Hi, upstream has released a minor update that addresses #499515 and also fixes some minor problems. The diff is very small (attached), so I am asking for an exception for ferm 2.0.3 in lenny. Thanks in advance, Alex -- Alexander Wirt, formorer@formorer.de CC99 2DDD D39E 75B0 B0AA B25C D35B BC99 BC7D 020A
diff -ruN ferm-2.0.2/doc/ferm.1 ferm-2.0.3/doc/ferm.1
--- ferm-2.0.2/doc/ferm.1 2008-07-26 19:31:02.000000000 +0200
+++ ferm-2.0.3/doc/ferm.1 2008-09-30 19:56:51.000000000 +0200
@@ -129,7 +129,7 @@
 .\" ========================================================================
 .\"
 .IX Title "FERM 1"
-.TH FERM 1 "2008-07-24" "ferm 2.0.2" "FIREWALL RULES MADE EASY"
+.TH FERM 1 "2008-09-30" "ferm 2.0.3~svn20080930" "FIREWALL RULES MADE EASY"
 .SH "NAME"
 \&\fBferm\fR \- a firewall rule parser for linux
 .SH "SYNOPSIS"
@@ -1063,6 +1063,10 @@
 \& mod policy mode tunnel tunnel\-dst 192.168.2.1 ACCEPT;
 \& mod policy strict next reqid 24 spi 0x11 ACCEPT;
 .Ve
+.Sp
+Note that the keyword \fIproto\fR is also used as a shorthand version of
+\&\fIprotocol\fR (built\-in match module). You can fix this conflict by
+always using the long keyword \fIprotocol\fR.
 .IP "\fBpsd\fR" 8
 .IX Item "psd"
 Detect \s-1TCP/UDP\s0 port scans.
diff -ruN ferm-2.0.2/doc/ferm.html ferm-2.0.3/doc/ferm.html
--- ferm-2.0.2/doc/ferm.html 2008-07-26 19:31:02.000000000 +0200
+++ ferm-2.0.3/doc/ferm.html 2008-09-30 19:56:51.000000000 +0200
@@ -1231,6 +1231,11 @@
 mod policy mode tunnel tunnel-dst 192.168.2.1 ACCEPT;
 mod policy strict next reqid 24 spi 0x11 ACCEPT;</pre>
 </dd>
+<dd>
+<p>Note that the keyword <em>proto</em> is also used as a shorthand version of
+<em>protocol</em> (built-in match module). You can fix this conflict by
+always using the long keyword <em>protocol</em>.</p>
+</dd>
 </li>
 <dt><strong><a name="item_psd"><strong>psd</strong></a></strong>
diff -ruN ferm-2.0.2/doc/ferm.pod ferm-2.0.3/doc/ferm.pod
--- ferm-2.0.2/doc/ferm.pod 2008-07-26 19:31:02.000000000 +0200
+++ ferm-2.0.3/doc/ferm.pod 2008-09-30 19:56:51.000000000 +0200
@@ -925,6 +925,10 @@
 mod policy mode tunnel tunnel-dst 192.168.2.1 ACCEPT;
 mod policy strict next reqid 24 spi 0x11 ACCEPT;
+Note that the keyword I<proto> is also used as a shorthand version of
+I<protocol> (built-in match module). You can fix this conflict by
+always using the long keyword I<protocol>.
+
 =item B<psd>
 Detect TCP/UDP port scans.
diff -ruN ferm-2.0.2/doc/ferm.txt ferm-2.0.3/doc/ferm.txt
--- ferm-2.0.2/doc/ferm.txt 2008-07-26 19:31:02.000000000 +0200
+++ ferm-2.0.3/doc/ferm.txt 2008-09-30 19:56:51.000000000 +0200
@@ -746,6 +746,10 @@
 mod policy mode tunnel tunnel-dst 192.168.2.1 ACCEPT;
 mod policy strict next reqid 24 spi 0x11 ACCEPT;
+ Note that the keyword *proto* is also used as a shorthand
+ version of *protocol* (built-in match module). You can fix this
+ conflict by always using the long keyword *protocol*.
+
 psd
 Detect TCP/UDP port scans.
 mod psd psd-weight-threshold 21 psd-delay-threshold 300
diff -ruN ferm-2.0.2/doc/import-ferm.1 ferm-2.0.3/doc/import-ferm.1
--- ferm-2.0.2/doc/import-ferm.1 2008-07-26 19:31:02.000000000 +0200
+++ ferm-2.0.3/doc/import-ferm.1 2008-09-30 19:56:51.000000000 +0200
@@ -129,7 +129,7 @@
 .\" ========================================================================
 .\"
 .IX Title "IMPORT-FERM 1"
-.TH IMPORT-FERM 1 "2008-07-24" "ferm 2.0.2" "FIREWALL RULES MADE EASY"
+.TH IMPORT-FERM 1 "2008-09-30" "ferm 2.0.3~svn20080930" "FIREWALL RULES MADE EASY"
 .SH "NAME"
 import\-ferm \- import existing firewall rules into ferm
 .SH "SYNOPSIS"
diff -ruN ferm-2.0.2/NEWS ferm-2.0.3/NEWS
--- ferm-2.0.2/NEWS 2008-07-26 19:31:02.000000000 +0200
+++ ferm-2.0.3/NEWS 2008-09-30 19:56:51.000000000 +0200
@@ -7,6 +7,14 @@
 Auke Kok <sofar@foo-projects.org>
+v2.0.3 - 30 Sep 2008
+ - create chains and subchains even if they are empty
+ - fix includes within a rule ("Missing semicolon...")
+ - fix subchain in include ("Died at [...] line 1493")
+ - "protocol" is an alias for "proto", to fix the keyword conflict with
+ the "policy" module
+
+
 v2.0.2 - 26 Jul 2008
 - allow duplicate specification of "table" and "chain", for better 1.3.x compatibility. Support for this will be removed in a later
diff -ruN ferm-2.0.2/src/ferm ferm-2.0.3/src/ferm
--- ferm-2.0.2/src/ferm 2008-07-26 19:31:02.000000000 +0200
+++ ferm-2.0.3/src/ferm 2008-09-30 19:56:51.000000000 +0200
@@ -25,7 +25,7 @@
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 #
-# $Id: ferm 1270 2008-07-26 17:30:23Z max $
+# $Id: ferm 1283 2008-09-30 17:56:33Z max $
 BEGIN {
 eval { require strict; import strict; };
@@ -47,9 +47,9 @@
 use vars qw($DATE $VERSION);
 # subversion keyword magic
-$DATE = '$Date: 2008-07-26 19:30:23 +0200 (Sat, 26 Jul 2008) $' =~ m,(\d{4})-(\d\d)-(\d\d), ? $1.$2.$3 : '';
+$DATE = '$Date: 2008-09-30 19:56:33 +0200 (Tue, 30 Sep 2008) $' =~ m,(\d{4})-(\d\d)-(\d\d), ? $1.$2.$3 : '';
-$VERSION = '2.0.2';
+$VERSION = '2.0.3';
 #$VERSION .= '~svn' . $DATE;
 ## interface variables
@@ -1608,7 +1608,7 @@
 # consistency check: check if they havn't forgotten
 # the ';' after the last statement
 error('Missing semicolon before "}"')
- if $rule{has_rule};
+ if $rule{non_empty};
 # and exit
 return;
@@ -1658,7 +1658,7 @@
 # definition of a variable or function
 if ($keyword eq '@def' or $keyword eq 'def') {
 error('"def" must be the first token in a command')
- if $rule{has_rule};
+ if $rule{non_empty};
 my $type = require_next_token();
 if ($type eq '$') {
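Review bot: The `Missing semicolon before "}"` check now fires on `$rule{non_empty}` instead of `$rule{has_rule}`, which tightens what the parser accepts: `has_rule` is only set for "real" rules (its assignment site is commented "not just policy only"), whereas `non_empty` is set for any keyword that reaches the later dispatch, so a block ending in e.g. `policy DROP }` with no `;` that parsed under 2.0.2 presumably errors under 2.0.3. For a stable update that deserves a line in NEWS, because a ruleset that fails to parse at boot leaves the host with whatever the init script does on failure rather than the intended policy. I would record the intent above the check: `# non_empty (not has_rule): a trailing policy/table/chain statement without ';' must be reported too`. The enclosing parse loop starts and ends outside the hunk.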
@@ -1722,6 +1722,12 @@
 next;
 }
+ # this rule has something which isn't inherited by its
+ # parent closure. This variable is used in a lot of
+ # syntax checks.
+
+ $rule{non_empty} = 1;
+
 # def references
 if ($keyword eq '$') {
 error('variable references are only allowed as keyword parameter');
@@ -1803,7 +1809,8 @@
 if ($keyword eq 'chain') {
 warning('Chain is already specified') if exists $rule{chain};
- $rule{chain} = $stack[0]{auto}{CHAIN} = getvalues();
+
+ my $chain = $rule{chain} = $stack[0]{auto}{CHAIN} = getvalues();
 # ferm 1.1 allowed lower case built-in chain names
 foreach (ref $rule{chain} ? @{$rule{chain}} : $rule{chain}) {
@@ -1817,6 +1824,14 @@
 $rule{table} = 'filter' unless exists $rule{table};
+ foreach my $domain (to_array $rule{domain}) {
+ foreach my $table (to_array $rule{table}) {
+ foreach my $c (to_array $chain) {
+ $domains{$domain}{tables}{$table}{chains}{$c} ||= {};
+ }
+ }
+ }
+
 next;
 }
@@ -1864,6 +1879,12 @@
 $subchain = 'ferm_auto_' . ++$auto_chain;
 }
+ foreach my $domain (to_array $rule{domain}) {
+ foreach my $table (to_array $rule{table}) {
+ $domains{$domain}{tables}{$table}{chains}{$subchain} ||= {};
+ }
+ }
+
 set_target(%rule, 'jump', $subchain);
 error('"{" or chain name expected after "@subchain"')
@@ -1884,12 +1905,13 @@
 }
 # enter the block
- enter(1, \%inner);
+ enter($lev + 1, \%inner);
 # now handle the parent - it's a jump to the sub chain
- $rule{script} = { filename => $script->(unknown),
- line => $script->{line},
- };
+ $rule{script} = {
+ filename => $script->(unknown),
+ line => $script->{line},
+ };
 mkrules(\%rule);
@@ -1901,7 +1923,7 @@
 # everything else must be part of a "real" rule, not just
 # "policy only"
- $rule{has_rule}++;
+ $rule{has_rule} = 1;
 # extended parameters:
 if ($keyword =~ /^mod(?:ule)?$/) {
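Review bot: The new chain-registration loop iterates `to_array $chain`, but `$chain` is a copy taken before the `# ferm 1.1 allowed lower case built-in chain names` loop runs over `$rule{chain}` (that loop's body is outside the hunk); if it rewrites the names in place, a scalar `chain input` would be registered in `%domains` under `input` while the rule itself uses the normalized name, leaving a stray empty chain to be created. Iterating the value the rule actually uses avoids the divergence: `foreach my $c (to_array $rule{chain}) {`, after which the `my $chain =` temporary can go. In the array-ref case both names alias the same array, so the mismatch would only show for the scalar form; a quick test with a lower-case built-in chain name would settle it. The `chain` keyword handler continues past the hunk.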
@@ -1967,7 +1989,7 @@
 # protocol specific options
 #
- if ($keyword eq 'proto') {
+ if ($keyword eq 'proto' or $keyword eq 'protocol') {
 my $protocol = parse_keyword(%rule, { params => 1, negation => 1 }, \$negated);
@@ -2013,7 +2035,7 @@
 # consistency check: check if they havn't forgotten
 # the ';' before the last statement
 error("Missing semicolon before end of file")
- if exists $rule{domain};
+ if $rule{non_empty};
 }
 sub execute_command {
diff -ruN ferm-2.0.2/src/import-ferm ferm-2.0.3/src/import-ferm
--- ferm-2.0.2/src/import-ferm 2008-07-26 19:31:02.000000000 +0200
+++ ferm-2.0.3/src/import-ferm 2008-09-30 19:56:51.000000000 +0200
@@ -28,7 +28,7 @@
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 #
-# $Id: import-ferm 1263 2008-07-24 06:36:33Z max $
+# $Id: import-ferm 1279 2008-09-30 17:55:09Z max $
 use strict;
@@ -393,7 +393,7 @@
 my %def = ( params => 1 );
 my $value = parse_def_option($option, %def, $pre_negated, @$tokens);
 $line->{proto} = $value;
- push @$cur, [ 'proto', $value ];
+ push @$cur, [ 'protocol', $value ];
 my $module = netfilter_canonical_protocol($value);
 if (exists $proto_defs{ip}{$module}) {
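Review bot: import-ferm now emits `protocol` where it used to emit `proto`, so a ruleset exported with 2.0.3 will no longer load on ferm 2.0.2 or earlier, which only recognises `proto` (the alias is introduced in the same release in the `if ($keyword eq 'proto' or $keyword eq 'protocol')` hunk). Importing on one host and deploying the generated file to another still on the old package is a realistic workflow for a stable release, so this one-way incompatibility belongs in NEWS and in import-ferm's man page rather than being implied by the "alias" entry. I would also note it at the emit site: `# emit the long form: 'proto' collides with the policy module's own proto parameter; needs ferm >= 2.0.3`. Whether the shorter `proto` could be kept outside a `mod policy` context is not decidable from this hunk, since the enclosing option handler starts and ends outside it.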