1) In kernel 2.6.31, the handling of the rp_filter interface option was
   changed incompatibly. Previously, the effective value was determined
   by the setting of net.ipv4.config.dev.proxy_arp logically ANDed with
   the setting of net.ipv4.config.all.proxy_arp.

   Beginning with kernel 2.6.31, the value is the arithmetic MAX of
   those two values. 

   Given that Shorewall sets net.ipv4.config.all.proxy_arp to 1 if
   there are any interfaces specifying 'routefilter', specifying
   'routefilter' on any interface has the effect of setting the option
   on all interfaces.