File: releasenotes.txt

shorewall6 4.6.4.3-1
----------------------------------------------------------------------------
                     S H O R E W A L L  4 . 6 . 4 . 3
                   ------------------------------------
                      O c t o b e r  2 0 ,  2 0 1 4
----------------------------------------------------------------------------

I.    PROBLEMS CORRECTED IN THIS RELEASE
II.   KNOWN PROBLEMS REMAINING
III.  NEW FEATURES IN THIS RELEASE
IV.   MIGRATION ISSUES
V.    PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES

----------------------------------------------------------------------------
  I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

4.6.4.3

1)  The fix for LOGBACKEND in 4.6.4.2 worked on some older
    distributions but not on newer ones. This release fixes the problem
    in the remaining cases.

4.6.4.2

1)  Setting LOGBACKEND=ipt_LOG could result in the following startup
    failure at boot:

       Starting shorewall ...
       /var/lib/shorewall/firewall: line 2080: echo: write error: No such file or directory
          WARNING: Unable to set log backend to ipt_LOG

4.6.4.1

1)  Confusing 'usage' output was produced under the following
    conditions:

    a)  4.6.4 installed

    b)  The running firewall was compiled on an earlier release.

    c)  A 'safe-start', 'save-restart', 'save' or 'try' command is
        executed.

    This problem has been corrected.

2)  The 'optional' option has been removed from the IPv4 Universal 
    interfaces file, as that option caused startup failures.

4.6.4 Final.

1)  This release includes defect repair through release 4.6.3.4.

2)  Two corrections have been made to the .service files:

    - The .service files now correctly specify

          WantedBy=basic.target

    - Conflicting services have been added.

3)  A warning message generated during stoppedrules processing
    previously referred to the file as routestopped.

4)  Previously, the stoppedrules file did not work properly when
    ADMINISABSENTMINDED=No.

    - A warning message was issued stating that the file would be
      processed as if ADMINISABSENTMINDED=Yes, and it was.

    - Unfortunately, part of the surrounding rule-generating logic
      proceeded as if ADMINISABSENTMINDED=No, leading to an unusable
      ruleset.

    This problem has been corrected by changing the way that
    stoppedrules works with ADMINISABSENTMINDED=No. In the new
    implementation:

    - All existing connections continue to work.
    - Response packets and related connection requests to new accepted
      connections are accepted (in other words, the resulting ruleset
      is stateful).

    See shorewall[6].conf(5) for additional details.

5)  The .spec files now set SBINDIR correctly.

6)  The -lite installers now create INITDIR if it doesn't exist.

7)  The installers no longer attempt to create a symbolic link to the
    init script when no init script is installed.

8)  A large number of defects in the uninstallers have been corrected.

----------------------------------------------------------------------------
           I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1)  On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.

----------------------------------------------------------------------------
      I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

1)  Install support for Centos 7 and Foobar 7 has been added (Tuomo
    Soini).

2)  A 'terminating' option has been added to shorewall[6].actions.
    This option, when used with the 'builtin' option, indicates to the
    compiler that the built-in action is terminating. This allows the
    optimizer to omit rules after an unconditional jump to the
    built-in.

3)  A LOG_BACKEND option has been added to allow specification of the
    default logging backends. See shorewall.conf(5) and
    shorewall6.conf(5) for details.

4)  The SAVE_IPSETS option may now specify a list of ipsets to be
    saved. When such a list is specified, only those ipsets together
    with the ipsets supporting dynamic zones are saved.

    Shorewall6 now supports the SAVE_IPSETS option. When
    SAVE_IPSETS=Yes, only ipv6 ipsets are saved. For Shorewall, if
    SAVE_IPSETS=ipv4, then only ipv4 ipsets are saved. Both features
    require ipset version 5 or later.

    Note that shorewall.conf and shorewall6.conf may now both specify
    SAVE_IPSETS.

5)  The SBINDIR setting for SuSE now defaults to /usr/sbin/.

6)  With the exception of Shorewall-core, the tarball installers and
    uninstallers now support a -n option which inhibits any attempt to
    change the startup configuration. The -n option can be
    automatically invoked by setting the SANDBOX variable to a
    non-empty value, either in the environment or in your shorewallrc
    file.

----------------------------------------------------------------------------
                  I V.  M I G R A T I O N   I S S U E S
----------------------------------------------------------------------------

1)  If you are migrating from Shorewall 4.4.x or earlier, please see
    http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.21/releasenotes.txt

2)  Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir
    and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in
    favor of the VARDIR setting in shorewallrc.

        NOTE: While the name of the variable remains VARDIR, the
              meaning is slightly different. When set in shorewallrc,
              each product (shorewall-lite and shorewall6-lite) will
              create a directory under the specified path name to
              hold state information.

              Example:

                  VARDIR=/opt/var/

                  The state directory for shorewall-lite will be
                  /opt/var/shorewall-lite/ and the directory for
                  shorewall6-lite will be /opt/var/shorewall6-lite.

              When VARDIR is set in /etc/shorewall[6]/vardir, the
              product will save its state directly in the specified
              directory.

    In Shorewall 4.5.8, a VARLIB variable was added to the shorewallrc
    file and the meaning of VARDIR is once again consistent. The
    default setting of VARDIR for a particular product is
    ${VARLIB}/$product. There is an entry of that form in the
    shorewallrc file. Because there is a single shorewallrc file for
    all installed products, the /etc/shorewall[6]-lite/vardir file
    provides the only means for overriding this default.

3)  Beginning with Shorewall 4.5.6, the tcrules file is processed if
    MANGLE_ENABLED=Yes, independent of the setting of TC_ENABLED. This
    allows actions like TTL and TPROXY to be used without enabling
    traffic shaping.

    If you have rules in your tcrules file that you only want processed
    when TC_ENABLED is other than 'No', then enclose them in

         ?IF $TC_ENABLED
         ...
         ?ENDIF

    If they are to be processed only if TC_ENABLED=Internal, then enclose
    them in

         ?IF TC_ENABLED eq 'Internal'
         ...
         ?ENDIF

4)  Beginning with Shorewall 4.5.7, the deprecated
    /etc/shorewall[6]/blacklist files are no longer installed. Existing
    files are still processed by the compiler. Note that blacklist
    files may be converted to equivalent blrules files using
    'shorewall[6] update -b'.

5)  In Shorewall 4.5.7, the /etc/shorewall[6]/notrack file was renamed
    /etc/shorewall[6]/conntrack. When upgrading to a release >= 4.5.7,
    the conntrack file will be installed alongside an existing
    notrack file. When both files exist, a compiler warning is
    generated:

       WARNING: Both notrack and conntrack exist; conntrack is ignored

    This warning may be eliminated by moving any entries in the notrack
    file to the conntrack file and removing the notrack file.

6)  In Shorewall 4.5.8, the /etc/shorewall[6]/routestopped files were
    deprecated in favor of new /etc/shorewall[6]/stoppedrules
    counterparts. The new files have much more familiar and
    straightforward semantics. Once a stoppedrules file is populated,
    the compiler will process that file and will ignore the
    corresponding routestopped file.

7)  In Shorewall 4.5.8, a new variable (VARLIB) was added to the
    shorewallrc file. This variable assumes the role formerly played by
    VARDIR, and VARDIR now designates the configuration directory for a
    particular product.

    This change should be transparent to all users:

    a) If VARDIR is set in an existing shorewallrc file and VARLIB is
       not, then VARLIB is set to ${VARDIR} and VARDIR is set to
       ${VARLIB}/${PRODUCT}.

    b) If VARLIB is set in a shorewallrc file and VARDIR is not, then
       VARDIR is set to ${VARLIB}/${PRODUCT}.

    The Shorewall-core installer will automatically update
    ~/.shorewallrc and save the original in ~/.shorewallrc.bak

8)  Previously, the macro.SNMP macro opened both UDP ports 161 and 162 
    from SOURCE to DEST. This is against the usual practice of opening
    these ports in the opposite direction. Beginning with Shorewall
    4.5.8, the SNMP macro opens port 161 from SOURCE to DEST as before,
    and a new SNMPTrap macro is added that opens port 162 (from SOURCE
    to DEST).

9)  Beginning with Shorewall 4.5.11, ?FORMAT is preferred over FORMAT
    for specifying the format of records in these configuration files:

        action.* files
        conntrack
        interface
        macro.* files
        tcrules

    While deprecated, FORMAT (without the '?') is still supported.

    Also, ?COMMENT is preferred over COMMENT for attaching comments to
    generated netfilter rules in the following files.

        accounting
        action.* files
        blrules files
        conntrack
        masq
        nat
        rules
        secmarks
        tcrules
        tunnels

    When one of the deprecated forms is encountered, a warning message
    is issued.

    Examples:

       WARNING: 'FORMAT' is deprecated in favor of '?FORMAT' -
       		consider running 'shorewall update -D'.

       WARNING: 'COMMENT' is deprecated in favor of '?COMMENT' -
       		consider running 'shorewall update -D'.

    As the warnings indicate, 'update -D' will traverse the CONFIG_PATH 
    replacing FORMAT and COMMENT lines with ?FORMAT and ?COMMENT
    directives respectively. The original version of modified files
    will be saved with a .bak suffix. 

    During the update, .bak files are skipped as are files in
    ${SHAREDIR}/shorewall and ${SHAREDIR}/shorewall6.

10) To allow finer-grained selection of the connection-tracking states
    that are passed through blacklists (both dynamic and static), a
    BLACKLIST option was added to shorewall.conf and shorewall6.conf in
    Shorewall 4.5.13.

    The BLACKLISTNEWONLY option was deprecated at that point. A
    'shorewall update' ('shorewall6 update') will replace the
    BLACKLISTNEWONLY option with the equivalent BLACKLIST option.

11) In Shorewall 4.5.14, the BLACKLIST_LOGLEVEL option was renamed
    BLACKLIST_LOG_LEVEL to be consistent with the other log-level
    option names. BLACKLIST_LOGLEVEL continues to be accepted as a
    synonym for BLACKLIST_LOG_LEVEL, but a 'shorewall update' or
    'shorewall6 update' command will replace BLACKLIST_LOGLEVEL with
    BLACKLIST_LOG_LEVEL in the new .conf file.

12) Beginning with Shorewall 4.6.0, the default setting for 'ZONE2ZONE'
    is '-' rather than '2'. If you prefer to keep your pre-4.6.0 chain
    names, then specify ZONE2ZONE=2 in shorewall[6].conf.

13) Beginning with Shorewall 4.6.0, section headers are now preceded by
    '?' (e.g., '?SECTION ...').  If your configuration contains any
    bare 'SECTION' entries, the following warning is issued:

      WARNING: 'SECTION' is deprecated in favor of '?SECTION' -
               consider running 'shorewall update -D' ...

    As mentioned in the message, running 'shorewall[6] update -D' will
    eliminate the warning.

14) Beginning with Shorewall 4.6.0, the 'tcrules' file has been
    superseded by the 'mangle' file. Existing 'tcrules' files will
    still be processed, with the restriction that TPROXY is no longer
    supported in FORMAT 1.

    If your 'tcrules' file has non-commentary entries, the following
    warning message is issued:

        WARNING: Non-empty tcrules file (...);
		 consider running 'shorewall update -t'

    See shorewall6(8) for limitations of 'update -t'.
    
15) The default value LOAD_HELPERS_ONLY is now 'Yes'.

16) Beginning with Shorewall 4.6.0, FORMAT-1 actions and macros are 
    deprecated and a warning will be issued for each FORMAT-1 action
    or macro found.

      WARNING: FORMAT-1 actions are deprecated and support will be
      	       dropped in a future release.

      WARNING: FORMAT-1 macros are deprecated and support will be
      	       dropped in a future release.

    To eliminate these warnings, add the following line before the
    first rule in the action or macro:

      ?FORMAT 2

    and adjust the columns appropriately.

    FORMAT-1 actions have the following columns:

      TARGET
      SOURCE
      DEST
      PROTO
      DEST PORT(S)
      SOURCE PORT(S)
      RATE/LIMIT
      USER/GROUP
      MARK

    while FORMAT-2 actions have these columns:

      TARGET
      SOURCE
      DEST
      PROTO
      DEST PORT(S)
      SOURCE PORT(S)
      ORIGINAL DEST
      RATE/LIMIT
      USER/GROUP
      MARK
      CONNLIMIT
      TIME
      HEADERS (Used in IPv6 only)
      CONDITION
      HELPER

    FORMAT-1 macros have the following columns:

      TARGET
      SOURCE
      DEST
      PROTO
      DEST PORT(S)
      SOURCE PORT(S)
      RATE/LIMIT
      USER/GROUP

    while FORMAT-2 macros have these columns:    

      TARGET
      SOURCE
      DEST
      PROTO
      DEST PORT(S)
      SOURCE PORT(S)
      ORIGINAL DEST
      RATE/LIMIT
      USER/GROUP
      MARK
      CONNLIMIT
      TIME
      HEADERS (Used in IPv6 only)
      CONDITION
      HELPER
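
    Items 9, 13 and 16 above describe two sides of the same migration: bare
    FORMAT/COMMENT/SECTION lines become '?' directives, and a FORMAT-1
    action or macro gains the ORIGINAL DEST column on its way to ?FORMAT 2.
    The Python script below, added here as an illustration and not
    Shorewall's own 'update -D' code, applies both transformations to a
    constructed sample file; SAMPLE_ACTION, migrate(), directive_form()
    and add_origdest_column() are this example's own names.

```python
"""Migrate a Shorewall action or macro file toward the 4.6 conventions in the
migration notes: bare FORMAT / COMMENT / SECTION lines become '?' directives,
and a file still in FORMAT 1 has the FORMAT-2 ORIGINAL DEST column inserted
(as '-') after SOURCE PORT(S) and is declared '?FORMAT 2'.

Illustration written for this page, not Shorewall's own 'update -D' code.
Assumes one rule per line (no backslash continuations) and whitespace-
separated columns, as in the files the notes describe.
"""
import re

# Bare keywords the 4.6 compiler warns about, per the release notes.
_BARE_KEYWORDS = re.compile(r"(?:FORMAT|COMMENT|SECTION)\b")

# FORMAT-1 actions and macros share their first six columns with FORMAT-2
# (TARGET SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S)); FORMAT-2 then adds
# ORIGINAL DEST as the seventh column, so RATE/LIMIT, USER/GROUP and MARK
# shift one position to the right.
_ORIGDEST_INDEX = 6


def directive_form(line):
    """Return (line, changed): a bare FORMAT/COMMENT/SECTION keyword is
    rewritten to its '?' directive form; any other line is returned as-is."""
    stripped = line.lstrip()
    if _BARE_KEYWORDS.match(stripped):
        indent = line[: len(line) - len(stripped)]
        return indent + "?" + stripped, True
    return line, False


def add_origdest_column(line):
    """Return (line, changed) for a FORMAT-1 rule line: insert '-' at the
    ORIGINAL DEST position when the rule uses columns beyond SOURCE PORT(S).
    A ';' inline-match suffix and a trailing '#' comment are kept verbatim;
    the '{...}' named-column format is not positional and is left alone."""
    body, hashmark, trailing = line.partition("#")
    body, semi, inline = body.partition(";")
    if "{" in body:
        return line, False
    cols = body.split()
    if len(cols) <= _ORIGDEST_INDEX:
        return line, False      # nothing after SOURCE PORT(S): layout unchanged
    cols.insert(_ORIGDEST_INDEX, "-")
    new = "\t".join(cols)
    if semi:
        new += " " + semi + inline
    if hashmark:
        new += " " + hashmark + trailing
    return new, True


def migrate(text, convert_columns=True):
    """Migrate one file's text; returns (new_text, number_of_changed_lines).

    convert_columns=True is for action.* and macro.* files (FORMAT 1 -> 2).
    Pass False for rules, accounting, conntrack etc., where only the '?'
    directive rewrite applies and the column layout must not be touched.
    """
    out = []
    source_format = 1       # Shorewall files are FORMAT 1 until told otherwise
    declared = False        # has a ?FORMAT directive been emitted yet?
    changed = 0
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)
            continue
        line, was_bare = directive_form(line)
        changed += was_bare
        if line.lstrip().startswith("?"):
            m = re.match(r"\?FORMAT\s+(\d+)", line.lstrip())
            if m and convert_columns:
                source_format = int(m.group(1))
                declared = True
                if source_format == 1:          # declare FORMAT 2 instead
                    line, changed = "?FORMAT 2", changed + 1
            out.append(line)
            continue
        if convert_columns:
            if not declared:                    # first rule, no directive yet
                out.append("?FORMAT 2")
                declared, changed = True, changed + 1
            if source_format == 1:
                line, converted = add_origdest_column(line)
                changed += converted
        out.append(line)
    return "\n".join(out) + "\n", changed


# Constructed FORMAT-1 action file, not from the Shorewall distribution.
SAMPLE_ACTION = """\
# action.Example - constructed sample
#TARGET   SOURCE  DEST  PROTO  DPORT  SPORT  RATE/LIMIT  USER/GROUP  MARK
COMMENT Rate-limited DNS
ACCEPT    -       -     udp    53     -      s:10/min
DROP      -       -     tcp    25
REJECT    -       -     tcp    -      -      -           -           0x20
"""

if __name__ == "__main__":
    migrated, count = migrate(SAMPLE_ACTION)
    print(migrated, end="")
    print("# %d line(s) changed" % count)
```

    Running the script prints the migrated sample with a '?COMMENT' line, an
    inserted '?FORMAT 2', and '-' added as ORIGINAL DEST only on the rules
    that used columns to the right of SOURCE PORT(S).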

17) Prior to Shorewall 4.6.4, the stoppedrules file did not work
    properly when ADMINISABSENTMINDED=No.

    - A warning message was issued stating that the file would be
      processed as if ADMINISABSENTMINDED=Yes, and it was.

    - Unfortunately, part of the surrounding rule-generating logic
      proceeded as if ADMINISABSENTMINDED=No, leading to an unusable
      ruleset.

    In Shorewall 4.6.4, this problem was corrected by changing the way
    that stoppedrules works with ADMINISABSENTMINDED=No. In the new
    implementation:

    - All existing connections continue to work.
    - Response packets and related connection requests to new accepted
      connections are accepted (in other words, the resulting ruleset
      is stateful).

    See shorewall[6].conf(5) for additional details.

----------------------------------------------------------------------------
         V.  N O T E S  F R O M  O T H E R  4 . 6  R E L E A S E S
----------------------------------------------------------------------------
             P R O B L E M S  C O R R E C T E D  I N  4 . 6 . 3
----------------------------------------------------------------------------

4.6.3.1

1)  The DNSAmp action released in 4.6.3 matched more packets than it
    should have. That has now been corrected.

4.6.3

1)  This release contains defect repair up through release 4.6.2.5.

2)  The SAVE_IPSETS option in the Debian version of Shorewall-init now
    works correctly (Thomas D.).

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   4 . 6 . 3
----------------------------------------------------------------------------

1)  A new 'run' command has been implemented. This command allows you
    to run an arbitrary command in the context of the generated
    script. 

       shorewall[6][-lite] run <command> [ <parameter> ... ]

    Normally, <command> will be a function declared in lib.private.

2)  A DNSAmp action has been added. This action matches recursive UDP
    DNS queries. The default disposition is DROP, which can be
    overridden by the single action parameter (e.g., 'DNSAmp(REJECT)'
    will reject these queries). Recursive DNS queries are the basis for
    'DNS Amplification' attacks; hence the action name.

----------------------------------------------------------------------------
             P R O B L E M S  C O R R E C T E D  I N  4 . 6 . 2
----------------------------------------------------------------------------

4.6.2.5

1)  Previously, when an interface specified the 'physical=' option and
    the physical interface name was specified in the INTERFACES column
    of the providers file, compilation would fail with diagnostics
    similar to the following:

        Use of uninitialized value $physical in pattern match
          (m//) at /usr/lib/perl5/vendor_perl/5.18.1/
          Shorewall/Providers.pm line 463, <$currentfile> line 2.
        ERROR: A provider interface must have at least one
               associated zone /opt/etc/shorewall/providers (line 2)

2)  Shorewall-init now works correctly on systems with systemd.
    By Louis Lagendijk.

4.6.2.4

1)  Previously, inline matches were incorrectly disallowed in action
    files. These matches are now allowed.

4.6.2.3

1)  Previously, the compiler would fail with a Perl diagnostic if:

    - Optimize Level 8 was enabled.
    - Perl 5.20 was being used. This is the current Perl version on
      Arch Linux.

    The diagnostic was:

      Can't use string ("nat") as a HASH ref while "strict refs" in use
        at /usr/share/shorewall/Shorewall/Chains.pm line 3486.

4.6.2.2

1)  The compiler now correctly detects the IPv6 "Header Match"
    capability when LOAD_MODULES_ONLY=No.

2)  The compiler now correctly detects the IPv6 "Ipset Match"
    capability on systems running a 3.14 or later kernel.

3)  The compiler now correctly detects "Arptables JF" capability when
    LOAD_MODULES_ONLY=No.

4)  The tcfilter manpages previously failed to mention that
    BASIC_FILTERS=Yes is required to use ipsets in the tcfilters files.

4.6.2.1

1)  Two issues with tcrules processing have been corrected:

    - SAVE and RESTORE generated fatal compilation errors.
    - '|' and '&' were ignored.

4.6.2

1)  The DSCP match in the mangle and tcrules files didn't work with
    service class names such as EF, BE, CS1, ... (Thibaut Chèze)

2)  The SAVE and RESTORE actions were disallowed in the OUTPUT chain in
    tcrules and mangle; this was a regression from 4.5.21.

3)  Additional ports required by Asus, Supermicro and Dell have been
    added to the IPMI macro (Tuomo Soini).

4)  Some issues regarding install under Cygwin64 have been addressed.

    - configure.pl did not understand CYGWIN returned from `uname`
    - Shorewall-core install.sh did not understand CYGWIN returned from 
      `uname`.
    - The Shorewall and Shorewall6 installers tried to run the command 
      'mkdir -p //etc/shorewall[6]' which is broken in the current
      Cygwin64.

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   4 . 6 . 2
----------------------------------------------------------------------------

1)  The 'status' command now allows a -i option which causes the state
    of all optional and provider interfaces to be displayed.

    Example:

    root@gateway:/etc/shorewall# shorewall status -i
    Shorewall-4.6.1 Status at gateway - Wed Jun 18 14:27:19 PDT 2014

    Shorewall is running
    State:Started (Wed Jun 18 09:50:01 PDT 2014) from /etc/shorewall/
       (/var/lib/shorewall/firewall compiled by Shorewall version 4.6.1)

       Interface eth0 is Enabled
       Interface eth1 is Enabled
       Interface lo is Enabled

2)  A 'shorewall show blacklists' command has been
    implemented. The abbreviation 'bl' may be used in place of
    'blacklists'.

    The command displays the output of the 'dynamic' chain together
    with the chains created by entries in the blrules file.

3)  A TIME column has been added to the mangle file. It has the same
    use in that file as the corresponding column in the rules file.

4)  A stateful port knocking example has been added to the Events
    article (http://www.shorewall.net/Events.html). This example allows
    a sequence of knocking ports to be defined (Gerhard Weisinger).

5)  A macro supporting HP's Integrated Lights Out (ILO) has been added
    (Tuomo Soini).

6)  It is now possible to specify the MAC address of a provider
    GATEWAY. This is useful when there are multiple providers serviced
    by a single interface as it avoids the need for the generated
    script to detect the MAC during start/restart.

7)  The copyrights in the sample configuration files have been updated. 

----------------------------------------------------------------------------
             P R O B L E M S  C O R R E C T E D  I N  4 . 6 . 1
----------------------------------------------------------------------------

4.6.1.4

1)  The DSCP match in the mangle and tcrules files didn't work with
    service class names such as EF, BE, CS1, ...

2)  The SAVE and RESTORE actions were disallowed in the OUTPUT chain in
    tcrules and mangle; this was a regression from 4.6.21.

4.6.1.3

1)  Use of the 'IfEvent' action resulted in a compilation failure:

      ERROR: -j is only allowed when the ACTION is INLINE with no
        parameter /usr/share/shorewall/action.IfEvent (line 139)
         from /etc/shorewall/action.SSHKnock (line 8)
         from /etc/shorewall/rules (line 31)

4.6.1.2

1)  The shorewall-masq(5) and shorewall6-masq(5) manpages had a mangled
    heading for the description of the SOURCE column, leading some
    readers to assert that the description was missing.

2)  When INLINE_MATCHES=Yes and AUTOHELPERS=No, start or restart could
    fail during script execution with this diagnostic:

      Running /sbin/iptables-restore...
      Bad argument `helper=netbios-ns'
      Error occurred at line: nnn
      Try `iptables-restore -h' or 'iptables-restore --help' for more
          information.
        ERROR: iptables-restore Failed. Input is in
               /var/lib/shorewall/.iptables-restore-input

4.6.1.1

1)  An improved error message is generated when a server address list
    is specified in the DEST column of a DNAT or REDIRECT
    rule. At one time, iptables supported such lists, but now only a
    single address or an address range is supported.

    The previous error message was:

    	ERROR: Unkknown Host (192.168.1.4,192.168.1.22)

    The new error message is:

    	ERROR: An address list (192.168.1.4,192.168.1.22) is not
	       allowed in the DEST column of a xxx RULE

    where xxx is DNAT or REDIRECT as appropriate.

2)  Two problems have been corrected in the Shorewall-init Debian init
    script.

        a) A cosmetic problem which resulted in 'echo_notdone' being
           displayed on failure rather than 'not done'.

        b) More seriously, the test for the existence of compiled
           firewall scripts was incorrect, with the result that the
           firewall scripts were not executed.

    These defects, introduced in Shorewall 4.5.17, have now been
    corrected.

4.6.1

1)  When the 'rpfilter' option is specified on all interfaces, no
    references to the 'dynamic' chain were created and that chain was
    optimized away.

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   4 . 6 . 1
----------------------------------------------------------------------------

1)  Tuomo Soini has provided new macros for AMOP, MongoDB, Redis, Sieve
    and IPMI (RMCP).
	
----------------------------------------------------------------------------
             P R O B L E M S  C O R R E C T E D  I N  4 . 6 . 0
----------------------------------------------------------------------------

4.6.0.3

1)  The Shorewall-init package now installs correctly on RHEL7.

2)  1:1 NAT is now enabled in IPv6.

3)  A subtle interaction between NAT and sub-zones is explained in
    shorewall-nat.

4)  The 'show filters' command now works with Simple TC.

4.6.0.2

1)  The 'upgrade -A' command now converts the tcrules file to a mangle
    file. Previously, that didn't happen.

2)  The install components now support RHEL7.

3)  Whitespace issues in the skeleton configuration files have been
    corrected (Tuomo Soini).

4)  FAQ 2e has been added which describes additional steps required to
    achieve hairpin NAT on a bridge where the modified packets are to
    go out the same bridge port as they entered.

5)  shorewall-masq(5) has been corrected to include the word SOURCE on
    the description of that column. Previously, the description read
    '(formerly called SUBNET)'.

6)  The output of 'shorewall show filters' once again shows ingress
    (policing) filters. This works around undocumented changes to the
    behavior of the 'tc' utility.

4.6.0.1

1)  The CHECKSUM target in the tcrules and mangle files was broken and
    resulted in this error diagnostic:

      Running /sbin/iptables-restore...
      iptables-restore v1.4.7: CHECKSUM target: Parameter --checksum-fill is
                               required
      Error occurred at line: 41
      Try `iptables-restore -h' or 'iptables-restore --help' for more
         information.
      ERROR: iptables-restore Failed. Input is in
         /var/lib/shorewall/.iptables-restore-input

    The compiler is now generating the correct rule.

2)  Some cosmetic issues in the 'mangle' files have been resolved.

3)  When an invalid chain designator was supplied in 'tcrules' or
    'mangle', the compiler's error message was garbled and a 
    Perl diagnostic was issued.

4.6.0

This release includes all defect repair from releases up through
4.5.21.9.

1)  The tarball installers now install .service files with mode 644
    rather than mode 600.

----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   4 . 6 . 0
----------------------------------------------------------------------------

1)  SECTION entries in the accounting and rules files now allow
    "SECTION" to be immediately preceded by "?" (e.g., ?SECTION). The
    new form is preferred and if any SECTION entries do not have the
    question mark, a warning is issued (see Migration Issues below).

2)  The default setting for ZONE2ZONE has been changed from '2' to '-'
    for increased readability when zone names contain '2'.

3)  The 'tcrules' file has been superseded by the 'mangle'
    file. Existing 'tcrules' files will still be processed, with the
    restriction that TPROXY is no longer supported in FORMAT 1.

    You can convert your tcrules file into the equivalent mangle file
    using the command:

       shorewall update -t

    See shorewall(8) and shorewall6(8) for important restrictions of
    the -t option.

4)  Prior to now, the ability to specify raw iptables matches has been
    tied to the INLINE action. Beginning with this release, the two can
    be separated by specifying INLINE_MATCHES=Yes.

    When INLINE_MATCHES=Yes, then inline matches may be specified after
    a semicolon in the following files:

      action files
      macros
      rules
      mangle
      masq

    Note that semicolons are not allowed in any other files. If you
    want to use the alternative input format in those files, then you
    must enclose the specifications in curly brackets ({...}). The -i
    option of the 'check' command will warn you of lines that need to
    be changed from using ";" to using "{...}".

5)  The 'conntrack', 'raw', 'mangle' and 'rules' files now support an IPTABLES
    (IP6TABLES) action. This action is similar to INLINE in that it
    allows arbitrary ip[6]tables matches to be specified after a
    semicolon (even when INLINE_MATCHES=No). It differs in that the
    parameter passed is an iptables target with target options.

    Example (rules file):

       #ACTION				SOURCE	DEST	PROTO
       IPTABLES(TARPIT --honeypot)	net	pot

    If the particular target that you wish to use is unknown to
    Shorewall, you will get this error message:

       ERROR: Unknown TARGET (<target>)

    You can eliminate that error by adding your target as a builtin
    action in /etc/shorewall[6]/actions.

    As part of this change, the /etc/shorewall[6]/actions file options
    have been extended to allow you to specify the Netfilter table(s)
    where the target is accepted. When 'builtin' is specified, you can
    also include the following options:

         filter
         nat
         mangle
         raw

    If no table is given, 'filter' is assumed for backward
    compatibility.

6)  The 'tcpflags' option is now set by default. To disable the option,
    specify 'tcpflags=0' in the OPTIONS column of the interface file.

7)  You may now use ipset names (preceded by '+') in PORT columns,
    allowing you to take advantage of bitmap:port ipsets.

8)  The counter extensions to ipset matches have been
    implemented. See shorewall[6]-ipsets for details.

9)  DROP is now a valid action in the stoppedrules files. DROP occurs
    in the raw table PREROUTING chain which avoids conntrack entry
    creation.

10) A new BASIC_FILTERS option is now supported. When set to 'Yes',
    this option causes the compiler to generate basic TC filters from
    tcfilters entries rather than u32 filters.

    Basic filters are more straightforward than u32 filters and, in
    later iptables/kernel versions, basic filters support ipset
    matches.  Please note that Shorewall cannot reliably detect whether
    your iptables/kernel support ipset matches, so an error-free
    compilation does not guarantee that the firewall will start
    successfully when ipset names are specified in tcfilters entries.

11) The update command now supports an -A option. This is intended to
    perform all available updates to the configuration and is currently
    equivalent to '-b -D -t'.

12) Beginning with this release, FORMAT-1 actions and macros are 
    deprecated and a warning will be issued for each FORMAT-1 action
    or macro found. See the Migration Issues for further information.

13) To facilitate creation of ipsets with characteristics different
    from what Shorewall generates, the 'init' user exit is now executed
    before Shorewall creates ipsets that don't exist.