On Sun, Dec 15, 2019 at 03:17:26PM +0100, Alexandr Nedvedicky wrote:
> Hello Daniel,
>
> thanks for reporting back.
>
> </snip>
> > Should the rdr-to rule still work? I fixed it with using the "Port foo"
> > directive in my sshd config (and a simple "pass in to port foo") in the
> > meantime.
>
> My earlier change indeed omits your use case. The rdr rule should still
> work. The patch below should fix it. The idea is to check whether the
> packet got NATed to loopback. We let the packet in if it got changed
> by PF.
>
> The IPv6 part does not need a similar fix. According to a quick check
> of the existing code it works.
>
> OK ?
Redirect to localhost is a violation of the strict host model. Why not
encourage people to use divert-to for local delivery?

Daniel, is your sshd bound to a * or to a 127.0.0.1 socket? If it is
a * socket, does it work to redirect to the IP address of the incoming
interface?

bluhm

> --------8<---------------8<---------------8<------------------8<-------- > diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c > index 058b2f038fa..f4114f45045 100644 > --- a/sys/netinet/ip_input.c > +++ b/sys/netinet/ip_input.c > @@ -753,7 +753,8 @@ in_ouraddr(struct mbuf *m, struct ifnet *ifp, struct > rtentry **prt) > } > } > } else if (ipforwarding == 0 && rt->rt_ifidx != ifp->if_index && > - !((ifp->if_flags & IFF_LOOPBACK) || (ifp->if_type == IFT_ENC))) { > + !((ifp->if_flags & IFF_LOOPBACK) || (ifp->if_type == IFT_ENC) || > + (m->m_pkthdr.pf.flags & PF_TAG_TRANSLATE_LOCALHOST))) { > /* received on wrong interface. */ > #if NCARP > 0 > struct ifnet *out_if;
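Review bot: The new `(m->m_pkthdr.pf.flags & PF_TAG_TRANSLATE_LOCALHOST)` term in the `else if` condition of in_ouraddr() carries no comment saying why a PF-translated packet is allowed past the wrong-interface check, and the existing `/* received on wrong interface. */` comment now reads as if it also covered the exempted case; suggest a line above the condition along the lines of `/* PF rewrote the destination to a loopback address; the interface mismatch is expected. */`. The exemption is exactly as wide as the tag: with ipforwarding == 0, any packet PF has tagged PF_TAG_TRANSLATE_LOCALHOST is accepted on a non-loopback, non-enc interface, which is the strict host model relaxation raised in the reply above, so the commit message should state plainly that only packets PF actually changed (a matching rdr-to rule to loopback, per the description) get the tag and that untranslated packets for 127.0.0.1 arriving on an external interface are still dropped by this branch.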
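For readers who want to see the two rule shapes the thread is arguing about, here is a constructed pf.conf fragment (an added example, not from the thread or from OpenBSD's own configuration); the interface group `egress`, the external port 2222 and the sshd port 22 are assumptions chosen for illustration.

```conf
# Constructed example, not from the original thread.
# Rule shape that depends on the patch above: traffic arriving on the
# external interface for port 2222 has its destination rewritten to
# 127.0.0.1:22, so ip_input() sees a packet for a loopback address that
# arrived on a non-loopback interface and in_ouraddr() must make an
# exception for it (PF_TAG_TRANSLATE_LOCALHOST).
pass in on egress proto tcp from any to (egress) port 2222 rdr-to 127.0.0.1 port 22

# Alternative suggested in the reply: divert-to hands the packet to the
# local socket listening on 127.0.0.1:22 without rewriting the destination
# address, so the strict host model check in in_ouraddr() is not bypassed.
pass in on egress proto tcp from any to (egress) port 2222 divert-to 127.0.0.1 port 22
```

With the second form no loopback exception in the input path is needed; the cost is that the listening socket must be on an address pf can divert to, which is the point of the question about whether sshd is bound to * or to 127.0.0.1.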