On 6/24/23 13:14, Stuart Henderson wrote:
> On 2023-06-24, Stephan Neuhaus <s...@artdecode.de> wrote:
>> I now think that either the documentation is wrong, or
>> pf is wrong. At any rate, there seems to be a rather
>> serious disconnect between the two. The FAQ clearly
>> says:
>>
>>     When a packet is selected by a match rule, parameters (e.g. nat-to) in
>>     that rule are remembered and are applied to the packet when a pass rule
>>     matching the packet is reached.
>
> Yes that's wrong. Address changes take effect at the time the match rule
> is processed when traversing the ruleset; rules processed later "see"
> the rewritten address. As pf.conf(5) says,
>
>     Translation
>         Translation options modify either the source or destination address
>         and port of the packets associated with a stateful connection. pf(4)
>         modifies the specified address and/or port in the packet and
>         recalculates IP, TCP, and UDP checksums as necessary.
>
>         If specified on a match rule, subsequent rules will see packets as
>         they look after any addresses and ports have been translated. These
>         rules will therefore have to filter based on the translated address
>         and port number.
OK, that's clear and unambiguous, thanks! So it's a bug in the FAQ, not
in pf itself.
Cheers
Stephan
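As an added illustration (constructed for this page, not part of the thread or of the pf.conf(5) examples), a pf.conf fragment showing the consequence of the behaviour Stuart describes: filter rules placed after a translating match rule must reference the translated addresses and ports. The interface name, networks and host addresses are assumed values.

```conf
# Constructed example: interface and addresses are placeholders.
ext_if  = "em0"
int_net = "192.168.1.0/24"
web_srv = "192.168.1.10"

# Outbound NAT. From this point in the ruleset onward, packets from
# $int_net leaving on $ext_if already carry $ext_if's address as source.
match out on $ext_if inet from $int_net nat-to ($ext_if)

# Ineffective: the source is no longer in $int_net when this rule is
# evaluated, so it never matches the translated packets.
# pass out on $ext_if inet from $int_net

# Correct: filter on the address as it looks after translation.
pass out on $ext_if inet from ($ext_if)

# Inbound redirect to an internal web server. Later rules see the
# packet with the internal host and port as destination.
match in on $ext_if inet proto tcp to ($ext_if) port 80 rdr-to $web_srv port 8080

# Ineffective: the destination has already been rewritten.
# pass in on $ext_if inet proto tcp to ($ext_if) port 80

# Correct: pass on the translated destination address and port.
pass in on $ext_if inet proto tcp to $web_srv port 8080
```

Loading the fragment with `pfctl -nf` checks syntax only; whether a rule actually matches the translated packet is what the ordering above decides.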