----------------------------------------------------------------------------
	               S H O R E W A L L  5 . 2 . 8
                      -------------------------------
                     S E P T E M B E R  2 4 ,  2 0 2 0
----------------------------------------------------------------------------

I.    PROBLEMS CORRECTED IN THIS RELEASE
II.   KNOWN PROBLEMS REMAINING
III.  NEW FEATURES IN THIS RELEASE
IV.   MIGRATION ISSUES
V.    PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES

----------------------------------------------------------------------------
  I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

1)  Certain restrictions that apply to wildcard interfaces (interface
    name ends in '+') were previously not enforced when the logical
    interface name did not end in '+' but the physical interface name
    did end in '+'.  That has been corrected.

2)  To ensure that error messages appear in the correct place in the
    output stream, stderr is now redirected to stdout when the
    configured PAGER is used by a command.

3)  Since Shorewall 5.1.0, the Shorewall uninstall.sh script has
    incorrectly removed ${SBINDIR}/shorewall, while the Shorewall-core
    uninstall.sh script has failed to remove that file. Both scripts
    have been corrected.

4)  Previously, the Shorewall CLI included a spurious hyphen ('-')
    between the product name (e.g., 'Shorewall6') and the version when
    printing a command output banner.

    Example:

      Shorewall6 Lite 5.2.8-RC1 Logwatch at foo8 - Thu 17 Sep 2020 ...

    That has been corrected.

5)  The shorewall-snat(5) manpage previously stated that a
    comma-separated list of IP addresses could be specified for
    SNAT. That statement was in error and has been removed. As part of
    this change, IPv4 Example 6 has been updated to use the
    PROBABILITY column.

----------------------------------------------------------------------------
           I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1)  On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.

2)  The 'enable', 'reenable' and 'disable' commands do not work
    correctly in configurations with USE_DEFAULT_RT=No and optional
    providers listed in the DUPLICATE column.

3)  While the 'ip' utility now accepts IPv6 routes with multiple
    'nexthop' destinations, these routes are not balanced. Rather,
    they are instantiated as a sequence of single routes with different
    metrics.  Furthermore, the 'ip route replace' command fails on
    such routes. Beginning with Shorewall6 5.0.15, the generated script
    uses a "delete..add.." sequence on these routes rather than a
    single "replace" command.

4)  On Debian-derived systems, when DOCKER=Yes, the 'systemctl restart
    shorewall' command loses Docker rules.

    Workaround (courtesy of J Cliff Armstrong):

    Type (as root):

        `systemctl edit shorewall.service`.

    This will open the default terminal editor to a blank file in
    which you can paste the following:

    [Service]
    # reset ExecStop
    ExecStop=
    # set ExecStop to "stop" instead of "clear"
    ExecStop=/sbin/shorewall $OPTIONS stop

    Then type `systemctl daemon-reload` to activate the changes. This
    change will survive future updates of the shorewall package from apt
    repositories. The override file itself will be saved to
    `/etc/systemd/system/shorewall.service.d/`.

5)  RFC 2526 describes IPv6 subnet anycast addresses. The RFC makes a
    distinction between subnets with "IPv6 address types required to
    have 64-bit interface identifiers in EUI-64 format" and all other
    subnets. When generating these anycast addresses, the Shorewall
    compiler does not make this distinction and unconditionally
    assumes that the last 128 addresses in the subnet are reserved as
    anycast addresses.

----------------------------------------------------------------------------
      I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

1)  The 'show tc' command now shows the classifiers associated with
    each interface (as displayed by the 'show classifiers'
    command). This integrated qdisc/filter information is also included 
    in the output of the 'dump' command. This change deprecates the
    'show classifiers' ('show filters') command, as that command's
    output is now included in the 'show tc' output.

2)  Shorewall6 has traditionally generated rules for IPv6 anycast
    addresses. These rules include:

    a)  Packets with these destination IP addresses are dropped by
    	REJECT rules.

    b)  Packets with these source IP addresses are dropped by the
    	'nosmurfs' interface option and by the 'dropSmurfs' action.

    c)  Packets with these destination IP addresses are not logged
        during policy enforcement.

    d)  Packets with these destination IP addresses are processed by
        the 'Broadcast' action.

    Beginning with this release, individual network interfaces can be
    excluded from this treatment through use of the 'omitanycast'
    option in /etc/shorewall6/interfaces.

    Note: This option was named 'noanycast' in earlier Beta releases.

3)  Duplicate function names have been eliminated between the
    Shorewall-core lib.cli shell library and the Shorewall lib.cli-std
    library.

4)  The 'status' command in Shorewall[6]-lite now precedes the
    configuration directory name with the administrative host name
    separated with a colon (":").

    Example (Firewall script generated on host 'debianvm'):

      root@gateway:~# shorewall-lite status
      Shorewall Lite-5.2.8 Status at gateway - Tue 15 Sep 2020 03:09:15 PM PDT

      Shorewall Lite is running
      State:Started Tue 15 Sep 2020 03:08:33 PM PDT from
      debianvm:/home/teastep/shorewall/gateway/shorewall/
      (/var/lib/shorewall-lite/firewall compiled Tue 15 Sep 2020
      03:08:28 PM PDT by Shorewall version 5.2.8)

      root@gateway:~#

5)  Tuomo Soini has contributed a macro that handles NFSv4 (no
    dynamic ports).

----------------------------------------------------------------------------
                  I V.  M I G R A T I O N   I S S U E S
----------------------------------------------------------------------------

    If you are migrating from Shorewall 4.6.x or earlier, please see
    http://www.shorewall.org/pub/shorewall/5.0/shorewall-5.0.15/releasenotes.txt

    Immediately after installing Shorewall 5.2.x, we recommend that you run
    'shorewall[6] update'. This command will handle many of the migration
    issues described here.

    ------------------------------------------------------------------------
    I S S U E S  M I G R A T I N G  T O  S H O R E W A L L  5 . 2
    F R O M  S H O R E W A L L  5 . 0
    ------------------------------------------------------------------------

    If you are migrating from Shorewall 5.0, this section will
    familiarize you with the changes in Shorewall 5.1 that may affect
    your configuration.

1)  Shorewall 5.1 now has a single CLI program, ${SBINDIR}/shorewall
    (normally /sbin/shorewall). This program performs all of the same
    functions previously performed by /sbin/shorewall,
    /sbin/shorewall6, /sbin/shorewall-lite and /sbin/shorewall6-lite
    and is installed as part of the Shorewall-core package. Its
    default 'personality' is determined by the Shorewall packages
    installed:

    a) If the Shorewall package is installed, then by default,
       /sbin/shorewall behaves as in prior versions.

    b) If the Shorewall package is not installed, but the
       Shorewall-lite package is present, then /sbin/shorewall behaves
       as did /sbin/shorewall-lite in prior versions.

    c) If neither the Shorewall nor Shorewall-lite packages are
       installed, but the Shorewall6-lite package is installed, then
       /sbin/shorewall behaves as did /sbin/shorewall6-lite in prior
       versions.

    The program's personality can be altered through use of two new
    options.

    -6  When specified, changes the personality from Shorewall to
     	Shorewall6 or from Shorewall-lite to Shorewall6-lite.

    -l  When specified, changes the personality from Shorewall to
     	Shorewall-lite or from Shorewall6 to Shorewall6-lite. This
     	option is only required when both the standard package
     	(Shorewall or Shorewall6) and the corresponding -lite package
     	are installed on the system.

    The following is a comparison of Shorewall 5.0 and Shorewall 5.1
    with respect to the CLI invocation:

    	 All four packages installed:

    	 Shorewall 5.0			Shorewall 5.1

	 shorewall 			shorewall
	 shorewall6			shorewall -6
	 shorewall-lite			shorewall -l
	 shorewall6-lite		shorewall -6l

	 Only Shorewall-lite and Shorewall6-lite installed:

	 Shorewall 5.0	     	        Shorewall 5.1

	 shorewall-lite			shorewall
	 shorewall6-lite		shorewall -6

    A single shorewall(8) manpage now describes the CLI.

    The shorewall6(8), shorewall-lite(8) and shorewall6-lite(8)
    manpages are now minimal and refer the reader to shorewall(8).

    For backward compatibility, Shorewall6, Shorewall-lite and
    Shorewall6-lite install symlinks $SBINDIR/shorewall6,
    $SBINDIR/shorewall-lite and
    $SBINDIR/shorewall6-lite respectively. When the shorewall program
    is invoked through one of these symlinks, it adopts the appropriate
    personality.

2)  The CHAIN_SCRIPTS option in the .conf files has been eliminated,
    and the compiler no longer looks for script files with the same
    name as a chain or action.

    If you are using such files, you will need to convert them into
    equivalent ?begin perl .... ?end perl text or to use the
    IP[6]TABLES target and/or inline matches.

    For the common case where you have an action xxx with an empty
    action.xxx file and have perl code in a file named xxx, the
    compiler will now generate a fatal error:

      ERROR: File action.xxx is empty and file xxx exists - the two
      	     must be combined as described in the Migration
      	     Considerations section of the Shorewall release notes

    For information about resolving this error, see
    http://www.shorewall.org/Shorewall-5.html#idp41228128.

    This issue is not handled by 'shorewall update' and must be
    corrected manually.

4)  The Netfilter team have removed support for the rawpost table, so
    Shorewall no longer supports features requiring that table
    (stateless netmapping in the netmap file). The good news is that,
    since kernel 3.7, Netfilter supports stateful IPv6 network mapping
    which is now also supported in Shorewall6 (see
    shorewall-netmap(5)).

    This issue is not handled by 'shorewall update' and must be
    corrected manually.

5)  The (undocumented) Makefiles haven't been maintained for many
    releases and have been removed.

6)  Beginning with Shorewall 5.1.2, The DROP_DEFAULT, REJECT_DEFAULT,
    etc. options may now specify a comma-separated list of actions
    rather than just a single action. The actions are invoked in the
    order in which they are listed and each action may optionally be
    followed by a colon (":") and a log level.  The POLICY column in
    shorewall[6]-policy can now specify a similar list of actions. In
    that file, the list may be preceded by a plus sign ("+"), in which
    case the listed actions will be in addition to those listed in the
    related _DEFAULT setting in shorewall[6].conf.

    With these changes, the Drop and Reject policy actions are now
    deprecated in favor of a list of smaller actions. A warning is
    issued when these deprecated actions are used; the warning refers
    the reader to http://www.shorewall.org/Actions.html#Default.

    This issue is partially handled by 'shorewall update' - see
    the 5.2 issues below.

7)  Beginning with Shorewall 5.1.2, the allowBcast, dropBcast, and
    Broadcast actions no longer handle multicast. Multicast is handled
    separately in the allowMcast, dropMcast and Multicast actions. The
    now-deprecated Drop and Reject policy actions have been modified so
    that they continue to silently drop multicast packets.

8)  According to the Netfilter team (see
    https://patchwork.kernel.org/patch/9198133/), the --nflog-range option
    of the NFLOG target has never worked correctly, and they have
    deprecated that option in favor of the --nflog-size option.

    To accommodate this change, Shorewall 5.1.5 added an "--nflog-size
    support" (NFLOG_SIZE) Shorewall capability and a USE_NFLOG_SIZE
    option in shorewall[6].conf. If USE_NFLOG_SIZE=Yes, then if the
    capability is present, Shorewall will use '--nflog-size' in place
    of '--nflog-range'. If USE_NFLOG_SIZE=Yes and the capability is not
    present, an error is raised.

    If you don't use NFLOG, or if you use NFLOG with the second
    parameter omitted or set to 0, and 'shorewall show
    capabilities' indicates that --nflog-size support is present, you
    may safely set USE_NFLOG_SIZE=Yes.

    If you pass a non-zero value as the second parameter to NFLOG and
    the '--nflog-size support' capability is present, you need to
    verify that those NFLOG messages are as you expect with
    USE_NFLOG_SIZE=Yes.

    This issue is not handled by 'shorewall update' and must be
    corrected manually.

9)  The MODULE_SUFFIX option in shorewall[6].conf was eliminated in
    Shorewall 5.1.7. Shorewall now finds modules, independent of their
    filename suffix.

    'shorewall [-6] update' will automatically remove any MODULE_SUFFIX
    setting.

10) Beginning with Shorewall 5.1.8, when RESTORE_DEFAULT_ROUTE=Yes the
    default route is only restored when there are no enabled
    'balance/primary' providers and no enabled fallback providers.

    Also beginning with Shorewall 5.1.8, if the default route(s) have
    been restored to the 'main' table, and a fallback provider is
    successfully enabled, the default route(s) are removed from the
    main table.

11) Because restoring default routes to the main routing table can
    break the ability of Foolsm and other link status monitors to
    properly detect non-functioning provider links, a warning message
    is issued when the 'persistent' provider option is specified and
    RESTORE_DEFAULT_ROUTE=Yes.

      WARNING: When RESTORE_DEFAULT_ROUTE=Yes, the 'persistent' option
               may not work as expected

    This change was released in Shorewall 5.1.8.

    This issue is not handled by 'shorewall update' and must be
    corrected manually.

12) Most interface OPTIONS have always been ignored when the INTERFACE
    name is '+'. Beginning with the Shorewall 5.1.10 release, a warning
    is issued when an ignored option is specified with interface name '+'.

	Example: The 'sourceroute' option is ignored when used with
		 interface name '+'

    In many cases, this issue can be worked around by a change similar
    to the following:

    Original:

	net	+		dhcp,routeback,sourceroute=0

    Change to:

	net	all		dhcp,physical=+,routeback,sourceroute=0
		---		     ----------

    As part of this change, interfaces that specify a wildcard physical
    interface name will generate a warning if any of the following
    options are specified:

	accept_ra
	arp_filter
	arp_ignore
	forward
	logmartians
	proxyarp
	proxyndp
	routefilter
	sourceroute

    When the warning is issued, the specified option is then ignored
    for the interface.

    Example:

	WARNING: The 'sourceroute' option is ignored when used with a
		 wildcard physical name
		 /etc/shorewall6.universal/interfaces (line 14)

    This issue is not handled by 'shorewall update' and must be
    corrected manually.

13) INLINE_MATCHES=Yes has been documented as deprecated for some
    time, but it has not generated a warning. Beginning with the
    Shorewall 5.1.12 release, a warning is issued:
    
        WARNING: Option INLINE_MATCHES=Yes is deprecated

    Additionally, each line that requires modification to work with
    INLINE_MATCHES=No is flagged with the warning:

        WARNING: This entry needs to be changed (replace ';' with ';;')
		 before the INLINE_MATCHES option is removed in
		 Shorewall 5.2

    You can eliminate the warnings by setting INLINE_MATCHES=No and
    by replacing the single semicolon (";") separating inline matches
    from the column-oriented part of the rule with two semicolons
    (";;") in each entry flagged by the second warning.

    This issue is mostly handled by 'shorewall update' - see
    the 5.2 issues below.

    ------------------------------------------------------------------------
    I S S U E S  M I G R A T I N G  T O  S H O R E W A L L  5 . 2
    F R O M  S H O R E W A L L  5 . 0  A N D  5 . 1
    ------------------------------------------------------------------------

1)  The MAPOLDACTIONS option in shorewall.conf has been removed. This
    option provided compatibility with releases prior to Shorewall 3.0.
    'shorewall update' will remove the setting of this option from
    shorewall.conf.

2)  The INLINE_MATCHES option has been removed. Shorewall now behaves as
    if INLINE_MATCHES=No had been specified:

    - A single semicolon (';') is used to separate column-oriented
      input from column-name/value input.

    - The preferred method of specifying column-name/value input is to
      enclose such input in curly braces ("{....}").

    - A pair of semicolons (';;') is used to introduce raw IP[6]TABLES
      input. This is true in INLINE and IP[6]TABLES rules as well as
      rules with other targets.

    As part of this change, 'shorewall update' will replace ';' with
    ';;' in INLINE and IP[6]TABLES rules. It will also replace ';' by
    ';;', if ';' is followed by '-m', '-j' or '-g'.
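    The following Python is an added illustration of the rewrite just
    described; it is not Shorewall's own Perl code and the 'update'
    command does not work this way internally. It assumes the
    shorewall-rules(5) layout (whitespace-separated columns, ACTION in
    the first column, '#' comments, at most one lone ';' per rule) and
    the sample rules are constructed for the demonstration:

```python
import re

# Targets whose ';' always introduces raw ip[6]tables input.
RAW_TARGETS = ("INLINE", "IPTABLES", "IP6TABLES")

# A lone ';' (not part of ';;') followed by an option that can only be
# raw ip[6]tables input: -m, -j or -g.
_RAW_OPTION = re.compile(r"(?<!;);(?!;)(\s*-[mjg]\b)")

# The first lone ';' on a line.
_LONE_SEMI = re.compile(r"(?<!;);(?!;)")


def base_action(rule):
    """Return the ACTION keyword of a rule with any parameter list or
    log level stripped, e.g. 'INLINE(ACCEPT):info' -> 'INLINE'."""
    first = rule.split(None, 1)[0]
    return re.split(r"[(:]", first, maxsplit=1)[0]


def update_rule(line):
    """Rewrite one rules-file line the way the notes describe.

    - Blank lines and '#' comments are returned unchanged.
    - In INLINE and IP[6]TABLES rules the first lone ';' becomes ';;'.
    - In any other rule a lone ';' becomes ';;' only when '-m', '-j'
      or '-g' follows it; a ';' introducing name=value input stays.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return line
    if base_action(stripped) in RAW_TARGETS:
        return _LONE_SEMI.sub(";;", line, count=1)
    return _RAW_OPTION.sub(r";;\1", line, count=1)


def update_rules(text):
    """Apply update_rule() to every line of a rules file."""
    return "\n".join(update_rule(line) for line in text.split("\n"))


# Constructed sample rules (not taken from a real configuration).
SAMPLE = """\
#ACTION         SOURCE  DEST  PROTO  DPORT
INLINE(ACCEPT)  net     $FW   tcp    22  ; -m recent --set --name ssh
IPTABLES(DROP)  net     all             ; -m conntrack --ctstate INVALID
ACCEPT          loc     net   tcp    80  ; -m time --timestart 09:00
ACCEPT          loc     net   tcp    443 ; rate=s:10/min
DROP            net     all             ;; -m string --string evil --algo bm
"""

if __name__ == "__main__":
    print(update_rules(SAMPLE))
```

    Running the script prints the sample with the first three rules
    changed to ';;', the 'rate=' rule left alone (that ';' still
    separates name=value input), and the rule that already used ';;'
    untouched. Before relying on any such automated rewrite, diff the
    result against the original file: a ';' followed by '-m' in
    name=value input that happens to start with '-m' would be
    misclassified by this simple rule.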

3)  With the wide availability of ipset-based blacklisting, the need
    for the 'refresh' command has been largely eliminated. As a result,
    that command has been removed.

    Some users may have been using 'refresh' as a lightweight form of
    reload. The most common of these uses seem to be for reloading
    traffic shaping after an interface has gone down and come back up.
    The best way to handle this situation under 5.2 is to make the
    interface 'optional' in your /etc/shorewall[6]/interfaces file,
    then either:

    - Install Shorewall-init and enable IFUPDOWN; or
    - Use the 'reenable' command when the interface comes back up
      in place of the 'refresh' command.

4)  The following deprecated macros and actions have been removed:

	Action A_AllowICMPs  - use AllowICMPs(A_ACCEPT)
	Action A_Drop	     - see below
	Action A_Reject	     - see below
	Action Drop	     - see below
	Action Reject	     - see below
	Macro SNMPTrap	     - use SNMPtrap

     The [A_]Drop and [A_]Reject actions are used primarily as policy
     actions. As part of this change, 'shorewall update' will update
     DROP_DEFAULT=[A_]Drop and REJECT_DEFAULT=[A_]Reject as follows:

       IPv4

         DROP_DEFAULT=Drop becomes Broadcast(DROP),Multicast(DROP)
	 DROP_DEFAULT=A_Drop becomes
	     Broadcast(A_DROP),Multicast(A_DROP)
	 REJECT_DEFAULT=Reject becomes Broadcast(DROP),Multicast(DROP)
	 REJECT_DEFAULT=A_Reject becomes
	     Broadcast(A_DROP),Multicast(A_DROP)

      IPv6

         DROP_DEFAULT=Drop becomes
             AllowICMPs,Broadcast(DROP),Multicast(DROP)
	 DROP_DEFAULT=A_Drop becomes
             AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)
	 REJECT_DEFAULT=Reject becomes
             AllowICMPs,Broadcast(DROP),Multicast(DROP)
	 REJECT_DEFAULT=A_Reject becomes
             AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)

    The 'update' command will also make similar changes in the policy
    file.

    'shorewall update' does not handle invocations of 'Drop' and
    'Reject' within the rules file, or within actions and macros. Those
    instances will generate an error which must be corrected manually.

    It should also be noted that, in prior releases, Drop and Reject
    silently dropped more traffic than their replacements. As a
    consequence, you will see more traffic being logged with Shorewall
    5.2 than you did on earlier releases. The translations performed
    by 'update' can be extended after the update to drop additional
    traffic as desired.

5)  When AUTOMAKE=Yes, each directory in the CONFIG_PATH was originally
    searched recursively for files newer than the compiled script. That
    was changed in Shorewall 5.1.10.2 such that only the listed
    directories themselves were searched. That broke some
    configurations that played tricks with embedded SHELL such as:
    
       SHELL cat /etc/shorewall/rules.d/loc/*.rules
       
    Prior to 5.1.10.2, a change to a file in or adding a file to
    /etc/shorewall/rules.d/loc/ would trigger recompilation. Beginning
    with 5.1.10.2, such changes would not trigger recompilation.

    Beginning with Shorewall 5.2.0, the pre-5.1.10.2 behavior can be
    obtained by setting AUTOMAKE=recursive.

    Also beginning with Shorewall 5.2.0, AUTOMAKE may be set to a
    numeric <depth> which specifies how deeply each listed directory is
    to be searched. AUTOMAKE=1 only searches each directory itself and
    is equivalent to AUTOMAKE=Yes. AUTOMAKE=2 will search each
    directory and its immediate sub-directories; AUTOMAKE=3 will search
    each directory, each of its immediate sub-directories, and each of
    their immediate sub-directories, etc.
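    The Python below is an added model of the search rule just
    described (not the Shorewall compiler's own code). It assumes
    CONFIG_PATH has already been split into a list of directories, that
    the compiled script's mtime is known, and that AUTOMAKE=No (always
    compile) is handled elsewhere. The demo() tree is constructed to
    mirror the SHELL trick above: a 'rules' file in the listed directory
    and a newer 'web.rules' three levels down in rules.d/loc/:

```python
import os
import shutil
import tempfile
import time


def automake_depth(setting):
    """Map an AUTOMAKE value to a search depth: 'Yes' -> 1, a positive
    integer -> that depth, 'recursive' -> None (unlimited).  AUTOMAKE=No
    means 'always compile' and is outside this model, so it is rejected."""
    text = str(setting).strip()
    if text.lower() == "yes":
        return 1
    if text.lower() == "recursive":
        return None
    if text.isdigit() and int(text) > 0:
        return int(text)
    raise ValueError("unsupported AUTOMAKE setting: %r" % (setting,))


def iter_files(directory, depth):
    """Yield regular files below 'directory'.  depth=1 yields only the
    directory's own files, depth=2 adds its immediate sub-directories,
    and so on; depth=None descends without limit.  Symlinks are not
    followed, so a link cannot pull in files from outside CONFIG_PATH."""
    try:
        entries = list(os.scandir(directory))
    except (FileNotFoundError, NotADirectoryError):
        return
    for entry in sorted(entries, key=lambda e: e.name):
        if entry.is_file(follow_symlinks=False):
            yield entry.path
        elif entry.is_dir(follow_symlinks=False) and (depth is None or depth > 1):
            yield from iter_files(entry.path, None if depth is None else depth - 1)


def needs_recompile(config_path, script_mtime, setting="Yes"):
    """Return the first configuration file whose mtime is newer than the
    compiled script, or None when nothing in the searched directories
    has changed.  config_path is a list of directories."""
    depth = automake_depth(setting)
    for directory in config_path:
        for path in iter_files(directory, depth):
            if os.stat(path, follow_symlinks=False).st_mtime > script_mtime:
                return path
    return None


def demo():
    """Build a constructed tree in a temporary directory and report what
    each AUTOMAKE setting notices.  Only rules.d/loc/web.rules is newer
    than the (pretend) compiled script.  Returns {setting: relative
    path of the triggering file, or None}."""
    base = tempfile.mkdtemp(prefix="automake-demo-")
    try:
        os.makedirs(os.path.join(base, "rules.d", "loc"))
        top = os.path.join(base, "rules")
        nested = os.path.join(base, "rules.d", "loc", "web.rules")
        for path in (top, nested):
            with open(path, "w") as fh:
                fh.write("# constructed sample\n")
        script_mtime = time.time() - 100                       # compiled 100 s ago
        os.utime(top, (script_mtime - 10, script_mtime - 10))  # 'rules' predates it
        results = {}
        for setting in ("Yes", 2, 3, "recursive"):
            hit = needs_recompile([base], script_mtime, setting)
            results[setting] = None if hit is None else os.path.relpath(hit, base)
        return results
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for setting, hit in demo().items():
        print("AUTOMAKE=%-9s -> %s" % (setting, hit or "script is current"))
```

    With AUTOMAKE=Yes or AUTOMAKE=2 the nested file goes unnoticed and
    the stale compiled script would be reused; AUTOMAKE=3 or
    AUTOMAKE=recursive catches it. Pick the smallest depth that covers
    every directory your SHELL or INCLUDE lines actually read.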

6)  Support for the deprecated 'masq' file has been deleted. Any
    existing 'masq' file will automatically be converted to the
    equivalent 'snat' file.

7)  Where two or more providers share a network interface, the
    'optional' interface/provider option has never worked correctly.
    Beginning with Shorewall 5.2.1, the 'optional' option is disallowed
    on such interfaces and providers.

8)  With the availability of zone exclusion in the rules file, 'all[+]-'
    and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW'
    respectively. Beginning with Shorewall 5.2.3, the former are
    deprecated in favor of the latter and will result in a warning
    message, if used.

9)  Beginning with Shorewall 5.2.3, the LOAD_HELPERS_ONLY option in
    shorewall[6].conf has been removed, and the behavior is as if
    LOAD_HELPERS_ONLY=Yes had been specified. 'shorewall[6] update'
    will remove the option from shorewall[6].conf.

----------------------------------------------------------------------------
         V.  N O T E S  F R O M  O T H E R  5 . 2  R E L E A S E S
----------------------------------------------------------------------------
                   N E W  F E A T U R E S  I N  5 . 2 . 7
----------------------------------------------------------------------------

1)  Previously, it was not possible to classify traffic by destination
    IP address when using an Intermediate Functional Block (IFB) for
    traffic shaping. This is because such classification takes place
    before the traffic passes through the mangle PREROUTING chain.

    Such filtering is now possible by setting the 'connmark' option in
    the tcdevices file. This option causes the current connection mark
    to be copied to the packet mark prior to filtering, thus allowing
    the packet mark to be used for classification.

    This change adds a new CONNMARK_ACTION capability which is
    required to be able to specify the 'connmark' option.

    Rodrigo Araujo provided the bulk of the code for this enhancement.

2)  The tcpri file now supports ?FORMAT 2 which inserts an SPORT
    column directly to the right of the PORT column. As part of this
    change, the PORT column is renamed to DPORT while allowing both
    'port' and 'dport' to be used in the alternate input format. See
    shorewall-tcpri(5) and
    http://shorewall.org/simple_traffic_shaping.html for additional
    information.

3)  The Simple TC document is now linked to FAQs 97 and 97a.

----------------------------------------------------------------------------
                   N E W  F E A T U R E S  I N  5 . 2 . 6
----------------------------------------------------------------------------

1)  The 'actions' file now supports a 'dport' option to go along with
    the 'proto' option. Together, these two options restrict an
    action to a particular service. See shorewall-actions(5) for
    details.

    Example limiting net->all SSH connections to 3/min per source IP:

    /etc/shorewall/actions:

      SSHLIMIT     proto=tcp,\	# Blacklist overzealous SSHers
	           dport=ssh

    /etc/shorewall/action.SSHLIMIT:

      ACCEPT { RATE=s:3/min:3 }
      BLACKLIST:$LOG_LEVEL:net_SSHLIMIT

    /etc/shorewall/rules:

      SSHLIMIT  net	all

2)  The change to 'show actions' implemented in 5.2.5.1 (see below)
    has been further extended.

    - "?IF...?ELSE...?ENDIF" sequences are now shown in the output
    - Continuation lines are now shown in the output so that all
      action options are now displayed
    - If an action appears in both /usr/share/shorewall[6]/actions.std
      and in /etc/shorewall[6]/actions, then the entry in the actions
      file is shown followed by the entry in the actions.std file.

3)  To emphasize that it specifies destination ports, the PORT column
    in the snat file has been renamed DPORT. Beginning with this
    release, both 'port' and 'dport' are accepted in the alternative
    input format.

4)  The snat file now supports ?FORMAT 2, which adds an SPORT (source
    port) column immediately to the right of the DPORT (destination
    port) column.

----------------------------------------------------------------------------
             P R O B L E M S  C O R R E C T E D  I N  5 . 2 . 6
----------------------------------------------------------------------------

5.2.6.1

1)  Previously, Perl diagnostics or outright failures could occur
    during update.

    Examples:

    Processing /etc/shorewall/params ...
    Use of uninitialized value $policy in pattern match (m//) at
    /usr/share/shorewall/Shorewall/Config.pm line 5531.
    Use of uninitialized value $policy in pattern match (m//) at
    /usr/share/shorewall/Shorewall/Config.pm line 5537.
    Use of uninitialized value $policy in pattern match (m//) at
    /usr/share/shorewall/Shorewall/Config.pm line 5543.
    Use of uninitialized value $policy in pattern match (m//) at
    /usr/share/shorewall/Shorewall/Config.pm line 5531.
    Use of uninitialized value $policy in pattern match (m//) at
    /usr/share/shorewall/Shorewall/Config.pm line 5537.
    Use of uninitialized value $policy in pattern match (m//) at
    /usr/share/shorewall/Shorewall/Config.pm line 5543.
    Configuration file /root/try/shorewall.conf updated - old file renamed
    /root/try/shorewall.conf.bak
    Loading Modules...
        ERROR: Internal error in Shorewall::Config::detect_capability

    This defect has been corrected.

2)  Previously, if 'update' added a CONFIG_PATH setting to
    shorewall[6].conf, that setting could contain "::" which could
    then cause the next 'update' to fail. Now, the compiler correctly
    handles double colons in the CONFIG_PATH setting.

3)  Local zones (type 'local' in /etc/shorewall[6]/zones) are only
    accessible from the firewall and from vserver zones. Previously,
    the compiler generated superfluous rules for handling forwarded
    traffic from such zones; that has been corrected, and no
    forwarding rules are now generated.

5.2.6

1)  This release includes defect repair up through Shorewall version
    5.2.5.2.

2)  When compiling for export, the compiler generates a firewall.conf
    file which is later installed on the remote firewall system as
    ${VARDIR}/firewall.conf. Previously, the CLI on that firewall was
    not processing the file, resulting in some features not being
    available:

    - Default values for VERBOSITY, LOGFILE, LOGFORMAT, PATH,
      SHOREWALL_SHELL, SUBSYSLOCK, RESTOREFILE, RESTART,
      DYNAMIC_BLACKLIST and PAGER are not supplied.

    - scfilter file supplied at compile time.

    - dumpfilter file supplied at compile time.

    That has been corrected.

3)  A bug in iptables (see
    https://git.netfilter.org/iptables/commit/?id=d1555a0906e35ba8d170613d5a43da64e527dbe1)
    prevents the '--queue-cpu-fanout' option from being applied unless
    that option is the last one specified. Unfortunately, Shorewall
    places the '--queue-bypass' option last if that option is also
    specified.

    This release works around this issue by ensuring that the
    '--queue-cpu-fanout' option appears last.

4)  The -D option of the 'compile', 'check', 'reload' and 'restart'
    commands was previously omitted from the output of 'shorewall
    help'. It is now included. As part of this change, an incorrect
    and conflicting description of the -D option was removed from the
    'remote-restart' section of shorewall(8).

5)  Previously, when EXPAND_POLICIES=No, chains that enforced ACCEPT
    policies were not completely optimized by optimize level 2 (ACCEPT
    rules preceding the final unconditional ACCEPT were not
    deleted). That has been corrected such that these rules are now
    optimized.

----------------------------------------------------------------------------
                   N E W  F E A T U R E S  I N  5 . 2 . 5
----------------------------------------------------------------------------

1)  Prior to this release, when a 'timeout' value was specified in the
    DYNAMIC_BLACKLIST setting, the dynamic-blacklisting ipset was
    created with this default timeout. This had the unfortunate
    disadvantage that it was not possible to add permanent entries
    into the ipset. Even if 'timeout 0' was specified in a 'blacklist'
    command, the entry would still age out of the ipset after the
    default timeout had elapsed.

    Beginning with this release, the dynamic-blacklisting ipset is
    created with 'timeout 0'. When an address is added to the set,
    either by BLACKLIST policy enforcement, by the BLACKLIST action,
    or by the CLI 'blacklist' command (where no 'timeout' is
    specified), the default timeout is applied to the new entry.

    Once you have upgraded to this version of Shorewall, you can
    convert your existing dynamic-blacklisting ipset (with a non-zero
    default timeout) to have a default timeout of zero as follows:

    a) If RESTART=restart in shorewall[6].conf, then simply
       'shorewall[6] restart'.

    b) Otherwise, 'shorewall[6] stop && shorewall[6] start'.

2)  Previously, when an ADD or DEL rule specified logging, the entire
    action (e.g. 'ADD(+NET_BL:src:7200)') was included in the log
    message. This could easily lead to a "Log prefix shortened..."
    warning during compilation.

    Beginning with this release, such log messages will contain only
    the basic action ('ADD' or 'DEL') and the set name (e.g.,
    'ADD(NET_BL)') to reduce the likelihood of producing the warning.

3)  Traditionally, Shorewall has logged state change messages using
    the 'user' syslog facility. Beginning with this release, these
    messages will be logged using the 'daemon' facility to more
    accurately reflect that these messages relate to a service.

4)  The DYNAMIC_BLACKLIST setting now allows a 'log' option to be
    specified for ipset-based blacklisting. When this option is given,
    successful 'blacklist' and 'allow' commands generate a 'daemon.info'
    log message.

5)  When ipset-based dynamic blacklisting is enabled, the generated
    ruleset has traditionally refreshed the 'timeout' of an ipset
    entry when a packet from a blacklisted host is received. This has
    the unfortunate side effect that it can change a permanent entry
    (timeout 0) into a temporary one (non-zero timeout). Beginning
    with this release, this timeout refresh can be avoided by
    specifying the 'noupdate' option in the DYNAMIC_BLACKLIST
    setting.

6)  To allow Shorewall's ipset-based blacklisting to play nicely with
    fail2ban, the 'blacklist!' CLI command has been added.

    The command

        blacklist! <ip>

    is equivalent to

        blacklist <ip> timeout 0

    thus allowing 'blacklist!' to be specified as the 'blocktype' in
    /etc/fail2ban/actions.d/shorewall.conf.

    See https://shorewall.org/blacklisting_support.htm#fail2ban for
    further information about using Shorewall dynamic blacklisting
    with fail2ban.
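
    As an added, self-contained check for items 1), 5) and 6) above (it is
    not part of Shorewall or of these release notes): after upgrading, a
    practitioner wants to confirm that the dynamic-blacklisting ipset was
    recreated with a default timeout of 0 and to see which entries are
    permanent (timeout 0, as created by 'blacklist!') and which will age
    out. The script below parses the text output of 'ipset list'. It
    assumes the output format reproduced in its constructed sample and
    that the IPv4/IPv6 sets are named SW_DBL4 and SW_DBL6 (an assumption;
    adjust the names to your configuration).

```python
"""Check Shorewall's dynamic-blacklist ipset after upgrading (added example).

Not Shorewall code. Parses 'ipset list' output so you can confirm the set's
default timeout is 0 and list permanent versus temporary entries.
Assumptions: the 'ipset list' text format shown in the constructed sample
below, and set names SW_DBL4/SW_DBL6 (adjust to your configuration).
"""
import re
import sys

# Constructed sample output of 'ipset list' (not captured from a real host).
SAMPLE_IPSET_LIST = """\
Name: SW_DBL4
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 300
Size in memory: 344
References: 2
Number of entries: 3
Members:
192.0.2.10 timeout 0
198.51.100.7 timeout 211
203.0.113.99 timeout 299

Name: other_set
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 timeout 0
Size in memory: 456
References: 1
Number of entries: 1
Members:
10.0.0.0/8 timeout 0
"""

_TIMEOUT = re.compile(r"\btimeout (\d+)\b")


def parse_ipset_list(text):
    """Return {name: {"default_timeout": int|None, "members": [(addr, timeout)]}}.

    'default_timeout' comes from the Header line (None when the set was
    created without timeout support); a member timeout is None likewise.
    """
    sets = {}
    current = None
    in_members = False
    for line in text.splitlines():
        if not line.strip():            # a blank line separates sets
            in_members = False
            continue
        if line.startswith("Name: "):
            current = line[len("Name: "):].strip()
            sets[current] = {"default_timeout": None, "members": []}
            in_members = False
        elif current is None:
            continue                    # ignore anything before the first set
        elif line.startswith("Header: "):
            m = _TIMEOUT.search(line)
            sets[current]["default_timeout"] = int(m.group(1)) if m else None
        elif line.startswith("Members:"):
            in_members = True
        elif in_members:
            addr = line.split()[0]
            m = _TIMEOUT.search(line)
            sets[current]["members"].append((addr, int(m.group(1)) if m else None))
    return sets


def sets_needing_conversion(sets, names=("SW_DBL4", "SW_DBL6")):
    """Dynamic-blacklist sets still created with a non-zero default timeout."""
    return [n for n in names if n in sets and sets[n]["default_timeout"]]


def permanent_entries(set_info):
    """Addresses that never age out (explicit 'timeout 0', e.g. from 'blacklist!')."""
    return [addr for addr, t in set_info["members"] if t == 0]


def temporary_entries(set_info):
    """Addresses that will age out, with their remaining seconds."""
    return [(addr, t) for addr, t in set_info["members"] if t]


if __name__ == "__main__":
    # Pipe live output in ('ipset list | python3 this_script.py'); the
    # constructed sample is used when nothing is piped.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPSET_LIST
    parsed = parse_ipset_list(text)
    print("sets to recreate with 'timeout 0':", sets_needing_conversion(parsed))
    for name in sets_needing_conversion(parsed) or [n for n in parsed if n.startswith("SW_DBL")]:
        print(name, "permanent:", permanent_entries(parsed[name]))
        print(name, "temporary:", temporary_entries(parsed[name]))
```

    A set reported by sets_needing_conversion() is one that still has the
    pre-5.2.5 non-zero default; recreate it with the restart or stop/start
    procedure given in item 1) and run the check again.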

7)  Previously, when a zone name was too long, the resulting error
    message was "Invalid zone name (<name>)". To make the cause of
    the failure clearer, the message is now "Zone name (<name>) too
    long".

----------------------------------------------------------------------------
             P R O B L E M S  C O R R E C T E D  I N  5 . 2 . 5
----------------------------------------------------------------------------

5.2.5.1

1)  The change in 5.2.5 base which changed the 'user' facility to the
    'daemon' facility in Shorewall syslog messages did not change the
    messages with severity 'err'. That has been corrected such that
    all syslog messages now use the 'daemon' facility.

2)  The actions.std file contains "?IF...?ELSE...?ENDIF" sequences
    that provide different action options depending on the availability
    of certain capabilities. This has resulted in the Broadcast and
    Multicast options being listed twice in the output of
    "shorewall[6] show actions". Beginning with this release, this
    duplication is eliminated. Note, however, that the options shown
    will be incomplete if they were continued onto another line, and
    may be incorrect for Broadcast and Multicast.

3)  A typo in shorewall-providers(5) has been corrected.

5.2.5 Base

1)  Previously, Shorewall-init installed a 'shorewall' script in
    /etc/network/if-down.d on Debian and derivatives. This script was
    unnecessary and required Debian-specific code in the generated
    firewall script. The Shorewall-init script is no longer installed
    and the generated firewall script is now free of
    distribution-specific code.

2)  Also on Debian and derivatives, Shorewall-init installed
    /etc/NetworkManager/dispatcher.d/01-shorewall which was also
    unnecessary.  Beginning with this release, that file is no longer
    installed.

3)  Previously, if the dynamic-blacklisting default timeout was set in
    a variable in the params file and the variable was used in setting
    DYNAMIC_BLACKLIST, then the 'allow' command would fail with
    the message:

        ERROR: Invalid value (ipset-only,disconnect,timeout=) for
               DYNAMIC_BLACKLIST

    That has been corrected.

4)  When EXPAND_POLICIES=No in shorewall[6].conf, policies in complex
    rulesets are enforced in chains such as 'net-all' and
    'all-all'. Previously, these chains included redundant
    state-oriented rules. In addition to being redundant, these rules
    could actually break complex IPv6 configurations. The extra rules are
    now omitted.

----------------------------------------------------------------------------
                   N E W  F E A T U R E S  I N  5 . 2 . 4
----------------------------------------------------------------------------

1)  Previously, Shorewall's Docker support assumed that the default
    Docker Bridge (docker0) was being used. Beginning with this
    release, the DOCKER_BRIDGE option in Shorewall.conf allows an
    arbitrary name to be assigned to the bridge. In particular, when
    CNI is being used, DOCKER_BRIDGE=cni0 is the appropriate setting.

2)  The CLI keywords 'debug' and 'trace' have been replaced by -D and
    -T options respectively (e.g., 'shorewall trace reload' is now
    'shorewall -T reload'). Like the keywords, only one of these
    options can be active at a time; if both are entered, only the
    last one is activated. A similar change has been made to the
    generated script.

    The -T option (formerly 'trace') now applies only to shell-level
    tracing in the CLI and generated script. Those commands that
    invoke the rules compiler now accept a -D command option which
    causes the compiler to generate debugging information (e.g.,
    'shorewall check -D').

    The 'nolock' keyword is now deprecated in favor of the -N
    option (e.g., 'shorewall nolock reload' becomes 'shorewall -N
    reload').

    See shorewall(8) for details.

3)  Within the source code and documentation, 'shorewall.net' has been
    replaced by 'shorewall.org'.

----------------------------------------------------------------------------
             P R O B L E M S  C O R R E C T E D  I N  5 . 2 . 4
----------------------------------------------------------------------------

5.2.4.4

1)  When DYNAMIC_BLACKLIST=ipset... or when SAVE_IPSETS=Yes in
    shorewall[6].conf, 'shorewall[6] start' could hang when 5.2.4.3
    was installed. That has been corrected.

2)  When 5.2.4.3 was installed, 'shorewall[6] start' would not
    automatically create dynamic blacklisting ipsets. That has been
    corrected.

5.2.4.3

1)  When interfaces were managed by Network Manager and IFUPDOWN=1 was
    specified in the Shorewall-init configuration file, enabling an
    optional interface in Shorewall6[-lite] could fail when that
    interface was brought up.

    The fix involves corrected code in this release of Shorewall, but
    may also require a configuration change in
    /etc/shorewall6/interfaces. The change in Shorewall makes the
    generated script honor the 'wait=<seconds>' specification in
    /etc/shorewall6/interfaces when executing the 'enable' command.
    If there are optional interfaces that do not specify 'wait=...',
    then the interfaces file must be altered to include such
    specifications.

2)  An unnecessary test during command initialization in the generated
    script has been eliminated.

3)  Previously, 'shorewall[6] stop' or 'shorewall[6] clear' would
    create the dynamic blacklist ipset if it did not exist. Creation
    of the ipset is now deferred until the next 'start'.

4)  Previously, 'shorewall[6] start' would delete all corresponding
    ipsets before restoring. It now deletes only those sets that will
    be restored, thus allowing SAVE_IPSETS to be specified in the
    Shorewall-init configuration when ipset-based dynamic blacklisting
    is also enabled. Previously, if any additional ipsets were used,
    it was necessary to set SAVE_IPSETS=Yes in shorewall[6].conf as
    well.

5)  Previously, 'Shorewall-init start' restored ipsets after stopping
    the firewalls, precluding use of ipsets in the stoppedrules file.
    Shorewall-init now restores the ipsets before stopping the
    firewalls.

6)  Optimize level 16 has been sped up by an order of magnitude.
    Tests using a large user-supplied configuration showed that
    compilation time with OPTIMIZE=all was reduced from 22 minutes 40
    seconds to 21.5 seconds.

5.2.4.2

1)  This release corrects two problems associated with Debian
    Shorewall-init when IFUPDOWN=1 in the Shorewall-init
    configuration file (/etc/default/shorewall-init):

    a) Down events were ignored when Network Manager was being used.

    b) Up events were processed twice when a dual-stack interface
       was brought up.

    Both problems have been corrected. To make the fixes effective,
    it is necessary to recompile the firewall script (shorewall[6]
    compile, start, restart or reload).

5.2.4.1

1)  The web site and documentation have been improved to correct some
    invalid links in the manpages (including the manpages released
    in Shorewall components) and to link directly to the current
    website at https://shorewall.org. (Tuomo Soini)

2)  Cautions regarding SAVE_IPSETS have been added to the ipsets
    article.

3)  OpenSuSE users running systemd have complained that the firewalls
    are stopped after a Shorewall product upgrade. The problem is that
    OpenSuSE restarts all running products that have been
    upgraded. Recall that 'systemctl restart' is equivalent to
    'systemctl stop && systemctl start', and that starting
    Shorewall-init results in the firewall products specified in the
    Shorewall-init config file being stopped. To address this issue,
    Shorewall-init will now ignore 'start' and 'stop' commands for
    running firewalls (Tuomo Soini).

4)  On Redhat-based systems and on OpenSuSE, extraneous Shorewall-init
    log messages regarding invalid commands were being issued. These
    harmless messages are now suppressed (Tuomo Soini).

5.2.4 Final

1)  Previously, when a Shorewall6 firewall was placed into the
    'stopped' state, ICMP6 packets required by RFC 4890 were not
    automatically accepted by the generated ruleset.
    
    Beginning with this release, those packets are automatically
    accepted.

2)  Previously, the output of 'shorewall[6] help' displayed the
    superseded 'load' command. That text has been deleted.

3)  The QOSExample.html file in the documentation and on the web site
    previously showed tcrules content for the /etc/shorewall/mangle
    file (recall that 'mangle' superseded 'tcrules'). That page has
    been corrected.

4)  The 'Starting and Stopping' and 'Configuration file basics'
    documents have been updated to align them with the current product
    behavior.

5)  The 'ipsets' document has been updated to clarify the use of
    ipsets in the stoppedrules file.

----------------------------------------------------------------------------
                   N E W  F E A T U R E S  I N  5 . 2 . 3
----------------------------------------------------------------------------

1)  Zone exclusion (e.g., "all!z2,z2,...") is now supported in the
    policy file.

2)  With the availability of zone exclusion in the rules file, 'all[+]-'
    and 'any[+]-' are equivalent to 'all[+]!$FW' and 'any[+]!$FW'
    respectively. Beginning with this release, the former are
    deprecated in favor of the latter and will result in a warning
    message, if used.
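
    As an added illustration of items 1) and 2) (a constructed policy-file
    fragment, not one from the release notes or from Shorewall's own
    examples; the zone names net, loc, dmz and vpn are assumed):

```text
#SOURCE         DEST            POLICY          LOGLEVEL
# 'all-' meant "every zone except the firewall"; since 5.2.3 it draws a
# warning. Write the exclusion out with '!' instead:
all!$FW         net             REJECT          info
# More than one zone may be excluded, as a comma-separated list:
all!dmz,vpn     loc             DROP            info
```

    The exclusion applies to the expanded zone list, so 'all!dmz,vpn'
    matches every zone except dmz and vpn, the firewall zone included.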

3)  Internal documentation of the undocumented 'test' parameter to
    compiler.pl has been added (it is used by the regression test
    library to suppress versions and date/times from the generated
    script).

4)  The LOAD_HELPERS_ONLY option has been removed from
    shorewall[6].conf. Hereafter, Shorewall[6] will behave as if
    LOAD_HELPERS_ONLY=Yes had been specified.

----------------------------------------------------------------------------
             P R O B L E M S  C O R R E C T E D  I N  5 . 2 . 3
----------------------------------------------------------------------------

5.2.3.7

1)  When DOCKER=Yes, if both the DOCKER-ISOLATE and
    DOCKER-ISOLATE-STAGE-1 chains existed, then the
    DOCKER-ISOLATE-STAGE-* chains were not preserved through Shorewall
    state changes. That has been corrected so that both chains are
    preserved if present.

2)  Previously, the compiler always detected the OLD_CONNTRACK_MATCH
    capability as being available in IPv6. When OLD_CONNTRACK_MATCH
    was available, the compiler also mishandled inversion ('!') in the
    ORIGDEST columns, leading to an assertion failure:

      Shorewall::Config::fatal_error("Internal error in
        Shorewall::Chains::set_rule_option at /usr/"...) called at
        /usr/share/shorewall/Shorewall/Config.pm line 1619

    Both the incorrect capability detection and the mishandled
    inversion have been corrected.

3)  During 'enable' processing, if address variables associated with
    the interface have values different than those when the firewall
    was last started/restarted/reloaded, then a 'reload' is performed
    rather than a simple 'enable'. The logic that checks for those
    changes was incorrect in some configurations, leading to unneeded
    reload operations. That has been corrected.

4)  When MANGLE_ENABLED=No in shorewall[6].conf, some features
    requiring use of the mangle table were allowed, even though the
    mangle table was not updated. That has been corrected such that use
    of such features now raises an error.

5)  When the IfEvent(...,reset) action was invoked, the compiler
    previously emitted a spurious "Resetting..." message. That message
    has been suppressed.

5.2.3.6

1)  When both Docker containers and Libvirt VMs were in use, 'shorewall
    start' could fail as follows:

      Running /sbin/iptables-restore --wait 60...
      iptables-restore v1.8.3 (legacy): Couldn't load target
      `LIBVIRT_PRT':No such file or directory
      Error occurred at line: 19
      Try `iptables-restore -h' or 'iptables-restore --help' for more information.
         ERROR: /sbin/iptables-restore --wait 60 Failed.

    That has been corrected.

5.2.3.5

1)  A typo in the FTP documentation has been corrected.

2)  The recommended mss setting when using IPSec with ipcomp has been
    corrected.

3)  A number of incorrect links in the manpages have been corrected.

4)  The 'bypass' option is now allowed when specifying an NFQUEUE
    policy. Previously, specifying that option resulted in an error.

5)  Corrected IPv6 Address Range parsing.

    Previously, such ranges were required to be of the form
    [<addr1>-<addr2>] rather than the more standard form
    [<addr1>]-[<addr2>]. In the snat file (and in nat actions), the
    latter form was actually flagged as an error, while in other
    contexts it resulted in a less obvious error being raised.

6)  The manpages have been updated to refer to https://shorewall.org
    rather than http://www.shorewall.org.

5.2.3.4

1)  If multi-queue NFQUEUE (e.g., NFQUEUE(0:1)) was used as a policy,
    an error such as the following was previously incorrectly raised:

      ERROR: Invalid policy (NFQUEUE(0) /etc/shorewall/policy (line
             15)

    That has been corrected such that no error is raised.

2)  If multi-queue NFQUEUE (e.g., NFQUEUE(0:1,bypass)) was passed to a
    macro, an error such as the following was previously incorrectly
    raised:

      ERROR: Invalid ACTION (PARAM:1c,bypass)))
             /usr/share/shorewall/macro.BitTorrent (line 12)
             from /etc/shorewall/rules (line 40)

    Now, the NFQUEUE action is correctly substituted for PARAM in
    the Macro body.

3)  If shorewall[6].conf didn't set AUTOMAKE, the 'update' command
    previously produced a new file with 'AUTOMAKE=Yes'. This resulted
    in an unexpected change of behavior. Now, the new file contains
    'AUTOMAKE=No', which preserves the pre-update behavior.

4)  Shorewall-rules(5) incorrectly stated that the 'bypass' option to
    NFQUEUE causes the rule to be silently bypassed if there is no
    application attached to the queue. The actual behavior is that the
    rule acts like ACCEPT in that case. Shorewall-rules(5) has been
    corrected.

5.2.3.3

1)  Previously, if an ipset was specified in an SPORT column, the
    compiler would raise an error similar to:

      ERROR: Invalid ipset name () /etc/shorewall/rules (line 44)

    That has been corrected.

5.2.3.2

1)  Shorewall 5.2 automatically converts an existing 'masq' file to an
    equivalent 'snat' file. Regrettably, Shorewall 5.2.3 broke that
    automatic update, such that the following error message was issued:

       Use of uninitialized value $Shorewall::Nat::raw::currentline in
       pattern match (m//) at /usr/share/shorewall/Shorewall/Nat.pm
       line 511, <$currentfile> line nnn.

    and the generated 'masq' file contained only initial comments.

    That has been corrected.

5.2.3.1

1)  An issue in the implementation of policy file zone exclusion,
    released in 5.2.3, has been resolved. In the original release,
    if more than one zone was excluded, then the following error was
    raised:

        ERROR:  'all' is not allowed in a source zone list
                etc/shorewall/policy (line ...)

5.2.3

1)  To prevent a helper kernel module from being loaded, it was
    previously necessary to list both its current name and its
    pre-kernel-2.6.20 name in the DONT_LOAD option in
    /etc/shorewall[6].conf. For example, to prevent nf_conntrack_sip
    from being loaded, it was necessary to also list ip_conntrack_sip
    in DONT_LOAD. That is no longer necessary.

----------------------------------------------------------------------------
                   N E W  F E A T U R E S  I N  5 . 2 . 2
----------------------------------------------------------------------------

1)  New macros have been contributed by Vincas Dargis:

        Bitcoin
        Tor
        ONCRPC

    Additionally, Tuomo Soini has contributed a WUDO (Windows Update
    Delivery Optimization) macro.

2)  The Perl modules have undergone some cleanup/optimization.

3)  Given that recent kernels have dropped ULOG support, use of ULOG in
    Shorewall is now deprecated and results in a warning message. The
    warning can be eliminated by switching to NFLOG and ulogd2.

4)  Shorewall can now detect interface default gateways configured by
    Network Manager.

5)  Inline matches are now supported in the 'conntrack' file.

6)  In the 'accounting' file, Inline matches in an INLINE(...) rule now
    allow a leading '+' to cause the matches to be evaluated before
    those generated by the column specifications.

7)  In view of the fact that some modems take an eternity to recover
    from a power failure, the limit of the 'wait' interface option
    setting has been increased from 120 seconds (2 minutes) to 300
    seconds (5 minutes).

----------------------------------------------------------------------------
             P R O B L E M S  C O R R E C T E D  I N  5 . 2 . 2
----------------------------------------------------------------------------

5.2.2.1

1)  A typo has been corrected in shorewall-providers(5). The manpage
    previously referred to RESTORE_DEFAULT_OPTION; that should have
    been RESTORE_DEFAULT_GATEWAY.

5.2.2

1)  This release includes defect repair through Shorewall 5.2.1.4.

2)  When processing inline matches, the compiler previously inserted
    the matches before the column-generated matches if there was a plus
    sign ("+") anywhere in the matches. Now, it only does so if the
    first non-blank character in the matches is a plus sign.

----------------------------------------------------------------------------
             P R O B L E M S  C O R R E C T E D  I N  5 . 2 . 1
----------------------------------------------------------------------------

5.2.1.4

1)  A change in 5.2.0.5 that corrected an ip[6]tables error in the
    UNTRACKED section of the rules file, changed the name of the chain
    used to hold UNTRACKED rules. Previously, the chain was named
    &z1-z2, where 'z1' is the source zone and 'z2' is the
    destination; after the change, the chain was named =z1-z2.
    Unfortunately, some log messages generated out of these chains
    still referred to &z1-z2; that has been corrected.

2)  Some dead/silly code has been removed from two functions in
    the Chains.pm Perl module. The two functions have been combined
    into a single function.

3)  When the RATE column contains both a source and a destination rate,
    it was previously impossible to specify a netmask (VLSM) on either
    rate. Attempting to specify a mask would result in:

        ERROR: Invalid rate (...)

    That has been corrected. Note that when specifying a
    netmask, the leading 's' or 'd' may not be omitted.

4)  Several typos in the man pages have been corrected (Roberto
    Sánchez).

5.2.1.3

1)  When a configuration had optional interfaces but no providers, the
    'status -i' command previously would fail to show interface status
    for interfaces that had not been disabled or enabled since the
    last start, restart or reload. That has been corrected.

5.2.1.2

1)  The fix for DOCKER=Yes in 5.2.1.1 inadvertently resulted in an
    assertion failure when processing a 'check -r' command when
    DOCKER=Yes. That has been corrected. As part of that change,
    empty 'cat' commands in the generated script were eliminated.

2)  When the HELPER target is used with an empty HELPER column, the
    error message produced previously incorrectly read:

          ERROR: HELPER require requires that ...

    That has been corrected so that the message now reads:

          ERROR: HELPER requires that ...

3)  On Centos 7, the following journal message appeared when Shorewall
    attempted to load kernel modules:

      nf_log: can't load ipt_ULOG, conflicting nfnetlink_log already
              loaded

    To eliminate that message, Shorewall no longer attempts to load
    ipt_ULOG. Note that most current distributions no longer support
    ULOG. Current users of ULOG should convert to using NFLOG at the
    earliest opportunity.

5.2.1.1

1)  The Perl module versions were not updated for the 5.2.1
    release. That has been corrected.

2)  The lib.common file previously confused Emacs such that editing the
    file in shell mode was awkward. Because lib.common is included in
    compiled scripts, this defect also made editing a compiled script
    awkward. The issue has been resolved, so that the file now renders
    properly in Emacs's shell mode.

3)  Previously, if ip6tables-restore failed during Shorewall6 start,
    restart or reload, the resulting error message indicated that
    iptables-load had failed. That has been corrected.

4)  Setting DOCKER=Yes did not work correctly with Docker version
    18.03.1-ce. In that version, the DOCKER-ISOLATION chain was
    replaced by a pair of chains: DOCKER-ISOLATION-STAGE-1 and
    DOCKER-ISOLATION-STAGE-2. That has been corrected. As part of this
    change, Shorewall now correctly handles the DOCKER-USER chain as
    well as the two new isolation chains.

5)  Previously, if there were multiple 'balance' providers and more
    than one of them were experiencing carrier loss, then the 'enable' and
    'disable' operations could fail. That has been corrected.

5.2.1

1)  This release contains defect repair up through Shorewall 5.2.0.5.

2)  Previously, if:

    a) IP[6]TABLES was not set in shorewall[6].conf; and
    b) The ip[6]tables binary was not found on the PATH.

    then a shell 'not found' error on 'fatal-error' was generated. That
    has been corrected (Matt Darfeuille).

3)  A number of files in the Shorewall-common package have had their
    heading version updated to version 5.2 (Matt Darfeuille).

4)  Previously, if statistical load balancing ('load=<load-factor>' in
    provider OPTIONS) was configured on providers that shared an
    interface, then the compiler would die with an assertion
    failure. That has been corrected so that this combination now works
    as expected.

5)  Where two or more providers share a network interface, the
    'optional' interface/provider option has never worked correctly.
    Beginning with this release, the 'optional' option is disallowed
    on such interfaces and providers.

6)  Previously, when rate limiting was applied to a DNAT or
    REDIRECT rule, rate limiting was applied to the accompanying
    ACCEPT rule. Since logging is applied in the DNAT/REDIRECT rule, if
    the connection failed the rate limit then the connection attempt
    could be logged twice - once in the nat table and once when the
    applicable policy was applied. Beginning with this release, rate
    limiting is applied to the DNAT/REDIRECT rule so that no nat-table
    logging occurs if the connection attempt exceeds the rate limit.

7)  Some regular expressions used in Shorewall's Perl code will be
    disallowed by Perl version 5.23. These have been changed to be
    acceptable to that version of Perl.

8)  Previously, if SNAT(detect) was used on an optional interface and
    the resulting ip[6]tables rule was unreachable, then invalid shell
    code similar to the following was generated:

         if [ "$SW_PPP1_ADDRESS" != 0.0.0.0 ]; then
         fi

    That has been corrected such that the above code is not generated
    and a warning message is issued, indicating that the entry generated
    no ip[6]tables rule.

----------------------------------------------------------------------------
                   N E W  F E A T U R E S  I N  5 . 2 . 1
----------------------------------------------------------------------------

5.2.1.2

1)  A new variable SW_CONFDIR has been added. $SW_CONFDIR evaluates to
    $CONFDIR/shorewall[6] if no directory name is passed to a compile,
    check, start, restart or reload command. If a directory name is
    passed to one of these commands, then $SW_CONFDIR expands to that
    directory name.

5.2.1

1)  New macros for IPFS (https://ipfs.io/) have been contributed by
    Răzvan Sandu.

2)  Several new man pages have been added:

    - shorewall-addresses(5) describes specification of addresses in
      shorewall configuration files.

    - shorewall-files(5) describes the shorewall configuration files
      together with features common to multiple files.

    - shorewall-logging(5) describes shorewall's logging facilities.

    - shorewall-names(5) describes restrictions on names used in
      Shorewall configuration files.

    Additional man pages will be included in future 5.2.1 pre-releases.

3)  In the SOURCE and DEST columns, it is now possible to exclude an
    interface by preceding the interface name with '!'. This is useful
    for excluding the loopback interface (lo).

    Example from the mangle file:

        #ACTION         SOURCE          DEST
        DROP:T          127.0.0.0/8     !lo

4)  The MARK, CONNMARK, SAVE and RESTORE commands may now be placed in
    the nat table through use of new chain designators in the mangle
    file:

        NP - nat table PREROUTING chain
        NI - nat table INPUT chain
        NO - nat table OUTPUT chain
        NT - nat table POSTROUTING chain

5)  When TC_EXPERT=Yes, it is now possible to specify any mark/mask
    values that are displayed by the 'show marks' command, including
    the Exclusion and TPROXY values.

6)  The configure and install scripts now support ALT Linux (Alexey
    Shabalin).

7)  The verbosity of the 'remote-*' CLI commands has been increased
    (Matt Darfeuille).

8)  You may now specify a VLSM in the RATE columns of the policy and
    rules files, when per-IP limiting is used. This results in one hash
    table entry per subnet rather than one entry per host, and applies
    the limit to the subnet. See shorewall-policy(5) and
    shorewall-rules(5) for details. This provides a means for reducing
    the size of the hash tables.

9)  You may now specify the number of hash table buckets and the
    maximum number of hash table entries in the RATE columns of the
    policy and rules files, when per-IP limiting is used. This allows
    you to increase the size of the tables to more fully handle DDOS
    attacks. See shorewall-policy(5) and shorewall-rules(5) for
    details.
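
    To make the trade-off in items 8) and 9) concrete, here is an added
    model (not Shorewall code, and not the kernel's hashlimit match that
    Shorewall's per-IP RATE limits are built on) of a per-source token
    bucket keyed by the masked source address. With a VLSM of 32 every
    host gets its own table entry; with a VLSM of 24 all hosts of a /24
    share one entry and one limit; and a table capped at N entries cannot
    track the (N+1)th source. The rates, burst sizes, addresses and the
    table-full behaviour (a new source that cannot be tracked is treated
    as over the limit) are this example's own choices.

```python
"""Per-source rate limiting keyed by subnet (added example, not Shorewall code).

A token bucket per hash-table key, where the key is the source address
masked to 'vlsm' bits. Illustrates how a VLSM shrinks the table and how
a bounded table behaves under a flood from many sources.
"""
import ipaddress


class PerSourceLimiter:
    def __init__(self, rate_per_sec, burst, vlsm=32, max_entries=None):
        self.rate = float(rate_per_sec)     # tokens refilled per second
        self.burst = float(burst)           # bucket capacity
        self.vlsm = vlsm                    # mask length applied to the source
        self.max_entries = max_entries      # None = unbounded table
        self.table = {}                     # key -> [tokens, last_seen]

    def key_for(self, src):
        # Apply the mask so that all hosts of the subnet share one entry.
        return str(ipaddress.ip_network(f"{src}/{self.vlsm}", strict=False))

    def allow(self, src, now):
        """True if a packet from src at time 'now' is within the limit."""
        key = self.key_for(src)
        entry = self.table.get(key)
        if entry is None:
            if self.max_entries is not None and len(self.table) >= self.max_entries:
                return False    # model choice: untrackable new source is over limit
            entry = self.table[key] = [self.burst, now]
        tokens, last = entry
        tokens = min(self.burst, tokens + (now - last) * self.rate)   # refill
        entry[1] = now
        if tokens >= 1.0:
            entry[0] = tokens - 1.0
            return True
        entry[0] = tokens
        return False

    def entries(self):
        return len(self.table)


def flood(limiter, subnet, packets_per_host, now=0.0):
    """Every host of 'subnet' sends packets_per_host packets at once.

    Returns how many packets the limiter accepted.
    """
    accepted = 0
    for host in ipaddress.ip_network(subnet).hosts():
        for _ in range(packets_per_host):
            if limiter.allow(str(host), now):
                accepted += 1
    return accepted


if __name__ == "__main__":
    for vlsm, cap in ((32, None), (24, None), (32, 100)):
        lim = PerSourceLimiter(rate_per_sec=1, burst=5, vlsm=vlsm, max_entries=cap)
        ok = flood(lim, "192.0.2.0/24", 1)   # 254 hosts, one packet each
        print(f"vlsm={vlsm:2} max_entries={cap}: accepted={ok:3} entries={lim.entries()}")
```

    The /24 case shows why the subnet mask both shrinks the table and
    tightens the limit: one bucket serves all 254 hosts. The capped case
    shows what item 9) is for: a table too small for the number of
    sources in a flood stops tracking new ones, so sizing it to the
    expected population matters as much as the rate itself.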

10) Eric Teeter has contributed a macro for Cockpit.

----------------------------------------------------------------------------
             P R O B L E M S  C O R R E C T E D  I N  5 . 2 . 0
----------------------------------------------------------------------------

5.2.0.1

1)  This release includes defect repair through Shorewall 5.1.12.4.

2)  The getrc and getcaps commands added in 5.2.0 did not read the
    params file. That has been corrected.

3)  A shell syntax error in the code that implements the 'ipdecimal'
    command has been corrected.

5.2.0

1)  This release includes defect repair through Shorewall 5.1.12.3.

2)  Previously, optimize category 8 (combine identical chains) was
    applied before optimize category 16 (eliminate duplicate rules,
    ...).  This could result (and has resulted) in uncombined identical
    chains in the final ruleset. Beginning with this release:

    a) Optimize category 16 will be applied before optimize category 8.
    b) If optimize category 8 combined any chains, then optimize
       category 16 will be applied again.

    This change ensures that the final ruleset has no duplicate chains
    and that all compatible adjacent port and state rules are combined.
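
    As an added illustration (not the compiler's code) of why the order
    in item 2) matters: a toy ruleset in which two chains differ only by
    an accidental duplicate rule. Running "combine identical chains"
    first finds nothing to combine; the later duplicate elimination then
    makes the chains identical, and they stay uncombined. Running
    duplicate elimination first, and again after each combine, reaches
    the fully combined result. The chain names and rules are constructed
    for this example, the duplicate elimination models only the
    adjacent-duplicate part of category 16, and the loop runs to a fixed
    point, which goes slightly beyond the two-pass description above.

```python
"""Order of 'eliminate duplicate rules' vs 'combine identical chains' (added example).

Not Shorewall code. Chains map to lists of rule strings; a jump is '-j NAME'.
eliminate_duplicate_rules() stands in for optimize category 16 (adjacent
duplicates only) and combine_identical_chains() for category 8.
"""
from copy import deepcopy

# Constructed sample: chk1 carries a duplicated rule, so chk1 and chk2 are
# identical only once that duplicate is gone; net-fw and loc-fw then differ
# only in which of the two they jump to.
SAMPLE = {
    "INPUT":  ["-i eth0 -j net-fw", "-i eth1 -j loc-fw"],
    "net-fw": ["-p tcp --dport 22 -j ACCEPT", "-j chk1"],
    "loc-fw": ["-p tcp --dport 22 -j ACCEPT", "-j chk2"],
    "chk1":   ["-m conntrack --ctstate ESTABLISHED -j ACCEPT",
               "-m conntrack --ctstate ESTABLISHED -j ACCEPT",
               "-j DROP"],
    "chk2":   ["-m conntrack --ctstate ESTABLISHED -j ACCEPT", "-j DROP"],
}
BUILTIN = {"INPUT"}     # builtin chains are never combined away


def eliminate_duplicate_rules(chains):
    """Category 16 (subset): drop a rule identical to the one just before it."""
    changed = False
    for name, rules in chains.items():
        kept = []
        for rule in rules:
            if kept and kept[-1] == rule:
                changed = True
            else:
                kept.append(rule)
        chains[name] = kept
    return changed


def _retarget(rule, renames):
    """Rewrite a trailing '-j NAME' when NAME has been merged into another chain."""
    parts = rule.split()
    if len(parts) >= 2 and parts[-2] == "-j" and parts[-1] in renames:
        parts[-1] = renames[parts[-1]]
    return " ".join(parts)


def combine_identical_chains(chains, protected):
    """Category 8: keep one chain per distinct body and redirect jumps to it."""
    keeper_for_body, renames = {}, {}
    for name in sorted(chains):
        if name in protected:
            continue
        body = tuple(chains[name])
        if body in keeper_for_body:
            renames[name] = keeper_for_body[body]
        else:
            keeper_for_body[body] = name
    if not renames:
        return False
    for name in renames:
        del chains[name]
    for name, rules in chains.items():
        chains[name] = [_retarget(r, renames) for r in rules]
    return True


def optimize_old_order(chains, protected=BUILTIN):
    """Pre-5.2.0 order: category 8 once, then category 16 once."""
    chains = deepcopy(chains)
    combine_identical_chains(chains, protected)
    eliminate_duplicate_rules(chains)
    return chains


def optimize_new_order(chains, protected=BUILTIN):
    """5.2.0 order: 16 first, then 8; rerun 16 (and 8) while 8 combines anything."""
    chains = deepcopy(chains)
    eliminate_duplicate_rules(chains)
    while combine_identical_chains(chains, protected):
        eliminate_duplicate_rules(chains)
    return chains


if __name__ == "__main__":
    print("old order leaves", len(optimize_old_order(SAMPLE)), "chains")
    print("new order leaves", len(optimize_new_order(SAMPLE)), "chains")
```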

3)  Previously, use of &lo would result in an error:

       ERROR: Can't determine the IP address of lo: Firewall state not changed

    That problem has been corrected such that &lo always expands to
    127.0.0.1 (IPv4) or ::1 (IPv6).

----------------------------------------------------------------------------
                   N E W  F E A T U R E S  I N  5 . 2 . 0
----------------------------------------------------------------------------

1)  The MAPOLDACTIONS option in shorewall.conf has been removed. This
    option provided compatibility with releases prior to Shorewall 3.0.
    'shorewall update' will remove the setting of this option from
    shorewall.conf.

2)  The INLINE_MATCH option has been removed. Shorewall now behaves as
    if INLINE_MATCH=No had been specified:

    - A single semicolon (';') is used to separate column-oriented
      input from column-name/value input.

    - The preferred method of specifying column-name/value input is to
      enclose such input in curly braces ("{....}").

    - A pair of semicolons (';;') is used to introduce raw IP[6]TABLES
      input. This is true in INLINE and IP[6]TABLES rules as well as
      rules with other targets.

    As part of this change, 'shorewall update' will replace ';' with
    ';;' in INLINE and IP[6]TABLES rules.

3)  With the wide availability of ipset-based blacklisting, the need
    for the 'refresh' command has been largely eliminated. As a result,
    that command has been removed.

    Some users may have been using 'refresh' as a lightweight form of
    reload. The most common of these uses seem to be for reloading
    traffic shaping after an interface has gone down and come back up.
    The best way to handle this situation under 5.2 is to make the
    interface 'optional' in your /etc/shorewall[6]/interfaces file,
    then either:

    - Install Shorewall-init and enable IFUPDOWN; or
    - Use the 'reenable' command when the interface comes back up
      in place of the 'refresh' command.

4)  The following deprecated macros and actions have been removed:

	Action A_AllowICMPs  - use AllowICMPs(A_ACCEPT)
	Action A_Drop	     - see below
	Action A_Reject	     - see below
	Action Drop	     - see below
	Action Reject	     - see below
	Macro SNMPTrap	     - use SNMPtrap

    The [A_]Drop and [A_]Reject actions are used primarily as policy
    actions. As part of this change, 'shorewall update' will update
    DROP_DEFAULT=[A_]Drop and REJECT_DEFAULT=[A_]Reject as follows:

      IPv4

        DROP_DEFAULT=Drop becomes Broadcast(DROP),Multicast(DROP)
        DROP_DEFAULT=A_Drop becomes
            Broadcast(A_DROP),Multicast(A_DROP)
        REJECT_DEFAULT=Reject becomes Broadcast(DROP),Multicast(DROP)
        REJECT_DEFAULT=A_Reject becomes
            Broadcast(A_DROP),Multicast(A_DROP)

      IPv6

        DROP_DEFAULT=Drop becomes
            AllowICMPs,Broadcast(DROP),Multicast(DROP)
        DROP_DEFAULT=A_Drop becomes
            AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)
        REJECT_DEFAULT=Reject becomes
            AllowICMPs,Broadcast(DROP),Multicast(DROP)
        REJECT_DEFAULT=A_Reject becomes
            AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)

    See the Migration Issues for additional information.

5)  A 'show saves' command has been added to list the snapshots
    created using the 'save' command.

    Example:

      root@gateway:~# shorewall show saves
      Shorewall 5.2.0 Saves at gateway - Thu Feb 15 11:58:37 PST 2018
      Saved snapshots are:

      Feb 15 10:08 foo
      Feb 14 12:34 restore (default)

      root@gateway:~#

    The snapshots are listed by creation time from latest to
    earliest. If the name of one matches the RESTOREFILE setting, that
    snapshot is marked as the default for the 'restore' command.

6)  For installing into a Sandbox, the file shorewallrc.sandbox has
    been added to Shorewall-core. See
    http://www.shorewall.org/install.htm#idm327.

7)  The "Use Pkttype Match (USEPKTTYPE)" capability is no longer used
    and has been deleted. This removal has introduced a new
    capabilities version.

8)  When a log message is issued from a chain that relates to a pair of
    zones (e.g., 'fw-net'), the chain name normally appears in the log
    message (unless LOGTAGONLY=Yes and a log tag is specified). This
    can prevent OPTIMIZE category 8 from combining chains which are
    identical except for chain names in logging rules. The new
    LOG_ZONE option in shorewall[6].conf allows for only the source or
    destination zone to appear in the messages by setting LOG_ZONE to
    'src' or 'dst' respectively. If LOG_ZONE=both (the default), then
    the full chain name is included in log messages.

    Setting LOG_ZONE=src has been shown to decrease the size of the
    generated ruleset by more than 10 percent in some cases. Your
    results may vary.

9)  Traditionally, when OPTIMIZE category 8 is enabled, identical
    chains are combined under a name beginning with '~comb' or
    '~blacklist'. Beginning with this release, setting
    RENAME_COMBINED=Yes (the default) in shorewall[6].conf retains that
    behavior. If RENAME_COMBINED=No, identical chains are combined
    under the original name of one of the chains.

10) When AUTOMAKE=Yes, each directory in the CONFIG_PATH was originally
    searched recursively for files newer than the compiled script. That
    was changed in Shorewall 5.1.10.2 such that only the listed
    directories themselves were searched. That broke some
    configurations that played tricks with embedded SHELL such as:

       SHELL cat /etc/shorewall/rules.d/loc/*.rules

    Prior to 5.1.10.2, a change to a file in or adding a file to
    /etc/shorewall/rules.d/loc/ would trigger recompilation. Beginning
    with 5.1.10.2, such changes would not trigger
    recompilation.

    Beginning with this release, the pre-5.1.10.2 behavior can be
    obtained by setting AUTOMAKE=recursive.

    Also beginning with this release, AUTOMAKE may be set to a numeric
    <depth> which specifies how deeply each listed directory is to be
    searched. AUTOMAKE=1 only searches each directory itself and is
    equivalent to AUTOMAKE=Yes. AUTOMAKE=2 will search each directory
    and its immediate sub-directories; AUTOMAKE=3 will search each
    directory, each of its immediate sub-directories, and each of their
    immediate sub-directories, etc.
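An added example of the depth-limited staleness check these AUTOMAKE settings describe, written for these notes and not Shorewall's own implementation: it maps Yes, a numeric <depth> and 'recursive' onto a search of each CONFIG_PATH directory for files newer than the compiled script. The function name and its arguments are assumptions.

```shell
#!/bin/sh
# Added illustration, not Shorewall's own AUTOMAKE code: decide whether the
# compiled firewall script is stale by searching each CONFIG_PATH directory
# for files newer than it, with the search depth taken from the AUTOMAKE
# setting as described above: Yes (depth 1), a numeric <depth>, or
# 'recursive' (unlimited). No means the timestamps are never consulted.
#
#   automake_stale CONFIG_PATH AUTOMAKE COMPILED_SCRIPT
#
# returns 0 when a newer file is found (recompile), 1 when the script is
# current, and 2 on an invalid AUTOMAKE value.
automake_stale() {
    config_path=$1 mode=$2 script=$3
    case $mode in
        [Nn]o)        return 1 ;;
        [Yy]es)       depth_opt="-maxdepth 1" ;;
        [Rr]ecursive) depth_opt="" ;;
        ''|*[!0-9]*)  echo "invalid AUTOMAKE setting: $mode" >&2; return 2 ;;
        *)            depth_opt="-maxdepth $mode" ;;
    esac
    # No compiled script yet: a compile is always needed.
    [ -f "$script" ] || return 0
    # CONFIG_PATH is colon-separated, like PATH.
    old_ifs=$IFS; IFS=:
    set -- $config_path
    IFS=$old_ifs
    for dir do
        [ -d "$dir" ] || continue
        # -maxdepth N counts from the listed directory itself (depth 0), so
        # -maxdepth 1 is "the directory only" and -maxdepth 2 adds its
        # immediate sub-directories. depth_opt is intentionally unquoted.
        if [ -n "$(find "$dir" $depth_opt -type f -newer "$script" -print \
                   2>/dev/null | head -n 1)" ]; then
            return 0
        fi
    done
    return 1
}
```

With the SHELL trick from the text, a file added under /etc/shorewall/rules.d/loc/ is only seen when the depth reaches it, which is why AUTOMAKE=Yes misses it and AUTOMAKE=recursive (or a large enough number) catches it.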

11) Previously, the maximum depth of INCLUDEs was four (although the
    documentation gave the limit as three). Beginning with this
    release, that limit has been raised to 20.

12) Support for the deprecated 'masq' file has been deleted. Any
    existing 'masq' file will automatically be converted to the
    equivalent 'snat' file.

13) Three new shorewall commands have been implemented:

    a)  show rc

        Displays the contents of the shorewallrc file
        ($SHAREDIR/shorewall/shorewallrc).

    b)  getcaps

        Generates a capabilities file on a remote system and copies it
        to a directory on the local system.

    c)  getrc

        Copies the shorewallrc file from a remote system to a directory
        on the local system.

    See shorewall(8) for details.

    Implemented by Matt Darfeuille
