Netfilter: Extending iptables

 * This is a module which is used for rejecting packets.  Simply sends
 * back an icmp host unreachable and drops the packet
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <net/icmp.h>
#include "packet-filter/kernel/ip_tables.h"

struct in_device;
#include <net/route.h>

static int ipt_reject_target(struct sk_buff *skb,
			     const char *indev,
			     const char *outdev,
			     const union ipt_targinfo *info,
			     unsigned int pos)
	struct iphdr *iph = skb->nh.iph;
	/* Alexey says:
	 * Generally, routing is THE FIRST thing to make, when packet
	 * enters IP stack. Before packet is routed you cannot call
	 * any service routines from IP stack.
	if (skb->dst != NULL
	    || ip_route_input(skb, iph->daddr, iph->saddr, iph->tos,
			      dev_get_by_name(indev)) == 0)

	return -NF_DROP - 1;

static int ipt_reject_checkentry(const union ipt_targinfo *info,
				 unsigned int pos,
				 unsigned int finalpos)
    return 1;

static struct ipt_target ipt_reject_reg
= { { NULL, NULL }, "REJECT", ipt_reject_target, ipt_reject_checkentry, NULL,
    &__this_module };

int init_module(void)
    if (ipt_register_target(&ipt_reject_reg))
	return -EINVAL;

    return 0;

void cleanup_module(void)

Connection Tracking...