Support '=' in SOURCE PORT(S) columns
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
fbfd265c0d
commit
49918b654e
@ -4158,9 +4158,12 @@ sub do_proto( $$$;$ )
|
||||
{
|
||||
if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP || $proto == UDPLITE ) {
|
||||
my $multiport = 0;
|
||||
my $srcndst = 0;
|
||||
|
||||
if ( $ports ne '' ) {
|
||||
$invert = $ports =~ s/^!// ? '! ' : '';
|
||||
$sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );
|
||||
|
||||
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) {
|
||||
fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT',1 );
|
||||
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
|
||||
@ -4174,18 +4177,19 @@ sub do_proto( $$$;$ )
|
||||
}
|
||||
|
||||
$ports = validate_port_list $pname , $ports;
|
||||
$output .= "-m multiport ${invert}--dports ${ports} ";
|
||||
$output .= ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "-m multiport ${invert}--dports ${ports} " );
|
||||
$multiport = 1;
|
||||
} else {
|
||||
fatal_error "Missing DEST PORT" unless supplied $ports;
|
||||
$ports = validate_portpair $pname , $ports;
|
||||
$output .= "${invert}--dport ${ports} ";
|
||||
$output .= ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "${invert}--dport ${ports} " );
|
||||
}
|
||||
} else {
|
||||
$multiport = ( ( $sports =~ tr/,/,/ ) > 0 || $proto == UDPLITE );
|
||||
}
|
||||
|
||||
if ( $sports ne '' ) {
|
||||
fatal_error "'=' in the SOURCE PORT(S) column requires one or more ports in the DEST PORT(S) column" if $sports eq '=';
|
||||
$invert = $sports =~ s/^!// ? '! ' : '';
|
||||
if ( $multiport ) {
|
||||
|
||||
@ -4348,9 +4352,12 @@ sub do_iproto( $$$ )
|
||||
{
|
||||
if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP || $proto == UDPLITE ) {
|
||||
my $multiport = 0;
|
||||
my $srcndst = 0;
|
||||
|
||||
if ( $ports ne '' ) {
|
||||
$invert = $ports =~ s/^!// ? '! ' : '';
|
||||
$sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );
|
||||
|
||||
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) {
|
||||
fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' , 1 );
|
||||
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
|
||||
@ -4364,18 +4371,24 @@ sub do_iproto( $$$ )
|
||||
}
|
||||
|
||||
$ports = validate_port_list $pname , $ports;
|
||||
push @output, multiport => "${invert}--dports ${ports}";
|
||||
push @output, multiport => ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "-m multiport ${invert}--dports ${ports} " );
|
||||
$multiport = 1;
|
||||
} else {
|
||||
fatal_error "Missing DEST PORT" unless supplied $ports;
|
||||
$ports = validate_portpair $pname , $ports;
|
||||
|
||||
if ( $srcndst ) {
|
||||
push @output, multiport => "${invert}--ports ${ports}";
|
||||
} else {
|
||||
push @output, dport => "${invert}${ports}";
|
||||
}
|
||||
}
|
||||
} else {
|
||||
$multiport = ( ( $sports =~ tr/,/,/ ) > 0 || $proto == UDPLITE );
|
||||
}
|
||||
|
||||
if ( $sports ne '' ) {
|
||||
fatal_error "'=' in the SOURCE PORT(S) column requires one or more ports in the DEST PORT(S) column" if $sports eq '=';
|
||||
$invert = $sports =~ s/^!// ? '! ' : '';
|
||||
if ( $multiport ) {
|
||||
|
||||
@ -4448,7 +4461,6 @@ sub do_iproto( $$$ )
|
||||
|
||||
last PROTO; }
|
||||
|
||||
|
||||
fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $pname" if $ports ne '' || $sports ne '';
|
||||
|
||||
} # PROTO
|
||||
|
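Review bot: In do_iproto's multiport branch, the new `push @output, multiport => ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "-m multiport ${invert}--dports ${ports} " );` bakes a `-m multiport ` prefix and a trailing space into the value, while the line it replaces (`push @output, multiport => "${invert}--dports ${ports}";`) and the new single-port `--ports` push a few lines below store only the option text under the `multiport` key. If the consumer of @output derives the `-m` prefix from the key, as those two lines suggest, this branch would emit the multiport match twice; the do_proto version, which appends directly to $output, is the one that should carry the prefix. I would change it to `push @output, multiport => ( $srcndst ? "${invert}--ports ${ports}" : "${invert}--dports ${ports}" );`. As a point of style, `$sports = '', require_capability( ... ) if ( $srcndst = $sports eq '=' );` in both do_proto and do_iproto relies on the comma operator and an assignment inside the statement-modifier condition, and a plain `if ( $sports eq '=' ) { $srcndst = 1; $sports = ''; require_capability( ... ); }` block would read unambiguously. Both do_proto and do_iproto start and end outside these hunks, so the consumer of @output is not visible here.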
@ -452,6 +452,12 @@
|
||||
<para>You may place a comma-separated list of port numbers in this
|
||||
column if your kernel and iptables include multiport match
|
||||
support.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -384,6 +384,12 @@
|
||||
ranges of the form
|
||||
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
|
||||
if your kernel and iptables include port range support.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -161,6 +161,12 @@
|
||||
include port ranges of the form
|
||||
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
|
||||
if your kernel and iptables include port range support.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
@ -1045,6 +1045,12 @@
|
||||
port is acceptable. Specified as a comma- separated list of port
|
||||
names, port numbers or port ranges.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S).</para>
|
||||
|
||||
<warning>
|
||||
<para>Unless you really understand IP, you should leave this
|
||||
column empty or place a dash (<emphasis role="bold">-</emphasis>)
|
||||
@ -1052,20 +1058,18 @@
|
||||
wrong.</para>
|
||||
</warning>
|
||||
|
||||
<blockquote>
|
||||
<para>If you don't want to restrict client ports but need to
|
||||
specify an <emphasis role="bold">ORIGINAL DEST</emphasis> in the
|
||||
next column, then place "-" in this column.</para>
|
||||
<para>If you don't want to restrict client ports but need to specify
|
||||
an <emphasis role="bold">ORIGINAL DEST</emphasis> in the next
|
||||
column, then place "-" in this column.</para>
|
||||
|
||||
<para>If your kernel contains multi-port match support, then only
|
||||
a single Netfilter rule will be generated if in this list and the
|
||||
<para>If your kernel contains multi-port match support, then only a
|
||||
single Netfilter rule will be generated if in this list and the
|
||||
<emphasis role="bold">DEST PORT(S)</emphasis> list above:</para>
|
||||
|
||||
<para>1. There are 15 or less ports listed.</para>
|
||||
|
||||
<para>2. No port ranges are included or your kernel and iptables
|
||||
contain extended multiport match support.</para>
|
||||
</blockquote>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -125,6 +125,12 @@
|
||||
include port ranges of the form
|
||||
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
|
||||
if your kernel and iptables include port range support.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
@ -393,6 +393,12 @@
|
||||
<para>You may place a comma-separated list of port numbers in this
|
||||
column if your kernel and ip6tables include multiport match
|
||||
support.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -276,6 +276,12 @@
|
||||
ranges of the form
|
||||
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
|
||||
if your kernel and iptables include port range support.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -998,6 +998,12 @@
|
||||
acceptable. Specified as a comma- separated list of port names, port
|
||||
numbers or port ranges.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S).</para>
|
||||
|
||||
<warning>
|
||||
<para>Unless you really understand IP, you should leave this
|
||||
column empty or place a dash (<emphasis role="bold">-</emphasis>)
|
||||
@ -1005,19 +1011,17 @@
|
||||
wrong.</para>
|
||||
</warning>
|
||||
|
||||
<blockquote>
|
||||
<para>If you don't want to restrict client ports but need to
|
||||
specify a later column, then place "-" in this column.</para>
|
||||
<para>If you don't want to restrict client ports but need to specify
|
||||
a later column, then place "-" in this column.</para>
|
||||
|
||||
<para>If your kernel contains multi-port match support, then only
|
||||
a single Netfilter rule will be generated if in this list and the
|
||||
<para>If your kernel contains multi-port match support, then only a
|
||||
single Netfilter rule will be generated if in this list and the
|
||||
<emphasis role="bold">DEST PORT(S)</emphasis> list above:</para>
|
||||
|
||||
<para>1. There are 15 or less ports listed.</para>
|
||||
|
||||
<para>2. No port ranges are included or your kernel and ip6tables
|
||||
contain extended multiport match support.</para>
|
||||
</blockquote>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -269,6 +269,12 @@
|
||||
<para>Optional source port(s). If omitted, any source port is
|
||||
acceptable. Specified as a comma-separated list of port names, port
|
||||
numbers or port ranges.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -125,6 +125,12 @@
|
||||
include port ranges of the form
|
||||
<replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
|
||||
if your kernel and iptables include port range support.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
@ -809,6 +809,12 @@ Normal-Service => 0x00</programlisting>
|
||||
<para>An entry in this field requires that the PROTO column specify
|
||||
tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
|
||||
the following fields is supplied.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.15, you may place '=' in this
|
||||
column, provided that the DEST PORT(S) column is non-empty. This
|
||||
causes the rule to match when either the source port or the
|
||||
destination port in a packet matches one of the ports specified in
|
||||
DEST PORTS(S).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|