[Ferm] protocol/subchain query
Kiss Gabor (Bitman)
kissg at ssg.ki.iif.hu
Sun May 22 19:26:23 CEST 2016
> This outputs the following:
>
> # Generated by ferm 2.3 on Sun May 22 17:33:24 2016
> *filter
> :INPUT ACCEPT [0:0]
> :foo - [0:0]
> -A INPUT --protocol tcp --match multiport --destination-ports 7937:9936,10001:30000 --jump foo
> -A INPUT --protocol udp --match multiport --destination-ports 7937:9936,10001:30000 --jump foo
> -A foo --protocol tcp --source host1 --jump ACCEPT
> -A foo --protocol udp --source host1 --jump ACCEPT
> -A foo --protocol tcp --source host2 --jump ACCEPT
> -A foo --protocol udp --source host2 --jump ACCEPT
> COMMIT
>
> However, I believe that this is unnecessarily wasteful and due to what I
> believe to be a bug at line 2316. If lines 2136 - 2320 are commented out,
> you get the following output.
>
> # Generated by ferm 2.3 on Sun May 22 17:36:10 2016
> *filter
> :INPUT ACCEPT [0:0]
> :foo - [0:0]
> -A INPUT --protocol tcp --match multiport --destination-ports 7937:9936,10001:30000 --jump foo
> -A INPUT --protocol udp --match multiport --destination-ports 7937:9936,10001:30000 --jump foo
> -A foo --source host1 --jump ACCEPT
> -A foo --source host2 --jump ACCEPT
> COMMIT
>
> Which appears to be equally correct, but uses fewer rules and matches. I
> can't see the reason for making protocol a special case at this point in
> the code, so wondered if there were a particular reason that I am missing?
Check the "Inaccuracy about subchain concept" thread in the list archive:
http://lists.lunar-linux.org/pipermail/ferm/2013-July/000124.html
http://lists.lunar-linux.org/pipermail/ferm/2013-August/000126.html
etc.
Gabor
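As an added check, not code from this thread or from ferm itself, the following Python script models iptables chain traversal for the two rulesets quoted above and confirms that, because foo is only reached through the tcp/udp multiport rules in INPUT, both versions decide the same sample packets in the same chain. The host names come from the quoted output; the extra host and the port samples are constructed.

```python
from itertools import product
# Constructed inputs: the two ferm outputs quoted above, with wrapped lines rejoined.
HEADER = "*filter\n:INPUT ACCEPT [0:0]\n:foo - [0:0]\n"
JUMPS = "".join(f"-A INPUT --protocol {p} --match multiport "
                f"--destination-ports 7937:9936,10001:30000 --jump foo\n" for p in ("tcp", "udp"))
WITH_PROTO = HEADER + JUMPS + "".join(
    f"-A foo --protocol {p} --source {h} --jump ACCEPT\n"
    for h in ("host1", "host2") for p in ("tcp", "udp")) + "COMMIT\n"
WITHOUT_PROTO = HEADER + JUMPS + "".join(
    f"-A foo --source {h} --jump ACCEPT\n" for h in ("host1", "host2")) + "COMMIT\n"

def ports(spec):
    """Expand a multiport list such as '7937:9936,10001:30000' into a set of ports."""
    return {p for item in spec.split(",") for lo, _, hi in [item.partition(":")]
            for p in range(int(lo), int(hi or lo) + 1)}

def parse(text):
    """Return {chain: [(matches, target), ...]} from iptables-save style text."""
    chains = {}
    for line in text.splitlines():
        if line.startswith(":"):                        # chain declaration
            chains[line[1:].split()[0]] = []
        elif line.startswith("-A "):
            tok, m = line.split(), {}
            for opt, val in zip(tok[2::2], tok[3::2]):
                if opt == "--destination-ports":
                    m["dports"] = ports(val)
                elif opt != "--match":                  # --protocol, --source, --jump
                    m[opt.lstrip("-")] = val
            chains[tok[1]].append((m, m.pop("jump")))
    return chains

def verdict(chains, chain, pkt):
    """Walk chain for packet (proto, src, dport); (target, deciding chain) or None."""
    for m, target in chains[chain]:
        if (m.get("protocol", pkt[0]) != pkt[0] or m.get("source", pkt[1]) != pkt[1]
                or ("dports" in m and pkt[2] not in m["dports"])):
            continue
        # A user chain may fall through (None), in which case the walk continues here.
        res = verdict(chains, target, pkt) if target in chains else (target, chain)
        if res:
            return res

def same_decisions(a, b):
    """True if both rulesets decide every sample packet the same way in the same chain."""
    pkts = product(("tcp", "udp", "icmp"), ("host1", "host2", "host3"),
                   (22, 7937, 9936, 9937, 10001, 30000, 30001))
    ca, cb = parse(a), parse(b)
    return all(verdict(ca, "INPUT", p) == verdict(cb, "INPUT", p) for p in pkts)
```

The equivalence holds only while every path into foo already carries a protocol match; a subchain jumped to from a rule without one would accept other protocols once the `--protocol` lines are dropped, which is the caveat the archived subchain thread is about.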