[packages/kernel.git] / 2.6.5-rc1-patch-o-matic-ng-extra-20040316.patch

diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/include/linux/netfilter_helpers.h linux-2.6.5-rc1/include/linux/netfilter_helpers.h
--- linux-2.6.5-rc1.org/include/linux/netfilter_helpers.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.5-rc1/include/linux/netfilter_helpers.h	2004-03-16 12:04:49.000000000 +0000
@@ -0,0 +1,133 @@
+/*
+ * Helpers for netfiler modules.  This file provides implementations for basic
+ * functions such as strncasecmp(), etc.
+ *
+ * gcc will warn for defined but unused functions, so we only include the
+ * functions requested.  The following macros are used:
+ *   NF_NEED_STRNCASECMP        nf_strncasecmp()
+ *   NF_NEED_STRTOU16           nf_strtou16()
+ *   NF_NEED_STRTOU32           nf_strtou32()
+ */
+#ifndef _NETFILTER_HELPERS_H
+#define _NETFILTER_HELPERS_H
+
+/* Only include these functions for kernel code. */
+#ifdef __KERNEL__
+
+#include <linux/ctype.h>
+#define iseol(c) ( (c) == '\r' || (c) == '\n' )
+
+/*
+ * The standard strncasecmp()
+ */
+#ifdef NF_NEED_STRNCASECMP
+static int
+nf_strncasecmp(const char* s1, const char* s2, u_int32_t len)
+{
+    if (s1 == NULL || s2 == NULL)
+    {
+        if (s1 == NULL && s2 == NULL)
+        {
+            return 0;
+        }
+        return (s1 == NULL) ? -1 : 1;
+    }
+    while (len > 0 && tolower(*s1) == tolower(*s2))
+    {
+        len--;
+        s1++;
+        s2++;
+    }
+    return ( (len == 0) ? 0 : (tolower(*s1) - tolower(*s2)) );
+}
+#endif /* NF_NEED_STRNCASECMP */
+
+/*
+ * Parse a string containing a 16-bit unsigned integer.
+ * Returns the number of chars used, or zero if no number is found.
+ */
+#ifdef NF_NEED_STRTOU16
+static int
+nf_strtou16(const char* pbuf, u_int16_t* pval)
+{
+    int n = 0;
+
+    *pval = 0;
+    while (isdigit(pbuf[n]))
+    {
+        *pval = (*pval * 10) + (pbuf[n] - '0');
+        n++;
+    }
+
+    return n;
+}
+#endif /* NF_NEED_STRTOU16 */
+
+/*
+ * Parse a string containing a 32-bit unsigned integer.
+ * Returns the number of chars used, or zero if no number is found.
+ */
+#ifdef NF_NEED_STRTOU32
+static int
+nf_strtou32(const char* pbuf, u_int32_t* pval)
+{
+    int n = 0;
+
+    *pval = 0;
+    while (pbuf[n] >= '0' && pbuf[n] <= '9')
+    {
+        *pval = (*pval * 10) + (pbuf[n] - '0');
+        n++;
+    }
+
+    return n;
+}
+#endif /* NF_NEED_STRTOU32 */
+
+/*
+ * Given a buffer and length, advance to the next line and mark the current
+ * line.
+ */
+#ifdef NF_NEED_NEXTLINE
+static int
+nf_nextline(char* p, uint len, uint* poff, uint* plineoff, uint* plinelen)
+{
+    uint    off = *poff;
+    uint    physlen = 0;
+
+    if (off >= len)
+    {
+        return 0;
+    }
+
+    while (p[off] != '\n')
+    {
+        if (len-off <= 1)
+        {
+            return 0;
+        }
+
+        physlen++;
+        off++;
+    }
+
+    /* if we saw a crlf, physlen needs adjusted */
+    if (physlen > 0 && p[off] == '\n' && p[off-1] == '\r')
+    {
+        physlen--;
+    }
+
+    /* advance past the newline */
+    off++;
+
+    *plineoff = *poff;
+    *plinelen = physlen;
+    *poff = off;
+
+    return 1;
+}
+#endif /* NF_NEED_NEXTLINE */
+
+#endif /* __KERNEL__ */
+
+#endif /* _NETFILTER_HELPERS_H */
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.6.5-rc1/include/linux/netfilter_ipv4/ip_conntrack.h
--- linux-2.6.5-rc1.org/include/linux/netfilter_ipv4/ip_conntrack.h	2004-03-16 12:00:23.000000000 +0000
+++ linux-2.6.5-rc1/include/linux/netfilter_ipv4/ip_conntrack.h	2004-03-16 12:04:49.000000000 +0000
@@ -206,6 +209,10 @@
 	} nat;
 #endif /* CONFIG_IP_NF_NAT_NEEDED */
 
+#if defined(CONFIG_IP_NF_CONNTRACK_MARK)
+	unsigned long mark;
+#endif
+
 };
 
 /* get master conntrack via master expectation */
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/include/linux/netfilter_ipv4/ip_conntrack_rpc.h linux-2.6.5-rc1/include/linux/netfilter_ipv4/ip_conntrack_rpc.h
--- linux-2.6.5-rc1.org/include/linux/netfilter_ipv4/ip_conntrack_rpc.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.5-rc1/include/linux/netfilter_ipv4/ip_conntrack_rpc.h	2004-03-16 12:04:46.000000000 +0000
@@ -0,0 +1,68 @@
+/* RPC extension for IP connection tracking, Version 2.2
+ * (C) 2000 by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br>
+ *	- original rpc tracking module
+ *	- "recent" connection handling for kernel 2.3+ netfilter
+ *
+ * (C) 2001 by Rusty Russell <rusty@rustcorp.com.au>
+ *	- upgraded conntrack modules to oldnat api - kernel 2.4.0+
+ *
+ * (C) 2002 by Ian (Larry) Latter <Ian.Latter@mq.edu.au>
+ *	- upgraded conntrack modules to newnat api - kernel 2.4.20+
+ *	- extended matching to support filtering on procedures
+ *
+ * ip_conntrack_rpc.h,v 2.2 2003/01/12 18:30:00
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License
+ *	as published by the Free Software Foundation; either version
+ *	2 of the License, or (at your option) any later version.
+ **
+ */
+
+#include <asm/param.h>
+#include <linux/sched.h>
+#include <linux/timer.h>
+#include <linux/stddef.h>
+#include <linux/list.h>
+
+#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
+
+#ifndef _IP_CONNTRACK_RPC_H
+#define _IP_CONNTRACK_RPC_H
+
+#define RPC_PORT       111
+
+
+/* Datum in RPC packets are encoded in XDR */
+#define IXDR_GET_INT32(buf) ((u_int32_t) ntohl((uint32_t)*buf))
+
+/* Fast timeout, to deny DoS atacks */
+#define EXP (60 * HZ)
+
+/* Normal timeouts */
+#define EXPIRES (180 * HZ)
+
+/* For future conections RPC, using client's cache bindings
+ * I'll use ip_conntrack_lock to lock these lists	*/
+
+/* This identifies each request and stores protocol */
+struct request_p {
+	struct list_head list;
+
+	u_int32_t xid;   
+	u_int32_t ip;
+	u_int16_t port;
+	
+	/* Protocol */
+	u_int16_t proto;
+
+	struct timer_list timeout;
+};
+
+static inline int request_p_cmp(const struct request_p *p, u_int32_t xid, 
+				u_int32_t ip, u_int32_t port) {
+	return (p->xid == xid && p->ip == ip && p->port);
+
+}
+
+#endif /* _IP_CONNTRACK_RPC_H */
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/include/linux/netfilter_ipv4/ipt_CONNMARK.h linux-2.6.5-rc1/include/linux/netfilter_ipv4/ipt_CONNMARK.h
--- linux-2.6.5-rc1.org/include/linux/netfilter_ipv4/ipt_CONNMARK.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.5-rc1/include/linux/netfilter_ipv4/ipt_CONNMARK.h	2004-03-16 12:04:09.000000000 +0000
@@ -0,0 +1,25 @@
+#ifndef _IPT_CONNMARK_H_target
+#define _IPT_CONNMARK_H_target
+
+/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+enum {
+	IPT_CONNMARK_SET = 0,
+	IPT_CONNMARK_SAVE,
+	IPT_CONNMARK_RESTORE
+};
+
+struct ipt_connmark_target_info {
+	unsigned long mark;
+	unsigned long mask;
+	u_int8_t mode;
+};
+
+#endif /*_IPT_CONNMARK_H_target*/
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/include/linux/netfilter_ipv4/ipt_IPMARK.h linux-2.6.5-rc1/include/linux/netfilter_ipv4/ipt_IPMARK.h
--- linux-2.6.5-rc1.org/include/linux/netfilter_ipv4/ipt_IPMARK.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.5-rc1/include/linux/netfilter_ipv4/ipt_IPMARK.h	2004-03-16 12:04:10.000000000 +0000
@@ -0,0 +1,13 @@
+#ifndef _IPT_IPMARK_H_target
+#define _IPT_IPMARK_H_target
+
+struct ipt_ipmark_target_info {
+	unsigned long andmask;
+	unsigned long ormask;
+	unsigned int addr;
+};
+
+#define IPT_IPMARK_SRC    0
+#define IPT_IPMARK_DST    1
+
+#endif /*_IPT_IPMARK_H_target*/
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/include/linux/netfilter_ipv4/ipt_XOR.h linux-2.6.5-rc1/include/linux/netfilter_ipv4/ipt_XOR.h
--- linux-2.6.5-rc1.org/include/linux/netfilter_ipv4/ipt_XOR.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.5-rc1/include/linux/netfilter_ipv4/ipt_XOR.h	2004-03-16 12:04:18.000000000 +0000
@@ -0,0 +1,9 @@
+#ifndef _IPT_XOR_H
+#define _IPT_XOR_H
+
+struct ipt_XOR_info {
+	char		key[30];
+	u_int8_t	block_size;
+};
+
+#endif /* _IPT_XOR_H */
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/include/linux/netfilter_ipv4/ipt_addrtype.h linux-2.6.5-rc1/include/linux/netfilter_ipv4/ipt_addrtype.h
--- linux-2.6.5-rc1.org/include/linux/netfilter_ipv4/ipt_addrtype.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.5-rc1/include/linux/netfilter_ipv4/ipt_addrtype.h	2004-03-16 12:04:20.000000000 +0000
@@ -0,0 +1,11 @@
+#ifndef _IPT_ADDRTYPE_H
+#define _IPT_ADDRTYPE_H
+
+struct ipt_addrtype_info {
+	u_int16_t	source;		/* source-type mask */
+	u_int16_t	dest;		/* dest-type mask */
+	int		invert_source;
+	int		invert_dest;
+};
+
+#endif
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/include/linux/netfilter_ipv4/ipt_connmark.h linux-2.6.5-rc1/include/linux/netfilter_ipv4/ipt_connmark.h
--- linux-2.6.5-rc1.org/include/linux/netfilter_ipv4/ipt_connmark.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.5-rc1/include/linux/netfilter_ipv4/ipt_connmark.h	2004-03-16 12:04:09.000000000 +0000
@@ -0,0 +1,18 @@
+#ifndef _IPT_CONNMARK_H
+#define _IPT_CONNMARK_H
+
+/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+struct ipt_connmark_info {
+	unsigned long mark, mask;
+	u_int8_t invert;
+};
+
+#endif /*_IPT_CONNMARK_H*/
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/include/linux/netfilter_ipv4/ipt_policy.h linux-2.6.5-rc1/include/linux/netfilter_ipv4/ipt_policy.h
--- linux-2.6.5-rc1.org/include/linux/netfilter_ipv4/ipt_policy.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.5-rc1/include/linux/netfilter_ipv4/ipt_policy.h	2004-03-16 12:04:45.000000000 +0000
@@ -0,0 +1,52 @@
+#ifndef _IPT_POLICY_H
+#define _IPT_POLICY_H
+
+#define POLICY_MAX_ELEM	4
+
+enum ipt_policy_flags
+{
+	POLICY_MATCH_IN		= 0x1,
+	POLICY_MATCH_OUT	= 0x2,
+	POLICY_MATCH_NONE	= 0x4,
+	POLICY_MATCH_STRICT	= 0x8,
+};
+
+enum ipt_policy_modes
+{
+	POLICY_MODE_TRANSPORT,
+	POLICY_MODE_TUNNEL
+};
+
+struct ipt_policy_spec
+{
+	u_int8_t	saddr:1,
+			daddr:1,
+			proto:1,
+			mode:1,
+			spi:1,
+			reqid:1;
+};
+
+struct ipt_policy_elem
+{
+	u_int32_t	saddr;
+	u_int32_t	smask;
+	u_int32_t	daddr;
+	u_int32_t	dmask;
+	u_int32_t	spi;
+	u_int32_t	reqid;
+	u_int8_t	proto;
+	u_int8_t	mode;
+
+	struct ipt_policy_spec	match;
+	struct ipt_policy_spec	invert;
+};
+
+struct ipt_policy_info
+{
+	struct ipt_policy_elem pol[POLICY_MAX_ELEM];
+	u_int16_t flags;
+	u_int16_t len;
+};
+
+#endif /* _IPT_POLICY_H */
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/include/linux/netfilter_ipv4/ipt_rpc.h linux-2.6.5-rc1/include/linux/netfilter_ipv4/ipt_rpc.h
--- linux-2.6.5-rc1.org/include/linux/netfilter_ipv4/ipt_rpc.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.5-rc1/include/linux/netfilter_ipv4/ipt_rpc.h	2004-03-16 12:04:46.000000000 +0000
@@ -0,0 +1,35 @@
+/* RPC extension for IP netfilter matching, Version 2.2
+ * (C) 2000 by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br>
+ *	- original rpc tracking module
+ *	- "recent" connection handling for kernel 2.3+ netfilter
+ *
+ * (C) 2001 by Rusty Russell <rusty@rustcorp.com.au>
+ *	- upgraded conntrack modules to oldnat api - kernel 2.4.0+
+ *
+ * (C) 2002 by Ian (Larry) Latter <Ian.Latter@mq.edu.au>
+ *	- upgraded conntrack modules to newnat api - kernel 2.4.20+
+ *	- extended matching to support filtering on procedures
+ *
+ * ipt_rpc.h.c,v 2.2 2003/01/12 18:30:00
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License
+ *	as published by the Free Software Foundation; either version
+ *	2 of the License, or (at your option) any later version.
+ **
+ */
+
+#ifndef _IPT_RPC_H
+#define _IPT_RPC_H
+
+struct ipt_rpc_data;
+
+struct ipt_rpc_info {
+	int inverse;
+	int strict;
+	const char c_procs[1408];
+	int i_procs;
+	struct ipt_rpc_data *data;
+};
+
+#endif /* _IPT_RPC_H */
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/include/linux/netfilter_ipv4/ipt_string.h linux-2.6.5-rc1/include/linux/netfilter_ipv4/ipt_string.h
--- linux-2.6.5-rc1.org/include/linux/netfilter_ipv4/ipt_string.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.5-rc1/include/linux/netfilter_ipv4/ipt_string.h	2004-03-16 12:06:26.000000000 +0000
@@ -0,0 +1,21 @@
+#ifndef _IPT_STRING_H
+#define _IPT_STRING_H
+
+/* *** PERFORMANCE TWEAK ***
+ * Packet size and search string threshold,
+ * above which sublinear searches is used. */
+#define IPT_STRING_HAYSTACK_THRESH	100
+#define IPT_STRING_NEEDLE_THRESH	20
+
+#define BM_MAX_NLEN 256
+#define BM_MAX_HLEN 1024
+
+typedef char *(*proc_ipt_search) (char *, char *, int, int);
+
+struct ipt_string_info {
+    char string[BM_MAX_NLEN];
+    u_int16_t invert;
+    u_int16_t len;
+};
+
+#endif /* _IPT_STRING_H */
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/include/linux/netfilter_mime.h linux-2.6.5-rc1/include/linux/netfilter_mime.h
--- linux-2.6.5-rc1.org/include/linux/netfilter_mime.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.5-rc1/include/linux/netfilter_mime.h	2004-03-16 12:04:49.000000000 +0000
@@ -0,0 +1,89 @@
+/*
+ * MIME functions for netfilter modules.  This file provides implementations
+ * for basic MIME parsing.  MIME headers are used in many protocols, such as
+ * HTTP, RTSP, SIP, etc.
+ *
+ * gcc will warn for defined but unused functions, so we only include the
+ * functions requested.  The following macros are used:
+ *   NF_NEED_MIME_NEXTLINE      nf_mime_nextline()
+ */
+#ifndef _NETFILTER_MIME_H
+#define _NETFILTER_MIME_H
+
+/* Only include these functions for kernel code. */
+#ifdef __KERNEL__
+
+#include <linux/ctype.h>
+
+/*
+ * Given a buffer and length, advance to the next line and mark the current
+ * line.  If the current line is empty, *plinelen will be set to zero.  If
+ * not, it will be set to the actual line length (including CRLF).
+ *
+ * 'line' in this context means logical line (includes LWS continuations).
+ * Returns 1 on success, 0 on failure.
+ */
+#ifdef NF_NEED_MIME_NEXTLINE
+static int
+nf_mime_nextline(char* p, uint len, uint* poff, uint* plineoff, uint* plinelen)
+{
+    uint    off = *poff;
+    uint    physlen = 0;
+    int     is_first_line = 1;
+
+    if (off >= len)
+    {
+        return 0;
+    }
+
+    do
+    {
+        while (p[off] != '\n')
+        {
+            if (len-off <= 1)
+            {
+                return 0;
+            }
+
+            physlen++;
+            off++;
+        }
+
+        /* if we saw a crlf, physlen needs adjusted */
+        if (physlen > 0 && p[off] == '\n' && p[off-1] == '\r')
+        {
+            physlen--;
+        }
+
+        /* advance past the newline */
+        off++;
+
+        /* check for an empty line */
+        if (physlen == 0)
+        {
+            break;
+        }
+
+        /* check for colon on the first physical line */
+        if (is_first_line)
+        {
+            is_first_line = 0;
+            if (memchr(p+(*poff), ':', physlen) == NULL)
+            {
+                return 0;
+            }
+        }
+    }
+    while (p[off] == ' ' || p[off] == '\t');
+
+    *plineoff = *poff;
+    *plinelen = (physlen == 0) ? 0 : (off - *poff);
+    *poff = off;
+
+    return 1;
+}
+#endif /* NF_NEED_MIME_NEXTLINE */
+
+#endif /* __KERNEL__ */
+
+#endif /* _NETFILTER_MIME_H */
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/include/net/tcp.h linux-2.6.5-rc1/include/net/tcp.h
--- linux-2.6.5-rc1.org/include/net/tcp.h	2004-03-16 05:45:33.000000000 +0000
+++ linux-2.6.5-rc1/include/net/tcp.h	2004-03-16 12:04:38.000000000 +0000
@@ -162,6 +162,7 @@
 extern void tcp_bucket_unlock(struct sock *sk);
 extern int tcp_port_rover;
 extern struct sock *tcp_v4_lookup_listener(u32 addr, unsigned short hnum, int dif);
+extern struct sock *tcp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 hnum, int dif);
 
 /* These are AF independent. */
 static __inline__ int tcp_bhashfn(__u16 lport)
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/include/net/udp.h linux-2.6.5-rc1/include/net/udp.h
--- linux-2.6.5-rc1.org/include/net/udp.h	2004-03-16 05:47:17.000000000 +0000
+++ linux-2.6.5-rc1/include/net/udp.h	2004-03-16 12:04:38.000000000 +0000
@@ -74,6 +74,8 @@
 extern int	udp_ioctl(struct sock *sk, int cmd, unsigned long arg);
 extern int	udp_disconnect(struct sock *sk, int flags);
 
+extern struct sock *udp_v4_lookup(u32 saddr, u16 sport, u32 daddr, u16 dport, int dif);
+
 DECLARE_SNMP_STAT(struct udp_mib, udp_statistics);
 #define UDP_INC_STATS(field)		SNMP_INC_STATS(udp_statistics, field)
 #define UDP_INC_STATS_BH(field)		SNMP_INC_STATS_BH(udp_statistics, field)
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/net/ipv4/netfilter/Kconfig linux-2.6.5-rc1/net/ipv4/netfilter/Kconfig
--- linux-2.6.5-rc1.org/net/ipv4/netfilter/Kconfig	2004-03-16 12:00:23.000000000 +0000
+++ linux-2.6.5-rc1/net/ipv4/netfilter/Kconfig	2004-03-16 12:06:26.000000000 +0000
@@ -672,5 +672,61 @@
 	depends on IP_NF_IPTABLES
 	  help
 
+config IP_NF_CONNTRACK_MARK
+	bool  'Connection mark tracking support'
+config IP_NF_TARGET_CONNMARK
+	tristate  'CONNMARK target support'
+	depends on IP_NF_MANGLE
+config IP_NF_MATCH_CONNMARK
+	tristate  ' Connection mark match support'
+	depends on IP_NF_IPTABLES
+	  help
+
+config IP_NF_TARGET_IPMARK
+	tristate  'IPMARK target support'
+	depends on IP_NF_MANGLE
+	  help
+
+config IP_NF_TARGET_XOR
+	tristate  'XOR target support'
+	depends on IP_NF_MANGLE
+	  help
+
+config IP_NF_MATCH_ADDRTYPE
+	tristate  'address type match support'
+	depends on IP_NF_IPTABLES
+	  help
+
+config IP_NF_MATCH_POLICY
+       tristate "IPsec policy match support"
+       depends on IP_NF_IPTABLES && XFRM
+       help
+         Policy matching allows you to match packets based on the
+         IPsec policy that was used during decapsulation/will
+         be used during encapsulation.
+
+         To compile it as a module, choose M here.  If unsure, say N.
+	  help
+
+config IP_NF_MATCH_RPC
+	tristate  'RPC match support'
+	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
+	  help
+
+config IP_NF_NAT_RTSP
+	tristate
+	depends on IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
+	default IP_NF_NAT if IP_NF_RTSP=y
+	default m if IP_NF_RTSP=m
+config IP_NF_RTSP
+	tristate  ' RTSP protocol support'
+	depends on IP_NF_CONNTRACK
+	  help
+
+config IP_NF_MATCH_STRING
+	tristate  'String match support'
+	depends on IP_NF_IPTABLES
+	  help
+
 endmenu
 
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/net/ipv4/netfilter/Makefile linux-2.6.5-rc1/net/ipv4/netfilter/Makefile
--- linux-2.6.5-rc1.org/net/ipv4/netfilter/Makefile	2004-03-16 12:00:23.000000000 +0000
+++ linux-2.6.5-rc1/net/ipv4/netfilter/Makefile	2004-03-16 12:06:26.000000000 +0000
@@ -41,6 +49,8 @@
 obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
 
 # matches
+obj-$(CONFIG_IP_NF_MATCH_RPC) += ip_conntrack_rpc_tcp.o ip_conntrack_rpc_udp.o ipt_rpc.o
+
 obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
 obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
 obj-$(CONFIG_IP_NF_MATCH_SCTP) += ipt_sctp.o
@@ -48,6 +59,7 @@
 obj-$(CONFIG_IP_NF_MATCH_DSTLIMIT) += ipt_dstlimit.o
 obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o
 obj-$(CONFIG_IP_NF_MATCH_MAC) += ipt_mac.o
+obj-$(CONFIG_IP_NF_MATCH_STRING) += ipt_string.o
 obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
 
 obj-$(CONFIG_IP_NF_MATCH_PKTTYPE) += ipt_pkttype.o
@@ -78,12 +90,15 @@
 
 obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
 obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
+obj-$(CONFIG_IP_NF_MATCH_CONNMARK) += ipt_connmark.o
 obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += ipt_connlimit.o
 obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
 obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
+obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
 obj-$(CONFIG_IP_NF_MATCH_REALM) += ipt_realm.o
 
 obj-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt_physdev.o
+obj-$(CONFIG_IP_NF_MATCH_POLICY) += ipt_policy.o
 
 # targets
 obj-$(CONFIG_IP_NF_TARGET_REJECT) += ipt_REJECT.o
@@ -91,6 +106,7 @@
 obj-$(CONFIG_IP_NF_TARGET_ECN) += ipt_ECN.o
 obj-$(CONFIG_IP_NF_TARGET_DSCP) += ipt_DSCP.o
 obj-$(CONFIG_IP_NF_TARGET_MARK) += ipt_MARK.o
+obj-$(CONFIG_IP_NF_TARGET_IPMARK) += ipt_IPMARK.o
 obj-$(CONFIG_IP_NF_TARGET_IMQ) += ipt_IMQ.o
 obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o
 obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o
@@ -99,6 +115,8 @@
 obj-$(CONFIG_IP_NF_TARGET_CLASSIFY) += ipt_CLASSIFY.o
 obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o
 obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
+obj-$(CONFIG_IP_NF_TARGET_XOR) += ipt_XOR.o
+obj-$(CONFIG_IP_NF_TARGET_CONNMARK) += ipt_CONNMARK.o
 obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
 obj-$(CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP) += ipt_IPV4OPTSSTRIP.o
 obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c linux-2.6.5-rc1/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c
--- linux-2.6.5-rc1.org/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.5-rc1/net/ipv4/netfilter/ip_conntrack_rpc_tcp.c	2004-03-16 12:04:46.000000000 +0000
@@ -0,0 +1,508 @@
+/* RPC extension for IP (TCP) connection tracking, Version 2.2
+ * (C) 2000 by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br>
+ *	- original rpc tracking module
+ *	- "recent" connection handling for kernel 2.3+ netfilter
+ *
+ * (C) 2001 by Rusty Russell <rusty@rustcorp.com.au>
+ *	- upgraded conntrack modules to oldnat api - kernel 2.4.0+
+ *
+ * (C) 2002,2003 by Ian (Larry) Latter <Ian.Latter@mq.edu.au>
+ *	- upgraded conntrack modules to newnat api - kernel 2.4.20+
+ *	- extended matching to support filtering on procedures
+ *
+ * ip_conntrack_rpc_tpc.c,v 2.2 2003/01/12 18:30:00
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License
+ *	as published by the Free Software Foundation; either version
+ *	2 of the License, or (at your option) any later version.
+ **
+ *	Module load syntax:
+ *	insmod ip_conntrack_rpc_tcp.o ports=port1,port2,...port<MAX_PORTS>
+ *
+ *	Please give the ports of all RPC servers you wish to connect to.
+ *	If you don't specify ports, the default will be port 111.
+ **
+ *	Note to all:
+ *
+ *	RPCs should not be exposed to the internet - ask the Pentagon;
+ *
+ *	  "The unidentified crackers pleaded guilty in July to charges
+ *	   of juvenile delinquency stemming from a string of Pentagon
+ *	   network intrusions in February.
+ *
+ *	   The youths, going by the names TooShort and Makaveli, used
+ *	   a common server security hole to break in, according to
+ *	   Dane Jasper, owner of the California Internet service
+ *	   provider, Sonic. They used the hole, known as the 'statd'
+ *	   exploit, to attempt more than 800 break-ins, Jasper said."
+ *
+ *	From: Wired News; "Pentagon Kids Kicked Off Grid" - Nov 6, 1998
+ *	URL:  http://www.wired.com/news/politics/0,1283,16098,00.html
+ **
+ */
+
+#include <linux/module.h>
+#include <linux/netfilter.h>
+#include <linux/ip.h>
+#include <net/checksum.h>
+#include <net/tcp.h>
+
+#include <asm/param.h>
+#include <linux/sched.h>
+#include <linux/timer.h>
+#include <linux/stddef.h>
+#include <linux/list.h>
+
+#include <linux/netfilter_ipv4/lockhelp.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
+#include <linux/netfilter_ipv4/ip_conntrack_rpc.h>
+
+#define MAX_PORTS 8
+static int ports[MAX_PORTS];
+static int ports_n_c = 0;
+
+#ifdef MODULE_PARM
+MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i");
+MODULE_PARM_DESC(ports, "port numbers (TCP/UDP) of RPC portmapper servers");
+#endif
+
+MODULE_AUTHOR("Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br>");
+MODULE_DESCRIPTION("RPC TCP connection tracking module");
+MODULE_LICENSE("GPL");
+
+#if 0
+#define DEBUGP(format, args...) printk(KERN_DEBUG "ip_conntrack_rpc_tcp: " \
+					format, ## args)
+#else
+#define DEBUGP(format, args...)
+#endif
+
+DECLARE_RWLOCK(ipct_rpc_tcp_lock);
+#define ASSERT_READ_LOCK(x) MUST_BE_READ_LOCKED(&ipct_rpc_tcp_lock)
+#define ASSERT_WRITE_LOCK(x) MUST_BE_WRITE_LOCKED(&ipct_rpc_tcp_lock)
+#include <linux/netfilter_ipv4/listhelp.h>
+
+/* For future conections RPC, using client's cache bindings
+ * I'll use ip_conntrack_lock to lock these lists	   */
+
+LIST_HEAD(request_p_list_tcp);
+
+
+static void delete_request_p(unsigned long request_p_ul) 
+{
+	struct request_p *p = (void *)request_p_ul;
+	
+	WRITE_LOCK(&ipct_rpc_tcp_lock);
+	LIST_DELETE(&request_p_list_tcp, p);
+	WRITE_UNLOCK(&ipct_rpc_tcp_lock);
+	kfree(p);
+	return;
+}
+
+
+static void req_cl(struct request_p * r)
+{
+	WRITE_LOCK(&ipct_rpc_tcp_lock);
+	del_timer(&r->timeout);
+	LIST_DELETE(&request_p_list_tcp, r);
+	WRITE_UNLOCK(&ipct_rpc_tcp_lock);
+	kfree(r);
+	return;
+}
+
+
+static void clean_request(struct list_head *list)
+{
+	struct list_head *first = list->prev;
+	struct list_head *temp = list->next;
+	struct list_head *aux;
+
+	if (list_empty(list))
+		return;
+
+	while (first != temp) {
+		aux = temp->next;
+		req_cl((struct request_p *)temp);
+		temp = aux;	
+	}
+	req_cl((struct request_p *)temp);
+	return;
+}
+
+
+static void alloc_request_p(u_int32_t xid, u_int16_t proto, u_int32_t ip,
+		     u_int16_t port)
+{
+	struct request_p *req_p;
+	
+	/* Verifies if entry already exists */
+	WRITE_LOCK(&ipct_rpc_tcp_lock);
+	req_p = LIST_FIND(&request_p_list_tcp, request_p_cmp,
+		struct request_p *, xid, ip, port);
+
+	if (req_p) {
+		/* Refresh timeout */
+		if (del_timer(&req_p->timeout)) {
+			req_p->timeout.expires = jiffies + EXP;
+			add_timer(&req_p->timeout);	
+		} 
+		WRITE_UNLOCK(&ipct_rpc_tcp_lock);
+		return;	
+
+	}
+	WRITE_UNLOCK(&ipct_rpc_tcp_lock);
+	
+	/* Allocate new request_p */
+	req_p = (struct request_p *) kmalloc(sizeof(struct request_p), GFP_ATOMIC);
+	if (!req_p) {
+ 		DEBUGP("can't allocate request_p\n");
+		return;			
+	}
+	*req_p = ((struct request_p) {{ NULL, NULL }, xid, ip, port, proto, 
+		{ { NULL, NULL }, jiffies + EXP, (unsigned long)req_p,
+			NULL }}); 
+      
+	/* Initialize timer */
+	init_timer(&req_p->timeout);
+	req_p->timeout.function = delete_request_p;
+	add_timer(&req_p->timeout); 
+
+	/* Put in list */
+	WRITE_LOCK(&ipct_rpc_tcp_lock);
+	list_prepend(&request_p_list_tcp, req_p);
+	WRITE_UNLOCK(&ipct_rpc_tcp_lock); 
+	return; 
+
+}
+
+
+static int check_rpc_packet(const u_int32_t *data,
+			int dir, struct ip_conntrack *ct,
+			struct list_head request_p_list)
+{
+	struct request_p *req_p;
+	u_int32_t xid;
+	struct ip_conntrack_expect expect, *exp = &expect;
+
+        /* Translstion's buffer for XDR */
+        u_int16_t port_buf;
+
+
+	/* Get XID */
+	xid = *data;
+
+ 	/* This does sanity checking on RPC payloads,
+	 * and permits only the RPC "get port" (3)
+	 * in authorised procedures in client
+	 * communications with the portmapper.
+	 */
+
+	/* perform direction dependant RPC work */
+	if (dir == IP_CT_DIR_ORIGINAL) {
+
+		data += 5;
+
+		/* Get RPC requestor */
+		if (IXDR_GET_INT32(data) != 3) {
+			DEBUGP("RPC packet contains an invalid (non \"get\") requestor. [skip]\n");
+			return NF_ACCEPT;
+		}
+		DEBUGP("RPC packet contains a \"get\" requestor. [cont]\n");
+
+		data++;
+
+		/* Jump Credentials and Verfifier */
+		data += IXDR_GET_INT32(data) + 2;
+		data += IXDR_GET_INT32(data) + 2;
+
+		/* Get RPC procedure */
+		DEBUGP("RPC packet contains procedure request [%u]. [cont]\n",
+			(unsigned int)IXDR_GET_INT32(data));
+
+		/* Get RPC protocol and store against client parameters */
+		data = data + 2;
+		alloc_request_p(xid, IXDR_GET_INT32(data), ct->tuplehash[dir].tuple.src.ip,
+				ct->tuplehash[dir].tuple.src.u.all);
+
+		DEBUGP("allocated RPC req_p for xid=%u proto=%u %u.%u.%u.%u:%u\n",
+			xid, IXDR_GET_INT32(data),
+			NIPQUAD(ct->tuplehash[dir].tuple.src.ip),
+			ntohs(ct->tuplehash[dir].tuple.src.u.all));
+
+		DEBUGP("allocated RPC request for protocol %u. [done]\n",
+			(unsigned int)IXDR_GET_INT32(data));
+
+	} else {
+
+		/* Check for returning packet's stored counterpart */
+		req_p = LIST_FIND(&request_p_list_tcp, request_p_cmp,
+				  struct request_p *, xid,
+				  ct->tuplehash[!dir].tuple.src.ip,
+				  ct->tuplehash[!dir].tuple.src.u.all);
+
+		/* Drop unexpected packets */
+		if (!req_p) {
+			DEBUGP("packet is not expected. [skip]\n");
+			return NF_ACCEPT;
+		}
+
+		/* Verifies if packet is really an RPC reply packet */
+		data = data++;
+		if (IXDR_GET_INT32(data) != 1) {
+			DEBUGP("packet is not a valid RPC reply. [skip]\n");
+			return NF_ACCEPT;
+		}
+
+		/* Is status accept? */
+		data++;
+		if (IXDR_GET_INT32(data)) {
+			DEBUGP("packet is not an RPC accept. [skip]\n");
+			return NF_ACCEPT;
+		}
+
+		/* Get Verifier length. Jump verifier */
+		data++;
+		data = data + IXDR_GET_INT32(data) + 2;
+
+		/* Is accpet status "success"? */
+		if (IXDR_GET_INT32(data)) {
+			DEBUGP("packet is not an RPC accept status of success. [skip]\n");
+			return NF_ACCEPT;
+		}
+
+		/* Get server port number */	  
+		data++;
+		port_buf = (u_int16_t) IXDR_GET_INT32(data);
+
+		/* If a packet has made it this far then it deserves an
+		 * expectation ...  if port == 0, then this service is 
+		 * not going to be registered.
+		 */
+		if (port_buf) {
+			DEBUGP("port found: %u\n", port_buf);
+
+			memset(&expect, 0, sizeof(expect));
+
+			/* Watch out, Radioactive-Man! */
+			exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
+			exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
+			exp->mask.src.ip = 0xffffffff;
+			exp->mask.dst.ip = 0xffffffff;
+
+			switch (req_p->proto) {
+				case IPPROTO_UDP:
+					exp->tuple.src.u.udp.port = 0;
+					exp->tuple.dst.u.udp.port = htons(port_buf);
+					exp->tuple.dst.protonum = IPPROTO_UDP;
+					exp->mask.src.u.udp.port = 0;
+					exp->mask.dst.u.udp.port = htons(0xffff);
+					exp->mask.dst.protonum = 0xffff;
+					break;
+
+				case IPPROTO_TCP:
+					exp->tuple.src.u.tcp.port = 0;
+					exp->tuple.dst.u.tcp.port = htons(port_buf);
+					exp->tuple.dst.protonum = IPPROTO_TCP;
+					exp->mask.src.u.tcp.port = 0;
+					exp->mask.dst.u.tcp.port = htons(0xffff);
+					exp->mask.dst.protonum = 0xffff;
+					break;
+			}
+			exp->expectfn = NULL;
+
+			ip_conntrack_expect_related(ct, &expect);
+
+			DEBUGP("expect related ip   %u.%u.%u.%u:0-%u.%u.%u.%u:%u proto=%u\n",
+				NIPQUAD(exp->tuple.src.ip),
+				NIPQUAD(exp->tuple.dst.ip),
+				port_buf, req_p->proto);
+
+			DEBUGP("expect related mask %u.%u.%u.%u:0-%u.%u.%u.%u:65535 proto=%u\n",
+				NIPQUAD(exp->mask.src.ip),
+				NIPQUAD(exp->mask.dst.ip),
+				exp->mask.dst.protonum);
+
+		}
+
+		req_cl(req_p);
+
+		DEBUGP("packet evaluated. [expect]\n");
+		return NF_ACCEPT;
+	}
+
+	return NF_ACCEPT;
+
+}
+
+
+/* RPC TCP helper */
+static int help(const struct iphdr *iph, size_t len,
+		struct ip_conntrack *ct, enum ip_conntrack_info ctinfo)
+{
+	struct tcphdr *tcph = (void *) iph + iph->ihl * 4;
+	const u_int32_t *data = (const u_int32_t *)tcph + tcph->doff;
+	size_t tcplen = len - iph->ihl * 4;
+
+	int dir = CTINFO2DIR(ctinfo);
+	int crp_ret;
+
+
+	DEBUGP("new packet to evaluate ..\n");
+
+	/* This works for packets like handshake packets, ignore */
+	if (len == ((tcph->doff + iph->ihl) * 4)) {
+		DEBUGP("packet has no data (may still be handshaking). [skip]\n");
+		return NF_ACCEPT;
+	}
+
+	/* Until there's been traffic both ways, don't look in packets. */
+	if (ctinfo != IP_CT_ESTABLISHED
+	    && ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {
+		DEBUGP("connection tracking state is; ctinfo=%u ..\n", ctinfo);
+		DEBUGP("[note: failure to get past this error may indicate asymmetric routing]\n");
+		DEBUGP("packet is not yet part of a two way stream. [skip]\n");
+		return NF_ACCEPT;
+	}
+
+	/* Not whole TCP header? */
+	if (tcplen < sizeof(struct tcphdr) || tcplen < tcph->doff * 4) {
+		DEBUGP("TCP header length is; tcplen=%u ..\n", (unsigned) tcplen);
+		DEBUGP("packet does not contain a complete TCP header. [skip]\n");
+		return NF_ACCEPT;
+	}
+
+	/* FIXME: Source route IP option packets --RR */
+	if (tcp_v4_check(tcph, tcplen, iph->saddr, iph->daddr,
+			 csum_partial((char *) tcph, tcplen, 0))) {
+		DEBUGP("csum; %p %u %u.%u.%u.%u %u.%u.%u.%u\n",
+		     tcph, tcplen, NIPQUAD(iph->saddr),
+		     NIPQUAD(iph->daddr));
+		DEBUGP("[note: failure to get past this error may indicate source routing]\n");
+		DEBUGP("packet contains a bad checksum. [skip]\n");
+		return NF_ACCEPT;
+	}
+
+	/* perform direction dependant protocol work */
+	if (dir == IP_CT_DIR_ORIGINAL) {
+
+		DEBUGP("packet is from the initiator. [cont]\n");
+
+		/* Tests if packet len is ok */
+		if ((tcplen - (tcph->doff * 4)) != 60) {
+			DEBUGP("packet length is not correct. [skip]\n");
+			return NF_ACCEPT;
+		}
+
+	} else {
+
+		DEBUGP("packet is from the receiver. [cont]\n");
+
+		/* Tests if packet len is ok */
+		if ((tcplen - (tcph->doff * 4)) != 32) {
+			DEBUGP("packet length is not correct. [skip]\n");
+			return NF_ACCEPT;
+		}
+	}
+
+	/* Get to the data */
+	data++;
+
+	/* Check the RPC data */
+	crp_ret = check_rpc_packet(data, dir, ct, request_p_list_tcp);
+
+	return crp_ret;
+
+}
+
+
+static struct ip_conntrack_helper rpc_helpers[MAX_PORTS];
+
+static void fini(void);
+
+
+static int __init init(void)
+{
+	int port, ret;
+	static char name[10];
+
+
+	/* If no port given, default to standard RPC port */
+	if (ports[0] == 0)
+		ports[0] = RPC_PORT;
+
+	for (port = 0; (port < MAX_PORTS) && ports[port]; port++) {
+		memset(&rpc_helpers[port], 0, sizeof(struct ip_conntrack_helper));
+
+                if (ports[port] == RPC_PORT)
+                        sprintf(name, "rpc");
+                else
+                        sprintf(name, "rpc-%d", port);
+
+		rpc_helpers[port].name = name;
+		rpc_helpers[port].me = THIS_MODULE;
+		rpc_helpers[port].max_expected = 1;
+		rpc_helpers[port].flags = IP_CT_HELPER_F_REUSE_EXPECT;
+		rpc_helpers[port].timeout = 0;
+
+		rpc_helpers[port].tuple.dst.protonum = IPPROTO_TCP;
+		rpc_helpers[port].mask.dst.protonum = 0xffff;
+
+		/* RPC can come from ports 0:65535 to ports[port] (111) */
+		rpc_helpers[port].tuple.src.u.udp.port = htons(ports[port]);
+		rpc_helpers[port].mask.src.u.udp.port = htons(0xffff);
+		rpc_helpers[port].mask.dst.u.udp.port = htons(0x0);
+
+		rpc_helpers[port].help = help;
+
+		DEBUGP("registering helper for port #%d: %d/TCP\n", port, ports[port]);
+		DEBUGP("helper match ip   %u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n",
+			NIPQUAD(rpc_helpers[port].tuple.dst.ip),
+			ntohs(rpc_helpers[port].tuple.dst.u.tcp.port),
+			NIPQUAD(rpc_helpers[port].tuple.src.ip),
+			ntohs(rpc_helpers[port].tuple.src.u.tcp.port));
+		DEBUGP("helper match mask %u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n",
+			NIPQUAD(rpc_helpers[port].mask.dst.ip),
+			ntohs(rpc_helpers[port].mask.dst.u.tcp.port),
+			NIPQUAD(rpc_helpers[port].mask.src.ip),
+			ntohs(rpc_helpers[port].mask.src.u.tcp.port));
+
+		ret = ip_conntrack_helper_register(&rpc_helpers[port]);
+
+		if (ret) {
+			printk("ERROR registering port %d\n",
+				ports[port]);
+			fini();
+			return -EBUSY;
+		}
+		ports_n_c++;
+	}
+	return 0;
+}
+
+
+/* This function is intentionally _NOT_ defined as __exit, because 
+ * it is needed by the init function */
+static void fini(void)
+{
+	int port;
+
+	DEBUGP("cleaning request list\n");
+	clean_request(&request_p_list_tcp);
+
+	for (port = 0; (port < ports_n_c) && ports[port]; port++) {
+		DEBUGP("unregistering port %d\n", ports[port]);
+		ip_conntrack_helper_unregister(&rpc_helpers[port]);
+	}
+}
+
+
+module_init(init);
+module_exit(fini);
+
+struct module *ip_conntrack_rpc_tcp = THIS_MODULE;
+EXPORT_SYMBOL(request_p_list_tcp);
+EXPORT_SYMBOL(ip_conntrack_rpc_tcp);
+EXPORT_SYMBOL(ipct_rpc_tcp_lock);
+
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/net/ipv4/netfilter/ip_conntrack_rpc_udp.c linux-2.6.5-rc1/net/ipv4/netfilter/ip_conntrack_rpc_udp.c
--- linux-2.6.5-rc1.org/net/ipv4/netfilter/ip_conntrack_rpc_udp.c	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.5-rc1/net/ipv4/netfilter/ip_conntrack_rpc_udp.c	2004-03-16 12:04:46.000000000 +0000
@@ -0,0 +1,503 @@
+/* RPC extension for IP (UDP) connection tracking, Version 2.2
+ * (C) 2000 by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br>
+ *	- original rpc tracking module
+ *	- "recent" connection handling for kernel 2.3+ netfilter
+ *
+ * (C) 2001 by Rusty Russell <rusty@rustcorp.com.au>
+ *	- upgraded conntrack modules to oldnat api - kernel 2.4.0+
+ *
+ * (C) 2002,2003 by Ian (Larry) Latter <Ian.Latter@mq.edu.au>
+ *	- upgraded conntrack modules to newnat api - kernel 2.4.20+
+ *	- extended matching to support filtering on procedures
+ *
+ * ip_conntrack_rpc_udp.c,v 2.2 2003/01/12 18:30:00
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License
+ *	as published by the Free Software Foundation; either version
+ *	2 of the License, or (at your option) any later version.
+ **
+ *	Module load syntax:
+ *	insmod ip_conntrack_rpc_udp.o ports=port1,port2,...port<MAX_PORTS>
+ *
+ *	Please give the ports of all RPC servers you wish to connect to.
+ *	If you don't specify ports, the default will be port 111.
+ **
+ *	Note to all:
+ *
+ *	RPCs should not be exposed to the internet - ask the Pentagon;
+ *
+ *	  "The unidentified crackers pleaded guilty in July to charges
+ *	   of juvenile delinquency stemming from a string of Pentagon
+ *	   network intrusions in February.
+ *
+ *	   The youths, going by the names TooShort and Makaveli, used
+ *	   a common server security hole to break in, according to
+ *	   Dane Jasper, owner of the California Internet service
+ *	   provider, Sonic. They used the hole, known as the 'statd'
+ *	   exploit, to attempt more than 800 break-ins, Jasper said."
+ *
+ *	From: Wired News; "Pentagon Kids Kicked Off Grid" - Nov 6, 1998
+ *	URL:  http://www.wired.com/news/politics/0,1283,16098,00.html
+ **
+ */
+
+#include <linux/module.h>
+#include <linux/netfilter.h>
+#include <linux/ip.h>
+#include <net/checksum.h>
+#include <net/udp.h>
+
+#include <asm/param.h>
+#include <linux/sched.h>
+#include <linux/timer.h>
+#include <linux/stddef.h>
+#include <linux/list.h>
+
+#include <linux/netfilter_ipv4/lockhelp.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
+#include <linux/netfilter_ipv4/ip_conntrack_rpc.h>
+
+#define MAX_PORTS 8
+static int ports[MAX_PORTS];
+static int ports_n_c = 0;
+
+#ifdef MODULE_PARM
+MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i");
+MODULE_PARM_DESC(ports, "port numbers (TCP/UDP) of RPC portmapper servers");
+#endif
+
+MODULE_AUTHOR("Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br>");
+MODULE_DESCRIPTION("RPC UDP connection tracking module");
+MODULE_LICENSE("GPL");
+
+#if 0
+#define DEBUGP(format, args...) printk(KERN_DEBUG "ip_conntrack_rpc_udp: " \
+					format, ## args)
+#else
+#define DEBUGP(format, args...)
+#endif
+
+DECLARE_RWLOCK(ipct_rpc_udp_lock);
+#define ASSERT_READ_LOCK(x) MUST_BE_READ_LOCKED(&ipct_rpc_udp_lock)
+#define ASSERT_WRITE_LOCK(x) MUST_BE_WRITE_LOCKED(&ipct_rpc_udp_lock)
+#include <linux/netfilter_ipv4/listhelp.h>
+
+/* For future conections RPC, using client's cache bindings
+ * I'll use ip_conntrack_lock to lock these lists           */
+
+LIST_HEAD(request_p_list_udp);
+
+
+static void delete_request_p(unsigned long request_p_ul)
+{
+	struct request_p *p = (void *)request_p_ul;
+	
+	WRITE_LOCK(&ipct_rpc_udp_lock);
+	LIST_DELETE(&request_p_list_udp, p);
+	WRITE_UNLOCK(&ipct_rpc_udp_lock);
+	kfree(p);
+	return;
+}
+
+
+static void req_cl(struct request_p * r)
+{
+	WRITE_LOCK(&ipct_rpc_udp_lock);
+	del_timer(&r->timeout);
+	LIST_DELETE(&request_p_list_udp, r);
+	WRITE_UNLOCK(&ipct_rpc_udp_lock);
+	kfree(r);
+	return;
+}
+
+
+static void clean_request(struct list_head *list)
+{
+	struct list_head *first = list->prev;
+	struct list_head *temp = list->next;
+	struct list_head *aux;
+
+	if (list_empty(list))
+		return;
+
+	while (first != temp) {
+		aux = temp->next;
+		req_cl((struct request_p *)temp);
+		temp = aux;	
+	}
+	req_cl((struct request_p *)temp);
+	return;
+}
+
+
+static void alloc_request_p(u_int32_t xid, u_int16_t proto, u_int32_t ip,
+		     u_int16_t port)
+{
+	struct request_p *req_p;
+        
+	/* Verifies if entry already exists */
+	WRITE_LOCK(&ipct_rpc_udp_lock);
+	req_p = LIST_FIND(&request_p_list_udp, request_p_cmp,
+		struct request_p *, xid, ip, port);
+
+	if (req_p) {
+		/* Refresh timeout */
+		if (del_timer(&req_p->timeout)) {
+			req_p->timeout.expires = jiffies + EXP;
+			add_timer(&req_p->timeout);	
+		} 
+		WRITE_UNLOCK(&ipct_rpc_udp_lock);
+		return;	
+
+	}
+	WRITE_UNLOCK(&ipct_rpc_udp_lock);
+	
+	/* Allocate new request_p */
+	req_p = (struct request_p *) kmalloc(sizeof(struct request_p), GFP_ATOMIC);
+	if (!req_p) {
+ 		DEBUGP("can't allocate request_p\n");
+		return;			
+	}
+	*req_p = ((struct request_p) {{ NULL, NULL }, xid, ip, port, proto, 
+		{ { NULL, NULL }, jiffies + EXP, (unsigned long)req_p,
+			NULL }}); 
+      
+	/* Initialize timer */
+	init_timer(&req_p->timeout);
+	req_p->timeout.function = delete_request_p;
+	add_timer(&req_p->timeout); 
+
+	/* Put in list */
+	WRITE_LOCK(&ipct_rpc_udp_lock);
+	list_prepend(&request_p_list_udp, req_p);
+	WRITE_UNLOCK(&ipct_rpc_udp_lock); 
+	return; 
+
+}
+
+
+static int check_rpc_packet(const u_int32_t *data,
+			int dir, struct ip_conntrack *ct,
+			struct list_head request_p_list)
+{
+	struct request_p *req_p;
+	u_int32_t xid;
+	struct ip_conntrack_expect expect, *exp = &expect;
+
+	/* Translstion's buffer for XDR */
+	u_int16_t port_buf;
+
+
+	/* Get XID */
+	xid = *data;
+
+ 	/* This does sanity checking on RPC payloads,
+	 * and permits only the RPC "get port" (3)
+	 * in authorised procedures in client
+	 * communications with the portmapper.
+	 */
+
+	/* perform direction dependant RPC work */
+	if (dir == IP_CT_DIR_ORIGINAL) {
+
+		data += 5;
+
+		/* Get RPC requestor */
+		if (IXDR_GET_INT32(data) != 3) {
+			DEBUGP("RPC packet contains an invalid (non \"get\") requestor. [skip]\n");
+			return NF_ACCEPT;
+		}
+		DEBUGP("RPC packet contains a \"get\" requestor. [cont]\n");
+
+		data++;
+
+		/* Jump Credentials and Verfifier */
+		data = data + IXDR_GET_INT32(data) + 2;
+		data = data + IXDR_GET_INT32(data) + 2;
+
+		/* Get RPC procedure */
+		DEBUGP("RPC packet contains procedure request [%u]. [cont]\n",
+			(unsigned int)IXDR_GET_INT32(data));
+
+		/* Get RPC protocol and store against client parameters */
+		data = data + 2;
+		alloc_request_p(xid, IXDR_GET_INT32(data), ct->tuplehash[dir].tuple.src.ip,
+				ct->tuplehash[dir].tuple.src.u.all);
+
+		DEBUGP("allocated RPC req_p for xid=%u proto=%u %u.%u.%u.%u:%u\n",
+			xid, IXDR_GET_INT32(data),
+			NIPQUAD(ct->tuplehash[dir].tuple.src.ip),
+			ntohs(ct->tuplehash[dir].tuple.src.u.all));
+
+		DEBUGP("allocated RPC request for protocol %u. [done]\n",
+			(unsigned int)IXDR_GET_INT32(data));
+
+	} else {
+
+		/* Check for returning packet's stored counterpart */
+		req_p = LIST_FIND(&request_p_list_udp, request_p_cmp,
+				  struct request_p *, xid,
+				  ct->tuplehash[!dir].tuple.src.ip,
+				  ct->tuplehash[!dir].tuple.src.u.all);
+
+		/* Drop unexpected packets */
+		if (!req_p) {
+			DEBUGP("packet is not expected. [skip]\n");
+			return NF_ACCEPT;
+		}
+
+		/* Verifies if packet is really an RPC reply packet */
+		data = data++;
+		if (IXDR_GET_INT32(data) != 1) {
+			DEBUGP("packet is not a valid RPC reply. [skip]\n");
+			return NF_ACCEPT;
+		}
+
+		/* Is status accept? */
+		data++;
+		if (IXDR_GET_INT32(data)) {
+			DEBUGP("packet is not an RPC accept. [skip]\n");
+			return NF_ACCEPT;
+		}
+
+		/* Get Verifier length. Jump verifier */
+		data++;
+		data = data + IXDR_GET_INT32(data) + 2;
+
+		/* Is accpet status "success"? */
+		if (IXDR_GET_INT32(data)) {
+			DEBUGP("packet is not an RPC accept status of success. [skip]\n");
+			return NF_ACCEPT;
+		}
+
+		/* Get server port number */	  
+		data++;
+		port_buf = (u_int16_t) IXDR_GET_INT32(data);
+
+		/* If a packet has made it this far then it deserves an
+		 * expectation ...  if port == 0, then this service is 
+		 * not going to be registered.
+		 */
+		if (port_buf) {
+			DEBUGP("port found: %u\n", port_buf);
+
+			memset(&expect, 0, sizeof(expect));
+
+			/* Watch out, Radioactive-Man! */
+			exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
+			exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
+			exp->mask.src.ip = 0xffffffff;
+			exp->mask.dst.ip = 0xffffffff;
+
+			switch (req_p->proto) {
+				case IPPROTO_UDP:
+					exp->tuple.src.u.udp.port = 0;
+					exp->tuple.dst.u.udp.port = htons(port_buf);
+					exp->tuple.dst.protonum = IPPROTO_UDP;
+					exp->mask.src.u.udp.port = 0;
+					exp->mask.dst.u.udp.port = htons(0xffff);
+					exp->mask.dst.protonum = 0xffff;
+					break;
+
+				case IPPROTO_TCP:
+					exp->tuple.src.u.tcp.port = 0;
+					exp->tuple.dst.u.tcp.port = htons(port_buf);
+					exp->tuple.dst.protonum = IPPROTO_TCP;
+					exp->mask.src.u.tcp.port = 0;
+					exp->mask.dst.u.tcp.port = htons(0xffff);
+					exp->mask.dst.protonum = 0xffff;
+					break;
+			}
+			exp->expectfn = NULL;
+
+			ip_conntrack_expect_related(ct, &expect);
+
+			DEBUGP("expect related ip   %u.%u.%u.%u:0-%u.%u.%u.%u:%u proto=%u\n",
+				NIPQUAD(exp->tuple.src.ip),
+				NIPQUAD(exp->tuple.dst.ip),
+				port_buf, req_p->proto);
+
+			DEBUGP("expect related mask %u.%u.%u.%u:0-%u.%u.%u.%u:65535 proto=%u\n",
+				NIPQUAD(exp->mask.src.ip),
+				NIPQUAD(exp->mask.dst.ip),
+				exp->mask.dst.protonum);
+
+		}
+
+		req_cl(req_p);
+
+		DEBUGP("packet evaluated. [expect]\n");
+		return NF_ACCEPT;
+	}
+
+	return NF_ACCEPT;
+
+}
+
+
+/* RPC UDP helper */
+static int help(const struct iphdr *iph, size_t len,
+		struct ip_conntrack *ct, enum ip_conntrack_info ctinfo)
+{
+	struct udphdr *udph = (void *) iph + iph->ihl * 4;
+	const u_int32_t *data = (const u_int32_t *)udph + 2;
+	size_t udplen = len - iph->ihl * 4;
+	int dir = CTINFO2DIR(ctinfo);
+	int crp_ret;
+
+	/* Checksum */
+	const u_int16_t *chsm = (const u_int16_t *)udph + 3;
+
+
+	DEBUGP("new packet to evaluate ..\n");
+
+	/* Not whole UDP header? */
+	if (udplen < sizeof(struct udphdr)) {
+		DEBUGP("UDP header length is; udplen=%u ..\n", (unsigned) udplen);
+		DEBUGP("packet does not contain a complete UDP header. [skip]\n");
+		return NF_ACCEPT;
+	}
+
+	/* FIXME: Source route IP option packets --RR */
+	if (*chsm) {
+		if (csum_tcpudp_magic(iph->saddr, iph->daddr, udplen, IPPROTO_UDP,
+		    csum_partial((char *)udph, udplen, 0))) {
+			DEBUGP("[note: failure to get past this error may indicate source routing]\n");
+			DEBUGP("packet contains a bad checksum. [skip]\n");
+			return NF_ACCEPT;
+		   } 
+	}
+
+	/* perform direction dependant protocol work */
+	if (dir == IP_CT_DIR_ORIGINAL) {
+
+		DEBUGP("packet is from the initiator. [cont]\n");
+
+		/* Tests if packet len is ok */
+		if ((udplen - sizeof(struct udphdr)) != 56) {
+			DEBUGP("packet length is not correct. [skip]\n");
+			return NF_ACCEPT;
+		}
+
+	} else {
+
+		DEBUGP("packet is from the receiver. [cont]\n");
+
+		/* Until there's been traffic both ways, don't look in packets. */
+		if (ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {
+			DEBUGP("connection tracking state is; ctinfo=%u ..\n", ctinfo);
+			DEBUGP("[note: failure to get past this error may indicate asymmetric routing]\n");
+			DEBUGP("packet is not yet part of a two way stream. [skip]\n");
+			return NF_ACCEPT;
+		}
+
+		/* Tests if packet len is ok */
+			if ((udplen - sizeof(struct udphdr)) != 28) {
+			DEBUGP("packet length is not correct. [skip]\n");
+			return NF_ACCEPT;
+		}
+
+	}
+
+	/* Get to the data */
+	/* udp *data == *correct */
+
+	/* Check the RPC data */
+	crp_ret = check_rpc_packet(data, dir, ct, request_p_list_udp);
+
+	return crp_ret;
+
+}
+
+
+static struct ip_conntrack_helper rpc_helpers[MAX_PORTS];
+
+static void fini(void);
+
+
+static int __init init(void)
+{
+	int port, ret;
+	static char name[10];
+
+
+	/* If no port given, default to standard RPC port */
+	if (ports[0] == 0)
+		ports[0] = RPC_PORT;
+
+	for (port = 0; (port < MAX_PORTS) && ports[port]; port++) {
+		memset(&rpc_helpers[port], 0, sizeof(struct ip_conntrack_helper));
+
+                if (ports[port] == RPC_PORT)
+                        sprintf(name, "rpc");
+                else
+                        sprintf(name, "rpc-%d", port);
+
+		rpc_helpers[port].name = name;
+		rpc_helpers[port].me = THIS_MODULE;
+		rpc_helpers[port].max_expected = 1;
+		rpc_helpers[port].flags = IP_CT_HELPER_F_REUSE_EXPECT;
+		rpc_helpers[port].timeout = 0;
+
+		rpc_helpers[port].tuple.dst.protonum = IPPROTO_UDP;
+		rpc_helpers[port].mask.dst.protonum = 0xffff;
+
+		/* RPC can come from ports 0:65535 to ports[port] (111) */
+		rpc_helpers[port].tuple.src.u.udp.port = htons(ports[port]);
+		rpc_helpers[port].mask.src.u.udp.port = htons(0xffff);
+		rpc_helpers[port].mask.dst.u.udp.port = htons(0x0);
+
+		rpc_helpers[port].help = help;
+
+		DEBUGP("registering helper for port #%d: %d/UDP\n", port, ports[port]);
+		DEBUGP("helper match ip   %u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n",
+			NIPQUAD(rpc_helpers[port].tuple.dst.ip),
+			ntohs(rpc_helpers[port].tuple.dst.u.udp.port),
+			NIPQUAD(rpc_helpers[port].tuple.src.ip),
+			ntohs(rpc_helpers[port].tuple.src.u.udp.port));
+		DEBUGP("helper match mask %u.%u.%u.%u:%u->%u.%u.%u.%u:%u\n",
+			NIPQUAD(rpc_helpers[port].mask.dst.ip),
+			ntohs(rpc_helpers[port].mask.dst.u.udp.port),
+			NIPQUAD(rpc_helpers[port].mask.src.ip),
+			ntohs(rpc_helpers[port].mask.src.u.udp.port));
+
+		ret = ip_conntrack_helper_register(&rpc_helpers[port]);
+
+		if (ret) {
+			printk("ERROR registering port %d\n",
+				ports[port]);
+			fini();
+			return -EBUSY;
+		}
+		ports_n_c++;
+	}
+	return 0;
+}
+
+
+/* This function is intentionally _NOT_ defined as __exit, because 
+ * it is needed by the init function */
+static void fini(void)
+{
+	int port;
+
+	DEBUGP("cleaning request list\n");
+	clean_request(&request_p_list_udp);
+
+	for (port = 0; (port < ports_n_c) && ports[port]; port++) {
+		DEBUGP("unregistering port %d\n", ports[port]);
+		ip_conntrack_helper_unregister(&rpc_helpers[port]);
+	}
+}
+
+
+module_init(init);
+module_exit(fini);
+
+struct module *ip_conntrack_rpc_udp = THIS_MODULE;
+EXPORT_SYMBOL(request_p_list_udp);
+EXPORT_SYMBOL(ip_conntrack_rpc_udp);
+EXPORT_SYMBOL(ipct_rpc_udp_lock);
+
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/net/ipv4/netfilter/ip_conntrack_standalone.c linux-2.6.5-rc1/net/ipv4/netfilter/ip_conntrack_standalone.c
--- linux-2.6.5-rc1.org/net/ipv4/netfilter/ip_conntrack_standalone.c	2004-03-16 12:00:23.000000000 +0000
+++ linux-2.6.5-rc1/net/ipv4/netfilter/ip_conntrack_standalone.c	2004-03-16 12:04:09.000000000 +0000
@@ -110,6 +110,9 @@
 		len += sprintf(buffer + len, "[ASSURED] ");
 	len += sprintf(buffer + len, "use=%u ",
 		       atomic_read(&conntrack->ct_general.use));
+#if defined(CONFIG_IP_NF_CONNTRACK_MARK)
+	len += sprintf(buffer + len, "mark=%ld ", conntrack->mark);
+#endif
 	len += sprintf(buffer + len, "\n");
 
 	return len;
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/net/ipv4/netfilter/ip_tables.c linux-2.6.5-rc1/net/ipv4/netfilter/ip_tables.c
--- linux-2.6.5-rc1.org/net/ipv4/netfilter/ip_tables.c	2004-03-16 05:45:50.000000000 +0000
+++ linux-2.6.5-rc1/net/ipv4/netfilter/ip_tables.c	2004-03-16 12:04:36.000000000 +0000
@@ -8,6 +8,10 @@
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
  *
+ *  6 Mar 2002 Robert Olsson <robban@robtex.com>
+ * 17 Apr 2003 Chris  Wilson <chris@netservers.co.uk>
+ *     - mark_source_chains speedup for complex chains
+ *
  * 19 Jan 2002 Harald Welte <laforge@gnumonks.org>
  * 	- increase module usage count as soon as we have rules inside
  * 	  a table
@@ -498,6 +502,9 @@
 {
 	unsigned int hook;
 
+	/* keep track of where we have been: */
+	unsigned char *been = vmalloc(newinfo->size);
+
 	/* No recursion; use packet counter to save back ptrs (reset
 	   to 0 as we leave), and comefrom to save source hook bitmask */
 	for (hook = 0; hook < NF_IP_NUMHOOKS; hook++) {
@@ -510,6 +517,7 @@
 
 		/* Set initial back pointer. */
 		e->counters.pcnt = pos;
+		memset(been, 0, newinfo->size);
 
 		for (;;) {
 			struct ipt_standard_target *t
@@ -518,6 +526,7 @@
 			if (e->comefrom & (1 << NF_IP_NUMHOOKS)) {
 				printk("iptables: loop hook %u pos %u %08X.\n",
 				       hook, pos, e->comefrom);
+				vfree(been);
 				return 0;
 			}
 			e->comefrom
@@ -565,10 +574,14 @@
 			} else {
 				int newpos = t->verdict;
 
-				if (strcmp(t->target.u.user.name,
+				if ( (pos < 0 || pos >= newinfo->size
+				      || !been[pos]) 
+				    && strcmp(t->target.u.user.name,
 					   IPT_STANDARD_TARGET) == 0
 				    && newpos >= 0) {
 					/* This a jump; chase it. */
+					if (pos >= 0 && pos < newinfo->size)
+						been[pos]++;
 					duprintf("Jump rule %u -> %u\n",
 						 pos, newpos);
 				} else {
@@ -584,6 +597,7 @@
 		next:
 		duprintf("Finished chain %u\n", hook);
 	}
+	vfree(been);
 	return 1;
 }
 
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/net/ipv4/netfilter/ipt_CONNMARK.c linux-2.6.5-rc1/net/ipv4/netfilter/ipt_CONNMARK.c
--- linux-2.6.5-rc1.org/net/ipv4/netfilter/ipt_CONNMARK.c	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.5-rc1/net/ipv4/netfilter/ipt_CONNMARK.c	2004-03-16 12:04:09.000000000 +0000
@@ -0,0 +1,118 @@
+/* This kernel module is used to modify the connection mark values, or
+ * to optionally restore the skb nfmark from the connection mark
+ *
+ * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <net/checksum.h>
+
+MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>");
+MODULE_DESCRIPTION("IP tables CONNMARK matching module");
+MODULE_LICENSE("GPL");
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_CONNMARK.h>
+#include <linux/netfilter_ipv4/ip_conntrack.h>
+
+static unsigned int
+target(struct sk_buff **pskb,
+       const struct net_device *in,
+       const struct net_device *out,
+       unsigned int hooknum,
+       const void *targinfo,
+       void *userinfo)
+{
+	const struct ipt_connmark_target_info *markinfo = targinfo;
+	unsigned long diff;
+	unsigned long nfmark;
+	unsigned long newmark;
+
+	enum ip_conntrack_info ctinfo;
+	struct ip_conntrack *ct = ip_conntrack_get((*pskb), &ctinfo);
+	if (ct) {
+	    switch(markinfo->mode) {
+	    case IPT_CONNMARK_SET:
+		newmark = (ct->mark & ~markinfo->mask) | markinfo->mark;
+		if (newmark != ct->mark)
+		    ct->mark = newmark;
+		break;
+	    case IPT_CONNMARK_SAVE:
+		newmark = (ct->mark & ~markinfo->mask) | ((*pskb)->nfmark & markinfo->mask);
+		if (ct->mark != newmark)
+		    ct->mark = newmark;
+		break;
+	    case IPT_CONNMARK_RESTORE:
+		nfmark = (*pskb)->nfmark;
+		diff = (ct->mark ^ nfmark & markinfo->mask);
+		if (diff != 0) {
+		    (*pskb)->nfmark = nfmark ^ diff;
+		    (*pskb)->nfcache |= NFC_ALTERED;
+		}
+		break;
+	    }
+	}
+
+	return IPT_CONTINUE;
+}
+
+static int
+checkentry(const char *tablename,
+	   const struct ipt_entry *e,
+	   void *targinfo,
+	   unsigned int targinfosize,
+	   unsigned int hook_mask)
+{
+	struct ipt_connmark_target_info *matchinfo = targinfo;
+	if (targinfosize != IPT_ALIGN(sizeof(struct ipt_connmark_target_info))) {
+		printk(KERN_WARNING "CONNMARK: targinfosize %u != %Zu\n",
+		       targinfosize,
+		       IPT_ALIGN(sizeof(struct ipt_connmark_target_info)));
+		return 0;
+	}
+
+	if (matchinfo->mode == IPT_CONNMARK_RESTORE) {
+	    if (strcmp(tablename, "mangle") != 0) {
+		    printk(KERN_WARNING "CONNMARK: restore can only be called from \"mangle\" table, not \"%s\"\n", tablename);
+		    return 0;
+	    }
+	}
+
+	return 1;
+}
+
+static struct ipt_target ipt_connmark_reg = {
+	.name = "CONNMARK",
+	.target = &target,
+	.checkentry = &checkentry,
+	.me = THIS_MODULE
+};
+
+static int __init init(void)
+{
+	return ipt_register_target(&ipt_connmark_reg);
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_target(&ipt_connmark_reg);
+}
+
+module_init(init);
+module_exit(fini);
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/net/ipv4/netfilter/ipt_IPMARK.c linux-2.6.5-rc1/net/ipv4/netfilter/ipt_IPMARK.c
--- linux-2.6.5-rc1.org/net/ipv4/netfilter/ipt_IPMARK.c	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.5-rc1/net/ipv4/netfilter/ipt_IPMARK.c	2004-03-16 12:04:10.000000000 +0000
@@ -0,0 +1,81 @@
+/* This is a module which is used for setting the NFMARK field of an skb. */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <net/checksum.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_IPMARK.h>
+
+MODULE_AUTHOR("Grzegorz Janoszka <Grzegorz.Janoszka@pro.onet.pl>");
+MODULE_DESCRIPTION("IP tables IPMARK: mark based on ip address");
+MODULE_LICENSE("GPL");
+
+static unsigned int
+target(struct sk_buff **pskb,
+       const struct net_device *in,
+       const struct net_device *out,
+       unsigned int hooknum,
+       const void *targinfo,
+       void *userinfo)
+{
+	const struct ipt_ipmark_target_info *ipmarkinfo = targinfo;
+	struct iphdr *iph = (*pskb)->nh.iph;
+	unsigned long mark;
+
+	if (ipmarkinfo->addr == IPT_IPMARK_SRC)
+		mark = (unsigned long) ntohl(iph->saddr);
+	else
+		mark = (unsigned long) ntohl(iph->daddr);
+
+	mark &= ipmarkinfo->andmask;
+	mark |= ipmarkinfo->ormask;
+	
+	if ((*pskb)->nfmark != mark) {
+		(*pskb)->nfmark = mark;
+		(*pskb)->nfcache |= NFC_ALTERED;
+	}
+	return IPT_CONTINUE;
+}
+
+static int
+checkentry(const char *tablename,
+	   const struct ipt_entry *e,
+           void *targinfo,
+           unsigned int targinfosize,
+           unsigned int hook_mask)
+{
+	if (targinfosize != IPT_ALIGN(sizeof(struct ipt_ipmark_target_info))) {
+		printk(KERN_WARNING "IPMARK: targinfosize %u != %Zu\n",
+		       targinfosize,
+		       IPT_ALIGN(sizeof(struct ipt_ipmark_target_info)));
+		return 0;
+	}
+
+	if (strcmp(tablename, "mangle") != 0) {
+		printk(KERN_WARNING "IPMARK: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
+		return 0;
+	}
+
+	return 1;
+}
+
+static struct ipt_target ipt_ipmark_reg = { 
+	.name = "IPMARK",
+	.target = target,
+	.checkentry = checkentry,
+	.me = THIS_MODULE
+};
+
+static int __init init(void)
+{
+	return ipt_register_target(&ipt_ipmark_reg);
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_target(&ipt_ipmark_reg);
+}
+
+module_init(init);
+module_exit(fini);
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/net/ipv4/netfilter/ipt_XOR.c linux-2.6.5-rc1/net/ipv4/netfilter/ipt_XOR.c
--- linux-2.6.5-rc1.org/net/ipv4/netfilter/ipt_XOR.c	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.5-rc1/net/ipv4/netfilter/ipt_XOR.c	2004-03-16 12:04:18.000000000 +0000
@@ -0,0 +1,117 @@
+/* XOR target for IP tables
+ * (C) 2000 by Tim Vandermeersch <Tim.Vandermeersch@pandora.be>
+ * Based on ipt_TTL.c
+ *
+ * Version 1.0
+ *
+ * This software is distributed under the terms of GNU GPL
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <linux/tcp.h>
+#include <linux/udp.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_XOR.h>
+
+MODULE_AUTHOR("Tim Vandermeersch <Tim.Vandermeersch@pandora.be>");
+MODULE_DESCRIPTION("IP tables XOR module");
+MODULE_LICENSE("GPL");
+
+static unsigned int 
+ipt_xor_target(struct sk_buff **pskb, 
+		const struct net_device *in, const struct net_device *out, 
+		unsigned int hooknum, const void *targinfo, void *userinfo)
+{
+	struct ipt_XOR_info *info = (void *) targinfo;
+	struct iphdr *iph;
+	struct tcphdr *tcph;
+	struct udphdr *udph;
+	int i, j, k;
+
+	if (!skb_ip_make_writable(pskb, (*pskb)->len))
+		return NF_DROP;
+
+	iph = (*pskb)->nh.iph;
+  
+	if (iph->protocol == IPPROTO_TCP) {
+		tcph = (struct tcphdr *) ((*pskb)->data + iph->ihl*4);
+		for (i=0, j=0; i<(ntohs(iph->tot_len) - iph->ihl*4 - tcph->doff*4); ) {
+			for (k=0; k<=info->block_size; k++) {
+				(char) (*pskb)->data[ iph->ihl*4 + tcph->doff*4 + i ] ^= 
+						info->key[j];
+				i++;
+			}
+			j++;
+			if (info->key[j] == 0x00)
+				j = 0;
+		}
+	} else if (iph->protocol == IPPROTO_UDP) {
+		udph = (struct udphdr *) ((*pskb)->data + iph->ihl*4);
+		for (i=0, j=0; i<(ntohs(udph->len)-8); ) {
+			for (k=0; k<=info->block_size; k++) {
+				(char) (*pskb)->data[ iph->ihl*4 + sizeof(struct udphdr) + i ] ^= 
+						info->key[j];
+				i++;
+			}
+			j++;
+			if (info->key[j] == 0x00)
+				j = 0;
+		}
+	}
+  
+	return IPT_CONTINUE;
+}
+
+static int ipt_xor_checkentry(const char *tablename, const struct ipt_entry *e,
+		void *targinfo, unsigned int targinfosize, 
+		unsigned int hook_mask)
+{
+	struct ipt_XOR_info *info = targinfo;
+
+	if (targinfosize != IPT_ALIGN(sizeof(struct ipt_XOR_info))) {
+		printk(KERN_WARNING "XOR: targinfosize %u != %Zu\n", 
+				targinfosize, IPT_ALIGN(sizeof(struct ipt_XOR_info)));
+		return 0;
+	}	
+
+	if (strcmp(tablename, "mangle")) {
+		printk(KERN_WARNING "XOR: can only be called from"
+				"\"mangle\" table, not \"%s\"\n", tablename);
+		return 0; 
+	}
+
+	if (!strcmp(info->key, "")) {
+		printk(KERN_WARNING "XOR: You must specify a key");
+		return 0;
+	}
+
+	if (info->block_size == 0) {
+		printk(KERN_WARNING "XOR: You must specify a block-size");
+		return 0;
+	}
+
+	return 1;
+}
+
+static struct ipt_target ipt_XOR = { 
+	.name = "XOR",
+	.target = ipt_xor_target, 
+	.checkentry = ipt_xor_checkentry,
+	.me = THIS_MODULE,
+};
+
+static int __init init(void)
+{
+	return ipt_register_target(&ipt_XOR);
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_target(&ipt_XOR);
+}
+
+module_init(init);
+module_exit(fini);
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/net/ipv4/netfilter/ipt_addrtype.c linux-2.6.5-rc1/net/ipv4/netfilter/ipt_addrtype.c
--- linux-2.6.5-rc1.org/net/ipv4/netfilter/ipt_addrtype.c	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.5-rc1/net/ipv4/netfilter/ipt_addrtype.c	2004-03-16 12:04:20.000000000 +0000
@@ -0,0 +1,68 @@
+/*
+ *  iptables module to match inet_addr_type() of an ip.
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/netdevice.h>
+#include <net/route.h>
+
+#include <linux/netfilter_ipv4/ipt_addrtype.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+MODULE_LICENSE("GPL");
+
+static inline int match_type(u_int32_t addr, u_int16_t mask)
+{
+	return !!(mask & (1 << inet_addr_type(addr)));
+}
+
+static int match(const struct sk_buff *skb, const struct net_device *in,
+		 const struct net_device *out, const void *matchinfo,
+		 int offset, int *hotdrop)
+{
+	const struct ipt_addrtype_info *info = matchinfo;
+	const struct iphdr *iph = skb->nh.iph;
+	int ret = 1;
+
+	if (info->source)
+		ret &= match_type(iph->saddr, info->source)^info->invert_source;
+	if (info->dest)
+		ret &= match_type(iph->daddr, info->dest)^info->invert_dest;
+	
+	return ret;
+}
+
+static int checkentry(const char *tablename, const struct ipt_ip *ip,
+		      void *matchinfo, unsigned int matchsize,
+		      unsigned int hook_mask)
+{
+	if (matchsize != IPT_ALIGN(sizeof(struct ipt_addrtype_info))) {
+		printk(KERN_ERR "ipt_addrtype: invalid size (%u != %u)\n.",
+		       matchsize, IPT_ALIGN(sizeof(struct ipt_addrtype_info)));
+		return 0;
+	}
+
+	return 1;
+}
+
+static struct ipt_match addrtype_match = { 
+	.name = "addrtype",
+	.match = match,
+	.checkentry = checkentry,
+	.me = THIS_MODULE
+};
+
+static int __init init(void)
+{
+	return ipt_register_match(&addrtype_match);
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_match(&addrtype_match);
+
+}
+
+module_init(init);
+module_exit(fini);
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/net/ipv4/netfilter/ipt_connmark.c linux-2.6.5-rc1/net/ipv4/netfilter/ipt_connmark.c
--- linux-2.6.5-rc1.org/net/ipv4/netfilter/ipt_connmark.c	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.5-rc1/net/ipv4/netfilter/ipt_connmark.c	2004-03-16 12:04:09.000000000 +0000
@@ -0,0 +1,81 @@
+/* This kernel module matches connection mark values set by the
+ * CONNMARK target
+ *
+ * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+
+MODULE_AUTHOR("Henrik Nordstrom <hno@marasytems.com>");
+MODULE_DESCRIPTION("IP tables connmark match module");
+MODULE_LICENSE("GPL");
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_connmark.h>
+#include <linux/netfilter_ipv4/ip_conntrack.h>
+
+static int
+match(const struct sk_buff *skb,
+      const struct net_device *in,
+      const struct net_device *out,
+      const void *matchinfo,
+      int offset,
+      int *hotdrop)
+{
+	const struct ipt_connmark_info *info = matchinfo;
+	enum ip_conntrack_info ctinfo;
+	struct ip_conntrack *ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
+	if (!ct)
+		return 0;
+
+	return ((ct->mark & info->mask) == info->mark) ^ info->invert;
+}
+
+static int
+checkentry(const char *tablename,
+	   const struct ipt_ip *ip,
+	   void *matchinfo,
+	   unsigned int matchsize,
+	   unsigned int hook_mask)
+{
+	if (matchsize != IPT_ALIGN(sizeof(struct ipt_connmark_info)))
+		return 0;
+
+	return 1;
+}
+
+static struct ipt_match connmark_match = {
+	.name = "connmark",
+	.match = &match,
+	.checkentry = &checkentry,
+	.me = THIS_MODULE
+};
+
+static int __init init(void)
+{
+	return ipt_register_match(&connmark_match);
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_match(&connmark_match);
+}
+
+module_init(init);
+module_exit(fini);
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/net/ipv4/netfilter/ipt_owner.c linux-2.6.5-rc1/net/ipv4/netfilter/ipt_owner.c
--- linux-2.6.5-rc1.org/net/ipv4/netfilter/ipt_owner.c	2004-03-16 05:47:19.000000000 +0000
+++ linux-2.6.5-rc1/net/ipv4/netfilter/ipt_owner.c	2004-03-16 12:04:38.000000000 +0000
@@ -6,12 +6,19 @@
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
+ *
+ * 03/26/2003 Patrick McHardy <kaber@trash.net>	: LOCAL_IN support
  */
 
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/file.h>
+#include <linux/ip.h>
+#include <linux/tcp.h>
+#include <linux/udp.h>
 #include <net/sock.h>
+#include <net/tcp.h>
+#include <net/udp.h>
 
 #include <linux/netfilter_ipv4/ipt_owner.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
@@ -21,7 +28,7 @@
 MODULE_DESCRIPTION("iptables owner match");
 
 static int
-match_comm(const struct sk_buff *skb, const char *comm)
+match_comm(const struct sock *sk, const char *comm)
 {
 	struct task_struct *g, *p;
 	struct files_struct *files;
@@ -38,7 +45,7 @@
 			spin_lock(&files->file_lock);
 			for (i=0; i < files->max_fds; i++) {
 				if (fcheck_files(files, i) ==
-				    skb->sk->sk_socket->file) {
+				    sk->sk_socket->file) {
 					spin_unlock(&files->file_lock);
 					task_unlock(p);
 					read_unlock(&tasklist_lock);
@@ -54,7 +61,7 @@
 }
 
 static int
-match_pid(const struct sk_buff *skb, pid_t pid)
+match_pid(const struct sock *sk, pid_t pid)
 {
 	struct task_struct *p;
 	struct files_struct *files;
@@ -70,7 +77,7 @@
 		spin_lock(&files->file_lock);
 		for (i=0; i < files->max_fds; i++) {
 			if (fcheck_files(files, i) ==
-			    skb->sk->sk_socket->file) {
+			    sk->sk_socket->file) {
 				spin_unlock(&files->file_lock);
 				task_unlock(p);
 				read_unlock(&tasklist_lock);
@@ -86,10 +93,10 @@
 }
 
 static int
-match_sid(const struct sk_buff *skb, pid_t sid)
+match_sid(const struct sock *sk, pid_t sid)
 {
 	struct task_struct *g, *p;
-	struct file *file = skb->sk->sk_socket->file;
+	struct file *file = sk->sk_socket->file;
 	int i, found=0;
 
 	read_lock(&tasklist_lock);
@@ -129,41 +136,71 @@
       int *hotdrop)
 {
 	const struct ipt_owner_info *info = matchinfo;
+	struct iphdr *iph = skb->nh.iph;
+	struct sock *sk = NULL;
+	int ret = 0;
+
+	if (out) {
+		sk = skb->sk;
+	} else {
+		if (iph->protocol == IPPROTO_TCP) {
+			struct tcphdr *tcph =
+				(struct tcphdr *)((u_int32_t *)iph + iph->ihl);
+			sk = tcp_v4_lookup(iph->saddr, tcph->source,
+			                   iph->daddr, tcph->dest,
+			                   skb->dev->ifindex);
+			if (sk && sk->sk_state == TCP_TIME_WAIT) {
+				tcp_tw_put((struct tcp_tw_bucket *)sk);
+				return ret;
+			}
+		} else if (iph->protocol == IPPROTO_UDP) {
+			struct udphdr *udph =
+				(struct udphdr *)((u_int32_t *)iph + iph->ihl);
+			sk = udp_v4_lookup(iph->saddr, udph->source, iph->daddr,
+			                   udph->dest, skb->dev->ifindex);
+		}
+	}
 
-	if (!skb->sk || !skb->sk->sk_socket || !skb->sk->sk_socket->file)
-		return 0;
+	if (!sk || !sk->sk_socket || !sk->sk_socket->file)
+		goto out;
 
 	if(info->match & IPT_OWNER_UID) {
-		if ((skb->sk->sk_socket->file->f_uid != info->uid) ^
+		if ((sk->sk_socket->file->f_uid != info->uid) ^
 		    !!(info->invert & IPT_OWNER_UID))
-			return 0;
+			goto out;
 	}
 
 	if(info->match & IPT_OWNER_GID) {
-		if ((skb->sk->sk_socket->file->f_gid != info->gid) ^
+		if ((sk->sk_socket->file->f_gid != info->gid) ^
 		    !!(info->invert & IPT_OWNER_GID))
-			return 0;
+			goto out;
 	}
 
 	if(info->match & IPT_OWNER_PID) {
-		if (!match_pid(skb, info->pid) ^
+		if (!match_pid(sk, info->pid) ^
 		    !!(info->invert & IPT_OWNER_PID))
-			return 0;
+			goto out;
 	}
 
 	if(info->match & IPT_OWNER_SID) {
-		if (!match_sid(skb, info->sid) ^
+		if (!match_sid(sk, info->sid) ^
 		    !!(info->invert & IPT_OWNER_SID))
-			return 0;
+			goto out;
 	}
 
 	if(info->match & IPT_OWNER_COMM) {
-		if (!match_comm(skb, info->comm) ^
+		if (!match_comm(sk, info->comm) ^
 		    !!(info->invert & IPT_OWNER_COMM))
-			return 0;
+			goto out;
 	}
 
-	return 1;
+	ret = 1;
+
+out:
+	if (in && sk)
+		sock_put(sk);
+
+	return ret;
 }
 
 static int
@@ -173,11 +210,19 @@
            unsigned int matchsize,
            unsigned int hook_mask)
 {
-        if (hook_mask
-            & ~((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING))) {
-                printk("ipt_owner: only valid for LOCAL_OUT or POST_ROUTING.\n");
-                return 0;
-        }
+	if (hook_mask
+	    & ~((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING) |
+	    (1 << NF_IP_LOCAL_IN))) {
+		printk("ipt_owner: only valid for LOCAL_IN, LOCAL_OUT "
+		       "or POST_ROUTING.\n");
+		return 0;
+	}
+
+	if ((hook_mask & (1 << NF_IP_LOCAL_IN))
+	    && ip->proto != IPPROTO_TCP && ip->proto != IPPROTO_UDP) {
+		printk("ipt_owner: only TCP or UDP can be used in LOCAL_IN\n");
+		return 0;
+	}
 
 	if (matchsize != IPT_ALIGN(sizeof(struct ipt_owner_info))) {
 		printk("Matchsize %u != %Zu\n", matchsize,
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/net/ipv4/netfilter/ipt_policy.c linux-2.6.5-rc1/net/ipv4/netfilter/ipt_policy.c
--- linux-2.6.5-rc1.org/net/ipv4/netfilter/ipt_policy.c	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.5-rc1/net/ipv4/netfilter/ipt_policy.c	2004-03-16 12:04:45.000000000 +0000
@@ -0,0 +1,176 @@
+/* IP tables module for matching IPsec policy
+ *
+ * Copyright (c) 2004 Patrick McHardy, <kaber@trash.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/kernel.h>
+#include <linux/config.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/init.h>
+#include <net/xfrm.h>
+
+#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter_ipv4/ipt_policy.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_DESCRIPTION("IPtables IPsec policy matching module");
+MODULE_LICENSE("GPL");
+
+
+static inline int
+match_xfrm_state(struct xfrm_state *x, const struct ipt_policy_elem *e)
+{
+#define MISMATCH(x,y)	(e->match.x && ((e->x != (y)) ^ e->invert.x))
+
+	if (MISMATCH(saddr, x->props.saddr.a4 & e->smask) ||
+	    MISMATCH(daddr, x->id.daddr.a4 & e->dmask) ||
+	    MISMATCH(proto, x->id.proto) ||
+	    MISMATCH(mode, x->props.mode) ||
+	    MISMATCH(spi, x->id.spi) ||
+	    MISMATCH(reqid, x->props.reqid))
+		return 0;
+	return 1;
+}
+
+static int
+match_policy_in(const struct sk_buff *skb, const struct ipt_policy_info *info)
+{
+	const struct ipt_policy_elem *e;
+	struct sec_path *sp = skb->sp;
+	int strict = info->flags & POLICY_MATCH_STRICT;
+	int i, pos;
+
+	if (sp == NULL)
+		return -1;
+	if (strict && info->len != sp->len)
+		return 0;
+
+	for (i = sp->len - 1; i >= 0; i--) {
+		pos = strict ? i - sp->len + 1 : 0;
+		if (pos >= info->len)
+			return 0;
+		e = &info->pol[pos];
+
+		if (match_xfrm_state(sp->x[i].xvec, e)) {
+			if (!strict)
+				return 1;
+		} else if (strict)
+			return 0;
+	}
+
+	return strict ? 1 : 0;
+}
+
+static int
+match_policy_out(const struct sk_buff *skb, const struct ipt_policy_info *info)
+{
+	const struct ipt_policy_elem *e;
+	struct dst_entry *dst = skb->dst;
+	int strict = info->flags & POLICY_MATCH_STRICT;
+	int i, pos;
+
+	if (dst->xfrm == NULL)
+		return -1;
+
+	for (i = 0; dst && dst->xfrm; dst = dst->child, i++) {
+		pos = strict ? i : 0;
+		if (pos >= info->len)
+			return 0;
+		e = &info->pol[pos];
+
+		if (match_xfrm_state(dst->xfrm, e)) {
+			if (!strict)
+				return 1;
+		} else if (strict)
+			return 0;
+	}
+
+	return strict ? 1 : 0;
+}
+
+static int match(const struct sk_buff *skb,
+                 const struct net_device *in,
+                 const struct net_device *out,
+                 const void *matchinfo, int offset, int *hotdrop)
+{
+	const struct ipt_policy_info *info = matchinfo;
+	int ret;
+
+	if (info->flags & POLICY_MATCH_IN)
+		ret = match_policy_in(skb, info);
+	else
+		ret = match_policy_out(skb, info);
+
+	if (ret < 0) {
+		if (info->flags & POLICY_MATCH_NONE)
+			ret = 1;
+		else
+			ret = 0;
+	} else if (info->flags & POLICY_MATCH_NONE)
+		ret = 0;
+
+	return ret;
+}
+
+static int checkentry(const char *tablename, const struct ipt_ip *ip,
+                      void *matchinfo, unsigned int matchsize,
+                      unsigned int hook_mask)
+{
+	struct ipt_policy_info *info = matchinfo;
+
+	if (matchsize != IPT_ALIGN(sizeof(*info))) {
+		printk(KERN_ERR "ipt_policy: matchsize %u != %u\n",
+		       matchsize, IPT_ALIGN(sizeof(*info)));
+		return 0;
+	}
+	if (!(info->flags & (POLICY_MATCH_IN|POLICY_MATCH_OUT))) {
+		printk(KERN_ERR "ipt_policy: neither incoming nor "
+		                "outgoing policy selected\n");
+		return 0;
+	}
+	if (hook_mask & (1 << NF_IP_PRE_ROUTING | 1 << NF_IP_LOCAL_IN)
+	    && info->flags & POLICY_MATCH_OUT) {
+		printk(KERN_ERR "ipt_policy: output policy not valid in "
+		                "PRE_ROUTING and INPUT\n");
+		return 0;
+	}
+	if (hook_mask & (1 << NF_IP_POST_ROUTING | 1 << NF_IP_LOCAL_OUT)
+	    && info->flags & POLICY_MATCH_IN) {
+		printk(KERN_ERR "ipt_policy: input policy not valid in "
+		                "POST_ROUTING and OUTPUT\n");
+		return 0;
+	}
+	if (info->len > POLICY_MAX_ELEM) {
+		printk(KERN_ERR "ipt_policy: too many policy elements\n");
+		return 0;
+	}
+
+	return 1;
+}
+
+static struct ipt_match policy_match =
+{
+	.name		= "policy",
+	.match		= match,
+	.checkentry 	= checkentry,
+	.me		= THIS_MODULE,
+};
+
+static int __init init(void)
+{
+	return ipt_register_match(&policy_match);
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_match(&policy_match);
+}
+
+module_init(init);
+module_exit(fini);
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/net/ipv4/netfilter/ipt_rpc.c linux-2.6.5-rc1/net/ipv4/netfilter/ipt_rpc.c
--- linux-2.6.5-rc1.org/net/ipv4/netfilter/ipt_rpc.c	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.5-rc1/net/ipv4/netfilter/ipt_rpc.c	2004-03-16 12:04:46.000000000 +0000
@@ -0,0 +1,428 @@
+/* RPC extension for IP connection matching, Version 2.2
+ * (C) 2000 by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br>
+ *	- original rpc tracking module
+ *	- "recent" connection handling for kernel 2.3+ netfilter
+ *
+ * (C) 2001 by Rusty Russell <rusty@rustcorp.com.au>
+ *	- upgraded conntrack modules to oldnat api - kernel 2.4.0+
+ *
+ * (C) 2002,2003 by Ian (Larry) Latter <Ian.Latter@mq.edu.au>
+ *	- upgraded conntrack modules to newnat api - kernel 2.4.20+
+ *	- extended matching to support filtering on procedures
+ *
+ * ipt_rpc.c,v 2.2 2003/01/12 18:30:00
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License
+ *	as published by the Free Software Foundation; either version
+ *	2 of the License, or (at your option) any later version.
+ **
+ *	Module load syntax:
+ *	insmod ipt_rpc.o ports=port1,port2,...port<MAX_PORTS>
+ *
+ *	Please give the ports of all RPC servers you wish to connect to.
+ *	If you don't specify ports, the default will be port 111.
+ **
+ *	Note to all:
+ *
+ *	RPCs should not be exposed to the internet - ask the Pentagon;
+ *
+ *	  "The unidentified crackers pleaded guilty in July to charges
+ *	   of juvenile delinquency stemming from a string of Pentagon
+ *	   network intrusions in February.
+ *
+ *	   The youths, going by the names TooShort and Makaveli, used
+ *	   a common server security hole to break in, according to
+ *	   Dane Jasper, owner of the California Internet service
+ *	   provider, Sonic. They used the hole, known as the 'statd'
+ *	   exploit, to attempt more than 800 break-ins, Jasper said."
+ *
+ *	From: Wired News; "Pentagon Kids Kicked Off Grid" - Nov 6, 1998
+ *	URL:  http://www.wired.com/news/politics/0,1283,16098,00.html
+ **
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/list.h>
+#include <linux/udp.h>
+#include <linux/tcp.h>
+#include <linux/netfilter_ipv4/ip_conntrack.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ip_conntrack_rpc.h>
+#include <linux/netfilter_ipv4/lockhelp.h>
+#include <linux/netfilter_ipv4/ipt_rpc.h>
+
+#define MAX_PORTS 8
+static int ports[MAX_PORTS];
+static int ports_n_c = 0;
+
+#ifdef MODULE_PARM
+MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i");
+MODULE_PARM_DESC(ports, "port numbers (TCP/UDP) of RPC portmapper servers");
+#endif
+
+MODULE_AUTHOR("Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br>");
+MODULE_DESCRIPTION("RPC connection matching module");
+MODULE_LICENSE("GPL");
+
+#if 0
+#define DEBUGP(format, args...) printk(KERN_DEBUG "ipt_rpc: " \
+					format, ## args)
+#else
+#define DEBUGP(format, args...)
+#endif
+
+EXPORT_NO_SYMBOLS;
+
+/* vars from ip_conntrack_rpc_tcp */
+extern struct list_head request_p_list_tcp;
+extern struct module *ip_conntrack_rpc_tcp;
+
+/* vars from ip_conntrack_rpc_udp */
+extern struct list_head request_p_list_udp;
+extern struct module *ip_conntrack_rpc_udp;
+
+DECLARE_RWLOCK_EXTERN(ipct_rpc_tcp_lock);
+DECLARE_RWLOCK_EXTERN(ipct_rpc_udp_lock);
+
+#define ASSERT_READ_LOCK(x)					\
+do {								\
+	if (x == &request_p_list_udp)				\
+		MUST_BE_READ_LOCKED(&ipct_rpc_udp_lock);	\
+	else if (x == &request_p_list_tcp)			\
+		MUST_BE_READ_LOCKED(&ipct_rpc_tcp_lock);	\
+} while (0)
+
+#define ASSERT_WRITE_LOCK(x)					\
+do {								\
+	if (x == &request_p_list_udp)				\
+		MUST_BE_WRITE_LOCKED(&ipct_rpc_udp_lock);	\
+	else if (x == &request_p_list_tcp)			\
+		MUST_BE_WRITE_LOCKED(&ipct_rpc_tcp_lock);	\
+} while (0)
+
+#include <linux/netfilter_ipv4/listhelp.h>
+
+const int IPT_RPC_CHAR_LEN = 11;
+
+
+static int k_atoi(char *string)
+{
+	unsigned int result = 0;
+	int maxoctet = IPT_RPC_CHAR_LEN;
+
+	for ( ; *string != 0 && maxoctet != 0; maxoctet--, string++) {
+		if (*string < 0)
+			return(0);
+		if (*string == 0)
+			break;
+		if (*string < 48 || *string > 57) {
+			return(0);
+		}
+		result = result * 10 + ( *string - 48 );
+	}
+	return(result);
+}
+
+
+static int match_rpcs(char *c_procs, int i_procs, int proc)
+{
+	int   proc_ctr;
+	char *proc_ptr;
+	unsigned int proc_num;
+
+	DEBUGP("entered match_rpcs [%i] [%i] ..\n", i_procs, proc);
+
+	if (i_procs == -1)
+		return 1;
+
+	for (proc_ctr=0; proc_ctr <= i_procs; proc_ctr++) {
+
+		proc_ptr = c_procs;
+		proc_ptr += proc_ctr * IPT_RPC_CHAR_LEN;
+		proc_num = k_atoi(proc_ptr);
+
+		if (proc_num == proc)
+			return 1;
+	}
+
+	return 0;
+}
+
+
+static int check_rpc_packet(const u_int32_t *data, const void *matchinfo,
+			int *hotdrop, int dir, struct ip_conntrack *ct,
+			int offset, struct list_head request_p_list)
+{
+	const struct ipt_rpc_info *rpcinfo = matchinfo;
+	struct request_p *req_p;
+	u_int32_t xid;
+
+
+	/* Get XID */
+	xid = *data;
+
+ 	/* This does sanity checking on RPC payloads,
+	 * and permits only the RPC "get port" (3)
+	 * in authorised procedures in client
+	 * communications with the portmapper.
+	 */
+
+	data += 5;
+
+	/* Get RPC requestor */
+	if (IXDR_GET_INT32(data) != 3) {
+		DEBUGP("RPC packet contains an invalid (non \"get\") requestor. [skip]\n");
+		if(rpcinfo->strict == 1)
+			*hotdrop = 1;
+		return 0;
+	}
+	DEBUGP("RPC packet contains a \"get\" requestor. [cont]\n");
+
+	data++;
+
+	/* Jump Credentials and Verfifier */
+	data = data + IXDR_GET_INT32(data) + 2;
+	data = data + IXDR_GET_INT32(data) + 2;
+
+	/* Get RPC procedure */
+	if (match_rpcs((char *)&rpcinfo->c_procs,
+	    rpcinfo->i_procs, IXDR_GET_INT32(data)) == 0) {
+		DEBUGP("RPC packet contains illegal procedure request [%u]. [drop]\n",
+			(unsigned int)IXDR_GET_INT32(data));
+
+		/* If the RPC conntrack half entry already exists .. */
+
+		switch (ct->tuplehash[0].tuple.dst.protonum) {
+			case IPPROTO_UDP:
+				WRITE_LOCK(&ipct_rpc_udp_lock);
+			case IPPROTO_TCP:
+				WRITE_LOCK(&ipct_rpc_tcp_lock);
+		}
+		req_p = LIST_FIND(&request_p_list, request_p_cmp,
+				  struct request_p *, xid,
+				  ct->tuplehash[dir].tuple.src.ip,
+				  ct->tuplehash[dir].tuple.src.u.all);
+
+		if (req_p) {
+			DEBUGP("found req_p for xid=%u proto=%u %u.%u.%u.%u:%u\n",
+				xid, ct->tuplehash[dir].tuple.dst.protonum,
+				NIPQUAD(ct->tuplehash[dir].tuple.src.ip),
+				ntohs(ct->tuplehash[dir].tuple.src.u.all));
+
+			/* .. remove it */
+			if (del_timer(&req_p->timeout))
+				req_p->timeout.expires = 0;
+
+       			LIST_DELETE(&request_p_list, req_p);
+			DEBUGP("RPC req_p removed. [done]\n");
+
+		} else {
+			DEBUGP("no req_p found for xid=%u proto=%u %u.%u.%u.%u:%u\n",
+				xid, ct->tuplehash[dir].tuple.dst.protonum,
+				NIPQUAD(ct->tuplehash[dir].tuple.src.ip),
+				ntohs(ct->tuplehash[dir].tuple.src.u.all));
+
+		}
+		switch (ct->tuplehash[0].tuple.dst.protonum) {
+			case IPPROTO_UDP:
+				WRITE_UNLOCK(&ipct_rpc_udp_lock);
+			case IPPROTO_TCP:
+				WRITE_UNLOCK(&ipct_rpc_tcp_lock);
+		}
+
+		if(rpcinfo->strict == 1)
+			*hotdrop = 1;
+		return 0;
+	}
+
+	DEBUGP("RPC packet contains authorised procedure request [%u]. [match]\n",
+		(unsigned int)IXDR_GET_INT32(data));
+	return (1 && (!offset));
+}
+
+
+static int match(const struct sk_buff *skb, const struct net_device *in,
+		 const struct net_device *out, const void *matchinfo,
+		 int offset, const void *hdr, u_int16_t datalen, int *hotdrop)
+{
+	struct ip_conntrack *ct;
+	enum ip_conntrack_info ctinfo;
+	const u_int32_t *data;
+	enum ip_conntrack_dir dir;
+	const struct tcphdr *tcp;
+	const struct ipt_rpc_info *rpcinfo = matchinfo;
+	int port, portsok;
+	int tval;
+
+
+	DEBUGP("new packet to evaluate ..\n");
+
+	ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
+	if (!ct) {
+		DEBUGP("no ct available [skip]\n");
+		return 0;
+	}
+
+	DEBUGP("ct detected. [cont]\n");
+	dir = CTINFO2DIR(ctinfo);
+
+	/* we only want the client to server packets for matching */
+	if (dir != IP_CT_DIR_ORIGINAL)
+		return 0;
+
+	/* This does sanity checking on UDP or TCP packets,
+	 * like their respective modules.
+	 */
+
+	switch (ct->tuplehash[0].tuple.dst.protonum) {
+
+		case IPPROTO_UDP:
+			DEBUGP("PROTO_UDP [cont]\n");
+			if (offset == 0 && datalen < sizeof(struct udphdr)) {
+				DEBUGP("packet does not contain a complete header. [drop]\n");
+				return 0;
+			}
+
+			for (port=0,portsok=0; port <= ports_n_c; port++) {
+				if (ntohs(ct->tuplehash[dir].tuple.dst.u.all) == ports[port]) {
+					portsok++;
+					break;
+				}
+			}
+			if (portsok == 0) {
+				DEBUGP("packet is not destined for a portmapper [%u]. [skip]\n",
+					ntohs(ct->tuplehash[dir].tuple.dst.u.all));
+				return 0;
+			}
+
+			if ((datalen - sizeof(struct udphdr)) != 56) {
+				DEBUGP("packet length is not correct for RPC content. [skip]\n");
+				if (rpcinfo->strict == 1)
+					*hotdrop = 1;
+				return 0;
+			}
+			DEBUGP("packet length is correct. [cont]\n");
+
+			/* Get to the data */
+			data = (const u_int32_t *)hdr + 2;
+
+			/* Check the RPC data */
+			tval = check_rpc_packet(data, matchinfo, hotdrop,
+						dir, ct, offset,
+						request_p_list_udp);
+
+			return tval;
+			
+		
+		case IPPROTO_TCP:
+			DEBUGP("PROTO_TCP [cont]\n");
+			if (offset == 0 && datalen < sizeof(struct tcphdr)) {
+				DEBUGP("packet does not contain a complete header. [drop]\n");
+				return 0;
+			}
+	
+			for (port=0,portsok=0; port <= ports_n_c; port++) {
+				if (ntohs(ct->tuplehash[dir].tuple.dst.u.all) == ports[port]) {
+					portsok++;
+					break;
+				}
+			}
+			if (portsok == 0) {
+				DEBUGP("packet is not destined for a portmapper [%u]. [skip]\n",
+					ntohs(ct->tuplehash[dir].tuple.dst.u.all));
+				return 0;
+			}
+
+			tcp = hdr;
+			if (datalen == (tcp->doff * 4)) {
+				DEBUGP("packet does not contain any data. [match]\n");
+				return (1 && (!offset));
+			}
+
+			/* Tests if packet len is ok */
+			if ((datalen - (tcp->doff * 4)) != 60) {
+				DEBUGP("packet length is not correct for RPC content. [skip]\n");
+				if(rpcinfo->strict == 1)
+					*hotdrop = 1;
+				return 0;
+			}
+			DEBUGP("packet length is correct. [cont]\n");
+
+			/* Get to the data */
+			data = (const u_int32_t *)tcp + tcp->doff + 1;	
+
+			/* Check the RPC data */
+			tval = check_rpc_packet(data, matchinfo, hotdrop,
+						dir, ct, offset,
+						request_p_list_tcp);
+
+			return tval;
+
+	}
+
+	DEBUGP("transport protocol=%u, is not supported [skip]\n",
+		ct->tuplehash[0].tuple.dst.protonum);
+	return 0;
+}
+
+
+static int checkentry(const char *tablename, const struct ipt_ip *ip, void *matchinfo,
+		   unsigned int matchsize, unsigned int hook_mask)
+{
+	if (hook_mask
+	    & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_FORWARD) | (1 << NF_IP_POST_ROUTING)
+		| (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_LOCAL_OUT))) {
+		printk("ipt_rpc: only valid for PRE_ROUTING, FORWARD, POST_ROUTING, LOCAL_IN and/or LOCAL_OUT targets.\n");
+		return 0;
+	}
+
+	if (matchsize != IPT_ALIGN(sizeof(struct ipt_rpc_info)))
+		return 0;
+
+	return 1;
+}
+
+
+static struct ipt_match rpc_match = { { NULL, NULL }, "rpc",
+					&match, &checkentry, NULL,
+					THIS_MODULE };
+
+
+static int __init init(void)
+{
+	int port;
+
+	DEBUGP("incrementing usage counts\n");
+	__MOD_INC_USE_COUNT(ip_conntrack_rpc_udp);
+	__MOD_INC_USE_COUNT(ip_conntrack_rpc_tcp);
+
+	/* If no port given, default to standard RPC port */
+	if (ports[0] == 0)
+		ports[0] = RPC_PORT;
+
+	DEBUGP("registering match [%s] for;\n", rpc_match.name);
+	for (port = 0; (port < MAX_PORTS) && ports[port]; port++) {
+		DEBUGP("  port %i (UDP|TCP);\n", ports[port]);
+		ports_n_c++;
+	}
+	
+	return ipt_register_match(&rpc_match);
+}
+
+
+static void fini(void)
+{
+	DEBUGP("unregistering match\n");
+	ipt_unregister_match(&rpc_match);
+
+	DEBUGP("decrementing usage counts\n");
+	__MOD_DEC_USE_COUNT(ip_conntrack_rpc_tcp);
+	__MOD_DEC_USE_COUNT(ip_conntrack_rpc_udp);
+}
+
+
+module_init(init);
+module_exit(fini);
+
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/net/ipv4/netfilter/ipt_string.c linux-2.6.5-rc1/net/ipv4/netfilter/ipt_string.c
--- linux-2.6.5-rc1.org/net/ipv4/netfilter/ipt_string.c	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.5-rc1/net/ipv4/netfilter/ipt_string.c	2004-03-16 12:06:26.000000000 +0000
@@ -0,0 +1,220 @@
+/* Kernel module to match a string into a packet.
+ *
+ * Copyright (C) 2000 Emmanuel Roger  <winfield@freegates.be>
+ * 
+ * ChangeLog
+ *	19.02.2002: Gianni Tedesco <gianni@ecsc.co.uk>
+ *		Fixed SMP re-entrancy problem using per-cpu data areas
+ *		for the skip/shift tables.
+ *	02.05.2001: Gianni Tedesco <gianni@ecsc.co.uk>
+ *		Fixed kernel panic, due to overrunning boyer moore string
+ *		tables. Also slightly tweaked heuristic for deciding what
+ * 		search algo to use.
+ * 	27.01.2001: Gianni Tedesco <gianni@ecsc.co.uk>
+ * 		Implemented Boyer Moore Sublinear search algorithm
+ * 		alongside the existing linear search based on memcmp().
+ * 		Also a quick check to decide which method to use on a per
+ * 		packet basis.
+ */
+
+#include <linux/smp.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/file.h>
+#include <net/sock.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_string.h>
+
+MODULE_LICENSE("GPL");
+
+struct string_per_cpu {
+	int *skip;
+	int *shift;
+	int *len;
+};
+
+struct string_per_cpu *bm_string_data=NULL;
+
+int smp_num_cpus = 1;
+
+/* Boyer Moore Sublinear string search - VERY FAST */
+char *search_sublinear (char *needle, char *haystack, int needle_len, int haystack_len) 
+{
+	int M1, right_end, sk, sh;  
+	int ended, j, i;
+
+	int *skip, *shift, *len;
+	
+	/* use data suitable for this CPU */
+	shift=bm_string_data[smp_processor_id()].shift;
+	skip=bm_string_data[smp_processor_id()].skip;
+	len=bm_string_data[smp_processor_id()].len;
+	
+	/* Setup skip/shift tables */
+	M1 = right_end = needle_len-1;
+	for (i = 0; i < BM_MAX_HLEN; i++) skip[i] = needle_len;  
+	for (i = 0; needle[i]; i++) skip[needle[i]] = M1 - i;  
+
+	for (i = 1; i < needle_len; i++) {   
+		for (j = 0; j < needle_len && needle[M1 - j] == needle[M1 - i - j]; j++);  
+		len[i] = j;  
+	}  
+
+	shift[0] = 1;  
+	for (i = 1; i < needle_len; i++) shift[i] = needle_len;  
+	for (i = M1; i > 0; i--) shift[len[i]] = i;  
+	ended = 0;  
+	
+	for (i = 0; i < needle_len; i++) {  
+		if (len[i] == M1 - i) ended = i;  
+		if (ended) shift[i] = ended;  
+	}  
+
+	/* Do the search*/  
+	while (right_end < haystack_len)
+	{
+		for (i = 0; i < needle_len && haystack[right_end - i] == needle[M1 - i]; i++);  
+		if (i == needle_len) {
+			return haystack+(right_end - M1);
+		}
+		
+		sk = skip[haystack[right_end - i]];  
+		sh = shift[i];
+		right_end = max(right_end - i + sk, right_end + sh);  
+	}
+
+	return NULL;
+}  
+
+/* Linear string search based on memcmp() */
+char *search_linear (char *needle, char *haystack, int needle_len, int haystack_len) 
+{
+	char *k = haystack + (haystack_len-needle_len);
+	char *t = haystack;
+	
+	while ( t <= k ) {
+		if (memcmp(t, needle, needle_len) == 0)
+			return t;
+		t++;
+	}
+
+	return NULL;
+}
+
+
+static int
+match(const struct sk_buff *skb,
+      const struct net_device *in,
+      const struct net_device *out,
+      const void *matchinfo,
+      int offset,
+      const void *hdr,
+      u_int16_t datalen,
+      int *hotdrop)
+{
+	const struct ipt_string_info *info = matchinfo;
+	struct iphdr *ip = skb->nh.iph;
+	int hlen, nlen;
+	char *needle, *haystack;
+	proc_ipt_search search=search_linear;
+
+	if ( !ip ) return 0;
+
+	/* get lenghts, and validate them */
+	nlen=info->len;
+	hlen=ntohs(ip->tot_len)-(ip->ihl*4);
+	if ( nlen > hlen ) return 0;
+
+	needle=(char *)&info->string;
+	haystack=(char *)ip+(ip->ihl*4);
+
+	/* The sublinear search comes in to its own
+	 * on the larger packets */
+	if ( (hlen>IPT_STRING_HAYSTACK_THRESH) &&
+	  	(nlen>IPT_STRING_NEEDLE_THRESH) ) {
+		if ( hlen < BM_MAX_HLEN ) {
+			search=search_sublinear;
+		}else{
+			if (net_ratelimit())
+				printk(KERN_INFO "ipt_string: Packet too big "
+					"to attempt sublinear string search "
+					"(%d bytes)\n", hlen );
+		}
+	}
+	
+    return ((search(needle, haystack, nlen, hlen)!=NULL) ^ info->invert);
+}
+
+static int
+checkentry(const char *tablename,
+           const struct ipt_ip *ip,
+           void *matchinfo,
+           unsigned int matchsize,
+           unsigned int hook_mask)
+{
+
+       if (matchsize != IPT_ALIGN(sizeof(struct ipt_string_info)))
+               return 0;
+
+       return 1;
+}
+
+void string_freeup_data(void)
+{
+	int c;
+	
+	if ( bm_string_data ) {
+		for(c=0; c<smp_num_cpus; c++) {
+			if ( bm_string_data[c].shift ) kfree(bm_string_data[c].shift);
+			if ( bm_string_data[c].skip ) kfree(bm_string_data[c].skip);
+			if ( bm_string_data[c].len ) kfree(bm_string_data[c].len);
+		}
+		kfree(bm_string_data);
+	}
+}
+
+static struct ipt_match string_match
+= { { NULL, NULL }, "string", &match, &checkentry, NULL, THIS_MODULE };
+
+static int __init init(void)
+{
+	int c;
+	size_t tlen;
+	size_t alen;
+
+	tlen=sizeof(struct string_per_cpu)*smp_num_cpus;
+	alen=sizeof(int)*BM_MAX_HLEN;
+	
+	/* allocate array of structures */
+	if ( !(bm_string_data=kmalloc(tlen,GFP_KERNEL)) ) {
+		return 0;
+	}
+	
+	memset(bm_string_data, 0, tlen);
+	
+	/* allocate our skip/shift tables */
+	for(c=0; c<smp_num_cpus; c++) {
+		if ( !(bm_string_data[c].shift=kmalloc(alen, GFP_KERNEL)) )
+			goto alloc_fail;
+		if ( !(bm_string_data[c].skip=kmalloc(alen, GFP_KERNEL)) )
+			goto alloc_fail;
+		if ( !(bm_string_data[c].len=kmalloc(alen, GFP_KERNEL)) )
+			goto alloc_fail;
+	}
+	
+	return ipt_register_match(&string_match);
+
+alloc_fail:
+	string_freeup_data();
+	return 0;
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_match(&string_match);
+	string_freeup_data();
+}
+
+module_init(init);
+module_exit(fini);
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/net/ipv4/tcp_ipv4.c linux-2.6.5-rc1/net/ipv4/tcp_ipv4.c
--- linux-2.6.5-rc1.org/net/ipv4/tcp_ipv4.c	2004-03-16 05:45:58.000000000 +0000
+++ linux-2.6.5-rc1/net/ipv4/tcp_ipv4.c	2004-03-16 12:04:38.000000000 +0000
@@ -2667,6 +2667,7 @@
 EXPORT_SYMBOL(tcp_v4_connect);
 EXPORT_SYMBOL(tcp_v4_do_rcv);
 EXPORT_SYMBOL(tcp_v4_lookup_listener);
+EXPORT_SYMBOL(tcp_v4_lookup);
 EXPORT_SYMBOL(tcp_v4_rebuild_header);
 EXPORT_SYMBOL(tcp_v4_remember_stamp);
 EXPORT_SYMBOL(tcp_v4_send_check);
diff -Nur --exclude '*.orig' linux-2.6.5-rc1.org/net/ipv4/udp.c linux-2.6.5-rc1/net/ipv4/udp.c
--- linux-2.6.5-rc1.org/net/ipv4/udp.c	2004-03-16 05:45:49.000000000 +0000
+++ linux-2.6.5-rc1/net/ipv4/udp.c	2004-03-16 12:04:38.000000000 +0000
@@ -1543,6 +1543,7 @@
 EXPORT_SYMBOL(udp_port_rover);
 EXPORT_SYMBOL(udp_prot);
 EXPORT_SYMBOL(udp_sendmsg);
+EXPORT_SYMBOL(udp_v4_lookup);
 
 #ifdef CONFIG_PROC_FS
 EXPORT_SYMBOL(udp_proc_register);