From 14bcb9a23d6d96fedaf0d5d71f65a8e7a8e6a4eb Mon Sep 17 00:00:00 2001
From: Alexander Marx
Date: Tue, 12 Nov 2013 09:27:16 +0100
Subject: [PATCH] Firewall: New feature: Now it is possible to define a custom service with a portrange. When using this service in a rule or in a servciegroup, the rule is applied correctly.

---
config/firewall/firewall-lib.pl | 6 ++----
config/firewall/rules.pl | 12 +++++++++---
2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
index f1e8403da..8cff76bb5 100755
--- a/config/firewall/firewall-lib.pl
+++ b/config/firewall/firewall-lib.pl
@@ -108,10 +108,8 @@ sub get_srv_port
 my $field=shift;
 my $prot=shift;
 foreach my $key (sort {$a <=> $b} keys %customservice){
- if($customservice{$key}[0] eq $val){
- if($customservice{$key}[2] eq $prot){
- return $customservice{$key}[$field];
- }
+ if($customservice{$key}[0] eq $val && $customservice{$key}[2] eq $prot){
+ return $customservice{$key}[$field];
 }
 }
 }
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index c724aa840..f1584f3d2 100755
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -86,8 +86,8 @@ close(CONN1);
 # DEBUG/TEST #
 #################
 my $MODE=0; # 0 - normal operation
- # 1 - print configline and rules to console
- #
+ # 1 - print configline and rules to console
+ #
 #################
 
 my $param=shift;
@@ -577,6 +577,7 @@ sub get_port
 my $hash=shift;
 my $key=shift;
 my $prot=shift;
+ #Get manual defined Ports from SOURCE
 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
 if ($$hash{$key}[10] ne ''){
 $$hash{$key}[10] =~ s/\|/,/g;
@@ -590,6 +591,7 @@ sub get_port
 }
 }
 }
+ #Get manual ports from TARGET
 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
 if($$hash{$key}[14] eq 'TGT_PORT'){
 if ($$hash{$key}[15] ne ''){
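Review bot: get_srv_port still falls off the end of the foreach when no custom service matches `$val` and `$prot`, so the merged condition in this hunk returns nothing on a miss and callers in rules.pl such as `"--dport ".&fwlib::get_srv_port(...)` concatenate an empty value into the generated iptables rule. Add an explicit `return;` after the loop and a short header comment stating that the sub returns field `$field` of the first custom service (keys scanned in numeric order) whose name and protocol both match, or an empty list when none does, so callers can test `defined`. The callers' `&fwlib::get_srv_port(...)` form should be plain `fwlib::get_srv_port(...)`; the leading `&` bypasses prototypes and reads oddly. The sub's opening line and the assignment of `$val` lie before this hunk.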
@@ -605,16 +607,20 @@ sub get_port
 }
 }
 }
+ #Get ports defined in custom Service (firewall-groups)
 }elsif($$hash{$key}[14] eq 'cust_srv'){
 if ($prot ne 'ICMP'){
 if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){
- return ":".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
+ my $ports =&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
+ $ports =~ s/\:/-/g;
+ return ":".$ports
 }else{
 return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
 }
 }elsif($prot eq 'ICMP' && $$hash{$key}[11] eq 'ON'){ #When PROT is ICMP and "use targetport is checked, this is an icmp-service
 return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
 }
+ #Get ports from services which are used in custom servicegroups (firewall-groups)
 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
 if ($prot ne 'ICMP'){
 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
-- 
2.39.2
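Review bot: The new dnat branch runs `$ports =~ s/\:/-/g` and returns `":".$ports` without checking that the lookup found a service, so when `fwlib::get_srv_port` returns nothing for this name/protocol the substitution warns on an undefined value and the branch emits a bare `:` into the generated rule; test `defined $ports && length $ports` first and handle the miss explicitly (at minimum log it) rather than returning the fragment. The `:`-to-`-` rewrite also assumes the stored value is a numeric `start:end` range — presumably checked when the custom service is saved, but worth confirming since the string goes straight onto the iptables command line. `return ":".$ports` is missing its trailing semicolon (legal as the last statement in the block, but a line added after it would then break). The added `#Get ports defined in custom Service (firewall-groups)` and `#Get ports from services which are used in custom servicegroups (firewall-groups)` comments sit inside the preceding branch, just before the `}elsif` they describe — move each to the first line inside its own block (the same applies to `#Get manual ports from TARGET` in the -590 hunk). get_port continues on both sides of this hunk.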