when pf_route (and pf_route6) are supposed to handle forwarding the packet (ie, for route-to or reply-to rules), they take the mbuf away from the calling code path. this is done by clearing the mbuf pointer in the pf_pdesc struct. it doesn't do this for dup-to rules though.
at the moment pf_route clears that pointer on the way out, but it could take the mbuf away up front in the same place that it already checks if it's a dup-to rule or not. it's a small change. i've bumped up the number of lines of context so it's easier to read too. ok? Index: pf.c =================================================================== RCS file: /cvs/src/sys/net/pf.c,v retrieving revision 1.1101 diff -u -p -r1.1101 pf.c --- pf.c 19 Jan 2021 22:22:23 -0000 1.1101 +++ pf.c 27 Jan 2021 01:05:29 -0000 @@ -5988,6 +5988,7 @@ pf_route(struct pf_pdesc *pd, struct pf_ if ((r->rt == PF_REPLYTO) == (r->direction == pd->dir)) return; m0 = pd->m; + pd->m = NULL; } if (m0->m_len < sizeof(struct ip)) { @@ -6108,8 +6109,6 @@ pf_route(struct pf_pdesc *pd, struct pf_ ipstat_inc(ips_fragmented); done: - if (r->rt != PF_DUPTO) - pd->m = NULL; rtfree(rt); return; @@ -6146,6 +6145,7 @@ pf_route6(struct pf_pdesc *pd, struct pf if ((r->rt == PF_REPLYTO) == (r->direction == pd->dir)) return; m0 = pd->m; + pd->m = NULL; } if (m0->m_len < sizeof(struct ip6_hdr)) { @@ -6237,8 +6237,6 @@ pf_route6(struct pf_pdesc *pd, struct pf } done: - if (r->rt != PF_DUPTO) - pd->m = NULL; rtfree(rt); return;