From owner-freebsd-pf@FreeBSD.ORG Mon Aug 15 16:27:36 2005
Date: Mon, 15 Aug 2005 18:27:33 +0200
From: Daniel Hartmeier
To: Sergey Lapin
Cc: freebsd-pf@freebsd.org
Subject: Re: Fwd: Fwd: Dual-feed: PF setup troubles
Message-ID: <20050815162733.GC32151@insomnia.benzedrine.cx>
In-Reply-To: <48239d3905081509062c585a17@mail.gmail.com>
References: <48239d390508150840481420ec@mail.gmail.com> <20050815154334.GB32151@insomnia.benzedrine.cx> <48239d3905081509062c585a17@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Mon, Aug 15, 2005 at 08:06:03PM +0400, Sergey Lapin wrote:

> And as for other bugs - return to wrong place and NAT from wrong interface?
> #2 is serious
> http://www.mail-archive.com/freebsd-pf@freebsd.org/msg00421.html

Repeat it on 6.0RC and provide the smallest ruleset that reproduces it completely. The order in which translation rules are evaluated relative to routing rules has changed several times; 6.0RC contains the newest code.

Note that translation rules (like NAT) are executed before route-to is, i.e. if you let outgoing packets first go out the default interface, any NAT rule on that interface is performed _before_ the packet is then re-routed to the non-default interface.

Using route-to on the internal interface makes this a non-issue, but you met the bug when trying that. Assuming that bug is fixed, it will probably be the simplest approach, and work.

If you do want to use route-to on the outgoing default interface, however, you can try restricting the nat rules to appropriately tagged packets, like

  nat on ... from ... to ... tagged TAG -> ...

so they only apply to packets that are not (later) re-routed.

Daniel
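The tagging workaround Daniel sketches, written out as a complete dual-feed ruleset. This is an added example, not Daniel's ruleset or anything from the thread; interface names, gateway addresses, networks, host lists and the tag names VIA_A/VIA_B are placeholders chosen for illustration. It shows both placements of route-to: on the internal interface (the approach Daniel calls simplest once the bug he mentions is fixed) and on the default outgoing interface, where the nat rule must be restricted with tagged so it does not translate packets that route-to is about to move to the other uplink.

```conf
# Added example, not from the original message: dual-feed gateway on
# FreeBSD 6.0-era pf. All names and addresses below are assumed placeholders.
ext_if1 = "fxp0"          # uplink A, carries the kernel default route
ext_if2 = "fxp1"          # uplink B, non-default
int_if  = "fxp2"          # LAN side
gw_a    = "192.0.2.1"     # next hop on uplink A (assumed)
gw_b    = "198.51.100.1"  # next hop on uplink B (assumed)
lan_net = "10.0.0.0/24"
b_hosts = "{ 10.0.0.50, 10.0.0.51 }"   # LAN hosts that must leave via uplink B

# Translation rules are evaluated before route-to. An unrestricted
# "nat on $ext_if1" would therefore translate every LAN packet that reaches
# $ext_if1, including one that a "pass out on $ext_if1 route-to" rule is
# about to send via $ext_if2. Restricting each nat rule with "tagged" makes
# it match only packets that will really leave on that uplink.
nat on $ext_if1 from $lan_net to any tagged VIA_A -> ($ext_if1)
nat on $ext_if2 from $lan_net to any tagged VIA_B -> ($ext_if2)

block all

# Approach 1: decide on the internal interface. Packets for uplink B are
# re-routed here, so the nat rule on $ext_if1 never sees them; the tag set
# on the way in is what the out rules and the nat rules match on.
pass in on $int_if route-to ($ext_if2 $gw_b) from $b_hosts to any \
    keep state tag VIA_B
pass in on $int_if from $lan_net to any keep state tag VIA_A

# Approach 2: let everything reach $ext_if1 via the default route and
# re-route there. Because NAT runs before route-to, this only works when
# the $ext_if1 nat rule above is restricted with "tagged VIA_A"; uncomment
# this rule and drop the route-to from approach 1's first pass-in rule
# (keeping its "tag VIA_B") to use it.
# pass out on $ext_if1 route-to ($ext_if2 $gw_b) from $lan_net to any \
#     tagged VIA_B keep state

pass out on $ext_if1 from $lan_net to any tagged VIA_A keep state
pass out on $ext_if2 from $lan_net to any tagged VIA_B keep state
```

Load it with pfctl -nf to syntax-check before pfctl -f. The two nat rules are the whole point: without "tagged VIA_A", approach 2 rewrites the source address to uplink A's before the packet is re-routed out uplink B, which is exactly the NAT-from-the-wrong-interface symptom the thread is about.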