[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PF and "route-to"

To: Luis Cerdas <luis.cerdas@rawten.net>
Subject: Re: PF and "route-to"
From: Daniel Hartmeier <daniel@benzedrine.cx>
Date: Fri, 7 Jun 2002 03:10:16 +0200
Cc: misc@openbsd.org
Content-Disposition: inline
References: <Pine.LNX.4.10.10206061040480.29854-100000@pizza.crust.inside> <B9254F1C.38B4%luis.cerdas@rawten.net>
User-Agent: Mutt/1.2.5.1i

On Thu, Jun 06, 2002 at 05:40:44PM -0600, Luis Cerdas wrote:

> The thing is that pf is in fact routing to the configured interface (rule
> matching is working), and is forwarding to the next hop router, but it is
> not doing any NAT for the packet.

Yes, route-to (as well as fastroute and dup-to) will send packets out
directly through the interface, without going through pf again. Hence,
NAT on the outgoing interface doesn't work (neither would filter rules
on the outgoing interface apply to such packets).

It would be possible to force them through pf again, but I'm not yet
sure how this can be done with minimal overhead. For now, I'll just note
that it doesn't work.

Daniel

Follow-Ups:
- Re: PF and "route-to"
  - From: Darren Reed <avalon@coombs.anu.edu.au>
- Re: PF and "route-to"
  - From: lcerdas@rawten.net

References:
- Re: Login Definitions
  - From: Chris Maresca <ckm@crust.net>
- PF and "route-to"
  - From: "Luis Cerdas" <luis.cerdas@rawten.net>

Prev by Date: Re: obsd 3.1 on netra t1 105
Next by Date: Re: PF and "route-to"
Prev by thread: PF and "route-to"
Next by thread: Re: PF and "route-to"
Index(es):
- Date
- Thread