1)  On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.

2) The 'local' option in /etc/shorewall6/providers produces an 'ip
   route add' command containing an IPv4 address.

3) When optimize lever 4 is set, the optimizer mis-handles rules of the
   form:

	-A <chain1> -j <chain2> -m comment ...

   when such a rule is the only rule in a chain.

   Workarounds:

	1. Don't use optimization level 4; or
	2. Remove the comment from the rule.