Merge branch '5.2.7'

docs/ISO-3661.xml

@@ -57,11 +57,8 @@
 </programlisting>
 
     <para>Using this feature requires the <firstterm>GeoIP Match</firstterm>
-    capability in your iptables and kernel. As of this writing, that
+    capability in your iptables and kernel. That capability requires <ulink
-    capability requires installing <ulink
+    url="https://dev.maxmind.com/geoip/geoip2/geolite2/">creating a
-    url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink> 1.33
-    or later and <ulink
-    url="http://xtables-addons.sourceforge.net/geoip.php">creating a
     country-code database</ulink>.</para>
 
     <para>The Shorewall compiler uses the geoip country-code database to
@@ -83,11 +80,19 @@
     <para>To accomodate both big-endian and little-endian machines as well as
     any future ability to install the database at another location, Shorewall
     supports a GEOIPDIR option in <ulink
-    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) and <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5) and <ulink
-    url="manpages/shorewall.conf.html">shorewall6.conf</ulink> (5). The
+    url="manpages/shorewall.conf.html">shorewall6.conf</ulink>(5). The default
-    default value of that option is
+    value of that option is
     <filename>/usr/share/xt_geoip/LE</filename>.</para>
 
+    <important>
+      <para>Recent versions of the country-code database are installed in
+      <filename>/usr/share/xt_geoip/, regardless of endian convention. This
+      requires modifying the setting of GEOIPDIR in <ulink
+      url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) and <ulink
+      url="manpages/shorewall.conf.html">shorewall6.conf</ulink>(5).</filename></para>
+    </important>
+
     <para>The country codes at the time of this writing are shown in the
     following two sections.</para>
   </section>

docs/ipsets.xml

@@ -145,7 +145,8 @@ ACCEPT       net:+sshok       $FW      tcp      22</programlisting></para>
     <para>Beginning with Shorewall 4.4.14, multiple source or destination
     matches may be specified by placing multiple set names in '+[...]' (e.g.,
     +[myset,myotherset]). When so enclosed, the set names need not be prefixed
-    with a plus sign.</para>
+    with a plus sign. When such a list of sets is specified, matching packets
+    must match all of the listed sets.</para>
 
     <para>Shorewall can save/restore your ipset contents with certain
     restrictions:</para>

docs/simple_traffic_shaping.xml

@@ -93,6 +93,13 @@
     qdisc but seems to provide a benefit when the actual link output
     temporarily drops below the limit imposed by tbf or when tbf allows a
     burst of traffic to be released.</para>
+
+    <caution>
+      <para>IPSec traffic passes through traffic shaping twice - once en clair
+      and once encrypted and encapsulated. As a result, throughput may be
+      significantly less than configured if IPSEC packets form a significant
+      percentage of the traffic being shaped.</para>
+    </caution>
   </section>
 
   <section>

docs/traffic_shaping.xml

@@ -385,6 +385,14 @@
             The default burst is 10kb, but on my 50mbit line, I specify 200kb.
             (50mbit:200kb).</para>
           </note>
+
+          <caution>
+            <para>Incoming IPSec traffic traverses traffic shaping twice -
+            firs as encrypted and encapsulated ESP packets and then en clair.
+            As a result, incoming bandwidth can be significantly less than
+            specified if IPSEC packets form a significant part of inoming
+            traffic.</para>
+          </caution>
         </listitem>
 
         <listitem>