diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 6b9a99ad6..2b872c19d 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1698,7 +1698,7 @@ sub generate_matrix() {
 add_jump( $sourcechainref,
 source_exclusion( $hostref->{exclusions}, $frwd_ref ),
- 1,
+ ! @{$zoneref->{parents}},
 join( '', $interfacematch , match_source_net( $net ), $ipsec_match )
 );
 }
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index ff44c8d66..0915febc9 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -5,6 +5,8 @@ Changes in Shorewall 4.4.0.1
 2) Fix log level in rules at the end of INPUT and OUTPUT
+3) Correct handling of nested IPSEC chains.
+
 Changes in Shorewall 4.4.0
 1) Fix 'compile ... -' so that it no longer requires '-v-1'
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 8ec755e48..35e84af96 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -161,6 +161,9 @@ Shorewall 4.4.0 patch release 1.
 rules at the end of the INPUT and OUTPUT chains still used the LOG target rather than ULOG.
+2) Use of CONTINUE policies with a nested IPSEC zone was broken in
+ some cases.
+
 ----------------------------------------------------------------------------
 P R O B L E M S C O R R E C T E D I N 4 . 4 . 0
 ----------------------------------------------------------------------------
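Review bot: The new third argument to add_jump, `! @{$zoneref->{parents}}`, dereferences `$zoneref->{parents}` as an array in rvalue context, which dies under `use strict` if that key is ever absent or undef for a zone; if that can happen, `! @{ $zoneref->{parents} || [] }` keeps the same truth value while being safe. The intent is also not recorded anywhere in the code, and the releasenotes hunk in this same commit is the only place explaining it — a short comment above the add_jump call would help, e.g. `# Only a top-level zone may be entered with a goto; a nested zone must return so the parent's CONTINUE rules are still evaluated.`, which presumes the third add_jump parameter is the goto-allowed flag (its signature is not in this hunk, so confirm). generate_matrix starts and ends outside the hunk, and `$zoneref`, `$hostref` and `$frwd_ref` are bound there.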