NAME

appjail-nat — Mapping local IPv4 address to an external IPv4 address

SYNOPSIS

DESCRIPTION

The appjail nat utility performs NAT for jails and networks. It uses virtual networks to do this, that is, it performs NAT to allow jails to communicate with the outside. The difference between per-jail NAT and per-network NAT is how it is applied: in the first case, NAT is only applied to one jail and the second case is applied to the entire network, which includes all jails that have an IPv4 address assigned from the network the NAT rule is applied. For those cases where you want to apply a per-network NAT rule but do not want to apply NAT to a particular jail, you can apply a rule known as (NO)NAT.

The options are as follows:

add jail -n network [-e interface] [-I address] [-l [-|options]] [-o interface] jail

Configure a new rule to perform NAT.

-n network

Use the IPv4 address assigned from this network address pool as the local IPv4 address.

-e interface

Interface to obtain the external IPv4 address. If not set, the interface specified by the EXT_IF parameter is used.

-I address

Use address as the external IPv4 address instead of the first matching IPv4 address. The IPv4 address must exist on the specified external interface before executing this command.

-l [-|options]

Firewall-specific logging options. Use a minus sign to enable logging, but without options.

-o interface

Apply rules to packets coming in on, or going out through, this interface. If not set, the interface specified by the ON_IF parameter is used.

add jail -N -n network [-e interface] [-o interface] jail

Perform (NO)NAT.

-N

Configure a new rule to perform (NO)NAT.

Useful when NAT is applied per network and you don't want to apply NAT for a particular jail.

-n, -e, -o

All of these options perform the same task as the options described in add jail.

get jail [-eHIpt] [-n network] jail [keyword ...]

Get information about current rules, that is, the keyword that represent the information to be obtained. Multiple keywords can be specified, which are displayed as a table-like interface in the order in which they are specified. If no keyword is specified, the defaults are name, network and rule.

See KEYWORDS for a list of available keywords.

-e

Not required when using -p. The \t character is used to delimit columns, so as not to show strange values, this option shows <TAB> instead of \t in the case that a value contains the latter.

-H

Shows the name of the columns.

-I

Include empty values. By default, a minus sign is displayed when a value is empty.

-p

Columnate the list.

-t

Tabulate columns and values.

-n network

Identifier.

list jail [-eHIpt] [-n network] jail [keyword ...]

Similar to get jail but shows each keyword for each rule in a nice table.

-e, -H, -I, -p, -t

All of these options perform the opposite task of the options described in get jail.

-n network

Only show information for network.

off jail jail

Flush the rules currently in use.

on jail jail

Load enabled rules configured by add jail.

remove jail -n network jail

Remove the given rule.

status jail jail

Shows the rule that is currently in use or an error if it is not yet applied.

add network [-e interface] [-I address] [-l [-|options]] [-o interface] network

Same as add jail but for networks.

boot [off|on] network network

Enable (on) or disable (off) NAT per-network using appjail-startup(1).

get network [-eHIpt] network [keyword ...]

Same as get jail but for networks.

list network [-eHIpt] [-n network] [keyword ...]

Same as get jail but for networks.

off network network

Same as off jail but for networks.

on network network

Same as on jail but for networks.

remove network network

Same as remove jail but for networks.

status network network

Same as status jail but for networks.

KEYWORDS

EXIT STATUS

The appjail nat utility exits 0 on success, and >0 if an error occurs.

SEE ALSO

appjail-network(1) appjail-startup(1) sysexits(3)

AUTHORS

Jesús Daniel Colmenares Oviedo <DtxdF@disroot.org>