October 13 2011 NAT update

Tom Murphy-7
You guys might want to add a note to current.html that from October
13 2011, the NAT updates have made it impossible to not use an address
family in a nat-to statement.

The following statement fails now:

match out on egress from ($int_if:network) nat-to (egress)

Gives the error:

/etc/pf.conf:74: af-to is not supported on match rules
/etc/pf.conf:74: skipping rule due to errors

Changing it to:

match out on egress inet from ($int_if:network) nat-to (egress)

Fixes it.

I wasn't sure how many people explicitly use the address family in
their nat-to lines, but this one caught me out when I updated to a
newer snapshot earlier this month.

Tom
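Added example, not code from the thread: a small sh/awk check that lists every nat-to rule with no explicit inet/inet6 keyword, the case Tom describes, run here over a constructed sample ruleset (the interface variable and addresses are assumed). For a real file, pipe in /etc/pf.conf and then parse the result with pfctl -nf before loading it.

```shell
# Constructed sample ruleset (not a real /etc/pf.conf): line 3 is the form
# that the October 13 2011 snapshot rejects, lines 4-5 are the fixed forms.
PF_SAMPLE='# constructed sample ruleset
int_if = "em1"
match out on egress from ($int_if:network) nat-to (egress)
match out on egress inet from ($int_if:network) nat-to (egress)
match out on egress inet6 from ($int_if:network) nat-to (egress)
pass in on $int_if from ($int_if:network)
'

# Read a ruleset on stdin and print each nat-to rule that carries no
# inet/inet6 keyword, with its line number. Comment lines are skipped.
# Exit status: 1 if any such rule was found, 0 if the ruleset is clean.
check_nat_to_af() {
    awk '
        /^[[:space:]]*#/ { next }
        /nat-to/ && !(/(^|[[:space:]])inet6?([[:space:]]|$)/) {
            printf "line %d: nat-to rule without address family: %s\n", NR, $0
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Usage: check_nat_to_af < /etc/pf.conf
printf '%s' "$PF_SAMPLE" | check_nat_to_af \
    || echo "add inet or inet6 to the rules above before loading"
```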

Re: October 13 2011 NAT update

Mike Belopuhov
On Fri, Oct 28, 2011 at 12:09 PM, Tom Murphy <[hidden email]> wrote:

> You guys might want to add a note to current.html that from October
> 13 2011, the NAT updates have made it impossible to not use an address
> family in a nat-to statement.
>
> The following statement fails now:
>
> match out on egress from ($int_if:network) nat-to (egress)
>
> Gives the error:
>
> /etc/pf.conf:74: af-to is not supported on match rules
> /etc/pf.conf:74: skipping rule due to errors
>
> Changing it to:
>
> match out on egress inet from ($int_if:network) nat-to (egress)
>
> Fixes it.
>
> I wasn't sure how many people explicitly use the address family in
> their nat-to lines, but this one caught me out when I updated to a
> newer snapshot earlier this month.
>
> Tom
>
>

Yes, I have a proper fix for that. Need to test it though.