From:
Stuart Henderson <stu@spacehopper.org>
Subject:
Re: www/faq/pf/nat.html: ambiguous examples for NAT configuration
To:
tech@openbsd.org
Date:
Wed, 1 Jul 2026 10:14:05 +0100

On 2026/07/01 00:55, Lucas de Sena wrote:
> At the very beginning of the "Configuring NAT" section at
> <https://www.openbsd.org/faq/pf/nat.html#config>, there's this

This faq page is incorrect and needs rewriting.

> general format for pf rules for NATing (uppercase syntactical
> variables and omitted optional parts by me):
> 
> > match out on INTERFACE from SRC_ADDR to DST_ADDR nat-to EXT_ADDR
> > [...]
> > pass out on INTERFACE from EXT_ADDR to DST_ADDR
> 
> Later comes an actual example instantiating that general format:
> 
> > match out on tl0 from 192.168.1.0/24 to any nat-to 198.51.100.1
> > pass on tl0 from 192.168.1.0/24 to any
> 
> Something does not match between the general format and the actual example:
> 
> On the general format, the source address for the "match" rule is
> "from SRC_ADDR", and the source address for the "pass" rule is
> "from EXT_ADDR".
> 
> On the actual example, the syntactical variables are instantiated as
> follows, in the "match" rule:
> - SRC_ADDR: "192.168.1.0/24" (address of the internal subnet)
> - DST_ADDR: "any"
> - EXT_ADDR: "198.51.100.1" (address of gateway's external interface,
>   outside the internal subnet block).
> 
> But the "pass" rule of the actual example uses "192.168.1.0/24"
> (SRC_ADDR), where, according to the general format, it should be
> "198.51.100.1" (EXT_ADDR) instead.
> 
> Should the source address of the pass rule be that after address
> translation (as in the general format) or the original one before
> address translation (as in the actual example)?
> 
> Is it the general format or the actual example which is correct?
> 
> -- 
> Lucas de Sena
>