Improve kernel NAT support in rc.firewall

- Allow IP in firewall_nat_interface, just like natd_interface
- Allow additional configuration parameters passed to ipfw via
  firewall_nat_flags
- Document firewall_nat_* in defaults/rc.conf

Tested by:	Albert B. Wang <abwang at gmail.com>
MFC after:	1 month

2 files changed, 10 insertions, 1 deletions

diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index 356cec2..78f0659 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -119,6 +119,9 @@ firewall_logdeny="NO"		# Set to YES to log default denied incoming
 firewall_nologports="135-139,445 1026,1027 1433,1434" # List of TCP/UDP ports
 				#  for which denied incoming packets are not
 				#  logged.
+firewall_nat_enable="NO"	# Enable kernel NAT (if firewall_enable == YES)
+firewall_nat_interface=""	# Public interface or IPaddress to use
+firewall_nat_flags=""		# Additional configuration parameters
 ip_portrange_first="NO"		# Set first dynamically allocated port
 ip_portrange_last="NO"		# Set last dynamically allocated port
 ike_enable="NO"			# Enable IKE daemon (usually racoon or isakmpd)
diff --git a/etc/rc.firewall b/etc/rc.firewall
index fa2558d..c3d11ab 100644
--- a/etc/rc.firewall
+++ b/etc/rc.firewall
@@ -131,7 +131,13 @@ case ${firewall_type} in
 	case ${firewall_nat_enable} in
 	[Yy][Ee][Ss])
 		if [ -n "${firewall_nat_interface}" ]; then
-			${fwcmd} nat 123 config if ${firewall_nat_interface} log
+			if echo "${firewall_nat_interface}" | \
+				grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
+				firewall_nat_flags="ip ${firewall_nat_interface} ${firewall_nat_flags}"
+			else
+				firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}"
+			fi
+			${fwcmd} nat 123 config log ${firewall_nat_flags}
 			${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}
 		fi
 		;;