diff --git a/share/man/man9/pfil.9 b/share/man/man9/pfil.9
index 293e605d1766..4416b3035bf3 100644
--- a/share/man/man9/pfil.9
+++ b/share/man/man9/pfil.9
@@ -203,8 +203,12 @@ When a
 .Vt pfil_head
 is being modified, no traffic is diverted (to avoid deadlock).
-This means that unwanted traffic may flow for a short period
+This means that traffic may be dropped unconditionally for a short period
 of time.
+.Fn pfil_run_hooks
+will return
+.Dv ENOBUF
+to indicate this.
 .Sh SEE ALSO
 .Xr bpf 4 ,
 .Xr bridge 4
diff --git a/sys/net/pfil.c b/sys/net/pfil.c
index f5fff2a8fcab..bfd382db6bed 100644
--- a/sys/net/pfil.c
+++ b/sys/net/pfil.c
@@ -119,8 +119,16 @@ pfil_run_hooks(struct pfil_head *ph, struct mbuf **mp, struct ifnet *ifp,
 	struct mbuf *m = *mp;
 	int rv = 0;
 
-	if (ph->ph_busy_count == -1 || ph->ph_want_write)
-		return (0);
+	/*
+	 * Prevent packet filtering from starving the modification of
+	 * the packet filters. We would prefer a reader/writer locking
+	 * mechanism with guaranteed ordering, though.
+	 */
+	if (ph->ph_busy_count == -1 || ph->ph_want_write) {
+		m_freem(*mp);
+		*mp = NULL;
+		return (ENOBUFS);
+	}
 
 	PFIL_RLOCK(ph);
 	for (pfh = pfil_hook_get(dir, ph); pfh != NULL;
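Review bot: The man page text added in the same commit names `.Dv ENOBUF`, but this hunk returns `ENOBUFS`; pfil.9 should read `.Dv ENOBUFS` so the documented error matches what callers actually see. The new branch also changes the contract from "packet left untouched, return 0" to "packet consumed, `*mp` set to NULL, return ENOBUFS", so every caller must now leave the mbuf alone on a non-zero return — worth stating in the function's header comment, e.g. `On ENOBUFS the mbuf has been freed and *mp is NULL.` Dropping rather than passing unfiltered traffic while the head is being modified is the fail-closed choice, but ENOBUFS is also what genuine buffer exhaustion reports, so an operator cannot tell these drops from allocation failures; a dedicated drop counter would make filter-reconfiguration drops observable. Minor: `m` already holds `*mp`, so `m_freem(m);` suffices. pfil_run_hooks' signature lies before the hunk and its body continues after it.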