Thanks all, I will be careful in the future, and I won't forget to specify the "inet" keyword :)

--
Best regards,

Loïc BLOT, Engineering
UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr

On Friday 28 February 2014 at 11:54 +0100, Mike Belopuhov wrote:
> On 28 February 2014 10:15, Loïc Blot <loic.b...@unix-experience.fr> wrote:
> > Hello,
> > I encountered a strange problem today on PF. I don't know if this is normal
> > but the result is illogical.
> >
> > I have this rule:
> >
> > pass out quick proto tcp from <all_clients_v4> to port { smtp smtps 587
> > imap imaps pop3 pop3s } nat-to $natto_iface
> >
> > Tables contain IPv4 addresses only.
> >
> > After applying this rule (I added IPv6 support yesterday), those
> > protocols weren't NAT-ed by PF.
> >
> > By investigating, I found this:
> >
> > pfctl -sr | grep nat-to
> >
> > pass out quick inet6 proto tcp from <all_clients_v4> to any port = 465
> > flags S/SA nat-to <__automatic_d309aaac_0> round-robin
> >
> > Then I looked at __automatic_d309aaac_0, because inet6 was strange!
> >
> > pfctl -t __automatic_d309aaac_1 -T show
> > 2001:660:3bbb:aaaa::2
> > fe80::92b1:1cad:fe18:ea18
> >
> > To resolve this problem I added the inet keyword to my rule.
> >
> > Is this normal?
>
> yes, you've got what you've asked for. you should say "pass out quick inet"
> if you don't want inet6.
>
> > Maybe a fix is required in the pf parser?
> >
> > Have a nice day
> >
> >
> > --
> > Best regards,
> >
> > Loïc BLOT, Engineering
> > UNIX Systems, Security and Network Engineer
> > http://www.unix-experience.fr
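A check for the situation discussed in this thread, as an added example that is not part of the original messages and not OpenBSD code: it scans pf.conf text for `pass`/`match` rules that use `nat-to` without an `inet` or `inet6` keyword before it, and goes slightly beyond the thread by also covering `rdr-to` and `binat-to`. It is a token heuristic rather than pf's parser; the function names, the `em0` macro value and the table contents in the sample are constructed assumptions.

```python
import re

AF = {"inet", "inet6"}
TRANSLATE = {"nat-to", "rdr-to", "binat-to"}

# Constructed sample: the rule from the thread, then the same rule pinned to inet.
SAMPLE = r"""natto_iface = "em0"
table <all_clients_v4> { 192.0.2.0/24 }
pass out quick proto tcp from <all_clients_v4> to port { smtp smtps 587 \
    imap imaps pop3 pop3s } nat-to $natto_iface
pass out quick inet proto tcp from <all_clients_v4> to port { smtp smtps 587 \
    imap imaps pop3 pop3s } nat-to $natto_iface
"""

def logical_lines(text):
    """Strip '#' comments, join backslash continuations; yield (first_lineno, rule)."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, " ".join(buf.split())
        buf, start = "", None

def unpinned_translations(conf_text):
    """Return (lineno, keyword, rule) for translation rules with no address family."""
    findings = []
    for lineno, rule in logical_lines(conf_text):
        tokens = re.findall(r"[{}(),]|[^\s{}(),]+", rule)
        if not tokens or tokens[0] not in ("pass", "match"):
            continue  # macros, tables, block rules, options
        for i, tok in enumerate(tokens):
            # The address family keyword precedes proto/from/to, so only
            # the tokens before the translation keyword are inspected.
            if tok in TRANSLATE and not AF & set(tokens[:i]):
                findings.append((lineno, tok, rule))
                break
    return findings

if __name__ == "__main__":
    for lineno, keyword, rule in unpinned_translations(SAMPLE):
        print(f"line {lineno}: {keyword} without inet/inet6: {rule}")
```

Rules loaded through anchors or include files are not followed, so each file has to be checked separately.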