Discussion:
duplicate rules in binat-to rule macro expansion
TimH
2016-01-24 02:30:35 UTC
Permalink
If you use a macro in a binat-to rule that contains multiple IPs like
so:

home_ipv4 = "{" 10.22.28.100 10.74.13.26 10.0.10.2 "}"

pass on $egress_if from 172.28.0.107 to $home_ipv4 binat-to 10.39.177.145


It will create a cascade of duplicate inbound pass rules like
so:

1) pass out on em0 inet from 172.28.0.107 to 10.22.28.100 flags S/SA nat-to 10.39.177.145 static-port
2) pass in on em0 inet from 10.22.28.100 to 10.39.177.145 flags S/SA rdr-to 172.28.0.107
3) pass in on em0 inet from 10.74.13.26 to 10.39.177.145 flags S/SA rdr-to 172.28.0.107
4) pass in on em0 inet from 10.0.10.2 to 10.39.177.145 flags S/SA rdr-to 172.28.0.107
5) pass out on em0 inet from 172.28.0.107 to 10.74.13.26 flags S/SA nat-to 10.39.177.145 static-port
6) pass in on em0 inet from 10.74.13.26 to 10.39.177.145 flags S/SA rdr-to 172.28.0.107
7) pass in on em0 inet from 10.0.10.2 to 10.39.177.145 flags S/SA rdr-to 172.28.0.107
8) pass out on em0 inet from 172.28.0.107 to 10.0.10.2 flags S/SA nat-to 10.39.177.145 static-port
9) pass in on em0 inet from 10.0.10.2 to 10.39.177.145 flags S/SA rdr-to 172.28.0.107

Lines 3 and 6 are duplicates and lines 4, 7, and 9 are duplicates.

Tested on 5.8. Not a big deal, but I figured I would mention
it since I noticed.

--TimH

Loading...