From 4bb942f1f9a227f36560de09edaa75976f3106e9 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 16 Oct 2016 13:26:44 -0700
Subject: [PATCH] Restrict hypen as range separator to use with integers

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/IPAddrs.pm | 2 +-
 docs/configuration_file_basics.xml | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/IPAddrs.pm b/Shorewall/Perl/Shorewall/IPAddrs.pm
index 2d1ae2603..b358848fe 100644
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -436,7 +436,7 @@ sub validate_portpair( $$ ) {
 # # Accept '-' as a port-range separator #
- $pair =~ tr/-/:/;
+ $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;
 fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml
index fb4ffb6bd..c44954264 100644
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -2621,7 +2621,8 @@ DNAT net loc:192.168.1.3 tcp 4000:4100<
 "!4000:4100"). Beginning with Shorewall 5.0.14, a hyphen ("-") may also be used to
- separate the two port numbers.
+ separate the two port numbers; when using service names, the colon must
+ still be used.
 #ACTION SOURCE DESTINATION PROTO DPORT DNAT net loc:192.168.1.3 tcp 4000-4100
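Review bot: The guard `/^[-0-9]+$/` on the new `tr/-/:/` line in validate_portpair is wider than "two integers joined by a hyphen": it also matches a lone `-`, a value with a leading or trailing hyphen, and, because `$` tolerates a trailing newline, a value ending in `\n`. Values with several hyphens are rejected by the following `tr/:/:/ > 1` check, but how `-80` or `80-` end up being interpreted depends on code after the hunk, which is not visible here. If open-ended hyphen ranges are not meant to be accepted, `$pair =~ tr/-/:/ if $pair =~ /\A[0-9]+-[0-9]+\z/;` states the intent exactly and leaves everything else to the existing validation. The comment above the line still describes the old unconditional behaviour and could become `# Accept '-' as a port-range separator, but only between integers` with a short reason (presumably that service names can themselves contain a hyphen). The body of validate_portpair starts and continues outside the hunk.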