Add information for release

CHANGELOG

@@ -1,3 +1,11 @@
+2.2.1 - 04/17/2021
+	- Add support for iptables options via IPTABLESOPT and IP6TABLESOPT.  These options are
+	applied at the beginning of the command line options to EVERY instance of $IPTABLES.
+	Useful for '-w' to deal with xtables lock issues.
+
+2.2 - 04/09/2020
+	- Add multiport support to acl/forward
+
 2.1p2 - 02/27/2020
 	- Fix issue with NAT variable not being reset after being changed
 

INSTALL

@@ -1,4 +1,4 @@
-SRFirewall v2.0 http://www.sosdg.org/freestuff/firewall
+SRFirewall v2.2.1 http://www.sosdg.org/freestuff/firewall
 Written by: Brielle Bruns <bruns@2mbit.com>
 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 
@@ -21,14 +21,14 @@ it:
 
 === Begin commands ===
 cd /usr/src
-svn checkout http://firewall-sosdg.googlecode.com/svn/srfirewall srfirewall-trunk
-ln -s /usr/src/srfirewall-trunk/lib /usr/local/lib/srfirewall
-ln -s /usr/src/srfirewall-trunk/bin/srfirewall /usr/local/bin/srfirewall
-cp -R /usr/src/srfirewall-trunk/etc /usr/local/etc/srfirewall
+git clone https://git.sosdg.org/brielle/SRFirewall.git
+ln -s /usr/src/srfirewall/lib /usr/local/lib/srfirewall
+ln -s /usr/src/srfirewall/bin/srfirewall /usr/local/bin/srfirewall
+cp -R /usr/src/srfirewall/etc /usr/local/etc/srfirewall
 === End commands ===
 
 Then when you want to update to bleeding edge, all you have to run is
-'svn update'.
+'git pull'.
 
 You _will_ need to look for newly changed/added files and update
 appropriately.

README

@@ -1,4 +1,4 @@
-SRFirewall v2.1
+SRFirewall v2.2.1
 http://www.sosdg.org/freestuff/firewall
 Written by: Brielle Bruns <bruns@2mbit.com>
 

bin/srfirewall

@@ -19,7 +19,7 @@
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 # Static config options, normally do not need to change
-FW_VERSION="2.1p2"
+FW_VERSION="2.2.1"
 
 # Important directory locations
 FWPREFIX="/usr/local"
@@ -155,6 +155,16 @@ if [ ! -e "/proc/net/ip6_tables_names" ] && [ "${EnableIPv6}" == "yes" ] && [ "$
 	fi
 fi
 
+# Splice in iptables options via IPTABLESOPT and IP6TABLESOPT
+if [ -x "${IPTABLES}" ] &&  [ -x "${IPTABLESOPT}" ]; then
+	IPTABLES="${IPTABLES} ${IPTABLESOPT}"
+fi
+
+if [ -x "${IP6TABLES}" ] && [ -x "${IP6TABLESOPT}" ]; then
+	IPTABLES="${IP6TABLES} ${IP6TABLESOPT}"
+fi
+
+
 # Set up proper state matching variables, since there is old and new style.
 if [ "$StateMatching" ]; then
 	case $StateMatching in

lib/iptables.inc

@@ -338,8 +338,8 @@ function enable_filtering {
 			[[ -z ${state} ]] && state="-"
 			([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]] && [[ ! ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ${state}"
 			([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]] && [[ ! ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ${state}"
-			[[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
-			[[ ${srcport} != "-" ]] && srcport="--sport ${srcport}"
+			#[[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
+			#[[ ${srcport} != "-" ]] && srcport="--sport ${srcport}"
 			[[ ${srcaddress} != "-" ]] && srcaddress="-s ${srcaddress}"
 			[[ ${dstaddress} != "-" ]] && dstaddress="-d ${dstaddress}"
 			([[ ${interface} != "-" ]] && [[ ${direction} == "IN" ]]) && interface="-i ${interface}"
@@ -353,6 +353,15 @@ function enable_filtering {
 			
 			${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol} ${syn} ${custom}"
 			
+			dstmultiport="no"
+			srcmultiport="no"
+			([[ ${dstport} != "-" ]] && [[ ${dstport} =~ (-|:|,) ]]) && dstmultiport="yes"
+			([[ ${srcport} != "-" ]] && [[ ${srcport} =~ (-|:|,) ]]) && srcmultiport="yes"
+			([[ ${dstport} != "-" ]] && [[ ${dstmultiport} != "yes" ]]) && dstport="--dport ${dstport}"
+			([[ ${srcport} != "-" ]] && [[ ${srcmultiport} != "yes" ]]) && srcport="--dport ${srcport}"
+			([[ ${dstport} != "-" ]] && [[ ${dstmultiport} == "yes" ]]) && dstport="-m multiport --dports ${dstport}"
+			([[ ${srcport} != "-" ]] && [[ ${srcmultiport} == "yes" ]]) && srcport="-m multiport --sports ${srcport}"
+
 			# Blank variables that we're not going to use.
 			[[ ${interface} == "-" ]] && interface=""
 			[[ ${dstport} == "-" ]] && dstport=""
@@ -416,10 +425,20 @@ function enable_forwarding {
 			([[ ${syn} == "syn" ]] && [[ ${protocol} == "udp" ]]) && syn="-"
 			[[ ${syn} == "syn" ]] && syn="--syn"
 			[[ ${syn} == "notsyn" ]] && syn="! --syn"
-			[[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
-			[[ ${srcport} != "-" ]] && srcport="--sport ${srcport}"
-			([[ ${bidirectional} == "yes" ]] && [[ ${srcport} != "-" ]]) && revsrcport="--dport ${srcport}"
-			([[ ${bidirectional} == "yes" ]] && [[ ${dstport} != "-" ]]) && revdstport="--sport ${dstport}"
+			dstmultiport="no"
+			srcmultiport="no"
+			([[ ${dstport} != "-" ]] && [[ ${dstport} =~ (-|:|,) ]]) && dstmultiport="yes"
+			([[ ${srcport} != "-" ]] && [[ ${srcport} =~ (-|:|,) ]]) && srcmultiport="yes"
+			([[ ${dstport} != "-" ]] && [[ ${dstmultiport} != "yes" ]]) && dstport="--dport ${dstport}"
+			([[ ${srcport} != "-" ]] && [[ ${srcmultiport} != "yes" ]]) && srcport="--sport ${srcport}"
+			([[ ${dstport} != "-" ]] && [[ ${dstmultiport} == "yes" ]]) && dstport="-m multiport --dports ${dstport}"
+			([[ ${srcport} != "-" ]] && [[ ${srcmultiport} == "yes" ]]) && srcport="-m multiport --sports ${srcport}"
+			([[ ${bidirectional} == "yes" ]] && [[ ${srcport} != "-" ]]) && revsrcport=${srcport/sport/dport}
+			([[ ${bidirectional} == "yes" ]] && [[ ${dstport} != "-" ]]) && revdstport=${dstport/dport/sport}
+			#[[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
+			#[[ ${srcport} != "-" ]] && srcport="--sport ${srcport}"
+			#([[ ${bidirectional} == "yes" ]] && [[ ${srcport} != "-" ]]) && revsrcport="--dport ${srcport}"
+			#([[ ${bidirectional} == "yes" ]] && [[ ${dstport} != "-" ]]) && revdstport="--sport ${dstport}"
 			[[ ${protocol} != "-" ]] && protocol="-p ${protocol}"
 			
 			${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${action} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} ${bidirectional} ${srcport} ${dstport} ${protocol} ${syn} ${state}"
@@ -541,7 +560,7 @@ function enable_services {
 					&& ${display} RED "service.conf: Error - must begin with service name or port number: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}" && continue
 			[[ ${protocol} == "-" ]] \
 					&& ${display} RED "service.conf: Error - protocol can not be empty: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}" && continue
-			[[ ${service} =~ "," ]] && multiport="yes"
+			[[ ${service} =~ (-|:|,) ]] && multiport="yes"
 			# Do some creative work with variables to make building the iptables rules fairly painless
 			([[ ${service} != "-" ]] && [[ ${multiport} != "yes" ]]) && service="--dport ${service}"
 			([[ ${service} != "-" ]] && [[ ${multiport} == "yes" ]]) && service="-m multiport --dports ${service}"

release.json

@@ -1,7 +1,7 @@
 {
-    "version": "2.1p2",
+    "version": "2.2.1",
     "state": "stable",
     "scope": "minor fixes",
     "changes": "See CHANGELOG",
-    "download": "https://source.sosdg.org/brielle/srfirewall/repository/archive.tar.bz2?ref=v2.1p2"
+    "download": "https://git.sosdg.org/brielle/SRFirewall/releases"
 }