Packet Flow Diagram

Started by Monviech (Cedrik), October 07, 2023, 06:57:19 PM

Today at 01:25:24 AM #15 Last Edit: Today at 01:53:38 AM by drosophila
Does anyone know where scope checking is done WRT this diagram? I'm referring to the part that'll generate a "Destination unreachable: Beyond scope of source address" message when a link-local tries to route to global space? It seems to be done before pf, because it also applies if I set the firewall to disabled (check "Disable Firewall Disable all packet filtering."), which (I think?) would bypass pf entirely (is that assumption correct?). Reason: I'd like to selectively change this behavior using pf rules, so that the exceptions exist only as long as the firewall is enabled, and only for the protocol(s) specified.

I could find precious little documentation on the entire subject of address scoping; almost all results are about the scope ID, which is basically the %ifX suffix, not the "address scope" I'm referring to, and next to nothing about the handling and manipulation of the link- and site-local scopes themselves. There's more for Linux, but none of that can be applied to BSD.