Hello,

On Mon, Jan 25, 2021 at 03:21:29PM +0100, Alexander Bluhm wrote:
> Hi,
>
> Some personal thoughts. I am happy when pf route-to gets simpler.
> Especially I have never understood what this address@interface
> syntax is used for.
>
> I cannot estimate what configuration is used by our customers in
> many installations. Simple syntax change address@interface ->
> address of next hop should be no problem. Slight semantic changes
> have to be dealt with. Current packet flow is complicated and may
> be inspired by old NAT behavior. As long as it becomes more sane and
> easier to understand, we should change it.

I'm not sure if the proposed scenario is real. Let's assume there is a PF box
with three NICs running on this awkward set up:

            em1 ... 192.168.1.10

    em0

            em2 ... 192.168.1.10

em0 is attached to LAN, em1 and em2 are facing to internet, which is
reachable with two different physical lines. Both lines are connected via
equipment which uses fixed IP address 192.168.1.10, and PF admin has no
way to change that.

The 'address@interface' syntax is the only way to define rules:

    pass in on em0 from 172.16.0.0/16 route-to 192.168.1.10@em1
    pass in on em0 from 172.17.0.0/16 route-to 192.168.1.10@em2

Regardless of how real such a scenario is, I believe it can currently work.

>
> But I don't like artificial restrictions. We don't know all use
> cases. reply-to and route-to could be used for both in and out
> rules. I have used them for strange divert-to on bridge setups.
> It should stay that way.
>

OK, I agree.

regards
sashan