Extend release notes and correct typos

Shorewall/releasenotes.txt

@@ -43,6 +43,10 @@ Shorewall 4.4.0
 
 10) Support for per-IP traffic shaping classes has been added.
 
+11) Support for netfilter's TRACE facility has been added. TRACE allows
+    you to trace selected packets through Netfilter, including marking
+    by tcrules. 
+
 ----------------------------------------------------------------------------
                     M I G R A T I O N   I S S U E S
 ----------------------------------------------------------------------------
@@ -65,20 +69,26 @@ Shorewall 4.4.0
        http://www.shorewall.net/Shorewall-perl.html#Incompatibilities
        and make changes to your configuration as necessary.
 
+    We strongly recommend that you migrate to Shorewall-perl on your
+    current Shorewall version before upgrading to Shorewall 4.4.0. That
+    way, you can have both Shorewall-shell and Shorewall-perl available
+    until you are certain that Shorewall-perl is working correctly for
+    you.
+
 2)  The 'shorewall stop', 'shorewall clear', 'shorewall6 stop' and
     'shorewall6 clear' commands no longer read the 'routestopped'
     file. The 'routestopped' file used is the one that was present at
     the last 'start', 'restart' or 'restore' command.
 
-    IMPORTANT: If you modify the routestopped file, you must restart
+    IMPORTANT: If you modify the routestopped file, you must refresh or
-    Shorewall before the changes to that file take effect.
+    restart Shorewall before the changes to that file take effect.
 
 3)  The old macro parameter syntax (e.g., SSH/ACCEPT) is now deprecated
     in favor of the new syntax (e.g., SSH(ACCEPT)). The 4.4 documentation
     uses the new syntax exclusively, although the old syntax
     continues to be supported.
 
-    The sample configuration also use the new syntax.
+    The sample configurations also use the new syntax.
 
 4)  Support for the SAME target in /etc/shorewall/masq and
     /etc/shorewall/rules has been removed, following the removal of the
@@ -208,7 +218,7 @@ None.
 		   IPv6 firewall scripts generated by Shorewall6.
 
 2)  The interfaces file supports a new 'nets=' option. This option
-    allows users to restrict a zone's definition to particular networks
+    allows you to restrict a zone's definition to particular networks
     through an interface without having to use the hosts file.
 
     Example interfaces file:
@@ -262,7 +272,7 @@ None.
     the connection over which that last packet was sent.
 
     When used in the OUTPUT chain, it causes all matching connections
-    to an individual remote system to all use the same provider.
+    to an individual remote system to use the same provider.
 
     For example:
 
@@ -285,10 +295,17 @@ None.
     executed the command copies itself to
     /var/lib/shorewall[6]/firewall.
 
+    As always, /var/lib/shorewall[6] is the default directory which may
+    be overridden using the /etc/shorewall[6]/vardir file.
+
 5)  Dynamic zone support is once again available for IPv4. This support 
     is built on top of ipsets so you must have the xtables-addons
     installed on the firewall system.
 
+    See http://www.shorewall.net/Dynamic.html for information about
+    this feature and for instructions for installing xtables-addons on
+    your firewall.
+
     Dynamic zones are available when Shorewall-lite is used as well.
 
     You define a zone as having dynamic content in one of two ways:
@@ -316,7 +333,7 @@ None.
        /etc/shorewall/vardir (/etc/shorewall-lite/vardir).
 
     b) During 'start', 'restart' and 'restore' processing, Shorewall
-       will then attempt to create an ipset named <zone>_<interface>
+       will attempt to create an ipset named <zone>_<interface>
        for each zone/interface pair that has been specified as
        dynamic. The type of ipset created is 'iphash' so that only
        individual IPv4 addresses may be added to the set.
@@ -343,11 +360,12 @@ None.
     These commands are supported by shorewall-lite as well.
 
 6)  The generated program now attempts to detect all dynamic
-    information when it first starts. If any of those steps fail, an
+    information when it first starts. Dynamic information includes IP
-    error message is generated and the state of the firewall is not
+    addresses, default gateways, networks routed through an interface,
-    changed.
+    etc. If any of those steps fail, an error message is generated and
+    the state of the firewall is not changed.
 
-7)  To improve readability of the configuration files, Shorewall now
+7)  To improve the readability of configuration files, Shorewall now
     allows leading white space in continuation lines when the continued
     line ends in ":" or ",".
 
@@ -461,7 +479,7 @@ None.
 	 ...
 	 -A log0 -j LOG --log-level 6
 	    --log-prefix "Shorewall:loc2net:REJECT:" 
-	 -A log0 -p 6 --dport 25 -j reject 
+	 -A log0 -j reject 
 
     Notice that now there is only a single rule generated in the
     'loc2net' chain where before there were two. Packets for other than
@@ -566,7 +584,7 @@ None.
     For example, suppose that your internal network is 192.168.1.0/29
     (host IP addresses 192.168.1.1 - 192.168.1.6). Your first notion
     might be to use IPMARK(src,0xFF,0x10000) so as to produce class IDs
-    1:1 through 1:6. But 1:1 is the class ID if the base HTB class on
+    1:1 through 1:6. But 1:1 is the class ID of the base HTB class on
     interface 1. So you might chose instead to use
     IPMARK(src,0xFF,0x10100) as shown in the example above so as to
     avoid minor class 1.
@@ -614,8 +632,8 @@ None.
     class number when none is given.
 
     - Prior to this change, the class number was constructed by concatinating
-      the mark value with the either '1' or '10'. '10' is used when
+      the mark value with the either '1' or '10'. '10' was used when
-      there are more than 10 devices defined in /etc/shorewall/tcdevices.
+      there were more than 10 devices defined in /etc/shorewall/tcdevices.
 
     - Beginning with this change, a new method is added; class numbers
       are assigned sequentially beginning with 2.
@@ -632,9 +650,10 @@ None.
     column) must be >= 65536 (0x10000) and must be a multiple of 65536
     (0x1000, 0x20000, 0x30000, ...).
 
-16) In the 'shorewall compile' command, the filename '-' now causes
+16) In the 'shorewall compile' and 'shorewall6 compile' commands, the
-    the compiled script to be written to Standard Out. As a side
+    filename '-' now causes the compiled script to be written to
-    effect, the effective VERBOSITY is set to -1 (silent).
+    Standard Out. As a side effect, the effective VERBOSITY is set to
+    -1 (silent).
 
     Examples:
 
@@ -647,7 +666,8 @@ None.
 
 17) Supplying an interface name in the SOURCE column of
     /etc/shorewall/masq is now deprecated. Entering the name of an
-    interface there will result in a compile-time warning.
+    interface there will result in a compile-time warning (see the
+    Migration Considerations above).
 
 18) Shorewall now supports nested HTB traffic shaping classes.  The
     nested classes within a class can borrow from their parent class in
@@ -688,13 +708,12 @@ None.
     Local traffic (that coming from the firewall and from the DMZ
     server) is placed in the effectively unrestricted class 1:10. The
     default class is guaranteed half of the download capacity and my
-    work system (172.20.1.107) is guarandeed the other half.
+    work system (172.20.1.107) is guarandeed the other half.	
-	
 
 19) Support for the "Hierarchical Fair Service Curve" (HFSC) queuing
-    discipline has been added. HFSC is superior to the "Hierarchical
+    discipline has been added. HFSC is claimed to be superior to the
-    Token Bucket" queuing discipline where realtime traffic such as
+    "Hierarchical Token Bucket" queuing discipline where realtime
-    VOIP is being used.
+    traffic such as VOIP is being used.
 
     An excellent overview of HFSC on Linux may be found at
     http://linux-ip.net/articles/hfsc.en/.