On 4/11/19 3:16 PM, Tom Eastep wrote:
> On 4/10/19 7:24 PM, Vieri Di Paola wrote:
>> On Wed, Apr 10, 2019 at 9:45 PM Tom Eastep <[email protected]> wrote:
>>>> ADD(POL_BL:src):info:polbl,add2polbl
>>>> net1,net2,net3:!+POL_BL,+GLOBAL_WL,+NORMAL_WL all tcp,udp -
>>>> !+POL_BL_EXCL
>>>>
>>>
>>> That is a good solution. Another would be to create an action with
>>> multiple leading CONTINUE rules (that together specify the ports that
>>> you want to exclude) followed by an ADD rule.
>>
>> Unfortunately, I cannot use an ipset for that because I get an error:
>>
>> ERROR: Invalid/Unknown tcp port/service (+POL_BL_EXCL)
>
> Ah yes -- I failed to notice that you want to exclude based on the
> source port (why do you want to do that?)
>
But if that is really what you want to do, here is a patch that corrects
handling of an ipset in the SOURCE PORT(S) column.
patch path/to/Chains.pm < SRCPORTSET.patch
-Tom
--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \   A: Someone who makes you an offer you can't
http://shorewall.org \     understand
                      \_______________________________________________
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index d5920a482..e4bf6886f 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -4991,10 +4991,10 @@ sub do_proto( $$$;$ )
$invert = $sports =~ s/^!// ? '! ' : '';
- if ( $ports =~ /^\+/ ) {
+ if ( $sports =~ /^\+/ ) {
$output .= $invert;
$output .= '-m set ';
- $output .= get_set_flags( $ports, 'src' );
+ $output .= get_set_flags( $sports, 'src' );
} elsif ( $multiport ) {
if ( port_count( $sports ) > 15 ) {
if ( $restricted ) {
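Review bot: the negation lands in the wrong place for a set match. `$invert` is appended before `-m set ` (`$output .= $invert;` then `$output .= '-m set ';`), so a negated SOURCE PORT(S) entry such as `!+POL_BL_EXCL`, the exact case this patch is meant to fix, comes out as `! -m set --match-set POL_BL_EXCL src`. iptables does not accept `!` in front of `-m` (it fails with "unexpected ! flag before --match"); the `!` has to precede `--match-set` inside the set match's own options. Unless get_set_flags() (not shown here) relocates it, emit `'-m set '` first and then `$invert` ahead of the get_set_flags() output, and verify with a rule that actually uses `!+<set>` in SOURCE PORT(S) rather than only `+<set>`, since the unnegated form will not exercise this path.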
@@ -5207,8 +5207,8 @@ sub do_iproto( $$$ )
fatal_error "'=' in the SOURCE PORT(S) column requires one or more ports in the DEST PORT(S) column" if $sports eq '=';
$invert = $sports =~ s/^!// ? '! ' : '';
- if ( $ports =~ /^\+/ ) {
- push @output, set => ${invert} . get_set_flags( $ports, 'src' );
+ if ( $sports =~ /^\+/ ) {
+ push @output, set => ${invert} . get_set_flags( $sports, 'src' );
} elsif ( $multiport ) {
if ( port_count( $sports ) > 15 ) {
if ( $restricted ) {
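Review bot: the two hunks differ in where the negation goes, and they should agree. Here `${invert}` is concatenated directly onto the get_set_flags() output, i.e. in front of `--match-set`, while the do_proto() hunk above puts it in front of `-m set`; whichever consumer turns the `set =>` entry into iptables text, the emitted rule for `!+POL_BL_EXCL` must be identical in both code paths, so test a negated source-port set through both. The fact that this is the same `$ports`/`$sports` copy-and-paste slip in two functions also argues for a small shared helper for the SOURCE PORT(S) branch (set match vs. multiport vs. `--sport`) instead of two hand-maintained copies, and for a regression test with `+<set>` and `!+<set>` in SOURCE PORT(S), since the reported `ERROR: Invalid/Unknown tcp port/service (+POL_BL_EXCL)` shows the set branch was never reached for that column before this change.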
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
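As an added illustration (not Shorewall code and not part of Tom's patch), the shell function below models what the patched SOURCE PORT(S) handling has to emit for iptables, for the column forms seen in this thread: a single port, a comma-separated list (capped at 15 entries by `-m multiport`, the `port_count(...) > 15` check visible in the hunks), and an ipset name with a leading `+`, optionally negated with `!`. It puts the `!` in front of `--match-set`, which is the placement iptables accepts for a negated set match. The `src` flag comes from the hunk; that the set is a port set, and the hypothetical function names, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Shorewall's code: a shell model of the iptables match
# fragment a SOURCE PORT(S) column value has to turn into. A leading '!'
# negates the match; a leading '+' names an ipset (Shorewall's convention);
# anything else is a port or a comma-separated port list.
#
# Assumptions: the ipset is a port set (e.g. bitmap:port) so that the 'src'
# flag matches the source port, and multiport accepts at most 15 ports.

# Count comma-separated entries; a range such as 1024:65535 counts as two,
# which is how -m multiport accounts for ranges.
port_count() {
    printf '%s' "$1" | awk -F, '{ n = 0; for (i = 1; i <= NF; i++) n += ($i ~ /:/) ? 2 : 1; print n }'
}

# Print the iptables match fragment for one SOURCE PORT(S) value.
# Returns 1 (printing nothing on stdout) if the value cannot be expressed.
sports_match() {
    value="$1"
    invert=""
    case "$value" in
        '!'*) invert="! "; value="${value#!}" ;;
    esac
    case "$value" in
        '' | '-')
            # empty column: no source-port match at all
            :
            ;;
        +*)
            # ipset: the '!' must sit in front of --match-set, inside the set
            # match's own options; iptables rejects '! -m set ...'.
            printf '%s' "-m set ${invert}--match-set ${value#+} src"
            ;;
        *,*)
            if [ "$(port_count "$value")" -gt 15 ]; then
                echo "too many ports for multiport: $value" >&2
                return 1
            fi
            printf '%s' "-m multiport ${invert}--sports $value"
            ;;
        *)
            printf '%s' "${invert}--sport $value"
            ;;
    esac
}

# Stand-alone use: ./sports.sh '!+POL_BL_EXCL'
if [ -n "${1:-}" ]; then
    sports_match "$1" && echo
fi
```

Feeding it `!+POL_BL_EXCL` gives `-m set ! --match-set POL_BL_EXCL src`, which is the text a rule with that SOURCE PORT(S) entry needs to produce; comparing that string against the output of `shorewall show` or the generated script after applying the patch is a quick way to confirm both the set branch is reached and the negation is placed where iptables will take it.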
