From fa130f7ea64f4f5793c3d56ef2ce681bdaf45348 Mon Sep 17 00:00:00 2001
From: Matteo Di Lorenzi <matteo.dilorenzi@nethesis.it>
Date: Wed, 18 Feb 2026 17:17:16 +0100
Subject: [PATCH 1/2] feat(port-forward): add traffic type selection and
 enhance destination address options

---
 .../CreateOrEditPortForwardDrawer.vue         | 170 +++++++++++++-----
 .../standalone/firewall/PortForwardTable.vue  |  16 +-
 src/i18n/en.json                              |  11 +-
 src/i18n/it.json                              |  11 +-
 src/views/standalone/firewall/PortForward.vue |   2 +-
 5 files changed, 150 insertions(+), 60 deletions(-)

diff --git a/src/components/standalone/firewall/CreateOrEditPortForwardDrawer.vue b/src/components/standalone/firewall/CreateOrEditPortForwardDrawer.vue
index e98ed8f85..8239cce86 100644
--- a/src/components/standalone/firewall/CreateOrEditPortForwardDrawer.vue
+++ b/src/components/standalone/firewall/CreateOrEditPortForwardDrawer.vue
@@ -99,6 +99,18 @@ const supportedDestinationZones = computed<NeComboboxOption[]>(() => {
   }
 })
 
+const trafficType = ref<'select_protocols' | 'all_traffic'>('select_protocols')
+const trafficTypeOptions = [
+  {
+    id: 'select_protocols',
+    label: t('standalone.port_forward.select_protocols')
+  },
+  {
+    id: 'all_traffic',
+    label: t('standalone.port_forward.all_traffic')
+  }
+]
+
 // Form fields
 const id = ref('')
 const name = ref('')
@@ -125,7 +137,7 @@ const reflectionZones = ref<NeComboboxOption[]>([])
 const reflectionZonesRef = ref()
 const destinationZone = ref('')
 const destinationZoneRef = ref()
-const destinationAddressType = ref<'address' | 'object'>('address')
+const destinationAddressType = ref<'address' | 'object' | 'firewall'>('address')
 const destinationAddressObject = ref('')
 const destinationObjectRef = ref()
 const restrictType = ref<'address' | 'object'>('address')
@@ -140,6 +152,10 @@ const destinationAddressOptions = ref([
   {
     id: 'object',
     label: t('standalone.port_forward.select_an_object')
+  },
+  {
+    id: 'firewall',
+    label: t('standalone.port_forward.firewall')
   }
 ])
 
@@ -186,7 +202,13 @@ const restrictObjectsComboboxOptions = computed(() => {
   return [noObjectOption, ...restrictOptions]
 })
 
-const anyProtocolSelected = computed(() => protocols.value.length == 0)
+const filteredDestinationAddressOptions = computed(() => {
+  // when traffic type is 'all_traffic', exclude the firewall option
+  if (trafficType.value === 'all_traffic') {
+    return destinationAddressOptions.value.filter((option) => option.id !== 'firewall')
+  }
+  return destinationAddressOptions.value
+})
 
 function resetForm() {
   validationErrorBag.value.clear()
@@ -203,11 +225,16 @@ function resetForm() {
       destinationAddressType.value = 'object'
       destinationIP.value = ''
       destinationAddressObject.value = props.initialItem.ns_dst
-    } else {
-      // destination address is an IP address
+    } else if (props.initialItem.dest_ip && props.initialItem.dest_ip !== '127.0.0.1') {
+      // destination address is a custom IP address
       destinationAddressType.value = 'address'
       destinationIP.value = props.initialItem.dest_ip
       destinationAddressObject.value = ''
+    } else {
+      // destination address is 127.0.0.1 (firewall's IP)
+      destinationAddressType.value = 'firewall'
+      destinationIP.value = ''
+      destinationAddressObject.value = ''
     }
   } else {
     // creating new port forward
@@ -268,10 +295,13 @@ async function fetchOptions() {
   try {
     supportedProtocols.value = (
       await ubusCall('ns.redirects', 'list-protocols')
-    ).data.protocols.map((proto: string) => ({
-      id: proto,
-      label: proto.toUpperCase()
-    }))
+    ).data.protocols
+      // filter out 'all' protocol as there is the dedicated 'all_traffic' option in the UI
+      .filter((proto: string) => proto.toLowerCase() !== 'all')
+      .map((proto: string) => ({
+        id: proto,
+        label: proto.toUpperCase()
+      }))
   } catch (err: any) {
     error.value.notificationTitle = t('error.cannot_retrieve_protocols')
     error.value.notificationDescription = t(getAxiosErrorMessage(err))
@@ -318,6 +348,16 @@ watchEffect(() => {
   resetForm()
 })
 
+// reset destination address type to 'address' when switching to all_traffic and firewall is selected
+watch(
+  () => trafficType.value,
+  (newTrafficType) => {
+    if (newTrafficType === 'all_traffic' && destinationAddressType.value === 'firewall') {
+      destinationAddressType.value = 'address'
+    }
+  }
+)
+
 function close() {
   error.value.notificationTitle = ''
   error.value.notificationDescription = ''
@@ -346,6 +386,14 @@ function resetRestrictIPValidationErrors() {
   restrictIPValidationErrors.value = []
 }
 
+function handleSelectAllProtocolsManually() {
+  // prevent selecting all protocols
+  if (protocols.value.length === supportedProtocols.value.length && supportedProtocols.value.length > 0) {
+    // remove the last selected protocol
+    protocols.value.pop()
+  }
+}
+
 function runFieldValidators(
   validators: validationOutput[],
   fieldName: string,
@@ -399,8 +447,12 @@ function validate(): boolean {
   const sourceDestinationPortValidators: [validationOutput[], string, Ref][] = [
     [
       [
-        // if destination port is present, source port is required
-        destinationPort.value ? validateRequired(sourcePort.value) : { valid: true },
+        // source port required when destination is firewall or destination port is present
+        destinationAddressType.value === 'firewall'
+          ? validateRequired(sourcePort.value)
+          : destinationPort.value
+            ? validateRequired(sourcePort.value)
+            : { valid: true },
         sourcePort.value
           ? validateAnyOf(
               [validatePort, validatePortRange],
@@ -427,26 +479,38 @@ function validate(): boolean {
     ]
   ]
 
-  const destinationIpRequired = sourcePort.value == '' || destinationPort.value == ''
+  // if traffic type is 'select_protocols', at least one protocol must be selected from the dropdown
+  const protocolValidators: [validationOutput[], string, Ref][] =
+    trafficType.value === 'select_protocols'
+      ? [[[validateRequiredOption(protocols.value)], 'protocols', protocolsRef]]
+      : []
+
+  // destination address validation based on type
+  const destinationValidators: [validationOutput[], string, Ref][] = []
+  
+  if (destinationAddressType.value === 'address') {
+    // type is 'address', IP is required and must be valid
+    destinationValidators.push([
+      [validateRequired(destinationIP.value), validateIpAddress(destinationIP.value)],
+      'destinationIP',
+      destinationIpRef
+    ])
+  } else if (destinationAddressType.value === 'object') {
+    // type is 'object'
+    destinationValidators.push([
+      [validateRequired(destinationAddressObject.value)],
+      'destinationAddressObject',
+      destinationObjectRef
+    ])
+  }
+  // if type is 'firewall', no validation needed as the destination address is the firewall's IP
+  // and the source port is checked above in sourceDestinationPortValidators
 
   const validators: [validationOutput[], string, Ref][] = [
     [[validateRequired(name.value)], 'name', nameRef],
-    ...(anyProtocolSelected.value ? [] : sourceDestinationPortValidators),
-    destinationAddressType.value === 'address'
-      ? [
-          destinationIpRequired
-            ? [validateRequired(destinationIP.value), validateIpAddress(destinationIP.value)]
-            : destinationIP.value
-              ? [validateIpAddress(destinationIP.value)]
-              : [{ valid: true }],
-          'destinationIP',
-          destinationIpRef
-        ]
-      : [
-          [validateRequired(destinationAddressObject.value)],
-          'destinationAddressObject',
-          destinationObjectRef
-        ],
+    ...protocolValidators,
+    ...(trafficType.value === 'all_traffic' ? [] : sourceDestinationPortValidators),
+    ...destinationValidators,
     [
       reflection.value ? [validateRequiredOption(reflectionZones.value)] : [],
       'reflectionZones',
@@ -478,11 +542,11 @@ async function createOrEditPortForward() {
       const payload: CreateEditPortForwardPayload = {
         dest_ip: '',
         ns_dst: '',
-        proto: anyProtocolSelected.value
+        proto: trafficType.value === 'all_traffic'
           ? ['all']
           : protocols.value.map((protoObj: NeComboboxOption) => protoObj.id),
-        src_dport: anyProtocolSelected.value ? '' : sourcePort.value,
-        dest_port: anyProtocolSelected.value ? '' : destinationPort.value,
+        src_dport: trafficType.value === 'all_traffic' ? '' : sourcePort.value,
+        dest_port: trafficType.value === 'all_traffic' ? '' : destinationPort.value,
         name: name.value,
         src_dip: wan.value === 'any' ? '' : wan.value,
         enabled: enabled.value ? '1' : '0',
@@ -503,10 +567,11 @@ async function createOrEditPortForward() {
       if (destinationAddressType.value === 'address') {
         // destination address
         payload.dest_ip = destinationIP.value
-      } else {
+      } else if (destinationAddressType.value === 'object') {
         // destination object
         payload.ns_dst = destinationAddressObject.value
       }
+      // if destinationAddressType is 'firewall', dest_ip and ns_dst remain empty
 
       if (restrictType.value === 'address') {
         // restrict addresses
@@ -583,11 +648,26 @@ async function createOrEditPortForward() {
         :disabled="isSubmittingRequest"
         :invalid-message="validationErrorBag.getFirstFor('name')"
       />
+
+      <NeRadioSelection
+        v-model="trafficType"  
+        :label="t('standalone.port_forward.traffic_type')"
+        :options="trafficTypeOptions"
+        :disabled="isSubmittingRequest"
+      />
+
+      <NeInlineNotification
+        v-show="trafficType === 'all_traffic'"
+        kind="info"
+        :title="t('standalone.port_forward.forward_all_traffic')"
+        :description="t('standalone.port_forward.forward_all_traffic_message')"
+      />
+
       <NeCombobox
+        v-show="trafficType !== 'all_traffic'"
         ref="protocolsRef"
         v-model="protocols"
         :label="t('standalone.port_forward.protocols')"
-        :helper-text="t('standalone.port_forward.protocol_helper')"
         :multiple="true"
         :options="supportedProtocols"
         :placeholder="t('standalone.port_forward.choose_protocol')"
@@ -599,24 +679,21 @@ async function createOrEditPortForward() {
         :selected-label="t('ne_combobox.selected')"
         :user-input-label="t('ne_combobox.user_input_label')"
         :optional-label="t('common.optional')"
+        @update:model-value="handleSelectAllProtocolsManually"
       />
-      <NeInlineNotification
-        v-if="anyProtocolSelected"
-        kind="info"
-        :title="t('standalone.port_forward.any_protocol')"
-        :description="t('standalone.port_forward.any_protocol_message')"
-      />
+
       <NeTextInput
-        v-if="!anyProtocolSelected"
+        v-show="trafficType !== 'all_traffic'"
         ref="sourcePortRef"
         v-model="sourcePort"
         :label="t('standalone.port_forward.source_port')"
         :invalid-message="validationErrorBag.getFirstFor('sourcePort')"
-        :optional="true"
+        :optional="destinationAddressType !== 'firewall'"
         :disabled="isSubmittingRequest"
         :optional-label="t('common.optional')"
-        :helper-text="t('standalone.port_forward.source_destination_port_helper')"
-      >
+        :helper-text="destinationAddressType !== 'firewall' ? t('standalone.port_forward.source_destination_port_helper') : ''"
+        :placeholder="t('standalone.port_forward.port_placeholder')"
+        >
         <template #tooltip>
           <NeTooltip>
             <template #content>
@@ -640,7 +717,7 @@ async function createOrEditPortForward() {
       <NeRadioSelection
         v-model="destinationAddressType"
         :label="t('standalone.port_forward.destination_address_type')"
-        :options="destinationAddressOptions"
+        :options="filteredDestinationAddressOptions"
         :disabled="isSubmittingRequest"
       >
         <template #tooltip>
@@ -658,9 +735,8 @@ async function createOrEditPortForward() {
         v-model="destinationIP"
         :label="t('standalone.port_forward.destination_address')"
         :invalid-message="validationErrorBag.getFirstFor('destinationIP')"
-        :helper-text="t('standalone.port_forward.leave_blank_for_firewall')"
         :disabled="isSubmittingRequest"
-        optional
+        :optional-label="t('common.optional')"
       />
       <!-- destination object -->
       <NeCombobox
@@ -688,15 +764,15 @@ async function createOrEditPortForward() {
         </template>
       </NeCombobox>
       <NeTextInput
-        v-if="!anyProtocolSelected"
+        v-show="trafficType !== 'all_traffic'"
         ref="destinationPortRef"
         v-model="destinationPort"
         :label="t('standalone.port_forward.destination_port')"
         :invalid-message="validationErrorBag.getFirstFor('destinationPort')"
         :optional="true"
         :optional-label="t('common.optional')"
-        :helper-text="t('standalone.port_forward.source_destination_port_helper')"
         :disabled="isSubmittingRequest"
+        :placeholder="t('standalone.port_forward.port_placeholder')"
       >
         <template #tooltip
           ><NeTooltip
diff --git a/src/components/standalone/firewall/PortForwardTable.vue b/src/components/standalone/firewall/PortForwardTable.vue
index 906055115..7c3736701 100644
--- a/src/components/standalone/firewall/PortForwardTable.vue
+++ b/src/components/standalone/firewall/PortForwardTable.vue
@@ -96,25 +96,25 @@ function getCellClasses(item: PortForward) {
       class="z-10"
     >
       <NeTableHead>
-        <NeTableHeadCell>
+        <NeTableHeadCell style="width: 16%">
           {{ t('standalone.port_forward.name') }}
         </NeTableHeadCell>
-        <NeTableHeadCell>
+        <NeTableHeadCell style="width: 14%">
           {{ t('standalone.port_forward.source_port') }}
         </NeTableHeadCell>
-        <NeTableHeadCell>
+        <NeTableHeadCell style="width: 14%">
           {{ t('standalone.port_forward.destination_port') }}
         </NeTableHeadCell>
-        <NeTableHeadCell>
+        <NeTableHeadCell style="width: 14%">
           {{ t('standalone.port_forward.protocols') }}
         </NeTableHeadCell>
-        <NeTableHeadCell>
+        <NeTableHeadCell style="width: 14%">
           {{ t('standalone.port_forward.wan_ip') }}
         </NeTableHeadCell>
-        <NeTableHeadCell>
+        <NeTableHeadCell style="width: 14%">
           {{ t('standalone.port_forward.restrict_access_from') }}
         </NeTableHeadCell>
-        <NeTableHeadCell>
+        <NeTableHeadCell style="width: 14%">
           {{ t('standalone.port_forward.status') }}
         </NeTableHeadCell>
         <NeTableHeadCell>
@@ -165,7 +165,7 @@ function getCellClasses(item: PortForward) {
             <div v-else :class="getCellClasses(item)" class="flex flex-row items-center">
               <FontAwesomeIcon
                 :icon="item.enabled ? faCircleCheck : faCircleXmark"
-                class="mr-2 h-5 w-5"
+                :class="['mr-2', 'h-5', 'w-5', item.enabled ? 'text-green-700 dark:text-green-500' : '']" 
                 aria-hidden="true"
               />
               <p>
diff --git a/src/i18n/en.json b/src/i18n/en.json
index 4ebbf8c11..0981583c5 100644
--- a/src/i18n/en.json
+++ b/src/i18n/en.json
@@ -1506,7 +1506,7 @@
       "source_port": "Source port",
       "source_port_tooltip": "Enter a single port or a a port range (e.g. '5500-5600'). Source port is required if a destination port is specified",
       "destination_port": "Destination port",
-      "destination_port_tooltip": "If you leave this field empty, the traffic will be redirected to the same port specified in the 'Source port' field. You can enter a single port or a a port range",
+      "destination_port_tooltip": "If you leave this field empty, the traffic will be redirected to the same port specified in the 'Source port' field",
       "protocols": "Protocols",
       "wan_ip": "WAN IP",
       "restrict_access_from": "Restrict access from",
@@ -1549,7 +1549,14 @@
       "restricted_object": "Restricted object",
       "restricted_object_tooltip": "All objects supported, except host sets containing IP ranges or nested objects",
       "no_object": "No object",
-      "port_forwards_for_destination_name": "Port forwards for destination '{name}'"
+      "port_forwards_for_destination_name": "Port forwards for destination '{name}'",
+      "traffic_type": "Traffic type",
+      "select_protocols": "Select protocols",
+      "all_traffic": "All traffic",
+      "forward_all_traffic": "Forward all traffic",
+      "forward_all_traffic_message": "All incoming traffic will be forwarded to the selected destination.\nThis bypasses firewall protection, exposes the destination host, and makes firewall services (e.g. UI, SSH) unreachable on this WAN IP.",
+      "firewall": "Firewall",
+      "port_placeholder": "e.g. 8080, 5500-5600"
     },
     "firewall_rules": {
       "title": "Firewall rules",
diff --git a/src/i18n/it.json b/src/i18n/it.json
index f7d138343..9c6f8dae7 100644
--- a/src/i18n/it.json
+++ b/src/i18n/it.json
@@ -1074,7 +1074,7 @@
       "disabled": "Disabilitato",
       "choose_protocol": "Scegli protocollo",
       "filter": "Filtra",
-      "destination_port_tooltip": "Se si lascia il campo vuoto, il traffico verrà ridirezionato alla stessa porta specificata nel campo \"Porta sorgente\". È possibile inserire una porta singola o un intervallo di porte",
+      "destination_port_tooltip": "Se si lascia il campo vuoto, il traffico verrà ridirezionato alla stessa porta specificata nel campo \"Porta sorgente\"",
       "any_protocol": "Qualunque protocollo",
       "source_destination_port_helper": "Lasciare vuoto per permettere tutte le porte",
       "protocol_helper": "Lasciare senza selezione per permettere tutti i protocolli in entrata",
@@ -1092,7 +1092,14 @@
       "save_port_forward": "Salva port forward",
       "destination_object": "Oggetto di destinazione",
       "restricted_object_tooltip": "Tutti gli oggetti supportati, tranne gli host set contenenti intervalli IP o oggetti nidificati",
-      "leave_blank_for_firewall": "Lascia vuoto per firewall"
+      "leave_blank_for_firewall": "Lascia vuoto per firewall",
+      "traffic_type": "Tipo di traffico",
+      "select_protocols": "Seleziona protocolli",
+      "all_traffic": "Tutto il traffico",
+      "forward_all_traffic": "Inoltra tutto il traffico",
+      "forward_all_traffic_message": "Tutto il traffico in arrivo verrà inoltrato alla destinazione selezionata.\nQuesto bypassa la protezione del firewall, espone l'host di destinazione e rende i servizi del firewall (ad es. UI, SSH) irraggiungibili su questo IP WAN.",
+      "firewall": "Firewall",
+      "port_placeholder": "es. 8080, 5500-5600"
     },
     "routes": {
       "route_type": "Tipo di rotta",
diff --git a/src/views/standalone/firewall/PortForward.vue b/src/views/standalone/firewall/PortForward.vue
index 1105c1422..622870d39 100644
--- a/src/views/standalone/firewall/PortForward.vue
+++ b/src/views/standalone/firewall/PortForward.vue
@@ -252,7 +252,7 @@ onMounted(() => {
       <div class="ml-2 shrink-0">
         <NeButton
           v-if="Object.keys(portForwards).length > 0"
-          kind="secondary"
+          kind="primary"
           @click="openCreateEditDrawer(null)"
         >
           <template #prefix>

From 307db42c9c0f0529b9965531692895b017e30005 Mon Sep 17 00:00:00 2001
From: Matteo Di Lorenzi <matteo.dilorenzi@nethesis.it>
Date: Wed, 18 Feb 2026 17:28:07 +0100
Subject: [PATCH 2/2] style(port-forward): format code for better readability

---
 .../CreateOrEditPortForwardDrawer.vue         | 28 +++++++++++--------
 .../standalone/firewall/PortForwardTable.vue  |  7 ++++-
 2 files changed, 23 insertions(+), 12 deletions(-)

diff --git a/src/components/standalone/firewall/CreateOrEditPortForwardDrawer.vue b/src/components/standalone/firewall/CreateOrEditPortForwardDrawer.vue
index 8239cce86..8d91c7031 100644
--- a/src/components/standalone/firewall/CreateOrEditPortForwardDrawer.vue
+++ b/src/components/standalone/firewall/CreateOrEditPortForwardDrawer.vue
@@ -293,9 +293,7 @@ async function fetchOptions() {
   loading.value.listProtocolsAndZones = true
 
   try {
-    supportedProtocols.value = (
-      await ubusCall('ns.redirects', 'list-protocols')
-    ).data.protocols
+    supportedProtocols.value = (await ubusCall('ns.redirects', 'list-protocols')).data.protocols
       // filter out 'all' protocol as there is the dedicated 'all_traffic' option in the UI
       .filter((proto: string) => proto.toLowerCase() !== 'all')
       .map((proto: string) => ({
@@ -388,7 +386,10 @@ function resetRestrictIPValidationErrors() {
 
 function handleSelectAllProtocolsManually() {
   // prevent selecting all protocols
-  if (protocols.value.length === supportedProtocols.value.length && supportedProtocols.value.length > 0) {
+  if (
+    protocols.value.length === supportedProtocols.value.length &&
+    supportedProtocols.value.length > 0
+  ) {
     // remove the last selected protocol
     protocols.value.pop()
   }
@@ -487,7 +488,7 @@ function validate(): boolean {
 
   // destination address validation based on type
   const destinationValidators: [validationOutput[], string, Ref][] = []
-  
+
   if (destinationAddressType.value === 'address') {
     // type is 'address', IP is required and must be valid
     destinationValidators.push([
@@ -542,9 +543,10 @@ async function createOrEditPortForward() {
       const payload: CreateEditPortForwardPayload = {
         dest_ip: '',
         ns_dst: '',
-        proto: trafficType.value === 'all_traffic'
-          ? ['all']
-          : protocols.value.map((protoObj: NeComboboxOption) => protoObj.id),
+        proto:
+          trafficType.value === 'all_traffic'
+            ? ['all']
+            : protocols.value.map((protoObj: NeComboboxOption) => protoObj.id),
         src_dport: trafficType.value === 'all_traffic' ? '' : sourcePort.value,
         dest_port: trafficType.value === 'all_traffic' ? '' : destinationPort.value,
         name: name.value,
@@ -650,7 +652,7 @@ async function createOrEditPortForward() {
       />
 
       <NeRadioSelection
-        v-model="trafficType"  
+        v-model="trafficType"
         :label="t('standalone.port_forward.traffic_type')"
         :options="trafficTypeOptions"
         :disabled="isSubmittingRequest"
@@ -691,9 +693,13 @@ async function createOrEditPortForward() {
         :optional="destinationAddressType !== 'firewall'"
         :disabled="isSubmittingRequest"
         :optional-label="t('common.optional')"
-        :helper-text="destinationAddressType !== 'firewall' ? t('standalone.port_forward.source_destination_port_helper') : ''"
+        :helper-text="
+          destinationAddressType !== 'firewall'
+            ? t('standalone.port_forward.source_destination_port_helper')
+            : ''
+        "
         :placeholder="t('standalone.port_forward.port_placeholder')"
-        >
+      >
         <template #tooltip>
           <NeTooltip>
             <template #content>
diff --git a/src/components/standalone/firewall/PortForwardTable.vue b/src/components/standalone/firewall/PortForwardTable.vue
index 7c3736701..1c8f3688a 100644
--- a/src/components/standalone/firewall/PortForwardTable.vue
+++ b/src/components/standalone/firewall/PortForwardTable.vue
@@ -165,7 +165,12 @@ function getCellClasses(item: PortForward) {
             <div v-else :class="getCellClasses(item)" class="flex flex-row items-center">
               <FontAwesomeIcon
                 :icon="item.enabled ? faCircleCheck : faCircleXmark"
-                :class="['mr-2', 'h-5', 'w-5', item.enabled ? 'text-green-700 dark:text-green-500' : '']" 
+                :class="[
+                  'mr-2',
+                  'h-5',
+                  'w-5',
+                  item.enabled ? 'text-green-700 dark:text-green-500' : ''
+                ]"
                 aria-hidden="true"
               />
               <p>