Red Hat Bugzilla – Bug 321691
Review Request: shorewall-common - Common files for the shorewall firewall compilers
Last modified: 2007-11-30 17:12:17 EST
Spec URL: http://jgu.fedorapeople.org/shorewall-common.spec
SRPM URL: http://jgu.fedorapeople.org/shorewall-common-4.0.4-1.fc7.src.rpm
The Shoreline Firewall, more commonly known as "Shorewall", is a
Netfilter (iptables) based firewall that can be used on a dedicated
firewall system, a multi-function gateway/router/server or on a
standalone GNU/Linux system.
The version 3 release series of Shorewall is already available in Fedora. With the release of version 4, upstream has added a new perl-based rule compiler and completely changed the way the package is distributed. The shell-based and perl-based compilers are each distributed as individual tarballs, and files required to run shorewall with either compiler are packaged as a third tarball, shorewall-common.
The shorewall-perl compiler is suggested for newly
installed systems and shorewall-shell is provided for backwards
compatibility and smooth legacy system upgrades because shorewall-perl
is not fully compatible with all legacy configurations.
This package contains the files required by shorewall-perl and
shorewall-shell to run. You need to install the shorewall-perl and/or
shorewall-shell package(s) for a functional firewall.
shorewall-common is also required by shorewall-lite, a light-weight Shorewall version that will run compiled firewall scripts generated on a system with one of the compiler packages installed.
$ rpmlint -i ../RPMS/noarch/shorewall-common-4.0.4-1.fc7.noarch.rpm
shorewall-common.noarch: W: service-default-enabled /etc/rc.d/init.d/shorewall
The service is enabled by default after "chkconfig --add"; for security
reasons, most services should not be. Use "-" as the default runlevel in the
init script's "chkconfig:" line and/or remove the "Default-Start:" LSB keyword
to fix this if appropriate for this service.
--> This one is bogus - the startup script has an empty entry for Default-Start.
Removing the Default-Start entry makes the warning go away, but it is fine to
have an empty one there.
shorewall-common.noarch: E: subsys-not-used /etc/rc.d/init.d/shorewall
While your daemon is running, you have to put a lock file in
/var/lock/subsys/. To see an example, look at this directory on your
machine and examine the corresponding init scripts.
--> Also bogus - shorewall creates a lock file itself, there's no need for the
startup script to generate one.
shorewall-common.noarch: W: incoherent-init-script-name shorewall
The init script name should be the same as the package name in lower case,
or one with 'd' appended if it invokes a process by that name.
--> Also bogus - this goes away if I rename the startup script shorewall-common,
which is an awkward name.
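The service-default-enabled warning quoted above concerns two init-script headers, the "chkconfig:" line and the LSB "Default-Start:" keyword. As an added example (not part of the bug report or of the shorewall package), this shell check lists the runlevels each header actually names; the function names are hypothetical and the sample headers are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report): list the runlevels a SysV init
# script header asks to be started in, so a reviewer can see whether
# "chkconfig --add" would leave the service switched on.

# default_runlevels FILE
#   prints "chkconfig:<levels>" for a "# chkconfig: <levels> <start> <stop>" line
#   prints "lsb:<levels>"       for a "# Default-Start: <levels>" LSB keyword
# Assumption: a "-" chkconfig field and an empty Default-Start name no runlevel.
default_runlevels() {
    awk '
        /^#[ \t]*chkconfig:/ {
            sub(/^#[ \t]*chkconfig:[ \t]*/, "")
            if ($1 != "" && $1 != "-") print "chkconfig:" $1
        }
        /^#[ \t]*Default-Start:/ {
            sub(/^#[ \t]*Default-Start:[ \t]*/, "")
            gsub(/[ \t]+/, "")
            if ($0 != "") print "lsb:" $0
        }
    ' "$1"
}

# enabled_by_default FILE: succeeds when either header names a runlevel.
enabled_by_default() {
    [ -n "$(default_runlevels "$1")" ]
}

# Constructed sample headers (priorities 25/90 are made up for the demo).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '#!/bin/sh' '# chkconfig: - 25 90' '### BEGIN INIT INFO' \
    '# Default-Start:' '### END INIT INFO' > "$tmp/empty-lsb"
printf '%s\n' '#!/bin/sh' '# chkconfig: 2345 25 90' > "$tmp/chkconfig-on"
printf '%s\n' '#!/bin/sh' '# chkconfig: - 25 90' '### BEGIN INIT INFO' \
    '# Default-Start: 2 3 5' '### END INIT INFO' > "$tmp/lsb-on"

# Report each sample: which ones would come up enabled, and from which header.
for f in "$tmp"/*; do
    if enabled_by_default "$f"; then
        echo "${f##*/}: on by default ($(default_runlevels "$f"))"
    else
        echo "${f##*/}: off by default"
    fi
done
```

The check flags a script when either header names a runlevel, so it does not depend on which of the two headers takes precedence.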
Added current shorewall package owner to cc.
Robert - I'm not trying to usurp your package here, but I thought that because
upstream has changed so much, and because I'd done the packaging work for other
reasons, it would be useful to put them into BZ for review. I am more than happy
if you want to continue owning this package. Am also happy to co-maintain
shorewall with you, if you like.
$ rpmlint -i ../RPMS/noarch/shorewall-perl-4.0.4-1.fc7.noarch.rpm
shorewall-perl.noarch: E: useless-explicit-provides perl(Shorewall::Ports)
This package provides 2 times the same capacity. It should only provide it
--> This is bogus, and is caused by a problem with the way rpm generates
automatic Provides. The package contains a perl script (buildports.pl) which
parses /etc/services and /etc/protocols to generate a module Ports.pm. This is
done at package build time. Because buildports.pl contains the text "package
Shorewall::Ports;" which it echoes out to Ports.pm during generation, RPM
believes that both Ports.pm and buildports.pl provide Shorewall::Ports. This
could be solved by not including buildports.pl in the package, but this file has
utility for people who make local mods to /etc/services or /etc/protocols.
shorewall-perl.noarch: W: empty-%pre
shorewall-perl.noarch: W: empty-%post
shorewall-perl.noarch: W: empty-%preun
--> These 3 can be ignored.
Crap, please ignore Comment #3 - this was meant to go into the BZ for
shorewall-perl (BZ #321711).
Following discussion with Robert, and also on #fedora-devel, consensus seems to
be that it is better to have a single package with all tarballs. Therefore, I'm
closing this review, and discussion of the multitarball package will continue in
> This one is bogus - the startup script has an empty entry for Default-Start.
> Removing the Default-Start entry makes the warning go away, but it is fine to
> have an empty one there.