duplicate nat rules listed by pfctl
Gianni
gdoe6545 at yahoo.it
Wed Mar 11 22:04:12 PDT 2009
On 11/mar/09, at 20:50, David DeSimone wrote:
> Gianni <gdoe6545 at yahoo.it> wrote:
>>
>> With the following nat rules pfctl lists duplicate entries, can
>> anyone
>> explain why this is?
>>
>> ext_if = "tun0"
>> nat on $ext_if from $localnet to any -> ($ext_if)
>> no nat on $ext_if from $localnet to $vpn_nets
>
> What is the definition of $localnet?
int_if = "vr0"
localnet = $int_if:network
From your question I now see the answer:
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu
1500
options=280b<RXCSUM,TXCSUM,VLAN_MTU,WOL_UCAST,WOL_MAGIC>
inet 192.168.200.250 netmask 0xffffff00 broadcast 192.168.200.255
inet 192.168.200.249 netmask 0xffffff00 broadcast 192.168.200.255
I've got 2 ip addresses on the interface and the :network shortcut
does not take into account that they are part of the same subnet.
If I do localnet = "192.168.200.0/24" it's fine, I don't get duplicate
entries.
>> # pfctl -s nat
>> nat on tun0 inet from 192.168.200.0/24 to any -> (tun0) round-robin
>> nat on tun0 inet from 192.168.200.0/24 to any -> (tun0) round-robin
>> no nat on tun0 inet from 192.168.200.0/24 to 192.168.0.0/24
>> no nat on tun0 inet from 192.168.200.0/24 to 192.168.0.0/24
>
> Also, don't you think you should put the "no nat" rule before the
> "nat"
> rules?
Yes probably!
Because first matching nat rule wins right?
Thanks
-Gianni
More information about the freebsd-pf
mailing list