diff --git a/UPDATING b/UPDATING
--- a/UPDATING
+++ b/UPDATING
@@ -27,6 +27,15 @@
 world, or to merely disable the most expensive debugging functionality at
 runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".)
 
+20230531:
+ To enable pf rdr rules for connections initiated from the host, pf
+ filter rules are now processed by default for packets delivered
+ locally. This could change the behavior of rules which match packets
+ delivered to lo0. To disable this feature:
+
+ sysctl net.pf.filter_local=0
+ service pf restart
+
 20230422:
 Remove portsnap(8). Users are encouraged to obtain the ports tree using
 git instead.
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -195,6 +195,12 @@
 #error PF_QNAME_SIZE must be equal to PF_TAG_NAME_SIZE
 #endif
 
+VNET_DEFINE_STATIC(bool, pf_filter_local) = true;
+#define V_pf_filter_local VNET(pf_filter_local)
+SYSCTL_BOOL(_net_pf, OID_AUTO, filter_local, CTLFLAG_VNET | CTLFLAG_RW,
+ &VNET_NAME(pf_filter_local), true,
+ "Enable filtering for packets delivered to local network stack");
+
 static void pf_init_tagset(struct pf_tagset *, unsigned int *,
 unsigned int);
 static void pf_cleanup_tagset(struct pf_tagset *);
@@ -6676,6 +6682,13 @@
 pla.pa_hook = V_pf_ip4_out_hook;
 ret = pfil_link(&pla);
 MPASS(ret == 0);
+ if (V_pf_filter_local) {
+ pla.pa_flags = PFIL_OUT | PFIL_HEADPTR | PFIL_HOOKPTR;
+ pla.pa_head = V_inet_local_pfil_head;
+ pla.pa_hook = V_pf_ip4_out_hook;
+ ret = pfil_link(&pla);
+ MPASS(ret == 0);
+ }
 #endif
 #ifdef INET6
 pha.pa_type = PFIL_TYPE_IP6;
@@ -6697,6 +6710,13 @@
 pla.pa_hook = V_pf_ip6_out_hook;
 ret = pfil_link(&pla);
 MPASS(ret == 0);
+ if (V_pf_filter_local) {
+ pla.pa_flags = PFIL_OUT | PFIL_HEADPTR | PFIL_HOOKPTR;
+ pla.pa_head = V_inet6_local_pfil_head;
+ pla.pa_hook = V_pf_ip6_out_hook;
+ ret = pfil_link(&pla);
+ MPASS(ret == 0);
+ }
 #endif
 
 atomic_store_bool(&V_pf_pfil_hooked, true);
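Review bot: The new `net.pf.filter_local` sysctl is declared `CTLFLAG_RW`, but in this diff its value is only read inside the hook-linking code (the `if (V_pf_filter_local)` guards in the later hunks), so flipping it on a running system changes nothing until pf is unhooked and hooked again; the UPDATING entry says "service pf restart" but the sysctl itself does not, and an operator who sets it to 0 expecting to stop filtering lo0 traffic will get a false sense of having done so. The description string should carry that caveat, e.g. `"Enable filtering for packets delivered to local network stack (takes effect when pf is next enabled)"`. Alternatively a sysctl handler that rejects writes while `V_pf_pfil_hooked` is set would make the contract explicit; I cannot see the handler machinery from this hunk, so treat that as a suggestion to check against the rest of the file.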
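Review bot: The inet-local hook is linked only when `V_pf_filter_local` is true at link time, but nothing in the hunk records that decision, and the sysctl is writable at any time; if the matching unhook path (not in this diff, and the enclosing hook function starts and ends outside these hunks) tests the same variable, toggling the sysctl between enable and disable would either leave the inet-local hook linked after pf believes it is unhooked or attempt to unlink a hook that was never linked. The safer pattern is to latch the choice into a per-VNET flag set here, e.g. `V_pf_filter_local_hooked = V_pf_filter_local;` immediately before the `if`, and have the unhook code test that flag instead of re-reading the tunable. The same applies to the IPv6 block in the following hunk, which duplicates this logic; a small static helper taking the head and hook pointers would avoid the two copies drifting apart.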
diff --git a/tests/sys/netpfil/common/utils.subr b/tests/sys/netpfil/common/utils.subr
--- a/tests/sys/netpfil/common/utils.subr
+++ b/tests/sys/netpfil/common/utils.subr
@@ -55,11 +55,10 @@
 jexec ${jname} ipfw -q -f flush
 jexec ${jname} /bin/sh $cwd/ipfw.rule
 elif [ ${fw} == "pf" ]; then
+ jexec ${jname} sysctl net.pf.filter_local=1
 jexec ${jname} pfctl -e
 jexec ${jname} pfctl -F all
 jexec ${jname} pfctl -f $cwd/pf.rule
- jexec ${jname} pfilctl link -o pf:default-out inet-local
- jexec ${jname} pfilctl link -o pf:default-out6 inet6-local
 elif [ ${fw} == "ipf" ]; then
 jexec ${jname} ipf -E
 jexec ${jname} ipf -Fa -f $cwd/ipf.rule
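Review bot: The added `sysctl net.pf.filter_local=1` line only has an effect because it runs before `pfctl -e`: the kernel side of this change consults the tunable when pf links its pfil hooks, which presumably happens on enable, so the ordering is load-bearing and nothing in the script says so. A one-line comment above the new line would protect it from being moved during a later cleanup, e.g. `# net.pf.filter_local is read when pf links its hooks, so it must precede pfctl -e`. Since the kernel default is already true, it is also worth noting in that comment that the line exists to pin the test against a host that has changed the default, so nobody removes it as redundant. The enclosing shell function starts and ends outside this hunk.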