Correct pfil_run_hooks return handling: if the return value is non-zero

then the mbuf has been consumed by a hook; otherwise beware of a null
mbuf return (gack).  In particular the bridge was doing the wrong thing.
While in the ipv6 code make it's handling of pfil_run_hooks identical
to netbsd.

Pointed out by:	Pyun YongHyeon <yongari@kt-is.co.kr>

sys/net/bridge.c

@@ -1020,13 +1020,11 @@ bdg_forward(struct mbuf *m0, struct ifnet *dst)
 	    ip->ip_off = ntohs(ip->ip_off);
 
 	    if (pfil_run_hooks(&inet_pfil_hook, &m0, src, PFIL_IN) != 0) {
-		EH_RESTORE(m0);		/* restore Ethernet header */
-		return m0;
-	    }
-	    if (m0 == NULL) {
-		bdg_dropped++;
+		/* NB: hook should consume packet */
 		return NULL;
 	    }
+	    if (m0 == NULL)			/* consumed by filter */
+		return m0;
 	    /*
 	     * If we get here, the firewall has passed the pkt, but the mbuf
 	     * pointer might have changed. Restore ip and the fields ntohs()'d.

sys/netinet6/ip6_forward.c

@@ -522,10 +522,9 @@ ip6_forward(m, srcrt)
 	/*
 	 * Run through list of hooks for output packets.
 	 */
-	if (pfil_run_hooks(&inet6_pfil_hook, &m, rt->rt_ifp, PFIL_OUT) != 0) {
-		error = EHOSTUNREACH;
-		goto freecopy;
-	}
+	error = pfil_run_hooks(&inet6_pfil_hook, &m, rt->rt_ifp, PFIL_OUT);
+	if (error != 0)
+		goto senderr;
 	if (m == NULL)
 		goto freecopy;
 	ip6 = mtod(m, struct ip6_hdr *);
@@ -545,6 +544,9 @@ ip6_forward(m, srcrt)
 				goto freecopy;
 		}
 	}
+#ifdef PFIL_HOOKS
+senderr:
+#endif
 	if (mcopy == NULL)
 		return;
 	switch (error) {

sys/netinet6/ip6_output.c

@@ -926,11 +926,8 @@ skip_ipsec2:;
 	/*
 	 * Run through list of hooks for output packets.
 	 */
-	if (pfil_run_hooks(&inet6_pfil_hook, &m, ifp, PFIL_OUT) != 0) {
-		error = EHOSTUNREACH;
-		goto done;
-	}
-	if (m == NULL)
+	error = pfil_run_hooks(&inet6_pfil_hook, &m, ifp, PFIL_OUT);
+	if (error != 0 || m == NULL)
 		goto done;
 	ip6 = mtod(m, struct ip6_hdr *);
 #endif /* PFIL_HOOKS */