Hello,
I'm trying to tag HTTP packets to route access based on source IP, but it looks like the tag doesn't stick. rdr is working fine, but the "tagged PRIVATE" rules are never caught. Any help will be greatly appreciated.
In /etc/pf.conf, I have this:
# === TRANSLATION
no rdr on lo0 from any to any
nat on $ext_if from <public> to any -> ($ext_if)
nat on $ext_if from <private> to any tag PRIVATE -> ($ext_if)
rdr on $ext_if inet proto tcp from <trusted> to ($ext_if) port 80 tag PRIVATE -> $proxy port 81
rdr on $ext_if proto tcp from !<trusted> to ($ext_if) port 80 -> $proxy port 81
# === FILTERING
pass in log quick on $ext_if inet proto tcp from <trusted> to $proxy port 81 tagged PRIVATE
pass in log quick on $ext_if inet proto tcp from any to $proxy port 81
pass in log quick on $int_if inet proto tcp from $proxy to <public> port $webports
pass in log quick on $int_if inet proto tcp from $proxy to <private> port $webports tagged PRIVATE
pass out log on $int_if inet proto tcp from $proxy to <public> port $webports
pass out log on $int_if inet proto tcp from $proxy to <private> port $webports tagged PRIVATE
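A first check when a `tagged` rule never fires is the per-rule counter output of `pfctl -vvsr`: a rule with Evaluations > 0 and Packets: 0 is being reached by packets that do not carry the tag. This is an added diagnostic, not part of the post; the sample output is constructed (em0 and em1 standing in for $ext_if and $int_if, 10.0.0.2 for $proxy) to mirror the ruleset above.

```shell
#!/bin/sh
# Added example (not from the post): list pf filter rules whose packet counter
# is zero in `pfctl -vvsr` output. With -vv each rule prints as "@N pass ...",
# followed by an indented "[ Evaluations: N  Packets: N  Bytes: N  States: N ]"
# line and an "[ Inserted: ... ]" line.
find_unmatched_rules() {
  awk '
    $1 == "[" {                       # counter line belonging to the rule above
      for (i = 1; i <= NF; i++)
        if ($i == "Packets:" && $(i + 1) == 0) print rule
      next
    }
    NF > 0 { rule = $0 }              # any other non-empty line is a rule line
  '
}

# Constructed sample; on the firewall the real input would be:
#   pfctl -vvsr | find_unmatched_rules
SAMPLE='@0 pass in log quick on em0 inet proto tcp from <trusted> to 10.0.0.2 port = 81 tagged PRIVATE flags S/SA keep state
  [ Evaluations: 58        Packets: 1240      Bytes: 96500       States: 4     ]
  [ Inserted: uid 0 pid 812 State Creations: 17    ]
@1 pass in log quick on em0 inet proto tcp from any to 10.0.0.2 port = 81 flags S/SA keep state
  [ Evaluations: 41        Packets: 3360      Bytes: 251000      States: 12    ]
  [ Inserted: uid 0 pid 812 State Creations: 41    ]
@2 pass in log quick on em1 inet proto tcp from 10.0.0.2 to <private> port = 80 tagged PRIVATE flags S/SA keep state
  [ Evaluations: 39        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 812 State Creations: 0     ]'

# Number of rules in the sample that were evaluated but never passed a packet.
count_unmatched_rules() {
  printf '%s\n' "$SAMPLE" | find_unmatched_rules | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | find_unmatched_rules
```

The rule on $int_if in the sample shows the case to expect from a proxy setup: the tag set by the rdr rule is stored in the state of the client-to-proxy connection, while the proxy's own connection to the web server on $int_if is a new TCP connection with no tag, so `tagged PRIVATE` cannot match it there.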