
----------------------------------------------------------------------------
                      S H O R E W A L L  4 . 5 . 2 . 2
                          ------------------------
                          A p r i l  1 4 , 2 0 1 2
----------------------------------------------------------------------------

I.    PROBLEMS CORRECTED IN THIS RELEASE
II.   KNOWN PROBLEMS REMAINING
III.  NEW FEATURES IN THIS RELEASE
IV.   RELEASE 4.4 HIGHLIGHTS
V.    MIGRATION ISSUES
VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES

----------------------------------------------------------------------------
  I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

4.5.2.2

1)  If a shorewallrc file is passed to the Shorewall-core 4.5.2.1
    installer, subsequent compilations will fail. The error message
    indicates that the compiler is looking for the lib.core file
    but the pathname has embedded whitespace.

    This has been corrected.

4.5.2.1

1)  The 4.5.2 configure script does not work on systems with Bash 3.x.
    To allow RPMs to be built on those systems, a Perl-based script
    (configure.pl) has been added. The sample .spec files included in
    the various packages have been changed to use the new script.

    Both configure and configure.pl now detect the distribution if
    neither 'host' nor 'vendor' (--host or --vendor) is specified on
    the command line.

    The 'configure' script now detects that it is running on a version
    of Bash that won't support the features used in the script and 
    issues an appropriate error message.

2)  In release 4.5.2, if an INCLUDE directive appeared inside a ?IF
    ... ?ENDIF sequence, then the following error would be generated
    after the included file had been read:

    	  ERROR: Missing ?ENDIF to match the ?IF at line ...

3)  An error in the shorewallrc.apple file has been corrected.

4)  The shorewallrc.redhat file has been changed to conform to Fedora
    packaging guidelines.

5)  The installers now modify the Makefile if non-standard settings are
    used for either SBINDIR or SHAREDIR.

6)  The output of the 'version -a' command reflected incorrect versions
    when Shorewall-core 4.5.2 was installed. That has been corrected.

4.5.2

1)  This release includes the defect repairs from Shorewall 4.5.1.1 and
    4.5.1.2 (see below).

2)  The generated firewall script includes code to automatically create
    ipsets that are referenced but that don't exist. That code was
    broken in releases 4.4.22 and later. This defect has been
    corrected. As part of the fix, the generated script will now
    issue a warning message when it creates an ipset.

----------------------------------------------------------------------------
           I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1)  On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.

----------------------------------------------------------------------------
      I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

1)  The 'mss' option is now supported in the /etc/shorewall[6]/hosts
    files. See the manpages for details.

2)  It is now possible to conditionally include or omit configuration
    entries based on the settings of shell variables. See
    http://www.shorewall.net/configuration_file_basics.htm#Conditional
    for details.

3)  The MARK/CLASSIFY column in /etc/shorewall[6]/tcrules has been
    renamed ACTION to reflect the expanded set of actions that can be
    specified in the column.

4)  Some users are finding these ipset warnings objectionable:

    - Warning when a referenced ipset does not exist.
    - Warning when using [src] in a destination column or [dst] in a
      source column.

    These warnings may now be suppressed by setting IPSET_WARNINGS=No
    in shorewall.conf and/or shorewall6.conf.

5)  The evolution of the Shorewall installation process
    continues. Testers are invited to provide comments and suggestions
    about the following.

    Beginning with this release, the installers accept a configuration
    file as a parameter. Options set in the configuration file are as
    follows:

    BUILD (optional)   -- Platform on which the installation is being
    	  	     	  performed. Possible values are:

			  apple - OS X
			  archlinux - ArchLinux
			  cygwin - Cygwin running under Windows
			  debian - Debian and derivatives
			  linux - Generic Linux system
			  redhat - Fedora, RHEL and derivatives
			  suse - SLES and OpenSuSE
			
			  If no value is assigned, then the installer
			  will detect the platform.

    HOST (Optional)    -- Allowed values are same as for BUILD. If not
    	 	          specified, the BUILD setting is used.

    CONFDIR (Req'd)    -- Directory where product configuration
    	    	       	  directory is installed. Normally /etc.

    SHAREDIR (Req'd)   -- Directory where architecture-independent
    	     	     	  product files are installed. Normally
    	     	     	  /usr/share.

    LIBEXECDIR (Req'd) -- Directory where product executables are
    	       	          installed. Normally /usr/share or
    	       	          /usr/libexec.

    PERLLIBDIR (Req'd) -- Directory where Shorewall Perl modules are
    	       	       	  to be installed. Traditionally
    	       	       	  /usr/share/shorewall.
 
    SBINDIR (Req'd)    -- Directory where product CLI programs are
    	    	          installed. Normally /sbin

    MANDIR (Req'd)     -- Directory where manpages are
    	   	          installed. Normally /usr/share/man.

    INITFILE (Optional)
                       -- Optional. If given, specifies the installed
		       	  filename of the initscript. Normally 
			  set to $PRODUCT which the installers expand
			  to the name of the product being installed.
			  If not specified, no init script will be
			  installed.

    INITSOURCE (Optional)
                       -- Must be specified if INITFILE is specified. 
		          Gives the name of the file to be installed
			  as the INITFILE. 

    INITDIR (Optional) -- Directory where SysV init scripts are
    	    	          installed. Must be specified if INITFILE is
    	    	          specified.

    ANNOTATED (Optional) 
                       -- If non-empty, indicates that the
    		       	  configuration files are to be annotated with
			  manpage information. Normally empty.

    SYSTEMD (Optional) -- Name of the directory where .service files
    	    	       	  are to be installed. Should only be specified
    	    	       	  on systems running systemd.

    SYSCONFDIR (Optional)
                       -- Name of the directory where subsystem
    		          init configuration information is stored. 
			  On Debian and derivatives, this is
    			  /etc/default.  On other systems, it is
			  /etc/sysconfig.

    SYSCONFFILE (Optional) 
                       -- Name of the file to be installed in the
		          SYSCONFDIR. The installed name of the file
			  will always be the product name (shorewall,
    			  shorewall-lite, etc.)

    SPARSE (Optional)  -- If non-empty, causes only the .conf file to
    	   	          be installed in
    	   	          ${CONFDIR}/${PRODUCT}/. Otherwise, all of 
			  the product's skeleton configuration files
			  will be installed.

    TEMPDIR (Optional) -- If non-empty, the generated firewall script
    	    	       	  will export the variable TMPDIR with 
			  value $TEMPDIR.

    VARDIR (Required)  -- Directory where product state information
    	   	          is stored. Normally /var/lib.

			  This setting was previously stored in the
			  optional vardir file in the product's 
			  configuration directory.

    Each of the product tarballs contains a set of configuration files
    for the various HOSTS: 

    	shorewallrc.apple
    	shorewallrc.archlinux
	shorewallrc.cygwin
    	shorewallrc.debian
    	shorewallrc.default (for HOST 'linux')
	shorewallrc.redhat
	shorewallrc.suse

    To aid distribution packagers, a configure script has been added.
    The arguments to the script are the usual list of <option>=<value>
    assignments. The supported options are the same as those above,
    although they may be in lower case and may be optionally preceded
    by '--'.

    The configure script uses the setting of --host to select the
    appropriate rc file. It reads that file to establish default
    settings and then applies the values specified in the argument
    list. To allow use with the %configure RPM macro, only the last
    occurrence of a particular option setting is applied. The resulting
    settings are written to a file named 'shorewallrc' in the current
    working directory and are also written to standard out.

    When Shorewall-core is installed on a system (with no DESTDIR), it
    copies the specified configuration file into root's
    ~/.shorewallrc. The ~/.shorewallrc file is then used, by default,
    when installing the other packages.

    To further aid use with %configure, several aliases are supported:

       alias   	       option
       -----           ------
       sharedstatedir  vardir
       datadir	       sharedir
       sysconfdir      confdir

    The configuration file is also copied to
    ${SHAREDIR}/shorewall/shorewallrc where the CLI programs and init
    scripts can find it. Those programs are modified by the installer
    when ${SHAREDIR} is not /usr/share.

    When using Shorewall-lite or Shorewall6-lite, if the remote
    firewall's shorewallrc file differs from that on the firewall, then
    a copy of the remote file should be placed in the firewall's
    configuration directory on the administrative system.

    Beginning with this release, using /etc/shorewall-lite/vardir
    and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in
    favor of the VARDIR setting in shorewallrc.

        NOTE: While the name of the variable remains VARDIR, the
              meaning is slightly different. When set in shorewallrc,
              each product (shorewall-lite, and shorewall6-lite) will
              create a directory under the specified path name to
	      hold state information.

	      Example:

		  VARDIR=/opt/var/lib/

		  The state directory for shorewall-lite will be
		  /opt/var/lib/shorewall-lite/ and the directory for
		  shorewall6-lite will be /opt/var/lib/shorewall6-lite.

	      When VARDIR is set in /etc/shorewall[6]-lite/vardir, the
	      product will save its state in the specified directory.
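
The option handling described in item 5, as an added example (a model written for these notes, not the configure script shipped with Shorewall). It assumes aliases are matched after case folding and gives the sysconfdir alias precedence over the SYSCONFDIR option of the same name; the sample rc file is constructed.

```shell
#!/bin/sh
# Added example: a model of the option handling these notes describe for the
# configure script. It is not the script shipped with Shorewall.

# Map a --host value to the rc file that supplies its defaults.
rcfile_for_host() {
    case $1 in
        linux) echo shorewallrc.default ;;
        apple|archlinux|cygwin|debian|redhat|suse) echo "shorewallrc.$1" ;;
        *) echo "unknown host: $1" >&2; return 1 ;;
    esac
}

# Normalise an option name: drop an optional leading '--', fold to upper
# case, then apply the three %configure aliases from the notes.
# Assumption: aliases are matched after case folding, so 'sysconfdir=' sets
# CONFDIR even though SYSCONFDIR is also listed as an option of its own.
normalise_option() {
    name=$(printf '%s' "${1#--}" | tr '[:lower:]' '[:upper:]')
    case $name in
        SHAREDSTATEDIR) name=VARDIR ;;
        DATADIR)        name=SHAREDIR ;;
        SYSCONFDIR)     name=CONFDIR ;;
    esac
    printf '%s\n' "$name"
}

# resolve_settings RCFILE [option=value ...]
# Emits NAME=value lines: rc-file defaults first, then the arguments, with
# only the last occurrence of each option kept.
resolve_settings() {
    rcfile=$1
    shift
    {
        grep -E '^[A-Z_]+=' "$rcfile" || true
        for arg in "$@"; do
            case $arg in
                *=*) printf '%s=%s\n' "$(normalise_option "${arg%%=*}")" "${arg#*=}" ;;
                *)   echo "ignored: $arg" >&2 ;;
            esac
        done
    } | awk '{
            eq = index($0, "="); name = substr($0, 1, eq - 1)
            if (!(name in value)) order[++n] = name
            value[name] = substr($0, eq + 1)
        }
        END { for (i = 1; i <= n; i++) print order[i] "=" value[order[i]] }'
}

# Read one setting from resolve_settings output on stdin.
get_setting() { sed -n "s/^$1=//p"; }

# State directory of a -lite product when VARDIR comes from shorewallrc:
# a per-product directory under the given path.
state_dir() { printf '%s/%s\n' "${2%/}" "$1"; }

# Constructed sample rc file (not one of the shipped shorewallrc.* files).
SAMPLE_RC=$(mktemp)
cat > "$SAMPLE_RC" <<'EOF'
# constructed defaults
HOST=linux
CONFDIR=/etc
SHAREDIR=/usr/share
SBINDIR=/sbin
VARDIR=/var/lib
EOF

# sbindir is given twice, as %configure may do; only the last is applied.
resolve_settings "$SAMPLE_RC" --host=debian sbindir=/usr/sbin \
    --sharedstatedir=/opt/var/lib/ SBINDIR=/usr/local/sbin
```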

----------------------------------------------------------------------------
                   V.  M I G R A T I O N   I S S U E S
----------------------------------------------------------------------------

1)  If you are migrating from Shorewall 4.2.x or earlier, please see
    http://www.shorewall.net/pub/shorewall/4.4/shorewall-4.4.27/releasenotes.txt

2)  The BLACKLIST section of the rules file has been eliminated. 
    If you have entries in that file section, you must move them to the
    blrules file.

3)  This version of Shorewall requires the Digest::SHA1 Perl module.

        Debian: libdigest-sha1-perl
    	Fedora: perl-Digest-SHA1
    	OpenSuSE: perl-Digest-SHA1

4)  The generated firewall script now maintains the
    /var/lib/shorewall[6][-lite]/interface.status files used by SWPING
    and by LSM.

    If you have optional providers and do not run a link monitor like
    SWPING  or LSM that updates these files, then you should remove
    /etc/shorewall[6]/isusable if it is installed.

5)  The /etc/shorewall[6]/tos file is now deprecated in favor of the
    TOS() action in /etc/shorewall[6]/tcrules.

6)  The MARK/CLASSIFY column in /etc/shorewall[6]/tcrules has been
    renamed ACTION to reflect the expanded set of actions that can be
    specified in the column. There is no change to existing
    functionality.

7)  Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir
    and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in
    favor of the VARDIR setting in shorewallrc.

        NOTE: While the name of the variable remains VARDIR, the
              meaning is slightly different. When set in shorewallrc,
              each product (shorewall-lite, and shorewall6-lite) will
              create a directory under the specified path name to
	      hold state information.

	      Example:

		  VARDIR=/opt/var/

		  The state directory for shorewall-lite will be
		  /opt/var/shorewall-lite/ and the directory for
		  shorewall6-lite will be /opt/var/shorewall6-lite.


	      When VARDIR is set in /etc/shorewall[6]/vardir, the
	      product will save its state directly in the specified
	      directory.
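
A pre-upgrade check for the migration items above, plus the route_rules rename described under the 4.5.0 new features, as an added example (not part of Shorewall). The "SECTION BLACKLIST" header spelling is an assumption, and the sample directory is constructed to trip every check.

```shell
#!/bin/sh
# Added example: pre-upgrade audit of one configuration directory against
# the migration items in these notes. Not part of Shorewall.

# audit_config DIR -- print one finding per line; no output means clean.
audit_config() {
    dir=${1%/}

    # The BLACKLIST section of the rules file has been eliminated.
    # Assumption: the section header line reads "SECTION BLACKLIST".
    if [ -f "$dir/rules" ] &&
       grep -Eq '^[[:space:]]*SECTION[[:space:]]+BLACKLIST' "$dir/rules"; then
        echo "rules: BLACKLIST section found; move its entries to blrules"
    fi

    # isusable should go unless a link monitor maintains interface.status.
    if [ -f "$dir/isusable" ]; then
        echo "isusable: remove unless SWPING or LSM updates interface.status"
    fi

    # tos is deprecated; only flag it when it holds real entries.
    if [ -f "$dir/tos" ] && grep -Eqv '^[[:space:]]*(#|$)' "$dir/tos"; then
        echo "tos: deprecated; use the TOS() action in tcrules"
    fi

    # vardir (the -lite products) is deprecated in favor of shorewallrc.
    if [ -f "$dir/vardir" ]; then
        echo "vardir: deprecated; set VARDIR in shorewallrc instead"
    fi

    # route_rules was renamed rtrules; with both present rtrules is ignored.
    if [ -f "$dir/route_rules" ] && [ -f "$dir/rtrules" ]; then
        echo "route_rules: rtrules also exists and will be ignored with a warning"
    elif [ -f "$dir/route_rules" ]; then
        echo "route_rules: will be renamed to rtrules by the installer"
    fi
    return 0
}

# Migration item 3: this version requires the Digest::SHA1 Perl module.
have_digest_sha1() { perl -MDigest::SHA1 -e 1 2>/dev/null; }

# Constructed sample directory that trips every check above.
SAMPLE_DIR=$(mktemp -d)
printf 'SECTION BLACKLIST\nDROP net:192.0.2.0/24 all\nSECTION NEW\n' > "$SAMPLE_DIR/rules"
printf '# constructed entry\nall all tcp - 22 16\n' > "$SAMPLE_DIR/tos"
printf 'VARDIR=/opt/var/lib\n' > "$SAMPLE_DIR/vardir"
: > "$SAMPLE_DIR/isusable"
: > "$SAMPLE_DIR/route_rules"
: > "$SAMPLE_DIR/rtrules"

audit_config "$SAMPLE_DIR"
have_digest_sha1 || echo "Digest::SHA1: Perl module not installed"
```

Run audit_config once per installed configuration directory (for example /etc/shorewall and /etc/shorewall-lite); the vardir check only applies to the -lite products.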

----------------------------------------------------------------------------
        V I.  N O T E S  F R O M  O T H E R  4 . 5  R E L E A S E S
----------------------------------------------------------------------------
             P R O B L E M S  C O R R E C T E D  I N  4 . 5 . 1
----------------------------------------------------------------------------

4.5.1.2

1)  The Shorewall Lite and Shorewall6 Lite installers have been 
    installing the wrong SysV init script on Debian and derivatives.
    The correct script is now installed.

2)  Nested TC classes could result in Perl diagnostics like this one:

    Mar 24 22:42:14 dmz1 shorewall[839]: Use of uninitialized value in
    numeric eq (==) at /usr/share/perl5/Shorewall/Tc.pm line 1042,
    <$currentfile> line 13.

    These harmless messages have been eliminated.

3)  It is once again possible to omit the minimum length in the LENGTH
    column of the tcrules file.

4)  Under the following conditions, a compiler internal error was
    raised:

    - Extended conntrack match support is available.
    - Repeat Match is not available.
    - A DNAT rule specifies a destination port, a server port and
      an original destination.

5)  Beginning with release 4.4.26, setting both 'nets=' and 'dhcp' on
    an interface does not work correctly. That issue has been resolved
    in this release.

4.5.1.1

1)  When checking or compiling for export (-e option), /sbin/shorewall
    would previously issue a warning message if the SHOREWALL_SHELL
    specified in the remote firewall's shorewall.conf did not exist.

2)  The changes to TOS handling in 4.5.1 are incompatible with older
    releases such as RHEL5 and derivatives. That has been corrected.

3)  The rules compiler now verifies that the protocol is TCP, UDP, SCTP
    or DCCP when checking a port range (low:high or low-high).

4)  Previously, start or restart using the init script would fail with
    an error message referencing 'SHOREWALL_INIT_SCRIPT'. This defect
    was not visible to users that set AUTOMAKE=Yes or that run
    Shorewall-init.

4.5.1

1)  This release includes all defect repairs from versions
    4.5.0.1-4.5.0.3.

2)  The Shorewall-init installer now installs the proper init script on
    Redhat and Fedora.

3)  A typo has been corrected in the blrules man pages.

4)  Previously, if the interface appearing in the HOSTS column of
    /etc/shorewall6/hosts was not defined in
    /etc/shorewall6/interfaces, then the compiler would terminate with
    a Perl diagnostic:

      	   Can't use an undefined value as a HASH reference at
      	   /usr/share/shorewall/Shorewall/Zones.pm line 1817,
      	   <$currentfile> line ...

5)  The handling of the LIBEXEC and PERLLIB variables was broken in the
    base 4.5.0 release. Simon Mater has supplied a fix which is
    included in this release.

6)  On systems running systemd, init scripts are no longer installed in
    /etc/rc.d/init.d.

7)  The Shorewall Init installer now correctly detects the use of
    systemd.

8)  On systems running systemd, the installer now installs
    /sbin/shorewall-init. That file has not existed previously, even
    though shorewall-init.service is trying to use it.

9)  The compiler was previously failing to validate the contents of the
    LENGTH and TOS columns in /etc/shorewall/tcrules. The contents of
    those columns are now validated by the compiler and an appropriate
    error message is issued if validation fails.

10) The column headings in the tos files are now in the proper
    order. Previously, the SOURCE PORT and DEST PORT columns were
    reversed.

----------------------------------------------------------------------------
                    N E W  F E A T U R E S  I N  4 . 5 . 0
----------------------------------------------------------------------------

1)  Support is now included for IMQ. This takes the form of
    IMQ(<number>) in the MARK/CLASSIFY column of
    /etc/shorewall/tcrules.

2)  It is no longer necessary to specify a MARK value for the default
    class under a device that does not specify the 'classify'
    option. Simply set the MARK column to '-' in the default class.

3)  Previously, the install scripts included in the Shorewall packages
    were very restrictive. They could either be run to install directly
    onto the system in a distribution-dependent way, or they could
    install into a directory in a distribution-independent way. This
    limited their usefulness to packagers.

    Beginning with this release, the install scripts handle the install
    system and the target system independently. When running an
    installer, the following environmental variables can be set:

    a)  BUILD - Describes the system where the installer is
        running. Accepted values are:

	    cygwin    - Cygwin running under a Microsoft OS
	    apple     - OS X
	    debian    - Debian,Ubuntu,etc.
	    redhat    - Fedora,RHEL,Centos,Foobar,etc.
	    slackware - Slackware
	    archlinux - Arch Linux
	    linux     - Generic Linux
	    
        If BUILD is not set, then the installer uses its existing
        algorithm for detecting the current OS and distribution.

    b)  HOST - Describes the system where the installed package
        will run.

	- For Shorewall and Shorewall6, the possible values are
          the same as for BUILD.

        - If HOST is not set, the value of BUILD (through setting or
          detection) is used.
    
        - For Shorewall-lite and Shorewall6-lite, the possible choices
          are debian,  redhat, suse, slackware, archlinux and
          linux.

    	- For Shorewall-init, the possible choices are debian,
          redhat, and suse.

    c)  INITDIR - Gives the absolute path name of the directory
    	containing the init scripts.

    The choice of HOST and TARGET follows the naming of similar macros
    in rpm and autoconf.

    As part of these changes, LIBEXEC and PERLLIB must now hold an
    absolute pathname. So, for example, if you have been using

    	LIBEXEC=libexec

    you will need to change to

        LIBEXEC=/usr/libexec

    Additionally, support has been added for sourcing a file containing
    option settings. The file name is 'shorewall-pkg.config' in the
    parent directory of the untar'ed package file.

5)  The .spec files included with each package have undergone
    considerable revision.

    When running the package ./install.sh script:

    a) The setting for LIBEXEC is taken from the standard '_libexecdir'
       rpm macro.

    b) The setting for PERLLIB is taken from the standard
       'perl_privlib' rpm macro.

    c) The setting for INITDIR is taken from the standard
       '_initddir' rpm macro.

    d) The setting of BUILD is detected by the install script.

    e) The setting for TARGET is taken from the standard '_vendor' rpm
       macro.

    The rpms included with Shorewall are built with these settings of
    the standard rpm-supplied macros:

    	%_libexecdir  	   	/usr/libexec
        %perl_privlib		/usr/share/shorewall
	%_initddir		/etc/init.d
	%_vendor		suse
 
    The setting of %perl_sitelib is chosen for portability, since there
    seems to be no common location for site-specific Perl modules among
    the rpm-based distributions.

6)  A SWITCH column has been added to /etc/shorewall/masq. This column
    allows for enabling and disabling a rule based on a setting in
    /proc/net/nf_condition. See shorewall-masq(5) for details.

7)  The rules compiler now issues a warning when the 'src' ipset flag
    is used in a destination column or the 'dst' ipset flag is used in
    a source column.

8)  Support has been added for matching and setting the "Differentiated
    Services Code Point" (DSCP) field in the IP header. See
    shorewall-tcrules(5) and shorewall6-tcrules(5) for details.

9)  "Run-time gateway variables" are now supported. These variables
    have names that are composed of a percent sign ('%') followed by
    the logical name of an interface defined in
    /etc/shorewall/interfaces. They are expanded to the IP address of
    the default gateway out of the corresponding interface.

    Example: 

    %eth0 expands to the IP address of the default gateway out of eth0.

    See
    http://www.shorewall.net/configuration_file_basics.htm#Variables
    for details.

10) The 'update' command now omits non-default settings of
    WIDE_TC_MARKS and HIGH_ROUTE_MARKS from the updated .conf file.

11) The 'isusable' extension script is no longer installed by
    default. Users wishing to install it may simply copy it from
    /usr/share/shorewall[6]/configfiles. 

12) Support has been added for setting the "Type of Service" (TOS)
    header field in shorewall-tcrules(5) and shorewall6-tcrules(5). See
    the manpages for details. As part of this change, use of the
    shorewall-tos(5) and shorewall6-tos(5) files is deprecated and a
    warning is issued on the first rule in each file.

----------------------------------------------------------------------------
             P R O B L E M S  C O R R E C T E D  I N  4 . 5 . 0
----------------------------------------------------------------------------

4.5.0.3

1)  The .service file with Shorewall Init specified that
    /sbin/shorewall-init should be run for start and stop, but there
    was no such file.

    Now, the installer will install /sbin/shorewall-init and will omit
    installing /etc/rc.d/init.d/shorewall-init when systemd is being
    used.

2)  If the variable DEBUG was set to a non-empty value in the environment
    or in /etc/shorewall/params, then 'shorewall stop' and 'shorewall
    clear' would not totally remove the old ruleset and a subsequent
    'shorewall start' would fail.

3)  'shorewall trace stop' or 'shorewall trace clear' would previously
    fail to remove the entire ruleset.

4.5.0.2

1)  The init scripts from shorewall.net that were installed on systems
    other than Redhat-based and Debian-based systems were broken.
    
    '/etc/init.d/shorewall start' and '/etc/init.d/shorewall restart'
    failed with:

    	 "ERROR: No directory 'start'"

    or

	"ERROR: No directory 'restart'"

2)  The Shorewall-init installer now works correctly when installing
    the product on a Redhat-based distribution.

4.5.0.1

1)  The handling of the LIBEXEC and PERLLIB variables was broken in the
    base 4.5.0 release. Simon Mater has supplied a fix which is
    included in this release.
    
2)  A typo has been corrected in the blrules man pages.

3)  Previously, if the interface appearing in the HOSTS column of
    /etc/shorewall6/hosts was not defined in
    /etc/shorewall6/interfaces, then the compiler would terminate with
    a Perl diagnostic:

      	   Can't use an undefined value as a HASH reference at
      	   /usr/share/shorewall/Shorewall/Zones.pm line 1817,
      	   <$currentfile> line ...

4)  The Shorewall-init installer now installs the correct init script
    on Fedora and Redhat systems.

4.5.0

1)  This release includes all defect repairs included in
    4.4.27.1-4.4.27.3.

2)  The start and restart commands in Shorewall Lite and Shorewall6
    Lite now correctly handle the 'trace' and 'debug'
    keywords. Previously, those keywords were ignored.

3)  The 'ip route list' command on recent Linux systems (Ubuntu 11.10,
    for example) displays the IPv4 routing table in a seemingly random
    order. In the 'show routing' and 'dump' commands, Shorewall and
    Shorewall-lite now sort the output into the traditional
    'Most-specific to most-general' order.

4)  Previously, specifying 'No' in the HAVEROUTE column of
    /etc/shorewall6/proxyndp resulted in a run-time error. The code has
    been corrected so that no error occurs.

----------------------------------------------------------------------------
                    N E W  F E A T U R E S  I N  4 . 5 . 0
----------------------------------------------------------------------------

1)  The rules generated by the following interface options are now
    traversed after those generated by the blrules file.

	dhcp
	maclist
    	nosmurfs
	sfilter
        tcpflags

    As part of this change, the BLACKLIST section in the rules file has
    been eliminated. If you have rules in that section, you must move
    them to the blrules file prior to installing this Shorewall
    version.

2)  The timeout interval after which the previous state is restored 
    may now be specified in the safe-start and safe-restart commands.

3)  The packaging of the Shorewall products has been changed. Beginning
    with this release, the packages are:

    - Shorewall Core  -- Core libraries installed in
      		         /usr/share/shorewall/

    - Shorewall       -- Requires Shorewall Core. Together with
                         Shorewall Core, provides IPv4 firewalling.

    - Shorewall6      -- Requires Shorewall. Provides IPv6 firewalling.

    - Shorewall Lite  -- Requires Shorewall Core. As before.

    - Shorewall6 Lite -- Requires Shorewall Core. As before.

    - Shorewall Init  -- As before.

4)  Shorewall and Shorewall6 now share a single install.sh file as do
    Shorewall Lite and Shorewall6 Lite.

5)  Functions common to both /usr/share/shorewall/prog.header and
    /usr/share/shorewall/prog.header6 are now in a new library -
    lib.core. The file /usr/share/shorewall/prog.footer is now used
    for both IPv4 and IPv6.

6)  Run-time address variables (e.g., &eth0) may now be used in the
    SOURCE column of the rtrules files.

7)  The route_rules file has been renamed to 'rtrules'. The Shorewall
    and Shorewall6 installers will perform the rename on an existing
    file.

    If both files exist, route_rules will be processed and rtrules 
    will be ignored with a warning.

8)  A 'PROBABILITY' column has been added to the tcrules files. It
    causes the rule to match randomly with the probability specified in
    the column. See shorewall-tcrules(5) and shorewall6-tcrules(5) for
    details.

9)  An alternative to the balance=<weight> option in the providers file
    is now available. This alternative works when there are multiple
    links to the same ISP where both links use an ethernet interface (as
    opposed to PPPoE) and have the same default gateway.

    As part of this change, the generated firewall script now
    automatically maintains the
    /var/lib/shorewall[6][-lite]/interface.status files used by SWPING
    and by LSM.

    See http://www.shorewall.net/MultiISP.html#load for additional
    information.

    Example that sends 1/3 of the connections to the ComcastC provider
    and the rest to ComcastB:

    /etc/shorewall/shorewall.conf

    MARK_IN_FORWARD_CHAIN=No
    ...
    USE_DEFAULT_RT=Yes

    /etc/shorewall/providers:

    #NAME    NUMBER MARK DUP  INTERFACE GATEWAY       OPTIONS
    ComcastB 1      -    -    eth1      70.90.191.126 loose,balance,load=0.66666667
    ComcastC 2      -    -    eth0      67.170.120.1  loose,fallback,load=0.33333333

    Note: The 'loose' option is specified so that the compiler will not
    	  generate any rules based on interface IP addresses. That way
	  we have complete control over the priority of such rules 
	  through entries in the rtrules file.

    /etc/shorewall/rtrules

    #SOURCE             DEST  PROVIDER  PRIORITY
    70.90.191.120/29    -     ComcastB  1000
    &eth0	    	-     ComcastC  1000

    Note: eth0 has a dynamic address, so &eth0 is used in the SOURCE
    	  column.

    Note: Priority = 1000 means that these rules will come before rules
    	  that select a provider based on marks.

10) The Shorewall files in /etc/default and /etc/sysconfig now support
    two new options that affect how '/etc/init.d/shorewall start' 
    and '/etc/init.d/shorewall restart' behave:

    STARTOPTIONS   -- options to the start command.
    RESTARTOPTIONS -- options to the restart command.

    For example, if you always want 'start' to flush the conntrack
    table, then you would have:

    	   STARTOPTIONS="-p"

11) The Git repository has been reorganized to place the samples and
    manpages under their corresponding product directories. For
    example, trunk/manpage6 was moved to trunk/Shorewall6/manpages.

