Comment 2 for bug 1911126

How about using address_groups (https://blueprints.launchpad.net/neutron/+spec/address-groups-in-sg-rules) for that? You don't need all those 4 cases then, just:

1. Enabled for all (like it's now, controlled by enable_snat)
2. Enabled for some IP addresses, confiugred by address group - it can be IP of single VM, subnet's cidr or some other IPs range - this may work only if enable_snat==True

What do You think?