1) In kernel 2.6.31, the handling of the rp_filter interface option was changed incompatibly. Previously, the effective value was determined by the setting of net.ipv4.conf.dev.rp_filter logically ANDed with the setting of net.ipv4.conf.all.rp_filter. Beginning with kernel 2.6.31, the value is the arithmetic MAX of those two values. Given that Shorewall sets net.ipv4.conf.all.rp_filter to 1 if there are any interfaces specifying 'routefilter', specifying 'routefilter' on any interface has the effect of setting the option on all interfaces.

   A workaround for this problem is included in Shorewall 4.4.5.1.

2) When using an up-to-date capabilities file with Shorewall 4.4.5.1, the following warning messages were issued.

   WARNING: Unknown capability (KERNELVERSION) ignored : /etc/shorewall2/capabilities (line 49)
   WARNING: Your capabilities file does not contain a Kernel Version -- using 2.6.30

   This defect was corrected in 4.4.5.2.

3) 'shorewall6 start' on Shorewall 4.4.5.2 generates a Perl run-time error. Also, handling of ROUTE_FILTER on kernel 2.6.31 and later was broken.

   This was fixed in 4.4.5.3.

4) With Shorewall 4.4.5.3, using a capabilities file with Shorewall6 will result in the following warnings during compilation:

   WARNING: Your capabilities file is out of date -- it does not contain all of the capabilities defined by Shorewall6 version 4.4.5.3
   WARNING: Your capabilities file does not contain a Kernel Version -- using 2.6.30

   Corrected in 4.4.5.4.

5) The change in Shorewall 4.4.5.1 broke the 'forward' interface option in Shorewall6.

   Corrected in 4.4.5.4.

6) Under rare and not fully understood circumstances, the Netfilter ruleset generated by Shorewall can include jumps to non-existent chains. This problem was apparently introduced between 4.4.0 and 4.4.5.

   Corrected in 4.4.5.5.
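
The change in semantics described in item 1, as an added example that is not part of Shorewall or of these release notes: a shell check that reports which interfaces end up with reverse-path filtering enabled only because of the 'all' setting. The function names are illustrative, the sample tree is constructed, and on a live system the directory argument would be /proc/sys/net/ipv4/conf.

```shell
# Added example (not Shorewall code); function names are illustrative.
# Succeed if kernel version $1 (e.g. 2.6.31, 5.15.0-91-generic) is >= 2.6.31.
uses_max_semantics() {
    ver=${1%%-*}                                   # drop any "-distro" suffix
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    patch=${patch%%[!0-9]*}; patch=${patch:-0}     # keep leading digits only
    [ "$major" -gt 2 ] && return 0
    [ "$major" -lt 2 ] && return 1
    [ "$minor" -gt 6 ] && return 0
    [ "$minor" -lt 6 ] && return 1
    [ "$patch" -ge 31 ]
}

# Print the effective rp_filter value for interface $2 in conf directory $1,
# using the semantics of kernel version $3.
effective_rp_filter() {
    all=$(cat "$1/all/rp_filter")
    dev=$(cat "$1/$2/rp_filter")
    if uses_max_semantics "$3"; then
        # 2.6.31 and later: arithmetic MAX of the two settings
        if [ "$all" -gt "$dev" ]; then echo "$all"; else echo "$dev"; fi
    else
        # before 2.6.31: logical AND, on only if both settings are non-zero
        if [ "$all" -ne 0 ] && [ "$dev" -ne 0 ]; then echo 1; else echo 0; fi
    fi
}

# List interfaces whose own setting is 0 but whose effective value is non-zero.
implicitly_filtered() {
    for d in "$1"/*; do
        [ -d "$d" ] || continue
        iface=${d##*/}
        case $iface in all|default) continue ;; esac
        [ "$(cat "$d/rp_filter")" -eq 0 ] || continue
        [ "$(effective_rp_filter "$1" "$iface" "$2")" -ne 0 ] && echo "$iface"
    done
    return 0
}

# Constructed sample: only eth0 specifies 'routefilter', so all=1 and eth0=1.
make_sample_conf() {
    root=$(mktemp -d)
    for i in all default eth0 eth1; do mkdir "$root/$i"; echo 0 > "$root/$i/rp_filter"; done
    echo 1 > "$root/all/rp_filter"; echo 1 > "$root/eth0/rp_filter"
    echo "$root"
}

sample=$(make_sample_conf)
for k in 2.6.30 2.6.31; do echo "$k: $(implicitly_filtered "$sample" "$k" | tr '\n' ' ')"; done
rm -rf "$sample"
```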