shorewall_code/Shorewall/known_problems.txt

1)  On systems running Upstart, Shorewall-init cannot reliably close
    the firewall before interfaces come up.

2)  Under rare circumstances where COMMENT is used to attach comments
    to rules, OPTIMIZE 8 through 15 can result in invalid
    iptables-restore (ip6tables-restore) input.

    Corrected in Shorewall 4.4.12.1.

3)  Under rare circumstances unvolving exclusion, OPTIMIZE 8 through 15
    canresult in invalid iptables-restore (ip6tables-restore) input.

    Corrected in Shorewall 4.4.12.1.

4)  The change in 4.4.12 to detect and use the new ipset match syntax
    broke the ability to detect the old ipset match capability. 

    Corrected in Shorewall 4.4.12.1.

5)  If REQUIRE_INTERFACE=Yes then start/restart will fail
    if the last optional interface tested is not available.

    Corrected in Shorewall 4.4.12.1.

6)  The fix for COMMENT and optimization in 4.4.12.1 is incomplete.

    Corrected in Shorewall 4.4.12.2

7)  Exclusion in the blacklist file is correctly validated but is then
    ignored when generating iptables (ip6tables) rules.

    Corrected in Shorewall 4.4.12.2.

8)  Shorewall allows CONTINUE rules with exclusion. These rules
    generate valid but incorrect iptables (ip6tables) input.

    Corrected in Shorewall 4.4.12.2 -- these rules are now disallowed.

9)  When a comma-separated list of 'src' and/or 'dst' was specified in
    an ipset invocation (e.g., "+fooset[src,src]), all but the first 'src'
    or 'dst' was previously ignored when generating the resulting
    iptables rule.

    Workaround: If you simply need src,src or dst,dst, you can use the
    alternative syntax. Instead of +fooset[src,src], use +fooset[2] in
    the SOURCE column or +fooset[2] in the DEST column.

10) Since Shorewall 4.4.9, the SAME target in tcrules has generated
    invalid iptables-restore (ip6tables-restore) input.

    Workaround: None Available. Will be corrected in Shorewall 4.4.13.