* Ingo Schwarze <schwa...@usta.de> [2011-01-18 16:59]:
> Hi Harald,
>
> Harald Dunkel wrote on Tue, Jan 18, 2011 at 04:41:39PM +0100:
>
> > pf.conf(5) says
> >
> > In the example below, packets bound for one specific server, as well as
> > those generated by the sysadmins are not proxied; all other connections
> > are.
> >
> > match in on $int_if proto { tcp, udp } from any to any port 80 \
> > rdr-to 127.0.0.1 port 80
> > pass in on $int_if proto { tcp, udp } from any to $server port 80
> > pass in on $int_if proto { tcp, udp } from $sysadmins to any port 80
> >
> > I don't see that yet. All traffic for 80/tcp on $int_if matches
> > the first line, so I would assume that all this traffic is
> > redirected, regardless whether the following "pass in" rules
> > match. They don't "undo" the redirection.
>
> pf.conf(5) also says:
>
> For each packet processed by the packet filter, the filter rules are
> evaluated in sequential order, from first to last. For block and pass,
> the last matching rule decides what action is taken; if no rule matches
> ...

that doesn't contradict the OP at all. match rdr-to is indeed sticky
and the example flawed. replacing the match with pass would make it work.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
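
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not pf code: a simplified Python model of how rdr-to takes effect on a match rule versus a pass rule, run over the quoted ruleset and over the variant with the first rule changed to pass. The addresses and the names Rule, final_destination and ruleset are constructed for illustration; the model covers only these three rules, without quick, block or state handling.

```python
# Simplified model of pf rule evaluation (illustration only, not pf itself).
from dataclasses import dataclass
from typing import Optional

SERVER = "192.0.2.10"        # constructed stand-in for $server
SYSADMIN = "198.51.100.5"    # constructed stand-in for a $sysadmins host
PROXY = "127.0.0.1"

@dataclass
class Rule:
    action: str                 # "match" or "pass"
    src: Optional[str] = None   # None means "any"
    dst: Optional[str] = None
    rdr_to: Optional[str] = None

    def matches(self, src, dst):
        return self.src in (None, src) and self.dst in (None, dst)

def final_destination(rules, src, dst):
    """Return where a port-80 packet ends up after the ruleset is evaluated."""
    last_pass = None
    for rule in rules:
        if not rule.matches(src, dst):
            continue
        if rule.action == "match":
            # match: options apply every time the rule matches (sticky),
            # and later rules see the translated destination.
            if rule.rdr_to:
                dst = rule.rdr_to
        else:
            last_pass = rule    # pass: only the last matching rule counts
    if last_pass and last_pass.rdr_to:
        dst = last_pass.rdr_to
    return dst

def ruleset(first_action):
    return [
        Rule(first_action, rdr_to=PROXY),  # from any to any port 80 rdr-to 127.0.0.1
        Rule("pass", dst=SERVER),          # from any to $server port 80
        Rule("pass", src=SYSADMIN),        # from $sysadmins to any port 80
    ]

FLAWED = ruleset("match")   # first rule as quoted from pf.conf(5)
FIXED = ruleset("pass")     # first rule changed to pass, per the reply

if __name__ == "__main__":
    cases = [("10.0.0.7", SERVER), (SYSADMIN, "203.0.113.9"), ("10.0.0.7", "203.0.113.9")]
    for name, rules in (("match", FLAWED), ("pass", FIXED)):
        for src, dst in cases:
            print(name, src, "->", dst, "ends at", final_destination(rules, src, dst))
```

With the match version every port-80 packet ends at the proxy, including traffic to the server and from the sysadmin host; with the pass version only the remaining traffic does.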