Subject: About kern/5508
To: None <tech-net@NetBSD.ORG>
From: R. C. Dowdeswell <elric@arioch.imrryr.org>
List: tech-net
Date: 07/16/1998 16:41:40

Well, I submitted a bit of a PR a few weeks ago about the way that PFIL_HOOKS
in ip_output.c respond to having the packet taken away from them. Basically,
to sum up, the code looks like:

	rv = pfh->pfil_func(ip, hlen, ifp, 1, &m1);
	if (rv) {
		error = EHOSTUNREACH;
		goto done;
	}
	ip = mtod(m = m1, struct ip *);

but there are circumstances when the IPFilter code changes m1 to NULL and
returns successfully. This causes the kernel to panic. IPFilter does this
anytime it encounters a rule which reroutes an outbound packet -- like:

	pass out on de0 to de1 all

But anyway, the question that I have is that I ran into a problem recently
that this was the easiest way to solve. That is, I wanted my computer to have
an alias that was on a separate subnet that went out of a different ISP
(we are changing to DSL, but have a frame that still works). Unfortunately
the alias was going out the default interface and that ISP killed the packets
as being spoofed. I couldn't see any way to route based on source, so I
used ipf:

	pass out on fxp0 to fxp0:<frame router> from <old address> to any

Anyway, is there a better solution for this problem?

.. Roland
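
The failure described in the message above, as an added example that is not part of the original post and not NetBSD's code: a userland C model of the hook call in which the caller checks whether the hook cleared m1 before dereferencing it. The struct definitions, the three hook functions and output_checked are hypothetical stand-ins, and the NULL check is one way to handle a consumed packet, not necessarily the change made for kern/5508.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Userland stand-ins for the kernel types (hypothetical, not NetBSD's). */
struct ip   { unsigned char ip_ttl; };
struct mbuf { struct ip hdr; };
#define mtod(m, t) ((t)&(m)->hdr)

typedef int (*pfil_func_t)(struct ip *, int, void *, int, struct mbuf **);

/* Hypothetical hooks modelling the three outcomes a filter can produce. */
static int hook_pass(struct ip *ip, int hl, void *ifp, int out, struct mbuf **mp)
{ (void)ip; (void)hl; (void)ifp; (void)out; (void)mp; return 0; }
static int hook_block(struct ip *ip, int hl, void *ifp, int out, struct mbuf **mp)
{ (void)ip; (void)hl; (void)ifp; (void)out; (void)mp; return 1; }
/* Rerouted packet: the hook sent it itself, so it clears *mp and reports success. */
static int hook_reroute(struct ip *ip, int hl, void *ifp, int out, struct mbuf **mp)
{ (void)ip; (void)hl; (void)ifp; (void)out; *mp = NULL; return 0; }

/* Model of the call site. *sent_ttl is the TTL read from the packet this
 * path goes on to send, or -1 if it sends nothing. */
static int output_checked(pfil_func_t hook, struct mbuf *m, int *sent_ttl)
{
    struct mbuf *m1 = m;
    struct ip *ip = mtod(m, struct ip *);
    int error = 0, rv;

    *sent_ttl = -1;
    rv = hook(ip, (int)sizeof(*ip), NULL, 1, &m1);
    if (rv) {
        error = EHOSTUNREACH;
        goto done;
    }
    if (m1 == NULL)     /* hook took the packet: not an error, nothing to send */
        goto done;      /* without this check the lines below dereference NULL */
    ip = mtod(m = m1, struct ip *);
    *sent_ttl = ip->ip_ttl;     /* stand-in for the later uses of ip */
done:
    return error;
}

int main(void)
{
    struct mbuf pkt = { { 64 } };   /* constructed sample packet */
    int ttl, err = output_checked(hook_reroute, &pkt, &ttl);
    printf("reroute: error=%d sent_ttl=%d\n", err, ttl);
    return 0;
}
```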