authorSteven Barth <steven@midlink.org>2014-04-10 14:26:57 +0200
committerSteven Barth <steven@midlink.org>2014-04-14 08:46:57 +0200
commit6907da00bbf0a5c6778f3ca8c9646bdc04119705 (patch)
treee55d06ef266115187001196d0dcedb43c6c47221
parentd1a450f7f29b68c314b92cde4f8cd34d4766302b (diff)
nat: allow ACCEPT-target to explicitely disable NAT
Signed-off-by: Steven Barth <steven@midlink.org>
-rw-r--r--snats.c15
1 files changed, 10 insertions, 5 deletions
diff --git a/snats.c b/snats.c
index 00fd57c..11bcc06 100644
--- a/snats.c
+++ b/snats.c
@@ -179,7 +179,8 @@ fw3_load_snats(struct fw3_state *state, struct uci_package *p)
warn_elem(e, "has no target specified, defaulting to MASQUERADE");
snat->target = FW3_FLAG_MASQUERADE;
}
- else if (snat->target < FW3_FLAG_SNAT || snat->target > FW3_FLAG_MASQUERADE)
+ else if (snat->target != FW3_FLAG_ACCEPT && snat->target != FW3_FLAG_SNAT &&
+ snat->target != FW3_FLAG_MASQUERADE)
{
warn_elem(e, "has invalid target specified, defaulting to MASQUERADE");
snat->target = FW3_FLAG_MASQUERADE;
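Review bot: An unrecognised target still falls back to MASQUERADE in the branch this condition guards, so a section whose target is not ACCEPT, SNAT or MASQUERADE ends up rewriting source addresses with only a warning. Now that ACCEPT exists to switch NAT off, that is the more surprising direction to fail in, and the other validation failures in this function (next hunk) drop the section instead. Consider doing the same here: `warn_elem(e, "has invalid target specified, skipping");` followed by `fw3_free_snat(snat); continue;`. This changes behaviour for existing configs, so it needs a maintainer decision; the block's closing brace is outside the hunk.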
@@ -192,15 +193,15 @@ fw3_load_snats(struct fw3_state *state, struct uci_package *p)
fw3_free_snat(snat);
continue;
}
- else if (snat->target == FW3_FLAG_MASQUERADE && snat->ip_snat.set)
+ else if (snat->target != FW3_FLAG_SNAT && snat->ip_snat.set)
{
- warn_elem(e, "must not use 'snat_ip' for MASQUERADE");
+ warn_elem(e, "must not use 'snat_ip' for non-SNAT");
fw3_free_snat(snat);
continue;
}
- else if (snat->target == FW3_FLAG_MASQUERADE && snat->port_snat.set)
+ else if (snat->target != FW3_FLAG_SNAT && snat->port_snat.set)
{
- warn_elem(e, "must not use 'snat_port' for MASQUERADE");
+ warn_elem(e, "must not use 'snat_port' for non-SNAT");
fw3_free_snat(snat);
continue;
}
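Review bot: The reworded warnings on the `snat_ip` and `snat_port` checks say "non-SNAT", which is not a value a user can write in the config, and they do not mention that the section is then discarded by `fw3_free_snat(snat); continue;`. Wording such as `warn_elem(e, "'snat_ip' is only valid with target SNAT, skipping");` (and the same for `snat_port`) tells the admin both what to fix and that the rule was not installed. That matters for an ACCEPT section, since dropping it likely leaves the traffic subject to whatever NAT rules remain.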
@@ -258,6 +259,10 @@ set_target(struct fw3_ipt_rule *r, struct fw3_snat *snat,
fw3_ipt_rule_target(r, "SNAT");
fw3_ipt_rule_addarg(r, false, "--to-source", buf);
}
+ else if (snat->target == FW3_FLAG_ACCEPT)
+ {
+ fw3_ipt_rule_target(r, "ACCEPT");
+ }
else
{
fw3_ipt_rule_target(r, "MASQUERADE");
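Review bot: The new ACCEPT branch has no comment saying why a NAT section emits a plain ACCEPT, and the reason is not obvious from set_target alone. A line such as `/* ACCEPT ends nat-table traversal for this match, so no later SNAT/MASQUERADE rule applies */` above the branch would record it. The exemption presumably only holds if this rule is placed ahead of the NAT rules it is meant to override; that ordering is decided outside this hunk, so it is worth confirming and documenting alongside the option. set_target begins before the hunk and the final else block closes after it.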