Fix nested IPSEC zones

2009-08-26 12:46:53 -07:00 · 2009-08-26 12:46:53 -07:00 · cdf0d8f64b
commit cdf0d8f64b
parent 4c3bb5bac8
3 changed files with 6 additions and 1 deletions
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -1698,7 +1698,7 @@ sub generate_matrix() {
 			add_jump(
 				 $sourcechainref,
 				 source_exclusion( $hostref->{exclusions}, $frwd_ref ),
-				 1,
+				 ! @{$zoneref->{parents}},
 				 join( '', $interfacematch , match_source_net( $net ), $ipsec_match )
 				);
 		    }
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -5,6 +5,8 @@ Changes in Shorewall 4.4.0.1

 2)  Fix log level in rules at the end of INPUT and OUTPUT

+3)  Correct handling of nested IPSEC chains.
+
 Changes in Shorewall 4.4.0

 1)  Fix 'compile ... -' so that it no longer requires '-v-1'
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -161,6 +161,9 @@ Shorewall 4.4.0 patch release 1.
    rules at the end of the INPUT and OUTPUT chains still used the
    LOG target rather than ULOG.

+2)  Use of CONTINUE policies with a nested IPSEC zone was broken in
+    some cases.
+
 ----------------------------------------------------------------------------
          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 0
 ----------------------------------------------------------------------------