Nearly the same code fragment appears in both the input and the output
paths.

I just committed changes to ip_input.c and ip_output.c to fix this
problem (i've actually been running with these changes for a while on
a router which is playing a similar game of wanting to route packets
to different `upstream' paths based on source address).

Here's the diff..

Index: ip_input.c
===================================================================
RCS file: /cvsroot/src/sys/netinet/ip_input.c,v
retrieving revision 1.67
diff -u -r1.67 ip_input.c
--- ip_input.c  1998/06/01 00:39:37     1.67
+++ ip_input.c  1998/07/17 00:22:30
@@ -329,7 +329,10 @@
                        rv = pfh->pfil_func(ip, hlen, m->m_pkthdr.rcvif, 0, &m0);
                        if (rv)
                                goto next;
-                       ip = mtod(m = m0, struct ip *);
+                       m = m0;
+                       if (m == NULL)
+                               goto next;
+                       ip = mtod(m, struct ip *);
                }
 #endif /* PFIL_HOOKS */
 
zsh: 16945 exit 1     cvs -q diff ip_input.c
Index: ip_output.c
===================================================================
RCS file: /cvsroot/src/sys/netinet/ip_output.c,v
retrieving revision 1.48
diff -u -r1.48 ip_output.c
--- ip_output.c 1998/04/28 15:26:00     1.48
+++ ip_output.c 1998/07/17 00:22:33
@@ -356,7 +356,10 @@
                                error = EHOSTUNREACH;
                                goto done;
                        }
-                       ip = mtod(m = m1, struct ip *);
+                       m = m1;
+                       if (m == NULL)
+                               goto done;
+                       ip = mtod(m, struct ip *);
                }
 #endif /* PFIL_HOOKS */
 sendit: