And now explain what it is about the existing ipfw verrevpath mechanism, and RPF checking more broadly, that does not suit you in this case?
Just as a reminder:
verrevpath
For incoming packets, a routing table lookup is done on the
packet's source address. If the interface on which the packet
entered the system matches the outgoing interface for the route,
the packet matches. If the interfaces do not match up, the
packet does not match. All outgoing packets or packets with no
incoming interface match.
The name and functionality of the option is intentionally similar
to the Cisco IOS command:
ip verify unicast reverse-path
This option can be used to make anti-spoofing rules to reject all
packets with source addresses not from this interface. See also
the option antispoof.
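To make the man page semantics above concrete, here is an added example (not part of the original post or of ipfw itself) that emulates the verrevpath decision in Python: a longest-prefix route lookup on the packet's source address, compared with the interface the packet arrived on. The routing table and interface names (em0..em3) are constructed for illustration.

```python
import ipaddress

# Constructed routing table for the example: prefix -> egress interface.
ROUTES = {
    "0.0.0.0/0": "em0",       # default route towards the upstream
    "192.168.1.0/24": "em1",  # LAN segment
    "10.0.0.0/8": "em2",      # internal aggregate
    "10.1.2.0/24": "em3",     # more specific route inside 10/8
}


def lookup_egress(src):
    """Longest-prefix match on src; returns the interface the route points out of."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def verrevpath(src, in_iface):
    """Emulate ipfw's verrevpath option for a single packet.

    in_iface is None for outgoing packets or packets with no incoming
    interface: per the man page these always match. Otherwise the packet
    matches only if the route back to src leaves via the ingress interface.
    """
    if in_iface is None:
        return True
    return lookup_egress(src) == in_iface


def classify(packets):
    """Apply the anti-spoofing check to (src, in_iface) pairs; 'drop' means spoofed source."""
    return [
        (src, iface, "pass" if verrevpath(src, iface) else "drop")
        for src, iface in packets
    ]
```

Because the reverse-path check relies on the forwarding table, asymmetric routing (replies arriving on an interface other than the one the route to the source points out of) makes it reject legitimate traffic, so it belongs on interfaces where routing is known to be symmetric.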