--- ip_fw_private.h.orig 2017-07-06 22:56:37.107986503 +0300
+++ ip_fw_private.h 2017-10-04 08:24:29.724189000 +0300
@@ -82,6 +82,7 @@
 */
 struct ip_fw_args {
 struct mbuf *m; /* the mbuf chain */
+ struct ifnet *iif; /* intermediate interface */
 struct ifnet *oif; /* output interface */
 struct sockaddr_in *next_hop; /* forward address */
 struct sockaddr_in6 *next_hop6; /* ipv6 forward address */
--- ip_fw_pfil.c.orig 2017-07-06 22:56:39.178985707 +0300
+++ ip_fw_pfil.c 2017-10-04 08:43:16.598927000 +0300
@@ -145,6 +145,7 @@
 }
 args.m = *m0;
+ args.iif = dir == DIR_IN && ifp != args.m->m_pkthdr.rcvif ? ifp : NULL;
 args.oif = dir == DIR_OUT ? ifp : NULL;
 args.inp = inp;
@@ -341,6 +342,7 @@
 m_adj(m, ETHER_HDR_LEN); /* strip ethernet header */
 args.m = m; /* the packet we are looking at */
+ args.iif = dir == PFIL_IN && ifp != m->m_pkthdr.rcvif ? ifp : NULL;
 args.oif = dir == PFIL_OUT ? ifp: NULL; /* destination, if any */
 args.next_hop = NULL; /* we do not support forward yet */
 args.next_hop6 = NULL; /* we do not support forward yet */
--- ip_fw2.c.orig 2017-07-06 22:56:39.180986274 +0300
+++ ip_fw2.c 2017-10-04 09:26:00.528889000 +0300
@@ -914,6 +914,8 @@
 #endif
 int ucred_lookup = 0;
+ struct ifnet *iif = args->iif;
+
 /*
 * oif | args->oif If NULL, ipfw_chk has been called on the
 * inbound path (ether_input, ip_input).
@@ -1384,7 +1386,7 @@
 case O_VIA:
 match = iface_match(oif ? oif :
- m->m_pkthdr.rcvif, (ipfw_insn_if *)cmd,
+ iif ? iif : m->m_pkthdr.rcvif, (ipfw_insn_if *)cmd,
 chain, &tablearg);
 break;
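Review bot: The new `iif` member has to be set by every code path that fills a `struct ip_fw_args`, because the ip_fw2.c hunk reads `args->iif` unconditionally and O_VIA hands it to `iface_match`. This patch assigns it in the two places shown in ip_fw_pfil.c; the second one fills the struct field by field, which suggests it is not zeroed first, so any other producer outside this patch would pass an indeterminate pointer into rule matching. It is worth confirming there is none, or zero-initializing the struct where it is declared. The field comment would also be clearer as `/* pfil input ifp when it differs from rcvif, else NULL */`.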
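Review bot: The added `args.iif` assignment leans on the relative precedence of `==`/`!=`, `&&` and `?:` with no parentheses, which is easy to misread in code that decides which interface the firewall rules see. Writing it as `args.iif = (dir == DIR_IN && ifp != args.m->m_pkthdr.rcvif) ? ifp : NULL;` keeps the behaviour and makes the condition explicit; the same applies to the `PFIL_IN` line in the `@@ -341,6 +342,7 @@` hunk. A one-line comment saying when the hook's `ifp` is expected to differ from `rcvif` would help, since nothing in the hunk states it. The enclosing function starts and ends outside the hunk.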
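Review bot: The comment block that follows the new declaration describes `oif`, but `iif` gets no entry, so a reader of ipfw_chk cannot tell when it is non-NULL. Add a line in the same style, for example `iif | args->iif  Non-NULL only on the inbound path, when the pfil ifp differs from m_pkthdr.rcvif.`, matching how ip_fw_pfil.c sets it in this patch. ipfw_chk and the comment block both continue outside the hunk.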
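Review bot: On the inbound path `via` now matches against `iif` alone whenever it is set, so a rule written against the receive interface no longer matches those packets, and for a deny rule that is a silent change in what the ruleset blocks. Only O_VIA is changed here; any opcode that still reads `m->m_pkthdr.rcvif` (none is shown in this patch) would then disagree with `via` for the same packet. Either document the new precedence for rule authors or keep `rcvif` as a fallback match. The chained conditional would read better parenthesized, `oif ? oif : (iif ? iif : m->m_pkthdr.rcvif)`, with a comment such as `/* inbound: the pfil ifp, when set, takes precedence over rcvif */`. ipfw_chk starts and ends outside the hunk.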