Index: if_veb.c
===================================================================
RCS file: /cvs/src/sys/net/if_veb.c,v
retrieving revision 1.31
diff -u -p -r1.31 if_veb.c
--- if_veb.c	16 May 2023 14:32:54 -0000	1.31
+++ if_veb.c	23 Nov 2023 06:56:19 -0000
@@ -589,12 +589,14 @@ veb_rule_filter(struct veb_port *p, int 
 #if NPF > 0
 struct veb_pf_ip_family {
 	sa_family_t	   af;
+	int		   ip_hlen;
 	struct mbuf	*(*ip_check)(struct ifnet *, struct mbuf *);
 	void		 (*ip_input)(struct ifnet *, struct mbuf *);
 };
 
 static const struct veb_pf_ip_family veb_pf_ipv4 = {
 	.af		= AF_INET,
+	.ip_hlen	= sizeof(struct ip),
 	.ip_check	= ipv4_check,
 	.ip_input	= ipv4_input,
 };
@@ -602,6 +604,7 @@ static const struct veb_pf_ip_family veb
 #ifdef INET6
 static const struct veb_pf_ip_family veb_pf_ipv6 = {
 	.af		= AF_INET6,
+	.ip_hlen	= sizeof(struct ip6_hdr),
 	.ip_check	= ipv6_check,
 	.ip_input	= ipv6_input,
 };
@@ -612,6 +615,7 @@ veb_pf(struct ifnet *ifp0, int dir, stru
 {
 	struct ether_header *eh, copy;
 	const struct veb_pf_ip_family *fam;
+	int hlen;
 
 	/*
 	 * pf runs on vport interfaces when they enter or leave the
@@ -644,6 +648,10 @@ veb_pf(struct ifnet *ifp0, int dir, stru
 		m = (*fam->ip_check)(ifp0, m);
 		if (m == NULL)
 			return (NULL);
+	} else if (m->m_len < fam->ip_hlen) {
+		m = m_pullup(m, fam->ip_hlen);
+		if (m == NULL)
+			return (NULL);
 	}
 
 	if (pf_test(fam->af, dir, ifp0, &m) != PF_PASS) {
@@ -660,12 +668,14 @@ veb_pf(struct ifnet *ifp0, int dir, stru
 		return (NULL);
 	}
 
-	m = m_prepend(m, sizeof(*eh), M_DONTWAIT);
+	hlen = roundup(sizeof(*eh), sizeof(long));
+	m = m_prepend(m, hlen, M_DONTWAIT);
 	if (m == NULL)
 		return (NULL);
 
 	/* checksum? */
 
+	m_adj(m, hlen - sizeof(*eh));
 	eh = mtod(m, struct ether_header *);
 	*eh = copy;