From a66dde8dce3105d3cc98594942a12bfda4d3aac0 Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Sat, 22 Apr 2023 09:41:38 +0200
Subject: [PATCH] firewall-lib.pl: Use an ipset set if a service group contains more than 15 ports.

The iptables multiport only supports up to 15 ports (ranges costs more). To avoid this kind of limitation, now an ipset set will be used which could handle up to 65k ports at once.

Signed-off-by: Stefan Schantl
---
 config/firewall/firewall-lib.pl | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
index 54bc21ca4..b5d0f3287 100644
--- a/config/firewall/firewall-lib.pl
+++ b/config/firewall/firewall-lib.pl
@@ -143,8 +143,17 @@ sub get_srvgrp_port
 			}
 		}
 		if($prot ne 'ICMP'){
-			if ($#ips gt 0){$back="-m multiport --dports ";}else{$back="--dport ";}
-		}elsif ($prot eq 'ICMP'){
+			# Get amount of ports.
+			my $amount = @ips;
+
+			if ($amount eq 1) {
+				$back = "--dport ";
+			} elsif ($amount > 1 and $amount <= 15) {
+				$back = "-m multiport --dports ";
+			} else {
+				return "-m set --match-set $val\_$prot dst";
+			}
+		} elsif ($prot eq 'ICMP'){
 			$back="--icmp-type ";
 		}
-- 
2.39.5
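Review bot: `$amount eq 1` compares as strings while the following branch compares numerically; use `==` for both, e.g. `if ($amount == 1) {` and `} elsif ($amount <= 15) {` (the `> 1` guard is already implied by the first branch). Note also that an empty @ips (amount 0) now falls into the `else` branch and yields the ipset match instead of `--dport ` as the removed line did; if that is unintended, `if ($amount <= 1)` keeps the old behaviour. The `return` in the `else` branch leaves the sub early, so whatever get_srvgrp_port normally does after this block (the sub starts and ends outside the hunk, and appears to append the port list) is skipped for the ipset case, meaning callers get a complete match fragment in that case but only a prefix otherwise. The `$val\_$prot` set is assumed to already exist when the rule is loaded and ipset names are limited to 31 characters, so a long group name would make rule insertion fail; neither the set creation nor a length check is part of this change, and that constraint should at least be documented in a comment above the `return`.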