Allow <zone>::<serverport> in the rules file DEST column

2009-11-23 09:56:15 -08:00 · 2009-11-23 09:56:15 -08:00 · b30cae89e3
commit b30cae89e3
parent 2eaf396f5a
3 changed files with 26 additions and 8 deletions
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -1238,9 +1238,9 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 		}
 	    }
 	} else {            
-	    fatal_error "A server must be specified in the DEST column in $action rules" if $server eq '';
-
-	    if ( $server =~ /^(.+)-(.+)$/ ) {
+	    if ( $server eq '' ) {
+		fatal_error "A server and/or port must be specified in the DEST column in $action rules" unless $serverport;
+	    } elsif ( $server =~ /^(.+)-(.+)$/ ) {
 		validate_range( $1, $2 );
 	    } else {
 		my @servers = validate_address $server, 1;
@ -1249,9 +1249,13 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {

 	    if ( $action eq 'DNAT' ) {
 		$target = '-j DNAT ';
-		$serverport = ":$serverport" if $serverport;
-		for my $serv ( split /,/, $server ) {
-		    $target .= "--to-destination ${serv}${serverport} ";
+		if ( $server ) {
+		    $serverport = ":$serverport" if $serverport;
+		    for my $serv ( split /,/, $server ) {
+			$target .= "--to-destination ${serv}${serverport} ";
+		    }
+		} else {
+		    $target .= "--to-destination :$serverport ";
 		}
 	    }

--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -6,6 +6,8 @@ Changes in Shorewall 4.4.5

 3)  Generate error for port number 0

+4)  Allow zone::serverport in rules DEST column.
+
 Changes in Shorewall 4.4.4

 1)  Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -201,7 +201,19 @@ None.
                N E W   F E A T U R E S   I N   4 . 4 . 5
 ----------------------------------------------------------------------------

-None.
+1)  Shorewall now allows DNAT rules that change only the destination
+    port.
+
+    Example:
+
+	DNAT	loc	net::456	udp	234
+
+    That rule will modify the destination port in UDP packets received
+    from the 'loc' zone from 456 to 234. Note that if the destination
+    is the firewall itself, then the destination port will be rewritten
+    but that no ACCEPT rule from the loc zone to the $FW zone will have
+    been created to handle the request. So such rules should probably
+    exclude the firewall's IP addresses in the ORIGINAL DEST column.

 ----------------------------------------------------------------------------
                N E W   F E A T U R E S   I N   4 . 4 . 0