[Ferm] Dual-stacking and IP in variables

Faidon Liambotis paravoid at debian.org
Thu Jul 7 11:20:31 CEST 2011 

Hi Max,

On Thu, Jul 07, 2011 at 09:55:42AM +0200, Max Kellermann wrote:
> On 2011/07/06 02:47, Faidon Liambotis <paravoid at debian.org> wrote:
> > On several dual-stack setups of mine, I tend to have configurations such
> > as below:
> 
> I have finally taken some time to sort this ever-lasting issue out.
> A new patch in git master executes all rules after "domain (ip ip6)"
> twice, once for each domain.  That means that the $DOMAIN variable is
> available now.

Wow, great, thanks! I began coding the individual evaluation of rules
per domain last night but you're obviously much faster :-)

> What you can do now is slightly easier than what we had before:
> 
>  domain (ip ip6) {
>    @if @eq($DOMAIN, ip) {
>      # IPv4 rules go here
>    } @else {
>      # IPv4 rules go here
>    }
>  }

Having $DOMAIN set to the *current* domain is nice, but the above stanza
doesn't make much sense, does it? Wouldn't
  domain ip {
    # IPv4 rules go here
  }
  domain ip6 {
    # IPv4 rules go here
  }
make a lot more sense?

In general, maybe the use of $DOMAIN should be discouraged in favor of
domain stanzas?

> Or you can define domain-specific variables in an include (instead of
> having to move the common rules into an include/function):
> 
>  domain (ip ip6) {
>    @if @eq($DOMAIN, ip)
>      @include "ipv4-vars.ferm";
>    @else
>      @include "ipv6-vars.ferm";
>  }

But I won't be able to do the more obvious:
  domain ip {
     @def $TRUSTED = (...);
  }
  domain ip6 {
     @def $TRUSTED = (...);
  }
due to scoping and 
  domain ip  @def $TRUSTED = (...);
  domain ip6 @def $TRUSTED = (...);
doesn't work either.

> Note there are no curly braces around the @include; the curly braces
> would open a new namespace, and variables declared inside those
> (inside the included file) would be lost after the closing brace.

Yes, that's an unusual intricacy... :)

> Bonus: I've implemented a function called @ipfilter.  See manpage.

Hah, so you went for all of the approaches combined. Impressive, thanks
a lot!

Regards,
Faidon

More information about the Ferm mailing list