author | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2002-01-08 09:31:56 +0000 |
---|---|---|
committer | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2002-01-08 09:31:56 +0000 |
commit | a552b62097977063fbf11685c37d74a95ab1c2d0 (patch) | |
tree | 87ca8f952e95e91705845aba4aa423c30ae7c477 /share | |
parent | af921bec4f4a1f61a028d8032af5f3316641778e (diff) |
Add "no nat/rdr/binat" to nat.conf. The first matching rule applies.
If it is a "no" rule, no translation occurs. Useful to exclude certain
packets from translation. Suggested by Henning Brauer.
Diffstat (limited to 'share')
-rw-r--r-- | share/man/man5/nat.conf.5 | 22 |
1 files changed, 14 insertions, 8 deletions
diff --git a/share/man/man5/nat.conf.5 b/share/man/man5/nat.conf.5
index 6079fbe8fa4..405aa629ed3 100644
--- a/share/man/man5/nat.conf.5
+++ b/share/man/man5/nat.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: nat.conf.5,v 1.19 2001/12/03 23:02:13 dhartmei Exp $
+.\" $OpenBSD: nat.conf.5,v 1.20 2002/01/08 09:31:55 dhartmei Exp $
 .\"
 .\" Copyright (c) 2001 Ian Darwin. All rights reserved.
 .\"
@@ -62,16 +62,16 @@ to another host and optionally a different port.
 .Sh GRAMMAR
 Syntax for filter rules in BNF:
 .Bd -literal
-rule = nat_rule | binat_rule | rdr_rule .
+rule = "no" ( nat_rule | binat_rule | rdr_rule ) .
 nat_rule = "nat" "on" [ "!" ] ifname [ protospec ] "from" ipspec
- "to" ipspec "->" address .
+ "to" ipspec [ "->" address ] .
 binat_rule = "binat" "on" ifname [ protospec ] "from" address
- "to" ipspec "->" address .
+ "to" ipspec [ "->" address ] .
 rdr_rule = "rdr" "on" [ "!" ] ifname [ protospec ] "from" ipspec
- "to" ipspec portspec "->" address portspec .
+ "to" ipspec [ portspec ] [ "->" address [ portspec ] ] .
 protospec = "proto" ( number | "tcp" | "udp" | "icmp" ) .
@@ -79,11 +79,15 @@ ipspec = "any" | host .
 host = [ "!" ] address [ "/" mask-bits ] .
-portspec = "port" ( number | name ) .
+portspec = "port" ( number | name ) [ ":" ( "*" | number | name ) ] .
 .Ed
 .Pp
-Rules are processed in the order read, one rule per line. Comments begin with the character `#'; empty lines are ignored.
+Rules are processed in the order read, one rule per line.
+The first matching rule is applied.
+Rules prefixed with "no" lead to no translation.
+Such rules can be used to exclude certain connections from being
+translated.
 .Pp
 An
 .Em ifname
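Review bot: The new `rule` production makes the `no` prefix mandatory, which contradicts the plain `nat on fxp1 ...` rule the page's own example still uses; the brackets are missing. It should read `rule = [ "no" ] ( nat_rule | binat_rule | rdr_rule ) .` Making the translation target optional in `nat_rule` and `binat_rule` also means the grammar now admits a rule with neither `no` nor `->`, and nothing in the hunk says that form is invalid; unless the parser rejects it, a sentence after the grammar such as `The translation address is required unless the rule is prefixed with "no".` would close that gap. Some context lines of this hunk appear to have been lost in extraction, so the gap may already be covered by text not visible here.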
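Review bot: The rewritten paragraph silently drops the statement that comments start with `#` and that empty lines are ignored; the removed line carried both sentences and only `Rules are processed in the order read, one rule per line.` survives on the new side. Unless that was deliberate, restore the second sentence as its own line after `translated.`. The new text would also benefit from saying explicitly that, because the first match wins, a `no` rule only takes effect if it precedes every translation rule that would otherwise match the same packets — misordering it leaves the traffic translated with no diagnostic. The hunk seems truncated after `.Em ifname`, so the surrounding context is not fully visible here.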
@@ -146,8 +150,10 @@ nat on ! vlan12 from 192.168.168.0/24 to any -> 204.92.77.111
 .Ed
 .Pp
 In the example below, fxp1 is the outside interface; the machine sits between a
-fake internal 144.19.74.* network, and a routable external IP of 204.92.77.100:
+fake internal 144.19.74.* network, and a routable external IP of 204.92.77.100.
+The "no nat" rule excludes protocol AH from being translated.
 .Bd -literal
+no nat on fxp1 proto ah from 144.19.74.0/24 to any
 nat on fxp1 from 144.19.74.0/24 to any -> 204.92.77.100
 .Ed
 .Pp |