POOL OPTIONS
For nat and rdr rules, (as well as for the route-to, reply-to and dup-to
rule options) for which there is a single redirection address which has a
subnet mask smaller than 32 for IPv4 or 128 for IPv6 (more than one IP
address), a variety of different methods for assigning this address can
be used:
bitmask
The bitmask option applies the network portion of the redirection
address to the address to be modified (source with nat, destination
with rdr).
random
The random option selects an address at random within the defined
block of addresses.
source-hash
The source-hash option uses a hash of the source address to deter‐
mine the redirection address, ensuring that the redirection address
is always the same for a given source. An optional key can be
specified after this keyword either in hex or as a string; by
default pfctl(8) randomly generates a key for source-hash every
time the ruleset is reloaded.
round-robin
The round-robin option loops through the redirection address(es).
When more than one redirection address is specified, round-robin is
the only permitted pool type.
static-port
With nat rules, the static-port option prevents pf(4) from modify‐
ing the source port on TCP and UDP packets.