[Ferm] Inaccuracy about subchain concept

[Max Kellermann]

On 2013/07/26 22:33, Gian Piero Carrubba <gpiero at rm-rf.it> wrote:
> * [Fri, Jul 26, 2013 at 10:12:12PM +0200] Gian Piero Carrubba:
> >Please don't, this is an actual bug that need to be fixed.
> >Confirmed with ferm 2.2.
> 
> It appears to be intentional:
> 
>  2244                 if (exists $rule{protocol}) {
>  2245                     $inner{protocol} = $rule{protocol};
>  2246                     append_option(%inner, 'protocol', $inner{protocol});
>  2247                 }
> 
> but I still lack to see the need of special-ruling `proto' when
> there's no need for it (i.e. when no `sport', `dport' or a similar
> one is used inside the subchain).

The code you cited above is necessary to support:

 proto tcp @subchain {
     dport 1234 ACCEPT;
 }

Unfortunately, this "magic" has side effects as Kiss Gabor found out.
It is difficult to support both the syntax above while at the same
time being supporting Kiss Gabor's interpretation of the
documentation.

My own interpretation (as author of this piece of documentation): you
can achieve the same effect of @subchain by using the full chain
syntax, but not vice versa.  But the subchain that was implicitly
created by ferm cannot be used from other places, it's not reusable.
Maybe that should be pointed out in the documentation.

However, I agree that this unconditional copy of the "proto" keyword
into each subchain is sort of a bug.  If there's no keyword which
depends on "proto", ferm should suppress the "proto".

But, maybe, this kind of weird configuration shouldn't be supported at
all - matter of taste, I personally think it's worthwile and shouldn't
be removed.

Max