On 03/02/2013 07:41 PM, Matt Joyce wrote: > lol, wrote that a bit quickly so completely missed the -p specifier, > iptables wouldn't have liked me much lol. > Guess for now will work around it with the start file and the > run_iptables hook, heh, every time I find myself coming up with ideas I > can't implement in shell I keep saying I need to find time to go learn > perl getting to be a long list so is going to happen sooner or later no > doubt perhaps will manage to learn enough to write some patches one day. >
Attached is a patch against 4.5.14 RC 1 that implements the feature you requested. To generate -m multiport --ports ...., place the port list in the DEST PORT(S) column and place '=' in the SOURCE PORT(S) column. e.g. #ACTION CHAIN SOURCE DEST PROTO DEST SOURCE # PORT(S) PORT(S) COUNT - br0 - tcp 80 = -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 91c8bbd..a72b416 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -4158,9 +4158,12 @@ sub do_proto( $$$;$ )
{
if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP || $proto == UDPLITE ) {
my $multiport = 0;
+ my $srcndst = 0;
if ( $ports ne '' ) {
$invert = $ports =~ s/^!// ? '! ' : '';
+ $sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );
+
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) {
fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT',1 );
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
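Review bot: The '=' test sits inside `if ( $ports ne '' )`, so '=' in SOURCE PORT(S) with an empty DEST PORT(S) column is not recognised here and falls through to the source-port-only branch at the end of the function with `$sports` still set to '='. What that branch does with '=' is outside the hunk; an explicit `fatal_error "'=' in the SOURCE PORT(S) column requires a DEST PORT(S) list" if $sports eq '=';` there would give a clear message instead of whatever port validation reports. Separately, the added statement packs a comma operator and an assignment into a postfix `if`, which is easy to misread in rule-generating code; a plain `if ( $sports eq '=' ) { ... }` block that sets `$srcndst`, calls `require_capability` and clears `$sports` would read better. The same line is added to do_iproto in the third hunk, so both points apply there too.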
@@ -4174,12 +4177,12 @@ sub do_proto( $$$;$ )
}
$ports = validate_port_list $pname , $ports;
- $output .= "-m multiport ${invert}--dports ${ports} ";
+ $output .= ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "-m multiport ${invert}--dports ${ports} " );
$multiport = 1;
} else {
fatal_error "Missing DEST PORT" unless supplied $ports;
$ports = validate_portpair $pname , $ports;
- $output .= "${invert}--dport ${ports} ";
+ $output .= ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "${invert}--dport ${ports} " );
}
} else {
$multiport = ( ( $sports =~ tr/,/,/ ) > 0 || $proto == UDPLITE );
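Review bot: In the single-port branch the '=' case passes whatever `validate_portpair` returns to `-m multiport --ports`, so a port range in DEST PORT(S) would reach the multiport match guarded only by the `MULTIPORT` capability required at the top of the function. If ranges inside multiport need Shorewall's extended capability (XMULTIPORT), that check is presumably made only on the port-list path between the two hunks, which is not visible here; worth confirming and repeating it for this branch if so. A one-line comment such as `# '=' in SOURCE PORT(S): match DEST PORT(S) against source or destination port (--ports)` would make the behaviour clear to the next reader. Both ternaries repeat the whole option string; selecting only the option name, `my $opt = $srcndst ? '--ports' : '--dports';`, keeps the two arms from drifting apart.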
@@ -4348,9 +4351,12 @@ sub do_iproto( $$$ )
{
if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP || $proto == UDPLITE ) {
my $multiport = 0;
+ my $srcndst = 0;
if ( $ports ne '' ) {
- $invert = $ports =~ s/^!// ? '! ' : '';
+ $invert = $ports =~ s/^!// ? '! ' : '';
+ $sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );
+
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) {
fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' , 1 );
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
@@ -4364,12 +4370,17 @@ sub do_iproto( $$$ )
}
$ports = validate_port_list $pname , $ports;
- push @output, multiport => "${invert}--dports ${ports}";
+ push @output, multiport => ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "-m multiport ${invert}--dports ${ports} " );
$multiport = 1;
} else {
fatal_error "Missing DEST PORT" unless supplied $ports;
$ports = validate_portpair $pname , $ports;
- push @output, dport => "${invert}${ports}";
+
+ if ( $srcndst ) {
+ push @output, multiport => "${invert}--ports ${ports}";
+ } else {
+ push @output, dport => "${invert}${ports}";
+ }
}
} else {
$multiport = ( ( $sports =~ tr/,/,/ ) > 0 || $proto == UDPLITE );
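Review bot: The push in the `validate_port_list` branch now puts `-m multiport ` and a trailing space inside the value, unlike the removed line `push @output, multiport => "${invert}--dports ${ports}";` and unlike the single-port branch just below, which pushes `multiport => "${invert}--ports ${ports}"`. Since the `multiport` key appears to name the match already, the generated rule would likely carry `-m multiport` twice, and because both arms of the ternary were changed this affects ordinary port lists as well as the '=' case. The value should stay option-only: `push @output, multiport => ( $srcndst ? "${invert}--ports ${ports}" : "${invert}--dports ${ports}" );`. This looks like a copy from the string-building do_proto; the body of do_iproto begins and ends outside the hunk, so how `@output` is rendered cannot be confirmed from here.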
signature.asc
Description: OpenPGP digital signature
