npf, map and pass stateful out all

To: netbsd-users <netbsd-users%NetBSD.org@localhost>
Subject: npf, map and pass stateful out all
From: Rocky Hotas <rockyhotas%firemail.cc@localhost>
Date: Tue, 20 Oct 2020 11:27:07 +0200

Hello!
Between the documentation about npf, another very useful document is:

 <http://www.netbsd.org/~rmind/pub/npf_manual_netbsd_6.pdf>

As it is written here, and exactly as Martin said in a previous
thread, `pass stateful out all' ``allows the packet to go out, and
also creates a NAT state entry so any answers are allowed back in''.

But also this line enables NAT:

map $ext_if dynamic $localnet -> $ext_if

So, assume that my npf.conf has:

map $ext_if dynamic $localnet -> $ext_if

group (name "external", interface $ext_if) {
	pass stateful out all
}

Given the `map' line which creates a NAT, is `pass stateful out all'
(which allows any packet creating a NAT) really necessary? A NAT has
already been created with `map'.
Or, viceversa, with `pass stateful out all', is `map' really
necessary?

Rocky

Follow-Ups:
- Re: npf, map and pass stateful out all
  - From: Greg Troxel

Prev by Date: Re: Raspberry Pi, swapping cards.
Next by Date: Re: npf, map and pass stateful out all
Previous by Thread: PR 55714
Next by Thread: Re: npf, map and pass stateful out all
Indexes:

Home | Main Index | Thread Index | Old Index