From 6603978ba43d2fcb42433abc95b93a8fff765d97 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 3 May 2011 13:54:54 -0700 Subject: [PATCH] Document double exclusion fix --- Shorewall/changelog.txt | 2 ++ Shorewall/releasenotes.txt | 11 ++++++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index bacc4305f..64ae4476d 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -5,6 +5,8 @@ Changes in Shorewall 4.4.19.2 2) Correct several complex TC issues reported by Mr Dash4. +3) Detect double exclusion involving ipset expressions. + Changes in Shorewall 4.4.19.1 1) Eliminate silly duplicate rule when stopped. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index f051fa33d..be63ef0d4 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -54,7 +54,16 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES now results in a compilation error. d) Where there are more than 10 tcdevices, tcfilter entries could - generate invalid rules. + generate invalid rules. + +3) Double exclusion involving ipset lists was previously not detected, + resulting in anomalous behavior. + + Example: + + ACCEPT:info $FW net:!10.1.0.7,10.1.0.9,+[!my-host[src]]] + + Such cases now result in a compilation error. 4.4.19.1
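Review bot: In the Shorewall/changelog.txt hunk, the new entry 3) says "ipset expressions" while the release note added by the same patch says "ipset lists"; use one term in both files so the two entries can be matched by someone searching either one. The entry also says only "Detect", whereas the release note states that such cases now result in a compilation error; saying that in the changelog line would make the behavior change visible there too.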
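Review bot: In the Shorewall/releasenotes.txt hunk, the example rule has unbalanced brackets: "+[!my-host[src]]]" opens two brackets and closes three, so the reader cannot tell which form actually triggers the new error; please correct the example. It would also help to state which two "!" make up the double exclusion (the one before 10.1.0.7 and the one inside the ipset brackets) and to describe "anomalous behavior" concretely, because a rule that matched differently from how it was written is something users will want to audit their existing rules for before upgrading. Separately, the "generate invalid rules." line is removed and re-added with no visible change in text, which looks like a whitespace-only edit; drop it from this patch or confirm it does not introduce trailing whitespace.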