On Sat, Nov 19, 2016 at 09:07:11PM +1300, Richard Procter wrote:
> Note, pf_route() calls pf_test() only if (pd->kif->pfik_ifp != ifp).
> (I read this as 'pf changed the packet's interface'.)
This check was added in the commit:
----------------------------
revision 1.218
date: 2002/06/07 21:46:08; author: jasoni; state: Exp; lines: +27 -21;
in pf_route{6}, do not pass thru pf_test again if the outgoing
interface has not changed
- ok dhartmei@
----------------------------
I guess this is a protection against looping in pf with outgoing
route-to rules. This problem cannot happen with af-to. The af-to
rule is always an incoming rule. The pf_test() in ip_output() is
done in outgoing direction. So the af-to code is never called
recursively.
bluhm