----------------------------------------------------------------------------
	               S H O R E W A L L  5 . 1 . 0
                       -----------------------------
                       J a n u a r y  0 8,  2 0 1 7
----------------------------------------------------------------------------

I.    PROBLEMS CORRECTED IN THIS RELEASE
II.   KNOWN PROBLEMS REMAINING
III.  NEW FEATURES IN THIS RELEASE
IV.   MIGRATION ISSUES
V.    PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES

----------------------------------------------------------------------------
  I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

1)  This release includes defect repair through Shorewall 5.0.15.2.

2)  A defect associated with CHAIN_SCRIPTS=Yes previously prevented
    some of the optimizations associated with optimize level 4 from
    being applied. Removal of the CHAIN_SCRIPT option (see below) has
    eliminated the defect.

3)  The install.sh and uninstall.sh have had some minor cleanup (Matt
    Darfeuille).

4)  Previously, when SAVE_IPSETS=Yes or SAVE_IPSETS=ipv4, the restore
    phase of a rejected safe-restart would fail. That has been
    corrected.

5)  It is now possible to include compact IPv6 addresses (those with
    "::") in IP6TABLES() parameters. Previously, such addresses
    resulted in an "INVALID ACTION..." error.

----------------------------------------------------------------------------
           I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1)  On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.

2)  The 'enable', 'reenable' and 'disable' commands do not work
    correctly in configurations with USE_DEFAULT_RT=No and optional
    providers listed in the DUPLICATE column.

3)  While the 'ip' utility now accepts IPv6 routes with multiple
    'nexthop' destinations, these routes are not balanced. They are
    rather instantiated as a sequence of single routes with different
    metrics.  Furthermore,  the 'ip route replace' command fails on
    such routes. Beginning with Shorewall6 5.0.15, the generated script
    will use a "delete..add.." sequence on these routes rather than a
    single "replace" command.

----------------------------------------------------------------------------
      I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

1)  Shorewall 5.1 now has a single CLI program, ${SBINDIR}/shorewall
    (normally /sbin/shorewall). This program performs all of the same
    functions previously performed by /sbin/shorewall,
    /sbin/shorewall6, /sbin/shorewall-lite and /sbin/shorewall6-lite
    and is installed as part of the Shorewall-core package. Its
    default 'personality' is determined by the Shorewall packages
    installed:

    a) If the Shorewall package is installed, then by default,
       /sbin/shorewall behaves as in prior versions.

    b) If the Shorewall package is not installed, but the
       Shorewall-lite package is present, then /sbin/shorewall behaves
       as did /sbin/shorewall-lite in prior versions.

    c) If neither the Shorewall nor Shorewall-lite packages are
       installed, but the Shorewall6-lite package is installed, then
       /sbin/shorewall behaves as did /sbin/shorewall6-lite in prior
       versions.

    The program's personality can be altered through use of two new
    options.

    -6  When specified, changes the personality from Shorewall to
     	Shorewall6 or from Shorewall-lite to Shorewall6-lite.

    -l  When specified, changes the personality from Shorewall to
     	Shorewall-lite or from Shorewall6 to Shorewall6-lite. This
     	option is only required when both the standard package
     	(Shorewall or Shorewall6) and the corresponding -lite package
     	are installed on the system.

    The following is a comparison of Shorewall 5.0 and Shorewall 5.1
    with respect to the CLI invocation:

    	 All four packages installed:

    	 Shorewall 5.0			Shorewall 5.1

	 shorewall 			shorewall
	 shorewall6			shorewall -6
	 shorewall-lite			shorewall -l
	 shorewall6-lite		shorewall -6l

	 Only Shorewall-lite and Shorewall6-lite installed:

	 Shorewall 5.0	     	        Shorewall 5.1

	 shorewall-lite			shorewall
	 shorewall6-lite		shorewall -6

    A single shorewall(8) manpage now describes the CLI.

    The shorewall6(8), shorewall-lite(8) and shorewall6-lite(8)
    manpages are now minimal and refer the reader to shorewall(8).

    For backward compatibility, Shorewall6, Shorewall-lite and
    Shorewall6-lite install symlinks $SBINDIR/shorewall6,
    $SBINDIR/shorewall-lite and
    $SBINDIR/shorewall6-lite respectively. When the shorewall program
    is invoked through one of these symlinks, it adopts the appropriate
    personality.

2)  Several settings in the default/sample .conf files have been
    modified:

    a)  The LOGFORMAT setting has been changed from "Shorewall:%s:%s:"
    	to "%s %s " to enable longer zone names.

    b)  The LOGLIMIT setting has been changed from empty to
    	"s:1/sec:10", to enable log throttling by default.

    c)  The AUTOMAKE setting has been changed from "No" to "Yes", to
    	avoid unnecessary recompilation.

    d)  The IP_FORWARDING setting has been changed from "On" to "Keep"
    	in shorewall.conf to accommodate cases where forwarding has been
    	configured before installing Shorewall.

    e)  The OPTIMIZE setting has been changed to "All", to create more
    	compact rulesets by default.

    f)  TC_CLEAR has been set to "No" in the shorewall6.conf files.
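
    The LOGFORMAT change in 2a) matters to anything downstream that keys
    on the literal "Shorewall:" marker (syslog filters, fail2ban
    patterns, SIEM parsers): with the 5.1 default the prefix becomes
    "<chain> <disposition> " and that marker is gone. The change is to
    the shipped default/sample files, so an existing shorewall.conf
    keeps whatever LOGFORMAT it already sets, and a mixed fleet will log
    in both styles. The following is an added example, not Shorewall
    code, of a parser that accepts both prefixes; the sample syslog
    lines, the chain name "net-fw" and the dispositions are constructed
    for illustration, and the packet-summary fields are the usual
    Netfilter LOG layout.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the release notes). Chain and
# disposition names are assumed; the packet summary is the Netfilter LOG layout.
SAMPLE_LINES = [
    # 5.0 default LOGFORMAT "Shorewall:%s:%s:" -> prefix "Shorewall:net-fw:DROP:"
    "Jan  8 10:00:01 fw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= "
    "SRC=203.0.113.5 DST=198.51.100.1 LEN=60 PROTO=TCP SPT=44444 DPT=22 SYN",
    # 5.1 default LOGFORMAT "%s %s " -> prefix "net-fw DROP "
    "Jan  8 10:00:02 fw kernel: net-fw DROP IN=eth0 OUT= "
    "SRC=203.0.113.5 DST=198.51.100.1 LEN=60 PROTO=TCP SPT=44445 DPT=22 SYN",
    "Jan  8 10:00:03 fw kernel: net-fw ACCEPT IN=eth0 OUT= "
    "SRC=192.0.2.9 DST=198.51.100.1 LEN=60 PROTO=TCP SPT=5000 DPT=443 SYN",
    # An unrelated kernel message that must not be mistaken for a firewall log
    "Jan  8 10:00:04 fw kernel: eth0: link up",
]

# Old prefix: fixed "Shorewall:" marker, chain and disposition separated by ':'.
OLD_PREFIX = re.compile(
    r"kernel: Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$")
# New prefix: "<chain> <DISPOSITION> " directly followed by the packet summary,
# which always begins with IN=.  Checked second so old-style lines are not
# misread.
NEW_PREFIX = re.compile(
    r"kernel: (?P<chain>\S+) (?P<disp>[A-Z]+) (?P<rest>IN=.*)$")
FIELD = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return {'format','chain','disposition','fields'} or None for non-firewall lines."""
    for fmt, rx in (("5.0", OLD_PREFIX), ("5.1", NEW_PREFIX)):
        m = rx.search(line)
        if m:
            fields = dict(FIELD.findall(m.group("rest")))
            return {"format": fmt, "chain": m.group("chain"),
                    "disposition": m.group("disp"), "fields": fields}
    return None


def dropped_by_source(lines):
    """Count DROP/REJECT events per SRC address across both prefix formats."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["disposition"] in ("DROP", "REJECT"):
            counts[rec["fields"].get("SRC", "?")] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
    print(dropped_by_source(SAMPLE_LINES))
```

    The old-format expression is tried first because the 5.0 prefix
    also contains a chain token followed by a space, and a parser that
    only knew the new layout would silently return nothing for every
    host still running the old default.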

3)  The allowed syntax in the SOURCE and DEST columns in the rules file
    has been extended to allow multiple comma-separated
    <zone>:[<interface>:][<address-list>] tuples in a single
    rule. Where the <address-list> lists multiple addresses separated
    by commas, the <address-list> must be enclosed in parentheses.

    Example: net:(1.2.3.4,2.3.4.5),dmz:(5.6.7.8,6.7.8.9)

    See shorewall[6]-rules(5) for details.

    A similar change has been made to the conntrack and mangle files,
    where multiple <interface>:<address-lists> groups can be specified:

    Example: eth0:(1.2.3.4,2.3.4.5),eth1:(5.6.7.8,6.7.8.9)

    See shorewall[6]-conntrack(5) and shorewall[6]-mangle(5) for
    details.
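
    The parentheses rule above is what keeps the extended syntax
    unambiguous: a top-level comma separates tuples, so an address list
    written without parentheses would have its second address read as
    the start of a new zone tuple. The following is an added example,
    not Shorewall's compiler code, of a small parser for both the rules
    form (<zone>:[<interface>:][<address-list>]) and the conntrack/mangle
    form (<interface>:<address-list>). It assumes simplified lexical
    rules stated in the comments (zone names are a letter followed by
    letters, digits or underscores; a field is an address list rather
    than an interface when it is parenthesised, starts with '!', '+' or
    a digit, or contains '/') and is limited to IPv4 addresses, since
    IPv6 addresses contain the ':' separator.

```python
import re

# Assumed, simplified lexical rules for this example; Shorewall's compiler
# applies its own, fuller checks.
ZONE_NAME = re.compile(r"^[A-Za-z]\w*$")
ADDRESS_LIKE = re.compile(r"^[(!+0-9]|/")


def split_outside_parens(text, sep):
    """Split text on sep, ignoring any sep nested inside parentheses."""
    parts, cur, depth = [], [], 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:
                raise ValueError("unbalanced ')' in %r" % text)
            depth -= 1
        if ch == sep and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if depth:
        raise ValueError("unbalanced '(' in %r" % text)
    parts.append("".join(cur))
    return parts


def parse_address_list(field):
    """'(a,b)' -> ['a', 'b']; a single unparenthesised address -> [address]."""
    if field.startswith("(") and field.endswith(")"):
        addrs = field[1:-1].split(",")
    else:
        addrs = [field]
    if any(not a for a in addrs):
        raise ValueError("empty address in %r" % field)
    return addrs


def parse_endpoint(text, with_zone=True):
    """Parse a rules SOURCE/DEST value (with_zone=True) or a conntrack/mangle
    SOURCE/DEST value (with_zone=False) into (zone, interface, addresses)
    tuples.  zone is None when with_zone is False."""
    tuples = []
    for item in split_outside_parens(text, ","):
        if not item:
            raise ValueError("empty element in %r" % text)
        fields = split_outside_parens(item, ":")
        zone = None
        if with_zone:
            zone = fields.pop(0)
            if not ZONE_NAME.match(zone):
                # This is what an unparenthesised "a,b" list turns into: the
                # second address is read as a zone name and rejected.
                raise ValueError("%r is not a zone name in %r (an address list "
                                 "with commas must be parenthesised)" % (zone, text))
        iface = None
        if fields and not ADDRESS_LIKE.search(fields[0]):
            iface = fields.pop(0)
        addrs = parse_address_list(fields.pop(0)) if fields else []
        if fields:
            raise ValueError("too many ':'-separated fields in %r" % item)
        tuples.append((zone, iface, addrs))
    return tuples


def is_valid_endpoint(text, with_zone=True):
    """True if parse_endpoint accepts text, False if it raises ValueError."""
    try:
        parse_endpoint(text, with_zone)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_endpoint("net:(1.2.3.4,2.3.4.5),dmz:(5.6.7.8,6.7.8.9)"))
    print(parse_endpoint("eth0:(1.2.3.4,2.3.4.5),eth1:(5.6.7.8,6.7.8.9)",
                         with_zone=False))
    print(is_valid_endpoint("net:1.2.3.4,2.3.4.5"))
```

    The interface-versus-address decision is a heuristic introduced for
    this example; when writing real rules, rely on the documented syntax
    in shorewall[6]-rules(5) rather than on how this toy parser
    classifies a field.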

4)  The CHAIN_SCRIPTS option in the .conf files has been eliminated,
    and the compiler no longer looks for script files with the same
    name as a chain or action.

    If you are using such files, you will need to convert them into
    equivalent ?begin perl .... ?end perl text or to use the
    IP[6]TABLES target and/or inline matches.

    See http://www.shorewall.org/Shorewall-5.html#idp41228128.

5)  The --queue-cpu-fanout NFQUEUE option is now supported in NFQUEUE
    rules and policies. It is enabled by following the high queue
    number with the letter 'c' (e.g., NFQUEUE(0:3c)). This option
    requires 'NFQUEUE CPU Fanout' support in your kernel and
    ip[6]tables.

6)  A SWITCH column has been added to the mangle files. See
    shorewall[6]-mangle(5) for details.

7)  A 'show ipsec' command has been added. This command displays the
    contents of the IPSEC "Security Policy Database" (SPD) and
    "Security Association Database" (SAD). SAD keys are not shown.

8)  The Netfilter team have removed support for the rawpost table, so
    Shorewall no longer supports features requiring that table
    (stateless netmapping in the netmap file). The good news is that,
    since kernel 3.7, Netfilter supports stateful IPv6 network mapping
    which is now also supported in Shorewall6 (see
    shorewall6-netmap(5)).

9)  In the released tarballs, the action.* files now reside in a
    separate Actions/ directory.

10) The 'echo' builtin in recent versions of the dash shell does not
    support the -n option. To accommodate that version, Shorewall no
    longer uses either the -e or -n options.

11) When LOAD_HELPERS_ONLY=No, additional modules required for NAT are
    now loaded.

12) The (undocumented) Makefiles haven't been maintained for many
    releases and have been removed.

----------------------------------------------------------------------------
                  I V.  M I G R A T I O N   I S S U E S
----------------------------------------------------------------------------

1)  If you are migrating from Shorewall 4.6.x or earlier, please see
    http://www.shorewall.net/pub/shorewall/5.0/shorewall-5.0.15/releasenotes.txt

2)  Shorewall 5.1 now has a single CLI program, ${SBINDIR}/shorewall
    (normally /sbin/shorewall). This program performs all of the same
    functions previously performed by /sbin/shorewall,
    /sbin/shorewall6, /sbin/shorewall-lite and /sbin/shorewall6-lite
    and is installed as part of the Shorewall-core package. Its
    default 'personality' is determined by the Shorewall packages
    installed:

    a) If the Shorewall package is installed, then by default,
       /sbin/shorewall behaves as in prior versions.

    b) If the Shorewall package is not installed, but the
       Shorewall-lite package is present, then /sbin/shorewall behaves
       as did /sbin/shorewall-lite in prior versions.

    c) If neither the Shorewall nor Shorewall-lite packages are
       installed, but the Shorewall6-lite package is installed, then
       /sbin/shorewall behaves as did /sbin/shorewall6-lite in prior
       versions.

    The program's personality can be altered through use of two new
    options.

    -6  When specified, changes the personality from Shorewall to
     	Shorewall6 or from Shorewall-lite to Shorewall6-lite.

    -l  When specified, changes the personality from Shorewall to
     	Shorewall-lite or from Shorewall6 to Shorewall6-lite. This
     	option is only required when both the standard package
     	(Shorewall or Shorewall6) and the corresponding -lite package
     	are installed on the system.

    The following is a comparison of Shorewall 5.0 and Shorewall 5.1
    with respect to the CLI invocation:

    	 All four packages installed:

    	 Shorewall 5.0			Shorewall 5.1

	 shorewall 			shorewall
	 shorewall6			shorewall -6
	 shorewall-lite			shorewall -l
	 shorewall6-lite		shorewall -6l

	 Only Shorewall-lite and Shorewall6-lite installed:

	 Shorewall 5.0	     	        Shorewall 5.1

	 shorewall-lite			shorewall
	 shorewall6-lite		shorewall -6

    A single shorewall(8) manpage now describes the CLI.

    The shorewall6(8), shorewall-lite(8) and shorewall6-lite(8)
    manpages are now minimal and refer the reader to shorewall(8).

    For backward compatibility, Shorewall6, Shorewall-lite and
    Shorewall6-lite install symlinks $SBINDIR/shorewall6,
    $SBINDIR/shorewall-lite and
    $SBINDIR/shorewall6-lite respectively. When the shorewall program
    is invoked through one of these symlinks, it adopts the appropriate
    personality.

3)  The CHAIN_SCRIPTS option in the .conf files has been eliminated,
    and the compiler no longer looks for script files with the same
    name as a chain or action.

    If you are using such files, you will need to convert them into
    equivalent ?begin perl .... ?end perl text or to use the
    IP[6]TABLES target and/or inline matches.

    For the common case where you have an action xxx with an empty
    action.xxx file and have perl code in a file named xxx, the
    compiler will now generate a fatal error:

      ERROR: File action.xxx is empty and file xxx exists - the two
      	     must be combined as described in the Migration
      	     Considerations section of the Shorewall release notes

    For information about resolving this error, see
    http://www.shorewall.org/Shorewall-5.html#idp41228128.

4)  The Netfilter team have removed support for the rawpost table, so
    Shorewall no longer supports features requiring that table
    (stateless netmapping in the netmap file). The good news is that,
    since kernel 3.7, Netfilter supports stateful IPv6 network mapping
    which is now also supported in Shorewall6 (see
    shorewall6-netmap(5)).

5)  The (undocumented) Makefiles haven't been maintained for many
    releases and have been removed.

----------------------------------------------------------------------------
         V.  N O T E S  F R O M  O T H E R  5 . 1  R E L E A S E S
----------------------------------------------------------------------------
