Revert "NAT: add interface-group documentation. "

docs/configuration/nat/nat44.rst

@@ -148,35 +148,23 @@ rule.
 
 * **outbound-interface** - applicable only to :ref:`source-nat`. It
   configures the interface which is used for the outside traffic that
-  this translation rule applies to. Interface groups, inverted
+  this translation rule applies to.
-  selection and wildcard, are also supported.
-
-  Examples:
-
-  .. code-block:: none
-
-    set nat source rule 20 outbound-interface interface-name eth0
-    set nat source rule 30 outbound-interface interface-name bond1*
-    set nat source rule 20 outbound-interface interface-name !vtun2
-    set nat source rule 20 outbound-interface interface-group GROUP1
-    set nat source rule 20 outbound-interface interface-group !GROUP2
-
-
-* **inbound-interface** - applicable only to :ref:`destination-nat`. It
-  configures the interface which is used for the inside traffic the
-  translation rule applies to. Interface groups, inverted
-  selection and wildcard, are also supported.
 
   Example:
 
   .. code-block:: none
 
-    set nat destination rule 20 inbound-interface interface-name eth0
+    set nat source rule 20 outbound-interface eth0
-    set nat destination rule 30 inbound-interface interface-name bond1*
-    set nat destination rule 20 inbound-interface interface-name !vtun2
-    set nat destination rule 20 inbound-interface interface-group GROUP1
-    set nat destination rule 20 inbound-interface interface-group !GROUP2
 
+* **inbound-interface** - applicable only to :ref:`destination-nat`. It
+  configures the interface which is used for the inside traffic the
+  translation rule applies to.
+
+  Example:
+
+  .. code-block:: none
+
+    set nat destination rule 20 inbound-interface eth1
 
 * **protocol** - specify which types of protocols this translation rule
   applies to. Only packets matching the specified protocol are NATed.
@@ -335,7 +323,7 @@ demonstrate the following configuration:
 
 .. code-block:: none
 
-  set nat source rule 100 outbound-interface interface-name 'eth0'
+  set nat source rule 100 outbound-interface 'eth0'
   set nat source rule 100 source address '192.168.0.0/24'
   set nat source rule 100 translation address 'masquerade'
 
@@ -344,9 +332,7 @@ Which generates the following configuration:
 .. code-block:: none
 
   rule 100 {
-      outbound-interface {
+      outbound-interface eth0
-          interface-name eth0
-      }
       source {
           address 192.168.0.0/24
       }
@@ -438,19 +424,19 @@ Example:
 
   set nat destination rule 100 description 'Regular destination NAT from external'
   set nat destination rule 100 destination port '3389'
-  set nat destination rule 100 inbound-interface interface-name 'pppoe0'
+  set nat destination rule 100 inbound-interface 'pppoe0'
   set nat destination rule 100 protocol 'tcp'
   set nat destination rule 100 translation address '192.0.2.40'
 
   set nat destination rule 110 description 'NAT Reflection: INSIDE'
   set nat destination rule 110 destination port '3389'
-  set nat destination rule 110 inbound-interface interface-name 'eth0.10'
+  set nat destination rule 110 inbound-interface 'eth0.10'
   set nat destination rule 110 protocol 'tcp'
   set nat destination rule 110 translation address '192.0.2.40'
 
   set nat source rule 110 description 'NAT Reflection: INSIDE'
   set nat source rule 110 destination address '192.0.2.0/24'
-  set nat source rule 110 outbound-interface interface-name 'eth0.10'
+  set nat source rule 110 outbound-interface 'eth0.10'
   set nat source rule 110 protocol 'tcp'
   set nat source rule 110 source address '192.0.2.0/24'
   set nat source rule 110 translation address 'masquerade'
@@ -466,9 +452,7 @@ Which results in a configuration of:
            destination {
                port 3389
            }
-           inbound-interface {
+           inbound-interface pppoe0
-               interface-name pppoe0
-           }
            protocol tcp
            translation {
                address 192.0.2.40
@@ -479,9 +463,7 @@ Which results in a configuration of:
            destination {
                port 3389
            }
-           inbound-interface {
+           inbound-interface eth0.10
-               interface-name eth0.10
-           }
            protocol tcp
            translation {
                address 192.0.2.40
@@ -494,9 +476,7 @@ Which results in a configuration of:
            destination {
                address 192.0.2.0/24
            }
-           outbound-interface {
+           outbound-interface eth0.10
-               interface-name eth0.10
-           }
            protocol tcp
            source {
                address 192.0.2.0/24
@@ -535,7 +515,7 @@ Our configuration commands would be:
 
   set nat destination rule 10 description 'Port Forward: HTTP to 192.168.0.100'
   set nat destination rule 10 destination port '80'
-  set nat destination rule 10 inbound-interface interface-name 'eth0'
+  set nat destination rule 10 inbound-interface 'eth0'
   set nat destination rule 10 protocol 'tcp'
   set nat destination rule 10 translation address '192.168.0.100'
 
@@ -550,9 +530,7 @@ Which would generate the following NAT destination configuration:
               destination {
                   port 80
               }
-              inbound-interface {
+              inbound-interface eth0
-                  interface-name eth0
-              }
               protocol tcp
               translation {
                   address 192.168.0.100
@@ -568,45 +546,43 @@ Which would generate the following NAT destination configuration:
 This establishes our Port Forward rule, but if we created a firewall
 policy it will likely block the traffic.
 
-Firewall rules for Destination NAT
+It is important to note that when creating firewall rules that the DNAT
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-It is important to note that when creating firewall rules, the DNAT
 translation occurs **before** traffic traverses the firewall. In other
 words, the destination address has already been translated to
 192.168.0.100.
 
-So in our firewall ruleset, we want to allow traffic which previously matched
+So in our firewall policy, we want to allow traffic coming in on the
-a destination nat rule. In order to avoid creating many rules, one for each
+outside interface, destined for TCP port 80 and the IP address of
-destination nat rule, we can accept all **'dnat'** connections with one simple
+192.168.0.100.
-rule, using ``connection-status`` matcher:
 
 .. code-block:: none
 
-  set firewall ipv4 forward filter rule 10 action accept
+  set firewall name OUTSIDE-IN rule 20 action 'accept'
-  set firewall ipv4 forward filter rule 10 connection-status nat destination
+  set firewall name OUTSIDE-IN rule 20 destination address '192.168.0.100'
-  set firewall ipv4 forward filter rule 10 state new enable
+  set firewall name OUTSIDE-IN rule 20 destination port '80'
+  set firewall name OUTSIDE-IN rule 20 protocol 'tcp'
+  set firewall name OUTSIDE-IN rule 20 state new 'enable'
 
 This would generate the following configuration:
 
 .. code-block:: none
 
-  ipv4 {
+  rule 20 {
-      forward {
-          filter {
-              rule 10 {
       action accept
-                  connection-status {
+      destination {
-                      nat destination
+          address 192.168.0.100
+          port 80
       }
+      protocol tcp
       state {
           new enable
       }
   }
-          }
-      }
-  }
 
+.. note::
+
+  If you have configured the `INSIDE-OUT` policy, you will need to add
+  additional rules to permit inbound NAT traffic.
 
 1-to-1 NAT
 ----------
@@ -634,10 +610,10 @@ and one external interface:
   set interfaces ethernet eth1 description 'Outside interface'
   set nat destination rule 2000 description '1-to-1 NAT example'
   set nat destination rule 2000 destination address '192.0.2.30'
-  set nat destination rule 2000 inbound-interface interface-name 'eth1'
+  set nat destination rule 2000 inbound-interface 'eth1'
   set nat destination rule 2000 translation address '192.168.1.10'
   set nat source rule 2000 description '1-to-1 NAT example'
-  set nat source rule 2000 outbound-interface interface-name 'eth1'
+  set nat source rule 2000 outbound-interface 'eth1'
   set nat source rule 2000 source address '192.168.1.10'
   set nat source rule 2000 translation address '192.0.2.30'
 
@@ -663,7 +639,7 @@ We will use source and destination address for hash generation.
 
 .. code-block:: none
 
-  set nat destination rule 10 inbound-interface inbound-interface eth0
+  set nat destination rule 10 inbound-interface eth0
   set nat destination rule 10 protocol tcp
   set nat destination rule 10 destination port 80
   set nat destination rule 10 load-balance hash source-address
@@ -679,7 +655,7 @@ We will generate the hash randomly.
 
 .. code-block:: none
 
-  set nat source rule 10 outbound-interface interface-name eth0
+  set nat source rule 10 outbound-interface eth0
   set nat source rule 10 source address 10.0.0.0/8
   set nat source rule 10 load-balance hash random
   set nat source rule 10 load-balance backend 192.0.2.251 weight 33
@@ -733,10 +709,12 @@ NAT Configuration
 
   set nat source rule 110 description 'Internal to ASP'
   set nat source rule 110 destination address '172.27.1.0/24'
+  set nat source rule 110 outbound-interface 'any'
   set nat source rule 110 source address '192.168.43.0/24'
   set nat source rule 110 translation address '172.29.41.89'
   set nat source rule 120 description 'Internal to ASP'
   set nat source rule 120 destination address '10.125.0.0/16'
+  set nat source rule 120 outbound-interface 'any'
   set nat source rule 120 source address '192.168.43.0/24'
   set nat source rule 120 translation address '172.29.41.89'