[Ferm] Parser error or user error ...
Auke Kok
sofar at foo-projects.org
Thu Dec 31 21:47:09 CET 2015
On 12/31/2015 04:15 AM, Bret Giddings wrote:
> Hello,
>
> The following (somewhat contrived) snippet results in a warning message of
>
> Warning in test.ferm line 16: Chain is already specified
>
> table filter {
>     chain FORWARD {
>         policy DROP;
>         # connection tracking
>         mod state state INVALID DROP;
>         mod state state (ESTABLISHED RELATED) ACCEPT;
>
>         interface eth0 outerface eth1 @subchain eth0.eth1 {
>             chain dns {
>                 daddr 1.2.3.4 ACCEPT;
>                 daddr 5.6.7.8 ACCEPT;
>             }
>             protocol (udp tcp) dport 53 realgoto dns;
>         }
>     }
> }
>
> This appears to be related to ferm detecting that the subchain
> eth0.eth1 is defined twice - however, I can't see that it is.
>
> Am I doing something wrong or is this a harmless parser bug?
You have a chain nested inside a chain, which is wrong.

I don't know what actually happens, I assume that the innermost chain will be used for the section where it is defined, but you should likely reorder your lines something like this (rough sketch, untested):
table filter {
    chain FORWARD {
        policy DROP;
        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
    interface eth0 outerface eth1 @subchain eth0.eth1 {
        chain dns {
            daddr 1.2.3.4 ACCEPT;
            daddr 5.6.7.8 ACCEPT;
        }
        chain FORWARD protocol (udp tcp) dport 53 realgoto dns;
    }
}
Auke
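A rearranged version of the original snippet that avoids the nested chain, added here as an editor's example and not part of either message. It assumes the usual ferm layout in which every chain is declared directly under `table` and `@subchain` is used inside the chain whose traffic it splits off:

```ferm
table filter {
    # Declared once, directly under the table, so no chain is nested inside
    # another and ferm has nothing to warn about.
    chain dns {
        daddr 1.2.3.4 ACCEPT;
        daddr 5.6.7.8 ACCEPT;
    }

    chain FORWARD {
        policy DROP;
        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # eth0 -> eth1 traffic is split off into its own subchain; DNS is
        # handed to the dns chain declared above (realgoto does not return).
        interface eth0 outerface eth1 @subchain eth0.eth1 {
            protocol (udp tcp) dport 53 realgoto dns;
        }
    }
}
```

Packets that match nothing in eth0.eth1 return to FORWARD and fall through to the DROP policy, so the deny-by-default stance of the original is preserved.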