From 64b74db83819a38f14d94da0f4b0163dc66ea384 Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Sat, 22 Apr 2023 09:41:38 +0200
Subject: [PATCH] firewall-lib.pl: Use an ipset set if a service group contains more than 15 ports.

The iptables multiport only supports up to 15 ports (ranges costs more). To avoid this kind of limitation, now an ipset set will be used which could handle up to 65k ports at once.

Signed-off-by: Stefan Schantl
---
 config/firewall/firewall-lib.pl | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
index 54bc21ca44..b5d0f32879 100644
--- a/config/firewall/firewall-lib.pl
+++ b/config/firewall/firewall-lib.pl
@@ -143,8 +143,17 @@ sub get_srvgrp_port
 }
 }
 if($prot ne 'ICMP'){
- if ($#ips gt 0){$back="-m multiport --dports ";}else{$back="--dport ";}
- }elsif ($prot eq 'ICMP'){
+ # Get amount of ports.
+ my $amount = @ips;
+
+ if ($amount eq 1) {
+ $back = "--dport ";
+ } elsif ($amount > 1 and $amount <= 15) {
+ $back = "-m multiport --dports ";
+ } else {
+ return "-m set --match-set $val\_$prot dst";
+ }
+ } elsif ($prot eq 'ICMP'){
 $back="--icmp-type ";
 }
--
2.39.5
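Review bot: The new `$amount <= 15` test counts entries in @ips, but the commit message itself notes that multiport charges a range as two slots, so a group of, say, ten `lo:hi` ranges still takes the multiport branch and iptables will reject the rule for exceeding 15 ports. If ranges sit in @ips in iptables `lo:hi` form (not visible in this hunk), count them as two — `my $amount = 0;` `$amount += (/:/ ? 2 : 1) for @ips;` — and compare numerically, `if ($amount == 1) {`, rather than with `eq`. Note also that an empty group (`$amount` of 0) now falls through to the ipset branch where the old code produced `--dport `, and the early `return` bypasses whatever get_srvgrp_port appends to `$back` after this block; the function continues outside the hunk. The set named `${val}_${prot}` must already exist when the rule is loaded or the whole restore fails, and I believe ipset caps set names at 31 characters, so long group names would need truncating or hashing before being embedded in the rule.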