Jonathan Underwood
2008-Jan-06 00:06 UTC
Missing patch for shorewall-shell in 4.0.7 errata?
Hi Tom,

In the release notes for Shorewall 4.0 Patch release 7.2, it says that "Shorewall 4.0.7.2 removes the incorrect syntax in both Shorewall-perl and in Shorewall-shell." in reference to the fix regarding police filters. But in the errata directory, there are only patches for shorewall-perl. Should there not also be a patch against shorewall-shell?

Cheers,
Jonathan.
Jonathan Underwood wrote:

> Hi Tom,
>
> In the release notes for Shorewall 4.0 Patch release 7.2, it says that
> "Shorewall 4.0.7.2 removes the incorrect syntax in both Shorewall-perl
> and in Shorewall-shell." in reference to the fix regarding police
> filters. But in the errata directory, there are only patches for
> shorewall-perl. Should there not also be a patch against
> shorewall-shell?

I just uploaded the patch.

But if Fedora isn't going to release the broken iproute2 package, there is no reason to release the Shorewall workarounds. The workarounds are primarily for Debian users who are using the Testing repository.

The iproute2 package has been determined to be broken and the upstream maintainer has already backed out the change. I've already backed the workaround out of both my 4.0 and 4.1 trees.

On a related note, you should be using the patches in the release subvolume rather than those in the errata. The latter are intended to be installed into a running system while the former can be applied during package build.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
Jonathan Underwood
2008-Jan-06 11:57 UTC
Re: Missing patch for shorewall-shell in 4.0.7 errata?
On 06/01/2008, Tom Eastep <teastep@shorewall.net> wrote:

> I just uploaded the patch.

Thanks very much.

> But if Fedora isn't going to release the broken iproute2 package, there
> is no reason to release the Shorewall workarounds. The workarounds are
> primarily for Debian users who are using the Testing repository.
>
> The iproute2 package has been determined to be broken and the upstream
> maintainer has already backed out the change. I've already backed the
> workaround out of both my 4.0 and 4.1 trees.

OK, understood, I won't apply anything regarding iproute2.

Presumably the following hunk is still useful though:

diff -Naur -X /home/teastep/shorewall/trunk/tools/build/exclude.txt shorewall-perl-4.0.7.1/Shorewall/Chains.pm shorewall-perl-4.0.7.2/Shorewall/Chains.pm --- shorewall-perl-4.0.7.1/Shorewall/Chains.pm 2007-12-28 21:38:42.000000000 -0800 +++ shorewall-perl-4.0.7.2/Shorewall/Chains.pm 2008-01-02 08:07:57.000000000 -0800 @@ -1131,7 +1131,7 @@ validate_mark $testval; - $testval .= ''/0xFF'' unless ( $testval =~ ''/'' ); + $testval = join( ''/'', $testval, in_hex( $mask ) ) unless ( $testval =~ ''/'' ); "$match $testval ";

> On a related note, you should be using the patches in the release
> subvolume rather than those in the errata. The latter are intended to be
> installed into a running system while the former can be applied during
> package build.

OK, thanks for the clarification.

J.
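Review bot: In the `+` line of the Chains.pm hunk, `$mask` is used but is neither declared nor assigned in the visible context, so the patch does not show what default now replaces the hard-coded 0xFF. A short comment at that line saying where `$mask` is set and what values it can take would make the change reviewable on its own. Note also that `validate_mark $testval` runs before the mask is appended, so the part produced by `in_hex( $mask )` is never validated; that is fine only if `$mask` is always a known-good value.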
Jonathan Underwood wrote:

> OK, understood, I won't apply anything regarding iproute2.
>
> Presumably the following hunk is still useful though:
>
> diff -Naur -X /home/teastep/shorewall/trunk/tools/build/exclude.txt > shorewall-perl-4.0.7.1/Shorewall/Chains.pm > shorewall-perl-4.0.7.2/Shorewall/Chains.pm > --- shorewall-perl-4.0.7.1/Shorewall/Chains.pm 2007-12-28 > 21:38:42.000000000 -0800 > +++ shorewall-perl-4.0.7.2/Shorewall/Chains.pm 2008-01-02 > 08:07:57.000000000 -0800 > @@ -1131,7 +1131,7 @@ > > validate_mark $testval; > > - $testval .= ''/0xFF'' unless ( $testval =~ ''/'' ); > + $testval = join( ''/'', $testval, in_hex( $mask ) ) unless ( > $testval =~ ''/'' ); > > "$match $testval ";

Yes. The following is the only hunk which should be omitted:

diff -Naur -X /home/teastep/shorewall/trunk/tools/build/exclude.txt shorewall-perl-4.0.7.1/Shorewall/Tc.pm shorewall-perl-4.0.7.2/Shorewall/Tc.pm --- shorewall-perl-4.0.7.1/Shorewall/Tc.pm 2007-11-16 07:57:37.000000000 -0800 +++ shorewall-perl-4.0.7.2/Shorewall/Tc.pm 2008-01-02 08:02:43.000000000 -0800 @@ -458,7 +458,7 @@ if ( $inband ) { emit ( "run_tc qdisc add dev $device handle ffff: ingress", - "run_tc filter add dev $device parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst 10k drop flowid :1" + "run_tc filter add dev $device parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst 10k drop" ); }

-Tom
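Review bot: The `+` line in the Tc.pm hunk drops `flowid :1` from the ingress police filter unconditionally, and nothing in the hunk records that this is a workaround for a particular iproute2 behaviour. Since the thread says the iproute2 change has been backed out upstream, the removal should either be gated on the affected iproute2 version or carry a comment saying when it can be reverted, so the generated `run_tc filter add` command does not silently differ for users on unaffected packages.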
Jonathan Underwood
2008-Jan-06 18:50 UTC
Re: Missing patch for shorewall-shell in 4.0.7 errata?
On 06/01/2008, Tom Eastep <teastep@shorewall.net> wrote:

> Yes. The following is the only hunk which should be omitted:
>
> diff -Naur -X /home/teastep/shorewall/trunk/tools/build/exclude.txt shorewall-perl-4.0.7.1/Shorewall/Tc.pm shorewall-perl-4.0.7.2/Shorewall/Tc.pm > --- shorewall-perl-4.0.7.1/Shorewall/Tc.pm 2007-11-16 07:57:37.000000000 -0800 > +++ shorewall-perl-4.0.7.2/Shorewall/Tc.pm 2008-01-02 08:02:43.000000000 -0800 > @@ -458,7 +458,7 @@ > > if ( $inband ) { > emit ( "run_tc qdisc add dev $device handle ffff: ingress", > - "run_tc filter add dev $device parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst 10k drop flowid :1" > + "run_tc filter add dev $device parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst 10k drop" > ); > }

OK thanks.

Actually, looking a bit closer, it appears that shorewall-perl-4.0.7.tar.bz2 from the base directory already has patch-perl-4.0.7.1 applied, which is very confusing. From the previous discussion, I had understood that the point release patches were to be applied in increasing order to the tarballs in base. Did I totally misunderstand?
Jonathan Underwood wrote:

> On 06/01/2008, Tom Eastep <teastep@shorewall.net> wrote:
>> Yes. The following is the only hunk which should be omitted:
>>
>> diff -Naur -X /home/teastep/shorewall/trunk/tools/build/exclude.txt shorewall-perl-4.0.7.1/Shorewall/Tc.pm shorewall-perl-4.0.7.2/Shorewall/Tc.pm >> --- shorewall-perl-4.0.7.1/Shorewall/Tc.pm 2007-11-16 07:57:37.000000000 -0800 >> +++ shorewall-perl-4.0.7.2/Shorewall/Tc.pm 2008-01-02 08:02:43.000000000 -0800 >> @@ -458,7 +458,7 @@ >> >> if ( $inband ) { >> emit ( "run_tc qdisc add dev $device handle ffff: ingress", >> - "run_tc filter add dev $device parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst 10k drop flowid :1" >> + "run_tc filter add dev $device parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst 10k drop" >> ); >> }
>
> OK thanks.
>
> Actually, looking a bit closer, it appears that
> shorewall-perl-4.0.7.tar.bz2 from the base directory already has
> patch-perl-4.0.7.1 applied, which is very confusing. From the previous
> discussion, I had understood that the point release patches were to be
> applied in increasing order to the tarballs in base. Did I totally
> misunderstand?

I have no clue how that happened.

-Tom
Jonathan Underwood
2008-Jan-06 19:05 UTC
Re: Missing patch for shorewall-shell in 4.0.7 errata?
On 06/01/2008, Tom Eastep <teastep@shorewall.net> wrote:

> I have no clue how that happened.

Oh well, no harm done (except me wondering if I was going mad for a few seconds). :).

J.
Jonathan Underwood wrote:

> On 06/01/2008, Tom Eastep <teastep@shorewall.net> wrote:
>> I have no clue how that happened.
>
> Oh well, no harm done (except me wondering if I was going mad for a
> few seconds). :).

It appears that I mis-ran the upload script on 12/28 (the day that I built .1).

-Tom