From 6fc3a906207f0199d5b11d490586a26e333dcf56 Mon Sep 17 00:00:00 2001 From: Nataliia Solomko Date: Fri, 28 Nov 2025 18:24:24 +0200 Subject: [PATCH] vpp: T7972: Improve `nat44 no-forwarding` feature name and description in CLI --- docs/vpp/configuration/nat/nat44.rst | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/docs/vpp/configuration/nat/nat44.rst b/docs/vpp/configuration/nat/nat44.rst index 006edb86e5..f9eaf170e6 100644 --- a/docs/vpp/configuration/nat/nat44.rst +++ b/docs/vpp/configuration/nat/nat44.rst 
@@ -554,23 +554,22 @@ This setting helps prevent memory exhaustion and ensures predictable performance # Increase session limit for high-capacity deployment set vpp settings nat44 session-limit 100000 -Forwarding Behavior +Processing Mode ------------------- -By default, VyOS NAT44 forwards packets that don't match any NAT rules according to the routing table. This behavior can be controlled: +NAT44 processing behavior can be controlled using the processing-mode option. Choose how NAT44 treats packets that do not match any NAT rule: -.. cfgcmd:: set vpp settings nat44 no-forwarding +.. cfgcmd:: set vpp settings nat44 processing-mode - Disable forwarding of packets that don't match existing NAT translations. When enabled, only packets that match static or dynamic NAT rules will be processed; all other traffic will be dropped. +The available processing modes are: -.. important:: - - This is a significant difference from traditional NAT solutions. By default, VyOS NAT44 allows non-NAT traffic to be forwarded normally. Using ``no-forwarding`` creates a pure NAT-only device that drops any traffic not covered by NAT rules. +- ``static-dynamic``: Process traffic by both static rules and dynamic NAT (default) +- ``static-bypass``: Process traffic by static NAT rules only, pass without NAT if not matched -**Use cases for no-forwarding:** +**Use cases:** -* **Pure NAT gateway**: When the router should only handle NAT traffic and drop everything else -* **Security isolation**: Preventing any non-NAT traffic from traversing the device +* **static-dynamic**: Use when you want dynamic translations created for unmatched inbound traffic so most flows get NATed +* **static-bypass**: Use when NAT should apply only to explicitly configured static mappings and all other traffic must continue to be routed normally Worker Assignment -----------------
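Review bot: the ``static-dynamic`` bullet never says what happens to a packet that matches neither a static rule nor a dynamic translation, although the new intro sentence promises exactly that ("how NAT44 treats packets that do not match any NAT rule"). The removed text was explicit on this point: the default forwarded unmatched packets according to the routing table, ``no-forwarding`` dropped them, and the ``.. important::`` block flagged the drop behaviour. With those lines gone, a reader cannot tell from this section whether the default mode drops or forwards unmatched traffic, or which new mode an existing ``no-forwarding`` configuration corresponds to. Suggest stating the drop or forward outcome in each bullet, keeping an ``.. important::`` note if either mode drops traffic, and adding one line on how ``no-forwarding`` maps to ``processing-mode``. Two smaller points in the same hunk: the ``.. cfgcmd::`` line ends at ``processing-mode`` without showing the accepted values, and the retained underline ``-------------------`` is four characters longer than the new ``Processing Mode`` title, which still renders but no longer matches the title length as the ``Worker Assignment`` heading below does.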