Package: ferm
Version: 2.0.3-1
Severity: normal
Tags: patch

(also applies to the version in sid)

The following works OK in iptables

  iptables -t mangle -A PREROUTING -m connmark \! --mark 0 \
    -j CONNMARK --restore-mark

but the corresponding ferm snippet doesn't:

  table mangle chain PREROUTING mod connmark 
      !mark 0 CONNMARK restore-mark;

Trying to feed that into ferm gives:

$ sudo /usr/sbin/ferm --lines --noexec test.ferm 
Error in test.ferm line 1:
table mangle chain PREROUTING mod connmark ! mark 0 <--
Doesn't support negation: mark

Applying the following trivial patch to connmark definition allows
negation of the mark parameter:

diff --git a/src/ferm b/src/ferm
index 4845cfe..bcdb220 100755
--- a/src/ferm
+++ b/src/ferm
@@ -234,7 +234,7 @@ add_match_def 'comment', qw(comment=s);
 add_match_def 'condition', qw(condition!);
 add_match_def 'connbytes', qw(!connbytes connbytes-dir connbytes-mode);
 add_match_def 'connlimit', qw(!connlimit-above connlimit-mask);
-add_match_def 'connmark', qw(mark);
+add_match_def 'connmark', qw(!mark);
 add_match_def 'conntrack', qw(ctstate=c ctproto ctorigsrc! ctorigdst!),
   qw(ctreplsrc! ctrepldst! ctstatus ctexpire=s);
 add_match_def 'dscp', qw(dscp dscp-class);
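
Review bot: the changed 'connmark' line arrives without a test case or documentation update; the diff touches only src/ferm. A test input containing "mod connmark !mark 0" together with its expected "! --mark 0" output would keep the negation from regressing. The prefix form "!mark" follows "!connbytes" and "!connlimit-above" in the context lines rather than the suffix form used by "condition!" and "ctorigsrc!"; a short remark in the commit message on why the prefix form was chosen would help the next reader.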

The resulting rules for the above example are:

 # Generated by ferm 2.0.5 on Mon Mar 30 12:57:12 2009
 *mangle
 :PREROUTING ACCEPT [0:0]
 -A PREROUTING --match connmark ! --mark 0 --jump CONNMARK --restore-mark
 COMMIT


Thanks for considering,
    dam


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (450, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.29-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=bg_BG.UTF-8, LC_CTYPE=bg_BG.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ferm depends on:
ii  debconf                       1.5.26     Debian configuration management sy
ii  iptables                      1.4.2-6    administration tools for packet fi
ii  lsb-base                      3.2-22     Linux Standard Base 3.2 init scrip
ii  perl                          5.10.0-19  Larry Wall's Practical Extraction 

ferm recommends no packages.

ferm suggests no packages.

-- debconf information:
* ferm/enable: true


