----------------------------------------------------------------------------
		   S H O R E W A L L  4 . 6 . 1 3 . 3
                     ------------------------------
                     D e c e m b e r  1 0 ,  2 0 1 5
----------------------------------------------------------------------------

I.    PROBLEMS CORRECTED IN THIS RELEASE
II.   KNOWN PROBLEMS REMAINING
III.  NEW FEATURES IN THIS RELEASE
IV.   MIGRATION ISSUES
V.    PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES

----------------------------------------------------------------------------
                             N O T I C E

Shorewall 4.6.13 is scheduled to be the last 4.6 release. In
the fall of 2015, Shorewall 5.0.0 will be available. Please see
http://www.shorewall.org/Shorewall-5.html for information about
preparing to migrate to Shorewall 5.

----------------------------------------------------------------------------
  I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

4.6.13.3

1)  Previously, Shorewall6 rejected rules in which the SOURCE contained
    both an interface name and a MAC address (in Shorewall
    format). That defect has been corrected so that such rules are now
    accepted.

2)  A number of corrections have been made to the install, uninstall
    and configure scripts (Matt Darfeuille).

3)  Previously, optional interfaces were not enabled during 'start' and
    'restart' unless there was at least one entry in the 'providers'
    file.  This resulted in these interfaces not appearing in the
    output of 'shorewall[6] status -i'.

4)  The check for use of a circular kernel log buffer (as opposed to a
    log file) has been improved.

5)  Previously, if a circular log buffer was being used, the output of
    various commands still displayed '/var/log/messages' as the log
    file. Now, it is displayed as 'logread'.

6)  When processing the 'dump' command, the CLI now uses 'netstat' to
    print socket information when the 'ss' utility is not installed.

4.6.13.2

1)  Previously, if statistical load balancing was used in the providers
    file, the default route in the main table was not deleted during
    firewall start/restart. That route is now correctly deleted.

4.6.13.1

1)  Previously, the 'reset' command would fail if chain names were
    included. Now, the command succeeds, provided that all of the
    specified chains exist in the filter table.

2)  The TCP meta-connection is now supported by the Tinc macro and
    tunnel type. Previously, only the UDP data connection was
    supported.

4.6.13 Final

1)  The 'rules' file manpages have been corrected regarding the packets
    that are processed by rules in the NEW section.

2)  Parsing of IPv6 address ranges has been corrected. Previously, use
    of ranges resulted in 'Invalid IPv6 Address' errors.

3)  The shorewall6-hosts man page has been corrected to show the
    proper contents of the HOST(S) column.

4)  Previously, INLINE statements in the mangle file were not
    recognized if a chain designator (:F, :P, etc.) followed
    INLINE(...). As a consequence, additional matches following a
    semicolon were interpreted as column/value pairs unless
    INLINE_MATCHES=Yes, resulting in compilation failure.

5)  Inline matches on IP[6]TABLE rules could be ignored if
    INLINE_MATCHES=No. They are now recognized.

6)  Specifying an action with a logging level in one of the _DEFAULT
    options in shorewall[6].conf (e.g., REJECT_DEFAULT=Reject:info)
    produced a compilation error:

      ERROR: Invalid value (:info) for first Reject parameter
      	     /usr/share/shorewall/action.Reject (line 52)

    That has been corrected. Note, however, that specifying logging
    with a default action tends to defeat one of the main purposes of
    default actions which is to suppress logging.

7)  Previously, it was necessary to set TC_EXPERT=Yes to have full
    access to the user mark in fw marks. That has been corrected so
    that any place that a mark or mask can be specified, both the TC
    mark and the User mark are accessible.

----------------------------------------------------------------------------
           I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1)  On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.

----------------------------------------------------------------------------
      I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

4.6.13.3

1)  Support for OpenWRT versions BB and later has been added. Included
    in this support are:

    - The log display commands (show log, logwatch, etc.) no longer
      depend on the 'tac' utility (although it will be used if it is
      installed).

    - Shorewall-core's 'configure' script detects OpenWRT and accepts
      HOST=openwrt as an argument.

    - Shorewall-core, Shorewall-lite and Shorewall6-lite installers
      support OpenWRT. Additionally, those installers no longer depend
      on the 'install' utility.

    - Shorewall[6]-lite will use OpenWRT's 'lock' utility to create the
      LOCKFILE.

    A special thanks to Matt Darfeuille for his help in making this
    support possible.

4.6.13

1)  'update -t' now converts both the tcrules and tos files.

2)  'second' and 'minute' are now allowed in the LOGLIMIT
    specification in place of 'sec' and 'min' respectively.

3)  The 'update' command now converts additional deprecated option
    settings:

    - LOGRATE/LOGBURST are converted to the equivalent LOGLIMIT
      setting.

    - BLACKLISTNEWONLY is now converted to the equivalent BLACKLIST
      setting.

4)  Two settings now have more reasonable defaults if they don't appear
    in the .conf file being updated:

    - USE_DEFAULT_RT now defaults to No
    - EXPORTMODULES now defaults to No.

5)  When the 'update' command is converting a deprecated file, it now
    makes additional checks when it finds a target file (mangle,
    stoppedrules or blrules) to append the converted rules to:

    - If the file is in the directory $SHAREDIR/$product/configfiles/,
      the file is not opened.
    - If the file is in the directory
      $SHAREDIR/doc/$product/default-config/, the file is not opened.
    - If the file is not writable, the file is not opened.

    When the file isn't opened because of one of these checks, an
    attempt is made to create a new file in either the directory
    specified on the command line (if any) or in the first directory
    listed in the CONFIG_PATH setting.

----------------------------------------------------------------------------
                  I V.  M I G R A T I O N   I S S U E S
----------------------------------------------------------------------------

1)  If you are migrating from Shorewall 4.4.x or earlier, please see
    http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.21/releasenotes.txt

2)  Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir
    and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in
    favor of the VARDIR setting in shorewallrc.

        NOTE: While the name of the variable remains VARDIR, the
              meaning is slightly different. When set in shorewallrc,
              each product (shorewall-lite, and shorewall6-lite) will
              create a directory under the specified path name to
              hold state information.

              Example:

                  VARDIR=/opt/var/

                  The state directory for shorewall-lite will be
                  /opt/var/shorewall-lite/ and the directory for
                  shorewall6-lite will be /opt/var/shorewall6-lite.

              When VARDIR is set in /etc/shorewall[6]/vardir, the
              product will save its state directly in the specified
              directory.

    In Shorewall 4.5.8, a VARLIB variable was added to the shorewallrc
    file and the meaning of VARDIR is once again consistent. The
    default setting of VARDIR for a particular product is
    ${VARLIB}/$product. There is an entry of that form in the
    shorewallrc file. Because there is a single shorewallrc file for
    all installed products, the /etc/shorewall[6]-lite/vardir file
    provides the only means for overriding this default.

3)  Beginning with Shorewall 4.5.6, the tcrules file is processed if
    MANGLE_ENABLED=Yes, independent of the setting of TC_ENABLED. This
    allows actions like TTL and TPROXY to be used without enabling
    traffic shaping.

    If you have rules in your tcrules file that you only want processed
    when TC_ENABLED is other than 'No', then enclose them in

         ?IF $TC_ENABLED
         ...
         ?ENDIF

    If they are to be processed only if TC_ENABLED=Internal, then enclose
    them in

         ?IF TC_ENABLED eq 'Internal'
         ...
         ?ENDIF

4)  Beginning with Shorewall 4.5.7, the deprecated
    /etc/shorewall[6]/blacklist files are no longer installed. Existing
    files are still processed by the compiler. Note that blacklist
    files may be converted to equivalent blrules files using
    'shorewall[6] update -b'.

5)  In Shorewall 4.5.7, the /etc/shorewall[6]/notrack file was renamed
    /etc/shorewall[6]/conntrack. When upgrading to a release >= 4.5.7,
    the conntrack file will be installed along side of an existing
    notrack file. When both files exist, a compiler warning is
    generated:

       WARNING: Both notrack and conntrack exist; conntrack is ignored

    This warning may be eliminated by moving any entries in the notrack
    file to the conntrack file and removing the notrack file.

6)  In Shorewall 4.5.8, the /etc/shorewall[6]/routestopped files were
    deprecated in favor of new /etc/shorewall[6]/stoppedrules
    counterparts. The new files have much more familiar and
    straightforward semantics. Once a stoppedrules file is populated,
    the compiler will process that file and will ignore the
    corresponding routestopped file.

7)  In Shorewall 4.5.8, a new variable (VARLIB) was added to the
    shorewallrc file. This variable assumes the role formerly played by
    VARDIR, and VARDIR now designates the configuration directory for a
    particular product.

    This change should be transparent to all users:

    a) If VARDIR is set in an existing shorewallrc file and VARLIB is
       not, then VARLIB is set to ${VARDIR} and VARDIR is set to
       ${VARLIB}/${PRODUCT}.

    b) If VARLIB is set in a shorewallrc file and VARDIR is not, then
       VARDIR is set to ${VARLIB}/${PRODUCT}.

    The Shorewall-core installer will automatically update
    ~/.shorewallrc and save the original in ~/.shorewallrc.bak

8)  Previously, the macro.SNMP macro opened both UDP ports 161 and 162 
    from SOURCE to DEST. This is against the usual practice of opening
    these ports in the opposite direction. Beginning with Shorewall
    4.5.8, the SNMP macro opens port 161 from SOURCE to DEST as before,
    and a new SNMPTrap macro is added that opens port 162 (from SOURCE
    to DEST).

9)  Beginning with Shorewall 4.5.11, ?FORMAT is preferred over FORMAT
    for specifying the format of records in these configuration files:

        action.* files
        conntrack
        interface
        macro.* files
        tcrules

    While deprecated, FORMAT (without the '?') is still supported.

    Also, ?COMMENT is preferred over COMMENT for attaching comments to
    generated netfilter rules in the following files.

        accounting
        action.* files
        blrules files
        conntrack
        masq
        nat
        rules
        secmarks
        tcrules
        tunnels

    When one of the deprecated forms is encountered, a warning message
    is issued.

    Examples:

       WARNING: 'FORMAT' is deprecated in favor of '?FORMAT' -
       		consider running 'shorewall update -D'.

       WARNING: 'COMMENT' is deprecated in favor of '?COMMENT' -
       		consider running 'shorewall update -D'.

    As the warnings indicate, 'update -D' will traverse the CONFIG_PATH 
    replacing FORMAT and COMMENT lines with ?FORMAT and ?COMMENT
    directives respectively. The original version of modified files
    will be saved with a .bak suffix. 

    During the update, .bak files are skipped as are files in
    ${SHAREDIR}/shorewall and ${SHAREDIR}/shorewall6.

10) To allow finer-grained selection of the connection-tracking states
    that are passed through blacklists (both dynamic and static), a
    BLACKLIST option was added to shorewall.conf and shorewall6.conf in
    Shorewall 4.5.13.

    The BLACKLISTNEWONLY option was deprecated at that point. A
    'shorewall update' ( 'shorewall6 update' ) will replace the
    BLACKLISTNEWONLY option with the equivalent BLACKLIST option.

11) In Shorewall 4.5.14, the BLACKLIST_LOGLEVEL option was renamed
    BLACKLIST_LOG_LEVEL to be consistent with the other log-level
    option names. BLACKLIST_LOGLEVEL continues to be accepted as a
    synonym for BLACKLIST_LOG_LEVEL, but a 'shorewall update' or
    'shorewall6 update' command will replace BLACKLIST_LOGLEVEL with
    BLACKLIST_LOG_LEVEL in the new .conf file.

12) Beginning with Shorewall 4.6.0, the default setting for 'ZONE2ZONE'
    is '-' rather than '2'. If you prefer to keep your pre-4.6.0 chain
    names, then specify ZONE2ZONE=2 in shorewall[6].conf.

13) Beginning with Shorewall 4.6.0, section headers are now preceded by
    '?' (e.g., '?SECTION ...').  If your configuration contains any
    bare 'SECTION' entries, the following warning is issued:

      WARNING: 'SECTION' is deprecated in favor of '?SECTION' -
               consider running 'shorewall update -D' ...

    As mentioned in the message, running 'shorewall[6] update -D' will
    eliminate the warning.

14) Beginning with Shorewall 4.6.0, the 'tcrules' file has been
    superseded by the 'mangle' file. Existing 'tcrules' files will
    still be processed, with the restriction that TPROXY is no longer
    supported in FORMAT 1.

    If your 'tcrules' file has non-commentary entries, the following
    warning message is issued:

        WARNING: Non-empty tcrules file (...);
                 consider running 'shorewall update -t'

    See shorewall6(8) for limitations of 'update -t'.

15) The default value of LOAD_HELPERS_ONLY is now 'Yes'.

16) Beginning with Shorewall 4.6.0, FORMAT-1 actions and macros are 
    deprecated and a warning will be issued for each FORMAT-1 action
    or macro found.

      WARNING: FORMAT-1 actions are deprecated and support will be
               dropped in a future release.

      WARNING: FORMAT-1 macros are deprecated and support will be
               dropped in a future release.

    To eliminate these warnings, add the following line before the
    first rule in the action or macro:

      ?FORMAT 2

    and adjust the columns appropriately.

    FORMAT-1 actions have the following columns:

      TARGET
      SOURCE
      DEST
      PROTO
      DEST PORT(S)
      SOURCE PORT(S)
      RATE/LIMIT
      USER/GROUP
      MARK

    while FORMAT-2 actions have these columns:

      TARGET
      SOURCE
      DEST
      PROTO
      DEST PORT(S)
      SOURCE PORT(S)
      ORIGINAL DEST
      RATE/LIMIT
      USER/GROUP
      MARK
      CONNLIMIT
      TIME
      HEADERS (Used in IPv6 only)
      CONDITION
      HELPER

    FORMAT-1 macros have the following columns:

      TARGET
      SOURCE
      DEST
      PROTO
      DEST PORT(S)
      SOURCE PORT(S)
      RATE/LIMIT
      USER/GROUP

    while FORMAT-2 macros have these columns:

      TARGET
      SOURCE
      DEST
      PROTO
      DEST PORT(S)
      SOURCE PORT(S)
      ORIGINAL DEST
      RATE/LIMIT
      USER/GROUP
      MARK
      CONNLIMIT
      TIME
      HEADERS (Used in IPv6 only)
      CONDITION
      HELPER

17) Prior to Shorewall 4.6.4, the stoppedrules file did not work
    properly when ADMINISABSENTMINDED=No.

    - A warning message was issued stating that the file would be
      processed as if ADMINISABSENTMINDED=Yes, and it was.

    - Unfortunately, part of the surrounding rule-generating logic
      proceeded as if ADMINISABSENTMINDED=No, leading to an unusable
      ruleset.

    In Shorewall 4.6.4, this problem was corrected by changing the way
    that stoppedrules works with ADMINISABSENTMINDED=No. In the new
    implementation:

    - All existing connections continue to work.
    - Response packets and related connection requests to new accepted
      connections are accepted (in other words, the resulting ruleset
      is stateful).

    See shorewall[6].conf(5) for additional details.

----------------------------------------------------------------------------
          V.  N O T E S  F R O M  O T H E R  4 . 6  R E L E A S E S
----------------------------------------------------------------------------
            P R O B L E M S  C O R R E C T E D  I N  4 . 6 . 1 2
----------------------------------------------------------------------------

4.6.12.1

1)  Beginning with Shorewall 4.6.10, a fatal error during a start or
    restart operation could leave the firewall in an indeterminate
    state. That problem has been corrected so that the intended action
    takes place:

    - If there is a current executable RESTOREFILE, then the firewall
      is restored using that file.

    - Otherwise, the firewall is placed in the stopped state.

2)  Previously, if 'none' were passed as the log level argument to the
    AutoBL action, compilation failed silently. Now, the intended
    behavior (no logging) is produced. 

4.6.12

1)  This release includes defect repair up through Shorewall 4.6.11.1.

2)  Previously, when Perl 5.18.0 or later was used with Shorewall,
    multiple compilations of an unchanging configuration could produce
    different but equivalent script files. Now, the script files
    produced will be identical (except for dates and times) for any
    given Shorewall version.

3)  Previously, if a binary interface option (those that have a value
    of zero or 1) was specified with a value of zero on such an
    interface, compilation failed.

    For example, this interface definition:

      -    eth2    arp_filter=0,routeback=0,tcpflags=0,proxyarp=0

    would generate the following error message:

      ERROR: The "routeback" option may  not be specified on a
             multi-zone interface

    Now, the option is allowed.

4)  Several issues with 'update -b' have been corrected.

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   4 . 6 . 1 2
----------------------------------------------------------------------------

1)  The initial 'Compiling...', 'Checking...' and 'Updating...'
    progress messages now include the Product name and version.

2)  Debian-specific .service files have been added.

3)  There are now two shorewallrc files for Debian - one for sysvinit
    and one for systemd. The configure and configure.pl scripts
    determine which to use by examining /sbin/init.

4)  Two new options are available for the 'update' command:

    -r converts a routestopped file to an equivalent stoppedrules file.

    -n converts a notrack file to an equivalent conntrack file. If
       there is already an existing conntrack file, the converted rules
       are appended to the existing file.

    WARNING: If you include /usr/share/shorewall/configfiles (or
    wherever your distro places empty files) in your CONFIG_PATH
    setting and there is no new file in your config directory (such as
    /etc/shorewall), then the 'update' command will update the copy of
    the file in /usr/share/shorewall/configfiles. This is probably not
    what you want, since files in that directory (or your distro's
    corresponding directory) will be overwritten by the next upgrade.

5)  Shorewall now uses NYTProf as its profiler rather than the
    deprecated DProf.

----------------------------------------------------------------------------
            P R O B L E M S  C O R R E C T E D  I N  4 . 6 . 1 1
----------------------------------------------------------------------------

1)  This release includes defect repair up to and including Shorewall
    4.6.10.1.

2)  Previously, when the -c option was given to the 'compile' command,
    the progress message "Compiling..." was issued before it was
    determined if compilation was necessary.  Now, that message is
    suppressed when re-compilation is not required.

3)  Previously, when the -c option was given to the 'compile' command,
    the 'postcompile' extension script was executed even when there was
    no (re-)compilation. Now, the 'postcompile' script is only invoked
    when a new script is generated.

4)  If CONFDIR was other than /etc, then ordinary users would not
    receive a clear error message when they attempted to execute one of
    the commands that change the firewall state.

5)  Previously, IPv4 DHCP client broadcasts were blocked by the
    'rpfilter' interface option. That has been corrected.

6)  The 'update' command incorrectly added the INLINE_MATCHES option
    to shorewall6.conf with a default value of 'Yes'. This caused
    'start' to fail with invalid ip6tables rules when the alternate
    input format using ';' is used.

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   4 . 6 . 1 1
----------------------------------------------------------------------------

1)  Over the years, a number of changes have been added to Shorewall
    that work around defects in other products. When running a current
    distribution, these workarounds are unnecessary and add to the time
    required for normal Shorewall operations.

    Beginning in this release, those workarounds may be disabled by
    setting WORKAROUNDS=No in shorewall.conf.

2)  Previously, both lib.cli and lib.cli-std included nearly-identical
    usage() functions. Now, only lib.cli includes the function which
    produces its output based on which product's CLI is invoking it.

3)  To accommodate compiled scripts produced by Shorewall versions
    before 4.4.8, Shorewall products from 4.4.8 onward have run scripts
    twice. The first time is simply to capture the output of the
    'version' command. Based on the script's version, it is then invoked
    to execute the requested command.

    Beginning in this release, scripts will only be run once if:

    - WORKAROUNDS=No, or
    - the script was compiled as part of executing the command, or
    - AUTOMAKE=Yes and it was determined that re-compilation was not
      required.

4)  When the 'conntrack' utility program is installed, the 'show
    connections' command can now display a subset of the entire
    conntrack table by simply following the 'connections' keyword with
    one or more conntrack filter parameters.

    For example, to display all http connections:

    	shorewall show connections -p tcp --dport 80

    See conntrack(8) for a description of the available parameters.

5)  To ensure that the compiler has an adequate PATH, the default
    Shorewall PATH is now appended to the compiler's active PATH.

----------------------------------------------------------------------------
            P R O B L E M S  C O R R E C T E D  I N  4 . 6 . 1 0
----------------------------------------------------------------------------

1)  On some distributions, Shorewall-init would fail if one of the
    configured products had a problem. Now, Shorewall-init goes on to
    the next product rather than stopping.

2)  Previously, when startup was disabled (STARTUP_ENABLED=No or no
    compiled firewall on a -lite system), exit status 2 was
    returned. Now, exit status 6 is returned.

3)  Previously, if SAVE_IPSETS=ipv4 (or ipv6) but the configuration did
    not use ipsets, then a superfluous warning message was issued:

      WARNING: Invalid value (ipv4) for SAVE_IPSETS

    That warning is now suppressed.

4)  Previously, the algorithm used to normalize the probabilities
    defined in the 'load' provider option was incorrect and could
    result in probabilities > 1.0. When this occurred, the firewall
    would fail to start.

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   4 . 6 . 1 0
----------------------------------------------------------------------------

1)  Previously, the 'ctevents' and 'expevents' options could only be
    specified in the conntrack file if a helper was named. That is no
    longer necessary.

    Example:

      #ACTION      SOURCE          DESTINATION     PROTO   DEST    ...
      #                                                    PORT(S) ...
      #
      CT:ctevents:assured,destroy\
                   all             -               -

2)  Two new options have been added to the NFQUEUE target.

    - By default, if no userspace program is listening on an NFQUEUE,
      then all packets that are to be queued are dropped. When the new
      'bypass' option is used, the NFQUEUE rule is silently bypassed
      instead and the packet moves on to the next rule; in other
      words, the rule fails open rather than dropping traffic while
      the listener is absent.

      Examples:

        NFQUEUE(bypass)
        NFQUEUE(3,bypass)

    - Now, a queue range of the form n:m may be specified. Packets are
      then balanced across the given queues. This is useful for
      multicore systems: start multiple instances of the userspace
      program on queues x, x+1, .. x+n and use "x:x+n". Packets
      belonging to the same connection are put into the same nfqueue.

      Examples:

        NFQUEUE(4:6)
        NFQUEUE(4:6,bypass)

      Queue ranges are also permitted in an NFQUEUE policy; the
      'bypass' option is not permitted there.

3)  The 'call' command is now documented. It provides a way to call
    shell functions in the Shorewall libraries or in the generated
    script.

      call <function> [ <parameter> ... ]

    <function> must name a shell function in one of the Shorewall
    libraries or in the generated script. The function is first
    searched for in lib.base, lib.common, lib.cli and lib.cli-std
    (lib.cli-std is not searched by the '-lite' products). If the
    function is found, it is called with any supplied <parameter>s.

    If the function is not found in the libraries, the call command
    is passed to the generated script for processing.

4)  Several changes have been made to the processing of the 'load'
    option in provider files:

    - load values are normalized to 8-digit precision and 10-byte
      length.
    - a warning is issued if the sum of the loads is not 1.000000.
    - if the normalized probability for an interface is >=
      1.000000 then the probability match part of the generated rule is
      omitted.
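The normalization described above, as an added example that is not Shorewall's own code: it assumes (the page does not say so) that each provider's rule receives its load divided by the load still unconsumed by the rules before it, which is why the final rule's probability reaches 1.000000 and its match is omitted, and which avoids the over-1.0 probabilities of the pre-4.6.10 normalization noted under 4.6.10 problem 4.

```shell
#!/bin/sh
# Added example, not Shorewall's own code. It models how per-provider
# 'load' values become the --probability values of sequential
# '-m statistic --mode random' rules. Assumption (not stated on this
# page): rules are emitted in provider order and each rule's probability
# is that provider's share of the load not yet consumed by the rules
# before it, so the final rule always reaches 1.0 and has its
# probability match omitted.

# normalize_loads LOADS
#   LOADS: space-separated load values as written in the providers file,
#          e.g. "0.5 0.3 0.2" (constructed sample values).
# Prints a WARNING line first if the loads do not sum to 1.000000, then
# one line per provider: "<position> <normalized load> <probability>",
# where <probability> is the 8-digit value for the statistic match, or
# "none" when the match is omitted because the probability reached 1.
normalize_loads() {
    printf '%s\n' "$1" | awk '{
        n = NF; total = 0
        for (i = 1; i <= n; i++) {
            # 8-digit precision; for values below 1 that is 10 bytes long
            load[i] = sprintf("%.8f", $i) + 0
            total += load[i]
        }
        if (sprintf("%.6f", total) != "1.000000")
            printf "WARNING: sum of loads is %.6f, not 1.000000\n", total
        remaining = total
        for (i = 1; i <= n; i++) {
            # Share of the traffic that reaches this rule. Rounding to 8
            # digits before the comparison keeps 0.99999999... from
            # producing a bogus "--probability 1.00000000" match.
            p = (remaining > 0) ? sprintf("%.8f", load[i] / remaining) + 0 : 1
            prob = (p >= 1) ? "none" : sprintf("%.8f", p)
            printf "%d %.8f %s\n", i, load[i], prob
            remaining -= load[i]
        }
    }'
}

# Stand-alone demonstration with constructed loads that sum to 1.
normalize_loads "0.5 0.3 0.2"
```

Running it with loads that do not sum to 1 (for example "0.5 0.3 0.1") shows the warning line first while the sequential shares still stay at or below 1.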

5)  There is now an ipv6 'findgw' skeleton file.

6)  The 'disable' and 'enable' commands now succeed if the interface is
    already disabled or enabled respectively (Tuomo Soini).

----------------------------------------------------------------------------
             P R O B L E M S  C O R R E C T E D  I N  4 . 6 . 9
----------------------------------------------------------------------------

1)  This release contains defect repair from Shorewall 4.6.8.1 and
    earlier releases.

2)  The means for preventing loading of helper modules has been
    clarified in the documentation.

3)  The SetEvent and ResetEvent actions previously set/reset the event
    even if the packet did not match the other specified columns. This
    has been corrected.

4)  Previously, the 'show capabilities' command was ignoring the
    HELPERS setting. This resulted in unwanted modules being autoloaded
    and, when the -f option was given, an incorrect capabilities file
    was generated.

5)  Previously, when 'wait' was specified for an interface, the
    generated script erroneously checked for required interfaces on all
    commands rather than just start, restart and restore.

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   4 . 6 . 9
----------------------------------------------------------------------------

1)  There is now a TCPMSS Target (TCPMSS_TARGET) capability. Your
    iptables and kernel must support this capability in order to use
    the CLAMPMSS option in shorewall.conf and the 'mss=' option in the
    zones, interfaces and hosts files. This capability was added when
    it was learned that Debian on ARM doesn't provide the feature.

    When using a capabilities file from an earlier release, the
    compiler assumes that this capability is available, since most
    distributions have traditionally provided the capability.

2)  The CLI manpages now state explicitly that 'list' and 'ls' are
    synonyms for 'show' and refer the reader to the description of
    'show'.

3)  The complete syntax of each CLI command is now repeated in the
    detailed description of the command in the man pages.

4)  Tuomo Soini has contributed a QUIC macro.

5)  The JabberSecure macro is now deprecated. Configure Jabber to use
    TLS and use the Jabber macro instead. (Tuomo Soini).

6)  The enable and disable commands now execute more quickly on slow
    hardware.

7)  The CLI programs now support a 'reenable' command. This command is
    logically equivalent to a 'disable' command followed by an 'enable'
    command, with the exception that no error is generated if the
    specified interface or provider is disabled at the time the
    command is given.

----------------------------------------------------------------------------
             P R O B L E M S  C O R R E C T E D  I N  4 . 6 . 8
----------------------------------------------------------------------------

1)  This release includes defect repair from Shorewall 4.6.6.2 and
    earlier releases.

2)  Previously, when the -n option was specified and NetworkManager was
    installed on the target system, the Shorewall-init installer would
    still create
    ${DESTDIR}etc/NetworkManager/dispatcher.d/01-shorewall, regardless
    of the setting of $CONFDIR. That has been corrected such that the
    directory
    ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall is
    created instead.

3)  Previously, handling of the IPTABLES and IP6TABLES actions in the
    conntrack file was broken. nfw provided a fix on IRC.

4)  The Shorewall-core and Shorewall6 installers would previously
    report incorrectly that the product release was not installed. Matt
    Darfeuille provided fixes.

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   4 . 6 . 8
----------------------------------------------------------------------------

1)  The CLI programs (shorewall, shorewall6, etc) now support 'open'
    and 'close' commands. The 'open' command temporarily opens the
    firewall for a specified type of connection; the syntax is:

        open <source> <destination> [ <protocol> [ <port> ] ]

    The <source> and <destination> may be any of the following:

    - a host IP address
    - a network IP address
    - a valid DNS name (usual warnings apply)
    - the word 'all', indicating that the <source> or <destination> is
      not restricted

    The protocol may be specified by number or by a name. Same with
    <port>.

    Example: Open SSH connections to 1.2.3.4 in Shorewall:

       shorewall open all 1.2.3.4 tcp ssh

    The 'close' command reverses the effect of an earlier 'open'
    command and has two forms:

        close <open-number>
        close <source> <destination> [ <protocol> [ <port> ] ]

    In the first form, the <open-number> is the number displayed in the
    'num' column of the 'shorewall list opens' command (see below).

    In the second form, the parameters must match those of the earlier
    'open' command to be reversed. All temporary connection opens may
    be deleted by simply restarting the firewall.

    Both commands require that the firewall be in the started state and
    that DYNAMIC_BLACKLIST=Yes in the active configuration.

    The iptables rules created via 'open' commands can be displayed
    using the 'show opens' command.

    Example (after the above open command was executed):

    Shorewall 4.6.8 Temporarily opened connections at gateway - Fri Mar  6 09:47:06 PST 2015
    Chain dynamic (14 references)
     num pkts bytes target     prot opt in     out     source               destination
       1    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            1.2.3.4              multiport dports 22
    root@gateway:~#
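    The following helpers are an added example, not part of Shorewall
    or its documentation. They assume the CLI is installed as
    'shorewall' (override with $SHOREWALL, e.g. shorewall6) and that
    'open', 'close' and 'show opens' behave exactly as described above.
    Because an 'open' stays in effect until it is closed or the firewall
    is restarted, the first helper closes the hole again after a fixed
    number of seconds, including when the operator interrupts the wait;
    the second parses the 'show opens' output format shown above to
    recover the 'num' that the first form of 'close' needs.

```shell
#!/bin/sh
# Added example, not part of Shorewall. Assumes the CLI is 'shorewall'
# (set SHOREWALL=shorewall6 for IPv6) and that 'open', 'close' and
# 'show opens' work as described in the 4.6.8 release notes.

: "${SHOREWALL:=shorewall}"

# timed_open SECONDS SOURCE DEST [PROTO [PORT]]
#   Opens the firewall for the given traffic and closes it again after
#   SECONDS. The hole is also closed if the operator interrupts the wait
#   (Ctrl-C / SIGTERM); otherwise it would persist until a restart.
timed_open() {
    _secs=$1; shift
    "$SHOREWALL" open "$@" || return 1
    TIMED_OPEN_ARGS=$*
    trap '"$SHOREWALL" close $TIMED_OPEN_ARGS; exit 130' INT TERM
    sleep "$_secs"
    trap - INT TERM
    "$SHOREWALL" close "$@"
}

# open_number_for DEST PORT
#   Reads 'shorewall show opens' output on stdin and prints the 'num' of
#   the rule whose destination column is DEST and whose port match lists
#   PORT (either 'multiport dports N' or 'dpt:N'). Prints nothing if no
#   rule matches, so callers can test for an empty result.
open_number_for() {
    awk -v dest="$1" -v port="$2" '
        # data rows start with the rule number; field 10 is "destination"
        $1 ~ /^[0-9]+$/ && $10 == dest {
            for (i = 11; i <= NF; i++)
                if (($i == "dports" && $(i + 1) == port) || $i == ("dpt:" port)) {
                    print $1
                    exit
                }
        }'
}

# close_open_to DEST PORT
#   Closes an earlier open using the first form of 'close' (by number).
close_open_to() {
    _num=$("$SHOREWALL" show opens | open_number_for "$1" "$2")
    if [ -z "$_num" ]; then
        echo "no open to $1 port $2 found" >&2
        return 1
    fi
    "$SHOREWALL" close "$_num"
}

# Usage (as root, firewall started, DYNAMIC_BLACKLIST=Yes):
#   timed_open 600 all 1.2.3.4 tcp ssh    # ten-minute SSH window
#   close_open_to 1.2.3.4 22              # or close by number afterwards
```

    Both helpers go through the CLI rather than iptables directly, so
    the opens remain visible to 'show opens' and are still cleared by a
    restart as described above.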

2)  A 'savesets' command is now available to proactively save changes
    to ipset contents. Using this command can guard against accidental
    loss of ipset changes in the event of a system failure before a
    'stop' command has been completed. The exact action taken by the
    command depends on the setting of SAVE_IPSETS in shorewall[6].conf.

3)  The SOURCE and DEST columns in the rtrules file may now contain
    comma-separated lists of addresses.

----------------------------------------------------------------------------
             P R O B L E M S  C O R R E C T E D  I N  4 . 6 . 7
----------------------------------------------------------------------------

None.

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   4 . 6 . 7
----------------------------------------------------------------------------

1)  The 'tunnels' file now supports 'tinc' tunnels.

2)  Previously, the SAME action in the mangle file had a fixed timeout
    of 300 seconds (5 minutes). That action now allows specification of
    a different timeout.

3)  It is now possible to add or delete addresses from an ipset with
    entries in the mangle file. The ADD and DEL actions have the same
    behavior in the mangle file as they do in the rules file.

----------------------------------------------------------------------------
             P R O B L E M S  C O R R E C T E D  I N  4 . 6 . 6
----------------------------------------------------------------------------

4.6.6.2

1)  The compiler failed to parse the construct +<ipset>[n] where n is an
    integer (e.g., +bad[2]).

2)  Orion Paplawski has provided a patch that adds 'ko.xz' to the
    default MODULE_SUFFIX setting. This change deals with recent Fedora
    releases where the module names now end with ".ko.xz".

    In addition to Orion's patch, the sample configurations have been
    modified to specify MODULE_SUFFIX="ko ko.xz".

4.6.6.1

1)  Previously the SAVE and RESTORE actions were erroneously disallowed
    in the INPUT chain within the mangle file.

2)  The manpage descriptions of the mangle SAVE and RESTORE actions
    incorrectly required a slash (/) prior to the mask value.

3)  Race conditions could previously occur between the 'start' command
    and the 'enable' and 'disable' commands.

4)  The 'update' command incorrectly added the INLINE_MATCHES option
    to shorewall.conf with a default value of 'Yes'. This caused
    'start' to fail with invalid iptables rules when the alternate
    input format using ';' was in use.

5)  Previously the LOCKFILE setting was not propagated to the generated
    script. So when the script was run directly, the script
    unconditionally used ${VARDIR}/lock.

4.6.6

1)  This release includes defect repair from Shorewall 4.6.5.5 and
    earlier releases.

2)  Previously, a line beginning with 'shell' was interpreted as a
    shell script. Now, the line must begin with 'SHELL'
    (case-sensitive).

    Note that ?SHELL and BEGIN SHELL are still case-insensitive.

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   4 . 6 . 6
----------------------------------------------------------------------------

1)  Previously, the firewall products (Shorewall, Shorewall6 and
    *-lite) specified "After=network.target" in their .service files.

    Beginning with this release, those products specify
    "After=network-online.target" like the service.214 files. This
    change is intended to delay firewall startup until after network
    initialization is complete.

2)  The 'TARPIT' target is now supported in the rules file. Using this
    target requires the appropriate support in your kernel and
    iptables. This feature implements a new "TARPIT Target" capability,
    so if you use a capabilities file, then you need to regenerate the
    file after installing this release.

    TARPIT captures and holds incoming TCP connections using no local
    per-connection resources.

    TARPIT only works with the PROTO column set to tcp (6), and is
    totally application agnostic. This module will answer a TCP request
    and play along like a listening server, but aside from sending an
    ACK or RST, no data is sent. Incoming packets are ignored and
    dropped. The attacker will terminate the session eventually. This
    module allows the initial packets of an attack to be captured by
    other software for inspection. In most cases this is sufficient to
    determine the nature of the attack.

    This offers similar functionality to LaBrea
    <http://www.hackbusters.net/LaBrea/> but does not require dedicated
    hardware or IPs. Any TCP port that you would normally DROP or
    REJECT can instead become a tarpit.

    The target accepts a single optional parameter:

        tarpit (default)

          This mode completes a connection with the attacker but limits
          the window size to 0, thus keeping the attacker waiting for
          long periods of time. While the remote side maintains state
          for the connection and retries every 60-240 seconds, we keep
          none, so it is very lightweight. Attempts to close the
          connection are ignored, forcing the remote side to time out
          the connection in 12-24 minutes.

        honeypot

          This mode completes a connection with the attacker, but
          signals a normal window size, so that the remote side will
          attempt to send data, often with some very nasty exploit
          attempts. We can capture these packets for decoding and
          further analysis. The module does not send any data, so if
          the remote expects an application level response, the game
          is up.

        reset

          This mode is handy because we can send an inline RST
          (reset). It has no other function.

3)  A 'loopback' option has been added to the interfaces files to
    designate the interface as the loopback device. This option is
    assumed if the device's physical name is 'lo'. Only one
    interface may specify 'loopback'.

    If no interface has physical name 'lo' and no interface specifies
    the 'loopback' option, then the compiler implicitly defines an
    interface as follows:

        #ZONE	 INTERFACE	OPTIONS
        -	 lo		ignore,loopback

4)  The compiler now takes advantage of the iptables 'iface' match
    capability for identifying loopback traffic.

5)  The 'primary' provider option has been added as a synonym for
    'balance=1'. The rationale for this addition is that 'balance'
    seems inappropriate when only a single provider specifies that
    option. For example, if there are two providers and one specifies
    'fallback', then the other would specify 'primary' rather than
    'balance'.

6)  Two new Macros have been contributed:

    Zabbix - Tuomo Soini
    Tinc   - Răzvan Sandu

----------------------------------------------------------------------------
             P R O B L E M S  C O R R E C T E D  I N  4 . 6 . 5
----------------------------------------------------------------------------

4.6.5.5

1)  The Shorewall-init ifupdown scripts were looking for the firewall
    script in the wrong directory. Correction was provided by Tuomo
    Soini.

4.6.5.4

1)  The '-c' option of the 'dump' and 'show routing' commands is now
    documented.

2)  The handling of the 'DIGEST' environment variable has been
    corrected in the Shorewall installer. Previously, specifying that
    option would not correctly update the Chains module which led to a
    Perl compilation failure.

3)  Handling of ipset names in PORT columns has been
    corrected. Previously, such usage resulted in an invalid iptables
    rule being generated.

4.6.5.3

1)  The Shorewall-init scripts were using the incorrect
    variable to set the state directory.

2)  For normal dynamic zones, the 'add' command failed with a
    diagnostic such as:

      ERROR: Zone ast, interface net0 does not have a dynamic host list

3)  When a mark range was used in the marks (tcrules) file, a run-time
    error occurred while attempting to load the generated ruleset.

4.6.5.2

1)  LOG_BACKEND=LOG failed at run-time for all but the most recent
    kernels.

4.6.5.1

1)  The generated script can now detect a gateway address assigned by
    later versions of that program (Alan Barrett).

2)  In 4.6.5, the bash-based configure script would issue the following
    diagnostic if SERVICEDIR was not specified in the shorewallrc
    file:

      ./configure: line 199: [SERVICEDIR]=: command not found

    This was compounded by the fact that all of the released
    shorewallrc files still specified SYSTEMDDIR rather than SERVICEDIR
    (Evangelos Foutras)

3)  The shorewallrc.archlinux file now reflects a change in SBINDIR
    that occurred in Arch Linux in mid 2013 (Evangelos Foutras).

4.6.5

1)  This release includes defect repair through release 4.6.4.3.

2)  On kernel 3.17, LOG_BACKEND=LOG previously failed with the
    diagnostics:

      Setting up log backend
      /var/lib/shorewall/.restart: line 2075: echo: write error:
              No such file or directory
      WARNING: Unable to set log backend to ipt_LOG

3)  A number of corrections have been made to the manpages (Thomas D).

4)  Previously, if $OPTIONS was set in /etc/sysconfig/shorewall-init,
    then systemd failed to start/stop Shorewall-init.

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   4 . 6 . 5
----------------------------------------------------------------------------

1)  The configure scripts and installers now support SERVICEDIR as an
    alternative to SYSTEMD. For compatibility, SYSTEMD is an alias
    for SERVICEDIR.

2)  The installers now offer a choice of .service files, selected by
    the SERVICEFILE option. The default remains $PRODUCT.service. Each
    product supplying a .service file now supplies a .service.214. The
    differences between the standard .service files and the service.214
    files are:

    a)  They specify 'After=network-online.target' rather than
        'After=network.target'.

    b)  The file shorewall-init.service.214 specifies
        'Before=network-pre.target' rather than
        'Before=network.target'. That file requires systemd 214 or
        later, hence the names of the new files.

    Regardless of which file is selected, it is installed in
    $SERVICEDIR/$PRODUCT.service.

3)  The RATE LIMIT column of the rules files now allows specification
    of both a per-source and per-destination limit. See
    shorewall[6]-rules(5) for details.

4)  Previously, /bin/sh was used unconditionally to process the helper
    script 'getparams'. That shell script reads the params file and
    passes back the (variable,value) pairs to the compiler. Beginning
    with this release, $SHOREWALL_SHELL is used to process that script,
    unless the compilation is for export, in which case /bin/sh is
    still used.

    Note that the default value of $SHOREWALL_SHELL is /bin/sh, so
    unless your configuration sets that variable, this enhancement will
    have no effect. Similarly, on an administrative system, this
    enhancement has no effect on the processing of the 'compile -e',
    'load', 'reload' and 'export' commands.

5)  A -C option has been added to several commands to allow the 
    ip[6]tables packet and byte counters to be preserved.

    - save command

      Causes the packet and byte counters to be saved along with the
      chains and rules.

    - restore command
      
      Causes the packet and byte counters (if saved) to be restored
      along with the chains and rules.

    - start command

      With Shorewall and Shorewall6, the -C option only has an effect
      if the -f option is also specified. If a previously-saved
      configuration is restored, then the packet and byte counters (if
      saved) will be restored along with the chains and rules.

    - restart command

      If an existing compiled script is used (no recompilation
      required) and if that script generated the current running
      configuration, then the current netfilter configuration is
      reloaded as is so as to preserve the current packet and byte
      counters.

    If you wish to (approximately) preserve the counters over a
    possibly unexpected reboot, then:

    - Create a cron job that periodically does 'shorewall save -C'

    - Specify the -C and -f options in the STARTOPTIONS variable in
      either /etc/default/shorewall[6][-lite] or
      /etc/sysconfig/shorewall[6][-lite], whichever is supported by your
      distribution. Note that some distributions do not distribute these
      files so you may have to create the one(s) you need (such as
      /etc/sysconfig/shorewall).
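    The two steps above as a small shell helper. This is an added
    example and not part of Shorewall; it assumes the CLI is installed
    in /sbin (override with $SBIN), takes the defaults file path and
    the cron file path from the caller, and writes the cron entry in
    /etc/cron.d format (with a user field). The STARTOPTIONS update is
    idempotent so that re-running it does not leave two assignments in
    the defaults file.

```shell
#!/bin/sh
# Added example, not part of Shorewall: make the 'save -C' / '-C -f'
# counter-preservation setup described above idempotent and scriptable.
# Assumptions: the CLI lives in $SBIN (default /sbin); the defaults file
# (/etc/default/shorewall or /etc/sysconfig/shorewall) is given by the
# caller and is plain shell assignments, as the init scripts expect.

: "${SBIN:=/sbin}"

# set_startoptions FILE OPTIONS
#   Sets STARTOPTIONS="OPTIONS" in FILE, replacing an existing
#   assignment rather than appending a second one, and creating FILE if
#   the distribution does not ship it.
set_startoptions() {
    _file=$1; _opts=$2
    if [ -f "$_file" ] && grep -q '^STARTOPTIONS=' "$_file"; then
        sed "s|^STARTOPTIONS=.*|STARTOPTIONS=\"$_opts\"|" "$_file" > "$_file.tmp" &&
            mv "$_file.tmp" "$_file"
    else
        printf 'STARTOPTIONS="%s"\n' "$_opts" >> "$_file"
    fi
}

# get_startoptions FILE
#   Prints STARTOPTIONS as the init script sees it after sourcing FILE.
get_startoptions() {
    STARTOPTIONS=
    . "$1"
    printf '%s\n' "$STARTOPTIONS"
}

# cron_save_line MINUTES PRODUCT
#   Prints an /etc/cron.d entry running '<product> save -C' every
#   MINUTES minutes as root. After an unexpected reboot the restored
#   counters are therefore at most MINUTES old.
cron_save_line() {
    printf '*/%s * * * * root %s/%s save -C >/dev/null 2>&1\n' "$1" "$SBIN" "$2"
}

# configure_counter_persistence DEFAULTS_FILE CRON_FILE MINUTES PRODUCT
#   Performs both steps of the procedure for one product.
configure_counter_persistence() {
    set_startoptions "$1" "-C -f"
    cron_save_line "$3" "$4" > "$2"
    chmod 644 "$2"
}

# Usage (as root, Debian-style paths):
#   configure_counter_persistence /etc/default/shorewall \
#       /etc/cron.d/shorewall-save 15 shorewall
```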

----------------------------------------------------------------------------
             P R O B L E M S  C O R R E C T E D  I N  4 . 6 . 4
----------------------------------------------------------------------------

4.6.4.1

1)  Confusing 'usage' output was produced under the following
    conditions:

    a)  4.6.4 installed

    b)  The running firewall was compiled on an earlier release.

    c)  A 'safe-start', 'safe-restart', 'save' or 'try' command is
        executed.

    This problem has been corrected.

2)  The 'optional' option has been removed from the IPv4 Universal 
    interfaces file, as that option caused startup failures.

4.6.4 Final.

1)  This release includes defect repair through release 4.6.3.4.

2)  Two corrections have been made to the .service files:

    - The .service files now correctly specify

          WantedBy=basic.target

    - Conflicting services have been added.

3)  A warning message generated during stoppedrules processing
    previously referred to the file as routestopped.

4)  Previously, the stoppedrules file did not work properly when
    ADMINISABSENTMINDED=No.

    - A warning message was issued stating that the file would be
      processed as if ADMINISABSENTMINDED=Yes, and it was.

    - Unfortunately, part of the surrounding rule-generating logic
      proceeded as if ADMINISABSENTMINDED=No, leading to an unusable
      ruleset.

    This problem has been corrected by changing the way that
    stoppedrules works with ADMINISABSENTMINDED=No. In the new
    implementation:

    - All existing connections continue to work.
    - Response packets and related connection requests to new accepted
      connections are accepted (in other words, the resulting ruleset
      is stateful).

    See shorewall[6].conf(5) for additional details.

5)  The .spec files now set SBINDIR correctly.

6)  The -lite installers now create INITDIR if it doesn't exist.

7)  The installers no longer attempt to create a symbolic link to the
    init script when no init script is installed.

8)  A large number of defects in the uninstallers have been corrected.

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   4 . 6 . 4
----------------------------------------------------------------------------

1)  Install support for Centos 7 and Foobar 7 has been added (Tuomo
    Soini).

2)  A 'terminating' option has been added to shorewall[6].actions.
    This option, when used with the 'builtin' option, indicates to the
    compiler that the built-in action is terminating. This allows the
    optimizer to omit rules after an unconditional jump to the
    built-in.

3)  A LOG_BACKEND option has been added to allow specification of the
    default logging backends. See shorewall.conf(5) and
    shorewall6.conf(5) for details.

4)  The SAVE_IPSETS option may now specify a list of ipsets to be
    saved. When such a list is specified, only those ipsets together
    with the ipsets supporting dynamic zones are saved.

    Shorewall6 now supports the SAVE_IPSETS option. When
    SAVE_IPSETS=Yes, only ipv6 ipsets are saved. For Shorewall, if
    SAVE_IPSETS=ipv4, then only ipv4 ipsets are saved. Both features
    require ipset version 5 or later.

    Note that shorewall.conf and shorewall6.conf may now both specify
    SAVE_IPSETS.

5)  The SBINDIR setting for SuSE now defaults to /usr/sbin/.

6)  With the exception of Shorewall-core, the tarball installers and
    uninstallers now support a -n option which inhibits any attempt to
    change the startup configuration. The -n option can be
    automatically invoked by setting the SANDBOX variable to a
    non-empty value, either in the environment or in your shorewallrc
    file.

----------------------------------------------------------------------------
             P R O B L E M S  C O R R E C T E D  I N  4 . 6 . 3
----------------------------------------------------------------------------

4.6.3.1

1)  The DNSAmp action released in 4.6.3 matched more packets than it
    should have. That has now been corrected.

4.6.3

1)  This release contains defect repair up through release 4.6.2.5.

2)  The SAVE_IPSETS option in the Debian version of Shorewall-init now
    works correctly (Thomas D).

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   4 . 6 . 3
----------------------------------------------------------------------------

1)  A new 'run' command has been implemented. This command allows you
    to run an arbitrary command in the context of the generated
    script. 

       shorewall[6][-lite] run <command> [ <parameter> ... ]

    Normally, <command> will be a function declared in lib.private.

2)  A DNSAmp action has been added. This action matches recursive UDP
    DNS queries. The default disposition is DROP which can be
    overridden by the single action parameter (e.g., 'DNSAmp(REJECT)'
    will reject these queries). Recursive DNS queries are the basis for
    'DNS Amplification' attacks; hence the action name.

----------------------------------------------------------------------------
             P R O B L E M S  C O R R E C T E D  I N  4 . 6 . 2
----------------------------------------------------------------------------

4.6.2.5

1)  Previously, when an interface specified the 'physical=' option and
    the physical interface name was specified in the INTERFACES column
    of the providers file, compilation would fail with diagnostics
    similar to the following:

        Use of uninitialized value $physical in pattern match
          (m//) at /usr/lib/perl5/vendor_perl/5.18.1/
          Shorewall/Providers.pm line 463, <$currentfile> line 2.
        ERROR: A provider interface must have at least one
               associated zone /opt/etc/shorewall/providers (line 2)

2)  Shorewall-init now works correctly on systems with systemd
    (Louis Lagendijk).

4.6.2.4

1)  Previously, inline matches were incorrectly disallowed in action
    files. These matches are now allowed.

4.6.2.3

1)  Previously, the compiler would fail with a Perl diagnostic if:

    - Optimize Level 8 was enabled.
    - Perl 5.20 was being used. This is the current Perl version on
      Arch Linux.

    The diagnostic was:

      Can't use string ("nat") as a HASH ref while "strict refs" in use
        at /usr/share/shorewall/Shorewall/Chains.pm line 3486.

4.6.2.2

1)  The compiler now correctly detects the IPv6 "Header Match"
    capability when LOAD_MODULES_ONLY=No.

2)  The compiler now correctly detects the IPv6 "Ipset Match"
    capability on systems running a 3.14 or later kernel.

3)  The compiler now correctly detects "Arptables JF" capability when
    LOAD_MODULES_ONLY=No.

4)  The tcfilter manpages previously failed to mention that
    BASIC_FILTERS=Yes is required to use ipsets in the tcfilters files.

4.6.2.1

1)  Two issues with tcrules processing have been corrected:

    - SAVE and RESTORE generated fatal compilation errors.
    - '|' and '&' were ignored.

4.6.2

1)  The DSCP match in the mangle and tcrules files didn't work with
    service class names such as EF, BE, CS1, ... (Thibaut Chèze)

2)  The SAVE and RESTORE actions were disallowed in the OUTPUT chain in
    tcrules and mangle; this was a regression from 4.5.21.

3)  Additional ports required by Asus, Supermicro and Dell have been
    added to the IPMI macro (Tuomo Soini).

4)  Some issues regarding install under Cygwin64 have been addressed.

    - configure.pl did not understand CYGWIN returned from `uname`
    - Shorewall-core install.sh did not understand CYGWIN returned from 
      `uname`.
    - The Shorewall and Shorewall6 installers tried to run the command 
      'mkdir -p //etc/shorewall[6]' which is broken in the current
      Cygwin64.

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   4 . 6 . 2
----------------------------------------------------------------------------

1)  The 'status' command now allows a -i option which causes the state
    of all optional and provider interfaces to be displayed.

    Example:

    root@gateway:/etc/shorewall# shorewall status -i
    Shorewall-4.6.1 Status at gateway - Wed Jun 18 14:27:19 PDT 2014

    Shorewall is running
    State:Started (Wed Jun 18 09:50:01 PDT 2014) from /etc/shorewall/
       (/var/lib/shorewall/firewall compiled by Shorewall version 4.6.1)

       Interface eth0 is Enabled
       Interface eth1 is Enabled
       Interface lo is Enabled

2)  A 'shorewall show blacklists' command has been
    implemented. The abbreviation 'bl' may be used in place of
    'blacklists'.

    The command displays the output of the 'dynamic' chain together
    with the chains created by entries in the blrules file.

3)  A TIME column has been added to the mangle file. It has the same
    use in that file as the corresponding column in the rules file.

4)  A stateful port knocking example has been added to the Events
    article (http://www.shorewall.net/Events.html). This example allows
    a sequence of knocking ports to be defined (Gerhard Weisinger).

5)  A macro supporting HP's Integrated Lights Out (ILO) has been added
    (Tuomo Soini).

6)  It is now possible to specify the MAC address of a provider
    GATEWAY. This is useful when there are multiple providers serviced
    by a single interface as it avoids the need for the generated
    script to detect the MAC during start/restart.

7)  The copyrights in the sample configuration files have been updated. 

----------------------------------------------------------------------------
             P R O B L E M S  C O R R E C T E D  I N  4 . 6 . 1
----------------------------------------------------------------------------

4.6.1.4

1)  The DSCP match in the mangle and tcrules files didn't work with
    service class names such as EF, BE, CS1, ...

2)  The SAVE and RESTORE actions were disallowed in the OUTPUT chain in
    tcrules and mangle; this was a regression from 4.5.21.

4.6.1.3

1)  Use of the 'IfEvent' action resulted in a compilation failure:

      ERROR: -j is only allowed when the ACTION is INLINE with no
        parameter /usr/share/shorewall/action.IfEvent (line 139)
         from /etc/shorewall/action.SSHKnock (line 8)
         from /etc/shorewall/rules (line 31)

4.6.1.2

1)  The shorewall-masq(5) and shorewall6-masq(5) manpages had a mangled
    heading for the description of the SOURCE column, leading some
    readers to assert that the description was missing.

2)  When INLINE_MATCHES=Yes and AUTOHELPERS=No, start or restart could
    fail during script execution with this diagnostic:

      Running /sbin/iptables-restore...
      Bad argument `helper=netbios-ns'
      Error occurred at line: nnn
      Try `iptables-restore -h' or 'iptables-restore --help' for more
          information.
        ERROR: iptables-restore Failed. Input is in
               /var/lib/shorewall/.iptables-restore-input

4.6.1.1

1)  An improved error message is generated when a server address list
    is specified in the DEST column of a DNAT or REDIRECT
    rule. At one time, iptables supported such lists, but now only a
    single address or an address range is supported.

    The previous error message was:

        ERROR: Unknown Host (192.168.1.4,192.168.1.22)

    The new error message is:

        ERROR: An address list (192.168.1.4,192.168.1.22) is not
               allowed in the DEST column of a xxx RULE

    where xxx is DNAT or REDIRECT as appropriate.

2)  Two problems have been corrected in the Shorewall-init Debian init
    script.

    a)  A cosmetic problem which resulted in 'echo_notdone' being
        displayed on failure rather than 'not done'.

    b)  More seriously, the test for the existence of compiled
        firewall scripts was incorrect, with the result that the
        firewall scripts were not executed.

    These defects, introduced in Shorewall 4.5.17, have now been
    corrected.

4.6.1

1)  When the 'rpfilter' option is specified on all interfaces, no
    references to the 'dynamic' chain were created and that chain was
    optimized away.

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   4 . 6 . 1
----------------------------------------------------------------------------

1)  Tuomo Soini has provided new macros for AMQP, MongoDB, Redis, Sieve
    and IPMI (RMCP).
	
----------------------------------------------------------------------------
             P R O B L E M S  C O R R E C T E D  I N  4 . 6 . 0
----------------------------------------------------------------------------

4.6.0.3

1)  The Shorewall-init package now installs correctly on RHEL7.

2)  1:1 NAT is now enabled in IPv6.

3)  A subtle interaction between NAT and sub-zones is explained in
    shorewall-nat.

4)  The 'show filters' command now works with Simple TC.

4.6.0.2

1)  The 'upgrade -A' command now converts the tcrules file to a mangle
    file. Previously, that didn't happen.

2)  The install components now support RHEL7.

3)  Whitespace issues in the skeleton configuration files have been
    corrected (Tuomo Soini).

4)  FAQ 2e has been added which describes additional steps required to
    achieve hairpin NAT on a bridge where the modified packets are to
    go out the same bridge port as they entered.

5)  shorewall-masq(5) has been corrected to include the word SOURCE on
    the description of that column. Previously, the description read
    '(formerly called SUBNET)'.

6)  The output of 'shorewall show filters' once again shows ingress
    (policing) filters. This works around undocumented changes to the
    behavior of the 'tc' utility.

4.6.0.1

1)  The CHECKSUM target in the tcrules and mangle files was broken and
    resulted in this error diagnostic:

      Running /sbin/iptables-restore...
      iptables-restore v1.4.7: CHECKSUM target: Parameter --checksum-fill is
                               required
      Error occurred at line: 41
      Try `iptables-restore -h' or 'iptables-restore --help' for more
         information.
      ERROR: iptables-restore Failed. Input is in
         /var/lib/shorewall/.iptables-restore-input

    The compiler is now generating the correct rule.

2)  Some cosmetic issues in the 'mangle' files have been resolved.

3)  When an invalid chain designator was supplied in 'tcrules' or
    'mangle', the compiler's error message was garbled and a 
    Perl diagnostic was issued.

4.6.0

This release includes all defect repair from releases up through
4.5.21.9.

1)  The tarball installers now install .service files with mode 644
    rather than mode 600.

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   4 . 6 . 0
----------------------------------------------------------------------------

1)  SECTION entries in the accounting and rules files now allow
    "SECTION" to be immediately preceded by "?" (e.g., ?SECTION). The
    new form is preferred and if any SECTION entries do not have the
    question mark, a warning is issued (see Migration Issues below).

2)  The default setting for ZONE2ZONE has been changed from '2' to '-'
    for increased readability when zone names contain '2'.

3)  The 'tcrules' file has been superseded by the 'mangle'
    file. Existing 'tcrules' files will still be processed, with the
    restriction that TPROXY is no longer supported in FORMAT 1.

    You can convert your tcrules file into the equivalent mangle file
    using the command:

       shorewall update -t

    See shorewall(8) and shorewall6(8) for important restrictions of
    the -t option.

4)  Prior to now, the ability to specify raw iptables matches has been
    tied to the INLINE action. Beginning with this release, the two can
    be separated by specifying INLINE_MATCHES=Yes.

    When INLINE_MATCHES=Yes, then inline matches may be specified after
    a semicolon in the following files:

      action files
      macros
      rules
      mangle
      masq

    Note that semicolons are not allowed in any other files. If you
    want to use the alternative input format in those files, then you
    must enclose the specifications in curly brackets ({...}). The -i
    option of the 'check' command will warn you of lines that need to
    be changed from using ";" to using "{...}".

5)  The 'conntrack', 'raw', 'mangle' and 'rules' files now support an IPTABLES
    (IP6TABLES) action. This action is similar to INLINE in that it
    allows arbitrary ip[6]tables matches to be specified after a
    semicolon (even when INLINE_MATCHES=No). It differs in that the
    parameter passed is an iptables target with target options.

    Example (rules file):

       #ACTION                      SOURCE  DEST    PROTO
       IPTABLES(TARPIT --honeypot)  net     pot     tcp

    TARPIT only accepts TCP traffic, so the PROTO column must be tcp
    for such a rule to load.

    If the particular target that you wish to use is unknown to
    Shorewall, you will get this error message:

       ERROR: Unknown TARGET (<target>)

    You can eliminate that error by adding your target as a builtin
    action in /etc/shorewall[6]/actions.

    As part of this change, the /etc/shorewall[6]/actions file options
    have been extended to allow you to specify the Netfilter table(s)
    where the target is accepted. When 'builtin' is specified, you can
    also include the following options:

         filter
         nat
         mangle
         raw

    If no table is given, 'filter' is assumed for backward
    compatibility.

6)  The 'tcpflags' option is now set by default. To disable the option,
    specify 'tcpflags=0' in the OPTIONS column of the interfaces file.

7)  You may now use ipset names (preceded by '+') in PORT columns,
    allowing you to take advantage of bitmap:port ipsets.

8)  The counter extensions to ipset matches have been
    implemented. See shorewall[6]-ipsets for details.

9)  DROP is now a valid action in the stoppedrules files. DROP occurs
    in the raw table PREROUTING chain which avoids conntrack entry
    creation.

10) A new BASIC_FILTERS option is now supported. When set to 'Yes',
    this option causes the compiler to generate basic TC filters from
    tcfilters entries rather than u32 filters.

    Basic filters are more straight-forward than u32 filters and, in
    later iptables/kernel versions, basic filters support ipset
    matches.  Please note that Shorewall cannot reliably detect whether
    your iptables/kernel support ipset matches, so an error-free
    compilation does not guarantee that the firewall will start
    successfully when ipset names are specified in tcfilters entries.

11) The update command now supports an -A option. This is intended to
    perform all available updates to the configuration and is currently
    equivalent to '-b -D -t'.

12) Beginning with this release, FORMAT-1 actions and macros are 
    deprecated and a warning will be issued for each FORMAT-1 action
    or macro found. See the Migration Issues for further information.

13) To facilitate creation of ipsets with characteristics different
    from what Shorewall generates, the 'init' user exit is now executed
    before Shorewall creates ipsets that don't exist.
