Add a NAT rule option to force masquerading instead of SNAT.

2026-06-25 02:19:37 +02:00 · 2018-03-05 20:06:22 +01:00
parent edb302187e
commit 2336bbb1f9
6 changed files with 56 additions and 4 deletions
--- a/src/iptlib/NATCompiler_ipt.cpp
+++ b/src/iptlib/NATCompiler_ipt.cpp
@@ -1324,6 +1324,23 @@ bool NATCompiler_ipt::dynamicInterfaceInTSrc::processNext()
    return true;
 }

+bool NATCompiler_ipt::alwaysUseMasquerading::processNext()
+{
+    NATRule *rule=getNext(); if (rule==NULL) return false;
+    FWOptions  *ruleopt =rule->getOptionsObject();
+    bool use_masq = ruleopt->getBool("ipt_use_masq");
+
+    tmp_queue.push_back(rule);
+
+    if (use_masq && rule->getRuleType()==NATRule::SNAT)
+    {
+        rule->setRuleType(NATRule::Masq);
+        if (rule->getStr("ipt_target")=="" || rule->getStr("ipt_target")=="SNAT")
+            rule->setStr("ipt_target", "MASQUERADE");
+    }
+    return true;
+}
+
 /**
 * unlike standard inspector addressRanges in the base class NATCompiler,
 * this one does not expand address ranges in TSrc and TDst because
@@ -2590,6 +2607,8 @@ void NATCompiler_ipt::compile()
    add( new dynamicInterfaceInODst("split if dynamic interface in ODst") );
    add( new dynamicInterfaceInTSrc(
             "set target if dynamic interface in TSrc" ) );
+    add( new alwaysUseMasquerading(
+             "always use masquerading target instead of SNAT" ) );

    add( new ConvertToAtomicForItfInb("convert to atomic for inbound interface") );
    add( new ConvertToAtomicForItfOutb("convert to atomic for outbound interface"));
--- a/src/iptlib/NATCompiler_ipt.h
+++ b/src/iptlib/NATCompiler_ipt.h
@@ -284,6 +284,11 @@ namespace fwcompiler
 	 */
        DECLARE_NAT_RULE_PROCESSOR(dynamicInterfaceInTSrc);

+	/**
+         *  forces use of masquerading instead of SNAT in all cases.
+         */
+        DECLARE_NAT_RULE_PROCESSOR(alwaysUseMasquerading);
+
 	/**
 	 *  takes care of dynamic interfaces in ODst  (if ODst contains
 	 *  interface and its address is dynamic, replace it with any)
--- a/src/libgui/FWObjectPropertiesFactory.cpp
+++ b/src/libgui/FWObjectPropertiesFactory.cpp
@@ -1335,6 +1335,8 @@ QString FWObjectPropertiesFactory::getNATRuleOptions(Rule *rule)
        {
            if (ropt->getBool("ipt_use_snat_instead_of_masq"))
                res += QObject::tr("use SNAT instead of MASQ<br>");
+            if (ropt->getBool("ipt_use_masq"))
+                res += QObject::tr("always use MASQUERADE<br>");
            if (ropt->getBool("ipt_nat_random"))      res += QObject::tr("random<br>");
            if (ropt->getBool("ipt_nat_persistent"))  res += QObject::tr("persistent<br>");
        }
--- a/src/libgui/NATRuleOptionsDialog.cpp
+++ b/src/libgui/NATRuleOptionsDialog.cpp
@@ -100,6 +100,8 @@ void NATRuleOptionsDialog::loadFWObject(FWObject *o)
    {
        data.registerOption(m_dialog->ipt_use_snat_instead_of_masq, ropt,
                            "ipt_use_snat_instead_of_masq");
+        data.registerOption(m_dialog->ipt_use_masq, ropt,
+                            "ipt_use_masq");
        data.registerOption(m_dialog->ipt_nat_random, ropt,
                            "ipt_nat_random");
        data.registerOption(m_dialog->ipt_nat_persistent, ropt,
--- a/src/libgui/natruleoptionsdialog_q.ui
+++ b/src/libgui/natruleoptionsdialog_q.ui
@@ -98,7 +98,14 @@
         </property>
        </widget>
       </item>
-       <item row="2" column="0">
+       <item row="2" column="0" colspan="2">
+        <widget class="QCheckBox" name="ipt_use_masq">
+         <property name="text">
+          <string>Always use MASQUERADE target instead of SNAT</string>
+         </property>
+        </widget>
+       </item>
+       <item row="3" column="0">
        <spacer name="verticalSpacer_2">
         <property name="orientation">
          <enum>Qt::Vertical</enum>
@@ -114,21 +121,21 @@
         </property>
        </spacer>
       </item>
-       <item row="3" column="0" colspan="2">
+       <item row="4" column="0" colspan="2">
        <widget class="QCheckBox" name="ipt_nat_random">
         <property name="text">
          <string>Randomize port mapping (translates to --random)</string>
         </property>
        </widget>
       </item>
-       <item row="4" column="0" colspan="2">
+       <item row="5" column="0" colspan="2">
        <widget class="QCheckBox" name="ipt_nat_persistent">
         <property name="text">
          <string>Give a client the same source-/destination-address for each connection (translates to --persistent, requires iptables 1.4.3 or later).</string>
         </property>
        </widget>
       </item>
-       <item row="5" column="1">
+       <item row="6" column="1">
        <spacer name="verticalSpacer">
         <property name="orientation">
          <enum>Qt::Vertical</enum>
@@ -571,6 +578,22 @@
    </hint>
   </hints>
  </connection>
+  <connection>
+   <sender>ipt_use_masq</sender>
+   <signal>toggled(bool)</signal>
+   <receiver>NATRuleOptionsDialog_q</receiver>
+   <slot>changed()</slot>
+   <hints>
+    <hint type="sourcelabel">
+     <x>58</x>
+     <y>23</y>
+    </hint>
+    <hint type="destinationlabel">
+     <x>470</x>
+     <y>172</y>
+    </hint>
+   </hints>
+  </connection>
 </connections>
 <slots>
  <slot>changed()</slot>
--- a/src/libgui/platforms.cpp
+++ b/src/libgui/platforms.cpp
@@ -365,6 +365,7 @@ bool isDefaultNATRuleOptions(FWOptions *opt)
 	if (platform=="iptables")
        {
            res = !opt->getBool("ipt_use_snat_instead_of_masq") &&
+                !opt->getBool("ipt_use_masq") &&
                !opt->getBool("ipt_nat_random") &&
                !opt->getBool("ipt_nat_persistent");
        }