interface selectors showing up
Closed this issue · 2 comments
endreszabo commented
Hi Ferm Team.
I encountered another interesting issue. Out of nowhere --in-interface filter statements show up in the rendered file.
Take this ferm rule file:
@def &MACCEPT($logspec) = {
NFLOG nflog-prefix "C=$CHAIN V=ACCEPT T=$logspec ";
if @eq(@substr($CHAIN, -3, 3), _IN) {
MARK or-mark 0x8;
} @else @if @eq(@substr($CHAIN, -4, 4), _OUT) {
MARK or-mark 0x10;
}
}
@def &PVLAN($subinterface, $chain) = {
chain FORWARD interface ubr mod physdev physdev-out $subinterface jump @cat($chain,'_IN');
chain FORWARD interface ubr mod physdev physdev-in $subinterface jump @cat($chain,'_OUT');
}
table filter {
&PVLAN('enp1s0f1.3006','x');
chain x_IN {
&MACCEPT('debug1');
}
chain x_OUT {
&MACCEPT('debug2');
}
}
Which, when rendered, produces this:
Generated by ferm 2.5.1 (iptables-save) on Mon Mar 2 15:14:57 2020
*filter
:FORWARD ACCEPT [0:0]
:x_IN - [0:0]
:x_OUT - [0:0]
-A FORWARD --in-interface ubr --match physdev --physdev-out enp1s0f1.3006 --jump x_IN
-A FORWARD --in-interface ubr --match physdev --physdev-in enp1s0f1.3006 --jump x_OUT
-A x_IN --jump NFLOG --nflog-prefix "C=x_IN V=ACCEPT T=debug1 "
-A x_IN --in-interface 1 --jump MARK --or-mark 0x8
-A x_OUT --jump NFLOG --nflog-prefix "C=x_OUT V=ACCEPT T=debug2 "
-A x_OUT --in-interface 0 --jump MARK --or-mark 0x8
COMMIT
This output has two problems:
- The
&MACCEPTmacro does not specify anything that should result in--in-interface. - Wrong mark flag gets flipped, 0x10 should be set to 1 instead of 0x8 on the
_OUTchains. Maybe I am wrong with understanding how@ifand@eqworks.
Checked and @substr function works just perfectly.
MaxKellermann commented
if is a shortcut for interface.
Note how you wrote if and not @if.
endreszabo commented
Aaand I got to the same conclusion at the very same time I skipped @else.
Thanks Max and sorry for bothering.