pf(4) changes recently?

Sean Bruno sbruno at ignoranthack.me
Sun Nov 30 23:46:22 UTC 2014



I use pf and jails on a host to redirect port 80 to the correct jail.  I
only use 1 routable IP and have been running this configuration for
over a year now.

I run nginx in jailA (10.0.0.2) and have it capture port 80 requests and
forward them to either jailB (10.0.0.3) or jailC (10.0.0.4) based on
hostname in the http request.

Recently (last 3 months), pf has started blocking the ability of jailA to
send these requests to the other two jails and I don't know why.  My
nginx config and pf.conf are unchanged.  When I enter jailA and attempt
to telnet to jailB port 80, I get rejected.  So, I assume something is
wrong with my current pf implementation.

pf.conf:
----------------------------------------------------------------------------------------------------
# ext_if is defined earlier in the full pf.conf (not shown here)

jailA_if = "lo1"
jailAnet = $jailA_if:network

jailB_if = "lo2"
jailBnet = $jailB_if:network

jailC_if = "lo3"
jailCnet = $jailC_if:network

jailA="10.0.0.2"
jailB="10.0.0.3"
jailC="10.0.0.4"
#NAT
nat on $ext_if from $jailAnet to any -> ($ext_if)
nat on $ext_if from $jailBnet to any -> ($ext_if)
nat on $ext_if from $jailCnet to any -> ($ext_if)

# Redirect 80
rdr pass on $ext_if inet proto tcp to port http -> $jailA port http
----------------------------------------------------------------------------------------------------

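A cheap first check when a long-working pf ruleset starts behaving oddly is to confirm that the file on disk still parses the way you think it does. The script below is example code added here, not part of the original post or of FreeBSD: it lints a pf.conf for macro mismatches, which matter because pf macros are case-sensitive and `pfctl` refuses to load a ruleset that references an undefined macro. The sample input is a constructed variant of the configuration above with a deliberate case slip (`JailAnet` defined, `$jailAnet` referenced); `ext_if` is assumed to be defined elsewhere in the real file, which the post does not show.

```python
"""Lint a pf.conf for macro mismatches before handing it to pfctl.

Reports macro references that have no definition (with a hint when only
the letter case differs) and definitions that nothing references.
Example code added to the mailing-list page; not the poster's own tool.
"""
import re
from typing import Dict, FrozenSet, List, Set

# `name = value` at the start of a line. pf also requires definition
# before use, but this check only looks at existence, not order.
DEF_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')
# `$name`, `${name}`, `$name:network` and `($name)` all reduce to the
# identifier right after the `$`.
REF_RE = re.compile(r'\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?')

# Constructed sample: the posted configuration with a deliberate case
# slip on the first network macro. `ext_if` is assumed to be defined
# earlier in the real file (not shown in the post).
SAMPLE_PF_CONF = """\
jailA_if = "lo1"
JailAnet = $jailA_if:network

jailB_if = "lo2"
jailBnet = $jailB_if:network

jailC_if = "lo3"
jailCnet = $jailC_if:network

jailA="10.0.0.2"
jailB="10.0.0.3"
jailC="10.0.0.4"
#NAT
nat on $ext_if from $jailAnet to any -> ($ext_if)
nat on $ext_if from $jailBnet to any -> ($ext_if)
nat on $ext_if from $jailCnet to any -> ($ext_if)

# Redirect 80
rdr pass on $ext_if inet proto tcp to port http -> $jailA port http
"""


def strip_comment(line: str) -> str:
    """Drop a trailing `#` comment, ignoring `#` inside quoted strings."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in ('"', "'"):
            quote = ch
        elif ch == '#':
            return line[:i]
    return line


def lint_pf_conf(text: str, assume_defined: FrozenSet[str] = frozenset()) -> dict:
    """Return undefined references, case-mismatch hints and unused definitions.

    `assume_defined` lists macros expected from an include or an earlier part
    of the file (here: ext_if) so they are not reported as undefined.
    """
    defined: Dict[str, int] = {}
    referenced: Dict[str, Set[int]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if not line.strip():
            continue
        m = DEF_RE.match(line)
        if m:
            name, value = m.groups()
            defined.setdefault(name, lineno)
            line = value  # a definition's value may itself reference macros
        for ref in REF_RE.findall(line):
            referenced.setdefault(ref, set()).add(lineno)

    by_lower = {name.lower(): name for name in defined}
    undefined: List[str] = []
    case_hints: Dict[str, str] = {}
    for name in sorted(referenced):
        if name in defined or name in assume_defined:
            continue
        undefined.append(name)
        if name.lower() in by_lower:
            case_hints[name] = by_lower[name.lower()]
    unused = sorted(name for name in defined if name not in referenced)
    return {"undefined": undefined, "case_hints": case_hints, "unused": unused,
            "ref_lines": {n: sorted(ls) for n, ls in referenced.items()}}


def format_report(result: dict) -> str:
    """Render lint results as one finding per line."""
    out = []
    for name in result["undefined"]:
        msg = f"undefined macro ${name} (lines {result['ref_lines'][name]})"
        if name in result["case_hints"]:
            msg += f"; did you mean ${result['case_hints'][name]}?"
        out.append(msg)
    for name in result["unused"]:
        out.append(f"macro {name} is defined but never referenced")
    return "\n".join(out) if out else "no macro problems found"


if __name__ == "__main__":
    print(format_report(lint_pf_conf(SAMPLE_PF_CONF, frozenset({"ext_if"}))))
```

Run against the sample, the report flags `$jailAnet` as undefined with a hint that `JailAnet` exists, and lists `jailB` and `jailC` as defined but unused, which is consistent with the posted snippet: those addresses are not referenced by the nat or rdr rules shown.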




More information about the freebsd-net mailing list