1)  On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.

2)  The Shorewall Init installer (install.sh) fails on Gentoo systems.

    Corrected in Shorewall 4.5.21.1.

3)  The installers (install.sh) fail to start the products at boot time
    on Debian and derivatives. This problem was introduced in Shorewall
    4.5.21.

    Corrected in Shorewall 4.5.21.1.

4)  Multiple ICMP/ICMP6 types listed in a rule result in a Perl runtime
    error on the compiler.

    Corrected in Shorewall 4.5.21.1.

5)  An attempt to specify RAS or Q.931 in the HELPER column is rejected
    with an error.

    Corrected in Shorewall 4.5.21.1.

6)  The 'nohostroute' provider option does not suppress the addition of
    a host route in the default routing table when USE_DEFAULT_RT=Yes.

    Corrected in Shorewall 4.5.21.1.

7)  The AutoBL action fails if the kernel and iptables do not support
    the Recent Match '--reap' option.

    Corrected in Shorewall 4.5.21.2.

8)  The Shorewall-core installer reports an error from 'cp'
    stating that it cannot stat the shorewallrc file.

    Workaround: Run the installer a second time.

    Corrected in Shorewall 4.5.21.2.

9)  When a non-root user executes 'version -a', the CLI attempts to
    get the version of the compiled firewall, resulting in the
    following diagnostic:

    	 /sbin/shorewall: /var/lib/shorewall/firewall: Permission denied

    Corrected in Shorewall 4.5.21.2.

10) Shorewall uses 'fgrep', making it unusable on systems without
    that utility.

    Corrected in Shorewall 4.5.21.2.

11) Placing |<mark> in the ACTION column of the tcrules file raises a
    fatal compilation error.

    Corrected in Shorewall 4.5.21.2.

12) The Shorewall-core installer fails when run on Ubuntu Raring.

    Corrected in Shorewall 4.5.21.2.

13) The Shorewall-init installer fails when run on Ubuntu Raring.

    Workaround: Run as follows:

    	BUILD=debian ./install.sh

    Corrected in Shorewall 4.5.21.3.

14) The tarball installers don't run update-rc.d on Debian-based
    systems without insserv.

    Corrected in Shorewall 4.5.21.3.

15) If an HFSC class is specified with dmax but not umax, then
    the firewall fails to start with the messages:

      Nov 14 13:42:42 Setting up Traffic Control...
      HFSC: Illegal "umax"
      HFSC: Illegal "sc"
      ERROR: Command "tc class add dev eth1 parent 1:1 classid 1:110 hfsc sc
         umax b dmax 150ms rate 1575kbit ul rate 3150kbit" Failed

    Workaround: Specify a umax value equal to the device MTU.

    Corrected in Shorewall 4.5.21.4.

16) The 'add' command fails if 'IPSET=' appears in the
    shorewall.conf file.

    Workaround: Specify the correct pathname in the IPSET= entry.

    Corrected in Shorewall 4.5.21.5.

16) When a non-terminating target specifies logging, the compiler
    erroneously generates a 'goto' (-g) iptables command rather than a
    'jump' (-j) command. This causes the wrong set of rules to be
    traversed, usually the catchall 'REJECT' rule at the end of the
    INPUT or FORWARD chain.

    Corrected in Shorewall 4.5.21.6.

17) When an interface containing a period (such as a VLAN interface)
    is used in an 'add' or 'delete' command, the wrong ipset name is
    generated, resulting in failure of the command.

    Workaround: Replace the period in the interface with an underscore.

    Corrected in Shorewall 4.5.21.6.

18) Existing connections are not blocked when ADMINISABSENTMINDED=No
    and the firewall is stopped.

    Corrected in Shorewall 4.5.21.7 (but read the release notes
    carefully).

19) If an rtrules entry duplicates a Shorewall-generated route rule but
    has a lower priority than the generated one (20000), then a
    disable/enable sequence on the provider will result in duplicate
    rules with priority 20000.

    Workaround: Specify the 'loose' option and specify all needed route
    rules for the provider in /etc/shorewall[6]/rtrules.

    Corrected in Shorewall 4.5.21.8.

20) When 'shorewall[6] debug [re]start' is run, any error messages
    generated because of ip[6]tables command errors do not include '-t
    table'.

    Corrected in Shorewall 4.5.21.8.

21) The output of 'shorewall show capabilities' always shows the
    'Recent match --reap option' as 'Not Available'. 'shorewall show -f
    capabilities' correctly reports the capability.

    Corrected in Shorewall 4.5.21.9.

22) When a rules file section other than NEW begins with a ?COMMENT
    directive, the comment erroneously appears in the rule that
    jumps to the section chain as well as in the rules directly related
    to the following entries.

    Corrected in Shorewall 4.5.21.9.

23) Rule comments are omitted from the compiler's 'trace' output in
    some cases.

    Corrected in Shorewall 4.5.21.9.

24) When FASTACCEPT=Yes, ESTABLISHED,RELATED accept rules are
    incorrectly omitted from an interface's _in and _fwd chains when
    'rpfilter' is specified in the interface's entry in
    /etc/shorewall[6]/interfaces.

    Workaround: Set FASTACCEPT=No

    Corrected in Shorewall 4.5.21.9.
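
Added example (not part of the original notes and not Shorewall code) for the goto/jump problem above, the second item numbered 16: a toy model of iptables chain traversal showing why '-g' to a logging chain that ends in a non-terminating target lands on the catchall REJECT, while '-j' resumes in the calling chain. The chain names (net-fw, logmark) and the rules are constructed for illustration.

```python
# Added example: toy model of iptables chain traversal (not Shorewall code).
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def traverse(chains, builtin, policy="DROP"):
    """Return (verdict, trace) for a packet that matches every rule."""
    stack = []                          # return addresses; pushed by -j only
    chain, idx, trace = builtin, 0, []
    while True:
        rules = chains[chain]
        if idx >= len(rules):           # end of chain: implicit RETURN
            if not stack:
                return policy, trace    # nothing to return to: chain policy
            chain, idx = stack.pop()
            continue
        option, target = rules[idx]
        trace.append(f"{chain}: {option} {target}")
        if target in TERMINAL:
            return target, trace
        if target in chains:            # user-defined chain
            if option == "-j":
                stack.append((chain, idx + 1))
            # -g pushes nothing, so a later RETURN skips the rest of 'chain'
            chain, idx = target, 0
            continue
        idx += 1                        # non-terminating target (LOG, MARK)

def ruleset(option):
    """Constructed chains; 'option' is how net-fw reaches the log chain."""
    return {
        "INPUT":   [("-j", "net-fw"), ("-j", "REJECT")],  # catchall REJECT last
        "net-fw":  [(option, "logmark"), ("-j", "ACCEPT")],
        "logmark": [("-j", "LOG"), ("-j", "MARK")],        # both non-terminating
    }

if __name__ == "__main__":
    for option in ("-j", "-g"):
        verdict, trace = traverse(ruleset(option), "INPUT")
        print(option, "->", verdict)
        print("   " + "\n   ".join(trace))
```

With '-j' the packet returns to net-fw and is accepted; with '-g' the return address is the one saved by INPUT, so the rest of net-fw is never evaluated.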
