[Ferm] Inaccuracy about subchain concept
Gian Piero Carrubba
gpiero at rm-rf.it
Mon Aug 26 23:49:34 CEST 2013
Hi Max, thanks for replying.
* [Wed, Aug 07, 2013 at 12:08:23PM +0200] Max Kellermann:
>The code you cited above is necessary to support:
>
> proto tcp @subchain {
> dport 1234 ACCEPT;
> }
>
>Unfortunately, this "magic" has side effects as Kiss Gabor found out.
>It is difficult to support both the syntax above while at the same
>time supporting Kiss Gabor's interpretation of the
>documentation.
>
>My own interpretation (as author of this piece of documentation): you
>can achieve the same effect of @subchain by using the full chain
>syntax, but not vice versa. But the subchain that was implicitly
>created by ferm cannot be used from other places, it's not reusable.
>Maybe that should be pointed out in the documentation.
Well, reading the man page I agree with Gabor about the interpretation,
so in my opinion that definitively has to be pointed out.
>However, I agree that this unconditional copy of the "proto" keyword
>into each subchain is sort of a bug. If there's no keyword which
>depends on "proto", ferm should suppress the "proto".
Attached you can find a draft patch and the input file I used for
testing it. Note that the patch also adds inheritance of the protocol in
case of nested subchains (not sure it is desirable).
Please note that I just had a quick look at the source and I'm not sure
I've understood well enough how the parser works, so I could very well
have broken some feature. Anyway the test suite seems to succeed
(obviously apart from the tests impacted by the patch).
>But, maybe, this kind of weird configuration shouldn't be supported at
>all - matter of taste, I personally think it's worthwhile and shouldn't
>be removed.
I don't have a strong opinion about this, I changed my idea more than
once while thinking about it. Anyway, after having written the attached
patch, I suspect that such a feature is not worth the work needed for
maintaining it and I would probably remove it.
Ciao,
Gian Piero.
-------------- next part --------------
table filter chain 'tcp'
{
    proto tcp @subchain 'TCP' { saddr 1.1.1.1 NOP mod comment comment NO-TCP; }
    proto tcp @subchain 'TCP' { tcp-option 1 NOP mod comment comment TCP-OPTION; }
    proto tcp @subchain 'TCP' { dport 1 NOP mod comment comment TCP-DPORT; }
    proto tcp @subchain 'TCP' { proto udp NOP mod comment comment UDP; }
    proto tcp @subchain 'TCP' { proto udp sport 1 NOP mod comment comment UDP-SPORT; }
    proto tcp @subchain 'TCP' {
        saddr 2.2.2.2 @subchain 'NO-TCP'
            { daddr 1.1.1.1 NOP mod comment comment NO-TCP; }
        saddr 3.3.3.3 @subchain 'NO-TCP'
            { tcp-option 7 NOP mod comment comment TCP-OPTION; }
        saddr 4.4.4.4 @subchain 'NO-TCP'
            { dport 7 NOP mod comment comment TCP-DPORT; }
        saddr 5.5.5.5 @subchain 'NO-TCP'
            { proto udp NOP mod comment comment UDP; }
        saddr 6.6.6.6 @subchain 'NO-TCP'
            { proto udp sport 2 NOP mod comment comment UDP-SPORT; }
        tcp-option 2 @subchain 'TCP-OPTION'
            { daddr 2.2.2.2 NOP mod comment comment NO-TCP; }
        tcp-option 3 @subchain 'TCP-OPTION'
            { tcp-option 8 NOP mod comment comment TCP-OPTION; }
        tcp-option 4 @subchain 'TCP-OPTION'
            { dport 8 NOP mod comment comment TCP-DPORT; }
        tcp-option 5 @subchain 'TCP-OPTION'
            { proto udp NOP mod comment comment UDP; }
        tcp-option 6 @subchain 'TCP-OPTION'
            { proto udp sport 3 NOP mod comment comment UDP-SPORT; }
        dport 2 @subchain 'TCP-DPORT'
            { daddr 3.3.3.3 NOP mod comment comment NO-TCP; }
        dport 3 @subchain 'TCP-DPORT'
            { tcp-option 9 NOP mod comment comment TCP-OPTION; }
        dport 4 @subchain 'TCP-DPORT'
            { dport 9 NOP mod comment comment TCP-DPORT; }
        dport 5 @subchain 'TCP-DPORT'
            { proto udp NOP mod comment comment UDP; }
        dport 6 @subchain 'TCP-DPORT'
            { proto udp sport 4 NOP mod comment comment UDP-SPORT; }
    }
}
table filter chain 'icmp'
{
    proto icmp @subchain 'ICMP' { icmp-type 99 NOP mod comment comment ICMP-TYPE; }
}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: draft.patch
Type: text/x-diff
Size: 4018 bytes
Desc: not available
URL: <http://foo-projects.org/pipermail/ferm/attachments/20130826/a4c82c98/attachment.bin>
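The inheritance rule discussed in the message above (copy the parent's proto into a subchain rule only when a keyword in that rule depends on it, and pass the context down through nested subchains), as an added Python model that is neither ferm's own code nor the attached patch. The keyword-to-protocol table, the dict shape of a rule and the iptables-style rendering are assumptions made for the demo.

```python
# Added model of ferm's proto inheritance into @subchain rules (thread above).
# Hypothetical re-implementation, not ferm's parser; keyword table is assumed.
PROTO_DEPENDENT = {"dport": {"tcp", "udp"}, "sport": {"tcp", "udp"},
                   "tcp-option": {"tcp"}, "tcp-flags": {"tcp"}, "icmp-type": {"icmp"}}

def effective_proto(inherited, rule):
    """Own 'proto' wins; the inherited one is emitted only if a keyword needs it;
    ValueError if a keyword is used with an incompatible (or no) protocol."""
    proto = rule.get("proto")
    needs = [k for k in rule if k in PROTO_DEPENDENT]
    if proto is None and needs:
        proto = inherited
    for k in needs:
        if proto not in PROTO_DEPENDENT[k]:
            raise ValueError(f"{k} needs {sorted(PROTO_DEPENDENT[k])}, got {proto}")
    return proto

def expand(rules, inherited=None):
    """Flatten nested subchains to (proto, match) pairs, passing context down."""
    out = []
    for rule in rules:
        proto = effective_proto(inherited, rule)
        out.append((proto, {k: v for k, v in rule.items() if k != "subchain"}))
        if "subchain" in rule:  # nested block inherits its parent's explicit/inherited proto
            out.extend(expand(rule["subchain"], rule.get("proto", inherited)))
    return out

def render(proto, match):
    """iptables-style rendering so a suppressed '-p' is visible."""
    flags = {"saddr": "-s", "daddr": "-d", "dport": "--dport", "sport": "--sport",
             "tcp-option": "--tcp-option", "icmp-type": "--icmp-type"}
    parts = [f"-p {proto}"] if proto else []
    parts += [f"{flags[k]} {v}" for k, v in match.items() if k != "proto"]
    return " ".join(parts)

# Constructed sample mirroring the 'tcp' chain of the attached test file;
# each trailing comment is the label the test file gives that case.
SAMPLE = [{"proto": "tcp", "subchain": [
    {"saddr": "1.1.1.1"},                                 # NO-TCP
    {"tcp-option": "1"},                                  # TCP-OPTION
    {"dport": "1"},                                       # TCP-DPORT
    {"proto": "udp"},                                     # UDP
    {"proto": "udp", "sport": "1"},                       # UDP-SPORT
    {"saddr": "4.4.4.4", "subchain": [{"dport": "7"}]},   # nested TCP-DPORT
    {"dport": "5", "subchain": [{"proto": "udp"}]},       # nested UDP
]}]

if __name__ == "__main__":
    for p, m in expand(SAMPLE): print(render(p, m))
```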