Page MenuHomeVyOS Platform

Make DNAT/SNAT a valid state in firewall rules.
Closed, ResolvedPublicFEATURE REQUEST


According to the iptables man page, SNAT/DNAT are valid ctstate options along with related/established/new/invalid. Of course this doesn't necessarily mean they are valid where needed in the firewall setup code, so I have no idea the difficulty or possibility of this.

It would be nice to be able to have a single firewall rule to allow all DNATed connections, instead of one rule per DNAT. Other platforms allow this and it eliminates a lot of repetition when it comes to creating destination NAT configurations.


Difficulty level
Unknown (require assessment)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

kroy updated the task description. (Show Details)
syncer triaged this task as Wishlist priority.Nov 10 2018, 12:02 PM
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
dmbaturin set Is it a breaking change? to Unspecified (possibly destroys the router).
erkin set Issue type to Feature (new functionality).Sep 1 2021, 10:49 AM
n.fort changed the task status from Open to Needs testing.May 9 2022, 10:03 PM