Sunday, March 21, 2010

Troubleshooting tftp-proxy in OpenBSD pf

I finally figured out an OpenBSD firewall configuration in which internal hosts can access TFTP servers on the internet. With the OpenBSD pf firewall, you need to configure tftp-proxy. A Google search returns a lot of complaints about tftp-proxy not working and not a single success story. I now believe there is a typo in the official manual.

The OpenBSD FAQ for the TFTP proxy gives the following rdr rule for redirecting outgoing TFTP connections to the internal tftp-proxy:

    rdr pass log on $int_if proto udp from $int_if to port tftp -> 127.0.0.1 port 6969

However, according to "pfctl -g -s nat | grep tftp", my pf expands the rule above to the following:

    rdr pass log on xl0 inet proto udp from 192.168.2.1 to any port = tftp -> 127.0.0.1 port 6969

It is clear that the expanded rule will not redirect traffic coming from all of the internal hosts: $int_if used as a source address expands to the interface's own address, 192.168.2.1. The rule needs to be changed to

    rdr pass log on $int_if proto udp from $int_net to any port tftp -> 127.0.0.1 port 6969

which expands to

    rdr pass log on xl0 inet proto udp from 192.168.2.0/24 to any port = tftp -> 127.0.0.1 port 6969

The latter covers the whole internal network instead of just the one host 192.168.2.1.
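To make the difference between the two rules concrete, here is an added example (not code from the original post or from OpenBSD) that models how pf expands macros in an rdr rule and then checks which internal hosts the expanded rule would actually match. The macro values, the interface table (xl0 on 192.168.2.1/24) and the sample host list are constructed to mirror the setup above; the matching logic is a simplified model of pf's behaviour, not pf itself.

```python
"""Added example: model pf macro expansion for an rdr rule and test which
source hosts the expanded rule matches. Macro values and the interface table
are constructed assumptions mirroring the post's setup, not a real pf.conf."""
import ipaddress
import re

# Assumed macro definitions (as they would appear in pf.conf).
MACROS = {
    "int_if": "xl0",
    "int_net": "192.168.2.0/24",
}
# Constructed interface table: interface name -> address configured on it.
# In pf, an interface name used as an address means that interface's address,
# which is why "from $int_if" ends up matching a single host.
IFACE_ADDRS = {"xl0": "192.168.2.1"}

# Minimal service table for the port names used in these rules.
SERVICES = {"tftp": 69}

FAQ_RULE = ("rdr pass log on $int_if proto udp from $int_if "
            "to port tftp -> 127.0.0.1 port 6969")
FIXED_RULE = ("rdr pass log on $int_if proto udp from $int_net "
              "to any port tftp -> 127.0.0.1 port 6969")


def expand_macros(rule, macros=MACROS):
    """Replace every $name token with its macro value, as pfctl does."""
    def sub(match):
        name = match.group(1)
        if name not in macros:
            raise KeyError(f"undefined macro ${name}")
        return macros[name]
    return re.sub(r"\$(\w+)", sub, rule)


def parse_rdr(rule):
    """Return (source network, destination, port) from an expanded rdr rule.

    Accepts both "to port tftp" and "to any port = tftp" forms, so the
    pfctl -s nat output style can be fed back in as well."""
    m = re.search(
        r"\bfrom\s+(\S+)\s+to\s+(?:(\S+)\s+)?port\s+(?:=\s*)?(\S+)", rule)
    if not m:
        raise ValueError("not an rdr rule with from/to/port: " + rule)
    src, dst, port = m.groups()
    # An interface name as a source address resolves to its configured address.
    if src in IFACE_ADDRS:
        src = IFACE_ADDRS[src]
    src_net = ipaddress.ip_network(src, strict=False)   # host -> /32
    port_num = SERVICES.get(port) or int(port)
    return src_net, dst or "any", port_num


def matches(rule, src_host, dst_port=69):
    """Would a UDP packet from src_host to dst_port be caught by this rule?"""
    src_net, _dst, port = parse_rdr(expand_macros(rule))
    return ipaddress.ip_address(src_host) in src_net and dst_port == port


def hosts_redirected(rule, hosts):
    """Subset of hosts whose TFTP traffic the rule would redirect to the proxy."""
    return [h for h in hosts if matches(rule, h)]


if __name__ == "__main__":
    # Constructed sample of internal hosts plus one host outside the LAN.
    sample = ["192.168.2.1", "192.168.2.10", "192.168.2.200", "10.0.0.5"]
    for name, rule in (("FAQ rule", FAQ_RULE), ("fixed rule", FIXED_RULE)):
        print(f"{name}: {expand_macros(rule)}")
        print(f"  redirected: {hosts_redirected(rule, sample)}")
```

Running it shows the FAQ rule redirecting only 192.168.2.1 (the firewall's own interface address) while the $int_net rule covers every host in 192.168.2.0/24 and still leaves 10.0.0.5 alone. On a real firewall the equivalent check is the one the post uses: load the rules and compare the "from" address printed by "pfctl -s nat" with the network you intended.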