On Mon, Dec 16, 2019 at 03:42:27PM +0100, Alexandr Nedvedicky wrote:
> > I think this is a "do as I want" kind of thing. If I use pf(4) to redirect
> > traffic to a different address then I think our version of strict host
> > model should step back and accept the connection.
>
> and also the change makes IPv4 behavior consistent with IPv6.
> so if we won't be committing diff for IPv4, then we should change IPv6
> to enforce divert-to for IPv6 too.

IPv4 and IPv6 code looks different. In ip6_input_if() the
IN6_IS_ADDR_LOOPBACK() check accepts packets redirected to ::1. Do we
really need that? We always have ::1 on lo0 and a valid route. And why
should a source ::1 enforce local delivery? That looks odd.

I would prefer to have the PF_TAG_TRANSLATE_LOCALHOST check in both
ip_input_if() and ip6_input_if() to explicitly make clear that redirect
does not follow the strict host model.

bluhm