[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Using pf to force different outgoing IP address depending on UNIX user/group for locally originating connection?

On 1/31/06, Dmitry Andrianov <dimas@xxxxxxxxxxx> wrote:
> Hello.
> To my understanding, you can apply nat rule to tagged packets only. This
> should do the trick.
> nat on $ext_if tagged TAG1 ->
> nat on $ext_if tagged TAG2 ->

You can apply tags to NATs, however the point of the original post was
that filter policy (which accepts the 'user' syntax) is evaluated
AFTER the NAT, so he can't tag a packet based on the filter policy and
then have it NATd using the correct source address for that user.

> Moreover, nat rules can also accept uid/gid matching but I'm not sure
> about that.
> Doesn't it work?

Nope...an otherwise syntactically correct config file (note that this
is from a recent OpenBSD snapshot, not FreeBSD - not that the
difference changes anything):

$ cat foo
nat on lo0 from any to any user root ->
$ sudo pfctl -f foo
foo:1: syntax error
pfctl: Syntax error in config file: pf rules not loaded
$ cat foo
nat on lo0 from any to any ->
$ sudo pfctl -f foo
$ sudo pfctl -sn
nat on lo0 inet all ->

I haven't looked at the code, but I wouldn't be terribly surprised if
you couldn't just copy/paste the user match code in the lexer for
filter rules into the nat part of the lexer.