From owner-freebsd-pf@FreeBSD.ORG  Wed Feb  1 18:28:16 2006
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5D36B16A420
	for <freebsd-pf@freebsd.org>; Wed,  1 Feb 2006 18:28:16 +0000 (GMT)
	(envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9807C43D46
	for <freebsd-pf@freebsd.org>; Wed,  1 Feb 2006 18:28:15 +0000 (GMT)
	(envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (dhartmei@localhost [127.0.0.1])
	by insomnia.benzedrine.cx (8.13.4/8.12.11) with ESMTP id k11IRqKI008103
	(version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO);
	Wed, 1 Feb 2006 19:27:52 +0100 (MET)
Received: (from dhartmei@localhost)
	by insomnia.benzedrine.cx (8.13.4/8.12.10/Submit) id k11IRpto011326;
	Wed, 1 Feb 2006 19:27:51 +0100 (MET)
Date: Wed, 1 Feb 2006 19:27:51 +0100
From: Daniel Hartmeier <daniel@benzedrine.cx>
To: Bill Marquette <bill.marquette@gmail.com>
Message-ID: <20060201182751.GD1311@insomnia.benzedrine.cx>
References: <D5972F49810A69449A9EA72A4B360DC2799E29@e1.universe.dart.spb>
	<55e8a96c0602010601t7b746206ice51e29c3265490f@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <55e8a96c0602010601t7b746206ice51e29c3265490f@mail.gmail.com>
User-Agent: Mutt/1.5.10i
Cc: freebsd-pf@freebsd.org
Subject: Re: Using pf to force different outgoing IP address depending on
	UNIX user/group for locally originating connection?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Feb 2006 18:28:16 -0000

On Wed, Feb 01, 2006 at 08:01:36AM -0600, Bill Marquette wrote:

> I haven't looked at the code, but I wouldn't be terribly surprised if
> you couldn't just copy/paste the user match code in the lexer for
> filter rules into the nat part of the lexer.

No, the user/group options are not valid in translation rules. But
making them valid there would be the most logical solution. It's not
terribly complicated, and I'll try to add that. It won't be backported
to 5.x, though :)

I'm not sure you can do it routing tricks through loopback. You could
try setting the default route through an intentionally wrong interface,
pass with tag and route-to (to the right interface) there, and then nat
on the right interface based on tag. But that's quite a hack.

Daniel