SNAT from Trusted
It would be nice to have the ability to create an SNAT action for trusted networks (or, to go one step further, an SNAT action that applies to all interfaces).
I've been playing around with some plans for VLAN segregation and a graylog server lately, and one thing I thought would be clever would be to configure all devices that send logs to use the gateway address as the log server IP, and let the firewall static NAT it to the graylog server wherever it happens to be. That way, the firewall can act as gateway, DNS forwarder (for VLANs with no dedicated DHCP/DNS server), NTP server, and also as a faux target syslog server.
Additionally, since binding to port 514 is a little quirky with graylog due to the way inputs are configured as non-root, an SNAT would allow me to redirect port 514 to the graylog input port for syslog.
So a policy example would be From: "Any-Trusted,Any-Optional" To: "SNAT->Any:514->mylogserver.mydomain.com:1514".
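For comparison, here is the same design expressed as an nftables ruleset on a Linux gateway. This is an added illustration, not Fireware configuration and not from the original post: what WatchGuard calls static NAT (SNAT) is a destination NAT (`dnat`) in nftables. The interface names, the 10.0.50.20 Graylog address and the 514/1514 ports are assumed sample values.

```nft
# Redirect syslog sent to any of the gateway's own addresses on port 514
# to the Graylog input on port 1514, but only when the packet arrived on an
# internal (trusted/optional) VLAN interface. Conntrack reverses the
# translation for replies, so no separate source NAT rule is needed unless
# the sender and the log server sit on the same segment (hairpin case).
table inet syslog_redirect {
    # Assumed interface names for the trusted and optional VLANs.
    set internal_ifaces {
        type ifname
        elements = { "vlan10", "vlan20" }
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # "fib daddr type local" matches any address the firewall itself
        # owns, so the rule works on every VLAN gateway address at once.
        # 10.0.50.20 is the assumed Graylog server address.
        iifname @internal_ifaces fib daddr type local \
            udp dport 514 dnat ip to 10.0.50.20:1514
        iifname @internal_ifaces fib daddr type local \
            tcp dport 514 dnat ip to 10.0.50.20:1514
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Allow only the translated syslog flows (and established traffic)
        # through to the server; everything else from these VLANs is
        # still subject to the firewall's normal policy.
        ct state established,related accept
        iifname @internal_ifaces ct status dnat \
            ip daddr 10.0.50.20 udp dport 1514 accept
        iifname @internal_ifaces ct status dnat \
            ip daddr 10.0.50.20 tcp dport 1514 accept
    }
}
```

Because the match is restricted to internal interfaces, packets arriving on the external interface for port 514 are not redirected, which is the distinction the request above asks the policy editor to express.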