Each line of a generated subchain herite the "--protocol" from the calling line

Question

Each line of a generated subchain herite the "--protocol" from the calling line

tst2005 opened this issue 5 years ago · 5 comments

tst2005 commented 5 years ago

Considere the small and stupid ferm config samples

Sample 1

domain ip table filter {
	chain in_test1;
	chain INPUT {
		protocol tcp daddr 1.2.3.4 jump in_test1;
	}
	chain in_test1 {
		DROP;
	}
}

Sample 2

domain ip table filter {
	chain INPUT {
		protocol tcp daddr 1.2.3.4 @subchain in_test1 {
			DROP;
		}
	}
}

The difference between the both results:

*filter
 :INPUT ACCEPT [0:0]
 :in_test1 - [0:0]
 -A INPUT --protocol tcp --destination 1.2.3.4 --jump in_test1
--A in_test1 --jump DROP
+-A in_test1 --protocol tcp --jump DROP
 COMMIT

Why the --protocol tcp is added ?
Is it a bug ?

I also tried a way to force to discard the protocol option, without success.
Sample 3

domain ip table filter {
	chain INPUT {
		protocol tcp daddr 1.2.3.4 @subchain in_test1 {
			protocol all DROP;
		}
	}
}

I got -A in_test1 --protocol tcp --protocol all --jump DROP

Answer 1 · 2019-09-16T13:46:09.000Z

I think this part of the code do that.

But why ?!

See the folllowing sample that use a common chain between different protocol.
It shows how the result can be ugly.
Sample 4:

domain ip table filter {
	chain INPUT {
		protocol tcp daddr 1.2.3.4 @subchain common_log_drop {
			# LOG stuff here;
			protocol (udp tcp icmp) DROP;
		}
	}
	chain OUTPUT {
		protocol (udp icmp) jump common_log_drop;
	}	
}

Result:

*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:common_log_drop - [0:0]
-A INPUT --protocol tcp --destination 1.2.3.4 --jump common_log_drop
-A OUTPUT --protocol udp --jump common_log_drop
-A OUTPUT --protocol icmp --jump common_log_drop
-A common_log_drop --protocol tcp --protocol udp --jump DROP
-A common_log_drop --protocol tcp --protocol tcp --jump DROP
-A common_log_drop --protocol tcp --protocol icmp --jump DROP
COMMIT

Answer 2 · 2019-10-25T08:29:05.000Z

Imagine this:

proto tcp @subchain { dport http ACCEPT; }

Without copying the protocol to the subchain, this breaks.

Answer 3 · 2019-11-26T13:02:53.000Z

I understand you don't want to break existing behavior.
Can you consider a new keyword like @rawsubchain to allow to make sub chain without protocol inherance ?
Do you want a separated issue/feature request ?

Answer 4 · 2019-11-26T13:05:44.000Z

I already fixed this by checking whether dport and other specifications exist inside the subchain. Check the closes this in .... message above your post!

Answer 5 · 2019-11-26T13:19:44.000Z

Oh! I didn't see the commit.

Perfect ! it is better than I expected.
Thanks a lot!