Hi,
A while ago I changed pf route-to so that it does not send packets
from the 127.0.0.1 address to the network. This is necessary for locally
generated icmp packets that would be dropped otherwise.
Now I found out that this prevents some useful routing tricks on
loopback. So this check should be refined to modify only the source
address of packets that go to the external network.
ok?
bluhm
Index: net/pf.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/net/pf.c,v
retrieving revision 1.1064
diff -u -p -r1.1064 pf.c
--- net/pf.c 6 Apr 2018 10:39:15 -0000 1.1064
+++ net/pf.c 9 May 2018 16:20:28 -0000
@@ -5984,7 +5984,8 @@ pf_route(struct pf_pdesc *pd, struct pf_
goto bad;
}
/* A locally generated packet may have invalid source address. */
- if ((ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
+ if ((ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET &&
+ (ifp->if_flags & IFF_LOOPBACK) == 0)
ip->ip_src = ifatoia(rt->rt_ifa)->ia_addr.sin_addr;
in_proto_cksum_out(m0, ifp);
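Review bot: The comment above the test in pf_route() still says only that a locally generated packet may have an invalid source address, but the new condition encodes a stricter rule: a loopback source is kept when the outgoing interface has `IFF_LOOPBACK` set and rewritten otherwise. Since this test is what keeps 127/8 sources off the wire after route-to, I would spell the rule out, e.g. `/* Never emit a loopback source address on a non-loopback interface; keep it when routing over loopback. */`. The same applies to the `IN6_IS_ADDR_LOOPBACK` test in the pf_route6() hunk. Both function bodies start and end outside the hunks, so it is not visible here whether `ifp` is always the interface the packet finally leaves on; that is worth confirming, because the exemption is only safe if it is.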
@@ -6139,7 +6140,8 @@ pf_route6(struct pf_pdesc *pd, struct pf
goto bad;
}
/* A locally generated packet may have invalid source address. */
- if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src))
+ if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) &&
+ (ifp->if_flags & IFF_LOOPBACK) == 0)
ip6->ip6_src = ifatoia6(rt->rt_ifa)->ia_addr.sin6_addr;
in6_proto_cksum_out(m0, ifp);