From 99a35c1bf05b2a5b05667d64ca0fc01411ee60d8 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 23 Nov 2009 09:33:16 -0800
Subject: [PATCH] Allow :: in the rules file DEST column
---
 Shorewall/Perl/Shorewall/Rules.pm | 18 +++++++++++-------
 Shorewall/changelog.txt | 2 ++
 Shorewall/releasenotes.txt | 15 ++++++++++++++-
 3 files changed, 27 insertions(+), 8 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 3b3990816..ad85061b1 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1237,10 +1237,10 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 $origdest = ALLIP;
 }
 }
- } else {
- fatal_error "A server must be specified in the DEST column in $action rules" if $server eq '';
-
- if ( $server =~ /^(.+)-(.+)$/ ) {
+ } else {
+ if ( $server eq '' ) {
+ fatal_error "A server and/or port must be specified in the DEST column in $action rules" unless $serverport;
+ } elsif ( $server =~ /^(.+)-(.+)$/ ) {
 validate_range( $1, $2 );
 } else {
 my @servers = validate_address $server, 1;
@@ -1249,9 +1249,13 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 if ( $action eq 'DNAT' ) {
 $target = '-j DNAT ';
- $serverport = ":$serverport" if $serverport;
- for my $serv ( split /,/, $server ) {
- $target .= "--to-destination ${serv}${serverport} ";
+ if ( $server ) {
+ $serverport = ":$serverport" if $serverport;
+ for my $serv ( split /,/, $server ) {
+ $target .= "--to-destination ${serv}${serverport} ";
+ }
+ } else {
+ $target .= "--to-destination :$serverport ";
 }
 }
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index d78b6cf18..5de3297b5 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -7,3 +7,5 @@ Changes in 4.5.0
 3) Fix handling of interfaces with the 'bridge' option.
 4) Flag port 0 as an error.
+
+5) Allow zone::serverport in rules DEST column.
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index c34344062..099bde6c3 100644
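Review bot: The new `if ( $server eq '' )` branch accepts a DEST with no server address as long as `$serverport` is truthy, but nothing in this hunk validates `$serverport` itself, and the `zone::port` form now skips the `validate_range`/`validate_address` path entirely; if the port is checked where DEST is split (outside this hunk) that is fine, but it is worth confirming that a malformed or non-numeric port cannot reach the `--to-destination` target build further down. A short comment on the branch would make the newly accepted syntax explicit to the next reader, e.g. `# zone::port form: no server address, only the destination port is rewritten`. process_rule1 begins and ends outside this hunk.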
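Review bot: The new `else` branch emits `--to-destination :$serverport` on the assumption that `$serverport` is non-empty, an invariant established only by the `fatal_error` check a dozen lines earlier in the same function; a local guard such as `fatal_error "A port must be specified in the DEST column in $action rules" unless $serverport;` before the append keeps this branch from ever producing an invalid `--to-destination :` if another path reaches it. The emptiness test also differs in form from the earlier branch (`if ( $server )` here versus `$server eq ''` above); using the same comparison in both places avoids the two quietly diverging. Since the release notes warn that a port-only rewrite of traffic addressed to the firewall itself gets no matching ACCEPT rule, a comment on this branch noting that consequence and the suggested ORIGINAL DEST exclusion would keep the security caveat next to the code that generates the rule. process_rule1 begins and ends outside this hunk.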
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -40,5 +40,18 @@ None.
 $FW dmz REJECT info
 $FW all ACCEPT
-
+2) Shorewall now allows DNAT rules that change only the destination
+ port.
+
+ Example:
+
+ DNAT loc net::456 udp 234
+
+ That rule will modify the destination port in UDP packets received
+ from the 'loc' zone from 456 to 234. Note that if the destination
+ is the firewall itself, then the destination port will be rewritten
+ but that no ACCEPT rule from the loc zone to the $FW zone will have
+ been created to handle the request. So such rules should probably
+ exclude the firewall's IP addresses in the ORIGINAL DEST column.
+