On Mon, 14 Nov 2016, Alexander Bluhm wrote:
> Hi,
>
> The !r->rt case is only used by af-to. pf_route6() calls ip6_output()
> to do the work while pf_route() has some custom implementation for
> that. It is simpler to call ip_output() or ip6_output() from
> pf_test() directly.
>
> ok?

Note, pf_route() calls pf_test() only if (pd->kif->pfik_ifp != ifp). (I read this as 'pf changed the packet's interface'.) Using ip_output() avoids this guard. If it's an optimisation, no problem, but that's unclear to me.

(I suspect it's ok, as af-to is invalid in out-bound rules: so the guard is always true and pf_test() is always called, unless the af-to packet is being sent out the interface it arrived on. But pf_test() should be called for all output packets, so this patch would improve the situation.)

With that proviso, ok procter@

best,
Richard.