Correct handling of port ranges and port variables

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-06-12 17:07:55 -07:00 · 2017-06-12 17:07:55 -07:00 · b1ba05db2b
commit b1ba05db2b
parent 57f7cb4f3c
2 changed files with 41 additions and 2 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -885,7 +885,10 @@ sub validate_portpair( $$ ) {

    if ( @ports == 2 ) {
 	$what = 'port range';
-	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
+
+	unless ($ports[0] =~ /^\$/ || $ports[1] =~ /^\$/ ) {
+	    fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
+	}
    } else {
 	$what = 'port';
    }
@ -917,7 +920,10 @@ sub validate_portpair1( $$ ) {

    if ( @ports == 2 ) {
 	$what = 'port range';
-	fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
+
+	unless ($ports[0] =~ /^\$/ || $ports[1] =~ /^\$/ ) {
+	    fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
+	}
    } else {
 	$what = 'port';
 	fatal_error 'Invalid port number (0)' unless $portpair;
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@ -1903,6 +1903,39 @@ SSH(ACCEPT)    net:$MYIP      $FW
    the intefaces's run-time gateway variable are omitted.</para>
  </section>

+  <section id="Port_Variables">
+    <title>Port Variables</title>
+
+    <para>Beginning with Shorewall 5.1.5, <firstterm>Run-time Port
+    Variables</firstterm> are supported. These variables have the format
+    %{<replaceable>variable</replaceable>} and may appear any place that a
+    port number or service name may appear. Like their address-variable
+    counterparts above, Run-time Port Variables are most useful when
+    Shorewall[6]-lite is being used.</para>
+
+    <para>Example using both Run-time Address and Run-time Port
+    Variables:</para>
+
+    <para>/etc/shorewall/init:</para>
+
+    <programlisting>     SERVER_PORT=4126
+     SERVER_ADDRESS=192.0.44.12</programlisting>
+
+    <para>/etc/shorewall/rules:</para>
+
+    <programlisting>     ACCEPT         net            dmz:%{SERVER_ADDRESS}           tcp          %{SERVER_PORT}</programlisting>
+
+    <para>Rather than assigning a numerical literal to SERVER_PORT in the
+    <filename>init</filename> extension script as shown above, the variable
+    could be assigned a dynamic value based on a database lookup.</para>
+
+    <important>
+      <para>If no value is assigned to a Run-time Port Variable in the
+      <filename>init</filename> extension script, then the value 255 is
+      assumed.</para>
+    </important>
+  </section>
+
  <section id="ActionVariables">
    <title>Action Variables</title>