From owner-freebsd-pf@FreeBSD.ORG Wed Feb 1 14:01:43 2006
Message-ID: <55e8a96c0602010601t7b746206ice51e29c3265490f@mail.gmail.com>
Date: Wed, 1 Feb 2006 08:01:36 -0600
From: Bill Marquette
To: Dmitry Andrianov
Cc: freebsd-pf@freebsd.org
Subject: Re: Using pf to force different outgoing IP address depending on UNIX user/group for locally originating connection?
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 1/31/06, Dmitry Andrianov wrote:
> Hello.
>
> To my understanding, you can apply nat rule to tagged packets only. This
> should do the trick.
>
> nat on $ext_if tagged TAG1 -> 192.168.33.14
> nat on $ext_if tagged TAG2 -> 192.168.33.15

You can apply tags to NATs, however the point of the original post was that filter policy (which accepts the 'user' syntax) is evaluated AFTER the NAT, so he can't tag a packet based on the filter policy and then have it NATd using the correct source address for that user.

> Moreover, nat rules can also accept uid/gid matching but I'm not sure
> about that.
>
> Doesn't it work?

Nope...an otherwise syntactically correct config file (note that this is from a recent OpenBSD snapshot, not FreeBSD - not that the difference changes anything):

$ cat foo
nat on lo0 from any to any user root -> 127.0.0.1
$ sudo pfctl -f foo
foo:1: syntax error
pfctl: Syntax error in config file: pf rules not loaded
$ cat foo
nat on lo0 from any to any -> 127.0.0.1
$ sudo pfctl -f foo
$ sudo pfctl -sn
nat on lo0 inet all -> 127.0.0.1

I haven't looked at the code, but I wouldn't be terribly surprised if you couldn't just copy/paste the user match code in the lexer for filter rules into the nat part of the lexer.

--Bill
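An added example (not part of Bill's message, the thread, or pf itself): the pfctl failure above only tells you "syntax error" once you try to load the file. The small checker below pre-screens a pf.conf for the same mistake, flagging `user` or `group` options on translation rules (nat, rdr, binat and their `no` forms), where the pf grammar of that era does not accept them, while leaving them alone on filter rules (pass/block), which are evaluated after translation. It assumes the standard pf.conf layout (one rule per line, `#` comments, backslash continuations) and nothing else; the sample config is constructed, built around the two one-line files from the message.

```python
"""Pre-screen a pf.conf for user/group options placed on translation rules.

pfctl rejects 'user' and 'group' on nat/rdr/binat rules (see the 'foo'
transcript in the thread); they are only valid on filter rules, which pf
evaluates after translation has already picked the source address.
"""

# Constructed sample: line 2 and line 5 are the mistakes, line 3 and 4 are fine.
SAMPLE_CONF = """\
# translation rules run before the filter ruleset
nat on lo0 from any to any user root -> 127.0.0.1
nat on lo0 from any to any -> 127.0.0.1
pass out on lo0 proto tcp from any to any user root tag TAG1
rdr on $ext_if proto tcp from any to any port 80 group www -> 10.0.0.5
"""

TRANSLATION_ACTIONS = {"nat", "rdr", "binat"}
FILTER_ACTIONS = {"pass", "block"}
USER_KEYWORDS = {"user", "group"}


def logical_lines(text):
    """Yield (first_lineno, joined_text) with backslash continuations folded."""
    buf, start = [], None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if start is None:
            start = lineno
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended on a continuation line
        yield start, " ".join(buf)


def classify_rule(line):
    """Return 'translation', 'filter', or None for one logical pf.conf line.

    Comments are stripped at the first '#'; the sample uses no quoted
    strings, so a '#' inside quotes is not handled (assumption).
    """
    tokens = line.split("#", 1)[0].split()
    if not tokens:
        return None
    action = tokens[0]
    if action == "no":
        # 'no nat', 'no rdr', 'no binat' are translation exceptions
        if len(tokens) > 1 and tokens[1] in TRANSLATION_ACTIONS:
            return "translation"
        return None
    if action in TRANSLATION_ACTIONS:
        return "translation"
    if action in FILTER_ACTIONS:
        return "filter"
    return None  # macros, tables, options, scrub, anchors, ...


def check_pf_conf(text):
    """Return [(lineno, keyword)] for every translation rule carrying user/group."""
    findings = []
    for lineno, line in logical_lines(text):
        if classify_rule(line) != "translation":
            continue
        for tok in line.split("#", 1)[0].split():
            if tok in USER_KEYWORDS:
                findings.append((lineno, tok))
                break
    return findings


if __name__ == "__main__":
    for lineno, keyword in check_pf_conf(SAMPLE_CONF):
        print(f"line {lineno}: '{keyword}' is not accepted on translation rules; "
              "user/group matching only exists on pass/block rules, which pf "
              "evaluates after translation")
```

Run against the constructed sample it reports lines 2 and 5; the `pass out ... user root tag TAG1` rule is left alone because tagging there is legal, it simply happens too late to influence which nat rule was applied.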