On Sun, Jun 19, 2016 at 23:43 +0200, Sebastian Benoit wrote: > manpage documents that af-to does not work on pass out rules, but the > pf.conf parser allows it, which leads a non working configuration being > loaded. > > this changes the parser to make pass out .. af-to an error. > > ok? >
forgot to mention in my previous mail that af-to follows route-to in this regard. you can say "pass out route-to" but in fact it's sort of pointless since the routing decision has already been made by the forwarding code. i'm not certain doing route-to at this point produces a working result regarding created states, but that would indeed contrast with af-to where this is not a supported configuration. to some extent "pass out af-to" also follows "pass out rdr-to" and "pass in nat-to" in a sense that they're not common and might not produce results one would expect, yet are parsed and installed into the kernel successfully.
