Add information for release

CHANGELOG

@@ -1,3 +1,40 @@
+2.2.1 - 04/17/2021
+	- Add support for iptables options via IPTABLESOPT and IP6TABLESOPT.  These options are
+	applied at the beginning of the command line options to EVERY instance of $IPTABLES.
+	Useful for '-w' to deal with xtables lock issues.
+
+2.2 - 04/09/2020
+	- Add multiport support to acl/forward
+
+2.1p2 - 02/27/2020
+	- Fix issue with NAT variable not being reset after being changed
+
+2.1p1 - 01/01/2020
+	- Refactor NETMAP NAT target so its more flexible.  See new example nat.conf file for details
+
+2.1 Final - 07/12/2019
+	- Fix flush tables rule for raw
+	- Final 2.1 release since we've had 2.1 for 5 years now without being 'released'
+
+2.1 Beta 1 - 11/19/2018
+	- Add run-after  and run-before rules (custom/runafter.sh and custom/runbefore.sh)
+
+2.1 Alpha 3 - 04/25/2016
+	- Fix issue with erasing variables in two different setups
+	- mss clamp fix for fwd target
+
+2.1 Alpha 2 - 03/15/2015
+	- Unset variables in loops to make sure theres no leakage of
+		variables into the next run of the loop
+	04/09/2015
+	- Allow use of 'all' in MSS rules to match all forwarding/out traffic
+
+2.1 Alpha 1 - 11/29/2014
+	- Added support for custom fields in NAT and ACL rules, as this allows
+		definition of Policy rules in the ACL files (mostly useful for IPSec)
+	- NAT rules no longer add accept state rules, should be added in forward.conf
+		manually
+
 2.01 Alpha 1 - 07/27/2014
 	- Fix executable bits on .sh files in custom
 	- Make MSS clamp optional and allow setting MSS size manually

INSTALL

@@ -1,4 +1,4 @@
-SRFirewall v2.0 http://www.sosdg.org/freestuff/firewall
+SRFirewall v2.2.1 http://www.sosdg.org/freestuff/firewall
 Written by: Brielle Bruns <bruns@2mbit.com>
 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 
@@ -21,14 +21,14 @@ it:
 
 === Begin commands ===
 cd /usr/src
-svn checkout http://firewall-sosdg.googlecode.com/svn/srfirewall srfirewall-trunk
-ln -s /usr/src/srfirewall-trunk/lib /usr/local/lib/srfirewall
-ln -s /usr/src/srfirewall-trunk/bin/srfirewall /usr/local/bin/srfirewall
-cp -R /usr/src/srfirewall-trunk/etc /usr/local/etc/srfirewall
+git clone https://git.sosdg.org/brielle/SRFirewall.git
+ln -s /usr/src/srfirewall/lib /usr/local/lib/srfirewall
+ln -s /usr/src/srfirewall/bin/srfirewall /usr/local/bin/srfirewall
+cp -R /usr/src/srfirewall/etc /usr/local/etc/srfirewall
 === End commands ===
 
 Then when you want to update to bleeding edge, all you have to run is
-'svn update'.
+'git pull'.
 
 You _will_ need to look for newly changed/added files and update
 appropriately.

README

@@ -1,5 +1,6 @@
-SRFirewall v2.0 http://www.sosdg.org/freestuff/firewall Written by:
-Brielle Bruns <bruns@2mbit.com>
+SRFirewall v2.2.1
+http://www.sosdg.org/freestuff/firewall
+Written by: Brielle Bruns <bruns@2mbit.com>
 
 SRFirewall is a complete rewrite of Firewall/SOSDG v1.1, from scratch,
 with a completely new and reorganized config and file layout.

bin/srfirewall

@@ -19,7 +19,7 @@
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 # Static config options, normally do not need to change
-FW_VERSION="2.0"
+FW_VERSION="2.2.1"
 
 # Important directory locations
 FWPREFIX="/usr/local"
@@ -155,6 +155,16 @@ if [ ! -e "/proc/net/ip6_tables_names" ] && [ "${EnableIPv6}" == "yes" ] && [ "$
 	fi
 fi
 
+# Splice in iptables options via IPTABLESOPT and IP6TABLESOPT
+if [ -x "${IPTABLES}" ] &&  [ -x "${IPTABLESOPT}" ]; then
+	IPTABLES="${IPTABLES} ${IPTABLESOPT}"
+fi
+
+if [ -x "${IP6TABLES}" ] && [ -x "${IP6TABLESOPT}" ]; then
+	IPTABLES="${IP6TABLES} ${IP6TABLESOPT}"
+fi
+
+
 # Set up proper state matching variables, since there is old and new style.
 if [ "$StateMatching" ]; then
 	case $StateMatching in
@@ -174,6 +184,10 @@ fi
 
 # Do IPv4 IPTables Rules
 if [ "${EnableIPv4}" == "yes" ]; then
+
+	# Commands to run before everything else
+	if [ -x ${FWCONFIGDIR}/ipv4/custom/runbefore.sh ]; then . ${FWCONFIGDIR}/ipv4/custom/runbefore.sh; fi
+	
 	# First flush all rules
 	iptables_rules_flush ipv4
 	
@@ -203,10 +217,16 @@ if [ "${EnableIPv4}" == "yes" ]; then
 	[[ ${Enablev4NAT} == "yes" ]] && enable_nat ipv4
 	[[ ${Enablev4PortForwarding} == "yes" ]] && enable_portfw ipv4
 	
+	# Commands to run after everything else
+	if [ -x ${FWCONFIGDIR}/ipv4/custom/runafter.sh ]; then . ${FWCONFIGDIR}/ipv4/custom/runafter.sh; fi
+	
 fi
 
 # Do IPv6 IPTables Rules
 if [ "${EnableIPv6}" == "yes" ]; then
+	# Commands to run before everything else
+	if [ -x ${FWCONFIGDIR}/ipv6/custom/runbefore.sh ]; then . ${FWCONFIGDIR}/ipv6/custom/runbefore.sh; fi
+	
 	# First flush all rules
 	iptables_rules_flush ipv6
 	
@@ -237,5 +257,7 @@ if [ "${EnableIPv6}" == "yes" ]; then
 	[[ ${Enablev6NAT} == "yes" ]] && enable_nat ipv6
 	[[ ${Enablev6PortForwarding} == "yes" ]] && enable_portfw ipv6
 	[[ ${EnableSysctlTweaks} == "yes" ]] && sysctl_tweaks
+	# Commands to run after everything else
+	if [ -x ${FWCONFIGDIR}/ipv6/custom/runafter.sh ]; then . ${FWCONFIGDIR}/ipv6/custom/runafter.sh; fi
 fi
 

etc/ipv4/acl.conf

@@ -2,7 +2,7 @@
 # Use this file to set up more complex access control lists.
 # Use tabs or single space to separate
 #
-# <direction> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol> <syn> <state>
+# <direction> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol> <syn> <state> <custom>
 #
 # Direction: Required ( IN | OUT )
 # Action: Required (ACCEPT | DROP)
@@ -14,10 +14,12 @@
 # Protocol: Optional, Required if port is specified ( tcp | udp )
 # Syn: Optional, only match (not) syn packets (syn | notsyn )
 # State: Optional, set the connection tracking states ( comma separated list )
-
+# Custom: Optional, set custom section after the source/dest and before ACCEPT/DROP
+#
 # You can use '-' for optional fields
 #============================================================
-#<dir> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol> <syn> <state>
+#<dir> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol> <syn> <state> <custom>
 #IN ACCEPT eth0 10.0.0.1 22 - - tcp -
 #IN DROP - - - - 22 tcp syn
+#IN ACCEPT eth0 192.168.0.0/24 - 192.168.1.0/24 - - - -m policy --dir in --pol ipsec --proto esp
 

etc/ipv4/custom/runafter.sh

@@ -0,0 +1,6 @@
+# This file is sourced by the main srfirewall program to inject
+# custom commands/rules during specific moments of the firewall
+# setup.
+#
+# In particular this file injects/commands rules:
+# After all other things are done when the script loads

etc/ipv4/custom/runbefore.sh

@@ -0,0 +1,6 @@
+# This file is sourced by the main srfirewall program to inject
+# custom commands/rules during specific moments of the firewall
+# setup.
+#
+# In particular this file injects/commands rules:
+# Before all other things are done when the script loads

etc/ipv4/forward.conf

@@ -2,7 +2,7 @@
 # Use this file to set up network address translation rules
 # Use tabs or single space to separate
 #
-# <action> <src-interface> <src-address> <dst-interface> <dst-address> <bidirectional> <src-port> <dst-port> <protocol> <syn> <state>
+# <action> <src-interface> <src-address> <dst-interface> <dst-address> <bidirectional> <src-port> <dst-port> <protocol> <syn> <state> <custom>
 #
 # Action: Required ( ACCEPT | DROP )
 # Source Interface: Optional ( interface name, aka eth0 )
@@ -17,13 +17,15 @@
 # Protocol:	Optional, required if port numbers specified ( tcp | udp )
 # Syn: Optional, only match (not) syn packets (syn | notsyn )
 # State: Optional, set the connection tracking states ( comma separated list )
+# Custom: Optional, set custom section after the source/dest and before ACCEPT/DROP
 #
 # You can use '-' for optional fields
 #============================================================
-#<action> <src-interface> <src-address> <dst-interface> <dst-address> <bidirectional> <src-port> <dst-port> <protocol> <syn> <state>
+#<action> <src-interface> <src-address> <dst-interface> <dst-address> <bidirectional> <src-port> <dst-port> <protocol> <syn> <state> <custom>
 #ACCEPT eth0 - eth1 - yes
 #DROP eth1 192.168.2.0/24 eth0 0/0 no
 #DROP eth0 - eth1 192.168.0.0/24 no - 1:1024 tcp syn NEW
 #ACCEPT eth1 - eth0 - no - - udp - NEW,ESTABLISHED,RELATED
+#IN ACCEPT eth0 192.168.0.0/24 eth1 192.168.1.0/24 yes - - - - - -m policy --dir in --pol ipsec --proto esp
 
 

etc/ipv4/nat.conf

@@ -2,17 +2,20 @@
 # Use this file to set up network address translation rules
 # Use tabs or single space to separate
 #
-# <type> <src-interface> <src-address> <dst-interface> <dst-address>
+# <type> <src-interface> <src-address> <dst-interface> <dst-address> <custom>
 #
-# Type: Required ( SNAT | MASQ | NETMAP )
-# Source Interface: Optional ( interface name, aka eth0 )
+# Type: Required ( SNAT | MASQ | NETMAP | ACCEPT)
+# Source Interface: Optional, ignored by NETMAP ( interface name, aka eth0 )
 # Source Address: Optional ( IP address with optional netmask )
 # Destination Interface: Optional for all but MASQ ( interface name, aka eth0 )
-# Destination Address: Required for all but MASQ ( IP address with optional netmask )
+# Destination Address: Required for all but MASQ and NETMAP ( IP address with optional netmask )
+# Custom: Optional for all except NETMAP, set custom section after the source/dest and before ACCEPT/DROP
+# Custom: Required for NETMAP, address to map TO, then all other custom options (see example)
 # You can use '-' for optional fields
 #============================================================
-#<type> <src-interface> <src-address> <dst-interface> <dst-address>
+#<type> <src-interface> <src-address> <dst-interface> <dst-address> <custom>
 #SNAT eth1 10.0.0.0/24 eth0 172.16.1.1
 #MASQ - - eth0 -
-#NETMAP eth1 192.168.0.0/24 vpn0 172.16.10.0/24
+#NETMAP - 192.168.0.0/24 vpn0 - 172.16.0.0/24
+#^ ex: map src of 192.168.0.0/24 to 172.16.0.0/24 when it leaves via vpn0
 

etc/ipv6/acl.conf

@@ -2,7 +2,7 @@
 # Use this file to set up more complex access control lists.
 # Use tabs or single space to separate
 #
-# <direction> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol> <syn> <state>
+# <direction> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol> <syn> <state> <custom>
 #
 # Direction: Required ( IN | OUT )
 # Action: Required (ACCEPT | DROP)
@@ -14,10 +14,11 @@
 # Protocol: Optional, Required if port is specified ( tcp | udp )
 # Syn: Optional, only match (not) syn packets (syn | notsyn )
 # State: Optional, set the connection tracking states ( comma separated list )
+# Custom: Optional, set custom section after the source/dest and before ACCEPT/DROP
 #
 # You can use '-' for optional fields
 #============================================================
-#<dir> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol> <syn> <state>
+#<dir> <action> <interface> <src-address> <src-port> <dst-address> <dst-port> <protocol> <syn> <state> <custom>
 #IN ACCEPT eth0 2002:dead:beef::/64 22	- -	tcp -
 #IN DROP - - - - 22 tcp syn
-
+#IN ACCEPT eth0 2002:dead:beef::/64 - 2002:dead:bfff::/64 - - - -m policy --dir in --pol ipsec --proto esp

etc/ipv6/custom/runafter.sh

@@ -0,0 +1,6 @@
+# This file is sourced by the main srfirewall program to inject
+# custom commands/rules during specific moments of the firewall
+# setup.
+#
+# In particular this file injects/commands rules:
+# After all other things are done when the script loads

etc/ipv6/custom/runbefore.sh

@@ -0,0 +1,6 @@
+# This file is sourced by the main srfirewall program to inject
+# custom commands/rules during specific moments of the firewall
+# setup.
+#
+# In particular this file injects/commands rules:
+# Before all other things are done when the script loads

etc/ipv6/forward.conf

@@ -2,7 +2,7 @@
 # Use this file to set up network address translation rules
 # Use tabs or single space to separate
 #
-# <action> <src-interface> <src-address> <dst-interface> <dst-address> <bidirectional> <src-port> <dst-port> <protocol> <syn> <state>
+# <action> <src-interface> <src-address> <dst-interface> <dst-address> <bidirectional> <src-port> <dst-port> <protocol> <syn> <state> <custom>
 #
 # Action: Required ( ACCEPT | DROP )
 # Source Interface: Optional ( interface name, aka eth0 )
@@ -17,11 +17,13 @@
 # Protocol:	Optional, required if port numbers specified ( tcp | udp )
 # Syn: Optional, only match (not) syn packets (syn | notsyn )
 # State: Optional, set the connection tracking states ( comma separated list )
+# Custom: Optional, set custom section after the source/dest and before ACCEPT/DROP
 #
 # You can use '-' for optional fields
 #============================================================
-#<action> <src-interface> <src-address> <dst-interface> <dst-address> <bidirectional> <src-port> <dst-port> <protocol> <syn> <state>
+#<action> <src-interface> <src-address> <dst-interface> <dst-address> <bidirectional> <src-port> <dst-port> <protocol> <syn> <state> <custom>
 #ACCEPT eth0 - eth1 - yes
 #DROP eth1 2002::/64 eth0 2001::/3 no
 #DROP eth0 2001::/3 eth1 2002:dead:beef::/64 no - 1:1024 tcp syn
 #ACCEPT eth1 - eth0 - no - - udp - NEW,ESTABLISHED,RELATED
+#IN ACCEPT eth0 2002:dead:beef::/64 eth1 2002:dead:bfff::/64 yes - - - - - -m policy --dir in --pol ipsec --proto esp

etc/ipv6/nat.conf

@@ -2,16 +2,18 @@
 # Use this file to set up network address translation rules
 # Use tabs or single space to separate
 #
-# <type> <src-interface> <src-address> <dst-interface> <dst-address>
+# <type> <src-interface> <src-address> <dst-interface> <dst-address> <custom>
 #
-# Type: Required ( SNAT | MASQ | NETMAP )
+# Type: Required ( SNAT | MASQ | NETMAP | ACCEPT)
 # Source Interface: Optional ( interface name, aka eth0 )
 # Source Address: Optional ( IP address with optional netmask )
 # Destination Interface: Optional for all but MASQ ( interface name, aka eth0 )
 # Destination Address: Required for all but MASQ ( IP address with optional netmask )
+# Custom: Optional, set custom section after the source/dest and before ACCEPT/DROP
+#
 # You can use '-' for optional fields
 #============================================================
-#<type> <src-interface> <src-address> <dst-interface> <dst-address>
+#<type> <src-interface> <src-address> <dst-interface> <dst-address> <custom>
 #SNAT eth1 2002::/64 eth0 2001::1
 #MASQ - - eth0 -
 #NETMAP eth1 2002::/64 vpn0 fc00::/64

lib/iptables.inc

@@ -42,6 +42,8 @@ function iptables_rules_flush {
 	${VER_IPTABLES} -t nat -X &>/dev/null
 	${VER_IPTABLES} -t mangle -F &>/dev/null
 	${VER_IPTABLES} -t mangle -X &>/dev/null
+	${VER_IPTABLES} -t raw -F &>/dev/null
+	${VER_IPTABLES} -t raw -X &>/dev/null
 	for i in `cat $TABLE_NAMES`; do
 		${VER_IPTABLES} -F -t $i &>/dev/null
 	done
@@ -175,19 +177,25 @@ function enable_mss_clamp {
 		while read -r interface mss type msssize; do
 			[[ ${interface} = \#* ]] && continue
 			[[ ${interface} = "" ]] && continue
-			[[ -z ${mss} ]] && mss="-"
-			[[ ${mss} == "-" ]] && mss="1400:1536"
+			[[ ${interface} == "all" ]] && isallinterfaces="yes"
+			#[[ -z ${mss} ]] && mss="-"
+			[[ ${mss} != "-" ]] && mss="-m tcpmss --mss ${mss}"
+			[[ ${mss} == "-" ]] && mss=""
 			[[ -z ${type} ]] && type="-"
-			[[ ${type} == "-" ]] && type="${OutFilter}"
+			[[ ${type} == "-" ]] && type="out"
 			[[ ${type} == "out" ]] && type="${OutFilter}"
 			[[ ${type} == "fwd" ]] && type="${FwdFilter}"
 			[[ -z ${msssize} ]] && msssize="-"
 			[[ ${msssize} != "-" ]] && msssize="--set-mss ${msssize}"
 			[[ ${msssize} == "-" ]] && msssize="--clamp-mss-to-pmtu"
+			#[[ ${interface} != "all" ]] && interface="-o ${interface}"
+			[[ ${type} == "${OutFilter}" ]] && interface="-o ${interface}"
+			[[ ${type} == "${FwdFilter}" ]] && interface="-o ${interface}"
+			[[ ${isallinterfaces} == "yes" ]] && interface=""
 			${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${interface} ${mss} ${type} ${msssize}"
 			${VER_IPTABLES} -A ${type} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
-				 -o ${interface} -m tcpmss --mss ${mss} ${msssize}
-			unset interface mss type msssize
+				 ${interface} ${mss} ${msssize}
+			unset interface mss type msssize isallinterfaces
 		done < "${FWCONFIGDIR}/ipv${IPVER}/mss-clamp.conf"
 
 		${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
@@ -317,7 +325,7 @@ function enable_filtering {
 	${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
 	if [ -e "${FWCONFIGDIR}/ipv${IPVER}/acl.conf" ]; then
 		${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/acl.conf successful"
-		while read -r direction action interface srcaddress srcport dstaddress dstport protocol syn state; do
+		while read -r direction action interface srcaddress srcport dstaddress dstport protocol syn state custom; do
 			[[ ${direction} = \#* ]] && continue
 			[[ ${direction} = "" ]] && continue
 			([[ ${direction} != "IN" ]] && [[ ${direction} != "OUT" ]]) \
@@ -330,8 +338,8 @@ function enable_filtering {
 			[[ -z ${state} ]] && state="-"
 			([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]] && [[ ! ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ${state}"
 			([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]] && [[ ! ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ${state}"
-			[[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
-			[[ ${srcport} != "-" ]] && srcport="--sport ${srcport}"
+			#[[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
+			#[[ ${srcport} != "-" ]] && srcport="--sport ${srcport}"
 			[[ ${srcaddress} != "-" ]] && srcaddress="-s ${srcaddress}"
 			[[ ${dstaddress} != "-" ]] && dstaddress="-d ${dstaddress}"
 			([[ ${interface} != "-" ]] && [[ ${direction} == "IN" ]]) && interface="-i ${interface}"
@@ -343,7 +351,16 @@ function enable_filtering {
 			[[ ${syn} == "syn" ]] && syn="--syn"
 			[[ ${syn} == "notsyn" ]] && syn="! --syn"
 			
-			${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol} ${syn}"
+			${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol} ${syn} ${custom}"
+			
+			dstmultiport="no"
+			srcmultiport="no"
+			([[ ${dstport} != "-" ]] && [[ ${dstport} =~ (-|:|,) ]]) && dstmultiport="yes"
+			([[ ${srcport} != "-" ]] && [[ ${srcport} =~ (-|:|,) ]]) && srcmultiport="yes"
+			([[ ${dstport} != "-" ]] && [[ ${dstmultiport} != "yes" ]]) && dstport="--dport ${dstport}"
+			([[ ${srcport} != "-" ]] && [[ ${srcmultiport} != "yes" ]]) && srcport="--dport ${srcport}"
+			([[ ${dstport} != "-" ]] && [[ ${dstmultiport} == "yes" ]]) && dstport="-m multiport --dports ${dstport}"
+			([[ ${srcport} != "-" ]] && [[ ${srcmultiport} == "yes" ]]) && srcport="-m multiport --sports ${srcport}"
 
 			# Blank variables that we're not going to use.
 			[[ ${interface} == "-" ]] && interface=""
@@ -353,8 +370,10 @@ function enable_filtering {
 			[[ ${srcaddress} == "-" ]] && srcaddress=""
 			[[ ${protocol} == "-" ]] && protocol=""
 			[[ ${syn} == "-" ]] && syn=""
+			[[ ${custom} == "-" ]] && custom=""
 			
-			${VER_IPTABLES} -A ${chain} ${interface} ${protocol} ${srcaddress} ${srcport} ${syn} ${dstaddress} ${dstport} ${conntrack_state} -j ${action}
+			${VER_IPTABLES} -A ${chain} ${interface} ${protocol} ${srcaddress} ${srcport} ${syn} ${dstaddress} ${dstport} ${conntrack_state} ${custom} -j ${action}
+			unset direction action interface srcaddress srcport dstaddress dstport protocol syn state custom conntrack_state
 		done < "${FWCONFIGDIR}/ipv${IPVER}/acl.conf"
 		${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
 	fi
@@ -371,7 +390,7 @@ function enable_forwarding {
 	${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
 	if [ -e "${FWCONFIGDIR}/ipv${IPVER}/forward.conf" ]; then
 		${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/forward.conf successful"
-		while read -r action srcinterface srcaddress dstinterface dstaddress bidirectional srcport dstport protocol syn state; do
+		while read -r action srcinterface srcaddress dstinterface dstaddress bidirectional srcport dstport protocol syn state custom; do
 			unset conntrack_state conntrack_udp_new revsrcaddress revdstaddress revdstinterface revsrcinterface revsrcport revdstport
 			[[ ${action} = \#* ]] && continue
 			[[ -z ${action} ]] && continue
@@ -389,8 +408,8 @@ function enable_forwarding {
 			[[ -z ${syn} ]] && syn="-"
 			[[ -z ${state} ]] && state="-"
 			
-			([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]] && [[ ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ESTABLISHED,RELATED"
-			([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]] && [[ ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ESTABLISHED,RELATED"
+			#([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]] && [[ ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ESTABLISHED,RELATED"
+			#([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]] && [[ ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ESTABLISHED,RELATED"
 			([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]] && [[ ! ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ${state}"
 			([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]] && [[ ! ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ${state}"
 			
@@ -406,10 +425,20 @@ function enable_forwarding {
 			([[ ${syn} == "syn" ]] && [[ ${protocol} == "udp" ]]) && syn="-"
 			[[ ${syn} == "syn" ]] && syn="--syn"
 			[[ ${syn} == "notsyn" ]] && syn="! --syn"
-			[[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
-			[[ ${srcport} != "-" ]] && srcport="--sport ${srcport}"
-			([[ ${bidirectional} == "yes" ]] && [[ ${srcport} != "-" ]]) && revsrcport="--dport ${srcport}"
-			([[ ${bidirectional} == "yes" ]] && [[ ${dstport} != "-" ]]) && revdstport="--sport ${dstport}"
+			dstmultiport="no"
+			srcmultiport="no"
+			([[ ${dstport} != "-" ]] && [[ ${dstport} =~ (-|:|,) ]]) && dstmultiport="yes"
+			([[ ${srcport} != "-" ]] && [[ ${srcport} =~ (-|:|,) ]]) && srcmultiport="yes"
+			([[ ${dstport} != "-" ]] && [[ ${dstmultiport} != "yes" ]]) && dstport="--dport ${dstport}"
+			([[ ${srcport} != "-" ]] && [[ ${srcmultiport} != "yes" ]]) && srcport="--sport ${srcport}"
+			([[ ${dstport} != "-" ]] && [[ ${dstmultiport} == "yes" ]]) && dstport="-m multiport --dports ${dstport}"
+			([[ ${srcport} != "-" ]] && [[ ${srcmultiport} == "yes" ]]) && srcport="-m multiport --sports ${srcport}"
+			([[ ${bidirectional} == "yes" ]] && [[ ${srcport} != "-" ]]) && revsrcport=${srcport/sport/dport}
+			([[ ${bidirectional} == "yes" ]] && [[ ${dstport} != "-" ]]) && revdstport=${dstport/dport/sport}
+			#[[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
+			#[[ ${srcport} != "-" ]] && srcport="--sport ${srcport}"
+			#([[ ${bidirectional} == "yes" ]] && [[ ${srcport} != "-" ]]) && revsrcport="--dport ${srcport}"
+			#([[ ${bidirectional} == "yes" ]] && [[ ${dstport} != "-" ]]) && revdstport="--sport ${dstport}"
 			[[ ${protocol} != "-" ]] && protocol="-p ${protocol}"
 			
 			${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${action} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} ${bidirectional} ${srcport} ${dstport} ${protocol} ${syn} ${state}"
@@ -425,9 +454,11 @@ function enable_forwarding {
 			[[ ${state} == "-" ]] && state=""
 			[[ ${protocol} == "-" ]] && protocol=""
 			[[ ${bidirectional} == "-" ]] && bidirectional="no"
+			[[ ${custom} == "-" ]] && custom=""
 
-			${VER_IPTABLES} -A ${FwdFilter} ${protocol} ${srcinterface} ${srcaddress} ${srcport} ${syn} ${dstinterface} ${dstaddress} ${dstport} ${conntrack_state} -j ${action}
-			[[ ${bidirectional} == "yes" ]] && ${VER_IPTABLES} -A ${FwdFilter} ${protocol} ${revsrcinterface} ${revsrcaddress} ${revsrcport} ${syn} ${revdstinterface} ${revdstaddress} ${revdstport} ${conntrack_state} -j ${action}
+			${VER_IPTABLES} -A ${FwdFilter} ${protocol} ${srcinterface} ${srcaddress} ${srcport} ${syn} ${dstinterface} ${dstaddress} ${dstport} ${conntrack_state} ${custom} -j ${action}
+			[[ ${bidirectional} == "yes" ]] && ${VER_IPTABLES} -A ${FwdFilter} ${protocol} ${revsrcinterface} ${revsrcaddress} ${revsrcport} ${syn} ${revdstinterface} ${revdstaddress} ${revdstport} ${conntrack_state} ${custom} -j ${action}
+			unset action srcinterface srcaddress dstinterface dstaddress bidirectional srcport dstport protocol syn state custom conntrack_state
 		done < "${FWCONFIGDIR}/ipv${IPVER}/forward.conf"
 		${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
 	fi
@@ -447,44 +478,60 @@ function enable_nat {
 
 	if [ -e "${FWCONFIGDIR}/ipv${IPVER}/nat.conf" ]; then
 		${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/nat.conf successful"
-		while read -r type srcinterface srcaddress dstinterface dstaddress; do
+		ORIG_NAT=${NAT}
+		while read -r type srcinterface srcaddress dstinterface dstaddress custom; do
+			NAT=${ORIG_NAT}
 			[[ ${type} = \#* ]] && continue
 			[[ ${type} = "" ]] && continue
-			([[ ${type} != "SNAT" ]] && [[ ${type} != "MASQ" ]] && [[ ${type} != "NETMAP" ]]) \
-					&& ${display} RED "nat.conf: Error - must begin with SNAT/MASQ/NETMAP: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}" && continue
+			([[ ${type} != "SNAT" ]] && [[ ${type} != "MASQ" ]] && [[ ${type} != "NETMAP" ]] && [[ ${type} != "ACCEPT" ]]) \
+					&& ${display} RED "nat.conf: Error - must begin with SNAT/MASQ/NETMAP/ACCEPT: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} ${custom}" && continue
 
 			# Do some creative work with variables to make building the iptables rules fairly painless
-			[[ ${srcaddress} != "-" ]] && revsrcaddress="-d ${srcaddress}"
-			[[ ${dstinterface} != "-" ]] && revdstinterface="-i ${dstinterface}"
-			[[ ${srcinterface} != "-" ]] && revsrcinterface="-o ${srcinterface}"
-			[[ ${srcinterface} != "-" ]] && srcinterface="-i ${srcinterface}"
+			#[[ ${srcaddress} != "-" ]] && revsrcaddress="-d ${srcaddress}"
+			#[[ ${dstinterface} != "-" ]] && revdstinterface="-i ${dstinterface}"
+			#[[ ${srcinterface} != "-" ]] && revsrcinterface="-o ${srcinterface}"
+			#[[ ${srcinterface} != "-" ]] && srcinterface="-i ${srcinterface}"
 			[[ ${dstinterface} != "-" ]] && dstinterface="-o ${dstinterface}"
-			([[ ${srcaddress} != "-" ]] && [[ ${type} != "NETMAP" ]]) && srcaddress="-s ${srcaddress}"
+			[[ ${srcaddress} != "-" ]] && srcaddress="-s ${srcaddress}"
+			([[ ${srcinterface} != "-" ]] && [[ ${type} == "SNAT" ]]) && srcinterface="-"
 			
 			([[ ${dstinterface} != "-" ]] && [[ ${type} == "MASQ" ]]) && action="-j MASQUERADE" 
 			([[ ${dstinterface} == "-" ]] && [[ ${type} == "MASQ" ]]) && \
 					${display} RED "nat.conf: Error - MASQ rule can not have empty destination interface: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}" \
 					&& continue
 
+			([[ ${dstaddress} != "-" ]] && [[ ${type} == "ACCEPT" ]]) && action="-j ACCEPT" && dstaddress="-d ${dstaddress}"
 			([[ ${dstaddress} != "-" ]] && [[ ${type} == "SNAT" ]]) && action="-j SNAT" && dstaddress="--to-source ${dstaddress}"
 			([[ ${dstaddress} == "-" ]] && [[ ${type} == "SNAT" ]]) && \
 					${display} RED "nat.conf: Error - SNAT rule can not have empty destination address: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress}" \
 					&& continue
 
-			([[ ${srcaddress} != "-" ]] && [[ ${dstaddress} != "-" ]] && [[ ${type} == "NETMAP" ]]) && action="-j NETMAP" && srcaddress="-d ${srcaddress}" && dstaddress="--to ${dstaddress}"
+			[[ ${type} == "NETMAP" ]] && action="-j NETMAP"
+			([[ ${custom} == "" ]] && [[ ${type} == "NETMAP" ]]) && \
+					${display} RED "nat.conf: Error - NETMAP rule can not have empty custom address: ${DEFAULT_COLOR}${type} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} ${custom}" \
+					&& continue
+			([[ ${custom} != "" ]] && [[ ${type} == "NETMAP" ]]) && custom="--to ${custom}"
+			([[ ${dstaddress} != "-" ]] && [[ ${type} == "NETMAP" ]]) && dstaddress="-d ${dstaddress}"
+
+			# If we use a source interface, the rule can't go in a POSTROUTING table like what NAT is, so we punt it to PREROUTING
+			# or it won't work.  Plus we remove the destination interface too.
+			([[ ${srcinterface} != "-" ]] && [[ ${type} != "SNAT" ]]) && NAT="PREROUTING" && dstinterface="-" && srcinterface="-i ${srcinterface}"
+			#[[ ${srcinterface} != "-" ]] && NAT="PREROUTING" && dstinterface="-" && srcinterface="-i ${srcinterface}"
 			
 
-			${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol}"
+			${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${action} ${srcinterface} ${srcaddress} ${srcport} ${dstinterface} ${dstaddress} ${dstport} ${protocol} ${custom}"
 			
 			# Blank variables that we're not going to use.
 			[[ ${srcinterface} == "-" ]] && srcinterface=""
 			[[ ${dstinterface} == "-" ]] && dstinterface=""
 			[[ ${dstaddress} == "-" ]] && dstaddress=""
 			[[ ${srcaddress} == "-" ]] && srcaddress=""
+			[[ ${custom} == "-" ]] && custom=""
 
-			${VER_IPTABLES} -A ${NAT} -t nat ${srcaddress} ${action} ${dstinterface} ${dstaddress}
-			${VER_IPTABLES} -A ${FwdFilter} ${M_STATE} ${C_STATE} RELATED,ESTABLISHED,NEW ${srcinterface} ${srcaddress} ${dstinterface} -j ACCEPT
-			${VER_IPTABLES} -A ${FwdFilter} ${M_STATE} ${C_STATE} RELATED,ESTABLISHED ${revsrcinterface} ${revsrcaddress} ${revdstinterface} -j ACCEPT
+			${VER_IPTABLES} -A ${NAT} -t nat ${srcinterface} ${srcaddress} ${action} ${dstinterface} ${dstaddress} ${custom}
+			#${VER_IPTABLES} -A ${FwdFilter} ${M_STATE} ${C_STATE} RELATED,ESTABLISHED,NEW ${srcinterface} ${srcaddress} ${dstinterface} -j ACCEPT
+			#${VER_IPTABLES} -A ${FwdFilter} ${M_STATE} ${C_STATE} RELATED,ESTABLISHED ${revsrcinterface} ${revsrcaddress} ${revdstinterface} -j ACCEPT
+			unset type srcinterface srcaddress dstinterface dstaddress custom
 			done < "${FWCONFIGDIR}/ipv${IPVER}/nat.conf"
 		${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
 	fi
@@ -502,10 +549,10 @@ function enable_services {
 	${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
 	if [ -e "${FWCONFIGDIR}/ipv${IPVER}/services.conf" ]; then
 		${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/services.conf successful"
-		use_conntrack="no"
-		([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
-		([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
 		while read -r service protocol interface address srcaddress; do
+			use_conntrack="no"
+			([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
+			([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
 			multiport="no"
 			[[ ${service} = \#* ]] && continue
 			[[ -z ${service} ]] && continue
@@ -513,7 +560,7 @@ function enable_services {
 					&& ${display} RED "service.conf: Error - must begin with service name or port number: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}" && continue
 			[[ ${protocol} == "-" ]] \
 					&& ${display} RED "service.conf: Error - protocol can not be empty: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}" && continue
-			[[ ${service} =~ "," ]] && multiport="yes"
+			[[ ${service} =~ (-|:|,) ]] && multiport="yes"
 			# Do some creative work with variables to make building the iptables rules fairly painless
 			([[ ${service} != "-" ]] && [[ ${multiport} != "yes" ]]) && service="--dport ${service}"
 			([[ ${service} != "-" ]] && [[ ${multiport} == "yes" ]]) && service="-m multiport --dports ${service}"
@@ -530,9 +577,10 @@ function enable_services {
 			[[ ${srcaddress} == "-" ]] && srcaddress=""
 			
 			${VER_IPTABLES} -A ${InFilter} ${protocol} ${service} ${interface} ${address} ${srcaddress} ${conntrack_state} -j ACCEPT
-			
+			unset service protocol interface address srcaddress conntrack_state
 		done < "${FWCONFIGDIR}/ipv${IPVER}/services.conf"
 		${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
+		unset service protocol interface address srcaddress
 	fi
 }
 
@@ -575,10 +623,10 @@ function enable_portfw {
 	${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
 	if [ -e "${FWCONFIGDIR}/ipv${IPVER}/portfw.conf" ]; then
 		${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/portfw.conf successful"
-		use_conntrack="no"
-		([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
-		([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
 		while read -r service protocol intip intport interface address srcaddress; do
+			use_conntrack="no"
+			([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
+			([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) && conntrack_state="${M_STATE} ${C_STATE} NEW"
 			[[ ${service} = \#* ]] && continue
 			[[ -z ${service} ]] && continue
 			[[ ${service} == "-" ]] \
@@ -613,7 +661,7 @@ function enable_portfw {
 			
 			${VER_IPTABLES} -A ${PortForward} -t nat ${protocol} ${service} ${interface} ${address} ${srcaddress} -j DNAT ${intdest}
 			${VER_IPTABLES} -A ${FwdFilter} ${interface} ${intip} ${protocol} ${intport} ${srcaddress} ${conntrack_state} -j ACCEPT
-			
+			unset service protocol intip intport interface address srcaddress conntrack_state
 		done < "${FWCONFIGDIR}/ipv${IPVER}/portfw.conf"
 		${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
 	fi

release.json

@@ -0,0 +1,7 @@
+{
+    "version": "2.2.1",
+    "state": "stable",
+    "scope": "minor fixes",
+    "changes": "See CHANGELOG",
+    "download": "https://git.sosdg.org/brielle/SRFirewall/releases"
+}