From 7e9e21dc008a2dc929c279ab84b64ce9ee99a5fa Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 6 Feb 2009 20:30:14 +0000 Subject: [PATCH] Apply ctorigdstport fix to trunk git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9422 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-perl/Shorewall/Chains.pm | 11 ++++++----- Shorewall-perl/Shorewall/Rules.pm | 7 +++++++ 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm index 60c0d1032..2a6f788c5 100644 --- a/Shorewall-perl/Shorewall/Chains.pm +++ b/Shorewall-perl/Shorewall/Chains.pm @@ -110,6 +110,7 @@ our %EXPORT_TAGS = ( source_exclusion dest_exclusion clearrule + port_count do_proto mac_match verify_mark @@ -2251,7 +2252,7 @@ sub expand_rule( $$$$$$$$$$$ ) if ( $origdest ) { if ( $origdest eq '-' || ! $capabilities{CONNTRACK_MATCH} ) { $origdest = ''; - $rule .= "-m conntrack --ctorigdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport && port_count( $oport) == 1; + $rule .= "-m conntrack --ctorigdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport; } elsif ( $origdest =~ /^detect:(.*)$/ ) { # # Either the filter part of a DNAT rule or 'detect' was given in the ORIG DEST column @@ -2272,7 +2273,7 @@ sub expand_rule( $$$$$$$$$$$ ) push_command( $chainref , 'if [ $address != 0.0.0.0 ]; then' , 'fi' ) if $optional; $rule .= '-m conntrack --ctorigdst $address '; - $rule .= "--ctorigdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport && port_count( $oport) == 1; + $rule .= "--ctorigdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport; } else { my $interface = $interfaces[0]; my $variable = get_interface_address( $interface ); 
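Review bot: Removing the `port_count( $oport ) == 1` guard at this site (and at the other four `--ctorigdstport` sites in expand_rule) means `$oport` is now interpolated into the iptables command unchecked, and the function relies on every caller having done what the new process_rule1 code does; expand_rule is exported, so another caller passing a port list or range in this argument would now emit a `--ctorigdstport` operand the old code suppressed. The hunk does not show expand_rule's other callers, so the new precondition should at least be written down next to the first use, e.g. `# $oport must be '' or a single port already validated by the caller (see process_rule1); the port_count()/validate_port() checks no longer happen here`. If other callers exist, keeping a cheap `port_count( $oport ) == 1` assertion here would be defence in depth rather than dead code. expand_rule's body starts before and ends after this hunk.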
@@ -2280,7 +2281,7 @@ sub expand_rule( $$$$$$$$$$$ ) push_command( $chainref , "if [ $variable != 0.0.0.0 ]; then" , 'fi' ) if interface_is_optional( $interface ); $rule .= "-m conntrack --ctorigdst $variable "; - $rule .= "--ctorigdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport && port_count( $oport) == 1; + $rule .= "--ctorigdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport; } $origdest = ''; @@ -2306,11 +2307,11 @@ sub expand_rule( $$$$$$$$$$$ ) } } - $rule .= "-m conntrack --ctorigdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport && port_count( $oport) == 1; + $rule .= "-m conntrack --ctorigdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport; } } else { $oexcl = ''; - $rule .= "-m conntrack --ctorigdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport && port_count( $oport) == 1; + $rule .= "-m conntrack --ctorigdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport; } # diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm index 3cf4d1201..1e63961b9 100644 --- a/Shorewall-perl/Shorewall/Rules.pm +++ b/Shorewall-perl/Shorewall/Rules.pm @@ -1226,6 +1226,13 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) { $server = $1; # May be empty $serverport = $3; # Not Empty due to RE $origdstports = $ports; + + if ( $origdstports && $origdstports ne '-' && port_count( $origdstports ) == 1 ) { + $origdstports = validate_port( $proto, $origdstports ); + } else { + $origdstports = ''; + } + if ( $serverport =~ /^(\d+)-(\d+)$/ ) { # # Server Port Range
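Review bot: The new else branch silently discards the original-destination port constraint whenever the DEST PORT column holds more than one port or a range, so the filter rule generated for that DNAT entry carries `--ctorigdst` without `--ctorigdstport` and matches connections to the detected address on any original port; the old expand_rule code did the same, but this hunk makes process_rule1 the single decision point, which is the right place to tell the user. A warning on that branch, e.g. `warning_message "ORIGINAL DEST port match omitted: DEST PORT '$ports' is not a single port" if $ports && $ports ne '-';`, would surface the widening in the compile output (assuming warning_message is imported into Rules.pm as elsewhere in Shorewall-perl — confirm). It is also worth confirming that `validate_port( $proto, $origdstports )` accepts every `$proto` value that can reach this point with a non-empty DEST PORT, since a fatal error there would now abort DNAT rules that compiled before this change. process_rule1's body continues outside the hunk.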