From 383f3e8bcf505cef333ec34b188e2336f5d29cde Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 26 Aug 2009 12:44:10 -0700 Subject: [PATCH] Fix nested IPSEC zones --- Shorewall/Perl/Shorewall/Rules.pm | 2 +- Shorewall/changelog.txt | 2 ++ Shorewall/releasenotes.txt | 2 ++ 3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 8956bc8e0..86b7d64da 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1694,7 +1694,7 @@ sub generate_matrix() { add_jump( $sourcechainref, source_exclusion( $hostref->{exclusions}, $frwd_ref ), - 1, + ! @{$zoneref->{parents}}, join( '', $interfacematch , match_source_net( $net ), $ipsec_match ) ); }
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index ebcd92365..de377eb39 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -16,6 +16,8 @@ Changes in Shorewall 4.4.1 8) Fix log level in rules at the end of INPUT and OUTPUT chains. +9) Fix nested ipsec zones. + Changes in Shorewall 4.4.0 1) Fix 'compile ... -' so that it no longer requires '-v-1'
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 0e5c6ac91..540694905 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -173,6 +173,8 @@ Shorewall 4.4.1 rules at the end of the INPUT and OUTPUT chains would still use the LOG target rather than ULOG. +2) Using CONTINUE policies with a nested IPSEC zone was broken. + ---------------------------------------------------------------------------- K N O W N P R O B L E M S R E M A I N I N G ----------------------------------------------------------------------------
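Review bot: The new third argument to add_jump in the Rules.pm hunk, `! @{$zoneref->{parents}}`, is the whole fix yet carries no explanation of why a nested zone's jump must differ from a top-level one; a one-line comment such as `# Only a top-level zone's jump is terminal; a nested zone must fall through to its parents' rules (CONTINUE policy)` would stop the next maintainer from "simplifying" it back to `1`. The expression also dereferences `$zoneref->{parents}` as an array unconditionally, which under strict refs dies if a zone record can ever lack that key; if the zone constructor does not guarantee it, `! @{ $zoneref->{parents} || [] }` is the defensive spelling. Note that the negation yields the empty string rather than 0 for nested zones, so any consumer of that add_jump argument that compares it numerically or emits it into generated rule text should be checked. The enclosing generate_matrix begins and ends outside this hunk.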