bridge veb IPv6 fragment pf forward
Hello, this looks good to me. OK sashan@ On Mon, Aug 05, 2024 at 11:52:14AM +0200, Alexander Bluhm wrote: > Hi, > > Sending IPv6 fragments over a bridge with pf does not work. During > input pf reassembles the packet, and at bridge output it should be > refragmented. This is only done for PF_FWD directions, but bridge(4) > and veb(4) always call pf_test() with PF_OUT. > > ok? > > bluhm > > Index: net/if_bridge.c > =================================================================== > RCS file: /data/mirror/openbsd/cvs/src/sys/net/if_bridge.c,v > diff -u -p -r1.370 if_bridge.c > --- net/if_bridge.c 14 Apr 2024 20:46:27 -0000 1.370 > +++ net/if_bridge.c 5 Aug 2024 09:40:26 -0000 > @@ -70,7 +70,7 @@ > #if NPF > 0 > #include <net/pfvar.h> > #define BRIDGE_IN PF_IN > -#define BRIDGE_OUT PF_OUT > +#define BRIDGE_OUT PF_FWD > #else > #define BRIDGE_IN 0 > #define BRIDGE_OUT 1 > Index: net/if_veb.c > =================================================================== > RCS file: /data/mirror/openbsd/cvs/src/sys/net/if_veb.c,v > diff -u -p -r1.35 if_veb.c > --- net/if_veb.c 13 Feb 2024 12:22:09 -0000 1.35 > +++ net/if_veb.c 5 Aug 2024 09:40:26 -0000 > @@ -944,7 +944,7 @@ veb_broadcast(struct veb_softc *sc, stru > * let pf look at it, but use the veb interface as a proxy. > */ > if (ISSET(ifp->if_flags, IFF_LINK1) && > - (m0 = veb_pf(ifp, PF_OUT, m0)) == NULL) > + (m0 = veb_pf(ifp, PF_FWD, m0)) == NULL) > return; > #endif > > @@ -1039,7 +1039,7 @@ veb_transmit(struct veb_softc *sc, struc > > #if NPF > 0 > if (ISSET(ifp->if_flags, IFF_LINK1) && > - (m = veb_pf(ifp0, PF_OUT, m)) == NULL) > + (m = veb_pf(ifp0, PF_FWD, m)) == NULL) > return (NULL); > #endif > >
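Review bot: in the net/if_bridge.c hunk (@@ -70,7), BRIDGE_OUT now expands to PF_FWD, so the macro name no longer says which direction is handed to pf, while the #else branch still defines it as 1. A one-line comment above the define, stating that PF_FWD is used so that pf refragments IPv6 packets it reassembled on input, would keep a later reader from "correcting" it back to PF_OUT.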
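Review bot: in the veb_broadcast() hunk (@@ -944,7), the call site still only distinguishes a returned mbuf from NULL, and on NULL the function returns early. Since the stated reason for PF_FWD is that pf refragments the reassembled packet, the commit message should say what veb_pf() hands back in that case and how the fragments reach the ports. The existing comment "let pf look at it, but use the veb interface as a proxy" would be a good place to record that.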
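Review bot: in the veb_transmit() hunk (@@ -1039,7), PF_FWD is hard-coded a second time, whereas if_bridge.c routes the same choice through the BRIDGE_OUT macro. A single define in if_veb.c used by both veb_pf() calls would keep veb_broadcast() and veb_transmit() from drifting apart if the direction changes again.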