5 files changed, 71 insertions, 12 deletions

diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in
index 78a48a522..07a36093f 100644
--- a/interface-definitions/firewall.xml.in
+++ b/interface-definitions/firewall.xml.in
@@ -182,6 +182,9 @@
                     <description>Numbered port range (e.g. 1001-1050)</description>
                   </valueHelp>
                   <multi/>
+                  <constraint>
+                    <validator name="port-range"/>
+                  </constraint>
                 </properties>
               </leafNode>
             </children>
diff --git a/interface-definitions/include/firewall/port.xml.i b/interface-definitions/include/firewall/port.xml.i
index 59d92978b..3bacafff8 100644
--- a/interface-definitions/include/firewall/port.xml.i
+++ b/interface-definitions/include/firewall/port.xml.i
@@ -16,8 +16,11 @@
     </valueHelp>
     <valueHelp>
       <format> </format>
-      <description>\n\n  Multiple destination ports can be specified as a comma-separated list.\n  The whole list can also be negated using '!'.\n  For example: '!22,telnet,http,123,1001-1005'</description>
+      <description>\n\n  Multiple destination ports can be specified as a comma-separated list.\n  For example: 'telnet,http,123,1001-1005'</description>
     </valueHelp>
+    <constraint>
+      <validator name="port-multi"/>
+    </constraint>
   </properties>
 </leafNode>
 <!-- include end -->
diff --git a/src/validators/ipv4-range b/src/validators/ipv4-range
index cc59039f1..6492bfc52 100755
--- a/src/validators/ipv4-range
+++ b/src/validators/ipv4-range
@@ -7,6 +7,11 @@ ip2dec () {
     printf '%d\n' "$((a * 256 ** 3 + b * 256 ** 2 + c * 256 + d))"
 }
 
+error_exit() {
+  echo "Error: $1 is not a valid IPv4 address range"
+  exit 1
+}
+
 # Only run this if there is a hypen present in $1
 if [[ "$1" =~ "-" ]]; then
   # This only works with real bash (<<<) - split IP addresses into array with
@@ -15,21 +20,21 @@ if [[ "$1" =~ "-" ]]; then
 
   ipaddrcheck --is-ipv4-single ${strarr[0]}
   if [ $? -gt 0 ]; then
-    exit 1
+    error_exit $1
   fi
 
   ipaddrcheck --is-ipv4-single ${strarr[1]}
   if [ $? -gt 0 ]; then
-    exit 1
+    error_exit $1
   fi
 
   start=$(ip2dec ${strarr[0]})
   stop=$(ip2dec ${strarr[1]})
   if [ $start -ge $stop ]; then
-    exit 1
+    error_exit $1
   fi
 
   exit 0
 fi
 
-exit 1
+error_exit $1
diff --git a/src/validators/port-multi b/src/validators/port-multi
new file mode 100755
index 000000000..763d34e57
--- /dev/null
+++ b/src/validators/port-multi
@@ -0,0 +1,43 @@
+#!/usr/bin/python3
+
+import sys
+import re
+
+from vyos.util import read_file
+
+services_file = '/etc/services'
+
+def get_services():
+    names = []
+    service_data = read_file(services_file, "")
+    for line in service_data.split("\n"):
+        if not line or line[0] == '#':
+            continue
+        names.append(line.split(None, 1)[0])
+    return names
+
+if __name__ == '__main__':
+    if len(sys.argv)>1:
+        ports = sys.argv[1].split(",")
+        services = get_services()
+
+        for port in ports:
+            if re.match('^[0-9]{1,5}-[0-9]{1,5}$', port):
+                port_1, port_2 = port.split('-')
+                if int(port_1) not in range(1, 65535) or int(port_2) not in range(1, 65535):
+                    print(f'Error: {port} is not a valid port range')
+                    sys.exit(1)
+                if int(port_1) > int(port_2):
+                    print(f'Error: {port} is not a valid port range')
+                    sys.exit(1)
+            elif port.isnumeric():
+                if int(port) not in range(1, 65535):
+                    print(f'Error: {port} is not a valid port')
+                    sys.exit(1)
+            elif port not in services:
+                print(f'Error: {port} is not a valid service name')
+                sys.exit(1)
+    else:
+        sys.exit(2)
+
+    sys.exit(0)
diff --git a/src/validators/port-range b/src/validators/port-range
index abf0b09d5..657a21e20 100755
--- a/src/validators/port-range
+++ b/src/validators/port-range
@@ -3,16 +3,21 @@
 import sys
 import re
 
+def error(port_range):
+    print(f'Error: {port_range} is not a valid port or port range')
+    sys.exit(1)
+
 if __name__ == '__main__':
     if len(sys.argv)>1:
         port_range = sys.argv[1]
-        if re.search('[0-9]{1,5}-[0-9]{1,5}', port_range):
-            for tmp in port_range.split('-'):
-                if int(tmp) not in range(1, 65535):
-                    sys.exit(1)
-        else:
-            if int(port_range) not in range(1, 65535):
-                sys.exit(1)
+        if re.match('^[0-9]{1,5}-[0-9]{1,5}$', port_range):
+            port_1, port_2 = port_range.split('-')
+            if int(port_1) not in range(1, 65535) or int(port_2) not in range(1, 65535):
+                error(port_range)
+            if int(port_1) > int(port_2):
+                error(port_range)
+        elif not port_range.isnumeric() or int(port_range) not in range(1, 65535):
+                error(port_range)
     else:
         sys.exit(2)