Document state policy flags for 'nat' and 'rdr' rules.

dyoung 2007-05-10 23:03:22 +00:00
parent f7748bc6aa
commit e096ddfc8a


@ -1,4 +1,4 @@
.\" $NetBSD: pf.conf.5,v 1.10 2006/09/17 13:53:33 wiz Exp $
.\" $NetBSD: pf.conf.5,v 1.11 2007/05/10 23:03:22 dyoung Exp $
.\" $OpenBSD: pf.conf.5,v 1.326 2005/03/01 18:10:44 jmc Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
@ -1779,7 +1779,7 @@ single interface or a group of interfaces.
.Pp
The default policy is specified by the
.Ar state-policy
global option, but this can be adjusted on a per-rule basis by adding one
global option, but this can be adjusted on individual filter rules by adding one
of the
.Ar if-bound ,
.Ar group-bound
@ -1796,6 +1796,22 @@ pass out on ppp from any to 10.12/16 keep state (group-bound)
A state created on ppp0 would match packets an all PPP interfaces,
but not packets flowing through fxp0 or any other interface.
.Pp
You can adjust the state policy on individual
.Ar nat
and
.Ar rdr
translation rules by adding a keyword
.Ar if-bound ,
.Ar group-bound
or
.Ar floating
at the end of the rule. For example, a rule such as this,
.Bd -literal -offset indent
nat on sip0 from 10/8 to ! 10/8 -> 192.168.1.4/32 if-bound
.Ed
.Pp
will create states that only match packets on sip0.
.Pp
Keeping rules
.Ar floating
is the more flexible option when the firewall is in a dynamic routing
@ -2667,6 +2683,7 @@ nat-rule = [ "no" ] "nat" [ "pass" ] [ "on" ifspec ] [ af ]
[ protospec ] hosts [ "tag" string ] [ "tagged" string ]
[ "->" ( redirhost | "{" redirhost-list "}" )
[ portspec ] [ pooltype ] [ "static-port" ] ]
[ ( "if-bound" | "group-bound" | "floating" ) ]
binat-rule = [ "no" ] "binat" [ "pass" ] [ "on" interface-name ]
[ af ] [ "proto" ( proto-name | proto-number ) ]
@ -2678,6 +2695,7 @@ rdr-rule = [ "no" ] "rdr" [ "pass" ] [ "on" ifspec ] [ af ]
[ protospec ] hosts [ "tag" string ] [ "tagged" string ]
[ "->" ( redirhost | "{" redirhost-list "}" )
[ portspec ] [ pooltype ] ]
[ ( "if-bound" | "group-bound" | "floating" ) ]
antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
"for" ( interface-name | "{" interface-list "}" )