> Whoohoo!
LOL, thanks!

> I expect that you really _DO NEED_ that second loopback interface for
> the above config, otherwise your packets will just end up in one big
> loop. A workaround might be to tag the packets when they are rdr'ed and
> make sure that you only rdr packets that are non-tagged. I have to look
> up the exact syntax on how to do that. I strongly suggest testing your
> pf rules on another machine first (OpenBSD or FreeBSD VM) and then
> deploying in iOS.
Yeah, I sense the loop there. I thought that

pass quick on lo0 keep state
pass out quick inet proto tcp user nobody flags S/SA modulate state

was my "exit strategy", anyway. Looks like they never really work ;-)
Tagging packets is a good idea! It's something I didn't think to try in the first place as, usually, it's useless when it comes to iptables, but it's pf here, so I should definitely try it.

> Do you have the kernel crash log handy by any chance? It should be in
> /Library/Logs/CrashReporter/Panics
Gone, but I will try to replicate it. Looking for some 0days, are you? :-P

