From d8bb9fb89911cef8f0a15107df81739b0063c063 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Tue, 17 Jun 2025 11:47:23 +0200 Subject: [PATCH 01/13] update dependencies --- Cargo.lock | 161 ++++++++++++++++++++++++++--------------------------- flake.lock | 12 ++-- 2 files changed, 85 insertions(+), 88 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index f26d83ea..1b3beb22 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -13,9 +13,9 @@ dependencies = [ [[package]] name = "adler2" -version = "2.0.0" +version = "2.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "512761e0bb2578dd7380c6baaa0f4ce03e84f95e960231d1dec8bf4d7d6e2627" +checksum = "320119579fcad9c21884f5c4861d16174d0e06250625266f50fe6898340abefa" [[package]] name = "aho-corasick" @@ -28,9 +28,9 @@ dependencies = [ [[package]] name = "anstream" -version = "0.6.18" +version = "0.6.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8acc5369981196006228e28809f761875c0327210a891e941f4c683b3a99529b" +checksum = "301af1932e46185686725e0fad2f8f2aa7da69dd70bf6ecc44d6b703844a3933" dependencies = [ "anstyle", "anstyle-parse", 
@@ -43,33 +43,33 @@ dependencies = [ [[package]] name = "anstyle" -version = "1.0.10" +version = "1.0.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "55cc3b69f167a1ef2e161439aa98aed94e6028e5f9a59be9a6ffb47aef1651f9" +checksum = "862ed96ca487e809f1c8e5a8447f6ee2cf102f846893800b20cebdf541fc6bbd" [[package]] name = "anstyle-parse" -version = "0.2.6" +version = "0.2.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3b2d16507662817a6a20a9ea92df6652ee4f94f914589377d69f3b21bc5798a9" +checksum = "4e7644824f0aa2c7b9384579234ef10eb7efb6a0deb83f9630a49594dd9c15c2" dependencies = [ "utf8parse", ] [[package]] name = "anstyle-query" -version = "1.1.2" +version = "1.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "79947af37f4177cfead1110013d678905c37501914fba0efea834c3fe9a8d60c" +checksum = "6c8bdeb6047d8983be085bab0ba1472e6dc604e7041dbf6fcd5e71523014fae9" dependencies = [ "windows-sys 0.59.0", ] [[package]] name = "anstyle-wincon" -version = "3.0.8" +version = "3.0.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6680de5231bd6ee4c6191b8a1325daa282b415391ec9d3a37bd34f2060dc73fa" +checksum = "403f75924867bb1033c59fbf0797484329750cfbe3c4325cd33127941fabc882" dependencies = [ "anstyle", "once_cell_polyfill", @@ -281,9 +281,9 @@ checksum = "d71b6127be86fdcfddb610f7182ac57211d4b18a3e9c82eb2d17662f2227ad6a" [[package]] name = "cc" -version = "1.2.25" +version = "1.2.27" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d0fc897dc1e865cc67c0e05a836d9d3f1df3cbe442aa4a9473b18e12624a4951" +checksum = "d487aa071b5f64da6f19a3e848e3578944b726ee5a4854b82172f02aa876bfdc" dependencies = [ "jobserver", "libc", 
@@ -292,9 +292,9 @@ dependencies = [ [[package]] name = "cfg-if" -version = "1.0.0" +version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" +checksum = "9555578bc9e57714c812a1f84e4fc5b4d21fcb063490c624de019f7464c91268" [[package]] name = "cfg_aliases" @@ -304,9 +304,9 @@ checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724" [[package]] name = "clap" -version = "4.5.39" +version = "4.5.40" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fd60e63e9be68e5fb56422e397cf9baddded06dae1d2e523401542383bc72a9f" +checksum = "40b6887a1d8685cebccf115538db5c0efe625ccac9696ad45c409d96566e910f" dependencies = [ "clap_builder", "clap_derive", @@ -314,9 +314,9 @@ dependencies = [ [[package]] name = "clap_builder" -version = "4.5.39" +version = "4.5.40" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "89cc6392a1f72bbeb820d71f32108f61fdaf18bc526e1d23954168a67759ef51" +checksum = "e0c66c08ce9f0c698cbce5c0279d0bb6ac936d8674174fe48f736533b964f59e" dependencies = [ "anstream", "anstyle", @@ -326,9 +326,9 @@ dependencies = [ [[package]] name = "clap_derive" -version = "4.5.32" +version = "4.5.40" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "09176aae279615badda0765c0c0b3f6ed53f4709118af73cf4655d85d1530cd7" +checksum = "d2c7947ae4cc3d851207c1adb5b5e260ff0cca11446b1d6d1423788e442257ce" dependencies = [ "heck", "proc-macro2", 
@@ -338,15 +338,15 @@ dependencies = [ [[package]] name = "clap_lex" -version = "0.7.4" +version = "0.7.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f46ad14479a25103f283c0f10005961cf086d8dc42205bb44c46ac563475dca6" +checksum = "b94f61472cee1439c0b966b47e3aca9ae07e45d070759512cd390ea2bebc6675" [[package]] name = "colorchoice" -version = "1.0.3" +version = "1.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5b63caa9aa9397e2d9480a9b13673856c78d8ac123288526c37d7839f2a86990" +checksum = "b05b61dc5112cbb17e4b6cd61790d9845d13888356391624cbe7e41efeac1e75" [[package]] name = "core-foundation" @@ -608,9 +608,9 @@ checksum = "1d674e81391d1e1ab681a28d99df07927c6d4aa5b027d7da16ba32d1d21ecd99" [[package]] name = "flate2" -version = "1.1.1" +version = "1.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7ced92e76e966ca2fd84c8f7aa01a4aea65b0eb6648d72f7c8f3e2764a67fece" +checksum = "4a3d7db9596fecd151c5f638c0ee5d5bd487b6e0ea232e5dc96d5250f6f94b1d" dependencies = [ "crc32fast", "miniz_oxide", @@ -688,7 +688,7 @@ checksum = "335ff9f135e4384c8150d6f27c6daed433577f86b4750418338c01a1a2528592" dependencies = [ "cfg-if", "libc", - "wasi 0.11.0+wasi-snapshot-preview1", + "wasi 0.11.1+wasi-snapshot-preview1", ] [[package]] @@ -749,9 +749,9 @@ checksum = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888" [[package]] name = "hashbrown" -version = "0.15.3" +version = "0.15.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "84b26c544d002229e640969970a2e74021aadf6e2f96372b9c58eff97de08eb3" +checksum = "5971ac85611da7067dbfcabef3c70ebb5606018acd9e2a3903a0da507521e0d5" [[package]] name = "heck" 
@@ -852,9 +852,9 @@ dependencies = [ [[package]] name = "hyper-util" -version = "0.1.13" +version = "0.1.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b1c293b6b3d21eca78250dc7dbebd6b9210ec5530e038cbfe0661b5c47ab06e8" +checksum = "dc2fdfdbff08affe55bb779f33b053aa1fe5dd5b54c257343c17edfa55711bdb" dependencies = [ "bytes", "futures-channel", @@ -1001,7 +1001,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cea70ddb795996207ad57735b50c5982d8844f38ba9ee5f1aedcfb708a2aa11e" dependencies = [ "equivalent", - "hashbrown 0.15.3", + "hashbrown 0.15.4", ] [[package]] @@ -1033,9 +1033,9 @@ checksum = "4a5f13b858c8d314ee3e8f639011f7ccefe71f97f96e50151fb991f267928e2c" [[package]] name = "jiff" -version = "0.2.14" +version = "0.2.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a194df1107f33c79f4f93d02c80798520551949d59dfad22b6157048a88cca93" +checksum = "be1f93b8b1eb69c77f24bbb0afdf66f54b632ee39af40ca21c4365a1d7347e49" dependencies = [ "jiff-static", "log", @@ -1046,9 +1046,9 @@ dependencies = [ [[package]] name = "jiff-static" -version = "0.2.14" +version = "0.2.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6c6e1db7ed32c6c71b759497fae34bf7933636f75a251b9e736555da426f6442" +checksum = "03343451ff899767262ec32146f6d559dd759fdadf42ff0e227c7c48f72594b4" dependencies = [ "proc-macro2", "quote", @@ -1067,9 +1067,9 @@ dependencies = [ [[package]] name = "libc" -version = "0.2.172" +version = "0.2.173" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d750af042f7ef4f724306de029d18836c26c1765a54a6a3f094cbd23a7267ffa" +checksum = "d8cfeafaffdbc32176b64fb251369d52ea9f0a8fbc6f8759edffef7b525d64bb" [[package]] name = "libgit2-sys" 
@@ -1127,9 +1127,9 @@ checksum = "47e1ffaa40ddd1f3ed91f717a33c8c0ee23fff369e3aa8772b9605cc1d22f4c3" [[package]] name = "memchr" -version = "2.7.4" +version = "2.7.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3" +checksum = "32a282da65faaf38286cf3be983213fcf1d2e2a58700e808f83f4ea9a4804bc0" [[package]] name = "memoffset" @@ -1148,9 +1148,9 @@ checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a" [[package]] name = "miniz_oxide" -version = "0.8.8" +version = "0.8.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3be647b768db090acb35d5ec5db2b0e1f1de11133ca123b9eacf5137868f892a" +checksum = "1fa76a2c86f704bdb222d66965fb3d63269ce38518b83cb0575fca855ebb6316" dependencies = [ "adler2", ] @@ -1162,7 +1162,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "78bed444cc8a2160f01cbcf811ef18cac863ad68ae8ca62092e8db51d51c761c" dependencies = [ "libc", - "wasi 0.11.0+wasi-snapshot-preview1", + "wasi 0.11.1+wasi-snapshot-preview1", "windows-sys 0.59.0", ] @@ -1405,9 +1405,9 @@ checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c" [[package]] name = "portable-atomic" -version = "1.11.0" +version = "1.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "350e9b48cbc6b0e028b0473b114454c6316e57336ee184ceab6e53f72c178b3e" +checksum = "f84267b20a16ea918e43c6a88433c2d54fa145c92a811b5b047ccbe153674483" [[package]] name = "portable-atomic-util" @@ -1444,9 +1444,9 @@ dependencies = [ [[package]] name = "prettyplease" -version = "0.2.33" +version = "0.2.34" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9dee91521343f4c5c6a63edd65e54f31f5c92fe8978c40a4282f8372194c6a7d" +checksum = "6837b9e10d61f45f987d50808f83d1ee3d206c66acf650c3e4ae2e1f6ddedf55" dependencies = [ "proc-macro2", "syn", 
@@ -1524,9 +1524,9 @@ dependencies = [ [[package]] name = "r-efi" -version = "5.2.0" +version = "5.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "74765f6d916ee2faa39bc8e68e4f3ed8949b48cccdac59983d287a7cb71ce9c5" +checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f" [[package]] name = "rand" @@ -1603,9 +1603,9 @@ dependencies = [ [[package]] name = "rustc-demangle" -version = "0.1.24" +version = "0.1.25" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "719b953e2095829ee67db738b3bfa9fa368c94900df327b3f07fe6e794d2fe1f" +checksum = "989e6739f80c4ad5b13e0fd7fe89531180375b18520cc8c82080e4dc4035b84f" [[package]] name = "rustc_version" @@ -1631,9 +1631,9 @@ dependencies = [ [[package]] name = "rustls" -version = "0.23.27" +version = "0.23.28" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "730944ca083c1c233a75c09f199e973ca499344a2b7ba9e755c457e86fb4a321" +checksum = "7160e3e10bf4535308537f3c4e1641468cd0e485175d6163087c0393c7d46643" dependencies = [ "log", "once_cell", @@ -1779,9 +1779,9 @@ dependencies = [ [[package]] name = "serde_spanned" -version = "0.6.8" +version = "0.6.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "87607cb1398ed59d48732e575a4c28a7a8ebf2454b964fe3f224f2afc07909e1" +checksum = "bf41e0cfaf7226dca15e8197172c295a782857fcb97fad1808a166870dee75a3" dependencies = [ "serde", ] 
@@ -1815,18 +1815,15 @@ dependencies = [ [[package]] name = "slab" -version = "0.4.9" +version = "0.4.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8f92a496fb766b417c996b9c5e57daf2f7ad3b0bebe1ccfca4856390e3d3bb67" -dependencies = [ - "autocfg", -] +checksum = "04dc19736151f35336d325007ac991178d504a119863a2fcb3758cdb5e52c50d" [[package]] name = "smallvec" -version = "1.15.0" +version = "1.15.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8917285742e9f3e1683f0a9c4e6b57960b7314d0b08d30d1ecd426713ee2eee9" +checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03" [[package]] name = "socket2" @@ -1858,9 +1855,9 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" [[package]] name = "syn" -version = "2.0.101" +version = "2.0.103" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8ce2b7fc941b3a24138a0a7cf8e858bfc6a992e7978a068a5c760deb0ed43caf" +checksum = "e4307e30089d6fd6aff212f2da3a1f9e32f3223b1f010fb09b7c95f90f3ca1e8" dependencies = [ "proc-macro2", "quote", @@ -2056,9 +2053,9 @@ dependencies = [ [[package]] name = "toml" -version = "0.8.22" +version = "0.8.23" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "05ae329d1f08c4d17a59bed7ff5b5a769d062e64a62d34a3261b219e62cd5aae" +checksum = "dc1beb996b9d83529a9e75c17a1686767d148d70663143c7854d8b4a09ced362" dependencies = [ "serde", "serde_spanned", 
@@ -2068,18 +2065,18 @@ dependencies = [ [[package]] name = "toml_datetime" -version = "0.6.9" +version = "0.6.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3da5db5a963e24bc68be8b17b6fa82814bb22ee8660f192bb182771d498f09a3" +checksum = "22cddaf88f4fbc13c51aebbf5f8eceb5c7c5a9da2ac40a13519eb5b0a0e8f11c" dependencies = [ "serde", ] [[package]] name = "toml_edit" -version = "0.22.26" +version = "0.22.27" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "310068873db2c5b3e7659d2cc35d21855dbafa50d1ce336397c666e3cb08137e" +checksum = "41fe8c660ae4257887cf66394862d21dbca4a6ddd26f04a3560410406a2f819a" dependencies = [ "indexmap 2.9.0", "serde", @@ -2198,9 +2195,9 @@ dependencies = [ [[package]] name = "tracing-attributes" -version = "0.1.28" +version = "0.1.29" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "395ae124c09f9e6918a2310af6038fba074bcf474ac352496d5910dd59a2226d" +checksum = "1b1ffbcf9c6f6b99d386e7444eb608ba646ae452a36b39737deb9663b610f662" dependencies = [ "proc-macro2", "quote", @@ -2209,9 +2206,9 @@ dependencies = [ [[package]] name = "tracing-core" -version = "0.1.33" +version = "0.1.34" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e672c95779cf947c5311f83787af4fa8fffd12fb27e4993211a84bdfd9610f9c" +checksum = "b9d12581f227e93f094d3af2ae690a574abb8a2b9b7a96e7cfe9647b2b617678" dependencies = [ "once_cell", ] @@ -2313,9 +2310,9 @@ dependencies = [ [[package]] name = "wasi" -version = "0.11.0+wasi-snapshot-preview1" +version = "0.11.1+wasi-snapshot-preview1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" +checksum = "ccf3ec651a847eb01de73ccad15eb7d99f80485de043efb2f370cd654f4ea44b" [[package]] name = "wasi" 
@@ -2328,9 +2325,9 @@ dependencies = [ [[package]] name = "windows-link" -version = "0.1.1" +version = "0.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "76840935b766e1b0a05c0066835fb9ec80071d4c09a16f6bd5f7e655e3c14c38" +checksum = "5e6ad25900d524eaabdbbb96d20b4311e1e7ae1699af4fb28c17ae66c80d798a" [[package]] name = "windows-sys" @@ -2416,9 +2413,9 @@ checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec" [[package]] name = "winnow" -version = "0.7.10" +version = "0.7.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c06928c8748d81b05c9be96aad92e1b6ff01833332f281e8cfca3be4b35fc9ec" +checksum = "74c7b26e3480b707944fc872477815d29a8e429d2f93a1ce000f5fa84a15cbcd" dependencies = [ "memchr", ] diff --git a/flake.lock b/flake.lock index 19484013..41d4dcde 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1746904237, - "narHash": "sha256-3e+AVBczosP5dCLQmMoMEogM57gmZ2qrVSrmq9aResQ=", + "lastModified": 1749794982, + "narHash": "sha256-Kh9K4taXbVuaLC0IL+9HcfvxsSUx8dPB5s5weJcc9pc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d89fc19e405cb2d55ce7cc114356846a0ee5e956", + "rev": "ee930f9755f58096ac6e8ca94a1887e0534e2d81", "type": "github" }, "original": { @@ -48,11 +48,11 @@ ] }, "locked": { - "lastModified": 1747190175, - "narHash": "sha256-s33mQ2s5L/2nyllhRTywgECNZyCqyF4MJeM3vG/GaRo=", + "lastModified": 1750127910, + "narHash": "sha256-FIgEIS0RAlOyXGqoj/OufTfcKItYq668yPYL4SXdU0M=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "58160be7abad81f6f8cb53120d5b88c16e01c06d", + "rev": "45418795a73b77b7726c62ce265d68cf541ffb49", "type": "github" }, "original": { From 5e532b99b3a198254a3416c0ec2e884b937b8a80 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Tue, 17 Jun 2025 11:48:01 +0200 Subject: [PATCH 02/13] update protos --- proto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/proto b/proto index d72ced89..f0c030a9 160000 --- a/proto +++ b/proto @@ -1 +1 @@ -Subproject commit d72ced898411c4b8144bb13a9ad48f65e2f6a1ec +Subproject commit f0c030a9725a0fd055efa69b58e0d7ee42654583 From cecc6a13e12d005c58a009e81d5c622ef2e86019 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Tue, 17 Jun 2025 12:43:52 +0200 Subject: [PATCH 03/13] parse received SNAT bindings --- src/enterprise/firewall/api.rs | 5 +++- src/enterprise/firewall/mod.rs | 39 +++++++++++++++++++++++++ src/enterprise/firewall/nftables/mod.rs | 6 +++- 3 files changed, 48 insertions(+), 2 deletions(-) diff --git a/src/enterprise/firewall/api.rs b/src/enterprise/firewall/api.rs index 67960927..2d8fce12 100644 --- a/src/enterprise/firewall/api.rs +++ b/src/enterprise/firewall/api.rs @@ -4,7 +4,7 @@ use std::fs::{File, OpenOptions}; #[cfg(target_os = "linux")] use nftnl::Batch; -use super::{FirewallError, FirewallRule, Policy}; +use super::{FirewallError, FirewallRule, Policy, SnatBinding}; #[cfg(any(target_os = "freebsd", target_os = "macos", target_os = "netbsd"))] const DEV_PF: &str = "/dev/pf"; @@ -45,6 +45,9 @@ pub(crate) trait FirewallManagementApi { /// Add fireall `rules`. fn add_rules(&mut self, rules: Vec) -> Result<(), FirewallError>; + /// Add SNAT firewall rules + fn add_snat_bindings(&mut self, snat_bindings: Vec) -> Result<(), FirewallError>; + /// Set masquerade status. fn set_masquerade_status(&mut self, enabled: bool) -> Result<(), FirewallError>; diff --git a/src/enterprise/firewall/mod.rs b/src/enterprise/firewall/mod.rs index 49174ec7..964e452a 100644 --- a/src/enterprise/firewall/mod.rs +++ b/src/enterprise/firewall/mod.rs @@ -200,10 +200,19 @@ pub(crate) struct FirewallRule { pub ipv4: bool, // FIXME: is that really needed? } +#[derive(Debug, Clone, PartialEq)] +pub(crate) struct SnatBinding { + pub id: i64, + pub source_addrs: Vec
, + pub public_ip: IpAddr, + pub comment: Option, +} + #[derive(Debug, Clone, PartialEq)] pub(crate) struct FirewallConfig { pub rules: Vec, pub default_policy: Policy, + pub snat_bindings: Vec, } impl FirewallConfig { @@ -212,6 +221,7 @@ impl FirewallConfig { ) -> Result { debug!("Parsing following received firewall proto configuration: {config:?}"); let mut rules = Vec::new(); + let mut snat_bindings = Vec::new(); let default_policy = Policy::from_proto(config.default_policy.try_into().map_err(|err| { FirewallError::TypeConversionError(format!("Invalid default policy: {err:?}")) @@ -220,6 +230,7 @@ impl FirewallConfig { "Default firewall policy defined: {default_policy:?}. Proceeding to parsing rules..." ); + // parse received firewall rules for rule in config.rules { debug!("Parsing the following received Defguard ACL proto rule: {rule:?}"); let mut source_addrs = Vec::new(); @@ -271,9 +282,37 @@ impl FirewallConfig { rules.push(firewall_rule); } + // parse received SNAT bindings + for binding in config.snat_bindings { + debug!("Parsing the following received SNAT binding proto: {binding:?}"); + + let mut source_addrs = Vec::new(); + for addr in binding.source_addrs { + source_addrs.push(Address::from_proto(&addr)?); + } + + let public_ip = binding.public_ip.parse().map_err(|err| { + FirewallError::TypeConversionError(format!( + "Invalid public IP address format: {err}" + )) + })?; + + let snat_binding = SnatBinding { + id: binding.id, + source_addrs, + public_ip, + comment: binding.comment, + }; + + debug!("Parsed received proto SNAT binding as: {snat_binding:?}"); + + snat_bindings.push(snat_binding); + } + Ok(Self { rules, default_policy, + snat_bindings, }) } } diff --git a/src/enterprise/firewall/nftables/mod.rs b/src/enterprise/firewall/nftables/mod.rs index d5e5574b..3fbd622f 100644 --- a/src/enterprise/firewall/nftables/mod.rs +++ b/src/enterprise/firewall/nftables/mod.rs 
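Review bot: The `for binding in config.snat_bindings` loop accepts a binding whose `source_addrs` ends up empty and never checks that the parsed `public_ip` shares an address family with the parsed source addresses, so a criteria-less or IPv4/IPv6-mismatched binding only surfaces later when the nftables rule is built. This loop is the trust boundary for the received proto, so rejecting both cases here with the same `FirewallError::TypeConversionError` style as the `public_ip` parse keeps validation in one place, e.g. `if source_addrs.is_empty() { return Err(FirewallError::TypeConversionError(format!("SNAT binding {} has no source addresses", binding.id))); }`. The family check depends on what `Address` exposes, which is not visible in this hunk. The enclosing function starts outside the hunk.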
@@ -10,7 +10,7 @@ use nftnl::Batch; use super::{ api::{FirewallApi, FirewallManagementApi}, - Address, FirewallError, FirewallRule, Policy, Port, Protocol, + Address, FirewallError, FirewallRule, Policy, Port, Protocol, SnatBinding, }; static SET_ID_COUNTER: AtomicU32 = AtomicU32::new(0); @@ -227,6 +227,10 @@ impl FirewallManagementApi for FirewallApi { Ok(()) } + fn add_snat_bindings(&mut self, snat_bindings: Vec) -> Result<(), FirewallError> { + unimplemented!() + } + fn begin(&mut self) -> Result<(), FirewallError> { if self.batch.is_none() { debug!("Starting new firewall transaction"); From f62b011d99ca12609a1d981a3fecfca753c8b8b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Wed, 18 Jun 2025 08:22:39 +0200 Subject: [PATCH 04/13] fix warning --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 16ba3ccb..d27a3ccb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM rust:1-slim as builder +FROM rust:1-slim AS builder RUN apt-get update && apt-get -y install protobuf-compiler libnftnl-dev libmnl-dev WORKDIR /app From bcc07de0e005f86ca378c91817e2477e83255c9d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Wed, 25 Jun 2025 12:54:30 +0200 Subject: [PATCH 05/13] sketch out process for setting up NAT --- src/enterprise/firewall/api.rs | 13 ++++---- src/enterprise/firewall/nftables/mod.rs | 31 ++++++------------- src/enterprise/firewall/nftables/netfilter.rs | 29 +++++++++++------ src/enterprise/firewall/packetfilter/api.rs | 8 +++-- src/gateway.rs | 12 +++---- 5 files changed, 48 insertions(+), 45 deletions(-) diff --git a/src/enterprise/firewall/api.rs b/src/enterprise/firewall/api.rs index 2d8fce12..9fb4c4af 100644 --- a/src/enterprise/firewall/api.rs +++ b/src/enterprise/firewall/api.rs 
@@ -42,14 +42,15 @@ pub(crate) trait FirewallManagementApi { /// Clean up the firewall rules. fn cleanup(&mut self) -> Result<(), FirewallError>; - /// Add fireall `rules`. + /// Add firewall rules. fn add_rules(&mut self, rules: Vec) -> Result<(), FirewallError>; - /// Add SNAT firewall rules - fn add_snat_bindings(&mut self, snat_bindings: Vec) -> Result<(), FirewallError>; - - /// Set masquerade status. - fn set_masquerade_status(&mut self, enabled: bool) -> Result<(), FirewallError>; + /// Setup Network Address Translation using POSTROUTING chain rules + fn setup_nat( + &mut self, + masquerade_enabled: bool, + snat_bindings: &[SnatBinding], + ) -> Result<(), FirewallError>; /// Begin rule transaction. fn begin(&mut self) -> Result<(), FirewallError>; diff --git a/src/enterprise/firewall/nftables/mod.rs b/src/enterprise/firewall/nftables/mod.rs index 3fbd622f..a5bd53ec 100644 --- a/src/enterprise/firewall/nftables/mod.rs +++ b/src/enterprise/firewall/nftables/mod.rs @@ -4,7 +4,7 @@ use std::sync::atomic::{AtomicU32, Ordering}; use netfilter::{ allow_established_traffic, apply_filter_rules, drop_table, ignore_unrelated_traffic, - init_firewall, send_batch, set_masq, + init_firewall, send_batch, set_nat_rules, }; use nftnl::Batch; 
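Review bot: The new `setup_nat` doc comment on the trait only says that POSTROUTING chain rules are used; it omits the contract the nftables implementation in this series actually enforces, namely that the call must happen inside a transaction (it returns `FirewallError::TransactionNotStarted` otherwise) and that it replaces whatever the chain previously held, so an empty `snat_bindings` slice clears earlier bindings. I would expand it to `/// Set up NAT in the POSTROUTING chain, replacing any existing NAT rules.`, `/// Adds MASQUERADE when masquerade_enabled is set and one SNAT rule per binding.`, `/// Must be called between begin() and commit().`. Whether the packet filter backend honours the same contract is a separate question raised on its own hunk.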
@@ -194,27 +194,20 @@ impl FirewallManagementApi for FirewallApi { Ok(()) } - // Allows for changing the default policy of the firewall. - // fn set_firewall_default_policy(&mut self, policy: Policy) -> Result<(), FirewallError> { - // debug!("Setting default firewall policy to: {policy:?}"); - // if let Some(batch) = &mut self.batch { - // set_default_policy(policy, batch, &self.ifname)?; - // } else { - // return Err(FirewallError::TransactionNotStarted); - // } - // debug!("Set firewall default policy to {policy:?}"); - // Ok(()) - // } + fn setup_nat( + &mut self, + masquerade_enabled: bool, + snat_bindings: &[SnatBinding], + ) -> Result<(), FirewallError> { + debug!("Setting up POSTROUTING chain rules with masquerade status: {masquerade_enabled} and SNAT bindings: {snat_bindings:?}"); - /// Allows for changing the masquerade status of the firewall. - fn set_masquerade_status(&mut self, enabled: bool) -> Result<(), FirewallError> { - debug!("Setting masquerade status to: {enabled:?}"); if let Some(batch) = &mut self.batch { - set_masq(&self.ifname, enabled, batch)?; + set_nat_rules(batch, &self.ifname, masquerade_enabled, snat_bindings)?; } else { return Err(FirewallError::TransactionNotStarted); } - debug!("Set masquerade status to: {enabled:?}"); + + debug!("Finished POSTROUTING chain rules setup"); Ok(()) } @@ -227,10 +220,6 @@ impl FirewallManagementApi for FirewallApi { Ok(()) } - fn add_snat_bindings(&mut self, snat_bindings: Vec) -> Result<(), FirewallError> { - unimplemented!() - } - fn begin(&mut self) -> Result<(), FirewallError> { if self.batch.is_none() { debug!("Starting new firewall transaction"); diff --git a/src/enterprise/firewall/nftables/netfilter.rs b/src/enterprise/firewall/nftables/netfilter.rs index 7174d9b0..0469a95b 100644 --- a/src/enterprise/firewall/nftables/netfilter.rs +++ b/src/enterprise/firewall/nftables/netfilter.rs 
@@ -16,7 +16,7 @@ use nftnl::{ }; use super::{get_set_id, Address, FilterRule, Policy, Port, Protocol, State}; -use crate::enterprise::firewall::{iprange::IpAddrRange, FirewallError}; +use crate::enterprise::firewall::{iprange::IpAddrRange, FirewallError, SnatBinding}; const FILTER_TABLE: &str = "filter"; const NAT_TABLE: &str = "nat"; @@ -591,24 +591,35 @@ pub(super) fn drop_chain( Ok(()) } -/// Applies masquerade on the specified interface for the outgoing packets -pub(super) fn set_masq( - ifname: &str, - enabled: bool, +/// Applies NAT rules on the specified interface for the outgoing packets +pub(super) fn set_nat_rules( batch: &mut Batch, + ifname: &str, + masquerade_enabled: bool, + snat_bindings: &[SnatBinding], ) -> Result<(), FirewallError> { + // cleanup existing POSTROUTING chain rules let table = Tables::Defguard(ProtoFamily::Inet).to_table(ifname); batch.add(&table, nftnl::MsgType::Add); drop_chain(&Chains::Postrouting, batch, ifname)?; + // initialize new POSTROUTING chain let mut nat_chain = Chains::Postrouting.to_chain(&table); nat_chain.set_hook(nftnl::Hook::PostRouting, POSTROUTING_PRIORITY); nat_chain.set_policy(nftnl::Policy::Accept); nat_chain.set_type(nftnl::ChainType::Nat); batch.add(&nat_chain, nftnl::MsgType::Add); - let nat_rule = NatRule { + // add SNAT bindings + for binding in snat_bindings { + let snat_rule = todo!(); + + // batch.add(&snat_rule, nftnl::MsgType::Add); + } + + // add MASQUERADE rule + let masquerade_rule = NatRule { oifname: Some(LOOPBACK_IFACE.to_string()), negated_oifname: true, counter: true, @@ -616,10 +627,10 @@ pub(super) fn set_masq( } .to_chain_rule(&nat_chain, batch)?; - if enabled { - batch.add(&nat_rule, nftnl::MsgType::Add); + if masquerade_enabled { + batch.add(&masquerade_rule, nftnl::MsgType::Add); } else { - batch.add(&nat_rule, nftnl::MsgType::Del); + batch.add(&masquerade_rule, nftnl::MsgType::Del); } Ok(()) 
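Review bot: `let snat_rule = todo!();` inside `for binding in snat_bindings` panics the gateway the first time a configuration carrying any SNAT binding arrives, and it does so mid-transaction rather than reporting through the function's `Result`; since `Gateway` already calls `setup_nat` with real bindings in this series, returning an error (or `warn!`-ing and skipping the binding) until the rule builder exists is the safer sketch. The loop places SNAT rules ahead of the MASQUERADE rule, which is the order that must be kept because a matching snat verdict is terminal in the nat chain, so that dependency deserves a comment such as `// SNAT bindings must precede MASQUERADE: the first matching nat rule wins`. `binding` is unused until the builder is written, so the loop currently produces a warning.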
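Review bot: The `else` branch `batch.add(&masquerade_rule, nftnl::MsgType::Del)` now runs against a POSTROUTING chain that the same batch dropped and re-created a few lines above via `drop_chain`, so it asks the kernel to delete a rule that cannot exist in that chain. Before this commit the function was only reached with `enabled == true` because the gateway guarded the call with `if self.config.masquerade`, whereas `setup_nat` is now called unconditionally from `Gateway`, making this branch reachable; if the delete is rejected, the whole batch that `Gateway` commits together with the filter rules fails. Replace the if/else with `if masquerade_enabled { batch.add(&masquerade_rule, nftnl::MsgType::Add); }` and let the chain rebuild cover the disabled case.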
diff --git a/src/enterprise/firewall/packetfilter/api.rs b/src/enterprise/firewall/packetfilter/api.rs index baad67cd..a3d7bcb7 100644 --- a/src/enterprise/firewall/packetfilter/api.rs +++ b/src/enterprise/firewall/packetfilter/api.rs @@ -72,8 +72,12 @@ impl FirewallManagementApi for FirewallApi { Ok(()) } - /// Set masquerade status. - fn set_masquerade_status(&mut self, _enabled: bool) -> Result<(), FirewallError> { + /// Setup Network Address Translation using POSTROUTING chain rules + fn setup_nat( + &mut self, + masquerade_enabled: bool, + snat_bindings: &[SnatBinding], + ) -> Result<(), FirewallError> { Ok(()) } diff --git a/src/gateway.rs b/src/gateway.rs index 406828d0..9d5d1d8c 100644 --- a/src/gateway.rs +++ b/src/gateway.rs @@ -260,6 +260,7 @@ impl Gateway { /// Checks whether the firewall config changed fn has_firewall_config_changed(&self, new_fw_config: &FirewallConfig) -> bool { + // TODO: check SNAT bindings if let Some(current_config) = &self.firewall_config { return current_config.default_policy != new_fw_config.default_policy || self.have_firewall_rules_changed(&new_fw_config.rules); @@ -317,9 +318,8 @@ impl Gateway { self.firewall_api.begin()?; self.firewall_api .setup(fw_config.default_policy, self.config.fw_priority)?; - if self.config.masquerade { - self.firewall_api.set_masquerade_status(true)?; - } + self.firewall_api + .setup_nat(self.config.masquerade, &fw_config.snat_bindings)?; self.firewall_api.add_rules(fw_config.rules.clone())?; self.firewall_api.commit()?; self.firewall_config = Some(fw_config.clone()); @@ -331,9 +331,7 @@ impl Gateway { debug!("Received firewall configuration is empty, cleaning up firewall rules..."); self.firewall_api.begin()?; self.firewall_api.cleanup()?; - if self.config.masquerade { - self.firewall_api.set_masquerade_status(true)?; - } + self.firewall_api.setup_nat(self.config.masquerade, &[])?; self.firewall_api.commit()?; self.firewall_config = None; debug!("Cleaned up firewall rules"); 
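Review bot: The packet filter `setup_nat` discards both `masquerade_enabled` and `snat_bindings` and returns `Ok(())`, so on that backend a configuration with SNAT bindings is acknowledged as applied while no NAT is installed; the replaced `set_masquerade_status` at least named its parameter `_enabled` to signal the no-op. Prefix both parameters with `_` to keep the build warning-free (commit 04 in this series exists only to fix a warning) and emit a `warn!` when `!snat_bindings.is_empty()` so the gap is visible in logs rather than silent. Whether `warn!` is already in scope in this file is not visible from the hunk.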
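Review bot: `has_firewall_config_changed` still compares only `default_policy` and `rules`, so a new configuration whose only difference is its `snat_bindings` is reported as unchanged and never applied, even though `FirewallConfig` now carries the field and derives `PartialEq`. Rather than the `// TODO: check SNAT bindings` marker, the check is a one-line addition to the return expression: `|| current_config.snat_bindings != new_fw_config.snat_bindings`. The function's remaining branch is outside the hunk.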
@@ -582,7 +580,7 @@ impl Gateway { #[cfg(target_os = "linux")] if self.config.masquerade { self.firewall_api.begin()?; - self.firewall_api.set_masquerade_status(true)?; + self.firewall_api.setup_nat(self.config.masquerade, &[])?; self.firewall_api.commit()?; } } From 9ddbd9e9e9272130278f3b774494f41820028284 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Wed, 25 Jun 2025 13:07:14 +0200 Subject: [PATCH 06/13] update dependencies --- Cargo.lock | 135 +++++++++++++++++++++++++++++++++++++++++------------ flake.lock | 12 ++--- 2 files changed, 110 insertions(+), 37 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 1b3beb22..f85dd300 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -123,9 +123,9 @@ checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0" [[package]] name = "autocfg" -version = "1.4.0" +version = "1.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ace50bade8e6234aa140d9a2f552bbee1db4d353f69b8217bc503490fc1a9f26" +checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8" [[package]] name = "axum" @@ -252,7 +252,7 @@ dependencies = [ "miniz_oxide", "object", "rustc-demangle", - "windows-targets", + "windows-targets 0.52.6", ] [[package]] @@ -580,12 +580,12 @@ checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f" [[package]] name = "errno" -version = "0.3.12" +version = "0.3.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cea14ef9355e3beab063703aa9dab15afd25f0667c341310c1e5274bb1d0da18" +checksum = "778e2ac28f6c47af28e4907f13ffd1e1ddbd400980a9abd7c8df189bf578a5ad" dependencies = [ "libc", - "windows-sys 0.59.0", + "windows-sys 0.60.2", ] [[package]] @@ -677,7 +677,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fc257fdb4038301ce4b9cd1b3b51704509692bb3ff716a410cbd07925d9dae55" dependencies = [ "rustix", - "windows-targets", + "windows-targets 0.52.6", ] [[package]] 
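Review bot: `self.firewall_api.setup_nat(self.config.masquerade, &[])` inside `if self.config.masquerade` rebuilds the POSTROUTING chain with an empty binding slice, so any SNAT bindings installed by the last firewall configuration are dropped on this path while the cached `self.firewall_config` still records them as applied. If `self.firewall_config` can be populated when this runs, pass its bindings through: `let bindings = self.firewall_config.as_ref().map(|c| c.snat_bindings.as_slice()).unwrap_or(&[]);` followed by `self.firewall_api.setup_nat(true, bindings)?;` (the guard already establishes masquerade is on). The enclosing function starts outside the hunk, so the intent of this call site is inferred.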
@@ -1067,15 +1067,15 @@ dependencies = [ [[package]] name = "libc" -version = "0.2.173" +version = "0.2.174" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d8cfeafaffdbc32176b64fb251369d52ea9f0a8fbc6f8759edffef7b525d64bb" +checksum = "1171693293099992e19cddea4e8b849964e9846f4acee11b3948bcc337be8776" [[package]] name = "libgit2-sys" -version = "0.18.1+1.9.0" +version = "0.18.2+1.9.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e1dcb20f84ffcdd825c7a311ae347cce604a6f084a767dec4a4929829645290e" +checksum = "1c42fe03df2bd3c53a3a9c7317ad91d80c81cd1fb0caec8d7cc4cd2bfa10c222" dependencies = [ "cc", "libc", @@ -1444,9 +1444,9 @@ dependencies = [ [[package]] name = "prettyplease" -version = "0.2.34" +version = "0.2.35" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6837b9e10d61f45f987d50808f83d1ee3d206c66acf650c3e4ae2e1f6ddedf55" +checksum = "061c1221631e079b26479d25bbf2275bfe5917ae8419cd7e34f13bfc2aa7539a" dependencies = [ "proc-macro2", "syn", @@ -1855,9 +1855,9 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" [[package]] name = "syn" -version = "2.0.103" +version = "2.0.104" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e4307e30089d6fd6aff212f2da3a1f9e32f3223b1f010fb09b7c95f90f3ca1e8" +checksum = "17b6f705963418cdb9927482fa304bc562ece2fdd4f616084c50b7023b435a40" dependencies = [ "proc-macro2", "quote", @@ -2195,9 +2195,9 @@ dependencies = [ [[package]] name = "tracing-attributes" -version = "0.1.29" +version = "0.1.30" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1b1ffbcf9c6f6b99d386e7444eb608ba646ae452a36b39737deb9663b610f662" +checksum = "81383ab64e72a7a8b8e13130c49e3dab29def6d0c7d76a03087b3cf71c5c6903" dependencies = [ "proc-macro2", "quote", 
@@ -2335,7 +2335,7 @@ version = "0.52.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d" dependencies = [ - "windows-targets", + "windows-targets 0.52.6", ] [[package]] @@ -2344,7 +2344,16 @@ version = "0.59.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1e38bc4d79ed67fd075bcc251a1c39b32a1776bbe92e5bef1f0bf1f8c531853b" dependencies = [ - "windows-targets", + "windows-targets 0.52.6", +] + +[[package]] +name = "windows-sys" +version = "0.60.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f2f500e4d28234f72040990ec9d39e3a6b950f9f22d3dba18416c35882612bcb" +dependencies = [ + "windows-targets 0.53.2", ] [[package]] @@ -2353,14 +2362,30 @@ version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973" dependencies = [ - "windows_aarch64_gnullvm", - "windows_aarch64_msvc", - "windows_i686_gnu", - "windows_i686_gnullvm", - "windows_i686_msvc", - "windows_x86_64_gnu", - "windows_x86_64_gnullvm", - "windows_x86_64_msvc", + "windows_aarch64_gnullvm 0.52.6", + "windows_aarch64_msvc 0.52.6", + "windows_i686_gnu 0.52.6", + "windows_i686_gnullvm 0.52.6", + "windows_i686_msvc 0.52.6", + "windows_x86_64_gnu 0.52.6", + "windows_x86_64_gnullvm 0.52.6", + "windows_x86_64_msvc 0.52.6", +] + +[[package]] +name = "windows-targets" +version = "0.53.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c66f69fcc9ce11da9966ddb31a40968cad001c5bedeb5c2b82ede4253ab48aef" +dependencies = [ + "windows_aarch64_gnullvm 0.53.0", + "windows_aarch64_msvc 0.53.0", + "windows_i686_gnu 0.53.0", + "windows_i686_gnullvm 0.53.0", + "windows_i686_msvc 0.53.0", + "windows_x86_64_gnu 0.53.0", + "windows_x86_64_gnullvm 0.53.0", + "windows_x86_64_msvc 0.53.0", ] [[package]] 
@@ -2369,48 +2394,96 @@ version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3" +[[package]] +name = "windows_aarch64_gnullvm" +version = "0.53.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "86b8d5f90ddd19cb4a147a5fa63ca848db3df085e25fee3cc10b39b6eebae764" + [[package]] name = "windows_aarch64_msvc" version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469" +[[package]] +name = "windows_aarch64_msvc" +version = "0.53.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c7651a1f62a11b8cbd5e0d42526e55f2c99886c77e007179efff86c2b137e66c" + [[package]] name = "windows_i686_gnu" version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b" +[[package]] +name = "windows_i686_gnu" +version = "0.53.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c1dc67659d35f387f5f6c479dc4e28f1d4bb90ddd1a5d3da2e5d97b42d6272c3" + [[package]] name = "windows_i686_gnullvm" version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66" +[[package]] +name = "windows_i686_gnullvm" +version = "0.53.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9ce6ccbdedbf6d6354471319e781c0dfef054c81fbc7cf83f338a4296c0cae11" + [[package]] name = "windows_i686_msvc" version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66" +[[package]] +name = "windows_i686_msvc" +version = "0.53.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = 
"581fee95406bb13382d2f65cd4a908ca7b1e4c2f1917f143ba16efe98a589b5d" + [[package]] name = "windows_x86_64_gnu" version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78" +[[package]] +name = "windows_x86_64_gnu" +version = "0.53.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2e55b5ac9ea33f2fc1716d1742db15574fd6fc8dadc51caab1c16a3d3b4190ba" + [[package]] name = "windows_x86_64_gnullvm" version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d" +[[package]] +name = "windows_x86_64_gnullvm" +version = "0.53.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0a6e035dd0599267ce1ee132e51c27dd29437f63325753051e71dd9e42406c57" + [[package]] name = "windows_x86_64_msvc" version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec" +[[package]] +name = "windows_x86_64_msvc" +version = "0.53.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "271414315aff87387382ec3d271b52d7ae78726f5d44ac98b4f4030c91880486" + [[package]] name = "winnow" version = "0.7.11" 
@@ -2473,18 +2546,18 @@ dependencies = [ [[package]] name = "zerocopy" -version = "0.8.25" +version = "0.8.26" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a1702d9583232ddb9174e01bb7c15a2ab8fb1bc6f227aa1233858c351a3ba0cb" +checksum = "1039dd0d3c310cf05de012d8a39ff557cb0d23087fd44cad61df08fc31907a2f" dependencies = [ "zerocopy-derive", ] [[package]] name = "zerocopy-derive" -version = "0.8.25" +version = "0.8.26" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "28a6e20d751156648aa063f3800b706ee209a32c0b4d9f24be3d980b01be55ef" +checksum = "9ecf5b4cc5364572d7f4c329661bcc82724222973f2cab6f050a4e5c22f75181" dependencies = [ "proc-macro2", "quote", diff --git a/flake.lock b/flake.lock index 41d4dcde..c176c2b4 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1749794982, - "narHash": "sha256-Kh9K4taXbVuaLC0IL+9HcfvxsSUx8dPB5s5weJcc9pc=", + "lastModified": 1750741721, + "narHash": "sha256-Z0djmTa1YmnGMfE9jEe05oO4zggjDmxOGKwt844bUhE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ee930f9755f58096ac6e8ca94a1887e0534e2d81", + "rev": "4b1164c3215f018c4442463a27689d973cffd750", "type": "github" }, "original": { @@ -48,11 +48,11 @@ ] }, "locked": { - "lastModified": 1750127910, - "narHash": "sha256-FIgEIS0RAlOyXGqoj/OufTfcKItYq668yPYL4SXdU0M=", + "lastModified": 1750819193, + "narHash": "sha256-XvkupGPZqD54HuKhN/2WhbKjAHeTl1UEnWspzUzRFfA=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "45418795a73b77b7726c62ce265d68cf541ffb49", + "rev": "1ba3b9c59b68a4b00156827ad46393127b51b808", "type": "github" }, "original": { From 9ef1652160f695b9c3a0ba159bf0d648bb0b7684 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Wed, 25 Jun 2025 23:21:47 +0200 Subject: [PATCH 07/13] try adding snat rules --- src/enterprise/firewall/dummy/mod.rs | 12 +- src/enterprise/firewall/mod.rs | 10 +- src/enterprise/firewall/nftables/netfilter.rs | 156 +++++++++++++----- src/enterprise/firewall/packetfilter/mod.rs | 2 +- src/gateway.rs | 7 + 5 files changed, 136 insertions(+), 51 deletions(-) diff --git a/src/enterprise/firewall/dummy/mod.rs b/src/enterprise/firewall/dummy/mod.rs index 9129f91f..db783c17 100644 --- a/src/enterprise/firewall/dummy/mod.rs +++ b/src/enterprise/firewall/dummy/mod.rs @@ -16,10 +16,6 @@ impl FirewallManagementApi for FirewallApi { Ok(()) } - fn set_masquerade_status(&mut self, _enabled: bool) -> Result<(), FirewallError> { - Ok(()) - } - fn add_rules(&mut self, _rules: Vec) -> Result<(), FirewallError> { Ok(()) } @@ -31,4 +27,12 @@ impl FirewallManagementApi for FirewallApi { fn commit(&mut self) -> Result<(), FirewallError> { Ok(()) } + + fn setup_nat( + &mut self, + masquerade_enabled: bool, + snat_bindings: &[super::SnatBinding], + ) -> Result<(), FirewallError> { + Ok(()) + } } diff --git a/src/enterprise/firewall/mod.rs b/src/enterprise/firewall/mod.rs index 964e452a..e6d84bc3 100644 --- a/src/enterprise/firewall/mod.rs +++ b/src/enterprise/firewall/mod.rs @@ -1,8 +1,8 @@ pub mod api; -#[cfg(test)] -mod dummy; +// #[cfg(test)] +// mod dummy; mod iprange; -#[cfg(all(not(test), target_os = "linux"))] +#[cfg(target_os = "linux")] mod nftables; #[cfg(any(target_os = "freebsd", target_os = "macos", target_os = "netbsd"))] mod packetfilter; @@ -206,6 +206,8 @@ pub(crate) struct SnatBinding { pub source_addrs: Vec
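Review bot: In the `setup_nat` stub added to the dummy `FirewallApi`, `masquerade_enabled` and `snat_bindings` are unused but not underscore-prefixed, unlike `_rules` and the removed `_enabled` in the same impl, so the build will warn on them. `_masquerade_enabled: bool` and `_snat_bindings: &[super::SnatBinding]` keep the stub consistent with its siblings.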
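Review bot: Commenting out `#[cfg(test)] mod dummy;` and widening the nftables gate to `#[cfg(target_os = "linux")]` leaves dead attribute text in the tree (the packetfilter hunk does the same with `// #[cfg(not(test))]`) and changes which backend test builds compile against: on Linux, tests now build the real nftables module instead of the dummy. If that is intended, delete the commented lines rather than keeping them; if the dummy is still wanted for tests, keep `#[cfg(all(not(test), target_os = "linux"))]` so unit tests are not built against the host's netfilter backend.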
, pub public_ip: IpAddr, pub comment: Option, + /// Whether a rule uses IPv4 (true) or IPv6 (false) + pub ipv4: bool, // FIXME: is that really needed? } #[derive(Debug, Clone, PartialEq)] @@ -302,6 +304,8 @@ impl FirewallConfig { source_addrs, public_ip, comment: binding.comment, + // we assume source IPs have already been filtered and are compatible with chosen public IP + ipv4: public_ip.is_ipv4(), }; debug!("Parsed received proto SNAT binding as: {snat_binding:?}"); diff --git a/src/enterprise/firewall/nftables/netfilter.rs b/src/enterprise/firewall/nftables/netfilter.rs index 0469a95b..06e8ce45 100644 --- a/src/enterprise/firewall/nftables/netfilter.rs +++ b/src/enterprise/firewall/nftables/netfilter.rs @@ -9,7 +9,7 @@ use ipnetwork::IpNetwork; #[cfg(test)] use ipnetwork::{Ipv4Network, Ipv6Network}; use nftnl::{ - expr::{Expression, InterfaceName}, + expr::{Expression, Immediate, InterfaceName, Nat, NatType, Register}, nft_expr, nftnl_sys, set::{Set, SetKey}, Batch, Chain, FinalizedBatch, ProtoFamily, Rule, Table, @@ -435,18 +435,14 @@ impl FirewallRule for FilterRule<'_> { } } -#[derive(Debug, Default)] -struct NatRule { - src_ip: Option, - dest_ip: Option, - oifname: Option, - iifname: Option, +#[derive(Debug)] +struct MasqueradeRule { + oifname: String, negated_oifname: bool, - negated_iifname: bool, counter: bool, } -impl FirewallRule for NatRule { +impl FirewallRule for MasqueradeRule { fn to_chain_rule<'a>( &self, chain: &'a Chain, 
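Review bot: `ipv4: public_ip.is_ipv4()` encodes the assumption written in the comment above it — that `source_addrs` were already filtered to the family of `public_ip` — but nothing in this hunk enforces it, and the `FIXME` on the new struct field says the field itself is in doubt. Rejecting or at least logging a binding whose `source_addrs` contain an address of the other family at parse time (a check of the form `if source_addrs.iter().any(|a| <is-ipv4 of a> != public_ip.is_ipv4()) { warn!(...); continue; }`, adapted to what the address type exposes) would keep a malformed binding from reaching the nftables set builder. The surrounding parsing loop starts outside the hunk, so the exact skip form depends on it.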
@@ -454,49 +450,116 @@ impl FirewallRule for NatRule { ) -> Result, FirewallError> { let mut rule = Rule::new(chain); - if let Some(src_ip) = self.src_ip { - if src_ip.is_ipv4() { - rule.add_expr(&nft_expr!(payload ipv4 saddr)); - } else { - rule.add_expr(&nft_expr!(payload ipv6 saddr)); - } - rule.add_expr(&nft_expr!(cmp == src_ip)); + rule.add_expr(&nft_expr!(meta oifname)); + let exact = InterfaceName::Exact(CString::new(self.oifname.as_str()).unwrap()); + if self.negated_oifname { + rule.add_expr(&nft_expr!(cmp != exact)); + } else { + rule.add_expr(&nft_expr!(cmp == exact)); } - if let Some(dest_ip) = self.dest_ip { - if dest_ip.is_ipv4() { - rule.add_expr(&nft_expr!(payload ipv4 daddr)); - } else { - rule.add_expr(&nft_expr!(payload ipv6 daddr)); - } - rule.add_expr(&nft_expr!(cmp == dest_ip)); + if self.counter { + rule.add_expr(&nft_expr!(counter)); } - if let Some(iifname) = &self.iifname { - rule.add_expr(&nft_expr!(meta iifname)); - let exact = InterfaceName::Exact(CString::new(iifname.as_str()).unwrap()); - if self.negated_iifname { - rule.add_expr(&nft_expr!(cmp != exact)); + rule.add_expr(&nft_expr!(masquerade)); + + Ok(rule) + } +} + +#[derive(Debug)] +struct SnatRule<'a> { + src_ips: &'a [Address], + public_ip: &'a IpAddr, + oifname: String, + negated_oifname: bool, + counter: bool, + ipv4: bool, +} + +impl FirewallRule for SnatRule<'_> { + fn to_chain_rule<'a>( + &self, + chain: &'a Chain, + batch: &mut Batch, + ) -> Result, FirewallError> { + let mut rule = Rule::new(chain); + + if !self.src_ips.is_empty() { + if self.ipv4 { + let set = new_anon_set::(chain.get_table(), ProtoFamily::Inet, true)?; + batch.add(&set, nftnl::MsgType::Add); + + for ip in self.src_ips { + add_address_to_set(set.as_ptr(), ip)?; + } + + // ip saddr {x.x.x.x, x.x.x.x} + set.elems_iter().for_each(|elem| { + batch.add(&elem, nftnl::MsgType::Add); + }); + + rule.add_expr(&nft_expr!(meta nfproto)); + rule.add_expr(&nft_expr!(cmp == libc::NFPROTO_IPV4 as u8)); + 
rule.add_expr(&nft_expr!(payload ipv4 saddr)); + + rule.add_expr(&nft_expr!(lookup & set)); } else { - rule.add_expr(&nft_expr!(cmp == exact)); + let set = new_anon_set::(chain.get_table(), ProtoFamily::Inet, true)?; + batch.add(&set, nftnl::MsgType::Add); + + for ip in self.src_ips { + add_address_to_set(set.as_ptr(), ip)?; + } + + // ip6 saddr {x.x.x.x, x.x.x.x} + set.elems_iter().for_each(|elem| { + batch.add(&elem, nftnl::MsgType::Add); + }); + + rule.add_expr(&nft_expr!(meta nfproto)); + rule.add_expr(&nft_expr!(cmp == libc::NFPROTO_IPV6 as u8)); + rule.add_expr(&nft_expr!(payload ipv6 saddr)); + + rule.add_expr(&nft_expr!(lookup & set)); } + debug!( + "Added source IP addresses match to nftables expression: {:?}", + self.src_ips + ); } - if let Some(oifname) = &self.oifname { - rule.add_expr(&nft_expr!(meta oifname)); - let exact = InterfaceName::Exact(CString::new(oifname.as_str()).unwrap()); - if self.negated_oifname { - rule.add_expr(&nft_expr!(cmp != exact)); - } else { - rule.add_expr(&nft_expr!(cmp == exact)); - } + rule.add_expr(&nft_expr!(meta oifname)); + let exact = InterfaceName::Exact(CString::new(self.oifname.as_str()).unwrap()); + if self.negated_oifname { + rule.add_expr(&nft_expr!(cmp != exact)); + } else { + rule.add_expr(&nft_expr!(cmp == exact)); } if self.counter { rule.add_expr(&nft_expr!(counter)); } - rule.add_expr(&nft_expr!(masquerade)); + let public_ip_bytes = match self.public_ip { + IpAddr::V4(ipv4_addr) => ipv4_addr.octets().to_vec(), + IpAddr::V6(ipv6_addr) => ipv6_addr.octets().to_vec(), + }; + rule.add_expr(&Immediate::new(public_ip_bytes, Register::Reg1)); + let family = if self.ipv4 { + ProtoFamily::Ipv4 + } else { + ProtoFamily::Ipv6 + }; + let snat_expr = Nat { + nat_type: NatType::SNat, + family, + ip_register: Register::Reg1, + port_register: None, + }; + + rule.add_expr(&snat_expr); Ok(rule) } 
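Review bot: `SnatRule` carries both `public_ip: &IpAddr` and a separate `ipv4: bool`, and the SNAT expression is assembled from both: the bytes loaded into `Register::Reg1` come from `self.public_ip` while `family` comes from `self.ipv4`, so a binding whose flag disagrees with the address family yields an snat statement of one family holding an address of the other. Deriving `family` from `match self.public_ip { IpAddr::V4(..) => ProtoFamily::Ipv4, IpAddr::V6(..) => ProtoFamily::Ipv6 }` and using the same match to pick the source set family removes the second source of truth. The IPv4 and IPv6 branches of the source-set block differ only in the set key type, the `NFPROTO_*` constant and the `payload` expression, so one block parameterised on those three values would halve the code and keep the two paths from drifting. `CString::new(self.oifname.as_str()).unwrap()` panics on an interior NUL; it is only fed `LOOPBACK_IFACE` today, which is worth recording in a comment on the field.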
@@ -613,17 +676,24 @@ pub(super) fn set_nat_rules( // add SNAT bindings for binding in snat_bindings { - let snat_rule = todo!(); + let snat_rule = SnatRule { + oifname: LOOPBACK_IFACE.to_string(), + negated_oifname: true, + counter: true, + src_ips: &binding.source_addrs, + public_ip: &binding.public_ip, + ipv4: binding.ipv4, + } + .to_chain_rule(&nat_chain, batch)?; - // batch.add(&snat_rule, nftnl::MsgType::Add); + batch.add(&snat_rule, nftnl::MsgType::Add); } // add MASQUERADE rule - let masquerade_rule = NatRule { - oifname: Some(LOOPBACK_IFACE.to_string()), + let masquerade_rule = MasqueradeRule { + oifname: LOOPBACK_IFACE.to_string(), negated_oifname: true, counter: true, - ..Default::default() } .to_chain_rule(&nat_chain, batch)?; diff --git a/src/enterprise/firewall/packetfilter/mod.rs b/src/enterprise/firewall/packetfilter/mod.rs index 81cccdce..fe377a23 100644 --- a/src/enterprise/firewall/packetfilter/mod.rs +++ b/src/enterprise/firewall/packetfilter/mod.rs @@ -92,5 +92,5 @@ impl FirewallApi { } } -#[cfg(not(test))] +// #[cfg(not(test))] mod api; diff --git a/src/gateway.rs b/src/gateway.rs index 9d5d1d8c..55fd2327 100644 --- a/src/gateway.rs +++ b/src/gateway.rs @@ -835,11 +835,13 @@ mod tests { let config1 = FirewallConfig { rules: vec![rule1.clone(), rule2.clone()], default_policy: Policy::Allow, + snat_bindings: vec![], }; let config_empty = FirewallConfig { rules: Vec::new(), default_policy: Policy::Allow, + snat_bindings: vec![], }; #[cfg(target_os = "macos")] @@ -899,16 +901,19 @@ mod tests { let config1 = FirewallConfig { rules: Vec::new(), default_policy: Policy::Allow, + snat_bindings: vec![], }; let config2 = FirewallConfig { rules: Vec::new(), default_policy: Policy::Deny, + snat_bindings: vec![], }; let config3 = FirewallConfig { rules: Vec::new(), default_policy: Policy::Allow, + snat_bindings: vec![], }; #[cfg(target_os = "macos")] 
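Review bot: The SNAT rules are appended to `nat_chain` before the MASQUERADE rule, which is what makes a per-binding public IP win over masquerading, but nothing in the hunk records that the order is load-bearing; a comment such as `// SNAT rules must precede MASQUERADE: the first matching nat statement decides the source address` would protect it from a later reorder. `set_nat_rules` begins outside the hunk, so whether the MASQUERADE rule is still gated on `masquerade_enabled` is not visible here; if it is not, deployments that only configure SNAT bindings would also masquerade all other traffic leaving the host.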
@@ -954,6 +959,7 @@ mod tests { ipv4: true, }], default_policy: Policy::Allow, + snat_bindings: vec![], }; gateway.firewall_config = Some(config1); assert!(gateway.has_firewall_config_changed(&config4)); @@ -971,6 +977,7 @@ mod tests { ipv4: false, }], default_policy: Policy::Allow, + snat_bindings: vec![], }; gateway.firewall_config = Some(config4); assert!(gateway.has_firewall_config_changed(&config5)); From 46c2df42d7021e1d81401f6e0bb81eb6b8fc750c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 26 Jun 2025 09:20:14 +0200 Subject: [PATCH 08/13] check for snat rule changes --- src/gateway.rs | 38 +++++++++++++++++++++++++++++++++++--- 1 file changed, 35 insertions(+), 3 deletions(-) diff --git a/src/gateway.rs b/src/gateway.rs index 55fd2327..8933507f 100644 --- a/src/gateway.rs +++ b/src/gateway.rs @@ -30,7 +30,7 @@ use crate::{ config::Config, enterprise::firewall::{ api::{FirewallApi, FirewallManagementApi}, - FirewallConfig, FirewallRule, + FirewallConfig, FirewallRule, SnatBinding, }, error::GatewayError, execute_command, mask, @@ -260,10 +260,10 @@ impl Gateway { /// Checks whether the firewall config changed fn has_firewall_config_changed(&self, new_fw_config: &FirewallConfig) -> bool { - // TODO: check SNAT bindings if let Some(current_config) = &self.firewall_config { return current_config.default_policy != new_fw_config.default_policy - || self.have_firewall_rules_changed(&new_fw_config.rules); + || self.have_firewall_rules_changed(&new_fw_config.rules) + || self.have_snat_bindings_changed(&new_fw_config.snat_bindings); } true 
@@ -301,6 +301,38 @@ impl Gateway { } } + /// Checks whether SNAT bindings have changed. + fn have_snat_bindings_changed(&self, new_bindings: &[SnatBinding]) -> bool { + debug!("Checking if SNAT bindings have changed"); + if let Some(current_config) = &self.firewall_config { + let current_bindings = ¤t_config.snat_bindings; + if current_bindings.len() != new_bindings.len() { + debug!("Number of SNAT bindings is different, so the bindings have changed"); + return true; + } + + for binding in new_bindings { + if !current_bindings.contains(binding) { + debug!("Found a new SNAT binding: {binding:?}. Bindings have changed."); + return true; + } + } + + for binding in current_bindings { + if !new_bindings.contains(binding) { + debug!("Found a removed SNAT binding: {binding:?}. Bindings have changed."); + return true; + } + } + + debug!("SNAT bindings are the same. Bindings have not changed. My bindings: {current_bindings:?}, new bindings: {new_bindings:?}"); + false + } else { + debug!("There are new SNAT bindings in the new configuration, but we don't have any in the current one. Bindings have changed."); + true + } + } + /// Process and apply firewall configuration changes. /// - If the main config changed (default policy), reconfigure the whole firewall. /// - If only the rules changed, apply the new rules. Currently also reconfigures the whole firewall but that From 00bcfab3b3aa642590a6959425ea0670c6de4e0c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 26 Jun 2025 10:21:44 +0200 Subject: [PATCH 09/13] fix setting public IP in SNAT rule --- src/enterprise/firewall/mod.rs | 4 ---- src/enterprise/firewall/nftables/netfilter.rs | 21 ++++++++++--------- 2 files changed, 11 insertions(+), 14 deletions(-) diff --git a/src/enterprise/firewall/mod.rs b/src/enterprise/firewall/mod.rs index e6d84bc3..4b7d883a 100644 --- a/src/enterprise/firewall/mod.rs +++ b/src/enterprise/firewall/mod.rs 
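Review bot: The `else` branch of `have_snat_bindings_changed` logs "There are new SNAT bindings in the new configuration" whenever `self.firewall_config` is `None`, including when `new_bindings` is empty, so the message misstates the situation; `debug!("No current firewall config, treating SNAT bindings as changed")` matches what the code does. With the lengths already checked equal, the two `contains` loops only disagree when one side holds duplicates, so either drop the second loop or state the intent (duplicates tolerated, order ignored) in a comment above the first. The `¤t_config` token on the `let current_bindings` line looks like an extraction artifact of `&current_config` rather than source text.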
@@ -206,8 +206,6 @@ pub(crate) struct SnatBinding { pub source_addrs: Vec
, pub public_ip: IpAddr, pub comment: Option, - /// Whether a rule uses IPv4 (true) or IPv6 (false) - pub ipv4: bool, // FIXME: is that really needed? } #[derive(Debug, Clone, PartialEq)] @@ -304,8 +302,6 @@ impl FirewallConfig { source_addrs, public_ip, comment: binding.comment, - // we assume source IPs have already been filtered and are compatible with chosen public IP - ipv4: public_ip.is_ipv4(), }; debug!("Parsed received proto SNAT binding as: {snat_binding:?}"); diff --git a/src/enterprise/firewall/nftables/netfilter.rs b/src/enterprise/firewall/nftables/netfilter.rs index 06e8ce45..9c338516 100644 --- a/src/enterprise/firewall/nftables/netfilter.rs +++ b/src/enterprise/firewall/nftables/netfilter.rs @@ -542,15 +542,16 @@ impl FirewallRule for SnatRule<'_> { rule.add_expr(&nft_expr!(counter)); } - let public_ip_bytes = match self.public_ip { - IpAddr::V4(ipv4_addr) => ipv4_addr.octets().to_vec(), - IpAddr::V6(ipv6_addr) => ipv6_addr.octets().to_vec(), - }; - rule.add_expr(&Immediate::new(public_ip_bytes, Register::Reg1)); - let family = if self.ipv4 { - ProtoFamily::Ipv4 - } else { - ProtoFamily::Ipv6 + // determine if public IP is IPv4 or IPv6 and store the address in a register + let family = match self.public_ip { + IpAddr::V4(ipv4_addr) => { + rule.add_expr(&Immediate::new(*ipv4_addr, Register::Reg1)); + ProtoFamily::Ipv4 + } + IpAddr::V6(ipv6_addr) => { + rule.add_expr(&Immediate::new(*ipv6_addr, Register::Reg1)); + ProtoFamily::Ipv6 + } }; let snat_expr = Nat { nat_type: NatType::SNat, @@ -682,7 +683,7 @@ pub(super) fn set_nat_rules( counter: true, src_ips: &binding.source_addrs, public_ip: &binding.public_ip, - ipv4: binding.ipv4, + ipv4: binding.public_ip.is_ipv4(), } .to_chain_rule(&nat_chain, batch)?; From 1e1650792f50b1fdcb3be5eecb6fe1b3be4a1e7f Mon Sep 17 00:00:00 2001 
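Review bot: After this change the SNAT `family` and the address in `Reg1` are both taken from `self.public_ip`, but the source-address set (outside the hunk) is still selected by `self.ipv4`, which `set_nat_rules` now fills from `binding.public_ip.is_ipv4()`; the field has become a cached copy of one bit of `public_ip` and could be dropped from `SnatRule` so the two matches cannot diverge. Removing the `ipv4` field and its "already filtered" comment from `SnatBinding` also removed the only place recording that `source_addrs` are expected to match the family of `public_ip`; a doc comment on `SnatBinding::public_ip`, e.g. `/// Address the sources are rewritten to; `source_addrs` must be of the same family`, would preserve that contract.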
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 26 Jun 2025 12:39:56 +0200 Subject: [PATCH 10/13] add comments to snat rules --- src/enterprise/firewall/nftables/netfilter.rs | 46 ++++++++++++------- 1 file changed, 30 insertions(+), 16 deletions(-) diff --git a/src/enterprise/firewall/nftables/netfilter.rs b/src/enterprise/firewall/nftables/netfilter.rs index 9c338516..6cef7be1 100644 --- a/src/enterprise/firewall/nftables/netfilter.rs +++ b/src/enterprise/firewall/nftables/netfilter.rs @@ -148,6 +148,26 @@ fn add_protocol_to_set( Ok(()) } +fn add_rule_comment(rule: &mut Rule, comment: &str) -> Result<(), FirewallError> { + debug!("Adding comment to nftables expression: {comment:?}"); + // Since we are interoping with C, truncate the string to 255 *bytes* (not UTF-8 characters) + // 256 is the maximum length of a comment string in nftables, leave 1 byte for the null terminator + let maybe_truncated_str = if comment.len() > 255 { + warn!("Comment string {comment} is too long, truncating to 255 bytes"); + &comment[..=255] + } else { + comment + }; + let comment = &CString::new(maybe_truncated_str).map_err(|e| { + FirewallError::NetlinkError(format!( + "Failed to create CString from string {comment}. Error: {e:?}" + )) + })?; + rule.set_comment(comment); + debug!("Added comment to nftables expression: {comment:?}"); + Ok(()) +} + impl FirewallRule for FilterRule<'_> { fn to_chain_rule<'a>( &self, 
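Review bot: `&comment[..=255]` in `add_rule_comment` keeps 256 bytes, not the 255 the comment above it promises, and slicing a `&str` at a fixed byte index panics when that index is not a UTF-8 character boundary — the comment text comes from the received binding configuration, so a multi-byte character straddling the cut would abort rule installation. Both problems are in the code moved here from `FilterRule::to_chain_rule`, but extracting the helper is the moment to fix them: `let mut end = 255; while !comment.is_char_boundary(end) { end -= 1; }` and then `&comment[..end]`. The `warn!` should then report the actual truncated length rather than the literal 255.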
@@ -408,22 +428,7 @@ impl FirewallRule for FilterRule<'_> { // comment if let Some(comment_string) = &self.comment { - debug!("Adding comment to nftables expression: {comment_string:?}"); - // Since we are interoping with C, truncate the string to 255 *bytes* (not UTF-8 characters) - // 256 is the maximum length of a comment string in nftables, leave 1 byte for the null terminator - let maybe_truncated_str = if comment_string.len() > 255 { - warn!("Comment string {comment_string} is too long, truncating to 255 bytes"); - &comment_string[..=255] - } else { - comment_string.as_str() - }; - let comment = &CString::new(maybe_truncated_str).map_err(|e| { - FirewallError::NetlinkError(format!( - "Failed to create CString from string {comment_string}. Error: {e:?}" - )) - })?; - rule.set_comment(comment); - debug!("Added comment to nftables expression: {comment_string:?}"); + add_rule_comment(&mut rule, comment_string)?; } else { debug!("No comment provided for nftables expression"); } @@ -476,6 +481,7 @@ struct SnatRule<'a> { negated_oifname: bool, counter: bool, ipv4: bool, + comment: Option, } impl FirewallRule for SnatRule<'_> { @@ -562,6 +568,13 @@ impl FirewallRule for SnatRule<'_> { rule.add_expr(&snat_expr); + // comment + if let Some(comment_string) = &self.comment { + add_rule_comment(&mut rule, comment_string)?; + } else { + debug!("No comment provided for nftables expression"); + } + Ok(rule) } } @@ -684,6 +697,7 @@ pub(super) fn set_nat_rules( src_ips: &binding.source_addrs, public_ip: &binding.public_ip, ipv4: binding.public_ip.is_ipv4(), + comment: binding.comment.clone(), } .to_chain_rule(&nat_chain, batch)?; From 44a89c9cc8de1cba0394117011f23aaef833cdbe Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 26 Jun 2025 12:52:08 +0200 Subject: [PATCH 11/13] remove dummy module --- src/enterprise/firewall/dummy/mod.rs | 38 --------------------- src/enterprise/firewall/mod.rs | 2 -- src/enterprise/firewall/packetfilter/mod.rs | 1 - 3 files changed, 41 deletions(-) delete mode 100644 src/enterprise/firewall/dummy/mod.rs diff --git a/src/enterprise/firewall/dummy/mod.rs b/src/enterprise/firewall/dummy/mod.rs deleted file mode 100644 index db783c17..00000000 --- a/src/enterprise/firewall/dummy/mod.rs +++ /dev/null @@ -1,38 +0,0 @@ -use super::{ - api::{FirewallApi, FirewallManagementApi}, - FirewallError, FirewallRule, Policy, -}; - -impl FirewallManagementApi for FirewallApi { - fn setup( - &mut self, - _default_policy: Policy, - _priority: Option, - ) -> Result<(), FirewallError> { - Ok(()) - } - - fn cleanup(&mut self) -> Result<(), FirewallError> { - Ok(()) - } - - fn add_rules(&mut self, _rules: Vec) -> Result<(), FirewallError> { - Ok(()) - } - - fn begin(&mut self) -> Result<(), FirewallError> { - Ok(()) - } - - fn commit(&mut self) -> Result<(), FirewallError> { - Ok(()) - } - - fn setup_nat( - &mut self, - masquerade_enabled: bool, - snat_bindings: &[super::SnatBinding], - ) -> Result<(), FirewallError> { - Ok(()) - } -} diff --git a/src/enterprise/firewall/mod.rs b/src/enterprise/firewall/mod.rs index 4b7d883a..d5db1458 100644 --- a/src/enterprise/firewall/mod.rs +++ b/src/enterprise/firewall/mod.rs @@ -1,6 +1,4 @@ pub mod api; -// #[cfg(test)] -// mod dummy; mod iprange; #[cfg(target_os = "linux")] mod nftables; diff --git a/src/enterprise/firewall/packetfilter/mod.rs b/src/enterprise/firewall/packetfilter/mod.rs index fe377a23..6495ceb6 100644 --- a/src/enterprise/firewall/packetfilter/mod.rs +++ b/src/enterprise/firewall/packetfilter/mod.rs @@ -92,5 +92,4 @@ impl FirewallApi { } } -// #[cfg(not(test))] mod api; From 4ed92a8201ec6a7733d936e13f9043bf92556975 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Wed, 2 Jul 2025 08:50:00 +0200 Subject: [PATCH 12/13] update protos --- proto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proto b/proto index f0c030a9..c0aef683 160000 --- a/proto +++ b/proto @@ -1 +1 @@ -Subproject commit f0c030a9725a0fd055efa69b58e0d7ee42654583 +Subproject commit c0aef68395720f46a7f038b6766de3bb30e02930 From 3a7a174a04acd80000cdb0f2eebae8aa566ea35e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Wed, 2 Jul 2025 08:50:49 +0200 Subject: [PATCH 13/13] update dependencies --- Cargo.lock | 4 ++-- flake.lock | 12 ++++++------ 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index c65dda20..3b7558a2 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -724,9 +724,9 @@ dependencies = [ [[package]] name = "h2" -version = "0.4.10" +version = "0.4.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a9421a676d1b147b16b82c9225157dc629087ef8ec4d5e2960f9437a90dac0a5" +checksum = "17da50a276f1e01e0ba6c029e47b7100754904ee8a278f886546e98575380785" dependencies = [ "atomic-waker", "bytes", diff --git a/flake.lock b/flake.lock index c176c2b4..b227bc8e 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1750741721, - "narHash": "sha256-Z0djmTa1YmnGMfE9jEe05oO4zggjDmxOGKwt844bUhE=", + "lastModified": 1751271578, + "narHash": "sha256-P/SQmKDu06x8yv7i0s8bvnnuJYkxVGBWLWHaU+tt4YY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4b1164c3215f018c4442463a27689d973cffd750", + "rev": "3016b4b15d13f3089db8a41ef937b13a9e33a8df", "type": "github" }, "original": { 
@@ -48,11 +48,11 @@ ] }, "locked": { - "lastModified": 1750819193, - "narHash": "sha256-XvkupGPZqD54HuKhN/2WhbKjAHeTl1UEnWspzUzRFfA=", + "lastModified": 1751423951, + "narHash": "sha256-AowKhJGplXRkAngSvb+32598DTiI6LOzhAnzgvbCtYM=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "1ba3b9c59b68a4b00156827ad46393127b51b808", + "rev": "1684ed5b15859b655caf41b467d046e29a994d04", "type": "github" }, "original": {