[Ferm] Ferm state match/icmpv6 bug/patch

Martin Buck mb-tmp-sbb-cebwrpgf.bet at gromit.dyndns.org
Wed Nov 17 07:32:15 CET 2010 

Hi,

I don't know whether this is the right place to send ferm patches and bug
reports, but the sourcefore mailing lists didn't look very active and this
address was listed in the source code.

First of all, thanks a lot for ferm - it's exactly what I've been searching
for a long time. Finally, there is some structure in my iptable rules. :-)

Two minor issues I noticed:
* The state match of "mod state" doesn't accept negation, even though the
  corresponding --state option in iptables does. Example:
  chain INPUT {
    # works
    mod state state NEW NOP;
    # doesn't work, should result in something like this:
    # iptables -A INPUT -m state \! --state NEW
    mod state ! state NEW NOP;
  }
  
  I'm not a Perl expert, but I guess this can be fixed with the patch
  attached at the end.

* 2nd (and partially cosmetic) issue: I'm trying to use the same ferm
  function to generate IPv4 and IPv6 rules. This works fine in general, but
  I need to special-case ICMP, because it's called icmpv6 both in the
  protocol name and the option/match prefix in case of IPv6. ferm already
  seems to automatically translate protocol icmp to icmpv6 in domain ip6,
  but it doesn't do that for the icmp-type match which should become
  icmpv6-type. Example:
  domain ip chain INPUT {
    # works
    proto icmp icmp-type echo-request ACCEPT;
  }
  domain ip6 chain INPUT {
    # works
    proto icmpv6 icmpv6-type echo-request ACCEPT;
    # doesn't work
    proto icmp icmp-type echo-request ACCEPT;
  }
  
  If the last one would work as well, I could use this both for IPv4 and
  IPv6. Looking at the add_proto_def statement for icmpv6 (containing
  "icmp-type:=icmpv6-type") in the ferm source code, I even get the
  impression that this is supposed to work but fails for some reason.

Any feedback appreciated.

Thanks,
Martin


diff -ur git20101104/ferm patched/ferm
--- git20101104/ferm	2010-11-04 09:41:55.000000000 +0100
+++ patched/ferm	2010-11-04 09:42:01.000000000 +0100
@@ -271,7 +271,7 @@
 add_match_def 'recent', qw(name=s !set*0 !remove*0 !rcheck*0 !update*0 !seconds !hitcount rttl*0 rsource*0 rdest*0);
 add_match_def 'rt', qw(rt-type! rt-segsleft! rt-len! rt-0-res*0 rt-0-addrs=c rt-0-not-strict*0);
 add_match_def 'set', qw(!set=sc);
-add_match_def 'state', qw(state=c);
+add_match_def 'state', qw(!state=c);
 add_match_def 'statistic', qw(mode=s probability=s every=s packet=s);
 add_match_def 'string', qw(algo=s from=s to=s string hex-string);
 add_match_def 'tcpmss', qw(!mss);

More information about the Ferm mailing list