usr/share/man/man5/shorewall-rules.5.gz
/usr/share/man/man5/shorewall-secmarks.5.gz
/usr/share/man/man5/shorewall-stoppedrules.5.gz
/usr/share/man/man5/shorewall-tcclasses.5.gz
/usr/share/man/man5/shorewall-tcdevices.5.gz
/usr/share/man/man5/shorewall-tcfilters.5.gz
/usr/share/man/man5/shorewall-tcinterfaces.5.gz
/usr/share/man/man5/shorewall-tcpri.5.gz
/usr/share/man/man5/shorewall-tcrules.5.gz
/usr/share/man/man5/shorewall-tos.5.gz
/usr/share/man/man5/shorewall-tunnels.5.gz
/usr/share/man/man5/shorewall-vardir.5.gz
/usr/share/man/man5/shorewall-zones.5.gz
/usr/share/man/man5/shorewall.conf.5.gz
/usr/share/man/man8/shorewall.8.gz
/usr/share/shorewall
/usr/share/shorewall/Shorewall
/usr/share/shorewall/action.A_Drop
/usr/share/shorewall/action.A_Reject
/usr/share/shorewall/action.AutoBL
/usr/share/shorewall/action.AutoBLL
/usr/share/shorewall/action.Broadcast
/usr/share/shorewall/action.DNSAmp
/usr/share/shorewall/action.Drop
/usr/share/shorewall/action.DropSmurfs
/usr/share/shorewall/action.Established
/usr/share/shorewall/action.IfEvent
/usr/share/shorewall/action.Invalid
/usr/share/shorewall/action.New
/usr/share/shorewall/action.NotSyn
/usr/share/shorewall/action.RST
/usr/share/shorewall/action.Reject
/usr/share/shorewall/action.Related
/usr/share/shorewall/action.ResetEvent
/usr/share/shorewall/action.SetEvent
/usr/share/shorewall/action.TCPFlags
/usr/share/shorewall/action.Untracked
/usr/share/shorewall/action.allowInvalid
/usr/share/shorewall/action.dropInvalid
/usr/share/shorewall/action.template
/usr/share/shorewall/actions.std
/usr/share/shorewall/configfiles
/usr/share/shorewall/configfiles/Makefile
/usr/share/shorewall/configfiles/accounting
/usr/share/shorewall/configfiles/accounting.annotated
/usr/share/shorewall/configfiles/actions
/usr/share/shorewall/configfiles/actions.annotated
/usr/share/shorewall/configfiles/arprules
/usr/share/shorewall/configfiles/arprules.annotated
/usr/share/shorewall/configfiles/blrules
/usr/share/shorewall/configfiles/blrules.annotated
/usr/share/shorewall/configfiles/clear
/usr/share/shorewall/configfiles/conntrack
/usr/share/shorewall/configfiles/conntrack.annotated
/usr/share/shorewall/configfiles/ecn
/usr/share/shorewall/configfiles/ecn.annotated
/usr/share/shorewall/configfiles/findgw
/usr/share/shorewall/configfiles/hosts
/usr/share/shorewall/configfiles/hosts.annotated
/usr/share/shorewall/configfiles/init
/usr/share/shorewall/configfiles/initdone
/usr/share/shorewall/configfiles/interfaces
/usr/share/shorewall/configfiles/interfaces.annotated
/usr/share/shorewall/configfiles/isusable
/usr/share/shorewall/configfiles/lib.private
/usr/share/shorewall/configfiles/maclist
/usr/share/shorewall/configfiles/maclist.annotated
/usr/share/shorewall/configfiles/mangle
/usr/share/shorewall/configfiles/mangle.annotated
/usr/share/shorewall/configfiles/masq
/usr/share/shorewall/configfiles/masq.annotated
/usr/share/shorewall/configfiles/nat
/usr/share/shorewall/configfiles/nat.annotated
/usr/share/shorewall/configfiles/netmap
/usr/share/shorewall/configfiles/netmap.annotated
/usr/share/shorewall/configfiles/params
/usr/share/shorewall/configfiles/params.annotated
/usr/share/shorewall/configfiles/policy
/usr/share/shorewall/configfiles/policy.annotated
/usr/share/shorewall/configfiles/providers
/usr/share/shorewall/configfiles/providers.annotated
/usr/share/shorewall/configfiles/proxyarp
/usr/share/shorewall/configfiles/proxyarp.annotated
/usr/share/shorewall/configfiles/refresh
/usr/share/shorewall/configfiles/refreshed
/usr/share/shorewall/configfiles/restored
/usr/share/shorewall/configfiles/routes
/usr/share/shorewall/configfiles/routes.annotated
/usr/share/shorewall/configfiles/rtrules
/usr/share/shorewall/configfiles/rtrules.annotated
/usr/share/shorewall/configfiles/rules
/usr/share/shorewall/configfiles/rules.annotated
/usr/share/shorewall/configfiles/scfilter
/usr/share/shorewall/configfiles/secmarks
/usr/share/shorewall/configfiles/secmarks.annotated
/usr/share/shorewall/configfiles/shorewall.conf
/usr/share/shorewall/configfiles/shorewall.conf.annotated
/usr/share/shorewall/configfiles/start
/usr/share/shorewall/configfiles/started
/usr/share/shorewall/configfiles/stop
/usr/share/shorewall/configfiles/stopped
/usr/share/shorewall/configfiles/stoppedrules
/usr/share/shorewall/configfiles/stoppedrules.annotated
/usr/share/shorewall/configfiles/tcclasses
/usr/share/shorewall/configfiles/tcclasses.annotated
/usr/share/shorewall/configfiles/tcclear
/usr/share/shorewall/configfiles/tcdevices
/usr/share/shorewall/configfiles/tcdevices.annotated
/usr/share/shorewall/configfiles/tcfilters
/usr/share/shorewall/configfiles/tcfilters.annotated
/usr/share/shorewall/configfiles/tcinterfaces
/usr/share/shorewall/configfiles/tcinterfaces.annotated
/usr/share/shorewall/configfiles/tcpri
/usr/share/shorewall/configfiles/tcpri.annotated
/usr/share/shorewall/configfiles/tos
/usr/share/shorewall/configfiles/tos.annotated
/usr/share/shorewall/configfiles/tunnels
/usr/share/shorewall/configfiles/tunnels.annotated
/usr/share/shorewall/configfiles/zones
/usr/share/shorewall/configfiles/zones.annotated
/usr/share/shorewall/configpath
/usr/share/shorewall/helpers
/usr/share/shorewall/lib.cli-std
/usr/share/shorewall/lib.core
/usr/share/shorewall/macro.AMQP
/usr/share/shorewall/macro.A_AllowICMPs
/usr/share/shorewall/macro.A_DropDNSrep
/usr/share/shorewall/macro.A_DropUPnP
/usr/share/shorewall/macro.ActiveDir
/usr/share/shorewall/macro.AllowICMPs
/usr/share/shorewall/macro.Amanda
/usr/share/shorewall/macro.Auth
/usr/share/shorewall/macro.BGP
/usr/share/shorewall/macro.BLACKLIST
/usr/share/shorewall/macro.BitTorrent
/usr/share/shorewall/macro.BitTorrent32
/usr/share/shorewall/macro.CVS
/usr/share/shorewall/macro.Citrix
/usr/share/shorewall/macro.DAAP
/usr/share/shorewall/macro.DCC
/usr/share/shorewall/macro.DHCPfwd
/usr/share/shorewall/macro.DNS
/usr/share/shorewall/macro.Distcc
/usr/share/shorewall/macro.Drop
/usr/share/shorewall/macro.DropDNSrep
/usr/share/shorewall/macro.DropUPnP
/usr/share/shorewall/macro.Edonkey
/usr/share/shorewall/macro.FTP
/usr/share/shorewall/macro.Finger
/usr/share/shorewall/macro.GNUnet
/usr/share/shorewall/macro.GRE
/usr/share/shorewall/macro.Git
/usr/share/shorewall/macro.Gnutella
/usr/share/shorewall/macro.Goto-Meeting
/usr/share/shorewall/macro.HKP
/usr/share/shorewall/macro.HTTP
/usr/share/shorewall/macro.HTTPS
/usr/share/shorewall/macro.ICPV2
/usr/share/shorewall/macro.ICQ
/usr/share/shorewall/macro.ILO
/usr/share/shorewall/macro.IMAP
/usr/share/shorewall/macro.IMAPS
/usr/share/shorewall/macro.IPIP
/usr/share/shorewall/macro.IPMI
/usr/share/shorewall/macro.IPP
/usr/share/shorewall/macro.IPPbrd
/usr/share/shorewall/macro.IPPserver
/usr/share/shorewall/macro.IPsec
/usr/share/shorewall/macro.IPsecah
/usr/share/shorewall/macro.IPsecnat
/usr/share/shorewall/macro.IRC
/usr/share/shorewall/macro.JAP
/usr/share/shorewall/macro.Jabber
/usr/share/shorewall/macro.JabberPlain
/usr/share/shorewall/macro.JabberSecure
/usr/share/shorewall/macro.Jabberd
/usr/share/shorewall/macro.Jetdirect
/usr/share/shorewall/macro.Kerberos
/usr/share/shorewall/macro.L2TP
/usr/share/shorewall/macro.LDAP
/usr/share/shorewall/macro.LDAPS
/usr/share/shorewall/macro.MSNP
/usr/share/shorewall/macro.MSSQL
/usr/share/shorewall/macro.Mail
/usr/share/shorewall/macro.MongoDB
/usr/share/shorewall/macro.Munin
/usr/share/shorewall/macro.MySQL
/usr/share/shorewall/macro.NNTP
/usr/share/shorewall/macro.NNTPS
/usr/share/shorewall/macro.NTP
/usr/share/shorewall/macro.NTPbi
/usr/share/shorewall/macro.NTPbrd
/usr/share/shorewall/macro.OSPF
/usr/share/shorewall/macro.OpenVPN
/usr/share/shorewall/macro.PCA
/usr/share/shorewall/macro.POP3
/usr/share/shorewall/macro.POP3S
/usr/share/shorewall/macro.PPtP
/usr/share/shorewall/macro.Ping
/usr/share/shorewall/macro.PostgreSQL
/usr/share/shorewall/macro.Printer
/usr/share/shorewall/macro.Puppet
/usr/share/shorewall/macro.QUIC
/usr/share/shorewall/macro.RDP
/usr/share/shorewall/macro.RIPbi
/usr/share/shorewall/macro.RNDC
/usr/share/shorewall/macro.Razor
/usr/share/shorewall/macro.Rdate
/usr/share/shorewall/macro.Redis
/usr/share/shorewall/macro.Reject
/usr/share/shorewall/macro.Rfc1918
/usr/share/shorewall/macro.Rsync
/usr/share/shorewall/macro.SANE
/usr/share/shorewall/macro.SIP
/usr/share/shorewall/macro.SMB
/usr/share/shorewall/macro.SMBBI
/usr/share/shorewall/macro.SMBswat
/usr/share/shorewall/macro.SMTP
/usr/share/shorewall/macro.SMTPS
/usr/share/shorewall/macro.SNMP
/usr/share/shorewall/macro.SNMPTrap
/usr/share/shorewall/macro.SPAMD
/usr/share/shorewall/macro.SSH
/usr/share/shorewall/macro.SVN
/usr/share/shorewall/macro.Sieve
/usr/share/shorewall/macro.SixXS
/usr/share/shorewall/macro.Squid
/usr/share/shorewall/macro.Submission
/usr/share/shorewall/macro.Syslog
/usr/share/shorewall/macro.TFTP
/usr/share/shorewall/macro.Telnet
/usr/share/shorewall/macro.Telnets
/usr/share/shorewall/macro.Teredo
/usr/share/shorewall/macro.Time
/usr/share/shorewall/macro.Tinc
/usr/share/shorewall/macro.Trcrt
/usr/share/shorewall/macro.VNC
/usr/share/shorewall/macro.VNCL
/usr/share/shorewall/macro.VRRP
/usr/share/shorewall/macro.Web
/usr/share/shorewall/macro.Webcache
/usr/share/shorewall/macro.Webmin
/usr/share/shorewall/macro.Whois
/usr/share/shorewall/macro.Xymon
/usr/share/shorewall/macro.Zabbix
/usr/share/shorewall/macro.mDNS
/usr/share/shorewall/macro.mDNSbi
/usr/share/shorewall/macro.template
/usr/share/shorewall/modules
/usr/share/shorewall/modules.essential
/usr/share/shorewall/modules.extensions
/usr/share/shorewall/modules.ipset
/usr/share/shorewall/modules.tc
/usr/share/shorewall/modules.xtables
/usr/share/shorewall/prog.footer
/usr/share/shorewall/version
/var/lib/shorewall


Generated by rpm2html 1.8.1

Fabrice Bellet, Mon Dec 10 02:03:42 2018