Subject: stopping PF NAT state from "floating" ?
To: None <tech-net@netbsd.org>
From: David Young <dyoung@pobox.com>
List: tech-net
Date: 05/07/2007 01:01:47
I am using PF for NAT. I would like to stop NAT states from floating
between interfaces. I have searched all day for a solution, but I have
not found one. Does anyone know how?
Details:
I have this translation rule on the ethernet admsw0,
nat on admsw0 inet from <cuwin> to ! <cuwin> -> 192.168.1.4 port 10000:20000
I have noticed that the translation states will "float" between admsw0 and
ath0. That is, if the routes change so that a flow that passes through
admsw0 passes through ath0, instead, then the address translations from
admsw0 continue to apply to the flow on ath0. I can see why that might
be desirable in some cases, but it is bad for my application.
Here is the NAT state:
self udp 10.0.246.46:65533 -> 192.168.1.4:14690 -> a.b.c.d:2524 SINGLE:NO_TRAFFIC
self udp 10.0.246.46:65531 -> 192.168.1.4:13794 -> a.b.c.d:2525 SINGLE:NO_TRAFFIC
I see those translations applied to traffic going out ath0 after the route
to a.b.c.d moves from admsw0 to ath0. As I say, that's not what I desire.
I thought that 'set state-policy if-bound' would help, but I have found
out in other experiments that it will not. I believe I understand why not
after reading the PF sources, especially sys/dist/pf/sbin/pfctl/parse.y
and sys/dist/pf/net/pf.c.
Is there a way to stop NAT states from "floating" that I have missed?
Dave
--
David Young OJC Technologies
dyoung@ojctech.com Urbana, IL * (217) 278-3933
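A small helper for checking the kind of state table shown above, added here as an example and not part of the original post or of PF/pfctl. It parses `pfctl -ss`-style lines into their fields so a practitioner can list which NAT translations are in effect and which of them are floating rather than bound to one interface. It assumes that the first column is the interface the state is bound to and that a column of `self` (or `all`) marks a floating state, which matches the behaviour the post describes but is an assumption here, not something the post confirms. The sample input is constructed: the two lines from the post plus one hypothetical interface-bound NAT state and one hypothetical non-NAT state for contrast.

```python
"""Parse pfctl -ss state lines and flag floating NAT states.

Added example; not from the original post and not pfctl's own code.
Assumptions (labelled as such): column 1 is the interface the state is
bound to, "self"/"all" meaning a floating state; column 2 is the
protocol; a NAT state shows origin -> translated -> destination (two
arrows) while a plain state shows src -> dst (one arrow); the last
column is the src:dst state pair.
"""
from dataclasses import dataclass
from typing import List, Optional

# Binding names assumed to denote a floating (not if-bound) state.
FLOATING_NAMES = {"self", "all"}

# Constructed sample: the two lines quoted in the post, plus two
# hypothetical lines (an if-bound NAT state on admsw0 and a non-NAT tcp
# state) so the parser has both cases to distinguish.
SAMPLE = """\
self udp 10.0.246.46:65533 -> 192.168.1.4:14690 -> a.b.c.d:2524 SINGLE:NO_TRAFFIC
self udp 10.0.246.46:65531 -> 192.168.1.4:13794 -> a.b.c.d:2525 SINGLE:NO_TRAFFIC
admsw0 udp 10.0.246.47:65530 -> 192.168.1.4:13795 -> a.b.c.d:2526 SINGLE:NO_TRAFFIC
self tcp 10.0.246.46:40000 -> a.b.c.d:22 ESTABLISHED:ESTABLISHED
"""


@dataclass
class PfState:
    iface: str            # binding column ("self", "all" or an interface name)
    proto: str
    src: str              # original source address:port
    nat_src: Optional[str]  # translated source address:port, None if no NAT
    dst: str
    state: str            # e.g. SINGLE:NO_TRAFFIC

    @property
    def is_nat(self) -> bool:
        return self.nat_src is not None

    @property
    def is_floating(self) -> bool:
        return self.iface in FLOATING_NAMES


def parse_state_line(line: str) -> PfState:
    """Parse one pfctl -ss line; raises ValueError on an unexpected shape."""
    parts = line.split()
    if len(parts) < 5:
        raise ValueError(f"too few fields: {line!r}")
    iface, proto, state = parts[0], parts[1], parts[-1]
    # Drop the arrow tokens; what remains are the endpoints in order.
    hops = [p for p in parts[2:-1] if p not in ("->", "<-")]
    if len(hops) == 3:
        src, nat_src, dst = hops
    elif len(hops) == 2:
        (src, dst), nat_src = hops, None
    else:
        raise ValueError(f"unexpected endpoint count in {line!r}")
    return PfState(iface, proto, src, nat_src, dst, state)


def parse_states(text: str) -> List[PfState]:
    """Parse all non-empty lines of pfctl -ss output."""
    return [parse_state_line(ln) for ln in text.splitlines() if ln.strip()]


def floating_nat_states(text: str) -> List[PfState]:
    """Return the NAT states that are not bound to a specific interface."""
    return [s for s in parse_states(text) if s.is_nat and s.is_floating]


if __name__ == "__main__":
    # Pipe real output in with: pfctl -ss | python3 this_script.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for s in floating_nat_states(data):
        print(f"floating NAT state: {s.src} -> {s.nat_src} -> {s.dst} ({s.state})")
```

Run it against live `pfctl -ss` output to see which translations would survive a route change between interfaces under the assumption above; if the binding column shows an interface name instead of `self`, the state is interface-bound and would not follow the flow onto another interface.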