rule ordering
solarflux.org/pf
pf-r at solarflux.org
Mon Feb 7 20:44:32 PST 2005
Jay wrote:
> I'm putting in a NAT rule for the first time. My pf.conf is just edited
> from the original.
>
> When I insert the NAT rule and run pfctl -n -f /etc/pf.conf, I get the
> following error message:
>
> /etc/pf.conf:62: Rules must be in order: options, normalization,
> queueing, translation, filtering
>
> A perfectly understandable error message -- queuing should be before
> translation. As in the following snippet from my pf.conf:
>
> # Queueing: rule-based bandwidth control.
> altq on $ext_1 priq bandwidth 256Kb queue { q_pri, q_def }
> queue q_pri priority 7
> queue q_def priority 1 priq(default)
>
> pass out on $ext_1 proto tcp from $ext_1 to any flags S/SA \
> keep state queue (q_def, q_pri)
> pass in on $ext_1 proto tcp from any to $ext_1 flags S/SA \
> keep state queue (q_def, q_pri)
>
> # Translation: specify how addresses are to be mapped or redirected.
> nat on rl1 from 192.168.0.0/24 to any -> 209.223.7.161
>
> Yup. Looks like queueing before translation. But that's the snippet
> that throws the error. If I comment out all of the ALTQ rules, pfctl -n
> -f /etc/pf.conf works fine. Also the same if I comment out the NAT
> rule.
You have pass rules (hence, filtering) in your queueing section; you
must only set up queueing in that section. That's why commenting out
the nat rule or everything in your queueing section allows the pf.conf to
be parsed successfully.
-S
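As an added illustration (not from this thread or from pfctl), a small Python checker that applies the section ordering named in pfctl's message to a constructed copy of Jay's snippet, and then to the same snippet with the pass rules moved after the nat rule into the filtering section. It is a simplified model of the pf.conf grammar: macros are skipped, tables and anchors are not modelled, and the reported line is the first line of the offending rule.

```python
# Section order that pfctl's message names; each rule keyword maps to a section.
SECTIONS = ["options", "normalization", "queueing", "translation", "filtering"]
KEYWORDS = {"set": "options", "scrub": "normalization",
            "altq": "queueing", "queue": "queueing",
            "nat": "translation", "rdr": "translation", "binat": "translation",
            "pass": "filtering", "block": "filtering", "antispoof": "filtering"}

def logical_lines(text):
    """Yield (first_line_no, tokens) per rule; strips comments, folds '\\' lines."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() and not buf:
            continue
        start = start or no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf).split()
        buf, start = [], None

def check_order(text):
    """Return [(line_no, msg)] for rules whose section precedes one already seen."""
    errors, reached = [], 0
    for no, tokens in logical_lines(text):
        if not tokens or "=" in tokens[0] or tokens[1:2] == ["="]:
            continue                        # macro definition: allowed anywhere
        section = KEYWORDS.get(tokens[0])
        if section is None:                 # tables, anchors: not modelled here
            continue
        idx = SECTIONS.index(section)
        if idx < reached:
            errors.append((no, "Rules must be in order: " + ", ".join(SECTIONS)))
        reached = max(reached, idx)
    return errors

# Constructed copies of Jay's snippet: BROKEN as posted, FIXED with pass rules after nat.
QUEUE = ("altq on $ext_1 priq bandwidth 256Kb queue { q_pri, q_def }\n"
         "queue q_pri priority 7\nqueue q_def priority 1 priq(default)\n")
PASS = ("pass out on $ext_1 proto tcp from $ext_1 to any flags S/SA \\\n"
        "    keep state queue (q_def, q_pri)\n"
        "pass in on $ext_1 proto tcp from any to $ext_1 flags S/SA \\\n"
        "    keep state queue (q_def, q_pri)\n")
NAT = "nat on rl1 from 192.168.0.0/24 to any -> 209.223.7.161\n"
BROKEN = 'ext_1 = "rl1"\n# Queueing\n' + QUEUE + "\n" + PASS + "\n# Translation\n" + NAT
FIXED = 'ext_1 = "rl1"\n# Queueing\n' + QUEUE + "\n# Translation\n" + NAT + "\n# Filtering\n" + PASS

print(check_order(BROKEN))   # [(13, 'Rules must be in order: ...')]: the nat line
print(check_order(FIXED))    # []
```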