From owner-freebsd-net@freebsd.org  Wed Mar  8 16:36:31 2017
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 287D4D038EE
 for <freebsd-net@mailman.ysv.freebsd.org>;
 Wed,  8 Mar 2017 16:36:31 +0000 (UTC)
 (envelope-from smithi@nimnet.asn.au)
Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id AA35236B
 for <freebsd-net@freebsd.org>; Wed,  8 Mar 2017 16:36:30 +0000 (UTC)
 (envelope-from smithi@nimnet.asn.au)
Received: from localhost (localhost [127.0.0.1])
 by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id v28GaQVh084045;
 Thu, 9 Mar 2017 03:36:26 +1100 (EST)
 (envelope-from smithi@nimnet.asn.au)
Date: Thu, 9 Mar 2017 03:36:26 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Andrea Venturoli <ml@netfence.it>
cc: freebsd-net@freebsd.org
Subject: Re: Some questions about in-kernel NAT
In-Reply-To: <caf27e0a-2d53-624b-5152-d62f2d9a1cde@netfence.it>
Message-ID: <20170309032407.M80813@sola.nimnet.asn.au>
References: <caf27e0a-2d53-624b-5152-d62f2d9a1cde@netfence.it>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Mar 2017 16:36:31 -0000

On Wed, 8 Mar 2017 16:52:36 +0100, Andrea Venturoli wrote:

Just on one point:

 > Second question:
 > _ if I issue "ipfw nat 2 config if re0", I'll see the output "ipfw nat 2
 > config if re0";
 > _ if I issue "ipfw nat 2 config ip 192.168.0.1", I'll see the output "ipfw
 > nat 2 config ip 192.168.0.1";
 > _ however if I issue "ipfw nat 2 config if re0 ip 192.168.0.1", output will
 > be "ipfw nat 2 config if re0".
 > Does this mean the "ip" part was ignored? Are "if" and "ip" mutually
 > exclusive?

Yes, they are.

 > I don't think this is mentioned in the man page...

No, it's not.  The NAT description is pretty terse, virtually assuming 
familiarity with predecessor natd(8), which is usually worth referring 
to for greater detail; it mostly matches funtionality 1:1 .. see:
    -alias_address | -a address
and
    -interface | -n interface
which clarify that you need to specify one or the other.

cheers, Ian