[Ferm] Is this a bug or feature? :-)

Kiss Gabor (Bitman) kissg at ssg.ki.iif.hu
Thu May 7 12:13:40 CEST 2009 

Dear folks,

I use ferm 2.0.3 of Debian lenny.

Please have a look on these config snippets and rules generated by them:


Case 1, no subchain:

        interface eth0
            daddr 9.10.11.12
            mod comment comment "This is a block" {
                saddr (1.2.3.4 5.6.7.8) ACCEPT;
        }

-A INPUT --in-interface eth0 --destination 9.10.11.12 --match comment --comment "This is a block" --source 1.2.3.4 --jump ACCEPT
-A INPUT --in-interface eth0 --destination 9.10.11.12 --match comment --comment "This is a block" --source 5.6.7.8 --jump ACCEPT

Works as expected. All rules inherits all attributes defined outside
the block. (I.e. --in-interface, --destination, --comment)


Case 2, subchain without protocol:

        interface eth0
            daddr 9.10.11.12
            mod comment comment "This is a good subchain"
            @subchain "GOOD" {
                saddr (1.2.3.4 5.6.7.8) ACCEPT;
        }

-A GOOD --source 1.2.3.4 --jump ACCEPT
-A GOOD --source 5.6.7.8 --jump ACCEPT
-A INPUT --in-interface eth0 --destination 9.10.11.12 --match comment --comment "This is a good subchain" --jump GOOD

Rules of subchain GOOD contains what can be seen between brackets.
No --in-interface, no --destination, no --comment.


Case 3, subchain with protocol:

        proto tcp dport (https) 
            daddr 9.10.11.12
            mod comment comment "This is a bad subchain"
            @subchain "BAD" {
                saddr (1.2.3.4 5.6.7.8) ACCEPT;
        }

-A BAD --protocol tcp --source 1.2.3.4 --jump ACCEPT
-A BAD --protocol tcp --source 5.6.7.8 --jump ACCEPT
-A INPUT --protocol tcp --dport https --destination 9.10.11.12 --match comment --comment "This is a bad subchain" --jump BAD

Ooops! Rules of chain BAD are some mixture of case 1 and 2.
They inherit nothing but --protocol.

IMHO this is totally unnecessary
and makes the following real life example impossible:

        proto (esp ah) jump IPSEC;
        proto udp dport isakmp jump IPSEC;
        proto udp sport isakmp @subchain "IPSEC" {
                daddr 14.15.16.17 saddr 18.19.20.21 ACCEPT;
                daddr 18.19.20.21 saddr 14.15.16.17 ACCEPT;
        }

Subchain IPSEC looks like this:

-A IPSEC --protocol udp --destination 14.15.16.17 --source 18.19.20.21 --jump ACCEPT
-A IPSEC --protocol udp --destination 18.19.20.21 --source 14.15.16.17 --jump ACCEPT

Therefore "proto (esp ah) jump IPSEC" is ineffective.
Yes, you can say why don't I define a regular IPSEC chain.
So do I. But I don't like it. :)

Behavior of @subchain described above is inconsistent anyway as well
as confusing and undocumented.

Regards

Gabor

More information about the Ferm mailing list