Clarification on ACL and NAT Interaction in TNSR
Hi
In the documentation for TNSR, it's stated that ACL rules are always processed before NAT on interfaces where NAT is applied, in any direction.
However, in my testing scenario, I've observed that packets first pass through the acl-plugin-in-ip4-fa node, then through the nodes related to nat44, and finally through acl-plugin-out-ip4-fa. Could someone please clarify whether this behavior aligns with the documented behavior, or if there might be other factors affecting the processing order of ACL and NAT rules?
I'd appreciate any insights or explanations on this matter.
For outbound ("in2out") traffic, translation is done first and then output ACLs are evaluated. For inbound ("out2in"), it's the opposite. Input ACLs are evaluated and then translation.
This matches the documentation here:
https://docs.netgate.com/tnsr/en/latest/acl/acl-nat.html#acl-and-nat-interaction
Where in the documentation did you see it is the same in both directions so it can be evaluated and corrected if necessary?
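The practical consequence of that ordering is which addresses an ACL rule has to match: an output ACL on the NAT outside interface sees in2out packets after translation (the public source address), while an input ACL on the same interface sees out2in packets before translation (the public destination address). The following is an added, simplified Python model of that pipeline written for this thread; it is not TNSR or VPP code, the addresses and the 1:1 static mapping are constructed for illustration, and ACL evaluation is modelled as first-match with an implicit deny.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: str = "0.0.0.0/0"      # source prefix
    dst: str = "0.0.0.0/0"      # destination prefix
    dport: Optional[int] = None  # None matches any port


def acl_match(rules: List[Rule], pkt: Packet) -> str:
    """First-match ACL evaluation; nothing matched means implicit deny."""
    s = ipaddress.ip_address(pkt.src)
    d = ipaddress.ip_address(pkt.dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == pkt.dport)):
            return r.action
    return "deny"


# Constructed static 1:1 NAT mapping (hypothetical addresses): inside -> outside.
STATIC_NAT = {"10.0.0.5": "203.0.113.5"}
STATIC_NAT_REVERSE = {pub: priv for priv, pub in STATIC_NAT.items()}


def nat_in2out(pkt: Packet) -> Packet:
    """Inside-to-outside: rewrite the source to its public address."""
    return replace(pkt, src=STATIC_NAT.get(pkt.src, pkt.src))


def nat_out2in(pkt: Packet) -> Packet:
    """Outside-to-inside: rewrite the public destination to the private host."""
    return replace(pkt, dst=STATIC_NAT_REVERSE.get(pkt.dst, pkt.dst))


def forward_in2out(pkt: Packet, output_acl: List[Rule]) -> Tuple[str, Packet]:
    """in2out on the NAT outside interface: translate first, then output ACL."""
    translated = nat_in2out(pkt)
    return acl_match(output_acl, translated), translated


def forward_out2in(pkt: Packet, input_acl: List[Rule]) -> Tuple[str, Packet]:
    """out2in on the NAT outside interface: input ACL first, then translate."""
    verdict = acl_match(input_acl, pkt)
    if verdict != "permit":
        return verdict, pkt          # dropped before NAT ever sees it
    return verdict, nat_out2in(pkt)


def demo() -> dict:
    """Compare ACLs written against private vs public addresses in each direction."""
    outbound = Packet(src="10.0.0.5", dst="198.51.100.9", dport=80)
    # Output ACL keyed on the private address: evaluated after NAT, so it never matches.
    out_acl_private = [Rule("deny", src="10.0.0.5/32"), Rule("permit")]
    # Output ACL keyed on the translated public address: this is what the node sees.
    out_acl_public = [Rule("deny", src="203.0.113.5/32"), Rule("permit")]

    inbound = Packet(src="198.51.100.9", dst="203.0.113.5", dport=443)
    # Input ACL keyed on the private address: evaluated before NAT, so it never matches.
    in_acl_private = [Rule("permit", dst="10.0.0.5/32", dport=443)]
    # Input ACL keyed on the public address: matches, then NAT rewrites the destination.
    in_acl_public = [Rule("permit", dst="203.0.113.5/32", dport=443)]

    return {
        "out_private": forward_in2out(outbound, out_acl_private)[0],  # permit (deny missed)
        "out_public": forward_in2out(outbound, out_acl_public)[0],    # deny
        "in_private": forward_out2in(inbound, in_acl_private)[0],     # deny (implicit)
        "in_public": forward_out2in(inbound, in_acl_public),          # permit, dst 10.0.0.5
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of the model is the address each ACL actually evaluates: a rule meant to restrict a NATed inside host on the outside interface's output ACL must name the host's public address, and an inbound permit on that interface's input ACL must name the public destination, since the private address only exists after nat44 has run.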