From: Stefan Schantl Date: Sat, 22 Apr 2023 07:41:38 +0000 (+0200) Subject: firewall-lib.pl: Use an ipset set if a service group contains more than X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a66dde8dce3105d3cc98594942a12bfda4d3aac0;p=people%2Fstevee%2Fipfire-2.x.git firewall-lib.pl: Use an ipset set if a service group contains more than 15 ports. The iptables multiport only supports up to 15 ports (ranges costs more). To avoid this kind of limitation, now an ipset set will be used which could handle up to 65k ports at once. Signed-off-by: Stefan Schantl --- diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl index 54bc21ca4..b5d0f3287 100644 --- a/config/firewall/firewall-lib.pl +++ b/config/firewall/firewall-lib.pl @@ -143,8 +143,17 @@ sub get_srvgrp_port } } if($prot ne 'ICMP'){ - if ($#ips gt 0){$back="-m multiport --dports ";}else{$back="--dport ";} - }elsif ($prot eq 'ICMP'){ + # Get amount of ports. + my $amount = @ips; + + if ($amount eq 1) { + $back = "--dport "; + } elsif ($amount > 1 and $amount <= 15) { + $back = "-m multiport --dports "; + } else { + return "-m set --match-set $val\_$prot dst"; + } + } elsif ($prot eq 'ICMP'){ $back="--icmp-type "; }
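Review bot: the `$amount > 1 and $amount <= 15` check counts array entries, not multiport slots, so a group mixing single ports and port ranges (which the commit message itself notes cost more, each range taking two of the 15 slots) can pass this check and still produce a `-m multiport --dports` list that iptables rejects; count a range as two before choosing the branch, or lower the threshold. Also, `$amount eq 1` is a string comparison on a number while the next line uses the numeric `>`; use `== 1` for consistency. Finally, the early `return "-m set --match-set $val\_$prot dst"` also catches an empty group (`$amount` of 0) and references a set named from `$val` and `$prot` that nothing in this diff creates, so rule loading will fail unless that set is built before the rules are applied; that dependency, and the empty-group behaviour, should be stated in the commit message.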