Allow port lists in tcrules

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2484 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-08-12 22:11:30 +00:00 · 2005-08-12 22:11:30 +00:00 · 1625a7c4f3
commit 1625a7c4f3
parent 5822b2855f
2 changed files with 42 additions and 7 deletions
--- a/Shorewall/accounting
+++ b/Shorewall/accounting
@ -49,7 +49,7 @@
 #	PROTOCOL	A protocol name (from /etc/protocols), a protocol
 #			number, or "ipp2p"
 #
-#	DEST PORT	Destination Port number. If the PROTOCOL is "ipp2p"
+#	DEST PORT(S)	Destination Port number. If the PROTOCOL is "ipp2p"
 #			then this column must contain an ipp2p option
 #			("iptables -m ipp2p --help") without the leading
 #			"--". If no option is given in this column, "ipp2p"
@ -59,12 +59,20 @@
 #			only be specified if the protocol is TCP or UDP (6
 #			or 17).
 #
-#	SOURCE PORT	Source Port number
+#			You may place a comma-separated list of port numbers in
+#			this column if your kernel and iptables include 
+#			multiport match support.
+#
+#	SOURCE PORT(S)	Source Port number
 #
 #			Service name from /etc/services or port number. May
 #			only be specified if the protocol is TCP or UDP (6
 #			or 17).
 #
+#			You may place a comma-separated list of port numbers in
+#			this column if your kernel and iptables include 
+#			multiport match support.
+#
 #	USER/GROUP	This column may only be non-empty if the CHAIN is
 #			OUTPUT.
 #			
@ -94,5 +102,5 @@
 #
 #####################################################################################
 #ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
-#							PORT		PORT	GROUP
+#							PORT(S)		PORT(S)	GROUP
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -2982,6 +2982,8 @@ process_tc_rule()
 	    esac
 	fi

+	multiport=
+
 	if [ "x$proto" = xipp2p ]; then
 	    [ "x$port" = "x-" ] && port="ipp2p"
 	    r="${r}-p tcp -m ipp2p --${port} "
@ -2989,10 +2991,24 @@ process_tc_rule()
 	    [ "x$proto"  = "x-"  ] && proto=all
 	    [ "x$proto"  = "x"   ] && proto=all
 	    [ "$proto"   = "all" ] || r="${r}-p $proto "
-	    [ "x$port"   = "x-"  ] || r="${r}--dport $port "
+	    
+	    if [ "x$port" != "x-"  ]; then
+		if [ -n "$MULTIPORT" ]; then
+		    r="${r}-m multiport --dports $port "
+		    multiport=Yes
+		else
+		    r="${r}--dport $port "
+		fi
+	    fi
 	fi

-	[ "x$sport"  = "x-"  ] || r="${r}--sport $sport "
+	if [ "x$sport" != "x-"  ]; then
+	    if [ -n "$MULTIPORT" ]; then
+		[ -n "$multiport" ] && r="${r}--sports $sport " || r="${r}-m multiport --sports $sport "
+	    else
+		r="${r}--sport $sport "
+	    fi
+	fi

 	case $chain in
 	    tcpost)
@ -3297,11 +3313,18 @@ process_accounting_rule() {
 	    ;;
    esac

+    multiport=
+
    [ -n "$port" ] && case $port in
 	-|any|all)
 	    ;;
 	*)
-	    rule="$rule --dport $port"
+	    if [ -n "$MULTIPORT" ]; then
+		rule="$rule -m multiport --dports $port"
+		multiport=Yes
+	    else
+		rule="$rule --dport $port"	
+	    fi
 	    ;;
    esac

@ -3309,7 +3332,11 @@ process_accounting_rule() {
 	-|any|all)
 	    ;;
 	*)
-	    rule="$rule --sport $sport"
+	    if [ -n "$MULTIPORT" ]; then
+		[ -n "$multiport" ] && rule="$rule --sports $sport" || rule="$rule -m multiport --sports $sport"
+	    else
+		rule="$rule --sport $sport"
+	    fi
 	    ;;
    esac