Disallow CONTINUE rules with exclusion

Shorewall/Perl/Shorewall/Chains.pm

@@ -3380,7 +3380,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	#
 	# We have non-trivial exclusion -- need to create an exclusion chain
 	#
-	fatal_error "Exclusion is not possible in ACCEPT+/CONTINUE/NONAT rules" if $disposition eq 'RETURN';
+	fatal_error "Exclusion is not possible in ACCEPT+/CONTINUE/NONAT rules" if $disposition eq 'RETURN' || $disposition eq 'CONTINUE';
 
 	#
 	# Create the Exclusion Chain

Shorewall/known_problems.txt

@@ -106,7 +106,7 @@
     rules (tcrules and rules files). The generated iptables (ip6tables)
     rules do not work as expected.
 
-    Workaround: Don't use exclusion in CONTINUE rules.
+    Corrected in Shorewall 4.4.11.4.
 
 16) Exclusion in blacklist file entries is correctly validated but is
     then ignored when generating iptables (ip6tables) input.

Shorewall/releasenotes.txt

@@ -236,6 +236,10 @@ I I I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 5)  Previously, the interface option combination of 'optional' and
     'upnpclient' did not work correctly.
 
+6)  Earlier releases allowed CONTINUE rules with exclusion. These rules
+    generated valid but incorrect iptables (ip6tables) input. Such
+    rules are now disallowed. 
+
 4.4.11.3
 
 1)  When 'any' was used in the rules SOURCE column, a duplicate rule