1)  On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.

2)  The 'enable', 'reenable' and 'disable' commands do not work
    correctly in configurations with USE_DEFAULT_RT=No and optional
    providers listed in the DUPLICATE column.

3)  When address variables for an optional interface are used, and the
    interface does not have an IP address when the firewall is started,
    then enabling the interface does not create the rules that use the
    address variables.

    Workaround: Use the 'reload' command rather than the 'enable'
    command when the interface becomes usable.

4)  When running Shorewall 5 on older distributions, such as CentOS 6,
    Shorewall ipset creation will fail with an error similar to the
    following:

       WARNING: ipset lvpn does not exist; creating it as an hash:net set
       ipset v6.11: Unknown argument: `counters'
       Try `ipset help' for more information.

    Workaround: Create the ipset yourself.

       ipset create <name> hash:net family inet timeout 0

    Corrected in Shorewall 5.0.13.1.

5)  When running Shorewall 5.0.13.1, the compiler will crash when all
    of the following are true:

    1)  LOAD_HELPERS_ONLY=Yes and a capabilities file is not being
        used.

    2)  SAVE_IPSETS=Yes or SAVE_IPSETS=ipv4 in shorewall.conf.

    3)  Ipset-based dynamic blacklisting is being used.

    4)  No other ipset-based rules appear in the configuration.

    Workaround: Use a capabilities file:

       shorewall show -f capabilities > /etc/shorewall/capabilities

    Corrected in Shorewall 5.0.13.2.

6)  When the effective verbosity is < 2 and the 'disconnect' option is
    specified in DYNAMIC_BLACKLIST, a successful 'blacklist' command
    issues the following error message and produces no other output.

       sed: -e expression #1, char 8: unknown command: `/'

    Corrected in Shorewall 5.0.13.3
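
A pre-upgrade check for the conditions listed in item 5, as an added example that is not part of Shorewall or of the original notes. The function names are hypothetical, and the script assumes that an ipset-based DYNAMIC_BLACKLIST value begins with "ipset" and that the capabilities file sits beside shorewall.conf, as in the workaround path above.

```shell
#!/bin/sh
# Added example (not Shorewall code): report whether a configuration
# directory meets conditions 1-3 of item 5 (compiler crash in 5.0.13.1).

# Print the last value assigned to KEY ($1) in a shorewall.conf-style
# file ($2), with quotes, trailing comments and trailing blanks removed.
conf_get() {
    sed -n "s/^[[:space:]]*$1=\([^#]*\).*/\1/p" "$2" |
        tail -n 1 | tr -d "\"'" | sed 's/[[:space:]]*$//'
}

# Return 0 when conditions 1-3 hold, 1 when any of them does not,
# 2 when shorewall.conf cannot be read. Condition 4 (no other
# ipset-based rules) is not checked, so 0 means "possibly affected".
item5_exposed() {
    dir=$1
    conf="$dir/shorewall.conf"
    [ -r "$conf" ] || return 2

    helpers=$(conf_get LOAD_HELPERS_ONLY "$conf")
    save=$(conf_get SAVE_IPSETS "$conf")
    dbl=$(conf_get DYNAMIC_BLACKLIST "$conf")

    # 1) LOAD_HELPERS_ONLY=Yes and no (non-empty) capabilities file
    case $helpers in [Yy][Ee][Ss]) ;; *) return 1 ;; esac
    [ -s "$dir/capabilities" ] && return 1

    # 2) SAVE_IPSETS=Yes or SAVE_IPSETS=ipv4
    case $save in [Yy][Ee][Ss]|ipv4) ;; *) return 1 ;; esac

    # 3) ipset-based dynamic blacklisting (assumption: value starts "ipset")
    case $dbl in ipset*) ;; *) return 1 ;; esac
    return 0
}

# Stand-alone use: sh check.sh /etc/shorewall
if [ $# -gt 0 ]; then
    if item5_exposed "$1"; then
        echo "$1: conditions 1-3 of item 5 hold; create a capabilities file"
    else
        echo "$1: not exposed to item 5 (or shorewall.conf unreadable)"
    fi
fi
```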