Support for port translation is very basic, because here we really need to keep some state information. The problem is inserting the original port into packets that are answers to packets we translated. Unless we record that information when we do the forward translation, we are unable to translate the return packets, since we have absolutely no way to determine the port the client may have used. This is why bidirectional rules are completely impossible to use with this implementation, and doing the backward translation 'manually' by specifying an extra rule for it is not generic. Of course, I can specify a rule like
ipnatadm -O -W eth1 -i -D webserver/32 80 \
-N temp-replacement/32 8888
This will work, since we know exactly the port we have to insert in return packets: it is port 80. So the rule for the return packets will be
ipnatadm -I -W eth1 -i -S temp-replacement/32 8888 \
-M webserver/32 80
This ensures that clients connecting to the webserver see the expected source address and port in the packets they get back, which must come from the IP and port they sent their packets to. In this example we have also done IP address translation, not just port translation. Port translation alone makes less sense than IP address translation, but it may still sometimes be useful.
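The difference between the fixed rule pair above and a translation that needs state can be seen in a small model. This is an added Python example, not code from the implementation described here; packets are plain tuples, and the host name "gateway" and starting port 61000 used with it are assumptions.

```python
# Added illustration (not from the original text): toy model of port translation.
# Host names other than webserver/temp-replacement and port 61000 are assumptions.
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

WEB = ("webserver", 80)
TEMP = ("temp-replacement", 8888)

def reply(p: Packet) -> Packet:
    """Answer packet: source and destination swapped."""
    return Packet(p.dst, p.dport, p.src, p.sport)

def stateless_forward(p: Packet) -> Packet:
    """Fixed rule: destination webserver:80 becomes temp-replacement:8888."""
    if (p.dst, p.dport) == WEB:
        return p._replace(dst=TEMP[0], dport=TEMP[1])
    return p

def stateless_return(p: Packet) -> Packet:
    """Fixed rule: source temp-replacement:8888 becomes webserver:80."""
    if (p.src, p.sport) == TEMP:
        return p._replace(src=WEB[0], sport=WEB[1])
    return p

class SourcePortNat:
    """Rewrites the client's source port, so it must remember the original."""
    def __init__(self, nat_ip: str, first_port: int = 61000):
        self.nat_ip = nat_ip
        self.next_port = first_port
        self.table = {}  # translated port -> (client ip, client port)

    def forward(self, p: Packet) -> Packet:
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (p.src, p.sport)
        return p._replace(src=self.nat_ip, sport=port)

    def reverse(self, p: Packet) -> Optional[Packet]:
        orig = self.table.get(p.dport) if p.dst == self.nat_ip else None
        if orig is None:
            return None  # no state: the client's port cannot be recovered
        return p._replace(dst=orig[0], dport=orig[1])
```

The two stateless functions invert each other because both sides of the mapping are constants; SourcePortNat.reverse returns None on an instance that never saw the forward packet, which is the situation a stateless rule set is always in.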