Until now forwarded packets passed through PFIL_OUT, which made it
difficult for firewalls to figure out if they were forwarding or
This in turn is an issue for pf for IPv6 fragment handling: it needs to
call ip6_output() or ip6_forward() to handle the fragments. Figuring out
which was difficult (and until now, incorrect).
Having pfil distinguish the two removes an ugly piece of code from pf.
Other firewalls (ipfw, ipf) need to be made aware of this. Simply
changing PFIL_FWD into PFIL_OUT in their hook functions removes any
behaviour change for them.