Apply by doing
	cd /sys
	patch < sourceroute.patch

Index: netinet/ip_input.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_input.c,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -r1.28 -r1.29
--- ip_input.c	1998/02/01 21:46:02	1.28
+++ ip_input.c	1998/02/03 21:11:08	1.29
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_input.c,v 1.26 1997/08/09 23:36:29 millert Exp $	*/
+/*	$OpenBSD: ip_input.c,v 1.29 1998/02/03 21:11:08 deraadt Exp $	*/
 /*	$NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $	*/
 
 /*
@@ -744,6 +744,17 @@
 		 */
 		case IPOPT_LSRR:
 		case IPOPT_SSRR:
+			if (!ip_dosourceroute) {
+				char buf[4*sizeof "123"];
+
+				strcpy(buf, inet_ntoa(ip->ip_dst));
+				log(LOG_WARNING,
+				    "attempted source route from %s to %s\n",
+				    inet_ntoa(ip->ip_src), buf);
+				type = ICMP_UNREACH;
+				code = ICMP_UNREACH_SRCFAIL;
+				goto bad;
+			}
 			if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) {
 				code = &cp[IPOPT_OFFSET] - (u_char *)ip;
 				goto bad;
@@ -771,18 +782,6 @@
 				break;
 			}
 
-			if (!ip_dosourceroute) {
-				char buf[4*sizeof "123"];
-
-				strcpy(buf, inet_ntoa(ip->ip_dst));
-				log(LOG_WARNING,
-				    "attempted source route from %s to %s\n",
-				    inet_ntoa(ip->ip_src), buf);
-				type = ICMP_UNREACH;
-				code = ICMP_UNREACH_SRCFAIL;
-				goto bad;
-			}
-
 			/*
 			 * locate outgoing interface
 			 */
@@ -889,7 +888,7 @@
 			ipt->ipt_ptr += sizeof(n_time);
 		}
 	}
-	if (forward) {
+	if (forward && ipforwarding) {
 		ip_forward(m, 1);
 		return (1);
 	}