Support port based exclude

Author: vStone

client.py

@@ -151,10 +151,10 @@ def check(self):
 
     def start(self):
         self.pfile.write('ROUTES\n')
-        for (ip,width) in self.subnets_include+self.auto_nets:
-            self.pfile.write('%d,0,%s\n' % (width, ip))
-        for (ip,width) in self.subnets_exclude:
-            self.pfile.write('%d,1,%s\n' % (width, ip))
+        for (ip,width,port) in self.subnets_include+self.auto_nets:
+            self.pfile.write('%d,%d,0,%s\n' % (width, port, ip))
+        for (ip,width,port) in self.subnets_exclude:
+            self.pfile.write('%d,%d,1,%s\n' % (width, port, ip))
         self.pfile.write('GO\n')
         self.pfile.flush()
         line = self.pfile.readline()

firewall.py

@@ -1,3 +1,5 @@
+# vim: set tabstop=4 expandtab :
+
 import re, errno, socket, select, signal, struct
 import compat.ssubprocess as ssubprocess
 import helpers, ssyslog
@@ -92,17 +94,24 @@ def do_iptables(port, dnsport, subnets):
         # to least-specific, and at any given level of specificity, we want
         # excludes to come first.  That's why the columns are in such a non-
         # intuitive order.
-        for swidth,sexclude,snet in sorted(subnets, reverse=True):
+        for swidth,sport,sexclude,snet in sorted(subnets, reverse=True):
             if sexclude:
-                ipt('-A', chain, '-j', 'RETURN',
-                    '--dest', '%s/%s' % (snet,swidth),
-                    '-p', 'tcp')
+                if sport > 0:
+                    ipt('-A', chain, '-j', 'RETURN',
+                        '--dest', '%s/%s' % (snet,swidth),
+                        '-m', 'tcp',
+                        '--dport', '%d' % sport,
+                        '-p', 'tcp')
+                else:
+                    ipt('-A', chain, '-j', 'RETURN',
+                        '--dest', '%s/%s' % (snet,swidth),
+                        '-p', 'tcp')
             else:
                 ipt_ttl('-A', chain, '-j', 'REDIRECT',
                         '--dest', '%s/%s' % (snet,swidth),
                         '-p', 'tcp',
                         '--to-ports', str(port))
-                
+
     if dnsport:
         nslist = resolvconf_nameservers()
         for ip in nslist:
@@ -508,10 +517,10 @@ def main(port, dnsport, syslog):
         elif line == 'GO\n':
             break
         try:
-            (width,exclude,ip) = line.strip().split(',', 2)
+            (width,dport,exclude,ip) = line.strip().split(',', 3)
         except:
             raise Fatal('firewall: expected route or GO but got %r' % line)
-        subnets.append((int(width), bool(int(exclude)), ip))
+        subnets.append((int(width), int(dport), bool(int(exclude)), ip))
 
     try:
         if line:

main.py

@@ -1,3 +1,4 @@
+# vim: set tabstop=4 expandtab :
 import sys, os, re
 import helpers, options, client, server, firewall, hostwatch
 import compat.ssubprocess as ssubprocess
@@ -9,11 +10,16 @@
 def parse_subnets(subnets_str):
     subnets = []
     for s in subnets_str:
-        m = re.match(r'(\d+)(?:\.(\d+)\.(\d+)\.(\d+))?(?:/(\d+))?$', s)
+        m = re.match(r'(\d+)?(?:\.(\d+)\.(\d+)\.(\d+))?(?:/(\d+))?(:\d+)?$', s)
         if not m:
             raise Fatal('%r is not a valid IP subnet format' % s)
-        (a,b,c,d,width) = m.groups()
+        (a,b,c,d,width,port) = m.groups()
         (a,b,c,d) = (int(a or 0), int(b or 0), int(c or 0), int(d or 0))
+        if port == None:
+            port = 0
+        else:
+            port = int(re.sub('^:','',port))
+
         if width == None:
             width = 32
         else:
@@ -22,7 +28,10 @@ def parse_subnets(subnets_str):
             raise Fatal('%d.%d.%d.%d has numbers > 255' % (a,b,c,d))
         if width > 32:
             raise Fatal('*/%d is greater than the maximum of 32' % width)
-        subnets.append(('%d.%d.%d.%d' % (a,b,c,d), width))
+        if port > 65535:
+            raise Fatal('*:%d is greater than the maximum of 65535' % port)
+        subnets.append(('%d.%d.%d.%d' % (a,b,c,d), width, port))
+
     return subnets