From 54f368c413d10b71d2b372b2ac7bfbe8b84f49c1 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 28 Apr 2011 12:21:59 -0700 Subject: [PATCH] Document fix for ORIGINAL DEST Signed-off-by: Tom Eastep --- Shorewall/changelog.txt | 3 ++- Shorewall/releasenotes.txt | 15 ++++++++++++++- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 48c1896ac..53ddc6b9b 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -1,6 +1,7 @@ Changes in Shorewall 4.4.19.2 -None. +1) Restore the ability to have IPSET names in the ORIGINAL DEST column + of a DNAT or REDIRECT rule. Changes in Shorewall 4.4.19.1 diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 769f392fb..4ce7abc91 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -15,7 +15,20 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES 4.4.19.2 -None. +1) In Shorewall-shell, there was the ability to specify IPSET names in + the ORIGINAL DEST column of DNAT and REDIRECT rules. That ability, + inadvertently dropped in Shorewall-perl, has been restored. + + CAUTION: When an IPSET is used in this way, the server port is + opened from the SOURCE zone. + + Example: + + DNAT net dmz:10.1.1.2 tcp 80 - +foo + + will implicitly add this rule + + ACCEPT net dmz:10.1.1.2 tcp 80 4.4.19.1
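Review bot: In the Shorewall/changelog.txt hunk, the new entry 1) under "Changes in Shorewall 4.4.19.2" says the ability was restored, but the diffstat shows this patch touching only changelog.txt and releasenotes.txt, so nothing here ties the entry to the code change that performs the restoration. Consider naming the fixing commit in the commit message, or folding this documentation into that commit, so the entry and the fix can be traced to each other. The entry could also carry a short pointer to the release-notes CAUTION, since the changelog text on its own gives no hint that using an IPSET in ORIGINAL DEST affects which traffic is accepted.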
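Review bot: In the Shorewall/releasenotes.txt hunk, the CAUTION paragraph ("the server port is opened from the SOURCE zone") is too terse for the security-relevant point the example makes. The DNAT line is limited to original destinations in +foo, while the implied rule shown, "ACCEPT net dmz:10.1.1.2 tcp 80", has no ORIGINAL DEST restriction at all, so as written it accepts tcp 80 from the whole net zone to 10.1.1.2 regardless of set membership. Suggest saying that directly, for example that the implied ACCEPT rule is not limited to the addresses in the IPSET, so a reader auditing the rule set knows the filter rule is broader than the NAT rule. As a style point, "will implicitly add this rule" should end with a colon to introduce the ACCEPT line that follows.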