On Mon, Jun 20, 2016 at 00:27 +0200, Sebastian Benoit wrote:
> Mike Belopuhov(m...@belopuhov.com) on 2016.06.20 00:11:03 +0200:
> > On Sun, Jun 19, 2016 at 23:43 +0200, Sebastian Benoit wrote:
> > > manpage documents that af-to does not work on pass out rules, but the
> > > pf.conf parser allows it, which leads to a non-working configuration
> > > being loaded.
> > >
> > > this changes the parser to make pass out .. af-to an error.
> > >
> > > ok?
> > >
> >
> > forgot to mention in my previous mail that af-to follows route-to
> > in this regard. you can say "pass out route-to" but in fact it's
> > sort of pointless since the routing decision has already been made
> > by the forwarding code. i'm not certain doing route-to at this
> > point produces a working result regarding created states, but that
> > would indeed contrast with af-to where this is not a supported
> > configuration.
> >
> > to some extent "pass out af-to" also follows "pass out rdr-to" and
> > "pass in nat-to" in the sense that they're not common and might not
> > produce results one would expect, yet are parsed and installed into
> > the kernel successfully.
>
> yes,
>
> i thought these were checked, but there is only a check to make sure
> rdr/nat-to have a direction, not which one. i'll look at that tomorrow.
>
> thanks.
rdr-to/nat-to are not checked on purpose. i'm not certain about route-to/reply-to. as far as i'm concerned, af-to should be restricted to "pass in". but it would be nice to know if "pass out route-to" and "pass in reply-to" produce working configurations to restrict them as well if they don't.
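For readers following the thread, here is an added pf.conf fragment (not from the thread or from the OpenBSD tree) showing af-to in the direction pf.conf(5) documents, next to the "pass out" form the proposed parser change turns into an error. The interface names and the 64:ff9b::/96 NAT64 prefix are constructed placeholders.

```pf
# Added example, not from the mailing-list thread. Interfaces (em0, em1)
# and addresses are constructed placeholders.

# Supported: af-to on an inbound rule. IPv6 traffic arriving on em0 for
# the NAT64 prefix is translated to IPv4, sourced from em1's address.
pass in on em0 inet6 from any to 64:ff9b::/96 af-to inet from (em1)

# Not supported: af-to on an outbound rule. pf.conf(5) states af-to does
# not work on pass out rules; before the parser change this loaded
# silently and never translated anything, after it pfctl reports an
# error. Kept commented out so the fragment stays loadable.
# pass out on em1 inet6 from any to 64:ff9b::/96 af-to inet from (em1)
```

To check a ruleset for this kind of mistake without touching the running configuration, parse it with `pfctl -nf /etc/pf.conf`; with the parser change applied, an af-to on a pass out rule is reported there rather than being installed as a rule that never matches its intent.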