Forwarded packets passed through PFIL_OUT, which made it
difficult for firewalls to figure out if they were forwarding or
This in turn is an issue for pf for IPv6 fragment handling: it needs to
call ip6_output() or ip6_forward() to handle the fragments. Figuring out
which was difficult (and until now, incorrect).
Having pfil distinguish the two removes an ugly piece of code from pf.
Introduce a flags variable in the netpfil callbacks, which has PFIL_FWD
set for forwarded packets. This allows pf to reliably work out if a packet
is forwarded or not.