3 files changed, 11 insertions, 14 deletions

diff --git a/sys/net/bridge.c b/sys/net/bridge.c
index d0fa2d9..5864a6f 100644
--- a/sys/net/bridge.c
+++ b/sys/net/bridge.c
@@ -1020,13 +1020,11 @@ bdg_forward(struct mbuf *m0, struct ifnet *dst)
 	    ip->ip_off = ntohs(ip->ip_off);
 
 	    if (pfil_run_hooks(&inet_pfil_hook, &m0, src, PFIL_IN) != 0) {
-		EH_RESTORE(m0);		/* restore Ethernet header */
-		return m0;
-	    }
-	    if (m0 == NULL) {
-		bdg_dropped++;
+		/* NB: hook should consume packet */
 		return NULL;
 	    }
+	    if (m0 == NULL)			/* consumed by filter */
+		return m0;
 	    /*
 	     * If we get here, the firewall has passed the pkt, but the mbuf
 	     * pointer might have changed. Restore ip and the fields ntohs()'d.
diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c
index 9233aba..b625f0a 100644
--- a/sys/netinet6/ip6_forward.c
+++ b/sys/netinet6/ip6_forward.c
@@ -522,10 +522,9 @@ ip6_forward(m, srcrt)
 	/*
 	 * Run through list of hooks for output packets.
 	 */
-	if (pfil_run_hooks(&inet6_pfil_hook, &m, rt->rt_ifp, PFIL_OUT) != 0) {
-		error = EHOSTUNREACH;
-		goto freecopy;
-	}
+	error = pfil_run_hooks(&inet6_pfil_hook, &m, rt->rt_ifp, PFIL_OUT);
+	if (error != 0)
+		goto senderr;
 	if (m == NULL)
 		goto freecopy;
 	ip6 = mtod(m, struct ip6_hdr *);
@@ -545,6 +544,9 @@ ip6_forward(m, srcrt)
 				goto freecopy;
 		}
 	}
+#ifdef PFIL_HOOKS
+senderr:
+#endif
 	if (mcopy == NULL)
 		return;
 	switch (error) {
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 7e81373..e03fd3b 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -926,11 +926,8 @@ skip_ipsec2:;
 	/*
 	 * Run through list of hooks for output packets.
 	 */
-	if (pfil_run_hooks(&inet6_pfil_hook, &m, ifp, PFIL_OUT) != 0) {
-		error = EHOSTUNREACH;
-		goto done;
-	}
-	if (m == NULL)
+	error = pfil_run_hooks(&inet6_pfil_hook, &m, ifp, PFIL_OUT);
+	if (error != 0 || m == NULL)
 		goto done;
 	ip6 = mtod(m, struct ip6_hdr *);
 #endif /* PFIL_HOOKS */