[Ferm] one target for multiple rules

Marc Haber mh+ferm at zugschlus.de
Sun Feb 27 10:51:39 CET 2011 

On Sun, Feb 27, 2011 at 10:44:18AM +0100, Kiss Gabor (Bitman) wrote:
> > I find myself frequently writing stuff like
> > 
> >   saddr $source_list @subchain {
> >     daddr $target1 proto tcp dport (list1t) ACCEPT;
> >     daddr $target1 proto udp dport (list1u) ACCEPT;
> >     daddr $target2 proto tcp dport (list2t) ACCEPT;
> >     daddr $target2 proto udp dport (list2u) ACCEPT;
> >   }
> > 
> > and I almost equally frequently forget writing the target, which is of
> > course an error.
> > 
> > Would it be awfully hard to implement to allow one target to be
> > written for a list of rules, such as:
> > 
> >   saddr $source_list @subchain {
> >     {
> >       daddr $target1 proto tcp dport (list1t);
> >       daddr $target1 proto udp dport (list1u);
> >       daddr $target2 proto tcp dport (list2t);
> >       daddr $target2 proto udp dport (list2u);
> >     } ACCEPT;
> >   }
> 
> 
> I'm not sure but I guess this would conflict with the principle of subchain.

Why? Same thing could be written without subchain:

   saddr $source_list {
     {
       daddr $target1 proto tcp dport (list1t);
       daddr $target1 proto udp dport (list1u);
       daddr $target2 proto tcp dport (list2t);
       daddr $target2 proto udp dport (list2u);
     } ACCEPT;
   }

ferm would, if it found a rule without target, look for a target being
written after some of the surrounding blocks and use the first match
found. That way, one could even write shortcuts like

   saddr $source_list {
     {
       daddr $target1 proto tcp dport (list1t);
       daddr $target1 proto udp dport (list1u);
       daddr $exceptiontarget proto tcp dport (list2t) DROP;
       daddr $target2 proto tcp dport (list2t);
       daddr $target2 proto udp dport (list2u);
     } ACCEPT;
   }

creating four ACCEPT rules and one DROP route.

> Why don't you define a function for this idiom?
> I mean like this:
> 
> @def &myaccept($da,$prot,$dplist) = {
> 	ACCEPT daddr $da proto $prot dport ($dplist);
> }

The actual rules are a little more complex and less uniform. I'd need
some kind of an eval function to pass arbitrary rule strings to the
function.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190

More information about the Ferm mailing list