Subject: Re: stopping PF NAT state from "floating" ?
To: None <tech-net@NetBSD.org>
From: David Young <dyoung@pobox.com>
List: tech-net
Date: 05/09/2007 23:23:38
On Mon, May 07, 2007 at 01:01:47AM -0500, David Young wrote:
> I am using PF for NAT. I would like to stop NAT states from floating
> between interfaces. I have searched all day for a solution, but I have
> not found one. Does anyone know how?
>
> Details:
>
> I have this translation rule on the ethernet admsw0,
>
> nat on admsw0 inet from <cuwin> to ! <cuwin> -> 192.168.1.4 port 10000:20000

With a bit of hacking on dist/pf/sbin/pfctl/parse.y, now I can use pfctl
to add this rule---note the if-bound flag, which is new:

nat on admsw0 inet from <cuwin> to ! <cuwin> (if-bound) -> 192.168.1.4 port 10000:20000

That certainly looks like the rule I want. It did not work as I
expected: the rule created NAT states that "floated" from interface
to interface. I noted that pfctl labels floating states 'self':

> self udp 10.0.246.46:65533 -> 192.168.1.4:14690 -> a.b.c.d:2524 SINGLE:NO_TRAFFIC
> self udp 10.0.246.46:65531 -> 192.168.1.4:13794 -> a.b.c.d:2525 SINGLE:NO_TRAFFIC

As a last-ditch effort to stop the state from floating, I redefined
the BOUND_IFACE macro, in this way hard-coding if-bound for ALL states:

#define BOUND_IFACE(r, k) (k)

That gave me the behavior I want. Here are the states I see, now:

admsw0 udp 10.0.246.46:65533 -> 192.168.1.4:17303 -> 64.198.255.12:2524 SINGLE:NO_TRAFFIC
admsw0 udp 10.0.246.46:65531 -> 192.168.1.4:17352 -> 64.198.255.12:2525 SINGLE:NO_TRAFFIC

pfctl seems to indicate, with 'admsw0' in the leftmost column, that the
state is bound to the interface. I have verified with tcpdump that even
though the NAT states persist, they are not affecting ath0.

Right now, I am at a loss to explain how pfctl can add a rule with an
if-bound flag, read the same rule back out with if-bound flag intact,
and nevertheless ignore the if-bound flag when it creates state.

Still investigating.

Dave
--
David Young OJC Technologies
dyoung@ojctech.com Urbana, IL * (217) 278-3933
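An added audit check, not part of the original message or of PF/pfctl itself: it parses state lines in the format pfctl printed above and reports translated (NAT) states whose interface column is 'self', i.e. states that are floating rather than bound to an interface as the if-bound flag was meant to ensure. The sample lines are constructed from the ones quoted in the thread plus one untranslated state; the line format assumed is "iface proto src -> [nat ->] dst STATE".

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches pfctl state lines as quoted in the thread, e.g.
#   self udp 10.0.246.46:65533 -> 192.168.1.4:14690 -> a.b.c.d:2524 SINGLE:NO_TRAFFIC
#   admsw0 udp 10.0.246.46:65533 -> 192.168.1.4:17303 -> 64.198.255.12:2524 SINGLE:NO_TRAFFIC
# The middle "addr:port ->" hop is the NAT translation; it is absent for
# untranslated states, so it is optional here (assumed format).
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+->\s+"
    r"(?:(?P<nat>\S+)\s+->\s+)?"
    r"(?P<dst>\S+)\s+(?P<state>\S+)$"
)

@dataclass
class PfState:
    iface: str
    proto: str
    src: str
    nat: Optional[str]   # translated address:port, None when no NAT applied
    dst: str
    state: str

    @property
    def floating(self) -> bool:
        # pfctl prints 'self' in the interface column for a floating state
        return self.iface == "self"

def parse_states(text: str) -> List[PfState]:
    """Parse pfctl -ss style output into PfState records; reject unknown lines."""
    states = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = STATE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised pfctl state line: {line!r}")
        states.append(PfState(**m.groupdict()))
    return states

def floating_nat_states(text: str) -> List[PfState]:
    """Return only translated (NAT) states that are not bound to an interface."""
    return [s for s in parse_states(text) if s.nat is not None and s.floating]

# Constructed sample: two lines from the thread (one floating, one bound)
# plus one untranslated state to exercise the optional NAT hop.
SAMPLE = """\
self udp 10.0.246.46:65533 -> 192.168.1.4:14690 -> a.b.c.d:2524 SINGLE:NO_TRAFFIC
admsw0 udp 10.0.246.46:65531 -> 192.168.1.4:17352 -> 64.198.255.12:2525 SINGLE:NO_TRAFFIC
admsw0 tcp 10.0.246.46:1234 -> 64.198.255.12:80 ESTABLISHED:ESTABLISHED
"""
```

Run it against real output with `floating_nat_states(subprocess.run(["pfctl", "-ss"], capture_output=True, text=True).stdout)`; an empty list means every NAT state is interface-bound.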