> On 14 Oct 2020, at 21:16, J David wrote:
>> On Wed, Oct 14, 2020 at 1:59 PM Kristof Provost <k...@freebsd.org> wrote:
>>> There’s good reason to do this, as we have to be able to match state
>>> on both the pre-translation side (when processing LAN -> WAN traffic)
>>> and post-translation (WAN -> LAN).
>
> So, basically, pf would need separate states for each pre-redirect
> destination address in order to have the information needed to map the
> reply packet back to the original destination address.
>
> But even if pf did that, the problem does not go away. It just moves
> to the reply packet coming back with only the post-redirect info.
> That info matches multiple states, leaving pf no way to pick the right
> one.
>
> Is that about right?
Pretty much, I think.
I’ve not dug very deep yet, but I wonder if we shouldn’t have to
teach pf to change the source port to avoid conflicting states in the
first place.
It’s a non-trivial problem in any case.
Regards,
Kristof
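A toy model of the state-key collision discussed above, added here as an illustration and not pf's own code: each state keeps a pre-translation key and a post-translation key, two connections from the same client port to different pre-redirect destinations collapse onto one post-redirect key, and a reply then matches both states; the `rewrite_sport` option models Kristof's suggestion of changing the source port so the post-translation keys stay distinct. Addresses, ports and the rdr target are constructed values.

```python
"""Toy model of pf state keys under an rdr (redirect) translation."""
from dataclasses import dataclass

# (src addr, src port, dst addr, dst port) as seen on one side of the translation
Key = tuple[str, int, str, int]


@dataclass
class State:
    pre: Key   # key before translation (LAN -> WAN direction, original destination)
    post: Key  # key after translation (what the reply packet will carry)


class StateTable:
    def __init__(self, rewrite_sport: bool = False):
        self.states: list[State] = []
        self.rewrite_sport = rewrite_sport
        self.next_port = 50000  # constructed ephemeral-port pool for rewriting

    def insert(self, src: str, sport: int, dst: str, dport: int,
               rdr_to: tuple[str, int]) -> State:
        """Create a state for a packet that hit an rdr rule pointing at rdr_to."""
        pre = (src, sport, dst, dport)
        post_sport = sport
        # Only when source-port rewriting is enabled do we avoid a duplicate post key.
        if self.rewrite_sport and any(s.post == (src, sport, *rdr_to) for s in self.states):
            post_sport = self.next_port
            self.next_port += 1
        state = State(pre, (src, post_sport, *rdr_to))
        self.states.append(state)
        return state

    def match_reply(self, reply_src: str, reply_sport: int,
                    reply_dst: str, reply_dport: int) -> list[State]:
        """A reply carries only post-translation info; return every state it matches."""
        key = (reply_dst, reply_dport, reply_src, reply_sport)  # reversed direction
        return [s for s in self.states if s.post == key]

    def original_destination(self, *reply) -> tuple[str, int]:
        """Map a reply back to the pre-redirect destination; fail if ambiguous."""
        matches = self.match_reply(*reply)
        if len(matches) != 1:
            raise LookupError(f"{len(matches)} states match this reply")
        return matches[0].pre[2], matches[0].pre[3]
```

With `rewrite_sport=False` a reply from the rdr target to the client's original port matches two states, which is the ambiguity the thread describes; with it enabled the second connection gets a fresh source port and each reply resolves to exactly one pre-redirect destination.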
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf