[Ferm] one target for multiple rules
Kiss Gabor (Bitman)
kissg at ssg.ki.iif.hu
Sun Feb 27 10:44:18 CET 2011
> I find myself frequently writing stuff like
>
>     saddr $source_list @subchain {
>         daddr $target1 proto tcp dport (list1t) ACCEPT;
>         daddr $target1 proto udp dport (list1u) ACCEPT;
>         daddr $target2 proto tcp dport (list2t) ACCEPT;
>         daddr $target2 proto udp dport (list2u) ACCEPT;
>     }
>
> and I almost equally frequently forget to write the target, which is of
> course an error.
>
> Would it be awfully hard to implement to allow one target to be
> written for a list of rules, such as:
>
>     saddr $source_list @subchain {
>         {
>             daddr $target1 proto tcp dport (list1t);
>             daddr $target1 proto udp dport (list1u);
>             daddr $target2 proto tcp dport (list2t);
>             daddr $target2 proto udp dport (list2u);
>         } ACCEPT;
>     }
Marc,

I'm not sure but I guess this would conflict with the principle of subchain.
Why don't you define a function for this idiom?
I mean like this:

    @def &myaccept($da, $prot, $dplist) = {
        ACCEPT daddr $da proto $prot dport ($dplist);
    }

    saddr $source_list @subchain {
        &myaccept($target1, tcp, (list1t));
        &myaccept($target1, udp, (list1u));
        &myaccept($target2, tcp, (list2t));
        &myaccept($target2, udp, (list2u));
    }

Regards,
Gabor
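The function idiom above, shown as a complete ferm configuration (an added example, not code from the thread or from the ferm project): the function is the single place that carries the ACCEPT target, the calls go into a named subchain under a default DROP policy, and non-matching traffic from the same sources is logged before the policy drops it. Every address, port list and name here (SOURCE_LIST, WEB_HOST, DNS_HOST, the "allowed_fwd" subchain) is made up for illustration.

```ferm
# Constructed example (not from the thread). Addresses, ports and names
# are assumed values from documentation ranges, not a real site.

@def $SOURCE_LIST = (192.0.2.0/24 198.51.100.0/24);   # assumed source nets
@def $WEB_HOST    = 203.0.113.10;                      # assumed destination
@def $DNS_HOST    = 203.0.113.53;                      # assumed destination

@def $WEB_TCP = (80 443);
@def $DNS_TCP = (53);
@def $DNS_UDP = (53);

# One place carries the target, so a rule cannot be written without it.
@def &myaccept($da, $prot, $dplist) = {
    daddr $da proto $prot dport ($dplist) ACCEPT;
}

domain ip table filter {
    chain FORWARD {
        policy DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
        mod state state INVALID DROP;

        # The function calls land in a named subchain; anything from these
        # sources that matches none of them falls back to the chain below.
        saddr $SOURCE_LIST @subchain "allowed_fwd" {
            &myaccept($WEB_HOST, tcp, $WEB_TCP);
            &myaccept($DNS_HOST, tcp, $DNS_TCP);
            &myaccept($DNS_HOST, udp, $DNS_UDP);
        }

        # Log what the policy is about to drop, so a forgotten entry in the
        # allow list shows up in the log rather than as a silent outage.
        saddr $SOURCE_LIST LOG log-prefix "fwd-denied: ";
    }
}
```

Running `ferm --noexec --lines <file>` prints the iptables commands ferm would execute, which is the quickest way to confirm that every generated rule in the subchain actually carries a target before loading the file.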