From owner-freebsd-pf@FreeBSD.ORG  Wed Aug 11 23:07:58 2010
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 7E72E106564A
	for <freebsd-pf@freebsd.org>; Wed, 11 Aug 2010 23:07:58 +0000 (UTC)
	(envelope-from xindigo@gmail.com)
Received: from mail-ww0-f50.google.com (mail-ww0-f50.google.com [74.125.82.50])
	by mx1.freebsd.org (Postfix) with ESMTP id 186268FC19
	for <freebsd-pf@freebsd.org>; Wed, 11 Aug 2010 23:07:56 +0000 (UTC)
Received: by wwb13 with SMTP id 13so805171wwb.31
	for <freebsd-pf@freebsd.org>; Wed, 11 Aug 2010 16:07:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:received:mime-version:received:from:date
	:message-id:subject:to:content-type;
	bh=Ad3JOiVYnkBQnTQzgXsAteA6j2L18A5EMB8fokuMoeQ=;
	b=fZdfTKZGc5EkUFHMpxb926g/n71W8L7TYmAzWrdk0/C//FTO9RlU1t04bDWUCa8bug
	fARCKn3ONEh08xDyUlF95vvEQUS5g2dRUK1THFJrU2h/jBmLG3B49ypaGjj02u+4EXx6
	/IiElctWRw881cityeFIM4q1/dJO7fPX6kpWw=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=mime-version:from:date:message-id:subject:to:content-type;
	b=Ty9KRVIR2OVtEAEzaObWk2+pvfA5RO4/H7JgPnoDnBXuI6gBG4TjrE9yVxVQPiKaf3
	9xTBIL4k6AyOMqiUoiGsMqm0MN2X1/YbKUM0jg8w/SpXOe2aat+LYNbkBrN71YUhm65I
	i4avZKviCgHYrT9jQLObXvlzmGBLF7PM4oimA=
Received: by 10.216.188.20 with SMTP id z20mr5883970wem.51.1281566178531; Wed,
	11 Aug 2010 15:36:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.212.34 with HTTP; Wed, 11 Aug 2010 15:35:56 -0700 (PDT)
From: Serguey Parkhomovsky <xindigo@gmail.com>
Date: Wed, 11 Aug 2010 15:35:56 -0700
Message-ID: <AANLkTinHPBYGM7awcT6wCu1NqvBmt2aTz9j=giSkGvH3@mail.gmail.com>
To: freebsd-pf@freebsd.org
Content-Type: text/plain; charset=UTF-8
Subject: pf doesn't honor net.inet.ip.forwarding?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Aug 2010 23:07:58 -0000

Hello,

pf seems to do NAT forwarding whether or not net.inet.ip.forwarding is
enabled. I set up a NAT between my webserver jail on lo1 and my
external interface on em0, and it works even when this setting is
disabled.

Here is the relevant part of my pf.conf:
nat on em0 from lo1 to any -> (em0)

Why does this work? Shouldn't pf be unable to forward packets when
net.inet.ip.forwarding=0?

- Serguey