On 2007/06/08 14:10, Stuart Henderson wrote:
> On 2007/06/08 14:31, Yggdrasill Senecoen wrote:
> >
> > I want to have the same as making 2 nat rules with each his own
> > interface ($Ethernet and $Wifi), isn't possible ?
>
> You can do this using interface groups, you can set these up with
> the ifconfig(8) 'group' option (via hostname.if, usually).
ugh, I can see why noone's done the docs for this yet.
I think it should go something like this, but BNF is easier
to read than write, and I may have missed something in my
testing of where group names are allowed...
Index: share/man/man5/pf.conf.5
===================================================================
RCS file: /cvs/src/share/man/man5/pf.conf.5,v
retrieving revision 1.379
diff -u -p -r1.379 pf.conf.5
--- share/man/man5/pf.conf.5 8 May 2007 23:38:12 -0000 1.379
+++ share/man/man5/pf.conf.5 8 Jun 2007 14:05:05 -0000
@@ -1419,7 +1419,8 @@ This rule applies only to packets with t
addresses and ports.
.Pp
Addresses can be specified in CIDR notation (matching netblocks), as
-symbolic host names or interface names, or as any of the following keywords:
+symbolic host names, interface names or interface group names, or as any
+of the following keywords:
.Pp
.Bl -tag -width xxxxxxxxxxxxxx -compact
.It Ar any
@@ -1441,7 +1442,7 @@ the route back to the packet's source ad
Any address that matches the given table.
.El
.Pp
-Interface names can have modifiers appended:
+Interface names and interface group names can have modifiers appended:
.Pp
.Bl -tag -width xxxxxxxxxxxx -compact
.It Ar :network
@@ -2761,7 +2762,7 @@ option = "set" ( [ "timeout" ( t
[ "state-policy" ( "if-bound" | "floating" ) ]
[ "require-order" ( "yes" | "no" ) ]
[ "fingerprints" filename ] |
- [ "skip on" ( interface-name | "{" interface-list "}" ) ] |
+ [ "skip on" ifspec ] |
[ "debug" ( "none" | "urgent" | "misc" | "loud" ) ] )
pf-rule = action [ ( "in" | "out" ) ]
@@ -2803,8 +2804,7 @@ rdr-rule = [ "no" ] "rdr" [ "pass"
[ portspec ] [ pooltype ] ]
antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
- "for" ( interface-name | "{" interface-list "}" )
- [ af ] [ "label" string ]
+ "for" ifspec [ af ] [ "label" string ]
table-rule = "table" "\*(Lt" string "\*(Gt" [ tableopts-list ]
tableopts-list = tableopts-list tableopts | tableopts
@@ -2812,8 +2812,8 @@ tableopts = "persist" | "const" | "
"{" [ tableaddr-list ] "}"
tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec
tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ]
-tableaddr = hostname | ipv4-dotted-quad | ipv6-coloned-hex |
- interface-name | "self"
+tableaddr = hostname | ifspec | "self" |
+ ipv4-dotted-quad | ipv6-coloned-hex
altq-rule = "altq on" interface-name queueopts-list
"queue" subqueue
@@ -2844,8 +2844,10 @@ return = "drop" | "return" | "re
icmpcode = ( icmp-code-name | icmp-code-number )
icmp6code = ( icmp6-code-name | icmp6-code-number )
-ifspec = ( [ "!" ] interface-name ) | "{" interface-list "}"
-interface-list = [ "!" ] interface-name [ [ "," ] interface-list ]
+ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |
+ "{" interface-list "}"
+interface-list = [ "!" ] ( interface-name | interface-group )
+ [ [ "," ] interface-list ]
route = ( "route-to" | "reply-to" | "dup-to" )
( routehost | "{" routehost-list "}" )
[ pooltype ]
@@ -2865,8 +2867,9 @@ ipspec = "any" | host | "{" host
host = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" )
redirhost = address [ "/" mask-bits ]
routehost = "(" interface-name [ address [ "/" mask-bits ] ] ")"
-address = ( interface-name | "(" interface-name ")" | hostname |
- ipv4-dotted-quad | ipv6-coloned-hex )
+address = ( interface-name | interface-group |
+ "(" ( interface-name | interface-group ) ")" |
+ hostname | ipv4-dotted-quad | ipv6-coloned-hex )
host-list = host [ [ "," ] host-list ]
redirhost-list = redirhost [ [ "," ] redirhost-list ]
routehost-list = routehost [ [ "," ] routehost-list ]
