My problem of pf rule

Travis H. solinym at gmail.com
Sun Dec 11 20:06:11 PST 2005


On 12/11/05, yayj <yayjsir at gmail.com> wrote:
> all packets attempting to go out via em0 have the same src ip, (em0),
> including these from <fxp0_ip> and <fxp1_ip>.

Oh, I think I understand now.

I believe this may be a case where you want to use policy-based
routing; in this case you can tag packets from fxp0 and fxp1 to have
"tag foo" and perhaps you might be able to say:

# tag everything that arrives on either internal interface
pass in on { fxp0 fxp1 } tag FOO
# on the outbound interface, the negation pf accepts is "! tagged", not "not tagged"
pass out on em0 to any ! tagged FOO queue BAR

I'm not sure if you can say "not tagged FOO" though, and I cannot test that.

In any case, you are right, NAT occurs first and so all outbound
packets will have an IP of (em0) when they are leaving.  The only way
that I know of to distinguish where they came from is with tags.
--
http://www.lightconsulting.com/~travis/  -><- P=NP if (P=0 or N=1)
"My love for mathematics is unto 1/x as x approaches 0."
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
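The tagging approach in the reply above, written out as a full pf.conf fragment. This is an added example, not the poster's configuration: the interface names em0, fxp0 and fxp1 come from the thread, while the address macros, queue names and bandwidths, and the tag names LAN0/LAN1 are assumed. It goes one step beyond the mail by giving each internal interface its own tag so each can be queued separately.

```pf
# Added example (not from the original mail). Interfaces come from the thread;
# networks, queues, bandwidths and tag names are assumed values.
ext_if  = "em0"
lan0_if = "fxp0"
lan1_if = "fxp1"
lan0_net = "192.168.0.0/24"   # assumed network behind fxp0
lan1_net = "192.168.1.0/24"   # assumed network behind fxp1

# ALTQ on the external interface: one queue per internal interface plus a
# default for everything else (needs ALTQ compiled into the kernel).
altq on $ext_if cbq bandwidth 10Mb queue { q_default, q_lan0, q_lan1 }
queue q_default bandwidth 20% cbq(default)
queue q_lan0    bandwidth 40%
queue q_lan1    bandwidth 40%

# NAT is applied before the outbound filter on em0, so by the time a packet
# is evaluated there its source address is already ($ext_if). The tag set on
# the inbound interface is what still tells the two LANs apart.
nat on $ext_if from { $lan0_net, $lan1_net } to any -> ($ext_if)

block log all

# Tag each packet with the interface it arrived on. With keep state the tag
# is stored in the state entry, so later packets of the flow carry it too.
pass in on $lan0_if from $lan0_net to any keep state tag LAN0
pass in on $lan1_if from $lan1_net to any keep state tag LAN1

# Outbound on em0: pf uses last-matching-rule-wins, so the untagged default
# comes first and the tag-specific rules override it for LAN0/LAN1 traffic.
pass out on $ext_if keep state queue q_default
pass out on $ext_if tagged LAN0 keep state queue q_lan0
pass out on $ext_if tagged LAN1 keep state queue q_lan1
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -s queue -v` shows whether the per-interface queues actually receive packets. If a single explicit rule for untagged traffic is preferred, `! tagged LAN0` is the spelling pf accepts, but a rule takes only one tagged clause, so with two tags the last-match default above is the simpler form.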

