On 2011-06-11, Benjamin Kiessling <mittages...@l.unchti.me> wrote:
> Hi,
>
> On 2011.06.10 16:35:43 +0000, Stuart Henderson wrote:
>> I would suggest being more specific with your nat rule.
>> If you have a default v6 route on gre, this is in group egress
>> too, and might get picked as the interface to try and nat packets
>> to, but it doesn't have a v4 address so the nat can't work.
>> Because you're using (egress:0) rather than just egress:0 to
>> track address changes, you won't be able to see what's going on
>> using the standard tools (pfctl -vf /etc/pf.conf, pfctl -sr,
>> etc) which might otherwise clarify things.
>
> Thanks. That seems to have fixed it. I assumed the skip gre0 would be enough
> to disable all rules on the interface/route going over that interface.

That only disables PF processing on those interfaces, it doesn't
prevent the addresses being used in other rules.

For example you might want to use something like 'pass out on
vlan5 from (gre0:network)' and I don't think people would expect
'set skip on gre0' to stop that from working.
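As an added illustration of the two points above (it is not part of the thread, and the interface names em0, vlan5, the LAN prefix and the exact rule wording are assumptions chosen to match the situation described), here is a pf.conf fragment showing the broad egress-based nat rule beside a version that names the interface holding the v4 address, plus the kind of rule that still relies on gre0's addresses even though PF is skipped on gre0:

```pf
# Constructed example, not the original poster's pf.conf.
# em0   = uplink carrying the IPv4 address (assumption)
# gre0  = tunnel carrying the default IPv6 route (assumption)
# vlan5 = internal network (assumption, taken from the reply above)
ext_if  = "em0"
lan_net = "192.168.1.0/24"   # constructed LAN prefix

set skip on gre0

# Broad form: "egress" is a group, not a single interface. gre0 carries the
# default v6 route, so it is in egress too; if PF picks it as the nat
# interface there is no v4 address to translate to and the nat fails.
# match out inet from $lan_net to any nat-to (egress:0)

# Specific form: bind the translation to the interface that has the v4 address.
match out on $ext_if inet from $lan_net to any nat-to ($ext_if:0)

# 'set skip on gre0' only stops PF processing packets on gre0; gre0's
# addresses are still resolved and used wherever a rule names them.
pass out on vlan5 inet6 from (gre0:network) to any
```

While debugging, the parenthesised form (egress:0) is resolved at packet time rather than at load time, so pfctl -vf /etc/pf.conf and pfctl -sr print the dynamic spec instead of the address actually chosen; temporarily writing egress:0 without the parentheses makes the resolved address visible in the rule output, at the cost of not tracking address changes until the ruleset is reloaded.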
