From 6dfb2c2dce0ffabd783ec24b8d4d128993363f72 Mon Sep 17 00:00:00 2001 From: Doug Rabson Date: Tue, 20 Jun 2023 14:01:58 +0100 Subject: pf: Add code to enable filtering for locally delivered packets This is disabled by default since it potentially changes the behavior of existing filter rule sets. To enable this extra filter for packets being delivered locally, use: sysctl net.pf.filter_local=1 service pf restart PR: 268717 Reviewed-by: kp MFC-after: 2 weeks Differential Revision: https://reviews.freebsd.org/D40373 (cherry picked from commit 3a1f834b5228986a7c14fd60da13cf2700e80996) --- UPDATING | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'UPDATING') diff --git a/UPDATING b/UPDATING index 2ca07499ff00..796f2b751b95 100644 --- a/UPDATING +++ b/UPDATING @@ -12,6 +12,18 @@ Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before updating system packages and/or ports. +20230619: + To enable pf rdr rules for connections initiated from the host, pf + filter rules can be optionally enabled for packets delivered + locally. This can change the behavior of rules which match packets + delivered to lo0. To enable this feature: + + sysctl net.pf.filter_local=1 + service pf restart + + When enabled, its best to ensure that packets delivered locally are not + filtered, e.g. by adding a 'skip on lo' rule. + 20230404: llvm-objump is now always installed as objdump. Previously there was no /usr/bin/objdump unless the WITH_LLVM_BINUTILS knob was used. -- cgit v1.2.3
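Review bot: The new UPDATING entry has a typo in its last paragraph: "When enabled, its best to ensure" should read "When enabled, it's best to ensure". While touching that paragraph, it would also help readers to state explicitly that net.pf.filter_local defaults to 0, as the commit message says ("This is disabled by default"), so that administrators can tell at a glance whether their existing rule sets are affected without enabling the sysctl; the entry currently only says the filter "can be optionally enabled".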