Hi, I'm trying to replace my pf "pass out nat-to" rule with 2 rules, a match out and a pass out.

tl;dr: after a match rule with nat-to, the following pass rule matches the src address not on the original src IP but on the new translated IP from nat-to.

According to the FAQ (https://www.openbsd.org/faq/pf/nat.html):

    match out on tl0 from 192.168.1.0/24 to any nat-to 198.51.100.1
    pass on tl0 from 192.168.1.0/24 to any

Or the following may be used:

    pass out on tl0 from 192.168.1.0/24 to any nat-to 198.51.100.1

Following this example I want to replace:

    @162 pass out quick on trunk0 inet from 10.3.5.11 to any flags S/SA tagged from_internal nat-to $VIP

with the following 2:

    @154 match out log on trunk0 inet from 10.3.5.11 to any tagged from_internal nat-to $VIP
    @155 pass out log quick on trunk0 inet from 10.3.5.11 to any flags S/SA tagged from_internal
    @156 pass out log quick on trunk0 inet from $VIP to any flags S/SA tagged from_internal

Rule 155 does not work. Only rule 156 works, where it matches on the nat-to $VIP and not the original src IP.

    May 27 09:31:02.490795 rule 154/(match) [uid 0, pid 35606] match out on trunk0: [rewritten: src VIP:51292, dst 104.21.54.91:80] 10.3.5.11.54928 > 104.21.54.91.80: S [tcp sum ok] 2359664156:2359664156(0) win 64240 <mss 1460,sackOK,timestamp 2829994921 0,nop,wscale 7> (ttl 63, id 38329, len 60, bad ip cksum 3785! -> 3885)
    May 27 09:31:02.490797 rule 156/(match) [uid 0, pid 35606] pass out on trunk0: [rewritten: src VIP:51292, dst 104.21.54.91:80] 10.3.5.11.54928 > 104.21.54.91.80: S [tcp sum ok] 2359664156:2359664156(0) win 64240 <mss 1460,sackOK,timestamp 2829994921 0,nop,wscale 7> (ttl 63, id 38329, len 60, bad ip cksum 3785! -> 3885)

Is this the correct intended behavior? If so, maybe the FAQ should be updated. I'm worried maybe the code checks (wrongly) on the nat-to src IP and not the original src IP.

Thanks,
Giannis

