Hello Daniel,

thanks for reporting back.

</snip>
> Should the rdr-to rule still work? I fixed it with using the "Port foo"
> directive in my sshd config (and a simple "pass in to port foo") in the
> meantime.

My earlier change indeed omits your use case. The rdr rule should still
work. The patch below should fix it. The idea is to check whether the
packet got NATed to loopback. We let the packet in if it got changed
by PF.

The IPv6 part does not need a similar fix. According to a quick check
of the existing code, it works.

OK?

thanks and
regards
sashan

--------8<---------------8<---------------8<------------------8<--------
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 058b2f038fa..f4114f45045 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -753,7 +753,8 @@ in_ouraddr(struct mbuf *m, struct ifnet *ifp, struct 
rtentry **prt)
                        }
                }
        } else if (ipforwarding == 0 && rt->rt_ifidx != ifp->if_index &&
-           !((ifp->if_flags & IFF_LOOPBACK) || (ifp->if_type == IFT_ENC))) {
+           !((ifp->if_flags & IFF_LOOPBACK) || (ifp->if_type == IFT_ENC) ||
+               (m->m_pkthdr.pf.flags & PF_TAG_TRANSLATE_LOCALHOST))) {
                /* received on wrong interface. */
 #if NCARP > 0
                struct ifnet *out_if;
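Review bot: the new `(m->m_pkthdr.pf.flags & PF_TAG_TRANSLATE_LOCALHOST)` clause in the `else if` is referenced unconditionally, so please confirm the file still builds in a kernel configured without pf, where that tag may not be visible; if it does not, guard it the way the carp block right below is guarded with `#if NCARP > 0`. The comment `/* received on wrong interface. */` should also be extended to say that a packet pf translated to localhost is deliberately exempted from the wrong-interface drop, since the condition now has three exemptions and the third is the only one that depends on per-packet state rather than on the interface.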