diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index be63e54ced99..dc8214e50f0a 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)ip_input.c	8.2 (Berkeley) 1/4/94
- *	$Id: ip_input.c,v 1.114 1999/02/09 16:55:46 wollman Exp $
+ *	$Id: ip_input.c,v 1.115 1999/02/22 18:19:57 des Exp $
  */
 
 #define	_IP_VHL
@@ -437,8 +437,12 @@ iphack:
 	}
 pass:
 
-        if (ip_nat_ptr && !(*ip_nat_ptr)(&ip, &m, m->m_pkthdr.rcvif, IP_NAT_IN))
+        if (ip_nat_ptr && !(*ip_nat_ptr)(&ip, &m, m->m_pkthdr.rcvif, IP_NAT_IN)) {
+#ifdef IPFIREWALL_FORWARD
+		ip_fw_fwd_addr = NULL;
+#endif
 		return;
+	}
 #endif	/* !COMPAT_IPFW */
 
 	/*
@@ -448,8 +452,12 @@ pass:
 	 * to be sent and the original packet to be freed).
 	 */
 	ip_nhops = 0;		/* for source routed packets */
-	if (hlen > sizeof (struct ip) && ip_dooptions(m))
+	if (hlen > sizeof (struct ip) && ip_dooptions(m)) {
+#ifdef IPFIREWALL_FORWARD
+		ip_fw_fwd_addr = NULL;
+#endif
 		return;
+	}
 
         /* greedy RSVP, snatches any PATH packet of the RSVP protocol and no
          * matter if it is destined to another node, or whether it is 
@@ -474,8 +482,6 @@ pass:
 					ia = TAILQ_NEXT(ia, ia_link)) {
 #define	satosin(sa)	((struct sockaddr_in *)(sa))
 
-		if (IA_SIN(ia)->sin_addr.s_addr == ip->ip_dst.s_addr)
-			goto ours;
 #ifdef BOOTP_COMPAT
 		if (IA_SIN(ia)->sin_addr.s_addr == INADDR_ANY)
 			goto ours;
@@ -485,10 +491,15 @@ pass:
 		 * If the addr to forward to is one of ours, we pretend to
 		 * be the destination for this packet.
 		 */
-		if (ip_fw_fwd_addr != NULL &&
-			IA_SIN(ia)->sin_addr.s_addr ==
+		if (ip_fw_fwd_addr == NULL) {
+			if (IA_SIN(ia)->sin_addr.s_addr == ip->ip_dst.s_addr)
+				goto ours;
+		} else if (IA_SIN(ia)->sin_addr.s_addr ==
 					 ip_fw_fwd_addr->sin_addr.s_addr)
 			goto ours;
+#else
+		if (IA_SIN(ia)->sin_addr.s_addr == ip->ip_dst.s_addr)
+			goto ours;
 #endif
 		if (ia->ia_ifp && ia->ia_ifp->if_flags & IFF_BROADCAST) {
 			if (satosin(&ia->ia_broadaddr)->sin_addr.s_addr ==
@@ -555,6 +566,9 @@ pass:
 		m_freem(m);
 	} else
 		ip_forward(m, 0);
+#ifdef IPFIREWALL_FORWARD
+	ip_fw_fwd_addr = NULL;
+#endif
 	return;
 
 ours:
@@ -573,6 +587,9 @@ ours:
 #ifdef IPDIVERT
 				frag_divert_port = 0;
 				ip_divert_cookie = 0;
+#endif
+#ifdef IPFIREWALL_FORWARD
+				ip_fw_fwd_addr = NULL;
 #endif
 				return;
 			}