On 2014-12-04, Christer Solskogen <[email protected]> wrote:
> I've tried figuring the difference between these two, but I can't find
> anything that I quite understand(or I have looked in the wrong place).
> Can somebody please shed some light?
For "port forwarding" you want rdr-to.
    rdr-to
        The packet is redirected to another destination and possibly a
        different port.

    divert-to <host> port <port>
        Used to redirect packets to a local socket bound to host and
        port. The packets will not be modified, so getsockname(2) on the
        socket will return the original destination address of the
        packet.
rdr-to is a general purpose address translation and can forward to
either the local machine or a different machine. By a small hack
(using the "bitmask" option) it's also possible to rewrite destination
ports and keep the original address. It rewrites addresses in the
packets, so it's more suited to "port forwarding". It can be used
to implement transparent proxies, but requires looking up the original
destination address using a state table lookup (DIOCNATLOOK), but
this is relatively complex and requires privileges to access /dev/pf.
For transparent proxies, divert-to is simpler. It only works on the
local machine. It preserves the original destination address in the
packet, allowing a simple method (getsockname) for proxy software
to retrieve it without needing any special privileges.
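An added illustration of the divert-to/getsockname mechanism described above (example code, not part of the original thread or of OpenBSD): the pf.conf rules in the comments assume the egress interface group and a proxy listening on 127.0.0.1:8080, and the self-test only connects over the loopback, where no pf rule is involved, so it exercises the getsockname(2) call rather than an actual diversion.

```python
import socket

# Constructed pf.conf fragments for contrast (assumed interface/ports):
#   rdr-to rewrites the packet's destination, so the proxy's accepted
#   socket is named 127.0.0.1:8080 and the original destination must be
#   fetched via DIOCNATLOOK on /dev/pf (privileged):
#     pass in on egress proto tcp to port 80 rdr-to 127.0.0.1 port 8080
#   divert-to delivers the unmodified packet to the socket bound to
#   127.0.0.1:8080, so getsockname() on the accepted socket yields the
#   destination the client really asked for, with no extra privileges:
#     pass in on egress proto tcp to port 80 divert-to 127.0.0.1 port 8080


def open_proxy_listener(host="127.0.0.1", port=8080, backlog=16):
    """Bind the local TCP socket that a divert-to rule hands packets to."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(backlog)
    return s


def original_destination(conn):
    """Return (ip, port) the client originally connected to.

    Under divert-to the packet is left intact, so the accepted socket's
    local name is the original destination.  Under rdr-to this would be
    the proxy's own address instead, which is why rdr-to needs DIOCNATLOOK.
    """
    ip, port = conn.getsockname()[:2]
    return ip, port


def accept_diverted(listener):
    """Accept one diverted connection; return (conn, original_destination)."""
    conn, _peer = listener.accept()
    return conn, original_destination(conn)


def loopback_selftest():
    """Connect to our own listener on the loopback (no pf involved) and
    return (reported_destination, listener_address) for comparison."""
    listener = open_proxy_listener("127.0.0.1", 0)   # port 0: pick a free one
    addr = listener.getsockname()[:2]
    client = socket.create_connection(addr)          # lands in the backlog
    conn, dest = accept_diverted(listener)
    for s in (conn, client, listener):
        s.close()
    return dest, addr
```

On an OpenBSD host with the divert-to rule loaded, `open_proxy_listener()` followed by `accept_diverted()` is all a transparent proxy needs to learn where each client was heading.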