Troubles with anchors

Vladimir Kapustin msgs_for_me at mail.ru
Mon Mar 5 18:44:09 UTC 2007


Hi all!

While writing a script to turn Internet access on/off for our clients I ran
into the following trouble:

Some of our clients may need a real IP address. Sometimes the pairs of
internal/external IPs may change. For this I put the following lines in
pf.conf:

#nat on $ext_if from <internet> to any -> 192.168.1.21
#binat-anchor real_ip

In the case of the "real_ip" field, the script must set up BINAT for the
IP that we have in that field, but it doesn't do it!

Originally the rules were:

#ifconfig xl0 $ip_ext netmask 255.255.255.0 alias
#echo "binat on xl0 from $ip_int to any -> $ip_ext" | pfctl -a real_ip:$ip_ext -f -

The anchor with the composite name real_ip:$ip_ext is necessary so that,
when turning off the Internet for that IP, we are able to remove the
binat rules for that particular IP only.

But in practice when we add the following rule:

#echo "binat on xl0 from 192.168.0.23 to any -> 192.168.1.26" | pfctl -a real_ip:192.168.1.26 -f -

we have:

#pfctl -sn -a real_ip/192.168.1.26
#binat on xl0 inet from 192.168.0.23 to any -> 192.168.1.26

But actually we were masked by 192.168.1.21

But if:

#echo "binat on xl0 from 192.168.0.23 to any -> 192.168.1.26" | pfctl -a real_ip -f -

we have:

#pfctl -sn -a real_ip
#binat on xl0 inet from 192.168.0.23 to any -> 192.168.1.26

And now we were masked by 192.168.1.26 - that's what we need!

But we can't do it that way. That's why we decided to use sub-anchors:

#echo "anchor 192.168.1.26" | pfctl -a real_ip -f -
#echo "binat on xl0 from 192.168.0.23 to any -> 192.168.1.26" | pfctl -a real_ip/192.168.1.26 -f -

#pfctl -vsA

real_ip
real_ip/192.168.1.26

#pfctl -sn -a real_ip/192.168.1.26
#binat on xl0 inet from 192.168.0.23 to any -> 192.168.1.26

And now we were again masked by 192.168.1.21

How can I solve this problem?
We have no way to write the binat rules statically in pf.conf.

FreeBSD 6.2-Release
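An added example, not part of the post above and not the poster's script: a small POSIX sh script of the kind the post describes, written here to show how per-client sub-anchors can be wired so that pf actually evaluates the binat rules in them. Two points from pf.conf(5) and pfctl(8) drive its layout. First, translation rules (nat, rdr, binat) inside a sub-anchor are only evaluated when the enclosing anchor references it with a nat-anchor, rdr-anchor or binat-anchor rule; an `anchor "name"` rule attaches filter rules only, which matches what the post reports for the `echo "anchor 192.168.1.26" | pfctl -a real_ip -f -` attempt. Second, `pfctl -a name -f -` replaces the whole ruleset of that anchor, so the parent anchor has to be regenerated from the full list of active clients whenever one is added or removed, and the script keeps that list in a state directory. The interface name xl0, the parent anchor name real_ip (assumed to be attached in pf.conf with `binat-anchor real_ip`), the state directory /var/db/real_ip and the PFCTL/IFCONFIG overrides are assumptions of this example; the `-a real_ip:192.168.1.26` spelling is not used because the listing in the post shows pfctl stored that ruleset as real_ip/192.168.1.26.

```shell
#!/bin/sh
# Per-client binat management with pf sub-anchors.
# Added example, not from the original post. Assumptions (not from the post):
#  - the external interface is xl0,
#  - pf.conf contains "binat-anchor real_ip" so the parent anchor is evaluated,
#  - one file per active external IP lives in STATE_DIR and holds the internal IP,
#  - PFCTL / IFCONFIG may be overridden (e.g. both set to "echo" for a dry run).
set -eu

EXT_IF=${EXT_IF:-xl0}
ANCHOR=${ANCHOR:-real_ip}
STATE_DIR=${STATE_DIR:-/var/db/real_ip}
PFCTL=${PFCTL:-pfctl}
IFCONFIG=${IFCONFIG:-ifconfig}

# Name of the per-client sub-anchor; pf separates nested anchors with "/".
client_anchor() {
    printf '%s/%s\n' "$ANCHOR" "$1"
}

# The one-to-one translation rule for one client (internal IP, external IP).
binat_rule() {
    printf 'binat on %s from %s to any -> %s\n' "$EXT_IF" "$1" "$2"
}

# Parent ruleset: one binat-anchor reference per active external IP.
# pf evaluates translation rules in a sub-anchor only when the parent
# references it with binat-anchor (or nat-anchor/rdr-anchor); a plain
# "anchor" rule attaches filter rules, not translation rules.
parent_ruleset() {
    for f in "$STATE_DIR"/*; do
        [ -f "$f" ] || continue
        printf 'binat-anchor "%s"\n' "$(basename "$f")"
    done
}

# Loading a ruleset into an anchor replaces that anchor's rules, so the
# parent is rebuilt from the state directory after every change.
reload_parent() {
    parent_ruleset | "$PFCTL" -a "$ANCHOR" -f -
}

# enable_client <internal-ip> <external-ip>
enable_client() {
    int=$1; ext=$2
    mkdir -p "$STATE_DIR"
    "$IFCONFIG" "$EXT_IF" "$ext" netmask 255.255.255.0 alias
    binat_rule "$int" "$ext" | "$PFCTL" -a "$(client_anchor "$ext")" -f -
    printf '%s\n' "$int" > "$STATE_DIR/$ext"
    reload_parent
}

# disable_client <external-ip>: drop the parent reference first, then the
# rules in the sub-anchor, then the address alias.
disable_client() {
    ext=$1
    rm -f "$STATE_DIR/$ext"
    reload_parent
    "$PFCTL" -a "$(client_anchor "$ext")" -F nat
    "$IFCONFIG" "$EXT_IF" "$ext" -alias
}

# show_client <external-ip>: the same check the post uses, pfctl -sn -a.
show_client() {
    "$PFCTL" -sn -a "$(client_anchor "$1")"
}

main() {
    case "${1:-}" in
        enable)  enable_client "$2" "$3" ;;
        disable) disable_client "$2" ;;
        show)    show_client "$2" ;;
        *) echo "usage: $0 enable <int-ip> <ext-ip> | disable <ext-ip> | show <ext-ip>" >&2
           exit 64 ;;
    esac
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

For a dry run on a machine without pf, `PFCTL=echo IFCONFIG=echo STATE_DIR=/tmp/real_ip sh real_ip.sh enable 192.168.0.23 192.168.1.26` prints the pfctl and ifconfig invocations without touching the firewall; on the real box, `sh real_ip.sh show 192.168.1.26` then lists the sub-anchor's rules and `pfctl -sn -a real_ip` should list one `binat-anchor` line per active client.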
