diff --git a/tun_dev.cpp b/tun_dev.cpp
index 1384ac5..a733573 100644
--- a/tun_dev.cpp
+++ b/tun_dev.cpp
@@ -293,6 +293,17 @@ int tun_dev_client_event_loop()
 					mylog(log_warn,"read from tun_fd return %d,errno=%s\n",len,strerror(errno));
 					continue;
 				}
+				if(len>=20)
+				{
+					u32_t dest_ip=htonl(read_u32(data+16));
+					if(  ( ntohl(sub_net_uint32)&0xFFFFFF00 ) !=  ( ntohl (dest_ip) &0xFFFFFF00) )
+					{
+						string sub=my_ntoa(dest_ip);
+						string dst=my_ntoa( htonl( ntohl (dest_ip) &0xFFFFFF00)   );
+						mylog(log_warn,"packet's dest ip [%s] not in subnet [%s],dropped\n", sub.c_str(), dst.c_str());
+						continue;
+					}
+				}
 
 				mylog(log_trace,"Received packet from tun,len: %d\n",len);