Mike Belopuhov(m...@belopuhov.com) on 2016.06.20 00:11:03 +0200:
> On Sun, Jun 19, 2016 at 23:43 +0200, Sebastian Benoit wrote:
> > manpage documents that af-to does not work on pass out rules, but the
> > pf.conf parser allows it, which leads to a non-working configuration being
> > loaded.
> >
> > this changes the parser to make pass out .. af-to an error.
> >
> > ok?
> >
>
> forgot to mention in my previous mail that af-to follows route-to
> in this regard. you can say "pass out route-to" but in fact it's
> sort of pointless since the routing decision has already been made
> by the forwarding code. i'm not certain doing route-to at this
> point produces a working result regarding created states, but that
> would indeed contrast with af-to where this is not a supported
> configuration.
>
> to some extent "pass out af-to" also follows "pass out rdr-to" and
> "pass in nat-to" in a sense that they're not common and might not
> produce results one would expect, yet are parsed and installed into
> the kernel successfully.

yes, i thought these were checked, but there is only a check to make sure rdr/nat-to have a direction, not which one. i'll look at that tomorrow. thanks.
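
The combinations discussed in this thread can be caught in a ruleset before it is loaded. The following is an added example, not part of the thread and not OpenBSD's parser code: a small Python lint that flags `pass out ... af-to` as an error and the two uncommon combinations (`pass out rdr-to`, `pass in nat-to`) as warnings. The sample ruleset is constructed, the `lint` and `logical_lines` names are hypothetical, and the check assumes the direction keyword directly follows `pass` and that `#` never appears inside a quoted string.

```python
# Constructed sample ruleset (not from the thread).
SAMPLE = """\
# NAT64 on the inside interface
pass in on em0 inet6 from any to 64:ff9b::/96 \\
    af-to inet from 198.51.100.1
pass out on em1 inet6 from any to 64:ff9b::/96 af-to inet from 198.51.100.1
pass out on em1 from 10.0.0.0/8 nat-to (em1)  # af-to in a comment is ignored
pass in on em1 proto tcp to port 80 rdr-to 10.0.0.5
pass in on em0 from 10.0.0.0/8 nat-to 198.51.100.1
block out quick on em1 from any to 192.0.2.0/24
"""

# (direction, option) pairs named in the thread, with a severity for each.
FINDINGS = {
    ("out", "af-to"): ("error", "af-to is documented as not working on pass out rules"),
    ("out", "rdr-to"): ("warn", "pass out rdr-to is uncommon and may not behave as expected"),
    ("in", "nat-to"): ("warn", "pass in nat-to is uncommon and may not behave as expected"),
}

def logical_lines(text):
    """Yield (first_line_no, rule): comments stripped, backslash continuations joined."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if start is None:
            start = no
        cont = line.endswith("\\")
        buf.append(line[:-1].strip() if cont else line)
        if not cont:
            rule = " ".join(part for part in buf if part)
            if rule:
                yield start, rule
            buf, start = [], None

def lint(text):
    """Return [(line_no, severity, message)] for pass rules with an explicit direction."""
    results = []
    for no, rule in logical_lines(text):
        tok = rule.split()
        if tok[0] != "pass" or len(tok) < 2 or tok[1] not in ("in", "out"):
            continue  # rules without an explicit direction are not judged here
        for opt in ("af-to", "rdr-to", "nat-to"):
            hit = FINDINGS.get((tok[1], opt))
            if hit and opt in tok[2:]:
                results.append((no, hit[0], hit[1]))
    return results

if __name__ == "__main__":
    for no, severity, message in lint(SAMPLE):
        print(f"line {no}: {severity}: {message}")
```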