On 27/05/2026 16:33, Stuart Henderson wrote:
> On 2026-05-27, Kapetanakis Giannis <[email protected]> wrote:
>> Hi,
>>
>> I'm trying to replace my pf pass out nat-to rule with 2 rules, a match out
>> and a pass out.
>>
>> tldr after match with nat-to, the following pass rule matches src address
>> not from original src IP but on the new translated IP from nat-to
>
> that is expected behaviour, from pf.conf(5)
>
> +----
> | Translation
> | Translation options modify either the source or destination address and port
> | of the packets associated with a stateful connection. pf(4) modifies the
> | specified address and/or port in the packet and recalculates IP, TCP, and
> | UDP checksums as necessary.
> |
> | If specified on a match rule, subsequent rules will see packets as they look
> | after any addresses and ports have been translated. These rules will
> | therefore have to filter based on the translated address and port number.
> +----
I didn't spot that block in the man page last time. It's very clear.
I did read the part that hb@ sent but it wasn't clear what happens with the src address.
The whole thing makes sense, it is just the FAQ that confused me, since I never used match rules before.

thanks both,

G
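As an added illustration (not part of this thread), a pf.conf fragment showing the pitfall discussed above: once a match rule has applied nat-to, a later pass rule written against the original source network never matches, so it must filter on the translated address or on a tag set by the match rule. The interface group, network and tag name are assumed.

```pf
# Added example, not from the thread. Assumed: LAN 192.168.1.0/24 behind
# the firewall, upstream on the "egress" interface group, default deny.
int_net = "192.168.1.0/24"

block all

# Translate outbound LAN traffic to the egress address and tag it so
# later rules can recognise it without depending on the rewritten source.
match out on egress inet from $int_net nat-to (egress) tag LAN_NAT

# WRONG after the match rule above: when this rule is evaluated the source
# address has already been rewritten to the egress address, so
# "from $int_net" never matches and the traffic falls through to "block all".
# pass out on egress inet proto tcp from $int_net to any port { 80 443 }

# Correct, option 1: filter on the translated source address, as pf.conf(5)
# says subsequent rules must.
pass out on egress inet proto tcp from (egress) to any port { 80 443 }

# Correct, option 2: filter on the tag set by the match rule, which keeps the
# policy expressed as "came from the LAN" rather than as the NAT address.
pass out on egress inet proto tcp to any port { 80 443 } tagged LAN_NAT
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -sr` prints the loaded ruleset so you can confirm the match rule sits before the pass rules.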

