Re: Apparent problem with divert-to rule parsing

2012-11-19 Thread Stuart Henderson
On 2012/11/19 00:02, gpon...@spamcop.net wrote:
 While porting a 4.9 pf.conf to 5.2 I came across something that looks
 like it might be a bug. The affected line was the pass in rule to
 send forward FTP requests to the proxy on the firewall.
 
 The following rule would not load:
 
 pass in quick on $IntIf inet proto tcp to port ftp divert-to lo0 port 8021
 
 The error message was:
 
 pf.conf:207: address family mismatch for divert
 
 If lo0 is replaced with 127.0.0.1 then it loads and works correctly.
 However, 127.0.0.1 is properly substituted for lo0 when using rdr-to.
 
 George

It would be nice if this worked, though it looks like it's non-trivial
to do (rdr-to is parsed in a different way to divert-to) - however, I'd
like to make sure that at least the documentation for ftp-proxy is
correct, did you find this rule in documentation somewhere?


Re: Apparent problem with divert-to rule parsing

2012-11-19 Thread gpontis

 The following rule would not load:

 pass in quick on $IntIf inet proto tcp to port ftp divert-to lo0 port 8021

 The error message was:

 pf.conf:207: address family mismatch for divert

 If lo0 is replaced with 127.0.0.1 then it loads and works correctly.
 However, 127.0.0.1 is properly substituted for lo0 when using rdr-to.

 George

 It would be nice if this worked, though it looks like it's non-trivial
 to do (rdr-to is parsed in a different way to divert-to) - however, I'd
 like to make sure that at least the documentation for ftp-proxy is
 correct, did you find this rule in documentation somewhere?


The only place where I found divert-to being referenced was in the
ftp-proxy documentation, and it was shown with 127.0.0.1. It was I
that made the switch to lo0, to be consistent with other rules in the
pf.conf.


Geo.
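
An added example, not part of the thread and not code from pf or ftp-proxy: a small Python lint that scans a pf.conf for divert-to rules whose target is an interface name or macro rather than a literal address, the form reported above as failing to load. The comparison against the rule's inet/inet6 keyword is an assumption drawn from the wording of the error message, and the sample rules are constructed.

```python
import ipaddress
import re

# Matches "divert-to <host> port <port>" as written in the rule from the thread.
DIVERT_RE = re.compile(r"\bdivert-to\s+(\S+)\s+port\s+(\S+)")

# Constructed sample input: the failing and working forms from the thread,
# plus one rule whose literal address disagrees with the rule's family keyword.
SAMPLE = """\
# constructed sample pf.conf
pass in quick on $IntIf inet proto tcp to port ftp divert-to lo0 port 8021
pass in quick on $IntIf inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
pass in quick on $IntIf inet6 proto tcp to port ftp divert-to 127.0.0.1 port 8021
"""

def check_divert_rules(text):
    """Return (line_number, message) for each divert-to rule worth reviewing.

    Limitations: rules continued with a trailing backslash are not joined,
    and macros are not expanded, so a macro target is reported as non-literal.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop comments
        match = DIVERT_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            findings.append((lineno, f"divert-to target '{target}' is not a literal address"))
            continue
        # Assumption: a literal address should agree with the rule's inet/inet6 keyword.
        tokens = line.split()
        declared = "inet6" if "inet6" in tokens else "inet" if "inet" in tokens else None
        actual = "inet6" if addr.version == 6 else "inet"
        if declared and declared != actual:
            findings.append((lineno, f"divert-to {target} is {actual} but the rule says {declared}"))
    return findings

if __name__ == "__main__":
    for lineno, message in check_divert_rules(SAMPLE):
        print(f"line {lineno}: {message}")
```

Running it over a ported ruleset before `pfctl -nf` points at the rules to rewrite with a literal address; pfctl remains the authority on whether the file loads.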