Hi,
In ip_input(), there is a filter to disable all packets to 127.0.0.0/27.
That filter drops a packet that was a transport-mode ESP packet and
that has been redirected to 127.0.0.1 with a pf `rdr-to' rule.
The diff below fixes the filter so that it does not drop such packets.
ok? or comments?
The problem was found by Alexis san. He is trying to configure npppd
and isakmpd to listen on 127.0.0.1 and pf to redirect packets to the local
(carp) address with a `rdr-to' rule.
Index: sys/netinet/ip_input.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_input.c,v
retrieving revision 1.195
diff -u -p -r1.195 ip_input.c
--- sys/netinet/ip_input.c 6 Jul 2011 02:42:28 -0000 1.195
+++ sys/netinet/ip_input.c 14 Mar 2012 06:29:09 -0000
@@ -303,7 +303,11 @@ ipv4_input(struct mbuf *m)
/* 127/8 must not appear on wire - RFC1122 */
if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
(ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
- if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {
+ if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0
+#if NPF > 0
+ && !ISSET(m->m_pkthdr.pf.flags, PF_TAG_TRANSLATE_LOCALHOST)
+#endif
+ ) {
ipstat.ips_badaddr++;
goto bad;
}
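Review bot: the PF_TAG_TRANSLATE_LOCALHOST exemption added inside the `if` in ipv4_input() switches off the whole 127/8 test, including the `ip_src` half, although the tag (per its name and the rdr-to case described in the mail) only records that pf rewrote the destination to localhost; consider restricting the bypass to the `ip_dst` comparison so that a tagged packet carrying a 127/8 source address on the wire still increments `ipstat.ips_badaddr` and hits `goto bad`. The comment `/* 127/8 must not appear on wire - RFC1122 */` should also be extended to mention the pf rdr-to exception, since the check no longer enforces that rule unconditionally.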
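As an added illustration of the configuration described at the top of the mail (a constructed pf.conf fragment, not part of the original post or of the OpenBSD tree; the interface name and addresses are assumed), the kind of rules that send IKE and transport-mode ESP for the carp address to daemons listening on 127.0.0.1:

```pf
# Constructed example: interface name and addresses are assumed.
ext_if  = "em0"
carp_ip = "192.0.2.10"    # local carp address (assumed)

# isakmpd listens on 127.0.0.1: redirect IKE (500/udp) and NAT-T (4500/udp)
pass in quick on $ext_if inet proto udp from any to $carp_ip \
    port { 500, 4500 } rdr-to 127.0.0.1

# transport-mode ESP to the carp address is redirected the same way;
# the decapsulated packet then carries dst 127.0.0.1 and the pf tag
pass in quick on $ext_if inet proto esp from any to $carp_ip rdr-to 127.0.0.1
```

With rules like these the ESP payload is delivered to 127.0.0.1 on a non-loopback receive interface, which is exactly the case the diff exempts from the 127/8 check.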