From owner-freebsd-pf@FreeBSD.ORG Wed Jan 27 00:05:09 2010
From: Ludovico Cavedon
To: freebsd-pf@freebsd.org
Date: Wed, 27 Jan 2010 00:01:01 +0000 (UTC)
Subject: allow-opts on a nat pass rule

Hi all,

I have a FreeBSD firewall with a configuration like this:

#### BEGIN ###
ext_if4="em0" # public interface
int_if="em1" # private interface, to be source NATted

nat pass log (to pflog2) on $ext_if4 inet from $int_if:network to ! ($ext_if4) -> ($ext_if4)

block drop log # logs to pflog0

pass quick log (to pflog1) on $int_if allow-opts # private network
pass out from ($ext_if4) allow-opts modulate state # public network
#### END ###

If I send a packet to a public host from a private one, everything is fine: the packet arrives at the destination, and is logged by pflog1 and pflog2.

If this packet, however, contains an IP option (e.g. NOP), the packet is blocked by the firewall, and logged by pflog1 and pflog0.

Looks like it is not possible to specify "allow-opts" for the "nat pass" rules.

Is there any way I can get packets with IP options to be NATted?

Thank you in advance,
Ludovico
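One way to get IP-option packets through the translation, added here as an example and not part of Ludovico's message or of the pf project's own documentation: drop the `pass` modifier from the nat rule. The `pass` modifier on a nat rule hands the packet to the default rule without evaluating the filter rules, and the default rule carries no allow-opts, which is why the packet is dropped even though the rules on both interfaces allow options. Without `pass`, the translated packet (whose source address is already the `($ext_if4)` address by the time filter rules run) is evaluated by the filter rules and matches the existing `pass out ... allow-opts` rule. The interface names and the ruleset below are the poster's; the claim that the outbound rule now matches the translated packet is my assumption about pf's rule-evaluation order, to be confirmed with the checks described after the block.

```pf
# Added example ruleset (not the original poster's); same interfaces as above.
ext_if4="em0"   # public interface
int_if="em1"    # private interface, to be source NATted

# Translate and log to pflog2 as before, but WITHOUT "pass": the translated
# packet is evaluated by the filter rules below instead of being handed to the
# default rule, which has no allow-opts and therefore drops packets with options.
nat log (to pflog2) on $ext_if4 inet from $int_if:network to ! ($ext_if4) -> ($ext_if4)

block drop log   # still logs to pflog0

# Private side: unchanged, options permitted on the way in.
pass quick log (to pflog1) on $int_if allow-opts

# Public side: assumed to match the NATted packet (source already ($ext_if4)
# when filter rules run), so this rule's allow-opts is what lets the options through.
pass out from ($ext_if4) allow-opts modulate state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, load with `pfctl -f /etc/pf.conf`, and watch `tcpdump -n -e -ttt -i pflog0` while sending a packet with an option: a drop caused by the option check is reported with the reason `ip-option` rather than `match`, which distinguishes "the rule lacks allow-opts" from an ordinary block. Note that allow-opts is all-or-nothing in pf: it admits every IP option, including source routing, so keep it on rules scoped to the hosts that genuinely need options rather than on a catch-all pass.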