1) On systems running Upstart, shorewall-init cannot reliably secure
   the firewall before interfaces are brought up.

2) The 'enable', 'reenable' and 'disable' commands do not work
   correctly in configurations with USE_DEFAULT_RT=No and optional
   providers listed in the DUPLICATE column.

3) While the 'ip' utility now accepts IPv6 routes with multiple
   'nexthop' destinations, these routes are not balanced. They are
   instead instantiated as a sequence of single routes with different
   metrics. Furthermore, the 'ip route replace' command fails on such
   routes. Beginning with Shorewall6 5.0.15, the generated script uses
   a "delete..add.." sequence on these routes rather than a single
   "replace" command.

4) On Debian-derived systems, when DOCKER=Yes, the 'systemctl restart
   shorewall' command loses the Docker rules.

   Workaround (courtesy of J Cliff Armstrong):

   Type (as root): `systemctl edit shorewall.service`. This will open
   the default terminal editor on a blank file, into which you can
   paste the following:

       [Service]
       # reset ExecStop
       ExecStop=
       # set ExecStop to "stop" instead of "clear"
       ExecStop=/sbin/shorewall $OPTIONS stop

   Then type `systemctl daemon-reload` to activate the changes. This
   change will survive future updates of the shorewall package from
   apt repositories. The override file itself will be saved to
   `/etc/systemd/system/shorewall.service.d/`.

5) When ';;+' appears in the snat file, the '+' incorrectly appears in
   the generated ip[6]tables rule. Corrected in Shorewall 5.2.5.2.

6) A bug in iptables (see
   https://git.netfilter.org/iptables/commit/?id=d1555a0906e35ba8d170613d5a43da64e527dbe1)
   prevents the '--queue-cpu-fanout' option from being applied unless
   that option is the last one specified. Unfortunately, Shorewall
   places the '--queue-bypass' option last if that option is also
   specified. This bug is known to affect CentOS 7 systems.

   Workaround: Use an INLINE rule with the options in the correct
   order.
   Example:

       Original Rule:

           NFQUEUE(0:1c)   all+   all+

       New Rule:

           INLINE   all+   all+   ; -j NFQUEUE --queue-balance 0:1 \
                                              --queue-bypass \
                                              --queue-cpu-fanout

   Corrected in 5.2.6 RC 1.

7) When compiling for export, the compiler generates a firewall.conf
   file which is later installed on the remote firewall system as
   ${VARDIR}/firewall.conf. Currently, the CLI on that firewall does
   not process the file, resulting in some features not being
   available:

   - Default values for VERBOSITY, LOGFILE, LOGFORMAT, PATH,
     SHOREWALL_SHELL, SUBSYSLOCK, RESTOREFILE, RESTART,
     DYNAMIC_BLACKLIST and PAGER are not supplied.

   - scfilter file supplied at compile time.

   - dumpfilter file supplied at compile time.

   Corrected in 5.2.6 Beta 1.
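As an added illustration of the option-order condition in item 6 (this is example code, not part of Shorewall, and the sample rules are constructed): a small Python check that scans iptables-save style rules for NFQUEUE targets where '--queue-cpu-fanout' is not the last option, and shows the reordered form that the INLINE workaround produces. The chain names in the samples are assumed.

```python
"""Find NFQUEUE rules whose '--queue-cpu-fanout' option is not last.

Added example, not Shorewall code.  On iptables builds affected by the
bug noted in item 6, '--queue-cpu-fanout' only takes effect when it is
the final NFQUEUE option, so a rule that lists '--queue-bypass' after
it silently runs without CPU fanout.
"""
import shlex

FANOUT = "--queue-cpu-fanout"

# Constructed iptables-save style rules; chain names are assumed.
SAMPLE_RULES = [
    # Shorewall-style ordering: bypass placed last -> fanout ignored.
    "-A net-fw -p tcp --dport 80 -j NFQUEUE --queue-balance 0:1 "
    "--queue-cpu-fanout --queue-bypass",
    # Ordering from the INLINE workaround: fanout last -> honoured.
    "-A fw-net -j NFQUEUE --queue-balance 0:1 --queue-bypass "
    "--queue-cpu-fanout",
    # NFQUEUE without fanout: nothing to check.
    "-A net-fw -j NFQUEUE --queue-num 0",
    # Not an NFQUEUE rule at all.
    "-A net-fw -j ACCEPT",
]


def nfqueue_options(rule):
    """Return the NFQUEUE target options of a rule, or None when the
    rule does not jump to NFQUEUE.  The target is always the last
    thing on an iptables rule line, so everything after 'NFQUEUE'
    belongs to the target."""
    tokens = shlex.split(rule)
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("-j", "--jump") and tokens[i + 1] == "NFQUEUE":
            return tokens[i + 2:]
    return None


def fanout_misordered(rule):
    """True when the rule uses --queue-cpu-fanout but does not place
    it as the last NFQUEUE option."""
    opts = nfqueue_options(rule)
    if not opts or FANOUT not in opts:
        return False
    return opts[-1] != FANOUT


def reorder_fanout(rule):
    """Return the rule with --queue-cpu-fanout moved to the end of the
    NFQUEUE options (the order the INLINE workaround uses)."""
    tokens = shlex.split(rule)
    if FANOUT not in tokens:
        return rule
    tokens.remove(FANOUT)
    tokens.append(FANOUT)
    return shlex.join(tokens)


def scan(lines):
    """Return (offending_rule, corrected_rule) pairs for every rule in
    an iptables-save style dump that hits the option-order problem."""
    return [(line, reorder_fanout(line))
            for line in lines if fanout_misordered(line)]


if __name__ == "__main__":
    for bad, fixed in scan(SAMPLE_RULES):
        print("misordered:", bad)
        print("corrected: ", fixed)
```

Run it against the output of `iptables-save` on an affected host to list the rules that need the INLINE form; the corrected text is the option order to paste after the `;` in the INLINE rule.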