https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=288577
--- Comment #3 from [email protected] ---
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=646798b6783184fb194a2d97667e05895e00c358

commit 646798b6783184fb194a2d97667e05895e00c358
Author:     Kajetan Staszkiewicz <[email protected]>
AuthorDate: 2025-10-01 13:51:46 +0000
Commit:     Kajetan Staszkiewicz <[email protected]>
CommitDate: 2025-10-30 17:32:21 +0000

    pf: Make nat-to and rdr-to work properly both on in and out rules

    New-style address translation is done by nat-to and rdr-to actions on
    normal match and pass rules. Those rules, when used without address
    translation, can be specified without direction. But that allows users
    to specify pre-routing nat and post-routing rdr. This case is not
    handled properly and causes pre-routing nat to modify destination
    address, as if it was a rdr rule, and post-routing rdr to modify source
    address, as if it was a nat rule.

    Ensure that nat-to action modifies source address and rdr-to
    destination address no matter in which direction the rule is applied.

    The man page for pf.conf already specifies that nat-to and rdr-to rules
    should be limited to respective directions.

    PR:             288577
    Reviewed by:    kp
    MFC after:      3 days
    Sponsored by:   InnoGames GmbH
    Differential Revision:  https://reviews.freebsd.org/D53216

 sys/netpfil/pf/pf_lb.c      | 16 +++++++++++++--
 tests/sys/netpfil/pf/nat.sh | 47 +++++++++++++++++++++++++++++++++++++++------
 2 files changed, 55 insertions(+), 8 deletions(-)

-- 
You are receiving this mail because:
You are the assignee for the bug.
