From fa86a604d653050b262b317f535b68ff7bb9befb Mon Sep 17 00:00:00 2001
From: Christoph
Date: Sun, 13 Nov 2022 02:36:50 +0100
Subject: [PATCH] Modify gaming rules.

---
 conf/default_ports.conf | 19 +++++++-
 conf/post_decalrations.conf | 92 ++++++++++++++++++++++++++++++++++++-
 ip6t-firewall-gateway | 50 ++++++++++++++++++++
 ipt-firewall-gateway | 50 ++++++++++++++++++++
 4 files changed, 208 insertions(+), 3 deletions(-)

diff --git a/conf/default_ports.conf b/conf/default_ports.conf
index 233def4..5376d7d 100644
--- a/conf/default_ports.conf
+++ b/conf/default_ports.conf
@@ -361,7 +361,12 @@ standard_game_fifa21_udp_ports="3074,3478,3479,3659,6000"
 # 4380 udp (Steam client)
 #
 standard_game_steam_tcp_ports="6010,6020,6030,6040,8888,27000:27013,27014,27015,27016:27030,27031,27032:27050,44333"
-standard_game_steam_udp_ports="12000,27000:27015,27016:27030,27031,27036,3478,4379,4380"
+standard_game_steam_udp_ports="3478,4379,4380,12000,27000:27015,27016:27030,27031,27036,27037:27100"
+
+# Local Ports (Steam)
+#
+standard_game_steam_udp_local_ports="27031:27036"
+standard_game_steam_tcplocal_ports="27031:27036"
 
 # Ports game 'Call of Duty'
 #
@@ -395,7 +400,7 @@ standard_game_steam_udp_ports="12000,27000:27015,27016:27030,27031,27036,3478,43
 # UDP: 53, 88, 500, 3074, 3075, 3076, 3077, 3078, 3079, 3544, 4500, 5223
 #
 standard_game_call_of_duty_pc_tcp_ports="3074,27014,27015,27016:27030,27031,27032:27050"
-standard_game_call_of_duty_pc_udp_ports="3074,3075,3076,3077,3078,3079,3478,4379,4380,27000:27013,27014,27015,27016:27030,27031:27036"
+standard_game_call_of_duty_pc_udp_ports="3074,3075,3076,3077,3078,3079,3478,4379,4380,27000:27013,27014,27015,27016:27030,27031,27032:27035,27036"
 standard_game_call_of_duty_ps_tcp_ports="80,443,1935,3074,3478,3479,3480,5223"
 standard_game_call_of_duty_ps_udp_ports="3074,3075,3076,3077,3078,3079,3478,3479,3658,5223"
 
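Review bot: The two new local-port variables disagree on their own naming: `standard_game_steam_udp_local_ports` separates protocol and `local` with an underscore, while `standard_game_steam_tcplocal_ports` on the next line does not, and the consumer loop in post_decalrations.conf repeats the odd spelling. Rename it to `standard_game_steam_tcp_local_ports="27031:27036"` and change the loop to `for _port in $standard_game_steam_tcp_local_ports`. A comment such as `# Source ports of LAN clients, matched with --sport in the FORWARD rules` above the pair would also help, since "Local Ports" alone does not say which side of the connection the list describes.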
@@ -403,6 +408,16 @@ standard_game_call_of_duty_ps_udp_ports="3074,3075,3076,3077,3078,3079,3478,3479
 standard_game_call_of_duty_xbox_tcp_ports="53,80,3074"
 standard_game_call_of_duty_xbox_udp_ports="53,88,500,3074,3075,3076,3077,3078,3079,3544,4500,5223"
 
+# Local Ports (mostly dedicated to 'Call of Duty' game)
+#
+standard_game_call_of_duty_udp_local_ports="3074,41900,62976"
+
+
+# Other ports not dedicated to a specific game
+#
+standard_game_universell_udp=""
+standard_game_universell_tcp=""
+
 
 # -------------
 # --- Predefined Ports
diff --git a/conf/post_decalrations.conf b/conf/post_decalrations.conf
index df49eb6..e73d153 100644
--- a/conf/post_decalrations.conf
+++ b/conf/post_decalrations.conf
@@ -540,6 +540,11 @@ done
 declare -a out_udp_port_arr=()
 declare -a out_tcp_port_arr=()
 
+# Servives local ports
+#
+declare -a out_udp_local_port_arr=()
+declare -a out_tcp_local_port_arr=()
+
 # ---
 # - DNS out only
 # ---
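Review bot: `standard_game_universell_udp` and `standard_game_universell_tcp` break the file's naming pattern, in which every other list ends in `_ports`, and `universell` is the only German word among the identifiers; the loops in post_decalrations.conf would have to follow the rename. Suggest `standard_game_universal_udp_ports=""` and `standard_game_universal_tcp_ports=""`. The comment above `standard_game_call_of_duty_udp_local_ports="3074,41900,62976"` should also say where 41900 and 62976 come from, because they appear to be client-side ports rather than documented service ports, and whoever adjusts the list later has nothing to check them against.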
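Review bot: The comment introducing the new arrays has a typo, `# Servives local ports`, which should read `# Services local ports`. Since the later hunks fill `out_udp_local_port_arr` and `out_tcp_local_port_arr` with the same ports that the gateway rules match with `--sport`, extending it to `# Services local (source) ports - deduplication list for --sport rules` would make the difference from `out_udp_port_arr` visible at the point of declaration.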
@@ -1429,17 +1434,87 @@ done
 # ---
 # Gaming
 # ---
-if $allow_game_xbox_one_out \
+
+if $allow_game_steam_out \
+ || $allow_game_call_of_duty \
+ || $allow_game_xbox_one_out \
 || $allow_game_xbox_360_out \
 || $allow_game_ps3_out \
 || $allow_game_ps4_out \
 || $allow_game_fifa21_out ; then
+
 allow_gaming_out=true
 else
 allow_gaming_out=false
 fi
 
+
+
+# Games local ports
+#
+declare -a game_ports_local_udp_arr=()
+if $allow_game_steam_out ; then
+ IFS=',' ; for _port in $standard_game_steam_udp_local_ports ; do
+
+ if containsElement "${_port}" "${out_udp_local_port_arr[@]}" ; then
+ continue
+ fi
+
+ out_udp_local_port_arr+=("$_port")
+
+ game_ports_local_udp_arr+=("$_port")
+ done
+ IFS="$CUR_IFS"
+fi
+
+if $allow_game_call_of_duty ; then
+ IFS=',' ; for _port in $standard_game_call_of_duty_udp_local_ports ; do
+
+ if containsElement "${_port}" "${out_udp_local_port_arr[@]}" ; then
+ continue
+ fi
+
+ out_udp_local_port_arr+=("$_port")
+
+ game_ports_local_udp_arr+=("$_port")
+ done
+ IFS="$CUR_IFS"
+fi
+
+declare -a game_ports_local_tcp_arr=()
+if $allow_game_steam_out ; then
+ IFS=',' ; for _port in $standard_game_steam_tcplocal_ports ; do
+
+ if containsElement "${_port}" "${out_tcp_local_port_arr[@]}" ; then
+ continue
+ fi
+
+ out_tcp_local_port_arr+=("$_port")
+
+ game_ports_local_tcp_arr+=("$_port")
+ done
+ IFS="$CUR_IFS"
+fi
+
+
+
+# Games (remote) ports
+#
 declare -a game_ports_udp_arr=()
+if $allow_gaming_out ; then
+ IFS=',' ; for _port in $standard_game_universell_udp ; do
+
+ if containsElement "${_port}" "${out_udp_port_arr[@]}" ; then
+ continue
+ fi
+
+ game_ports_udp_arr+=("$_port")
+
+ out_udp_port_arr+=("$_port")
+
+ done
+ IFS="$CUR_IFS"
+fi
 if $allow_game_xbox_360_out ; then
 IFS=',' ; for _port in $standard_game_xbox_one_udp_ports ; do
 
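Review bot: `$allow_game_call_of_duty` is the only flag in the new `if` chain, and in `if $allow_game_call_of_duty ; then` further down, without the `_out` suffix its siblings carry, and this hunk shows no default for it. If the configuration leaves it undefined, the expansion yields an empty command, which bash treats as success, so `allow_gaming_out` becomes true and the Call of Duty local ports are added — a fail-open default for a firewall flag. Either rename it to `allow_game_call_of_duty_out` and declare it next to the other flags, or guard the expansion with `|| ${allow_game_call_of_duty:-false} \` and `if ${allow_game_call_of_duty:-false} ; then`. The three copies of the IFS/containsElement/append loop here (and the fourth in the hunk at line 1565) differ only in the list and the two arrays they touch; a helper taking those names would remove the duplication, though passing arrays by name needs `declare -n` namerefs (bash 4.3+), so check the target bash version first.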
@@ -1565,6 +1640,21 @@ fi
 
 
 declare -a game_ports_tcp_arr=()
+if $allow_gaming_out ; then
+ IFS=',' ; for _port in $standard_game_universell_tcp ; do
+
+ if containsElement "${_port}" "${out_tcp_port_arr[@]}" ; then
+ continue
+ fi
+
+ game_ports_tcp_arr+=("$_port")
+
+ out_tcp_port_arr+=("$_port")
+
+ done
+
+ IFS="$CUR_IFS"
+fi
 if $allow_game_xbox_360_out ; then
 IFS=',' ; for _port in $standard_game_xbox_one_tcp_ports ; do
 
diff --git a/ip6t-firewall-gateway b/ip6t-firewall-gateway
index 11fc362..f54cdfe 100755
--- a/ip6t-firewall-gateway
+++ b/ip6t-firewall-gateway
@@ -2183,6 +2183,16 @@ if $allow_http_request_out && ! $permit_local_net_to_inet ; then
 if $kernel_forward_between_interfaces && ! $permit_local_net_to_inet ; then
 $ip6t -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT
 fi
+
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule.
+ # -
+ if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
+ $ip6t -A FORWARD -p tcp -o $_dev -m multiport --dports $http_ports --tcp-flag ACK ACK -j ACCEPT
+ $ip6t -A FORWARD -p tcp -i $_dev -m multiport --sports $http_ports --tcp-flag ACK ACK -j ACCEPT
+ fi
+
 done
 echo_done
 else
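Review bot: The alias-interface rules match `--dports $http_ports` and `--sports $http_ports` while the rule three lines above uses `$standard_http_ports`; unless those two variables are guaranteed to hold the same list, the extra rules open a different set of ports than the one just permitted, so either use `$standard_http_ports` in both added rules or add a comment saying why they differ. Both added rules accept on `--tcp-flag ACK ACK` alone, with no `-m conntrack --ctstate ESTABLISHED`, so any ACK-flagged segment to or from those ports is forwarded regardless of connection state; if conntrack does see this alias traffic, `-m conntrack --ctstate ESTABLISHED` is the tighter match, and if it does not, the comment should say so, because a stateless ACCEPT in FORWARD deserves a recorded reason. The documented option is `--tcp-flags`; `--tcp-flag` appears to work only through unambiguous-prefix matching, so spell it out. The comment has a typo, `youe need` should be `you need`. The same block, with the same points, is added to ipt-firewall-gateway in the hunk at line 2941.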
@@ -4695,6 +4705,46 @@ fi
 # ---
 echo ""
 
+ec:,hononl "\t\tGaming UDP local Ports out"
+if $allow_gaming_out ; then
+
+ for _dev in ${ext_if_arr[@]} ; do
+ for _port in ${game_ports_local_udp_arr[@]} ; do
+ $ip6t -A FORWARD -o $_dev -p udp --sport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ done
+
+ echo_done
+else
+ echo_skipped
+
+fi
+
+echononl "\t\tGaming TCP local Ports out"
+if $allow_gaming_out ; then
+
+ for _dev in ${ext_if_arr[@]} ; do
+ for _port in ${game_ports_local_tcp_arr[@]} ; do
+ $ip6t -A FORWARD -o $_dev -p tcp --sport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+
+
+ # - Rule is needed if (local) interface aliases in use (like eth0:1)
+ # -
+ if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
+ $ip6t -A FORWARD -p tcp -o $_dev --sport $_port --tcp-flag ACK ACK -j ACCEPT
+ $ip6t -A FORWARD -p tcp -i $_dev --dport $_port --tcp-flag ACK ACK -j ACCEPT
+ fi
+
+ done
+
+ echo_done
+else
+ echo_skipped
+
+fi
+
+
 echononl "\t\tGaming UDP Ports out"
 if $allow_gaming_out && ! $permit_local_net_to_inet ; then
 
diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway
index d1b1995..8538615 100755
--- a/ipt-firewall-gateway
+++ b/ipt-firewall-gateway
@@ -2941,6 +2941,17 @@ if $allow_http_request_out && ! $permit_local_net_to_inet ; then
 if $kernel_activate_forwarding && ! $permit_local_net_to_inet ; then
 $ipt -A FORWARD -o $_dev -p tcp -m multiport --dports $standard_http_ports -m conntrack --ctstate NEW -j ACCEPT
 fi
+
+
+ # - Note:
+ # - If (local) alias interfaces like eth1:0 in use, youe need a further
+ # - special rule.
+ # -
+ if $kernel_activate_forwarding && $local_alias_interfaces ; then
+ $ipt -A FORWARD -p tcp -o $_dev -m multiport --dports $http_ports --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -i $_dev -m multiport --sports $http_ports --tcp-flag ACK ACK -j ACCEPT
+ fi
+
 done
 echo_done
 else
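Review bot: `ec:,hononl "\t\tGaming UDP local Ports out"` at the top of the hunk is a corrupted `echononl` and will fail with "command not found" (the script carries on, but the label is never printed); restore it to `echononl "\t\tGaming UDP local Ports out"`. In the TCP block the alias-interface `if` sits after the inner `done`, so `$_port` there is whatever the inner loop left behind: only the last entry of `game_ports_local_tcp_arr` gets the ACK rules, and when that array is empty the rules are built from the stale `$_port` of the UDP loop above; moving the block inside the `for _port` loop fixes both, as below. Note also that every rule here keys on the LAN client's source port (`--sport $_port`) to admit a NEW outbound connection to any destination, which is a much weaker selector than the destination-port rules that follow, and that the ACK-only rules accept without conntrack state, so `-m conntrack --ctstate ESTABLISHED` is the safer match if conntrack sees this traffic. The same structure is added to ipt-firewall-gateway in the hunk at line 5510, where the `echononl` spelling is intact but the `$_port` placement is the same.
```shell
   for _dev in ${ext_if_arr[@]} ; do
      for _port in ${game_ports_local_tcp_arr[@]} ; do
         $ip6t -A FORWARD -o $_dev -p tcp --sport $_port -m conntrack --ctstate NEW -j ACCEPT

         # - Rule is needed if (local) interface aliases in use (like eth0:1)
         # - (inside the port loop, so it is emitted once per port, not once per device)
         # -
         if $kernel_forward_between_interfaces && $local_alias_interfaces ; then
            $ip6t -A FORWARD -p tcp -o $_dev --sport $_port --tcp-flag ACK ACK -j ACCEPT
            $ip6t -A FORWARD -p tcp -i $_dev --dport $_port --tcp-flag ACK ACK -j ACCEPT
         fi
      done
   done
   # … unchanged: echo_done / else / echo_skipped / fi …
```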
@@ -5499,6 +5510,45 @@ fi
 # ---
 echo ""
 
+echononl "\t\tGaming UDP local Ports out"
+if $allow_gaming_out ; then
+
+ for _dev in ${ext_if_arr[@]} ; do
+ for _port in ${game_ports_local_udp_arr[@]} ; do
+ $ipt -A FORWARD -o $_dev -p udp --sport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+ done
+
+ echo_done
+else
+ echo_skipped
+
+fi
+
+echononl "\t\tGaming TCP local Ports out"
+if $allow_gaming_out ; then
+
+ for _dev in ${ext_if_arr[@]} ; do
+ for _port in ${game_ports_local_tcp_arr[@]} ; do
+ $ipt -A FORWARD -o $_dev -p tcp --sport $_port -m conntrack --ctstate NEW -j ACCEPT
+ done
+
+
+ # - Rule is needed if (local) interface aliases in use (like eth0:1)
+ # -
+ if $kernel_activate_forwarding && $local_alias_interfaces ; then
+ $ipt -A FORWARD -p tcp -o $_dev --sport $_port --tcp-flag ACK ACK -j ACCEPT
+ $ipt -A FORWARD -p tcp -i $_dev --dport $_port --tcp-flag ACK ACK -j ACCEPT
+ fi
+
+ done
+
+ echo_done
+else
+ echo_skipped
+
+fi
 echononl "\t\tGaming UDP Ports out"
 if $allow_gaming_out && ! $permit_local_net_to_inet ; then
 