1)  On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.

2)  The 'enable', 'reenable' and 'disable' commands do not work
    correctly in configurations with USE_DEFAULT_RT=No and optional
    providers listed in the DUPLICATE column.

3)  The 'getrc' and 'getcaps' commands do not process the params file.

    Corrected in Shorewall 5.2.0.1.

4)  The getrc and getcaps commands added in 5.2.0 do not read the
    params file.

    Corrected in Shorewall 5.2.0.1.

3)  There is a shell syntax error in the code that implements the
    'ipdecimal' command.

    Corrected in Shorewall 5.2.0.1.

4)  The 'safe-' commands fail with the error:

        /usr/sbin/shorewall: 1194: /usr/sbin/shorewall:
	                           read_yesno_with_timeout: not found

    Corrected in Shorewall 5.2.0.2.

5)  When the -c option is specified with the 'compile' command, and
    AUTOMAKE=No or AUTOMAKE=, the command fails with errors such as:

      usr/sbin/shorewall: 415: [: =: unexpected operator
      /usr/bin/find: Expected a positive decimal integer argument to
                     -maxdepth, but got ‘-type’
      /usr/sbin/shorewall: 415: [: =: unexpected operator
      /usr/bin/find: Expected a positive decimal integer argument to
                     -maxdepth, but got ‘-type’

    Corrected in Shorewall 5.2.0.2.

6)  The 'show saves' command fails when there are no saved
    configurations.

    Corrected in Shorewall 5.2.0.2.

7)  The 'update' command does not replace Drop or Reject in the setting
    of BLACKLIST_DEFAULT.

8)  The 'update' command (and automatic conversion of the masq file)
    fail to handle variables of the form ${...} correctly, resulting in
    "Invalid column/value pair" errors.

    Corrected in Shorewall 5.2.0.3.

9)  If AUTOMAKE is not specified in shorewall[6].conf, the following
    Perl diagnostic was issued:

      Use of uninitialized value $val in pattern match (m//) at
      /usr/share/shorewall/Shorewall/Config.pm line 6602

    Corrected in Shorewall 5.2.0.3.

10) if an ethernet provider interface loses carrier, an attempt to
    disable the interface may result in an error similar to this:

      Error: "nexthop" or end of line is expected instead of "linkdown"
      ERROR: Command "ip -4 route replace table 250 default
             nexthop via 192.168.0.1 dev eth2 weight 1 linkdown" Failed

    Corrected in Shorewall 5.2.0.3.

11) The 'lost carrier' change in 5.0.2.3 does not play well with link
    monitors like FooLSM. When carrier is restored, the link monitor
    might be unable to detect that the interface is working
    again.

    Corrected in Shorewall 5.2.0.4.

12) If

    - DYNAMIC_BLACKLIST=ipset...,src-dst... with logging specified
    - dbl=src_dst appears in the OPTIONS column of an interface

    then compilation fails with a series of Perl runtime diagnostics

      Use of uninitialized value $to in split at
        /usr/share/shorewall/Shorewall/Chains.pm line 2769.
      Use of uninitialized value $target in hash element at
        /usr/share/Shorewall/Chains.pm line 2770.
      Use of uninitialized value $target in hash element at
        /usr/share/shorewall/Shorewall/Chains.pm line 2771.
      Use of uninitialized value $to in concatenation (.) or string at
        /usr/share/shorewall/Shorewall/Chains.pm line 2771.

    and possibly the message

        ERROR: Unknown rule target () ...

    Workaround:

    remove dbl=src_dst from the OPTIONS column of the interfaces file.

    Corrected in Shorewall 5.2.0.4.

13) Including rules in the UNTRACKED section of the rules file may
    result in errors such as the following:

       ERROR: Command "/sbin/iptables --wait -t filter -A &loc-fw -m
                       addrtype --dst-type BROADCAST -j ACCEPT" Failed
       iptables v1.8.0 (legacy): option "-A" requires an argument
       Try `iptables -h' or 'iptables --help' for more information. »

    Corrected in Shorewall 5.2.0.5.

14) Where Shorewall-lite is deployed on OpenWRT (LEDE), stale 'lock'
    processes may be left running after 'shorewall-lite' exits.

    Corrected in Shorewall 5.2.0.5.

15) When the 'ipcalc' command is invoked with no arguments, a
    misleading 'too many arguments' message is issued.

    Corrected in Shorewall 5.2.0.5.
