From b5906812a2c1a96f41766b0de000ab27d9cba2de Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 14 Oct 2016 10:10:03 -0700
Subject: [PATCH] Accept '-' as the separator in a port range.

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/IPAddrs.pm | 15 ++++++++++-----
 docs/configuration_file_basics.xml  | 10 ++++++++--
 2 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/IPAddrs.pm b/Shorewall/Perl/Shorewall/IPAddrs.pm
index c9d6abb1b..2d1ae2603 100644
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -432,13 +432,18 @@ sub validate_port( $$ ) {
 sub validate_portpair( $$ ) {
     my ($proto, $portpair) = @_;
     my $what;
+    my $pair = $portpair;
+    #
+    # Accept '-' as a port-range separator
+    #
+    $pair =~ tr/-/:/;
 
-    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/:/:/ > 1;
+    fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
 
-    $portpair = "0$portpair" if substr( $portpair, 0, 1 ) eq ':';
-    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
+    $pair = "0$pair" if substr( $pair, 0, 1 ) eq ':';
+    $pair = "${pair}65535" if substr( $pair, -1, 1 ) eq ':';
 
-    my @ports = split /:/, $portpair, 2;
+    my @ports = split /:/, $pair, 2;
 
     my $protonum = resolve_proto( $proto ) || 0;
 
@@ -497,7 +502,7 @@ sub validate_port_list( $$ ) {
     my ( $proto, $list ) = @_;
     my @list = split_list( $list, 'port' );
 
-    if ( @list > 1 && $list =~ /:/ ) {
+    if ( @list > 1 && $list =~ /[:-]/ ) {
         require_capability( 'XMULTIPORT' , 'Port ranges in a port list', '' );
     }
 
diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml
index 8c84a48aa..fb4ffb6bd 100644
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
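Review bot: The unconditional `$pair =~ tr/-/:/;` added in validate_portpair also rewrites hyphens inside service names, so a port given by name such as `netbios-ns` becomes `netbios:ns` and is split into a two-endpoint range; if validate_port (its body is outside this hunk) resolves names from /etc/services, a previously valid single-port entry now either fails or resolves as two unrelated names, and validate_portpair's body continues past the hunk so later consequences are not visible here. Limiting the translation to numeric endpoints keeps the new syntax without the ambiguity: `$pair =~ s/\A(\d*)-(\d*)\z/$1:$2/;` in place of the `tr`. The `$list =~ /[:-]/` test in the validate_port_list hunk has the same weakness, demanding XMULTIPORT for a list of hyphenated names that contains no range at all; `$list =~ /:|\d-\d/` is tighter. A short comment above the substitution, e.g. `# Only digit-digit is a range; hyphens inside service names are left alone`, would record why a plain character translation was not used.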
@@ -2619,6 +2619,12 @@ DNAT net loc:192.168.1.3 tcp 4000:4100< Also, unless otherwise documented, a port range can be preceded by '!' to specify "All ports except those in this range" (e.g., "!4000:4100"). + + Beginning with Shorewall 5.0.14, a hyphen ("-") may also be used to + separate the two port numbers. + + #ACTION SOURCE DESTINATION PROTO DPORT +DNAT net loc:192.168.1.3 tcp 4000-4100
@@ -2969,8 +2975,8 @@ redirect => 137 then again for another hour from 23:00 onwards. If this is unwanted, e.g. if you would like 'match for two hours from Montay 23:00 onwards' you need to also specify the contiguous option in the example above. - + role="bold">contiguous option in the example + above.