diff -ur nistnet/include/nistnet_table.h nistnet-iskratel/include/nistnet_table.h
--- nistnet/include/nistnet_table.h	Wed Mar 14 15:57:11 2001
+++ nistnet-iskratel/include/nistnet_table.h	Wed Apr 18 11:15:12 2001
@@ -57,6 +57,17 @@
  */
 #define INCOS_ANY	((u_int16_t) 0x0000)
 
+/* Define data corruption flags for lteChangeFlags
+ * - defCorruptProtoPayload when set enables payload
+ *   corruption on supported protocols (TCP,UDP).
+ *   When not set IP payload and probably higher level
+ *   protocol header is corrupted.
+ * - defRecalculateCsum fixes checksum of supported
+ *   higher level protocols (TCP,UDP).
+ */
+#define defCorruptProtoPayload 1
+#define defRecalculateCsum     2
+
 typedef struct _nistnetTableEntry {	/* size: @@48 bytes */
 	u_int32_t	lteFlags;		/* Flags... */
 	NistnetTableKey	lteKey;
@@ -105,6 +116,9 @@
 #define lteDropCorrelate	lteIDrop.intrho
 #define lteDup			lteIDup.intmu
 #define lteDupCorrelate		lteIDup.intrho
+        u_int32_t       lteChangePacket;  /* Added by R.P./IskraTel */
+        u_int32_t       lteChangeByte;    /* Added by R.P./IskraTel */
+        u_int32_t       lteChangeFlags;   /* Added by R.P./IskraTel */
 
 } NistnetTableEntry, *NistnetTableEntryPtr;
 
diff -ur nistnet/kernel/Makefile nistnet-iskratel/kernel/Makefile
--- nistnet/kernel/Makefile	Tue Jan 30 22:42:34 2001
+++ nistnet-iskratel/kernel/Makefile	Wed Apr 18 11:18:34 2001
@@ -13,7 +13,16 @@
 M_TARGET := nistnet.o
 M_TARGET1 := mungemod.o
 M_TARGET2 := spymod.o
-M_OBJS := knistnet.o tabledist.o nistnet_table.o jenkinshash.o random.o fast_rtc.o fast_sched.o fast_time.o rtc_capture.o
+M_OBJS := knistnet.o \
+	  tabledist.o \
+          nistnet_table.o \
+          jenkinshash.o \
+          random.o \
+          fast_rtc.o \
+          fast_sched.o \
+          fast_time.o \
+          rtc_capture.o \
+          proto_checks.o
 M_OBJS1 := linmunge.o
 M_OBJS2 := knistspy.o
 MODFLAGS = -DMODULE
diff -ur nistnet/kernel/knistnet.c nistnet-iskratel/kernel/knistnet.c
--- nistnet/kernel/knistnet.c	Wed Mar 14 15:56:29 2001
+++ nistnet-iskratel/kernel/knistnet.c	Wed Apr 18 13:34:58 2001
@@ -19,6 +19,7 @@
 #include <linux/module.h>
 
 #include "tabledist.h"
+#include "proto_checks.h"
 
 int nistnet_debug;
 
@@ -851,6 +852,129 @@
 		OtherNistnetMunger = DefaultNistnetMunger;
 }
 
+/* Added by R.P./IskraTel */
+int
+packet_should_modify(NistnetTablePtr tableme)
+{
+        unsigned int value;
+        if (!tableme->ltEntry.lteChangePacket)
+                return 0;
+        value=myrandom()&0xFFFF; /* Take random value, evaluate lower 16bits */
+        return (value < tableme->ltEntry.lteChangePacket);
+}
+int
+packet_should_modify_Byte(NistnetTablePtr tableme)
+{
+        unsigned int value;
+        if (!tableme->ltEntry.lteChangeByte) return 0;
+        value=myrandom()&0xFFFF; /* Take random value, evaluate lower 16bits */
+        return (value < tableme->ltEntry.lteChangeByte);
+}
+int
+packet_modify_IP(struct sk_buff *skb, NistnetTablePtr tableme)
+{
+	struct iphdr *iph;
+	int i;
+	char *payload;
+	iph=skb->nh.iph;
+	payload = skb->h.raw + iph->ihl*4; // What does skb->csum do ?
+	for (i=0; &payload[i] < (char *)(skb->tail); i++) {
+		if(!packet_should_modify_Byte(tableme))
+			continue;
+		payload[i]++; // increment
+		payload[i]|=(char)(myrandom()&0xFF); // add bits
+		payload[i]&=(char)(myrandom()&0xFF); // remove bits
+	}
+	return 0;
+}
+int
+packet_modify_TCP(struct sk_buff *skb, NistnetTablePtr tableme)
+{
+	struct iphdr *iph;
+	struct tcphdr *tcph;
+	int i;
+        unsigned int csum;
+	char *payload;  // What does skb->csum do ?
+	iph=skb->nh.iph;
+        tcph=(struct tcphdr *)(skb->h.raw + iph->ihl*4);
+	payload =(char *)tcph + tcph->doff*4;
+	for (i=0; &payload[i] < (char *)(skb->tail); i++) {
+		if(!packet_should_modify_Byte(tableme))
+			continue;
+		payload[i]++; // increment
+		payload[i]|=(char)(myrandom()&0xFF); // add bits
+		payload[i]&=(char)(myrandom()&0xFF); // remove bits
+        }
+        if (tableme->ltEntry.lteChangeFlags & defRecalculateCsum ) { // Should we recalculate csum ?
+                tcph->check=0; // has to be 0 for checksum calc
+                csum=csum_partial((char *)tcph, ntohs(iph->tot_len) - iph->ihl*4, 0); // TCP checksum
+                csum=csum_tcpudp_magic(iph->saddr, // TCP pseudo header checksum
+                                       iph->daddr,
+                                       ntohs(iph->tot_len) - iph->ihl*4,
+                                       IPPROTO_TCP,
+                                       csum
+                                      );
+                tcph->check=csum;
+        }
+        return 0;
+}
+int
+packet_modify_UDP(struct sk_buff *skb, NistnetTablePtr tableme)
+{
+	struct iphdr *iph;
+	struct udphdr *udph;
+	int i;
+	char *payload;  // What does skb->csum do ?
+	iph=skb->nh.iph;
+        udph=(struct udphdr *) (skb->h.raw + iph->ihl*4);
+	payload = (char *)udph + sizeof(*udph);
+	for (i=0; &payload[i] < (char *)(skb->tail); i++) {
+		if(!packet_should_modify_Byte(tableme))
+			continue;
+		payload[i]++; // increment
+		payload[i]|=(char)(myrandom()&0xFF); // add bits
+		payload[i]&=(char)(myrandom()&0xFF); // remove bits
+	}
+	if (udph->check && (tableme->ltEntry.lteChangeFlags & defRecalculateCsum )) { // Do we need to recalculate the checksum ?
+		unsigned int csum;
+                udph->check=0; // has to be 0 for checksum calc
+		csum=csum_partial((char *)udph, ntohs(udph->len), 0); // UDP checksum
+		csum=csum_tcpudp_magic(iph->saddr, // UDP pseudo header checksum
+				       iph->daddr,
+				       ntohs(udph->len),
+                                       IPPROTO_UDP,
+                                       csum
+				      );
+                udph->check=csum;
+	}
+	return 0;
+}
+int
+packet_modify(struct sk_buff *skb,NistnetTablePtr tableme)
+{
+	struct iphdr *iph;
+        iph=skb->nh.iph;
+
+        if (!packet_should_modify(tableme))
+                return 0; /* We wont't change this IP packet */
+
+        if (tableme->ltEntry.lteChangeFlags & defCorruptProtoPayload) {
+                switch(iph->protocol) { /* Add support for other protocols here */
+                case IPPROTO_UDP:
+                        return(packet_modify_UDP(skb,tableme));
+                        break;
+                case IPPROTO_TCP:
+                        return(packet_modify_TCP(skb,tableme));
+                        break;
+                default:
+                        break;
+                }
+        }
+        return(packet_modify_IP(skb,tableme));
+}
+
+/* Added by R.P./IskraTel */
+
 #define munge_finish(string)	{LinUnlock(string); if (skb2) (void) rcv_packet_munge(skb2, dev, ptype);/* recursively process dup */ }
 
 int
@@ -867,7 +991,55 @@
 		struct fast_timer_list *screamer;
 		struct nistnet_packetinfo *hpi;
 		struct sk_buff *skb2=NULL;
-		int ret=1;
+                int ret=1;
+                int rc;
+
+                /* Added by R.P./Iskratel */
+                /* As it is Nist is called before ip_rcv
+                   so we must check what we received from
+                   the network.
+                   1. Check the IP packet
+                   */
+                rc=check_packet_IP(skb);
+                //rc: 0 = OK, let's handle it,
+                //    1 = BAD_HDR, drop it,
+                if (1==rc) { // header/csum check failed
+			ip_statistics.IpInHdrErrors++;
+			kfree_skb(skb);
+                        LinUnlock("Packet header error");
+                        //printk("nistnet: Packet dropped - IP packet header error!\n");
+                        return 0;
+                }
+
+                /* lt_find_by_ipheader opens the skbuf and even tho it is unchecked it
+                 * assumes the packet is a valid one. It then reads the fields
+                 * it is interested in.
+                 * It does not:
+                 * - check if it is a first fragment (no clue why should one try to search
+                 *   for TCP port in a 13th IP fragment)
+                 * - if fragment is big enough to hold higher protocol header
+                 * - checksum the higher protocol headers
+                 * Now *normally* this will not be a problem (becouse Nist is run in a lab)..
+                 * and since I'm an abnormal person I'll do the abnormal thing: I'll do
+                 * those checks.
+                 */
+                rc=check_packet(skb);
+                //rc: 0 = OK, let's handle it,
+                //    1 = BAD_HDR, drop it,
+                //    2 = multifragment.. make it go pass Nist.
+                if (1==rc) { // header/csum check failed
+			ip_statistics.IpInHdrErrors++;
+			kfree_skb(skb);
+                        LinUnlock("Packet higher protocol header error");
+                        printk("nistnet: Packet dropped - Higher protocol packet header error!\n");
+                        return 0;
+                }
+                if (2==rc) { // is not a first fragment or is 2 small to anlyse higher protocol header
+                        LinUnlock("Packet/fragment");
+                        printk("nistnet: Packed slipped\n");
+                        return ippt->func(skb, dev, ippt);
+                }
+                /* End by R.P./Iskratel changes */
 
 		global_stats(STATS_START);
 		tableme = lt_find_by_ipheader(skb);
@@ -933,7 +1105,14 @@
 		if (packet_dup(tableme)) { /* you get a new sister! */
 			++hitme->dups;
 			skb2 = skb_copy(skb, GFP_ATOMIC);
-		}
+                }
+
+                /* Added by R.P./IskraTel */
+                /* This procedure check wheter to change the data payload
+                   and performs the needed changes.
+                */
+                packet_modify(skb,tableme);
+                /* End of modifications by R.P./IskraTel */
 
 		/* Now see if we're going to delay the packet */
 		if (!(delaytime = packet_delay(skb, tableme))) { /* no delay */
Only in nistnet-iskratel/kernel: proto_checks.c
Only in nistnet-iskratel/kernel: proto_checks.h
