Hello Daniel, thanks for reporting back.
</snip>
> Should the rdr-to rule still work? I fixed it with using the "Port foo"
> directive in my sshd config (and a simple "pass in to port foo") in the
> meantime.

My earlier change indeed omits your use case. The rdr rule should still
work. Patch below should fix it. The idea is to check whether the packet
got NATed to loopback. We let the packet in if it got changed by PF.

The IPv6 part does not need a similar fix. According to a quick check of
the existing code, it works.

OK ?

thanks and regards
sashan

--------8<---------------8<---------------8<------------------8<--------
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 058b2f038fa..f4114f45045 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -753,7 +753,8 @@ in_ouraddr(struct mbuf *m, struct ifnet *ifp, struct rtentry **prt)
 				}
 			}
 		} else if (ipforwarding == 0 && rt->rt_ifidx != ifp->if_index &&
-		    !((ifp->if_flags & IFF_LOOPBACK) || (ifp->if_type == IFT_ENC))) {
+		    !((ifp->if_flags & IFF_LOOPBACK) || (ifp->if_type == IFT_ENC) ||
+		    (m->m_pkthdr.pf.flags & PF_TAG_TRANSLATE_LOCALHOST))) {
 			/* received on wrong interface. */
 #if NCARP > 0
 			struct ifnet *out_if;
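Review bot: the new exemption in the `else if` condition deserves a short comment, because the only comment in the hunk, `/* received on wrong interface. */`, describes the rejecting branch and nothing in the code says why a PF tag is consulted inside a routing check. A line such as `/* destination was rewritten to a local address by pf; accept it */` above `+ (m->m_pkthdr.pf.flags & PF_TAG_TRANSLATE_LOCALHOST))) {` would record the intent given in the mail (let the packet in when PF translated it to loopback) for the next reader of in_ouraddr(). It would also help to state, in the commit message, whether PF_TAG_TRANSLATE_LOCALHOST can only be set by a translation rule, so a reviewer can confirm that an untranslated packet never skips the wrong-interface check.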