On Fri, Oct 28, 2011 at 12:09 PM, Tom Murphy open...@pertho.net wrote:
You guys might want to add a note to current.html that from October
13 2011, the NAT updates have made it impossible to not use an address
family in a nat-to statement.
The following statement fails now:
match out on egress from ($int_if:network) nat-to (egress)
Gives the error:
/etc/pf.conf:74: af-to is not supported on match rules
/etc/pf.conf:74: skipping rule due to errors
Changing it to:
match out on egress inet from ($int_if:network) nat-to (egress)
Fixes it.
I wasn't sure how many people explicitly use the address family in
their nat-to lines, but this one caught me out when I updated to a
newer snapshot earlier this month.
Tom
yes, i have a proper fix for that. need to test it though.
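
A way to find affected rules before loading a ruleset on a snapshot with this behaviour, added here as an example (not code from the thread or from pfctl). The function name `check_natto_af` is hypothetical, and the scan is a token-level heuristic rather than a pf.conf parser. It goes beyond the `match` rule in the report and flags any rule that reaches `nat-to` without `inet` or `inet6` before it.

```shell
#!/bin/sh
# Added example: heuristic lint, not part of pfctl.
# Flags pf.conf rules that use nat-to with no explicit address family
# (inet or inet6) earlier in the same rule. A rule skipped at load time
# means the NAT it was meant to provide is silently absent.

check_natto_af() {
    # $1: path to a pf.conf-style file.
    # Prints "LINE: rule" for each hit; returns 1 if anything was flagged.
    awk '
    {
        sub(/#.*/, "")                    # drop comments (ignores quoting)
        if (buf == "") start = NR         # line where this rule begins
        if (sub(/\\[ \t]*$/, "")) {       # trailing backslash: rule continues
            buf = buf $0 " "
            next
        }
        rule = buf $0
        buf = ""
        n = split(rule, tok, /[ \t]+/)
        af = 0
        nat = 0
        for (i = 1; i <= n; i++) {
            if (tok[i] == "inet" || tok[i] == "inet6") af = 1
            if (tok[i] == "nat-to") { nat = 1; break }
        }
        if (nat && !af) {
            printf "%d: %s\n", start, rule
            bad = 1
        }
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Run against a file when one is given, e.g.: sh thisfile.sh /etc/pf.conf
if [ "$#" -gt 0 ]; then
    check_natto_af "$1"
fi
```

`pfctl -nf /etc/pf.conf` remains the authoritative check, since it parses the ruleset without loading it and reports the same errors shown above.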