Subject: Extending pfil for IPv6
To: None <tech-net@netbsd.org>
From: Darren Reed <darrenr@reed.wattle.id.au>
List: tech-net
Date: 10/25/1999 00:24:21

At present, the PFIL_HOOK code is somewhat confined to the IPv4 protocol.

In discussions with phone, we tossed around some ideas for being able to
set up filters based on this protocol and that protocol (of most interest
at present is IPv4/IPv6).  Passing flags and values to do this and that
would solve the problem, but perhaps not in the best fashion possible.

In the end, the idea of having each protocol have its own input/output
filtering lists seemed to be the best.  This would be implemented by
adding a new pfil struct to both struct protosw and struct ip6protosw
which contained private list heads for at least both input and output.
This sets up the possibility of using pfil in other protocols (non-inet
or things like udp, etc).

Once the method for extending to IPv6 is decided on, the problem of where
to add filtering hooks needs to be addressed.  Having spent some time
looking at it, I think the correct hooks need to be added at about line
292 of ip6_input.c (after the version check, but prior to any scope checks).
If the stats counter was moved further down, then I'd be tempted to let at
least the first scope check be done before doing pfil checks.  My preference
is to have it as the first thing after the "hbhcheck:" label, but I'm not
sufficiently aware of what needs to be done when, yet, with IPv6.  For
outgoing IPv6 packets, just prior to the comment "Send the packet to the
outgoing interface." seems the best place.

Once this gets finalised, can we get the pfil changes put back into the
KAME mainline (with #ifdef PFIL_HOOK, of course) ? :-)

Comments ?

Darren
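
Added example, not part of the original message and not NetBSD or KAME code: a user-space C model of the per-protocol input/output hook lists the mail proposes, with the IPv6 input hook run after the version check. Every name here (`pf_head`, `proto_sw`, `pf_add_hook`, `pf_run_hooks`, `model_ip6_input`, `drop_zero_hlim`) is hypothetical, and `struct pkt` is a stand-in for an mbuf.

```c
/* User-space model only; all names are hypothetical, not the kernel's API. */
#include <stddef.h>

#define PF_IN     0
#define PF_OUT    1
#define MAX_HOOKS 4

struct pkt { int version; int hlim; };            /* stand-in for an mbuf */
typedef int (*pf_hook_t)(struct pkt *, int dir);  /* nonzero return = drop */

/* Private list heads, one per direction, owned by a single protocol. */
struct pf_head {
    pf_hook_t hooks[2][MAX_HOOKS];
    size_t    count[2];
};

/* Stand-in for struct protosw / struct ip6protosw carrying its own head. */
struct proto_sw { const char *name; struct pf_head pfil; };

int pf_add_hook(struct proto_sw *pr, int dir, pf_hook_t fn)
{
    struct pf_head *ph = &pr->pfil;
    if (dir != PF_IN && dir != PF_OUT)
        return -1;
    if (fn == NULL || ph->count[dir] >= MAX_HOOKS)
        return -1;
    ph->hooks[dir][ph->count[dir]++] = fn;
    return 0;
}

/* Run this protocol's hooks for one direction; stop at the first drop. */
int pf_run_hooks(struct proto_sw *pr, struct pkt *p, int dir)
{
    struct pf_head *ph = &pr->pfil;
    for (size_t i = 0; i < ph->count[dir]; i++) {
        int rv = ph->hooks[dir][i](p, dir);
        if (rv != 0)
            return rv;
    }
    return 0;
}

/* Constructed sample filter: drop inbound packets with hop limit 0. */
int drop_zero_hlim(struct pkt *p, int dir) { return dir == PF_IN && p->hlim == 0; }

/* Input path model: version check first, then the protocol's own hooks. */
int model_ip6_input(struct proto_sw *pr, struct pkt *p)
{
    if (p->version != 6)
        return -1;                 /* rejected before any filter runs */
    return pf_run_hooks(pr, p, PF_IN);
}
```

Because each protocol switch entry owns its list heads, a filter registered for IPv6 input never runs on the IPv4 path or on IPv6 output.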