From b1ba05db2b84cc4d5a4538600835115668fceed5 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 12 Jun 2017 17:07:55 -0700
Subject: [PATCH] Correct handling of port ranges and port variables
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 10 +++++++--
 docs/configuration_file_basics.xml | 33 ++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index d02319d75..3db73a729 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -885,7 +885,10 @@ sub validate_portpair( $$ ) {
 if ( @ports == 2 ) {
 $what = 'port range';
- fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
+
+ unless ($ports[0] =~ /^\$/ || $ports[1] =~ /^\$/ ) {
+ fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
+ }
 } else {
 $what = 'port';
 }
@@ -917,7 +920,10 @@ sub validate_portpair1( $$ ) {
 if ( @ports == 2 ) {
 $what = 'port range';
- fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
+
+ unless ($ports[0] =~ /^\$/ || $ports[1] =~ /^\$/ ) {
+ fatal_error "Invalid port range ($portpair)" unless $ports[0] && $ports[0] < $ports[1];
+ }
 } else {
 $what = 'port';
 fatal_error 'Invalid port number (0)' unless $portpair;
diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml
index ea5755b97..89177e02a 100644
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -1903,6 +1903,39 @@ SSH(ACCEPT) net:$MYIP $FW the intefaces's run-time gateway variable are omitted. +
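Review bot: The new guard in validate_portpair tests for a leading `$` on either endpoint, yet the documentation hunk in this same commit describes run-time port variables as `%{variable}`, so a reader of Chains.pm cannot tell why `$` is the marker here; presumably the `%{…}` form has already been rewritten to a shell reference by the time this code runs, and a comment above the `unless` should say so, e.g. `# A leading '$' marks a run-time port variable whose value is unknown at compile time; ordering is checked only when both endpoints are literals`. The `unless` nested inside an `unless` also reads awkwardly, and the same check fits one statement: `fatal_error "Invalid port range ($portpair)" unless $ports[0] =~ /^\$/ || $ports[1] =~ /^\$/ || $ports[0] < $ports[1];`. The body of validate_portpair starts outside the hunk, so whatever normalisation the endpoints receive before this point is not visible here.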
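Review bot: In validate_portpair1 the new guard skips the whole removed check, including the `$ports[0] &&` test that rejected a lower bound of 0, whenever either endpoint is a variable; a range such as `0:$VAR` is therefore accepted here although `0:1024` is still rejected and the `else` branch still reports `Invalid port number (0)` for a bare 0. Only the ordering comparison needs a literal on both sides, so keep the zero test unconditional: `fatal_error "Invalid port range ($portpair)" unless $ports[0] && ( $ports[0] =~ /^\$/ || $ports[1] =~ /^\$/ || $ports[0] < $ports[1] );`. A variable endpoint now defers range validation to run time entirely; whether the generated script re-checks the substituted value is not visible in this hunk. The body of validate_portpair1 continues outside the hunk.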
+ Port Variables + + Beginning with Shorewall 5.1.5, Run-time Port + Variables are supported. These variables have the format + %{variable} and may appear any place that a + port number or service name may appear. Like their address-variable + counterparts above, Run-time Port Variables are most useful when + Shorewall[6]-lite is being used. + + Example using both Run-time Address and Run-time Port + Variables: + + /etc/shorewall/init: + + SERVER_PORT=4126 + SERVER_ADDRESS=192.0.44.12 + + /etc/shorewall/rules: + + ACCEPT net dmz:%{SERVER_ADDRESS} tcp %{SERVER_PORT} + + Rather than assigning a numerical literal to SERVER_PORT in the + init extension script as shown above, the variable + could be assigned a dynamic value based on a database lookup. + + + If no value is assigned to a Run-time Port Variable in the + init extension script, then the value 255 is + assumed. + +
+
Action Variables