Chris Smith wrote:
> On Wednesday 16 July 2008, Marco Fretz wrote:
>> pf nat rule:
>> nat log on bge0 inet from 172.16.12.128/27 tag natted -> 88.82.xx.xx
>>
>> pf filter rule:
>> pass log quick all flags S/SA keep state tagged natted
> 
> FWIW, you no longer need to specify "flags S/SA keep state" as it is the 
> default.

Yes, I know. I copied the rules out of "pfctl -sr" and there it is
shown because it's added by default...

> 
> It does work here, or my packets would not end up in the proper queues.
> 

The difference I see to your construct is you're tagging packets which
are already tagged. But anyway, my construct should work as well, right?

At the moment I do nat and then a pass:

nat log on bge0 inet from 172.16.12.128/27 tag natted -> 88.82.xx.xx
pass log quick from 172.16.12.128/27

If I add "tagged natted" to the pass rule, the rule never matches...

>> the packet is dropped by my default deny rule (the rule never
>> matches). I think the packet does not get the tag "natted". Any ideas?
>> The same thing with rdr rules is working fine.
> 
>> nat and rdr is done before filtering, right? So if the connection
>> gets natted the tag should be present in the filter section...?
>> (That's what I read in the FAQ.)
> 
> The FAQ actually states "translation occurs before filtering", which may 
> be interpreted differently than "nat and rdr is done before filtering".
> 
> This construct is working for me:
> ==========================================================
> nat on $ext_if inet from $voip_if:network tag VOIP_NET_NAT tagged 
> VOIP_NET -> ($ext_if)
> 
> pass in on $voip_if inet proto { tcp, icmp, udp } all tag VOIP_NET
> 
> pass out quick on $ext_if from ($ext_if) tagged VOIP_NET_NAT queue 
> voip_out
> ==========================================================
> 
> The packet arrives on the internal interface, $voip_if, and gets tagged 
> with VOIP_NET, the nat rule tags everything that is tagged VOIP_NET 
> with a new tag of VOIP_NET_NAT, then everything tagged VOIP_NET_NAT is 
> passed quick out the external interface through the voip_out queue 
> (highest priority).

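Chris's construct tags the packet on the inbound interface first and matches the nat tag only on the outbound leg. As an added example (not a ruleset from either poster), here is that arrangement written for Marco's 172.16.12.128/27 network NATed on bge0; the internal interface name em0 is a placeholder, and the external address is taken from the interface as in Chris's rules rather than the redacted 88.82.xx.xx.

```pf
# Added example, not from the thread. Adapts Chris's two-tag construct
# to Marco's network. "em0" is a placeholder for the inside interface.
ext_if  = "bge0"
int_if  = "em0"
lan_net = "172.16.12.128/27"

# Translation section (pf.conf requires it before the filter rules).
# Only packets already tagged LAN_IN on the way in are translated, and
# they receive a second tag that the outbound filter rule matches on.
nat log on $ext_if inet from $lan_net tag LAN_NAT tagged LAN_IN -> ($ext_if)

# Filter section: deny by default and log what is dropped.
block log all

# Inbound leg on the inside interface: the nat tag does not exist yet
# here, so match on the source network and apply the first tag.
pass in log quick on $int_if inet from $lan_net tag LAN_IN

# Outbound leg on bge0: the packet has been translated and carries
# LAN_NAT, so it can be passed on the tag alone.
pass out log quick on $ext_if tagged LAN_NAT
```

After loading, `pfctl -vsr` prints per-rule Evaluations/Packets counters, so a rule whose packet counter stays at zero while the block rule's counter climbs is the one that is never matching.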