On 2022-02-10, Mike Fischer <fischer+o...@lavielle.com> wrote:
>> The redirection to an address on the local machine is just internal to
>> the machine; those would only show a second time in tcpdump if they were
>> being sent to another machine.
>
> Ok, thanks. So there is no way to trace rdr-to (other than possibly doing low
> level kernel debugging)?

See pflog(4) - "match log(matches)" is very useful for tracking through
fiddly rulesets.

>> Normally if you have two addresses on the same lan you'd configure them
>> as aliases on the one interface, this seems a bit of a non-standard
>> config.
>
> Yes I know. The reason for trying this was that having two
> inet6 autoconf interfaces on the same LAN has issues. And alias
> was not an option due to dynamic IPv6 prefixes. (See this
> thread: https://marc.info/?l=openbsd-misc&m=164412170710420&w=2
> and a suggestion by Brian Brombacher in
> https://marc.info/?l=openbsd-misc&m=164418424619191&w=2 that I wanted to
> give a try.)
>
> Non-standard or not, it works ;-) Though the headers seen by the web
> server show the redirected IP and port and not the ones originally asked
> for by the client. Not surprising but something the site developer needs
> to be aware of. And HTTP was only an easy to use example. For other
> services this limitation may have more severe consequences.

Ah yes I do remember reading this, but I couldn't figure out a use case
for doing it that way :) I'm not a fan of non-standard configs where
avoidable, they're usually the ones which get broken when things are
changed.

btw for "only the prefix is listed not the complete IPv6 addresses" ->
see netstat's -v flag.