1) All versions of Shorewall-perl mishandle per-IP rate limiting in REDIRECT and DNAT rules. The effective rate and burst are 1/2 of the values given in the rule. Corrected in 4.4.7.1 2) Detection of the 'Old hashlimit match' capability was broken in /sbin/shorewall, /sbin/shorewall-lite and in the IPv4 version of shorecap. This problem only affects users of older distributions such as RHEL5 and derivatives. Corrected in 4.4.7.2 3) On older distributions such as RHEL5 and derivatives, when LOAD_HELPERS_ONLY=No, Shorewall would fail to start if a TYPE was specified in /etc/shorewall/tcinterfaces. Corrected in 4.4.7.2 4) On older distributions such as RHEL5 and derivatives, when LOAD_HELPERS_ONLY=Yes, Shorewall would fail to start if a TYPE was specified in /etc/shorewall/tcinterfaces. Corrected in 4.4.7.3 5) A CONTINUE rule specifying a log level will cause the compiler to generate an incorrect rule sequence. The packet will be logged but the CONTINUE action will not occur. To work around the problem break the rule into two rules; a logging rule and a CONTINUE rule. Corrected in 4.4.7.5. 6) If multiple entries are present in /etc/shorewall/tcdevices and globally unique class numbers are not explicitly specified in /etc/shorewall/tcclasses, then 'shorewall start' will fail with a diagnostic such as: Setting up Traffic Control... RTNETLINK answers: File exists ERROR: Command "tc qdisc add dev eth1 parent 2:2 handle 2: sfq quantum 1500 limit 127 perturb 10" Failed Processing /etc/shorewall/stop ... Corrected in 4.4.7.5. 7) If a low per-IP rate limit (such as 1/hour) is specified, the effective enforced rate is much higher (approximately 6/min). The Shorewall compiler now configures the hashlimit table idle timeout based on the rate units (min, hour, ...) so that the rate is more accurately enforced. Corrected in 4.4.7.5. As part of this change, a unique hash table name is assigned to each per-IP rate limiting rule that does not specify a table name in the rule. The assigned names are of the form 'shorewallN' where N is an integer. Previously, all such rules shared a single 'shorewall' table which lead to unexpected results. 8) All prior versions of Shorewall-perl mishandle per-IP rate limiting in REDIRECT, DNAT and ACCEPT+ rules. The effective rate and burst are 1/2 of the values given in the rule. Corrected in 4.4.7.5.