On 6/21/23 9:01, Stephan Neuhaus wrote:
> I'm not sure about the Configuring NAT section being correct. I still maintain that the documentation and observed behaviour are different.
I was lazy when I said that. I meant the example I quoted from that section in the original reply is correct. Everything else that says otherwise (including the two people that said that part was wrong) is incorrect. Explicitly, the following rule _is_ correct:

    match out on interface [af] \
        from src_addr to dst_addr \
        nat-to ext_addr [pool_type] [static-port] [...]
    pass out [log] on interface [af] [proto protocol] \
        from ext_addr [port src_port] \
        to dst_addr [port dst_port]

There are only so many ways that this can be shown. If the pass out rule had "src_addr" instead of "ext_addr", it would be wrong. The diff that "fixes" that example needs to be rejected. It is the _other_ example that is wrong.

If you try using the above example to get NAT to work, you will find that it works. The last e-mail I sent clearly follows the above example, except I chose to use stateless rules to help show more thoroughly all the rules that are necessary. Additionally, I prefer "quick" rules; but the conclusion is very clear: the match out rule applies and "sticks", which in turn means "src_addr" is replaced with "ext_addr", which in turn means the pass out rule must have "ext_addr".
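A concrete pf.conf rendering of the rule pair quoted in the message above, added here as an illustration and not taken from the thread or from the OpenBSD documentation; the interface name, the addresses and the port are constructed placeholders:

```pf
# Constructed values, not from the thread.
ext_if   = "em0"
int_net  = "192.0.2.0/24"     # src_addr: hosts behind the firewall
ext_addr = "198.51.100.1"     # ext_addr: address on $ext_if

block all

# The match rule translates the source address and "sticks": every rule
# evaluated after it sees $ext_addr as the source, not $int_net.
match out on $ext_if inet from $int_net to any nat-to $ext_addr

# Correct: the pass rule filters on the translated source.
pass out quick on $ext_if inet proto tcp from $ext_addr to any port 80

# Wrong, per the message above: filtering on the pre-translation source.
# After the match rule has applied, the packet's source is $ext_addr, so
# this rule does not match it and the "block all" takes effect.
# pass out quick on $ext_if inet proto tcp from $int_net to any port 80
```

Load with `pfctl -nf` first to check syntax before applying the ruleset.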