On Wed, Apr 09, 2008 at 05:36:57PM +0900, Ryan McBride wrote:
> You're right, it should be relatively easy to give binat a 'no state'
> option...
Try the attached diff, eg:

	binat on egress from 192.168.100.1 to any -> 10.99.99.99 no state

Index: sys/net/pf.c
===================================================================
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.567
diff -u -r1.567 pf.c
--- sys/net/pf.c	20 Feb 2008 23:40:13 -0000	1.567
+++ sys/net/pf.c	9 Apr 2008 11:41:02 -0000
@@ -3321,7 +3321,8 @@
 			return (PF_DROP);
 		}
-		if (!state_icmp && (r->keep_state || nr != NULL ||
+		if (!state_icmp && (r->keep_state ||
+		    (nr != NULL && nr->keep_state) ||
 		    (pd->flags & PFDESC_TCP_NORM))) {
 			/* create new state */
 			struct pf_state *s = NULL;
Index: sbin/pfctl/parse.y
===================================================================
RCS file: /cvs/src/sbin/pfctl/parse.y,v
retrieving revision 1.536
diff -u -r1.536 parse.y
--- sbin/pfctl/parse.y	1 Feb 2008 06:58:45 -0000	1.536
+++ sbin/pfctl/parse.y	9 Apr 2008 11:41:02 -0000
@@ -439,7 +439,7 @@
 %type	<v.number>		number icmptype icmp6type uid gid
 %type	<v.number>		tos not yesno
 %type	<v.probability>		probability
-%type	<v.i>			no dir af fragcache optimizer
+%type	<v.i>			no dir af fragcache optimizer binatkeep
 %type	<v.i>			sourcetrack flush unaryop statelock
 %type	<v.b>			action nataction natpasslog scrubaction
 %type	<v.b>			flags flag blockspec
@@ -3741,6 +3741,7 @@
 
 			memset(&r, 0, sizeof(r));
 			r.action = $1.b1;
+			r.keep_state = 1;
 			r.natpass = $1.b2;
 			r.log = $1.w;
 			r.logif = $1.w2;
@@ -3889,8 +3890,12 @@
 			}
 		;
 
+binatkeep	: /* empty */			{ $$ = 1; }
+		| NO STATE			{ $$ = 0; }
+		;
+
 binatrule	: no BINAT natpasslog interface af proto FROM host TO ipspec tag
-		    tagged rtable redirection
+		    tagged rtable redirection binatkeep
 		{
 			struct pf_rule		 binat;
 			struct pf_pooladdr	*pa;
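Review bot: The rewritten condition makes `nr->keep_state` a precondition for state creation on every matched translation rule, not only binat, so a nat or rdr rule whose pf_rule reaches the kernel with keep_state still 0 (an anchor loaded by an older pfctl binary, or any program that fills in pf_rule itself) would now be translated inbound with no state left to un-translate the replies — NAT silently stops working rather than failing closed. The parse.y hunk compensates by forcing `r.keep_state = 1` for nat/rdr, but the kernel should not depend on every loader doing that; since "no state" is only meaningful for the bidirectional binat mapping, consider honouring it only there: `(nr != NULL && (nr->action != PF_BINAT || nr->keep_state)) ||`, with a comment noting that binat is the one translation that is reversible without state. Note also that, if I read the surrounding grammar right, filter rules default to keep state, so `r->keep_state` will usually still force a state and the new binat option only bites when the matching pass rule also says "no state" — worth spelling out in pf.conf(5). The enclosing function starts and ends outside the hunk.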
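Review bot: The added `r.keep_state = 1;` in the nat/rdr rule action is load-bearing but unexplained: together with the pf.c change the kernel now creates state for a translation rule only when nr->keep_state is set, so a nat/rdr rule left at 0 would have its reply traffic arrive untranslated. A one-line comment would stop the next reader from treating it as a stray default, e.g. `/* nat/rdr are one-way rewrites; replies can only be un-translated through state, so "no state" is never allowed here */`. The enclosing natrule action begins and ends outside the hunk.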
@@ -3915,6 +3920,7 @@
 			binat.log = $3.b2;
 			binat.logif = $3.w2;
 			binat.af = $5;
+			binat.keep_state = $15;
 			if (!binat.af && $8 != NULL && $8->af)
 				binat.af = $8->af;
 			if (!binat.af && $10 != NULL && $10->af)
Index: sbin/pfctl/pfctl_parser.c
===================================================================
RCS file: /cvs/src/sbin/pfctl/pfctl_parser.c,v
retrieving revision 1.235
diff -u -r1.235 pfctl_parser.c
--- sbin/pfctl/pfctl_parser.c	15 Oct 2007 02:16:35 -0000	1.235
+++ sbin/pfctl/pfctl_parser.c	9 Apr 2008 11:41:02 -0000
@@ -986,6 +986,8 @@
 			printf(" -> ");
 			print_pool(&r->rpool, r->rpool.proxy_port[0],
 			    r->rpool.proxy_port[1], r->af, r->action);
+			if (!r->keep_state && r->action == PF_BINAT)
+				printf(" no state");
 		}
 	}
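Review bot: `binat.keep_state = $15;` is stored for `no binat` rules too, where the option has no effect — the kernel only consults keep_state on a matched translation and the pfctl_parser.c hunk prints " no state" only for PF_BINAT — so `no binat ... no state` parses successfully but is silently dropped on a `pfctl -sn` round-trip. parse.y's usual practice, as far as I recall, is to reject meaningless combinations with yyerror(), and the same treatment would be consistent here: `if ($1 && !$15) { yyerror("\"no state\" is not allowed on no binat rules"); YYERROR; }`, placed next to where the action is derived from `$1` (which lies outside this hunk). The rest of the binatrule action is outside the hunk, so I could not confirm whether such a check already exists.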