From b8f94751b59039c9a151ea086750789438c778f1 Mon Sep 17 00:00:00 2001
From: HSXX <31765320+HSXX@users.noreply.github.com>
Date: Tue, 21 Oct 2025 16:32:30 +0800
Subject: [PATCH 1/6] Update fw4.uc Allow masquerade to set port
Signed-off-by: HSXX <31765320+HSXX@users.noreply.github.com>
---
 root/usr/share/ucode/fw4.uc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 690deb0..09e35be 100644
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -3084,8 +3084,8 @@ return {
 this.warn_section(data, "must not use 'snat_ip' for non-snat target, ignoring section");
 return;
 }
- else if (snat.target != "snat" && snat.snat_port) {
- this.warn_section(data, "must not use 'snat_port' for non-snat target, ignoring section");
+ else if (snat.target != "snat" && snat.target != "masquerade" && snat.snat_port) {
+ this.warn_section(data, "must not use 'snat_port' for non-snat or non-masquerade target, ignoring section");
 return;
 }
From 6e33fce6014ed629ac55efd3d8e3c458519f30fa Mon Sep 17 00:00:00 2001
From: HSXX <31765320+HSXX@users.noreply.github.com>
Date: Tue, 21 Oct 2025 16:33:45 +0800
Subject: [PATCH 2/6] Update redirect.uc Allow masquerade to set port
Signed-off-by: HSXX <31765320+HSXX@users.noreply.github.com>
---
 root/usr/share/firewall4/templates/redirect.uc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/root/usr/share/firewall4/templates/redirect.uc b/root/usr/share/firewall4/templates/redirect.uc
index f24872c..7ed9ebb 100644
--- a/root/usr/share/firewall4/templates/redirect.uc
+++ b/root/usr/share/firewall4/templates/redirect.uc
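Review bot: The relaxed `else if` in fw4.uc lets `snat_port` through for `masquerade`, but nothing visible in this hunk ties that to a port-carrying protocol. nft accepts a port after `masquerade to` only when the rule already matches a transport protocol such as tcp or udp, so a section that sets `snat_port` with `proto` unset or set to icmp would presumably render a rule that nft refuses, and the ruleset load would fail. The enclosing function starts and ends outside the hunk; if it does not already reject ports without a TCP/UDP protocol for this target, that check belongs next to this branch. The new message is also hard to parse; `"must not use 'snat_port' for targets other than snat or masquerade, ignoring section"` says the same thing plainly.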
@@ -74,8 +74,10 @@ log prefix {{ fw4.quote(redirect.log, true) }} {%+ endif -%}
 {% if (redirect.target == "redirect"): -%}
 redirect{% if (redirect.rport): %} to {{ fw4.port(redirect.rport) }}{% endif %}
-{%- elif (redirect.target == "accept" || redirect.target == "masquerade"): -%}
+{%- elif (redirect.target == "accept"): -%}
 {{ redirect.target }}
+{%- elif (redirect.target == "masquerade"): -%}
+ {{ redirect.target }}{% if (redirect.rport): %} to :{{ fw4.port(redirect.rport) }}{% endif %}
 {%- else -%}
 {{ redirect.target }} {{ redirect.raddr ? fw4.host(redirect.raddr, redirect.rport != null) : '' }}
 {%- if (redirect.rport): %}:{{ fw4.port(redirect.rport) }}{% endif %}
From e5215bb5430d1ec3a91a5d0d5dba1e95b0c3c6ff Mon Sep 17 00:00:00 2001
From: HSXX <31765320+HSXX@users.noreply.github.com>
Date: Tue, 21 Oct 2025 19:01:13 +0800
Subject: [PATCH 3/6] Update 07_redirect
Signed-off-by: HSXX <31765320+HSXX@users.noreply.github.com>
---
 tests/03_rules/07_redirect | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/tests/03_rules/07_redirect b/tests/03_rules/07_redirect
index 80e24bb..7cd8daa 100644
--- a/tests/03_rules/07_redirect
+++ b/tests/03_rules/07_redirect
@@ -119,6 +119,15 @@ Test various address selection rules in redirect rules.
 "src_dport": "27",
 "dest_port": "27",
 "target": "dnat"
+ },
+ {
+ ".description": "Ensure that masq to specific port or port range rules work properly",
+ "name": "Redirect test #9",
+ "family": "ipv4",
+ "src": "wan",
+ "proto": 'tcp' 'udp',
+ "snat_port": "61000-62900",
+ "target": "MASQUERADE"
 }
 ]
 }
From 9a929bb30c0c7273648f7ad3b16728b6c02fcd20 Mon Sep 17 00:00:00 2001
From: HSXX <31765320+HSXX@users.noreply.github.com>
Date: Tue, 21 Oct 2025 19:03:26 +0800
Subject: [PATCH 4/6] Update 07_redirect
Signed-off-by: HSXX <31765320+HSXX@users.noreply.github.com>
---
 tests/03_rules/07_redirect | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
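Review bot: The new `masquerade` branch in redirect.uc emits `to :{{ fw4.port(redirect.rport) }}` without any note for operators on what the option costs. Pinning masquerade to a single port or a narrow range shrinks the pool of translated source ports, which lowers source-port unpredictability for outbound flows (DNS queries, for example) and limits how many concurrent connections to one destination can be translated. I would document that next to the `snat_port` option and add a short template comment such as `{# masquerade to :PORT restricts translated source ports to this range; keep the range wide #}`, placed where it cannot change the rendered whitespace. The template's if/elif chain opens and closes outside the hunk.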
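Review bot: As committed in PATCH 3/6, the section added to tests/03_rules/07_redirect is not valid JSON (`"proto": 'tcp' 'udp',`) and is appended to the list that holds the preceding `"target": "dnat"` entry, although it uses `snat_port` with a `MASQUERADE` target; it also comes without any expected output. Patches 4/6 to 6/6 repair these one step at a time, so the test file is broken at every intermediate commit. Squashing 3/6 to 6/6 into one commit with a descriptive subject would keep the history bisectable.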
diff --git a/tests/03_rules/07_redirect b/tests/03_rules/07_redirect
index 7cd8daa..ee4101b 100644
--- a/tests/03_rules/07_redirect
+++ b/tests/03_rules/07_redirect
@@ -125,7 +125,7 @@ Test various address selection rules in redirect rules.
 "name": "Redirect test #9",
 "family": "ipv4",
 "src": "wan",
- "proto": 'tcp' 'udp',
+ "proto": "tcp udp",
 "snat_port": "61000-62900",
 "target": "MASQUERADE"
 }
From deb464757bc13d549ce682f0bda3d586b324d817 Mon Sep 17 00:00:00 2001
From: HSXX <31765320+HSXX@users.noreply.github.com>
Date: Tue, 21 Oct 2025 19:06:33 +0800
Subject: [PATCH 5/6] Update 07_redirect
Signed-off-by: HSXX <31765320+HSXX@users.noreply.github.com>
---
 tests/03_rules/07_redirect | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tests/03_rules/07_redirect b/tests/03_rules/07_redirect
index ee4101b..dd4db74 100644
--- a/tests/03_rules/07_redirect
+++ b/tests/03_rules/07_redirect
@@ -119,7 +119,9 @@ Test various address selection rules in redirect rules.
 "src_dport": "27",
 "dest_port": "27",
 "target": "dnat"
- },
+ }
+ ],
+ "nat": [
 {
 ".description": "Ensure that masq to specific port or port range rules work properly",
 "name": "Redirect test #9",
From 5598b5e9e3c92bc2fee18fc47e33a0c6dd56ec9e Mon Sep 17 00:00:00 2001
From: HSXX <31765320+HSXX@users.noreply.github.com>
Date: Tue, 21 Oct 2025 19:10:55 +0800
Subject: [PATCH 6/6] Update 07_redirect
Signed-off-by: HSXX <31765320+HSXX@users.noreply.github.com>
---
 tests/03_rules/07_redirect | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tests/03_rules/07_redirect b/tests/03_rules/07_redirect
index dd4db74..bcf1a5b 100644
--- a/tests/03_rules/07_redirect
+++ b/tests/03_rules/07_redirect
@@ -124,7 +124,7 @@ Test various address selection rules in redirect rules.
 "nat": [
 {
 ".description": "Ensure that masq to specific port or port range rules work properly",
- "name": "Redirect test #9",
+ "name": "masq snat test #1",
 "family": "ipv4",
 "src": "wan",
 "proto": "tcp udp",
@@ -309,6 +309,8 @@ table inet fw4 {
 }
 chain srcnat_wan {
+ meta nfproto ipv4 meta l4proto tcp counter masquerade to :61000-62900 comment "!fw4: masq snat test #1"
+ meta nfproto ipv4 meta l4proto udp counter masquerade to :61000-62900 comment "!fw4: masq snat test #1"
 meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
 meta nfproto ipv6 masquerade comment "!fw4: Masquerade IPv6 wan traffic"
 }
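Review bot: The expected `srcnat_wan` output added here covers only the accepted case, a port range with `tcp udp`. The path that protects the ruleset is the rejection path, so I would add a nat section that sets `snat_port` with a target other than snat or masquerade and assert the `ignoring section` warning, and one masquerade section that sets `snat_port` without a TCP/UDP protocol, asserting that no `masquerade to` rule is emitted for it. A single-port case (`"snat_port": "61000"`, a constructed example) would also pin the `to :PORT` rendering. Only the `srcnat_wan` chain is visible; the rest of the expected ruleset lies outside the hunk.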