Support '=' in SOURCE PORT(S) columns

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2013-03-04 09:56:10 -08:00
parent fbfd265c0d
commit 49918b654e
12 changed files with 101 additions and 27 deletions


@ -4158,9 +4158,12 @@ sub do_proto( $$$;$ )
{ {
if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP || $proto == UDPLITE ) { if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP || $proto == UDPLITE ) {
my $multiport = 0; my $multiport = 0;
my $srcndst = 0;
if ( $ports ne '' ) { if ( $ports ne '' ) {
$invert = $ports =~ s/^!// ? '! ' : ''; $invert = $ports =~ s/^!// ? '! ' : '';
$sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) { if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) {
fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT',1 ); fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT',1 );
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP; fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
@ -4174,18 +4177,19 @@ sub do_proto( $$$;$ )
} }
$ports = validate_port_list $pname , $ports; $ports = validate_port_list $pname , $ports;
$output .= "-m multiport ${invert}--dports ${ports} "; $output .= ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "-m multiport ${invert}--dports ${ports} " );
$multiport = 1; $multiport = 1;
} else { } else {
fatal_error "Missing DEST PORT" unless supplied $ports; fatal_error "Missing DEST PORT" unless supplied $ports;
$ports = validate_portpair $pname , $ports; $ports = validate_portpair $pname , $ports;
$output .= "${invert}--dport ${ports} "; $output .= ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "${invert}--dport ${ports} " );
} }
} else { } else {
$multiport = ( ( $sports =~ tr/,/,/ ) > 0 || $proto == UDPLITE ); $multiport = ( ( $sports =~ tr/,/,/ ) > 0 || $proto == UDPLITE );
} }
if ( $sports ne '' ) { if ( $sports ne '' ) {
fatal_error "'=' in the SOURCE PORT(S) column requires one or more ports in the DEST PORT(S) column" if $sports eq '=';
$invert = $sports =~ s/^!// ? '! ' : ''; $invert = $sports =~ s/^!// ? '! ' : '';
if ( $multiport ) { if ( $multiport ) {
@ -4348,9 +4352,12 @@ sub do_iproto( $$$ )
{ {
if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP || $proto == UDPLITE ) { if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP || $proto == UDPLITE ) {
my $multiport = 0; my $multiport = 0;
my $srcndst = 0;
if ( $ports ne '' ) { if ( $ports ne '' ) {
$invert = $ports =~ s/^!// ? '! ' : ''; $invert = $ports =~ s/^!// ? '! ' : '';
$sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) { if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) {
fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' , 1 ); fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' , 1 );
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP; fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
@ -4364,18 +4371,24 @@ sub do_iproto( $$$ )
} }
$ports = validate_port_list $pname , $ports; $ports = validate_port_list $pname , $ports;
push @output, multiport => "${invert}--dports ${ports}"; push @output, multiport => ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "-m multiport ${invert}--dports ${ports} " );
$multiport = 1; $multiport = 1;
} else { } else {
fatal_error "Missing DEST PORT" unless supplied $ports; fatal_error "Missing DEST PORT" unless supplied $ports;
$ports = validate_portpair $pname , $ports; $ports = validate_portpair $pname , $ports;
push @output, dport => "${invert}${ports}";
if ( $srcndst ) {
push @output, multiport => "${invert}--ports ${ports}";
} else {
push @output, dport => "${invert}${ports}";
}
} }
} else { } else {
$multiport = ( ( $sports =~ tr/,/,/ ) > 0 || $proto == UDPLITE ); $multiport = ( ( $sports =~ tr/,/,/ ) > 0 || $proto == UDPLITE );
} }
if ( $sports ne '' ) { if ( $sports ne '' ) {
fatal_error "'=' in the SOURCE PORT(S) column requires one or more ports in the DEST PORT(S) column" if $sports eq '=';
$invert = $sports =~ s/^!// ? '! ' : ''; $invert = $sports =~ s/^!// ? '! ' : '';
if ( $multiport ) { if ( $multiport ) {
@ -4448,7 +4461,6 @@ sub do_iproto( $$$ )
last PROTO; } last PROTO; }
fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $pname" if $ports ne '' || $sports ne ''; fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $pname" if $ports ne '' || $sports ne '';
} # PROTO } # PROTO
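Review bot: The `multiport =>` value pushed in do_iproto's list branch, `push @output, multiport => ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "-m multiport ${invert}--dports ${ports} " );`, now carries a `-m multiport ` prefix and a trailing space, whereas the value it replaced and the new `--ports` push a few lines below (`push @output, multiport => "${invert}--ports ${ports}";`) carry neither, so unless the consumer of @output strips that prefix the list branch will emit the match twice. Keeping the existing value format, `push @output, multiport => "${invert}" . ( $srcndst ? '--ports' : '--dports' ) . " ${ports}";`, makes the two pushes consistent. In both do_proto and do_iproto the `=` handling in the single-port branch wraps whatever validate_portpair returns in `-m multiport --ports`, so if that helper accepts a `low:high` range (as the original `--dport ${ports}` form allows) the generated rule will need extended multiport support that only the list branch appears to check for. The comma-joined statement `$sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );` packs two statements and an assignment-in-condition onto one line; an explicit `if` block with `$srcndst` assigned on its own line would read more clearly. Both subroutines begin and end outside these hunks.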


@ -452,6 +452,12 @@
<para>You may place a comma-separated list of port numbers in this <para>You may place a comma-separated list of port numbers in this
column if your kernel and iptables include multiport match column if your kernel and iptables include multiport match
support.</para> support.</para>
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
column, provided that the DEST PORT(S) column is non-empty. This
causes the rule to match when either the source port or the
destination port in a packet matches one of the ports specified in
DEST PORTS(S).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -384,6 +384,12 @@
ranges of the form ranges of the form
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable> <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
if your kernel and iptables include port range support.</para> if your kernel and iptables include port range support.</para>
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
column, provided that the DEST PORT(S) column is non-empty. This
causes the rule to match when either the source port or the
destination port in a packet matches one of the ports specified in
DEST PORTS(S).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -161,6 +161,12 @@
include port ranges of the form include port ranges of the form
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable> <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
if your kernel and iptables include port range support.</para> if your kernel and iptables include port range support.</para>
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
column, provided that the DEST PORT(S) column is non-empty. This
causes the rule to match when either the source port or the
destination port in a packet matches one of the ports specified in
DEST PORTS(S).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>


@ -1045,6 +1045,12 @@
port is acceptable. Specified as a comma- separated list of port port is acceptable. Specified as a comma- separated list of port
names, port numbers or port ranges.</para> names, port numbers or port ranges.</para>
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
column, provided that the DEST PORT(S) column is non-empty. This
causes the rule to match when either the source port or the
destination port in a packet matches one of the ports specified in
DEST PORTS(S).</para>
<warning> <warning>
<para>Unless you really understand IP, you should leave this <para>Unless you really understand IP, you should leave this
column empty or place a dash (<emphasis role="bold">-</emphasis>) column empty or place a dash (<emphasis role="bold">-</emphasis>)
@ -1052,20 +1058,18 @@
wrong.</para> wrong.</para>
</warning> </warning>
<blockquote> <para>If you don't want to restrict client ports but need to specify
<para>If you don't want to restrict client ports but need to an <emphasis role="bold">ORIGINAL DEST</emphasis> in the next
specify an <emphasis role="bold">ORIGINAL DEST</emphasis> in the column, then place "-" in this column.</para>
next column, then place "-" in this column.</para>
<para>If your kernel contains multi-port match support, then only <para>If your kernel contains multi-port match support, then only a
a single Netfilter rule will be generated if in this list and the single Netfilter rule will be generated if in this list and the
<emphasis role="bold">DEST PORT(S)</emphasis> list above:</para> <emphasis role="bold">DEST PORT(S)</emphasis> list above:</para>
<para>1. There are 15 or less ports listed.</para> <para>1. There are 15 or less ports listed.</para>
<para>2. No port ranges are included or your kernel and iptables <para>2. No port ranges are included or your kernel and iptables
contain extended multiport match support.</para> contain extended multiport match support.</para>
</blockquote>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -125,6 +125,12 @@
include port ranges of the form include port ranges of the form
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable> <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
if your kernel and iptables include port range support.</para> if your kernel and iptables include port range support.</para>
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
column, provided that the DEST PORT(S) column is non-empty. This
causes the rule to match when either the source port or the
destination port in a packet matches one of the ports specified in
DEST PORTS(S).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>


@ -393,6 +393,12 @@
<para>You may place a comma-separated list of port numbers in this <para>You may place a comma-separated list of port numbers in this
column if your kernel and ip6tables include multiport match column if your kernel and ip6tables include multiport match
support.</para> support.</para>
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
column, provided that the DEST PORT(S) column is non-empty. This
causes the rule to match when either the source port or the
destination port in a packet matches one of the ports specified in
DEST PORTS(S).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -276,6 +276,12 @@
ranges of the form ranges of the form
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable> <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
if your kernel and iptables include port range support.</para> if your kernel and iptables include port range support.</para>
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
column, provided that the DEST PORT(S) column is non-empty. This
causes the rule to match when either the source port or the
destination port in a packet matches one of the ports specified in
DEST PORTS(S).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -998,6 +998,12 @@
acceptable. Specified as a comma- separated list of port names, port acceptable. Specified as a comma- separated list of port names, port
numbers or port ranges.</para> numbers or port ranges.</para>
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
column, provided that the DEST PORT(S) column is non-empty. This
causes the rule to match when either the source port or the
destination port in a packet matches one of the ports specified in
DEST PORTS(S).</para>
<warning> <warning>
<para>Unless you really understand IP, you should leave this <para>Unless you really understand IP, you should leave this
column empty or place a dash (<emphasis role="bold">-</emphasis>) column empty or place a dash (<emphasis role="bold">-</emphasis>)
@ -1005,19 +1011,17 @@
wrong.</para> wrong.</para>
</warning> </warning>
<blockquote> <para>If you don't want to restrict client ports but need to specify
<para>If you don't want to restrict client ports but need to a later column, then place "-" in this column.</para>
specify a later column, then place "-" in this column.</para>
<para>If your kernel contains multi-port match support, then only <para>If your kernel contains multi-port match support, then only a
a single Netfilter rule will be generated if in this list and the single Netfilter rule will be generated if in this list and the
<emphasis role="bold">DEST PORT(S)</emphasis> list above:</para> <emphasis role="bold">DEST PORT(S)</emphasis> list above:</para>
<para>1. There are 15 or less ports listed.</para> <para>1. There are 15 or less ports listed.</para>
<para>2. No port ranges are included or your kernel and ip6tables <para>2. No port ranges are included or your kernel and ip6tables
contain extended multiport match support.</para> contain extended multiport match support.</para>
</blockquote>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -269,6 +269,12 @@
<para>Optional source port(s). If omitted, any source port is <para>Optional source port(s). If omitted, any source port is
acceptable. Specified as a comma-separated list of port names, port acceptable. Specified as a comma-separated list of port names, port
numbers or port ranges.</para> numbers or port ranges.</para>
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
column, provided that the DEST PORT(S) column is non-empty. This
causes the rule to match when either the source port or the
destination port in a packet matches one of the ports specified in
DEST PORTS(S).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -125,6 +125,12 @@
include port ranges of the form include port ranges of the form
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable> <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
if your kernel and iptables include port range support.</para> if your kernel and iptables include port range support.</para>
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
column, provided that the DEST PORT(S) column is non-empty. This
causes the rule to match when either the source port or the
destination port in a packet matches one of the ports specified in
DEST PORTS(S).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>


@ -809,6 +809,12 @@ Normal-Service =&gt; 0x00</programlisting>
<para>An entry in this field requires that the PROTO column specify <para>An entry in this field requires that the PROTO column specify
tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
the following fields is supplied.</para> the following fields is supplied.</para>
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
column, provided that the DEST PORT(S) column is non-empty. This
causes the rule to match when either the source port or the
destination port in a packet matches one of the ports specified in
DEST PORTS(S).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>