1)  On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.

2)  The DNSAmp action released in 4.6.3 matches more packets than it
    should.

    Workaround: Change the single rule in
    /usr/share/shorewall/action.DNSAmp to:

        IPTABLES(@1) - - udp 53 ; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"

    Corrected in 4.6.3.1.

3)  A typo results in the following misleading error message:

        ERROR: The xxx TARGET is now allowed in the filter table

    The message should read:

        ERROR: The xxx TARGET is not allowed in the filter table

    Corrected in 4.6.3.1.

4)  The shorewall[6]-actions manpages contain incorrect examples of
    the usage of table names with builtin actions.

    Incorrect:

        FOOBAR,filter,mangle

    Correct:

        FOOBAR builtin,filter,mangle

    The online versions of the manpages have been corrected.

    Corrected in 4.6.3.2.

5)  Including a PREROUTING SECTION in the accounting file
    unconditionally results in a fatal error:

        ERROR: The PREROUTING SECTION is not allowed when ACCOUNTING_TABLE=filter

    Corrected in 4.6.3.3.

6)  The Universal configuration fails to start with the error:

        ERROR: No network interface available: Firewall state not changed

    Workaround: Remove the 'optional' option from the 'net' entry in
    /etc/shorewall/interfaces.

    Corrected in 4.6.3.4.

7)  When required interfaces are present, Shorewall-init will fail to
    start. This defect was introduced in Shorewall 4.6.3.

    Corrected in 4.6.3.4.

8)  The defect repair from 4.6.2.5 was inadvertently omitted from
    4.6.3.

    Corrected in 4.6.3.4.

9)  When ADMINISABSENTMINDED=No, use of the stoppedrules file does not
    behave as documented. Until this issue is resolved, we recommend
    avoiding this configuration.
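
The two u32 tests in the item 2 workaround, evaluated in Python against constructed packets so the rule's coverage can be checked before deploying it. This is an added example, not part of Shorewall; dnsamp_u32_matches and build_packet are hypothetical names, and the "udp 53" part of the rule is not modeled.

```python
import struct

def u32_at(pkt, off):
    """Big-endian 32-bit read; None when out of range (u32 then fails to match)."""
    if off < 0 or off + 4 > len(pkt):
        return None
    return struct.unpack_from("!I", pkt, off)[0]

def dnsamp_u32_matches(pkt):
    """Hypothetical helper: evaluate both u32 tests on a raw IPv4 packet."""
    first = u32_at(pkt, 0)
    if first is None:
        return False
    base = (first >> 22) & 0x3C            # 0>>22&0x3C: IPv4 header length in bytes
    flags_word = u32_at(pkt, base + 8)     # @8: skip 8-byte UDP header -> DNS ID | flags
    counts_word = u32_at(pkt, base + 12)   # @12: QDCOUNT | ANCOUNT
    if flags_word is None or counts_word is None:
        return False
    # flags == 0x0100 (standard query, RD set) and QDCOUNT == 1
    return (flags_word & 0xFFFF) == 0x0100 and (counts_word & 0xFFFF0000) == 0x00010000

def build_packet(flags, qdcount, ihl_words=5):
    """Constructed sample: IPv4/UDP/DNS packet (checksums left at zero)."""
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 255, 1)  # ANY, IN
    dns = struct.pack("!HHHHHH", 0x1234, flags, qdcount, 0, 0, 0) + question
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                     ihl_words * 4 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53]))
    return ip + b"\x00" * ((ihl_words - 5) * 4) + udp

if __name__ == "__main__":
    cases = {
        "query, RD set, 1 question": build_packet(0x0100, 1),
        "same query, IPv4 options present": build_packet(0x0100, 1, ihl_words=6),
        "response (QR set)": build_packet(0x8180, 1),
        "query, RD clear": build_packet(0x0000, 1),
        "query, 2 questions": build_packet(0x0100, 2),
        "truncated before DNS flags": build_packet(0x0100, 1)[:30],
    }
    for name, pkt in cases.items():
        print(f"{name:35s} match={dnsamp_u32_matches(pkt)}")
```
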