Feature #3887
closed
Add a "No binat" checkbox to 1:1 NAT for exclusions
100%
Description
In some cases it is necessary to create exclusions from a broad definition of a more general 1:1 NAT rule, such as:
- No 1:1 NAT for x.x.x.1
- No 1:1 NAT for x.x.x.2
- 1:1 NAT for y.y.y.0/24 -> x.x.x.0/24
That way NAT could be performed for the entire subnet on that interface except for the gateway and the firewall itself.
Updated by
Updated by Anonymous almost 9 years ago
1-to-1 rules can already be dragged to reorder. I can add a "no binat" (or "exclude") checkbox, save the setting, and display a suitable icon when it is checked.
JimP - can you help with creating the NAT rule correctly on "Apply" ?
Updated by Jim Pingle almost 9 years ago
The rule should look like the current rule but have "no " before the rest of the line. For example source:src/etc/inc/filter.inc#L1877 line 1877 shows where the binat line is made, if the negation box is checked then that line should start with "no binat" rather than "binat". And now that I look there, the NAT reflection bits above and below there should be skipped as well if the negation box is checked.
Also "-> {$target}{$sn1}" is not required for no binat
Updated by Anonymous almost 9 years ago
- Status changed from New to Assigned
- Assignee changed from Anonymous to Jim Pingle
Implemented as requested.
Swinging it over to JimP for testing
Updated by Anonymous almost 9 years ago
- Status changed from Assigned to Feedback
Applied in changeset 1716852ac3f818dc9fb22f3e4f7eb4301296a3c0.
Updated by Jim Pingle almost 9 years ago
- Status changed from Feedback to Resolved
Seems to do the job. Rules look like I expect, pf doesn't complain.