"Fossies" - the Fresh Open Source Software Archive

Member "shorewall6-5.2.8/releasenotes.txt" (24 Sep 2020, 68852 Bytes) of package /linux/misc/shorewall/shorewall6-5.2.8.tar.bz2:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "releasenotes.txt": 5.2.7_vs_5.2.8.

    1 ----------------------------------------------------------------------------
    2 	               S H O R E W A L L  5 . 2 . 8
    3                       -------------------------------
    4                      S E P T E M B E R  2 4 ,  2 0 2 0
    5 ----------------------------------------------------------------------------
    6 
    7 I.    PROBLEMS CORRECTED IN THIS RELEASE
    8 II.   KNOWN PROBLEMS REMAINING
    9 III.  NEW FEATURES IN THIS RELEASE
   10 IV.   MIGRATION ISSUES
   11 V.    PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
   12 
   13 ----------------------------------------------------------------------------
   14   I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
   15 ----------------------------------------------------------------------------
   16 
   17 1)  Certain restrictions that apply to wildcard interfaces (interface
   18     name ends in '+') were previously not enforced when the logical
   19     interface name did not end in '+' but the physical interface name
   20     did end in '+'.  That has been corrected.
   21 
   22 2)  To ensure that error messages appear in the correct place in the
   23     output stream, stderr is now redirected to stdout when the
   24     configured PAGER is used by a command.
   25 
   26 3)  Since Shorewall 5.1.0, the Shorewall uninstall.sh script has
   27     incorrectly removed ${SBINDIR}/shorewall, while the Shorewall-core
   28     uninstall.sh script has failed to remove that file. Both scripts
   29     have been corrected.
   30 
   31 4)  Previously, the Shorewall CLI included a spurious hyphen ('-')
   32     between the product name (e.g., 'Shorewall6') and the version when
   33     printing a command output banner.
   34 
   35     Example:
   36 
   37       Shorewall6 Lite 5.2.8-RC1 Logwatch at foo8 - Thu 17 Sep 2020 ...
   38 
   39     That has been corrected.
   40 
   41 5)  The shorewall-snat(5) manpage previously stated that a
   42     comma-separated list of IP address could be specified for
   43     SNAT. That statement was in error and has been removed. As part of
   44     this change, IPv4 Example 6 has been updated to use the
   45     PROBABILITY column.
   46 
   47 ----------------------------------------------------------------------------
   48            I I.  K N O W N   P R O B L E M S   R E M A I N I N G
   49 ----------------------------------------------------------------------------
   50 
   51 1)  On systems running Upstart, shorewall-init cannot reliably secure
   52     the firewall before interfaces are brought up.
   53 
   54 2)  The 'enable', 'reenable' and 'disable' commands do not work
   55     correctly in configurations with USE_DEFAULT_RT=No and optional
   56     providers listed in the DUPLICATE column.
   57 
   58 3)  While the 'ip' utility now accepts IPv6 routes with multiple
   59     'nexthop' destinations, these routes are not balanced. They are
   60     rather instantiated as a sequence of single routes with different
   61     metrics.  Furthermore,  the 'ip route replace' command fails on
   62     such routes. Beginning with Shorewall6 5.0.15, the generated script
   63     uses a "delete..add.." sequence on these routes rather than a
   64     single "replace" command.
   65 
   66 4)  On Debian-derived systems, when DOCKER=Yes, the 'systemctl restart
   67     shorewall' command looses Docker rules.
   68 
   69     Workaround (courtesy of J Cliff Armstrong):
   70 
   71     Type (as root):
   72 
   73         `systemctl edit shorewall.service`.
   74 
   75     This will open the default terminal editor to a blank file in
   76     which you can paste the following:
   77 
   78     [Service]
   79     # reset ExecStop
   80     ExecStop=
   81     # set ExecStop to "stop" instead of "clear"
   82     ExecStop=/sbin/shorewall $OPTIONS stop
   83 
   84     Then type `systemctl daemon-reload` to activate the changes. This
   85     change will survive future updates of the shorewall package from apt
   86     repositories. The override file itself will be saved to
   87     `/etc/systemd/system/shorewall.service.d/`.
   88 
   89 5)  RFC 2526 describes IPv6 subnet anycast addresses. The RFC makes a
   90     distinction between subnets with "IPv6 address types required to
   91     have 64-bit interface identifiers in EUI-64 format" and all other
   92     subnets. When generating these anycast addresses, the Shorewall
   93     compiler does not make this distinction and unconditionally
   94     assumes that the last 128 addresses in the subnet are reserved as
   95     anycast addresses.
   96 
   97 ----------------------------------------------------------------------------
   98       I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
   99 ----------------------------------------------------------------------------
  100 
  101 1)  The 'show tc' command now shows the classifiers associated with
  102     each interface (as displayed by the 'show classifiers'
  103     command). This integrated qdisc/filter information is also included 
  104     in the output of the 'dump' command. This change deprecates the
  105     'show classifiers' ('show filters') command, as that command's
  106     output is now included in the 'show tc' output.
  107 
  108 2)  Shorewall6 has traditionally generated rules for IPv6 anycast
  109     addresses. These rules include:
  110 
  111     a)  Packets with these destination IP addresses are dropped by
  112     	REJECT rules.
  113 
  114     b)  Packets with these source IP addresses are dropped by the
  115     	'nosmurfs' interface option and by the 'dropSmurfs' action.
  116 
  117     c)  Packets with these destination IP addresses are not logged
  118         during policy enforcement.
  119 
  120     d)  Packets with these destination IP addresses are processes by
  121     	the 'Broadcast' action.
  122 
  123     Beginning with this release, individual network interfaces can be
  124     excluded from this treatment through use of the 'omitanycast'
  125     option in /etc/shorewall6/interfaces.
  126 
  127     Note: This option was named 'noanycast' in earlier Beta releases.
  128 
  129 3)  Duplicate function names have been eliminated between the
  130     Shorewall-core lib.cli shell library and the Shorewall lib.cli-std
  131     library.
  132 
  133 4)  The 'status' command in Shorewall[6]-lite now precedes the
  134     configuration directory name with the administrative host name
  135     separated with a colon (":").
  136 
  137     Example (Firewall script generated on host 'debianvm'):
  138 
  139       root@gateway:~# shorewall-lite status
  140       Shorewall Lite-5.2.8 Status at gateway - Tue 15 Sep 2020 03:09:15 PM PDT
  141 
  142       Shorewall Lite is running
  143       State:Started Tue 15 Sep 2020 03:08:33 PM PDT from
  144       debianvm:/home/teastep/shorewall/gateway/shorewall/
  145       (/var/lib/shorewall-lite/firewall compiled Tue 15 Sep 2020
  146       03:08:28 PM PDT by Shorewall version 5.2.8)
  147 
  148       root@gateway:~#
  149 
  150 5)  Tuomo Soini has contributed a macro that handles NFS v1.4 (no
  151     dynamic ports).
  152 
  153 ----------------------------------------------------------------------------
  154                   I V.  M I G R A T I O N   I S S U E S
  155 ----------------------------------------------------------------------------
  156 
  157     If you are migrating from Shorewall 4.6.x or earlier, please see
  158     http://www.shorewall.org/pub/shorewall/5.0/shorewall-5.0.15/releasenotes.txt
  159 
  160     Immediately after installing Shorewall 5.2.x, we recommend that you run
  161     'shorewall[6] update'. This command will handle many of the migration
  162     issues described here.
  163 
  164     ------------------------------------------------------------------------
  165     I S S U E S  M I G R A T I N G  T O  S H O R E W A L L  5 . 2
  166     F R O M  S H O R E W A L L  5 . 0
  167     ------------------------------------------------------------------------
  168 
  169     If you are migrating from Shorewall 5.0, this section will
  170     familiarize you with the changes in Shorewall 5.1 that may affect
  171     your configuration.
  172 
  173 1)  Shorewall 5.1 now has a single CLI program, ${SBINDIR}/shorewall
  174     (normally /sbin/shorewall). This program performs all of the same
  175     functions previously performed by /sbin/shorewall,
  176     /sbin/shorewall6, /sbin/shorewall-lite and /sbin/shorewall6-lite
  177     and is installed as part of the Shorewall-core package. It's
  178     default 'personality' is determined by the Shorewall packages
  179     installed:
  180 
  181     a) If the Shorewall package is installed, then by default,
  182        /sbin/shorewall behaves as in prior versions.
  183 
  184     b) If the Shorewall package is not installed, but the
  185        Shorewall-lite package is present, then /sbin/shorewall behaves
  186        as did /sbin/shorewall-lite in prior versions.
  187 
  188     c) If neither the Shorewall nor Shorewall-lite packages are
  189        installed, but the Shorewall6-lite package is installed, then
  190        /sbin/shorewall behaves as did /sbin/shorewall6-lite in prior
  191        versions.
  192 
  193     The program's personality can be altered through use of two new
  194     options.
  195 
  196     -6  When specified, changes the personality from Shorewall to
  197      	Shorewall6 or from Shorewall-lite to Shorewall6-lite.
  198 
  199     -l  When specified, changes the personality from Shorewall to
  200      	Shorewall-lite or from Shorewall6 to Shorewall6-lite. This
  201      	option is only required when both the standard package
  202      	(Shorewall or Shorewall6) and the corresponding -lite package
  203      	are installed on the system.
  204 
  205     The following is a comparison of Shorewall 5.0 and Shorewall 5.1
  206     with respect to the CLI invocation:
  207 
  208     	 All four packages installed:
  209 
  210     	 Shorewall 5.0			Shorewall 5.1
  211 
  212 	 shorewall 			shorewall
  213 	 shorewall6			shorewall -6
  214 	 shorewall-lite			shorewall -l
  215 	 shorewall6-lite		shorewall -6l
  216 
  217 	 Only Shorewall-lite and Shorewall6-lite installed:
  218 
  219 	 Shorewall 5.0	     	        Shorewall 5.1
  220 
  221 	 shorewall-lite			shorewall
  222 	 shorewall6-lite		shorewall -6
  223 
  224     A single shorewall(8) manpage now describes the CLI.
  225 
  226     The shorewall6(8), shorewall-lite(8) and shorewall6-lite(8)
  227     manpages are now minimal and refer the reader to shorewall(8).
  228 
  229     For backward compatibility, Shorewall6, Shorewall-lite and
  230     Shorewall6-lite install symlinks $SBINDIR/shorewall6,
  231     $SBINDIR/shorewall-lite and
  232     $SBINDIR/shorewall6-lite respectively. When the shorewall program
  233     is invoked through one of these symlinks, it adopts the appropriate
  234     personality.
  235 
  236 2)  The CHAIN_SCRIPTS option in the .conf files has been eliminated,
  237     and the compiler no longer looks for script files with the same
  238     name as a chain or action.
  239 
  240     If you are using such files, you will need to convert them into
  241     equivalent ?begin perl .... ?end perl text or to use the
  242     IP[6]TABLES target and/or inline matches.
  243 
  244     For the common case where you have an action xxx with an empty
  245     action.xxx file and have perl code in a file named xxx, the
  246     compiler will now generate a fatal error:
  247 
  248       ERROR: File action.xxx is empty and file xxx exists - the two
  249       	     must be combined as described in the Migration
  250       	     Considerations section of the Shorewall release notes
  251 
  252     For information about resolving this error, see
  253     http://www.shorewall.org/Shorewall-5.html#idp41228128.
  254 
  255     This issue is not handled by 'shorewall update' and must be
  256     corrected manually.
  257 
  258 4)  The Netfilter team have removed support for the rawpost table, so
  259     Shorewall no longer supports features requiring that table
  260     (stateless netmapping in the netmap file). The good news is that,
  261     since kernel 3.7, Netfilter supports stateful IPv6 network mapping
  262     which is now also supported in Shorewall6 (see
  263     shorewall-netmap(5)).
  264 
  265     This issue is not handled by 'shorewall update' and must be
  266     corrected manually.
  267 
  268 5)  The (undocumented) Makefiles haven't been maintained for many
  269     releases and have been removed.
  270 
  271 6)  Beginning with Shorewall 5.1.2, The DROP_DEFAULT, REJECT_DEFAULT,
  272     etc. options may now specify a comma-separated list of actions
  273     rather than just a single action. The actions are invoked in the
  274     order in which they are listed and each action may optionally be
  275     followed by a colon (":") and a log level.  The POLICY column in
  276     shorewall[6]-policy can now specify a similar list of actions. In
  277     that file, the list may be preceded by a plus sign ("+"), in which
  278     case the listed actions will be in addition to those listed in the
  279     related _DEFAULT setting in shorewall[6].conf.
  280 
  281     With these changes, the Drop and Reject policy actions are now
  282     deprecated in favor of a list of smaller actions. A warning is
  283     issued when these deprecated actions are used; the warning refers
  284     the reader to http://www.shorewall.org/Actions.html#Default.
  285 
  286     This issue is partially handled by 'shorewall update' - see
  287     the 5.2 issues below.
  288 
  289 7)  Beginning with Shorewall 5.1.2, the allowBcast, dropBcast, and
  290     Broadcast no longer handle multicast. Multicast is handeled
  291     separately in actions allowMcast, dropMcast and Multicast. The
  292     now-deprecated Drop and Reject policy actions have been modified so
  293     that they continue to silently drop multicast packets.
  294 
  295 8)  According to the Netfilter team (see
  296     https://patchwork.kernel.org/patch/9198133/), the --nflog-range option
  297     of the NFLOG target has never worked correctly, and they have
  298     deprecated that option in favor of the --nflog-size option.
  299 
  300     To accomodate this change, Shorewall 5.1.5 added an "--nflog-size
  301     support" (NFLOG_SIZE) Shorewall capability and a USE_NFLOG_SIZE
  302     option in shorewall[6].conf. If USE_NFLOG_SIZE=Yes, then if the
  303     capability is present, Shorewall will use '--nflog-size' in place
  304     of '--nflog-range'. If USE_NFLOG_SIZE=Yes and the capability is not
  305     present, an error is raised.
  306 
  307     If you don't use NFLOG or if you use NFLOG with omittted second
  308     parameter or with 0 as the second parameter, and 'shorewall show
  309     capabilities' indicated that --nflog-size support is present, you
  310     may safely set USE_NFLOG_SIZE=Yes.
  311 
  312     If you pass a non-zero value as the second parameter to NFLOG and
  313     the '--nflog-size support' capability is present, you need to
  314     verify that those NFLOG messages are as you expect with
  315     USE_NFLOG_SIZE=Yes.
  316 
  317     This issue is not handled by 'shorewall update' and must be
  318     corrected manually.
  319 
  320 9)  The MODULE_SUFFIX option in shorewall[6].conf was eliminated in
  321     Shorewall 5.1.7. Shorewall now finds modules, independent of their
  322     filename suffix.
  323 
  324     'shorewall [-6] update' will automatically remove any MODULE_SUFFIX
  325     setting.
  326 
  327 10) Beginning with Shorewall 5.1.8, when RESTORE_DEFAULT_ROUTE=Yes the
  328     default route is only restored when there are no enabled
  329     'balance/primary' providers and no enabled fallback providers.
  330 
  331     Also beginning with Shorewall 5.1.8, if the default route(s) have
  332     been restored to the 'main' table, and a fallback provider is
  333     successfully enabled, the default route(s) are removed from the
  334     main table.
  335 
  336 11) Because restoring default routes to the main routing table can
  337     break the ability of Foolsm and other link status monitors to
  338     properly detect non-functioning provider links, a warning message
  339     is issued when the 'persistent' provider option is specified and
  340     RESTORE_DEFAULT_ROUTE=Yes.
  341 
  342       WARNING: When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option
  343                may not work as expected
  344 
  345     This change was released in Shorewall 5.1.8.
  346 
  347     This issue is not handled by 'shorewall update' and must be
  348     corrected manually.
  349 
  350 12) Most interface OPTIONS have always been ignored when the INTERFACE
  351     name is '+'. Beginning with the Shorewall 5.1.10 release, a warning
  352     is issued when an ignored option is specified with interface name '+'.
  353 
  354 	Example: The 'sourceroute' option is ignored when used with
  355 		 interface name '+'
  356 
  357     In many cases, this issue can be worked around by a change similar
  358     to the following:
  359 
  360     Original:
  361 
  362 	net	+		dhcp,routeback,sourceroute=0
  363 
  364     Change to:
  365 
  366 	net	all		dhcp,physical=+,routeback,sourceroute=0
  367 		---		     ----------
  368 
  369     As part of this change, interfaces that specify a wildcard physical
  370     interface name will generate a warning if any of the following
  371     options are specified:
  372 
  373 	accept_ra
  374 	arp_filter
  375 	arp_ignore
  376 	forward
  377 	logmartians
  378 	proxyarp
  379 	proxyndp
  380 	routefilter
  381 	sourceroute
  382 
  383     When the warning is issued, the specified option is then ignored
  384     for the interface.
  385 
  386     Example:
  387 
  388 	WARNING: The 'sourceroute' option is ignored when used with a
  389 		 wildcard physical name
  390 		 /etc/shorewall6.universal/interfaces (line 14)
  391 
  392     This issue is not handled by 'shorewall update' and must be
  393     corrected manually.
  394 
  395 13) INLINE_MATCHES=Yes has been documented as deprecated for some
  396     time, but it has not generated a warning. Beginning with the
  397     Shorewall 5.1.12 release, a warning is issued:
  398     
  399         WARNING: Option INLINE_MATCHES=Yes is deprecated
  400 
  401     Additionally, each line that requires modification to work with
  402     INLINE_MATCHES=No is flagged with the warning:
  403 
  404         WARNING: This entry needs to be changed (replace ';' with ';;')
  405 		 before the INLINE_MATCHES option is removed in
  406 		 Shorewall 5.2
  407 
  408     You can eliminate the warnings by setting INLINE_MATCHES=No and
  409     by replacing the single semicolon (";") separating inline matches
  410     from the column-oriented part of the rule with two semicolons
  411     (";;") in each entry flagged by the second warning.
  412 
  413     This issue is mostly handled by 'shorewall update' - see
  414     the 5.2 issues below.
  415 
  416     ------------------------------------------------------------------------
  417     I S S U E S  M I G R A T I N G  T O  S H O R E W A L L  5 . 2
  418     F R O M  S H O R E W A L L  5 . 0  A N D  5 . 1
  419     ------------------------------------------------------------------------
  420 
  421 1)  The MAPOLDACTIONS option in shorewall.conf has been removed. This
  422     option provided compatibility with releases prior to Shorewall 3.0.
  423     'shorewall update' will remove the setting of this option from
  424     shorewall.conf.
  425 
  426 2)  The INLINE_MATCH option has been removed. Shorewall now behaves as
  427     if INLINE_MATCH=No had been specified:
  428 
  429     - A single semicolon (';') is used to separate column-oriented
  430       input from column-name/value input.
  431 
  432     - The preferred method of specifying column-name/value input is to
  433       enclose such input in curly braces ("{....}").
  434 
  435     - A pair of semicolons (';;') is used to introduce raw IP[6]TABLES
  436       input. This is true in INLINE and IP[6]TABLES rules as well as
  437       rules with other targets.
  438 
  439     As part of this change, 'shorewall update' will replace ';' with
  440     ';;' in INLINE and IP[6]TABLES rules. It will also replace ';' by
  441     ';;', if ';' is followed by '-m', '-j' or '-g'.
  442 
  443 3)  With the wide availability of ipset-based blacklisting, the need
  444     for the 'refresh' command has been largely eliminated. As a result,
  445     that command has been removed.
  446 
  447     Some users may have been using 'refresh' as a lightweight form of
  448     reload. The most common of these uses seem to be for reloading
  449     traffic shaping after an interface has gone down and come back up.
  450     The best way to handle this situation under 5.2 is to make the
  451     interface 'optional' in your /etc/shorewall[6]/interfaces file,
  452     then either:
  453 
  454     - Install Shorewall-init and enable IFUPDOWN; or
  455     - Use the 'reenable' command when the interface comes back up
  456       in place of the 'refresh' command.
  457 
  458 4)  The following deprecated macros and actions have been removed:
  459 
  460 	Action A_AllowICMPs  - use AllowICMPs(A_ACCEPT)
  461 	Action A_Drop	     - see below
  462 	Action A_Reject	     - see below
  463 	Action Drop	     - see below
  464 	Action Reject	     - see below
  465 	Macro SNMPTrap	     - use SNMPtrap
  466 
  467      The [A_]Drop and [A_]Reject actions are used primarily as policy
  468      actions. As part of this change, 'shorewall update' will update
  469      DROP_DEFAULT=[A_]Drop and REJECT_DEFAULT=[A_]Reject as follows:
  470 
  471        IPv4
  472 
  473          DROP_DEFAULT=Drop becomes Broadcast(DROP),Multicast(DROP)
  474 	 DROP_DEFAULT=A_Drop becomes
  475 	     Broadcast(A_DROP),Multicast(A_DROP)
  476 	 REJECT_DEFAULT=Reject becomes Broadcast(DROP),Multicast(DROP)
  477 	 REJECT_DEFAULT=A_Reject becomes
  478 	     Broadcast(A_DROP),Multicast(A_DROP)
  479 
  480       IPv6
  481 
  482          DROP_DEFAULT=Drop becomes
  483              AllowICMPs,Broadcast(DROP),Multicast(DROP)
  484 	 DROP_DEFAULT=A_Drop becomes
  485              AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)
  486 	 REJECT_DEFAULT=Reject becomes
  487              AllowICMPs,Broadcast(DROP),Multicast(DROP)
  488 	 REJECT_DEFAULT=A_Reject becomes
  489              AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)
  490 
  491     The 'update' commmand will also make similar changes in the policy
  492     file.
  493 
  494     'shorewall update' does not handle invocations of 'Drop' and
  495     'Reject' within the rules file, or within actions and macros. Those
  496     instances will generate an error which must be corrected manually.
  497 
  498     It should also be noted that, in prior releases, Drop and Reject
  499     silently dropped more traffic than their replacements. As a
  500     consequence, you will see more traffic being logged with Shorewall
  501     5.2 than you did on earlier releases. The translations performed
  502     by 'update' can be extended after the update to drop additional
  503     traffic as desired.
  504 
  505 5)  When AUTOMAKE=Yes, each directory in the CONFIG_PATH was originally
  506     searched recursively for files newer than the compiled script. That
  507     was changed in Shorewall 5.1.10.2 such that only the listed
  508     directories themselves were searched. That broke some
  509     configurations that played tricks with embedded SHELL such as:
  510     
  511        SHELL cat /etc/shorewall/rules.d/loc/*.rules
  512        
  513     Prior to 5.1.10.2, a change to a file in or adding a file to
  514     /etc/shorewall/rules.d/loc/ would trigger recompilation. Beginning
  515     with 5.1.10.2, such changes would not trigger recompilation.
  516 
  517     Beginning with Shorewall 5.2.0, the pre-5.1.10.2 behavior can be
  518     obtained by setting AUTOMAKE=recursive.
  519 
  520     Also beginning with Shorewall 5.2.0, AUTOMAKE may be set to a
  521     numeric <depth> which specifies how deeply each listed directory is
  522     to be searched. AUTOMAKE=1 only searches each directory itself and
  523     is equivalent to AUTOMAKE=Yes. AUTOMAKE=2 will search each
  524     directory and its immediate sub-directories; AUTOMAKE=3 will search
  525     each diretory, each of its immediate sub-directories, and each of
  526     their immediate sub-directories, etc.
  527 
  528 6)  Support for the deprecated 'masq' file has been deleted. Any
  529     existing 'masq' file will automatically be converted to the
  530     equivalent 'snat' file.
  531 
  532 7)  Where two or more providers share a network interface, the
  533     'optional' interface/provider option has never worked correctly.
  534     Beginning with Shorewall 5.2.1, the 'optional' option is disallowed
  535     on such interfaces and providers.
  536 
  537 8)  With the availability of zone exclusion in the rules file, 'all[+]-'
  538     and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW'
  539     respectively. Beginning with Shorewall 5.2.3, the former are
  540     deprecated in favor of the latter and will result in a warning
  541     message, if used.
  542 
  543 9)  Beginning with Shorewall 5.2.3, the LOAD_HELPERS_ONLY option in
  544     shorewall[6].conf has been removed, and the behavior is as if
  545     LOAD_HELPERS_ONLY=Yes had been specified. 'shorewall[6] update'
  546     will remove the option from shorewall[6].conf.
  547 
  548 ----------------------------------------------------------------------------
  549          V.  N O T E S  F R O M  O T H E R  5 . 2  R E L E A S E S
  550 ----------------------------------------------------------------------------
  551                    N E W  F E A T U R E S  I N  5 . 2 . 7
  552 ----------------------------------------------------------------------------
  553 
  554 1)  Previously, it was not possible to classify traffic by destination
  555     IP address when using an Intermediate Functional Block (IFB) for
  556     traffic shaping. This is because such classification takes place
  557     before the traffic passes through the mangle PREROUTING chain.
  558 
  559     Such filtering is now possible by setting the 'connmark' option in
  560     the tcdevices file. This option causes the current connection mark
  561     to be copied to the packet mark prior to filtering, thus allowing
  562     the packet mark to be used for classification.
  563 
  564     This change adds a new CONNMARK_ACTION capability which is
  565     required to be able to specify the 'connmark' option.
  566 
  567     Rodrigo Araujo provided the bulk of the code for this enhancement.
  568 
  569 2)  The tcpri file now supports ?FORMAT 2 which inserts an SPORT
  570     column directly to the right of the PORT column. As part of this
  571     change, the PORT column is renamed to DPORT while allowing both
  572     'port' and 'dport' to be used in the alternate input format. See
  573     shorewall-tcpri(5) and
  574     http://shorewall.org/simple_traffic_shaping.html for additional
  575     information.
  576 
  577 3)  The Simple TC document is now linked to FAQs 97 and 97a.
  578 
  579 ----------------------------------------------------------------------------
  580                    N E W  F E A T U R E S  I N  5 . 2 . 6
  581 ----------------------------------------------------------------------------
  582 
  583 1)  The 'actions' file now supports a 'dport' option to go along with
  584     the 'proto' option. Using these two options can now restrict an
  585     action to a particular service. See shorewall-actions(5) for
  586     details.
  587 
  588     Example limiting net->all SSH connections to 3/min per source IP:
  589 
  590     /etc/shorewall/actions:
  591 
  592       SSHLIMIT     proto=tcp,\	# Blacklist overzealous SSHers
  593 	           dport=ssh
  594 
  595     /etc/shorewall/action.SSLHIMIT
  596 
  597       ACCEPT { RATE=s:3/min:3 }
  598       BLACKLIST:$LOG_LEVEL:net_SSHLIMIT
  599 
  600     /etc/shorewall/rules:
  601 
  602       SSHLIMIT  net	all
  603 
  604 2)  The change to 'show actions' implemented in 5.2.5.1 (see below)
  605     has been further extended.
  606 
  607     - "?IF...?ELSE...?ENDIF" sequences are now shown in the output
  608     - Continuation lines are now shown in the output so that all
  609       action options are now displayed
  610     - If an action appears in both /usr/share/shorewall[6]/actions.std
  611       and in /etc/shorewall[6]/actions, then the entry in the actions
  612       file is shown followed by the entry in the actions.std file.
  613 
  614 3)  To emphasize that it specifies destination ports, the PORT column
  615     in the snat file has been renamed DPORT. Beginning with this
  616     release, both 'port' and 'dport' are accepted in the alternative
  617     input format.
  618 
  619 4)  The snat file now supports ?FORMAT 2, which adds an SPORT (source
  620     port) column immediately to the right of the DPORT (destination
  621     port) column.
  622 
  623 ----------------------------------------------------------------------------
  624              P R O B L E M S  C O R R E C T E D  I N  5 . 2 . 6
  625 ----------------------------------------------------------------------------
  626 
  627 5.2.6.1
  628 
  629 1)  Previously, Perl diagnostics or outright failures could occur
  630     during update.
  631 
  632     Examples:
  633 
  634     Processing /etc/shorewall/params ...
  635     Use of uninitialized value $policy in pattern match (m//) at
  636     /usr/share/shorewall/Shorewall/Config.pm line 5531.
  637     Use of uninitialized value $policy in pattern match (m//) at
  638     /usr/share/shorewall/Shorewall/Config.pm line 5537.
  639     Use of uninitialized value $policy in pattern match (m//) at
  640     /usr/share/shorewall/Shorewall/Config.pm line 5543.
  641     Use of uninitialized value $policy in pattern match (m//) at
  642     /usr/share/shorewall/Shorewall/Config.pm line 5531.
  643     Use of uninitialized value $policy in pattern match (m//) at
  644     /usr/share/shorewall/Shorewall/Config.pm line 5537.
  645     Use of uninitialized value $policy in pattern match (m//) at
  646     /usr/share/shorewall/Shorewall/Config.pm line 5543.
  647     Configuration file /root/try/shorewall.conf updated - old file renamed
  648     /root/try/shorewall.conf.bak
  649     Loading Modules...
  650         ERROR: Internal error in Shorewall::Config::detect_capability
  651 
  652     This defect has been corrected.
  653 
  654 2)  Previously, if 'update' added a CONFIG_PATH setting to
  655     shorewall[6].conf, that setting could contain "::" which could
  656     then cause the next 'update' to fail. Now, the compiler correctly
  657     handles double colons in the CONFIG_PATH setting.
  658 
  659 3)  Local zones (type 'local' in /etc/shorewall[6]/zones) are only
  660     accessible from the firewall and from vserver zones. Previously,
  661     the compiler generated superluous rules for handling forwarded
  662     traffic from such zones; that has been corrected, and no
  663     forwarding rules are now generated.
  664 
  665 5.2.6
  666 
  667 1)  This release includes defect repair up through Shorewall version
  668     5.2.5.2.
  669 
  670 2)  When compiling for export, the compiler generates a firewall.conf
  671     file which is later installed on the remote firewall system as
  672     ${VARDIR}/firewall.conf. Previously, the CLI on that firewall was
  673     not processing the file, resulting in some features not being
  674     available:
  675 
  676     - Default values for VERBOSITY, LOGFILE, LOGFORMAT, PATH,
  677       SHOREWALL_SHELL, SUBSYSLOCK, RESTOREFILE, RESTART,
  678       DYNAMIC_BLACKLIST and PAGER are not supplied.
  679 
  680     - scfilter file supplied at compile time.
  681 
  682     - dumpfilter file supplied at compile time.
  683 
  684     That has been corrected.
  685 
  686 3)  A bug in iptables (see
  687     https://git.netfilter.org/iptables/commit/?id=d1555a0906e35ba8d170613d5a43da64e527dbe1)
  688     prevents the '--queue-cpu-fanout' option from being applied unless
  689     that option is the last one specified. Unfortunately, Shorewall
  690     places the '--queue-bypass' option last if that option is also
  691     specified.
  692 
  693     This release works around this issue by ensuring that the
  694     '--queue-cpu-fanout' option appears last.
  695 
  696 4)  The -D 'compile', 'check', 'reload' and 'Restart'  option was
  697     previously omitted from the output of 'shorewall help'. It is now
  698     included. As part of this change, an incorrect and conflicting
  699     description of the -D option was removed from the 'remote-restart'
  700     section of shorewall(8).
  701 
  702 5)  Previously, when EXPAND_POLICIES=No, chains that enforced ACCEPT
  703     policies were not completely optimized by optimize level 2 (ACCEPT
  704     rules preceding the final unconditional ACCEPT were not
  705     deleted). That has been corrected such that these rules are now
  706     optimized.
  707 
  708 ----------------------------------------------------------------------------
  709                    N E W  F E A T U R E S  I N  5 . 2 . 5
  710 ----------------------------------------------------------------------------
  711 
  712 1)  Prior to this release, when a 'timeout' value was specified in the
  713     DYNAMIC_BLACKLIST setting, the dynamic-blacklisting ipset was
  714     created with this default timeout. This had the unfortunate
  715     disadvantage that it was not possible to add permanent entries
  716     into the ipset. Even if 'timeout 0' was specified in a 'blacklist'
  717     command, the entry would still age out of the ipset after the
  718     default timeout had elapsed.
  719 
  720     Beginning with this release, the dynamic-blacklisting ipset is
  721     created with 'timeout 0'. When an address is added to the set,
  722     either by BLACKLIST policy enforcement, by the BLACKLIST action,
  723     or by the CLI 'blacklist' command (where no 'timeout' is
  724     specified), the default timeout is applied to the new entry.
  725 
  726     Once you have upgraded to this version of Shorewall, you can
  727     convert your existing dynamic-blacklisting ipset (with a non-zero
  728     default timeout) to have a default timeout of zero as follows:
  729 
  730     a) If RESTART=restart in shorewall[6].conf, then simply
  731        'shorewall[6] restart'.
  732 
  733     b) Otherwise, 'shorewall[6] stop && shorewall[6] start'.
  734 
  735 2)  Previously, when an ADD or DEL rule specified logging, the entire
  736     action (e.g. 'ADD(+NET_BL:src:7200)') was included in the log
  737     message. This could easily lead to a "Log prefix shortened..."
  738     warning during compilation.
  739 
  740     Beginning with this release, such log messages will contain only
  741     the basic action ('ADD' or 'DEL') and the set name (e.g.,
  742     'ADD(NET_BL)') to reduce the liklihood of producing the warning.
  743 
  744 3)  Traditionally, Shorewall has logged state change messages using
  745     the 'user' syslog facility. Beginning with this release, these
  746     messages will be logged using the 'daemon' facility to more
  747     accurately reflect that these messages relate to a service.
  748 
  749 4)  The DYNAMIC_BLACKLIST setting now allows a 'log' option to be
  750     specified for ipset-based blacklisting. When this option is given,
  751     successful 'blacklist' and 'allow' commands generate a 'daemon.info'
  752     log message.
  753 
  754 5)  When ipset-based dynamic blacklisting is enabled, the generated
  755     ruleset has traditionally refreshed the 'timeout' of an ipset
  756     entry when a packet from blacklisted host is received. This has
  757     the unfortunate side effect that it can change a permanent entry
  758     (timeout 0) to a temporary (one with non-zero timeout). Beginning
  759     with this release, this timeout refresh can be avoided by
  760     specifying the 'noupdate' option in the DYNAMIC_BLACKLIST
  761     setting.
  762 
  763 6)  To allow Shorewall's ipset-based blacklisting to play nicely with
  764     fail2ban, the 'blacklist!' CLI command has been added.
  765 
  766     The command
  767 
  768 	blacklist! <ip>
  769 
  770     is equivalent to
  771 
  772 	blacklist <ip> timeout 0
  773 
  774     thus allowing 'blacklist!' to be specified as the 'blocktype' in
  775     /etc/fail2ban/actions.d/shorewall.conf.
  776 
  777     See https://shorewall.org/blacklisting_support.htm#fail2ban for
  778     further information about using Shorewall dynamic blacklisting
  779     with fail2ban.
  780 
  781 7)  Previously, when a zone name was too long, the resulting error
  782     message was "Invalid zone name (<name>)". To make the cause of
  783     the failure clearer, the message is now "Zone name (<name>) too
  784     long".
  785 
  786 ----------------------------------------------------------------------------
  787              P R O B L E M S  C O R R E C T E D  I N  5 . 2 . 5
  788 ----------------------------------------------------------------------------
  789 
  790 5.2.5.1
  791 
  792 1)  The change in 5.2.5 base which changed the 'user' facility to the
  793     'daemon' facility in Shorewall syslog messages did not change the
  794     messages with severity 'err'. That has been corrected such that
  795     all syslog messages now use the 'daemon' facility.
  796 
  797 2)  The actions.std file contains "?IF...?ELSE...?ENDIF" sequences
  798     that provide different action options depending on the availabilty
  799     of certain capabilities. This has resulted in the Broadcast and
  800     Multicast options being listed twice in the output of
  801     "shorewall[6] show actions". Beginning with this release, this
  802     duplication is eliminated. Note, however, that the options shown
  803     will be incomplete if they were continued onto another line, and
  804     may be incorrect for Broadcast and Multicast.
  805 
  806 3)  A typo in shorewall-providers(5) has been corrected.
  807 
  808 5.2.5 Base
  809 
  810 1)  Previously, Shorewall-init installed a 'shorewall' script in
  811     /etc/network/if-down.d on Debian and derivatives. This script was
  812     unnecessary and required Debian-specific code in the generated
  813     firewall script. The Shorewall-init script is no longer installed
  814     and the generated firewall script is now free of
  815     distribution-specific code.
  816 
  817 2)  Also on Debian and derivatives, Shorewall-init installed
  818     /etc//NetworkManager/dispatcher.d/01-shorewall which was also
  819     unnecessary.  Beginning with this release, that file is no longer
  820     installed.
  821 
  822 3)  Previously, if the dynamic-blacklisting default timeout was set in
  823     a variable in the params file and the variable was used in setting
  824     DYNAMIC_BLACKLIST, then the 'allow' command would fail with
  825     the message:
  826 
  827     	ERROR: Invalid value (ipset-only,disconnect,timeout=) for
  828 	       DYNAMIC_BLACKLIST
  829 
  830     That has been corrected.
  831 
  832 4)  When EXPAND_POLICIES=No in shorewall[6].conf, policies in complex
  833     rulesets are enforced in chains such as 'net-all' and
  834     'all-all'. Previously, these chains included redundant
  835     state-oriented rules. In addition to being redundant. these rules
  836     could actually break complex IPv6 configurations. The extra rules are
  837     now omitted.
  838 
  839 ----------------------------------------------------------------------------
  840                    N E W  F E A T U R E S  I N  5 . 2 . 4
  841 ----------------------------------------------------------------------------
  842 
  843 1)  Previously, Shorewall's Docker support assumed that the default
  844     Docker Bridge (docker0) was being used. Beginning with this
  845     release, the DOCKER_BRIDGE option in Shorewall.conf allows an
  846     arbitrary name to be assigned to the bridge. In particular, when
  847     CNI is being used, DOCKER_BRIDGE=cni0 is the appropriate setting.
  848 
  849 2)  The CLI keywords 'debug' and 'trace' have been replaced by -D and
  850     -T options respectively (e.g., 'shorewall trace reload' is now
  851     'shorewall -T reload'). Like the keywords, only one of these
  852     options can be active at a time; if both are entered, only the
  853     last one is activated. A similar change has been made to the
  854     generated script.
  855 
  856     The -T option (formerly 'trace') now applies only to shell-level
  857     tracing in the CLI and generated script. Those commands that
  858     invoke the rules compiler now accept a -D command option which
  859     causes the compiler to generate debugging information (e.g.,
  860     'shorewall check -D').
  861 
  862     The 'nolock' keyword is now deprecated in favor of the -N
  863     option (e.g., 'shorewall nolock reload' becomes 'shorewall -N
  864     reload').
  865 
  866     See shorewall(8) for details.
  867 
  868 3)  Within the source code and documentation, 'shorewall.net' has been
  869     replaced by 'shorewall.org'.
  870 
  871 ----------------------------------------------------------------------------
  872              P R O B L E M S  C O R R E C T E D  I N  5 . 2 . 4
  873 ----------------------------------------------------------------------------
  874 
  875 5.2.4.4
  876 
  877 1)  When DYNAMIC_BLACKLIST=ipset... or when SAVE_IPSETS=Yes in
  878     shorewall[6].conf, 'shorewall[6] start' could hang when 5.2.4.3
  879     was installed. That has been corrected.
  880 
  881 2)  When 5.2.4.3 was installed, 'shorewall[6] start' would not
  882     automatically create dynamic blacklisting ipsets. That has been
  883     corrected.
  884 
  885 5.2.4.3
  886 
  887 1)  When interfaces was managed by Network Manager and IFUPDOWN=1 was
  888     specified in the Shorewall-init configuration file, when an optional
  889     interface was brought up, enabling the interface in
  890     Shorewall6[-lite] could fail.
  891 
  892     Correcting this issue involves corrected code in this release of
  893     Shorewall, but also may require a configuration change in
  894     /etc/shorewall6/interfaces. The change in Shorewall makes the
  895     generated script honor the 'wait=<seconds>' specification in
  896     /etc/shorewall6/interfaces when executing the 'enable' command.
  897     If there are optional interfaces that do not specify 'wait=...',
  898     then the interfaces file must be altered to include such
  899     specifications.
  900     
  901 2)  An unnecessary test during command initialization in the generated
  902     script has been eliminated.
  903 
  904 3)  Previously, 'shorewall[6] stop' or 'shorewall[6] clear' would
  905     create the dynamic blacklist ipset if it did not exist. Creation
  906     of the ipset is now defered until the next 'start'.
  907 
  908 4)  Previously, 'shorewall[6] start' would delete all corresponding
  909     ipsets before restoring. It now deletes only those sets that will
  910     be restored, thus allowing SAVE_IPSETS to be specified in the
  911     Shorewall-init configuration when ipset-based dynamic blacklisting
  912     is also enabled. Previously, if any additional ipsets were used,
  913     it was necessary to set SAVE_IPSETS=Yes in shorewall[6].conf as
  914     well.
  915 
  916 5)  Previously, 'Shorewall-init start' restored ipsets after stopping
  917     the firewalls, precluding use of ipsets in the stoppedrules file.
  918     Shorewall-init now restores the ipsets before stopping the
  919     firewalls.
  920 
  921 6)  Optimize level 16 has been speeded up by an order of magnitude.
  922     Tests using a large user-supplied configuration showed compilation
  923     time with OPTIMIZE=all was reduced from 22min 40 seconds to 21.5
  924     seconds.
  925 
  926 5.2.4.2
  927 
  928 1)  This release corrects two problems associated with Debian
  929     Shorewall-init when IFUPDOWN=1 in the Shorewall-init
  930     configuration file (/etc/default/shorewall-init):
  931 
  932     a) Down events were ignored when Network Manager was being used.
  933 
  934     b) Up events were processed twice when a dual-stack interface
  935        was brought up.
  936 
  937     Both problems have been corrected. To make the fixes effective,
  938     it is necessary to recompile the firewall script (shorewall[6]
  939     compile, start, restart or reload).
  940 
  941 5.2.4.1
  942 
  943 1)  The web site and documentation have been improved to correct some
  944     invalid links in the manpages (including the manpages released
  945     in Shorewall components) and to link directly to the current
  946     website at https://shorewall.org. (Tuomo Soini)
  947 
  948 2)  Cautions regarding SAVE_IPSETS have been added to the ipsets
  949     article.
  950 
  951 3)  OpenSuSE users running systemd have complained that the firewalls
  952     are stopped after a Shorewall product upgrade. The problem is that
  953     OpenSuSE restarts all running products that have been
  954     upgraded. Recall that 'systemctl restart' is equivalent to
  955     'systemctl stop && systemctl start'. But starting Shorewall-init
  956     results in the firewall products specified in the Shorewall-init
  957     config file to be stopped. To address this issue, Shorewall-init
  958     will now ignore 'start' and 'stop' commands, for running firewalls
  959     (Tuomo Soini).
  960 
  961 4)  On Redhat-based system and on OpenSuSE, extraneous Shorewall-init
  962     log messages regarding invalid commands were being issued. These
  963     harmless messages are now suppressed (Tuomo Soini).
  964 
  965 5.2.4 Final
  966 
  967 1)  Previously, when a Shorewall6 firewall was placed into the
  968     'stopped' state, ICMP6 packets required by RFC 4890 were not
  969     automatically accepted by the generated ruleset.
  970     
  971     Beginning with this release, those packets are automatically
  972     accepted.
  973 
  974 2)  Previously, the output of 'shorewall[6] help' displayed the
  975     superseded 'load' command. That text has been deleted.
  976 
  977 3)  The QOSExample.html file in the documentation and on the web site
  978     previously showed tcrules content for the /etc/shorewall/mangle
  979     file (recall that 'mangle' superseded 'tcrules'). That page has
  980     been corrected.
  981 
  982 4)  The 'Starting and Stopping' and 'Configuration file basics'
  983     documents have been updated to align them with the current product
  984     behavior.
  985 
  986 5)  The 'ipsets' document has been updated to clarify the use of
  987     ipsets in the stoppedrules file.
  988 
  989 ----------------------------------------------------------------------------
  990                    N E W  F E A T U R E S  I N  5 . 2 . 3
  991 ----------------------------------------------------------------------------
  992 
  993 1)  Zone exclusion (e.g., "all!z2,z2,...") is now supported in the
  994     policy file.
  995 
  996 2)  With the availability of zone exclusion in the rules file, 'all[+]-'
  997     and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW'
  998     respectively. Beginning with this release, the former are
  999     deprecated in favor of the latter and will result in a warning
 1000     message, if used.
 1001 
 1002 3)  Internal documentaton of the undocumented 'test' parameter to
 1003     compiler.pl has been added (it is used by the regression test
 1004     library to suppress versions and date/times from the generated
 1005     script).
 1006 
 1007 4)  The LOAD_HELPERS_ONLY option has been removed from
 1008     shorewall[6].conf. Hereafter, Shorewall[6] will behave as if
 1009     LOAD_HELPERS_ONLY=Yes had been specified.
 1010 
 1011 ----------------------------------------------------------------------------
 1012              P R O B L E M S  C O R R E C T E D  I N  5 . 2 . 3
 1013 ----------------------------------------------------------------------------
 1014 
 1015 5.2.3.7
 1016 
 1017 1)  When DOCKER=Yes, if both the DOCKER-ISOLATE and
 1018     DOCKER-ISOLATE-STAGE-1 existed then the DOCKER-ISOLATE-STAGE-*
 1019     chains were not preserved through shorewall state changes.
 1020     That has been corrected so that both chains are preserved if
 1021     present.
 1022 
 1023 2)  Previously, the compiler always detected the OLD_CONNTRACK_MATCH
 1024     capability as being available in IPv6. When OLD_CONNTRACK_MATCH
 1025     was available, the compiler also mishandled inversion ('!') in the
 1026     ORIGDEST columns, leading to an assertion failure:
 1027 
 1028       Shorewall::Config::fatal_error("Internal error in
 1029         Shorewall::Chains::set_rule_option at /usr/"...) called at
 1030         /usr/share/shorewall/Shorewall/Config.pm line 1619
 1031 
 1032     Both the incorrect capability detection and the mishandled
 1033     inversion have been corrected.
 1034 
 1035 3)  During 'enable' processing, if address variables associated with
 1036     the interface have values different than those when the firewall
 1037     was last started/restarted/reloaded, then a 'reload' is performed
 1038     rather than a simple 'enable'. The logic that checks for those
 1039     changes was incorrect in some configurations, leading to unneeded
 1040     reload operations. That has been corrected.
 1041 
 1042 4)  When MANGLE_ENABLED=No in shorewall[6].conf, some features
 1043     requiring use of the mangle table can be allowed, even though the
 1044     mangle table is not updated. That has been corrected such that use
 1045     of such features will raise an error.
 1046 
 1047 5)  When an invocation of the IfEvent(...,reset) action was invoked,
 1048     the compiler previously emitted a spurious "Resetting..." message.
 1049     That message has been suppressed.
 1050 
 1051 5.2.3.6
 1052 
 1053 1)  When both Docker containers and Libvirt VMs were in use, 'shorewall
 1054     start' could fail as follows:
 1055 
 1056       Running /sbin/iptables-restore --wait 60...
 1057       iptables-restore v1.8.3 (legacy): Couldn't load target
 1058       `LIBVIRT_PRT':No such file or directory
 1059       Error occurred at line: 19
 1060       Try `iptables-restore -h' or 'iptables-restore --help' for more information.
 1061          ERROR: /sbin/iptables-restore --wait 60 Failed.
 1062 
 1063     That has been corrected.
 1064 
 1065 5.2.3.5
 1066 
 1067 1)  A typo in the FTP documentation has been corrected.
 1068 
 1069 2)  The recommended mss setting when using IPSec with ipcomp has been
 1070     corrected.
 1071 
 1072 3)  A number of incorrect links in the manpages have been corrected.
 1073 
 1074 4)  The 'bypass' option is now allowed when specifying an NFQUEUE
 1075     policy. Previously, specifying that option resulted in an error.
 1076 
 1077 5)  Corrected IPv6 Address Range parsing.
 1078     
 1079     Previously, such ranges were required to be of the form [<addr1>-<addr2>]
 1080     rather than the more standard form [<addr1>]-[<addr2>]. In the snat file
 1081     (and in nat actions), the latter form was actually flagged as an error
 1082     while in other contexts, it resulted in a less obvious error being
 1083     raised.
 1084 
 1085 6)  The manpages have been updated to refer to https://shorewall.org
 1086     rather than http://www.shorewall.org.
 1087 
 1088 5.2.3.4
 1089 
 1090 1)  If multi-queue NFQUEUE (e.g., NFQUEUE(0:1) ) WAS used as a policy,
 1091     an error such as the following was previously incorrectly raised.
 1092 
 1093       ERROR: Invalid policy (NFQUEUE(0) /etc/shorewall/policy (line
 1094              15)
 1095     
 1096     That has been corrected such that no error is raised.
 1097 
 1098 2)  If multi-queue NFQUEUE( e.g., NFQUEUE(0:1,bypass) ) was passed to a
 1099     macro, an error such as the following was previously incorrectly
 1100     raised:
 1101 
 1102       ERROR: Invalid ACTION (PARAM:1c,bypass)))
 1103              /usr/share/shorewall/macro.BitTorrent (line 12)
 1104 	     from /etc/shorewall/rules (line 40)
 1105 
 1106     Now, the NFQUEUE action is correctly substituted for PARAM in
 1107     the Macro body.
 1108 
 1109 3)  If shorewall[6].conf didn't set AUTOMAKE, the 'update' command
 1110     previously produced a new file with 'AUTOMAKE=Yes'. This resulted
 1111     in an unexpected change of behavior. Now, the new file contains
 1112     'AUTOMAKE=No', which preserves the pre-update behavior.
 1113 
 1114 4)  Shorewall-rules(5) incorrectly stated that the 'bypass' option to
 1115     NFQUEUE causes the rule to be silently bypassed if there is no
 1116     application attached to the queue. The actual behavior is that the
 1117     rule acts like ACCEPT in that case. Shorewall-rules(5) has been
 1118     corrected.
 1119 
 1120 5.2.3.3
 1121 
 1122 1)  Previously, if an ipset was specified in an SPORT column, the
 1123     compiler would raise an error similar to:
 1124 
 1125       ERROR: Invalid ipset name () /etc/shorewall/rules (line 44)
 1126 
 1127     That has been corrected.
 1128 
 1129 5.2.3.2
 1130 
 1131 1)  Shorewall 5.2 automatically converts and existing 'masq' file to an
 1132     equivalent 'snat' file. Regrettably, Shorewall 5.2.3 broke that
 1133     automatic update, such that the following error message was issued:
 1134 
 1135        Use of uninitialized value $Shorewall::Nat::raw::currentline in
 1136        pattern match (m//) at /usr/share/shorewall/Shorewall/Nat.pm
 1137        line 511, <$currentfile> line nnn.
 1138 
 1139     and the generted 'masq' file contains only initial comments.
 1140 
 1141     That has been corrected.
 1142 
 1143 5.2.3.1
 1144 
 1145 1)  An issue in the implementation of policy file zone exclusion,
 1146     released in 5.2.3 has been resolved. In the original release,
 1147     if more than one zone was excluded, then the following error was
 1148     raised:
 1149 
 1150 	ERROR:  'all' is not allowed in a source zone list
 1151 	        etc/shorewall/policy (line ...)
 1152 
 1153 5.2.3
 1154 
 1155 1)  To prevent a helper kernel module from being loaded, it was
 1156     previously necessary to list both its current name and its
 1157     pre-kernel-2.6.20 name in the DONT_LOAD option in
 1158     /etc/shorewall[6].conf. For example, to prevent nf_conntrack_sip
 1159     from being loaded, it was necessary to also list ip_conntrack_sip
 1160     in DONT_LOAD. That is no longer necessary.
 1161 
 1162 ----------------------------------------------------------------------------
 1163                    N E W  F E A T U R E S  I N  5 . 2 . 2
 1164 ----------------------------------------------------------------------------
 1165 1)  New macros have been contributed by Vincas Dargis:
 1166 
 1167         Bitcoin
 1168 	Tor
 1169 	ONCRPC
 1170 
 1171     Additionally, Tuomo Soini has contributed a WUDO (Windows Update
 1172     Delivery Optimization) macro.
 1173 
 1174 2)  The Perl modules have undergone some cleanup/optimization.
 1175 
 1176 3)  Given that recent kernels have dropped ULOG support, use of ULOG in
 1177     Shorewall is now deprecated and results in a warning message. The
 1178     warning can be eliminated by switching to NFLOG and ulogd2.
 1179 
 1180 4)  Shorewall can now detect interface default gateways configured by
 1181     Network Manager.
 1182 
 1183 5)  Inline matches are now supported in the 'conntrack' file.
 1184 
 1185 6)  In the 'accounting' file, Inline matches in an INLINE(...) rule now
 1186     allow a leading '+' to cause the matches to be evaluated before
 1187     those generated by the column specifications.
 1188 
 1189 7)  If view of the fact that some modems take an eternity to recover
 1190     from a power failure, the limit of the 'wait' interface option
 1191     setting has been increased from 120 seconds (2 minutes) to 300
 1192     seconds (5 minutes).
 1193 
 1194 ----------------------------------------------------------------------------
 1195              P R O B L E M S  C O R R E C T E D  I N  5 . 2 . 2
 1196 ----------------------------------------------------------------------------
 1197 
 1198 5.2.2.1
 1199 
 1200 1)  A typo has been corrected in shorewall-providers(5). The manpage
 1201     previously referred to RESTORE_DEFAULT_OPTION; that should have
 1202     been RESTORE_DEFAULT_GATEWAY.
 1203 
 1204 1)  This release includes defect repair through Shorewall 5.2.1.4.
 1205 
 1206 2)  When processing inline matches, the compiler previously inserted
 1207     the matches before the column-generated matches if there was a plus
 1208     sign ("+") anywhere in the matches. Now, it only does so if the
 1209     first non-blank character in the matches is a plus sign.
 1210 
 1211 ----------------------------------------------------------------------------
 1212                    N E W  F E A T U R E S  I N  5 . 2 . 1
 1213 ----------------------------------------------------------------------------
 1214 
 1215 1)  New macros have been contributed by Vincas Dargis:
 1216 
 1217         Bitcoin
 1218 	Tor
 1219 	ONCRPC
 1220 
 1221     Additionally, Tuomo Soini has contributed a WUDO (Windows Update
 1222     Delivery Optimization) macro.
 1223 
 1224 2)  The Perl modules have undergone some cleanup/optimization.
 1225 
 1226 3)  Given that recent kernels have dropped ULOG support, use of ULOG in
 1227     Shorewall is now deprecated and results in a warning message. The
 1228     warning can be eliminated by switching to NFLOG and ulogd2.
 1229 
 1230 4)  Shorewall can now detect interface default gateways configured by
 1231     Network Manager.
 1232 
 1233 5)  Inline matches are now supported in the 'conntrack' file.
 1234 
 1235 6)  In the 'accounting' file, Inline matches in an INLINE(...) rule now
 1236     allow a leading '+' to cause the matches to be evaluated before
 1237     those generated by the column specifications.
 1238 
 1239 7)  If view of the fact that some modems take an eternity to recover
 1240     from a power failure, the limit of the 'wait' interface option
 1241     setting has been increased from 120 seconds (2 minutes) to 300
 1242     seconds (5 minutes).
 1243 
 1244 ----------------------------------------------------------------------------
 1245              P R O B L E M S  C O R R E C T E D  I N  5 . 2 . 1
 1246 ----------------------------------------------------------------------------
 1247 
 1248 5.2.1.4
 1249 
 1250 1)  A change in 5.2.0.5 that corrected an ip[6]tables error in the
 1251     UNTRACKED section of the rules file, changed the name of the chain
 1252     used to hold UNTRACKED rules. Previously, the chain was named
 1253     &z1-z2, where 'z1' is the source zone and 'z2' is the
 1254     destination; after the change, the chain was named =z1-z2.
 1255     Unfortunately, some log messages generated out of these chains
 1256     still referred to &z1-z2; that has been corrected.
 1257 
 1258 2)  Some dead/silly code has been removed from two functions in
 1259     the Chains.pm Perl module. The two functions have been combined
 1260     into a single function.
 1261 
 1262 3)  When the RATE column contains both a source and a destination rate,
 1263     it was previously impossible to specifiy a netmask (VLSM) on either
 1264     rate. Attempting to specify a mask would result in:
 1265 
 1266         ERROR: Invalid rate (...)
 1267 
 1268     That has been corrected. Note that when specifying a
 1269     netmask, the leading 's' or 'd' may not be omitted.
 1270 
 1271 4)  Several typos in the man pages have been corrected (Roberto
 1272     Sánchez).
 1273 
 1274 5.2.1.3
 1275 
 1276 1)  When a configuration had optional interfaces but no providers, the
 1277     'status -i' command previously would fail to show interface status
 1278     for interfaces that had not been disabled or enabled since the
 1279     last start, restart or reload. That has been corrected.
 1280 
 1281 5.2.1.2
 1282 
 1283 1)  The fix for DOCKER=Yes in 5.2.1.1 inadvertantly results in an
 1284     assertion failure when processing a 'check -r' command when
 1285     DOCKER=Yes. That has been corrected. As part of that change,
 1286     empty 'cat' commands in the generated script were eliminated.
 1287 
 1288 2)  When the HELPER target is used with an empty HELPER column, the
 1289     error message produced previously incorrectly read:
 1290 
 1291 	  ERROR: HELPER require requires that ...
 1292 
 1293     That has been corrected so that the message now reads:
 1294 
 1295 	  ERROR: HELPER requires that ...
 1296 
 1297 3)  On Centos 7, the following journal message appeared when Shorewall
 1298     attempted to load kernel modules:
 1299 
 1300       nf_log: can't load ipt_ULOG, conflicting nfnetlink_log already
 1301               loaded
 1302 
 1303     To eliminate that message, Shorewall no longer attempts to load
 1304     ipt_ULOG. Note that most current distributions no longer support
 1305     ULOG. Current users of ULOG should convert to using NFLOG at the
 1306     earliest opportunity.
 1307 
 1308 5.2.1.1
 1309 
 1310 1)  The Perl module versions were not updated for the 5.2.1
 1311     release. That has been corrected.
 1312 
 1313 2)  The lib.common file previously confused Emacs such that editing the
 1314     file in shell mode was awkward. Because lib.common is included in
 1315     compiled scripts, this defect also made editing a compiled script
 1316     awkward. The issue has been resolved, so that the file now renders
 1317     properly in Emacs's shell mode.
 1318 
 1319 3)  Previously, if ip6tables-restore failed during Shorewall6 start,
 1320     restart or reload, the resulting error message indicated that
 1321     iptables-load had failed. That has been corrected.
 1322 
 1323 4)  Setting Docker=Yes did not work correctly with Docker version
 1324     18.03.1-ce. In that version, the DOCKER-ISOLATION chain was
 1325     replaced by a pair of chains: DOCKER-ISOLATION-STAGE-1 and
 1326     DOCKER-ISOLATION-STAGE-2. That has been corrected. As part of this
 1327     change, Shorewall now correctly handles the DOCKER-USER chain as
 1328     well as the two new isolation chains.
 1329 
 1330 5)  Previously, if there were multiple 'balance' providers and more
 1331     than one of them were experiencing carrier loss, then the 'enable' and
 1332     'disable' operations could fail. That has been corrected.
 1333 
 1334 5.2.1
 1335 
 1336 1)  This release contains defect repair up through Shorewall 5.2.0.5.
 1337 
 1338 2)  Previously, if:
 1339 
 1340     a) IP[6]TABLES was not set in shorewall[6].conf; and
 1341     b) The ip[6]tables binary was not found on the PATH.
 1342 
 1343     then a shell 'not found' error on 'fatal-error' was generated. That
 1344     has been corrected (Matt Darfeuille)
 1345 
 1346 3)  A number of files in the Shorewall-common package have had their
 1347     heading version updated to version 5.2 (Matt Darfeuille).
 1348 
 1349 4)  Previously, if statistical load balancing ('load=<load-factor>' in
 1350     provider OPTIONS) was configured on providers that shared an
 1351     interface, then the compiler would die with an assertion
 1352     failure. That has been corrected so that this combination now works
 1353     as expected.
 1354 
 1355 5)  Where two or more providers share a network interface, the
 1356     'optional' interface/provider option has never worked correctly.
 1357     Beginning with this release, the 'optional' option is disallowed
 1358     on such interfaces and providers.
 1359 
 1360 6)  Previously, when rate limiting was applied to a DNAT or
 1361     REDIRECT rule, rate limiting was applied to the accompanying
 1362     ACCEPT rule. Since logging is applied in the DNAT/REDIRECT rule, if
 1363     the connection failed the rate limit then the connection attempt
 1364     could be logged twice - once in the nat table and once when the
 1365     applicable policy was applied. Beginning with this release, rate
 1366     limiting is applied to the DNAT/REDIRECT rule so that no nat-table
 1367     logging occurs if the connection attempt exceeds the rate limit.
 1368 
 1369 7)  Some regular expressions used in Shorewall's Perl code will be
 1370     disallowed by Perl version 5.23. These have been changed to be
 1371     acceptable to that version of Perl.
 1372 
 1373 8)  Previously, if SNAT(detect) was used on an optional interface and
 1374     the resulting ip[6]tables rule was unreachable, then invalid shell
 1375     code similar to the following was generated:
 1376 
 1377     	 if [ "$SW_PPP1_ADDRESS" != 0.0.0.0 ]; then
 1378 	 fi
 1379 
 1380     That has been corrected such that the above code is not generated
 1381     and a warning message is issued, indicating that the entry generated
 1382     no ip[6]tables rule.
 1383 
 1384 ----------------------------------------------------------------------------
 1385                    N E W  F E A T U R E S  I N  5 . 2 . 1
 1386 ----------------------------------------------------------------------------
 1387 
 1388 5.2.1.2
 1389 
 1390 1)  A new variable SW_CONFDIR has been added. $SW_CONFDIR evaluates to
 1391     $CONFDIR/shorewall[6] if no directory name is passed to a compile,
 1392     check, start, restart or reload command. If a directory name is
 1393     passed to one of these commands, then $SW_CONFDIR expands to that
 1394     directory name.
 1395 
 1396 5.2.1
 1397 
 1398 1)  New macros for IPFS (https://ipfs.io/) have been contributed by
 1399     Răzvan Sandu.
 1400 
 1401 2)  Several new man pages have been added:
 1402 
 1403     - shorewall-addresses(5) describes specification of addresses in
 1404       shorewall configuration files.
 1405 
 1406     - shorewall-files(5) describes the shorewall configuration files
 1407       together with features common to multiple files.
 1408 
 1409     - shorewall-logging(5) describes shorewall's logging facilities.
 1410 
 1411     - shorewall-names(5) describes restrictions on names used in
 1412       Shorewall configuration files.
 1413 
 1414     Additional man pages will be included in future 5.2.1 pre-releases.
 1415 
 1416 3)  In the SOURCE and DEST columns, it is now possible to exclude an
 1417     interface by preceding the interface name with '!'. This is useful
 1418     for excluding the loopback interface (lo).
 1419 
 1420     Example from the mangle file:
 1421 
 1422         #ACTION	     	SOURCE          DEST
 1423 	DROP:T		127.0.0.0/8	!lo
 1424 
 1425 4)  The MARK, CONNMARK, SAVE and RESTORE commands may now be placed in
 1426     the nat table through used of new chain designators in the mangle
 1427     file:
 1428 
 1429         NP - nat table PREROUTING chain
 1430 	NI - nat table INPUT chain
 1431 	NO - nat table OUTPUT chain
 1432 	NT - nat table POSTROUTING chain
 1433 
 1434 5)  When TC_EXPERT=Yes, it is now possible to specify any mark/mask
 1435     values that are displayed by the 'show marks' command, including
 1436     the Exclusion and TPROXY values.
 1437 
 1438 6)  The configure and install scripts now support ALT Linux (Alexey
 1439     Shabalin).
 1440 
 1441 7)  The verbosity of the 'remote-*' CLI commands has been increased
 1442     (Matt Darfeuille).
 1443 
 1444 8)  You may now specify a VLSM in the RATE columns of the policy and
 1445     rules files, when per-IP limiting is used. This results in one hash
 1446     table entry per subnet rather than one entry per hosts, and applies
 1447     the limit to the subnet. See shorewall-policy(5) and
 1448     shorewall-rules(5) for details. This provides a means for reducing
 1449     the size of the hash tables.
 1450 
 1451 9)  You man now specify the number of hash table buckets and the
 1452     maximum number of hash table entries in the RATE columns of the
 1453     policy and rules files, when per-IP limiting is used. This allows
 1454     you to increase the size of the tables to more fully handle DDOS
 1455     attacks. See shorewall-policy(5) and shorewall-rules(5) for
 1456     details.
 1457 
 1458 10) Eric Teeter has contributed a macro for Cockpit.
 1459 
 1460 ----------------------------------------------------------------------------
 1461              P R O B L E M S  C O R R E C T E D  I N  5 . 2 . 0
 1462 ----------------------------------------------------------------------------
 1463 
 1464 5.2.0.1
 1465 
 1466 1)  This release includes defect repair through Shorewall 5.1.12.4.
 1467 
 1468 2)  The getrc and getcaps commands added in 5.2.0 did not read the
 1469     params file. That has been corrected.
 1470 
 1471 3)  A shell syntax error in the code that implements the 'ipdecimal'
 1472     command has been corrected.
 1473 
 1474 5.2.0
 1475 
 1476 1)  This release includes defect repair through Shorewall 5.1.12.3.
 1477 
 1478 2)  Previously, optimize category 8 (combine identical chains) was
 1479     applied before optimize category 16 (eliminate duplicate rules,
 1480     ...).  This could (and has) resulted in uncombined identical chains
 1481     in the final ruleset. Beginning with this release:
 1482 
 1483     a) Optimize category 16 will be applied before optimize category 8.
 1484     b) If optimize category 8 combined any chains, then optimize
 1485        category 16 will be applied again.
 1486 
 1487     This change ensures that the final ruleset has no duplicate chains
 1488     and that all combatible adjacent port and state rules are combined.
 1489 
 1490 3)  Previously, use of &lo would result in an error:
 1491 
 1492        ERROR: Can't determine the IP address of lo: Firewall state not changed
 1493 
 1494     That problem has been corrected such that &lo always expands to
 1495     127.0.0.1 (IPv4) or ::1 (IPv6).
 1496 
 1497 ----------------------------------------------------------------------------
 1498                    N E W  F E A T U R E S  I N  5 . 2 . 0
 1499 ----------------------------------------------------------------------------
 1500 
 1501 1)  The MAPOLDACTIONS option in shorewall.conf has been removed. This
 1502     option provided compatibility with releases prior to Shorewall 3.0.
 1503     'shorewall update' will remove the setting of this option from
 1504     shorewall.conf.
 1505 
 1506 2)  The INLINE_MATCH option has been removed. Shorewall now behaves as
 1507     if INLINE_MATCH=No had been specified:
 1508 
 1509     - A single semicolon (';') is used to separate column-oriented
 1510       input from column-name/value input.
 1511 
 1512     - The preferred method of specifying column-name/value input is to
 1513       enclose such input in curly braces ("{....}").
 1514 
 1515     - A pair of semicolons (';;') is used to introduce raw IP[6]TABLES
 1516       input. This is true in INLINE and IP[6]TABLES rules as well as
 1517       rules with other targets.
 1518 
 1519     As part of this change, 'shorewall update' will replace ';' with
 1520     ';;' in INLINE and IP[6]TABLES rules.
 1521 
 1522 3)  With the wide availability of ipset-based blacklisting, the need
 1523     for the 'refresh' command has been largely eliminated. As a result,
 1524     that command has been removed.
 1525 
 1526     Some users may have been using 'refresh' as a lightweight form of
 1527     reload. The most common of these uses seem to be for reloading
 1528     traffic shaping after an interface has gone down and come back up.
 1529     The best way to handle this situation under 5.2 is to make the
 1530     interface 'optional' in your /etc/shorewall[6]/interfaces file,
 1531     then either:
 1532 
 1533     - Install Shorewall-init and enable IFUPDOWN; or
 1534     - Use the 'reenable' command when the interface comes back up
 1535       in place of the 'refresh' command.
 1536 
 1537 4)  The following deprecated macros and actions have been removed:
 1538 
 1539 	Action A_AllowICMPs  - use AllowICMPs(A_ACCEPT)
 1540 	Action A_Drop	     - see below
 1541 	Action A_Reject	     - see below
 1542 	Action Drop	     - see below
 1543 	Action Reject	     - see below
 1544 	Macro SNMPTrap	     - use SNMPtrap
 1545 
 1546      The [A_]Drop and [A_]Reject actions are used primarily as policy
 1547      actions. As part of this change, 'shorewall update' will update
 1548      DROP_DEFAULT=[A_]Drop and REJECT_DEFAULT=[A_]Reject as follows:
 1549 
 1550        IPv4
 1551 
 1552          DROP_DEFAULT=Drop becomes Broadcast(DROP),Multicast(DROP)
 1553 	 DROP_DEFAULT=A_Drop becomes
 1554 	     Broadcast(A_DROP),Multicast(A_DROP)
 1555 	 REJECT_DEFAULT=Reject becomes Broadcast(DROP),Multicast(DROP)
 1556 	 REJECT_DEFAULT=A_Reject becomes
 1557 	     Broadcast(A_DROP),Multicast(A_DROP)
 1558 
 1559       IPv6
 1560 
 1561          DROP_DEFAULT=Drop becomes
 1562              AllowICMPs,Broadcast(DROP),Multicast(DROP)
 1563 	 DROP_DEFAULT=A_Drop becomes
 1564              AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)
 1565 	 REJECT_DEFAULT=Reject becomes
 1566              AllowICMPs,Broadcast(DROP),Multicast(DROP)
 1567 	 REJECT_DEFAULT=A_Reject becomes
 1568              AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)
 1569 
 1570    See the Migration Issues for additional information.
 1571 
 1572 5) A 'show saves' command has been added to list the snapshots
 1573    created using the 'save' command.
 1574 
 1575    Example:
 1576 
 1577       root@gateway:~# shorewall show saves
 1578       Shorewall 5.2.0 Saves at gateway - Thu Feb 15 11:58:37 PST 2018
 1579       Saved snapshots are:
 1580 
 1581       Feb 15 10:08 foo
 1582       Feb 14 12:34 restore (default)
 1583 
 1584     root@gateway:~#
 1585 
 1586     The snapshots are listed by creation time from latest to
 1587     earliest. If the name of one matches the RESTOREFILE setting, that
 1588     snapshot is marked as the default for the 'restore' command.
 1589 
 1590 6)  For installing into a Sandbox, the file shorewallrc.sandbox has
 1591     been added to Shorewall-core. See
 1592     http://www.shorewall.org/install.htm#idm327.
 1593 
 1594 7)  The "Use Pkttype Match (USEPKTTYPE)" capability is no longer used
 1595     and has been deleted. This removal has introduced a new
 1596     capabilities version.
 1597 
 1598 8)  When a log message is issued from a chain that relates to a pair of
 1599     zones (e.g, 'fw-net'), the chain name normally appears in the log
 1600     message (unless LOGTAGONLY=Yes and a log tag is specified). This
 1601     can prevent OPTIMIZE category 8 from combining chains which are
 1602     identical except for chain names in logging rules. The new
 1603     LOG_ZONE option in shorewall[6].conf allows for only the source or
 1604     destination zone to appear in the messages by setting LOG_ZONE to
 1605     'src' or 'dst' respectively. If LOG_ZONE=both (the default), then
 1606     the full chain name is included in log messages
 1607 
 1608     Setting LOG_ZONE=src has been shown to decrease the size of the
 1609     generated ruleset by more than 10 prcent in some cases. Your
 1610     results may vary.
 1611 
 1612 9)  Traditionally, when OPTIMIZE category 8 is enabled, identical
 1613     chains are combined under a name beginning with '~comb' or
 1614     '~blacklist'. Beginning with this release, setting
 1615     RENAME_COMBINED=Yes (the default) in shorewall[6].conf retains that
 1616     behavior. If RENAME_COMBINED=No, identical chains are combined
 1617     under the original name of one of the chains.
 1618 
 1619 10) When AUTOMAKE=Yes, each directory in the CONFIG_PATH was originally
 1620     searched recursively for files newer than the compiled script. That
 1621     was changed in Shorewall 5.1.10.2 such that only the listed
 1622     directories themselves were searched. That broke some
 1623     configurations that played tricks with embedded SHELL such as:
 1624     
 1625        SHELL cat /etc/shorewall/rules.d/loc/*.rules
 1626        
 1627     Prior to 5.1.10.2, a change to a file in or adding a file to
 1628     /etc/shorewall/rules.d/loc/ would trigger recompilation. Beginning
 1629     with 5.1.10.2, such changes would not trigger
 1630     recompilation.
 1631 
 1632     Beginning with this release, the pre-5.1.10.2 behavior can be
 1633     obtained by setting AUTOMAKE=recursive.
 1634 
 1635     Also beginning with this release, AUTOMAKE may be set to a numeric
 1636     <depth> which specifies how deeply each listed directory is to be
 1637     searched. AUTOMAKE=1 only searches each directory itself and is
 1638     equivalent to AUTOMAKE=Yes. AUTOMAKE=2 will search each directory
 1639     and its immediate sub-directories; AUTOMAKE=3 will search each
 1640     diretory, each of its immediate sub-directories, and each of their
 1641     immediate sub-directories, etc.
 1642 
 1643 11) Previously, the maximum depth of INCLUDEs was four (although the
 1644     documentation gave the limit as three). Beginning with this
 1645     release, that limit has been raised to 20.
 1646 
 1647 12) Support for the deprecated 'masq' file has been deleted. Any
 1648     existing 'masq' file will automatically be converted to the
 1649     equivalent 'snat' file.
 1650 
 1651 13) Three new shorewall commands have been implemented:
 1652 
 1653     a)  show rc
 1654 
 1655     	Displays the contents of the shorewallrc file
 1656     	($SHAREDIR/shorewall/shorewallrc).
 1657 
 1658     b)  getcaps
 1659 
 1660     	Generates a capabilities file on a remote system and copies it
 1661     	to a directory on the local system.
 1662 
 1663     c)  getrc
 1664 
 1665         Copies the shorewallrc file from a remote system to a directory
 1666         on the local system.
 1667 
 1668     See shorewall(8) for details.
 1669 
 1670     Implemented by Matt Darfeuille