From 04b93af30bbbe37cd32ccbb6bfc039adfea7b0b7 Mon Sep 17 00:00:00 2001
From: teastep
Date: Fri, 4 Mar 2005 21:13:38 +0000
Subject: [PATCH] Add support for port ranges in port lists
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1980 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall2/firewall | 79 ++++++++++++++++++++++++++++++++++---
 Shorewall2/releasenotes.txt | 6 +++
 2 files changed, 80 insertions(+), 5 deletions(-)
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index b446c1fbc..a20c4d9f7 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -3152,7 +3152,27 @@ process_action() # $1 = chain (Chain to add the rules to)
 [ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all}
- if [ -n "$MULTIPORT" ] && \
+ if [ -n "$XMULTIPORT" ] && \
+ ! list_search $protocol "icmp" "ICMP" "1" && \
+ [ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
+ $(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
+ then
+ #
+ # Extended MULTIPORT is enabled, and less than
+ # 16 ports are listed (port ranges count as two ports) - use multiport match.
+ #
+ multioption="-m multiport"
+ for client in $(separate_list ${clients:=-}); do
+ for server in $(separate_list ${servers:=-}); do
+ #
+ # add_an_action() modifies these so we must set their values each time
+ #
+ port=${ports:=-}
+ cport=${cports:=-}
+ add_an_action
+ done
+ done
+ elif [ -n "$MULTIPORT" ] && \
 ! list_search $protocol "icmp" "ICMP" "1" && \
 [ "$ports" = "${ports%:*}" -a \
 "$cports" = "${cports%:*}" -a \
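Review bot: The `-le 16` threshold on the new `[ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a ...` line reads as off by one against the comment beside it ("less than 16 ports") and against the 15-port limit the release notes state; it only lines up if `list_count1 $(split $ports)` returns the number of colon-separated fields, i.e. 1 plus the number of ranges, which this hunk does not show. Whichever it is, the arithmetic deserves a comment such as `# entries + 1 + ranges <= 16, i.e. at most 15 multiport slots; confirm against split()/list_count1()` so the next reader need not re-derive it. The identical condition is then repeated in both process_rule hunks and, in a one-list form, in setup_masq (whose companion message says "More than 15 entries"), so a small helper would keep the four copies from drifting. process_action's body starts and ends outside the hunk.
```shell
# True when both port lists fit into one multiport match: one slot per entry
# plus one per range (a range costs two slots).  Presumes split() yields the
# colon-separated fields, so list_count1 of it is 1 + ranges -- confirm.
multiport_fits() # $1 = port list, $2 = client port list
{
    [ $(( $(list_count $1) + $(list_count1 $(split $1 ) ) )) -le 16 -a \
      $(( $(list_count $2) + $(list_count1 $(split $2 ) ) )) -le 16 ]
}

# … unchanged: process_action() up to the protocol normalization …
    if [ -n "$XMULTIPORT" ] && \
       ! list_search $protocol "icmp" "ICMP" "1" && \
       multiport_fits "$ports" "$cports"
    then
    # … unchanged: multioption assignment and the client/server loops …
```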
@@ -4326,7 +4346,26 @@ process_rule() # $1 = target
 case $logtarget in
 DNAT*)
- if [ -n "$MULTIPORT" ] && \
+ if [ -n "$XMULTIPORT" ] && \
+ ! list_search $protocol "icmp" "ICMP" "1" && \
+ [ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
+ $(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
+ then
+ #
+ # Extended MULTIPORT is enabled, and less than
+ # 16 ports are listed (port ranges count as two ports) - use multiport match.
+ #
+ multioption="-m multiport"
+ for client in $(separate_list ${clients:=-}); do
+ #
+ # add_a_rule() modifies these so we must set their values each time
+ #
+ server=${servers:=-}
+ port=${ports:=-}
+ cport=${cports:=-}
+ add_a_rule
+ done
+ elif [ -n "$MULTIPORT" ] && \
 ! list_search $protocol "icmp" "ICMP" "1" && \
 [ "$ports" = "${ports%:*}" -a \
 "$cports" = "${cports%:*}" -a \
@@ -4364,7 +4403,27 @@ process_rule() # $1 = target
 ;;
 *)
- if [ -n "$MULTIPORT" ] && \
+ if [ -n "$XMULTIPORT" ] && \
+ ! list_search $protocol "icmp" "ICMP" "1" && \
+ [ $(( $(list_count $ports) + $(list_count1 $(split $ports ) ) )) -le 16 -a \
+ $(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
+ then
+ #
+ # Extended MULTIPORT is enabled, and less than
+ # 16 ports are listed (port ranges count as two ports) - use multiport match.
+ #
+ multioption="-m multiport"
+ for client in $(separate_list ${clients:=-}); do
+ for server in $(separate_list ${servers:=-}); do
+ #
+ # add_a_rule() modifies these so we must set their values each time
+ #
+ port=${ports:=-}
+ cport=${cports:=-}
+ add_a_rule
+ done
+ done
+ elif [ -n "$MULTIPORT" ] && \
 ! list_search $protocol "icmp" "ICMP" "1" && \
 [ "$ports" = "${ports%:*}" -a \
 "$cports" = "${cports%:*}" -a \
@@ -5049,7 +5108,15 @@ setup_masq()
 if [ $listcount -gt 1 ]; then
 case $ports in
 *:*)
- fatal_error "Port Range not allowed in list ($ports)"
+ if [ -n "$XMULTIPORT" ]; then
+ if [ $(($listcount + $(list_count1 $(split $ports) ) )) -le 16 ]; then
+ ports="-m multiport --dports $ports"
+ else
+ fatal_error "More than 15 entries in port list ($ports)"
+ fi
+ else
+ fatal_error "Port Range not allowed in list ($ports)"
+ fi
 ;;
 *)
 if [ -n "$MULTIPORT" ]; then
@@ -5504,6 +5571,7 @@ determine_capabilities() {
 CONNTRACK_MATCH=
 MULTIPORT=
+ XMULTIPORT=
 POLICY_MATCH=
 PHYSDEV_MATCH=
 IPRANGE_MATCH=
@@ -5511,6 +5579,7 @@ determine_capabilities() {
 qt $IPTABLES -N fooX1234
 qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
 qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
+ qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
 qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
 qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
 qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
@@ -5537,7 +5606,7 @@ report_capabilities() {
 echo "Shorewall has detected the following iptables/netfilter capabilities:"
 report_capability $NAT_ENABLED "NAT"
 report_capability $MANGLE_ENABLED "Packet Mangling"
- report_capability $MULTIPORT "Multi-port Match"
+ [ -n "$XMULTIPORT" ] && report_capability $XMULTIPORT "Extended Multi-port Match" || report_capability $MULTIPORT "Multi-port Match"
 report_capability $CONNTRACK_MATCH "Connection Tracking Match"
 report_capability $PKTTYPE "Packet Type Match"
 report_capability $POLICY_MATCH "Policy Match"
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 3e444c528..ac78d0459 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
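Review bot: The replacement line in the report_capabilities hunk is written as `a && b || c`, so if `report_capability` ever returns non-zero in the extended branch the fallback runs as well and both lines are printed; an explicit `if [ -n "$XMULTIPORT" ]; then report_capability $XMULTIPORT "Extended Multi-port Match"; else report_capability $MULTIPORT "Multi-port Match"; fi` states the intended either/or. The line also drops the plain "Multi-port Match" entry from the report whenever the extended probe succeeds, which anyone parsing that output should be told about; if that is deliberate, a short comment above the line would record it. report_capabilities continues outside the hunk on both sides.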
@@ -23,6 +23,12 @@ New Features in version 2.2.2
 3) The output from 'arp -na' has been added to the 'shorewall status' display.
+4) The 2.6.11 Linux kernel and iptables 1.3.0 now allow port ranges
+ to appear in port lists. If Shorewall detects this capability, it
+ will allow port ranges to appear in port lists. Be cautioned that
+ each port range counts for TWO ports and a port list can still
+ specify a maximum of 15 ports.
+
 -----------------------------------------------------------------------
 Problems corrected in version 2.2.1