forked from extern/shorewall_code
Disallow CONTINUE rules with exclusion
This commit is contained in:
parent
9125f4611c
commit
4089349eba
@ -3380,7 +3380,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
#
|
||||
# We have non-trivial exclusion -- need to create an exclusion chain
|
||||
#
|
||||
fatal_error "Exclusion is not possible in ACCEPT+/CONTINUE/NONAT rules" if $disposition eq 'RETURN';
|
||||
fatal_error "Exclusion is not possible in ACCEPT+/CONTINUE/NONAT rules" if $disposition eq 'RETURN' || $disposition eq 'CONTINUE';
|
||||
|
||||
#
|
||||
# Create the Exclusion Chain
|
||||
|
@ -106,7 +106,7 @@
|
||||
rules (tcrules and rules files). The generated iptables (ip6tables)
|
||||
rules do not work as expected.
|
||||
|
||||
Workaround: Don't use exclusion in CONTINUE rules.
|
||||
Corrected in Shorewall 4.4.11.4.
|
||||
|
||||
16) Exclusion in blacklist file entries is correctly validated but is
|
||||
then ignored when generating iptables (ip6tables) input.
|
||||
|
@ -236,6 +236,10 @@ I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
|
||||
5) Previously, the interface option combination of 'optional' and
|
||||
'upnpclient' did not work correctly.
|
||||
|
||||
6) Earlier releases allowed CONTINUE rules with exclusion. These rules
|
||||
generated valid but incorrect iptables (ip6tables) input. Such
|
||||
rules are now disallowed.
|
||||
|
||||
4.4.11.3
|
||||
|
||||
1) When 'any' was used in the rules SOURCE column, a duplicate rule
|
||||
|
Loading…
Reference in New Issue
Block a user