diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 0b0318b4c..15017bc57 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -173,7 +173,8 @@ Shorewall 4.4.1
rules at the end of the INPUT and OUTPUT chains would still use the
LOG target rather than ULOG.
-2) Using CONTINUE policies with a nested IPSEC zone was still broken.
+2) Using CONTINUE policies with a nested IPSEC zone was still broken
+ in some cases.
3) The setting of IP_FORWARDING has been change to Off in the
one-interface sample configuration since forwarding is typically
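Review bot: "in some cases" in the amended item 2 does not tell a reader which nested IPSEC zone setups with CONTINUE policies were affected, so nobody can tell from the release notes whether their own configuration was one of them. Name the condition or point to the problem report instead of using the qualifier. While this block is open, the context line in item 3 reading "has been change to Off" should be "has been changed to Off".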
@@ -216,13 +217,14 @@ None.
accepts all SNAT flags without verifying them and returns them to
iptables when asked.
-2) A 'clean' target has been added to the Makefiles.
+2) A 'clean' target has been added to the Makefiles. It removes backup
+ files (*~ and .*~).
3) The meaning of 'full' has been redefined when used in the context
- of a sub-class. Previously, 'full' always meant the OUT-BANDWIDTH
- of the device. In the case of a sub-class, however, that definition
- is awkward to use because the sub-class is limited by the parent
- class.
+ of a traffic shaping sub-class. Previously, 'full' always meant the
+ OUT-BANDWIDTH of the device. In the case of a sub-class, however,
+ that definition is awkward to use because the sub-class is limited
+ by the parent class.
Beginning with this release, 'full' in a sub-class definition
refers to the specified rate defined for the parent class. So
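Review bot: the sentence added to item 2 names the patterns the 'clean' target deletes (*~ and .*~) but not where it deletes them. Say whether the target works only in the directory holding the Makefile or recurses into subdirectories, since it removes files and users will want to know the scope before running it.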
diff --git a/manpages/shorewall-interfaces.xml b/manpages/shorewall-interfaces.xml
index adc7b73ad..56929dea8 100644
--- a/manpages/shorewall-interfaces.xml
+++ b/manpages/shorewall-interfaces.xml
@@ -120,15 +120,17 @@ loc eth2 -
role="bold">detect|address[,address]...}
- The broadcast address(es) for the network(s) to which the
- interface belongs. For P-T-P interfaces, this column is left blank.
- If the interface has multiple addresses on multiple subnets then
- list the broadcast addresses as a comma-separated list.
-
If you use the special value detect, Shorewall will detect the broadcast
- address(es) for you. If you select this option, the interface must
- be up before the firewall is started.
+ address(es) for you if your iptables and kernel include Address Type
+ Match support.
+
+ If your iptables and/or kernel lack Address Type Match support
+ then you may list the broadcast address(es) for the network(s) to
+ which the interface belongs. For P-T-P interfaces, this column is
+ left blank. If the interface has multiple addresses on multiple
+ subnets then list the broadcast addresses as a comma-separated
+ list.
If you don't want to give a value for this column but you want
to enter a value in the OPTIONS column, enter
+
+ nets=(net[,...])
+
+
+ Limit the zone named in the ZONE column to only the
+ listed networks. The parentheses may be omitted if only a
+ single net is given (e.g.,
+ nets=192.168.1.0/24). Limited broadcast is supported on the
+ interface.
+
+
+
nosmurfs
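Review bot: the rewritten BROADCAST text says detect works "if your iptables and kernel include Address Type Match support" but never says what happens when detect is given without that support. It also drops the old sentence requiring the interface to be up before the firewall is started, without saying whether that still applies in the unsupported case. Please state the fallback behaviour explicitly. In the new nets= entry, "Limited broadcast is supported on the interface" is ambiguous: say whether limited broadcast traffic is treated as belonging to the zone even though it falls outside the listed networks, because readers will otherwise take nets= as a strict restriction.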
diff --git a/manpages6/shorewall6-interfaces.xml b/manpages6/shorewall6-interfaces.xml
index 7989ff702..07a9b968d 100644
--- a/manpages6/shorewall6-interfaces.xml
+++ b/manpages6/shorewall6-interfaces.xml
@@ -142,6 +142,17 @@ loc eth2 -
+
+ nets=(net[,...])
+
+
+ Limit the zone named in the ZONE column to only the
+ listed networks. The parentheses may be omitted if only a
+ single net is given.
+
+
+
optional
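Review bot: the shorewall6 nets= entry omits the example that the IPv4 page gives (nets=192.168.1.0/24), so it never shows how an IPv6 network is written in this option, with or without the parentheses. Add an IPv6 example here so the two manpages stay parallel.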