From c77bae376126289cf761db2374f7a2e768a20c69 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 11 Sep 2010 09:23:23 -0700 Subject: [PATCH] Document known/corrected problems. Signed-off-by: Tom Eastep --- Shorewall/changelog.txt | 4 ++++ Shorewall/known_problems.txt | 15 +++++++++++++++ Shorewall/releasenotes.txt | 9 ++++++++- 3 files changed, 27 insertions(+), 1 deletion(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index c91f2a9f2..c67d399a4 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -1,3 +1,7 @@ +Changes in Shorewall 4.4.12.3 + +1) Correct SAME + Changes in Shorewall 4.4.12.2 1) Add tweak to 4.4.12.1 optimization fix. diff --git a/Shorewall/known_problems.txt b/Shorewall/known_problems.txt index 8bc3d85d8..8ea074745 100644 --- a/Shorewall/known_problems.txt +++ b/Shorewall/known_problems.txt @@ -35,3 +35,18 @@ generate valid but incorrect iptables (ip6tables) input. Corrected in Shorewall 4.4.12.2 -- these rules are now disallowed. + +9) When a comma-separated list of 'src' and/or 'dst' was specified in + an ipset invocation (e.g., "+fooset[src,src]), all but the first 'src' + or 'dst' was previously ignored when generating the resulting + iptables rule. + + Workaround: If you simply need src,src or dst,dst, you can use the + alternative syntax. Instead of +fooset[src,src], use +fooset[2] in + the SOURCE column or +fooset[2] in the DEST column. + +10) Since Shorewall 4.4.9, the SAME target in tcrules has generated + invalid iptables-restore (ip6tables-restore) input. + + Workaround: None Available. Will be corrected in Shorewall 4.4.13. + diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 1d18e24e6..47f3f804f 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
@@ -1,5 +1,5 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 4 . 1 2 . 2 + S H O R E W A L L 4 . 4 . 1 2 . 3 ---------------------------------------------------------------------------- I. RELEASE 4.4 HIGHLIGHTS @@ -224,6 +224,13 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- +4.4.12.3 + +1) When a comma-separated list of 'src' and/or 'dst' was specified in + an ipset invocation (e.g., "+fooset[src,src]), all but the first 'src' + or 'dst' was previously ignored when generating the resulting + iptables rule. + 4.4.12.2 1) Earlier releases allowed CONTINUE rules with exclusion. These rules
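Review bot: In the Shorewall/changelog.txt hunk, the new 4.4.12.3 entry "1) Correct SAME" disagrees with the other two files in this patch. Item 10 in known_problems.txt says the SAME target problem has no workaround and "Will be corrected in Shorewall 4.4.13", and the 4.4.12.3 section added to releasenotes.txt lists only the ipset 'src'/'dst' fix. Either record the ipset fix in this changelog entry, or update the other two files to say SAME is corrected in 4.4.12.3. As written, a reader cannot tell which release carries which fix.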
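Review bot: In the Shorewall/known_problems.txt hunk, item 9 gives a workaround but never names the release that corrects the problem, unlike the entry just above it ("Corrected in Shorewall 4.4.12.2"), even though releasenotes.txt in this same patch lists the fix under 4.4.12.3. Suggest adding a "Corrected in Shorewall 4.4.12.3" line: when all but the first 'src' or 'dst' is ignored, the generated iptables rule does not match what the configuration specifies, so administrators need to know which versions are affected. The example "+fooset[src,src] is missing its closing quote, and the workaround sentence repeats "+fooset[2]" for both columns without saying which of src,src and dst,dst each column yields.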
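Review bot: In the second Shorewall/releasenotes.txt hunk (@@ -224,6 +224,13 @@), the 4.4.12.3 entry describes only the old behaviour ("was previously ignored") and never says what the release does now. Suggest a closing sentence stating that every 'src' and 'dst' in the list is now carried into the generated iptables rule, so users who see the rule output change after upgrading understand why. The quote opened before +fooset[src,src] should also be closed here.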