Don't combine rules with '-m policy'

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-08-16 08:34:30 -07:00
parent da4f7ee524
commit 1e11109bb2
2 changed files with 2 additions and 2 deletions


@ -951,7 +951,7 @@ sub compatible( $$ ) {
} }
} }
return 1; return ! ( $ref1->{policy} && $ref2->{policy} );
} }
# #
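Review bot: The new return on the last changed line refuses to merge two rules only when both carry a `policy` entry, but nothing in the hunk says why, so a later cleanup could plausibly collapse it back to `return 1;`; the rest of `compatible` (its body starts and continues outside this hunk) does not mention policy match either. I would put the reason on the line itself: `# Never merge two rules that both carry '-m policy': the iptables policy match can match an 'in' or an 'out' policy but not both, so one rule cannot hold two policy matches.` The test relies on `policy` being truthy; if an empty string or '0' can ever be stored under that key, `exists $ref1->{policy}` would be the safer check, but I cannot tell from this hunk which it is. Since the other compatibility checks are outside the hunk, I also cannot confirm that no earlier branch still returns 1 for two policy-carrying rules before this line is reached.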


@ -1536,7 +1536,7 @@ sub handle_complex_zone( $$ ) {
if ( have_ipsec ) { if ( have_ipsec ) {
# #
# Prior to KLUDGEFREE, policy match could only match an 'in' or an 'out' policy (but not both), so we place the # In general, policy match can only match an 'in' or an 'out' policy (but not both), so we place the
# '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets # '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets
# can match '--pol none --dir out' rules and send the packets down the wrong rules chain. # can match '--pol none --dir out' rules and send the packets down the wrong rules chain.
# #