Fix nested IPSEC zones

2024-11-09 01:04:06 +01:00 · 2009-08-26 12:44:10 -07:00 · 2009-08-26 12:44:10 -07:00 · 383f3e8bcf
commit 383f3e8bcf
parent 608d7b11da
3 changed files with 5 additions and 1 deletions
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -1694,7 +1694,7 @@ sub generate_matrix() {
 			add_jump(
 				 $sourcechainref,
 				 source_exclusion( $hostref->{exclusions}, $frwd_ref ),
-				 1,
+				 ! @{$zoneref->{parents}},
 				 join( '', $interfacematch , match_source_net( $net ), $ipsec_match )
 				);
 		    }
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -16,6 +16,8 @@ Changes in Shorewall 4.4.1

 8)  Fix log level in rules at the end of INPUT and OUTPUT chains.

+9)  Fix nested ipsec zones.
+
 Changes in Shorewall 4.4.0

 1)  Fix 'compile ... -' so that it no longer requires '-v-1'
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -173,6 +173,8 @@ Shorewall 4.4.1
    rules at the end of the INPUT and OUTPUT chains would still use the
    LOG target rather than ULOG.

+2)  Using CONTINUE policies with a nested IPSEC zone was broken.
+
 ----------------------------------------------------------------------------
             K N O W N   P R O B L E M S   R E M A I N I N G
 ----------------------------------------------------------------------------