[Ferm] Another subchain problem

Kiss Gabor (Bitman) kissg at ssg.ki.iif.hu
Thu Aug 24 10:40:31 CEST 2017


I'm playing with subchains and I found an annoying problem.
But first, here is a quoting error in the source code:

[...]
            # create a subchain
            if ($keyword eq '@subchain' or $keyword eq 'subchain' or $keyword eq '@gotosubchain') {
                error('Chain must be specified')
                  unless exists $rule{chain};

                my $jumptype = ($keyword =~ /^\@go/) ? 'goto' : 'jump';
                my $jumpkey = $keyword;
                $jumpkey =~ s/^sub/\@sub/;

### Double quotes should be here:
                error('No rule specified before $jumpkey')
                  unless $rule{has_rule};
[...]



So check this quite legal configuration snippet:

------------------------------
domain (ip ip6) {
    table filter {
        chain INPUT { 
            policy DROP;
            proto tcp dport ssh @subchain "ssh" {
                @subchain "fail2ban-SSH" { RETURN; }
                ACCEPT saddr (
                    @ipfilter((192.0.2.0/24 2001:db8::/32))
                    host1.example.com
                );
            }
        }
    }
}
------------------------------

If I run ferm I get this:

/etc/ferm# ferm -n -l --domain ip subchain.ferm 
Error in subchain.ferm line 12:
        chain INPUT 
        { 
            proto tcp dport ssh @subchain "ssh" 
            { 
                @subchain <--
No rule specified before $jumpkey
/etc/ferm# 

(Don't mind the missing variable interpolation for now. It is easy to fix;
see above.)


jump @subchain "fail2ban-SSH" { RETURN; }
produces this:

/etc/ferm# ferm -n -l --domain ip subchain.ferm 
Error in subchain.ferm line 12:
        chain INPUT 
        { 
            proto tcp dport ssh @subchain "ssh" 
            { 
                jump @subchain <--
unknown ferm built-in function
/etc/ferm# 


I have to find some workaround. Let me try this:
proto tcp @subchain "fail2ban-SSH" { RETURN; }
Now there is no error, but the result looks quite strange:
[...]
-A INPUT --protocol tcp --dport ssh --jump ssh
-A fail2ban-SSH --protocol tcp --jump RETURN
-A ssh --protocol tcp --protocol tcp --jump fail2ban-SSH
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[...]

And we can see it also sucks when loading:
"iptables-restore v1.4.21: multiple -p flags not allowed"

It would work if the subchain did not contain the surrounding protocol
settings. See "Inaccuracy about subchain concept" from July 2013:
http://lists.lunar-linux.org/pipermail/ferm/2013-July/date.html

Now I continue the quest for a workaround... :)

Gabor

