Disallow CONTINUE rules with exclusion

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2010-09-04 07:10:41 -07:00
parent b7f5a0645e
commit e4e1ba2022
3 changed files with 12 additions and 8 deletions

View File

@ -3392,7 +3392,7 @@ sub expand_rule( $$$$$$$$$$;$ )
#
# We have non-trivial exclusion -- need to create an exclusion chain
#
fatal_error "Exclusion is not possible in ACCEPT+/CONTINUE/NONAT rules" if $disposition eq 'RETURN';
fatal_error "Exclusion is not possible in ACCEPT+/CONTINUE/NONAT rules" if $disposition eq 'RETURN' || $disposition eq 'CONTINUE';
#
# Create the Exclusion Chain
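Review bot: the guard now rejects CONTINUE alongside RETURN, but nothing in the hunk records why a CONTINUE disposition cannot be honoured once the rule is split into an exclusion chain (the changelog hunks on this page only say the generated rules were "valid but incorrect"), and the error text "ACCEPT+/CONTINUE/NONAT" has to be kept in sync with the condition by hand. Suggest a one-line comment above the fatal_error stating what goes wrong with CONTINUE inside the generated chain, and, since the list of rejected dispositions is growing, replacing the chained `eq` tests with a single lookup (for example a hash of dispositions that are incompatible with exclusion) so that the condition and the message are maintained in one place.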

View File

@ -30,3 +30,8 @@
ignored when generating iptables (ip6tables) rules.
Corrected in Shorewall 4.4.12.2.
8) Shorewall allows CONTINUE rules with exclusion. These rules
generate valid but incorrect iptables (ip6tables) input.
Corrected in Shorewall 4.4.12.2 -- these rules are now disallowed.
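Review bot: the new entry 8) gives the symptom and the outcome ("now disallowed") but not what an upgrading user will actually see, which is the fatal_error text "Exclusion is not possible in ACCEPT+/CONTINUE/NONAT rules" from the first hunk. Suggest quoting that message in the entry so that someone whose compile fails after upgrading can match it to this known problem, and adding a sentence on how an existing CONTINUE rule with exclusion should be rewritten.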

View File

@ -226,10 +226,14 @@ I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
4.4.12.2
1) The fix for COMMENT and OPTIMIZE 8-15 in 4.4.12.1 missed one case
1) Earlier releases allowed CONTINUE rules with exclusion. These rules
generated valid but incorrect iptables (ip6tables) input. Such
rules are now disallowed.
2) The fix for COMMENT and OPTIMIZE 8-15 in 4.4.12.1 missed one case
which has mpe been corrected.
2) Previously, exclusion in the blacklist file was correctly validated
3) Previously, exclusion in the blacklist file was correctly validated
but was then ignored when generating iptables (ip6tables) rules.
4.4.12.1
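Review bot: the context line "which has mpe been corrected" in the renumbered entry 2) carries a typo ("mpe" for "now") that this hunk leaves in place; since the hunk already rewrites the neighbouring numbering line, fixing it here would save a separate changelog commit. The renumbering itself is consistent, and the new 1) matches, word for word, the entry removed from the 4.4.12.1 section in the following hunk.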
@ -251,13 +255,8 @@ I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
5) Previously, the interface option combination of 'optional' and
'upnpclient' did not work correctly.
6) Earlier releases allowed CONTINUE rules with exclusion. These rules
generated valid but incorrect iptables (ip6tables) input. Such
rules are now disallowed.
4.4.12
1) Previously, the Shorewall6-lite version of shorecap was using
iptables rather than ip6tables, with the result that many capabilities
that are only available in IPv4 were being reported as available.
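Review bot: the hunk header advertises 13 lines shrinking to 8, yet only the three lines of entry 6) are visible as removed in this rendering, so the other removed lines (most likely blank separators) cannot be checked here; worth confirming that a blank line still separates the end of the 4.4.12.1 section from the "4.4.12" heading. Moving the entry out of 4.4.12.1 is consistent with the known_problems hunk, which names 4.4.12.2 as the release that corrects it.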