Subject: Re: making our tcp/ip a strong-end system
To: Luke Mewburn <lukem@netbsd.org>
From: Ronald Khoo <ronald@demon.net>
List: tech-net
Date: 11/12/1998 20:23:47

Hm..., in_var.h
> /*
> * Macro for finding whether an internet address (in_addr) belongs to one
> ! * of our interfaces (in_ifaddr). If necessary, ensure that the packet (mb)
> ! * came in on the correct interface. NULL if the address isn't ours.
> */
> ! #define INADDR_TO_IA(addr, ia, mb) \
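
Review bot: The updated comment on INADDR_TO_IA still ends with "NULL if the address isn't ours", but the sentence before it says the macro may also ensure that the packet (mb) came in on the correct interface, so the comment does not say what ia holds when the address is ours and that check fails. Document that case explicitly, and if it is also NULL, say so, since callers then cannot tell the two outcomes apart.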

So this match now fails even if the address is ours, if the
strongend rules do not permit...

Mmm..., ip_input.c
> /*
> * Check our list of addresses, to see if the packet is for us.
> */
> ! INADDR_TO_IA(ip->ip_dst, ia, m);
> ! if (ia != NULL)
> ! goto ours;
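
Review bot: The `if (ia != NULL) goto ours;` test handles only the match; a NULL ia is not handled in this hunk, so a packet that fails the lookup for any reason continues into whatever code follows. If the interface check in INADDR_TO_IA(ip->ip_dst, ia, m) can fail for an address that is ours, give that outcome its own result and an explicit drop here rather than treating it like a non-local destination.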

and no material change to the code here. From what I see, the code
path for strongend rejected packets then drops straight through
to ip_forward()... Erk. Shouldn't there be explicit code
to drop such packets?
--
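
The fall-through raised in this message, as an added example that is not part of the original post and is not NetBSD code: a constructed model where the lookup returns NULL both for "not ours" and for "ours, wrong interface", next to a three-way decision with an explicit drop. The struct, function names and addresses are hypothetical, and the model assumes one address per interface with the strong-end rule always enabled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not NetBSD code: one address per interface. */
struct ifaddr_model { uint32_t addr; int ifindex; };

static const struct ifaddr_model our_addrs[] = {
    { 0x0a000001u, 0 },   /* 10.0.0.1 on interface 0 (constructed) */
    { 0xc0a80101u, 1 },   /* 192.168.1.1 on interface 1 (constructed) */
};
#define N_ADDRS (sizeof(our_addrs) / sizeof(our_addrs[0]))

enum verdict { V_OURS, V_FORWARD, V_DROP };

/* Two-state lookup in the style of the quoted hunk: NULL covers both
 * "not ours" and "ours, but arrived on the wrong interface". */
static const struct ifaddr_model *lookup_strong(uint32_t dst, int rcvif)
{
    for (size_t i = 0; i < N_ADDRS; i++)
        if (our_addrs[i].addr == dst && our_addrs[i].ifindex == rcvif)
            return &our_addrs[i];
    return NULL;
}

/* Caller that only tests for NULL: a strong-end reject gets forwarded. */
enum verdict input_two_state(uint32_t dst, int rcvif)
{
    return lookup_strong(dst, rcvif) != NULL ? V_OURS : V_FORWARD;
}

/* Caller with an explicit drop: decide "is it ours at all" first, then
 * apply the interface rule; only non-local destinations are forwarded. */
enum verdict input_three_state(uint32_t dst, int rcvif)
{
    for (size_t i = 0; i < N_ADDRS; i++) {
        if (our_addrs[i].addr != dst)
            continue;
        return our_addrs[i].ifindex == rcvif ? V_OURS : V_DROP;
    }
    return V_FORWARD;
}

int main(void)
{
    /* 10.0.0.1 arriving on interface 1: ours, but wrong interface. */
    printf("two-state: %d\n", input_two_state(0x0a000001u, 1));
    printf("three-state: %d\n", input_three_state(0x0a000001u, 1));
    return 0;
}
```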