On 2026-05-27, Kapetanakis Giannis <[email protected]> wrote:
> Hi,
>
> I'm trying to replace my pf pass out nat-to rule with 2 rules, match out and
> a pass out.
>
> tldr after match with nat-to, the following pass rule matches src address not
> from original src IP but on the new translated IP from nat-to

that is expected behaviour, from pf.conf(5)

+----
| Translation
| Translation options modify either the source or destination address and port
| of the packets associated with a stateful connection. pf(4) modifies the
| specified address and/or port in the packet and recalculates IP, TCP, and
| UDP checksums as necessary.
|
| If specified on a match rule, subsequent rules will see packets as they look
| after any addresses and ports have been translated. These rules will
| therefore have to filter based on the translated address and port number.
+----

> According to FAQ (https://www.openbsd.org/faq/pf/nat.html)
>
> match out on tl0 from 192.168.1.0/24 to any nat-to 198.51.100.1
> pass on tl0 from 192.168.1.0/24 to any

yes, that does not tally with how translation rules work.

> Is this the correct intended behavior? If so maybe the FAQ should be updated.
> I'm worried maybe the code checks (wrongly) on nat-to src IP and not original
> src ip.

i don't think faq/pf has been carefully reviewed by people that know PF in a
long time (if at all). i recommend not relying on the faq for PF stuff, the
pf.conf(5) manual is the best source of information.
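As an added illustration (not part of the thread or the FAQ), the FAQ's rule pair beside forms that follow the pf.conf(5) text quoted above; the interface tl0, the 192.168.1.0/24 LAN and 198.51.100.1 are the values from the quoted FAQ snippet, and the tag name NAT_LAN is an assumption:

```pf
# Constructed example: tl0, 192.168.1.0/24 and 198.51.100.1 are the values
# used in the FAQ snippet quoted in the thread.

# As written in the FAQ. Once the match rule has applied nat-to, the pass
# rule is evaluated against source 198.51.100.1, so "from 192.168.1.0/24"
# does not match the translated LAN traffic (under a block-all default
# policy that traffic is blocked).
match out on tl0 from 192.168.1.0/24 to any nat-to 198.51.100.1
pass on tl0 from 192.168.1.0/24 to any

# Corrected: filter on the translated address, which is what subsequent
# rules see after a match rule with nat-to.
match out on tl0 from 192.168.1.0/24 to any nat-to 198.51.100.1
pass out on tl0 from 198.51.100.1 to any

# Alternative that keeps the pre-translation identity in the filter decision:
# tag the packet on the match rule (tag name NAT_LAN is an assumption) and
# pass on the tag, so the pass rule does not depend on the NAT address.
match out on tl0 from 192.168.1.0/24 to any nat-to 198.51.100.1 tag NAT_LAN
pass out on tl0 tagged NAT_LAN

# Or keep translation and filtering in a single rule, as the original
# configuration did: the source address is checked before nat-to is applied.
pass out on tl0 from 192.168.1.0/24 to any nat-to 198.51.100.1
```

Load with pfctl -nf to syntax-check the ruleset before applying it.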

