From e3a1d391206d419fadf1f78896dd1dc7f6c9b0b4 Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Thu, 27 Feb 2014 12:52:05 +0100
Subject: [PATCH] improve multiport rule generator

It is not allowed to use --sports and --dports together!
---
 PVE/Firewall.pm | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index 8fc3898..fde72fd 100644
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -724,10 +724,14 @@ sub ruleset_generate_rule {
     $cmd .= " -d $rule->{dest}" if $rule->{dest};
     $cmd .= " -p $rule->{proto}" if $rule->{proto};
 
-    if (($rule->{nbdport} && $rule->{nbdport} > 1) ||
-        ($rule->{nbsport} && $rule->{nbsport} > 1)) {
-        $cmd .= " --match multiport"
-    }
+    my $multiport = 0;
+    $multiport++ if $rule->{nbdport} && ($rule->{nbdport} > 1);
+    $multiport++ if $rule->{nbsport} && ($rule->{nbsport} > 1);
+
+    $cmd .= " --match multiport" if $multiport;
+
+    die "multiport: option '--sports' cannot be used together with '--dports'\n"
+        if ($multiport == 2) && ($rule->{dport} ne $rule->{sport});
 
     if ($rule->{dport}) {
         if ($rule->{proto} && $rule->{proto} eq 'icmp') {
@@ -736,7 +740,11 @@ sub ruleset_generate_rule {
             $cmd .= " -m icmp --icmp-type $rule->{dport}";
         } else {
             if ($rule->{nbdport} && $rule->{nbdport} > 1) {
-                $cmd .= " --dports $rule->{dport}";
+                if ($multiport == 2) {
+                    $cmd .= " --ports $rule->{dport}";
+                } else {
+                    $cmd .= " --dports $rule->{dport}";
+                }
             } else {
                 $cmd .= " --dport $rule->{dport}";
             }
@@ -745,7 +753,7 @@ sub ruleset_generate_rule {
 
     if ($rule->{sport}) {
         if ($rule->{nbsport} && $rule->{nbsport} > 1) {
-            $cmd .= " --sports $rule->{sport}";
+            $cmd .= " --sports $rule->{sport}" if $multiport != 2;
         } else {
             $cmd .= " --sport $rule->{sport}";
         }
-- 
2.39.2
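Review bot: The guard on the new `die` compares `$rule->{dport}` and `$rule->{sport}` with `ne` as raw strings, so two lists naming the same ports in a different order or spelling (constructed example: `80,443` versus `443,80`) are rejected even though the `--ports` fallback further down is meant to handle equal lists, and nothing at this point says why textual equality is the deciding test. If set equality is what is intended, normalising both lists before the comparison (split on `,`, sort, rejoin) would be more robust than string identity; otherwise the restriction should be stated. Suggested comment above the `die`: `# iptables multiport accepts only one of --sports/--dports/--ports; identical lists are emitted as --ports below`. `ruleset_generate_rule` starts before and ends after this hunk.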
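Review bot: Emitting `--ports` in place of `--dports` when `$multiport == 2` changes what the rule matches: iptables multiport `--ports` matches a packet whose source OR destination port is in the list, whereas `--dports X` together with `--sports X` would require both, so an ACCEPT rule built through this branch admits more traffic than the rule text asks for. Either the `die` in the first hunk should cover the `$multiport == 2` case unconditionally, or the widening should be documented where the fallback is chosen, e.g. `# --ports matches if EITHER sport or dport is in the list (looser than --dports AND --sports)`. The `if $multiport != 2` suppression of `--sports` in the third hunk relies on the earlier `die` having guaranteed the two lists are equal; a one-line comment there pointing at that invariant would keep the two sites from drifting apart.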