Add iprange support

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1609 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall2/action.template

@@ -65,6 +65,10 @@
 #
 #			155.186.235.0/24	Subnet 155.186.235.0/24
 #
+#			10.0.0.4-10.0.0.9	Range of IP addresses; your
+#						kernel and iptables must have
+#						iprange match support. 
+#
 #			192.168.1.1,192.168.1.2
 #						Hosts 192.168.1.1 and
 #						192.168.1.2.
@@ -81,10 +85,6 @@
 #	DEST		Location of Server. Same as above with the exception that
 #			MAC addresses are not allowed.
 #
-#			Unlike in the SOURCE column, you may specify a range of
-#			up to 256 IP addresses using the syntax
-#			<first ip>-<last ip>.
-#
 #	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number, or
 #			"all".
 #

Shorewall2/blacklist

@@ -7,7 +7,9 @@
 #
 # Columns are:
 #
-#	ADDRESS/SUBNET 	- Host address, subnetwork or MAC address
+#	ADDRESS/SUBNET 	- Host address, subnetwork, MAC address or IP address
+#			  range (if your kernel and iptables contain iprange
+#			  match support).
 #
 # 			  MAC addresses must be prefixed with "~" and use "-"
 #			  as a separator.

Shorewall2/bogons

@@ -14,7 +14,9 @@
 #
 # Columns are:
 #
-# 	SUBNET		The subnet (host addresses also allowed)
+# 	SUBNET		The subnet (host addresses also allowed as are IP
+#			address ranges provided that your kernel and iptables
+#			include iprange match support).
 #	TARGET		Where to send packets to/from this subnet
 #			RETURN	- let the packet be processed normally
 #			DROP	- silently drop the packet

Shorewall2/ecn

@@ -12,7 +12,9 @@
 #			  the firewall
 #	HOST(S)		- (Optional) Comma-separated list of IP/subnet
 #			  If left empty or supplied as "-",
-#			  0.0.0.0/0 is assumed.
+#			  0.0.0.0/0 is assumed. If your kernel and iptables
+#			  include iprange match support then IP address ranges
+#			  are also permitted.
 ##############################################################################
 #INTERFACE	HOST(S)
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall2/firewall

@@ -507,6 +507,36 @@ first_chains() #$1 = interface
    echo ${c}_fwd ${c}_in
 }
 
+#
+# Source IP range
+#
+source_ip_range() # $1 = Address or Address Range
+{
+    case $1 in
+	*.*.*.*-*.*.*.*)
+	    echo "-m iprange --src-range $1"
+	    ;;
+	*)
+	    echo "-s $1"
+	    ;;
+    esac
+}
+
+#
+# Destination IP range
+#
+dest_ip_range() # $1 = Address or Address Range
+{
+    case $1 in
+	*.*.*.*-*.*.*.*)
+	    echo "-m iprange --dst-range $1"
+	    ;;
+	*)
+	    echo "-d $1"
+	    ;;
+    esac
+}
+
 #
 # Horrible hack to work around an iptables bug
 #
@@ -529,17 +559,17 @@ match_source_hosts()
     if [ -n "$BRIDGING" ]; then
 	case $1 in
 	    *:*)
-		physdev_echo "--physdev-in ${1%:*} -s ${1#*:}"
+		physdev_echo "--physdev-in ${1%:*} $(source_ip_range ${1#*:})"
 		;;
 	    *.*.*.*)
-		echo -s $1
+		echo $(source_ip_range $1)
 		;;
 	    *)
 		physdev_echo "--physdev-in $1"
 		;;
 	esac
     else
-	echo -s $1
+	echo $(source_ip_range $1)
     fi
 }
 
@@ -548,17 +578,17 @@ match_dest_hosts()
     if [ -n "$BRIDGING" ]; then
 	case $1 in
 	    *:*)
-		physdev_echo "--physdev-out ${1%:*} -d ${1#*:}"
+		physdev_echo "--physdev-out ${1%:*} $(dest_ip_range ${1#*:})"
 		;;
 	    *.*.*.*)
-		echo -d $1
+		echo $(dest_ip_range $1)
 		;;
 	    *)
 		physdev_echo "--physdev-out $1"
 		;;
 	esac
     else
-	echo -d $1
+	echo $(dest_ip_range $1)
     fi
 }
 
@@ -638,6 +668,15 @@ match_ipsec_out() # $1 = zone, $2 = host
     fi
 }
 
+#
+# Jacket for ip_range() that takes care of iprange match
+#
+
+firewall_ip_range() # $1 = IP address or range
+{
+    [ -n "$IPRANGE_MATCH" ] && echo $1 || ip_range $1
+}
+
 #
 #
 # Find hosts in a given zone
@@ -1352,7 +1391,7 @@ stop_firewall() {
 			else
 			    routeback=Yes
 			    for h in $(separate_list $host); do
-				iptables -A FORWARD -i $interface -s $h -o $interface -d $h -j ACCEPT
+				iptables -A FORWARD -i $interface -s $h -o $interface $(dest_ip_range $h) -j ACCEPT
 			    done
 			fi
 			;;
@@ -1370,10 +1409,10 @@ stop_firewall() {
 	networks=${host#*:}
 	iptables -A INPUT  -i $interface -s $networks -j ACCEPT
 	[ -z "$ADMINISABSENTMINDED" ] && \
-	    iptables -A OUTPUT -o $interface -d $networks -j ACCEPT
+	    iptables -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
 
 	for host1 in $hosts; do
-	    [ "$host" != "$host1" ] && iptables -A FORWARD -i $interface -s $networks -o ${host1%:*} -d ${host1#*:} -j ACCEPT
+	    [ "$host" != "$host1" ] && iptables -A FORWARD -i $interface -s $networks -o ${host1%:*} $(dest_ip_range ${host1#*:}) -j ACCEPT
 	done
     done
 
@@ -1472,11 +1511,11 @@ setup_tunnels() # $1 = name of tunnels file
 	[ $kind = IPSEC ] && kind=ipsec
 
 	options="-m state --state NEW -j ACCEPT"
-	addrule $inchain	  -p 50	 -s $1 -j ACCEPT
+	addrule $inchain	  -p 50	 $(source_ip_range $1) -j ACCEPT
-	addrule $outchain	  -p 50	 -d $1 -j ACCEPT
+	addrule $outchain	  -p 50	 $(dest_ip_range $1)   -j ACCEPT
 	if [ -z "$noah" ]; then
-	    run_iptables -A $inchain  -p 51	 -s $1 -j ACCEPT
+	    run_iptables -A $inchain  -p 51 $(source_ip_range $1) -j ACCEPT
-	    run_iptables -A $outchain -p 51	 -d $1 -j ACCEPT
+	    run_iptables -A $outchain -p 51 $(dest_ip_range $1)   -j ACCEPT
 	fi
 
 	run_iptables -A $outchain -p udp -d $1 --dport 500 $options
@@ -1507,17 +1546,17 @@ setup_tunnels() # $1 = name of tunnels file
 
     setup_one_other() # $1 = TYPE, $2 = gateway, $3 = protocol
     {
-	addrule $inchain  -p $3 -s $2 -j ACCEPT
+	addrule $inchain  -p $3 $(source_ip_range $2) -j ACCEPT
-	addrule $outchain -p $3 -d $2 -j ACCEPT
+	addrule $outchain -p $3 $(dest_ip_range $2) -j ACCEPT
 
 	progress_message "   $1 tunnel to $2 defined."
     }
 
     setup_pptp_client() # $1 = gateway
     {
-	addrule $outchain -p 47               -d $1 -j ACCEPT
+	addrule $outchain -p 47               $(dest_ip_range $1) -j ACCEPT
-	addrule $inchain  -p 47               -j ACCEPT
+	addrule $inchain  -p 47                                   -j ACCEPT
-	addrule $outchain -p tcp --dport 1723 -d $1 -j ACCEPT
+	addrule $outchain -p tcp --dport 1723 $(dest_ip_range $1) -j ACCEPT
 
 	progress_message "   PPTP tunnel to $1 defined."
     }
@@ -1542,8 +1581,8 @@ setup_tunnels() # $1 = name of tunnels file
 		;;
 	esac
 
-	addrule $inchain  -p udp -s $1 --sport $p --dport $p -j ACCEPT
+	addrule $inchain  -p udp $(source_ip_range $1) --sport $p --dport $p -j ACCEPT
-	addrule $outchain -p udp -d $1 --sport $p --dport $p -j ACCEPT
+	addrule $outchain -p udp $(dest_ip_range $1)   --sport $p --dport $p -j ACCEPT
 
 	progress_message "   OPENVPN tunnel to $1:$p defined."
     }
@@ -1570,8 +1609,8 @@ setup_tunnels() # $1 = name of tunnels file
 
 	p=${p:+--dport $p}
 
-	addrule $inchain  -p $protocol -s $1 $p -j ACCEPT
+	addrule $inchain  -p $protocol $(source_ip_range $1) $p -j ACCEPT
-	addrule $outchain -p $protocol -d $1 $p -j ACCEPT
+	addrule $outchain -p $protocol $(dest_ip_range $1)   $p -j ACCEPT
 
 	for z in $(separate_list $3); do
 	    if validate_zone $z; then
@@ -2129,7 +2168,7 @@ setup_ecn() # $1 = file name
 	for host in $hosts; do
 	    interface=${host%:*}
 	    h=${host#*:}
-	    run_iptables -t mangle -A $(ecn_chain $interface) -p tcp -d $h -j ECN --ecn-tcp-remove
+	    run_iptables -t mangle -A $(ecn_chain $interface) -p tcp $(dest_ip_range $h) -j ECN --ecn-tcp-remove
 	    progress_message "   ECN Disabled to $h through $interface"
 	done
     fi
@@ -2184,7 +2223,7 @@ process_tc_rule()
 	    esac
 	fi
 
-	[ "x$dest"   = "x-"  ] || r="${r}-d $dest "
+	[ "x$dest"   = "x-"  ] || r="${r}$(dest_ip_range $dest) "
 	[ "x$proto"  = "x-"  ] && proto=all
 	[ "x$proto"  = "x"   ] && proto=all
 	[ "$proto"   = "all" ] || r="${r}-p $proto "
@@ -2374,10 +2413,10 @@ process_accounting_rule() {
     [ -n "$dest" ] && case $dest in
 	*:*)
 	    accounting_interface_verify ${dest%:*}
-	    rule="$rule -d ${dest#*:} $(match_dest_dev ${dest%:*})"
+	    rule="$rule $(dest_ip_range ${dest#*:}) $(match_dest_dev ${dest%:*})"
 	    ;;
 	*.*.*.*)
-	    rule="$rule -d $dest"
+	    rule="$rule $(dest_ip_range $dest)"
 	    ;;
 	-|all|any)
 	    ;;
@@ -2741,14 +2780,14 @@ add_an_action()
     if [ $COMMAND != check ]; then
        if [ -n "${serv}" ]; then
 	    for serv1 in $(separate_list $serv); do
-		for srv in $(ip_range $serv1); do
+		for srv in $(firewall_ip_range $serv1); do
 		    if [ -n "$loglevel" ]; then
 			log_rule_limit $loglevel $chain $action $logtarget "$ratelimit" "$logtag" $userandgroup \
-			    $(fix_bang $proto $sports $multiport $cli -d $srv $dports)
+			    $(fix_bang $proto $sports $multiport $cli $(source_ip_range $srv) $dports)
 		    fi
 		    
 		    run_iptables2 -A $chain $proto $multiport $cli $sports \
-			-d $srv $dports $ratelimit $userandgroup -j $target
+			$(dest_ip_range $srv) $dports $ratelimit $userandgroup -j $target
 		done
 	    done
 	else
@@ -3476,11 +3515,11 @@ add_nat_rule() {
 		createnatchain $chain
 
 		for adr in $(separate_list $addr); do
-		    run_iptables2 -t nat -A OUTPUT $cli $proto $userandgroup $multiport $sports $dports -d $adr -j $chain
+		    run_iptables2 -t nat -A OUTPUT $cli $proto $userandgroup $multiport $sports $dports $(dest_ip_range $adr) -j $chain
 		done
 
 		for adr in $excludedests; do
-		    addnatrule $chain -d $adr -j RETURN
+		    addnatrule $chain $(dest_ip_range $adr) -j RETURN
 		done
 
 		if [ -n "$loglevel" ]; then
@@ -3492,10 +3531,10 @@ add_nat_rule() {
 		for adr in $(separate_list $addr); do
 		    if [ -n "$loglevel" ]; then
 			log_rule_limit $loglevel OUTPUT OUTPUT $logtarget "$ratelimit" "$logtag" -t nat \
-			    $(fix_bang $proto $cli $sports $userandgroup -d $adr $multiport $dports)
+			    $(fix_bang $proto $cli $sports $userandgroup $(dest_ip_range $adr) $multiport $dports)
 		    fi
 
-		    run_iptables2 -t nat -A OUTPUT $ratelimit $proto $sports $userandgroup -d $adr $multiport $dports -j $target1
+		    run_iptables2 -t nat -A OUTPUT $ratelimit $proto $sports $userandgroup $(dest_ip_range $adr) $multiport $dports -j $target1
 		done
 	    fi
 	else
@@ -3507,7 +3546,7 @@ add_nat_rule() {
 		createnatchain $chain
 
 		for adr in $(separate_list $addr); do
-		    addnatrule $(dnat_chain $source) $cli $proto $multiport $sports $dports -d $adr -j $chain
+		    addnatrule $(dnat_chain $source) $cli $proto $multiport $sports $dports $(dest_ip_range $adr) -j $chain
 		done
 
 		for z in $(separate_list $excludezones); do
@@ -3518,7 +3557,7 @@ add_nat_rule() {
 		done
 
 		for adr in $excludedests; do
-		    addnatrule $chain -d $adr -j RETURN
+		    addnatrule $chain $(dest_ip_range $adr) -j RETURN
 		done
 
 		if [ -n "$loglevel" ]; then
@@ -3531,7 +3570,7 @@ add_nat_rule() {
 		    if [ -n "$loglevel" ]; then
 			ensurenatchain $chain
 			log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -t nat \
-			    $(fix_bang $proto $cli $sports -d $adr $multiport $dports)
+			    $(fix_bang $proto $cli $sports $(dest_ip_range $adr) $multiport $dports)
 		    fi
 		    
 		    addnatrule $chain $proto $ratelimit $cli $sports \
@@ -3618,10 +3657,10 @@ add_a_rule()
 	;;
     *:*)
 	rule_interface_verify ${client%:*}
-	cli="$(match_source_dev ${client%:*}) -s ${client#*:}"
+	cli="$(match_source_dev ${client%:*}) $(source_ip_range ${client#*:})"
 	;;
     *.*.*)
-	cli="-s $client"
+	cli="$(source_ip_range $client)"
 	;;
     ~*)
 	cli=$(mac_match $client)
@@ -3734,30 +3773,30 @@ add_a_rule()
 	    if [ -z "$dnat_only" ]; then
 		if [ -n "$serv" ]; then
 		    for serv1 in $(separate_list $serv); do
-			for srv in $(ip_range $serv1); do
+			for srv in $(firewall_ip_range $serv1); do
 			    if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
 				for adr in $(separate_list $addr); do
 				    if [ -n "$loglevel" -a -z "$natrule" ]; then
 					log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" -m conntrack --ctorigdst $adr \
-					    $userandgroup $(fix_bang $proto $sports $multiport $cli -d $srv $dports)
+					    $userandgroup $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
 				    fi
 
 				    run_iptables2 -A $chain $proto $ratelimit $multiport $cli $sports \
-					-d $srv $dports -m conntrack --ctorigdst $adr $userandgroup -j $target
+					$(dest_ip_range $srv) $dports -m conntrack --ctorigdst $adr $userandgroup -j $target
 				done
 			    else
 				if [ -n "$loglevel" -a -z "$natrule" ]; then
 				    log_rule_limit $loglevel $chain $chain $logtarget "$ratelimit" "$logtag" $userandgroup \
-					$(fix_bang $proto $sports $multiport $cli -d $srv $dports)
+					$(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
 				fi
 				
 				[ -n "$nonat" ] && \
 				    addnatrule $(dnat_chain $source) $proto $multiport \
-				        $cli $sports -d $srv $dports $ratelimit $userandgroup -j RETURN
+				        $cli $sports $(dest_ip_range $srv) $dports $ratelimit $userandgroup -j RETURN
 
 				[ "$logtarget" != NONAT ] && \
 				    run_iptables2 -A $chain $proto $multiport $cli $sports \
-					-d $srv $dports $ratelimit $userandgroup -j $target
+					$(dest_ip_range $srv) $dports $ratelimit $userandgroup -j $target
 			    fi
 			done
 		    done
@@ -4043,29 +4082,25 @@ process_rule() # $1 = target
 	        # 16 ports are listed - use multiport match.
 	        #
 		multioption="-m multiport"
-		for clientrange in $(separate_list ${clients:=-}); do
+		for client in $(separate_list ${clients:=-}); do
-		    for client in $(ip_range $clientrange); do
+		    #
-		        #
+		    # add_a_rule() modifies these so we must set their values each time
-		        # add_a_rule() modifies these so we must set their values each time
+		    #
-		        #
+		    server=${servers:=-}
-			server=${servers:=-}
+		    port=${ports:=-}
-			port=${ports:=-}
+		    cport=${cports:=-}
-			cport=${cports:=-}
+		    add_a_rule
-			add_a_rule
-		    done
 		done
 	    else
 	        #
 	        # MULTIPORT is disabled or the rule isn't compatible with multiport match
 	        #
 		multioption=
-		for clientrange in $(separate_list ${clients:=-}); do
+		for client in $(separate_list ${clients:=-}); do
-		    for client in $(ip_range $clientrange); do
+		    for port in $(separate_list ${ports:=-}); do
-			for port in $(separate_list ${ports:=-}); do
+			for cport in $(separate_list ${cports:=-}); do
-			    for cport in $(separate_list ${cports:=-}); do
+			    server=${servers:=-}
-				server=${servers:=-}
+			    add_a_rule
-				add_a_rule
-			    done
 			done
 		    done
 		done
@@ -4085,16 +4120,14 @@ process_rule() # $1 = target
 	        # 16 ports are listed - use multiport match.
 	        #
 		multioption="-m multiport"
-		for clientrange in $(separate_list ${clients:=-}); do
+		for client in $(separate_list ${clients:=-}); do
-		    for client in $(ip_range $clientrange); do
+		    for server in $(separate_list ${servers:=-}); do
-			for server in $(separate_list ${servers:=-}); do
+		        #
-		            #
+		        # add_a_rule() modifies these so we must set their values each time
-		            # add_a_rule() modifies these so we must set their values each time
+		        #
-		            #
+			port=${ports:=-}
-			    port=${ports:=-}
+			cport=${cports:=-}
-			    cport=${cports:=-}
+			add_a_rule
-			    add_a_rule
-			done
 		    done
 		done
 	    else
@@ -4102,13 +4135,11 @@ process_rule() # $1 = target
 	        # MULTIPORT is disabled or the rule isn't compatible with multiport match
 	        #
 		multioption=
-		for clientrange in $(separate_list ${clients:=-}); do
+		for client in $(separate_list ${clients:=-}); do
-		    for client in $(ip_range $clientrange); do
+		    for server in $(separate_list ${servers:=-}); do
-			for server in $(separate_list ${servers:=-}); do
+			for port in $(separate_list ${ports:=-}); do
-			    for port in $(separate_list ${ports:=-}); do
+			    for cport in $(separate_list ${cports:=-}); do
-				for cport in $(separate_list ${cports:=-}); do
+				add_a_rule
-				    add_a_rule
-				done
 			    done
 			done
 		    done
@@ -4238,7 +4269,7 @@ process_tos_rule() {
 	    #
 	    # IP Address or networks
 	    #
-	    src="-s $src"
+	    src="$(source_ip_range $src)"
 	    ;;
 	~*)
 	    src=$(mac_match $src)
@@ -4335,7 +4366,7 @@ process_tos_rule() {
     esac
 
     for dest in $dst; do
-	dest="-d $dest"
+	dest="$(dest_ip_range $dest)"
 
 	case $srczone in
 	$FW)
@@ -4797,12 +4828,12 @@ setup_masq()
 		destnets=${destnets#!}
 
 		for destnet in $(separate_list $destnets); do
-		    addnatrule $newchain -d $destnet -j RETURN
+		    addnatrule $newchain $(dest_ip_range $destnet) -j RETURN
 		done
 
 		if [ -n "$networks" ]; then
 		    for s in $networks; do
-			addnatrule $chain -s $s $proto $ports $policy -j $newchain
+			addnatrule $chain $(source_ip_range $s) $proto $ports $policy -j $newchain
 		    done
 		    networks=
 		else
@@ -4818,7 +4849,7 @@ setup_masq()
 
 		if [ -n "$nomasq" ]; then
 		    for addr in $(separate_list $nomasq); do
-			addnatrule $chain -s $addr -j RETURN
+			addnatrule $chain $(source_ip_range $addr) -j RETURN
 		    done
 		    source="$source except $nomasq"
 		fi
@@ -4831,12 +4862,12 @@ setup_masq()
 		    if [ -n "$networks" ]; then
 			for s in $networks; do
 			    for destnet in $(separate_list $destnets); do
-				addnatrule $chain -d $destnet -s $s $proto $ports -j $newchain
+				addnatrule $chain $(dest_ip_range $destnet) $(source_ip_range $s) $proto $ports -j $newchain
 			    done
 			done
 		    else
 			for destnet in $(separate_list $destnets); do
-			    addnatrule $chain -d $destnet $proto $ports $policy -j $newchain
+			    addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $newchain
 			done
 		    fi
 
@@ -4849,7 +4880,7 @@ setup_masq()
 		    policy=
 
 		    for addr in $(separate_list $nomasq); do
-			addnatrule $chain -s $addr -j RETURN
+			addnatrule $chain $(source_ip_range $addr) -j RETURN
 		    done
 
 		    source="$source except $nomasq"
@@ -4877,7 +4908,7 @@ setup_masq()
 	if [ -n "$networks" ]; then
 	    for network in $networks; do
 		for destnet in $(separate_list $destnets); do
-		    addnatrule $chain -s $network -d $destnet $proto $ports $policy -j $target $addrlist
+		    addnatrule $chain $(source_ip_range $network) $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist
 		done
 
 		if [ -n "$addresses" ]; then
@@ -4888,7 +4919,7 @@ setup_masq()
 	    done
 	else
 	    for destnet in $(separate_list $destnets); do
-		addnatrule $chain -d $destnet $proto $ports $policy -j $target $addrlist
+		addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist
 	    done
 	    
 	    if [ -n "$addresses" ]; then
@@ -4946,7 +4977,7 @@ process_blacklist_rec() {
 	    source="--match mac --mac-source $addr"
 	    ;;
 	*)
-	    source="-s $addr"
+	    source="$(source_ip_range $addr)"
 	    ;;
 	esac
 
@@ -5205,13 +5236,14 @@ determine_capabilities() {
     MULTIPORT=
     POLICY_MATCH=
     PHYSDEV_MATCH=
+    IPRANGE_MATCH=
 
     if qt iptables -N fooX1234 ; then
-	qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
+	qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT             && CONNTRACK_MATCH=Yes
-        qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT   && MULTIPORT=Yes
+        qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT               && MULTIPORT=Yes
-	qt iptables -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT       && POLICY_MATCH=Yes
+	qt iptables -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT                   && POLICY_MATCH=Yes
-	qt iptables -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT         && PHYSDEV_MATCH=Yes
+	qt iptables -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT                     && PHYSDEV_MATCH=Yes
-	
+	qt iptables -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
 
 	qt iptables -F fooX1234
 	qt iptables -X fooX1234
@@ -5245,6 +5277,7 @@ report_capabilities() {
     report_capability $PKTTYPE "Packet Type Match"
     report_capability $POLICY_MATCH "Policy Match"
     report_capability $PHYSDEV_MATCH "Physdev Match"
+    report_capability $IPRANGE_MATCH "IP range Match"
 }
 
 #
@@ -5395,7 +5428,7 @@ initialize_netfilter () {
 	    while read target ignore1 ignore2 address rest; do
 		case $target in
 		    DROP|reject)
-			run_iptables2 -A dynamic -s $address -j $target
+			run_iptables2 -A dynamic $(source_ip_range $address) -j $target
 			;;
 		    *)
 			;;
@@ -5434,7 +5467,7 @@ add_common_rules() {
     #
     for address in $broadcasts ; do
 	[ -n "$SMURF_LOG_LEVEL" ] && log_rule $SMURF_LOG_LEVEL smurfs DROP -s $address
-	run_iptables -A smurfs -s $address -j DROP
+	run_iptables -A smurfs $(source_ip_range $address) -j DROP
     done
     #
     # Reject Rules -- Don't respond to broadcasts with an ICMP
@@ -5577,7 +5610,7 @@ add_common_rules() {
 		    ;;
 	    esac
 
-	    run_iptables2 -A norfc1918 -s $networks -j $target
+	    run_iptables2 -A norfc1918 $(source_ip_range $networks) -j $target
 
 	    if [ -n "$CONNTRACK_MATCH" ]; then
 		#
@@ -5589,7 +5622,7 @@ add_common_rules() {
 		# No connection tracking match but we have mangling -- add a rule to
 		# the mangle table
 		#
-		run_iptables2 -t mangle -A man1918 -d $networks -j $target
+		run_iptables2 -t mangle -A man1918 $(dest_ip_range $networks) -j $target
 	    fi
 	done < $TMP_DIR/rfc1918
 
@@ -5638,7 +5671,7 @@ add_common_rules() {
 		    ;;
 	    esac
 
-	    run_iptables2 -A nobogons -s $networks -j $target
+	    run_iptables2 -A nobogons $(source_ip_range $networks) -j $target
 
 	done < $TMP_DIR/bogons
 
@@ -6354,7 +6387,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
     chain=${zone}_dnat
 
     if nat_chain_exists $chain; then
-	do_iptables -t nat -A $(dynamic_in $interface) -s $host $policyin -j $chain
+	do_iptables -t nat -A $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain
     fi
     #
     # Insert new rules into the filter table for the passed interface
@@ -6362,7 +6395,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
     while read z1 z2 chain; do
 	if [ "$z1" = "$zone" ]; then
 	    if [ "$z2" = "$FW" ]; then
-		do_iptables -A $(dynamic_in $interface) -s $host $policyin -j $chain
+		do_iptables -A $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain
 	    else
 		source_chain=$(dynamic_fwd $interface)
 		eval dest_hosts=\"\$${z2}_hosts\"
@@ -6372,7 +6405,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
 		    hosts=${h#*:}
 
 		    if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
-			do_iptables -A $source_chain -s $host -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
+			do_iptables -A $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
 		    fi
 		done
 	    fi
@@ -6381,7 +6414,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
 		#
 		# Add a rule to the dynamic out chain for the interface
 		#
-		do_iptables -A $(dynamic_out $interface) -d $host $policyout -j $chain
+		do_iptables -A $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain
 	    else
 		eval source_hosts=\"\$${z1}_hosts\"
 
@@ -6390,7 +6423,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
 		    hosts=${h#*:}
 
 		    if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
-			do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface -d $host $policyout -j $chain
+			do_iptables -A $(dynamic_fwd $iface) $rulenum $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain
 		    fi
 		done
 	    fi
@@ -6505,14 +6538,14 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
     #
     # Delete any nat table entries for the host(s)
     #
-    qt iptables -t nat -D $(dynamic_in $interface) -s $host $policyin -j ${zone}_dnat
+    qt iptables -t nat -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j ${zone}_dnat
     #
     # Delete rules rules the input chains for the passed interface
     #
     while read z1 z2 chain; do
 	if [ "$z1" = "$zone" ]; then
 	    if [ "$z2" = "$FW" ]; then
-		qt iptables -D $(dynamic_in $interface) -s $host $policyin -j $chain
+		qt iptables -D $(dynamic_in $interface) $(source_ip_range $host) $policyin -j $chain
 	    else
 		source_chain=$(dynamic_fwd $interface)
 		eval dest_hosts=\"\$${z2}_hosts\"
@@ -6522,13 +6555,13 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
 		    hosts=${h#*:}
 
 		    if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
-			qt iptables -D $source_chain -s $host -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
+			qt iptables -D $source_chain $(source_ip_range $host) -o $iface $(match_dest_hosts $hosts) $policyout -j $chain
 		    fi
 		done
 	    fi
 	elif [ "$z2" = "$zone" ]; then
 	    if [ "$z1" = "$FW" ]; then
-		qt iptables -D $(dynamic_out $interface) -d $host $policyout -j $chain
+		qt iptables -D $(dynamic_out $interface) $(dest_ip_range $host) $policyout -j $chain
 	    else
 		eval source_hosts=\"\$${z1}_hosts\"
 		
@@ -6537,7 +6570,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
 		    hosts=${h#*:}
 
 		    if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
-			qt iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface -d $host $policyout -j $chain
+			qt iptables -D $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(dest_ip_range $host) $policyout -j $chain
 		    fi
 		done
 	    fi

Shorewall2/help

@@ -46,7 +46,9 @@ add)
 address|host)
         echo "<$1>: 
     May be either a host IP address such as 192.168.1.4 or a network address in
-    CIDR format like 192.168.1.0/24"
+    CIDR format like 192.168.1.0/24. If your kernel and iptables contain iprange
+    match support then IP address ranges of the form <low address>-<high address>
+    are also permitted."
 	;;
 
 allow)

Shorewall2/hosts

@@ -28,12 +28,15 @@
 #			a) The IP address of a host
 #			b) A subnetwork in the form
 #			   <subnet-address>/<mask width>
-#			c) A physical port name; only allowed when the
+#			c) An IP address range of the form <low address>-<high
+#			   address>. Your kernel and iptables must have iprange
+#			   match support.
+#			d) A physical port name; only allowed when the
 #			   interface names a bridge created by the
 #			   brctl addbr command. This port must not
 #			   be defined in /etc/shorewall/interfaces and may
 #			   optionally followed by a colon (":") and a
-#			   host or network IP.
+#			   host or network IP or a range.
 #			   See http://www.shorewall.net/Bridge.html for details.
 #
 #		  Examples:
@@ -43,6 +46,7 @@
 #			eth3:192.168.2.0/24,192.168.3.1
 #			br0:eth4
 #			br0:eth0:192.168.1.16/28
+#			eth4:192.168.1.44-192.168.1.49
 #
 #	OPTIONS - A comma-separated list of options. Currently-defined
 #		  options are:

Shorewall2/maclist

@@ -15,7 +15,9 @@
 #
 #	IP ADDRESSES	Optional -- if specified, both the MAC and IP address
 #			must match. This column can contain a comma-separated
-#			list of host and/or subnet addresses.
+#			list of host and/or subnet addresses. If your kernel
+#			and iptables have iprange match support then IP 
+#			address ranges are also allowed.
 ##############################################################################
 #INTERFACE	        MAC			IP ADDRESSES (Optional)
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Shorewall2/releasenotes.txt

@@ -432,10 +432,8 @@ New Features:
 13) Shorewall now verifies that your kernel and iptables have physdev
     match support if BRIDGING=Yes in shorewall.conf.
 
-14) IP address ranges are now allowed in the SOURCE column of the
+14) Beginning with this release, if your kernel and iptables have
-    /etc/shorewall/rules file.
+    iprange match support (see the output from "shorewall check"), then
-    
+    with the exception of the /etc/shorewall/netmap file, anywhere that
-    Example:
+    a network address may appear an IP address range of the form <low
-
+    address>-<high address> may also appear.
-	ACCEPT	net:192.0.2.9-192.9.2.17	fw	tcp	25
-

Shorewall2/rfc1918

@@ -12,7 +12,9 @@
 #
 # Columns are:
 #
-# 	SUBNET		The subnet (host addresses also allowed)
+# 	SUBNET		The subnet (host addresses also allowed as are IP
+#			address ranges provided that your kernel and iptables
+#			have iprange match support).
 #	TARGET		Where to send packets to/from this subnet
 #			RETURN	- let the packet be processed normally
 #			DROP	- silently drop the packet

Shorewall2/routestopped

@@ -12,6 +12,10 @@
 #	INTERFACE	- Interface through which host(s) communicate with
 #			  the firewall
 #	HOST(S)		- (Optional) Comma-separated list of IP/subnet
+#			  addresses. If your kernel and iptables include
+#			  iprange match support, IP address ranges are also
+#			  allowed.
+#
 #			  If left empty or supplied as "-",
 #			  0.0.0.0/0 is assumed.
 #	OPTIONS         - (Optional) A comma-separated list of

Shorewall2/rules

@@ -119,7 +119,8 @@
 #			"-" as a separator.
 #
 #			Hosts may be specified as an IP address range using the
-#			syntax <low address>-<high address>.
+#			syntax <low address>-<high address>. This requires that
+#			your kernel and iptables contain iprange match support.
 #
 #			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
 #

Shorewall2/tcrules

@@ -27,7 +27,9 @@
 #
 #	SOURCE 		Source of the packet. A comma-separated list of
 #			interface names, IP addresses, MAC addresses
-#			and/or subnets. Use $FW if the packet originates on
+#			and/or subnets. If your kernel and iptables include
+#			iprange match support, IP address ranges are also
+#			allowed. Use $FW if the packet originates on
 #			the firewall in which case the MARK column may NOT
 #			specify either ":P" or ":F" (marking always occurs
 #			in the OUTPUT chain).
@@ -38,7 +40,9 @@
 #			Example: ~00-A0-C9-15-39-78
 #
 #	DEST		Destination of the packet. Comma separated list of
-#			IP addresses and/or subnets.
+#			IP addresses and/or subnets. If your kernel and 
+#			iptables include iprange match support, IP address
+#			ranges are also allowed.
 #
 #	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number,
 #			or "all".

Shorewall2/tunnels

@@ -34,7 +34,10 @@
 #
 #	GATEWAY	    --	The IP address of the remote tunnel gateway. If the
 #			remote getway has no fixed address (Road Warrior)
-#			then specify the gateway as 0.0.0.0/0.
+#			then specify the gateway as 0.0.0.0/0. May be 
+#			specified as a network address and if your kernel and
+#			iptables include iprange match support then IP address
+#			ranges are also allowed.
 #
 #	GATEWAY
 #	ZONES --	Optional. If the gateway system specified in the third