Hello community,
here is the log from the commit of package SuSEfirewall2.1187 for
openSUSE:12.2:Update checked in at 2012-12-27 13:43:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2:Update/SuSEfirewall2.1187 (Old)
and /work/SRC/openSUSE:12.2:Update/.SuSEfirewall2.1187.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "SuSEfirewall2.1187", Maintainer is ""
Changes:
--------
New Changes file:
--- /dev/null 2012-12-21 01:49:00.356010756 +0100
+++
/work/SRC/openSUSE:12.2:Update/.SuSEfirewall2.1187.new/SuSEfirewall2.changes
2012-12-27 13:43:16.000000000 +0100
@@ -0,0 +1,1227 @@
+-------------------------------------------------------------------
+Thu Dec 13 16:03:18 UTC 2012 - [email protected]
+
+- just CT instead of NOTRACK (bnc#793459)
+
+-------------------------------------------------------------------
+Tue Sep 11 08:29:41 UTC 2012 - [email protected]
+
+- getdevinfo is gone as per commit 0c5ac93 (bnc#777271)
+
+-------------------------------------------------------------------
+Fri Jul 13 12:43:17 UTC 2012 - [email protected]
+
+- honor FW_IPv6 setting also in debug mode (bnc#769411)
+
+-------------------------------------------------------------------
+Tue Jun 19 11:38:32 UTC 2012 - [email protected]
+
+- fix logging in test mode
+
+-------------------------------------------------------------------
+Mon Jun 18 09:30:51 UTC 2012 - [email protected]
+
+- allow icmpv6 in FW_SERVICES_*_*
+
+-------------------------------------------------------------------
+Mon Jun 18 09:24:18 UTC 2012 - [email protected]
+
+- allow ICMPv6 Multicast Listener Query (bnc#767392)
+
+-------------------------------------------------------------------
+Tue May 29 13:16:20 UTC 2012 - [email protected]
+
+- fix typo spotted by Frederic
+
+-------------------------------------------------------------------
+Wed Jan 18 14:17:19 UTC 2012 - [email protected]
+
+- assume all interface names are correct (bnc#739084)
+
+-------------------------------------------------------------------
+Wed Dec 14 16:55:43 UTC 2011 - [email protected]
+
+- fix forward masquerading (bnc#736205)
+- compat syntax for negated options no longer works (bnc#660156, bnc#731088)
+- enhance debug mode
+
+-------------------------------------------------------------------
+Mon Nov 7 10:56:04 UTC 2011 - [email protected]
+
+- use /sbin/rpcinfo as /usr/sbin/rpcinfo is gone (bnc#727438)
+
+-------------------------------------------------------------------
+Wed Nov 2 15:27:04 UTC 2011 - [email protected]
+
+- set SYSTEMD_NO_WRAP for status (bnc#727445)
+
+-------------------------------------------------------------------
+Fri Oct 14 09:46:33 UTC 2011 - [email protected]
+
+- fix manual rcSuSEfirewall2 stop with sytemd (bnc#717583)
+
+-------------------------------------------------------------------
+Tue Oct 4 14:53:13 UTC 2011 - [email protected]
+
+- fix typo (bnc#721845)
+- atomic zone status writing
+
+-------------------------------------------------------------------
+Sat Sep 17 10:25:23 UTC 2011 - [email protected]
+
+- Remove redundant tags/sections from specfile
+
+-------------------------------------------------------------------
+Wed Sep 7 11:38:14 UTC 2011 - [email protected]
+
+- sanitize FW_ZONE_DEFAULT (bnc#716013)
+- add warning about iptables-batch to SuSEfirewall2-custom
+- fix warning about /proc/net/ip_tables_names not readable
+- don't install input rules for interfaces in default zone
+- Add hook fw_custom_after_finished
+- update FAQ (bnc#694464)
+- clean up overrides when stopping the firewall (bnc#630961)
+- change default FW_LOG_ACCEPT_CRIT to "no"
+- allow redir without port specification
+- make FW_SERVICES_{REJECT,DROP}_* take precedende before ACCEPT (bnc#671997)
+- fix zonein and zoneout parameters
+- fix reverse direction of forwarding rules (bnc#679192)
+
+-------------------------------------------------------------------
+Tue Feb 1 13:16:53 UTC 2011 - [email protected]
+
+- introduce rpcusers file to allow statd to run as non-root
+ (bnc#668553)
+
+-------------------------------------------------------------------
+Wed Jan 19 14:04:48 UTC 2011 - [email protected]
+
+- add zonein and zoneout parameters for FW_FORWARD
+- fix typos
+
+-------------------------------------------------------------------
+Mon Jan 10 13:15:05 UTC 2011 - [email protected]
+
+- don't start in runlevel 4 by default (bnc#656520)
+- cut off long zone names (bnc#644527)
+- fix and enhance output of log command (bnc#663262)
+
+-------------------------------------------------------------------
+Thu Dec 2 13:33:59 UTC 2010 - [email protected]
+
+- don't unload rules when using systemd
+
+-------------------------------------------------------------------
+Tue Nov 16 15:01:04 UTC 2010 - [email protected]
+
+- list some known rpc services as Should-Start
+- don't filter outgoing packets at all
+- fix an example (bnc#641907)
+- fix status check in SuSEfirewall2_init (bnc#628751)
+
+-------------------------------------------------------------------
+Mon Aug 16 07:32:31 UTC 2010 - [email protected]
+
+- don't use fillup anymore as it keeps corrupting the config file
+ (bnc#340926)
+
+-------------------------------------------------------------------
+Tue Jun 29 12:20:30 UTC 2010 - [email protected]
+
+- remove "batch committing..." message
+- read defaults from separate file
+- warn if highports config options are set
+- finally drop 'highports' misfeature
+- remove kernel ipv6 module detection (bnc#617033)
+- silence warning about default zone (bnc#616841)
+- SuSEfirewall2-open: don't add values multiple times
+- Use multiprotocol xt_conntrack
+
+-------------------------------------------------------------------
+Mon May 31 08:11:54 UTC 2010 - [email protected]
+
+- only directories in /sys/class/net are real interfaces (bnc#609810)
+
+-------------------------------------------------------------------
+Fri Mar 19 13:34:10 UTC 2010 - [email protected]
+
+- add entry about drbd to FAQ
+- update docu
+- implement FW_BOOT_FULL_INIT
+
+-------------------------------------------------------------------
+Tue Feb 16 13:51:48 UTC 2010 - [email protected]
+
+- use new versioning scheme after switch of repo to git
+- update and rebuild docu
+- remove really old rc.config conversion code from spec file
+
+-------------------------------------------------------------------
+Tue Sep 15 13:33:06 UTC 2009 - [email protected]
+
+- fix spelling error in sysconfig file (bnc#537427)
+- polishing of log drop policy (bnc#538053)
+ * drop multicast packets silently
+ * separate drop rule for broadcast packets at end of chain
+ * only consider NEW udp packets as critical
+ * don't log INVALID packets as critical
+
+-------------------------------------------------------------------
+Fri Aug 21 11:09:40 UTC 2009 - [email protected]
+
+- implement runtime override of interface zones
+- allow disabling NOTRACK rules on lo (bnc#519526)
+
+-------------------------------------------------------------------
+Fri Jul 17 10:04:48 UTC 2009 - [email protected]
+
+- remove chkconfig calls (bnc#522268)
+
+-------------------------------------------------------------------
+Thu Jul 9 13:50:47 UTC 2009 - [email protected]
+
+- add note about use as bridging firewall
+- allow to set FW_ZONE_DEFAULT via config file
+- deprecate fw_custom_before_antispoofing and
+ fw_custom_after_antispoofing, use fw_custom_after_chain_creation
+ instead
+
+-------------------------------------------------------------------
+Tue Jun 9 14:19:27 UTC 2009 - [email protected]
+
+- add note that ulog doesn't work with IPv6 (bnc#442756)
+- fix version number in help text
+- allow service files to specify kernel modules and allow related packets
+- silence an error from bash if a service config file is not available
(bnc#487870)
+- better wording for BROADCAST in template
+- update firewall hook script (patch by Marius)
++++ 1030 more lines (skipped)
++++ between /dev/null
++++ and
/work/SRC/openSUSE:12.2:Update/.SuSEfirewall2.1187.new/SuSEfirewall2.changes
New:
----
SuSEfirewall2-3.6.295.tar.bz2
SuSEfirewall2-just-CT-instead-of-NOTRACK-bnc-793459.diff
SuSEfirewall2.changes
SuSEfirewall2.spec
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ SuSEfirewall2.spec ++++++
#
# spec file for package SuSEfirewall2
#
# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# icecream 0
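Name:           SuSEfirewall2
Version:        3.6.295
Release:        0
Url:            http://en.opensuse.org/SuSEfirewall2
# Tools that must be present before the install scriptlets run; the post
# scriptlet calls sed, grep and mv. The tag has to stay on one line: a wrapped
# continuation is not valid here and would leave a stray line in the preamble.
PreReq:         %fillup_prereq %insserv_prereq /bin/sed textutils fileutils grep filesystem
# Runtime dependencies of the firewall scripts.
Requires:       coreutils
Requires:       iptables
Requires:       perl
Requires:       sysconfig
Summary:        Stateful Packet Filter Using iptables and netfilter
License:        GPL-2.0+
Group:          Productivity/Networking/Security
Source:         SuSEfirewall2-%{version}.tar.bz2
# bnc#793459: raw-table rules use the CT target with --notrack in place of
# the NOTRACK target.
Patch0:         SuSEfirewall2-just-CT-instead-of-NOTRACK-bnc-793459.diff
BuildArch:      noarch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build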
%description
SuSEfirewall2 implements a packet filter that protects hosts and
routers by limiting which services or networks are accessible on the
host or via the router.
SuSEfirewall2 uses the iptables/netfilter packet filtering
infrastructure to create a flexible rule set for a stateful firewall.
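%prep
%setup
# Apply the bnc#793459 change (CT --notrack in place of the NOTRACK target).
%patch0 -p1
# please send patches to lnussel for inclusion in git first
# http://gitorious.org/opensuse/susefirewall2

%build
# No build step: this section has no commands.

%install
make DESTDIR="%{buildroot}" install install_doc
# The sysconfig file is installed twice: once as the fillup template and once
# as the live configuration file. Both copies are mode 644. Each install
# command needs source and destination on one logical line, hence the
# explicit continuations.
install -d -m 755 %{buildroot}/var/adm/fillup-templates/
install -m 644 SuSEfirewall2.sysconfig \
    %{buildroot}/var/adm/fillup-templates/sysconfig.SuSEfirewall2
install -D -m 644 SuSEfirewall2.sysconfig \
    %{buildroot}/etc/sysconfig/SuSEfirewall2
# Desktop entry for the online help system.
install -d -m 755 %{buildroot}%{_datadir}/susehelp/meta/Manuals/Productivity
install -m 644 doc/SuSEfirewall2-doc.desktop \
    %{buildroot}%{_datadir}/susehelp/meta/Manuals/Productivity/SuSEfirewall2.desktop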
#
%files
# Every packaged file is owned by root:root; the dash keeps the file modes
# that the install step set in the build root.
%defattr(-, root, root)
%doc %{_docdir}/%{name}
%doc %{_datadir}/susehelp
# Administrator-edited configuration: with noreplace a locally modified copy
# stays in place on upgrade instead of being overwritten.
%config(noreplace) /etc/sysconfig/scripts/SuSEfirewall2-custom
%config(noreplace) /etc/sysconfig/SuSEfirewall2
# The init scripts are config entries without noreplace: when the packaged
# file changes, an upgrade installs the new version and rpm keeps a locally
# edited copy under an .rpmsave name.
%config /etc/init.d/SuSEfirewall2_init
%config /etc/init.d/SuSEfirewall2_setup
# Service definitions, helper scripts and network hooks. None of these is
# marked as config, so upgrades replace them and rpm -V reports local edits.
/etc/sysconfig/SuSEfirewall2.d/services/*
/etc/sysconfig/scripts/SuSEfirewall2-rpcinfo
/etc/sysconfig/scripts/SuSEfirewall2-showlog
/etc/sysconfig/scripts/SuSEfirewall2-open
/etc/sysconfig/scripts/SuSEfirewall2-batch
/etc/sysconfig/scripts/SuSEfirewall2-qdisc
/etc/sysconfig/scripts/SuSEfirewall2-oldbroadcast
/etc/sysconfig/network/scripts/SuSEfirewall2
/etc/sysconfig/network/scripts/firewall
/etc/sysconfig/network/if-up.d/SuSEfirewall2
# The firewall script itself and its rc wrapper.
/sbin/rcSuSEfirewall2
/sbin/SuSEfirewall2
# Packaged defaults and the rpcusers file.
%dir /usr/share/SuSEfirewall2
%dir /usr/share/SuSEfirewall2/defaults
/usr/share/SuSEfirewall2/defaults/50-default.cfg
/usr/share/SuSEfirewall2/rpcusers
/var/adm/fillup-templates/sysconfig.SuSEfirewall2
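%postun
%insserv_cleanup

%post
# SuSEfirewall2_init is no longer a boot.d script, need to remove
# and add it again
# NOTE(review): every path in this scriptlet is relative; this assumes it
# runs with the filesystem root as working directory -- confirm.
for i in etc/init.d/boot.d/S??SuSEfirewall2_init; do
    # An unmatched glob stays literal, so test that the link really exists.
    if [ -e "$i" ]; then
        /sbin/insserv -r -f SuSEfirewall2_init
        /sbin/insserv -f SuSEfirewall2_init
        break
    fi
done
# Config migration: rewrite FW_MASQ_DEV only when it still holds exactly the
# old "$FW_DEV_EXT" value; any other setting is left untouched.
if [ -e etc/sysconfig/SuSEfirewall2 ] \
    && grep -q '^FW_MASQ_DEV="\$FW_DEV_EXT"$' etc/sysconfig/SuSEfirewall2; then
    # Write the result to a sibling file and rename it over the original, so
    # the live firewall config is never left half-written. The mv needs both
    # operands on one line; split across two lines it fails and the
    # conversion is skipped.
    # NOTE(review): the .new file is created with the scriptlet's umask, so a
    # stricter mode set by the administrator on the config is not carried over.
    sed 's/^FW_MASQ_DEV="\$FW_DEV_EXT"$/FW_MASQ_DEV="zone:ext"/' \
        < etc/sysconfig/SuSEfirewall2 \
        > etc/sysconfig/SuSEfirewall2.new \
        && mv etc/sysconfig/SuSEfirewall2.new etc/sysconfig/SuSEfirewall2 \
        && echo "FW_MASQ_DEV converted"
fi
#
%insserv_cleanup
#
# Always report success to rpm, whatever the commands above returned.
exit 0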
%changelog
++++++ SuSEfirewall2-just-CT-instead-of-NOTRACK-bnc-793459.diff ++++++
>From f6db3cde6de19431d187b4c18fcd1f1a732ade55 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel <[email protected]>
Date: Wed, 12 Dec 2012 16:27:33 +0100
Subject: [PATCH 2/2] just CT instead of NOTRACK (bnc#793459)
---
SuSEfirewall2 | 8 ++++----
1 Datei geändert, 4 Zeilen hinzugefügt(+), 4 Zeilen entfernt(-)
diff --git a/SuSEfirewall2 b/SuSEfirewall2
index 1aa2724..ebb4b97 100755
--- a/SuSEfirewall2
+++ b/SuSEfirewall2
@@ -721,8 +721,8 @@ function set_basic_rules()
$iptables -A INPUT -j "$ACCEPT" -i lo
$iptables -A OUTPUT -j "$ACCEPT" -o lo
if [ "$FW_LO_NOTRACK" != 'no' ]; then
- $iptables -t raw -A PREROUTING -j NOTRACK -i lo
- $iptables -t raw -A OUTPUT -j NOTRACK -o lo
+ $iptables -t raw -A PREROUTING -j CT --notrack -i lo
+ $iptables -t raw -A OUTPUT -j CT --notrack -o lo
fi
done
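Review bot: The two `-j CT --notrack` rules in the `FW_LO_NOTRACK` branch are added without any check that the running kernel and iptables build provide the CT target, and nothing visible here falls back to the old NOTRACK target. If the target is missing, the commands presumably just fail and loopback traffic is tracked again, which loses the optimisation silently rather than opening anything. I would state the requirement next to the rules, e.g. `# CT --notrack replaces the NOTRACK target (bnc#793459); requires CT target support in kernel and iptables`, or test the exit status and log a warning. The same applies to the two rules changed in protect_from_internal. set_basic_rules starts and ends outside this hunk, so handling elsewhere in the function cannot be ruled out.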
@@ -1480,8 +1480,8 @@ protect_from_internal()
eval devs="\$FW_DEV_$zone"
for dev in $devs; do
for iptables in "$IPTABLES" "$IP6TABLES"; do
- $iptables -t raw -i $dev -I PREROUTING -j NOTRACK
- $iptables -t raw -o $dev -I OUTPUT -j NOTRACK
+ $iptables -t raw -i $dev -I PREROUTING -j CT --notrack
+ $iptables -t raw -o $dev -I OUTPUT -j CT --notrack
$iptables -i $dev -I INPUT -j ACCEPT
$iptables -o $dev -I OUTPUT -j ACCEPT
done
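Review bot: `$dev` is expanded unquoted in both rewritten raw-table rules; quote it so the interface name always reaches iptables as exactly one literal argument: `$iptables -t raw -i "$dev" -I PREROUTING -j CT --notrack` and `$iptables -t raw -o "$dev" -I OUTPUT -j CT --notrack`. This is a style point, since `for dev in $devs` above already word-splits the list, but it matches the `"$ACCEPT"` quoting used in set_basic_rules and removes a second round of pathname expansion. The unchanged INPUT/OUTPUT ACCEPT lines below follow the same pattern. protect_from_internal begins before and continues past this hunk.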
--
1.7.10.4