1)  On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.

2)  The 'enable', 'reenable' and 'disable' commands do not work
    correctly in configurations with USE_DEFAULT_RT=No and optional
    providers listed in the DUPLICATE column.

3)  While the 'ip' utility now accepts IPv6 routes with multiple
    'nexthop' destinations, these routes are not balanced. They are
    rather instantiated as a sequence of single routes with different
    metrics.  Furthermore,  the 'ip route replace' command fails on
    such routes. Beginning with Shorewall6 5.0.15, the generated script
    uses a "delete..add.." sequence on these routes rather than a
    single "replace" command.

4)  On Debian-derived systems, when DOCKER=Yes, the 'systemctl restart
    shorewall' command looses Docker rules.

    Workaround (courtesy of J Cliff Armstrong):

    Type (as root):

        `systemctl edit shorewall.service`.

    This will open the default terminal editor to a blank file in
    which you can paste the following:

    [Service]
    # reset ExecStop
    ExecStop=
    # set ExecStop to "stop" instead of "clear"
    ExecStop=/sbin/shorewall $OPTIONS stop

    Then type `systemctl daemon-reload` to activate the changes. This
    change will survive future updates of the shorewall package from apt
    repositories. The override file itself will be saved to
    `/etc/systemd/system/shorewall.service.d/`.

5)  OpenSuSE users running systemd complain that the firewalls are
    stopped after a Shorewall product upgrade.

    Corrected in 5.2.4.1.

6)  On Redhat-based systems and on OpenSuSE, the Shorewall-init log
    contains spurious log messages regarding invalid commands. These
    messages are harmless.

    Corrected in 5.2.4.1.

7)  There are two problems associated with Debian Shorewall-init when
    IFUPDOWN=1 in the Shorewall-init configuration file
    (/etc/default/shorewall-init).

    a)  Down events are ignored when Network Manager is being used.

    b)  Up events are processed twice on dual-stack interfaces.

    Corrected in 5.2.4.2.

8)  When interfaces are managed by Network Manager and IFUPDOWN=1 is
    specified in the Shorewall-init configuration file, when an optional
    interface is brought up, enabling the interface in
    Shorewall6[-lite] may fail.

    Corrected in 5.2.4.3.

9)  When DYNAMIC_BLACKLIST="ipset...." in shorewall[6].conf, and
    additional ipsets are used in the configuration, specifying
    SAVE_IPSETS in the Shorewall-init configuration file does not work
    correctly. Shorewall-init restores the ipsets but the generated
    firewall deletes them. It is necessary to specify SAVE_IPSETS=Yes
    in shorewall[6].conf to work around this problem.

    Corrected in 5.2.4.3.

10) The 'shorewall-init start' command restores ipsets after it has
    stopped the firewall, precluding using ipsets in the stoppedrules
    file.

    Corrected in 5.2.4.3.

11) Setting OPTIMIZE to a value > 15 (or 'all') may cause compilation
    to be extreamly slow on large configurations.

    Corrected in 5.2.4.3.

12) When 5.2.4.3 is installed, two issues have been observed:

    a) When DYNAMIC_BLACKLIST=ipset... or when SAVE_IPSETS=Yes in
       shorewall[6].conf, 'shorewall[6] start' can hang.

    b) 'shorewall[6] start' does not automatically create dynamic
       blacklisting ipsets.

    Corrected in 5.2.4.4.

13) The AUTOMAKE option doesn't work correctly when /etc/shorewall[6]
    is a symbolic link.

    Corrected in 5.2.4.5.
