On Sun, Dec 15, 2019 at 03:17:26PM +0100, Alexandr Nedvedicky wrote:
> Hello Daniel,
>
> thanks for reporting back.
>
> </snip>
> > Should the rdr-to rule still work? I fixed it with using the "Port foo"
> > directive in my sshd config (and a simple "pass in to port foo") in the
> > meantime.
>
> My earlier change indeed omits your use case. The rdr rule should still
> work. The patch below should fix it. The idea is to check whether the
> packet got NATed to loopback. We let the packet in if it got changed
> by PF.
>
> The IPv6 part does not need a similar fix. According to a quick check
> of the existing code, it works.
>
> OK ?
Redirect to localhost is a violation of the strict host model.
Why not encourage people to use divert-to for local delivery?
Daniel, is your sshd bound to a * or to a 127.0.0.1 socket? If it
is a * socket, does it work to redirect to the IP address of the
incoming interface?
bluhm
> --------8<---------------8<---------------8<------------------8<--------
> diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
> index 058b2f038fa..f4114f45045 100644
> --- a/sys/netinet/ip_input.c
> +++ b/sys/netinet/ip_input.c
> @@ -753,7 +753,8 @@ in_ouraddr(struct mbuf *m, struct ifnet *ifp, struct
> rtentry **prt)
> }
> }
> } else if (ipforwarding == 0 && rt->rt_ifidx != ifp->if_index &&
> - !((ifp->if_flags & IFF_LOOPBACK) || (ifp->if_type == IFT_ENC))) {
> + !((ifp->if_flags & IFF_LOOPBACK) || (ifp->if_type == IFT_ENC) ||
> + (m->m_pkthdr.pf.flags & PF_TAG_TRANSLATE_LOCALHOST))) {
> /* received on wrong interface. */
> #if NCARP > 0
> struct ifnet *out_if;
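Review bot: the new `(m->m_pkthdr.pf.flags & PF_TAG_TRANSLATE_LOCALHOST)` term in the `else if` condition is not explained next to the code, and the existing `/* received on wrong interface. */` comment now sits after a branch that is also skipped for PF-translated packets. Add a short comment on the `+` lines stating that the tag marks a packet whose destination PF rewrote to a local (loopback) address and that such a packet is accepted here even though `ipforwarding == 0` and `rt->rt_ifidx != ifp->if_index`, so a reader does not mistake it for a general "packet was NATed" tag. The cover text also says the IPv6 path needs no change; since the hunk touches only `ip_input.c`, the commit message should say why the inet6 input path already passes this case.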