[Ferm] protocol/subchain query

[Bret Giddings]

Hi there,

If I have the following (somewhat contrived) example:

table filter {
  chain INPUT {
    protocol ( tcp udp ) mod multiport destination-ports ( 7937:9936
10001:30000 ) @subchain foo {
      saddr host1 ACCEPT;
      saddr host2 ACCEPT;
    }
  }
}

This outputs the following:

# Generated by ferm 2.3 on Sun May 22 17:33:24 2016
*filter
:INPUT ACCEPT [0:0]
:foo - [0:0]
-A INPUT --protocol tcp --match multiport --destination-ports
7937:9936,10001:30000 --jump foo
-A INPUT --protocol udp --match multiport --destination-ports
7937:9936,10001:30000 --jump foo
-A foo --protocol tcp --source host1 --jump ACCEPT
-A foo --protocol udp --source host1 --jump ACCEPT
-A foo --protocol tcp --source host2 --jump ACCEPT
-A foo --protocol udp --source host2 --jump ACCEPT
COMMIT

However, I believe that this is unnecessarily wasteful and due to what I
believe to be a bug at line 2316. If lines 2136 - 2320 are commented out,
you get the following output.

# Generated by ferm 2.3 on Sun May 22 17:36:10 2016
*filter
:INPUT ACCEPT [0:0]
:foo - [0:0]
-A INPUT --protocol tcp --match multiport --destination-ports
7937:9936,10001:30000 --jump foo
-A INPUT --protocol udp --match multiport --destination-ports
7937:9936,10001:30000 --jump foo
-A foo --source host1 --jump ACCEPT
-A foo --source host2 --jump ACCEPT
COMMIT

Which appears to be equally correct, but uses less rules and matches. I
can't see the reason for making protocol a special case at this point in
the code so wondered if there were a particular reason that I am missing?

Regards,

Bret
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lunar-linux.org/pipermail/ferm/attachments/20160522/436a0855/attachment.html>