On Sun, Apr 06, 2008 at 07:53:39PM +0900, Ryan McBride wrote: > On Wed, Apr 02, 2008 at 04:27:17PM -0700, Adam Richards wrote: > > Is there a "no state" directive for nat rules, similar to the > > no-state directive for filter rules? Or another clever way to > > use nat/rdr/filter statements? Even though I wasn't able to find > > any affirmative evidence in pf.conf(5) manpage I thought I'd ask > > anyway. > > > > While I'd prefer a "yes pf can do this" answer, I will accept a > > "no...but here are the code sections you'll want to look at to > > start your patch work" answer. ;) > > No, PF does not do this. > > Keeping state is required for NAT to work, because you need to keep > track of the mapping so that the return packets can be translated back > the other way;
Required? Technically, no (although it's a good idea for many reasons in most situations). It's possible to contrive situations where NAT is perhaps more desireable to provide better control knobs for presenting services to the Internet than your network's dynamic routing protocol provides (perhaps because of the lack of stability with really large IGP databases, or to simplify management of complex provisioning systems). Maybe for resilliency, or for ISP cost reasons, you want to take advantage of asymetric routing, or "nearest-exit" routing, in a unified multi-site network? That is, routing where no Traffic Engineering priciples are used. Clearly stateful tracking inhibits nearest-exit routing by nature. (Side note: to ensure TCP connections are maintained in a stateless enviornment you'd obviously need to enforce 1:1 binat mappings). Anyway, if you google around you can find others that are interested in stateless NAT. I cite one here: Quoting from <http://lists.openwall.net/netdev/2007/09/27/55> " Stateless NAT is useful in controlled environments where restrictions are placed on through traffic such that we don't need connection tracking to correctly NAT protocol-specific data. "In particular, this is of interest when the number of flows or the number of addresses being NATed is large, or if connection tracking information has to be replicated and where it is not practical to do so. So what would it take modify pf code to allow for a pf.conf option to disable NAT stateful tracking where it's desired? Am I the only one interested in this potential feature? :) Thanks! -Adam