congestion indicator in stack and pf


when the kernel is done servicing interrupts, just before it would switch back to userland, it runs scheduled soft interrupts

packets are taken out of ipintrq (for v4)
ip_input(), calls pf_test(), which does state lookup and ruleset eval if needed