From 728e1c6073cb216d3cb8b66f519bd590458165e6 Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Tue, 12 May 2020 18:44:20 +0200
Subject: nat: T2198: add new ipv4-range validator

---
 interface-definitions/nat.xml.in |  7 ++++++-
 src/validators/ipv4-range        | 30 ++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100755 src/validators/ipv4-range

diff --git a/interface-definitions/nat.xml.in b/interface-definitions/nat.xml.in
index bcbdb37af..af9dd1eff 100644
--- a/interface-definitions/nat.xml.in
+++ b/interface-definitions/nat.xml.in
@@ -95,7 +95,12 @@
                         <format>masquerade</format>
                         <description>NAT to the primary address of outbound-interface</description>
                       </valueHelp>
-                      <!-- TODO: add general iptables constraint script -->
+                      <constraint>
+                        <validator name="ipv4-prefix"/>
+                        <validator name="ipv4-address"/>
+                        <validator name="ipv4-range"/>
+                        <regex>(masquerade)</regex>
+                      </constraint>
                     </properties>
                   </leafNode>
                   #include <include/nat-translation-port.xml.i>
diff --git a/src/validators/ipv4-range b/src/validators/ipv4-range
new file mode 100755
index 000000000..0d707d6c5
--- /dev/null
+++ b/src/validators/ipv4-range
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# snippet from https://stackoverflow.com/questions/10768160/ip-address-converter
+ip2dec () {
+    local a b c d ip=$@
+    IFS=. read -r a b c d <<< "$ip"
+    printf '%d\n' "$((a * 256 ** 3 + b * 256 ** 2 + c * 256 + d))"
+}
+
+# This only works with real bash (<<<) - split IP addresses into array with
+# hyphen as delimiter
+readarray -d - -t strarr <<< $1
+
+ipaddrcheck --is-ipv4-single ${strarr[0]}
+if [ $? -gt 0 ]; then
+  exit 1
+fi
+
+ipaddrcheck --is-ipv4-single ${strarr[1]}
+if [ $? -gt 0 ]; then
+  exit 1
+fi
+
+start=$(ip2dec ${strarr[0]})
+stop=$(ip2dec ${strarr[1]})
+if [ $start -ge $stop ]; then
+  exit 1
+fi
+
+exit 0
-- 
cgit v1.2.3