Although henning@ (in http://marc.info/?l=openbsd-misc&m=125181847818600&w=2) said:

8><--- snip
the new NAT code is very very very flexible. every matching "match" rule changes the address on the fly (not really, but that is what it looks like for subsequent rules), and you can nat or rdr multiple times. for pass rules, only the last matching one matters.

so given

    match out on $ext_if nat-to 1.2.3.4
    match out on $ext_if to 1.2.3.4 nat-to 5.6.7.8

both rules will match and 5.6.7.8 will be the new src address. however, with

    pass out on $ext_if nat-to 1.2.3.4
    pass out on $ext_if nat-to 5.6.7.8

ONLY the second one matters for NAT. same semantic that match rules have for a lot of other stuff (altq, rtable, log, scrub).
8><-------end snip

there is no mention of the "pass out on $ext_if nat-to 1.2.3.4" way of doing NAT in the pf.conf manpage for a "vanilla" firewall. There is one use of the construct, but it refers to an unlikely scenario of NATting to a "fake internal" network. That wouldn't jump out of the page to a beginner wanting a simple RFC1928 LAN. There is no obvious hint as to why I'd ever want to use the "match out" ... "nat-to" form.

I think we have the <man page written by experts> in spades. I've transitioned from ipf through pf up to 4.6 without hassles, and I've found it easy to get newbies started with a quick run over the manpages. I've also done a few tricky things because the BNF section gave me clues and I tried them out. BNF didn't help me this time: configs that parse correctly don't always function. Further, the (only) sample pf.conf, the one in /etc, doesn't really represent a useful ruleset.

I've got everything <I> need working but am concerned about the unusual lack of clarity for somebody who has not been using pf for years. At one stage we had a bunch of samples in a /usr/somepath directory and a typical beginner's firewall template with commented-out spamd stuff in /etc.

I have been learning a lot about presenting info to people who don't already know it, so I'm ready to work with you guys on making pf docs less of a proficiency test. ;-)

R/

*** NOTE *** Please DO NOT CC me. I <am> subscribed to the list. Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thank you.
Rod/ --- This life is not the real thing. It is not even in Beta. If it was, then OpenBSD would already have a man page for it.
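To make the match/pass nat-to semantics quoted from henning@ concrete, here is an added example that is not part of the post and not OpenBSD's pf code: a parser for a tiny subset of pf.conf rule syntax ("match|pass out on IF [from A] [to B] [nat-to C]", with $macro expansion) and an evaluator that walks a ruleset the way the quoted text describes. Match rules with nat-to rewrite the source address that later rules see; pass rules with nat-to do not, and after the walk the last matching pass rule's nat-to decides. The rulesets inside are the two from the quote, a "from" variant constructed to make the on-the-fly rewrite visible, and a plain RFC1918-LAN-behind-one-address ruleset of the kind the post says the manpage does not spell out. Interface names, macro values and addresses are constructed (documentation ranges), and the choice that a pass rule's nat-to takes precedence over an earlier match rewrite is this model's assumption, not something the post states.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed illustration, not pf's own code: a parser for a small subset of
# pf.conf rule syntax and an evaluator modelling the match/pass nat-to
# semantics described by henning@. Only
#   match|pass out on IF [from A] [to B] [nat-to C]
# is understood; $macros are expanded textually, as pf.conf does.
RULE_RE = re.compile(
    r"^(?P<action>match|pass)\s+out\s+on\s+(?P<iface>\S+)"
    r"(?:\s+from\s+(?P<src>\S+))?"
    r"(?:\s+to\s+(?P<dst>\S+))?"
    r"(?:\s+nat-to\s+(?P<nat>\S+))?$"
)


@dataclass
class Rule:
    action: str            # "match" or "pass"
    iface: str
    src: Optional[str]     # host or CIDR; None means "any"
    dst: Optional[str]
    nat_to: Optional[str]  # replacement source address, if the rule has nat-to


def parse_rules(conf: str, macros: Optional[dict] = None) -> list:
    """Expand $macros, drop comments and blank lines, parse each rule in order."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        for name, value in (macros or {}).items():
            line = line.replace("$" + name, value)
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unsupported rule syntax in this model: " + line)
        rules.append(Rule(m["action"], m["iface"], m["src"], m["dst"], m["nat"]))
    return rules


def addr_matches(spec: Optional[str], addr: str) -> bool:
    """No spec or "any" matches everything; otherwise host or CIDR membership."""
    if spec is None or spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def translated_source(rules: list, iface: str, src: str, dst: str) -> str:
    """Source address an outbound packet leaves with, per henning@'s description.

    A matching "match ... nat-to" rewrites the source at once, so later rules are
    evaluated against the new address. A matching "pass ... nat-to" leaves what
    later rules see untouched; after the walk, the last matching pass rule's
    nat-to (if any) wins. With no matching pass rule the packet passes by default
    (this subset has no block rules), carrying whatever match rules did to it.
    Assumption of this model: a pass rule's nat-to overrides earlier match rewrites.
    """
    seen_src = src
    last_pass = None
    for r in rules:
        if r.iface != iface:
            continue
        if not (addr_matches(r.src, seen_src) and addr_matches(r.dst, dst)):
            continue
        if r.action == "match":
            if r.nat_to:
                seen_src = r.nat_to
        else:
            last_pass = r
    if last_pass is not None and last_pass.nat_to:
        return last_pass.nat_to
    return seen_src


# Constructed macro values (documentation address ranges).
MACROS = {"ext_if": "em0", "int_net": "192.168.1.0/24", "ext_addr": "203.0.113.1"}

# The two rulesets quoted from henning@.
MATCH_PAIR = """
match out on $ext_if nat-to 1.2.3.4
match out on $ext_if to 1.2.3.4 nat-to 5.6.7.8
"""
PASS_PAIR = """
pass out on $ext_if nat-to 1.2.3.4
pass out on $ext_if nat-to 5.6.7.8
"""
# Constructed "from" variants: the second rule only matches if it sees the
# address the first rule wrote, which is exactly where match and pass differ.
MATCH_CHAIN = """
match out on $ext_if nat-to 1.2.3.4
match out on $ext_if from 1.2.3.4 nat-to 5.6.7.8
"""
PASS_CHAIN = """
pass out on $ext_if nat-to 1.2.3.4
pass out on $ext_if from 1.2.3.4 nat-to 5.6.7.8
"""
# A plain private LAN behind one public address (constructed).
LAN_NAT = """
match out on $ext_if from $int_net nat-to $ext_addr
pass out on $ext_if
"""

if __name__ == "__main__":
    for name, conf in [("MATCH_PAIR", MATCH_PAIR), ("PASS_PAIR", PASS_PAIR),
                       ("MATCH_CHAIN", MATCH_CHAIN), ("PASS_CHAIN", PASS_CHAIN),
                       ("LAN_NAT", LAN_NAT)]:
        rules = parse_rules(conf, MACROS)
        print(name, "->", translated_source(rules, "em0", "192.168.1.10", "1.2.3.4"))
```

Running it shows the point of the quote: MATCH_CHAIN ends up with source 5.6.7.8 because the second match rule sees 1.2.3.4, while PASS_CHAIN stays at 1.2.3.4 because the second pass rule is evaluated against the original 192.168.1.10 and never matches. The LAN_NAT ruleset is the "match out ... nat-to" form the post asks the manpage to show for a simple private LAN.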
