[Ferm] Subchain confusion
Kiss Gabor (Bitman)
kissg at ssg.ki.iif.hu
Thu Aug 24 11:28:57 CEST 2017
Check this quite legal configuration snippet:
------------------------------
domain (ip ip6) {
table filter {
chain INPUT {
policy DROP;
proto tcp dport ssh @subchain "ssh" {
@subchain "fail2ban-SSH" { RETURN; }
ACCEPT saddr (
@ipfilter((192.0.2.0/24 2001:db8::/32))
host1.example.com
);
}
}
}
}
------------------------------
Then run the command
ferm -n -l --domain ip subchain.ferm
Expected output:
------------------------------
# Generated by ferm 2.2 on Thu Aug 24 09:38:15 2017
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-SSH - [0:0]
:ssh - [0:0]
-A INPUT --protocol tcp --dport ssh --jump ssh
-A fail2ban-SSH --jump RETURN
-A ssh --jump fail2ban-SSH
-A ssh --jump ACCEPT --source 192.0.2.0/24
-A ssh --jump ACCEPT --source host1.example.com
COMMIT
------------------------------
Barely acceptable output:
(See also http://lists.lunar-linux.org/pipermail/ferm/2013-July/000123.html)
------------------------------
# Generated by ferm 2.2 on Thu Aug 24 09:38:15 2017
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-SSH - [0:0]
:ssh - [0:0]
-A INPUT --protocol tcp --dport ssh --jump ssh
-A fail2ban-SSH --protocol tcp --jump RETURN
-A ssh --protocol tcp --jump fail2ban-SSH
-A ssh --protocol tcp --jump ACCEPT --source 192.0.2.0/24
-A ssh --protocol tcp --jump ACCEPT --source host1.example.com
COMMIT
------------------------------
Real output:
------------------------------
Error in subchain.ferm line 12:
chain INPUT
{
proto tcp dport ssh @subchain "ssh"
{
@subchain <--
No rule specified before $jumpkey
------------------------------
Gabor
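The point of nesting `@subchain "fail2ban-SSH"` ahead of the whitelist ACCEPTs is that fail2ban's later DROP insertions must be evaluated before any source is accepted. The following is an added example, not code from Gabor's post or from ferm itself: a small Python audit that parses the `*filter` table in the iptables-save format that `ferm -n -l` prints and checks that ordering. The chain names `ssh` and `fail2ban-SSH` and the "good" ruleset are taken from the post's expected output; the "bad" ruleset is a constructed counter-example in which the ACCEPT rules come first.

```python
"""Audit an iptables-restore ruleset for the fail2ban/whitelist ordering.

Added example (not part of the post or of ferm). It parses the '*filter'
table of iptables-save output and checks that, inside the chain handling SSH,
the jump into the fail2ban chain comes before any ACCEPT rule. If a whitelist
ACCEPT came first, the DROP rules fail2ban later inserts into fail2ban-SSH
would never be reached for whitelisted sources.
"""
import re
from collections import OrderedDict

# Sample taken from the post's "expected output" (embedded here so the
# script runs offline).
GOOD_RULESET = """\
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-SSH - [0:0]
:ssh - [0:0]
-A INPUT --protocol tcp --dport ssh --jump ssh
-A fail2ban-SSH --jump RETURN
-A ssh --jump fail2ban-SSH
-A ssh --jump ACCEPT --source 192.0.2.0/24
-A ssh --jump ACCEPT --source host1.example.com
COMMIT
"""

# Constructed counter-example (hypothetical, not from the post): the ACCEPT
# rule precedes the fail2ban jump, so bans never apply to the whitelisted range.
BAD_RULESET = """\
*filter
:INPUT DROP [0:0]
:fail2ban-SSH - [0:0]
:ssh - [0:0]
-A INPUT --protocol tcp --dport ssh --jump ssh
-A fail2ban-SSH --jump RETURN
-A ssh --jump ACCEPT --source 192.0.2.0/24
-A ssh --jump fail2ban-SSH
COMMIT
"""


def parse_filter_table(text):
    """Return (policies, chains).

    policies maps chain name -> policy string ('-' for user-defined chains);
    chains maps chain name -> list of rules, each a dict with 'target'
    (the --jump target or None) and 'matches' (option name -> value).
    Only the '*filter' table is read; lines before it and other tables are skipped.
    """
    policies, chains = {}, OrderedDict()
    in_filter = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('*'):                 # table header, e.g. *filter
            in_filter = (line == '*filter')
            continue
        if not in_filter:
            continue
        if line == 'COMMIT':
            break
        if line.startswith(':'):                 # chain declaration: ":name policy [pkts:bytes]"
            name, policy, _counters = line[1:].split()
            policies[name] = policy
            chains.setdefault(name, [])
            continue
        m = re.match(r'-A\s+(\S+)\s*(.*)$', line)
        if not m:
            raise ValueError('unsupported line: %r' % line)
        chain, tokens = m.group(1), m.group(2).split()
        rule = {'target': None, 'matches': {}}
        i = 0
        while i < len(tokens):                   # every option used here takes one value
            if i + 1 >= len(tokens):
                raise ValueError('option without value in: %r' % line)
            opt, val = tokens[i], tokens[i + 1]
            if opt in ('-j', '--jump'):
                rule['target'] = val
            else:
                rule['matches'][opt.lstrip('-')] = val
            i += 2
        chains.setdefault(chain, []).append(rule)
    return policies, chains


def fail2ban_before_accept(chains, chain='ssh', f2b_chain='fail2ban-SSH'):
    """True iff `chain` jumps to f2b_chain and does so before its first ACCEPT."""
    targets = [r['target'] for r in chains.get(chain, [])]
    if f2b_chain not in targets:
        return False
    first_f2b = targets.index(f2b_chain)
    return all(first_f2b < i for i, t in enumerate(targets) if t == 'ACCEPT')


def audit(text):
    """Return a list of findings; an empty list means the ruleset has the expected shape."""
    policies, chains = parse_filter_table(text)
    findings = []
    if policies.get('INPUT') != 'DROP':
        findings.append('INPUT policy is not DROP')
    entry = [r for r in chains.get('INPUT', [])
             if r['target'] == 'ssh' and r['matches'].get('dport') == 'ssh']
    if not entry:
        findings.append('INPUT does not hand tcp/ssh to the ssh chain')
    if not fail2ban_before_accept(chains):
        findings.append('fail2ban-SSH is not consulted before ACCEPT in chain ssh')
    return findings


if __name__ == '__main__':
    for name, text in (('expected', GOOD_RULESET), ('constructed bad', BAD_RULESET)):
        print(name, '->', audit(text) or 'OK')
```

Because the audit only looks at jump order, the "barely acceptable" output from the post (the same rules with a redundant `--protocol tcp` on every subchain rule) passes it too; the extra match is cosmetic, not a security difference. Run it against `ferm -n -l --domain ip subchain.ferm > out.rules` with `audit(open('out.rules').read())` once the configuration actually parses.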