Date: Mon, 7 Feb 2005 22:50:51 -0600
From: Jay <jay@meangrape.com>
To: "solarflux.org/pf" <pf-r@solarflux.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: rule ordering
Message-ID: <20050208045051.GA24489@mail.meangrape.com>
In-Reply-To: <420843AD.7080201@solarflux.org>
References: <20050208010112.GC17904@mail.meangrape.com> <420843AD.7080201@solarflux.org>

Thanks! Makes perfect sense.

On Mon, Feb 07, 2005 at 11:44:29PM -0500, solarflux.org/pf wrote:
> Jay wrote:
> >I'm putting in a NAT rule for the first time. My pf.conf is just edited
> >from the original.
> >
> >When I insert the NAT rule and run pfctl -n -f /etc/pf.conf, I get the
> >following error message:
> >
> > /etc/pf.conf:62: Rules must be in order: options, normalization,
> >queueing, translation, filtering
> >
> >A perfectly understandable error message -- queuing should be before
> >translation. As in the following snippet from my pf.conf:
> >
> > # Queueing: rule-based bandwidth control.
> > altq on $ext_1 priq bandwidth 256Kb queue { q_pri, q_def }
> > queue q_pri priority 7
> > queue q_def priority 1 priq(default)
> >
> > pass out on $ext_1 proto tcp from $ext_1 to any flags S/SA \
> >     keep state queue (q_def, q_pri)
> > pass in on $ext_1 proto tcp from any to $ext_1 flags S/SA \
> >     keep state queue (q_def, q_pri)
> >
> > # Translation: specify how addresses are to be mapped or redirected.
> > nat on rl1 from 192.168.0.0/24 to any -> 209.223.7.161
> >
> >Yup. Looks like queueing before translation. But that's the snippet
> >that throws the error. If I comment out all of the ALTQ rules, pfctl -n
> >-f /etc/pf.conf works fine. Also the same if I comment out the NAT
> >rule.
>
> You have pass rules (hence, filtering) in your queueing section; you
> must only set up queueing in that section. That's why commenting out
> the nat rule or everything in your queueing section allows the pf.conf to
> be parsed successfully.
>
> -S

--
Jay.
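
The ordering rule discussed in this thread, as a small Python check run over the posted rules; this is an added example, not code from the thread or from pf itself. The keyword map is a simplified assumption (not pf's full grammar), and `REORDERED` is a constructed variant of the posted snippet with the pass rules moved below the nat rule.

```python
# Section order taken from the pfctl error message quoted in the thread.
ORDER = ["options", "normalization", "queueing", "translation", "filtering"]
# Simplified keyword-to-section map (assumption: common statements only).
KEYWORDS = {"set": 0, "scrub": 1, "altq": 2, "queue": 2, "nat": 3, "rdr": 3,
            "binat": 3, "pass": 4, "block": 4, "antispoof": 4}

# Rules from the post, split by section so both orderings can be built.
QUEUEING = """\
altq on $ext_1 priq bandwidth 256Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)
"""
FILTERING = """\
pass out on $ext_1 proto tcp from $ext_1 to any flags S/SA \\
    keep state queue (q_def, q_pri)
pass in on $ext_1 proto tcp from any to $ext_1 flags S/SA \\
    keep state queue (q_def, q_pri)
"""
NAT = "nat on rl1 from 192.168.0.0/24 to any -> 209.223.7.161\n"
AS_POSTED = QUEUEING + FILTERING + NAT   # pass rules sit ahead of the nat rule
REORDERED = QUEUEING + NAT + FILTERING   # constructed: pass rules moved last

def statements(text):
    """Yield (first_line_no, statement); drops comments, joins '\\' continuations."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        start = n if start is None else start
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        if (buf + line).strip():
            yield start, (buf + line).strip()
        buf, start = "", None

def check_order(text):
    """Return (line_no, section, later_section_already_seen) per violation."""
    problems, highest = [], 0
    for n, stmt in statements(text):
        words = stmt.split()
        # "no nat ..." style rules belong to the section of their second word.
        key = words[1] if words[0] == "no" and len(words) > 1 else words[0]
        rank = KEYWORDS.get(key)
        if rank is None:          # macros, tables, unrecognised statements
            continue
        if rank < highest:
            problems.append((n, ORDER[rank], ORDER[highest]))
        highest = max(highest, rank)
    return problems

if __name__ == "__main__":
    print("as posted:", check_order(AS_POSTED))
    print("reordered:", check_order(REORDERED))
```
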