Feature Request - Firewall IP and Port Ranges in LUCI/firewall3

For a long time now iptables has supported the ability to interpret rules using extensions to allow arbitrary ranges of IPs and ports to be specified in rules.

There is a good summary of ranges here https://www.cyberciti.biz/tips/linux-iptables-how-to-specify-a-range-of-ip-addresses-or-ports.html

It also supports comma separated values of arbitrary IPs and ports in a single rule definition.

It would be great if this could be worked into firewall3; as OpenWRT is consumer oriented, it is much more logical for end users to specify ranges rather than have to calculate subnets.

Incorrect, as I've never heard OpenWrt considered as "completed firmware."

For developers, OpenWrt is the framework to build an application without having to build a complete firmware around it; for users this means the ability for full customization, to use the device in ways never envisioned.

~ Wiki Main Page


:warning: - misnumbering and mistakes could be a risk

The port example from your link (I had to specify a protocol, which means the blogger had incorrect syntax; I chose -p tcp):

[Screenshot from 2020-01-04 21-33-00]

This has already been supported for quite a while:

root@OpenWrt:~# uci add firewall rule
root@OpenWrt:~# uci set firewall.@rule[-1].name="Testing range"
root@OpenWrt:~# uci set firewall.@rule[-1].src="*"
root@OpenWrt:~# uci set firewall.@rule[-1].src_ip=""
root@OpenWrt:~# fw3 print | grep "Testing range"
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @rule[9] (Testing range) does not specify a protocol, assuming TCP+UDP
Warning: Section @rule[9] (Testing range) has no target specified, defaulting to REJECT
iptables -t filter -A INPUT -p tcp -m iprange --src-range -m comment --comment "!fw3: Testing range" -j reject
iptables -t filter -A INPUT -p udp -m iprange --src-range -m comment --comment "!fw3: Testing range" -j reject

Note however that you need to install iptables-mod-iprange for this to work, otherwise the rule will not be created.
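As an added example, not code from this thread or from fw3 itself: a small POSIX shell script that validates a user-supplied IP range and port list and prints the iptables rules they expand to, using the same iprange and multiport extensions fw3 relies on for the rule above. It only prints and applies nothing, so it runs on any box without iptables or uci installed; the addresses, ports and chain name are made up for the demo. In UCI the range goes in `src_ip` and a port list in a space-separated `dest_port`; this script takes comma lists instead, to match the iptables multiport form. Two details that trip people up when writing ranges by hand: iptables writes port ranges with a colon (8000:8080), not a dash, and xt_multiport accepts at most 15 entries, with a range counting as two.

```shell
#!/bin/sh
# Added example (not from the thread and not fw3 code): expand a range-style
# rule into the iptables commands fw3 would emit. Nothing is applied.
#
# Mapping used here (per the iptables-extensions man page):
#   "10.0.0.5-10.0.0.20"   -> -m iprange --src-range 10.0.0.5-10.0.0.20   (needs iptables-mod-iprange on OpenWrt)
#   "22,80,443,8000-8080"  -> -m multiport --dports 22,80,443,8000:8080
#   a single port or range -> --dport 443  /  --dport 8000:8080

# Accept only a well-formed dotted quad with every octet in 0..255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Source match: "a-b" becomes an iprange match, a bare address uses -s.
src_match() {
    case "$1" in
        *-*)
            lo=${1%-*}; hi=${1#*-}
            valid_ipv4 "$lo" && valid_ipv4 "$hi" || return 1
            printf '%s' "-m iprange --src-range $lo-$hi"
            ;;
        *)
            valid_ipv4 "$1" || return 1
            printf '%s' "-s $1"
            ;;
    esac
}

port_ok() { echo "$1" | grep -Eq '^[0-9]+$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }

# Destination ports: comma list of ports and lo-hi ranges. Rejects bad
# ports, reversed ranges and lists that exceed the xt_multiport limit of
# 15 entries (a range counts as two) instead of letting iptables fail later.
dport_match() {
    list=$1; count=0
    oldifs=$IFS; IFS=,
    set -- $list
    IFS=$oldifs
    [ $# -ge 1 ] || return 1
    for p in "$@"; do
        case "$p" in
            *-*)
                lo=${p%-*}; hi=${p#*-}
                port_ok "$lo" && port_ok "$hi" && [ "$lo" -lt "$hi" ] || return 1
                count=$((count + 2))
                ;;
            *)
                port_ok "$p" || return 1
                count=$((count + 1))
                ;;
        esac
    done
    [ "$count" -le 15 ] || return 1
    if [ $# -eq 1 ]; then
        # iptables spells a port range lo:hi, not lo-hi.
        case "$1" in
            *-*) printf '%s' "--dport ${1%-*}:${1#*-}" ;;
            *)   printf '%s' "--dport $1" ;;
        esac
    else
        printf '%s' "-m multiport --dports $(printf '%s' "$list" | tr '-' ':')"
    fi
}

# One rule per protocol, mirroring fw3's "no proto given, assuming TCP+UDP".
# Arguments: chain, source spec, port list, target (default REJECT).
fw_rule() {
    chain=$1; target=${4:-REJECT}
    src=$(src_match "$2") || return 1
    ports=$(dport_match "$3") || return 1
    for proto in tcp udp; do
        printf 'iptables -t filter -A %s -p %s %s %s -j %s\n' \
            "$chain" "$proto" "$src" "$ports" "$target"
    done
}

# Stand-alone demo with made-up values.
fw_rule INPUT 10.0.0.5-10.0.0.20 22,80,443,8000-8080
dport_match 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 || echo "rejected: more than 15 multiport entries"
```

Run it on any host to see the two rules; swap `fw_rule` for the real `uci set` calls from the post above once the expansion looks right.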

Then my humble suggestion would be that iptables-mod-iprange is made a standard package on non-flash-constrained platforms and that the LUCI FW module is updated to allow ranges in the input field if the package is present.