Packet Flow Diagram

Started by Monviech (Cedrik), October 07, 2023, 06:57:19 PM

December 02, 2025, 01:25:24 AM #15 Last Edit: December 06, 2025, 06:46:25 PM by drosophila
Does anyone know where scope checking is done WRT this diagram? I'm referring to the part that'll generate a "Destination unreachable: Beyond scope of source address" message when a link-local tries to route to global space? It seems to be done before pf, because it also applies if I set the firewall to disabled (check "Disable Firewall Disable all packet filtering."), which (I think?) would bypass pf entirely (is that assumption correct?). Reason: I'd like to selectively change this behavior using pf rules, so that the exceptions exist only as long as the firewall is enabled, and only for the protocol(s) specified.

I could find precious little documentation on the entire subject of address scoping; almost all results are about the scope ID, which is basically the %ifX suffix, not the "address scope" I'm referring to, and next to nothing about the handling and manipulation of the link- and site-local scopes themselves. There's more for Linux, but none of that can be applied to BSD.

Addendum: after experimenting some more with it, it seems like the redirection step actually comes after the inbound filtering, which is consistent with RFC 4890, so that one can manually block this sort of traffic for logging purposes. However, NAT only happens in the out section, and between that and the in section the automatic denial already happens, so it is not possible to match on the traffic in order to NAT it (so between 3 and 6, possibly between 3 and 4 even). So, without manually reconfiguring the kernel (which obviously is not acceptable both in terms of maintainability and opportunities for errors), I am denied this fail-safe mechanism, whether it would actually work as intended or not. I feel there lies a missed opportunity for fallback security in this. The only way around this would be to set up a transparent filtering bridge, which however would rely even more on proper filtering and doesn't afford any protection at all, just like disabling scope checking altogether.
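As an added illustration (not from this thread, and not OPNsense or FreeBSD code), here is a simplified Python model of the scope-zone comparison the IPv6 forwarding path applies to the source address before pf's outbound hook is reached; it assumes no site-local zone ids are configured, and the interface indexes and addresses are constructed.

```python
import ipaddress

# Model of the RFC 4007 zone check made when forwarding: the source address
# is assigned a zone id on the receiving interface and again on the outgoing
# interface.  If the two differ, the packet is dropped and ICMPv6 Destination
# Unreachable code 2 ("beyond scope of source address", RFC 4443 section 3.1)
# is returned.  Simplified illustration, not the kernel's implementation.

MCAST_SCOPE_INTERFACE_LOCAL = 0x1   # RFC 4291 section 2.7 multicast scope field
MCAST_SCOPE_LINK_LOCAL = 0x2


def zone_id(addr: str, ifindex: int) -> int:
    """Zone id of addr as seen on interface ifindex.

    Link-local unicast and interface-/link-local multicast are zoned per
    interface; global, ULA (fc00::/7) and deprecated site-local addresses are
    put in the single zone 0 (assumption: no site ids configured).  A '%zone'
    suffix in the text form is ignored; ifindex is authoritative.
    """
    ip = ipaddress.IPv6Address(addr.split("%", 1)[0])
    if ip.is_multicast:
        scope = ip.packed[1] & 0x0F
        if scope in (MCAST_SCOPE_INTERFACE_LOCAL, MCAST_SCOPE_LINK_LOCAL):
            return ifindex
        return 0
    if ip.is_link_local:            # fe80::/10
        return ifindex
    return 0


def beyond_scope(src: str, in_ifindex: int, out_ifindex: int) -> bool:
    """True if a packet from src, received on in_ifindex and routed out of
    out_ifindex, would be rejected with 'beyond scope of source address'."""
    return zone_id(src, in_ifindex) != zone_id(src, out_ifindex)


if __name__ == "__main__":
    LAN, WAN = 2, 3                                  # constructed interface indexes
    # link-local source leaving via another interface: rejected before pf out
    print(beyond_scope("fe80::1%vtnet0", LAN, WAN))  # True
    # same interface (e.g. a redirect target on the same link): allowed
    print(beyond_scope("fe80::1", LAN, LAN))         # False
    # global and ULA sources are in zone 0 everywhere: allowed
    print(beyond_scope("2001:db8::1", LAN, WAN))     # False
    print(beyond_scope("fd00::1", LAN, WAN))         # False
```

Because the rejection happens in this forwarding step, traffic that fails the check never reaches the outbound pf/NAT stage the post refers to, which is consistent with the observed behaviour when the firewall is disabled.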