From 5141ea88419bd509e08a8b51d647271bb04ea6b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20L=C3=B6nnhager?=
Date: Wed, 13 Apr 2022 09:40:42 +0200
Subject: [PATCH 1/2] Reset callout action to CONTINUE when app is not split
---
 src/firewall/callouts.cpp | 20 ++++----------------
 1 file changed, 4 insertions(+), 16 deletions(-)
diff --git a/src/firewall/callouts.cpp b/src/firewall/callouts.cpp
index cc47c4e..82404f8 100644
--- a/src/firewall/callouts.cpp
+++ b/src/firewall/callouts.cpp
@@ -380,10 +380,7 @@ CalloutClassifyBind
 return;
 }
 
- if (ClassifyOut->actionType == FWP_ACTION_NONE)
- {
- ClassifyOut->actionType = FWP_ACTION_CONTINUE;
- }
+ ClassificationReset(ClassifyOut);
 
 if (!FWPS_IS_METADATA_FIELD_PRESENT(MetaValues, FWPS_METADATA_FIELD_PROCESS_ID))
 {
@@ -727,10 +724,7 @@ CalloutClassifyConnect
 return;
 }
 
- if (ClassifyOut->actionType == FWP_ACTION_NONE)
- {
- ClassifyOut->actionType = FWP_ACTION_CONTINUE;
- }
+ ClassificationReset(ClassifyOut);
 
 if (!FWPS_IS_METADATA_FIELD_PRESENT(MetaValues, FWPS_METADATA_FIELD_PROCESS_ID))
 {
@@ -940,10 +934,7 @@ CalloutPermitSplitApps
 return;
 }
 
- if (ClassifyOut->actionType == FWP_ACTION_NONE)
- {
- ClassifyOut->actionType = FWP_ACTION_CONTINUE;
- }
+ ClassificationReset(ClassifyOut);
 
 if (!FWPS_IS_METADATA_FIELD_PRESENT(MetaValues, FWPS_METADATA_FIELD_PROCESS_ID))
 {
@@ -1093,10 +1084,7 @@ CalloutBlockSplitApps
 return;
 }
 
- if (ClassifyOut->actionType == FWP_ACTION_NONE)
- {
- ClassifyOut->actionType = FWP_ACTION_CONTINUE;
- }
+ ClassificationReset(ClassifyOut);
 
 if (!FWPS_IS_METADATA_FIELD_PRESENT(MetaValues, FWPS_METADATA_FIELD_PROCESS_ID))
 {
From 45f4f31cfbf092e1cddc6a61c404777ec864d034 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20L=C3=B6nnhager?=
Date: Thu, 14 Apr 2022 16:12:30 +0200
Subject: [PATCH 2/2] Update changelog
---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 578a7d0..ab5a006 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
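Review bot: The new unconditional `ClassificationReset(ClassifyOut);` in CalloutClassifyBind has no comment saying why the old `actionType == FWP_ACTION_NONE` guard was dropped, and the same bare call is repeated in CalloutClassifyConnect, CalloutPermitSplitApps and CalloutBlockSplitApps. Going by the commit subject and the changelog entry, the reset is what keeps a soft permit from a higher-priority sublayer from ending filter evaluation in this sublayer, so a later refactor that restores the guard would silently reopen the issue; I would add above each call `// Always reset to CONTINUE: a soft permit inherited from a higher-priority sublayer must not stop evaluation of the remaining filters here.` ClassificationReset itself is not part of this patch, so it is worth confirming that it only sets the action and leaves `rights` and `flags` as the earlier sublayer set them. Each function body starts and ends outside its hunk, so the check behind the preceding `return;` is not visible here.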
@@ -20,6 +20,9 @@ Line wrap the file at 100 chars. Th
 * **Security**: in case of vulnerabilities.
 
 ## [Unreleased]
+### Security
+- For non-excluded DNS traffic, evaluate all appropriate filters within the DNS sublayer when a soft
+ permit has been applied in a higher-priority sublayer.
 
 ## [1.2.0.0] - 2022-01-10
 ### Changed