Your message dated Sun, 19 Jul 2009 13:32:04 +0000
with message-id <[email protected]>
and subject line Bug#521827: fixed in ferm 2.0.6-1
has caused the Debian Bug report #521827,
regarding doesn't support !mark in connmark or MARK filters
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
521827: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521827
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ferm
Version: 2.0.3-1
Severity: normal
Tags: patch

(also applies to the version in sid)

The following works OK in iptables:

  iptables -t mangle -A PREROUTING -m connmark \! --mark 0 \
    -j CONNMARK --restore-mark

but the corresponding ferm snippet doesn't:

  table mangle chain PREROUTING mod connmark 
      !mark 0 CONNMARK restore-mark;

Trying to feed that into ferm gives:

$ sudo /usr/sbin/ferm --lines --noexec test.ferm 
Error in test.ferm line 1:
table mangle chain PREROUTING mod connmark ! mark 0 <--
Doesn't support negation: mark

Applying the following trivial patch to the connmark definition allows
negation of the mark parameter:

diff --git a/src/ferm b/src/ferm
index 4845cfe..bcdb220 100755
--- a/src/ferm
+++ b/src/ferm
@@ -234,7 +234,7 @@ add_match_def 'comment', qw(comment=s);
 add_match_def 'condition', qw(condition!);
 add_match_def 'connbytes', qw(!connbytes connbytes-dir connbytes-mode);
 add_match_def 'connlimit', qw(!connlimit-above connlimit-mask);
-add_match_def 'connmark', qw(mark);
+add_match_def 'connmark', qw(!mark);
 add_match_def 'conntrack', qw(ctstate=c ctproto ctorigsrc! ctorigdst!),
   qw(ctreplsrc! ctrepldst! ctstatus ctexpire=s);
 add_match_def 'dscp', qw(dscp dscp-class);
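
Review bot: only the 'connmark' line is changed here, but the report's subject also names the MARK filter, and no 'mark' match definition appears in this hunk; if that match is declared elsewhere in src/ferm as a plain `mark`, it needs the same `qw(!mark)` change or the report is only half addressed. The context lines use two negation spellings, a prefix form (`!connbytes`, `!connlimit-above`) and a suffix form (`condition!`, `ctorigsrc!`), so the commit message should say that the prefix form is intended here, which matches the `! --mark 0` ordering in the generated rule quoted below. A test case covering the negated connmark rule would keep this from regressing.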

The resulting rules for the above example are:

 # Generated by ferm 2.0.5 on Mon Mar 30 12:57:12 2009
 *mangle
 :PREROUTING ACCEPT [0:0]
 -A PREROUTING --match connmark ! --mark 0 --jump CONNMARK --restore-mark
 COMMIT


Thanks for considering,
    dam


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (450, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.29-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=bg_BG.UTF-8, LC_CTYPE=bg_BG.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ferm depends on:
ii  debconf                       1.5.26     Debian configuration management sy
ii  iptables                      1.4.2-6    administration tools for packet fi
ii  lsb-base                      3.2-22     Linux Standard Base 3.2 init scrip
ii  perl                          5.10.0-19  Larry Wall's Practical Extraction 

ferm recommends no packages.

ferm suggests no packages.

-- debconf information:
* ferm/enable: true



--- End Message ---
--- Begin Message ---
Source: ferm
Source-Version: 2.0.6-1

We believe that the bug you reported is fixed in the latest version of
ferm, which is due to be installed in the Debian FTP archive:

ferm_2.0.6-1.diff.gz
  to pool/main/f/ferm/ferm_2.0.6-1.diff.gz
ferm_2.0.6-1.dsc
  to pool/main/f/ferm/ferm_2.0.6-1.dsc
ferm_2.0.6-1_all.deb
  to pool/main/f/ferm/ferm_2.0.6-1_all.deb
ferm_2.0.6.orig.tar.gz
  to pool/main/f/ferm/ferm_2.0.6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexander Wirt <[email protected]> (supplier of updated ferm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 19 Jul 2009 15:10:57 +0200
Source: ferm
Binary: ferm
Architecture: source all
Version: 2.0.6-1
Distribution: unstable
Urgency: low
Maintainer: ferm maintainers <[email protected]>
Changed-By: Alexander Wirt <[email protected]>
Description: 
 ferm       - maintain and setup complicated firewall rules
Closes: 521827 522359 525438 525440 525444 525450 525452 525458 525671 525678 528500 528654
Changes: 
 ferm (2.0.6-1) unstable; urgency=low
 .
   [ Max Kellermann ]
   * new upstream release
     - support negation in mark/connmark/set (Closes: #521827, #522359)
     - added automatic variable $FILENAME (Closes: #525452)
     - create a new stack frame for @subchain (Closes: #525450)
     - doc: added real-world example for @if (Closes: #525458)
     - enable @include to run a program (Closes: #525678)
   * updated upstream home page (Closes: #525671)
   * invalidate cache after kernel upgrade (Closes: #528654)
   * improve the "ENABLED" .default variable description (Closes: #525438)
   * check $CONFIG after sourcing the .default file (Closes: #525440)
   * fix bashisms in init script, and run with /bin/sh
   * print a warning when "/etc/init.d/ferm start" fails and the module
     ip_tables is not loaded (Closes: #525444)
 .
   [ Alexander Wirt ]
   * Recommend libnet-dns-perl (Closes: #528500)
   * Bump standards version (No changes)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpjG8MACgkQ01u8mbx9AgosLgCgsC+hCF7WieRv0Xl0Rpsj/vd5
+ZkAoL/4Sp6H5SRJqpIWNzoi2ea7dzc9
=mkHS
-----END PGP SIGNATURE-----



--- End Message ---
