[server] local NAT should not be enabled by default

server/fw_util_firewalld.c

@@ -872,8 +872,6 @@ set_fw_chain_conf(const int type, const char * const conf_str)
 int
 fw_config_init(fko_srv_options_t * const opts)
 {
-    int         enabled_local_nat = 0;
-
     memset(&fwc, 0x0, sizeof(struct fw_config));
 
     /* Set our firewall exe command path (firewall-cmd or iptables in most cases).
@@ -904,22 +902,15 @@ fw_config_init(fko_srv_options_t * const opts)
         if(set_fw_chain_conf(FIREWD_OUTPUT_ACCESS, opts->config[CONF_FIREWD_OUTPUT_ACCESS]) != 1)
             return 0;
 
-    if(strncasecmp(opts->config[CONF_ENABLE_FIREWD_LOCAL_NAT], "Y", 1)==0)
+    /* The remaining access chains require ENABLE_FIREWD_FORWARDING
-    {
+     * or ENABLE_FIREWD_LOCAL_NAT
-        if(set_fw_chain_conf(FIREWD_DNAT_ACCESS, opts->config[CONF_FIREWD_DNAT_ACCESS]))
-            enabled_local_nat = 1;
-        else
-            return 0;
-    }
-
-    /* The remaining access chains require ENABLE_FIREWD_FORWARDING = Y
     */
-    if(strncasecmp(opts->config[CONF_ENABLE_FIREWD_FORWARDING], "Y", 1)==0)
+    if(strncasecmp(opts->config[CONF_ENABLE_FIREWD_FORWARDING], "Y", 1)==0
+            || strncasecmp(opts->config[CONF_ENABLE_FIREWD_LOCAL_NAT], "Y", 1)==0)
     {
         if(set_fw_chain_conf(FIREWD_FORWARD_ACCESS, opts->config[CONF_FIREWD_FORWARD_ACCESS]) != 1)
             return 0;
 
-        if (! enabled_local_nat)
         if(set_fw_chain_conf(FIREWD_DNAT_ACCESS, opts->config[CONF_FIREWD_DNAT_ACCESS]) != 1)
             return 0;
 

server/fw_util_iptables.c

@@ -864,8 +864,6 @@ set_fw_chain_conf(const int type, const char * const conf_str)
 int
 fw_config_init(fko_srv_options_t * const opts)
 {
-    int         enabled_local_nat = 0;
-
     memset(&fwc, 0x0, sizeof(struct fw_config));
 
     /* Set our firewall exe command path (iptables in most cases).
@@ -889,22 +887,15 @@ fw_config_init(fko_srv_options_t * const opts)
         if(set_fw_chain_conf(IPT_OUTPUT_ACCESS, opts->config[CONF_IPT_OUTPUT_ACCESS]) != 1)
             return 0;
 
-    if(strncasecmp(opts->config[CONF_ENABLE_IPT_LOCAL_NAT], "Y", 1)==0)
-    {
-        if(set_fw_chain_conf(IPT_DNAT_ACCESS, opts->config[CONF_IPT_DNAT_ACCESS]))
-            enabled_local_nat = 1;
-        else
-            return 0;
-    }
-
     /* The remaining access chains require ENABLE_IPT_FORWARDING = Y
     */
-    if(strncasecmp(opts->config[CONF_ENABLE_IPT_FORWARDING], "Y", 1)==0)
+    if(strncasecmp(opts->config[CONF_ENABLE_IPT_FORWARDING], "Y", 1)==0
+            || strncasecmp(opts->config[CONF_ENABLE_IPT_LOCAL_NAT], "Y", 1)==0)
+
     {
         if(set_fw_chain_conf(IPT_FORWARD_ACCESS, opts->config[CONF_IPT_FORWARD_ACCESS]) != 1)
             return 0;
 
-        if(! enabled_local_nat)
         if(set_fw_chain_conf(IPT_DNAT_ACCESS, opts->config[CONF_IPT_DNAT_ACCESS]) != 1)
             return 0;
 

server/fwknopd_common.h

@@ -142,7 +142,7 @@
   #define DEF_FLUSH_FIREWD_AT_INIT         "Y"
   #define DEF_FLUSH_FIREWD_AT_EXIT         "Y"
   #define DEF_ENABLE_FIREWD_FORWARDING     "N"
-  #define DEF_ENABLE_FIREWD_LOCAL_NAT      "Y"
+  #define DEF_ENABLE_FIREWD_LOCAL_NAT      "N"
   #define DEF_ENABLE_FIREWD_SNAT           "N"
   #define DEF_ENABLE_FIREWD_OUTPUT         "N"
   #define DEF_ENABLE_FIREWD_COMMENT_CHECK  "Y"
@@ -162,7 +162,7 @@
   #define DEF_FLUSH_IPT_AT_INIT         "Y"
   #define DEF_FLUSH_IPT_AT_EXIT         "Y"
   #define DEF_ENABLE_IPT_FORWARDING     "N"
-  #define DEF_ENABLE_IPT_LOCAL_NAT      "Y"
+  #define DEF_ENABLE_IPT_LOCAL_NAT      "N"
   #define DEF_ENABLE_IPT_SNAT           "N"
   #define DEF_ENABLE_IPT_OUTPUT         "N"
   #define DEF_ENABLE_IPT_COMMENT_CHECK  "Y"