On 4 June 2013 02:48, Stuart Henderson <[email protected]> wrote:
> On 2013/06/04 02:01, Mike Belopuhov wrote:
>> On 4 June 2013 00:49, Stuart Henderson <[email protected]> wrote:
>> > On a router running PF and isakmpd, I have a rule like this:
>> >
>> > match out on pppoe0 inet all received-on vlan5 nat-to $someip
>> >
>> > I was surprised to find this being applied to packets received on vlan5
>> > and caught by an ipsec flow; the resulting *encapsulated* (proto ESP) packets
>> > (as in, generated on the router itself, not actually themselves received on
>> > vlan5) end up getting natted.
>> >
>> > What does anyone else think...expected or not?
>> >
>>
>> but if you do the same w/o 'received-on' then packets would get natted
>> anyway, wouldn't they?
>
> it's special to received-on - replace it with 'from 10.15.5.0/24' and
> the proto esp packets don't get natted.
>

If you add the "from" then you're changing the filter to
exclude those packets. received-on just looks at the
rcvif stored in the mbuf packet header, and since it's not
changed by anything, you're able to match those packets.

Now, if you want to make ipsec packets look like they've
originated on the host itself, you'd need to reset the
rcvif.
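As an added illustration (not part of the thread, and not a ruleset either poster used), the following pf.conf fragment shows the rule from the thread next to the two ways of keeping locally generated ESP out of the NAT: the `from 10.15.5.0/24` variant Stuart tested, and a `quick` pass rule for ESP placed ahead of the match rule. The interface names, the 10.15.5.0/24 subnet and `$someip` come from the thread; the ESP rule, its placement and the `$someip` value are assumptions of this example.

```pf
# Added example, not from the original thread.
# Interface names, 10.15.5.0/24 and $someip come from the thread; the
# ESP rule and its placement are an assumption of this example.
someip = "192.0.2.1"   # placeholder external address (assumption)

# ESP generated on the router itself still carries rcvif = vlan5 in its
# mbuf packet header (the inner packet really was received there), so a
# received-on rule would match it. 'quick' makes this the last matching
# rule, so the nat-to match rule below is not evaluated for ESP at all.
pass out quick on pppoe0 inet proto esp

# The rule from the thread: it keys on rcvif, so without the quick rule
# above the encapsulated ESP packets get natted along with everything
# else that arrived on vlan5.
match out on pppoe0 inet all received-on vlan5 nat-to $someip

# Alternative from the thread: key on the source address instead.
# The ESP packets are sourced by the router, not by 10.15.5.0/24, so
# they simply do not match and are left alone.
# match out on pppoe0 inet from 10.15.5.0/24 nat-to $someip
```

Order matters here: pf evaluates match rules in sequence and `quick` stops that evaluation, so the ESP rule must come before the `received-on` match rule or it has no effect on the NAT decision.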
