Date: Wed, 1 Feb 2006 08:01:36 -0600
From: Bill Marquette <bill.marquette@gmail.com>
To: Dmitry Andrianov <dimas@dataart.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Using pf to force different outgoing IP address depending on UNIX user/group for locally originating connection?
Message-ID: <55e8a96c0602010601t7b746206ice51e29c3265490f@mail.gmail.com>
In-Reply-To: <D5972F49810A69449A9EA72A4B360DC2799E29@e1.universe.dart.spb>
References: <D5972F49810A69449A9EA72A4B360DC2799E29@e1.universe.dart.spb>
On 1/31/06, Dmitry Andrianov <dimas@dataart.com> wrote:
> Hello.
>
> To my understanding, you can apply nat rule to tagged packets only. This
> should do the trick.
>
> nat on $ext_if tagged TAG1 -> 192.168.33.14
> nat on $ext_if tagged TAG2 -> 192.168.33.15

You can apply tags to NATs, however the point of the original post was that
filter policy (which accepts the 'user' syntax) is evaluated AFTER the NAT,
so he can't tag a packet based on the filter policy and then have it NATd
using the correct source address for that user.

> Moreover, nat rules can also accept uid/gid matching but I'm not sure
> about that.
>
> Doesn't it work?

Nope...an otherwise syntactically correct config file (note that this is
from a recent OpenBSD snapshot, not FreeBSD - not that the difference
changes anything):

$ cat foo
nat on lo0 from any to any user root -> 127.0.0.1
$ sudo pfctl -f foo
foo:1: syntax error
pfctl: Syntax error in config file: pf rules not loaded
$ cat foo
nat on lo0 from any to any -> 127.0.0.1
$ sudo pfctl -f foo
$ sudo pfctl -sn
nat on lo0 inet all -> 127.0.0.1

I haven't looked at the code, but I wouldn't be terribly surprised if you
couldn't just copy/paste the user match code in the lexer for filter rules
into the nat part of the lexer.

--Bill