Add support for port ranges in port lists

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1980 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-03-04 21:13:38 +00:00 · 2005-03-04 21:13:38 +00:00 · 04b93af30b
commit 04b93af30b
parent c9c3a79b52
2 changed files with 80 additions and 5 deletions
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -3152,7 +3152,27 @@ process_action() # $1 = chain    (Chain to add the rules to)
    [ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all}
-    if [ -n "$MULTIPORT" ] && \
+    if [ -n "$XMULTIPORT" ] && \
 	! list_search $protocol "icmp" "ICMP" "1" && \
 	[ $(( $(list_count $ports)  + $(list_count1 $(split $ports ) ) ))  -le 16 -a \
 	  $(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ] 
 	then
 	#
 	# Extended MULTIPORT is enabled, and less than
 	# 16 ports are listed (port ranges count as two ports) - use multiport match.
 	#
 	multioption="-m multiport"
 	for client in $(separate_list ${clients:=-}); do
 	    for server in $(separate_list ${servers:=-}); do
 		#
 		# add_an_action() modifies these so we must set their values each time
 		#
 		port=${ports:=-}
 		cport=${cports:=-}
 		add_an_action
 	    done
 	done
    elif [ -n "$MULTIPORT" ] && \
 	! list_search $protocol "icmp" "ICMP" "1" && \
 	[ "$ports" = "${ports%:*}" -a \
 	"$cports" = "${cports%:*}" -a \
@ -4326,7 +4346,26 @@ process_rule() # $1 = target
    case $logtarget in
 	DNAT*)
-	    if [ -n "$MULTIPORT" ] && \
+	    if [ -n "$XMULTIPORT" ] && \
 	       ! list_search $protocol "icmp" "ICMP" "1" && \
 	       [ $(( $(list_count $ports)  + $(list_count1 $(split $ports ) ) ))  -le 16 -a \
 		 $(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16 ]
 		then
 	        #
 	        # Extended MULTIPORT is enabled, and less than
 	        # 16 ports are listed (port ranges count as two ports) - use multiport match.
 	        #
 		multioption="-m multiport"
 		for client in $(separate_list ${clients:=-}); do
 		    #
 		    # add_a_rule() modifies these so we must set their values each time
 		    #
 		    server=${servers:=-}
 		    port=${ports:=-}
 		    cport=${cports:=-}
 		    add_a_rule
 		done
 	    elif [ -n "$MULTIPORT" ] && \
 	       ! list_search $protocol "icmp" "ICMP" "1" && \
 	       [ "$ports" = "${ports%:*}" -a \
 		"$cports" = "${cports%:*}" -a \
@ -4364,7 +4403,27 @@ process_rule() # $1 = target
 	    ;;
 	*)
-	    if [ -n "$MULTIPORT" ] && \
+	    if [ -n "$XMULTIPORT" ] && \
 	       ! list_search $protocol "icmp" "ICMP" "1" && \
 	       [ $(( $(list_count $ports)  + $(list_count1 $(split $ports ) ) ))  -le 16 -a \
 		 $(( $(list_count $cports) + $(list_count1 $(split $cports ) ) )) -le 16  ]
 		then
 	        #
 	        # Extended MULTIPORT is enabled, and less than
 	        # 16 ports are listed (port ranges count as two ports) - use multiport match.
 	        #
 		multioption="-m multiport"
 		for client in $(separate_list ${clients:=-}); do
 		    for server in $(separate_list ${servers:=-}); do
 		        #
 		        # add_a_rule() modifies these so we must set their values each time
 		        #
 			port=${ports:=-}
 			cport=${cports:=-}
 			add_a_rule
 		    done
 		done
 	    elif [ -n "$MULTIPORT" ] && \
 	       ! list_search $protocol "icmp" "ICMP" "1" && \
 	       [ "$ports" = "${ports%:*}" -a \
 		"$cports" = "${cports%:*}" -a \
@ -5049,7 +5108,15 @@ setup_masq()
 			if [ $listcount -gt 1 ]; then
 			    case $ports in
 				*:*)
-				    fatal_error "Port Range not allowed in list ($ports)"
+				    if [ -n "$XMULTIPORT" ]; then
 					if [ $(($listcount + $(list_count1 $(split $ports) ) )) -le 16 ]; then
 					    ports="-m multiport --dports $ports"
 					else
 					    fatal_error "More than 15 entries in port list ($ports)"
 					fi
 				    else
 					fatal_error "Port Range not allowed in list ($ports)"
 				    fi
 				    ;;
 				*)
 				    if [ -n "$MULTIPORT" ]; then
@ -5504,6 +5571,7 @@ determine_capabilities() {
    CONNTRACK_MATCH=
    MULTIPORT=
    XMULTIPORT=
    POLICY_MATCH=
    PHYSDEV_MATCH=
    IPRANGE_MATCH=
@ -5511,6 +5579,7 @@ determine_capabilities() {
    qt $IPTABLES -N fooX1234
    qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT             && CONNTRACK_MATCH=Yes
    qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT               && MULTIPORT=Yes
    qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT               && XMULTIPORT=Yes
    qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT                   && POLICY_MATCH=Yes
    qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT                     && PHYSDEV_MATCH=Yes
    qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
@ -5537,7 +5606,7 @@ report_capabilities() {
    echo "Shorewall has detected the following iptables/netfilter capabilities:"
    report_capability $NAT_ENABLED "NAT"
    report_capability $MANGLE_ENABLED "Packet Mangling"
-    report_capability $MULTIPORT "Multi-port Match"
+    [ -n "$XMULTIPORT" ] && report_capability $XMULTIPORT "Extended Multi-port Match" || report_capability $MULTIPORT "Multi-port Match"
    report_capability $CONNTRACK_MATCH "Connection Tracking Match"
    report_capability $PKTTYPE "Packet Type Match"
    report_capability $POLICY_MATCH "Policy Match"
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@ -23,6 +23,12 @@ New Features in version 2.2.2
 3) The output from 'arp -na' has been added to the 'shorewall status'
   display.
 4) The 2.6.11 Linux kernel and iptables 1.3.0 now allow port ranges
   to appear in port lists. If Shorewall detects this capability, it
   will allow port ranges to appear in port lists. Be cautioned that
   each port range counts for TWO ports and a port list can still
   specify a maximum of 15 ports.
 -----------------------------------------------------------------------
 Problems corrected in version 2.2.1