1diff -Nru --exclude *~ --exclude *.rej linux-2.4.4-plain/include/linux/netfilter.h linux-2.4.4-dropped/include/linux/netfilter.h 2--- linux-2.4.4-plain/include/linux/netfilter.h Mon Apr 30 00:15:33 2001 3+++ linux-2.4.4-dropped/include/linux/netfilter.h Wed May 2 20:00:50 2001 4@@ -41,6 +41,13 @@ 5 const struct net_device *out, 6 int (*okfn)(struct sk_buff *)); 7 8+/* Simple drop the packet fn for NF_HOOK(). */ 9+extern inline int nf_drop_okfn(struct sk_buff *skb) 10+{ 11+ kfree_skb(skb); 12+ return 0; 13+} 14+ 15 struct nf_hook_ops 16 { 17 struct list_head list; 18diff -Nru --exclude *~ --exclude *.rej linux-2.4.4-plain/include/linux/netfilter_ipv4/ip_nat.h linux-2.4.4-dropped/include/linux/netfilter_ipv4/ip_nat.h 19--- linux-2.4.4-plain/include/linux/netfilter_ipv4/ip_nat.h Sun Apr 29 03:29:35 2001 20+++ linux-2.4.4-dropped/include/linux/netfilter_ipv4/ip_nat.h Wed May 2 20:00:50 2001 21@@ -111,10 +111,13 @@ 22 struct ip_nat_seq seq[IP_CT_DIR_MAX]; 23 }; 24 25-/* Set up the info structure to map into this range. */ 26+/* Set up the info structure to map into this range. Returns verdict. */ 27 extern unsigned int ip_nat_setup_info(struct ip_conntrack *conntrack, 28 const struct ip_nat_multi_range *mr, 29- unsigned int hooknum); 30+ unsigned int hooknum, 31+ const struct net_device *in, 32+ const struct net_device *out, 33+ struct sk_buff *skb); 34 35 /* Is this tuple already taken? (not by us)*/ 36 extern int ip_nat_used_tuple(const struct ip_conntrack_tuple *tuple, 37diff -Nru --exclude *~ --exclude *.rej linux-2.4.4-plain/include/linux/netfilter_ipv4.h linux-2.4.4-dropped/include/linux/netfilter_ipv4.h 38--- linux-2.4.4-plain/include/linux/netfilter_ipv4.h Mon Apr 30 00:15:33 2001 39+++ linux-2.4.4-dropped/include/linux/netfilter_ipv4.h Wed May 2 20:00:50 2001 40@@ -47,7 +47,9 @@ 41 #define NF_IP_LOCAL_OUT 3 42 /* Packets about to hit the wire. 
*/ 43 #define NF_IP_POST_ROUTING 4 44-#define NF_IP_NUMHOOKS 5 45+/* `Interesting' packets we're about to drop: nfmark holds nf_ip_dropreason */ 46+#define NF_IP_DROPPING 5 47+#define NF_IP_NUMHOOKS 6 48 49 enum nf_ip_hook_priorities { 50 NF_IP_PRI_FIRST = INT_MIN, 51@@ -57,6 +59,18 @@ 52 NF_IP_PRI_FILTER = 0, 53 NF_IP_PRI_NAT_SRC = 100, 54 NF_IP_PRI_LAST = INT_MAX, 55+}; 56+ 57+enum nf_ip_dropreason { 58+ NF_IP_DROP_NSA_WATCHING, /* `They' didn't like the packet */ 59+ NF_IP_DROP_INVALID_REDIRECT, /* Invalid redirect */ 60+ NF_IP_DROP_IGNORES_REDIRECT, /* Not heeding redirects */ 61+ NF_IP_DROP_MARTIAN_SOURCE, /* Unexpected source address */ 62+ NF_IP_DROP_MARTIAN_DESTINATION, /* Unexpected destination address */ 63+ NF_IP_DROP_NAT_UNTRACKED, /* NAT dropped untracked packet */ 64+ NF_IP_DROP_NAT_NO_UNIQUE_TUPLE, /* NAT couldn't map connection */ 65+ NF_IP_DROP_NAT_FTP_ERROR, /* NAT on malformed FTP packet */ 66+ NF_IP_DROP_MAX 67 }; 68 69 #ifdef CONFIG_NETFILTER_DEBUG 70diff -Nru --exclude *~ --exclude *.rej linux-2.4.4-plain/include/net/route.h linux-2.4.4-dropped/include/net/route.h 71--- linux-2.4.4-plain/include/net/route.h Mon Apr 30 00:13:03 2001 72+++ linux-2.4.4-dropped/include/net/route.h Wed May 2 20:00:50 2001 73@@ -97,7 +97,7 @@ 74 struct in_device; 75 extern void ip_rt_init(void); 76 extern void ip_rt_redirect(u32 old_gw, u32 dst, u32 new_gw, 77- u32 src, u8 tos, struct net_device *dev); 78+ u32 src, u8 tos, struct sk_buff *skb); 79 extern void ip_rt_advice(struct rtable **rp, int advice); 80 extern void rt_cache_flush(int how); 81 extern int ip_route_output_key(struct rtable **, const struct rt_key *key); 82diff -Nru --exclude *~ --exclude *.rej linux-2.4.4-plain/net/core/netfilter.c linux-2.4.4-dropped/net/core/netfilter.c 83--- linux-2.4.4-plain/net/core/netfilter.c Sun Apr 29 03:29:35 2001 84+++ linux-2.4.4-dropped/net/core/netfilter.c Wed May 2 20:00:50 2001 85@@ -559,6 +559,14 @@ 86 with it. 
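Review bot: Raising `NF_IP_NUMHOOKS` from 5 to 6 resizes every array dimensioned by it, and nothing in the patch calls that out. iptable_drop.c in this same patch initialises two `[NF_IP_DROPPING]`-indexed arrays inside `struct ipt_replace`, so the table-replace structure exchanged with userspace presumably grows too, and iptables binaries built against the old value would then disagree with the kernel on its layout. I would add a comment above the define, e.g. `/* NOTE: resizes the per-hook arrays in struct ipt_replace; userspace must be rebuilt */`. It is also worth confirming that the size checks on the get/set sockopt path reject an old-layout request rather than misreading it.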
*/ 87 void (*ip_ct_attach)(struct sk_buff *, struct nf_ct_info *); 88 89+/* Embodyment of drop the packet fn for NF_HOOK() (sometimes this 90+ address is taken) */ 91+int nf_drop_okfn(struct sk_buff *skb) 92+{ 93+ kfree_skb(skb); 94+ return 0; 95+} 96+ 97 void __init netfilter_init(void) 98 { 99 int i, h; 100diff -Nru --exclude *~ --exclude *.rej linux-2.4.4-plain/net/ipv4/icmp.c linux-2.4.4-dropped/net/ipv4/icmp.c 101--- linux-2.4.4-plain/net/ipv4/icmp.c Sun Apr 29 03:29:35 2001 102+++ linux-2.4.4-dropped/net/ipv4/icmp.c Wed May 2 20:00:50 2001 103@@ -705,7 +705,7 @@ 104 105 case ICMP_REDIR_HOST: 106 case ICMP_REDIR_HOSTTOS: 107- ip_rt_redirect(skb->nh.iph->saddr, ip, skb->h.icmph->un.gateway, iph->saddr, iph->tos, skb->dev); 108+ ip_rt_redirect(skb->nh.iph->saddr, ip, skb->h.icmph->un.gateway, iph->saddr, iph->tos, skb); 109 break; 110 default: 111 break; 112diff -Nru --exclude *~ --exclude *.rej linux-2.4.4-plain/net/ipv4/netfilter/ip_fw_compat_masq.c linux-2.4.4-dropped/net/ipv4/netfilter/ip_fw_compat_masq.c 113--- linux-2.4.4-plain/net/ipv4/netfilter/ip_fw_compat_masq.c Mon Sep 18 19:09:55 2000 114+++ linux-2.4.4-dropped/net/ipv4/netfilter/ip_fw_compat_masq.c Wed May 2 20:00:50 2001 115@@ -85,7 +85,8 @@ 116 newsrc, newsrc, 117 { htons(61000) }, { htons(65095) } } } }); 118 119- ret = ip_nat_setup_info(ct, &range, NF_IP_POST_ROUTING); 120+ ret = ip_nat_setup_info(ct, &range, NF_IP_POST_ROUTING, 121+ NULL, dev, *pskb); 122 if (ret != NF_ACCEPT) { 123 WRITE_UNLOCK(&ip_nat_lock); 124 return ret; 125diff -Nru --exclude *~ --exclude *.rej linux-2.4.4-plain/net/ipv4/netfilter/ip_nat_core.c linux-2.4.4-dropped/net/ipv4/netfilter/ip_nat_core.c 126--- linux-2.4.4-plain/net/ipv4/netfilter/ip_nat_core.c Sun Apr 29 03:29:36 2001 127+++ linux-2.4.4-dropped/net/ipv4/netfilter/ip_nat_core.c Wed May 2 20:00:50 2001 128@@ -500,7 +500,10 @@ 129 unsigned int 130 ip_nat_setup_info(struct ip_conntrack *conntrack, 131 const struct ip_nat_multi_range *mr, 132- unsigned int hooknum) 
133+ unsigned int hooknum, 134+ const struct net_device *in, 135+ const struct net_device *out, 136+ struct sk_buff *skb) 137 { 138 struct ip_conntrack_tuple new_tuple, inv_tuple, reply; 139 struct ip_conntrack_tuple orig_tp; 140@@ -551,7 +554,12 @@ 141 hooknum)) { 142 DEBUGP("ip_nat_setup_info: Can't get unique for %p.\n", 143 conntrack); 144- return NF_DROP; 145+ skb->nfmark = NF_IP_DROP_NAT_NO_UNIQUE_TUPLE; 146+ NF_HOOK(PF_INET, NF_IP_DROPPING, skb, 147+ (struct net_device *)in, 148+ (struct net_device *)out, 149+ nf_drop_okfn); 150+ return NF_STOLEN; 151 } 152 153 #if 0 154diff -Nru --exclude *~ --exclude *.rej linux-2.4.4-plain/net/ipv4/netfilter/ip_nat_ftp.c linux-2.4.4-dropped/net/ipv4/netfilter/ip_nat_ftp.c 155--- linux-2.4.4-plain/net/ipv4/netfilter/ip_nat_ftp.c Sun Apr 29 03:29:36 2001 156+++ linux-2.4.4-dropped/net/ipv4/netfilter/ip_nat_ftp.c Wed May 2 20:00:50 2001 157@@ -94,8 +94,8 @@ 158 = ((union ip_conntrack_manip_proto) 159 { htons(ftpinfo->port) }); 160 } 161- *verdict = ip_nat_setup_info(ct, &mr, hooknum); 162- 163+ *verdict = ip_nat_setup_info(ct, &mr, hooknum, (*pskb)->dev, NULL, 164+ *pskb); 165 return 1; 166 } 167 168diff -Nru --exclude *~ --exclude *.rej linux-2.4.4-plain/net/ipv4/netfilter/ip_nat_rule.c linux-2.4.4-dropped/net/ipv4/netfilter/ip_nat_rule.c 169--- linux-2.4.4-plain/net/ipv4/netfilter/ip_nat_rule.c Sun Apr 29 03:29:36 2001 170+++ linux-2.4.4-dropped/net/ipv4/netfilter/ip_nat_rule.c Wed May 2 20:00:50 2001 171@@ -127,7 +127,7 @@ 172 IP_NF_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED)); 173 IP_NF_ASSERT(out); 174 175- return ip_nat_setup_info(ct, targinfo, hooknum); 176+ return ip_nat_setup_info(ct, targinfo, hooknum, in, out, *pskb); 177 } 178 179 static unsigned int ipt_dnat_target(struct sk_buff **pskb, 180@@ -148,7 +148,7 @@ 181 /* Connection must be valid and new. 
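Review bot: The failure path in `ip_nat_setup_info` now hands the skb to `nf_drop_okfn`, which frees it, and returns `NF_STOLEN`, so the function has gone from borrowing the packet to conditionally consuming it, and nothing on the new side documents that. Every caller changed in this patch passes `*pskb`; most forward the verdict unchanged, while ip_nat_ftp.c stores it in `*verdict` and returns 1. Any path that reads `*pskb` after a non-`NF_ACCEPT` return would touch freed memory, which cannot be ruled out here because the caller bodies continue outside the hunks. The ip_fw_compat_masq.c hunk also shows `WRITE_UNLOCK(&ip_nat_lock)` only after the call returns, so the whole `NF_IP_DROPPING` chain appears to run with that write lock held. I would extend the prototype comment in ip_nat.h to `/* ... Returns verdict. On NF_STOLEN the skb has been freed and must not be touched. */`.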
*/ 182 IP_NF_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED)); 183 184- return ip_nat_setup_info(ct, targinfo, hooknum); 185+ return ip_nat_setup_info(ct, targinfo, hooknum, in, out, *pskb); 186 } 187 188 static int ipt_snat_checkentry(const char *tablename, 189@@ -224,7 +224,10 @@ 190 static inline unsigned int 191 alloc_null_binding(struct ip_conntrack *conntrack, 192 struct ip_nat_info *info, 193- unsigned int hooknum) 194+ unsigned int hooknum, 195+ const struct net_device *in, 196+ const struct net_device *out, 197+ struct sk_buff *skb) 198 { 199 /* Force range to this IP; let proto decide mapping for 200 per-proto parts (hence not IP_NAT_RANGE_PROTO_SPECIFIED). 201@@ -239,7 +242,7 @@ 202 203 DEBUGP("Allocating NULL binding for %p (%u.%u.%u.%u)\n", conntrack, 204 NIPQUAD(ip)); 205- return ip_nat_setup_info(conntrack, &mr, hooknum); 206+ return ip_nat_setup_info(conntrack, &mr, hooknum, in, out, skb); 207 } 208 209 static inline int call_expect(const struct ip_nat_expect *i, 210@@ -278,9 +281,11 @@ 211 } 212 ret = ipt_do_table(pskb, hooknum, in, out, &nat_table, NULL); 213 if (ret == NF_ACCEPT) { 214- if (!(info->initialized & (1 << HOOK2MANIP(hooknum)))) 215+ if (!(info->initialized & (1 << HOOK2MANIP(hooknum)))) { 216 /* NUL mapping */ 217- ret = alloc_null_binding(ct, info, hooknum); 218+ ret = alloc_null_binding(ct, info, hooknum, in, out, 219+ *pskb); 220+ } 221 } 222 return ret; 223 } 224diff -Nru --exclude *~ --exclude *.rej linux-2.4.4-plain/net/ipv4/netfilter/ipt_LOG.c linux-2.4.4-dropped/net/ipv4/netfilter/ipt_LOG.c 225--- linux-2.4.4-plain/net/ipv4/netfilter/ipt_LOG.c Mon Jan 1 15:54:07 2001 226+++ linux-2.4.4-dropped/net/ipv4/netfilter/ipt_LOG.c Wed May 2 20:00:50 2001 227@@ -281,8 +281,10 @@ 228 level_string[1] = '0' + (loginfo->level % 8); 229 spin_lock_bh(&log_lock); 230 printk(level_string); 231- printk("%sIN=%s OUT=%s ", 232- loginfo->prefix, 233+ printk("%s", loginfo->prefix); 234+ if (userinfo && hooknum == NF_IP_DROPPING) 235+ 
printk("(%s) ", (const char *)userinfo); 236+ printk("IN=%s OUT=%s ", 237 in ? in->name : "", 238 out ? out->name : ""); 239 if (in && !out) { 240diff -Nru --exclude *~ --exclude *.rej linux-2.4.4-plain/net/ipv4/netfilter/ipt_MASQUERADE.c linux-2.4.4-dropped/net/ipv4/netfilter/ipt_MASQUERADE.c 241--- linux-2.4.4-plain/net/ipv4/netfilter/ipt_MASQUERADE.c Sun Apr 29 03:29:36 2001 242+++ linux-2.4.4-dropped/net/ipv4/netfilter/ipt_MASQUERADE.c Wed May 2 20:00:50 2001 243@@ -112,7 +112,7 @@ 244 mr->range[0].min, mr->range[0].max } } }); 245 246 /* Hand modified range to generic setup. */ 247- return ip_nat_setup_info(ct, &newrange, hooknum); 248+ return ip_nat_setup_info(ct, &newrange, hooknum, in, out, *pskb); 249 } 250 251 static inline int 252diff -Nru --exclude *~ --exclude *.rej linux-2.4.4-plain/net/ipv4/netfilter/ipt_REDIRECT.c linux-2.4.4-dropped/net/ipv4/netfilter/ipt_REDIRECT.c 253--- linux-2.4.4-plain/net/ipv4/netfilter/ipt_REDIRECT.c Tue Jun 20 18:32:27 2000 254+++ linux-2.4.4-dropped/net/ipv4/netfilter/ipt_REDIRECT.c Wed May 2 20:00:50 2001 255@@ -86,7 +86,7 @@ 256 mr->range[0].min, mr->range[0].max } } }); 257 258 /* Hand modified range to generic setup. */ 259- return ip_nat_setup_info(ct, &newrange, hooknum); 260+ return ip_nat_setup_info(ct, &newrange, hooknum, in, out, *pskb); 261 } 262 263 static struct ipt_target redirect_reg 264diff -Nru --exclude *~ --exclude *.rej linux-2.4.4-plain/net/ipv4/netfilter/iptable_drop.c linux-2.4.4-dropped/net/ipv4/netfilter/iptable_drop.c 265--- linux-2.4.4-plain/net/ipv4/netfilter/iptable_drop.c Wed Dec 31 21:00:00 1969 266+++ linux-2.4.4-dropped/net/ipv4/netfilter/iptable_drop.c Wed May 2 20:00:50 2001 267@@ -0,0 +1,123 @@ 268+/* 269+ * Table for dropped packets. 270+ * 271+ * Copyright (C) 2000 Paul `Rusty' Russell 272+ */ 273+#include <linux/module.h> 274+#include <linux/netfilter_ipv4/ip_tables.h> 275+ 276+#define DROPPED_VALID_HOOKS (1 << NF_IP_DROPPING) 277+ 278+/* Standard entry. 
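Review bot: The `(const char *)userinfo` cast treats an opaque `void *` as a NUL-terminated string on the sole evidence that `hooknum == NF_IP_DROPPING`. That holds for the `ipt_hook` added in iptable_drop.c, which passes a `dropnames[]` entry or NULL. Any other table that later registers on this hook and passes a different `userinfo` would have that pointer read and printed as text. I would document the contract at the test, e.g. `/* userinfo is a drop-reason string only when called via iptable_drop's ipt_hook */`. The enclosing function starts and ends outside the hunk.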
*/ 279+struct ipt_standard 280+{ 281+ struct ipt_entry entry; 282+ struct ipt_standard_target target; 283+}; 284+ 285+struct ipt_error_target 286+{ 287+ struct ipt_entry_target target; 288+ char errorname[IPT_FUNCTION_MAXNAMELEN]; 289+}; 290+ 291+struct ipt_error 292+{ 293+ struct ipt_entry entry; 294+ struct ipt_error_target target; 295+}; 296+ 297+static struct 298+{ 299+ struct ipt_replace repl; 300+ struct ipt_standard entries[1]; 301+ struct ipt_error term; 302+} initial_table __initdata 303+= { { "drop", DROPPED_VALID_HOOKS, 2, 304+ sizeof(struct ipt_standard) + sizeof(struct ipt_error), 305+ { [NF_IP_DROPPING] 0 }, 306+ { [NF_IP_DROPPING] 0 }, 307+ 0, NULL, { } }, 308+ { 309+ /* DROPPING */ 310+ { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 }, 311+ 0, 312+ sizeof(struct ipt_entry), 313+ sizeof(struct ipt_standard), 314+ 0, { 0, 0 }, { } }, 315+ { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } }, 316+ -NF_ACCEPT - 1 } } 317+ }, 318+ /* ERROR */ 319+ { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 }, 320+ 0, 321+ sizeof(struct ipt_entry), 322+ sizeof(struct ipt_error), 323+ 0, { 0, 0 }, { } }, 324+ { { { { IPT_ALIGN(sizeof(struct ipt_error_target)), IPT_ERROR_TARGET } }, 325+ { } }, 326+ "ERROR" 327+ } 328+ } 329+}; 330+ 331+static struct ipt_table packet_dropped 332+= { { NULL, NULL }, "drop", &initial_table.repl, 333+ DROPPED_VALID_HOOKS, RW_LOCK_UNLOCKED, NULL }; 334+ 335+static const char *dropnames[NF_IP_DROP_MAX] 336+= { [NF_IP_DROP_IGNORES_REDIRECT] = "Invalid redirect", 337+ [NF_IP_DROP_MARTIAN_SOURCE] = "Unexpected source address", 338+ [NF_IP_DROP_MARTIAN_DESTINATION] = "Unexpected destination address", 339+ [NF_IP_DROP_NAT_UNTRACKED] = "NAT dropped untracked packet", 340+ [NF_IP_DROP_NAT_NO_UNIQUE_TUPLE] = "NAT couldn't map connection", 341+ [NF_IP_DROP_NAT_FTP_ERROR] = "NAT failed on malformed FTP packet", 342+}; 343+ 344+/* The work comes in here from netfilter.c. 
*/ 345+static unsigned int 346+ipt_hook(unsigned int hook, 347+ struct sk_buff **pskb, 348+ const struct net_device *in, 349+ const struct net_device *out, 350+ int (*okfn)(struct sk_buff *)) 351+{ 352+ const char *reason = NULL; 353+ 354+ if ((*pskb)->nfmark < NF_IP_DROP_MAX) 355+ reason = dropnames[(*pskb)->nfmark]; 356+ 357+ return ipt_do_table(pskb, hook, in, out, &packet_dropped, (void *)reason); 358+} 359+ 360+static struct nf_hook_ops ipt_ops 361+= { { NULL, NULL }, ipt_hook, PF_INET, NF_IP_DROPPING, NF_IP_PRI_FILTER }; 362+ 363+static int __init init(void) 364+{ 365+ int ret; 366+ 367+ /* Register table */ 368+ ret = ipt_register_table(&packet_dropped); 369+ if (ret < 0) { 370+ printk("iptable_drop: ipt_register_table failed!\n"); 371+ return ret; 372+ } 373+ 374+ /* Register hooks */ 375+ ret = nf_register_hook(&ipt_ops); 376+ if (ret < 0) { 377+ printk("iptable_drop: nf_register_hook failed!\n"); 378+ ipt_unregister_table(&packet_dropped); 379+ } 380+ return ret; 381+} 382+ 383+static void __exit fini(void) 384+{ 385+ nf_unregister_hook(&ipt_ops); 386+ ipt_unregister_table(&packet_dropped); 387+} 388+ 389+module_init(init); 390+module_exit(fini); 391diff -Nru --exclude *~ --exclude *.rej linux-2.4.4-plain/net/ipv4/route.c linux-2.4.4-dropped/net/ipv4/route.c 392--- linux-2.4.4-plain/net/ipv4/route.c Sun Apr 29 03:29:36 2001 393+++ linux-2.4.4-dropped/net/ipv4/route.c Wed May 2 20:00:50 2001 394@@ -711,9 +711,10 @@ 395 } 396 397 void ip_rt_redirect(u32 old_gw, u32 daddr, u32 new_gw, 398- u32 saddr, u8 tos, struct net_device *dev) 399+ u32 saddr, u8 tos, struct sk_buff *skb) 400 { 401 int i, k; 402+ struct net_device *dev = skb->dev; 403 struct in_device *in_dev = in_dev_get(dev); 404 struct rtable *rth, **rthp; 405 u32 skeys[2] = { saddr, 0 }; 406@@ -828,6 +829,17 @@ 407 NIPQUAD(old_gw), dev->name, NIPQUAD(new_gw), 408 NIPQUAD(saddr), NIPQUAD(daddr), tos); 409 #endif 410+#ifdef CONFIG_NETFILTER 411+ if (IN_DEV_LOG_MARTIANS(in_dev)) { 412+ /* Send clone 
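Review bot: `dropnames[]` maps `NF_IP_DROP_IGNORES_REDIRECT` to "Invalid redirect" and has no entry for `NF_IP_DROP_INVALID_REDIRECT`, which disagrees with the enum comments in netfilter_ipv4.h. As written, the clones marked in `ip_rt_redirect` reach the log with a NULL reason, and ignored-redirect events are logged under the wrong label, which misleads anyone triaging these logs. The two entries should read `[NF_IP_DROP_INVALID_REDIRECT] = "Invalid redirect",` and `[NF_IP_DROP_IGNORES_REDIRECT] = "Not heeding redirects",`. `NF_IP_DROP_NSA_WATCHING` (value 0, presumably also what an unmarked skb carries) has no name either; if that is deliberate, a one-line comment saying so would help.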
through logging */ 413+ struct sk_buff *nskb = skb_clone(skb, GFP_ATOMIC); 414+ if (nskb) { 415+ nskb->nfmark = NF_IP_DROP_INVALID_REDIRECT; 416+ NF_HOOK(PF_INET, NF_IP_DROPPING, nskb, dev, NULL, 417+ nf_drop_okfn); 418+ } 419+ } 420+#endif 421 in_dev_put(in_dev); 422 } 423 424@@ -909,6 +921,18 @@ 425 NIPQUAD(rt->rt_src), rt->rt_iif, 426 NIPQUAD(rt->rt_dst), NIPQUAD(rt->rt_gateway)); 427 #endif 428+#ifdef CONFIG_NETFILTER 429+ /* We're not dropping, but user will be interested --RR */ 430+ if (IN_DEV_LOG_MARTIANS(in_dev) && 431+ rt->u.dst.rate_tokens == ip_rt_redirect_number) { 432+ struct sk_buff *nskb = skb_clone(skb, GFP_ATOMIC); 433+ if (nskb) { 434+ nskb->nfmark = NF_IP_DROP_IGNORES_REDIRECT; 435+ NF_HOOK(PF_INET, NF_IP_DROPPING, nskb, NULL, 436+ rt->u.dst.dev, nf_drop_okfn); 437+ } 438+ } 439+#endif 440 } 441 out: 442 in_dev_put(in_dev); 443@@ -1511,6 +1535,16 @@ 444 printk(KERN_WARNING "martian destination %u.%u.%u.%u from %u.%u.%u.%u, dev %s\n", 445 NIPQUAD(daddr), NIPQUAD(saddr), dev->name); 446 #endif 447+#ifdef CONFIG_NETFILTER 448+ { 449+ struct sk_buff *nskb = skb_clone(skb, GFP_ATOMIC); 450+ if (nskb) { 451+ nskb->nfmark = NF_IP_DROP_MARTIAN_SOURCE; 452+ NF_HOOK(PF_INET, NF_IP_DROPPING, nskb, dev, NULL, 453+ nf_drop_okfn); 454+ } 455+ } 456+#endif 457 e_inval: 458 err = -EINVAL; 459 goto done; 460@@ -1538,6 +1572,16 @@ 461 printk(":"); 462 } 463 printk("\n"); 464+ } 465+ } 466+#endif 467+#ifdef CONFIG_NETFILTER 468+ if (IN_DEV_LOG_MARTIANS(in_dev)) { 469+ struct sk_buff *nskb = skb_clone(skb, GFP_ATOMIC); 470+ if (nskb) { 471+ nskb->nfmark = NF_IP_DROP_MARTIAN_SOURCE; 472+ NF_HOOK(PF_INET, NF_IP_DROPPING, nskb, dev, NULL, 473+ nf_drop_okfn); 474 } 475 } 476 #endif 477diff -Nru --exclude *~ --exclude *.rej linux-2.4.4-plain/net/netsyms.c linux-2.4.4-dropped/net/netsyms.c 478--- linux-2.4.4-plain/net/netsyms.c Sun Apr 29 03:29:36 2001 479+++ linux-2.4.4-dropped/net/netsyms.c Wed May 2 20:03:44 2001 480@@ -561,6 +561,7 @@ 481 
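Review bot: The block added after the "martian destination" printk (hunk `@@ -1511,6 +1535,16 @@`) sets `nskb->nfmark = NF_IP_DROP_MARTIAN_SOURCE`, so martian-destination packets will be reported as martian sources; it should be `NF_IP_DROP_MARTIAN_DESTINATION`. It is also the only new route.c block that opens with a bare `{` rather than a test of `IN_DEV_LOG_MARTIANS(in_dev)`. As a result every such packet is cloned with `GFP_ATOMIC` and run through the hook even when martian logging is off, which lets remote traffic drive allocation and log volume. I would open the block with `if (IN_DEV_LOG_MARTIANS(in_dev)) {` as the following hunk does, assuming `in_dev` is in scope at this point. The enclosing function lies outside the hunk.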
EXPORT_SYMBOL(nf_setsockopt); 482 EXPORT_SYMBOL(nf_getsockopt); 483 EXPORT_SYMBOL(ip_ct_attach); 484+EXPORT_SYMBOL(nf_drop_okfn); 485 #endif 486 487 EXPORT_SYMBOL(register_gifconf); 488