nat exclusions



i've observed that pf will nat all addresses in a supplied cidr block. for example, if i instruct pf to nat my 24-bit private network ...

nat on xl0 from 192.168.0.0/24 to any -> xl0

.. pf will not only nat traffic sourcing from 192.168.0.1 through 192.168.0.254 but also 192.168.0.0 and 192.168.0.255. i've always considered these the network and network broadcast addresses. anyway, i'm not really interested in translating/passing any traffic that sources from the network and network broadcast addresses. my only interest in that kind of traffic would be why it's trying to leave my network in the first place!

in the past, to avoid this, i've used the following ...

no nat on xl0 from 192.168.0.0/32 to any
no nat on xl0 from 192.168.0.255/32 to any
nat on xl0 from 192.168.0.0/24 to any -> xl0

.. i recently noticed that pf now allows for some different ways of expressing this ...

no nat on xl0 from 192.168.0.0/32 to any
no nat on xl0 from fxp0:broadcast to any
nat on xl0 from fxp0:network to any -> xl0

.. or even ...

table <hosts> { fxp0:network, !192.168.0.0/32, !fxp0:broadcast }
nat on xl0 from <hosts> to any -> xl0

i think it might be useful to be able to express the network number as easily as it currently is to express the network broadcast number in the rules. past that it might even be more convenient to be able to express the valid host addresses (192.168.0.1 through 192.168.0.254 in my example network) as easily. for example adding a :hosts modifier to a named interface in a nat rule ...

nat on xl0 from fxp0:hosts to any -> xl0

.. this could expand to valid host addresses for the given interface's network.

any thoughts?

-ps
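As an added illustration of the exclusions discussed in the post (not code from the post or from pf itself), the following Python script uses the standard ipaddress module to emulate two things: pf's first-match evaluation of the poster's `no nat` / `nat` rules, and the proposed `fxp0:hosts` modifier expanded into a pf table of CIDR entries that cover exactly 192.168.0.1 through 192.168.0.254. The interface address 192.168.0.1/24 assigned to fxp0 is an assumption; the post only gives the /24 network.

```python
import ipaddress

# Constructed assumption: the address carried by the post's fxp0 interface.
# The post gives only the 192.168.0.0/24 network, not the interface address.
FXP0_IFACE = ipaddress.ip_interface("192.168.0.1/24")


def expand_modifier(iface, modifier):
    """Expand a pf-style interface modifier into a list of networks.

    ':network' and ':broadcast' exist in pf.conf; ':hosts' is the modifier
    proposed in the post and is emulated here by excluding the network
    number and the directed broadcast address from the interface's network.
    """
    net = iface.network
    if modifier == "network":
        return [net]
    if modifier == "broadcast":
        return [ipaddress.ip_network(f"{net.broadcast_address}/32")]
    if modifier == "hosts":
        # Valid host addresses only: first usable to last usable address,
        # summarised into the smallest set of CIDR blocks.
        return list(ipaddress.summarize_address_range(
            net.network_address + 1, net.broadcast_address - 1))
    raise ValueError(f"unknown modifier {modifier!r}")


def hosts_table(iface, name="hosts", ext_if="xl0"):
    """Render the ':hosts' expansion as a pf table plus the nat rule."""
    entries = ", ".join(str(n) for n in expand_modifier(iface, "hosts"))
    return (f"table <{name}> {{ {entries} }}\n"
            f"nat on {ext_if} from <{name}> to any -> {ext_if}")


# The post's original ruleset, in order: two 'no nat' exclusions followed
# by the catch-all nat rule for the whole /24.
RULES = [
    ("no nat", ipaddress.ip_network("192.168.0.0/32")),
    ("no nat", ipaddress.ip_network("192.168.0.255/32")),
    ("nat", ipaddress.ip_network("192.168.0.0/24")),
]


def translated(src, rules=RULES):
    """Emulate pf translation-rule evaluation: for nat rules the first
    matching rule decides, and a matching 'no nat' means no translation."""
    addr = ipaddress.ip_address(src)
    for action, net in rules:
        if addr in net:
            return action == "nat"
    return False


def same_coverage(iface, rules=RULES):
    """Check that the ':hosts' table translates exactly the same source
    addresses as the explicit 'no nat' + 'nat' ruleset does."""
    hosts = expand_modifier(iface, "hosts")
    for addr in iface.network:
        in_hosts = any(addr in n for n in hosts)
        if in_hosts != translated(addr, rules):
            return False
    return True


if __name__ == "__main__":
    print(hosts_table(FXP0_IFACE))
    for probe in ("192.168.0.0", "192.168.0.1", "192.168.0.254", "192.168.0.255"):
        print(f"{probe:15} translated: {translated(probe)}")
    print("table and explicit rules agree:", same_coverage(FXP0_IFACE))
```

Running it prints a 14-entry table (the /24 minus its first and last address does not collapse into a single CIDR block, which is why a `:hosts` modifier would be a convenience over writing the table by hand) and confirms that the network and broadcast addresses are left untranslated while every host address is translated, matching the poster's explicit `no nat` rules.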