Document portlist-splitting change

Shorewall/Perl/Shorewall/Chains.pm

@@ -443,9 +443,18 @@ sub push_rule( $$ ) {
 }
 
 #
-# Post-process a rule having an port list. Split the rule into multiple rules if necessary
+# Post-process a rule having a port list. Split the rule into multiple rules if necessary
 # to work within the 15-element limit imposed by iptables/Netfilter.
 #
+# The third argument ($dport) indicates what type of list we are spltting:
+#
+#      $dport == 1     Destination port list
+#      $dport == 0     Source port list
+#
+# When expanding a Destination port list, each resulting rule is checked for the presence
+# of a Source port list; if one is present, the function calls itself recursively with
+# $dport == 0.
+#
 sub handle_port_list( $$$$$$ );
 
 sub handle_port_list( $$$$$$ ) {

Shorewall/changelog.txt

@@ -20,7 +20,7 @@ Changes in Shorewall 4.4.1
 
 10) Change one-interface sample to IP_FORWARDING=Off.
 
-11) Allow multicast to non-dynamic zones with nets=.
+11) Allow multicast to non-dynamic zones defined with nets=.
 
 12) Allow zones with nets= to be extended by /etc/shorewall/hosts
     entries.
@@ -33,6 +33,8 @@ Changes in Shorewall 4.4.1
 
 16) Tighen up zone membership checking.
 
+17) Combine portlist-spitting routines into a single function.
+
 Changes in Shorewall 4.4.0
 
 1)  Fix 'compile ... -' so that it no longer requires '-v-1'