On 28 Sep 2016, at 13:53, Franco Fichtner wrote:
> The main culprit of pfil not working correctly is pf's route-to and reply-to (and the tag formerly known as fastroute) as they would call if_output directly on the ifnet and consume their packets this way. That transmit code is also copied from if_output() and should likely not be called from within pf, especially when there is a pfil hook chain to go through.

Agreed, but there’s another culprit: the v6 fragment handling code. It needs to call ip6_output()/ip6_forward() because it generates multiple output packets.
Dealing with that has been on my todo list for a while now, but I’ve not even
found the time to make a start at it.

Regards,
Kristof