MaxKellermann/ferm

Feature Request: can `ferm -nl --domain ip` output match iptables-save

b4ldr opened this issue · 1 comments

b4ldr commented

We currently use ferm in our puppet manifest and I would like to be able to run a test which can validate that all the rules loaded in iptables are the same rules configured in ferm. This would allow us to create a puppet managed service that ensures the loaded firewall rules match the configured rules, so if someone manually adds a rule or flushes the table, puppet restores the rules on the next run.

The simplest way to do this would be something like the following pseudocode:

# Compare string output, so use != rather than the integer test -ne; both ferm
# calls need to be command substitutions ($(...)) to be compared at all.
if [ "$(iptables-save)" != "$(ferm -nl --domain ip)" ] || [ "$(ip6tables-save)" != "$(ferm -nl --domain ip6)" ]; then
  systemctl reload ferm
fi

However, the output from iptables-save and ferm use slightly different rules for producing output: short options vs long options, and some differences in the order of selectors. Would it be possible to update ferm so it uses the same rules for its output as iptables-save?

In case others come across this, I'm currently trying to work around this with the following script:
https://gerrit.wikimedia.org/r/c/operations/puppet/+/576101/5/modules/ferm/files/ferm_status.py#153

thanks
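As an added example (not the issue author's script and not ferm's own code), a Python normaliser for the comparison described above: both dumps are reduced to long option names with selectors sorted, so the kernel state and ferm's line output compare equal despite the cosmetic differences. It assumes ferm -nl prints one full iptables/ip6tables command per line, and it only canonicalises spelling and ordering, not semantic differences such as service names versus port numbers.

```python
import shlex
from itertools import takewhile
# Short -> long spellings, so "-p tcp" (iptables-save) and "--protocol tcp" (ferm) compare equal.
SHORT_TO_LONG = {"-A": "--append", "-t": "--table", "-p": "--protocol", "-s": "--source",
                 "-d": "--destination", "-i": "--in-interface", "-m": "--match", "-j": "--jump"}
def normalize_rule(line, table="filter"):
    """Canonical 'table|chain|sorted matches|target' key for one rule line, else None."""
    tokens = shlex.split(line)
    if tokens and tokens[0] in ("iptables", "ip6tables"):  # ferm -l lines are full commands (assumed)
        tokens = tokens[1:]
    chain, target, matches, i = None, None, [], 0
    while i < len(tokens):
        neg = ""
        if tokens[i] == "!":                      # negation belongs to the option following it
            neg, i = "! ", i + 1
        opt, i = SHORT_TO_LONG.get(tokens[i], tokens[i]), i + 1
        vals = list(takewhile(lambda t: not t.startswith("-") and t != "!", tokens[i:]))
        i += len(vals)                            # an option may take several values (--tcp-flags)
        item = " ".join([neg + opt] + vals)
        if opt == "--table":
            table = vals[0]
        elif opt == "--append":
            chain = vals[0]
        elif opt == "--jump":
            target = item
        else:
            matches.append(item)                  # selector order is irrelevant; sorted below
    return None if chain is None else f"{table}|{chain}|{' '.join(sorted(matches))}|{target}"
def parse_ruleset(text):
    """Canonicalise a whole iptables-save or ferm -nl dump into a set of rule keys."""
    table, keys = "filter", set()
    for line in text.splitlines():
        if line.startswith("*"):                  # iptables-save table header, e.g. "*filter"
            table = line[1:].strip()
        else:
            keys.add(normalize_rule(line, table))  # comment/policy/COMMIT lines yield None
    return keys - {None}
def diff_rulesets(saved_text, ferm_text):
    """(rules only in the kernel, rules only in ferm); both empty means the rule sets match."""
    saved, wanted = parse_ruleset(saved_text), parse_ruleset(ferm_text)
    return sorted(saved - wanted), sorted(wanted - saved)
# Constructed samples: one policy as iptables-save prints it and as ferm prints it, plus a rule only in ferm.
IPTABLES_SAVE = """*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT ! -s 10.0.0.0/8 -p udp -m udp --dport 161 -j DROP
COMMIT"""
FERM_LINES = """iptables -t filter --append INPUT --protocol tcp --match tcp --dport 22 --jump ACCEPT
iptables -A INPUT -p udp -m udp ! --source 10.0.0.0/8 --dport 161 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT"""
```

Running `diff_rulesets(IPTABLES_SAVE, FERM_LINES)` reports no kernel-only rules and the single ferm-only port 443 rule, which is the condition under which the reload in the pseudocode above should fire.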

But is there really a canonical output of iptables-save and where is its specification?
In the distant past, the output has changed a lot.
The ferm unit test suite uses various kludges to compare generated rules, such as the import-ferm script and test/sort.pl.