Disallow ipsec zones nested within an ip zone

Shorewall/Perl/Shorewall/Zones.pm

@@ -376,6 +376,12 @@ sub process_zone( \$ ) {
     } else {
 	fatal_error "Invalid zone type ($type)" ;
     }
+
+    if ( $type eq IPSEC ) {
+	for ( @parents ) {
+	    fatal_error "Parent zone $_ is not an IPSEC Zone" unless $zones{$_}{type} eq IPSEC;
+	}
+    }
     
     for ( $options, $in_options, $out_options ) {
 	$_ = '' if $_ eq '-';

Shorewall/changelog.txt

@@ -6,6 +6,8 @@ Changes in Shorewall 4.4.0-RC2
 
 3)  Make 'any' a reserved zone name.
 
+4)  Issue a warning if an ipsec zone is nested in a non-ipsec zone.
+
 Changes in Shorewall 4.4.0-RC1
 
 1)  Delete duplicate Git macro.

Shorewall/releasenotes.txt

@@ -121,6 +121,9 @@ Shorewall 4.4.0 RC2
 3)  'any' is now a reserved name. In RC1, 'any' could be defined as the
     name of a zone.
 
+4)  Previously, an IPSEC zone could be defined as a sub-zone of a
+    non-IPSEC zone. This invalid definition is now flagged with an error.
+
 ----------------------------------------------------------------------------
              K N O W N   P R O B L E M S   R E M A I N I N G
 ----------------------------------------------------------------------------