Allow runtime address variables in the ADDRESS column of the masq file

Shorewall/Perl/Shorewall/Chains.pm

@@ -145,6 +145,7 @@ our %EXPORT_TAGS = (
 				       do_helper
 				       do_headers
 				       have_ipset_rules
+				       record_runtime_address
 				       match_source_dev
 				       match_dest_dev
 				       iprange_match

Shorewall/Perl/Shorewall/Nat.pm

@@ -186,7 +186,10 @@ sub process_one_masq( )
 		} else {
 		    my $addrlist = '';
 		    for my $addr ( split_list $addresses , 'address' ) {
-			if ( $addr =~ /^.*\..*\..*\./ ) {
+			if ( $addr =~ /^&(.+)$/ ) {
+			    $target = 'SNAT ';
+			    $addrlist .= '--to-source ' . record_runtime_address $1;
+			} elsif ( $addr =~ /^.*\..*\..*\./ ) {
 			    $target = 'SNAT ';
 			    my ($ipaddr, $rest) = split ':', $addr;
 			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
@@ -197,8 +200,11 @@ sub process_one_masq( )
 			    $addrlist .= "--to-source $addr ";
 			    $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			} else {
-			    $addr =~ s/^://;
-			    $addrlist .= "--to-ports $addr ";
+			    my $ports = $addr; 
+			    $ports =~ s/^://;
+			    $ports =~ s/:/-/;
+			    validate_portpair( $proto, $ports );
+			    $addrlist .= "--to-ports $ports ";
 			    $exceptionrule = do_proto( $proto, '', '' );
 			}
 		    }

Shorewall/changelog.txt

@@ -10,7 +10,7 @@ Changes in Shorewall 4.4.17 Beta 1
 
 5)  Add 'USE_LOCAL_MODULES' option.
 
-6)  Implement runtime address variables (&interface)
+6)  Implement run-time address variables (&interface)
 
 Changes in Shorewall 4.4.17 Beta 1
 

Shorewall/releasenotes.txt

@@ -21,7 +21,7 @@ Beta 2
     diagnostic.
 
 2)  Previously, the uninstall.sh scripts used insserv (if installed) on
-    Debian-based systems. These scripts now used the preferred tool
+    Debian-based systems. These scripts now use the preferred tool
     (updaterc.d).
 
 3)  Beginning with 4.4.16, compilation would fail if an empty shell
@@ -33,9 +33,9 @@ Beta 2
     (unoptimized). Similarly, if OPTIMIZE=9 then the ruleset displayed
     was the same as when OPTIMIZE=1.
 
-5)  Startup could previously fail on a system where module autoloading
-    was not available and where TC_ENABLED=Simple was specified in
-    shorewall.conf.
+5)  Startup could previously fail on a system where kernel module
+    autoloading was not available and where TC_ENABLED=Simple was
+    specified in shorewall.conf.
 
 Beta 1
 
@@ -58,8 +58,9 @@ Beta 2
 
 1)  Traditionally, the -lite products have used the modules (or
     helpers) file on the firewall system unless there is a modules (or
-    helpers) file in the configuration directory.  This release
-    introduces the USE_LOCAL_MODULES option in shorewall[6].conf.
+    helpers) file in the configuration directory on the administrative
+    system. This release introduces the USE_LOCAL_MODULES option in
+    shorewall[6].conf.
 
     When USE_LOCAL_MODULES=Yes, the modules (helpers) file on the
     administrative system will be used to determine the set of modules
@@ -96,6 +97,9 @@ Beta 2
 	   macro files
 	   rules
 
+    They may also be used in the SOURCE and ADDRESS columns of the masq
+    file.
+
     For optional interfaces, if the interface is not usable at the time
     that the firewall starts the all-zero address will be used (0.0.0.0
     in IPv4 and :: in IPv6), resulting in no packets matching the rule.