On Wed, Apr 02, 2008 at 04:27:17PM -0700, Adam Richards wrote:
> Is there a "no state" directive for nat rules, similar to the
> no-state directive for filter rules?  Or another clever way to
> use nat/rdr/filter statements?  Even though I wasn't able to find
> any affirmative evidence in pf.conf(5) manpage I thought I'd ask
> anyway.
> 
> While I'd prefer a "yes pf can do this" answer, I will accept a
> "no...but here are the code sections you'll want to look at to
> start your patch work" answer.  ;)

No, PF does not do this.

Keeping state is required for NAT to work, because you need to keep
track of the mapping so that the return packets can be translated back
the other way; I'm guessing that your actual problem is not the basic
state mechanism, but the TCP sequence number tracking.

Look for the comment "Sequence tracking algorithm from Guido van Rooij's
paper" in sys/net/pf.c for this code; it should be relatively trivial to
add a bypass option for this in pfctl, and skip these checks in pf.c if
that option is present.

None of this is really a good idea though, and it shouldn't be seen as
an appropriate response to a nasty network design.

-Ryan