Re: pf.conf.5 translation option happens immediately only on match rules

2017-05-31 Thread Henning Brauer
* Tony Gong  [2017-05-31 10:28]:
> Pretty sure pf applies translations immediately only if the rule is a
> match rule.
> Diff makes this clear in the man page.

yup, in, thx

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



pf.conf.5 translation option happens immediately only on match rules

2017-05-31 Thread Tony Gong
Pretty sure pf applies translations immediately only if the rule is a
match rule.
Diff makes this clear in the man page.


diff --git share/man/man5/pf.conf.5 share/man/man5/pf.conf.5
index d76129deb47..7fa4bde1495 100644
--- share/man/man5/pf.conf.5
+++ share/man/man5/pf.conf.5
@@ -808,7 +808,9 @@ port of the packets associated with a stateful connection.
 modifies the specified address and/or port in the packet and recalculates
 IP, TCP, and UDP checksums as necessary.
 .Pp
-Subsequent rules will see packets as they look
+If specified on a
+.Ic match
+rule, subsequent rules will see packets as they look
 after any addresses and ports have been translated.
 These rules will therefore have to filter based on the translated
 address and port number.
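Review bot: The new condition at "+If specified on a" / "+.Ic match" covers only the match case, so this paragraph still does not say what subsequent rules see when the translation option sits on a non-match rule such as pass. Readers who filter after a translating pass rule are left to infer the behaviour, and the following context sentence "These rules will therefore have to filter based on the translated address and port number" now applies only to rules after a match rule without saying so. Consider adding one sentence after it that states the non-match case explicitly. As a smaller wording point, "If specified" has no explicit subject; "If the translation option is specified on a match rule" (or whatever term the surrounding section uses) would read unambiguously.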