From 392e586a3a0e8d49b89661380c8404a690913cad Mon Sep 17 00:00:00 2001
From: Faidon Liambotis
Date: Wed, 31 Oct 2012 20:05:21 +0200
Subject: [PATCH] Fix regression: functions containing domain (ip ip6)

Commit 729e3e introduced support for individual evaluation of rules per-domain. As part of that, inside a domain statement, execution forks into two inner rules and then individually executed. However, the inner rule is entered starting with level $lev, which can never be zeroed back, since its contents are collected via a call to collect_tokens(), which is a zero-summed collection. This worked on most cases, since domain is usually defined on level zero. A notable exception is when domain (ip ip6) is defined inside a function. Fix this by entering the inner rule with an initial zero level and add a test case to the test suite. This is a fix for a ferm 2.1 regression.
---
 NEWS | 1 +
 src/ferm | 2 +-
 test/ipv6/mixed.ferm | 7 +++++++
 test/ipv6/mixed.result | 2 ++
 4 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index 8dbbc00..cca269d 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,7 @@ v2.1.2 - not yet released
 - updated netfilter modules:
 * hashlimit: allow list after hashlimit-mode
+ - fix functions containing mixed domains
 v2.1.1 - 29 Jul 2012
diff --git a/src/ferm b/src/ferm
index 745cbda..e43318b 100755
--- a/src/ferm
+++ b/src/ferm
@@ -2063,7 +2063,7 @@ sub enter($$) {
 new_level(%inner, \%rule);
 set_domain(%inner, $domain) or next;
 $script->{tokens} = [ @$tokens ];
- enter($lev, \%inner);
+ enter(0, \%inner);
 }
 
 $script->{tokens} = $old_tokens;
diff --git a/test/ipv6/mixed.ferm b/test/ipv6/mixed.ferm
index 8ffa5a7..b043adc 100644
--- a/test/ipv6/mixed.ferm
+++ b/test/ipv6/mixed.ferm
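Review bot: The literal `0` in `enter(0, \%inner);` carries the whole reasoning of this fix, but nothing at the call site says why `$lev` is wrong there, so a later reader comparing it with the surrounding `enter` calls may "correct" it back to `$lev` and reintroduce the regression. I would add a comment above the call, e.g. `# the inner rule's tokens come from collect_tokens(), which returns a balanced (zero-summed) list, so the nested walk must start at level 0 even when this domain statement sits inside a function`. Since the test in mixed.ferm is the only thing pinning this behaviour, naming it in the comment (`# see test/ipv6/mixed.ferm`) would also help. The enclosing `sub enter` starts and ends outside the hunk.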
@@ -9,6 +9,13 @@ domain (ip6 ip) chain INPUT {
 LOG log-prefix $DOMAIN;
 }
 
+@def &SERVICE($proto, $port) = {
+ domain (ip ip6) chain INPUT {
+ proto $proto dport $port ACCEPT;
+ }
+}
+&SERVICE(tcp, smtp);
+
 domain $both chain INPUT @if (@eq($DOMAIN,ip)) LOG log-prefix "four";
 domain $both chain INPUT @if (@eq($DOMAIN,ip6)) LOG log-prefix "six";
 
diff --git a/test/ipv6/mixed.result b/test/ipv6/mixed.result
index 4ffdc6a..297cdd2 100644
--- a/test/ipv6/mixed.result
+++ b/test/ipv6/mixed.result
@@ -2,6 +2,7 @@ iptables -t filter -P OUTPUT DROP
 iptables -t filter -A INPUT -j DROP
 iptables -t filter -A INPUT -p tcp --dport ssh -j ACCEPT
 iptables -t filter -A INPUT -j LOG --log-prefix ip
+iptables -t filter -A INPUT -p tcp --dport smtp -j ACCEPT
 iptables -t filter -A INPUT -j LOG --log-prefix four
 iptables -t filter -A INPUT -j LOG --log-prefix four2
 iptables -t filter -A INPUT -j LOG --log-prefix four3
@@ -9,6 +10,7 @@ iptables -t filter -A INPUT -j REJECT
 ip6tables -t filter -P OUTPUT DROP
 ip6tables -t filter -A INPUT -p tcp --dport ssh -j ACCEPT
 ip6tables -t filter -A INPUT -j LOG --log-prefix ip6
+ip6tables -t filter -A INPUT -p tcp --dport smtp -j ACCEPT
 ip6tables -t filter -A INPUT -j LOG --log-prefix six
 ip6tables -t filter -A INPUT -j LOG --log-prefix six2
 ip6tables -t filter -A INPUT -j LOG --log-prefix six3
-- 
2.11.4.GIT