firewall-lib.pl: Use an ipset set if a service group contains more than
authorStefan Schantl <stefan.schantl@ipfire.org>
Sat, 22 Apr 2023 07:41:38 +0000 (09:41 +0200)
committerStefan Schantl <stefan.schantl@ipfire.org>
Sat, 22 Apr 2023 07:41:38 +0000 (09:41 +0200)
15 ports.

The iptables multiport match only supports up to 15 ports (ranges cost more).
To avoid this limitation, an ipset set is now used instead, which can
handle up to 65k ports at once.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
config/firewall/firewall-lib.pl

index 54bc21ca44bc2f35d60559123e573d07a418bbb4..b5d0f328796d9c955ddae99198ef9678e6fc095b 100644 (file)
@@ -143,8 +143,17 @@ sub get_srvgrp_port
                }
        }
        if($prot ne 'ICMP'){
-               if ($#ips gt 0){$back="-m multiport --dports ";}else{$back="--dport ";}
-       }elsif ($prot eq 'ICMP'){
+               # Get amount of ports.
+               my $amount = @ips;
+
+               if ($amount eq 1) {
+                       $back = "--dport ";
+               } elsif ($amount > 1 and $amount <= 15) {
+                       $back = "-m multiport --dports ";
+               } else {
+                       return "-m set --match-set $val\_$prot dst";
+               }
+       } elsif ($prot eq 'ICMP'){
                $back="--icmp-type ";
        }