HP-UX IPFilter V17.05 Administrator Guide HP-UX 11i v2 and HP-UX 11i v3
6 Configuring and loading NAT rules
6.1 NAT rules configuration file
IPFilter loads and evaluates NAT rules separately from filter rules. Do not configure NAT rules in the same file as filter rules. The default name for the HP-UX IPFilter NAT rules file is /etc/opt/ipf/ipnat.conf. To specify an alternate NAT rules file name, set the IPNAT_CONF parameter in the IPFilter startup file, /etc/rc.config.d/ipfconf.
To load NAT rules, use the ipnat utility. See Section 6.6 (page 47) for more information. See also Section 3.9 (page 30).
NOTE: NAT rules are not supported with IPv6 addresses or interfaces.
6.1.1 Format
Entries in IPFilter rule files must meet the following requirements:
• Each rule must be contained on one line. Line continuation characters are not supported.
• IPFilter interprets all text to the right of a number symbol (#) as a comment.
• Extra white space is allowed and encouraged to keep the rules readable.
6.1.2 Rule order and processing
Rules are processed in order from top to bottom of the rules file. By default, IPFilter uses the first
NAT rule that matches the packet it is evaluating.
NOTE: The selection algorithm that IPFilter uses for NAT rules (use the first matching rule) is the
opposite of the default selection algorithm it uses for filter rules (use the last matching rule).
6.1.2.1 Using NAT rules with filter rules
The order that IPFilter evaluates NAT rules and filter rules depends on the direction of the packet.
6.1.2.1.1 Inbound packets
When processing inbound packets, IPFilter evaluates rules in the following order:
1. NAT rules
2. Filter rules
If you want to use filter and NAT rules to process inbound packets, you must specify the translated
(target) IP address in the filter rules.
6.1.2.1.2 Outbound packets
When processing outbound packets, IPFilter evaluates rules in the following order:
1. Filter rules
2. NAT rules
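As an added illustration that is not part of the guide, the following Python simulation models the rule-file format of Section 6.1.1 and the evaluation order of Sections 6.1.2 through 6.1.2.1.2: first matching NAT rule, last matching filter rule, NAT before filter for inbound packets and filter before NAT for outbound packets. The rule files, interface name and addresses are constructed, and the grammar is a deliberately small subset of IPFilter syntax (a single 1:1 map rule, no NAT session state).

```python
import ipaddress
# Constructed sample rule files (not from the guide): one rule per line, '#' starts a
# comment (Section 6.1.1). Only a 1:1 'map' rule and a small filter subset are modelled;
# real IPFilter syntax is richer and tracks NAT sessions instead of reversing a map statically.
IPNAT_CONF = "map lan0 10.1.1.5/32 -> 192.0.2.1/32   # internal host <-> public address\n"
IPF_CONF = """
block in  on lan0 from any to any            # default: drop inbound
pass  in  on lan0 from any to 10.1.1.5/32    # names the translated (internal) address
block out on lan0 from any to any
pass  out on lan0 from 10.1.1.5/32 to any
"""

def parse_rules(text):
    """Drop comments and blank lines; return each remaining rule as a token list."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # text right of '#' is a comment
        if line:
            rules.append(line.split())
    return rules

def in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def apply_nat(rules, pkt):
    """First matching NAT rule wins (Section 6.1.2); returns the possibly rewritten packet."""
    for kw, iface, src, _arrow, dst in rules:
        if kw != "map" or iface != pkt["iface"]:
            continue
        public, internal = dst.split("/")[0], src.split("/")[0]
        if pkt["dir"] == "out" and in_net(pkt["src"], src):
            return {**pkt, "src": public}
        if pkt["dir"] == "in" and pkt["dst"] == public:    # reply to the mapped host
            return {**pkt, "dst": internal}
    return pkt

def apply_filter(rules, pkt):
    """Last matching filter rule wins (the filter-rule default); no match means pass."""
    verdict = "pass"
    for action, direction, _on, iface, _from, src, _to, dst in rules:
        if (direction == pkt["dir"] and iface == pkt["iface"]
                and in_net(pkt["src"], src) and in_net(pkt["dst"], dst)):
            verdict = action
    return verdict

def process(pkt, nat_text=IPNAT_CONF, filter_text=IPF_CONF):
    """Inbound: NAT then filter; outbound: filter then NAT (Section 6.1.2.1)."""
    nat, flt = parse_rules(nat_text), parse_rules(filter_text)
    if pkt["dir"] == "in":
        pkt = apply_nat(nat, pkt)
        return apply_filter(flt, pkt), pkt
    verdict = apply_filter(flt, pkt)
    return verdict, (apply_nat(nat, pkt) if verdict == "pass" else pkt)
```

Feeding the same inbound packet to a filter file that names the public address 192.0.2.1 instead of 10.1.1.5 yields a block verdict, which is why Section 6.1.2.1.1 requires the translated address in inbound filter rules.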
6.2 NAT keywords
IPFilter supports the following keywords for NAT (Network Address Translation) functionality:
• map and mapblock
The map and mapblock keywords rewrite or translate source addresses and port numbers
for outbound packets.