[Ferm] Inaccuracy about subchain concept
Gian Piero Carrubba
gpiero at rm-rf.it
Fri Jul 26 22:12:12 CEST 2013
* [Fri, Jul 26, 2013 at 09:01:40PM +0200] Kiss Gabor (Bitman):
>I have version 2.1. Ferm(1) writes:
[...]
>table filter {
> chain demo1 {
> proto tcp dport 5001 @subchain "common1" {
> DROP saddr (1.0.0.0 2.0.0.0 3.0.0.0);
> }
[...]
># Generated by ferm 2.1 on Fri Jul 26 20:44:51 2013
>*filter
>:common1 - [0:0]
>:common2 - [0:0]
>:demo1 - [0:0]
>:demo2 - [0:0]
>-A common1 --protocol tcp --jump DROP --source 1.0.0.0
>-A common1 --protocol tcp --jump DROP --source 2.0.0.0
>-A common1 --protocol tcp --jump DROP --source 3.0.0.0
[...]
>Man page needs to be corrected.
Please don't, this is an actual bug that needs to be fixed.
Confirmed with ferm 2.2.
Note that the issue seems triggered by the `proto` keyword, i.e.:
daddr 2.2.2.2 @subchain "common1" {
saddr (1.0.0.0 2.0.0.0 3.0.0.0) DROP;
}
correctly produces:
# Generated by ferm 2.2 on Fri Jul 26 22:09:08 2013
# *filter
# :common1 - [0:0]
# :common2 - [0:0]
# :demo1 - [0:0]
# :demo2 - [0:0]
# -A common1 --source 1.0.0.0 --jump DROP
# -A common1 --source 2.0.0.0 --jump DROP
# -A common1 --source 3.0.0.0 --jump DROP
Ciao,
Gian Piero.
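
A regression check for the behaviour reported above, as an added example that is not part of the original message or of ferm: it scans iptables-save style output for rules in a named subchain that carry match options the ferm block never specified. The function names, the `allowed` parameter and the trimmed sample rulesets are assumptions made for this illustration.

```python
import shlex

# Constructed sample input: the common1 rules from the two ferm outputs quoted
# in the message above, trimmed to the lines the check needs.
BUGGY = """\
*filter
:common1 - [0:0]
:demo1 - [0:0]
-A common1 --protocol tcp --jump DROP --source 1.0.0.0
-A common1 --protocol tcp --jump DROP --source 2.0.0.0
-A common1 --protocol tcp --jump DROP --source 3.0.0.0
"""
GOOD = """\
*filter
:common1 - [0:0]
:demo1 - [0:0]
-A common1 --source 1.0.0.0 --jump DROP
-A common1 --source 2.0.0.0 --jump DROP
-A common1 --source 3.0.0.0 --jump DROP
"""

def parse_rule(line):
    """Split one '-A <chain> ...' line into (chain, {option: [values]})."""
    if not line.startswith(("-A ", "--append ")):
        return None  # table header, chain declaration, comment, COMMIT
    tokens = shlex.split(line)
    options, current = {}, None
    for tok in tokens[2:]:
        if tok == "!":  # negation marker belongs to the next option
            continue
        if tok.startswith("-"):
            current = tok
            options[current] = []
        elif current is not None:
            options[current].append(tok)
    return tokens[1], options

def leaked_matches(ruleset, chain, allowed):
    """Return [(line_number, [unexpected options])] for rules in `chain`."""
    permitted = set(allowed) | {"--jump", "-j"}  # the target is always expected
    findings = []
    for number, line in enumerate(ruleset.splitlines(), start=1):
        parsed = parse_rule(line.strip())
        if parsed is None or parsed[0] != chain:
            continue
        extra = sorted(set(parsed[1]) - permitted)
        if extra:
            findings.append((number, extra))
    return findings

if __name__ == "__main__":
    for name, text in (("buggy", BUGGY), ("good", GOOD)):
        print(name, leaked_matches(text, "common1", {"--source"}))
```

The check compares option names exactly as written, so pass both spellings in `allowed` if the ruleset mixes long and short forms (for example `--source` and `-s`).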