From 42f47cc05f63d8745bec57428b7ad6ba9201dea2 Mon Sep 17 00:00:00 2001
From: Kristof Provost
Date: Wed, 27 Mar 2024 15:47:21 +0100
Subject: [PATCH] pf: fix reply-to after rdr and dummynet

If we redirect a packet to localhost and it gets dummynet'd it may be re-injected later (e.g. when delayed) which means it will be passed through ip_input() again. ip_input() will then reject the packet because it's directed to the loopback address, but did not arrive on a loopback interface. Fix this by having pf set the rcvif to V_iflo if we redirect to loopback.

See also: https://redmine.pfsense.org/issues/15363
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 5e934ae59c8..cb3626cb76c 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -8484,6 +8484,18 @@ pf_dummynet_route(struct pf_pdesc *pd, struct pf_kstate *s,
 sizeof(struct sockaddr_in6));
 }
+ if (s != NULL && s->nat_rule.ptr != NULL &&
+ s->nat_rule.ptr->action == PF_RDR &&
+ ((pd->af == AF_INET && IN_LOOPBACK(ntohl(pd->dst->v4.s_addr))) ||
+ (pd->af == AF_INET6 && IN6_IS_ADDR_LOOPBACK(&pd->dst->v6)))) {
+ /*
+ * If we're redirecting to loopback mark this packet
+ * as being local. Otherwise it might get dropped
+ * if dummynet re-injects.
+ */
+ (*m0)->m_pkthdr.rcvif = V_loif;
+ }
+
 if (pf_pdesc_to_dnflow(pd, r, s, &dnflow)) {
 pd->pf_mtag->flags |= PF_MTAG_FLAG_DUMMYNET;
 ip_dn_io_ptr(m0, &dnflow);
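Review bot: The new `(*m0)->m_pkthdr.rcvif = V_loif;` assignment runs before `pf_pdesc_to_dnflow(pd, r, s, &dnflow)` decides whether the packet is actually handed to dummynet, so a redirected-to-loopback packet whose flow is not queued (the call returns false) still has its real ingress interface replaced by lo0. Since rcvif is exactly the field ip_input() consults to reject loopback-destined packets that did not arrive on a loopback interface (the check the commit message describes), the override should be as narrow as the re-injection case it exists for: move the whole `if (s != NULL && s->nat_rule.ptr != NULL && ...)` block inside `if (pf_pdesc_to_dnflow(pd, r, s, &dnflow)) {`, immediately before `pd->pf_mtag->flags |= PF_MTAG_FLAG_DUMMYNET;`. Nothing visible here saves the original rcvif, so later consumers that key on the receiving interface (interface-bound sockets, IP_RECVIF, subsequent filter stages) will presumably see lo0 for these packets — worth stating in the comment, e.g. `/* The real ingress ifp is discarded; later rcvif-based checks see lo0. */`. The commit message calls the variable `V_iflo` while the code uses `V_loif`. pf_dummynet_route() starts and ends outside this hunk.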