Update release notes

Shorewall/releasenotes.txt

@@ -58,11 +58,32 @@ None.
     to segregate IPSEC traffic from non-IPSEC traffic. See 'man
     shorewall-accounting' (man shorewall6-accounting) for details.
 
-    Note that accounting rules that have a non-empty IPSEC column
-    may only appear in the 'accipsecin' and 'accipsecout' chains. The
-    former contains rules that select de-capsulated/decrypted traffic
-    while the latter contains rules that select traffic that will be
-    encapsulated/encrypted.
+    With this change, there are now three trees of accounting chains:
+
+    - The one rooted in the 'accounting' chain.
+    - The one rooted in the 'accipsecin' chain. This tree handles
+      traffic that has been decrypted on the firewall. Rules in this
+    - tree cannot specify an interface name in the DEST column.
+    - The one rooted in the 'accipsecout' chain. This tree handles
+      traffic that will be encrypted on the firewall. Rules in this
+    - tree cannot specify an interface name in the SOURCE column.
+
+    In reality, when there are bridges defined in the configuration,
+    there is a fourth tree rooted in the 'accountout' chain. That chain
+    handles traffic that originates on the firewall (both IPSEC and
+    non-IPSEC).
+
+    This change also implements a couple of new warnings:
+
+    - WARNING: Adding rule to unreferenced accounting chain <name>
+
+      The first reference to user-defined accounting chain <name> is
+      not a JUMP or COUNT from an already-defined chain.
+
+    - WARNING: Accounting chain <name> has o references
+
+      The named chain contains accounting rules but no JUMP or COUNT
+      specifies that chain as the target.
 
 ----------------------------------------------------------------------------
              I V.  R E L E A S E  4 . 4  H I G H L I G H T S