Document semantic change to 'all' handling in the conntrack file.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/manpages/shorewall-conntrack.xml

@@ -254,6 +254,16 @@
           <para>Beginning with Shorewall 4.5.10, <option>all-</option> can be
           used as the <replaceable>zone</replaceable> name to mean all
           <firstterm>off-firewall zone</firstterm>s.</para>
+
+          <note>
+            <para>In 4.5.10, handling of <option>all</option> was changed.
+            <option>all</option> now causes the generated netfilter rule to be
+            appended to the raw table PREROUTING and OUTPUT chains directly.
+            <option>all-</option> rules are added directly to PREROUTING.
+            <option>all</option> and <option>all-</option> rules are processed
+            after the more specific rules that specify an individual
+            zone.</para>
+          </note>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6-conntrack.xml

@@ -149,6 +149,16 @@
           <para>Beginning with Shorewall 4.5.10, <option>all-</option> can be
           used as the <replaceable>zone</replaceable> name to mean all
           <firstterm>off-firewall zone</firstterm>s.</para>
+
+          <note>
+            <para>In 4.5.10, handling of <option>all</option> was changed.
+            <option>all</option> now causes the generated netfilter rule to be
+            appended to the raw table PREROUTING and OUTPUT chains directly.
+            <option>all-</option> rules are added directly to PREROUTING.
+            <option>all</option> and <option>all-</option> rules are processed
+            after the more specific rules that specify an individual
+            zone.</para>
+          </note>
         </listitem>
       </varlistentry>