diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 91c8bbd2f..03efdb744 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -4158,9 +4158,12 @@ sub do_proto( $$$;$ )
{
if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP || $proto == UDPLITE ) {
my $multiport = 0;
+ my $srcndst = 0;
if ( $ports ne '' ) {
$invert = $ports =~ s/^!// ? '! ' : '';
+ $sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );
+
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) {
fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT',1 );
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
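Review bot: The `'='` handling at L12 folds an assignment into the postfix condition and puts a comma-operator statement ahead of it, which reads as two statements and hides that `$sports` is being cleared; the same construct is repeated in do_iproto at L44. Spell it out as `$srcndst = $sports eq '=';` followed by `if ( $srcndst ) { $sports = ''; require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) }`, and add a comment such as `# '=' means: match DEST PORT(S) against either port; clear $sports so the SOURCE PORT(S) block below is skipped`, since the later `$sports ne ''` test depends on that clearing. do_proto starts before this hunk and continues past it.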
@@ -4174,18 +4177,19 @@ sub do_proto( $$$;$ )
}
$ports = validate_port_list $pname , $ports;
- $output .= "-m multiport ${invert}--dports ${ports} ";
+ $output .= ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "-m multiport ${invert}--dports ${ports} " );
$multiport = 1;
} else {
fatal_error "Missing DEST PORT" unless supplied $ports;
$ports = validate_portpair $pname , $ports;
- $output .= "${invert}--dport ${ports} ";
+ $output .= ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "${invert}--dport ${ports} " );
}
} else {
$multiport = ( ( $sports =~ tr/,/,/ ) > 0 || $proto == UDPLITE );
}
if ( $sports ne '' ) {
+ fatal_error "'=' in the SOURCE PORT(S) column requires one or more ports in the DEST PORT(S) column" if $sports eq '=';
$invert = $sports =~ s/^!// ? '! ' : '';
if ( $multiport ) {
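Review bot: The single-port branch at L27 emits `-m multiport --ports` for whatever `validate_portpair` returns, and if that accepts a `low:high` range (as the manpage text for this column suggests), the generated rule needs extended multiport support that nothing in this branch checks; the list branch's range handling is outside the hunk, so I cannot see whether it covers this path. A guard of the form `require_capability( 'XMULTIPORT', "'=' with a port range", 's' ) if $srcndst && $ports =~ /:/;` would report the problem at compile time rather than at iptables load, provided XMULTIPORT is the capability name this file already uses for extended multiport. Separately, `$invert` derived from a `!`-prefixed DEST PORT(S) value at L11 now lands in front of `--ports`, so `'='` combined with `!80` matches packets where neither port is 80; the manpage paragraphs added in this commit describe only the positive case and should say how negation combines with `'='`. do_proto continues beyond this hunk.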
@@ -4348,9 +4352,12 @@ sub do_iproto( $$$ )
{
if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP || $proto == UDPLITE ) {
my $multiport = 0;
+ my $srcndst = 0;
if ( $ports ne '' ) {
- $invert = $ports =~ s/^!// ? '! ' : '';
+ $invert = $ports =~ s/^!// ? '! ' : '';
+ $sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );
+
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) {
fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' , 1 );
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
@@ -4364,18 +4371,24 @@ sub do_iproto( $$$ )
}
$ports = validate_port_list $pname , $ports;
- push @output, multiport => "${invert}--dports ${ports}";
+ push @output, multiport => ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "-m multiport ${invert}--dports ${ports} " );
$multiport = 1;
} else {
fatal_error "Missing DEST PORT" unless supplied $ports;
$ports = validate_portpair $pname , $ports;
- push @output, dport => "${invert}${ports}";
+
+ if ( $srcndst ) {
+ push @output, multiport => "${invert}--ports ${ports}";
+ } else {
+ push @output, dport => "${invert}${ports}";
+ }
}
} else {
$multiport = ( ( $sports =~ tr/,/,/ ) > 0 || $proto == UDPLITE );
}
if ( $sports ne '' ) {
+ fatal_error "'=' in the SOURCE PORT(S) column requires one or more ports in the DEST PORT(S) column" if $sports eq '=';
$invert = $sports =~ s/^!// ? '! ' : '';
if ( $multiport ) {
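Review bot: At L53 the `multiport` entry now carries a leading `-m multiport ` and a trailing space in both arms of the ternary, whereas the line it replaces and the new single-port arm at L61 pass only `${invert}--ports/--dports ${ports}`; if the consumer of `@output` prepends the match from the `multiport` key, as the removed line implies, the list form will emit `-m multiport` twice, and the non-'=' path regresses as well. Keeping the value shape consistent with L61 avoids both: `push @output, multiport => ( $srcndst ? "${invert}--ports ${ports}" : "${invert}--dports ${ports}" );`. Unlike do_proto, this function builds a key/value list rather than an option string, so the L21/L27 strings should not be copied verbatim. do_iproto starts before this hunk and continues past it.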
@@ -4448,7 +4461,6 @@ sub do_iproto( $$$ )
last PROTO; }
-
fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $pname" if $ports ne '' || $sports ne '';
} # PROTO
diff --git a/Shorewall/manpages/shorewall-accounting.xml b/Shorewall/manpages/shorewall-accounting.xml
index b4990f2fe..974e1e136 100644
--- a/Shorewall/manpages/shorewall-accounting.xml
+++ b/Shorewall/manpages/shorewall-accounting.xml
@@ -452,6 +452,13 @@
You may place a comma-separated list of port numbers in this
column if your kernel and iptables include multiport match
support.
+
+ Beginning with Shorewall 4.5.15, you may place '=' in this
+ column, provided that the DEST PORT(S) column is non-empty. This
+ causes the rule to match when either the source port or the
+ destination port in a packet matches one of the ports specified in
+ DEST PORTS(S). Use of '=' requires multiport match in your iptables
+ and kernel.
diff --git a/Shorewall/manpages/shorewall-conntrack.xml b/Shorewall/manpages/shorewall-conntrack.xml
index efbfba528..0b41e1f30 100644
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -384,6 +384,13 @@
ranges of the form
low-port:high-port
if your kernel and iptables include port range support.
+
+ Beginning with Shorewall 4.5.15, you may place '=' in this
+ column, provided that the DEST PORT(S) column is non-empty. This
+ causes the rule to match when either the source port or the
+ destination port in a packet matches one of the ports specified in
+ DEST PORTS(S). Use of '=' requires multiport match in your iptables
+ and kernel.
diff --git a/Shorewall/manpages/shorewall-routestopped.xml b/Shorewall/manpages/shorewall-routestopped.xml
index ff5e267ff..ce2cd3087 100644
--- a/Shorewall/manpages/shorewall-routestopped.xml
+++ b/Shorewall/manpages/shorewall-routestopped.xml
@@ -161,6 +161,13 @@
include port ranges of the form
low-port:high-port
if your kernel and iptables include port range support.
+
+ Beginning with Shorewall 4.5.15, you may place '=' in this
+ column, provided that the DEST PORT(S) column is non-empty. This
+ causes the rule to match when either the source port or the
+ destination port in a packet matches one of the ports specified in
+ DEST PORTS(S). Use of '=' requires multiport match in your iptables
+ and kernel.
diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml
index b2b7bae46..9182eeb52 100644
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -1045,6 +1045,13 @@
port is acceptable. Specified as a comma- separated list of port
names, port numbers or port ranges.
+ Beginning with Shorewall 4.5.15, you may place '=' in this
+ column, provided that the DEST PORT(S) column is non-empty. This
+ causes the rule to match when either the source port or the
+ destination port in a packet matches one of the ports specified in
+ DEST PORTS(S). Use of '=' requires multiport match in your iptables
+ and kernel.
+
Unless you really understand IP, you should leave this
column empty or place a dash (-)
@@ -1052,20 +1059,18 @@
wrong.
-
- If you don't want to restrict client ports but need to
- specify an ORIGINAL DEST in the
- next column, then place "-" in this column.
+ If you don't want to restrict client ports but need to specify
+ an ORIGINAL DEST in the next
+ column, then place "-" in this column.
- If your kernel contains multi-port match support, then only
- a single Netfilter rule will be generated if in this list and the
- DEST PORT(S) list above:
+ If your kernel contains multi-port match support, then only a
+ single Netfilter rule will be generated if in this list and the
+ DEST PORT(S) list above:
- 1. There are 15 or less ports listed.
+ 1. There are 15 or less ports listed.
- 2. No port ranges are included or your kernel and iptables
- contain extended multiport match support.
-
+ 2. No port ranges are included or your kernel and iptables
+ contain extended multiport match support.
diff --git a/Shorewall/manpages/shorewall-stoppedrules.xml b/Shorewall/manpages/shorewall-stoppedrules.xml
index 29cc18768..0046b2f37 100644
--- a/Shorewall/manpages/shorewall-stoppedrules.xml
+++ b/Shorewall/manpages/shorewall-stoppedrules.xml
@@ -125,6 +125,13 @@
include port ranges of the form
low-port:high-port
if your kernel and iptables include port range support.
+
+ Beginning with Shorewall 4.5.15, you may place '=' in this
+ column, provided that the DEST PORT(S) column is non-empty. This
+ causes the rule to match when either the source port or the
+ destination port in a packet matches one of the ports specified in
+ DEST PORTS(S). Use of '=' requires multiport match in your iptables
+ and kernel.
diff --git a/Shorewall/manpages/shorewall-tcrules.xml b/Shorewall/manpages/shorewall-tcrules.xml
index a2f8d4aa0..fa3e5bd7b 100644
--- a/Shorewall/manpages/shorewall-tcrules.xml
+++ b/Shorewall/manpages/shorewall-tcrules.xml
@@ -933,6 +933,13 @@ Normal-Service => 0x00
An entry in this field requires that the PROTO column specify
tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
the following fields is supplied.
+
+ Beginning with Shorewall 4.5.15, you may place '=' in this
+ column, provided that the DEST PORT(S) column is non-empty. This
+ causes the rule to match when either the source port or the
+ destination port in a packet matches one of the ports specified in
+ DEST PORTS(S). Use of '=' requires multiport match in your iptables
+ and kernel.
diff --git a/Shorewall6/manpages/shorewall6-accounting.xml b/Shorewall6/manpages/shorewall6-accounting.xml
index ffcb10274..38c34592c 100644
--- a/Shorewall6/manpages/shorewall6-accounting.xml
+++ b/Shorewall6/manpages/shorewall6-accounting.xml
@@ -393,6 +393,13 @@
You may place a comma-separated list of port numbers in this
column if your kernel and ip6tables include multiport match
support.
+
+ Beginning with Shorewall 4.5.15, you may place '=' in this
+ column, provided that the DEST PORT(S) column is non-empty. This
+ causes the rule to match when either the source port or the
+ destination port in a packet matches one of the ports specified in
+ DEST PORTS(S). Use of '=' requires multiport match in your iptables
+ and kernel.
diff --git a/Shorewall6/manpages/shorewall6-conntrack.xml b/Shorewall6/manpages/shorewall6-conntrack.xml
index 25bd14464..f504252a7 100644
--- a/Shorewall6/manpages/shorewall6-conntrack.xml
+++ b/Shorewall6/manpages/shorewall6-conntrack.xml
@@ -276,6 +276,12 @@
ranges of the form
low-port:high-port
if your kernel and iptables include port range support.
+
+ Beginning with Shorewall 4.5.15, you may place '=' in this
+ column, provided that the DEST PORT(S) column is non-empty. This
+ causes the rule to match when either the source port or the
+ destination port in a packet matches one of the ports specified in
+ DEST PORTS(S).
diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml
index a3c07b53d..0ed504394 100644
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -998,6 +998,13 @@
acceptable. Specified as a comma- separated list of port names, port
numbers or port ranges.
+ Beginning with Shorewall 4.5.15, you may place '=' in this
+ column, provided that the DEST PORT(S) column is non-empty. This
+ causes the rule to match when either the source port or the
+ destination port in a packet matches one of the ports specified in
+ DEST PORTS(S). Use of '=' requires multiport match in your iptables
+ and kernel.
+
Unless you really understand IP, you should leave this
column empty or place a dash (-)
@@ -1005,19 +1012,17 @@
wrong.
-
- If you don't want to restrict client ports but need to
- specify a later column, then place "-" in this column.
+ If you don't want to restrict client ports but need to specify
+ a later column, then place "-" in this column.
- If your kernel contains multi-port match support, then only
- a single Netfilter rule will be generated if in this list and the
- DEST PORT(S) list above:
+ If your kernel contains multi-port match support, then only a
+ single Netfilter rule will be generated if in this list and the
+ DEST PORT(S) list above:
- 1. There are 15 or less ports listed.
+ 1. There are 15 or less ports listed.
- 2. No port ranges are included or your kernel and ip6tables
- contain extended multiport match support.
-
+ 2. No port ranges are included or your kernel and ip6tables
+ contain extended multiport match support.
diff --git a/Shorewall6/manpages/shorewall6-secmarks.xml b/Shorewall6/manpages/shorewall6-secmarks.xml
index 547683b45..ec6d36b83 100644
--- a/Shorewall6/manpages/shorewall6-secmarks.xml
+++ b/Shorewall6/manpages/shorewall6-secmarks.xml
@@ -269,6 +269,13 @@
Optional source port(s). If omitted, any source port is
acceptable. Specified as a comma-separated list of port names, port
numbers or port ranges.
+
+ Beginning with Shorewall 4.5.15, you may place '=' in this
+ column, provided that the DEST PORT(S) column is non-empty. This
+ causes the rule to match when either the source port or the
+ destination port in a packet matches one of the ports specified in
+ DEST PORTS(S). Use of '=' requires multiport match in your iptables
+ and kernel.
diff --git a/Shorewall6/manpages/shorewall6-stoppedrules.xml b/Shorewall6/manpages/shorewall6-stoppedrules.xml
index f3250def5..c129d1d13 100644
--- a/Shorewall6/manpages/shorewall6-stoppedrules.xml
+++ b/Shorewall6/manpages/shorewall6-stoppedrules.xml
@@ -125,6 +125,13 @@
include port ranges of the form
low-port:high-port
if your kernel and iptables include port range support.
+
+ Beginning with Shorewall 4.5.15, you may place '=' in this
+ column, provided that the DEST PORT(S) column is non-empty. This
+ causes the rule to match when either the source port or the
+ destination port in a packet matches one of the ports specified in
+ DEST PORTS(S). Use of '=' requires multiport match in your iptables
+ and kernel.
diff --git a/Shorewall6/manpages/shorewall6-tcrules.xml b/Shorewall6/manpages/shorewall6-tcrules.xml
index 6ac580ee4..f40b27337 100644
--- a/Shorewall6/manpages/shorewall6-tcrules.xml
+++ b/Shorewall6/manpages/shorewall6-tcrules.xml
@@ -809,6 +809,13 @@ Normal-Service => 0x00
An entry in this field requires that the PROTO column specify
tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
the following fields is supplied.
+
+ Beginning with Shorewall 4.5.15, you may place '=' in this
+ column, provided that the DEST PORT(S) column is non-empty. This
+ causes the rule to match when either the source port or the
+ destination port in a packet matches one of the ports specified in
+ DEST PORTS(S). Use of '=' requires multiport match in your iptables
+ and kernel.