On Mon, Jun 03, 2013 at 11:49:58PM +0100, Stuart Henderson wrote:
> On a router running PF and isakmpd, I have a rule like this:
> 
> match out on pppoe0 inet all received-on vlan5 nat-to $someip
> 
> I was surprised to find this being applied to packets received on vlan5
> and caught by an ipsec flow; the resulting *encapsulated* (proto ESP) packets
> (as in, generated on the router itself, not actually themselves received on
> vlan5) end up getting natted.
> 
> What does anyone else think...expected or not?
> 

Question: would you expect the ipsec packets to match against this rule?
match out on pppoe0 inet all received-on enc0 nat-to $someip

As in should we change the received interface when we hit ipsec?
Think carefully since this path is edged by dragons and deep dark
rabbit holes.

-- 
:wq Claudio
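Added example (not from the thread, and not a decision on the received-on question Claudio raises above): a pf.conf fragment that shows the posted rule next to a variant that does not depend on received-on surviving IPsec encapsulation. All macros, addresses and the peer are assumed for illustration.

```pf
# Added example, not from the original thread. Every address here is assumed.
ext_if     = "pppoe0"
lan_if     = "vlan5"
lan_net    = "192.0.2.0/24"      # assumed subnet behind vlan5
ipsec_peer = "198.51.100.1"      # assumed remote IPsec gateway
someip     = "203.0.113.10"      # assumed address to NAT to on pppoe0

# The rule as posted. As observed in the thread, the ESP packet the router
# builds for a flow that caught a vlan5 packet still carries
# "received-on vlan5", so the encapsulated packet leaving pppoe0 is also
# rewritten to $someip.
match out on $ext_if inet all received-on $lan_if nat-to $someip

# Variant keyed on the inner source network instead of the receiving
# interface. The ESP packet is sourced by the router itself from the tunnel
# endpoint address, not from $lan_net, so it does not match this rule and
# keeps the source address the SA on the far side expects.
match out on $ext_if inet from $lan_net nat-to $someip

# Pass the tunnel traffic explicitly so keying (isakmpd) and ESP are not
# caught by broader rules. Parenthesised interface picks up pppoe0's address.
pass out on $ext_if proto esp from ($ext_if) to $ipsec_peer
pass out on $ext_if proto udp from ($ext_if) to $ipsec_peer port { 500, 4500 }
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and confirm the effect with `tcpdump -ni pppoe0 proto esp`: the ESP source should stay the pppoe0 address rather than becoming $someip.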
