On 2021/09/22 11:28, Landry Breuil wrote:
> On Tue, Sep 21, 2021 at 10:40:12PM +0200, Sebastian Benoit wrote:
> > Alexander Bluhm([email protected]) on 2021.09.21 22:34:09 +0200:
> > > On Mon, Sep 20, 2021 at 03:54:58PM +0200, Landry Breuil wrote:
> > > > did i screw up something somewhere in my config and there's a better way
> > > > for that ?
> > > 
> > > This was changed in February.  No more interface, but gateway
> > > addresses.  It seems that some parts of the documentation were
> > > missed.
> > > 
> > > > should the manpage be improved for reply-to and talk about 'destination
> > > > address' instead of 'interface' like route-to does ?
> > > 
> > > Yes.
> > > 
> > > It looks like most information is in the commit message.
> > > https://marc.info/?l=openbsd-cvs&m=161213948819452&w=2
> > 
> > It's also on http://www.openbsd.org/faq/upgrade69.html
> 
> my english sucks and i'm not sure i got the meaning right, but here's a
> try:
> 
> Index: pf.conf.5
> ===================================================================
> RCS file: /cvs/src/share/man/man5/pf.conf.5,v
> retrieving revision 1.587
> diff -u -r1.587 pf.conf.5
> --- pf.conf.5 19 Jul 2021 16:23:56 -0000      1.587
> +++ pf.conf.5 22 Sep 2021 09:23:14 -0000
> @@ -1103,13 +1103,14 @@
>  option is similar to
>  .Cm route-to ,
>  but routes packets that pass in the opposite direction (replies) to the
> -specified interface.
> +specified address.
>  Opposite direction is only defined in the context of a state entry, and
>  .Cm reply-to
>  is useful only in rules that create state.
>  It can be used on systems with multiple external connections to
> -route all outgoing packets of a connection through the interface
> -the incoming connection arrived through (symmetric routing enforcement).
> +route all outgoing packets of a connection through the interface the incoming
> +connection arrived through (symmetric routing enforcement) via the address of
> +the gateway specified in the rule.

I think using "connection" twice (internet connection, and TCP/UDP/...
connection) can make this harder to read. Not 100% happy with this and
I have to go out so won't do any more wordsmithing now, but maybe it
gives some ideas?

  It can be used on systems with multiple paths to the internet to ensure
  that replies to an incoming network connection to a particular address
  are sent using the path associated with that address (symmetric routing
  enforcement).
  This is done by specifying the address of the gateway in "reply-to".



>  .It Cm route-to
>  The
>  .Cm route-to
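
Review bot: The last added sentence ("through the interface the incoming connection arrived through ... via the address of the gateway specified in the rule") still explains reply-to in terms of an interface, while the first changed line now says replies are routed to the "specified address", so the paragraph mixes the two descriptions. Suggest naming the argument once as the gateway address, for example "specified gateway address" in the first sentence, and dropping the interface wording from the second. Re-wrapping the two removed lines also hides that only the trailing clause is new; keeping the original line breaks and adding the clause on its own line would make the change easier to check.
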
> 
> i wouldn't know how to change the example in faq/upgrade69.html as it is valid
> (but only specific to the case of a point-to-point interface with a :peer
> property)
> 
> ccing experts :)
> 
