----------------------------------------------------------------------------
	           S H O R E W A L L  5 . 0 . 7 . 2
                       ----------------------------
                        M a r c h  3 1 ,  2 0 1 6
----------------------------------------------------------------------------

I.    PROBLEMS CORRECTED IN THIS RELEASE
II.   KNOWN PROBLEMS REMAINING
III.  NEW FEATURES IN THIS RELEASE
IV.   MIGRATION ISSUES
V.    NOTES FROM OTHER 5.0 RELEASES

----------------------------------------------------------------------------
  I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

5.0.7.2

1)  When using older versions of Perl, the following warnings were
    generated with 5.0.7 and 5.0.7.1.

    Found = in conditional, should be == at
       /usr/share/perl5/Shorewall/Chains.pm line 8630.
    Found = in conditional, should be == at
       /usr/share/perl5/Shorewall/Chains.pm line 8635.

    That has been corrected.

    (Tuomo Soini)

2)  Several typos in the manpages have been corrected (Roberto
    Sánchez).

3)  Previously, if an inline match was used in the last line of an
    action, then the inline match could also be applied to the jump to
    the action's chain. That has been corrected so that the jump to the
    chain contains the correct set of matches. 

5.0.7.1

1)  In 5.0.6.2 and 5.0.7, use of an inline match in a rule that
    generated multiple ip[6]tables rules caused only the first
    generated rule to contain the inline match.  That has been
    corrected.

2)  In 5.0.7, if ':R' was specified with the DIVERT action, an error
    message was erroneously generated. That has been corrected.

5.0.7

1)  This release includes defect repair from Shorewall 5.0.6.2.

2)  Previously, the compiler failed to catch invalid action/chain
    combinations which caused iptables-restore failures when such
    combinations were present in the configuration. That has been
    corrected.

3)  An issue involving nested inlined action and macro invocations has
    been resolved.

4)  The '&' (and) and '|' (or) symbols were previously ignored when
    the action was CONNMARK (mangle file). These symbols now work as
    documented.

5)  When 'DOCKER=Yes', 'check -r' would previously fail. The command
    now works correctly.

6)  Previously, the specified linklayer, overhead, mtu, mpu and tsize
    were not applied to ingress qdiscs that provide IN-BANDWIDTH
    limiting. That has been corrected so that these options also apply
    to inbound traffic.

    IMPORTANT: If you have specified linklayer, overhead, etc., then
    after this fix is installed, your inbound speed will be less than
    it was before the fix. You are advised to re-test and possibly
    adjust your IN-BANDWIDTH accordingly.

7)  The syntax which Shorewall previously used to define ingress
    filters was misinterpreted by the tc utility, with the result that
    rather than dropping packets exceeding the IN-BANDWIDTH, the filter
    instead reclassified them. That caused 'packet reclassify loop'
    errors during periods of high inbound traffic. The compiler now
    generates the options in the 'tc filter add' command in an order
    that tc handles correctly.

8)  If a log level was specified in one of the *_DEFAULT options,
    the compiler would previously raise a fatal error when applying the
    default action. That has been corrected.

----------------------------------------------------------------------------
           I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1)  On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.

2)  The 'enable', 'reenable' and 'disable' commands do not work
    correctly in configurations with USE_DEFAULT_RT=No.

----------------------------------------------------------------------------
      I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

1)  Actions may now be used in the mangle file. To be used in the
    mangle file, an action must be declared in the actions file with
    the 'mangle' option. Actions with this option may only be used in
    the mangle file (or in other actions with the mangle option); they
    may not be used in the rules file. Mangle actions may be inlined
    using the 'inline' option in the actions file.

    A new template file (/usr/share/shorewall/action.mangletemplate) is
    included in the release for use in creating mangle actions.
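    An added example of such a declaration and body (written for these
    notes, not shipped with Shorewall; the action name MarkSIP, the
    mark value and the ports are assumptions). The body uses the
    column layout of action.mangletemplate and, because of the
    'inline' option, is expanded in place at each invocation:

```text
# /etc/shorewall/actions  (added example; MarkSIP is a hypothetical name)
#ACTION      OPTIONS
MarkSIP      mangle,inline    # valid only in the mangle file or in other
                              # mangle actions; rejected in the rules file

# /etc/shorewall/action.MarkSIP  (added example; columns as in
# /usr/share/shorewall/action.mangletemplate)
#
# Parameter 1: packet mark to apply (default 7)
DEFAULTS 7

#ACTION     SOURCE   DEST   PROTO   DPORT
MARK(@1)    -        -      udp     5060,5061
MARK(@1)    -        -      tcp     5060,5061

# /etc/shorewall/mangle  (invocation)
#ACTION          SOURCE        DEST   PROTO
MarkSIP          -             -      -       # mark 7, any source
MarkSIP(9)       10.0.0.0/8    -      -       # mark 9 for one network
```

    Because the action carries the 'mangle' option, a 'MarkSIP' line
    in /etc/shorewall/rules is a compile-time error; with 'inline', the
    SOURCE given on each mangle line is combined with the matches of
    every rule in the body rather than being tested once in a separate
    chain.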

2)  The 'check -r' command now uses the PAGER program unless the -d
    option is also specified. Additionally, when the compiler runs with
    'trace', the PAGER program is used unless -d is set.

3)  It is now possible to raise an error if a condition isn't met using
    the ?ERROR directive.

    	?ERROR <message>

    The text after ?ERROR is displayed in a standard Shorewall error
    message.

4)  Using the new ?ERROR directive, embedded Perl has been eliminated
    from a number of standard actions.


    Example from action.GlusterFS:

    ?if @1 !~ /^\d+/ || ! @1 || @1 > 1024
        ?error Invalid value for Bricks (@1)
    ?elsif @2 !~ /^[01]$/
        ?error Invalid value for IB (@2)
    ?endif

    The above logic ensures that the first action parameter is a
    non-zero number <= 1024 and that the second parameter is either 0
    or 1. If 2000 is passed for the first parameter, the following
    error message is generated:

    ERROR: Invalid value for Bricks (2000)
      /usr/share/shorewall/action.GlusterFS (line 15)
      from /etc/shorewall/rules (line 45)

5)  Previously, inline matches were placed after column-generated
    matches in the generated rule. This meant that '-p' could not be
    used in inline matches. Beginning with this release, if the first
    non-blank character in an inline match is '+', then the remainder
    of the inline matches are placed at the front of the generated
    rule.

    There are a couple of restrictions:

    a. When -p is used in an inline match and the PROTO column is
       supplied, then an error is generated unless the resolved
       contents of the column matches the protocol specified in the
       inline match. Because the column resolves to a protocol number,
       only protocol numbers (not names) should appear in the inline
       match.

    b. Use of -i, -s, -o, or -d (or their long-form equivalents) in an
       inline match will result in a compilation error if the contents
       of the columns generates the same match.

6)  The TCPFlags action has been modified to use '+' in inline matches
    rather than embedded Perl with perl_action_tcp_handler() calls.

7)  A new 'audit' action option has been added. Such actions are
    expected to have at least two parameters; the first is a
    target and the second is either omitted or is 'audit'.
    Two existing standard actions (RST and NotSyn) have this
    characteristic and they have been converted to use the 'audit'
    option, eliminating embedded Perl within their bodies.

8)  Within an action body, if a parameter is omitted in a DEFAULTS
    statement, then the value of the corresponding action and Shorewall
    variables is '-', while if the parameter is specified as '-' in
    the parameter list, the value of the variables is '' if
    expanded before the DEFAULTS statement.

    Additionally, when an expression is evaluated, the value 0
    evaluates as false; so '?IF @n' and '?IF $n' both fail if the nth
    parameter is passed with value zero.

    To make testing of the presence of parameters more efficient and
    uniform, a new function has been added for use in ?IF and
    ?ELSIF:

        ?IF [!] passed(<variable>)

    where <variable> is an action or Shorewall variable.

    'passed(@n)' and 'passed($n)' evaluate to true if the nth parameter
    is not empty and its contents are other than '-'. If '!' is
    present, the result is inverted.

    In this simple form, the expression is evaluated by the compiler
    without having to invoke the (expensive) Perl eval() function. The
    'passed' function may also be used in more complex expressions, but
    eval() will be invoked to evaluate those expressions.
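    As an added illustration of items 3, 4 and 8 together (an example
    written for these notes, not one of Shorewall's standard actions;
    the action name LimitConn, its parameters and the port and limit
    checks are assumptions), the action below validates its parameters
    with passed() and ?ERROR after DEFAULTS has supplied fallbacks, so
    an invocation that omits the port, or passes '-' for it, fails at
    compile time instead of producing a wrong rule:

```text
# /etc/shorewall/actions  (added example; LimitConn is a hypothetical name)
#ACTION      OPTIONS
LimitConn    # 1 = target for excess connections (default DROP)
             # 2 = TCP port (required)
             # 3 = connections allowed per source address (default 3)

# /etc/shorewall/action.LimitConn  (added example)
#
# Supply defaults first; a parameter the caller omitted or gave as '-'
# is '-' (or '') afterwards, and passed() is false for both.
DEFAULTS DROP,-,3

?if ! passed(@2)
    ?error LimitConn requires a port as its second parameter
?elsif @2 !~ /^\d+$/ || @2 > 65535
    ?error Invalid port (@2)
?elsif @3 !~ /^\d+$/ || ! @3
    ?error Invalid connection limit (@3)
?endif

# FORMAT-2 action columns. CONNLIMIT matches once a source address
# already holds more than @3 connections to the port, so @1 is applied
# only to the excess connections.
#TARGET   SOURCE   DEST   PROTO   DPORT   SPORT   ORIGDEST   RATE   USER   MARK   CONNLIMIT
@1        -        -      tcp     @2      -       -          -      -      -      @3
```

    With that declaration, a rules file entry such as
    'LimitConn(DROP,22,3)  net  $FW' drops new connections to port 22
    from any address that already has more than three, while
    'LimitConn(DROP)' and 'LimitConn(DROP,-)' both stop the compile
    with 'ERROR: LimitConn requires a port as its second parameter'
    followed by the usual action-file and rules-file line references.
    The third test uses '! @3' deliberately: a limit of 0 is rejected,
    and the regex before it keeps a non-numeric value from reaching
    the numeric comparison.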

9)  The MARK and CONNMARK targets are now available in the rules file,
    macros, and actions. Mark ranges are not currently supported with
    these targets.

----------------------------------------------------------------------------
                  I V.  M I G R A T I O N   I S S U E S
----------------------------------------------------------------------------

1)  If you are migrating from Shorewall 4.4.x or earlier, please see
    http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.21/releasenotes.txt

2)  It is strongly recommended that you first upgrade your installation
    to a 4.6 release >= 4.6.12 prior to upgrading to Shorewall 5.0.

    Once you are on the Shorewall 4.6 release:

    - shorewall update -A

    If you also run Shorewall6:
    
    - shorewall6 update -A

    These steps are necessary because Shorewall 5.0:

    - Does not contain support for the 'tcrules' and 'tos' files --
      existing 'tcrules' and 'tos' files must be converted to an
      equivalent set of 'mangle' file entries.

    - Does not contain support for the 'blacklist' file -- it must
      be converted to an equivalent 'blrules' file.

    - Does not contain support for the 'notrack' file -- it must be
      converted to an equivalent 'conntrack' file.

    - Does not contain support for the 'routestopped' file -- it must
      be converted to an equivalent 'stoppedrules' file.

    Note that you can run the update command(s) after you upgrade to
    Shorewall 5 but your firewall will not work correctly until
    you do those update(s).

3)  The following configuration options have been eliminated:

    - EXPORTPARAMS
    - IPSECFILE
    - LEGACY_FASTSTART
    - LOGRATE *
    - LOGBURST *
    - WIDE_TC_MARKS *
    - HIGH_ROUTE_MARKS *
    - BLACKLISTNEWONLY *

    A fatal error results if those flagged with an asterisk ("*")
    appear in the .conf file -- run the 'shorewall[6] update' command
    to convert their settings to use supported options.

    A warning is issued if any of the rest appear in the .conf file.
    'shorewall[6] update' will drop them from the file.

4)  To make the command names more accurately reflect what they do,
    several changes were made in Shorewall 5.0.0:

    a)  The 'restart' command does a true restart and is equivalent to
        a 'stop' followed by a 'start' (but see the RESTART option
        below).

    b)  The pre-5.0.0 'load' command has been renamed 'remote_start'.

    c)  The pre-5.0.0 'reload' command has been renamed 'remote_reload'.

    d)  The 'reload' command now performs the same function as the
        pre-5.0.0 'restart' command.

    e)  A 'remote_restart' command has been added to Shorewall and
        Shorewall6 to allow a remote 'restart' after updating the
        remote firewall system's compiled script.

    For those that can't get used to the idea of using 'reload' in
    place of 'restart', a RESTART option has been added. The option
    defaults to 'reload' for compatibility with earlier releases, so
    'restart' behaves like 'reload' unless RESTART=restart is set, in
    which case the 'restart' command does a true restart (stop
    followed by start).

5)  While the WORKAROUNDS setting is still present in the
    shorewall[6].conf file:

    a)  Its default setting has been changed to No.

    b)  All workarounds for old distributions have been eliminated.

6)  Beginning with Shorewall 5.0.0, all macros and actions are assumed
    to be FORMAT-2.  FORMAT-1 macros and actions are no longer supported
    and will be silently processed as if they were FORMAT-2. For most
    macros and actions, this change will be of no concern, but may cause
    compilation errors in rare cases.

    To review, FORMAT-1 actions have the following columns:

       TARGET
       SOURCE
       DEST
       PROTO
       DEST PORT(S)
       SOURCE PORT(S)
       RATE
       USER/GROUP
       MARK

    FORMAT-1 macros have these columns:

       TARGET
       SOURCE
       DEST
       PROTO
       DEST PORT(S)
       SOURCE PORT(S)
       RATE
       USER/GROUP

    FORMAT-2 actions and macros, on the other hand, have:

       TARGET
       SOURCE
       DEST
       PROTO
       DEST PORT(S)
       SOURCE PORT(S)
       ORIGINAL DEST
       RATE
       USER/GROUP
       MARK
       CONNLIMIT
       TIME
       HEADERS (Only valid for IPv6)
       SWITCH
       HELPER

    To summarize, if your action or macro only uses the first 6
    columns (which most do), then it will process fine as
    FORMAT-2. Otherwise, it must be modified to place specifications in
    the proper columns.

7)  COMMENT, FORMAT and SECTION lines must now begin with a question
    mark ("?"). The 'update' command will change all bare COMMENT,
    FORMAT and SECTION lines to include the question mark.

----------------------------------------------------------------------------
         V.  N O T E S  F R O M  O T H E R  5 . 0  R E L E A S E S
----------------------------------------------------------------------------
            P R O B L E M S  C O R R E C T E D  I N  5 . 0 . 6
----------------------------------------------------------------------------
1)  This release includes defect repair through Shorewall 5.0.5.1.

2)  Previously, the generated function define_firewall() contained
    logic for handling the 'stop' and 'clear' commands. Beginning with
    this release, the function will no longer include that logic, since
    the function is not called when processing those commands.

3)  The 'persistent' option on a provider previously caused a duplicate
    routing rule to be created each time that the provider was
    disabled. This has been corrected so that duplicate rules are not
    created.

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   5 . 0 . 6
----------------------------------------------------------------------------

1)  The GATEWAY column in /etc/shorewall[6]/providers may now contain
    the keyword 'none'. This will create a routing table with no
    default route, to allow handling policy-routing scenarios where a
    default route is not required.

2)  Previously, when both Shorewall and Docker were used on the same
    system, one of two approaches had to be followed:

    a)  Run docker with --iptables=false and use Shorewall to
        configure Netfilter.

    b)  Run docker with --iptables=true and use extension scripts to
        save/restore the Docker-generated rules.

    The first is complex and the second is difficult to do in a way
    that ensures that changes to the Shorewall configuration aren't
    lost during restart/reload.

    In this release, a new DOCKER option is available in
    shorewall.conf. When DOCKER=Yes, the generated script takes
    responsibility for saving and restoring the Docker-generated rules.

    The Shorewall implementation assumes that the default 'docker0'
    bridge is being used.
    
    It is recommended that docker0 be assigned to a zone in
    /etc/shorewall/interfaces. When you do that, the setting
    of 'routeback' for that interface determines whether
    inter-container communication is allowed. If docker0 is not listed
    in the interfaces file, then the generated script will save/restore
    the FORWARD chain rules for that interface.

    If you are using Docker's network features where bridges with names
    of the form br-xxxxxxxxxxxx are created, those bridges should not
    be defined to Shorewall.

    Note that DOCKER=Yes is currently supported only in Shorewall and
    not in Shorewall6.
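    An added configuration example for this arrangement (written for
    these notes, not taken from the Shorewall documentation; the zone
    name 'dock', the interface eth0 and the policies are assumptions):

```text
# /etc/shorewall/shorewall.conf  (only the setting relevant here)
DOCKER=Yes            # the generated script saves Docker's own rules before
                      # stop/reload and restores them afterwards; assumes
                      # the default docker0 bridge (Shorewall only, not
                      # Shorewall6)

# /etc/shorewall/zones
#ZONE    TYPE
fw       firewall
net      ipv4
dock     ipv4         # containers attached to docker0

# /etc/shorewall/interfaces
#ZONE    INTERFACE    OPTIONS
net      eth0         dhcp,tcpflags,nosmurfs
dock     docker0      routeback         # 'routeback' allows container-to-
                                        # container traffic through the host;
                                        # omit it to block that traffic
# Bridges that Docker creates for user-defined networks (br-xxxxxxxxxxxx)
# are deliberately not listed here.

# /etc/shorewall/policy
#SOURCE  DEST    POLICY   LOGLEVEL
dock     net     ACCEPT             # containers may reach the Internet
$FW      all     ACCEPT
net      all     DROP     info
all      all     REJECT   info      # dock -> $FW and net -> dock are
                                    # denied unless a rule allows them
```

    Listing docker0 in the interfaces file is what makes the
    'routeback' choice visible: with it, the zone's containers can
    talk to each other across the bridge; without it, Shorewall's
    FORWARD rules for docker0 refuse the traffic. On a dual-stack host
    the IPv6 side still needs one of the two older approaches, since
    Shorewall6 does not support DOCKER=Yes.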

3)  A new SNMPtrap macro has been added and is intended to supersede
    SNMPTrap. The latter is now deprecated, but is still available for
    use.

4)  As an alternative to entries in the ecn file, the IPv4 mangle file
    now supports an ECN target for clearing the ECN flags in the TCP
    header. See shorewall-mangle(8) for details.

5)  The remainder of the documentation has been updated to use the new
    column headings.

6)  Beginning with this release, voluminous CLI output to terminals from 'show'
    and 'dump' commands may be automatically paged using a program like
    'less' or 'more'. The pager program to be used, if any, is
    specified using the PAGER option in shorewall[6].conf.

----------------------------------------------------------------------------
            P R O B L E M S  C O R R E C T E D  I N  5 . 0 . 5
----------------------------------------------------------------------------

1)  Previously, an interface could be erroneously assigned to two
    different providers and the compiler did not flag that as an error.

    The compiler now correctly catches this violation.

2)  The alignment of the output of the 'shorewall[6] show macros'
    command has been corrected.

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   5 . 0 . 5
----------------------------------------------------------------------------

1)  The .ip[6]tables-restore-input file may now include comments which
    indicate the origin of the rules, similar to the ip[6]tables
    comments that are generated when TRACK_RULES=Yes in
    shorewall[6].conf. This additional information is added when
    TRACK_RULES=File.

    Note: This change also enhances TRACK_RULES=Yes by adding tracking
    comments to additional generated ip[6]tables rules.

2)  The output of 'shorewall[6] show actions' is now sorted.

3)  The macro file headers have been updated to use the new
    column names. Also, some macros now invoke other macros rather than
    duplicating their rules. This is intended to ease future
    maintenance (Tuomo Soini).

4)  Additional documentation articles have been updated to use the new
    column names (Tuomo Soini).

----------------------------------------------------------------------------
            P R O B L E M S  C O R R E C T E D  I N  5 . 0 . 4
----------------------------------------------------------------------------

1)  There previously existed a slight possibility that starting both
    Shorewall and Shorewall6 simultaneously could lead to a failure
    such as this one:

    Dec 18 13:18:35 elmo.example.com shorewall6[1889]: Loading Modules...
    Dec 18 13:18:38 elmo.example.com shorewall6[1889]: Another app is
       currently holding the xtables lock. Perhaps you want to use 
       the -w option?
    Dec 18 13:18:40 elmo.example.com shorewall6[1889]:
       ERROR: Cannot Create Mangle chain fooX2349
    Dec 18 13:18:40 elmo.example.com systemd[1]: shorewall6.service:
        main process exited, code=exited, status=255/n/a

    That problem can no longer occur.

2)  Previously, when a source- or destination-specific RATE was
    specified on a logging rule (LOG, ULOG or NFLOG), the compiler
    incorrectly applied both the specified RATE as well as the global
    LOGLIMIT. That has been corrected so that only the specified RATE
    is applied.

3)  Previously, when @caller was used within an action body, the
    compiler would not create unique ip[6]tables chains for each
    invocation of the action, even though the invocations had different
    values of @caller. Now, each invocation of such an action creates a
    separate ip[6]tables chain for each unique caller.

4)  Previously, the 'status -i' command produced error output when
    there were no optional interfaces. That erroneous output is no
    longer produced.

5)  Traffic shaping configurations that use red or codel will now
    produce consistent compiled scripts. Previously, these
    configurations could produce equivalent but different scripts on
    consecutive compilations.

6)  Previously, the Shorewall compiler enforced old rules about where
    country codes could appear. As those restrictions have now been
    removed, the compiler no longer issues messages such as these:

      ERROR: A countrycode list may not be used in this context

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   5 . 0 . 4
----------------------------------------------------------------------------

1)  Shorewall Init is now supported on OpenWRT.

2)  The IPTABLES and IP6TABLES actions in the rules and mangle files
    can now correctly handle logging targets (LOG, ULOG and
    NFLOG). Previously, an attempt to use these targets would result in
    an error similar to:

       ERROR: LOG requires a level

3)  To further reduce the possibility of failures caused by Shorewall
    and Shorewall6 starting concurrently, a new WAIT_OPTION capability
    has been implemented. On systems with that capability, all
    'iptables' and 'ip6tables' commands will use the --wait option.

4)  The .214.service files have been removed and the .service files
    (with the exception of Debian) have been updated to use the
    network-pre.target (Tuomo Soini).

5)  Shorewall, Shorewall6, Shorewall-lite and Shorewall6-lite now
    install /etc/sysconfig/<product> files for specifying
    start/restart/reload options on those distributions that use
    /etc/sysconfig.

6)  The mangle file now supports a DIVERTHA action that provides
    support for HAProxy.

    To set up the HAProxy configuration described at
    http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x,
    place this entry in shorewall-providers(5):

      #NAME     NUMBER   MARK    DUPLICATE  INTERFACE   GATEWAY   OPTIONS
      TProxy    1        -       -          lo          -         tproxy

    and use this DIVERTHA entry in the mangle file:

      #ACTION         SOURCE          DEST            PROTO  ...
      DIVERTHA        -               -               tcp

----------------------------------------------------------------------------
            P R O B L E M S  C O R R E C T E D  I N  5 . 0 . 3
----------------------------------------------------------------------------

1)  This release includes defect repair through Shorewall 5.0.2.1.

2)  To avoid interference with other subsystem settings, all released
    shorewall6.conf files now specify IP_FORWARDING=keep. Previously,
    the settings were inconsistent among the various sample files.

3)  This release includes more fixes to the configure, install and
    uninstall scripts (Matt Darfeuille).

4)  Previously, Shorewall6 rejected rules in which the SOURCE contained
    both an interface name and a MAC address (in Shorewall
    format). That defect has been corrected so that such rules are now
    accepted.

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   5 . 0 . 3
----------------------------------------------------------------------------

1)  The MODULESDIR option in shorewall[6].conf has been extended to
    allow specification of additional directories to be added to those
    defaulted by Shorewall. If the specified value begins with "+",
    then the remainder of the value is assumed to be a colon-separated
    list of directory names that are relative to
    /lib/modules/`uname -r`.

    For example, to load the xt_RTPENGINE module, you would create
    /etc/shorewall/modules as follows:

        INCLUDE /usr/share/shorewall/modules
        loadmodule xt_RTPENGINE

    You would then set MODULESDIR as:

        MODULESDIR="+extra/rtpengine"

2)  Previously, some of the column headings in the configuration files
    required two lines to display. For example, in the rules file:

    #ACTION  SOURCE    DESTINATION PROTOCOL	DEST      SOURCE
    #                                           PORT(S)   PORT(S)

    To use the alternative input format for such two-word columns, a
    one-word abbreviation was required. For example, DEST PORT(S) is
    abbreviated as 'dport' and SOURCE PORT(S) is abbreviated as
    'sport'.

    The two-line column headings are also a nuisance for Emacs users
    because when the <tab> key is struck, Emacs positions the cursor
    based on the white space in the preceding line. So if an ACTION is
    typed and the <tab> key is then depressed, rather than position the
    cursor in the SOURCE column, Emacs positions it in the DEST PORT(S)
    column.

    To eliminate these issues, the multi-word columns have been
    relabelled to use their abbreviated names. Note that this
    relabelling does not require modification of existing
    configurations. It simply means that the sample files released
    with Shorewall and the manpages that describe column-oriented
    files now use the abbreviated names rather than the previous names
    (Tuomo Soini and Tom Eastep).

3)  ADD rules may now include a timeout value which will override
    any timeout that was specified when the related ipset was created.


4)  Commas are now allowed in log tags when LOGTAGONLY=Yes. Previously,
    characters after the first comma in a log tag were discarded when
    LOGTAGONLY=Yes.

----------------------------------------------------------------------------
            P R O B L E M S  C O R R E C T E D  I N  5 . 0 . 2
----------------------------------------------------------------------------
5.0.2.1

1)  When processing the 'dump' command, the CLI now uses 'netstat' to
    print socket information when the 'ss' utility is not installed.

2)  Several defects in the installers/uninstallers have been corrected
    (Matt Darfeuille).

5.0.2

1)  This release includes defect repair up through Shorewall 5.0.1.1.

2)  The MSSQL macro now allows UDP port 1434 (Tuomo Soini).

3)  A number of issues with param file processing on Cygwin have been
    corrected. The most serious of these issues was introduction of
    syntax errors into the generated firewall script.

4)  More version numbers have been removed from configuration files
    and Macros (Tuomo Soini).

5)  The check for use of a circular kernel log buffer (as opposed to a
    log file) has been improved.

6)  Previously, HOST=default was accepted by configure[.pl], but the
    generated shorewallrc file was unusable. Now, HOST=default is
    equivalent to HOST=linux.

7)  Previously, if a circular log buffer was being used, the output of
    various commands still displayed '/var/log/messages' as the log
    file. Now, it is displayed as 'logread'.

8)  The 'remote-*' commands now return correct exit status.

9)  Previously, if LOCKFILE specified a file in a directory other than
    $VARDIR, and that directory did not exist, it was not created
    automatically.

10) Previously, optional interfaces were not enabled during 'start' and
    'restart' unless there was at least one entry in the 'providers'
    file.  This resulted in these interfaces not appearing in the
    output of 'shorewall[6] status -i'.

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   5 . 0 . 2
----------------------------------------------------------------------------

1)  The providers file now supports a 'persistent' option. When
    specified, this option removes the need to configure host routes to
    systems used as the 'checkip' in LSM.

    As part of this change, two other configuration files have changed:

    a) The 'rtrules' file now allows the rule priority to be followed
       by an exclamation mark ("!").

    b) An OPTION column has been added to the 'routes' file. The only
       option currently supported is 'persistent'.

    The option affects the routing configuration when the provider is
    disabled:

    - The provider's routing table still exists and contains the
      provider's default route.

    - Unless 'noautosrc' is specified, connections originating from the
      interface's IP address(es) are routed via the provider's default
      gateway.

    - Routing rules for the provider that specify '!' after the
      priority are left in place.

    - 'persistent' routes for the provider are left in place, allowing
      communication with local networks that are still accessible.

2)  It is now possible to replace any function in the CLI libraries
    except for get_config(). This is accomplished by placing the
    replacement function(s) in a shell library named 'lib.cli-user' in
    a directory on the CONFIG_PATH. This allows for customization of
    commands as well as working around distribution-specific issues.

3)  Support for OpenWRT versions BB and later has been added. Included
    in this support are:

    - The log display commands (show log, logwatch, etc.) no longer
      depend on the 'tac' utility (although it will be used if it is
      installed).

    - Shorewall-core's 'configure' script detects OpenWRT and accepts
      HOST=openwrt as an argument.
      
    - Shorewall-core, Shorewall-lite and Shorewall6-lite installers
      support openwrt. Additionally, those installers no longer depend
      on the 'install' utility.

    - Shorewall[6]-lite will use OpenWRT's 'lock' utility to create the
      LOCKFILE.

    A special thanks to Matt Darfeuille for his help in making this
    support possible.

4)  Configuration files and extension scripts now have uniform
    introductory comments (Tuomo Soini).

----------------------------------------------------------------------------
            P R O B L E M S  C O R R E C T E D  I N  5 . 0 . 1
----------------------------------------------------------------------------

1)  Previously, if statistical load balancing was used in the providers
    file, the default route in the main table was not deleted during
    firewall start/restart. That route is now correctly deleted.

2)  Certain files in /etc/shorewall[6] previously had permissions 644.
    Those have been changed to 600 to match the other files in the
    directories.

3)  Previously, the CLI programs did not deal properly with the absence
    of the 'hostname' utility. Now, if that utility is not present, the
    programs look for 'uname' and if it is present, they use the 'uname
    -n' command. If neither 'hostname' nor 'uname' are installed, the
    programs display 'localhost' as the system name.

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   5 . 0 . 1
----------------------------------------------------------------------------

1)  'second' and 'minute' are now allowed in the LOGLIMIT
    specification in place of 'sec' and 'min' respectively. This
    enhancement was present in Shorewall 4.6.13 but was not available
    in Shorewall 5.0.0.

2)  The LEGACY_RESTART option has been superseded by the RESTART
    option. RESTART may be set as follows:

      RESTART=reload

	Causes the 'restart' command to perform the same action as the
	'reload' command. This is the default if RESTART is not set.

      RESTART=restart

	Causes the 'restart' command to perform a true restart (stop
	followed by start).

    If LEGACY_RESTART is present in shorewall[6].conf and RESTART is
    not, then its setting will govern the behavior of 'restart'. The
    'update' command will convert the LEGACY_RESTART setting to the
    equivalent RESTART setting.

----------------------------------------------------------------------------
            P R O B L E M S  C O R R E C T E D  I N  5 . 0 . 0
----------------------------------------------------------------------------

1)  This release includes defect repair up through Shorewall 4.6.13.1.

2)  The compiled script now uses the %e date format rather than %_d,
    for Busybox compatibility. (Erich Titl)

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   5 . 0 . 0
----------------------------------------------------------------------------

1)  To make the command names more accurately reflect what they do,
    several changes have been included:

    a)  Beginning with this release, the 'restart' command now does a
        true restart and is equivalent to a 'stop' followed by a
        'start'.

    b)  The pre-5.0.0 'load' command has been renamed 'remote_start'.

    c)  The pre-5.0.0 'reload' command has been renamed 'remote_reload'.

    d)  The 'reload' command now performs the same function as the
        pre-5.0.0 'restart' command.

    e)  A 'remote_restart' command has been added to Shorewall and
        Shorewall6 to allow a remote 'restart' after updating the
        remote firewall system's compiled script.

2)  For those who can't get used to the idea of using 'reload' in
    place of 'restart', a LEGACY_RESTART option has been added. The
    option defaults to No, but if set to Yes, the 'restart' command
    does what it has always done.

3)  It is now possible to limit connections by destination address in
    the rules file by prefixing the CONNLIMIT setting with 'd:'.

4)  While the WORKAROUNDS setting is still present in the
    shorewall[6].conf files:

    a)  Its default setting has been changed to No.

    b)  All workarounds for old distributions have been eliminated. See
        the Migration Issues for additional information.

5)  A number of configuration options have been eliminated:

    - EXPORTPARAMS
    - IPSECFILE
    - LEGACY_FASTSTART
    - LOGRATE *
    - LOGBURST *
    - WIDE_TC_MARKS *
    - HIGH_ROUTE_MARKS *
    - BLACKLISTNEWONLY *

    A fatal error results if those flagged with an asterisk ("*")
    appear in the .conf file -- run the 'shorewall[6] update' command
    to convert their settings to use supported options.

    A warning is issued if any of the rest appear in the .conf file.
    'shorewall[6] update' will drop them from the file.

6)  The -b, -D, -r, -s, -t and -n options have been removed from the
    'update' command. The command now behaves as if all of those
    options had been specified.

7)  Support has been removed for the 'blacklist', 'tcrules',
    'routestopped', 'notrack' and 'tos' files.

    The 'update' command will:

    - convert the 'tcrules' and 'tos' files to the equivalent 'mangle'
      file.

    - convert the 'blacklist' file into an equivalent 'blrules' file.

    - convert the 'routestopped' file into the equivalent 'stoppedrules'
      file.

    - convert a 'notrack' file to the equivalent 'conntrack' file.

8)  Beginning with this release, all macros and actions are assumed
    to be FORMAT-2. FORMAT-1 macros and actions are no longer supported
    and will be silently processed as if they were FORMAT-2. For most
    macros and actions, this change will be of no concern, but may cause
    compilation errors in rare cases.

9)  Beginning with this release, COMMENT, FORMAT and SECTION lines must
    begin with a question mark ("?"). The 'update' command makes these
    changes for you.

10) As an alternative to INLINE_MATCHES=Yes, you may now specify inline
    matches (raw ip[6]tables text) after a double semicolon (';;').

    Example from the 'masq' file to split SNAT between two public
    addresses on eth1:

      #INTERFACE SOURCE ADDRESS
      eth1       -      1.2.3.1 ;; -m statistic --mode random --probability 0.50
      eth1       -      1.2.3.2

11) Options in shorewall[6].conf that accept a log level now also allow
    specification of a log tag.

    Example:

      TCP_FLAGS_LOG_LEVEL=info:,tcpflags

12) A PROBABILITY column has been added to the masq file. One usage
    scenario is to balance SNAT between two or more IP addresses on a
    WAN interface:

      #INTERFACE SOURCE ADDRESS
      eth1       -      1.2.3.4 { probability=0.50 }
      eth2       -      1.2.3.5
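
    The ';;' inline match and the PROBABILITY column described above both
    end up as an ip[6]tables statistic match, and because the generated
    SNAT rules are tried in file order, a later rule only sees the traffic
    that earlier rules did not take. The following added example (not part
    of these release notes or of Shorewall's own code) parses constructed
    masq-file lines in both syntaxes and computes the share each address
    actually receives; it goes beyond the two-address case in the text to
    show the probabilities needed for an even three-way split.

```python
import re

# Constructed sample in the Shorewall 5.0.0 'masq' file syntax (not from the release
# notes): eth1 splits SNAT with a ';;' inline match, eth2 with the PROBABILITY
# column, eth3 shows why three addresses need 1/3 then 1/2 rather than 1/3 twice.
SAMPLE_MASQ = """\
#INTERFACE SOURCE ADDRESS
eth1       -      1.2.3.1 ;; -m statistic --mode random --probability 0.50
eth1       -      1.2.3.2
eth2       -      1.2.3.4 { probability=0.50 }
eth2       -      1.2.3.5
eth3       -      1.2.3.6 { probability=0.3333 }
eth3       -      1.2.3.7 { probability=0.50 }
eth3       -      1.2.3.8
"""

INLINE_PROB_RE = re.compile(r"--probability\s+([0-9.]+)")
OPTION_PROB_RE = re.compile(r"\{\s*probability\s*=\s*([0-9.]+)\s*\}")

def parse_masq_line(line):
    """Return (interface, address, probability) for one masq entry; probability is
    None when the entry matches everything that reaches it."""
    # Text after ';;' is raw ip[6]tables matter, so a '--probability' found there
    # is equivalent to the PROBABILITY column.
    columns, _, inline = line.partition(";;")
    prob = None
    for regex, text in ((OPTION_PROB_RE, columns), (INLINE_PROB_RE, inline)):
        m = regex.search(text)
        if m:
            prob = float(m.group(1))
    interface, _source, address = OPTION_PROB_RE.sub("", columns).split()[:3]
    return interface, address, prob

def effective_shares(text):
    """Fraction of new connections each ADDRESS ends up with, keyed by interface.
    The generated SNAT rules are tried in file order, so a rule with probability p
    only sees the traffic that earlier rules on the same interface did not take."""
    shares, remaining = {}, {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        interface, address, prob = parse_masq_line(line)
        left = remaining.get(interface, 1.0)
        p = 1.0 if prob is None else prob
        shares.setdefault(interface, {})[address] = left * p
        remaining[interface] = left * (1.0 - p)
    return shares
```

    With the sample above, eth1 and eth2 each split 50/50, while eth3
    lands within rounding of one third per address.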

13) Previously, when chain names were included in a 'reset' command,
    they were assumed to be filter table chains. Now, both a table name
    and a chain name can be given (e.g., mangle:PREROUTING). The
    specified table remains the default for the remainder of the
    command unless a following entry also includes a table name.

14) An action for Gluster FS (action.GlusterFS) has been added. See the
    action file for a description of the parameters.

