*** tcp_input.c.virgin Thu Sep 26 22:10:57 1996 --- tcp_input.c Thu Sep 26 22:12:09 1996 *************** *** 38,43 **** --- 38,45 ---- #include + #include "syslog.h" + int tcpprintfs = 0; int tcprexmtthresh = 3; struct tcpiphdr tcp_saveti; *************** *** 174,179 **** --- 176,186 ---- struct inpcb *tcp_last_inp; + #ifdef BPF_KERN_FILTER + struct bpf_insn *bpf_tcp_filter; + u_long bpf_tcp_drops; + #endif + /* * TCP input routine, follows pages 65-76 of the * protocol specification dated September, 1981 very closely. *************** *** 324,329 **** --- 331,354 ---- so = sonewconn(so); if (so == 0) goto drop; + #ifdef BPF_KERN_FILTER + /* + * If we have a tcp filter and this connection is + * listening for a new connection, run the filter and + * pretend we're not listening if it matches. + */ + if (bpf_tcp_filter != NULL && tp->t_state == TCPS_LISTEN) { + len = m->m_len + sizeof(struct tcpiphdr); + if (bpf_filter(bpf_tcp_filter, + (u_char *)ti, len, len) != 0) { + ++bpf_tcp_drops; + log(LOG_DEBUG | LOG_AUTH, + "tcp_input: %s bpf rejected to tcp port %d", + inet_ntoa(ti->ti_src), ti->ti_dport); + goto dropwithreset; + } + } + #endif (void) sbreserve(&so->so_rcv, save_rcv); (void) sbreserve(&so->so_snd, save_snd);
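Review bot: In the second hunk (new lines 176-186), `bpf_tcp_filter` and `bpf_tcp_drops` are added as plain globals with no comment saying who installs the program or what protects the pointer. The third hunk has tcp_input hand that pointer straight to `bpf_filter()`, so the code that stores it (not visible in this patch) needs to have accepted the program through `bpf_validate()` first, and needs to swap the pointer with network interrupts blocked so the input path never sees a half-installed or freed program. I would document that contract at the declaration, e.g. `/* BPF program run on segments reaching a listening socket; NULL disables it. Must pass bpf_validate() before being stored; change only at splnet. */`. A one-line comment on `bpf_tcp_drops` saying it counts segments rejected by the filter would also help, since nothing in the patch reads it.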
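Review bot: In the third hunk (new lines 331-354), the filter runs after `so = sonewconn(so);` has already allocated the new socket, so every rejected segment costs an allocation. Unless `dropwithreset` releases that socket (the label and the rest of tcp_input are outside this hunk), a stream of filtered segments can consume sockets on the listener. Moving the whole `#ifdef BPF_KERN_FILTER` block above the `sonewconn()` call avoids this, and the `tp->t_state == TCPS_LISTEN` test appears to read the listening socket's control block either way. The `log()` call fires once per rejected packet with no throttle, which lets a remote sender flood syslog; `bpf_tcp_drops` already counts these, so consider logging only every Nth drop. The message also lacks a trailing newline and prints `ti->ti_dport` with `%d`, which is byte-swapped on little-endian machines if the port is still in network order here, so I would write `"tcp_input: %s bpf rejected to tcp port %d\n", inet_ntoa(ti->ti_src), ntohs(ti->ti_dport));`.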