On 2014/10/14 23:36, Yann Hamon wrote:
> The reason I posted this on bugs@ is because OpenBSD keeps UDP connections
> natted to an IP address that has been changed, which doesn't seem
> straightforward according to this documentation:
> http://www.openbsd.org/faq/pf/nat.html which states:
>
> "This tells PF to update the rule if the IP address(es) on the named
> interface changes"
>
> I would have expected that once the address on my interface changes, new
> packets coming from my phone would have been natted to the new IP address.
> But maybe this is expected behaviour - I am fine with the workaround.
The problem is that those packets match the existing state table entry; they don't hit the ruleset again until the state entry times out, which won't happen if the phone keeps on sending packets at an interval lower than the state timeout interval - it is probably doing this *specifically* to avoid letting NAT states time out ;-)

I've been wondering if there might be other ways to handle this in pf but haven't come up with anything that would actually work without either being horrendously complex (some sort of super-if-bound that also checks IP addresses on the interface? yeeuw) or breaking other situations (if an interface bounces but keeps the same address, invalidating the states would be bad).
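As an added illustration (not from this thread and not OpenBSD's pf code), a toy model of the mechanism described above: state lookup happens before rule evaluation, so UDP keepalives sent more often than the state timeout keep the state, and the NAT address chosen when it was created, alive across an address change. All addresses, ports and the timeout value are constructed.

```python
"""Toy model: pf state lookup precedes rule evaluation for a NATed UDP flow."""
from dataclasses import dataclass

UDP_TIMEOUT = 60  # seconds; constructed stand-in for pf's UDP state timeout


@dataclass
class State:
    nat_addr: str  # external address chosen by the rule when the state was created
    expires: int   # absolute time at which the state entry times out


class Firewall:
    def __init__(self, egress_addr: str) -> None:
        self.egress_addr = egress_addr  # current address on the egress interface
        self.states: dict[tuple, State] = {}  # key: (proto, src, sport, dst, dport)

    def set_egress_addr(self, addr: str) -> None:
        # Address change on the interface: the NAT rule now reads the new address,
        # but existing state entries are untouched.
        self.egress_addr = addr

    def packet(self, now: int, key: tuple) -> str:
        st = self.states.get(key)
        if st is not None and st.expires <= now:
            del self.states[key]  # state timed out: next packet hits the ruleset
            st = None
        if st is not None:
            st.expires = now + UDP_TIMEOUT  # state matched: refresh only, no rule lookup
            return st.nat_addr
        # No state: evaluate the ruleset, which binds the current interface address
        st = State(nat_addr=self.egress_addr, expires=now + UDP_TIMEOUT)
        self.states[key] = st
        return st.nat_addr


def run(keepalive_interval: int, change_at: int = 100, end: int = 400) -> list:
    """Send a keepalive every `keepalive_interval` s; change the address at `change_at`.

    Returns (time, NAT address used) for each packet. Constructed scenario."""
    fw = Firewall("203.0.113.10")
    key = ("udp", "192.168.1.20", 4500, "198.51.100.7", 4500)  # constructed flow
    seen = []
    for t in range(0, end, keepalive_interval):
        if t >= change_at and fw.egress_addr != "203.0.113.20":
            fw.set_egress_addr("203.0.113.20")
        seen.append((t, fw.packet(t, key)))
    return seen
```

With a 30 s keepalive the state is refreshed before every timeout and every packet after the change is still NATed to 203.0.113.10; with a 120 s interval the state expires, the next packet re-evaluates the rule and picks up 203.0.113.20.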
