For security or filtering reasons, it may be important to limit access to NAT ports to defined source IPs.
For security, a workaround is to define accept / deny rules in the container, but it would be more practical and readable if the NAT rule could limit the source IP.
Simple example:
I want to NAT port 389 to the container blabla but limit access to the public IP x.x.x.x only, so as not to expose the LDAP directory to the whole web, like: -A PREROUTING -s x.x.x.x/32 -p tcp -m tcp --dport 389 -j DNAT --to-destination 10.x.x.x:389
Other example:
I want to route port 21 to multiple containers
I think this would be best posted at https://github.com/lxc/lxd/issues as an idea that we can discuss further based on your prescribed use case.
It may be that adding this to the proxy device isn’t ideal (because it would only be relevant when using nat=true) and instead maybe we add it to the “network forwarding” feature (Network Forwards | LXD).
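
The source-restricted DNAT rule from the first post, generalised to a list of allowed sources, as an added example (not from the thread and not LXD code). The function names `valid_src` and `dnat_rules` and the sample addresses (documentation ranges and 10.0.3.15) are constructed for illustration; the function only prints `iptables-restore` text and never changes the live ruleset.

```shell
#!/bin/sh
# Added example: print source-restricted DNAT rules in iptables-restore format.
# Only text is produced; the live ruleset is never touched.

# valid_src ADDR[/LEN]: IPv4 address or CIDR, prefix 1..32 (/0 = any source).
valid_src() {
    addr=${1%%/*}; len=32
    case $1 in */*) len=${1#*/} ;; esac
    case $addr in ''|*[!0-9.]*) return 1 ;; esac
    case $len in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$len" -ge 1 ] && [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr          # split into octets (digits and dots only, no globs)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# dnat_rules DPORT DEST_IP:PORT SRC [SRC...]
# Refuses to emit a forward that has no source restriction at all.
dnat_rules() {
    dport=$1; dest=$2
    [ $# -ge 3 ] || { echo "need DPORT, DEST and at least one source" >&2; return 1; }
    shift 2
    case $dport in ''|*[!0-9]*|??????*) echo "bad port: $dport" >&2; return 1 ;; esac
    [ "$dport" -ge 1 ] && [ "$dport" -le 65535 ] || { echo "bad port: $dport" >&2; return 1; }
    case $dest in ''|*[!0-9.:]*) echo "bad destination: $dest" >&2; return 1 ;; esac
    # Validate every source first so a partial ruleset is never printed.
    for src in "$@"; do
        valid_src "$src" || { echo "bad source: $src" >&2; return 1; }
    done
    echo '*nat'
    for src in "$@"; do
        echo "-A PREROUTING -s $src -p tcp -m tcp --dport $dport -j DNAT --to-destination $dest"
    done
    echo 'COMMIT'
}

# Constructed sample: LDAP forward limited to one host and one /24.
dnat_rules 389 10.0.3.15:389 203.0.113.10/32 198.51.100.0/24
```

Packets from sources that match none of these rules are not translated, so they are handled as traffic to the host's own port 389 rather than reaching the container.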