* iptables.g (multiport_tcp_udp_port_spec): see #2245 fixed bug in

parser for iptables that prevented correct import of iptables rules
using module "multiport" with port range matches.

VERSION

@@ -7,7 +7,7 @@ FWB_MICRO_VERSION=0
 # build number is like "nano" version number. I am incrementing build
 # number during development cycle
 #
-BUILD_NUM="3526"
+BUILD_NUM="3527"
 
 VERSION="$FWB_MAJOR_VERSION.$FWB_MINOR_VERSION.$FWB_MICRO_VERSION.$BUILD_NUM"
 

VERSION.h

@@ -1,2 +1,2 @@
-#define VERSION      "4.2.0.3526"
+#define VERSION      "4.2.0.3527"
 #define GENERATION   "4.2"

doc/ChangeLog

@@ -1,3 +1,9 @@
+2011-04-15  vadim  <vadim@netcitadel.com>
+
+	* iptables.g (multiport_tcp_udp_port_spec): see #2245 fixed bug in
+	parser for iptables that prevented correct import of iptables rules
+	using module "multiport" with port range matches.
+
 2011-04-14  vadim  <vadim@netcitadel.com>
 
 	* CompilerDriver_pix_run.cpp (pixSecurityLevelChecks): see #2351

packaging/fwbuilder-static-qt.spec

@@ -3,7 +3,7 @@
 
 
 %define name    fwbuilder
-%define version 4.2.0.3526
+%define version 4.2.0.3527
 %define release 1
 
 %if "%_vendor" == "MandrakeSoft"

packaging/fwbuilder.control

@@ -4,6 +4,6 @@ Replaces: fwbuilder (<=4.1.1-1), fwbuilder-common, fwbuilder-bsd, fwbuilder-linu
 Priority: extra
 Section: checkinstall
 Maintainer: vadim@fwbuilder.org
-Version: 4.2.0.3526-1
+Version: 4.2.0.3527-1
 Depends: libqt4-gui (>= 4.3.0), libxml2, libxslt1.1, libsnmp | libsnmp15
 Description: Firewall Builder GUI and policy compilers

packaging/fwbuilder.spec

@@ -1,6 +1,6 @@
 
 %define name    fwbuilder
-%define version 4.2.0.3526
+%define version 4.2.0.3527
 %define release 1
 
 %if "%_vendor" == "MandrakeSoft"

src/parsers/IPTCfgParser.cpp

@@ -1406,7 +1406,7 @@ void IPTCfgParser::multiport_tcp_udp_port_spec() {
 				
 #line 1408 "IPTCfgParser.cpp"
 			}
-			port_def_no_range();
+			port_def_with_range();
 			if ( inputState->guessing==0 ) {
 #line 899 "iptables.g"
 				
@@ -1418,7 +1418,7 @@ void IPTCfgParser::multiport_tcp_udp_port_spec() {
 			for (;;) {
 				if ((LA(1) == COMMA)) {
 					match(COMMA);
-					port_def_no_range();
+					port_def_with_range();
 					if ( inputState->guessing==0 ) {
 #line 903 "iptables.g"
 						
@@ -1449,7 +1449,7 @@ void IPTCfgParser::multiport_tcp_udp_port_spec() {
 				
 #line 1451 "IPTCfgParser.cpp"
 			}
-			port_def_no_range();
+			port_def_with_range();
 			if ( inputState->guessing==0 ) {
 #line 915 "iptables.g"
 				
@@ -1461,7 +1461,7 @@ void IPTCfgParser::multiport_tcp_udp_port_spec() {
 			for (;;) {
 				if ((LA(1) == COMMA)) {
 					match(COMMA);
-					port_def_no_range();
+					port_def_with_range();
 					if ( inputState->guessing==0 ) {
 #line 919 "iptables.g"
 						
@@ -1492,7 +1492,7 @@ void IPTCfgParser::multiport_tcp_udp_port_spec() {
 				
 #line 1494 "IPTCfgParser.cpp"
 			}
-			port_def_no_range();
+			port_def_with_range();
 			if ( inputState->guessing==0 ) {
 #line 931 "iptables.g"
 				
@@ -1504,7 +1504,7 @@ void IPTCfgParser::multiport_tcp_udp_port_spec() {
 			for (;;) {
 				if ((LA(1) == COMMA)) {
 					match(COMMA);
-					port_def_no_range();
+					port_def_with_range();
 					if ( inputState->guessing==0 ) {
 #line 935 "iptables.g"
 						
@@ -3561,47 +3561,6 @@ void IPTCfgParser::pkt_type_spec() {
 	}
 }
 
-void IPTCfgParser::port_def_no_range() {
-	
-	try {      // for error handling
-		{
-		switch ( LA(1)) {
-		case WORD:
-		{
-			match(WORD);
-			break;
-		}
-		case INT_CONST:
-		{
-			match(INT_CONST);
-			break;
-		}
-		default:
-		{
-			throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
-		}
-		}
-		}
-		if ( inputState->guessing==0 ) {
-#line 983 "iptables.g"
-			
-			importer->tmp_port_range_start = LT(0)->getText();
-			importer->tmp_port_range_end = LT(0)->getText();
-			*dbg << " PORT=" << LT(0)->getText();
-			
-#line 3593 "IPTCfgParser.cpp"
-		}
-	}
-	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
-		if( inputState->guessing == 0 ) {
-			reportError(ex);
-			recover(ex,_tokenSet_9);
-		} else {
-			throw;
-		}
-	}
-}
-
 /****************************************************************
  * port definition that allows for port range. That parser should
  * recognize constructs
@@ -3639,7 +3598,7 @@ void IPTCfgParser::port_def_with_range() {
 			importer->tmp_port_range_end = LT(0)->getText();
 			*dbg << " PORT=" << LT(0)->getText();
 			
-#line 3643 "IPTCfgParser.cpp"
+#line 3602 "IPTCfgParser.cpp"
 		}
 		{
 		switch ( LA(1)) {
@@ -3670,6 +3629,7 @@ void IPTCfgParser::port_def_with_range() {
 			case OPT_PROTO:
 			case OPT_TARGET:
 			case OPT_FRAGM:
+			case COMMA:
 			case MATCH_LIMIT:
 			case MATCH_LIMIT_BURST:
 			case MATCH_IPRANGE_SRC:
@@ -3701,7 +3661,7 @@ void IPTCfgParser::port_def_with_range() {
 				importer->tmp_port_range_end = LT(0)->getText();
 				*dbg << ":" << LT(0)->getText();
 				
-#line 3705 "IPTCfgParser.cpp"
+#line 3665 "IPTCfgParser.cpp"
 			}
 			break;
 		}
@@ -3717,6 +3677,7 @@ void IPTCfgParser::port_def_with_range() {
 		case OPT_PROTO:
 		case OPT_TARGET:
 		case OPT_FRAGM:
+		case COMMA:
 		case MATCH_LIMIT:
 		case MATCH_LIMIT_BURST:
 		case MATCH_IPRANGE_SRC:
@@ -3746,7 +3707,48 @@ void IPTCfgParser::port_def_with_range() {
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
 		if( inputState->guessing == 0 ) {
 			reportError(ex);
-			recover(ex,_tokenSet_5);
+			recover(ex,_tokenSet_9);
+		} else {
+			throw;
+		}
+	}
+}
+
+void IPTCfgParser::port_def_no_range() {
+	
+	try {      // for error handling
+		{
+		switch ( LA(1)) {
+		case WORD:
+		{
+			match(WORD);
+			break;
+		}
+		case INT_CONST:
+		{
+			match(INT_CONST);
+			break;
+		}
+		default:
+		{
+			throw ANTLR_USE_NAMESPACE(antlr)NoViableAltException(LT(1), getFilename());
+		}
+		}
+		}
+		if ( inputState->guessing==0 ) {
+#line 983 "iptables.g"
+			
+			importer->tmp_port_range_start = LT(0)->getText();
+			importer->tmp_port_range_end = LT(0)->getText();
+			*dbg << " PORT=" << LT(0)->getText();
+			
+#line 3746 "IPTCfgParser.cpp"
+		}
+	}
+	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
+		if( inputState->guessing == 0 ) {
+			reportError(ex);
+			recover(ex,_tokenSet_0);
 		} else {
 			throw;
 		}
@@ -3782,7 +3784,7 @@ void IPTCfgParser::port_def_with_incomplete_range() {
 			importer->tmp_port_range_end = LT(0)->getText();
 			*dbg << "PORT 0:" << LT(0)->getText();
 			
-#line 3786 "IPTCfgParser.cpp"
+#line 3788 "IPTCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -3810,7 +3812,7 @@ void IPTCfgParser::syn() {
 			importer->tcp_flags_comp.clear();
 			importer->tcp_flags_comp.push_back(libfwbuilder::TCPService::SYN);
 			
-#line 3814 "IPTCfgParser.cpp"
+#line 3816 "IPTCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -3834,7 +3836,7 @@ void IPTCfgParser::tcp_flags() {
 			importer->tcp_flags_mask = importer->tmp_tcp_flags_list;
 			importer->tmp_tcp_flags_list.clear();
 			
-#line 3838 "IPTCfgParser.cpp"
+#line 3840 "IPTCfgParser.cpp"
 		}
 		tcp_flags_list();
 		if ( inputState->guessing==0 ) {
@@ -3849,7 +3851,7 @@ void IPTCfgParser::tcp_flags() {
 			foreach(int x, importer->tcp_flags_comp)
 			*dbg << x << "|";
 			
-#line 3853 "IPTCfgParser.cpp"
+#line 3855 "IPTCfgParser.cpp"
 		}
 	}
 	catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@@ -3889,7 +3891,7 @@ void IPTCfgParser::tcp_flag_word() {
 			if ( inputState->guessing==0 ) {
 #line 1118 "iptables.g"
 				importer->tmp_tcp_flag_code = libfwbuilder::TCPService::SYN;
-#line 3893 "IPTCfgParser.cpp"
+#line 3895 "IPTCfgParser.cpp"
 			}
 			break;
 		}
@@ -3899,7 +3901,7 @@ void IPTCfgParser::tcp_flag_word() {
 			if ( inputState->guessing==0 ) {
 #line 1120 "iptables.g"
 				importer->tmp_tcp_flag_code = libfwbuilder::TCPService::ACK;
-#line 3903 "IPTCfgParser.cpp"
+#line 3905 "IPTCfgParser.cpp"
 			}
 			break;
 		}
@@ -3909,7 +3911,7 @@ void IPTCfgParser::tcp_flag_word() {
 			if ( inputState->guessing==0 ) {
 #line 1122 "iptables.g"
 				importer->tmp_tcp_flag_code = libfwbuilder::TCPService::FIN;
-#line 3913 "IPTCfgParser.cpp"
+#line 3915 "IPTCfgParser.cpp"
 			}
 			break;
 		}
@@ -3919,7 +3921,7 @@ void IPTCfgParser::tcp_flag_word() {
 			if ( inputState->guessing==0 ) {
 #line 1124 "iptables.g"
 				importer->tmp_tcp_flag_code = libfwbuilder::TCPService::RST;
-#line 3923 "IPTCfgParser.cpp"
+#line 3925 "IPTCfgParser.cpp"
 			}
 			break;
 		}
@@ -3929,7 +3931,7 @@ void IPTCfgParser::tcp_flag_word() {
 			if ( inputState->guessing==0 ) {
 #line 1126 "iptables.g"
 				importer->tmp_tcp_flag_code = libfwbuilder::TCPService::URG;
-#line 3933 "IPTCfgParser.cpp"
+#line 3935 "IPTCfgParser.cpp"
 			}
 			break;
 		}
@@ -3939,7 +3941,7 @@ void IPTCfgParser::tcp_flag_word() {
 			if ( inputState->guessing==0 ) {
 #line 1128 "iptables.g"
 				importer->tmp_tcp_flag_code = libfwbuilder::TCPService::PSH;
-#line 3943 "IPTCfgParser.cpp"
+#line 3945 "IPTCfgParser.cpp"
 			}
 			break;
 		}
@@ -3949,7 +3951,7 @@ void IPTCfgParser::tcp_flag_word() {
 			if ( inputState->guessing==0 ) {
 #line 1130 "iptables.g"
 				importer->tmp_tcp_flag_code = 99;
-#line 3953 "IPTCfgParser.cpp"
+#line 3955 "IPTCfgParser.cpp"
 			}
 			break;
 		}
@@ -3959,7 +3961,7 @@ void IPTCfgParser::tcp_flag_word() {
 			if ( inputState->guessing==0 ) {
 #line 1132 "iptables.g"
 				importer->tmp_tcp_flag_code = 98;
-#line 3963 "IPTCfgParser.cpp"
+#line 3965 "IPTCfgParser.cpp"
 			}
 			break;
 		}
@@ -3989,7 +3991,7 @@ void IPTCfgParser::tcp_flags_list() {
 			importer->tmp_tcp_flags_list.clear();
 			importer->tmp_tcp_flag_code = 0;
 			
-#line 3993 "IPTCfgParser.cpp"
+#line 3995 "IPTCfgParser.cpp"
 		}
 		tcp_flag_word();
 		if ( inputState->guessing==0 ) {
@@ -3997,7 +3999,7 @@ void IPTCfgParser::tcp_flags_list() {
 			
 			importer->tmp_tcp_flags_list.push_back(importer->tmp_tcp_flag_code);
 			
-#line 4001 "IPTCfgParser.cpp"
+#line 4003 "IPTCfgParser.cpp"
 		}
 		{ // ( ... )*
 		for (;;) {
@@ -4010,7 +4012,7 @@ void IPTCfgParser::tcp_flags_list() {
 					importer->tmp_tcp_flags_list.push_back(
 					importer->tmp_tcp_flag_code);
 					
-#line 4014 "IPTCfgParser.cpp"
+#line 4016 "IPTCfgParser.cpp"
 				}
 			}
 			else {

src/parsers/IPTCfgParser.hpp

@@ -144,8 +144,8 @@ public:
 	public: void recent_args_param();
 	public: void length_spec();
 	public: void pkt_type_spec();
-	public: void port_def_no_range();
 	public: void port_def_with_range();
+	public: void port_def_no_range();
 	public: void port_def_with_incomplete_range();
 	public: void syn();
 	public: void tcp_flags();

src/parsers/iptables.g

@@ -895,11 +895,11 @@ multiport_tcp_udp_port_spec :
                     importer->startSrcMultiPort();
                     *dbg << " SRC MULTIPORT=";
                 }
-                port_def_no_range
+                port_def_with_range
                 {
                     importer->pushTmpPortSpecToSrcPortList();
                 }
-                ( COMMA port_def_no_range
+                ( COMMA port_def_with_range
                     {
                         importer->pushTmpPortSpecToSrcPortList();
                     }
@@ -911,11 +911,11 @@ multiport_tcp_udp_port_spec :
                     importer->startDstMultiPort();
                     *dbg << " DST MULTIPORT=";
                 }
-                port_def_no_range
+                port_def_with_range
                 {
                     importer->pushTmpPortSpecToDstPortList();
                 }
-                ( COMMA port_def_no_range
+                ( COMMA port_def_with_range
                     {
                         importer->pushTmpPortSpecToDstPortList();
                     }
@@ -927,11 +927,11 @@ multiport_tcp_udp_port_spec :
                     importer->startBothMultiPort();
                     *dbg << " MULTIPORT PORTS=";
                 }
-                port_def_no_range
+                port_def_with_range
                 {
                     importer->pushTmpPortSpecToBothPortList();
                 }
-                ( COMMA port_def_no_range
+                ( COMMA port_def_with_range
                     {
                         importer->pushTmpPortSpecToBothPortList();
                     }

src/unit_tests/ImporterTest/test_data/ipt.output

@@ -25,59 +25,59 @@
 42: New interface: eth0
 42: Warning: Creating branch ruleset 'Policy_eth1' to match inbound and outbound interfaces -i eth0 -o eth1
 103: Warning: Rule matches states 'RELATED,ESTABLISHED'. Consider using automatic rule controlled by the checkbox in the firewall settings dialog. Automatic rule matches in all standard chains which may be different from the original imported configuration. This requires manual checking.
-193: Created branch user_chain_42_mod_match
-197: Created branch user_chain_43_mod_match
-198: Created branch user_chain_44_mod_match
-199: Created branch user_chain_45_mod_match
-202: Created branch user_chain_46_mod_match
-205: Created branch user_chain_47_mod_match
-208: Created branch user_chain_48_mod_match
-208: Error: Original rule combines match of tcp/udp/icmp protocols with two or more module matches, such as module 'mark', 'recent' or 'length'. Use additional branches to implement this complex match.
-208: Error: Error: Original rule combines match of tcp/udp/icmp protocols with two or more module matches, such as module 'mark', 'recent' or 'length'. Use additional branches to implement this complex match.
-209: Created branch user_chain_49_mod_match
-209: Error: Original rule combines match of tcp/udp/icmp protocols with two or more module matches, such as module 'mark', 'recent' or 'length'. Use additional branches to implement this complex match.
-209: Error: Error: Original rule combines match of tcp/udp/icmp protocols with two or more module matches, such as module 'mark', 'recent' or 'length'. Use additional branches to implement this complex match.
-220: New ruleset: mangle / PREROUTING
-220: Default action: Accept
-221: New ruleset: mangle / INPUT
-221: Default action: Accept
-222: New ruleset: mangle / FORWARD
-222: Default action: Accept
-223: New ruleset: mangle / OUTPUT
-223: Default action: Accept
-224: New ruleset: mangle / POSTROUTING
-224: Default action: Accept
-227: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD
-227: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD
-230: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD
-230: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD
-231: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD
-231: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD
-237: Warning: Skipping command with '-j CONNMARK --restore-mark' This rule is generated automatically.
-240: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
-240: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
-241: Warning: Turned option on in previous rule with action Mark for '-j CONNMARK --save-mark' 
-244: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
-244: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
-245: New interface: eth2
-245: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
-245: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
-249: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
-249: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
-250: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
-250: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
-255: New ruleset: nat / PREROUTING
-255: Default action: Accept
-256: New ruleset: nat / POSTROUTING
-256: Default action: Accept
-257: New ruleset: nat / OUTPUT
-257: Default action: Accept
-261: New interface: eth+
-288: Warning: Line 5: Added rule to reproduce default policy ACCEPT in filter/OUTPUT
-288: Warning: Line 222: Can not reproduce default action in table 'mangle' chain 'FORWARD'. (Generated rule may not generate equivalent iptables command when compiled)
-288: Warning: Line 222: Added rule to reproduce default policy ACCEPT in mangle/FORWARD
-288: Warning: Line 221: Can not reproduce default action in table 'mangle' chain 'INPUT'. (Generated rule may not generate equivalent iptables command when compiled)
-288: Warning: Line 221: Added rule to reproduce default policy ACCEPT in mangle/INPUT
-288: Warning: Line 223: Added rule to reproduce default policy ACCEPT in mangle/OUTPUT
-288: Warning: Line 224: Added rule to reproduce default policy ACCEPT in mangle/POSTROUTING
-288: Warning: Line 220: Added rule to reproduce default policy ACCEPT in mangle/PREROUTING
+212: Created branch user_chain_54_mod_match
+216: Created branch user_chain_55_mod_match
+217: Created branch user_chain_56_mod_match
+218: Created branch user_chain_57_mod_match
+221: Created branch user_chain_58_mod_match
+224: Created branch user_chain_59_mod_match
+227: Created branch user_chain_60_mod_match
+227: Error: Original rule combines match of tcp/udp/icmp protocols with two or more module matches, such as module 'mark', 'recent' or 'length'. Use additional branches to implement this complex match.
+227: Error: Error: Original rule combines match of tcp/udp/icmp protocols with two or more module matches, such as module 'mark', 'recent' or 'length'. Use additional branches to implement this complex match.
+228: Created branch user_chain_61_mod_match
+228: Error: Original rule combines match of tcp/udp/icmp protocols with two or more module matches, such as module 'mark', 'recent' or 'length'. Use additional branches to implement this complex match.
+228: Error: Error: Original rule combines match of tcp/udp/icmp protocols with two or more module matches, such as module 'mark', 'recent' or 'length'. Use additional branches to implement this complex match.
+239: New ruleset: mangle / PREROUTING
+239: Default action: Accept
+240: New ruleset: mangle / INPUT
+240: Default action: Accept
+241: New ruleset: mangle / FORWARD
+241: Default action: Accept
+242: New ruleset: mangle / OUTPUT
+242: Default action: Accept
+243: New ruleset: mangle / POSTROUTING
+243: Default action: Accept
+246: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD
+246: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD
+249: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD
+249: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD
+250: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD
+250: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD
+256: Warning: Skipping command with '-j CONNMARK --restore-mark' This rule is generated automatically.
+259: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
+259: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
+260: Warning: Turned option on in previous rule with action Mark for '-j CONNMARK --save-mark' 
+263: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
+263: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
+264: New interface: eth2
+264: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
+264: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
+268: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
+268: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
+269: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
+269: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
+274: New ruleset: nat / PREROUTING
+274: Default action: Accept
+275: New ruleset: nat / POSTROUTING
+275: Default action: Accept
+276: New ruleset: nat / OUTPUT
+276: Default action: Accept
+280: New interface: eth+
+309: Warning: Line 5: Added rule to reproduce default policy ACCEPT in filter/OUTPUT
+309: Warning: Line 241: Can not reproduce default action in table 'mangle' chain 'FORWARD'. (Generated rule may not generate equivalent iptables command when compiled)
+309: Warning: Line 241: Added rule to reproduce default policy ACCEPT in mangle/FORWARD
+309: Warning: Line 240: Can not reproduce default action in table 'mangle' chain 'INPUT'. (Generated rule may not generate equivalent iptables command when compiled)
+309: Warning: Line 240: Added rule to reproduce default policy ACCEPT in mangle/INPUT
+309: Warning: Line 242: Added rule to reproduce default policy ACCEPT in mangle/OUTPUT
+309: Warning: Line 243: Added rule to reproduce default policy ACCEPT in mangle/POSTROUTING
+309: Warning: Line 239: Added rule to reproduce default policy ACCEPT in mangle/PREROUTING

src/unit_tests/ImporterTest/test_data/ipt.test

@@ -179,6 +179,25 @@
 -A user_chain -m multiport -s 128.143.0.0/16 -p tcp --ports 548,201,202,204,206 -j ACCEPT
 -A user_chain -m multiport -s 128.143.0.0/16 -p tcp --ports 2222 -j ACCEPT
 
+# various port range cases
+# it is unclear if multiport supports open-ended ranges such as ":1024" or "1024:"
+#
+-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --dports 201:206,311 -j ACCEPT
+-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --dports 548,201:206 -j ACCEPT
+-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --dports 548,201:206,311:315 -j ACCEPT
+-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --dports 201:206,311:315,548 -j ACCEPT
+
+-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --sports 201:206,311 -j ACCEPT
+-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --sports 548,201:206 -j ACCEPT
+-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --sports 548,201:206,311:315 -j ACCEPT
+-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --sports 201:206,311:315,548 -j ACCEPT
+
+-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --ports 201:206,311 -j ACCEPT
+-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --ports 548,201:206 -j ACCEPT
+-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --ports 548,201:206,311:315 -j ACCEPT
+-A user_chain -m multiport -s 128.143.0.0/16 -p tcp --ports 201:206,311:315,548 -j ACCEPT
+
+
 # icmp
 -A user_chain -p icmp -s 128.143.0.0/16 --icmp-type any  -j ACCEPT
 -A user_chain -p icmp -s 128.143.0.0/16 --icmp-type 3  -j ACCEPT
@@ -274,6 +293,8 @@ COMMIT
 -A PREROUTING  -p tcp -m tcp   -d 222.222.222.222 --dport 4000:4010 -j DNAT --to-destination 192.168.1.10:4000-4010 
 -A PREROUTING  -p tcp -m tcp -m multiport   -d 222.222.222.222 --dports 6667,3128,113,53,21,80,119,25,22,23,540,70,13,2105,443 -j DNAT --to-destination 192.168.1.10 
 
+-A PREROUTING -d 222.222.222.13/32 -p tcp -m multiport --dports 1720,3230:3243 -j DNAT --to-destination 192.168.1.212
+
 # numeric protocol spec
 -A PREROUTING -d 192.168.3.145 -i eth0 -p 47 -j DNAT --to-destination 1.1.1.1