
Missing -m set option when matching source and destination against ipsets #84

Open
kBite opened this issue Apr 29, 2021 · 1 comment · May be fixed by #89

Comments


kBite commented Apr 29, 2021

Description

iptables rules generated by ferm from its config are missing the second -m set option when matching source and destination against ipsets.

should be:

-A FORWARD --match set --match-set ipset_src src --match set --match-set ipset_dst dst --jump ACCEPT

instead of:

-A FORWARD --match set --match-set ipset_src src             --match-set ipset_dst dst --jump ACCEPT

How to reproduce:

  1. create ipsets
# ipset create ipset_src iphash
# ipset add ipset_src 127.0.0.1
# ipset create ipset_dst iphash
# ipset add ipset_dst 127.0.0.2
  2. remove existing firewall rules
# iptables-save > saved_iptables_rules
# iptables -F
# iptables -vnL
Chain INPUT (policy ACCEPT 105 packets, 16899 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 82 packets, 18020 bytes)
 pkts bytes target     prot opt in     out     source               destination
  3. configure an iptables rule matching source and destination against ipsets
# iptables -A FORWARD  -m set --match-set ipset_src src --match set --match-set ipset_dst dst --jump ACCEPT
# iptables -vnL
Chain INPUT (policy ACCEPT 66 packets, 9546 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
   0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ipset_src src match-set ipset_dst dst

Chain OUTPUT (policy ACCEPT 48 packets, 9101 bytes)
pkts bytes target     prot opt in     out     source               destination
  4. display iptables rules generated by ferm
# iptables-save | import-ferm | ferm --noexec --shell -
/sbin/iptables-restore <<EOT
# Generated by ferm 2.2 on Thu Apr 29 14:43:14 2021
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
COMMIT
*nat
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD --match set --match-set ipset_src src --match-set ipset_dst dst --jump ACCEPT
COMMIT
*raw
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
COMMIT
EOT
  5. verify against latest version of ferm
# iptables-save | import-ferm | ferm_latest --noexec --shell -
/usr/sbin/iptables-restore <<EOT
# Generated by ferm 2.7~git (iptables-save) on Thu Apr 29 14:43:34 2021
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD --match set --match-set ipset_src src --match-set ipset_dst dst --jump ACCEPT
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
COMMIT
*nat
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
COMMIT
*raw
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
COMMIT
EOT
@kBite kBite changed the title Missing -m set option when matching source _and_ destination against ipsets Missing -m set option when matching source and destination against ipsets Apr 29, 2021

markkrj commented Jul 26, 2022

This is because ferm keeps only one match module in output, even if specified multiple times in config, and ipset (set modules) doesn't allow multiple --match-set for a single -m set...

@markkrj markkrj linked a pull request Jul 26, 2022 that will close this issue
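As an added check (example code, not ferm's own and not from this issue), a small Python lint over an iptables-save dump that flags the defect reproduced in step 4 and explained in the comment above: any --match-set that has no -m set / --match set of its own in front of it. SAMPLE_RULES is a constructed excerpt containing the rule from this issue next to its correct form.

```python
# Constructed iptables-save excerpt: line 3 is the rule ferm emitted in this
# issue (second "--match set" dropped), line 4 is the correct form.
SAMPLE_RULES = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD --match set --match-set ipset_src src --match-set ipset_dst dst --jump ACCEPT
-A FORWARD --match set --match-set ipset_src src --match set --match-set ipset_dst dst --jump ACCEPT
COMMIT
"""

def unmatched_match_sets(rule):
    """Return (set, flags) for every --match-set in `rule` with no -m set /
    --match set of its own in front of it.  Each `-m set` loads one xt_set
    instance that takes a single --match-set, so iptables-restore rejects a
    second --match-set and the whole ruleset fails to apply."""
    tokens = rule.split()
    pending = 0       # module loads not yet consumed by a --match-set
    missing = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-m", "--match") and tokens[i + 1:i + 2] == ["set"]:
            pending += 1
            i += 2
            continue
        if tok == "--match-set":      # two args follow: set name, src/dst flags
            name, flags = (tokens[i + 1:i + 3] + ["?", "?"])[:2]
            if pending:
                pending -= 1
            else:
                missing.append((name, flags))
            i += 3
            continue
        i += 1
    return missing

def lint_iptables_save(text):
    """Return (line_no, rule, missing) for each rule line of an iptables-save
    dump in which a --match-set lacks its preceding module load."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.startswith(("-A ", "-I ")):   # skip tables, policies, COMMIT
            missing = unmatched_match_sets(line)
            if missing:
                findings.append((line_no, line, missing))
    return findings

if __name__ == "__main__":
    for line_no, rule, missing in lint_iptables_save(SAMPLE_RULES):
        print(f"line {line_no}: {missing} lack a preceding -m set\n    {rule}")
```

Feed it the output of `ferm --noexec --shell` or `iptables-save` to catch a dropped module load before `iptables-restore` rejects the ruleset.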