Bug#591329: host objects: ignore ipv6 addresses in ipv4 context and vice versa
Martin,

On Mon, Aug 02, 2010 at 10:31:06AM +0200, martin f krafft wrote:
> All of my hosts are IPv4 and IPv6 connected. Hence, every host has
> at least one address in each of the (ip ip6) domains.
>
> I'd really like to be able to think about a host as a single entity
> and thus would love to see the concept of host objects in ferm.
>
> In general, however, a host object needs not be more than
> a variable:
>
>   @def $MYHOST = (77.109.139.85 2001:1620:2018:2::4d6d:8b55);
>
> Unfortunately, this does not work:
>
>   daddr $MYHOST ACCEPT;
>
> causes the following rules to be created in both (ip ip6) domains:
>
>   -A in-new --destination 77.109.139.85 --jump ACCEPT
>   -A in-new --destination 2001:1620:2018:2::4d6d:8b55 --jump ACCEPT
>
> I am thinking that all that is needed is a simple domain-specific
> regexp to filter only the applicable addresses when expanding
> variable arrays in an address context. Unfortunately, I couldn't
> figure out where this is happening in 15 minutes of studying the
> code.

I raised the same issue on the mailing list (unaware of your bug report!), see the thread starting from:
http://foo-projects.org/pipermail/ferm/2011-July/59.html

Max implemented *two* solutions to the problem that are now on ferm's git. Have a look at the implementation there to see if that satisfies your use case.

Regards,
Faidon
Bug#591329: host objects: ignore ipv6 addresses in ipv4 context and vice versa
Package: ferm
Version: 2.0.7-1
Severity: wishlist
Tags: upstream, ipv6
Forwarded: Max Kellermann m...@duempel.org

All of my hosts are IPv4 and IPv6 connected. Hence, every host has at least one address in each of the (ip ip6) domains.

I'd really like to be able to think about a host as a single entity and thus would love to see the concept of host objects in ferm.

In general, however, a host object needs not be more than a variable:

  @def $MYHOST = (77.109.139.85 2001:1620:2018:2::4d6d:8b55);

Unfortunately, this does not work:

  daddr $MYHOST ACCEPT;

causes the following rules to be created in both (ip ip6) domains:

  -A in-new --destination 77.109.139.85 --jump ACCEPT
  -A in-new --destination 2001:1620:2018:2::4d6d:8b55 --jump ACCEPT

I am thinking that all that is needed is a simple domain-specific regexp to filter only the applicable addresses when expanding variable arrays in an address context. Unfortunately, I couldn't figure out where this is happening in 15 minutes of studying the code.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.35-rc6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_NZ, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ferm depends on:
ii  debconf     1.5.33     Debian configuration management sy
ii  iptables    1.4.8-3    administration tools for packet fi
ii  lsb-base    3.2-23.1   Linux Standard Base 3.2 init scrip
ii  perl        5.10.1-13  Larry Wall's Practical Extraction

Versions of packages ferm recommends:
ii  libnet-dns-perl  0.66-2  Perform DNS queries from a Perl sc

ferm suggests no packages.

-- Configuration Files:
/etc/default/ferm changed [not included]
/etc/ferm/ferm.conf changed [not included]

-- debconf information excluded

-- 
 .''`.   martin f. krafft madd...@d.o          Related projects:
: :'  :  proud Debian developer                http://debiansystem.info
`. `'`   http://people.debian.org/~madduck     http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems

digital_signature_gpg.asc
Description: Digital signature (see http://martin-krafft.net/gpg/)
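
The domain-specific filtering requested in the report, sketched as an added example (not ferm's code and not the implementation referred to in the reply). The function names `filter_for_domain` and `expand_daddr` and the `V4_ONLY` host are hypothetical; the example uses Python's `ipaddress` module rather than a regexp and also covers the case where a host has no address in one family.

```python
import ipaddress

# Address family expected in each ferm domain.
DOMAIN_VERSION = {"ip": 4, "ip6": 6}


def filter_for_domain(values, domain):
    """Keep only the entries of a host object usable in `domain`.

    Entries that parse as an address or prefix are kept when their family
    matches the domain; anything else (e.g. a hostname) is passed through,
    because its family cannot be decided without a DNS lookup.
    """
    want = DOMAIN_VERSION[domain]
    kept = []
    for value in values:
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            kept.append(value)  # not a literal address: leave it alone
            continue
        if net.version == want:
            kept.append(value)
    return kept


def expand_daddr(chain, values, target, domains=("ip", "ip6")):
    """Return {domain: [rule, ...]} for `daddr <values> <target>`.

    A domain whose filtered list is empty gets no rule at all. Emitting the
    rule without --destination would match every packet instead.
    """
    rules = {}
    for domain in domains:
        rules[domain] = [
            f"-A {chain} --destination {addr} --jump {target}"
            for addr in filter_for_domain(values, domain)
        ]
    return rules


# Constructed input: the host object from the report plus a v4-only host.
MYHOST = ["77.109.139.85", "2001:1620:2018:2::4d6d:8b55"]
V4_ONLY = ["192.0.2.10/32"]

if __name__ == "__main__":
    for name, host in (("MYHOST", MYHOST), ("V4_ONLY", V4_ONLY)):
        for domain, lines in expand_daddr("in-new", host, "ACCEPT").items():
            print(name, domain, lines or "(no rule)")
```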