Clean up rate limiting fixes (documentation)

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/releasenotes.txt

@@ -192,8 +192,8 @@ Shorewall 4.4.7 Patch Release 5.
     but the CONTINUE action would not occur.
 
 2)  If multiple entries were present in /etc/shorewall/tcdevices and
-    unique class numbers were not explicitly specified in
+    globally unique class numbers were not explicitly specified in
-    /etc/shorewall/tc, then 'shorewall start' would fail with a
+    /etc/shorewall/tcclasses, then 'shorewall start' would fail with a
     diagnostic such as:
 
     Setting up Traffic Control...
@@ -202,14 +202,22 @@ Shorewall 4.4.7 Patch Release 5.
              1500 limit 127 perturb 10" Failed
     Processing /etc/shorewall/stop ...
 
-3)  Previously, when per-IP rate limiting was specified with a low rate
+3)  Previously, when a low per-IP rate limit (such as 1/hour) was
-    (such as 1/hour), the effective rate was much higher (once every 10
+    specified, the effective enforced rate was much higher
-    seconds). The Shorewall compiler now configures the hashlimit table
+    (approximately 6/min). The Shorewall compiler now configures the
-    based on the rate such that the rate is more accurately enforced.
+    hashlimit table idle timeout based on the rate units (min, hour,
+    ...) so that the rate is more accurately enforced.
 
     As part of this change, a unique hash table name is assigned to
-    each rule that does not specify a table name in the rule. The
+    each per-IP rate limiting rule that does not specify a table name
-    assigned names are of the form 'shorewallN' where N is an integer.
+    in the rule. The assigned names are of the form 'shorewallN' where
+    N is an integer. Previously, all such rules shared a single
+    'shorewall' table which lead to unexpected results.
+
+4)  All prior versions of Shorewall-perl mishandle per-IP rate limiting
+    in REDIRECT and DNAT rules. The effective rate and burst are 1/2 of
+    the values given in the rule. This problem has been corrected so
+    that the specified rate is now the effective rate.
 
 ----------------------------------------------------------------------------
        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7 . 4

manpages/shorewall-rules.xml

@@ -891,10 +891,10 @@
           respectively. The <replaceable>name</replaceable> may be chosen by
           the user and specifies a hash table to be used to count matching
           connections. If not give, the name <emphasis
-          role="bold">shorewall</emphasis> is assumed. Where more than one
+          role="bold">shorewallN</emphasis> (where N is a unique integer) is
-          rule specifies the same name, the connections counts for the rules
+          assumed. Where more than one rule specifies the same name, the
-          are aggregated and the individual rates apply to the aggregated
+          connections counts for the rules are aggregated and the individual
-          count.</para>
+          rates apply to the aggregated count.</para>
 
           <para>Example: <emphasis role="bold">s:ssh:3/min:5</emphasis></para>
         </listitem>

manpages6/shorewall6-rules.xml

@@ -692,10 +692,10 @@
           respectively. The <replaceable>name</replaceable> may be chosen by
           the user and specifies a hash table to be used to count matching
           connections. If not give, the name <emphasis
-          role="bold">shorewall</emphasis> is assumed. Where more than one
+          role="bold">shorewallN</emphasis> (where N is a unique integer) is
-          POLICY specifies the same name, the connections counts for the rules
+          assumed. Where more than one POLICY specifies the same name, the
-          are aggregated and the individual rates apply to the aggregated
+          connections counts for the rules are aggregated and the individual
-          count.</para>
+          rates apply to the aggregated count.</para>
         </listitem>
       </varlistentry>