Nitpick: if we're revisiting this fancy condition, would it be possible to consider replace its occurrence with something like

if (RTE_IS_INVALID(ro->ro_rt) || dst->sin_family != AF_INET ...)

?

Do we have RTE_IS_INVALID? But we always first need to check that ro->ro_rt isn't NULL anyway.

Would it be possible to move it to a spare field?

Seem to always fallback to the in_ifaddr_broadcast() check.

Originally RTF_BROADCAST flag was added 22 years ago in r15652 to avoid calling in_ifaddr_broadcast(). We had route cloning back then, so it was a fair assumption - if the lookup result was a host route (and it almost always was), then we could trust its broadcast flag, as it was set in the in_addroute() after verificaton.

Currently we don't have route cloning and the only way of having RTF_BROADCAST set on the route is to explicitly add host route to the broadcast address:

route add -host 10.0.0.255 -iface vtnet0

assuming 10.0.0.0/24 belongs to vtnet0

Given that, the check here and in line 400 (if (ro->ro_rt->rt_flags & RTF_HOST)) will aways failback to in_ifaddr_broadcast().

Maybe it's worth just eliminating this condition and always check for in_ifaddr_broadcast().

No, we don't. I was suggesting adding it as we have these checks repeated at least twice in the ip_output()

But as long as we allow adding such routes manually, we should support them, shouldn't we?