[Ferm] Ferm state match/icmpv6 bug/patch

[Max Kellermann]

On 2010/11/17 07:32, Martin Buck <mb-tmp-sbb-cebwrpgf.bet at gromit.dyndns.org> wrote:
> I don't know whether this is the right place to send ferm patches and bug
> reports, but the sourcefore mailing lists didn't look very active and this
> address was listed in the source code.

Hi Martin,

I was not aware that SourceForge hosts a mailing list for us.  You're
right here.

>   I'm not a Perl expert, but I guess this can be fixed with the patch
>   attached at the end.

Thanks, I've merged your patch.

> * 2nd (and partially cosmetic) issue: I'm trying to use the same ferm
>   function to generate IPv4 and IPv6 rules. This works fine in general, but
>   I need to special-case ICMP, because it's called icmpv6 both in the
>   protocol name and the option/match prefix in case of IPv6. ferm already
>   seems to automatically translate protocol icmp to icmpv6 in domain ip6,
>   but it doesn't do that for the icmp-type match which should become
>   icmpv6-type. Example:
>   domain ip chain INPUT {
>     # works
>     proto icmp icmp-type echo-request ACCEPT;
>   }
>   domain ip6 chain INPUT {
>     # works
>     proto icmpv6 icmpv6-type echo-request ACCEPT;
>     # doesn't work
>     proto icmp icmp-type echo-request ACCEPT;
>   }
>   
>   If the last one would work as well, I could use this both for IPv4 and
>   IPv6. Looking at the add_proto_def statement for icmpv6 (containing
>   "icmp-type:=icmpv6-type") in the ferm source code, I even get the
>   impression that this is supposed to work but fails for some reason.

That did work partially:

 proto icmpv6 icmp-type echo-request  # works
 proto icmp icmp-type echo-request  # does not work

ferm translates icmp-type to icmpv6-type only if the protocol "icmpv6"
is selected initially, but changes "icmp" to "icmpv6" only right
before printing the rules.  I've added a patch which translates both
right before printing.

Max