forked from extern/shorewall_code
Don't combine rules with '-m policy'
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
da4f7ee524
commit
1e11109bb2
@ -951,7 +951,7 @@ sub compatible( $$ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return 1;
|
return ! ( $ref1->{policy} && $ref2->{policy} );
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -1536,7 +1536,7 @@ sub handle_complex_zone( $$ ) {
|
|||||||
|
|
||||||
if ( have_ipsec ) {
|
if ( have_ipsec ) {
|
||||||
#
|
#
|
||||||
# Prior to KLUDGEFREE, policy match could only match an 'in' or an 'out' policy (but not both), so we place the
|
# In general, policy match can only match an 'in' or an 'out' policy (but not both), so we place the
|
||||||
# '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets
|
# '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets
|
||||||
# can match '--pol none --dir out' rules and send the packets down the wrong rules chain.
|
# can match '--pol none --dir out' rules and send the packets down the wrong rules chain.
|
||||||
#
|
#
|
||||||
|
Loading…
Reference in New Issue
Block a user