On Wed, May 19, 2021 at 12:30:27PM +0100, Stuart Henderson wrote:
> Understood why, but I think wireguard is a special case, normally
> maintaining a nat mapping across a change of address doesn't help as the
> system at the other side won't associate it with the same "connection". The
> () behaviour relates to the address at state creation, there's no mechanism
> to do the look up for every packet.

| The () behaviour relates to the address at state creation, [...]

Yup, I figured. I've set up ifstated(8) with:

    pfctl -k '100.64.0.0/10'

and I'll see how it goes. I'm gonna iterate with different solutions
until I'm happy with the result. This is low-pri, so iteration will happen
ad hoc, I guess every time the condition (IP address change on umb(4)) is
triggered, which may happen even once per week.

--
Regards,
Mikolaj