In normal pf rules, labels come last. An example from my workstation pf.conf:
Code:
pass out quick on egress inet proto tcp from egress to any port www label "$nr:$proto:WWW"
pass out quick on egress inet proto tcp from egress to any port imaps label "$nr:$proto:IMAPS"
pass out quick on egress inet proto tcp from egress to any port https label "$nr:$proto:HTTPS"
pass out quick on egress inet proto tcp from egress to any port smtp label "$nr:$proto:SMTP"
In the BNF at the end of the 4.3 pf.conf man page, label is a definition of filteropt and a filteropt-list:
Code:
filteropt-list = filteropt-list filteropt | filteropt
filteropt = user | group | flags | icmp-type | icmp6-type | tos |
            ( "no" | "keep" | "modulate" | "synproxy" ) "state"
            [ "(" state-opts ")" ] |
            "fragment" | "no-df" | "min-ttl" number |
            "max-mss" number | "random-id" | "reassemble tcp" |
            fragmentation | "allow-opts" |
            "label" string | "tag" string | [ ! ] "tagged" string |
            "queue" ( string | "(" string [ [ "," ] string ] ")" ) |
            "rtable" number | "probability" number"%"
The BNF for a pf rule states:
Code:
pf-rule = action [ ( "in" | "out" ) ]
          [ "log" [ "(" logopts ")"] ] [ "quick" ]
          [ "on" ifspec ] [ "fastroute" | route ] [ af ] [ protospec ]
          hosts [ filteropt-list ]
So the label is one of the last things in a pf rule.
Now look at the BNF for the 4.3 rdr statement:
Code:
rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
           [ "on" ifspec ] [ af ]
           [ protospec ] hosts [ "tag" string ] [ "tagged" string ]
           [ "->" ( redirhost | "{" redirhost-list "}" )
           [ portspec ] [ pooltype ] ]
Neither a filteropt nor a label to be seen.
PS: The 4.3 pf.conf manual can be found at
http://www.openbsd.org/cgi-bin/man.c...86&format=html
No need to resurrect an old pf.conf faq
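
Going by the 4.3 grammar quoted in the post above, an rdr rule accepts "tag" but not "label", while a filter rule accepts both "tagged" and "label". The fragment below is an added example, not part of the original post: it tags the connection in the rdr rule and attaches the label to the pass rule that matches the tag. The interface name, server address and tag name are assumptions.

```conf
# Assumed values for illustration only
ext_if  = "em0"
web_srv = "192.168.1.10"

# Not valid in 4.3: rdr-rule has no filteropt-list, so "label" is a syntax error here.
# rdr on $ext_if inet proto tcp from any to ($ext_if) port www -> $web_srv port www label "RDR_WWW"

# Valid: rdr-rule allows [ "tag" string ] after hosts and before "->".
rdr on $ext_if inet proto tcp from any to ($ext_if) port www \
        tag RDR_WWW -> $web_srv port www

# Translation happens before filtering, so this rule sees the rewritten
# destination. "tagged" and "label" are both filteropts, so the label
# comes last, as in the workstation rules above.
pass in quick on $ext_if inet proto tcp from any to $web_srv port www \
        tagged RDR_WWW label "$nr:$proto:RDR_WWW"

# Parse without loading:   pfctl -nf /etc/pf.conf
# Show per-label counters: pfctl -s labels
```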