1)  On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.

    Corrected in Shorewall 4.4.19.1

2)  There is a harmless duplicate ACCEPT rule in the INPUT filter chain
    when the firewall is stopped.

    Corrected in Shorewall 4.4.19.1

3)  Shorewall interprets all 'nexthop' routes as default routes when
    analyzing the pre-start routing configuration. This can lead to
    unwanted default routes when the firewall is started or stopped.

    Corrected in Shorewall 4.4.19.1

3)  A defect introduced in Shorewall 4.4.17 broke the ability to
    specify ':<low port>-<high port>' in the ADDRESS column of 
    /etc/shorewall/masq.

    Corrected in Shorewall 4.4.19.1 

4)  There are several known problems in Complex TC:

    a) The following entry in /etc/shorewall/tcclasses

       	A:1 - 10*full/100:50ms 20*full/100 1 tcp-ack

       produces this error:

        ERROR: Unknown INTERFACE (A) : /etc/shorewall/tcclasses

    b) Shorewall reserves class number 1 for the root class of the
       queuing discipline. Defining class 1 in
       /etc/shorewall/tcclasses results in a run-time error.

    c) The compiler does not complain if a CLASSID specified in the MARK
       column of tcrules refers to an IFB class. Such a rule is
       nonsensical since packets are passed through the IFB before
       they are passed through any marking rules.

    d) Where there are more than 10 tcdevices, tcfilter entries can
       generate invalid rules.

    These problems are corrected in Shorewall 4.4.19.2.

3)  Double exclusion involving ipset lists is not detected,
    resulting in anomalous behavior.

    Example:

	ACCEPT:info $FW net:!10.1.0.7,10.1.0.9,+[!my-host[src]]]

    Corrected in Shorewall 4.4.19.2.

4)  The changes in 4.4.19.1 that corrected long-standing issues with
    default route save/restore are incompatible with 'gawk'. When
    'gawk' is installed (rather than 'mawk'), awk syntax errors having
    to do with the symbol 'default' are issued.

    Workaround: Install mawk

    Corrected in Shorewall 4.4.19.3.

5)  An entry in the USER/GROUP column in the rules and tcrules files
    can cause run-time start/restart failures if the rule(s) being
    added do not have the firewall as the source and are not being
    added to the POSTROUTING chain.

    Workaround: Ensure that USER/GROUP matches are specified only
    when the SOURCE is $FW (rules file) or the rule is being added to
    the POSTROUTING chain (:T designator in the tcrules file).

    Corrected in Shorewall 4.4.19.3.
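
    The workaround for problem 5 can be checked before a start/restart
    with a small lint pass. This is an added example, not part of
    Shorewall; the function names are hypothetical, and the column
    positions (rules: SOURCE=2, USER/GROUP=9; tcrules: MARK=1, SOURCE=2,
    USER=7) and the SECTION/COMMENT directive names are assumptions
    about the 4.4 file layout.

```shell
#!/bin/sh
# Added example (not Shorewall code): flag USER/GROUP entries that match the
# failure condition in item 5. Assumptions: the firewall zone is written as
# $FW, entries are not split with backslash continuations, and the columns
# are rules SOURCE=2, USER/GROUP=9 and tcrules MARK=1, SOURCE=2, USER=7.

# lint_usergroup KIND FILE   (KIND is "rules" or "tcrules")
# Prints "LINE:SOURCE:USER" for every entry that violates the workaround.
lint_usergroup() {
    awk -v kind="$1" '
        { sub(/#.*/, "") }                            # strip comments
        NF == 0 || $1 == "SECTION" || $1 == "COMMENT" { next }
        {
            ucol = (kind == "tcrules") ? 7 : 9
            user = (NF >= ucol) ? $ucol : "-"
            if (user == "-") next                     # no USER/GROUP match
            if ($2 == "$FW" || index($2, "$FW:") == 1) next   # firewall is the source
            if (kind == "tcrules" && $1 ~ /:T$/) next # POSTROUTING designator
            print NR ":" $2 ":" user
        }
    ' "$2"
}

# Constructed sample entries (not taken from a real configuration).
make_samples() {
    cat > "$1/rules" <<'EOF'
#ACTION  SOURCE  DEST  PROTO  DPORT  SPORT  ORIGDEST  RATE  USER/GROUP
ACCEPT   $FW     net   tcp    25     -      -         -     postfix
ACCEPT   loc     net   tcp    80     -      -         -     joe
ACCEPT   loc     net   tcp    443
EOF
    cat > "$1/tcrules" <<'EOF'
#MARK  SOURCE     DEST       PROTO  DPORT  SPORT  USER
1:T    0.0.0.0/0  0.0.0.0/0  tcp    22     -      root
2      $FW        0.0.0.0/0  tcp    80     -      :www
3:P    0.0.0.0/0  0.0.0.0/0  tcp    25     -      mail
EOF
}

# Demo run on the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
lint_usergroup rules "$demo_dir/rules"
lint_usergroup tcrules "$demo_dir/tcrules"
rm -rf "$demo_dir"
```

    On a real system, run lint_usergroup against /etc/shorewall/rules
    and /etc/shorewall/tcrules; any output line is an entry to fix.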

