On Tuesday 21 August 2007, Stuart Henderson wrote:
> "Since translation occurs before filtering the filter engine will see
>      packets as they look after any addresses and ports have been
> translated."

I have read that in the docs, but how do I reconcile it with the ruleset on
http://openbsd.org/faq/pf/tagging.html ?

The example (which I relied heavily on) shows basically:
================
nat on $ext_if tag LAN_INET_NAT tagged LAN_INET -> ($ext_if)
pass in on $int_if from $int_net tag LAN_INET keep state
pass out quick on $ext_if tagged LAN_INET_NAT keep state
================

It seems that the pass in rule is applied before the nat rule; otherwise there
would be no packets tagged LAN_INET and therefore no packets would end up
being tagged LAN_INET_NAT. What I'm suggesting is that for the above ruleset
to seem valid the 'pass in' filter happens first, the 'nat' (translation)
happens next, then the 'pass out' filter is applied. Of course, maybe only
the tagging portion happens in the order outlined but nothing else does
(which is at the least counterintuitive).

> nat on $att_if from $xxx_net -> $xxx_ip
> nat on $att_if from $yyy_net -> $yyy_ip
> pass out on $att_if route-to ($xxx_route) from $xxx_ip
> pass out on $att_if route-to ($yyy_route) from $yyy_ip

So change:
nat on $wow_8_if inet tag WOW_8_NAT tagged WOW_8 -> $wow_8_ad1
nat on $wow_4_if inet tag WOW_4_NAT tagged WOW_4 -> $wow_4_ad1

to:
nat on $att_if inet tag WOW_8_NAT tagged WOW_8 -> $wow_8_ad1
nat on $att_if inet tag WOW_4_NAT tagged WOW_4 -> $wow_4_ad1

?

Thanks.

--
Chris
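To make the order the FAQ ruleset relies on concrete, here is a small model of how one packet moves through the three rules above (an added illustration, not code from the thread or from pf itself). It assumes the documented order: the packet is filtered inbound on the interface it arrives on, and on the outbound interface translation runs before the 'pass out' filter, so the out filter sees the translated, re-tagged packet. Interface names and addresses are constructed.

```python
import ipaddress

# Constructed stand-ins for the macros in the FAQ ruleset.
INT_IF, EXT_IF = "em1", "em0"                        # $int_if, $ext_if
INT_NET = ipaddress.ip_network("192.168.1.0/24")     # $int_net
EXT_ADDR = "203.0.113.10"                            # address of ($ext_if)


def pass_in(pkt):
    """pass in on $int_if from $int_net tag LAN_INET keep state"""
    if pkt["in_if"] == INT_IF and ipaddress.ip_address(pkt["src"]) in INT_NET:
        pkt["tag"] = "LAN_INET"
        return True
    return False


def nat_out(pkt):
    """nat on $ext_if tag LAN_INET_NAT tagged LAN_INET -> ($ext_if)"""
    if pkt["out_if"] == EXT_IF and pkt["tag"] == "LAN_INET":
        pkt["src"] = EXT_ADDR          # translate source address
        pkt["tag"] = "LAN_INET_NAT"    # re-tag so the out filter can match
        return True
    return False


def pass_out(pkt):
    """pass out quick on $ext_if tagged LAN_INET_NAT keep state"""
    return pkt["out_if"] == EXT_IF and pkt["tag"] == "LAN_INET_NAT"


def forward(src, dst):
    """Walk one LAN->Internet packet through the rules in the assumed order.
    Returns the final packet state plus a trace of which rules matched.
    A packet that matches none of the three is left untranslated and untagged;
    what happens to it then depends on the rest of the ruleset."""
    pkt = {"src": src, "dst": dst, "in_if": INT_IF, "out_if": EXT_IF, "tag": None}
    trace = []
    # 1. inbound filter on $int_if: this is where the LAN_INET tag is set
    trace.append(("pass in", pass_in(pkt)))
    # 2. translation on $ext_if: matches only packets already tagged LAN_INET
    trace.append(("nat", nat_out(pkt)))
    # 3. outbound filter on $ext_if: sees the translated, re-tagged packet
    trace.append(("pass out", pass_out(pkt)))
    return {"passed": trace[-1][1], "trace": trace, "pkt": pkt}
```

Running `forward("192.168.1.5", "198.51.100.7")` shows all three rules matching in turn, while a source outside $int_net is never tagged, is never translated, and never matches the 'pass out quick' rule.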
