On Wed, Sep 22, 2021 at 10:38:14AM +0100, Stuart Henderson wrote:
> On 2021/09/22 11:28, Landry Breuil wrote:
> > On Tue, Sep 21, 2021 at 10:40:12PM +0200, Sebastian Benoit wrote:
> > > Alexander Bluhm([email protected]) on 2021.09.21 22:34:09 +0200:
> > > > On Mon, Sep 20, 2021 at 03:54:58PM +0200, Landry Breuil wrote:
> > > > > did i screw up something somewhere in my config and there's a better
> > > > > way
> > > > > for that ?
> > > >
> > > > This was changed in February. No more interface, but gateway
> > > > addresses. It seems that some parts of the documentation were
> > > > missed.
> > > >
> > > > > should the manpage be improved for reply-to and talk about
> > > > > 'destination
> > > > > address' instead of 'interface' like route-to does ?
> > > >
> > > > Yes.
> > > >
> > > > It looks like most information is in the commit message.
> > > > https://marc.info/?l=openbsd-cvs&m=161213948819452&w=2
> > > >
> > > It's also on http://www.openbsd.org/faq/upgrade69.html
> >
> > my english sucks and i'm not sure i got the meaning right, but here's a
> > try:
> >
> > Index: pf.conf.5 > > =================================================================== > > RCS file: /cvs/src/share/man/man5/pf.conf.5,v > > retrieving revision 1.587 > > diff -u -r1.587 pf.conf.5 > > --- pf.conf.5 19 Jul 2021 16:23:56 -0000 1.587 > > +++ pf.conf.5 22 Sep 2021 09:23:14 -0000
> > @@ -1103,13 +1103,14 @@ > > option is similar to > > .Cm route-to , > > but routes packets that pass in the opposite direction (replies) to the > > -specified interface. > > +specified address. > > Opposite direction is only defined in the context of a state entry, and > > .Cm reply-to > > is useful only in rules that create state. > > It can be used on systems with multiple external connections to > > -route all outgoing packets of a connection through the interface > > -the incoming connection arrived through (symmetric routing enforcement). > > +route all outgoing packets of a connection through the interface the > > incoming > > +connection arrived through (symmetric routing enforcement) via the address > > of > > +the gateway specified in the rule.
>
> I think using "connection" twice (internet connection, and TCP/UDP/...\
> connection) can make this harder to read. Not 100% happy with this and
> I have to go out so won't do any more wordsmithing now, but maybe it
> gives some ideas?
>
> It can be used on systems with multiple paths to the internet to ensure
> that replies to an incoming network connection to a particular address
> are sent using the path associated with that address (symmetric routing
> enforcement).
> This is done by specifying the address of the gateway in "reply-to".
>
this reads fine too, stuart.
jmc

> >
> > .It Cm route-to > > The > > .Cm route-to
> >
> > i wouldn't know how to change the example in faq/upgrade69.html as it is
> > valid
> > (but only specific to the case of a point-to-point interface with a :peer
> > property)
> >
> > ccing experts :)
> >
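
Review bot: In the last three added lines of the hunk, the sentence keeps "through the interface the incoming connection arrived through" and then appends "via the address of the gateway specified in the rule", so it does not say whether the interface or the gateway address selects the return path, although the first change in the hunk and the quoted explanation ("No more interface, but gateway addresses") say reply-to now takes an address. Suggest dropping the interface wording and stating in a separate sentence that replies are sent to the gateway address given in the rule. As quoted here, two of the added lines are broken after "incoming" and "of", so the diff should be checked against pf.conf.5 rev 1.587 before it is applied.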
