Andrew Zhoglo
2003-Oct-31 04:44 UTC
[Shorewall-users] patch for patch-o-matic mport extensions
Hi Shorewall-users,
I patched my kernel with patch-o-matic and now have the "mport match extension":
Multiple port with ranges match support
This module is an enhanced multiport match. It has support for byte
ranges as well as for single ports.
Examples:
# iptables -A FORWARD -p tcp -m mport --ports 23:42,65
The following patch allows it to be used in shorewall-1.4.7c; for example:
ACCEPT loc net tcp 21:23,25
works well for me.
-------------------
diff -uNr shorewall-1.4.7c/firewall shorewall-1.4.7c.mport/firewall
--- shorewall-1.4.7c/firewall Sun Oct 26 17:27:14 2003
+++ shorewall-1.4.7c.mport/firewall Mon Oct 27 11:48:52 2003
@@ -67,6 +67,14 @@
arg_count `separate_list $@`
}
+list_countcol() {
+ arg_count() {
+ echo $#
+ }
+
+ arg_count `separate_listcol $@`
+}
+
list_count1() {
echo $#
}
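Review bot: `list_countcol` has no comment saying what it counts, and the number it returns is not the number of ports in the list: `separate_listcol` (in the functions hunk) splits on colons as well as commas, so a range such as `21:23` contributes two entries to the count that the callers compare against 15. A one-line header would save the next reader a trip to the other file, e.g. `# Count comma-separated entries; each end of a colon range counts as one entry`. The nested `arg_count` redefinition and the unquoted `$@` mirror the existing `list_count` above, so they are left as a matter of consistency.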
@@ -2777,7 +2785,26 @@
case $logtarget in
DNAT*)
- if [ -n "$MULTIPORT" ] && \
+ if [ -n "$MULTIRPORT" ] && \
+ ! list_search $protocol "icmp" "ICMP"
"1" && \
+ [ `list_countcol $ports` -le 15 -a \
+ `list_countcol $cports` -le 15 ]
+ then
+ #
+ # MULTIRPORT is enabled, there are no port ranges in the rule
and less than
+ # 16 ports are listed - use multiport match.
+ #
+ multioption="-m mport"
+ for client in `separate_list ${clients:=-}`; do
+ #
+ # add_a_rule() modifies these so we must set their values
each time
+ #
+ server=${servers:=-}
+ port=${ports:=-}
+ cport=${cports:=-}
+ add_a_rule
+ done
+ elif [ -n "$MULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP"
"1" && \
[ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \
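Review bot: The comment added at `# MULTIRPORT is enabled, there are no port ranges in the rule` is copied from the MULTIPORT branch and is wrong for this one — the mport branch exists precisely to handle ranges, and its condition only checks `list_countcol` against 15. The same stale comment appears in the next hunk (the `*)` arm). Suggested wording for both: `# MULTIRPORT is enabled and ports/cports use at most 15 entries (each end of a range counted separately) - use mport match.` It is also worth stating in the comment that, because this branch is tested first, the plain multiport branch below it is only reached when MULTIRPORT is unset. The enclosing case arm continues outside the hunk.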
@@ -2815,7 +2842,27 @@
;;
*)
- if [ -n "$MULTIPORT" ] && \
+ if [ -n "$MULTIRPORT" ] && \
+ ! list_search $protocol "icmp" "ICMP"
"1" && \
+ [ `list_countcol $ports` -le 15 -a \
+ `list_countcol $cports` -le 15 ]
+ then
+ #
+ # MULTIRPORT is enabled, there are no port ranges in the rule
and less than
+ # 16 ports are listed - use multiport match.
+ #
+ multioption="-m mport"
+ for client in `separate_list ${clients:=-}`; do
+ for server in `separate_list ${servers:=-}`; do
+ #
+ # add_a_rule() modifies these so we must set their
values each time
+ #
+ port=${ports:=-}
+ cport=${cports:=-}
+ add_a_rule
+ done
+ done
+ elif [ -n "$MULTIPORT" ] && \
! list_search $protocol "icmp" "ICMP"
"1" && \
[ "$ports" = "${ports%:*}" -a \
"$cports" = "${cports%:*}" -a \
@@ -3534,7 +3581,12 @@
case $protocol in
tcp|TCP|6|udp|UDP|17)
if [ -n "$ports" ]; then
- if [ -n "$MULTIPORT" -a \
+ if [ -n "$MULTIRPORT" -a \
+ `list_countcol $ports` -le 15 ]
+ then
+ dport="-m mport --dports $ports"
+ add_blacklist_rule
+ elif [ -n "$MULTIPORT" -a \
"$ports" != "${ports%,*}" -a \
"$ports" = "${ports%:*}" -a \
`list_count $ports` -le 15 ]
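Review bot: The new mport branch in the blacklist code has no comma check, unlike the MULTIPORT branch below it (`"$ports" != "${ports%,*}"`), so a single plain port such as `22` is now emitted as `-m mport --dports 22` whenever the capability was detected, where it previously went down the per-port path. That appears harmless given the extension description says single ports are supported, but the difference from the sibling branch deserves a comment, e.g. `# mport handles single ports, lists and ranges alike, so no comma/colon test is needed here`. The enclosing `case $protocol` block continues outside the hunk.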
@@ -3744,10 +3796,12 @@
CONNTRACK_MATCH MULTIPORT+ MULTIRPORT
if qt iptables -N fooX1234 ; then
qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT
&& CONNTRACK_MATCH=Yes
qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT
&& MULTIPORT=Yes
+ qt iptables -A fooX1234 -p tcp -m mport --dports 21:23,25 -j ACCEPT
&& MULTIRPORT=Yes
qt iptables -F fooX1234
qt iptables -X fooX1234
@@ -3768,6 +3822,7 @@
report_capability $NAT_ENABLED "NAT"
report_capability $MANGLE_ENABLED "Packet Mangling"
report_capability $MULTIPORT "Multi-port Match"
+ report_capability $MULTIRPORT "Multi-port w/range Match"
report_capability $CONNTRACK_MATCH "Connection Tracking Match"
}
diff -uNr shorewall-1.4.7c/functions shorewall-1.4.7c.mport/functions
--- shorewall-1.4.7c/functions Wed Oct 22 01:00:45 2003
+++ shorewall-1.4.7c.mport/functions Mon Oct 27 11:41:12 2003
@@ -59,6 +59,52 @@
}
#
+# Replace commas and colons with spaces and echo the result
+#
+separate_listcol() {
+ local list
+ local part
+ local newlist
+ #
+ # There''s been whining about us not catching embedded white space
in
+ # comma-separated lists. This is an attempt to snag some of the cases.
+ #
+ # The ''terminator'' function will be set by the
''firewall'' script to
+ # either ''startup_error'' or
''fatal_error'' depending on the command and
+ # command phase
+ #
+ case "$@" in
+ *,|,*|*,,*|*[[:space:]]*)
+ [ -n "$terminator" ] && \
+ $terminator "Invalid comma-separated list
\"$@\""
+ echo "Warning -- invalid comma-separated list
\"$@\"" >&2
+ ;;
+ esac
+
+ list="$@"
+ part="${list%%,*}"
+ newlist="$part"
+
+ while [ "x$part" != "x$list" ]; do
+ list="${list#*,}";
+ part="${list%%,*}";
+ newlist="$newlist $part";
+ done
+
+ list="$newlist"
+ part="${list%%:*}"
+ newlist="$part"
+
+ while [ "x$part" != "x$list" ]; do
+ list="${list#*:}";
+ part="${list%%:*}";
+ newlist="$newlist $part";
+ done
+
+ echo "$newlist"
+}
+
+#
# Find the zones
#
find_zones() # $1 = name of the zone file
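Review bot: `separate_listcol` validates the comma structure of the list (`*,|,*|*,,*`) but not the colon structure it also splits on, so an entry like `21:` or `:23` or `21::23` passes the check, yields an empty part, and the resulting count from `list_countcol` under-reports what is later handed to iptables. Extending the pattern keeps the two delimiters consistent: `*,|,*|*,,*|*:|:*|*::*|*[[:space:]]*)`. Separately, the comma-splitting loop and the whitespace check duplicate `separate_list` line for line; if that function lives in this file (it is called from `firewall` as `separate_list`), the new function could run `separate_list "$@"` and then only split the result on colons, so that future fixes to the list validation land in one place.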
-------------------
--
Best regards,
Andrew mailto:azh@tut.by