Fixed port range option

diff --git a/ipfilter/CHANGELOG b/ipfilter/CHANGELOG
index 9a8858c..ee0e700 100644 (file)
--- a/ipfilter/CHANGELOG
+++ b/ipfilter/CHANGELOG
@@ -5,3 +5,5 @@ The firewall configuration can now be copied automatically to multiple hosts in
 Added the ability to view and edit NAT rules, so that you can setup masquerading and port redirection.
 ---- Changes since 1.240 ----
 On Solaris 10 systems IPfilter is now enabled at boot time using SMF, rather than an init script.
+---- Changes since 1.340 ----
+Added an option to match ports NOT within some range (and fixed the old option to match ports within a range).

diff --git a/ipfilter/ipfilter-lib.pl b/ipfilter/ipfilter-lib.pl
index 26f3f07..e293f8d 100644 (file)
--- a/ipfilter/ipfilter-lib.pl
+++ b/ipfilter/ipfilter-lib.pl
@@ -422,11 +422,16 @@ if ($r->{$f.'-port-comp'}) {
                $r->{$f.'-port-comp'},
                "<b>".$r->{$f.'-port-num'}."</b>"));
        }
-elsif ($r->{$f.'-port-range'}) {
+elsif ($r->{$f.'-port-range'} eq '><') {
        push(@rv, &text('desc_portrange_'.$f,
                "<b>".$r->{$f.'-port-start'}."</b>",
                "<b>".$r->{$f.'-port-end'}."</b>"));
        }
+elsif ($r->{$f.'-port-range'} eq '<>') {
+       push(@rv, &text('desc_portrangenot_'.$f,
+               "<b>".$r->{$f.'-port-start'}."</b>",
+               "<b>".$r->{$f.'-port-end'}."</b>"));
+       }
 return @rv;
 }
 
@@ -1400,7 +1405,52 @@ $pt .= &ui_oneradio($f."_port", "range",
     &text('edit_portrange',
          &ui_textbox($f."_portstart", $rule->{$f."-port-start"}, 6),
          &ui_textbox($f."_portend", $rule->{$f."-port-end"}, 6)),
-    $rule->{$f."-port-range"})."<br>\n";
+    $rule->{$f."-port-range"} eq '><')."<br>\n";
+$pt .= &ui_oneradio($f."_port", "rangenot",
+    &text('edit_portrangenot',
+         &ui_textbox($f."_portstartnot", $rule->{$f."-port-start"}, 6),
+         &ui_textbox($f."_portendnot", $rule->{$f."-port-end"}, 6)),
+    $rule->{$f."-port-range"} eq '<>')."<br>\n";
+
+return ($ft, $pt);
+}
+
+# parse_object_input(rule, prefix)
+sub parse_object_input
+{
+local ($rule, $f) = @_;
+delete($rule->{$f."-any"});
+delete($rule->{$f."-thishost"});
+delete($rule->{$f."-host"});
+delete($rule->{$f."-numhost"});
+if ($in{$f} eq "any") {
+       $rule->{$f."-any"} = 1;
+       }
+elsif ($in{$f} eq "thishost") {
+       $rule->{$f."-thishost"} = 1;
+       }
+elsif ($in{$f} eq "host") {
+       gethostbyname($in{$f."_host"}) ||
+               &error($text{'save_ehost'.$f});
+       $rule->{$f."-host"} = $in{$f."_host"};
+       &check_ipaddress($in{$f."_mask"}) ||
+               &error($text{'save_emask'.$f});
+       $rule->{$f."-mask"} = $in{$f."_mask"};
+       }
+elsif ($in{$f} eq "numhost") {
+       gethostbyname($in{$f."_numhost"}) ||
+               &error($text{'save_ehost'.$f});
+       $rule->{$f."-numhost"} = $in{$f."_numhost"};
+       $in{$f."_nummask"} = "32" if ($in{$f."_nummask"} eq "");
+       $in{$f."_nummask"} =~ /^\d+$/ &&
+           $in{$f."_nummask"} <= 32 ||
+               &error($text{'save_enummask'.$f});
+       $rule->{$f."-nummask"} = $in{$f."_nummask"};
+       }
+
+# Parse port section
+delete($rule->{$f."-port-comp"});
+delete($rule->{$f."-port-range"});
 
 return ($ft, $pt);
 }
@@ -1452,10 +1502,19 @@ elsif ($in{$f."_port"} eq "range") {
                &error($text{'save_eportstart'.$f});
        &valid_port($in{$f."_portend"}) ||
                &error($text{'save_eportend'.$f});
-       $rule->{$f."-port-range"} ||= "<>";
+       $rule->{$f."-port-range"} = "><";
        $rule->{$f."-port-start"} = $in{$f."_portstart"};
        $rule->{$f."-port-end"} = $in{$f."_portend"};
        }
+elsif ($in{$f."_port"} eq "rangenot") {
+       &valid_port($in{$f."_portstartnot"}) ||
+               &error($text{'save_eportstart'.$f});
+       &valid_port($in{$f."_portendnot"}) ||
+               &error($text{'save_eportend'.$f});
+       $rule->{$f."-port-range"} = "<>";
+       $rule->{$f."-port-start"} = $in{$f."_portstartnot"};
+       $rule->{$f."-port-end"} = $in{$f."_portendnot"};
+       }
 }
 
 # protocol_input(name, value, add-any, add-tcp-udp)

diff --git a/ipfilter/lang/en b/ipfilter/lang/en
index f68f10a..befba90 100644 (file)
--- a/ipfilter/lang/en
+++ b/ipfilter/lang/en
@@ -103,6 +103,7 @@ edit_portto=Destination ports
 edit_anyport=Any port
 edit_portcomp=Port is $1 $2
 edit_portrange=Port is between $1 and $2
+edit_portrangenot=Port is not between $1 and $2
 edit_header3=Other conditions to match
 edit_proto=Protocol
 edit_protoany=<Any protocol>
@@ -186,6 +187,9 @@ desc_portcomp_to=destination port $1 $2
 desc_portrange_from=source port is between $1 and $2
 desc_portrange_fromto=$desc_portrange_to
 desc_portrange_to=destination port is between $1 and $2
+desc_portrangenot_from=source port is not between $1 and $2
+desc_portrangenot_fromto=$desc_portrange_to
+desc_portrangenot_to=destination port is not between $1 and $2
 desc_where=where $1
 desc_all=for all packets
 desc_natfrom=from network $1 netmask $2