From e096ddfc8abc02897dc776701171bc65a06086ee Mon Sep 17 00:00:00 2001
From: dyoung
Date: Thu, 10 May 2007 23:03:22 +0000
Subject: [PATCH] Document state policy flags for 'nat' and 'rdr' rules.

---
 dist/pf/share/man/man5/pf.conf.5 | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/dist/pf/share/man/man5/pf.conf.5 b/dist/pf/share/man/man5/pf.conf.5
index 7b2c9e798f33..edde4ff4a0db 100644
--- a/dist/pf/share/man/man5/pf.conf.5
+++ b/dist/pf/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $NetBSD: pf.conf.5,v 1.10 2006/09/17 13:53:33 wiz Exp $
+.\" $NetBSD: pf.conf.5,v 1.11 2007/05/10 23:03:22 dyoung Exp $
 .\" $OpenBSD: pf.conf.5,v 1.326 2005/03/01 18:10:44 jmc Exp $
 .\"
 .\" Copyright (c) 2002, Daniel Hartmeier
@@ -1779,7 +1779,7 @@ single interface or a group of interfaces.
 .Pp
 The default policy is specified by the
 .Ar state-policy
-global option, but this can be adjusted on a per-rule basis by adding one
+global option, but this can be adjusted on individual filter rules by adding one
 of the
 .Ar if-bound ,
 .Ar group-bound
@@ -1796,6 +1796,22 @@ pass out on ppp from any to 10.12/16 keep state (group-bound)
 A state created on ppp0 would match packets an all PPP interfaces, but not
 packets flowing through fxp0 or any other interface.
 .Pp
+You can adjust the state policy on individual
+.Ar nat
+and
+.Ar rdr
+translation rules by adding a keyword
+.Ar if-bound ,
+.Ar group-bound
+or
+.Ar floating
+at the end of the rule. For example, a rule such as this,
+.Bd -literal -offset indent
+nat on sip0 from 10/8 to ! 10/8 -> 192.168.1.4/32 if-bound
+.Ed
+.Pp
+will create states that only match packets on sip0.
+.Pp
 Keeping rules
 .Ar floating
 is the more flexible option when the firewall is in a dynamic routing
@@ -2667,6 +2683,7 @@ nat-rule = [ "no" ] "nat" [ "pass" ] [ "on" ifspec ] [ af ]
 [ protospec ] hosts [ "tag" string ] [ "tagged" string ]
 [ "->" ( redirhost | "{" redirhost-list "}" )
 [ portspec ] [ pooltype ] [ "static-port" ] ]
+ [ ( "if-bound" | "group-bound" | "floating" ) ]
 
 binat-rule = [ "no" ] "binat" [ "pass" ] [ "on" interface-name ] [ af ]
 [ "proto" ( proto-name | proto-number ) ]
@@ -2678,6 +2695,7 @@ rdr-rule = [ "no" ] "rdr" [ "pass" ] [ "on" ifspec ] [ af ]
 [ protospec ] hosts [ "tag" string ] [ "tagged" string ]
 [ "->" ( redirhost | "{" redirhost-list "}" )
 [ portspec ] [ pooltype ] ]
+ [ ( "if-bound" | "group-bound" | "floating" ) ]
 
 antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
 "for" ( interface-name | "{" interface-list "}" )