[Bug 268717] [pf] rdr rules don't work for traffic originating at localhost

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 05 Jan 2023 08:35:25 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268717

--- Comment #6 from dfr@rabson.org ---
Created attachment 239274
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=239274&action=edit
possible fix for redirects initiated by localhost

Redirect rules are triggered on PF_IN events to allow the rule to replace the
destination address+port and also on PF_OUT events to reverse the replacement
for packets flowing back towards the original source address. If the source is
a local address, this second event is not triggered since the return packet is
delivered to the local protocol stack.

A possible fix is to simulate the PF_OUT event for packets destined for local
processing, allowing the second part of the redirect to be applied. This does
conflict with source address validation in 14-current which I'm disabling for
testing. That could be mitigated by relaxing source address validation to allow
packets with non-local source addresses pre-filtering.

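A toy model of the PF_IN/PF_OUT behaviour the comment describes, added here as an illustration (it is not pf's code and not the attached patch): the destination is rewritten and a state recorded on PF_IN, the reverse rewrite happens on PF_OUT, and a reply handed straight to the local stack skips PF_OUT unless that event is simulated. All addresses, the rule and the function names are constructed.

```python
"""Model of pf redirect state handling for remote vs. local clients.
Constructed illustration; not pf's implementation."""

# Constructed rdr rule: connections to EXT:80 are redirected to BACKEND:8080.
EXT, BACKEND = "203.0.113.10", "10.0.0.5"
RDR_RULE = {"match": (EXT, 80), "to": (BACKEND, 8080)}
# Addresses owned by the host running pf (constructed).
LOCAL_ADDRS = {EXT, "127.0.0.1"}


def pf_in(pkt, states):
    """PF_IN: replace destination address+port and remember how to undo it."""
    src, sport, dst, dport = pkt
    if (dst, dport) == RDR_RULE["match"]:
        ndst, ndport = RDR_RULE["to"]
        # Keyed by the reply's (src, sport, dst, dport) so PF_OUT can find it.
        states[(ndst, ndport, src, sport)] = (dst, dport)
        return (src, sport, ndst, ndport)
    return pkt


def pf_out(pkt, states):
    """PF_OUT: restore the original destination as the reply's source."""
    src, sport, dst, dport = pkt
    orig = states.get((src, sport, dst, dport))
    return (orig[0], orig[1], dst, dport) if orig else pkt


def reply_path(reply, states, simulate_out_for_local):
    """Route the backend's reply towards the original source.

    A reply leaving through a NIC passes PF_OUT. One delivered to the local
    stack never does, which is the bug; the proposed fix runs PF_OUT for it
    anyway. Note the packet still carries BACKEND as source at that point,
    which is what collides with source address validation in the comment.
    """
    if reply[2] in LOCAL_ADDRS and not simulate_out_for_local:
        return reply
    return pf_out(reply, states)


def connect(client, cport, simulate_out_for_local=False):
    """Simulate SYN from client to EXT:80; return the peer the client sees
    on the SYN-ACK. It must equal (EXT, 80) for the handshake to succeed."""
    states = {}
    syn = pf_in((client, cport, EXT, 80), states)
    synack = (syn[2], syn[3], syn[0], syn[1])  # backend answers from BACKEND:8080
    synack = reply_path(synack, states, simulate_out_for_local)
    return (synack[0], synack[1])
```

A remote client gets its SYN-ACK from EXT:80, a local client gets it from BACKEND:8080 and drops the connection, and with the simulated PF_OUT the local client also sees EXT:80.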