PF NAT regression
Michal Mertl
mime at traveller.cz
Mon Sep 10 12:28:31 PDT 2007
Max Laier wrote:
> On Monday 10 September 2007, Michal Mertl wrote:
>
>> Hello,
>>
>> I have recently upgraded 6.2-STABLE based router to -CURRENT kernel and
>> I found out the following in /etc/pf.conf does not work anymore:
>>
>> ext_if="sis0"
>> nat on $ext_if from ! ($ext_if) to any -> ($ext_if)
>>
>> It works again when I change it to:
>>
>> nat on $ext_if from any to any -> ($ext_if)
>>
>
> Can you show me "ifconfig sis0" and "pfctl -vvvsn" for either rule? It
> might be a problem with picking up aliases correctly. You could also try
> to limit the nat rule by specifying "inet". A tcpdump on sis0 might also
> be helpful to figure out what's going on, as could be "pfctl -xm" to
> enable extended debugging on the console. This should print which
> address is chosen for any translation. Finally you might want to look at
> the rule counters and the state table after trying a couple of
> connections

I am sorry, I can't reproduce the problem myself anymore :-(.
I do not understand how it could have happened - it seemed clear to me
before - first version -> no NAT vs. second version -> NAT. I am pretty
sure I repeated the test several times. And of course NAT did not work
as otherwise I would not be trying to change the ruleset. There is only
one IP address on the sis0 interface and it is being assigned by DHCP.
If I have problems again I will try to better diagnose the situation.

Michal