multiport: add explaining comment

about ordering single port matches before multiport matches,
and improve readability by adding some blank lines after returns.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index f952978516d358473bf94ed852443266439d4a24..038d560c0ade9a5e76d297d6728e158ced2bf34e 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1890,6 +1890,7 @@ sub ipt_rule_to_cmds {
 
            my $add_dport = sub {
                return if !$rule->{dport};
+
                if ($proto eq 'icmp') {
                    # Note: we use dport to store --icmp-type
                    die "unknown icmp-type '$rule->{dport}'\n"
@@ -1911,6 +1912,7 @@ sub ipt_rule_to_cmds {
 
            my $add_sport = sub {
                return if !$rule->{sport};
+
                die "protocol $proto does not have ports\n"
                    if !$PROTOCOLS_WITH_PORTS->{$proto};
                if ($multisport) {
@@ -1920,6 +1922,7 @@ sub ipt_rule_to_cmds {
                }
            };
 
+           # order matters - single port before multiport!
            $add_dport->() if $multisport;
            $add_sport->();
            $add_dport->() if !$multisport;