[Ferm] [PATCH] Fix "--match set" support for newer iptables
Faidon Liambotis
paravoid at debian.org
Mon Jul 11 13:55:01 CEST 2011
The set module was merged into Linux 2.6.39 (d956798d) / iptables v1.4.9
(d40f1628). Unfortunately, the same iptables commit that merged it also
deprecated support for --set in favor of --match-set (which was also
supported previously).
Hence using --set with iptables v1.4.9 results in the following warning,
printed to stderr:
--set option deprecated, please use --match-set
This adds support for match-set to ferm and adjusts the test suite
accordingly. It does *not* remove "set" but makes it an alias to
"match-set" instead.
Due to the above, this /should/ be backwards-compatible both with older
ferm configurations and older iptables, since --match-set was supported
in the past.
---
Makefile | 2 +-
src/ferm | 2 +-
test/modules/set.ferm | 1 +
test/modules/set.result | 3 ++-
4 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/Makefile b/Makefile
index d13b46e..f9671a0 100644
--- a/Makefile
+++ b/Makefile
@@ -60,7 +60,7 @@ RESULT_SED += -e 's,--in-interface,-i,g'
RESULT_SED += -e 's,--out-interface,-o,g'
RESULT_SED += -e 's,--destination ,-d ,g'
RESULT_SED += -e 's,--source ,-s ,g'
-RESULT_SED += -e 's,--match,-m,g'
+RESULT_SED += -e 's,--match ,-m ,g'
RESULT_SED += -e 's,--jump,-j,g'
RESULT_SED += -e 's,--goto,-g,g'
RESULT_SED += -e 's,--fragment,-f,g'
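Review bot: The new `--match ` pattern relies on its trailing space to keep `--match-set` from being normalised to `-m-set`, but nothing in the Makefile says so, and a later tidy-up could drop the space again. A comment above the line would help, e.g. `# trailing space: do not rewrite --match-set (or other --match-* options)`. The neighbouring `--jump`, `--goto` and `--fragment` substitutions are still unanchored, so they would rewrite any long option that starts with one of those strings in the same way. Whether such options occur in the test results is not visible from this hunk.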
diff --git a/src/ferm b/src/ferm
index 92131e1..5fab46d 100755
--- a/src/ferm
+++ b/src/ferm
@@ -271,7 +271,7 @@ add_match_def 'random', qw(average);
add_match_def 'realm', qw(realm!);
add_match_def 'recent', qw(name=s !set*0 !remove*0 !rcheck*0 !update*0 !seconds !hitcount rttl*0 rsource*0 rdest*0);
add_match_def 'rt', qw(rt-type! rt-segsleft! rt-len! rt-0-res*0 rt-0-addrs=c rt-0-not-strict*0);
-add_match_def 'set', qw(!set=sc);
+add_match_def 'set', qw(!match-set=sc set:=match-set);
add_match_def 'state', qw(!state=c);
add_match_def 'statistic', qw(mode=s probability=s every=s packet=s);
add_match_def 'string', qw(algo=s from=s to=s string hex-string);
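Review bot: The `set:=match-set` alias on the changed line has no comment explaining why both spellings exist, and after this change ferm always emits `--match-set`, even for configurations that still say `set`. I would add `# "set" is kept as an alias; iptables v1.4.9 warns on --set, so always emit --match-set` above the definition. The description says older iptables accepted `--match-set` but gives no minimum version. If a deployed iptables predates that option, the generated rule would be rejected at load time, so the minimum supported iptables version is worth stating in the documentation. The definition list continues outside the hunk.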
diff --git a/test/modules/set.ferm b/test/modules/set.ferm
index 299c7c5..372beaf 100644
--- a/test/modules/set.ferm
+++ b/test/modules/set.ferm
@@ -1,3 +1,4 @@
table filter chain INPUT mod set {
set foo (src src) ACCEPT;
+ match-set foo (src src) ACCEPT;
}
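Review bot: Both test rules are positive matches, while the definition in src/ferm declares the option as negatable (`!match-set=sc`), so the negated form is untested for the new keyword and for the `set` alias. In a firewall rule, a negation that is lost or misplaced inverts which packets match. I would add one negated rule per spelling, something like `match-set ! foo (src src) ACCEPT;` (adjusted to ferm's negation syntax), with the matching expected lines in test/modules/set.result.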
diff --git a/test/modules/set.result b/test/modules/set.result
index ba5203c..89c5347 100644
--- a/test/modules/set.result
+++ b/test/modules/set.result
@@ -1 +1,2 @@
-iptables -t filter -A INPUT -m set --set foo src,src -j ACCEPT
+iptables -t filter -A INPUT -m set --match-set foo src,src -j ACCEPT
+iptables -t filter -A INPUT -m set --match-set foo src,src -j ACCEPT
--
1.7.2.5