# pf must have these rules in the regress anchor

set ruleset-optimization none

# nothing to pflog N3, will be overridden by later rule
pass log (to $PFLOG_N3) on $LO no state

# everything to pflog N2
match log (to $PFLOG_N2) on $LO no state

# specific test to pflog N1
pass log (to $PFLOG_N1) on $LO inet
pass log (to $PFLOG_N1) on $LO to 169.254.0.1 no state
pass log (to $PFLOG_N1) on $LO to 169.254.0.2 keep state
pass log (all to $PFLOG_N1) on $LO to 169.254.0.3 keep state
pass log (user to $PFLOG_N1) on $LO to 169.254.0.4
pass on $LO to 169.254.0.5
pass log (matches to $PFLOG_N1) on $LO to 169.254.0.6
pass on $LO to 169.254.0.6

# use unique local addresses, link local scope id is broken in pf
pass log (to $PFLOG_N1) on $LO inet6
pass log (to $PFLOG_N1) on $LO to fc00::1 no state
pass log (to $PFLOG_N1) on $LO to fc00::2 keep state
pass log (all to $PFLOG_N1) on $LO to fc00::3 keep state
pass log (user to $PFLOG_N1) on $LO to fc00::4
pass on $LO to fc00::5
pass log (matches to $PFLOG_N1) on $LO to fc00::6
pass on $LO to fc00::6

# we nat on lo-out, log the original packet, generic lo-in logs natted packet
pass out log (to $PFLOG_N1) on $LO to 169.254.0.11 rdr-to 169.254.0.21
pass out log (to $PFLOG_N1) on $LO to 169.254.0.12 nat-to 169.254.0.22
pass out log (to $PFLOG_N1) on $LO to fc00::11 rdr-to fc00::21
pass out log (to $PFLOG_N1) on $LO to fc00::12 nat-to fc00::22

# af-to is for in rule only, IPv4 loopback does not work, use link-local
pass in log (to $PFLOG_N1) on $LO to 169.254.0.14 af-to \
	inet6 from fc00::23 to fc00::24
pass in log (to $PFLOG_N1) on $LO to fc00::14 af-to \
	inet from 169.254.0.23 to 169.254.0.24