On Thu, Feb 7, 2013 at 10:09 AM, Stuart Henderson <s...@spacehopper.org>wrote:
> On 2013/02/07 10:01, sven falempin wrote:
> > On Thu, Feb 7, 2013 at 9:44 AM, Stuart Henderson <s...@spacehopper.org> wrote:
> >
> > > On 2013/02/07 09:26, sven falempin wrote:
> > > > egress, vr0, ext are all the same, aren't they?
> > >
> > > Probably, but you didn't give enough information to be sure.
> > >
> > > For example if you have IPv6 via a tunnel interface (or perhaps
> > > more importantly, if you later add it), then that will also be
> > > in the egress group but might not have an IPv4 address and I
> > > haven't tested to see how that works. Or if you have a lower
> > > priority default route via another interface that you didn't
> > > mention, then that could also be in 'egress'. Perhaps unlikely
> > > but without the information I don't want to make assumptions.
> > >
> > > (Personally I do like using interface groups where I'm referring
> > > to the interface, but try and tie things down a bit further for
> > > IP addresses especially for NAT).
> >
> > My problem is the time between an IP address change on an interface and
> > the NAT rules actually using the new address.
> > For my rules I am happy with my ext, but I will test vr0 to see if it is
> > faster.
> > Or maybe dive into the source if I am bored.
>
> From the manpage section I quoted earlier:
>
>     WHEN THE INTERFACE NAME IS SURROUNDED BY PARENTHESES, THE RULE IS
>     AUTOMATICALLY UPDATED WHENEVER THE INTERFACE CHANGES ITS ADDRESS.
>     THE RULESET DOES NOT NEED TO BE RELOADED. THIS IS ESPECIALLY
>     USEFUL WITH NAT.

    # cat -n /etc/pf.conf | grep nat
        26  match out on vr0 from 192.168.42.0/24 to !(self) nat-to ext
        28  match out on ext from 192.168.142.0/24 to !(self) nat-to ext
    # pfctl -nf /etc/pf.conf
    /etc/pf.conf:26: syntax error
    /etc/pf.conf:28: syntax error

:-(

-- 
()  ascii ribbon campaign - against html e-mail
/\
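An added illustration of the manpage point Stuart quotes, not taken from the thread and not a diagnosis of the two syntax errors above: the NAT rule in its static form next to the parenthesised, self-updating form. It assumes vr0 is the DHCP-addressed external interface and 192.168.42.0/24 is the LAN, as in Sven's ruleset; the macro names are mine.

```pf
# Added example (not from the thread). Assumes: vr0 is the external,
# DHCP-addressed interface; 192.168.42.0/24 is the LAN behind it.
ext_if  = "vr0"
lan_net = "192.168.42.0/24"

# Static form: the address of vr0 is resolved once, when the ruleset is
# loaded. After a DHCP renewal that hands out a new address, outbound
# traffic keeps being translated to the stale address until the ruleset
# is reloaded with "pfctl -f /etc/pf.conf".
#match out on egress inet from $lan_net to !self nat-to $ext_if

# Dynamic form: the parentheses make pf re-resolve the address whenever
# vr0's address changes, with no reload. The group "egress" is still fine
# for the "on" part (that is only the interface the packet leaves on);
# the translation address is tied to one named interface on purpose, so
# an IPv6 tunnel or a second default-route interface that later joins
# the egress group cannot be picked as the NAT source. "inet" limits the
# rule to IPv4.
match out on egress inet from $lan_net to !self nat-to ($ext_if)
pass  out on egress inet from $lan_net to !self
```

Use `($ext_if:0)` instead of `($ext_if)` if vr0 carries alias addresses and only the primary one should be used for translation. Check the file with `pfctl -nf /etc/pf.conf` before loading: `-n` parses and reports errors without touching the running ruleset. To confirm that the dynamic rule actually followed an address change, `pfctl -sr` shows the rule as written, while `pfctl -ss` shows the source address states are being translated to after the renewal.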