>    This is a nice concept but has a big problem.  The ip_input() routine
>    (the function that decides to route or drop or accept as local any incoming
>    IP packet) has no sure knowledge of which interface that packet actually
>    came in on.  The link layer device (ethernet, slip, ppp, etc), throws the
>    incoming packet on the protocol input queue and schedules a software
>    interrupt.
> 
> I guess you missed this:
> 
> 	m->m_pkthdr.rcvif = &sc->sc_arpcom.ac_if;

Sorry, I was wrong on this.  That's what I get for routinely poking
around inside of 3 or 4 different OS kernels in a week.

So you could allow LSR/SSR with a GATEWAY option if you made sure
that the code checked that the ourgoing interface was the same as the
interface that the packet orignally came from.  

BTW...

As far as screend goes, it's functionality is nice, but performance 
(esp. latency) suffers because every packet requires a callout from the 
kernel to the screend.

I prefer the approach like the BSDI firewall kit where you install 
filter expressions into the kernel.  It isn't that much more complex
(with some supporting tools) and performs much better.
--
Mark