From 1f95b1d55ec0f8894d4dbc8a900d2aeda63e530d Mon Sep 17 00:00:00 2001 From: reyk <> Date: Mon, 18 May 2015 16:04:21 +0000 Subject: [PATCH] Change spamd to use divert-to instead of rdr-to. divert-to has many advantages over rdr-to for proxies. For example, it is much easier to use, requires less code, does not depend on /dev/pf, works in-band without the asynchronous lookup (DIOCNATLOOK ioctl), saves us from additional port allocations by the rdr/NAT code, and even avoids potential collisions and race conditions that could theoretically happen with the lookup. Heads up: users will have to update their spamd PF rules from rdr-to to divert-to. spamd now also listens to 127.0.0.1 instead of "any" (0.0.0.0) by default which should be fine with most setups but has to be considered for some special configurations. Based on a diff that is almost two years old but got delayed several times ... beck@: "now is the time to get it in" :) Tested by many With help from okan@ OK okan@ beck@ millert@ --- src/etc/examples/pf.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/etc/examples/pf.conf b/src/etc/examples/pf.conf index 6cb9c925..2dd043aa 100644 --- a/src/etc/examples/pf.conf +++ b/src/etc/examples/pf.conf @@ -1,4 +1,4 @@ -# $OpenBSD: pf.conf,v 1.1 2014/07/16 12:46:16 deraadt Exp $ +# $OpenBSD: pf.conf,v 1.2 2015/05/18 16:04:21 reyk Exp $ # # See pf.conf(5) for syntax and examples. # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1 @@ -22,8 +22,8 @@ pass # establish keep-state # rules for spamd(8) #table persist #table persist file "/etc/mail/nospamd" -#pass in on egress proto tcp from any to any port smtp \ -# rdr-to 127.0.0.1 port spamd +#pass in on egress inet proto tcp from any to any port smtp \ +# divert-to 127.0.0.1 port spamd #pass in on egress proto tcp from to any port smtp #pass in log on egress proto tcp from to any port smtp #pass out log on egress proto tcp to any port smtp
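Review bot: in the second hunk (the spamd rule in pf.conf), the new `inet` qualifier on the `divert-to 127.0.0.1 port spamd` line deserves a short comment in the example, since it silently changes the rule's scope: `divert-to 127.0.0.1` can only apply to IPv4 packets, so the rule no longer matches IPv6 SMTP the way the old address-family-agnostic `rdr-to` line did, and an admin copying this example should know that IPv6 mail is not redirected to spamd by it. It would also help to note next to the rule that the divert address must be the address spamd actually listens on, given the commit message's heads-up that the default listen address is now 127.0.0.1 rather than 0.0.0.0; a rule diverting to an address spamd is not bound to will match and then fail to hand off the connection, which is easy to miss in a commented-out example.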