iptables multiport --ports

[comel]

Besides source (--sports) or destination ports (--dports) multiport exstenion also has --ports option (match either the source or destination ports).

http://ipset.netfilter.org/iptables-extensions.man.html#lbBM

It would be great if you could add it to the parser.

[diekmann]

Dear @comel

thanks for your interest :smile:

The following should be equivalent:

-A INPUT -p protocol -m multiport --ports 8080 --something-else -j ACTION

-A INPUT -p protocol -m multiport --sports 8080 --something-else -j ACTION
-A INPUT -p protocol -m multiport --dports 8080 --something-else -j ACTION

multiport ports does not only match either-or, it also matches if both src/dst port match.

I will add support for a primitive ports as soon as I find the time (hopefully starting next week). Please ping me if you need it urgently. If you want to add the feature, I can give you support at any time. :+1:

Cheers, Cornelius

[diekmann]

Started to work on it in branch "multiportsports"

[diekmann]

@comel your feature is in the multiports branch.

For example, if you have a rule

-A FORWARD -p udp -m multiport --ports 8080:8081,8082 --something-else -j ACCEPT

It will be rewritten to

 +ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0   sports: 8080:8082 
 +ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0    dports: 8080:8082

Here is the formal semantics: https://github.com/diekmann/Iptables_Semantics/commit/c6d3e95846e36a39426712f603b5585e597525b4#diff-7312fcbd2a1e5dc576426311ee732128R23

I will merge the branch to master as soon as all integration tests have finished.

[comel]

Great, thank you!

[diekmann]

merged