Hello,

On Mon, Dec 16, 2019 at 03:21:43PM +0100, Claudio Jeker wrote:
> On Mon, Dec 16, 2019 at 02:13:50PM +0100, Alexander Bluhm wrote:
> > On Sun, Dec 15, 2019 at 03:17:26PM +0100, Alexandr Nedvedicky wrote:
> > > Hello Daniel,
> > >
> > > thanks for reporting back.
> > >
> > > </snip>
> > > > Should the rdr-to rule still work? I fixed it with using the "Port foo"
> > > > directive in my sshd config (and a simple "pass in to port foo") in the
> > > > meantime.
> > >
> > > My earlier change indeed omits your use case. The rdr rule should still
> > > work. Patch below should fix it. The idea is to check whether the
> > > packet got NATed to loopback. We let the packet in if it got changed
> > > by PF.
> > >
> > > The IPv6 part does not need a similar fix. According to a quick check
> > > of existing code it works.
> > >
> > > OK ?
> >
> > Redirect to localhost is a violation of the strict host model.
> > Why not encourage people to use divert-to for local delivery?
>
> I think this is a "do as I want" kind of thing. If I use pf(4) to redirect
> traffic to a different address then I think our version of strict host
> model should step back and accept the connection.
>
And also, the change makes IPv4 behavior consistent with IPv6. So if we won't be committing the diff for IPv4, then we should change IPv6 to enforce divert-to for IPv6 too.

thanks and regards
sashan
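For readers following the thread, here are the three pf.conf variants under discussion side by side: the rdr-to rule that Daniel's setup relied on (the one that trips the strict host model because PF rewrites the destination to loopback before the packet is delivered), the divert-to rule Alexander suggests instead, and the no-NAT workaround Daniel used in the meantime. This is an added illustration, not a patch or configuration from the thread; the interface group "egress", the external port 2222 and the sshd port 22 are assumptions chosen for the example.

```pf
# Added example, not from the thread. Assumptions: external traffic arrives
# on the "egress" interface group, clients connect to TCP port 2222, and
# sshd listens on port 22 (case 3 assumes "Port 2222" in sshd_config).

# 1. rdr-to: PF rewrites the destination address to 127.0.0.1 before local
#    delivery. The packet then reaches the stack on a non-loopback interface
#    with a loopback destination, which is what the strict host model checks
#    against and what the proposed IPv4 diff special-cases (packet NATed by PF).
pass in on egress inet proto tcp to port 2222 rdr-to 127.0.0.1 port 22

# 2. divert-to: the packet is handed to the local socket bound to
#    127.0.0.1:22 without rewriting its addresses, so there is no
#    loopback destination on a non-loopback interface to object to.
pass in on egress inet proto tcp to port 2222 divert-to 127.0.0.1 port 22

# 3. No NAT at all: sshd itself listens on the extra port ("Port 2222" in
#    sshd_config) and PF simply passes the traffic, as in Daniel's workaround.
pass in on egress inet proto tcp to port 2222
```

Check any of the three with `pfctl -nf /etc/pf.conf` before loading; for case 2, remember that divert-to delivers to a socket bound to the divert address and port, so sshd must actually be listening on 127.0.0.1:22 (or on all addresses).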