From 3f68814a38a64ee2df0b9dbb51ac04a0e91dbe97 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 31 Oct 2016 15:15:35 -0700
Subject: [PATCH] Disallow more than one address[-range] in SNAT rules
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Nat.pm | 2 +-
 Shorewall/Perl/Shorewall/Rules.pm | 4 +++-
 Shorewall/manpages/shorewall-masq.xml | 2 +-
 Shorewall/manpages/shorewall-snat.xml | 2 +-
 Shorewall6/manpages/shorewall6-masq.xml | 2 +-
 Shorewall6/manpages/shorewall6-snat.xml | 2 +-
 6 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm
index 7449f2187..9f45695f0 100644
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -232,7 +232,7 @@ sub process_one_masq1( $$$$$$$$$$$$ )
 my $addrlist = '';
 my @addrs = split_list $addresses, 'address';
- fatal_error "Only one IPv6 ADDRESS may be specified" if $family == F_IPV6 && @addrs > 1;
+ fatal_error "Only one ADDRESS may be specified" if @addrs > 1;
 for my $addr ( @addrs ) {
 if ( $addr =~ /^([&%])(.+)$/ ) {
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 61d0a6749..34afae4e7 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -5456,6 +5456,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 my $rule = '';
 my $saveaddresses = $addresses;
 my $savetarget = $target;
+ my $savebaserule = $baserule;
 my $interface = $fullinterface;
 $interface =~ s/:.*//; #interface name may include 'alias'
@@ -5509,7 +5510,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 my $addrlist = '';
 my @addrs = split_list $addresses, 'address';
- fatal_error "Only one IPv6 ADDRESS may be specified" if $family == F_IPV6 && @addrs > 1;
+ fatal_error "Only one ADDRESS may be specified" if @addrs > 1;
 for my $addr ( @addrs ) {
 if ( $addr =~ /^([&%])(.+)$/ ) {
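Review bot: The widened check `fatal_error "Only one ADDRESS may be specified" if @addrs > 1;` in process_one_masq1 now rejects IPv4 address lists that the old `$family == F_IPV6` condition let through, yet neither the code nor the commit message says why, and the message does not show the rejected value. An operator upgrading a firewall with an existing comma-separated ADDRESS list will hit a compile failure, so I would put a one-line comment above the check stating the reason for the single-address limit and echo the input, e.g. `fatal_error "Only one ADDRESS may be specified ($addresses)" if @addrs > 1;`. The identical line is changed in process_snat1 in Rules.pm (hunk at -5509) and the same applies there. With at most one element now accepted, the `for my $addr ( @addrs )` loop and the `$addrlist` accumulator may be more general than needed, but the loop body lies outside the hunk, so that is only a question for the author.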
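Review bot: The added `my $savebaserule = $baserule;` in process_snat1, together with its restore `$baserule = $savebaserule;` in the later hunk at -5724, is not covered by the commit subject and has no comment explaining why `$baserule` joins `$addresses` and `$target` in the save/restore set. The code between the two hunks is not shown, but if `$baserule` is appended to while a pass runs, a missed restore would carry one pass's match criteria into the next generated NAT rule, which is the kind of silent rule drift worth documenting. I would add a comment above the save lines such as `# Saved so every pass starts from the caller's values; restored at the bottom of the loop`. This looks like a separate fix bundled into the commit, and a sentence about it in the commit description would help anyone bisecting later.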
@@ -5724,6 +5725,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 $addresses = $saveaddresses;
 $target = $savetarget;
+ $baserule = $savebaserule;
 }
 progress_message " Snat record \"$currentline\" $done"
diff --git a/Shorewall/manpages/shorewall-masq.xml b/Shorewall/manpages/shorewall-masq.xml
index e3c0f5b8d..c255b67e6 100644
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -164,7 +164,7 @@ ADDRESS (Optional) - [-|NONAT|[address-or-address-range[,address-or-address-range]...][:lowportNONAT|[address-or-address-range][:lowport-highport][:random][:persistent]|detect| SNAT[+]([address-or-address-range[,address-or-address-range]...][:lowportSNAT[+]([address-or-address-range][:lowport-highport][:random][:]|detect|
diff --git a/Shorewall6/manpages/shorewall6-masq.xml b/Shorewall6/manpages/shorewall6-masq.xml
index df59b1fee..cdd9e9532 100644
--- a/Shorewall6/manpages/shorewall6-masq.xml
+++ b/Shorewall6/manpages/shorewall6-masq.xml
@@ -125,7 +125,7 @@ ADDRESS (Optional) - [-|NONAT|[address-or-address-range[,address-or-address-range]...][:lowportNONAT|[address-or-address-range][:lowport-highport][:random][:persistent]|detect| SNAT[+]([address-or-address-range[,address-or-address-range]...][:lowportSNAT[+]([address-or-address-range][:lowport-highport][:random][:]|detect|