On Sat, 24 Jun 2023 07:33 -0600, Zack Newman wrote:
> On 6/21/23 9:01, Stephan Neuhaus wrote:
> > I'm not sure about the Configuring NAT section being
> > correct. I still maintain that the documentation and
> > observed behaviour are different.
>
> I was lazy when I said that. I meant the example I quoted from that
> section in the original reply is correct. Everything else that says
> otherwise (including the two people that said that part was wrong) is
> incorrect. Explicitly the following rule _is_ correct:
>
> match out on interface [af] \
>     from src_addr to dst_addr \
>     nat-to ext_addr [pool_type] [static-port]
> [...]
> pass out [log] on interface [af] [proto protocol] \
>     from ext_addr [port src_port] \
>     to dst_addr [port dst_port]
>
> There are only so many ways that this can be shown. If the pass out rule
> had "src_addr" instead of "ext_addr", it would be wrong. The diff that
> "fixes" that example needs to be rejected. It is the _other_ example
> that is wrong.
>
> If you tried using the above example to get NAT to work, you will find
> that it will work. The last e-mail I sent clearly follows the above
> example except I chose to use stateless rules to help show more
> thoroughly all the rules that are necessary. Additionally, I prefer
> "quick" rules; but the conclusion is very clear: the match out rule
> applies and "sticks" which in turn means "src_addr" is replaced with
> "ext_addr" which in turn means the pass out rule must have "ext_addr".
I forgot about that diff until I read your mail today. You're right, I just tested that and your logic is sound. This is a good reminder to me to test before sending diffs. I'm glad it wasn't committed. Thank you for investigating that.
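An added illustration of the point the thread settles on, not taken from either e-mail or from pf.conf(5): a pf.conf fragment with constructed placeholder interface names and addresses, showing the pass out rule written against the translated address beside the form the rejected diff would have produced.

```pf
# Added example, not from the thread. All names and addresses below are
# assumed placeholders: LAN 192.0.2.0/24 behind em1, external interface
# em0 holding 203.0.113.10.
ext_if   = "em0"
int_if   = "em1"
lan_net  = "192.0.2.0/24"
ext_addr = "203.0.113.10"

# The match rule rewrites the source address and "sticks" to the packet;
# it makes no pass/block decision on its own.
match out on $ext_if inet from $lan_net to any nat-to $ext_addr

# Correct (matches the pf.conf(5) example the thread confirms): by the
# time the packet is evaluated against this rule its source is already
# $ext_addr, so the filter rule must name the translated address.
pass out quick on $ext_if inet proto tcp from $ext_addr to any port 80

# Wrong (what the rejected diff would have produced): the translated
# packet no longer carries a $lan_net source, so this rule never matches
# it and the outbound traffic is not passed by it.
# pass out quick on $ext_if inet proto tcp from $lan_net to any port 80
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which catches syntax errors but not this logic error; only observing the traffic, as the thread did, shows which rule actually matches.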