[Ferm] [PATCH] Fix regression: functions containing domain (ip ip6)

Faidon Liambotis paravoid at debian.org
Wed Oct 31 19:05:21 CET 2012 

Commit 729e3e introduced support for individual evaluation of rules
per-domain. As part of that, inside a domain statement, execution forks
into two inner rules and then individually executed.

However, the inner rule is entered starting with level $lev, which can
never be zeroed back, since its contents are collected via a call to
collect_tokens(), which is a zero-summed collection.

This worked on most cases, since domain is usually defined on level
zero. A notable exception is when domain (ip ip6) is defined inside a
function.

Fix this by entering the inner rule with an initial zero level and add a
test case to the test suite. This is a fix for a ferm 2.1 regression.
---
 src/ferm               |    2 +-
 test/ipv6/mixed.ferm   |    7 +++++++
 test/ipv6/mixed.result |    2 ++
 3 files changed, 10 insertions(+), 1 deletions(-)

diff --git a/src/ferm b/src/ferm
index 745cbda..e43318b 100755
--- a/src/ferm
+++ b/src/ferm
@@ -2063,7 +2063,7 @@ sub enter($$) {
                         new_level(%inner, \%rule);
                         set_domain(%inner, $domain) or next;
                         $script->{tokens} = [ @$tokens ];
-                        enter($lev, \%inner);
+                        enter(0, \%inner);
                     }
 
                     $script->{tokens} = $old_tokens;
diff --git a/test/ipv6/mixed.ferm b/test/ipv6/mixed.ferm
index 8ffa5a7..b043adc 100644
--- a/test/ipv6/mixed.ferm
+++ b/test/ipv6/mixed.ferm
@@ -9,6 +9,13 @@ domain (ip6 ip) chain INPUT {
     LOG log-prefix $DOMAIN;
 }
 
+ at def &SERVICE($proto, $port) = {
+	domain (ip ip6) chain INPUT {
+		proto $proto dport $port ACCEPT;
+	}
+}
+&SERVICE(tcp, smtp);
+
 domain $both chain INPUT @if (@eq($DOMAIN,ip)) LOG log-prefix "four";
 domain $both chain INPUT @if (@eq($DOMAIN,ip6)) LOG log-prefix "six";
 
diff --git a/test/ipv6/mixed.result b/test/ipv6/mixed.result
index 4ffdc6a..297cdd2 100644
--- a/test/ipv6/mixed.result
+++ b/test/ipv6/mixed.result
@@ -2,6 +2,7 @@ iptables -t filter -P OUTPUT DROP
 iptables -t filter -A INPUT -j DROP
 iptables -t filter -A INPUT -p tcp --dport ssh -j ACCEPT
 iptables -t filter -A INPUT -j LOG --log-prefix ip
+iptables -t filter -A INPUT -p tcp --dport smtp -j ACCEPT
 iptables -t filter -A INPUT -j LOG --log-prefix four
 iptables -t filter -A INPUT -j LOG --log-prefix four2
 iptables -t filter -A INPUT -j LOG --log-prefix four3
@@ -9,6 +10,7 @@ iptables -t filter -A INPUT -j REJECT
 ip6tables -t filter -P OUTPUT DROP
 ip6tables -t filter -A INPUT -p tcp --dport ssh -j ACCEPT
 ip6tables -t filter -A INPUT -j LOG --log-prefix ip6
+ip6tables -t filter -A INPUT -p tcp --dport smtp -j ACCEPT
 ip6tables -t filter -A INPUT -j LOG --log-prefix six
 ip6tables -t filter -A INPUT -j LOG --log-prefix six2
 ip6tables -t filter -A INPUT -j LOG --log-prefix six3
-- 
1.7.2.5

More information about the Ferm mailing list