pf 配合 ipset 进行 forward 的的语法是怎么样的？

我也想知道, 顶上去, 知道的人来回答.

目前查到的资料，pf支持table，难不成得做一个ipset定时向table同步的功能？

ipset是netfilter的东西吧？Linux独有的，
PF是OS X的防火墙软件，

怎么配合？ipset能运行在OS X？

@cattyhouse 好吧，看来资料看少了,ipset也没法解决。
dnsmasq也没法标记域名了，是不是这个方案就over了？

@tony1016 要想在mac上搞点东西，还是多看看pf文档吧，也许人家就内置了类似ipsec的功能。

更正楼上 ipsec->ipset

最近在想，或许， pf+redsocks+chinaroute ，可以实现一套

研究了一晚上，没有成功，但是有所总结

1.首先是 redsocks 的 redirector ，显然不是 iptables ，似乎可以是 generic
```
base {
log_debug = on;
log_info = on;
daemon = off;
redirector = generic;
}

redsocks {
local_ip = 0.0.0.0;
local_port = 1080;
ip = 127.0.0.1;
port = 8964;
type = socks5;
}
```

2.pf 的 rdr 只能对 incoming 做 redirect ，所以，需要先 route-to ，把对外网的请求，变成对内网的请求，再把它重定向到 redsocks 。我以 twitter.com 为目标做了测试
```
rdr pass log on lo0 inet proto tcp from any to 104.244.0.0/16 -> 127.0.0.1 port 1080
pass out on en0 route-to lo0 inet proto tcp from en0 to 104.244.0.0/16
```

3.没有成功，上错误日志：

redsocks 的
```
1452697912.242337 main.c:152 main(...) redsocks started
1452697929.371679 redsocks.c:707 redsocks_accept_client(...) [192.168.2.155:52892->127.0.0.1:1080]: accepted
1452697929.372909 redsocks.c:327 redsocks_start_relay(...) [192.168.2.155:52892->127.0.0.1:1080]: data relaying started
1452697929.730668 redsocks.c:392 redsocks_shutdown(...) [192.168.2.155:52892->127.0.0.1:1080]: shutdown(relay, SHUT_RD): Socket is not connected
1452697929.732500 redsocks.c:400 redsocks_shutdown(...) [192.168.2.155:52892->127.0.0.1:1080]: both client and server disconnected
1452697929.732530 redsocks.c:337 redsocks_drop_client(...) [192.168.2.155:52892->127.0.0.1:1080]: dropping client
^C1452698186.130927 main.c:156 main(...) redsocks goes down
```

pf 的日志
```
No ALTQ support in kernel
ALTQ related functions disabled
ALL tcp 192.168.2.155:52056 -> 38.127.167.37:443 ESTABLISHED:FIN_WAIT_2
ALL tcp 127.0.0.1:1080 <- 38.127.167.37:443 <- 192.168.2.155:52056 FIN_WAIT_2:ESTABLISHED
ALL tcp 192.168.2.155:52370 -> 38.127.167.37:443 ESTABLISHED:FIN_WAIT_2
ALL tcp 127.0.0.1:1080 <- 38.127.167.37:443 <- 192.168.2.155:52370 FIN_WAIT_2:ESTABLISHED
ALL tcp 192.168.2.155:52428 -> 38.127.167.37:443 ESTABLISHED:FIN_WAIT_2
ALL tcp 127.0.0.1:1080 <- 38.127.167.37:443 <- 192.168.2.155:52428 FIN_WAIT_2:ESTABLISHED
ALL tcp 192.168.2.155:52506 -> 38.127.167.37:443 ESTABLISHED:FIN_WAIT_2
ALL tcp 127.0.0.1:1080 <- 38.127.167.37:443 <- 192.168.2.155:52506 FIN_WAIT_2:ESTABLISHED
ALL tcp 192.168.2.155:52561 -> 38.127.167.37:443 ESTABLISHED:FIN_WAIT_2
ALL tcp 127.0.0.1:1080 <- 38.127.167.37:443 <- 192.168.2.155:52561 FIN_WAIT_2:ESTABLISHED
ALL tcp 192.168.2.155:52615 -> 38.127.167.37:443 ESTABLISHED:FIN_WAIT_2
ALL tcp 127.0.0.1:1080 <- 38.127.167.37:443 <- 192.168.2.155:52615 FIN_WAIT_2:ESTABLISHED
ALL tcp 192.168.2.155:52892 -> 104.244.42.1:443 FIN_WAIT_2:FIN_WAIT_2
ALL tcp 127.0.0.1:1080 <- 104.244.42.1:443 <- 192.168.2.155:52892 FIN_WAIT_2:FIN_WAIT_2
```

可以看到 pf 的定向似乎是正确的： 127.0.0.1:1080 <- 104.244.42.1:443 <- 192.168.2.155:52892
我怀疑问题出在 mac 平台的 redsocks 。

希望懂 mac 和 freebsd 的同志，可以继续搞一搞