From: Gianni
To: freebsd-pf@freebsd.org
Subject: Re: duplicate nat rules listed by pfctl
Date: Thu, 12 Mar 2009 06:04:08 +0100
Message-Id: <7B51D53B-224C-4887-A017-AF136264F4A9@yahoo.it>
In-Reply-To: <20090311195007.GE3436@verio.net>
References: <6BCCA4DE-FD38-494B-A947-4C1D63775A1A@yahoo.it> <20090311195007.GE3436@verio.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 11/mar/09, at 20:50, David DeSimone wrote:

> Gianni wrote:
>>
>> With the following nat rules pfctl lists duplicate entries, can anyone
>> explain why this is?
>>
>> ext_if = "tun0"
>> nat on $ext_if from $localnet to any -> ($ext_if)
>> no nat on $ext_if from $localnet to $vpn_nets
>
> What is the definition of $localnet?

int_if = "vr0"
localnet = $int_if:network

From your question I now see the answer:

vr0: flags=8843 metric 0 mtu 1500
        options=280b
        inet 192.168.200.250 netmask 0xffffff00 broadcast 192.168.200.255
        inet 192.168.200.249 netmask 0xffffff00 broadcast 192.168.200.255

I've got 2 IP addresses on the interface and the :network shortcut does not
take into account that they are part of the same subnet. If I do

localnet = "192.168.200.0/24"

it's fine, I don't get duplicate entries.

>> # pfctl -s nat
>> nat on tun0 inet from 192.168.200.0/24 to any -> (tun0) round-robin
>> nat on tun0 inet from 192.168.200.0/24 to any -> (tun0) round-robin
>> no nat on tun0 inet from 192.168.200.0/24 to 192.168.0.0/24
>> no nat on tun0 inet from 192.168.200.0/24 to 192.168.0.0/24
>
> Also, don't you think you should put the "no nat" rule before the "nat"
> rules?

Yes, probably! Because the first matching nat rule wins, right?

Thanks
-Gianni
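As an added example (not part of the thread and not pf's own code), the following Python model illustrates the two points raised above: the `:network` modifier expands to one network per address configured on the interface, so two addresses in the same subnet produce two identical rules unless the list is deduplicated; and pf evaluates translation rules first-match, so a `no nat` exception listed after the general `nat` rule never fires for traffic to the VPN networks. The interface table, the tunnel address on tun0, the sample packets and all helper names are constructed for this example.

```python
import ipaddress

# Constructed interface table. vr0 mirrors the ifconfig output in the thread:
# two addresses in the same /24. The tun0 address is an assumption.
IFACES = {
    "vr0": ["192.168.200.250/24", "192.168.200.249/24"],
    "tun0": ["10.8.0.2/32"],
}

def expand_network(ifname, dedupe=False):
    """Model pf's '<if>:network' expansion: one network per address on the
    interface. With dedupe=True the repeated 192.168.200.0/24 collapses."""
    nets = [str(ipaddress.ip_interface(a).network) for a in IFACES[ifname]]
    if dedupe:
        nets = list(dict.fromkeys(nets))  # preserves order, drops repeats
    return nets

def build_rules(ext_if, localnet_nets, vpn_nets, no_nat_first=False):
    """Expand the thread's two rules over every network in $localnet and
    $vpn_nets. Each rule is (action, src_net, dst_net, text)."""
    nat_rules = [
        ("nat", n, "any",
         f"nat on {ext_if} inet from {n} to any -> ({ext_if}) round-robin")
        for n in localnet_nets
    ]
    no_nat_rules = [
        ("no nat", n, v, f"no nat on {ext_if} inet from {n} to {v}")
        for n in localnet_nets for v in vpn_nets
    ]
    # The thread's pf.conf lists "nat" before "no nat"; the suggested fix swaps them.
    return no_nat_rules + nat_rules if no_nat_first else nat_rules + no_nat_rules

def rule_matches(rule, src, dst):
    """A rule matches when the packet's source lies in src_net and the
    destination lies in dst_net ('any' matches every destination)."""
    _, src_net, dst_net, _ = rule
    src_ok = ipaddress.ip_address(src) in ipaddress.ip_network(src_net)
    dst_ok = dst_net == "any" or ipaddress.ip_address(dst) in ipaddress.ip_network(dst_net)
    return src_ok and dst_ok

def translate(rules, src, dst):
    """pf translation semantics: the first matching nat / no nat rule decides.
    Returns 'nat', 'no nat', or 'none' when no rule matches."""
    for rule in rules:
        if rule_matches(rule, src, dst):
            return rule[0]
    return "none"

def show(rules):
    """Render the rule set the way 'pfctl -s nat' prints it in the thread."""
    return "\n".join(r[3] for r in rules)

if __name__ == "__main__":
    vpn_nets = ["192.168.0.0/24"]  # value shown in the pfctl output

    # 1. Duplicate rules from two addresses in one subnet.
    dup_rules = build_rules("tun0", expand_network("vr0"), vpn_nets)
    print("# expanded from $int_if:network")
    print(show(dup_rules))

    # 2. Same rules with localnet written as a single CIDR (no duplicates).
    clean_rules = build_rules("tun0", ["192.168.200.0/24"], vpn_nets)
    print("\n# expanded from localnet = \"192.168.200.0/24\"")
    print(show(clean_rules))

    # 3. Ordering: traffic to the VPN network is still translated when the
    #    'no nat' rule comes second, and exempted when it comes first.
    fixed_rules = build_rules("tun0", ["192.168.200.0/24"], vpn_nets, no_nat_first=True)
    print("\nto VPN, no nat last :", translate(clean_rules, "192.168.200.10", "192.168.0.5"))
    print("to VPN, no nat first:", translate(fixed_rules, "192.168.200.10", "192.168.0.5"))
    print("to Internet, no nat first:", translate(fixed_rules, "192.168.200.10", "203.0.113.9"))
```

Running the script prints the doubled rule set first, then the single-CIDR version, and finally shows that with the original ordering a packet from 192.168.200.10 to 192.168.0.5 is translated, while with `no nat` moved ahead of `nat` it is exempted and Internet-bound traffic is still translated.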