Allow runtime address variables as the server IP in DNAT rules

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-11-22 15:43:30 +01:00 · 2017-08-12 12:18:16 -07:00 · 2017-08-12 12:18:16 -07:00 · 1a2647618e
commit 1a2647618e
parent 72293883dd
2 changed files with 16 additions and 3 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -6324,7 +6324,7 @@ sub match_dest_net( $;$ ) {
 	return '-d ' . record_runtime_address $1, $2;
    }

-    $net = validate_net $net, 1;
+    $net = validate_net $net, 1 unless $net =~ /^\$/; # Don't validate if runtime address variable
    $net eq ALLIP ? '' : "-d $net ";
 }

@ -6405,7 +6405,7 @@ sub imatch_dest_net( $;$ ) {
 	return ( d => record_runtime_address( $1, $2, 1 ) );
    }

-    $net = validate_net $net, 1;
+    $net = validate_net $net, 1 unless $net =~ /^\$/; # Don't validate if runtime address variable
    $net eq ALLIP ? () : ( d =>  $net );
 }

@ -7528,6 +7528,11 @@ sub isolate_dest_interface( $$$$ ) {

 	    $rule .= "-d $variable ";
 	}
+    } elsif ( $dest =~ /^\$/ ) {
+	#
+	# Runtime address variable
+	#
+	$dnets  = $dest;
    } elsif ( $family == F_IPV4 ) {
 	if ( $dest =~ /^(.+?):(.+)$/ ) {
 	    $diface = $1;
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@ -941,7 +941,15 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 	} else {
 	    $server = $1 if $family == F_IPV6 && $server =~ /^\[(.+)\]$/;
 	    fatal_error "Invalid server IP address ($server)" if $server eq ALLIP || $server eq NILIP;
-	    my @servers = validate_address $server, 1;
+
+	    my @servers;
+
+	    if ( ( $server =~ /^([&%])(.+)/ ) ) {
+		@servers = ( record_runtime_address( $1, $2 ) );
+	    } else {
+		@servers = validate_address $server, 1;
+	    }
+
 	    $server = join ',', @servers;
 	}