Subject: Re: ipnat & load-balancing outgoing traffic
To: None <dantams@sdf-eu.org>
From: Darren Reed <avalon@caligula.anu.edu.au>
List: tech-net
Date: 12/31/2003 04:31:14
Daniel,

While hacking ipfilter or something else to do what you want, in this
case, might fill your need, IMHO it's definitely not the right solution.

What really needs to happen is for the routing code to support multiple
routes to the same destination (as a starting point!) and be able to
select one based on some sort of path cost.

Another feature that the routing code should support is matching on the
source address or even more fields from headers for policy based routing.
This is not at all trivial given the current radix tree support for the
routing table.

Why should the routing table do it?

Because it's a specious argument, at best, to say that this sort of
feature somehow belongs amongst code implementing access control.
Whatever way I look at it, at least, it seems to clearly fit in the
routing group of things, not filtering of any kind (or NAT, for that
matter!)

Furthermore, you shouldn't need to be using firewall software to do
this, anyway.  Code was added to ipfilter to allow exceptions to
routing to be put in rules, and I'm kind of inclined to leave it
like that, not as a mechanism for implementing policy based routing.

Cheers,
Darren