[Ferm] Dual-stacking and IP in variables
Faidon Liambotis
paravoid at debian.org
Wed Jul 6 11:16:51 CEST 2011
Hi,
Thanks for the input.
On Wed, Jul 06, 2011 at 07:15:57AM +0200, Kiss Gabor (Bitman) wrote:
> @def &ALLOW($proto,$port,$addrlist) = {
>     @if @eq($DOMAIN, ip) {
>         ALLOW proto $proto dport $port saddr (SELECT4($addrlist));
>     }
>     @if @eq($DOMAIN, ip6) {
>         ALLOW proto $proto dport $port saddr (SELECT6($addrlist));
>     }
> }
Note that this construct does not work if you use the function in a
"domain (ip ip6)" stanza; $DOMAIN is set to the array (ip ip6)...
> Or similar.
>
> What is your opinion?
Besides the problem I mentioned, the above has the problem of needing to
use the builtins in each and every call-site — if you come to think
about it, if you create a variable to hold a list of addresses or subnets,
you're *never* going to use it without filtering at the call sites.
Regards,
Faidon
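
An added example, not part of the original message and not ferm code: one way to avoid filtering at every call site is to split a mixed address list by family before ferm reads it, and emit one `@def` per family. The helper names, the `_4`/`_6` variable suffixes and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: a mixed list such as one dual-stack variable would hold.
SAMPLE = ["192.0.2.10", "2001:db8::1", "198.51.100.0/24", "2001:db8:1::/48"]


def split_by_family(entries):
    """Partition addresses/subnets into (ipv4, ipv6) lists, keeping order.

    Parsing is strict: a malformed entry or a prefix with host bits set
    (e.g. 192.0.2.10/24) raises ValueError instead of being dropped, so a
    typo cannot silently shrink or widen a firewall rule.
    """
    v4, v6 = [], []
    for entry in entries:
        net = ipaddress.ip_network(entry.strip(), strict=True)
        # Print single hosts without the /32 or /128 suffix.
        if net.prefixlen == net.max_prefixlen:
            text = str(net.network_address)
        else:
            text = str(net)
        (v4 if net.version == 4 else v6).append(text)
    return v4, v6


def ferm_defs(name, entries):
    """Return ferm '@def' lines defining $<name>_4 and $<name>_6.

    $<name>_4 is meant for rules inside a 'domain ip' block and
    $<name>_6 for rules inside 'domain ip6' (hypothetical naming).
    A family with no entries gets no definition, so no empty list is emitted.
    """
    v4, v6 = split_by_family(entries)
    lines = []
    for suffix, addrs in (("4", v4), ("6", v6)):
        if addrs:
            lines.append("@def ${}_{} = ({});".format(name, suffix, " ".join(addrs)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(ferm_defs("ADMINS", SAMPLE))
```
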