I've been adapting Shorewall v2.0.8 to work on OpenWRT, with the hope of making it into a package.
Here are some issues I've had with it so far:
It's very slow to initialise - v2 has all these "action" files that take a long time to process. Having shorewall start at boot time would make for a long boot.
The iptables compiled into the .bin file I used doesn't have the --set-tos option which Shorewall needs to do TOS stuff - you can get around this by simply deleting Shorewall's tos file.
Shorewall uses printf to write to the log file and the .bin I used doesn't have printf compiled into busybox.
Shorewall by default checks for the existence of the Logfile (usually /var/log/messages) and complains if it's not there. I changed it so instead of complaining it touches the file to create it.
There's no /etc/services in OpenWRT so all services have to be referred to by port number, not service name. I had to edit the tos file to reflect this. (Shortly before I deleted it.)
I'm not 100% sure shorewall is appropriate to use in OpenWRT, but I would like to find something that makes configuring the firewall a bit easier. We're not all netfilter gurus! Any suggestions?
I chose shorewall because it's very flexible. If we're going to start having lots of VLANs I think using iptables alone is going to be a bit of a mind-bender.
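The issues listed in the post (no printf in BusyBox, no --set-tos in iptables, no /etc/services, a missing log file) are all things a preflight script can check before Shorewall is started. The script below is an added example, not code from the original post or from Shorewall; the services file contents and log path used in it are constructed for illustration, and the iptables capability check assumes the TOS target prints its option list with --help, which is how stock iptables behaves.

```shell
#!/bin/sh
# Preflight checks for running Shorewall on a BusyBox-based OpenWRT image.
# Added example, not part of the original post or of Shorewall itself.

# Return 0 if the named command/applet is available in this BusyBox build.
have_cmd() {
    command -v "$1" >/dev/null 2>&1
}

# Return 0 if the installed iptables accepts the TOS target's --set-tos option.
# Without it Shorewall's tos file cannot be loaded, and the simplest fix is
# to delete (or empty) /etc/shorewall/tos, as the post describes.
iptables_supports_set_tos() {
    have_cmd iptables || return 1
    iptables -j TOS --help 2>&1 | grep -q -- '--set-tos'
}

# Map a service name or port number to a port number.
#   $1 = name or number, $2 = services file (default /etc/services).
# Numeric input is passed straight through, which is the only form that works
# on an image without /etc/services; a name on such an image is an error.
service_to_port() {
    svc=$1
    services_file=${2:-/etc/services}
    case $svc in
        ''|*[!0-9]*) ;;                    # not purely numeric: look it up
        *) echo "$svc"; return 0 ;;        # already a port number
    esac
    [ -r "$services_file" ] || return 1
    port=$(awk -v name="$svc" \
        '$1 == name { split($2, a, "/"); print a[1]; exit }' "$services_file")
    [ -n "$port" ] || return 1
    echo "$port"
}

# Create the log file Shorewall expects instead of failing when it is absent.
ensure_logfile() {
    logfile=$1
    [ -f "$logfile" ] && return 0
    mkdir -p "$(dirname "$logfile")" && : > "$logfile"
}

# Run every check, print a warning per problem and echo the problem count.
preflight() {
    problems=0
    have_cmd printf || {
        echo "WARN: busybox lacks printf; Shorewall's log writes will fail"
        problems=$((problems + 1)); }
    iptables_supports_set_tos || {
        echo "WARN: iptables lacks --set-tos; remove /etc/shorewall/tos"
        problems=$((problems + 1)); }
    [ -r /etc/services ] || {
        echo "WARN: no /etc/services; refer to services by port number"
        problems=$((problems + 1)); }
    echo "$problems"
}

# Run the checks only when invoked directly with --run, so the functions can
# also be sourced from another script.
if [ "${1-}" = "--run" ]; then
    preflight
fi
```

Run it as `sh preflight.sh --run` on the router; a non-zero count means one of the workarounds from the post is still needed before `shorewall start` will succeed.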