As the allowedrules table was being updated, we found the need to have a number of entries between distinct sources and destinations for high ports (49152-65535), over 16,000 ports per source/destination combination. Quickly we found that the mvrange and mvexpand option above grew the allowedrules table too large to be effective (actually, there must be a limit to an inputlookup, or our limits.conf needed to be re-configured, because we would find that the table would not grow larger than 12,000 entries). So I am back trying to come up with a better option.
I have tried a map search looking for the source, destination and protocol, then parsing the Port (if it contains a "-") to then compare the port (if startport <= Port AND endport >= Port).
lookup doesn't work because there could be multiple allowedrules for the same source/destination/protocol combination - then the Port value(s) returned from the lookup may have
Also, this works for events where the Port falls within the range, but for those that fail the where, how do you still capture the original source, destination, protocol and destinationport and indicate "needs reviewed"?
Example: we need to verify each event in the table and add a field that indicates the status - communication is allowed, or it is not found in our allowed rules, so it should be reviewed.
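The matching logic the post is after, written out as an added Python example (not the poster's search and not Splunk SPL): each rule's Port value is parsed once into an inclusive start/end pair, rules are grouped by source/destination/protocol so that several rules for the same combination are all kept, and every event gets a status field whether or not it matched. The rule and event rows are constructed sample data; the field names source, destination, protocol, Port and destinationport follow the post, and the "a-b" range syntax is assumed to be the only range form in the table.

```python
"""Reference implementation of the allowed-rules check described in the post.
All rows below are constructed sample data, not the poster's lookup table."""

# Constructed allowedrules rows. Port is either a single port or an "a-b"
# range, and the same source/destination/protocol may appear more than once.
ALLOWED_RULES = [
    {"source": "10.0.0.5", "destination": "10.0.1.20", "protocol": "tcp", "Port": "443"},
    {"source": "10.0.0.5", "destination": "10.0.1.20", "protocol": "tcp", "Port": "49152-65535"},
    {"source": "10.0.0.5", "destination": "10.0.1.20", "protocol": "udp", "Port": "53"},
    {"source": "10.0.0.7", "destination": "10.0.1.21", "protocol": "tcp", "Port": "8000-8010"},
]

# Constructed events to classify against the rules above.
EVENTS = [
    {"source": "10.0.0.5", "destination": "10.0.1.20", "protocol": "tcp", "destinationport": 50000},
    {"source": "10.0.0.5", "destination": "10.0.1.20", "protocol": "tcp", "destinationport": 22},
    {"source": "10.0.0.5", "destination": "10.0.1.20", "protocol": "udp", "destinationport": 53},
    {"source": "10.0.0.9", "destination": "10.0.1.20", "protocol": "tcp", "destinationport": 443},
]


def parse_port_spec(spec):
    """Turn "443" or "49152-65535" into an inclusive (start, end) tuple.

    A malformed or out-of-range spec raises ValueError rather than silently
    matching nothing, so a bad row in the lookup table is noticed."""
    spec = spec.strip()
    if "-" in spec:
        start_s, end_s = spec.split("-", 1)
        start, end = int(start_s), int(end_s)
    else:
        start = end = int(spec)
    if not (0 <= start <= end <= 65535):
        raise ValueError(f"bad port spec: {spec!r}")
    return start, end


def build_index(rules):
    """Group rules by (source, destination, protocol) -> list of (start, end).

    Keeping a list per key is what handles multiple rules for one
    combination; a range costs one tuple, not one row per port."""
    index = {}
    for rule in rules:
        key = (rule["source"], rule["destination"], rule["protocol"].lower())
        index.setdefault(key, []).append(parse_port_spec(rule["Port"]))
    return index


def classify(event, index):
    """Return a copy of the event with a 'status' field added.

    Events that match no rule are kept, with their original fields, and
    marked 'needs reviewed' instead of being dropped."""
    key = (event["source"], event["destination"], event["protocol"].lower())
    port = int(event["destinationport"])
    ranges = index.get(key, [])
    allowed = any(start <= port <= end for start, end in ranges)
    return {**event, "status": "allowed" if allowed else "needs reviewed"}


def classify_all(events, rules):
    """Classify every event against the rule table; returns a list of rows."""
    index = build_index(rules)
    return [classify(event, index) for event in events]


if __name__ == "__main__":
    for row in classify_all(EVENTS, ALLOWED_RULES):
        print(row)
```

The point of the index is that a rule covering 49152-65535 is stored as a single (start, end) pair and compared with two integer checks, so the rule set stays the size of the lookup file rather than growing by one row per port as the mvrange/mvexpand approach did. Because unmatched events are returned rather than filtered out, the output is the full event table plus the status column the post asks for.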