pf: Make af-to less magical
4 months ago
- #OpenBSD
- #pf
- #networking
- David Gwynne proposes making the 'af-to' option in pf less magical by removing its special case restrictions.
- Currently 'af-to' is restricted: it only works on incoming packets ('pass in' rules), and it forces translated packets to be forwarded, creating only one state.
- The proposed change allows 'af-to' to work on 'pass out' rules and lets the local stack handle translated packets, similar to 'rdr-to'.
- This change simplifies the code by removing special cases but requires additional rules for outgoing traffic in forwarded connections.
- Feedback is sought from 'af-to' users to ensure the changes maintain functionality while simplifying the codebase.