h bagade wrote:

[...]

for instance, I want to NAT IP addresses from the 192.168.0.0/24 network to the
range of IP addresses 10.10.10.1 - 10.10.20.20 in round robin. In the pf rule I
should list the IP addresses in the range one by one like this:

nat on $ext_if from { 192.168.0.0/24} to any ->  {10.10.10.1, 10.10.10.2,
...., 10.10.10.254, 10.10.11.1, ...., 10.10.20.20}

According to the pf.conf manpage, you can use a network range on the right side of the "nat" definition.

Here is an example from the manpage:

# NAT LOAD BALANCE
# Translate outgoing packets' source addresses using an address pool.
# A given source address is always translated to the same pool address by
# using the source-hash keyword.
nat on $ext_if inet from any to any -> 192.0.2.16/28 source-hash

So I think you can use the same syntax with round-robin instead of source-hash.

The number of IP addresses on the right side, which is more than 2550, could be
reduced dramatically by defining network addresses instead (e.g. 10.10.10.0/24,
10.10.11.0/24, ...).

The grammar for pf.conf is given at the end of the manpage:

nat-rule   = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
             [ "on" ifspec ] [ af ]
             [ protospec ] hosts [ "tag" string ] [ "tagged" string ]
             [ "->" ( redirhost | "{" redirhost-list "}" )
             [ portspec ] [ pooltype ] [ "static-port" ] ]

So you can use a redirhost or a redirhost-list on the right side.

redirhost      = address [ "/" mask-bits ]

redirhost-list = redirhost [ [ "," ] redirhost-list ]

I did not try it for real, but a quick syntax check passes for the following example:

nat on bge0 inet from any to any -> { 10.1.1.0/24, 10.1.1.1/24, 10.1.1.2/24 } round-robin

You can test it like this:

# echo 'nat on bge0 inet from any to any -> { 10.1.1.0/24, 10.1.1.1/24, 10.1.1.2/24 } round-robin' | pfctl -nvvf -

No syntax error message was printed.

Let us know if it works for you.

Miroslav Lachman
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
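As an added example (not from the original post, and not pf project code): the range-to-prefix conversion the reply suggests, automated with Python's ipaddress module. It summarizes 10.10.10.1 - 10.10.20.20 into the minimal list of CIDR prefixes (14 entries, 2580 addresses, instead of one entry per address), lists the .0 and .255 addresses that such a pool necessarily contains so the operator can decide whether that matters on their network, builds the nat rule, and runs the same parse-only pfctl check when pfctl is installed. The interface name em0 and the `pfctl -nf -` invocation are assumptions; pfctl -n only parses the rule, it does not show how the pool behaves at runtime.

```python
"""Build a pf nat rule whose address pool covers an arbitrary IPv4 range.

Added example for the freebsd-pf thread above; assumes interface em0.
"""
import ipaddress
import shutil
import subprocess
from typing import List, Optional

Prefix = ipaddress.IPv4Network


def range_to_prefixes(first: str, last: str) -> List[Prefix]:
    """Minimal list of CIDR prefixes covering first..last inclusive."""
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    if end < start:
        raise ValueError(f"range end {last} precedes start {first}")
    return list(ipaddress.summarize_address_range(start, end))


def pool_size(prefixes: List[Prefix]) -> int:
    """Number of addresses the prefixes expand to."""
    return sum(p.num_addresses for p in prefixes)


def zero_and_255_hosts(prefixes: List[Prefix]) -> List[str]:
    """Addresses ending in .0 or .255 that fall inside the pool.

    A pool written as prefixes cannot skip these, so the operator should
    know they are part of the rotation.
    """
    found = []
    for p in prefixes:
        for addr in p:
            if int(addr) & 0xFF in (0x00, 0xFF):
                found.append(str(addr))
    return found


def redirhost(p: Prefix) -> str:
    """pf redirhost syntax: a bare address for a single host, else CIDR."""
    return str(p.network_address) if p.prefixlen == 32 else str(p)


def nat_rule(ext_if: str, src_net: str, first: str, last: str,
             pooltype: str = "round-robin") -> str:
    """Compose 'nat on IF inet from SRC to any -> { pool } POOLTYPE'."""
    if pooltype not in ("round-robin", "source-hash"):
        raise ValueError(f"unsupported pool type {pooltype!r}")
    src = ipaddress.IPv4Network(src_net)      # raises on a host bit set
    pool = ", ".join(redirhost(p) for p in range_to_prefixes(first, last))
    return f"nat on {ext_if} inet from {src} to any -> {{ {pool} }} {pooltype}"


def pfctl_syntax_check(rule: str) -> Optional[bool]:
    """Parse-only check, as in the post (pfctl -n).

    Returns None when pfctl is not installed on this host, True when
    pfctl accepted the rule, False when it printed a syntax error.
    """
    if shutil.which("pfctl") is None:
        return None
    proc = subprocess.run(["pfctl", "-nf", "-"], input=rule + "\n",
                          text=True, capture_output=True)
    return proc.returncode == 0


if __name__ == "__main__":
    prefixes = range_to_prefixes("10.10.10.1", "10.10.20.20")
    print(f"{len(prefixes)} prefixes, {pool_size(prefixes)} addresses")
    print("x.x.x.0 / x.x.x.255 hosts in pool:", zero_and_255_hosts(prefixes))
    rule = nat_rule("em0", "192.168.0.0/24", "10.10.10.1", "10.10.20.20")
    print(rule)
    print("pfctl -n result:", pfctl_syntax_check(rule))
```

On a FreeBSD box with pf, `pfctl_syntax_check` returns True or False; elsewhere it returns None rather than pretending the rule was validated. The generated list is exact for the requested range, which is why the first and last entries are bare host addresses rather than /24s.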