From: Alexander Bluhm Subject: pfclt print nat-to and rdr-to To: tech@openbsd.org Date: Wed, 18 Feb 2026 22:44:46 +0100 Hi, Kernel pf rule may have both nat-to and rdr-to fields. pfctl prints only one of them. By removing one else, user see what the kernel does. pass in on em1 inet all flags S/SA nat-to 5.6.7.8 rdr-to 1.2.3.4 ok? bluhm
Index: pfctl_parser.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sbin/pfctl/pfctl_parser.c,v
diff -u -p -r1.357 pfctl_parser.c
--- pfctl_parser.c 3 Feb 2026 10:25:28 -0000 1.357
+++ pfctl_parser.c 18 Feb 2026 21:32:24 -0000
@@ -1200,15 +1200,18 @@ print_rule(struct pfctl *pf, struct pf_r
 r->rdr.proxy_port[1], r->naf ? r->naf : r->af,
 PF_POOL_RDR, verbose);
 }
- } else if (!anchor_call[0] && r->nat.addr.type != PF_ADDR_NONE) {
- printf (" nat-to ");
- print_pool(&r->nat, r->nat.proxy_port[0],
- r->nat.proxy_port[1], r->naf ? r->naf : r->af,
- PF_POOL_NAT, verbose);
- } else if (!anchor_call[0] && r->rdr.addr.type != PF_ADDR_NONE) {
- printf (" rdr-to ");
- print_pool(&r->rdr, r->rdr.proxy_port[0],
- r->rdr.proxy_port[1], r->af, PF_POOL_RDR, verbose);
+ } else {
+ if (!anchor_call[0] && r->nat.addr.type != PF_ADDR_NONE) {
+ printf (" nat-to ");
+ print_pool(&r->nat, r->nat.proxy_port[0],
+ r->nat.proxy_port[1], r->naf ? r->naf : r->af,
+ PF_POOL_NAT, verbose);
+ }
+ if (!anchor_call[0] && r->rdr.addr.type != PF_ADDR_NONE) {
+ printf (" rdr-to ");
+ print_pool(&r->rdr, r->rdr.proxy_port[0],
+ r->rdr.proxy_port[1], r->af, PF_POOL_RDR, verbose);
+ }
 }
 if (r->rt) {
 if (r->rt == PF_ROUTETO)
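Review bot: Both new inner conditions in the `else` branch repeat the `!anchor_call[0]` guard; writing the branch as `} else if (!anchor_call[0]) {` and leaving the inner tests as `if (r->nat.addr.type != PF_ADDR_NONE)` and `if (r->rdr.addr.type != PF_ADDR_NONE)` gives the same output with the guard stated once. The printed ruleset is what an administrator audits, so a rule that previously hid its rdr-to pool is worth pinning with a regression case that loads the example rule from the description and compares the printed form. Whether the parser accepts the combined `nat-to ... rdr-to ...` output back is not visible from this hunk and should be confirmed. print_rule starts and ends outside the hunk, so the enclosing `if` chain is only partly visible here.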