If you use a macro in a binat-to rule that contains multiple IPs like
so:
home_ipv4 = "{" 10.22.28.100 10.74.13.26 10.0.10.2 "}"
pass on $egress_if from 172.28.0.107 to $home_ipv4 binat-to 10.39.177.145
It will create a cascade of duplicate inbound pass rules like
so:
1) pass out on em0 inet from 172.28.0.107 to 10.22.28.100 flags S/SA nat-to
10.39.177.145 static-port
2) pass in on em0 inet from 10.22.28.100 to 10.39.177.145 flags S/SA rdr-to
172.28.0.107
3) pass in on em0 inet from 10.74.13.26 to 10.39.177.145 flags S/SA rdr-to
172.28.0.107
4) pass in on em0 inet from 10.0.10.2 to 10.39.177.145 flags S/SA rdr-to
172.28.0.107
5) pass out on em0 inet from 172.28.0.107 to 10.74.13.26 flags S/SA nat-to
10.39.177.145 static-port
6) pass in on em0 inet from 10.74.13.26 to 10.39.177.145 flags S/SA rdr-to
172.28.0.107
7) pass in on em0 inet from 10.0.10.2 to 10.39.177.145 flags S/SA rdr-to
172.28.0.107
8) pass out on em0 inet from 172.28.0.107 to 10.0.10.2 flags S/SA nat-to
10.39.177.145 static-port
9) pass in on em0 inet from 10.0.10.2 to 10.39.177.145 flags S/SA rdr-to
172.28.0.107
Lines 3 and 6 are duplicates and lines 4, 7, and 9 are duplicates.
Tested on 5.8. Not a big deal, but I figured I would mention
it since I noticed.
--TimH
