I have a similar problem. I just installed 4.7, and a set of rules which has been working for a long time doesn't work any more with the change of syntax/semantics. I also was using NAT rules with multiple interfaces in the same rule.
Ken Hendrickson

PS If possible, can an example blurb be put into the man page, or some other better place for it, showing how to do it? It's going to take me a while to slog through all the documentation to learn how to do it the new way (and I realize I have to do it anyway).

-----Original Message-----
From: [email protected] on behalf of Ryan McBride
Sent: Wed 9/1/2010 9:05 AM
To: AEH Automatisierung
Cc: [email protected]
Subject: Re: pf 4.6 vs. 4.7

Yes, this functionality was removed in January. There was simply too much complexity there to support something which 99% of users don't need (you're the first person I know of to say anything).

Probably the simplest workaround is to make your two processes control a single table.

From the changelog:

CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2010/01/11 20:20:52

Modified files:
    libexec/tftp-proxy: filter.c
    sbin/pfctl : parse.y pfctl.c pfctl_optimize.c pfctl_parser.c pfctl_parser.h pfctl_table.c
    share/man/man4 : pf.4
    share/man/man5 : pf.conf.5
    sys/net : pf.c pf_if.c pf_ioctl.c pf_lb.c pf_table.c pfvar.h
    usr.sbin/ftp-proxy: filter.c
    usr.sbin/relayd: pfe_filter.c

Log message:
First pass at removing the 'pf_pool' mechanism for translation and routing actions. Allow interfaces to be specified in special table entries for the routing actions. Lists of addresses can now only be done using tables, which pfctl will generate automatically from the existing syntax.

Functionally, this deprecates the use of multiple tables or dynamic interfaces in a single nat or rdr rule.

ok henning dlg claudio

On Wed, Sep 01, 2010 at 02:48:02PM +0200, AEH Automatisierung wrote:
> It's just a short question
>
> I'm using OpenBSD since version 3.0
>
> in V4.6 I had some nat-anchors containing
>
> rdr on $ExtIF proto tcp to $st43_ip port 80 -> {<st43-0>,<st43-1>}
> round-robin
>
> when I try to translate this rule to pf 4.7
>
> pass in quick on $ExtIF proto tcp to $st43_ip port 80 rdr-to
> {<st43-0>,<st43-1>} round-robin
>
> pfctl gives me the following error.
>
> st43.pf:6: only addresses can be listed forredirection pools
> pfctl: Syntax error in config file: pf rules not loaded
>
> I also can't combine tables eg. <st43> = {<st43-1>,<st43-2>}
>
> the packet filter only accepts rules like
>
> pass in quick on $ExtIF proto tcp to $st43_ip port 80 rdr-to
> <st43-0> round-robin
>
> So my question: Is this feature gone or is there a workaround
>
> Description: there are two different processes controlling the
> redirection pools st43-0 and st43-1
>
> Sincerely yours Amir El-Hussein
> --
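
One way to apply the single-table workaround from the reply above, as an added example that is not part of the original thread or of OpenBSD's documentation. It assumes each controlling process writes its live backends to its own file; the directory `/var/db/st43`, the merged table name `<st43>`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumed pf.conf (4.7 syntax) that this script feeds:
#   table <st43> persist
#   pass in quick on $ExtIF proto tcp to $st43_ip port 80 rdr-to <st43> round-robin
#
# Each controller writes one address per line to its own file and never
# touches the pf table directly; sync_table publishes the union.
POOL_DIR="${POOL_DIR:-/var/db/st43}"   # hypothetical location of member files
TABLE="st43"                           # hypothetical merged table name

# Print the union of the given member files: comments and blank lines
# dropped, duplicates removed. A file that does not exist yet is skipped.
merge_pools() {
    cat "$@" 2>/dev/null |
        sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' |
        sort -u
}

# Replace the table contents with the merged set in one pfctl call, so the
# rule never sees a half-updated pool.
sync_table() {
    tmp=$(mktemp) || return 1
    merge_pools "$POOL_DIR/st43-0" "$POOL_DIR/st43-1" > "$tmp"
    if [ -s "$tmp" ]; then
        pfctl -t "$TABLE" -T replace -f "$tmp"
        rc=$?
    else
        # Both member files empty or missing: keep the current table
        # rather than redirecting to an empty pool.
        echo "no members found, leaving <$TABLE> unchanged" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Each controller would call `sync_table` after rewriting its own file; `pfctl -t st43 -T show` lists what the rule is currently balancing across.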
