1) On systems running Upstart, shorewall-init cannot reliably secure the firewall before interfaces are brought up. Corrected in Shorewall 4.4.19.1.

2) There is a harmless duplicate ACCEPT rule in the INPUT filter chain when the firewall is stopped. Corrected in Shorewall 4.4.19.1.

3) Shorewall interprets all 'nexthop' routes as default routes when analyzing the pre-start routing configuration. This can lead to unwanted default routes when the firewall is started or stopped. Corrected in Shorewall 4.4.19.1.

3) A defect introduced in Shorewall 4.4.17 broke the ability to specify ':-' in the ADDRESS column of /etc/shorewall/masq. Corrected in Shorewall 4.4.19.1.

4) There are several known problems in Complex TC:

   a) The following entry in /etc/shorewall/tcclasses

         A:1 - 10*full/100:50ms 20*full/100 1 tcp-ack

      produces this error:

         ERROR: Unknown INTERFACE (A) : /etc/shorewall/tcclasses

   b) Shorewall reserves class number 1 for the root class of the queuing discipline. Defining class 1 in /etc/shorewall/tcclasses results in a run-time error.

   c) The compiler does not complain if a CLASSID specified in the MARK column of tcrules refers to an IFB class. Such a rule is nonsensical, since packets are passed through the IFB before they are passed through any marking rules.

   d) Where there are more than 10 tcdevices, tcfilter entries can generate invalid rules.

   These problems are corrected in Shorewall 4.4.19.2.

3) Double exclusion involving ipset lists is not detected, resulting in anomalous behavior. Example:

      ACCEPT:info $FW net:!10.1.0.7,10.1.0.9,+[!my-host[src]]]

   Corrected in Shorewall 4.4.19.2.

4) The changes in 4.4.19.1 that corrected long-standing issues with default route save/restore are incompatible with 'gawk'. When 'gawk' is installed (rather than 'mawk'), awk syntax errors having to do with the symbol 'default' are issued.

   Workaround: Install mawk.

   Corrected in Shorewall 4.4.19.3.

5) An entry in the USER/GROUP column in the rules and tcrules files can cause run-time start/restart failures if the rule(s) being added did not have the firewall as the source and were not being added to the POSTROUTING chain.

   Workaround: Ensure that USER/GROUP matches are only specified when the SOURCE is $FW (rules file) or the rule is being added to the POSTROUTING chain (:T designator in the tcrules file).

   Corrected in Shorewall 4.4.19.3.

6) The compiler allows degenerate entries (only the BAND column specified) in /etc/shorewall/tcpri. Such entries cause a run-time failure during start/restart. Corrected in Shorewall 4.4.19.4.

7) It is possible to specify tcfilters and tcrules that classify traffic with the class-id of a non-leaf HFSC class. Such classes are not capable of handling packets. If a non-leaf class is specified as the default class, a run-time start/restart failure occurs. Corrected in Shorewall 4.4.19.4.

8) Shorewall does not check for the existence of ipsets mentioned in the configuration, potentially resulting in a run-time start/restart failure. Corrected in Shorewall 4.4.19.4.

9) As currently implemented, the 'refresh' command can fail or can result in a ruleset other than what was intended. If there have been changes in the ruleset since it was originally started/restarted/restored that added or deleted sequenced chains (chains such as ~lognnn and ~exclnnn), the resulting ruleset can jump to the wrong such chains or the 'refresh' can fail.

   Workaround: Use 'restart' rather than 'refresh'.

   Corrected in Shorewall 4.4.19.4.

10) 'shorewall6 refresh' issues a harmless 'ip6tables: Chain exists' error message. Corrected in Shorewall 4.4.19.4.
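The workaround for item 5 is easy to get wrong by hand across a large rules file, because the failure only shows up at start/restart time. The script below is an added example, not Shorewall's own code, that lints the rules and tcrules files for the USER/GROUP restriction before the firewall is started. It assumes the Shorewall 4.4 column layouts (rules file: SOURCE is field 2 and USER/GROUP is field 9; tcrules file: MARK is field 1, SOURCE is field 2, USER is field 7), that plain MARK entries are the only tcrules form in use, and that the firewall zone is written as $FW or fw; the two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Shorewall's own code): a pre-start lint for the USER/GROUP
# restriction described in item 5. Assumptions, not taken from the page: the
# Shorewall 4.4 column layouts (rules: USER/GROUP is field 9; tcrules: MARK is
# field 1, SOURCE field 2, USER field 7) and that the firewall zone is written
# as $FW or fw. Whitespace-separated columns, '#' comments and '-' meaning
# "not specified" are the Shorewall file conventions.

# Constructed sample rules file. Lines 4 and 7 set USER/GROUP with a non-$FW SOURCE.
SAMPLE_RULES='
#ACTION   SOURCE   DEST   PROTO  DPORT  SPORT  ORIGDEST  RATE  USER/GROUP
ACCEPT    $FW      net    tcp    80     -      -         -     www-data
ACCEPT    loc      net    tcp    443    -      -         -     alice
DROP      net      $FW    tcp    22
REJECT    loc      dmz    udp    53     -      -         -     -
ACCEPT    loc      net    tcp    25     -      -         -     !root
'

# Constructed sample tcrules file. Line 4 sets USER with neither :T nor $FW as SOURCE.
SAMPLE_TCRULES='
#MARK   SOURCE   DEST   PROTO  DPORT  SPORT  USER
1:T     -        -      tcp    -      -      bob
2       -        -      tcp    -      -      carol
3:F     $FW      -      udp    -      -      dave
'

# Read a rules file on stdin and print "line N: <rule>" for every rule that sets
# USER/GROUP while its SOURCE is not the firewall itself.
lint_rules_user_group() {
    awk '
        /^[ \t]*#/ { next }                   # skip comment lines
        NF == 0    { next }                   # skip blank lines
        {
            ug = (NF >= 9) ? $9 : "-"         # missing trailing columns mean "-"
            if (ug != "-" && $2 != "$FW" && $2 != "fw")
                printf "line %d: %s\n", NR, $0
        }'
}

# Read a tcrules file on stdin and print every rule that sets USER while it is
# neither sent to POSTROUTING (":T" suffix in MARK) nor sourced from the firewall.
lint_tcrules_user() {
    awk '
        /^[ \t]*#/ { next }
        NF == 0    { next }
        {
            user = (NF >= 7) ? $7 : "-"
            in_postrouting = ($1 ~ /:T$/)
            if (user != "-" && !in_postrouting && $2 != "$FW" && $2 != "fw")
                printf "line %d: %s\n", NR, $0
        }'
}

# Gate for a wrapper around 'shorewall start': returns 0 when the given config
# text is clean, 1 when offenders were found (listed on stderr), 2 on bad usage.
check_config() {   # usage: check_config <rules|tcrules> "<file contents>"
    case "$1" in
        rules)   hits=$(printf '%s\n' "$2" | lint_rules_user_group) ;;
        tcrules) hits=$(printf '%s\n' "$2" | lint_tcrules_user) ;;
        *)       echo "unknown file type: $1" >&2; return 2 ;;
    esac
    [ -z "$hits" ] && return 0
    printf 'USER/GROUP outside OUTPUT/POSTROUTING in %s:\n%s\n' "$1" "$hits" >&2
    return 1
}

# Stand-alone demonstration against the constructed samples.
check_config rules   "$SAMPLE_RULES"   || echo "rules: offenders found (expected)"
check_config tcrules "$SAMPLE_TCRULES" || echo "tcrules: offenders found (expected)"
```

In a wrapper, `check_config rules "$(cat /etc/shorewall/rules)" && check_config tcrules "$(cat /etc/shorewall/tcrules)" && shorewall start` refuses to start when a rule would trip the item 5 failure. The check only covers the $FW/fw zone name and the :T designator; a renamed firewall zone needs the two string comparisons adjusted.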