Add and fix port range rules and update documentation for it

2025-09-01 18:19:12 +00:00 · 2021-10-13 17:34:48 +02:00 · 2021-10-13 17:34:48 +02:00 · 8a4ac913a1
commit 8a4ac913a1
parent d0c1010311
3 changed files with 23 additions and 5 deletions
--- a/profile/config.go
+++ b/profile/config.go
@ -182,12 +182,24 @@ func registerConfiguration() error {
 - Match anything: "*"

 Additionally, you may supply a protocol and port just behind that using numbers ("6/80") or names ("TCP/HTTP").  
-In this case the rule is only matched if the protocol and port also match.  
-Example: "192.168.0.1 TCP/HTTP"
+Port ranges are defined by using a hyphen ("TCP/1-1024"). Omit the port to match any.  
+Use a "*" for matching any protocol. If matching ports with any protocol, protocols without ports will not match.  
+Rules with protocol and port definitions only match if the protocol and port also match.  
+Ports are always compared to the destination port, thus, the local listening port for incoming connections.  
+Examples: "192.168.0.1 TCP/HTTP", "LAN UDP/50000-55000", "example.com */HTTPS", "1.1.1.1 ICMP"

 Important: DNS Requests are only matched against domain and filter list rules, all others require an IP address and are checked only with the following IP connection.
 `, `"`, "`")

+	rulesValidationRegex := strings.Join([]string{
+		`^(\+|\-) `,                   // Rule verdict.
+		`[A-z0-9\.:\-*/]+`,            // Entity matching.
+		`( `,                          // Start of optional matching.
+		`[A-z0-9*]+`,                  // Protocol matching.
+		`(/[A-z0-9]+(\-[A-z0-9]+)?)?`, // Port and port range matching.
+		`)?$`,                         // End of optional matching.
+	}, "")
+
 	// Endpoint Filter List
 	err = config.Register(&config.Option{
 		Name:         "Outgoing Rules",
@ -202,7 +214,7 @@ Important: DNS Requests are only matched against domain and filter list rules, a
 			config.DisplayOrderAnnotation: cfgOptionEndpointsOrder,
 			config.CategoryAnnotation:     "Rules",
 		},
-		ValidationRegex: `^(\+|\-) [A-z0-9\.:\-*/]+( [A-z0-9/]+)?$`,
+		ValidationRegex: rulesValidationRegex,
 	})
 	if err != nil {
 		return err
@ -242,7 +254,7 @@ Important: DNS Requests are only matched against domain and filter list rules, a
 				},
 			},
 		},
-		ValidationRegex: `^(\+|\-) [A-z0-9\.:\-*/]+( [A-z0-9/]+)?$`,
+		ValidationRegex: rulesValidationRegex,
 	})
 	if err != nil {
 		return err
--- a/profile/endpoints/endpoint.go
+++ b/profile/endpoints/endpoint.go
@ -154,6 +154,9 @@ func (ep *EndpointBase) parsePPP(typedEp Endpoint, fields []string) (Endpoint, e
 						return nil, invalidDefinitionError(fields, "port number parsing error")
 					}
 				}
+				if n16 == 0 {
+					return nil, invalidDefinitionError(fields, "port number cannot be 0")
+				}
 				ep.StartPort = n16
 				// parse end port
 				if len(portSplitted) > 1 {
@ -167,6 +170,9 @@ func (ep *EndpointBase) parsePPP(typedEp Endpoint, fields []string) (Endpoint, e
 						}
 					}
 				}
+				if n16 == 0 {
+					return nil, invalidDefinitionError(fields, "port number cannot be 0")
+				}
 				ep.EndPort = n16
 			}
 		}
--- a/profile/endpoints/reason.go
+++ b/profile/endpoints/reason.go
@ -26,7 +26,7 @@ func (r *reason) String() string {
 		prefix = "allowed by rule: "
 	}

-	return prefix + r.description + " " + r.Value
+	return prefix + r.description + " " + r.Filter[2:]
 }

 func (r *reason) Context() interface{} {