shorewall_code/Shorewall/known_problems.txt
2009-12-28 14:59:51 -08:00

1)  In kernel 2.6.31, the handling of the rp_filter interface option was
    changed incompatibly. Previously, the effective value was determined
    by the setting of net.ipv4.conf.dev.rp_filter logically ANDed with
    the setting of net.ipv4.conf.all.rp_filter.

    Beginning with kernel 2.6.31, the value is the arithmetic MAX of
    those two values.

    Given that Shorewall sets net.ipv4.conf.all.rp_filter to 1 if
    there are any interfaces specifying 'routefilter', specifying
    'routefilter' on any interface has the effect of setting the option
    on all interfaces.

    A workaround for this problem is included in Shorewall 4.4.5.1.

2)  When using an up-to-date capabilities file with Shorewall 4.4.5.1, the
    following warning messages were issued.

        WARNING: Unknown capability (KERNELVERSION)
        ignored : /etc/shorewall2/capabilities (line 49)
        WARNING: Your capabilities file does not contain a Kernel Version --
        using 2.6.30

    This defect was corrected in 4.4.5.2.

3)  'shorewall6 start' on Shorewall 4.4.5.2 generates a Perl run-time
    error. Also, handling of ROUTE_FILTER on kernel 2.6.31 and later
    was broken.

    This was fixed in 4.4.5.3.

4)  With Shorewall 4.4.5.3, using a capabilities file with Shorewall6
    will result in the following warnings during compilation:

        WARNING: Your capabilities file is out of date -- it does not
        contain all of the capabilities defined by Shorewall6 version
        4.4.5.3
        WARNING: Your capabilities file does not contain a Kernel
        Version -- using 2.6.30

    Corrected in 4.4.5.4.

5)  The change in Shorewall 4.4.5.1 broke the 'forward' interface
    option in Shorewall6.

    Corrected in 4.4.5.4.

6)  Under some circumstances, the Netfilter ruleset generated by Shorewall
    can include jumps to non-existent chains. This problem was
    apparently introduced between 4.4.0 and 4.4.5.

    Corrected in 4.4.5.5.
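
The rp_filter change described in item 1, as an added example (not part of Shorewall): a POSIX shell audit that lists each interface's own rp_filter setting beside the value the kernel applies, under either the pre-2.6.31 AND rule or the MAX rule of 2.6.31 and later. The function names, the `audit` argument and the CONF_ROOT variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Shorewall code. CONF_ROOT may point at a constructed
# directory tree for testing; by default it is the live sysctl tree.
CONF_ROOT=${CONF_ROOT:-/proc/sys/net/ipv4/conf}

# kernel_mode RELEASE -> "and" (before 2.6.31) or "max" (2.6.31 and later)
kernel_mode() {
    rel=${1%%-*}                              # drop "-91-generic" style suffix
    major=${rel%%.*}; rest=${rel#*.}; minor=${rest%%.*}
    patch=${rest#*.}; patch=${patch%%.*}
    if [ "$major" -gt 2 ] ||
       { [ "$major" -eq 2 ] && [ "$minor" -eq 6 ] && [ "$patch" -ge 31 ]; }; then
        echo max
    else
        echo and
    fi
}

# effective_rp_filter ALL DEV MODE -> value the kernel applies to the interface
effective_rp_filter() {
    case $3 in
        and) if [ "$1" -ne 0 ] && [ "$2" -ne 0 ]; then echo 1; else echo 0; fi ;;
        max) if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi ;;
        *)   echo "unknown mode: $3" >&2; return 2 ;;
    esac
}

# audit_rp_filter [MODE] -> one line per interface; MODE defaults to the
# rule of the running kernel. Flags interfaces filtered only via "all".
audit_rp_filter() {
    mode=${1:-$(kernel_mode "$(uname -r)")}
    all=$(cat "$CONF_ROOT/all/rp_filter")
    for dir in "$CONF_ROOT"/*; do
        name=${dir##*/}
        case $name in all|default) continue ;; esac
        [ -f "$dir/rp_filter" ] || continue
        dev=$(cat "$dir/rp_filter")
        eff=$(effective_rp_filter "$all" "$dev" "$mode")
        note=
        if [ "$dev" -eq 0 ] && [ "$eff" -ne 0 ]; then
            note=' <- enabled only by all.rp_filter'
        fi
        echo "$name dev=$dev effective=$eff$note"
    done
}

if [ "${1:-}" = audit ]; then audit_rp_filter; fi
```

On a live host, run the script with the argument `audit`. Under the MAX rule, every interface whose own setting is 0 is flagged once all.rp_filter is 1, which is the effect item 1 describes.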