The standard translation function used by all other NAT functions
(dynamic, virtual server, ...) does static translation. It gets a pointer
to the buffer holding the IP packet and the new source and destination
addresses that shall be inserted, together with a network mask. This mask
is 255.255.255.255 when the function is called by the dynamic NAT
functions, since only static NAT can translate entire networks with the
same parameters for this function; all other NAT types have no 1:1
mapping and have to keep track of the real-IP to NAT-IP mapping themselves.
Included is the ability to rewrite source and destination UDP and
TCP ports, which extends this NAT implementation further. However,
this function must be used with care. Since we do not keep state information
about every connection, we cannot determine the port that the answer packet
to a packet whose ports have been replaced must carry. If we kept
state information, we would simply look up the connection the packet
belongs to and would then know the correct ports. For this reason
no bidirectional rules can be used for port rewriting. We always need
two rules, one for the inbound and one for the outbound direction,
each containing exactly one port the packet has to match in order
to be translated. Whether the port specified is a source or a destination
port depends on which port we want to rewrite; most of the time this
will presumably be a destination port.
The port issue shows how important keeping state information is for
NAT to really be flexible.
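As an added illustration (not the original implementation), this C example shows the static translation step described above on a raw IPv4 buffer: the masked address rewrite, a port rule that names exactly one port in one direction, and the checksum patching a NAT must do for both the IP header and the TCP/UDP pseudo-header. The rule layout, the PORT_SRC/PORT_DST flag and the sample packet are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
/* Added example, not the original NAT code: the static translation step on a raw
 * big-endian IPv4 buffer, with masked address rewrite and one-direction port rewrite. */
enum { PORT_NONE = 0, PORT_SRC = 1, PORT_DST = 2 };
struct nat_rule {
    uint32_t new_src, new_dst, mask; /* mask 255.255.255.255: whole address replaced */
    int which;                       /* PORT_SRC or PORT_DST: the one port to match  */
    uint16_t match, replace;         /* port 'match' is rewritten to 'replace'       */
};
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }
/* RFC 1624 incremental update of the one's-complement checksum at c after a 32-bit
 * field (a 16-bit port is zero-extended) changed from o to n. c == NULL: no checksum. */
static void csum_fix(uint8_t *c, uint32_t o, uint32_t n) {
    if (!c) return;
    uint32_t s = (uint16_t)~rd16(c) + (uint16_t)~(o >> 16) + (uint16_t)~o + (n >> 16) + (n & 0xffffu);
    while (s >> 16) s = (s & 0xffffu) + (s >> 16);
    wr16(c, (uint16_t)~s);
}
/* Returns 0 on success, -1 if the buffer is too short or not IPv4. */
int nat_translate(uint8_t *pkt, size_t len, const struct nat_rule *r) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl) return -1;
    uint8_t proto = pkt[9], *l4 = pkt + ihl, *tc = NULL;
    int has_l4 = (proto == 6 || proto == 17) && len >= ihl + 8;
    if (has_l4) tc = l4 + (proto == 6 ? 16 : 6);           /* TCP / UDP checksum field */
    if (has_l4 && proto == 17 && rd16(tc) == 0) tc = NULL; /* UDP sent without checksum */
    /* Static translation: masked bits come from the rule, host bits are kept. The
     * addresses also sit in the TCP/UDP pseudo-header, so tc must be patched too. */
    for (size_t off = 12; off <= 16; off += 4) {
        uint32_t o = rd32(pkt + off), nat = (off == 12) ? r->new_src : r->new_dst;
        uint32_t n = (nat & r->mask) | (o & ~r->mask);
        csum_fix(pkt + 10, o, n); csum_fix(tc, o, n); wr32(pkt + off, n);
    }
    /* Stateless port rewriting: a rule names exactly one port in one direction. */
    if (has_l4 && r->which != PORT_NONE) {
        uint8_t *pf = l4 + (r->which == PORT_SRC ? 0 : 2);
        if (rd16(pf) == r->match) { csum_fix(tc, r->match, r->replace); wr16(pf, r->replace); }
    }
    return 0;
}

/* Constructed sample: 10.0.0.5:49152 -> 192.168.1.1:53 over UDP, with valid checksums. */
uint8_t sample_pkt[28] = { 0x45,0x00,0x00,0x1c, 0x00,0x01,0x00,0x00, 0x40,0x11,0xaf,0x22,
    0x0a,0x00,0x00,0x05, 0xc0,0xa8,0x01,0x01, 0xc0,0x00,0x00,0x35, 0x00,0x08,0x73,0xfa };
/* Outbound rule: 10.0.0.0/24 -> 203.0.113.0/24 (host part kept), dst port 53 -> 5353. */
struct nat_rule sample_rule = { 0xcb007100u, 0xc0a80100u, 0xffffff00u, PORT_DST, 53, 5353 };
```

With mask 255.255.255.255 the same function performs the 1:1 replacement the dynamic NAT code needs; with a shorter mask only the network part is swapped and the host part survives, which is what lets static NAT translate a whole network with one rule.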