On 2014/02/28 11:54, Mike Belopuhov wrote:
> On 28 February 2014 10:15, Loïc Blot <loic.b...@unix-experience.fr> wrote:
> > Hello,
> > I encountered a strange problem today with PF. I don't know if this is normal,
> > but the result is illogical.
> >
> > I have this rule:
> >
> > pass out quick proto tcp from <all_clients_v4> to port { smtp smtps 587
> > imap imaps pop3 pop3s } nat-to $natto_iface
> >
> > Tables contain IPv4 addresses only.

Tables may contain IPv4 addresses only now, but you may add an IPv6
address to a table later, so it is correct that this rule is added.

> > After applying this rule (I added IPv6 support yesterday), those
> > protocols weren't NAT-ed by PF.
> >
> > By investigating, I found this:
> >
> > pfctl -sr | grep nat-to
> >
> > pass out quick inet6 proto tcp from <all_clients_v4> to any port = 465
> > flags S/SA nat-to <__automatic_d309aaac_0> round-robin
> >
> > Then I looked at __automatic_d309aaac_0, because inet6 was strange!
> >
> > pfctl -t __automatic_d309aaac_1 -T show
> >    2001:660:3bbb:aaaa::2
> >    fe80::92b1:1cad:fe18:ea18
> >
> > To resolve this problem I added the inet keyword to my rule.
> >
> > Is this normal?
> 
> yes, you've got what you've asked for.  you should say "pass out quick inet"
> if you don't want inet6.

While I agree with this, I don't think we should ever be natting to a
non-scoped link-local address.
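As an added example, not written by any of the posters above, here is how the rule in this thread could be split so that each address family translates to an explicit address instead of letting "nat-to $natto_iface" round-robin over every address on the interface. The interface name em0, the table <all_clients_v6> and its contents, and the use of 2001:660:3bbb:aaaa::2 (the global address shown in the __automatic table output) as the IPv6 translation address are assumptions made for the example.

```pf
# Added example, not from the thread.  Macro and table values are assumed.
ext_if   = "em0"                         # assumed name behind $natto_iface
natto_v6 = "2001:660:3bbb:aaaa::2"       # global address seen in the __automatic table
table <all_clients_v4> { 192.0.2.0/24 }  # constructed sample contents
table <all_clients_v6> { 2001:db8::/64 } # constructed sample contents

# Rule as posted: no address family is given, so pfctl expands it to both
# an inet and an inet6 variant, and "nat-to $ext_if" expands to every
# address on the interface, the fe80:: link-local one included.
# pass out quick proto tcp from <all_clients_v4> \
#     to port { smtp smtps 587 imap imaps pop3 pop3s } nat-to $ext_if

# Restricted form: one rule per address family with an explicit
# translation address.  ($ext_if:0) follows the interface's primary
# IPv4 address at run time; the :0 modifier leaves out aliases, so no
# round-robin table is generated for the inet rule.
pass out quick inet  proto tcp from <all_clients_v4> \
    to port { smtp smtps 587 imap imaps pop3 pop3s } nat-to ($ext_if:0)
pass out quick inet6 proto tcp from <all_clients_v6> \
    to port { smtp smtps 587 imap imaps pop3 pop3s } nat-to $natto_v6
```

Before loading, `pfctl -nvf /etc/pf.conf` parses the file and prints the expanded rules without touching the running ruleset; an unintended inet6 variant or an __automatic_* table shows up there, which is cheaper than discovering it from untranslated mail traffic.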
