Index: sys/netgraph/ng_ipfw.c
===================================================================
--- sys/netgraph/ng_ipfw.c
+++ sys/netgraph/ng_ipfw.c
@@ -233,7 +233,11 @@
 	struct ipfw_rule_ref *r;
 	struct mbuf *m;
 	struct ip *ip;
+	struct epoch_tracker et;
+	int ret;
 
+	ret = 0;
+
 	NGI_GET_M(item, m);
 	NG_FREE_ITEM(item);
 
@@ -250,37 +254,33 @@
 	ip = mtod(m, struct ip *);
 
 	r = (struct ipfw_rule_ref *)(tag + 1);
-	if (r->info & IPFW_INFO_IN) {
-		switch (ip->ip_v) {
+	switch (ip->ip_v) {
 #ifdef INET
-		case IPVERSION:
+	case IPVERSION:
+		NET_EPOCH_ENTER(et);
+		if (r->info & IPFW_INFO_IN)
 			ip_input(m);
-			return (0);
+		else
+			ret = ip_output(m, NULL, NULL, IP_FORWARDING, NULL,
+			    NULL);
+		NET_EPOCH_EXIT(et);
+		return (ret);
 #endif
 #ifdef INET6
-		case IPV6_VERSION >> 4:
+	case IPV6_VERSION >> 4:
+		NET_EPOCH_ENTER(et);
+		if (r->info & IPFW_INFO_IN)
 			ip6_input(m);
-			return (0);
+		else
+			ret = ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL);
+		NET_EPOCH_EXIT(et);
+		return (ret);
 #endif
-		}
-	} else {
-		switch (ip->ip_v) {
-#ifdef INET
-		case IPVERSION:
-			return (ip_output(m, NULL, NULL, IP_FORWARDING,
-			    NULL, NULL));
-#endif
-#ifdef INET6
-		case IPV6_VERSION >> 4:
-			return (ip6_output(m, NULL, NULL, 0, NULL,
-			    NULL, NULL));
-#endif
-		}
+	default:
+		/* unknown IP protocol version */
+		NG_FREE_M(m);
+		return (EPROTONOSUPPORT);
 	}
-
-	/* unknown IP protocol version */
-	NG_FREE_M(m);
-	return (EPROTONOSUPPORT);
 }
 
 static int