author | Gaurav Sinha <gaurav.sinha@vyatta.com> | 2012-04-30 16:12:05 -0700 |
---|---|---|
committer | Gaurav Sinha <gaurav.sinha@vyatta.com> | 2012-04-30 16:12:05 -0700 |
commit | 6fe2161e469ef7a4aeffcdb9567611481204d144 (patch) | |
tree | 03687452f0b3d15830bb323ff6b85063e966d966 | |
parent | ca1b8b565f86245cf413fb14a3e4a4e5a1a3a1de (diff) | |
download | vyatta-cfg-firewall-6fe2161e469ef7a4aeffcdb9567611481204d144.tar.gz vyatta-cfg-firewall-6fe2161e469ef7a4aeffcdb9567611481204d144.zip |
Service names with a hyphen need to be escaped using square brackets.
-rwxr-xr-x | lib/Vyatta/IpTables/IpSet.pm | 12 | ||||
-rwxr-xr-x | scripts/firewall/vyatta-ipset.pl | 27 |
2 files changed, 27 insertions, 12 deletions
diff --git a/lib/Vyatta/IpTables/IpSet.pm b/lib/Vyatta/IpTables/IpSet.pm
index 607333c..583085e 100755
--- a/lib/Vyatta/IpTables/IpSet.pm
+++ b/lib/Vyatta/IpTables/IpSet.pm
@@ -337,12 +337,14 @@ sub add_member_range {
 }
 sub add_member {
- my ($self, $member, $alias) = @_;
+ my ($self, $member, $alias, $hyphenated_port) = @_;
 return "Error: undefined group name" if ! defined $self->{_name};
 return "Error: group [$self->{_name}] doesn't exists\n" if !$self->exists();
- if ($member =~ /^([^-]+)-([^-]+)$/) {
+ # service name or port name may contain a hyphen, which needs to be escaped
+ # using square brackets in ipset, to avoid confusion with port ranges
+ if (($member =~ /^([^-]+)-([^-]+)$/) and ($hyphenated_port eq 'false')) {
 return $self->add_member_range($1, $2, $alias);
 }
@@ -378,12 +380,14 @@ sub delete_member_range {
 }
 sub delete_member {
- my ($self, $member) = @_;
+ my ($self, $member, $hyphenated_port) = @_;
 return "Error: undefined group name" if ! defined $self->{_name};
 return "Error: group [$self->{_name}] doesn't exists\n" if !$self->exists();
- if ($member =~ /^([^-]+)-([^-]+)$/) {
+ # service name or port name may contain a hyphen, which needs to be escaped
+ # using square brackets in ipset, to avoid confusion with port ranges
+ if (($member =~ /^([^-]+)-([^-]+)$/) and ($hyphenated_port eq 'false')) {
 return $self->delete_member_range($1, $2);
 }
diff --git a/scripts/firewall/vyatta-ipset.pl b/scripts/firewall/vyatta-ipset.pl
index 90abc34..ef964f3 100755
--- a/scripts/firewall/vyatta-ipset.pl
+++ b/scripts/firewall/vyatta-ipset.pl
@@ -62,19 +62,30 @@ sub ipset_check_member {
 }
 sub ipset_add_member {
- my ($set_name, $member, $alias) = @_;
-
+ my ($set_name, $member, $alias, $set_type) = @_;
+ my $hyphenated_port = 'false';
+ if (($set_type eq 'port') and ($member =~ /^\D\w+-\w*/)){
+ $member = "\[$member]";
+ $hyphenated_port = 'true';
+ }
+
 die "Error: undefined member" if ! defined $member;
 my $group = new Vyatta::IpTables::IpSet($set_name);
- return $group->add_member($member, $alias);
+ return $group->add_member($member, $alias, $hyphenated_port);
 }
 sub ipset_delete_member {
- my ($set_name, $member) = @_;
+ my ($set_name, $member, $set_type) = @_;
+
+ my $hyphenated_port = 'false';
+ if (($set_type eq 'port') and ($member =~ /^\D\w+-\w*/)){
+ $member = "\[$member]";
+ $hyphenated_port = 'true';
+ }
 die "Error: undefined member" if ! defined $member;
 my $group = new Vyatta::IpTables::IpSet($set_name);
- return $group->delete_member($member);
+ return $group->delete_member($member, $hyphenated_port);
 }
 sub ipset_check_set_type {
@@ -245,11 +256,11 @@ sub update_set {
 my %vals = $cfg->compareValueLists(\@ovals, \@nvals);
 while (1) {
 for my $d (@{$vals{deleted}}) {
- last if (($rc = ipset_delete_member($tmpset, $d)));
+ last if (($rc = ipset_delete_member($tmpset, $d, $set_type)));
 }
 last if ($rc);
 for my $a (@{$vals{added}}) {
- last if (($rc = ipset_add_member($tmpset, $a, $set_name)));
+ last if (($rc = ipset_add_member($tmpset, $a, $set_name, $set_type)));
 }
 last;
 }
@@ -306,7 +317,7 @@ $rc = ipset_delete($set_name) if $action eq 'delete-set';
 $rc = ipset_check_member($set_name, $set_type, $member) if $action eq 'check-member';
-$rc = ipset_add_member($set_name, $member, $alias) if $action eq 'add-member';
+$rc = ipset_add_member($set_name, $member, $alias, $set_type) if $action eq 'add-member';
 $rc = ipset_delete_member($set_name, $member) if $action eq 'delete-member';
|
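Review bot: The new `$hyphenated_port` parameter of add_member has no default, so any caller that this commit does not update passes undef; `undef eq 'false'` is false, which means a genuine range such as `1000-2000` from such a caller is no longer routed to add_member_range (plus an uninitialized-value warning if warnings are on). Defaulting the flag before the comparison keeps existing callers working: `$hyphenated_port = 'false' unless defined $hyphenated_port;`. The same applies to delete_member in the second hunk of this file. Carrying the flag as the strings 'true'/'false' is also fragile, since `0`, `''` or `'FALSE'` would all be treated as "hyphenated" here; testing `!$hyphenated_port` and having callers pass 1/0 is more robust. add_member's body continues past the end of the hunk.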
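Review bot: In ipset_add_member the new bracketing block runs before the `die "Error: undefined member"` guard, so an undefined `$member` now reaches `$member =~ /^\D\w+-\w*/` (and an undefined `$set_type` reaches `eq 'port'`) before the check fires; moving the guard above the block and testing `defined $set_type` keeps the error path clean and warning-free. The same block is copied verbatim into ipset_delete_member, so a small helper returning the escaped member and the flag avoids the two copies drifting apart. `"\[$member]"` is just `"[$member]"` in a double-quoted string. Both subroutines are complete within the hunk.
```perl
# Wrap a hyphenated service/port name in square brackets so ipset does not
# read it as a port range; returns the (possibly escaped) member and the flag.
sub _escape_hyphenated_port {
    my ($member, $set_type) = @_;
    if (defined $set_type and $set_type eq 'port' and $member =~ /^\D\w+-\w*/) {
        return ("[$member]", 'true');
    }
    return ($member, 'false');
}

sub ipset_add_member {
    my ($set_name, $member, $alias, $set_type) = @_;
    die "Error: undefined member" if ! defined $member;
    my ($escaped, $hyphenated_port) = _escape_hyphenated_port($member, $set_type);
    my $group = new Vyatta::IpTables::IpSet($set_name);
    return $group->add_member($escaped, $alias, $hyphenated_port);
}
# … ipset_delete_member: same shape, ending in $group->delete_member($escaped, $hyphenated_port) …
```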
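Review bot: The `delete-member` dispatch line in the last hunk is left unchanged, so `ipset_delete_member($set_name, $member)` is still called without the new `$set_type` argument; inside the subroutine the lexical `$set_type` is then undef, the bracketing never happens, and a hyphenated service name removed through this action is still parsed as a range by IpSet.pm's delete_member, while the `add-member` line directly above was updated. The line should read `$rc = ipset_delete_member($set_name, $member, $set_type) if $action eq 'delete-member';`. Whether `$set_type` is populated for the delete-member action by the option parsing above this hunk is not visible here.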