Hello David, thanks for the nice wrap-up of the story...
</snip>
>
> this change does the following:
>
> - stores the route info in the state instead of the pf rule
>
> this allows route-to to keep working when the ruleset changes, and
> allows route-to info to be sent over pfsync. there's enough spare bits
> in pfsync messages that the protocol doesn't break.
>
> the caveat is that route-to becomes tied to pass rules that create
> state, like rdr-to and nat-to.
>
> - the argument to route-to etc is a destination ip address
>
> it's not limited to a next-hop address (though a next-hop can be a
> destination address). this allows for the failover and load balancing
> referred to above.
>
> - deprecates the address@interface host syntax in pfctl
>
> because routing is done entirely by IPs, the interface is derived from
> the route lookup, not pf.

I think this requires a notion in changelog.

>
> this change does not affect some other stuff discussed in the thread:
>
> - it keeps the current semantic where when route-to changes which
> interface the packet is travelling over, it runs pf_test again.
>
> that's a separate change for broader discussion.
>

OK sashan