- moving config-* fixed.

[packages/kernel.git] / 2.6.1-NF-20040114.patch

diff -Nur linux-2.6.1.org/include/linux/netfilter_ipv4/ipt_TTL.h linux-2.6.1/include/linux/netfilter_ipv4/ipt_TTL.h
--- linux-2.6.1.org/include/linux/netfilter_ipv4/ipt_TTL.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.1/include/linux/netfilter_ipv4/ipt_TTL.h	2004-01-14 14:06:00.000000000 +0100
@@ -0,0 +1,21 @@
+/* TTL modification module for IP tables
+ * (C) 2000 by Harald Welte <laforge@gnumonks.org> */
+
+#ifndef _IPT_TTL_H
+#define _IPT_TTL_H
+
+enum {
+	IPT_TTL_SET = 0,
+	IPT_TTL_INC,
+	IPT_TTL_DEC
+};
+
+#define IPT_TTL_MAXMODE	IPT_TTL_DEC
+
+struct ipt_TTL_info {
+	u_int8_t	mode;
+	u_int8_t	ttl;
+};
+
+
+#endif
diff -Nur linux-2.6.1.org/include/linux/netfilter_ipv4/ipt_connlimit.h linux-2.6.1/include/linux/netfilter_ipv4/ipt_connlimit.h
--- linux-2.6.1.org/include/linux/netfilter_ipv4/ipt_connlimit.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.1/include/linux/netfilter_ipv4/ipt_connlimit.h	2004-01-14 14:04:43.000000000 +0100
@@ -0,0 +1,12 @@
+#ifndef _IPT_CONNLIMIT_H
+#define _IPT_CONNLIMIT_H
+
+struct ipt_connlimit_data;
+
+struct ipt_connlimit_info {
+	int limit;
+	int inverse;
+	u_int32_t mask;
+	struct ipt_connlimit_data *data;
+};
+#endif /* _IPT_CONNLIMIT_H */
diff -Nur linux-2.6.1.org/include/linux/netfilter_ipv4/ipt_osf.h linux-2.6.1/include/linux/netfilter_ipv4/ipt_osf.h
--- linux-2.6.1.org/include/linux/netfilter_ipv4/ipt_osf.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.1/include/linux/netfilter_ipv4/ipt_osf.h	2004-01-14 14:04:31.000000000 +0100
@@ -0,0 +1,130 @@
+/*
+ * ipt_osf.h
+ *
+ * Copyright (c) 2003 Evgeniy Polyakov <johnpol@2ka.mipt.ru>
+ *
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#ifndef _IPT_OSF_H
+#define _IPT_OSF_H
+
+#define MAXGENRELEN		32
+#define MAXDETLEN		64
+
+#define IPT_OSF_GENRE		1
+#define IPT_OSF_SMART		2
+#define IPT_OSF_LOG		4
+
+#define IPT_OSF_LOGLEVEL_ALL		0
+#define IPT_OSF_LOGLEVEL_FIRST	1
+
+#include <linux/list.h>
+
+struct ipt_osf_info
+{
+	char 			genre[MAXGENRELEN];
+	int			len;
+	unsigned long		flags;
+	int			loglevel;
+	int			invert; /* UNSUPPORTED */
+};
+
+struct osf_wc
+{
+	char			wc;
+	unsigned long		val;
+};
+
+/* This struct represents IANA options
+ * http://www.iana.org/assignments/tcp-parameters
+ */
+struct osf_opt
+{
+	unsigned char		kind;
+	unsigned char		length;
+	struct osf_wc		wc;
+};
+
+#ifdef __KERNEL__
+
+struct osf_finger
+{
+	struct list_head	flist;
+	struct osf_wc		wss;
+	unsigned char		ttl;
+	unsigned char		df;
+	unsigned long		ss;
+	char			genre[MAXGENRELEN];
+	char			version[MAXGENRELEN], subtype[MAXGENRELEN];
+	
+	/* Not needed, but for consistency with original table from Michal Zalewski */
+	char			details[MAXDETLEN]; 
+
+	int 			opt_num;
+	struct osf_opt		opt[MAX_IPOPTLEN]; /* In case it is all NOP or EOL */
+
+};
+
+/* Defines for IANA option kinds */
+
+#define OSFOPT_EOL		0	/* End of options */
+#define OSFOPT_NOP		1	/* NOP */
+#define OSFOPT_MSS		2	/* Maximum segment size */
+#define OSFOPT_WSO		3	/* Window scale option */
+#define OSFOPT_SACKP		4	/* SACK permitted */
+#define OSFOPT_SACK		5	/* SACK */
+#define OSFOPT_ECHO		6	
+#define OSFOPT_ECHOREPLY	7
+#define OSFOPT_TS		8	/* Timestamp option */
+#define OSFOPT_POCP		9	/* Partial Order Connection Permitted */
+#define OSFOPT_POSP		10	/* Partial Order Service Profile */
+/* Others are not used in current OSF */
+
+static struct osf_opt IANA_opts[] = 
+{
+	{0, 1,},
+	{1, 1,},
+	{2, 4,},
+	{3, 3,},
+	{4, 2,},
+	{5, 1 ,}, /* SACK length is not defined */
+	{6, 6,},
+	{7, 6,},
+	{8, 10,},
+	{9, 2,},
+	{10, 3,},
+	{11, 1,}, /* CC: Suppose 1 */
+	{12, 1,}, /* the same */
+	{13, 1,}, /* and here too */
+	{14, 3,},
+	{15, 1,}, /* TCP Alternate Checksum Data. Length is not defined */
+	{16, 1,},
+	{17, 1,},
+	{18, 3,},
+	{19, 18,},
+	{20, 1,},
+	{21, 1,},
+	{22, 1,},
+	{23, 1,},
+	{24, 1,},
+	{25, 1,},
+	{26, 1,},
+};
+
+#endif /* __KERNEL__ */
+
+#endif /* _IPT_OSF_H */
diff -Nur linux-2.6.1.org/include/linux/netfilter_ipv4/ipt_psd.h linux-2.6.1/include/linux/netfilter_ipv4/ipt_psd.h
--- linux-2.6.1.org/include/linux/netfilter_ipv4/ipt_psd.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.1/include/linux/netfilter_ipv4/ipt_psd.h	2004-01-14 14:04:53.000000000 +0100
@@ -0,0 +1,40 @@
+#ifndef _IPT_PSD_H
+#define _IPT_PSD_H
+
+#include <linux/param.h>
+#include <linux/types.h>
+
+/*
+ * High port numbers have a lower weight to reduce the frequency of false
+ * positives, such as from passive mode FTP transfers.
+ */
+#define PORT_WEIGHT_PRIV		3
+#define PORT_WEIGHT_HIGH		1
+
+/*
+ * Port scan detection thresholds: at least COUNT ports need to be scanned
+ * from the same source, with no longer than DELAY ticks between ports.
+ */
+#define SCAN_MIN_COUNT			7
+#define SCAN_MAX_COUNT			(SCAN_MIN_COUNT * PORT_WEIGHT_PRIV)
+#define SCAN_WEIGHT_THRESHOLD		SCAN_MAX_COUNT
+#define SCAN_DELAY_THRESHOLD		(HZ * 3)
+
+/*
+ * Keep track of up to LIST_SIZE source addresses, using a hash table of
+ * HASH_SIZE entries for faster lookups, but limiting hash collisions to
+ * HASH_MAX source addresses per the same hash value.
+ */
+#define LIST_SIZE			0x100
+#define HASH_LOG			9
+#define HASH_SIZE			(1 << HASH_LOG)
+#define HASH_MAX			0x10
+
+struct ipt_psd_info {
+	unsigned int weight_threshold;
+	unsigned int delay_threshold;
+	unsigned short lo_ports_weight;
+	unsigned short hi_ports_weight;
+};
+
+#endif /*_IPT_PSD_H*/
diff -Nur linux-2.6.1.org/include/linux/netfilter_ipv4/ipt_quota.h linux-2.6.1/include/linux/netfilter_ipv4/ipt_quota.h
--- linux-2.6.1.org/include/linux/netfilter_ipv4/ipt_quota.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.1/include/linux/netfilter_ipv4/ipt_quota.h	2004-01-14 14:04:22.000000000 +0100
@@ -0,0 +1,11 @@
+#ifndef _IPT_QUOTA_H
+#define _IPT_QUOTA_H
+
+/* print debug info in both kernel/netfilter module & iptable library */
+//#define DEBUG_IPT_QUOTA
+
+struct ipt_quota_info {
+        u_int64_t quota;
+};
+
+#endif /*_IPT_QUOTA_H*/
diff -Nur linux-2.6.1.org/include/linux/netfilter_ipv4/ipt_time.h linux-2.6.1/include/linux/netfilter_ipv4/ipt_time.h
--- linux-2.6.1.org/include/linux/netfilter_ipv4/ipt_time.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.1/include/linux/netfilter_ipv4/ipt_time.h	2004-01-14 14:05:44.000000000 +0100
@@ -0,0 +1,13 @@
+#ifndef __ipt_time_h_included__
+#define __ipt_time_h_included__
+
+
+struct ipt_time_info {
+	u_int8_t  days_match;   /* 1 bit per day. -SMTWTFS                      */
+	u_int16_t time_start;   /* 0 < time_start < 23*60+59 = 1439             */
+	u_int16_t time_stop;    /* 0:0 < time_stat < 23:59                      */
+	u_int8_t  kerneltime;   /* ignore skb time (and use kerneltime) or not. */
+};
+
+
+#endif /* __ipt_time_h_included__ */
diff -Nur linux-2.6.1.org/include/linux/netfilter_ipv4/ipt_u32.h linux-2.6.1/include/linux/netfilter_ipv4/ipt_u32.h
--- linux-2.6.1.org/include/linux/netfilter_ipv4/ipt_u32.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.1/include/linux/netfilter_ipv4/ipt_u32.h	2004-01-14 14:05:13.000000000 +0100
@@ -0,0 +1,40 @@
+#ifndef _IPT_U32_H
+#define _IPT_U32_H
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+enum ipt_u32_ops
+{
+	IPT_U32_AND,
+	IPT_U32_LEFTSH,
+	IPT_U32_RIGHTSH,
+	IPT_U32_AT
+};
+
+struct ipt_u32_location_element
+{
+	u_int32_t number;
+	u_int8_t nextop;
+};
+struct ipt_u32_value_element
+{
+	u_int32_t min;
+	u_int32_t max;
+};
+/* *** any way to allow for an arbitrary number of elements?
+   for now I settle for a limit of 10 of each */
+#define U32MAXSIZE 10
+struct ipt_u32_test
+{
+	u_int8_t nnums;
+	struct ipt_u32_location_element location[U32MAXSIZE+1];
+	u_int8_t nvalues;
+	struct ipt_u32_value_element value[U32MAXSIZE+1];
+};
+
+struct ipt_u32
+{
+	u_int8_t ntests;
+	struct ipt_u32_test tests[U32MAXSIZE+1];
+};
+
+#endif /*_IPT_U32_H*/
diff -Nur linux-2.6.1.org/net/ipv4/netfilter/Kconfig linux-2.6.1/net/ipv4/netfilter/Kconfig
--- linux-2.6.1.org/net/ipv4/netfilter/Kconfig	2004-01-09 07:59:56.000000000 +0100
+++ linux-2.6.1/net/ipv4/netfilter/Kconfig	2004-01-14 14:06:00.000000000 +0100
@@ -466,6 +466,16 @@
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
+config IP_NF_TARGET_TTL
+	tristate  'TTL target support'
+	depends on IP_NF_MANGLE
+	  help
+	  This adds an iptables TTL manipulation target, which enables the user
+	  to set the TTL value of an IP packet or to increment / decrement it 
+	  by a given value.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
 config IP_NF_TARGET_CLASSIFY
 	tristate "CLASSIFY target support"
 	depends on IP_NF_MANGLE
@@ -566,5 +576,162 @@
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
+config IP_NF_MATCH_QUOTA
+	tristate  'quota match support'
+	depends on IP_NF_IPTABLES
+	  help
+	  This option adds CONFIG_IP_NF_MATCH_QUOTA, which implements network
+	  quotas by decrementing a byte counter with each packet.
+	  
+	  Supported options are:
+	  --quota <bytes>
+	    The quota in bytes.
+	  
+	  KNOWN BUGS: this does not work on SMP systems.
+	  
+
+config IP_NF_MATCH_OSF
+	tristate  'OSF match support'
+	depends on IP_NF_IPTABLES
+	  help
+	  The idea of passive OS fingerprint matching exists for quite a long time,
+	  but was created as extension fo OpenBSD pf only some weeks ago.
+	  Original idea was lurked in some OpenBSD mailing list (thanks
+	  grange@open...) and than adopted for Linux netfilter in form of this code.
+	  
+	  Original table was created by Michal Zalewski <lcamtuf@coredump.cx> for
+	  his excellent p0f and than changed a bit for more convenience.
+	  
+	  This module compares some data(WS, MSS, options and it's order, ttl,
+	  df and others) from first SYN packet (actually from packets with SYN
+	  bit set) with hardcoded in fingers[] table ones.
+	  
+	  Example: (Of course this only an example, do not get inspired by this)
+	  
+	  # iptables -N LINUX
+	  # iptables -A LINUX -j LOG --log-prefix "Linux"
+	  
+	  # iptables -A INPUT -p tcp -m osf --genre Linux -j LINUX
+	  # iptables -A INPUT -p tcp -m osf --genre FreeBSD -j REJECT
+	  
+	  NOTE: -p tcp is obviously required as it is a TCP match.
+	  
+	  OSF also has:
+	  --log 1/0. 
+	  	If present, OSF will log determined genres even if they don't match
+	  	desired one.	
+	  	0 - log all determined entries, 
+	  	1 - only first one.
+	  	
+	  	Example:
+	  	#iptables -I INPUT -j ACCEPT -p tcp -m osf --genre Linux --log 1 --smart
+	  
+	  	In syslog you find something like this:
+	  	ipt_osf: Windows [Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> 11.22.33.44:139
+	  	ipt_osf: Unknown: 16384:106:1:48:020405B401010402 44.33.22.11:1239 -> 11.22.33.44:80
+	  
+	    --smart
+	    	if present, OSF will use some smartness to determine remote OS.
+	  	Now only not use TTL( with it far remote machines can be determined).
+	  
+	  Fingerprints can be loaded through /proc/sys/net/ipv4/osf file.
+	  Only one fingerprint per open/close.
+	  
+	  Fingerprints can be downloaded from http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os
+
+config IP_NF_MATCH_CONNLIMIT
+	tristate  'Connections/IP limit match support'
+	depends on IP_NF_IPTABLES
+	  help
+	  This adds an iptables match which allows you to restrict the
+	  number of parallel TCP connections to a server per client IP address
+	  (or address block).
+	  
+	  Examples:
+	  
+	  # allow 2 telnet connections per client host
+	  iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
+	  
+	  # you can also match the other way around:
+	  iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
+	  
+	  # limit the nr of parallel http requests to 16 per class C sized
+	  # network (24 bit netmask)
+	  iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
+	  	--connlimit-mask 24 -j REJECT
+
+config IP_NF_MATCH_PSD
+	tristate  'psd match support'
+	depends on IP_NF_IPTABLES
+	  help
+	  This option adds a `psd' match, which supplies portscan
+	  detection match (psd). This match will attempt to detect TCP and UDP
+	  port scans. This match was derived from Solar Designer's scanlogd.
+	  
+	  Suppported options are:
+	  
+	  --psd-weight-threshold <threshold>
+	  
+	    Total weight of the latest TCP/UDP packets with different
+	    destination ports coming from the same host to be treated as port
+	    scan sequence.
+	  
+	  --psd-delay-threshold <delay>
+	  
+	    Delay (in hundredths of second) for the packets with different
+	    destination ports coming from the same host to be treated as
+	    possible port scan subsequence.
+	  
+	  --psd-lo-ports-weight <weight>
+	  
+	    Weight of the packet with privileged (<=1024) destination port.
+	  
+	  --psd-hi-ports-weight <weight>
+	  
+	    Weight of the packet with non-priviliged destination port.
+
+config IP_NF_MATCH_U32
+	tristate  'U32 match support'
+	depends on IP_NF_IPTABLES
+	  help
+	  
+	  U32 allows you to extract quantities of up to 4 bytes from a packet,
+	  AND them with specified masks, shift them by specified amounts and
+	  test whether the results are in any of a set of specified ranges.
+	  The specification of what to extract is general enough to skip over
+	  headers with lengths stored in the packet, as in IP or TCP header
+	  lengths.
+	  Details and examples are in the kernel module source.
+
+config IP_NF_MATCH_TIME
+	tristate  'TIME match support'
+	depends on IP_NF_IPTABLES
+	  help
+	  
+	  This option adds CONFIG_IP_NF_MATCH_TIME, which supplies a time match module.
+	  This match allows you to filter based on the packet arrival time
+	  (arrival time at the machine which the netfilter is running on) or
+	  departure time (for locally generated packets).
+	  
+	  Supported options are:
+	  --timestart HH:MM
+	    The starting point of the time match frame.
+	  
+	  --timestop HH:MM
+	    The stopping point of the time match frame
+	  
+	  --days Tue,Mon...
+	    Days of the week to match separated by a coma, no space
+	    (one of Sun,Mon,Tue,Wed,Thu,Fri,Sat)
+	  
+	  Example:
+	    -A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri
+	    will match packets that have an arrival timestamp in the range 8:00->18:00 from Monday
+	    to Friday.
+	  
+	    -A OUTPUT -m time --timestart 8:00 --timestop 18:00 --Days Mon
+	    will match the packets (locally generated) that have a departure timestamp
+	    in the range 8:00->18:00 on Monday only.
+
 endmenu
 
diff -Nur linux-2.6.1.org/net/ipv4/netfilter/Makefile linux-2.6.1/net/ipv4/netfilter/Makefile
--- linux-2.6.1.org/net/ipv4/netfilter/Makefile	2004-01-09 07:59:18.000000000 +0100
+++ linux-2.6.1/net/ipv4/netfilter/Makefile	2004-01-14 14:06:00.000000000 +0100
@@ -42,6 +42,7 @@
 # matches
 obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
 obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
+obj-$(CONFIG_IP_NF_MATCH_QUOTA) += ipt_quota.o
 obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o
 obj-$(CONFIG_IP_NF_MATCH_MAC) += ipt_mac.o
 obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
@@ -51,6 +52,14 @@
 obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
 obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
 
+obj-$(CONFIG_IP_NF_MATCH_TIME) += ipt_time.o
+
+
+obj-$(CONFIG_IP_NF_MATCH_PSD) += ipt_psd.o
+
+obj-$(CONFIG_IP_NF_MATCH_OSF) += ipt_osf.o
+
+
 obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
 
 obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
@@ -59,8 +68,12 @@
 
 obj-$(CONFIG_IP_NF_MATCH_LENGTH) += ipt_length.o
 
+obj-$(CONFIG_IP_NF_MATCH_U32) += ipt_u32.o
+
+
 obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
 obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
+obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += ipt_connlimit.o
 obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
 obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
 
@@ -72,6 +85,7 @@
 obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o
 obj-$(CONFIG_IP_NF_TARGET_DSCP) += ipt_DSCP.o
 obj-$(CONFIG_IP_NF_TARGET_MARK) += ipt_MARK.o
+obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
 obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o
 obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o
 obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt_NETMAP.o
diff -Nur linux-2.6.1.org/net/ipv4/netfilter/ipt_TTL.c linux-2.6.1/net/ipv4/netfilter/ipt_TTL.c
--- linux-2.6.1.org/net/ipv4/netfilter/ipt_TTL.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.1/net/ipv4/netfilter/ipt_TTL.c	2004-01-14 14:06:00.000000000 +0100
@@ -0,0 +1,117 @@
+/* TTL modification target for IP tables
+ * (C) 2000 by Harald Welte <laforge@gnumonks.org>
+ *
+ * Version: 1.8
+ *
+ * This software is distributed under the terms of GNU GPL
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <net/checksum.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_TTL.h>
+
+MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
+MODULE_DESCRIPTION("IP tables TTL modification module");
+MODULE_LICENSE("GPL");
+
+static unsigned int ipt_ttl_target(struct sk_buff **pskb,
+		                           const struct net_device *in,
+                                   const struct net_device *out,
+                                   unsigned int hooknum,
+                                   const void *targinfo,
+                                   void *userinfo)
+{
+	struct iphdr *iph = (*pskb)->nh.iph;
+	const struct ipt_TTL_info *info = targinfo;
+	u_int16_t diffs[2];
+	int new_ttl;
+			 
+	switch (info->mode) {
+		case IPT_TTL_SET:
+			new_ttl = info->ttl;
+			break;
+		case IPT_TTL_INC:
+			new_ttl = iph->ttl + info->ttl;
+			if (new_ttl > 255)
+				new_ttl = 255;
+			break;
+		case IPT_TTL_DEC:
+			new_ttl = iph->ttl + info->ttl;
+			if (new_ttl < 0)
+				new_ttl = 0;
+			break;
+		default:
+			new_ttl = iph->ttl;
+			break;
+	}
+
+	if (new_ttl != iph->ttl) {
+		diffs[0] = htons(((unsigned)iph->ttl) << 8) ^ 0xFFFF;
+		iph->ttl = new_ttl;
+		diffs[1] = htons(((unsigned)iph->ttl) << 8);
+		iph->check = csum_fold(csum_partial((char *)diffs,
+						    sizeof(diffs),
+				 	            iph->check^0xFFFF));
+									                	(*pskb)->nfcache |= NFC_ALTERED;
+	}
+
+	return IPT_CONTINUE;
+}
+
+static int ipt_ttl_checkentry(const char *tablename,
+		const struct ipt_entry *e,
+		void *targinfo,
+		unsigned int targinfosize,
+		unsigned int hook_mask)
+{
+	struct ipt_TTL_info *info = targinfo;
+
+	if (targinfosize != IPT_ALIGN(sizeof(struct ipt_TTL_info))) {
+		printk(KERN_WARNING "TTL: targinfosize %u != %Zu\n",
+				targinfosize,
+				IPT_ALIGN(sizeof(struct ipt_TTL_info)));
+		return 0;	
+	}	
+
+	if (strcmp(tablename, "mangle")) {
+		printk(KERN_WARNING "TTL: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
+		return 0;
+	}
+
+	if (info->mode > IPT_TTL_MAXMODE) {
+		printk(KERN_WARNING "TTL: invalid or unknown Mode %u\n", 
+			info->mode);
+		return 0;
+	}
+
+	if ((info->mode != IPT_TTL_SET) && (info->ttl == 0)) {
+		printk(KERN_WARNING "TTL: increment/decrement doesn't make sense with value 0\n");
+		return 0;
+	}
+	
+	return 1;
+}
+
+static struct ipt_target ipt_TTL = {
+	.name		= "TTL", 
+	.target		= ipt_ttl_target,
+	.checkentry	= ipt_ttl_checkentry,
+	.me		= THIS_MODULE,
+};
+
+static int __init init(void)
+{
+	return ipt_register_target(&ipt_TTL);
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_target(&ipt_TTL);
+}
+
+module_init(init);
+module_exit(fini);
diff -Nur linux-2.6.1.org/net/ipv4/netfilter/ipt_connlimit.c linux-2.6.1/net/ipv4/netfilter/ipt_connlimit.c
--- linux-2.6.1.org/net/ipv4/netfilter/ipt_connlimit.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.1/net/ipv4/netfilter/ipt_connlimit.c	2004-01-14 14:04:43.000000000 +0100
@@ -0,0 +1,230 @@
+/*
+ * netfilter module to limit the number of parallel tcp
+ * connections per IP address.
+ *   (c) 2000 Gerd Knorr <kraxel@bytesex.org>
+ *   Nov 2002: Martin Bene <martin.bene@icomedias.com>:
+ *		only ignore TIME_WAIT or gone connections
+ *
+ * based on ...
+ *
+ * Kernel module to match connection tracking information.
+ * GPL (C) 1999  Rusty Russell (rusty@rustcorp.com.au).
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/list.h>
+#include <linux/netfilter_ipv4/ip_conntrack.h>
+#include <linux/netfilter_ipv4/ip_conntrack_core.h>
+#include <linux/netfilter_ipv4/ip_conntrack_tcp.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_connlimit.h>
+
+#define DEBUG 0
+
+MODULE_LICENSE("GPL");
+
+/* we'll save the tuples of all connections we care about */
+struct ipt_connlimit_conn
+{
+        struct list_head list;
+	struct ip_conntrack_tuple tuple;
+};
+
+struct ipt_connlimit_data {
+	spinlock_t lock;
+	struct list_head iphash[256];
+};
+
+static int ipt_iphash(u_int32_t addr)
+{
+	int hash;
+
+	hash  =  addr        & 0xff;
+	hash ^= (addr >>  8) & 0xff;
+	hash ^= (addr >> 16) & 0xff;
+	hash ^= (addr >> 24) & 0xff;
+	return hash;
+}
+
+static int count_them(struct ipt_connlimit_data *data,
+		      u_int32_t addr, u_int32_t mask,
+		      struct ip_conntrack *ct)
+{
+#if DEBUG
+	const static char *tcp[] = { "none", "established", "syn_sent", "syn_recv",
+				     "fin_wait", "time_wait", "close", "close_wait",
+				     "last_ack", "listen" };
+#endif
+	int addit = 1, matches = 0;
+	struct ip_conntrack_tuple tuple;
+	struct ip_conntrack_tuple_hash *found;
+	struct ipt_connlimit_conn *conn;
+	struct list_head *hash,*lh;
+
+	spin_lock(&data->lock);
+	tuple = ct->tuplehash[0].tuple;
+	hash = &data->iphash[ipt_iphash(addr & mask)];
+
+	/* check the saved connections */
+	for (lh = hash->next; lh != hash; lh = lh->next) {
+		conn = list_entry(lh,struct ipt_connlimit_conn,list);
+		found = ip_conntrack_find_get(&conn->tuple,ct);
+		if (0 == memcmp(&conn->tuple,&tuple,sizeof(tuple)) &&
+		    found != NULL &&
+		    found->ctrack->proto.tcp.state != TCP_CONNTRACK_TIME_WAIT) {
+			/* Just to be sure we have it only once in the list.
+			   We should'nt see tuples twice unless someone hooks this
+			   into a table without "-p tcp --syn" */
+			addit = 0;
+		}
+#if DEBUG
+		printk("ipt_connlimit [%d]: src=%u.%u.%u.%u:%d dst=%u.%u.%u.%u:%d %s\n",
+		       ipt_iphash(addr & mask),
+		       NIPQUAD(conn->tuple.src.ip), ntohs(conn->tuple.src.u.tcp.port),
+		       NIPQUAD(conn->tuple.dst.ip), ntohs(conn->tuple.dst.u.tcp.port),
+		       (NULL != found) ? tcp[found->ctrack->proto.tcp.state] : "gone");
+#endif
+		if (NULL == found) {
+			/* this one is gone */
+			lh = lh->prev;
+			list_del(lh->next);
+			kfree(conn);
+			continue;
+		}
+		if (found->ctrack->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT) {
+			/* we don't care about connections which are
+			   closed already -> ditch it */
+			lh = lh->prev;
+			list_del(lh->next);
+			kfree(conn);
+			nf_conntrack_put(&found->ctrack->infos[0]);
+			continue;
+		}
+		if ((addr & mask) == (conn->tuple.src.ip & mask)) {
+			/* same source IP address -> be counted! */
+			matches++;
+		}
+		nf_conntrack_put(&found->ctrack->infos[0]);
+	}
+	if (addit) {
+		/* save the new connection in our list */
+#if DEBUG
+		printk("ipt_connlimit [%d]: src=%u.%u.%u.%u:%d dst=%u.%u.%u.%u:%d new\n",
+		       ipt_iphash(addr & mask),
+		       NIPQUAD(tuple.src.ip), ntohs(tuple.src.u.tcp.port),
+		       NIPQUAD(tuple.dst.ip), ntohs(tuple.dst.u.tcp.port));
+#endif
+		conn = kmalloc(sizeof(*conn),GFP_ATOMIC);
+		if (NULL == conn)
+			return -1;
+		memset(conn,0,sizeof(*conn));
+		INIT_LIST_HEAD(&conn->list);
+		conn->tuple = tuple;
+		list_add(&conn->list,hash);
+		matches++;
+	}
+	spin_unlock(&data->lock);
+	return matches;
+}
+
+static int
+match(const struct sk_buff *skb,
+      const struct net_device *in,
+      const struct net_device *out,
+      const void *matchinfo,
+      int offset,
+      const void *hdr,
+      u_int16_t datalen,
+      int *hotdrop)
+{
+	const struct ipt_connlimit_info *info = matchinfo;
+	int connections, match;
+	struct ip_conntrack *ct;
+	enum ip_conntrack_info ctinfo;
+
+	ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
+	if (NULL == ct) {
+		printk("ipt_connlimit: Oops: invalid ct state ?\n");
+		*hotdrop = 1;
+		return 0;
+	}
+	connections = count_them(info->data,skb->nh.iph->saddr,info->mask,ct);
+	if (-1 == connections) {
+		printk("ipt_connlimit: Hmm, kmalloc failed :-(\n");
+		*hotdrop = 1; /* let's free some memory :-) */
+		return 0;
+	}
+        match = (info->inverse) ? (connections <= info->limit) : (connections > info->limit);
+#if DEBUG
+	printk("ipt_connlimit: src=%u.%u.%u.%u mask=%u.%u.%u.%u "
+	       "connections=%d limit=%d match=%s\n",
+	       NIPQUAD(skb->nh.iph->saddr), NIPQUAD(info->mask),
+	       connections, info->limit, match ? "yes" : "no");
+#endif
+
+	return match;
+}
+
+static int check(const char *tablename,
+		 const struct ipt_ip *ip,
+		 void *matchinfo,
+		 unsigned int matchsize,
+		 unsigned int hook_mask)
+{
+	struct ipt_connlimit_info *info = matchinfo;
+	int i;
+
+	/* verify size */
+	if (matchsize != IPT_ALIGN(sizeof(struct ipt_connlimit_info)))
+		return 0;
+
+	/* refuse anything but tcp */
+	if (ip->proto != IPPROTO_TCP)
+		return 0;
+
+	/* init private data */
+	info->data = kmalloc(sizeof(struct ipt_connlimit_data),GFP_KERNEL);
+	spin_lock_init(&(info->data->lock));
+	for (i = 0; i < 256; i++)
+		INIT_LIST_HEAD(&(info->data->iphash[i]));
+	
+	return 1;
+}
+
+static void destroy(void *matchinfo, unsigned int matchinfosize)
+{
+	struct ipt_connlimit_info *info = matchinfo;
+	struct ipt_connlimit_conn *conn;
+	struct list_head *hash;
+	int i;
+
+	/* cleanup */
+	for (i = 0; i < 256; i++) {
+		hash = &(info->data->iphash[i]);
+		while (hash != hash->next) {
+			conn = list_entry(hash->next,struct ipt_connlimit_conn,list);
+			list_del(hash->next);
+			kfree(conn);
+		}
+	}
+	kfree(info->data);
+}
+
+static struct ipt_match connlimit_match = {
+	.name		= "connlimit",
+	.match		= &match,
+	.checkentry	= &check,
+	.me		= THIS_MODULE };
+
+static int __init init(void)
+{
+	return ipt_register_match(&connlimit_match);
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_match(&connlimit_match);
+}
+
+module_init(init);
+module_exit(fini);
diff -Nur linux-2.6.1.org/net/ipv4/netfilter/ipt_osf.c linux-2.6.1/net/ipv4/netfilter/ipt_osf.c
--- linux-2.6.1.org/net/ipv4/netfilter/ipt_osf.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.1/net/ipv4/netfilter/ipt_osf.c	2004-01-14 14:04:31.000000000 +0100
@@ -0,0 +1,730 @@
+/*
+ * ipt_osf.c
+ *
+ * Copyright (c) 2003 Evgeniy Polyakov <johnpol@2ka.mipt.ru>
+ *
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/*
+ * OS fingerprint matching module.
+ * It simply compares various parameters from SYN packet with
+ * some hardcoded ones.
+ *
+ * Original table was created by Michal Zalewski <lcamtuf@coredump.cx>
+ * for his p0f.
+ */
+
+#include <linux/config.h>
+#include <linux/kernel.h>
+#include <linux/smp.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/file.h>
+#include <linux/ip.h>
+#include <linux/proc_fs.h>
+#include <linux/fs.h>
+#include <linux/slab.h>
+#include <linux/spinlock.h>
+#include <linux/ctype.h>
+#include <linux/list.h>
+
+#include <net/sock.h>
+#include <net/ip.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+#include <linux/netfilter_ipv4/ipt_osf.h>
+
+#define OSF_DEBUG
+
+#ifdef OSF_DEBUG
+#define log(x...) 		printk(KERN_INFO "ipt_osf: " x)
+#define loga(x...) 		printk(x)
+#else
+#define log(x...) 		do {} while(0)
+#define loga(x...) 		do {} while(0)
+#endif
+
+#define FMATCH_WRONG		0
+#define FMATCH_OK		1
+#define FMATCH_OPT_WRONG	2
+
+#define OPTDEL			','
+#define OSFPDEL 		':'
+#define MAXOPTSTRLEN		128
+#define OSFFLUSH		"FLUSH"
+
+static rwlock_t osf_lock = RW_LOCK_UNLOCKED;
+static struct list_head	finger_list;	
+
+static int match(const struct sk_buff *, const struct net_device *, const struct net_device *,
+		      const void *, int, const void *, u_int16_t, int *);
+static int checkentry(const char *, const struct ipt_ip *, void *,
+		           unsigned int, unsigned int);
+
+static struct ipt_match osf_match = { 
+	.name		= "osf",
+	.match		= &match,
+	.checkentry	= &checkentry,
+	.me		= THIS_MODULE,
+};
+
+static inline int smart_dec(unsigned long flags, unsigned char ip_ttl, unsigned char f_ttl)
+{
+	if (flags & IPT_OSF_SMART)
+		return 1;
+	else
+		return (ip_ttl == f_ttl);
+}
+
+static int
+match(const struct sk_buff *skb,
+      const struct net_device *in,
+      const struct net_device *out,
+      const void *matchinfo,
+      int offset,
+      const void *hdr,
+      u_int16_t datalen,
+      int *hotdrop)
+{
+	struct ipt_osf_info *info = (struct ipt_osf_info *)matchinfo;
+	struct iphdr *ip = skb->nh.iph;
+	struct tcphdr *tcp;
+	int fmatch = FMATCH_WRONG, fcount = 0;
+	unsigned long totlen, optsize = 0, window;
+	unsigned char df, *optp = NULL, *_optp = NULL;
+	char check_WSS = 0;
+	struct list_head *ent;
+	struct osf_finger *f;
+
+	if (!ip || !info)
+		return 0;
+				
+	tcp = (struct tcphdr *)((u_int32_t *)ip + ip->ihl);
+
+	if (!tcp->syn)
+		return 0;
+	else if (tcp->ack)
+		return 0;
+	
+	totlen = ntohs(ip->tot_len);
+	df = ((ntohs(ip->frag_off) & IP_DF)?1:0);
+	window = ntohs(tcp->window);
+	
+	if (tcp->doff*4 > sizeof(struct tcphdr))
+	{
+		_optp = optp = (char *)(tcp+1);
+		optsize = tcp->doff*4 - sizeof(struct tcphdr);
+	}
+
+	
+	/* Actually we can create hash/table of all genres and search
+	 * only in appropriate part, but here is initial variant,
+	 * so will use slow path.
+	 */
+	read_lock(&osf_lock);
+	list_for_each(ent, &finger_list)
+	{
+		f = list_entry(ent, struct osf_finger, flist);
+	
+		if (!(info->flags & IPT_OSF_LOG) && strcmp(info->genre, f->genre)) 
+			continue;
+
+		optp = _optp;
+		fmatch = FMATCH_WRONG;
+
+		if (totlen == f->ss && df == f->df && 
+			smart_dec(info->flags, ip->ttl, f->ttl))
+		{
+			unsigned long foptsize;
+			int optnum;
+			unsigned short mss = 0;
+
+			check_WSS = 0;
+
+			switch (f->wss.wc)
+			{
+				case 0:	  check_WSS = 0; break;
+				case 'S': check_WSS = 1; break;
+				case 'T': check_WSS = 2; break;
+				case '%': check_WSS = 3; break;
+				default: log("Wrong fingerprint wss.wc=%d, %s - %s\n", 
+							 f->wss.wc, f->genre, f->details);
+					 check_WSS = 4;
+					 break;
+			}
+			if (check_WSS == 4)
+				continue;
+
+			/* Check options */
+
+			foptsize = 0;
+			for (optnum=0; optnum<f->opt_num; ++optnum)
+				foptsize += f->opt[optnum].length;
+
+				
+			if (foptsize > MAX_IPOPTLEN || optsize > MAX_IPOPTLEN || optsize != foptsize)
+				continue;
+
+			if (!optp)
+			{
+				fmatch = FMATCH_OK;
+				loga("\tYEP : matching without options.\n");
+				if ((info->flags & IPT_OSF_LOG) && 
+					info->loglevel == IPT_OSF_LOGLEVEL_FIRST)
+					break;
+				else
+					continue;
+			}
+			
+
+			for (optnum=0; optnum<f->opt_num; ++optnum)
+			{
+				if (f->opt[optnum].kind == (*optp))
+				{
+					unsigned char len = f->opt[optnum].length;
+					unsigned char *optend = optp + len;
+
+					fmatch = FMATCH_OK;
+
+					if (*optp == OSFOPT_MSS) /* MSS */
+						mss = ntohs(*(unsigned short *)(optp+2));
+					
+					if (len != 1)
+					{
+						/* Skip kind and length fields*/
+						optp += 2; 
+
+						if (f->opt[optnum].wc.wc != 0)
+						{
+							unsigned long tmp = 0;
+							
+							/* Hmmm... It looks a bit ugly. :) */
+							memcpy(&tmp, &f->opt[optnum].wc.val, 
+								(len > sizeof(unsigned long)?
+								 	sizeof(unsigned long):len));
+
+							tmp = ntohl(tmp);
+							if (tmp != f->opt[optnum].wc.val)
+								fmatch = FMATCH_OPT_WRONG;
+						}
+					}
+
+					optp = optend;
+				}
+				else
+					fmatch = FMATCH_OPT_WRONG;
+
+				if (fmatch != FMATCH_OK)
+					break;
+			}
+
+			if (fmatch != FMATCH_OPT_WRONG)
+			{
+				fmatch = FMATCH_WRONG;
+
+				switch (check_WSS)
+				{
+					case 0:
+						if (window == f->wss.val)
+							fmatch = FMATCH_OK;
+						break;
+					case 1: /* MSS */
+						if (window == f->wss.val*mss)
+							fmatch = FMATCH_OK;
+						break;
+					case 2: /* MTU */
+						if (window == f->wss.val*(mss+40))
+							fmatch = FMATCH_OK;
+						break;
+					case 3: /* MOD */
+						if (window % f->wss.val == 0)
+							fmatch = FMATCH_OK;
+						break;
+				}
+			}
+					
+
+			if (fmatch == FMATCH_OK)
+			{
+				fcount++;
+				log("%s [%s]: %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u\n", 
+					f->genre, f->details,
+					NIPQUAD(ip->saddr), ntohs(tcp->source),
+					NIPQUAD(ip->daddr), ntohs(tcp->dest));
+				if ((info->flags & IPT_OSF_LOG) && 
+					info->loglevel == IPT_OSF_LOGLEVEL_FIRST)
+					break;
+			}
+		}
+	}
+	if (!fcount && (info->flags & IPT_OSF_LOG))
+	{
+		log("Unknown: %lu:%d:%d:%lu:", window, ip->ttl, df, totlen);
+		if (optp)
+		{
+			unsigned char opt[4 * 15 - sizeof(struct tcphdr)];
+			unsigned int i, optsize;
+
+			optsize = tcp->doff * 4 - sizeof(struct tcphdr);
+			if (skb_copy_bits(skb, ip->ihl*4 + sizeof(struct tcphdr),
+					  opt, optsize) < 0)
+				loga("TRUNCATED");
+			else
+				for (i = 0; i < optsize; i++)
+					loga("%02X", opt[i]);
+			
+		}  
+		loga(" %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u\n", 
+			NIPQUAD(ip->saddr), ntohs(tcp->source),
+			NIPQUAD(ip->daddr), ntohs(tcp->dest));
+	}
+	read_unlock(&osf_lock);
+
+	return (fmatch == FMATCH_OK)?1:0;
+}
+
+static int
+checkentry(const char *tablename,
+           const struct ipt_ip *ip,
+           void *matchinfo,
+           unsigned int matchsize,
+           unsigned int hook_mask)
+{
+       if (matchsize != IPT_ALIGN(sizeof(struct ipt_osf_info)))
+               return 0;
+       if (ip->proto != IPPROTO_TCP)
+	       return 0;
+
+       return 1;
+}
+
+static char * osf_strchr(char *ptr, char c)
+{
+	char *tmp;
+
+	tmp = strchr(ptr, c);
+
+	while (tmp && tmp+1 && isspace(*(tmp+1)))
+		tmp++;
+
+	return tmp;
+}
+
+static struct osf_finger * finger_alloc(void)
+{
+	struct osf_finger *f;
+
+	f = kmalloc(sizeof(struct osf_finger), GFP_KERNEL);
+	if (f)
+		memset(f, 0, sizeof(struct osf_finger));
+	
+	return f;
+}
+
+static void finger_free(struct osf_finger *f)
+{
+	memset(f, 0, sizeof(struct osf_finger));
+	kfree(f);
+}
+
+
+static void osf_parse_opt(struct osf_opt *opt, int *optnum, char *obuf, int olen)
+{
+	int i, op;
+	char *ptr, wc;
+	unsigned long val;
+
+	ptr = &obuf[0];
+	i = 0;
+	while (ptr != NULL && i < olen)
+	{
+		val = 0;
+		op = 0;
+		wc = 0;
+		switch (obuf[i])
+		{
+			case 'N': 
+				op = OSFOPT_NOP;
+				ptr = osf_strchr(&obuf[i], OPTDEL);
+				if (ptr)
+				{
+					*ptr = '\0';
+					ptr++;
+					i += (int)(ptr-&obuf[i]);
+
+				}
+				else
+					i++;
+				break;
+			case 'S': 
+				op = OSFOPT_SACKP;
+				ptr = osf_strchr(&obuf[i], OPTDEL);
+				if (ptr)
+				{
+					*ptr = '\0';
+					ptr++;
+					i += (int)(ptr-&obuf[i]);
+
+				}
+				else
+					i++;
+				break;
+			case 'T': 
+				op = OSFOPT_TS;
+				ptr = osf_strchr(&obuf[i], OPTDEL);
+				if (ptr)
+				{
+					*ptr = '\0';
+					ptr++;
+					i += (int)(ptr-&obuf[i]);
+
+				}
+				else
+					i++;
+				break;
+			case 'W': 
+				op = OSFOPT_WSO;
+				ptr = osf_strchr(&obuf[i], OPTDEL);
+				if (ptr)
+				{
+					switch (obuf[i+1])
+					{
+						case '%':	wc = '%'; break;
+						case 'S':	wc = 'S'; break;
+						case 'T':	wc = 'T'; break;
+						default:	wc = 0; break;
+					}
+					
+					*ptr = '\0';
+					ptr++;
+					if (wc)
+						val = simple_strtoul(&obuf[i+2], NULL, 10);
+					else
+						val = simple_strtoul(&obuf[i+1], NULL, 10);
+					i += (int)(ptr-&obuf[i]);
+
+				}
+				else
+					i++;
+				break;
+			case 'M': 
+				op = OSFOPT_MSS;
+				ptr = osf_strchr(&obuf[i], OPTDEL);
+				if (ptr)
+				{
+					if (obuf[i+1] == '%')
+						wc = '%';
+					*ptr = '\0';
+					ptr++;
+					if (wc)
+						val = simple_strtoul(&obuf[i+2], NULL, 10);
+					else
+						val = simple_strtoul(&obuf[i+1], NULL, 10);
+					i += (int)(ptr-&obuf[i]);
+
+				}
+				else
+					i++;
+				break;
+			case 'E': 
+				op = OSFOPT_EOL;
+				ptr = osf_strchr(&obuf[i], OPTDEL);
+				if (ptr)
+				{
+					*ptr = '\0';
+					ptr++;
+					i += (int)(ptr-&obuf[i]);
+
+				}
+				else
+					i++;
+				break;
+			default:
+				ptr = osf_strchr(&obuf[i], OPTDEL);
+				if (ptr)
+				{
+					ptr++;
+					i += (int)(ptr-&obuf[i]);
+
+				}
+				else
+					i++;
+				break;
+		}
+
+		opt[*optnum].kind 	= IANA_opts[op].kind;
+		opt[*optnum].length 	= IANA_opts[op].length;
+		opt[*optnum].wc.wc 	= wc;
+		opt[*optnum].wc.val	= val;
+
+		(*optnum)++;
+	}
+}
+
+static int osf_proc_read(char *buf, char **start, off_t off, int count, int *eof, void *data)
+{
+	struct list_head *ent;
+	struct osf_finger *f = NULL;
+	int i;
+	
+	*eof = 1;
+	count = 0;
+
+	read_lock_bh(&osf_lock);
+	list_for_each(ent, &finger_list)
+	{
+		f = list_entry(ent, struct osf_finger, flist);
+
+		log("%s [%s]", f->genre, f->details);
+		
+		count += sprintf(buf+count, "%s - %s[%s] : %s", 
+					f->genre, f->version,
+					f->subtype, f->details);
+		
+		if (f->opt_num)
+		{
+			loga(" OPT: ");
+			//count += sprintf(buf+count, " OPT: ");
+			for (i=0; i<f->opt_num; ++i)
+			{
+				//count += sprintf(buf+count, "%d.%c%lu; ", 
+				//	f->opt[i].kind, (f->opt[i].wc.wc)?f->opt[i].wc.wc:' ', f->opt[i].wc.val);
+				loga("%d.%c%lu; ", 
+					f->opt[i].kind, (f->opt[i].wc.wc)?f->opt[i].wc.wc:' ', f->opt[i].wc.val);
+			}
+		}
+		loga("\n");
+		count += sprintf(buf+count, "\n");
+	}
+	read_unlock_bh(&osf_lock);
+
+	return count;
+}
+
+static int osf_proc_write(struct file *file, const char *buffer, unsigned long count, void *data)
+{
+	int cnt;
+	unsigned long i;
+	char obuf[MAXOPTSTRLEN];
+	struct osf_finger *finger;
+	struct list_head *ent, *n;
+
+	char *pbeg, *pend;
+
+	if (count == strlen(OSFFLUSH) && !strncmp(buffer, OSFFLUSH, strlen(OSFFLUSH)))
+	{
+		int i = 0;
+		write_lock_bh(&osf_lock);
+		list_for_each_safe(ent, n, &finger_list)
+		{
+			i++;
+			finger = list_entry(ent, struct osf_finger, flist);
+			list_del(&finger->flist);
+			finger_free(finger);
+		}
+		write_unlock_bh(&osf_lock);
+	
+		log("Flushed %d entries.\n", i);
+		
+		return count;
+	}
+
+	
+	cnt = 0;
+	for (i=0; i<count && buffer[i] != '\0'; ++i)
+		if (buffer[i] == ':')
+			cnt++;
+
+	if (cnt != 8 || i != count)
+	{
+		log("Wrong input line cnt=%d[8], len=%lu[%lu]\n", 
+			cnt, i, count);
+		return count;
+	}
+
+	memset(obuf, 0, sizeof(obuf));
+	
+	finger = finger_alloc();
+	if (!finger)
+	{
+		log("Failed to allocate new fingerprint entry.\n");
+		return -ENOMEM;
+	}
+
+	pbeg = (char *)buffer;
+	pend = osf_strchr(pbeg, OSFPDEL);
+	if (pend)
+	{
+		*pend = '\0';
+		if (pbeg[0] == 'S')
+		{
+			finger->wss.wc = 'S';
+			if (pbeg[1] == '%')
+				finger->wss.val = simple_strtoul(pbeg+2, NULL, 10);
+			else if (pbeg[1] == '*')
+				finger->wss.val = 0;
+			else 
+				finger->wss.val = simple_strtoul(pbeg+1, NULL, 10);
+		}
+		else if (pbeg[0] == 'T')
+		{
+			finger->wss.wc = 'T';
+			if (pbeg[1] == '%')
+				finger->wss.val = simple_strtoul(pbeg+2, NULL, 10);
+			else if (pbeg[1] == '*')
+				finger->wss.val = 0;
+			else 
+				finger->wss.val = simple_strtoul(pbeg+1, NULL, 10);
+		}
+		if (isdigit(pbeg[0]))
+		{
+			finger->wss.wc = 0;
+			finger->wss.val = simple_strtoul(pbeg, NULL, 10);
+		}
+
+		pbeg = pend+1;
+	}
+	pend = osf_strchr(pbeg, OSFPDEL);
+	if (pend)
+	{
+		*pend = '\0';
+		finger->ttl = simple_strtoul(pbeg, NULL, 10);
+		pbeg = pend+1;
+	}
+	pend = osf_strchr(pbeg, OSFPDEL);
+	if (pend)
+	{
+		*pend = '\0';
+		finger->df = simple_strtoul(pbeg, NULL, 10);
+		pbeg = pend+1;
+	}
+	pend = osf_strchr(pbeg, OSFPDEL);
+	if (pend)
+	{
+		*pend = '\0';
+		finger->ss = simple_strtoul(pbeg, NULL, 10);
+		pbeg = pend+1;
+	}
+
+	pend = osf_strchr(pbeg, OSFPDEL);
+	if (pend)
+	{
+		*pend = '\0';
+		cnt = snprintf(obuf, sizeof(obuf), "%s", pbeg);
+		pbeg = pend+1;
+	}
+
+	pend = osf_strchr(pbeg, OSFPDEL);
+	if (pend)
+	{
+		*pend = '\0';
+		if (pbeg[0] == '@' || pbeg[0] == '*')
+			cnt = snprintf(finger->genre, sizeof(finger->genre), "%s", pbeg+1);
+		else
+			cnt = snprintf(finger->genre, sizeof(finger->genre), "%s", pbeg);
+		pbeg = pend+1;
+	}
+	
+	pend = osf_strchr(pbeg, OSFPDEL);
+	if (pend)
+	{
+		*pend = '\0';
+		cnt = snprintf(finger->version, sizeof(finger->version), "%s", pbeg);
+		pbeg = pend+1;
+	}
+	
+	pend = osf_strchr(pbeg, OSFPDEL);
+	if (pend)
+	{
+		*pend = '\0';
+		cnt = snprintf(finger->subtype, sizeof(finger->subtype), "%s", pbeg);
+		pbeg = pend+1;
+	}
+
+	cnt = snprintf(finger->details, 
+			((count - (pbeg - buffer)+1) > MAXDETLEN)?MAXDETLEN:(count - (pbeg - buffer)+1), 
+			"%s", pbeg);
+	
+	log("%s - %s[%s] : %s\n", 
+		finger->genre, finger->version,
+		finger->subtype, finger->details);
+	
+	osf_parse_opt(finger->opt, &finger->opt_num, obuf, sizeof(obuf));
+	
+
+	write_lock_bh(&osf_lock);
+	list_add_tail(&finger->flist, &finger_list);
+	write_unlock_bh(&osf_lock);
+
+	return count;
+}
+
+static int __init osf_init(void)
+{
+	int err;
+	struct proc_dir_entry *p;
+
+	log("Startng OS fingerprint matching module.\n");
+
+	INIT_LIST_HEAD(&finger_list);
+	
+	err = ipt_register_match(&osf_match);
+	if (err)
+	{
+		log("Failed to register OS fingerprint matching module.\n");
+		return -ENXIO;
+	}
+
+	p = create_proc_entry("sys/net/ipv4/osf", S_IFREG | 0644, NULL);
+	if (!p)
+	{
+		ipt_unregister_match(&osf_match);
+		return -ENXIO;
+	}
+
+	p->write_proc = osf_proc_write;
+	p->read_proc  = osf_proc_read;
+
+	return 0;
+}
+
+static void __exit osf_fini(void)
+{
+	struct list_head *ent, *n;
+	struct osf_finger *f;
+	
+	remove_proc_entry("sys/net/ipv4/osf", NULL);
+	ipt_unregister_match(&osf_match);
+
+	list_for_each_safe(ent, n, &finger_list)
+	{
+		f = list_entry(ent, struct osf_finger, flist);
+		list_del(&f->flist);
+		finger_free(f);
+	}
+	
+	log("OS fingerprint matching module finished.\n");
+}
+
+module_init(osf_init);
+module_exit(osf_fini);
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Evgeniy Polyakov <johnpol@2ka.mipt.ru>");
+MODULE_DESCRIPTION("Passive OS fingerprint matching.");
+
diff -Nur linux-2.6.1.org/net/ipv4/netfilter/ipt_psd.c linux-2.6.1/net/ipv4/netfilter/ipt_psd.c
--- linux-2.6.1.org/net/ipv4/netfilter/ipt_psd.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.1/net/ipv4/netfilter/ipt_psd.c	2004-01-14 14:04:53.000000000 +0100
@@ -0,0 +1,360 @@
+/*
+  This is a module which is used for PSD (portscan detection)
+  Derived from scanlogd v2.1 written by Solar Designer <solar@false.com>
+  and LOG target module.
+
+  Copyright (C) 2000,2001 astaro AG
+
+  This file is distributed under the terms of the GNU General Public
+  License (GPL). Copies of the GPL can be obtained from:
+     ftp://prep.ai.mit.edu/pub/gnu/GPL
+
+  2000-05-04 Markus Hennig <hennig@astaro.de> : initial
+  2000-08-18 Dennis Koslowski <koslowski@astaro.de> : first release
+  2000-12-01 Dennis Koslowski <koslowski@astaro.de> : UDP scans detection added
+  2001-01-02 Dennis Koslowski <koslowski@astaro.de> : output modified
+  2001-02-04 Jan Rekorajski <baggins@pld.org.pl> : converted from target to match
+*/
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <net/tcp.h>
+#include <linux/spinlock.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_psd.h>
+
+#if 0
+#define DEBUGP printk
+#else
+#define DEBUGP(format, args...)
+#endif
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Dennis Koslowski <koslowski@astaro.com>");
+
+#define HF_DADDR_CHANGING   0x01
+#define HF_SPORT_CHANGING   0x02
+#define HF_TOS_CHANGING	    0x04
+#define HF_TTL_CHANGING	    0x08
+            
+/*
+ * Information we keep per each target port
+ */
+struct port {
+	u_int16_t number;      /* port number */ 
+	u_int8_t proto;        /* protocol number */
+	u_int8_t and_flags;    /* tcp ANDed flags */
+	u_int8_t or_flags;     /* tcp ORed flags */
+};
+
+/*
+ * Information we keep per each source address.
+ */
+struct host {
+	struct host *next;		/* Next entry with the same hash */
+	clock_t timestamp;		/* Last update time */
+	struct in_addr src_addr;	/* Source address */
+	struct in_addr dest_addr;	/* Destination address */
+	unsigned short src_port;	/* Source port */
+	int count;			/* Number of ports in the list */
+	int weight;			/* Total weight of ports in the list */
+	struct port ports[SCAN_MAX_COUNT - 1];	/* List of ports */
+	unsigned char tos;		/* TOS */
+	unsigned char ttl;		/* TTL */
+	unsigned char flags;		/* HF_ flags bitmask */
+};
+
+/*
+ * State information.
+ */
+static struct {
+	spinlock_t lock;
+	struct host list[LIST_SIZE];	/* List of source addresses */
+	struct host *hash[HASH_SIZE];	/* Hash: pointers into the list */
+	int index;			/* Oldest entry to be replaced */
+} state;
+
+/*
+ * Convert an IP address into a hash table index.
+ */
+static inline int hashfunc(struct in_addr addr)
+{
+	unsigned int value;
+	int hash;
+
+	value = addr.s_addr;
+	hash = 0;
+	do {
+		hash ^= value;
+	} while ((value >>= HASH_LOG));
+
+	return hash & (HASH_SIZE - 1);
+}
+
+static int
+ipt_psd_match(const struct sk_buff *pskb,
+	      const struct net_device *in,
+	      const struct net_device *out,
+	      const void *matchinfo,
+	      int offset,
+	      const void *hdr,
+	      u_int16_t datalen,
+	      int *hotdrop)
+{
+	struct iphdr *ip_hdr;
+	struct tcphdr *tcp_hdr;
+	struct in_addr addr;
+	u_int16_t src_port,dest_port;
+  	u_int8_t tcp_flags, proto;
+	clock_t now;
+	struct host *curr, *last, **head;
+	int hash, index, count;
+
+	/* Parameters from userspace */
+	const struct ipt_psd_info *psdinfo = matchinfo;
+
+	/* IP header */
+	ip_hdr = pskb->nh.iph;
+
+	/* Sanity check */
+	if (ntohs(ip_hdr->frag_off) & IP_OFFSET) {
+		DEBUGP("PSD: sanity check failed\n");
+		return 0;
+	}
+
+	/* TCP or UDP ? */
+	proto = ip_hdr->protocol;
+
+	if (proto != IPPROTO_TCP && proto != IPPROTO_UDP) {
+		DEBUGP("PSD: protocol not supported\n");
+		return 0;
+	}
+
+	/* Get the source address, source & destination ports, and TCP flags */
+
+	addr.s_addr = ip_hdr->saddr;
+
+	tcp_hdr = (struct tcphdr*)((u_int32_t *)ip_hdr + ip_hdr->ihl);
+