[Ferm] Proposal for new location keyword at gotosubchain

Bret Giddings bretgiddings at gmail.com
Sat Jan 9 18:03:16 CET 2016 

Hi there,

I believe that there is a case to be made for a new location keyword
@gotosubchain. This would be analogous to @subchain, but call the created
subchain via goto rather than jump.I certainly have a number of use cases
for this.

The following appears to be sufficient to implement this.

diff --git a/src/ferm b/src/ferm
index 7cdcae4..88cd57d 100755
--- a/src/ferm
+++ b/src/ferm
@@ -2248,11 +2248,15 @@ sub enter($$) {
             }

             # create a subchain
-            if ($keyword eq '@subchain' or $keyword eq 'subchain') {
+            if ($keyword eq '@subchain' or $keyword eq 'subchain' or
$keyword eq '@gotosubchain') {
                 error('Chain must be specified')
                   unless exists $rule{chain};

-                error('No rule specified before "@subchain"')
+               my $jumptype = ( $keyword =~ /^\@go/ ) ? 'goto' : 'jump';
+               my $jumpkey = $keyword;
+               $jumpkey =~ s/^sub/\@sub/;
+
+                error('No rule specified before "$jumpkey"')
                   unless $rule{has_rule};

                 my $subchain;
@@ -2275,9 +2279,9 @@ sub enter($$) {
                     $domains{$domain}{tables}{$table}{chains}{$subchain}
||= {};
                 }

-                set_target(%rule, 'jump', $subchain);
+                set_target(%rule, $jumptype, $subchain);

-                error('"{" or chain name expected after "@subchain"')
+                error('"{" or chain name expected after "$jumpkey"')
                   unless $keyword eq '{';

                 # create a deep copy of %rule, only containing values


diff --git a/doc/ferm.pod b/doc/ferm.pod
index f721736..727db70 100644
--- a/doc/ferm.pod
+++ b/doc/ferm.pod
@@ -448,9 +448,13 @@ expression such as @cat("interface_", $iface) or
@substr($var,0,20).
 You can achieve the same by explicitly declaring a custom chain, but
 you may feel that using B<@subchain> requires less typing.

+=item B<@gotosubchain ["CHAIN-NAME"] { ... }>

-=back
+Works like B<@subchain> except that instead of using B<jump> target
+it uses B<realgoto> target. See discussion below for the difference
+between these two targets.

+=back

 =head2 Basic iptables match keywords

I would appreciate it if this could be considered as a future enhancement -
unless of course I have missed the obvious direct way of achieving this
already.

Regards,

Bret
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lunar-linux.org/pipermail/ferm/attachments/20160109/0076bc3a/attachment.html>

More information about the Ferm mailing list