diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 16e2db1dc..284a5525a 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -58,11 +58,32 @@ None. to segregate IPSEC traffic from non-IPSEC traffic. See 'man shorewall-accounting' (man shorewall6-accounting) for details. - Note that accounting rules that have a non-empty IPSEC column - may only appear in the 'accipsecin' and 'accipsecout' chains. The - former contains rules that select de-capsulated/decrypted traffic - while the latter contains rules that select traffic that will be - encapsulated/encrypted. + With this change, there are now three trees of accounting chains: + + - The one rooted in the 'accounting' chain. + - The one rooted in the 'accipsecin' chain. This tree handles + traffic that has been decrypted on the firewall. Rules in this + - tree cannot specify an interface name in the DEST column. + - The one rooted in the 'accipsecout' chain. This tree handles + traffic that will be encrypted on the firewall. Rules in this + - tree cannot specify an interface name in the SOURCE column. + + In reality, when there are bridges defined in the configuration, + there is a fourth tree rooted in the 'accountout' chain. That chain + handles traffic that originates on the firewall (both IPSEC and + non-IPSEC). + + This change also implements a couple of new warnings: + + - WARNING: Adding rule to unreferenced accounting chain + + The first reference to user-defined accounting chain is + not a JUMP or COUNT from an already-defined chain. + + - WARNING: Accounting chain has o references + + The named chain contains accounting rules but no JUMP or COUNT + specifies that chain as the target. ---------------------------------------------------------------------------- I V. R E L E A S E 4 . 4 H I G H L I G H T S
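Review bot: the second new warning text has a typo: "WARNING: Accounting chain has o references" should read "has no references" (the explanation below it describes a chain with no JUMP or COUNT targeting it), and if the release notes quote the warning verbatim, the string in the compiler needs the same fix. In the same hunk, the continuation lines for the accipsecin and accipsecout items carry a stray bullet marker, so "Rules in this" is followed by a new item "- tree cannot specify an interface name in the DEST column." (and likewise for the SOURCE column); drop the leading "- " so each reads as one sentence, "Rules in this tree cannot specify an interface name in the DEST column." Also, the removed paragraph stated that rules with a non-empty IPSEC column may only appear in the 'accipsecin' and 'accipsecout' chains; the replacement text describes the three trees but no longer says whether that restriction still applies, so either restate it or say explicitly that it was lifted. Minor: "The first reference to user-defined accounting chain" is missing an article ("to a user-defined accounting chain").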