1) In kernel 2.6.31, the handling of the rp_filter interface option was
   changed incompatibly. Previously, the effective value was determined
   by the setting of net.ipv4.config.dev.rp_filter logically ANDed with
   the setting of net.ipv4.config.all.rp_filter.

   Beginning with kernel 2.6.31, the value is the arithmetic MAX of
   those two values. 

   Given that Shorewall sets net.ipv4.config.all.rp_filter to 1 if
   there are any interfaces specifying 'routefilter', specifying
   'routefilter' on any interface has the effect of setting the option
   on all interfaces.

   A workaround for this problem is included in Shorewall 4.4.5.1.