----------------------------------------------------------------------------
	             S H O R E W A L L  5 . 0 . 1 2 . 1
                        -----------------------------
                        O c t o b e r  1 0 ,  2 0 1 6
----------------------------------------------------------------------------

I.    PROBLEMS CORRECTED IN THIS RELEASE
II.   KNOWN PROBLEMS REMAINING
III.  NEW FEATURES IN THIS RELEASE
IV.   MIGRATION ISSUES
V.    PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES

----------------------------------------------------------------------------
  I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

5.0.12.1

1)  The first example in New Feature 1) below has been corrected.

2)  The wording in the description of DYNAMIC_BLACKLISTING in
    shorewall[6].conf(5) has been corrected.

3)  Typos in shorewall[6]-mangle(5) have been corrected (Roberto
    C. Sánchez).

4)  The options in shorewall[6].conf have been reordered to put them
    in ASCII collating sequence within the FIREWALL OPTIONS section.

5)  A defect introduced in Shorewall 5.0.12 could cause a runtime
    failure during start:

      /var/lib/shorewall/.start: 614: return: Illegal number: status

    That has been corrected.

5.0.12

1)  Minor cleanup, mostly commentary, in the Rules.pm module.

2)  In Shorewall 5.0.7, The assumed 'use Shorewall::Config(shorewall)'
    statement in ?PERL and ?BEGIN PERL...?END PERL handling was
    inadvertently removed. This results in Perl compilation errors if
    the 'shorewall' function is invoked. The statement has now been
    restored.

3)  Previously, the firewall would fail to start if the configuration
    contained a CHECKSUM rule without a chain designator and
    MARK_IN_FORWARD_CHAIN=No. Now, the compiler defaults these rules to
    the POSTROUTING chain and forbids them in the PREROUTING chain.

4)  Recently, a case was observed where certain incoming packets had a
    non-zero packet mark in the raw PREROUTING chain, causing them to
    be misrouted. To guard against this issue, packet marks are now
    cleared at the top of the PREROUTING and OUTPUT mangle chains when
    the new ZERO_MARKS option is set to yes. Note that ZERO_MARKS=Yes
    can break IPSEC in multi-ISP configurations.

5)  Two distinct problems have been corrected in the 'disable'
    command logic:

    a)  If a balanced or fallback interface was down or had been
    	deleted, then the 'disable' command could fail.

    b)  If a persistent optional interface was down, then the
        generated script would fail when it attempted to add routes out
        of the interface.

6)  Previously, the generated script would attempt to reenable a
    disabled persistent provider at each 'start', 'reload' or
    'restart'. Now, disabled persistent providers are handled the same
    as other providers and require the 'enable' or 'reenable' command
    to enable them.

7)  Previously, the generated script assumed that all
    probability-balanced providers (those with the 'load' option
    specified) were optional. That assumption has been removed.

8)  Previously, the permissions of files created by the 'save' command
    were more relaxed than necessary. This has been corrected. 

----------------------------------------------------------------------------
           I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1)  On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.

2)  The 'enable', 'reenable' and 'disable' commands do not work
    correctly in configurations with USE_DEFAULT_RT=No and optional
    providers listed in the DUPLICATE column.

----------------------------------------------------------------------------
      I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

1)  You may now place comma-separated zone lists in the SOURCE and DEST
    columns in /etc/shorewall[6]/policy.

    Example:

    #SOURCE		DEST		POLICY	...
    loc,dmz		net		REJECT

    That line is equivalent to:

    #SOURCE		DEST		POLICY	...
    loc			net		REJECT
    dmz			net		REJECT

    If the same zone appears in both columns, the default ACCEPT
    intrazone policy is not overridden unless the list is followed
    immediately by '+'.

    Example:

    #SOURCE		DEST		POLICY	...
    dmz,loc		loc,dmz+	REJECT

    That line is equivalent to:

    #SOURCE		DEST		POLICY	...
    dmz			loc		REJECT
    dmz			dmz		REJECT
    loc			loc		REJECT
    loc			dmz		REJECT

    Without the plus sine, it would be equivalent to

    #SOURCE		DEST		POLICY	...
    dmz			loc		REJECT
    loc			dmz		REJECT

2)  Distribution maintainers may now set a default pager via the
    configure and configure.pl programs in Shorewall-core to set
    DEFAULT_PAGER in the generated shorewallrc file. The
    Shorewall-provided shorewallrc files for Debian currently specify
    'less' for DEFAULT_PAGER. The other shorewallrc files do not
    specify DEFAULT_PAGER.

    If shorewall[6].conf does not specify PAGER then the DEFAULT_PAGER
    setting is used.

3)  The 'contiguous' option is now supported in TIME columns. When the
    'timestop' value  is smaller than the 'timestart' value, match this
    as a  single  time  period  instead  distinct intervals.

    Example:

            weekdays=Mo&timestart=23:00&timestop=01:00

        Will match Monday, for one hour from midnight  to 1 a.m., and
  	then again for another hour from 23:00 onwards. If this is
  	unwanted, e.g. if you would like 'match for two hours from
  	Monday 23:00 onwards' you need to also specify the 'contiguous'
  	option in the example above.

    See http://www.shorewall.org/configuration_file_basics.htm#TIME for
    additional TIME column examples.

----------------------------------------------------------------------------
                  I V.  M I G R A T I O N   I S S U E S
----------------------------------------------------------------------------

1)  If you are migrating from Shorewall 4.4.x or earlier, please see
    http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.21/releasenotes.txt

2)  It is strongly recommended that you first upgrade your installation
    to a 4.6 release >= 4.6.12 prior to upgrading to Shorewall 5.0.

    Once you are on the Shorewall 4.6 release:

    - shorewall update -A

    If you also run Shorewall6:
    
    - shorewall6 update -A

    These steps are necessary because Shorewall 5.0:

    - Does not contain support for the 'tcrules' and 'tos' files --
      existing 'tcrules' and 'tos' files must be converted to an
      equivalent set of 'mangle' file entries.

    - Does not contain support for the 'blacklist' file -- it must
      be converted to an equivalent 'blrules' file.

    - Does not contain support for the 'notrack' file -- it must be
      converted to an equivalent 'conntrack' file.

    - Does not contain support for the 'routestopped' file -- it must
      be converted to an equivalent 'stoppedrules' file.

    Note that you can run the update command(s) after you upgrade to
    Shorewall 5 but your firewall will not work correctly until
    you do those update(s).

3)  The following configuration options have been eliminated:

    - EXPORTPARAMS
    - IPSECFILE
    - LEGACY_FASTSTART
    - LOGRATE *
    - LOGBURST *
    - WIDE_TC_MARKS *
    - HIGH_ROUTE_MARKS *
    - BLACKLISTNEWONLY *

    A fatal error results if those flagged with an asterisk ("*")
    appear in the .conf file -- run the 'shorewall[6] update' command
    to convert their settings to use supported options.

    A warning is issued if any of the rest appear in the .conf file.
    'shorewall[6] update' will drop them from the file.

4)  To make the command names more accurately reflect what they do,
    several changes have been included:

    a)  Beginning with this release, the 'restart' command now does a
    	true restart and is equivalent to a 'stop' followed by a
    	'start'.

    b)  The pre-5.0.0 'load' command has been renamed 'remote_start'.

    c)  The pre-5.0.0 'reload' command has been renamed 'remote_reload'.

    c)  The 'reload' command now performs the same function as the
    	pre-5.0.0 'restart' command.

    d)  A 'remote_restart' command has been added to Shorewall and
    	Shorewall6 to allow a remote 'restart' after updating the
    	remote firewall system's compiled script.

    For those that can't get used to the idea of using 'reload' in
    place of 'restart', a RESTART option has been added. The
    option defaults to 'reload' for compatibility with earlier
    releases. If set to 'restart', then the 'restart' command
    does a true restart (stop followed by start)

5)  While the WORKAROUNDS setting is still present in the
    shorewall[6].conf file:

    a)  It's default setting has been changed to No.
    
    b)  All workarounds for old distributions have been eliminated.

6)  Beginning with Shorewall 5.0.0, all macros and actions are assumed
    to be FORMAT-2.  FORMAT-1 macros and actions are no longer supported
    and will be silently processed as if they were FORMAT-2. For most
    macros and actions, this change will be of no concern, but may cause
    compilation errors in rare cases.

    To review, FORMAT-1 actions have the following columns:

       TARGET
       SOURCE
       DEST
       PROTO
       DEST PORT(S)
       SOURCE PORT(S)
       RATE
       USER/GROUP
       MARK

    FORMAT-1 macros have these columns:

       TARGET
       SOURCE
       DEST
       PROTO
       DEST PORT(S)
       SOURCE PORT(S)
       RATE
       USER/GROUP

    FORMAT-2 actions and macros, on the other hand, have:

       TARGET
       SOURCE
       DEST
       PROTO
       DEST PORT(S)
       SOURCE PORT(S)
       ORIGINAL DEST
       RATE
       USER/GROUP
       MARK
       CONNLIMIT
       TIME
       HEADERS (Only valid for IPv6)
       SWITCH
       HELPER

    To summarize, if your action or macro only uses the first 6
    columns (which most do), then it will process fine as
    FORMAT-2. Otherwise, it must be modified to place specifications in
    the proper columns.

7)  COMMENT, FORMAT and SECTION lines must now begin with a question
    mark ("?"). The 'update' command will change all bare COMMENT,
    FORMAT and SECTION lines to include the question mark.

8)  Beginning with Shorewall 5.0.8, the IPv6 default treatment of Auth
    (TCP 113) is now consistent with IPv4; nothing special is done with
    these requests, so they are simply logged and dropped.

    IMPORTANT: If you want to continue to reject Auth requests, you
    can do so by changing your DROP_DEFAULT setting to make the second
    parameter REJECT. For example, if you currently have:

        DROP_DEFAULT=Drop

    you can change it to:

    	DROP_DEFAULT="Drop(-,REJECT)"

----------------------------------------------------------------------------
         V.  N O T E S  F R O M  O T H E R  5 . 0  R E L E A S E S
----------------------------------------------------------------------------
            P R O B L E M S  C O R R E C T E D  I N  5 . 0 . 1 1
----------------------------------------------------------------------------

1)  This release contains defect repair through Shorewall 5.0.10.1.

2)  In Shorewall 5.0, the default chain for DSCP rules was
    inadvertently chained to PREROUTING (FORWARD, if
    MARK_IN_FORWARD_CHAIN=Yes).

    The default is now restored to POSTROUTING, its earlier value.

3)  When 'trace' was specified, previously the output of ip[6]tables
    rules containing a comment were displayed incorrectly. The "-m
    comment --comment" specification was missing and the comment was
    not enclosed in double quotes. This has been corrected.

4)  Previously, if a provider interface matched only a wildcard entry
    (one whose physical interface name ended in '+'), then the
    generated script would always find the interface to be
    unusable. That has been corrected.

5)  A change released in 5.0.9.1 and that allowed simple traffic
    shaping to support more than 9 interfaces prevented some users'
    configurations from starting. That has been corrected.

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   5 . 0 . 1 1
----------------------------------------------------------------------------

1)  When using the alternate input form, it is now possible to specify
    a comment to be attached to the generated ip[6]tables rule. Simply
    use the 'comment' keyword. If the comment contains embedded white
    space,  then it must be enclosed in double quotes. Any double
    quotes embedded in the comment must be escaped using a backslash.

    Example:

    ACCEPT net $FW { proto=tcp, dport=22, comment="Accept \"SSH\"" }

2)  OPTIMIZE level 16 no longer deletes duplicate COUNT rules, allowing
    multiple similar COUNT rules in a chain.

3)  Beginning with this release, source RPMs are available on the
    download sites.

----------------------------------------------------------------------------
            P R O B L E M S  C O R R E C T E D  I N  5 . 0 . 1 0
----------------------------------------------------------------------------

5.0.10.1

1)  Several issues with the Debian SysV init scripts have been
    corrected:

    a) The scripts now issue progress messages for the 'stop' command
       based on the setting of SAFESTOP in /etc/default/shorewall*.

    b) The firewall is now stopped or cleared in runlevel 1 (minimal),
       based on the setting of SAFESTOP.

    c) A typo in the Shorewall init script prevented the force-stop
       command from working correctly.

    Roberto Sánchez.

5.0.10

1)  This release includes defect repair through Shorewall 5.0.9.2.

2)  Previously, the 'update' commmand could result in updated files
    having the user's default permissions rather than the permissions
    of the original file. That has been corrected.

3)  A number of update and update-compatibility issues have been
    corrected:

    a)  <user>: (e.g., "fred:") is once again accepted in USER columns.
    b)  The USER column in the mangle file can once again be specified
        when :T is the chain designator.
    c)  The 'notrack' file is now correctly appended to the 'mangle'
        file during update.
    d)  IPMARK entries in 'tcrules' are now correctly converted into
        the 'mangle' file.

4)  When multiple zones are configured on an interface, the 'tcpflags',
    'nosmurfs' and 'maclist' options could previously result in silly
    duplicate rules. That problem has been corrected.

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   5 . 0 . 1 0
----------------------------------------------------------------------------

5.0.10.1

1)  You can now specify LOGFILE=systemd to cause 'journelctl -r' to be
    used to read the system log (journel).

    Scott Sumate.

5.0.10

1)  The 'allow' command can now remove entries from the ipset-based
    dynamic blacklists.

      allow <address> ...

2)  A new 'dbl' (Dynamic Blacklist) option is now available in the
    'interfaces' file. Possible settings are:

    none    - equivalent to specifying 'nodbl'.
    src     - packets entering the firewall on the interface have their
    	      source IP address checked against the ipset-based
    	      blacklist.
    dst     - packets entering the firewall on the interface have their
              destination IP address checked against the ipset-based
    	      blacklist.
    src-dst - packets entering the firewall on the interface have their
    	      source IP address checked against the ipset-based
    	      blacklist. Packets originating on the fireawll and
    	      leaving through the interface have their destination IP
    	      address checked against the ipset-based blacklist.

    The normal setting for an internet-facing interface will be either
    'src' or 'src-dst'. The normal setting for an internal interface
    will be either 'none' or 'dst'.

3)  The RPMs from shorewall.net are now created to assume that systemd
    is being used. They are targeted specifically at OpenSuSE and have
    been verified on OpenSuSE 42.1.

----------------------------------------------------------------------------
            P R O B L E M S  C O R R E C T E D  I N  5 . 0 . 9
----------------------------------------------------------------------------

1)  This release contains defect repair through Shorewall 5.0.8.2.

2)  Previously, if:

    - DOCKER=Yes
    - docker0 was defined in /etc/shorewall/interfaces
    - Docker was not running

    then Shorewall would fail to start with an error similar to this

      iptables-restore v1.4.21: Couldn't load target `DOCKER':
           No such file or directory
      Error occurred at line: 29
      Try `iptables-restore -h' or
           'iptables-restore --help' for more information.
      ERROR: /sbin/iptables-restore Failed.

    This has been corrected such that Shorewall starts correctly under
    these conditions.

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   5 . 0 . 9
----------------------------------------------------------------------------

1)  The file 'lib.core' has been renamed 'lib.runtime' to more
    accurately reflect the file's role.

2)  The CLI now produces helpful error messages rather than simply
    dumping out the complete usage syntax.

3)  The 'status' and 'version -a" command outputs now include the time
    and date when the current firewall script was compiled.

    This feature implements a new 'info' command that is recognized by
    the compiled script. That command produces output similar to the
    following:

      compiled Thu Apr 28 14:18:58 2016 by Shorewall version 5.0.9

    Note 1: The time and date of compilation will only be displayed
    after the firewall script has been compiled using this or a later
    Shorewall release.

    Note 2: Information about the current firewall script is only
    displayed by the 'version -a' command when the command is executed
    by root.

    Caution: If you execute 'shorewall compile', a subsequent 'status'
    command will display the compilation information for the newly
    compiled script and not for the one that was used to instantiate
    the running firewall configuration. Note that the compilation
    date/time, in this case, will be later than the started date/time:

    Example:

      State:Started Sun Apr 24 12:22:18 PDT 2016 from /etc/shorewall/
         (/var/lib/shorewall/firewall compiled Thu Apr 28 14:18:58 2016
	  by Shorewall version 5.0.9)

4)  The ?INFO and ?WARNING directives added in Shorewall 5.0.8 include
    the current filename and line number in the generated message. That
    behavior can be suppressed by using ?INFO! AND ?WARNING!
    instead. Additionally, the default behavior can be changed by
    setting VERBOSE_MESSAGES=No in shorewall[6].conf. In that case,
    including the exclaimation point causes the filename and line
    number to be included.

5)  NFLOG(...) is now supported in the mangle files.

6)  The compiler now checks the version of the installed Shorewall-core
    and issues a warning message if there is a mis-match.

    Example (folded to fit within 72 columns):

      WARNING: Version Mismatch: Shorewall-core is version 5.0.8.2,
               while the Shorewall version is 5.0.9-Beta2

    When compiling for IPv6, the Shorewall6 version is also verified
    and a similar warning is issued in the case of a mismatch.

7)  The sample configurations now have AUTOMAKE enabled.

8)  Full date and time strings generated by the compiler are now in
    'date' format rather than Perl's 'localtime' format.

----------------------------------------------------------------------------
            P R O B L E M S  C O R R E C T E D  I N  5 . 0 . 8
----------------------------------------------------------------------------

1)  This release includes defect repair through Shorewall 5.0.7.2

2)  If a physical interface name was used in the INTERFACE column of an
    entry in /etc/shorewall/masq, then previously a Perl diagnostic was
    issued as the masq rule was being processed and the iptables rule
    and its containing chain were dropped by the optimizer. That has
    been corrected so that physical interface names are handled
    correctly.

    Similar issues with physical names in the INTERFACE column of the
    nat, netmap and ecn files have also been resolved.

3)  The optional plus sign ('+') in the MODULESDIR setting, added in
    Shorewall 5.0.3, is now documented in the shorewall[6].conf
    manpages.

4)  Address variables that specified the physical interface name
    previously caused Perl diagnostics to be issued and wrong code
    to be generated. That has been corrected.

5)  The IPv6 default treatment of Auth (TCP 113) is now consistent with
    IPv4; nothing special is done with these requests, so they are
    simply logged and dropped or rejected.

    IMPORTANT: If you want to continue to silengly reject Auth
    requests, you can do so by changing your xxx_DEFAULT settings to
    make the second parameter 'Reject'. For example, if you currently
    have:

        DROP_DEFAULT=Drop
	REJECT_DEFAULT=Reject

    you can change it to:

    	DROP_DEFAULT="Drop(-,REJECT)"
    	REJECT_DEFAULT="Reject(-,REJECT)"

6)  Previously, if a zone had two or more interfaces, then the
    interfaces' option rules (DHCP, dynamic blacklisting, etc.) could
    be moved into the fw->zone chain without being restricted to their
    respective interfaces. This could result in needless duplication of
    rules. These rules are now kept in separate chains which, if they
    are identical, will be combined by the optimizer if OPTIMIZE level 8
    is enabled.

7)  A number of issues have been resolved with saving/restoring ipsets
    in Shorewall and Shorewall6.

    - Even if Shorewall's SAVE_IPSETS was set to ipv4, restarting one
      configuration would attempt to flush/destroy the ipsets for the
      other address family.

    - The same set could be saved multiple times, with the result
      that ipset error messages were issued during 'shorewall[6]
      start'.

    - Needless repetition of code was generated due to the use of
      compile-time loops rather than run-time loops.

8)  Previously, when AUTOMAKE=Yes, the 'start' command would not
    regenerate an out-of-date firewall script.

9)  A couple of recent changes have resulted in file name collisions
    on Cygwin with its underlying case-insensitive filesystem. To avoid
    these collisions.

    - /usr/share/shorewall/deprecated and
      /usr/share/shorewall6/deprecated directories have been created.

    - When a name collision occurs, the file with the older name is
      moved to the deprecated directory

    - The compiler automatically searches the deprecated directory
      (both directories in the case of Shorewall6) for files.

    In this release, macro.SNMPTraps and action.A_Reject were moved to
    /usr/share/shorewall/deprecated/. Note that both are deprecated -
    Reject accepts an 'audit' parameter, and macro.SNMPTraps has been
    superseded by macro.SNMPtraps.

10) Previously, the 'reload' command did not produce a system log
    message when it succeeded. That has been corrected.

11) Previously, when compilation was done as part of a reload or
    restart operation, compiler logging to the STARTUP_LOG was
    suppressed. Such logging is now enabled.

12) The compiler now uses a uniform format for timestamps in the
    STARTUP_LOG and on standard output (when the -t option is
    specified). Previously, some messages suppressed a leading zero in
    the hour where others did not. Now, the leading zero is never
    suppressed for compatibility with the timestamps produced by the
    generated script.

13) Previously, the compiler would allow 0 to be specified in the MARK
    column of the tcclasses file, resulting in a run-time failure:

    Setting up Traffic Control...
    RTNETLINK answers: Invalid argument
    We have an error talking to the kernel
       ERROR: Command "tc filter add dev eth0 protocol all parent 1:0
                       prio 276 handle 0 fw classid 1:10" Failed

    Now, the following error is generated by the compiler:

       ERROR: MARK value must be non-zero

    As part of this change, the shorewall[6]-tcclasses(5) manpages have
    been updated:

    - Specifity a filter priority in the MARK column is now documented
      (this feature has been in the code for several years)

    - The default priorities of the filters for tos= and tcp-ack have
      been correcgted.

14) For consistency with Docker, when bridge docker0 is listed in
    /etc/shorewall/interfaces, the following rule is now generated:

        -A FORWARD -o docker0 -m conntrack \
                --ctstate RELATED,ESTABLISHED -j ACCEPT

15)  Previously, the safe-* commands did not direct the compiler to
     write to the STARTUP_LOG. That has been corrected. The commands
     which direct the compiler to write to that log are now:

       start
       try
       refresh
       reload
       restart
       safe-*

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   5 . 0 . 8
----------------------------------------------------------------------------

1)  Support for later versions of miniupnpd has been added in the form
    of a MINIUPNPD option in shorewall.conf. If set to Yes, Shorewall
    will create a chain in the nat table named MINIUPNPD-POSTROUTING
    and will add jumps from POSTROUTING to that chain for each
    interface with the upnpd option specified.  Default is No.
    The contents of the chain are preserved over 'shorewall reload' and
    'shorewall restart' operations.

2)  The REJECT and A_REJECT actions may now take an optional parameter
    that specifies the way in which the packet is to be rejected. See
    shorewall[6]-rules(5) for details.

3)  The standard action files and shell libraries now have a uniform
    format for their header comments (Tuomo Soini).

4)  The compiler now uses the iptables goto (-g) parameter rather than
    the jump (-j) parameter, when the target is a terminating chain
    (does not have any rules with the RETURN target and the last rule
    in the chain is an unconditional jump to a terminating target or
    chain).

5)  The compiler now raises an error if the target of a chain's rule is
    the chain itself.

6)  The compiler now raises an error if the action specified in
    REJECT_ACTION contains a RETURN (CONTINUE) jump or if the last rule
    in the action is not an unconditional jump to a terminating target.

7)  The Drop and Reject default actions now accept a sixth parameter
    that specifies the action to be taken on UPnP packets. Previously,
    the same action was performed on UPnP as was performed on late DNS
    replies. The default is DROP in both cases.

8)  Heretofore, when DYNAMIC_BLACKLISTING=Yes, blacklists were checked
    on packets arriving and leaving on all interfaces. Now, individual
    interfaces may be exempted from dynamic blacklisting through use of
    the "nodbl" interface option.

9)  Prior to this release, dynamic blacklisting has been implemented
    using rules in an ip[6]tables chain. This scales poorly when there
    are a large number of blacklisted addresses.

    Beginning with this release, dynamic blacklisting can be ipset-
    based. See DYNAMIC_BLACKLIST in shorewall.conf(5) and
    shorewall6.conf(5) and the 'blacklist' command in shorewall(8) and
    shorewall6(8).

    As part of this change, ipsets created by Shorewall are now of type
    hash:net with the 'timeout 0 counters' options, rather than
    hash:ip with no options. This allows both network and individual
    host addresses to be added to these ipsets, a timeout to be
    specified when addresses are added to the ipsets, and visibility
    into matches on individual members of the ipset.

10) New new Redis macros have been added, one for Redis Cluster and the
    other for Redis Sentinal (Tuomo Soini).

11) The system log messages created by Shorewall via the 'logger'
    utility may now be augmented using logger's -t (--tag) option
    through use of the SW_LOGGERTAG environmental variable. If this
    variable is set to a non-empty value, then its contents will be
    passed as the -t option (e.g. logger -t "$SW_LOGGERTAG" ...).

12) Similar to ?ERROR, which was introduced in Shorewall 5.0.7, this
    release supports additional ?WARNING and ?INFO directives

      ?ERROR <message>
      ?WARNING <message>
      ?INFO <message>

    The <message> is written to STDERR prefaced by the directive name
    (WARNING or INFO) followed by a colon (':'). It is also written to the
    STARTUP_LOG if:

    - A STARTUP_LOG has been configured
    - The command is start, try, restart, reload, refresh or one of the
      safe-* commands

    Unlike ?ERROR, ?WARNING and ?INFO do not cause compilation to be
    aborted.

----------------------------------------------------------------------------
            P R O B L E M S  C O R R E C T E D  I N  5 . 0 . 7
----------------------------------------------------------------------------

5.0.7.2

1)  When using older versions of Perl, the following warnings were
    generated with 5.0.7 and 5.0.7.1.

    Found = in conditional, should be == at
       /usr/share/perl5/Shorewall/Chains.pm line 8630.
    Found = in conditional, should be == at
       /usr/share/perl5/Shorewall/Chains.pm line 8635.

    That has been corrected.

    (Tuomo Soini)

2)  Several typos in the manpages have been corrected (Roberto
    Sánchez).

3)  Previously, if an inline match was used in the last line of an
    action, then the inline match could also be applied to the jump to
    the action's chain. That has been corrected so that the jump to the
    chain contains the correct set of matches. 

5.0.7.1

1)  In 5.0.6.2 and 5.0.7, use of an inline match in a rule that
    generated multiple ip[6]tables rules caused only the first
    generated rule to contain the inline match.  That has been
    corrected.

2)  In 5.0.7, if ':R' was specified with the DIVERT action, an error
    message was erroneously generated. That has been corrected.

5.0.7

1)  This release includes defect repair from Shorewall 5.0.6.2.

2)  Previously, the compiler failed to catch invalid action/chain
    combinations which caused iptables-restore failures when such
    combinations were present in the configuration. That has been
    corrected.

3)  An issue involving nested inlined action and macro invocations has
    been resolved.

4)  The '&' (and) and '|' (or) symbols were previously ignored when
    the action was CONNMARK (mangle file). These symbols now work as
    documented.

5)  When 'DOCKER=Yes', 'check -r' would previously fail. The command
    now works correctly.

6)  Previously, the specified linklayer, overhead, mtu, mpu and tsize
    were not applied to ingress qdiscs that provide IN-BANDWIDTH
    limiting. That has been corrected so that these options also apply
    to inbound traffic.

    IMPORTANT: If you have specified linklayer, overhead, etc., then
    after this fix is installed, your inbound speed will be less than
    it was before the fix. You are advised to re-test and possibly
    adjust your IN-BANDWIDTH accordingly.

7)  The syntax which Shorewall previously used to define ingress
    filters is misinterpreted by the tc utility, with the result that
    rather than dropping packets exceeding the IN-BANDWIDTH, the filter
    instead reclassified them. That caused 'packet reclassify loop'
    errors during periods of high inbound traffic. The compiler now
    generates the options in the 'tc add filter' command in an order
    that tc handles correctly.

8)  If a log level was specified in one of the *_DEFAULT options,
    the compiler would previously raise a fatal error when applying the
    default action. That has been corrected.

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   5 . 0 . 7
----------------------------------------------------------------------------

1)  Actions may now be used in the mangle file. To be used in the
    mangle file, an action must be declared in the actions file with
    the 'mangle' option. Actions with this option may only be used in
    the mangle file (or in other actions with the mangle option); they
    may not be used in the rules file. Mangle actions may be inlined
    using the 'inline' option in the actions file.

    A new template file (/usr/share/shorewall/action.mangletemplate) is
    included in the release for use in creating mangle actions.

2)  The 'check -r' command now uses the PAGER program unless the -d
    option is also specified. Additionally, when the compiler runs with
    'trace', the PAGER program is used unless -d is set.

3)  It is now possible to raise an error if a condition isn't met using
    the ?ERROR directive.

    	?ERROR <message>

    The text after ?ERROR is displayed in a standard Shorewall error
    message.

4)  Using the new ?ERROR directive, embedded Perl has been eliminated
    from a number of standard actions.


    Example from action.GlusterFS:

    ?if @1 !~ /^\d+/ || ! @1 || @1 > 1024
        ?error Invalid value for Bricks (@1)
    ?elsif @2 !~ /^[01]$/
        ?error Invalid value for IB (@2)
    ?endif

    The above logic insures that the first action paramater is a
    non-zero number <= 1024 and that the second parameter is either 0
    or 1. If 2000 is passed for the first parameter, the following
    error message is generated:

    ERROR: Invalid value for Bricks (2000)
      /usr/share/shorewall/action.GlusterFS (line 15)
      from /etc/shorewall/rules (line 45)

5)  Previously, inline matches were placed after column-generated
    matches in the generated rule. This meant that "-p' could not be
    used in inline matches. Beginning with this release, if the first
    non-blank characters in an inline match is '+', then the remainder
    of the inline matches are placed at the front of the generated
    rule.

    There are a couple of restrictions:

    a. When -p is used  in an inline match and the PROTO column is
       supplied, then an error is generated unless the resolved
       contents of the column matches the protocol specified in the
       inline match. This means that only protocol numbers should
       appear in the inline match.

    b. Use of -i, -s, -o, or -d (or their long-form equivalents) in an
       inline match will result in a compilation error if the contents
       of the columns generates the same match.

6)  The TCPFlags action has been modified to use '+' in inline matches
    rather than embedded Perl with perl_action_tcp_handler() calls.

7)  A new 'audit' action option has been added. Such actions are
    expected to have at least two parameters; the first is a
    target and the second is either omitted or is 'audit'.
    Two existing standard actions (RST and NotSyn) have this
    characteristic and they have been converted to use the 'audit'
    option, eliminating embedded Perl within their bodies.

8)  Within an action body, if a parameter is omitted in a DEFAULTS
    statement, then the value of the corresponding action and Shorewall
    variables is '-', while if the parameter is specified as '-' in
    the parameter list, the value of the variables is '' if
    expanded before the DEFAULTS statement.

    Additionally, when an expression is evaluated, the value 0
    evaluates as false; so '?IF @n' and 'IF $n' both fail if the nth
    parameter is passed with value zero.

    To make testing of the presense of parameters more efficient and
    uniform, an new function has been added for use in ?IF and
    ?ELSEIF:

        ?IF [!] passed(<variable>)

    where <variable> is an action or Shoreall variable.

    'passed(@n)' and 'passed($n)' evaluate to true if the nth parameter
    is not empty and its contents are other than '-'. If '!' is
    present, the result is inverted.

    In this simple form, the expression is evaluated by the compiler
    without having to invoke the (expensive) Perl exec() function. The
    'passed' function may also be used in more complex expressions, but
    exec() will be invoked to evaluate those expressions.

9)  The MARK and CONNMARK targets are now available in the rules file,
    macros, and actions. Mark ranges are not currently supported with
    these targets.

----------------------------------------------------------------------------
            P R O B L E M S  C O R R E C T E D  I N  5 . 0 . 6
----------------------------------------------------------------------------

1)  This release includes defect repair through Shorewall 5.0.5.1.

2)  Previously, the generated function define_firewall() contained
    logic for handling the 'stop' and 'clear' commands. Beginning with
    this release, the function will no longer include that logic, since
    the function is not called when processing those commands.

3)  The 'persistent' option on a provider previously resulted in
    a duplicate routing rule was created each time that the provider
    was disabled. This has been corrected so that duplicate rules are
    not created. 

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   5 . 0 . 6
----------------------------------------------------------------------------

1)  The GATEWAY column in /etc/shorewall[6]/providers may now contain
    the keyword 'none'. This will create a routing table with no
    default route, to allow handling policy-routing senarios where a
    default route is not required.

2)  Previously, when both Shorewall and Docker were used on the same
    system, one of two approaches had to be followed:

    a)  Run docker with --iptables=false and use Shorewall to
        configure Netfilter.

    b)  Run docker with ---iptables=true and use extension scripts to
    	save/restore the Docker-generated rules.

    The first is complex and the second is difficult to do in a way
    that insures that changes to the Shorewall configuration aren't
    lost during restart/reload.

    In this release, a new DOCKER option is available in
    shorewall.conf. When DOCKER=Yes, the generated script takes
    responsibility for saving and restoring the Docker-generated rules.

    The Shorewall implementation assumes that the default 'docker0'
    bridge is being used.
    
    It is recommended that docker0 be assigned to a zone in
    /etc/shorewall/interfaces. When you do that, the setting
    of 'routeback' for that interface determines whether
    inter-container communication is allowed. If docker0 is not listed
    in the interfaces file, then the generated script will save/restore
    the FORWARD chain rules for that interface.

    If you are using Docker's network features where bridges with names
    of the form br-xxxxxxxxxxxx are created, those bridges should not
    be defined to Shorewall.

    Note that DOCKER=Yes is currently supported only in Shorewall and
    not in Shorewall6.

3)  A new SNMPtrap macro has been added and is intended to supersede
    SNMPTrap. The latter is now deprecated, but is still available for
    use.

4)  As an alternative to entries in the ecn file, the IPv4 mangle file
    now supports an ECN target for clearing the ECN flags in the TCP
    header. See shorewall-mangle(8) for details.

5)  The remainder of the documentation has been updated to use the new
    column headings.

6)  Beginning with this release, voluminous CLI output to terminals from 'show'
    and 'dump' commands may be automatically paged using a program like
    'less' or 'more'. The pager program to be used, if any, is
    specified using the PAGER option in shorewall[6].conf.

----------------------------------------------------------------------------
            P R O B L E M S  C O R R E C T E D  I N  5 . 0 . 5
----------------------------------------------------------------------------

1)  Previously, an interface could be erroneously assigned to two
    different providers and the compiler did not flag that as an error.

    The compiler now correctly catches this violation.

2)  The alignment of the output of the 'shorewall[6] show macros'
    command has been corrected.

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   5 . 0 . 5
----------------------------------------------------------------------------

1)  The .ip[6]tables-restore-input file may now include comments which
    indicate the origin of the rules, similar to the ip[6]tables
    comments that are generated when TRACK_RULES=Yes in
    shorewall[6].conf. This additional information is added when
    TRACK_RULES=File.

    Note: This change also enhances TRACK_RULES=Yes by adding tracking
    comments to additional generated ip[6]tables rules.

2)  The output of 'shorewall[6] show actions' is now sorted.

3)  The macro file headers have been updated to use the new
    column names. Also, some macros now invoke other macros rather than
    duplicating their rules. This is intended to ease future
    maintenance (Tuomo Soini).

4)  Additional documentation articles have been updated to use the new
    column names (Tuomo Soini).

----------------------------------------------------------------------------
            P R O B L E M S  C O R R E C T E D  I N  5 . 0 . 4
----------------------------------------------------------------------------

1)  There previously existed a slight possibility that starting both
    Shorewall and Shorewall6 simultaneously could lead to a failure
    such as this one:

    Dec 18 13:18:35 elmo.example.com shorewall6[1889]: Loading Modules...
    Dec 18 13:18:38 elmo.example.com shorewall6[1889]: Another app is
       currently holding the xtables lock. Perhaps you want to use 
       the -w option?
    Dec 18 13:18:40 elmo.example.com shorewall6[1889]:
       ERROR: Cannot Create Mangle chain fooX2349
    Dec 18 13:18:40 elmo.example.com systemd[1]: shorewall6.service:
        main process exited, code=exited, status=255/n/a

    That problem can no longer occur.

2)  Previously, when a source- or destination-specific RATE was
    specified on a logging rule (LOG, ULOG or NFLOG), the compiler
    incorrectly applied both the specified RATE as well as the global
    LOGLIMIT. That has been corrected so that only the specified RATE
    is applied.

3)  Previously, when @caller was used within an action body, the
    compiler would not create unique ip[6]tables chains for each
    invocation of the action, even though the invocations had different
    values of @caller. Now, each invocation of such an action creates a
    separate ip[6]tables chain for each unique caller.

4)  Previously, the 'status -i' command produced error output when
    there were no optional interfaces. That erroneous output is no
    longer produced.

5)  Traffic shaping configurations that use red or codel will now
    produce consistent compiled scripts. Previously, these
    configurations could produce equivalent but different scripts on
    consecutive compilations.

6)  Previously, the Shoreall compiler enforced old rules about where
    country codes could appear. As those restrictions have now been
    removed, the compiler no longer issues messages such as these:

      ERROR: A countrycode list may not be used in this context

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   5 . 0 . 4
----------------------------------------------------------------------------

1)  Shorewall Init is now supported on OpenWRT.

2)  The IPTABLES and IP6TABLES actions in the rules and mangle files
    can now correctly handle logging targets (LOG, ULOG and
    NFLOG). Previously, an attempt to use these targets would result in
    an error similar to:

       ERROR: LOG requires a level

3)  To further reduce the possibility of failures caused by Shorewall
    and Shorewall6 starting concurrently, a new WAIT_OPTION capability
    has been implemented. On systems with that capability, all
    'iptables' and 'ip6tables' commands will use the --wait option.

4)  The .214.service files have been removed and the .service files
    (with the exception of Debian) have been updated to use the
    network-pre.target (Tuomo Soini).

5)  Shorewall, Shorewall6, Shorewall-lite and Shorewall6-lite now
    install /etc/sysconfig/<product> files for specifying
    start/restart/reload options on those distributions that use
    /etc/sysconfig.

6)  The mangle file now supports an DIVERTHA action that provides
    support for HAProxy.

    To setup the HAProxy configuration described at
    http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x,
    place this entry in shorewall-providers(5):
    

      #NAME	NUMBER   MARK    DUPLICATE  INTERFACE	GATEWAY   OPTIONS
      TProxy    1        -       -          lo          -         tproxy 

      and use this DIVERTHA entry:

      #ACTION         SOURCE          DEST            PROTO  ...
      DIVERTHA        -               -               tcp

----------------------------------------------------------------------------
            P R O B L E M S  C O R R E C T E D  I N  5 . 0 . 3
----------------------------------------------------------------------------

1)  This release includes defect repair through Shorewall 5.0.2.1.

2)  To avoid interference with other subsystem settings, all released
    shorewall6.conf files now specify IP_FORWARDING=keep. Previously,
    the settings were inconsistent among the various sample files.

3)  This release includes more fixes to the configure, install and
    uninstall scripts (Matt Darfeuille).

4)  Previously, Shorewall6 rejected rules in which the SOURCE contained
    both an interface name and a MAC address (in Shorewall
    format). That defect has been corrected so that such rules are now
    accepted.

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   5 . 0 . 3
----------------------------------------------------------------------------

1)  The MODULESDIR option in shorewall[6].conf has been extended to
    allow specification of additional directories to be added to those
    defaulted by Shorewall. If the specified value begins with "+",
    then the remainder of the value is assumed to be a colon-separated
    list of directory names that are relative to /lib/modules/`uname
    -r`.

    For example, to load the xt_RTPENGINE module, you would create
    /etc/shorewall/modules as follows:

        INCLUDE /usr/share/shorewall/modules
	loadmodule xt_RTPENGINE

    You would then set MODULESDIR as:

    	MODULESDIR="+extra/rtpengine"

2)  Previously, some of the column headings in the configuration files
    required two lines to display. For example, in the rules file:

    #ACTION  SOURCE    DESTINATION PROTOCOL	DEST      SOURCE
    #                                           PORT(S)   PORT(S)

    To use the alternative input format for such two-word columns, a
    one-word abbreviation was required. For example, DEST PORTS(S) is
    abbreviated as 'dport' and SOURCE PORT(S) is abbreviated as
    'sport'.

    The two-line column headings are also a nuisance for Emacs users
    because when the <tab> key is struck, Emacs positions the cursor
    based on the white space in the preceding line. So if an ACTION is
    typed and the <tab> key is then depressed, rather than position the
    cursor in the SOURCE column, Emacs positions it in the DEST PORT(S)
    column.

    To eliminate these issues, the multi-word columns have been
    relabled to use their abbreviated names. Note that this relabelling
    does not require modification of existing configurations. It simply
    means that the sample files released with Shorewall and the
    manpages that describe column-oriented files now use the
    abbreviated names rather than the previous names (Tuomo Soini and
    Tom Eastep).

3)  ADD rules may now include a timeout value which will override
    any timeout that was specified when the related ipset was created.


4)  Commas are now allowed in log tags when LOGTAGONLY=Yes. Previously,
    characters after the first comma in a log tag were discarded when
    LOGTAGONLY=Yes.

----------------------------------------------------------------------------
            P R O B L E M S  C O R R E C T E D  I N  5 . 0 . 2
----------------------------------------------------------------------------
5.0.2.1

1)  When processing the 'dump' command, the CLI now uses 'netstat' to
    print socket information when the 'ss' utility is not installed.

2)  Several defects in the installers/uninstallers have been corrected
    (Matt Darfeuille).

5.0.2

1)  This release includes defect repair up through Shoreall 5.0.1.1.

2)  The MSSQL macro now allows UDP port 1434 (Tuomo Soini).

3)  A number of issues with param file processing on Cygwin have been
    corrected. The most serious of these issues was introduction of
    syntax errors into the generated firewall script.

4)  More version numbers have been removed from configuration files
    and Macros (Tuomo Soini).

5)  The check for use of a circular kernel log buffer (as opposed to a
    log file) has been improved.

6)  Previously, HOST=default was accepted by configure[.pl], but the
    generated shorewallrc file was unusable. Now, HOST=default is
    equivalent to HOST=linux.

7)  Previously, if a circular log buffer was being used, the output of
    various commands still displayed '/var/log/messages' as the log
    file. Now, it is displayed as 'logread'.

8)  The 'remote-*' commands now return correct exit status.

9)  Previously, if LOCKFILE specified a file in a directory other than
    $VARDIR, and that directory did not exist, it was not created
    automatically.

10) Previously, optional interfaces were not enabled during 'start' and
    'restart' unless there was at least one entry in the 'providers'
    file.  This resulted in these interfaces not appearing in the
    output of 'shorewall[6] status -i'.

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   5 . 0 . 2
----------------------------------------------------------------------------

1)  The providers file now supports a 'persistent' option. When
    specified, this option removes the need to configure host routes to
    systems used as the 'checkip' in LSM.

    As part of this change, two other configuration files have changed:

    a) The 'rtrules' file now allows the rule priority to be followed
       by an exclaimation mark ("!").

    b) An OPTION column has been added to the 'routes' file. The only
       option currently supported is 'persistent'.

    The option affects the routing configuration when the provider is
    disabled:

    - The provider's routing table still exists and contains the
      provider's default route.

    - Unless 'noautosrc' is specified, connections originating from the
      interfaces IP address(es) are routed via the provider's default
      gateway.

    - Routing rules for the provider that specify '!' after the
      priority are left in place.

    - 'persistent' routes for the provider are left in place, allowing
      communication with local networks that are still accessible.

2)  It is now possible to replace any function in the CLI libraries
    except for get_config(). This is accomplished by placing the
    replacement function(s) in a shell library named 'lib.cli-user' in
    a directory on the CONFIG_PATH. This allows for customization of
    commands as well as working around distribution-specific issues.

3)  Support for OpenWRT versions BB and later has been added. Included
    in this support are:

    - The log display commands (show log, logwatch, etc.) no longer
      depend on the 'tac' utility (although it will be used if it is
      installed).

    - Shorewall-core's 'configure' script detects OpenWRT and accepts
      HOST=openwrt as an argument.
      
    - Shorewall-core, Shorewall-lite and Shoreawll6-lite installers
      support openwrt. Additionally, those installers no longer depend
      on the 'install' utility.

    - Shorewall[6]-lite will use OpenWRT's 'lock' utility to create the
      LOCKFILE.

    A special thanks to Matt Darfeuille for his help in making this
    support possible.

4)  Configuration files and extension scripts now have uniform
    introductory comments (Tuomo Soini).

----------------------------------------------------------------------------
            P R O B L E M S  C O R R E C T E D  I N  5 . 0 . 1
----------------------------------------------------------------------------

1)  Previously, if statistical load balancing was used in the providers
    file, the default route in the main table was not deleted during
    firewall start/restart. That route is now correctly deleted.

2)  Certain files in /etc/shorewall[6] previously had permissions 644.
    Those have been changed to 600 to match the other files in the
    directories.

3)  Previously, the CLI programs did not deal properly with the absense
    of the 'hostname' utility. Now, if that utility is not present, the
    programs look for 'uname' and if it is present, they use the 'uname
    -n' command. If neither 'hostname' nor 'uname' are installed, the
    programs display 'localhost' as the system name.                 

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   5 . 0 . 1
----------------------------------------------------------------------------

1)  'second' and 'minute' are now allowed in the LOGLIMIT
    specification in place of 'sec' and 'min' respectively. This
    enhancement was present in Shorewall 4.6.13 but was not available
    in Shoreall 5.0.0.

2)  The LEGACY_RESTART option has been superseded by the RESTART
    option. RESTART may be set as follows:

      RESTART=reload

	Causes the 'restart' command to perform the same action as the
	'reload' command. This is the default if RESTART is not set.

      RESTART=restart

	Causes the 'restart' command to perform a true restart (stop
	followed by start).

    If LEGACY_RESTART is present in shorewall[6].conf and RESTART is
    not, then its setting will govern the behavior of 'restart'. The
    'update' command will convert the LEGACY_RESTART setting to the
    equivalent RESTART setting.

----------------------------------------------------------------------------
            P R O B L E M S  C O R R E C T E D  I N  5 . 0 . 0
----------------------------------------------------------------------------

1)  This release includes defect repair up through Shorewall 4.6.13.1.

2)  The compiled script now uses the %e date format rather than %_d,
    for Busybox compatibilty. (Erich Titl)

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   5 . 0 . 0
----------------------------------------------------------------------------

1)  To make the command names more accurately reflect what they do,
    several changes have been included:

    a)  Beginning with this release, the 'restart' command now does a
    	true restart and is equivalent to a 'stop' followed by a
    	'start'.

    b)  The pre-5.0.0 'load' command has been renamed 'remote_start'.

    c)  The pre-5.0.0 'reload' command has been renamed 'remote_reload'.

    c)  The 'reload' command now performs the same function as the
    	pre-5.0.0 'restart' command.

    d)  A 'remote_restart' command has been added to Shorewall and
    	Shorewall6 to allow a remote 'restart' after updating the
    	remote firewall system's compiled script.

2)  For those that can't get used to the idea of using 'reload' in
    place of 'restart', a LEGACY_RESTART option has been added. The
    option defaults to No but if set to Yes, then the 'restart' command
    does what it has always done. 

3)  It is now possible to limit connections by destination address in
    the rules file by prefixing the CONNLIMIT setting with 'd:'.

4)  While the WORKAROUNDS setting is still present in the
    shorewall[6].conf files:

    a)  Its default setting has been changed to No.
    
    b)  All workarounds for old distributions have been eliminated. See
    	the Migration Issues for additional information.

5)  A number of configuration options have been eliminated:

    - EXPORTPARAMS
    - IPSECFILE
    - LEGACY_FASTSTART
    - LOGRATE *
    - LOGBURST *
    - WIDE_TC_MARKS *
    - HIGH_ROUTE_MARKS *
    - BLACKLISTNEWONLY *

    A fatal error results if those flagged with an asterisk ("*")
    appear in the .conf file -- run the 'shorewall[6] update' command
    to convert their settings to use supported options.

    A warning is issued if any of the rest appear in the .conf file.
    'shorewall[6] update' will drop them from the file.

7)  The -b, -D, -r, -s, -t and -n options have been removed from the
    'update' command. The command now behaves as if all of those
    options had been specified.

6)  Support has been removed for the 'blacklist', 'tcrules',
    'routestopped', 'notrack' and 'tos' files.

    The 'update' command will:

    - convert the 'tcrules' and 'tos' files to the equivalent 'mangle'
      file.

    - convert the 'blacklist' file into an equivalent 'blrules' file.

    - convert the routestopped' file into the equivalent 'stoppedrules'
      file.

    - convert a 'notrack' file to the equivalent 'conntrack' file.

7)  Beginning with this release, all macros and actions are assumed
    to be FORMAT-2. FORMAT-1 macros and actions are no longer supported
    and will be silently processed as if they were FORMAT-2. For most
    macros and actions, this change will be of no concern, but may cause
    compilation errors in rare cases.

8)  Beginning with this release, COMMENT, FORMAT and SECTION lines must
    begin with a question mark ("?"). The 'update' command makes these
    changes for you.

9)  As an alternative to INLINE_MATCHES=Yes, you may now specify inline
    matches (raw ip[6]tables text) after a double semicolon (';;').

    Example from the 'masq' file to split SNAT between two public
    addresses on eth1:

      #INTERFACE SOURCE ADDRESS
      eth1       -      1.2.3.1 ;; -m statistic --mode random --probability 0.50
      eth1	 -	1.2.3.2

10) Options in shorewall[6].conf that accept a log level now also allow
    specification of a log tag.

    Example:

      TCP_FLAGS_LOG_LEVEL=info:,tcpflags

11) A PROBABILITY column has been added to the masq file. One usage
    scenario is to balance SNAT between two or more IP addresses on a
    WAN interface:

        #INTERFACE	SOURCE		ADDRESS
    	eth1		-		1.2.3.4 { probability=0.50 }
	eth2		-		1.2.3.5

12) Previously, when chain names were included in a 'reset' command,
    they were assumed to be filter table chains. Now, both a table name
    and a chain name can be given (e.g., mangle:PREROUTING). The
    specified table remains the default for the remainder of the
    command unless a following entry also includes a table name.

13) An action for Gluster FS (action.GlusterFS) has been added. See the
    action file for a description of the parameters.

