From 6a2589b8f2d04b820e25fbdd1d9e36791ee82274 Mon Sep 17 00:00:00 2001
From: Brielle Bruns
Date: Thu, 9 Apr 2020 10:15:22 -0600
Subject: [PATCH] Multiport support for v2.2

---
 CHANGELOG | 3 +++
 bin/srfirewall | 2 +-
 lib/iptables.inc | 19 ++++++++++++++-----
 3 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index e59e5d0..b2726c8 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,6 @@
+2.2 - 04/09/2020
+ - Add multiport support to acl/forward
+
 2.1p2 - 02/27/2020
  - Fix issue with NAT variable not being reset after being changed
 
diff --git a/bin/srfirewall b/bin/srfirewall
index 50cc5e5..5585dd0 100755
--- a/bin/srfirewall
+++ b/bin/srfirewall
@@ -19,7 +19,7 @@
 # along with this program. If not, see .
 
 # Static config options, normally do not need to change
-FW_VERSION="2.1p2"
+FW_VERSION="2.2"
 
 # Important directory locations
 FWPREFIX="/usr/local"
diff --git a/lib/iptables.inc b/lib/iptables.inc
index eaa37b3..9f34fb4 100644
--- a/lib/iptables.inc
+++ b/lib/iptables.inc
@@ -353,6 +353,15 @@ function enable_filtering {
 
 ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol} ${syn} ${custom}"
 
+ dstmultiport="no"
+ srcmultiport="no"
+ [[ ${dstport} =~ (-|:|,) ]] && dstmultiport="yes"
+ [[ ${srcport} =~ (-|:|,) ]] && srcmultiport="yes"
+ ([[ ${dstport} != "-" ]] && [[ ${dstmultiport} != "yes" ]]) && dstport="--dport ${dstport}"
+ ([[ ${srcport} != "-" ]] && [[ ${srcmultiport} != "yes" ]]) && srcport="--dport ${srcport}"
+ ([[ ${dstport} != "-" ]] && [[ ${dstmultiport} == "yes" ]]) && dstport="-m multiport --dports ${dstport}"
+ ([[ ${srcport} != "-" ]] && [[ ${srcmultiport} == "yes" ]]) && srcport="-m multiport --sports ${srcport}"
+
 # Blank variables that we're not going to use.
 [[ ${interface} == "-" ]] && interface=""
 [[ ${dstport} == "-" ]] && dstport=""
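Review bot: The single-port source branch added to enable_filtering builds `--dport` from srcport, so a plain source port is silently matched against the destination port instead; this is the same slip the commit corrects in enable_forwarding a few lines further down, and the new line should read `([[ ${srcport} != "-" ]] && [[ ${srcmultiport} != "yes" ]]) && srcport="--sport ${srcport}"`. The `(-|:|,)` test, repeated in the enable_forwarding and enable_services hunks, also treats `-` as a separator, but as far as I know iptables only recognises `:` for ranges and `,` for lists, so a hyphen in the field yields a multiport rule that fails at load time, and in enable_services a hyphenated service name (the error text allows names) would be wrapped the same way; `(:|,)` is sufficient. Since the field is spliced verbatim into rule text, an allow-list check before these lines, e.g. `[[ ${dstport} =~ ^[0-9a-z:,]+$ ]] || { ${display} RED "bad port: ${dstport}"; return 1; }`, would make a malformed entry fail loudly rather than produce a rule iptables rejects. enable_filtering begins and ends outside this hunk.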
@@ -418,12 +427,12 @@ function enable_forwarding {
 [[ ${syn} == "notsyn" ]] && syn="! --syn"
 dstmultiport="no"
 srcmultiport="no"
- [[ ${dstport} =~ "," ]] && dstmultiport="yes"
- [[ ${srcport} =~ "," ]] && srcmultiport="yes"
+ [[ ${dstport} =~ (-|:|,) ]] && dstmultiport="yes"
+ [[ ${srcport} =~ (-|:|,) ]] && srcmultiport="yes"
 ([[ ${dstport} != "-" ]] && [[ ${dstmultiport} != "yes" ]]) && dstport="--dport ${dstport}"
- ([[ ${srcport} != "-" ]] && [[ ${srcmultiport} != "yes" ]]) && srcport="--dport ${srcport}"
+ ([[ ${srcport} != "-" ]] && [[ ${srcmultiport} != "yes" ]]) && srcport="--sport ${srcport}"
 ([[ ${dstport} != "-" ]] && [[ ${dstmultiport} == "yes" ]]) && dstport="-m multiport --dports ${dstport}"
- ([[ ${srcport} != "-" ]] && [[ ${srcmultiport} == "yes" ]]) && srcport="-m multiport --dports ${srcport}"
+ ([[ ${srcport} != "-" ]] && [[ ${srcmultiport} == "yes" ]]) && srcport="-m multiport --sports ${srcport}"
 ([[ ${bidirectional} == "yes" ]] && [[ ${srcport} != "-" ]]) && revsrcport=${srcport/sport/dport}
 ([[ ${bidirectional} == "yes" ]] && [[ ${dstport} != "-" ]]) && revdstport=${dstport/dport/sport}
 #[[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
@@ -551,7 +560,7 @@ function enable_services {
 && ${display} RED "service.conf: Error - must begin with service name or port number: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}" && continue
 [[ ${protocol} == "-" ]] \
 && ${display} RED "service.conf: Error - protocol can not be empty: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}" && continue
- [[ ${service} =~ "," ]] && multiport="yes"
+ [[ ${service} =~ (-|:|,) ]] && multiport="yes"
 # Do some creative work with variables to make building the iptables rules fairly painless
 ([[ ${service} != "-" ]] && [[ ${multiport} != "yes" ]]) && service="--dport ${service}"
 ([[ ${service} != "-" ]] && [[ ${multiport} == "yes" ]]) && service="-m multiport --dports ${service}"
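Review bot: The rewritten srcport lines in enable_forwarding keep the `( [[ a ]] && [[ b ]] ) && x=...` shape, which forks a subshell on every evaluation just to group two tests; bash's `[[` takes `&&` directly, so the same effect with no fork is `[[ ${srcport} != "-" && ${srcmultiport} != "yes" ]] && srcport="--sport ${srcport}"` and `[[ ${srcport} != "-" && ${srcmultiport} == "yes" ]] && srcport="-m multiport --sports ${srcport}"`. The three-way outcome of this block (`-` left for later blanking, single port as `--sport/--dport`, list or range as `-m multiport`) is not stated anywhere, and a one-line comment above `dstmultiport="no"` such as `# "-" = no port; one port -> --dport/--sport; ":" or "," -> -m multiport` would save the next reader from reconstructing it. The `revsrcport=${srcport/sport/dport}` context line relies on the new `--sports` spelling, so it is worth a comment noting that the two strings must stay in sync. enable_forwarding begins and ends outside this hunk.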