1)  On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.

2)  The 'enable', 'reenable' and 'disable' commands do not work
    correctly in configurations with USE_DEFAULT_RT=No and optional
    providers listed in the DUPLICATE column.

3)  While the 'ip' utility now accepts IPv6 routes with multiple
    'nexthop' destinations, these routes are not balanced. They are
    rather instantiated as a sequence of single routes with different
    metrics.  Furthermore,  the 'ip route replace' command fails on
    such routes. Beginning with Shorewall6 5.0.15, the generated script
    uses a "delete..add.." sequence on these routes rather than a
    single "replace" command.

4)  If more than one zone is excluded in a policy file entry, an error
    similar to the following is raised:

      ERROR: 'all' is not allowed in a source zone list
      	     /etc/shorewall/policy (line 8) 

    Corrected in Shorewall 5.2.3.1

5)  Shorewall 5.2 automatically converts and existing 'masq' file to an
    equivalent 'snat' file. Regrettably, Shorewall 5.2.3 broke that
    automatic update, such that the following error message was issued:

       Use of uninitialized value $Shorewall::Nat::rawcurrentline in
       pattern match (m//) at /usr/share/shorewall/Shorewall/Nat.pm
       line 511, <$currentfile> line nnn.

    and the generted 'masq' file contains only initial comments.

    Workaround:

        After upgrading to 5.2.3, issue this command:

	    'shorewall[6] update'

    Corrected in 5.2.3.2.

6)  If an ipset is listed in the SPORT column, the compiler raises
    an error similar to:

      ERROR: Invalid ipset name () /etc/shorewall/rules (line 44)

    Corrected in 5.2.3.3.

7)  If multi-queue NFQUEUE (e.g., NFQUEUE(0:1) ) is used as a policy,
    an error such as the following is incorrectly raised.

      ERROR: Invalid policy (NFQUEUE(0) /etc/shorewall/policy (line
             15)
    
    Corrected in 5.2.3.4.

8)  If multi-queue NFQUEUE( e.g., NFQUEUE(0:1,bypass) ) is passed to a
    macro, an error such as the following is incorrectly raised:

      ERROR: Invalid ACTION (PARAM:1c,bypass)))
             /usr/share/shorewall/macro.BitTorrent (line 12)
	     from /etc/shorewall/rules (line 40)

    Corrected in 5.2.3.4.

9)  If shorewall[6].conf doesn't set AUTOMAKE, the 'update' command
    will produce a new file with 'AUTOMAKE=Yes'. This results in an
    unexpected change of behavior.

    Corrected in 5.2.3.4.

10) Shorewall-rules(5) incorrectly states that the 'bypass' option to
    NFQUEUE causes the rule to be silently bypassed if there is no
    application attached to the queue. The actual behavior is that the
    rule acts like ACCEPT.

    Corrected in 5.2.3.4.

