Hi,

Please Cc: me when replying, I'm not subscribed.

I've never used a "binat" rule but I came to debate about it with
a colleague recently.  I've read the manual (which is not very
clear about the subject, IMHO;  I might propose a small patch to
explain better if others agree with me) as well as the FAQ.
Naturally I've also performed some tests.

My understanding is that it performs a 1-1 mapping between two
subnets.  The differences between a classic "nat" rule with the
"bitmask" pool option are:
    - Port numbers are never translated with a binat rule, although I
      don't see the point in translating the port numbers in case of
      a bitmask pool type;
    - Incoming connections get translated (i.e. redirected) as well,
      not only outgoing ones.


For instance, assume we have the following setup:
    A ----------------- (em0) G (em1) ----------------- B
    .3  [10.0.0.0/24]    .10    .10     [10.2.2.0/24]  .7

Let's say G's pf.conf(5) contains:
% binat on em1 from 10.0.0.0/24 to any -> 10.1.1.0/24

If A connects to B, B will see a connection from 10.1.1.3 (IOW, in the
manner of a "nat" rule); if B wants to connect to A, it will connect to
10.1.1.3 and the packet will be translated to 10.0.0.3 (IOW, in
the manner of an "rdr" rule).

Finally, this rule can't be practically replaced with a set of "nat"
and "rdr" rules since this would require 65535 "rdr" rules, one for
each existing port number.

Am I right?
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
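The translation the post describes, written up as an added example that is not part of the post and is not pf's own code: a small Python model of a bitmask-style 1:1 mapping between two same-sized subnets, applied in both directions with the port numbers left alone. The subnets, the `Packet` type and the function names are assumptions made for the example; it only models the address rewriting, not pf's state table.

```python
import ipaddress
from dataclasses import dataclass

# Subnets taken from the example rule in the post:
#   binat on em1 from 10.0.0.0/24 to any -> 10.1.1.0/24
INTERNAL = ipaddress.ip_network("10.0.0.0/24")   # the "from" subnet (A's side)
EXTERNAL = ipaddress.ip_network("10.1.1.0/24")   # the "->" subnet seen by B

# A binat mapping only makes sense between subnets of equal size.
assert INTERNAL.prefixlen == EXTERNAL.prefixlen


@dataclass(frozen=True)
class Packet:
    """Constructed, minimal packet: just the fields the translation touches."""
    src: str
    sport: int
    dst: str
    dport: int


def remap(addr: str, src_net: ipaddress.IPv4Network,
          dst_net: ipaddress.IPv4Network):
    """Bitmask mapping: keep the host bits of addr, swap in dst_net's
    network bits.  Returns None when addr is not inside src_net."""
    a = ipaddress.ip_address(addr)
    if a not in src_net:
        return None
    host_bits = int(a) & int(src_net.hostmask)
    return str(ipaddress.ip_address(int(dst_net.network_address) | host_bits))


def binat_out(pkt: Packet) -> Packet:
    """Packet leaving via em1: rewrite the source address like a "nat"
    rule with a bitmask pool, but never touch the source port."""
    new_src = remap(pkt.src, INTERNAL, EXTERNAL)
    if new_src is None:
        return pkt                       # not covered by the rule
    return Packet(new_src, pkt.sport, pkt.dst, pkt.dport)


def binat_in(pkt: Packet) -> Packet:
    """Packet arriving on em1: rewrite the destination address like an
    "rdr" rule, for every destination port at once, port untouched."""
    new_dst = remap(pkt.dst, EXTERNAL, INTERNAL)
    if new_dst is None:
        return pkt
    return Packet(pkt.src, pkt.sport, new_dst, pkt.dport)


if __name__ == "__main__":
    # A (10.0.0.3) -> B (10.2.2.7): B sees the connection from 10.1.1.3.
    print(binat_out(Packet("10.0.0.3", 40000, "10.2.2.7", 22)))
    # B -> 10.1.1.3:80: delivered to 10.0.0.3:80, no per-port rule needed.
    print(binat_in(Packet("10.2.2.7", 5555, "10.1.1.3", 80)))
```

Running the block prints the two translated packets; any packet whose address is outside the mapped subnet passes through unchanged, and the host part (`.3`) survives in both directions because only the network bits are replaced.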
