From 852f407794d9f047e36e18df159cf35887f981a9 Mon Sep 17 00:00:00 2001 From: Henning Brauer Date: Tue, 3 Jun 2003 12:18:03 +0000 Subject: make crystal clear that NAT happens before filtering and what that means for the filter rules. from Joel Knight again ok cedric@, silence everybody else --- share/man/man5/pf.conf.5 | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) (limited to 'share/man/man5/pf.conf.5') diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 7ea0515c6a5..590e84e919f 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.249 2003/06/02 20:05:49 david Exp $ +.\" $OpenBSD: pf.conf.5,v 1.250 2003/06/03 12:18:02 henning Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" All rights reserved. @@ -866,7 +866,19 @@ such a rule as long as they are not blocked by the filtering section of The translation engine modifies the specified address and/or port in the packet, recalculates IP, TCP and UDP checksums as necessary, and passes it to the packet filter for evaluation. -Translation occurs before filtering. +.Pp +Since translation occurs before filtering the filter +engine will see packets as they look after any +addresses and ports have been translated. Filter rules +will therefore have to filter based on the translated +address and port number. In addition, packets that +match a translation rule are not automatically passed +through the packet filter; translated packets are +still subject to +.Ar block +and +.Ar pass +rules. .Pp The state entry created permits .Xr pf 4 
@@ -931,11 +943,7 @@ option prefixed to a translation rule causes packets to remain untranslated, much in the same way as .Ar drop quick works in the packet filter (see below). -.Pp -If no rule matches the packet, the packet is passed to the filter unmodified. -Translation occurs before the filter rules are applied; -therefore rules for redirected packets should specify the address and port -after translation. +If no rule matches the packet it is passed to the filter engine unmodified. .Pp Translation rules apply only to packets that pass through the specified interface, and if no interface is specified, -- cgit v1.2.3
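Review bot: In the hunk at line 866, the new paragraph runs several sentences onto the same lines ("engine will see packets as they look after any / addresses and ports have been translated. Filter rules / will therefore have to filter based on the translated"), which breaks the mdoc "new sentence, new line" convention used throughout pf.conf.5 and trips the usual lint; reflow so each sentence starts its own line, and add the comma after the introductory clause ("Since translation occurs before filtering, the filter engine ...").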
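Review bot: In the hunk at line 931, dropping the `.Pp` before "If no rule matches the packet it is passed to the filter engine unmodified." glues that sentence onto the paragraph describing the `no` option ("... much in the same way as .Ar drop quick works in the packet filter (see below)."), so it now reads as if it only applied to `no` rules; keep the `.Pp` so the no-match case stands as its own paragraph, and add the comma ("If no rule matches the packet, it is passed ..."). Removing the duplicated "rules for redirected packets should specify the address and port after translation" sentence here is fine, since the translated-address point is now made once, in the paragraph added at line 866.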