On 2010/06/15 11:13, william dunand wrote:
> > ah, yes, I see what you mean, but this depends on the values chosen for
> > A, B, somewhere, something.
> 
> Yeah sorry for the vagueness :)
> Anyway I tested it just in case and as expected it didn't work.
> 
> > it might be simpler to combine the rules e.g.
> >
> > pass out on $ext_if proto tcp from {A, B} to port 25 nat-to $something
> 
> Indeed, I guess having the nat-to on the pass rule is the only way
> (until the PR gets solved ;)
> I just wanted to avoid having more than one nat rule, and block rules
> not gathered altogether at the top.

That relates to logging only. 'match log' is special as it is
handled immediately when the match rule is processed.

You can not expect to have the following work:

pass ...
match ... nat-to ...

When you use 'match' to set options (e.g. nat-to) it does that for
*subsequent* rules, it doesn't retrospectively loop back and
change addresses on a rule which has *already* been processed.
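As an added illustration of the ordering point made above (this is not a ruleset from the thread; the interface name, host addresses and NAT address are placeholders chosen for the example), here is a pf.conf fragment showing the ordering that does not work next to the two that do:

```pf
# Added example, not from the thread. Interface and addresses are placeholders.
ext_if = "em0"
host_a = "192.0.2.10"
host_b = "192.0.2.11"
nat_ip = "198.51.100.1"

# Does NOT work: the pass rule has already been evaluated by the time the
# match rule sets nat-to, so the option never reaches it (kept commented
# out so the file stays loadable).
#pass out on $ext_if proto tcp from { $host_a, $host_b } to port 25
#match out on $ext_if proto tcp from { $host_a, $host_b } to port 25 nat-to $nat_ip

# Works: match comes first, so nat-to is set before the subsequent pass
# rule matches the same packets.
match out on $ext_if proto tcp from { $host_a, $host_b } to port 25 nat-to $nat_ip
pass out on $ext_if proto tcp from { $host_a, $host_b } to port 25

# Equivalent single rule, as suggested earlier in the thread (use either
# this or the match/pass pair above, not both).
#pass out on $ext_if proto tcp from { $host_a, $host_b } to port 25 nat-to $nat_ip
```

Load it with `pfctl -nf pf.conf` to check the syntax without activating it; the parse succeeds for all three variants, so the difference is purely in evaluation order, not in whether the rules are accepted.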
