On Fri, 11 Sep 2009 02:23:54 +0400 Vadim Zhukov <persg...@gmail.com> wrote:

> Hello all.
>
> Can anyone ack that route-to/reply-to rules do not work on amd64?
> I have the following rule in pf.conf:
>
> pass in quick on $limit_if inet proto icmp icmp-type echoreq \
>     reply-to ($limit_if $limit_gw)
>
> It does not work (IPs replaced via corresponding macros by me),
> see tcpdump(8) output:
>
> 02:00:58.171084 77.108.65.40 > ($limit_if): icmp: echo request
> 02:00:58.171113 77.108.65.40 > $limit_gw: icmp: echo request
>
> Yep, such weird. And when I remove "reply-to" clause, it works as
> intended:
>
> 01:53:11.174644 77.108.65.40 > ($limit_if): icmp: echo request
>
> No ICMP replies seen - they try to go via default route that is on
> another interface.
>
> There are similar problems with "route-to": it looks like acting as
> "rdr-to", replacing destination IP address.
>
> I have no problems on i386 firewall with same sort of setup.
>
> System was updated via snapshot two days ago, and then kernel and
> pfctl(8) were rebuilt then from source while debugging this case. Full
> dmesg is at the end of letter.
>
> Thank you for any responses.
>

I think I have the same problem on amd64 (current) with reply-to.
The reply-to ($if $gw) makes the reply go to $gw instead of the sender.
It was working before the pf nat change.

laurent