I think having an option for using an address list that could be used for DST-NAT (or SRC-NAT) would be very useful for improving the flexibility of the RouterOS firewall system.
An example:
We have begun to automate many of our SSL server deployments, and we do have numerous deployments. Historically we bought 3-year signed certificates, and it wasn't that bad upon renewal. However, since the switch to max 1-year signed certificates a few years back, and our own growth (more servers, more services, more need to deploy/renew/maintain the signed certificates), the process has become a pain.
In order to simplify the process and limit costs, we have begun to use services like Let's Encrypt / ZeroSSL etc.
We have no need of the more expensive SSL certificates from and these simple signed certificates work fine. However, I have always hated the verification process using random source servers, requiring port 80 or 443. For some services we can use a reverse proxy to assist. However, for some services a reverse proxy is undesired or not possible, using automated DNS verification is not doable in many cases, and at some locations we have many servers behind limited IP addresses.
I have been using port knocking and firewall rules to automate the opening of port 80 for a short time on our RouterOS firewalls when a server is doing its verification process with the certificate provider. The issue is when I have many servers all needing to do verifications (different time periods), but I only have a single public IP address. The port forwarding rules required cannot dynamically change the DST-NAT 'to address', and while I could script it, that becomes a pain and I hate running scripts on short time intervals, something that would be required as the verification occurs fairly quickly.
This comes to my feature suggestion. Currently, when I perform the port knock, the internal server knocks the RouterOS, and the RouterOS adds the server's IP to an address list with a 05:00 timeout. Once that occurs, a firewall rule in the forward chain of the filters will allow traffic to flow to port 80 of the server doing the verification. Verification completes, and five minutes later the address expires and my filter rule is now blocking port 80 traffic.
If I could use an address-list for the DST-NAT 'to-address', I could have these same rules work for any number of servers doing verification on port 80 (or any port), all on a single WAN/public IP address.
The main feature would be the change of the DST-NAT 'to-address' to allow an address list to be specified.
The second feature would be to have a check-box on adding to an address-list called 'single address only' or something like that. This flag would trigger RouterOS to limit an address-list to a single entry. This second feature would be optional, and it isn't required. Without this limit it would just be up to the user to ensure they don't populate an address list with multiple entries when it is being specified for DST-NAT / SRC-NAT, or they would get undesired effects.
I do understand that a rule of this sort would add some load to the router, but I do think it would be one heck of a useful feature for targeted applications.
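The setup described in this post, sketched as RouterOS configuration to show where the fixed DST-NAT target limits it. This is an added example, not the poster's own configuration; the interface names, knock port, list name, subnet and server address are all assumptions.

```routeros
# Added illustration. Constructed values (assumptions, not from the post):
#   WAN interface = ether1-wan, LAN interface = bridge-lan,
#   knock port = tcp/7080, address list = acme-verify,
#   server subnet = 192.168.88.0/24, example server = 192.168.88.10

/ip firewall filter
# 1. Knock: an internal server connects to the router on the knock port and
#    its source address is placed on the list for five minutes.
#    src-address restricts who is allowed to knock at all.
add chain=input in-interface=bridge-lan src-address=192.168.88.0/24 \
    protocol=tcp dst-port=7080 action=add-src-to-address-list \
    address-list=acme-verify address-list-timeout=5m \
    comment="knock: open port 80 for 5 minutes"

# 2. Forward: inbound port 80 is accepted only while the destination
#    (already translated by dst-nat at this point) is on the list.
add chain=forward in-interface=ether1-wan protocol=tcp dst-port=80 \
    connection-nat-state=dstnat dst-address-list=acme-verify action=accept \
    comment="allow verification traffic to the listed server"
add chain=forward in-interface=ether1-wan protocol=tcp dst-port=80 \
    action=drop comment="port 80 closed otherwise"

/ip firewall nat
# 3. dst-nat: to-addresses is a fixed value, so this rule always points at
#    one server. Any other server that knocks is on the list and passes the
#    filter, but never receives the forwarded traffic.
add chain=dstnat in-interface=ether1-wan protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=80 \
    comment="static target: one rule serves one server"
```

With the requested feature, the `to-addresses` value in step 3 would instead be taken from the `acme-verify` list, which is why the post also asks for a way to keep that list to a single entry.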