diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf
index a8a8ce15d..17f7824ec 100644
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -234,6 +234,8 @@ USE_RT_NAMES=No
WARNOLDCAPVERSION=Yes
+WORKAROUNDS=No
+
ZONE2ZONE=-
###############################################################################
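Review bot: The sample files set `WORKAROUNDS=No` with no comment, while the manpage text added in this same commit says an unset or empty value is treated as Yes, and `Shorewall/configfiles/shorewall.conf` ships `WORKAROUNDS=Yes`. An administrator who copies a sample onto a host with an older iptables or ipset gets a ruleset compiled without the workarounds and with no hint of why; on a firewall that may mean rules that fail to load or behave differently than intended, though the diff does not show which workarounds are involved. If No is deliberate for fresh installs, a line above the setting would make the choice visible, for example `# Workarounds for iptables/ipset defects are off here; set to Yes on older toolchains (see shorewall.conf(5))`. The same applies to the one-interface, two-interfaces and three-interfaces samples and to the four Shorewall6 sample files.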
diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf
index 909c9a889..bea6bb12d 100644
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -245,6 +245,8 @@ USE_RT_NAMES=No
WARNOLDCAPVERSION=Yes
+WORKAROUNDS=No
+
ZONE2ZONE=-
###############################################################################
diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf
index 06cbb1836..5b84e0ec1 100644
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -242,6 +242,8 @@ USE_RT_NAMES=No
WARNOLDCAPVERSION=Yes
+WORKAROUNDS=No
+
ZONE2ZONE=-
###############################################################################
diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf
index e920c55d0..4622436e7 100644
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -245,6 +245,8 @@ USE_RT_NAMES=No
WARNOLDCAPVERSION=Yes
+WORKAROUNDS=No
+
ZONE2ZONE=-
###############################################################################
diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf
index 99edf264a..b480dbd41 100644
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -234,6 +234,8 @@ USE_RT_NAMES=No
WARNOLDCAPVERSION=Yes
+WORKAROUNDS=Yes
+
ZONE2ZONE=-
###############################################################################
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index a9439ef80..d9eee10df 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -2973,8 +2973,8 @@ INLINE - - - ; -j REJECT
- WIDE_TC_MARKS={Yes|No}
+ WIDE_TC_MARKS=[Yes|No]
Deprecated in Shorewall 4.4.26 in favor of TC_BITS and
@@ -2988,6 +2988,20 @@ INLINE - - - ; -j REJECT
+
+ WORKAROUNDS=[Yes|No]
+
+
+ Added in Shorewall 4.6.11. Over time, there have been a number
+ of changes in Shorewall that work around defects in other products
+ such as iptables and ipset. When WORKAROUNDS=Yes, these workarounds
+ are enabled; when WORKAROUNDS=No, they are disabled. If not
+ specified or if specified as empty, WORKAROUNDS=Yes is
+ assumed.
+
+
+
ZONE_BITS=[number]
@@ -3002,7 +3016,7 @@ INLINE - - - ; -j REJECT
ZONE2ZONE={|}
+ role="bold">ZONE2ZONE=[|]
Added in Shorewall 4.4.4. This option determines how Shorewall
diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf
index afe628677..ea5dbddb9 100644
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -209,6 +209,8 @@ USE_RT_NAMES=No
WARNOLDCAPVERSION=Yes
+WORKAROUNDS=No
+
ZONE2ZONE=-
###############################################################################
diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf
index e4fe0af35..dc620ffad 100644
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -209,6 +209,8 @@ USE_RT_NAMES=No
WARNOLDCAPVERSION=Yes
+WORKAROUNDS=No
+
ZONE2ZONE=-
###############################################################################
diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
index fcc642251..12bc4ee4a 100644
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -209,6 +209,8 @@ USE_RT_NAMES=No
WARNOLDCAPVERSION=Yes
+WORKAROUNDS=No
+
ZONE2ZONE=-
###############################################################################
diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
index dd94457c5..69073f085 100644
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -209,6 +209,8 @@ USE_RT_NAMES=No
WARNOLDCAPVERSION=Yes
+WORKAROUNDS=No
+
ZONE2ZONE=-
###############################################################################
diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf
index d02ad3658..8416dc4c3 100644
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -209,6 +209,8 @@ USE_RT_NAMES=No
WARNOLDCAPVERSION=Yes
+WORKAROUNDS=Yes
+
ZONE2ZONE=-
###############################################################################
diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml
index 2c17c6db4..4da0d81b1 100644
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -2622,8 +2622,8 @@ INLINE - - - ; -j REJECT
- WIDE_TC_MARKS={Yes|No}
+ WIDE_TC_MARKS=[Yes|No]
Deprecated in Shorewall 4.4.26 in favor of TC_BITS and
@@ -2637,6 +2637,20 @@ INLINE - - - ; -j REJECT
+
+ WORKAROUNDS=[Yes|No]
+
+
+ Added in Shorewall 4.6.11. Over time, there have been a number
+ of changes in Shorewall that work around defects in other products
+ such as iptables and ipset. When WORKAROUNDS=Yes, these workarounds
+ are enabled; when WORKAROUNDS=No, they are disabled. If not
+ specified or if specified as empty, WORKAROUNDS=Yes is
+ assumed.
+
+
+
ZONE_BITS=[number]