diff -urN --exclude=ide.c --exclude=stallion.c --exclude istallion.c --exclude Config.in --exclude Configure.help linuxorg/.manualconfig linux/.manualconfig --- linuxorg/.manualconfig Thu Jan 1 08:00:00 1970 +++ linux/.manualconfig Thu Sep 3 18:20:35 1998 @@ -0,0 +1,4 @@ + +CONFIG_IP_NO_ICMP_REDIRECT = y +CONFIG_IP_VERIFYSRC = y + diff -urN --exclude=ide.c --exclude=stallion.c --exclude istallion.c --exclude Config.in --exclude Configure.help linuxorg/Makefile linux/Makefile --- linuxorg/Makefile Sat Nov 8 02:51:05 1997 +++ linux/Makefile Sat Nov 22 13:14:00 1997 @@ -60,6 +60,11 @@ do-it-all: config endif +# manually configured options (not covered by config scripts) +ifeq (.manualconfig,$(wildcard .manualconfig)) +include .manualconfig +endif + # # ROOT_DEV specifies the default root-device when making the image. # This can be either FLOPPY, CURRENT, /dev/xxxx or empty, in which case diff -urN --exclude=ide.c --exclude=stallion.c --exclude istallion.c --exclude Config.in --exclude Configure.help linuxorg/drivers/net/ppp.c linux/drivers/net/ppp.c --- linuxorg/drivers/net/ppp.c Wed Aug 13 05:15:56 1997 +++ linux/drivers/net/ppp.c Thu Sep 3 18:37:59 1998 @@ -410,9 +412,9 @@ /* Needed to make SOCK_PACKET work correctly in * memory fussy kernels. */ - dev->flags = IFF_POINTOPOINT|IFF_SOFTHEADERS; + dev->flags = IFF_POINTOPOINT|IFF_SOFTHEADERS|IFF_VERIFYSRC; #else - dev->flags = IFF_POINTOPOINT; + dev->flags = IFF_POINTOPOINT|IFF_VERIFYSRC; #endif dev->family = AF_INET; dev->pa_addr = 0; #define USER_CS 0x23 #define USER_DS 0x2B diff -urN --exclude=ide.c --exclude=stallion.c --exclude istallion.c --exclude Config.in --exclude Configure.help linuxorg/include/linux/if.h linux/include/linux/if.h --- linuxorg/include/linux/if.h Thu Nov 13 12:46:28 1997 +++ linux/include/linux/if.h Thu Sep 3 18:15:37 1998 
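Review bot: `include .manualconfig` injects symbols that never pass through `make config`, so they never reach `include/linux/autoconf.h`; within this patch only the `net/ipv4/Makefile` hunk turns CONFIG_IP_VERIFYSRC into a `-D`, and no other directory can `#ifdef` on it (which is presumably why the ppp.c and dev.c hunks set IFF_VERIFYSRC unconditionally). `CONFIG_IP_NO_ICMP_REDIRECT` is likewise defined in `.manualconfig` but nothing visible in this diff consumes it, so a reader cannot tell whether it is wired up at all. That limitation deserves a comment next to the include, e.g. `# NOTE: .manualconfig symbols are NOT exported to autoconf.h; every subdir Makefile that needs one must add its own -D (see net/ipv4/Makefile).`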
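Review bot: IFF_VERIFYSRC is set on every PPP device at `dev->flags = IFF_POINTOPOINT|IFF_VERIFYSRC` regardless of whether the kernel was built with CONFIG_IP_VERIFYSRC, and because that symbol is only injected as a `-D` in net/ipv4/Makefile this file cannot even test it; on a kernel built without the option the flag is still reported through SIOCGIFFLAGS but has no effect, which invites a false sense of protection. Either route the option through the regular config system so this assignment can be `#ifdef CONFIG_IP_VERIFYSRC`-guarded, or document the gap right here: `/* IFF_VERIFYSRC is only honoured when net/ipv4/ip_input.c is built with CONFIG_IP_VERIFYSRC; it is a no-op otherwise */`. Only PPP is changed by this patch, so other point-to-point drivers (SLIP, for instance) remain unverified — worth stating in the commit description if that is intentional. The enclosing function begins and ends outside the hunk.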
@@ -46,6 +46,11 @@ * Never visible outside of kernel. */ +#define IFF_VERIFYSRC 0x8000 /* verify that src address on + * incoming packets can be reached + * via this device + */ + /* * The ifaddr structure contains information about one address * of an interface. They are maintained by the different address diff -urN --exclude=ide.c --exclude=stallion.c --exclude istallion.c --exclude Config.in --exclude Configure.help linuxorg/net/core/dev.c linux/net/core/dev.c --- linuxorg/net/core/dev.c Wed Aug 13 05:15:56 1997 +++ linux/net/core/dev.c Fri Sep 4 11:24:38 1998 @@ -1128,7 +1128,7 @@ IFF_BROADCAST | IFF_DEBUG | IFF_LOOPBACK | IFF_POINTOPOINT | IFF_NOTRAILERS | IFF_RUNNING | IFF_NOARP | IFF_PROMISC | IFF_ALLMULTI | IFF_SLAVE | IFF_MASTER - | IFF_MULTICAST)) | (dev->flags & (IFF_SOFTHEADERS|IFF_UP)); + | IFF_MULTICAST | IFF_VERIFYSRC)) | (dev->flags & (IFF_SOFTHEADERS|IFF_UP)); /* * Load in the correct multicast list now the flags have changed. */ diff -urN --exclude=ide.c --exclude=stallion.c --exclude istallion.c --exclude Config.in --exclude Configure.help linuxorg/net/ipv4/Makefile linux/net/ipv4/Makefile --- linuxorg/net/ipv4/Makefile Tue Apr 8 23:47:47 1997 +++ linux/net/ipv4/Makefile Thu Sep 3 18:19:32 1998 @@ -52,6 +52,14 @@ endif endif +ifeq ($(CONFIG_IP_VERIFYSRC),y) +CFLAGS += -DCONFIG_IP_VERIFYSRC +endif + ifdef CONFIG_INET O_OBJS := $(IPV4_OBJS) diff -urN --exclude=ide.c --exclude=stallion.c --exclude istallion.c --exclude Config.in --exclude Configure.help linuxorg/net/ipv4/ip_input.c linux/net/ipv4/ip_input.c --- linuxorg/net/ipv4/ip_input.c Thu Sep 18 03:00:47 1997 +++ linux/net/ipv4/ip_input.c Fri Sep 4 14:23:42 1998 
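Review bot: IFF_VERIFYSRC 0x8000 is placed under the `Never visible outside of kernel` comment, yet the dev.c hunk of this same patch adds it to the set of flags user space may write through SIOCSIFFLAGS, so either the placement or the dev.c change contradicts the stated intent. 0x8000 is also the highest bit of a 16-bit flags word; if `ifr_flags` / `dev->flags` are 16-bit in this tree (they appear to be `short`-sized in 2.0-era headers, but confirm), the bit reads back as the sign bit through a signed `short`, which can surprise user-space tools that compare or print flags. Suggest a comment on the define such as `/* 0x8000: top bit of the 16-bit flags word; settable via SIOCSIFFLAGS (see net/core/dev.c), so NOT kernel-private */`, or moving the define above the kernel-private section if user control is intended.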
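Review bot: Adding IFF_VERIFYSRC to the user-settable mask on the `| IFF_MULTICAST | IFF_VERIFYSRC)) |` line means any SIOCSIFFLAGS caller that builds its flags word from scratch (rather than get-modify-set) silently clears the check that ppp.c switched on, with no log message, and conversely root can turn it on for interface types the ip_input.c check was not written for. If the kernel (ppp.c) is meant to own this bit, leave the user mask as it was and keep the bit in the preserved set instead: `| IFF_MULTICAST)) | (dev->flags & (IFF_SOFTHEADERS|IFF_UP|IFF_VERIFYSRC));`. If user control is the intent, the `Never visible outside of kernel` comment in include/linux/if.h must be corrected and a log line on transitions of this bit would be appropriate. The enclosing function begins and ends outside the hunk.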
@@ -97,6 +97,13 @@ * Alan Cox : Multicast routing hooks * Jos Vos : Do accounting *before* call_in_firewall * Willy Konynenberg : Transparent proxying support + * Mike Nix : Verify inbound IP source addresses. + * 99% of spoofing attacks spoof the source address. + * we verify that the source IP of a packet is reachable + * is reachable via the interface it arrived on! * * * @@ -159,6 +166,9 @@ #ifdef CONFIG_NET_ALIAS #include #endif +#ifdef CONFIG_IP_VERIFYSRC +#include +#endif extern int last_retran; extern void sort_send(struct sock *sk); @@ -252,6 +262,17 @@ ip_statistics.IpInReceives++; /* * Account for the packet (even if the packet is * not accepted by the firewall!). */ @@ -324,7 +345,41 @@ } #endif } - + +#ifdef CONFIG_IP_VERIFYSRC + /* make sure the source ip of the packet is reachable via + the device the packet arrived on.... */ + + if (dev->flags & IFF_VERIFYSRC) { int good_src=0; + if (dev->flags & IFF_POINTOPOINT) + good_src= iph->saddr==dev->pa_dstaddr; + else good_src= iph->saddr==(dev->pa_addr & dev->pa_mask); + + if (!good_src) { + /* do a routing lookup to find the device for the src addr */ + struct device *rtdev=ip_rt_dev(iph->saddr); + + if (rtdev!=dev) { + /* we can't reply via the source device! probably a + spoof! send it back to it's owner if it arrived + on a point to point device..... */ + + if (dev->flags & IFF_POINTOPOINT) { + printk("Spoofed IP to %lx detected? Bounced back to %lx on %s\n", + iph->daddr, dev->pa_dstaddr, dev->name); + iph->daddr=dev->pa_dstaddr; + ip_send_check(iph); + } + else { kfree_skb(skb, FREE_WRITE); + printk("Spoofed IP to %lx detected? Can't bounce to non P-t-P interface %s\n", + iph->daddr, dev->name); + return 0; + } + } + } + } +#endif + #if defined(CONFIG_IP_TRANSPARENT_PROXY) && !defined(CONFIG_IP_ALWAYS_DEFRAG) #define CONFIG_IP_ALWAYS_DEFRAG 1 #endif
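Review bot: The added changelog entry contains a duplicated phrase, `is reachable is reachable via the interface it arrived on!`, and the `99% of spoofing attacks` figure is an unsupported claim in a source header. Suggest `* Mike Nix : Verify inbound IP source addresses: a packet's source must be reachable via the interface it arrived on (reverse-path check).`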
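Review bot: The point-to-point branch `if (dev->flags & IFF_POINTOPOINT) { ... iph->daddr=dev->pa_dstaddr; ip_send_check(iph); }` does not drop the suspect packet — it rewrites the destination to the link peer and lets the packet continue down the input path, so the host presumably forwards attacker-chosen packets back at the peer (with TCP/UDP checksums now invalid, since their pseudo-header covers daddr); both branches should drop, as the non-P-t-P branch already does. The broadcast-interface fast path `good_src= iph->saddr==(dev->pa_addr & dev->pa_mask)` compares the source against the network address itself instead of masking both sides, so every ordinary on-link host misses the fast path and falls through to `ip_rt_dev()`; it should read `(iph->saddr & dev->pa_mask) == (dev->pa_addr & dev->pa_mask)`. The per-packet `printk` is attacker-triggerable (kernel-log flood), prints the destination rather than the suspect source, and hands a 32-bit `iph->daddr` to `%lx`; log the source, cast it to `unsigned long`, and cap the number of messages. Sources of 0.0.0.0 (BOOTP) or broadcast match neither fast path and depend entirely on what `ip_rt_dev()` returns for them — worth confirming before enabling this by default. The enclosing function starts and ends outside the hunk.
```c
#ifdef CONFIG_IP_VERIFYSRC
	/* Reverse-path check: the source must be reachable through the
	 * device the packet arrived on.  Suspect packets are DROPPED on
	 * every interface type; never rewrite and re-inject them. */
	if (dev->flags & IFF_VERIFYSRC) {
		static int verifysrc_logged = 0;	/* cap: printk is attacker-triggerable */
		int good_src;

		if (dev->flags & IFF_POINTOPOINT)
			good_src = (iph->saddr == dev->pa_dstaddr);
		else
			good_src = ((iph->saddr & dev->pa_mask) == (dev->pa_addr & dev->pa_mask));

		if (!good_src && ip_rt_dev(iph->saddr) != dev) {
			if (verifysrc_logged < 16) {
				verifysrc_logged++;
				printk("ip_input: dropped packet from %lx on %s: source not reachable via this interface\n",
				       (unsigned long)ntohl(iph->saddr), dev->name);
			}
			kfree_skb(skb, FREE_WRITE);
			return 0;
		}
	}
#endif
/* … unchanged: CONFIG_IP_TRANSPARENT_PROXY / CONFIG_IP_ALWAYS_DEFRAG block … */
```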