From c9c1296a76da0eb1255e0297f4b4d92d1186f5b8 Mon Sep 17 00:00:00 2001 From: henning Date: Wed, 31 May 2017 09:30:38 +0000 Subject: [PATCH] clarify that translations happen immediately on match rules, not generally Tony Gong --- share/man/man5/pf.conf.5 | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 49b296a36f4..54eac726b76 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.564 2017/05/31 09:19:10 bluhm Exp $ +.\" $OpenBSD: pf.conf.5,v 1.565 2017/05/31 09:30:38 henning Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" Copyright (c) 2003 - 2013 Henning Brauer @@ -809,7 +809,9 @@ port of the packets associated with a stateful connection. modifies the specified address and/or port in the packet and recalculates IP, TCP, and UDP checksums as necessary. .Pp -Subsequent rules will see packets as they look +If specified on a +.Ic match +rule, subsequent rules will see packets as they look after any addresses and ports have been translated. These rules will therefore have to filter based on the translated address and port number. -- 2.20.1