[packages/kernel.git] / 2.6.6-pom-ng-20040518.patch

  Netfilter SNAP 20040518
   included:
   PENDING/expect-evict-order
   PENDING/init_conntrack-optimize
   PENDING/ipt_helper-invert-fix
   PENDING/nf-log
   PENDING/nf_reset
   PENDING/orphaned-expect-fix
   PENDING/proc-no-internal-targets
   BASE/HOPLIMIT
   BASE/IPV4OPTSSTRING
   BASE/NETLINK			// fix socket -> sk_socket
   BASE/REJECT
   BASE/TTL
   BASE/connlimit
   BASE/dstlimit
   BASE/fuzzy
   BASE/ipv4options
   BASE/mport
   BASE/nth
   BASE/osf			// fix socket -> sk_socket
   BASE/pool			// added EXPORT_SYMBOL(ip_pool_mod, ip_pool_match)
   BASE/psd
   BASE/quota
   BASE/random
   BASE/realm
   BASE/sctp
   BASE/time
   BASE/u32
   EXTRA/CONNMARK
   EXTRA/IPMARK
   EXTRA/ROUTE
   EXTRA/TARPIT			// fix Makefile.ladd and req patch for 2.6
   EXTRA/TRACE
   EXTRA/XOR
   EXTRA/addrtype
   EXTRA/eggdrop-conntrack
   EXTRA/h323-conntrack-nat
   EXTRA/ipsec-01-output-hooks
   EXTRA/ipsec-02-input-hooks
   EXTRA/ipsec-03-policy-lookup
   EXTRA/ipsec-04-policy-check
   EXTRA/ipt_helper-any
   EXTRA/mms-conntrack-nat
   EXTRA/owner-socketlookup
   EXTRA/ownercmd
   EXTRA/policy
   EXTRA/quake3-conntrack-nat
   EXTRA/rsh
   EXTRA/rtsp-conntrack
   EXTRA/sctp-conntrack-nat
   EXTRA/string			// required unclean module - included - req fix
   EXTRA/talk-conntrack-nat
   
diff -Nur --exclude '*.orig' linux-2.6.6.org/include/linux/netfilter.h linux-2.6.6/include/linux/netfilter.h
--- linux-2.6.6.org/include/linux/netfilter.h	2004-05-10 04:32:37.000000000 +0200
+++ linux-2.6.6/include/linux/netfilter.h	2004-05-18 14:28:50.000000000 +0200
@@ -23,6 +23,7 @@
    <= 0x2000 is used for protocol-flags. */
 #define NFC_UNKNOWN 0x4000
 #define NFC_ALTERED 0x8000
+#define NFC_TRACE   0x10000
 
 #ifdef __KERNEL__
 #include <linux/config.h>
@@ -137,12 +138,14 @@
 /* This is gross, but inline doesn't cut it for avoiding the function
    call in fast path: gcc doesn't inline (needs value tracking?). --RR */
 #ifdef CONFIG_NETFILTER_DEBUG
-#define NF_HOOK(pf, hook, skb, indev, outdev, okfn)			\
- nf_hook_slow((pf), (hook), (skb), (indev), (outdev), (okfn), INT_MIN)
+#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond)		\
+(!(cond)								\
+ ? (okfn)(skb) 								\
+ : nf_hook_slow((pf), (hook), (skb), (indev), (outdev), (okfn), INT_MIN))
 #define NF_HOOK_THRESH nf_hook_slow
 #else
-#define NF_HOOK(pf, hook, skb, indev, outdev, okfn)			\
-(list_empty(&nf_hooks[(pf)][(hook)])					\
+#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond)		\
+(!(cond) || list_empty(&nf_hooks[(pf)][(hook)])				\
  ? (okfn)(skb)								\
  : nf_hook_slow((pf), (hook), (skb), (indev), (outdev), (okfn), INT_MIN))
 #define NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, thresh)	\
@@ -150,6 +153,8 @@
  ? (okfn)(skb)								\
  : nf_hook_slow((pf), (hook), (skb), (indev), (outdev), (okfn), (thresh)))
 #endif
+#define NF_HOOK(pf, hook, skb, indev, outdev, okfn)			\
+ NF_HOOK_COND((pf), (hook), (skb), (indev), (outdev), (okfn), 1)
 
 int nf_hook_slow(int pf, unsigned int hook, struct sk_buff *skb,
 		 struct net_device *indev, struct net_device *outdev,
@@ -182,7 +187,24 @@
 
 #else /* !CONFIG_NETFILTER */
 #define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb)
+#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) (okfn)(skb)
 #endif /*CONFIG_NETFILTER*/
 
+#ifdef CONFIG_XFRM
+#ifdef CONFIG_IP_NF_NAT_NEEDED
+struct flowi;
+extern void nf_nat_decode_session4(struct sk_buff *skb, struct flowi *fl);
+
+static inline void
+nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, int family)
+{
+	if (family == AF_INET)
+		nf_nat_decode_session4(skb, fl);
+}
+#else /* CONFIG_IP_NF_NAT_NEEDED */
+#define nf_nat_decode_session(skb,fl,family)
+#endif /* CONFIG_IP_NF_NAT_NEEDED */
+#endif /* CONFIG_XFRM */
+
 #endif /*__KERNEL__*/
 #endif /*__LINUX_NETFILTER_H*/
diff -Nur --exclude '*.orig' linux-2.6.6.org/include/linux/netfilter_helpers.h linux-2.6.6/include/linux/netfilter_helpers.h
--- linux-2.6.6.org/include/linux/netfilter_helpers.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.6/include/linux/netfilter_helpers.h	2004-05-18 14:28:50.000000000 +0200
@@ -0,0 +1,133 @@
+/*
+ * Helpers for netfiler modules.  This file provides implementations for basic
+ * functions such as strncasecmp(), etc.
+ *
+ * gcc will warn for defined but unused functions, so we only include the
+ * functions requested.  The following macros are used:
+ *   NF_NEED_STRNCASECMP        nf_strncasecmp()
+ *   NF_NEED_STRTOU16           nf_strtou16()
+ *   NF_NEED_STRTOU32           nf_strtou32()
+ */
+#ifndef _NETFILTER_HELPERS_H
+#define _NETFILTER_HELPERS_H
+
+/* Only include these functions for kernel code. */
+#ifdef __KERNEL__
+
+#include <linux/ctype.h>
+#define iseol(c) ( (c) == '\r' || (c) == '\n' )
+
+/*
+ * The standard strncasecmp()
+ */
+#ifdef NF_NEED_STRNCASECMP
+static int
+nf_strncasecmp(const char* s1, const char* s2, u_int32_t len)
+{
+    if (s1 == NULL || s2 == NULL)
+    {
+        if (s1 == NULL && s2 == NULL)
+        {
+            return 0;
+        }
+        return (s1 == NULL) ? -1 : 1;
+    }
+    while (len > 0 && tolower(*s1) == tolower(*s2))
+    {
+        len--;
+        s1++;
+        s2++;
+    }
+    return ( (len == 0) ? 0 : (tolower(*s1) - tolower(*s2)) );
+}
+#endif /* NF_NEED_STRNCASECMP */
+
+/*
+ * Parse a string containing a 16-bit unsigned integer.
+ * Returns the number of chars used, or zero if no number is found.
+ */
+#ifdef NF_NEED_STRTOU16
+static int
+nf_strtou16(const char* pbuf, u_int16_t* pval)
+{
+    int n = 0;
+
+    *pval = 0;
+    while (isdigit(pbuf[n]))
+    {
+        *pval = (*pval * 10) + (pbuf[n] - '0');
+        n++;
+    }
+
+    return n;
+}
+#endif /* NF_NEED_STRTOU16 */
+
+/*
+ * Parse a string containing a 32-bit unsigned integer.
+ * Returns the number of chars used, or zero if no number is found.
+ */
+#ifdef NF_NEED_STRTOU32
+static int
+nf_strtou32(const char* pbuf, u_int32_t* pval)
+{
+    int n = 0;
+
+    *pval = 0;
+    while (pbuf[n] >= '0' && pbuf[n] <= '9')
+    {
+        *pval = (*pval * 10) + (pbuf[n] - '0');
+        n++;
+    }
+
+    return n;
+}
+#endif /* NF_NEED_STRTOU32 */
+
+/*
+ * Given a buffer and length, advance to the next line and mark the current
+ * line.
+ */
+#ifdef NF_NEED_NEXTLINE
+static int
+nf_nextline(char* p, uint len, uint* poff, uint* plineoff, uint* plinelen)
+{
+    uint    off = *poff;
+    uint    physlen = 0;
+
+    if (off >= len)
+    {
+        return 0;
+    }
+
+    while (p[off] != '\n')
+    {
+        if (len-off <= 1)
+        {
+            return 0;
+        }
+
+        physlen++;
+        off++;
+    }
+
+    /* if we saw a crlf, physlen needs adjusted */
+    if (physlen > 0 && p[off] == '\n' && p[off-1] == '\r')
+    {
+        physlen--;
+    }
+
+    /* advance past the newline */
+    off++;
+
+    *plineoff = *poff;
+    *plinelen = physlen;
+    *poff = off;
+
+    return 1;
+}
+#endif /* NF_NEED_NEXTLINE */
+
+#endif /* __KERNEL__ */
+
+#endif /* _NETFILTER_HELPERS_H */
diff -Nur --exclude '*.orig' linux-2.6.6.org/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.6.6/include/linux/netfilter_ipv4/ip_conntrack.h
--- linux-2.6.6.org/include/linux/netfilter_ipv4/ip_conntrack.h	2004-05-10 04:33:20.000000000 +0200
+++ linux-2.6.6/include/linux/netfilter_ipv4/ip_conntrack.h	2004-05-18 14:28:50.000000000 +0200
@@ -51,10 +51,12 @@
 
 #include <linux/netfilter_ipv4/ip_conntrack_tcp.h>
 #include <linux/netfilter_ipv4/ip_conntrack_icmp.h>
+#include <linux/netfilter_ipv4/ip_conntrack_sctp.h>
 
 /* per conntrack: protocol private data */
 union ip_conntrack_proto {
 	/* insert conntrack proto private data here */
+	struct ip_ct_sctp sctp;
 	struct ip_ct_tcp tcp;
 	struct ip_ct_icmp icmp;
 };
@@ -64,6 +66,11 @@
 };
 
 /* Add protocol helper include file here */
+#include <linux/netfilter_ipv4/ip_conntrack_talk.h>
+#include <linux/netfilter_ipv4/ip_conntrack_rtsp.h>
+#include <linux/netfilter_ipv4/ip_conntrack_rsh.h>
+#include <linux/netfilter_ipv4/ip_conntrack_mms.h>
+#include <linux/netfilter_ipv4/ip_conntrack_h323.h>
 #include <linux/netfilter_ipv4/ip_conntrack_amanda.h>
 #include <linux/netfilter_ipv4/ip_conntrack_ftp.h>
 #include <linux/netfilter_ipv4/ip_conntrack_irc.h>
@@ -71,6 +78,11 @@
 /* per expectation: application helper private data */
 union ip_conntrack_expect_help {
 	/* insert conntrack helper private data (expect) here */
+	struct ip_ct_talk_expect exp_talk_info;
+	struct ip_ct_rtsp_expect exp_rtsp_info;
+	struct ip_ct_rsh_expect exp_rsh_info;
+	struct ip_ct_mms_expect exp_mms_info;
+	struct ip_ct_h225_expect exp_h225_info;
 	struct ip_ct_amanda_expect exp_amanda_info;
 	struct ip_ct_ftp_expect exp_ftp_info;
 	struct ip_ct_irc_expect exp_irc_info;
@@ -85,6 +97,11 @@
 /* per conntrack: application helper private data */
 union ip_conntrack_help {
 	/* insert conntrack helper private data (master) here */
+	struct ip_ct_talk_master ct_talk_info;
+	struct ip_ct_rtsp_master ct_rtsp_info;
+	struct ip_ct_rsh_master ct_rsh_info;
+	struct ip_ct_mms_master ct_mms_info;
+	struct ip_ct_h225_master ct_h225_info;
 	struct ip_ct_ftp_master ct_ftp_info;
 	struct ip_ct_irc_master ct_irc_info;
 };
@@ -207,6 +224,10 @@
 	} nat;
 #endif /* CONFIG_IP_NF_NAT_NEEDED */
 
+#if defined(CONFIG_IP_NF_CONNTRACK_MARK)
+	unsigned long mark;
+#endif
+
 };
 
 /* get master conntrack via master expectation */
diff -Nur --exclude '*.orig' linux-2.6.6.org/include/linux/netfilter_ipv4/ip_conntrack_h323.h linux-2.6.6/include/linux/netfilter_ipv4/ip_conntrack_h323.h
--- linux-2.6.6.org/include/linux/netfilter_ipv4/ip_conntrack_h323.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.6/include/linux/netfilter_ipv4/ip_conntrack_h323.h	2004-05-18 14:28:50.000000000 +0200
@@ -0,0 +1,31 @@
+#ifndef _IP_CONNTRACK_H323_H
+#define _IP_CONNTRACK_H323_H
+/* H.323 connection tracking. */
+
+#ifdef __KERNEL__
+/* Protects H.323 related data */
+#include <linux/netfilter_ipv4/lockhelp.h>
+DECLARE_LOCK_EXTERN(ip_h323_lock);
+#endif
+
+/* Default H.225 port */
+#define H225_PORT	1720
+
+/* This structure is per expected connection */
+struct ip_ct_h225_expect {
+	u_int16_t port;			/* Port of the H.225 helper/RTCP/RTP channel */
+	enum ip_conntrack_dir dir;	/* Direction of the original connection */
+	unsigned int offset;		/* offset of the address in the payload */
+};
+
+/* This structure exists only once per master */
+struct ip_ct_h225_master {
+	int is_h225;				/* H.225 or H.245 connection */
+#ifdef CONFIG_IP_NF_NAT_NEEDED
+	enum ip_conntrack_dir dir;		/* Direction of the original connection */
+	u_int32_t seq[IP_CT_DIR_MAX];		/* Exceptional packet mangling for signal addressess... */
+	unsigned int offset[IP_CT_DIR_MAX];	/* ...and the offset of the addresses in the payload */
+#endif
+};
+
+#endif /* _IP_CONNTRACK_H323_H */
diff -Nur --exclude '*.orig' linux-2.6.6.org/include/linux/netfilter_ipv4/ip_conntrack_mms.h linux-2.6.6/include/linux/netfilter_ipv4/ip_conntrack_mms.h
--- linux-2.6.6.org/include/linux/netfilter_ipv4/ip_conntrack_mms.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.6/include/linux/netfilter_ipv4/ip_conntrack_mms.h	2004-05-18 14:28:50.000000000 +0200
@@ -0,0 +1,31 @@
+#ifndef _IP_CONNTRACK_MMS_H
+#define _IP_CONNTRACK_MMS_H
+/* MMS tracking. */
+
+#ifdef __KERNEL__
+#include <linux/netfilter_ipv4/lockhelp.h>
+
+DECLARE_LOCK_EXTERN(ip_mms_lock);
+
+#define MMS_PORT                         1755
+#define MMS_SRV_MSG_ID                   196610
+
+#define MMS_SRV_MSG_OFFSET               36
+#define MMS_SRV_UNICODE_STRING_OFFSET    60
+#define MMS_SRV_CHUNKLENLV_OFFSET        16
+#define MMS_SRV_CHUNKLENLM_OFFSET        32
+#define MMS_SRV_MESSAGELENGTH_OFFSET     8
+#endif
+
+/* This structure is per expected connection */
+struct ip_ct_mms_expect {
+	u_int32_t len;
+	u_int32_t padding;
+	u_int16_t port;
+};
+
+/* This structure exists only once per master */
+struct ip_ct_mms_master {
+};
+
+#endif /* _IP_CONNTRACK_MMS_H */
diff -Nur --exclude '*.orig' linux-2.6.6.org/include/linux/netfilter_ipv4/ip_conntrack_quake3.h linux-2.6.6/include/linux/netfilter_ipv4/ip_conntrack_quake3.h
--- linux-2.6.6.org/include/linux/netfilter_ipv4/ip_conntrack_quake3.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.6/include/linux/netfilter_ipv4/ip_conntrack_quake3.h	2004-05-18 14:28:50.000000000 +0200
@@ -0,0 +1,21 @@
+#ifndef _IP_CT_QUAKE3
+#define _IP_CT_QUAKE3
+
+/* Don't confuse with 27960, often used as the Server Port */
+#define QUAKE3_MASTER_PORT 27950
+
+struct quake3_search {
+	const char marker[4]; /* always 0xff 0xff 0xff 0xff ? */
+	const char *pattern;
+	size_t plen;
+}; 
+
+/* This structure is per expected connection */
+struct ip_ct_quake3_expect {
+};
+
+/* This structure exists only once per master */
+struct ip_ct_quake3_master {
+};
+
+#endif /* _IP_CT_QUAKE3 */
diff -Nur --exclude '*.orig' linux-2.6.6.org/include/linux/netfilter_ipv4/ip_conntrack_rsh.h linux-2.6.6/include/linux/netfilter_ipv4/ip_conntrack_rsh.h
--- linux-2.6.6.org/include/linux/netfilter_ipv4/ip_conntrack_rsh.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.6/include/linux/netfilter_ipv4/ip_conntrack_rsh.h	2004-05-18 14:28:50.000000000 +0200
@@ -0,0 +1,35 @@
+/* RSH extension for IP connection tracking, Version 1.0
+ * (C) 2002 by Ian (Larry) Latter <Ian.Latter@mq.edu.au>
+ * based on HW's ip_conntrack_irc.c     
+ *
+ * ip_conntrack_rsh.c,v 1.0 2002/07/17 14:49:26
+ *
+ *      This program is free software; you can redistribute it and/or
+ *      modify it under the terms of the GNU General Public License
+ *      as published by the Free Software Foundation; either version
+ *      2 of the License, or (at your option) any later version.
+ */
+#ifndef _IP_CONNTRACK_RSH_H
+#define _IP_CONNTRACK_RSH_H
+
+#ifdef __KERNEL__
+#include <linux/netfilter_ipv4/lockhelp.h>
+
+DECLARE_LOCK_EXTERN(ip_rsh_lock);
+#endif
+
+
+#define RSH_PORT	514
+
+/* This structure is per expected connection */
+struct ip_ct_rsh_expect
+{
+	u_int16_t port;
+};
+
+/* This structure exists only once per master */
+struct ip_ct_rsh_master {
+};
+
+#endif /* _IP_CONNTRACK_RSH_H */
+
diff -Nur --exclude '*.orig' linux-2.6.6.org/include/linux/netfilter_ipv4/ip_conntrack_rtsp.h linux-2.6.6/include/linux/netfilter_ipv4/ip_conntrack_rtsp.h
--- linux-2.6.6.org/include/linux/netfilter_ipv4/ip_conntrack_rtsp.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.6/include/linux/netfilter_ipv4/ip_conntrack_rtsp.h	2004-05-18 14:28:50.000000000 +0200
@@ -0,0 +1,68 @@
+/*
+ * RTSP extension for IP connection tracking.
+ * (C) 2003 by Tom Marshall <tmarshall@real.com>
+ * based on ip_conntrack_irc.h
+ *
+ *      This program is free software; you can redistribute it and/or
+ *      modify it under the terms of the GNU General Public License
+ *      as published by the Free Software Foundation; either version
+ *      2 of the License, or (at your option) any later version.
+ */
+#ifndef _IP_CONNTRACK_RTSP_H
+#define _IP_CONNTRACK_RTSP_H
+
+/* #define IP_NF_RTSP_DEBUG */
+#define IP_NF_RTSP_VERSION "0.01"
+
+/* port block types */
+typedef enum {
+    pb_single,  /* client_port=x */
+    pb_range,   /* client_port=x-y */
+    pb_discon   /* client_port=x/y (rtspbis) */
+} portblock_t;
+
+/* We record seq number and length of rtsp headers here, all in host order. */
+
+/*
+ * This structure is per expected connection.  It is a member of struct
+ * ip_conntrack_expect.  The TCP SEQ for the conntrack expect is stored
+ * there and we are expected to only store the length of the data which
+ * needs replaced.  If a packet contains multiple RTSP messages, we create
+ * one expected connection per message.
+ *
+ * We use these variables to mark the entire header block.  This may seem
+ * like overkill, but the nature of RTSP requires it.  A header may appear
+ * multiple times in a message.  We must treat two Transport headers the
+ * same as one Transport header with two entries.
+ */
+struct ip_ct_rtsp_expect
+{
+    u_int32_t   len;        /* length of header block */
+    portblock_t pbtype;     /* Type of port block that was requested */
+    u_int16_t   loport;     /* Port that was requested, low or first */
+    u_int16_t   hiport;     /* Port that was requested, high or second */
+#if 0
+    uint        method;     /* RTSP method */
+    uint        cseq;       /* CSeq from request */
+#endif
+};
+
+/* This structure exists only once per master */
+struct ip_ct_rtsp_master
+{
+    /* Empty (?) */
+};
+
+
+#ifdef __KERNEL__
+
+#include <linux/netfilter_ipv4/lockhelp.h>
+
+#define RTSP_PORT   554
+
+/* Protects rtsp part of conntracks */
+DECLARE_LOCK_EXTERN(ip_rtsp_lock);
+
+#endif /* __KERNEL__ */
+
+#endif /* _IP_CONNTRACK_RTSP_H */
diff -Nur --exclude '*.orig' linux-2.6.6.org/include/linux/netfilter_ipv4/ip_conntrack_sctp.h linux-2.6.6/include/linux/netfilter_ipv4/ip_conntrack_sctp.h
--- linux-2.6.6.org/include/linux/netfilter_ipv4/ip_conntrack_sctp.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.6/include/linux/netfilter_ipv4/ip_conntrack_sctp.h	2004-05-18 14:28:50.000000000 +0200
@@ -0,0 +1,25 @@
+#ifndef _IP_CONNTRACK_SCTP_H
+#define _IP_CONNTRACK_SCTP_H
+/* SCTP tracking. */
+
+enum sctp_conntrack {
+	SCTP_CONNTRACK_NONE,
+	SCTP_CONNTRACK_CLOSED,
+	SCTP_CONNTRACK_COOKIE_WAIT,
+	SCTP_CONNTRACK_COOKIE_ECHOED,
+	SCTP_CONNTRACK_ESTABLISHED,
+	SCTP_CONNTRACK_SHUTDOWN_SENT,
+	SCTP_CONNTRACK_SHUTDOWN_RECD,
+	SCTP_CONNTRACK_SHUTDOWN_ACK_SENT,
+	SCTP_CONNTRACK_MAX
+};
+
+struct ip_ct_sctp
+{
+	enum sctp_conntrack state;
+
+	u_int32_t vtag[IP_CT_DIR_MAX];
+	u_int32_t ttag[IP_CT_DIR_MAX];
+};
+
+#endif /* _IP_CONNTRACK_SCTP_H */
diff -Nur --exclude '*.orig' linux-2.6.6.org/include/linux/netfilter_ipv4/ip_conntrack_talk.h linux-2.6.6/include/linux/netfilter_ipv4/ip_conntrack_talk.h
--- linux-2.6.6.org/include/linux/netfilter_ipv4/ip_conntrack_talk.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.6/include/linux/netfilter_ipv4/ip_conntrack_talk.h	2004-05-18 14:28:50.000000000 +0200
@@ -0,0 +1,152 @@
+#ifndef _IP_CONNTRACK_TALK_H
+#define _IP_CONNTRACK_TALK_H
+/* TALK tracking. */
+
+#ifdef __KERNEL__
+#include <linux/in.h>
+#include <linux/netfilter_ipv4/lockhelp.h>
+
+/* Protects talk part of conntracks */
+DECLARE_LOCK_EXTERN(ip_talk_lock);
+#endif
+
+
+#define TALK_PORT	517
+#define NTALK_PORT	518
+
+/* talk structures and constants from <protocols/talkd.h> */
+
+/*
+ * 4.3BSD struct sockaddr
+ */
+struct talk_addr {
+	u_int16_t ta_family;
+	u_int16_t ta_port;
+	u_int32_t ta_addr;
+	u_int32_t ta_junk1;
+	u_int32_t ta_junk2;
+};
+
+#define	TALK_OLD_NSIZE	9
+#define	TALK_NSIZE	12
+#define	TALK_TTY_NSIZE	16
+
+/*
+ * Client->server request message formats.
+ */
+struct talk_msg {
+	u_char	type;		/* request type, see below */
+	char	l_name[TALK_OLD_NSIZE];/* caller's name */
+	char	r_name[TALK_OLD_NSIZE];/* callee's name */
+	u_char	pad;
+	u_int32_t id_num;	/* message id */
+	int32_t	pid;		/* caller's process id */
+	char	r_tty[TALK_TTY_NSIZE];/* callee's tty name */
+	struct	talk_addr addr;		/* old (4.3) style */
+	struct	talk_addr ctl_addr;	/* old (4.3) style */
+};
+
+struct ntalk_msg {
+	u_char	vers;		/* protocol version */
+	u_char	type;		/* request type, see below */
+	u_char	answer;		/* not used */
+	u_char	pad;
+	u_int32_t id_num;	/* message id */
+	struct	talk_addr addr;		/* old (4.3) style */
+	struct	talk_addr ctl_addr;	/* old (4.3) style */
+	int32_t	pid;		/* caller's process id */
+	char	l_name[TALK_NSIZE];/* caller's name */
+	char	r_name[TALK_NSIZE];/* callee's name */
+	char	r_tty[TALK_TTY_NSIZE];/* callee's tty name */
+};
+
+struct ntalk2_msg {
+	u_char	vers;		/* talk protocol version    */
+	u_char	type;		/* request type             */
+	u_char	answer;		/*  */
+	u_char	extended;	/* !0 if additional parts   */
+	u_int32_t id_num;	/* message id number (dels) */
+	struct	talk_addr addr;		/* target address   */
+	struct	talk_addr ctl_addr;	/* reply to address */
+	int32_t	pid;		/* caller's process id */
+	char	l_name[TALK_NSIZE];  /* caller's name */
+	char	r_name[TALK_NSIZE];  /* callee's name */
+	char	r_tty[TALK_TTY_NSIZE];    /* callee's tty */
+};
+
+/*
+ * Server->client response message formats.
+ */
+struct talk_response {
+	u_char	type;		/* type of request message, see below */
+	u_char	answer;		/* response to request message, see below */
+	u_char	pad[2];
+	u_int32_t id_num;	/* message id */
+	struct	talk_addr addr;	/* address for establishing conversation */
+};
+
+struct ntalk_response {
+	u_char	vers;		/* protocol version */
+	u_char	type;		/* type of request message, see below */
+	u_char	answer;		/* response to request message, see below */
+	u_char	pad;
+	u_int32_t id_num;	/* message id */
+	struct	talk_addr addr;	/* address for establishing conversation */
+};
+
+struct ntalk2_response {
+	u_char	vers;		/* protocol version         */
+	u_char	type;		/* type of request message  */
+	u_char	answer;		/* response to request      */
+	u_char	rvers;		/* Version of answering vers*/
+	u_int32_t id_num;	/* message id number        */
+	struct	talk_addr addr;	/* address for connection   */
+	/* This is at the end to compatiblize this with NTALK version.   */
+	char	r_name[TALK_NSIZE]; /* callee's name            */
+};
+
+#define TALK_STR(data, talk_str, member) ((struct talk_str *)data)->member)
+#define TALK_RESP(data, ver, member) (ver ? ((struct ntalk_response *)data)->member : ((struct talk_response *)data)->member)
+#define TALK_MSG(data, ver, member) (ver ? ((struct ntalk_msg *)data)->member : ((struct talk_msg *)data)->member)
+
+#define	TALK_VERSION	0		/* protocol versions */
+#define	NTALK_VERSION	1
+#define	NTALK2_VERSION	2
+
+/* message type values */
+#define LEAVE_INVITE	0	/* leave invitation with server */
+#define LOOK_UP		1	/* check for invitation by callee */
+#define DELETE		2	/* delete invitation by caller */
+#define ANNOUNCE	3	/* announce invitation by caller */
+/* NTALK2 */
+#define REPLY_QUERY	4	/* request reply data from local daemon */
+
+/* answer values */
+#define SUCCESS		0	/* operation completed properly */
+#define NOT_HERE	1	/* callee not logged in */
+#define FAILED		2	/* operation failed for unexplained reason */
+#define MACHINE_UNKNOWN	3	/* caller's machine name unknown */
+#define PERMISSION_DENIED 4	/* callee's tty doesn't permit announce */
+#define UNKNOWN_REQUEST	5	/* request has invalid type value */
+#define	BADVERSION	6	/* request has invalid protocol version */
+#define	BADADDR		7	/* request has invalid addr value */
+#define	BADCTLADDR	8	/* request has invalid ctl_addr value */
+/* NTALK2 */
+#define NO_CALLER	9	/* no-one calling answer from REPLY   */
+#define TRY_HERE	10	/* Not on this machine, try this      */
+#define SELECTIVE_REFUSAL 11	/* User Filter refusal.               */
+#define MAX_RESPONSE_TYPE 11	/* Make sure this is updated          */
+
+/* We don't really need much for talk */
+struct ip_ct_talk_expect
+{
+	/* Port that was to be used */
+	u_int16_t port;
+};
+
+/* This structure exists only once per master */
+struct ip_ct_talk_master
+{
+};
+
+#endif /* _IP_CONNTRACK_TALK_H */
diff -Nur --exclude '*.orig' linux-2.6.6.org/include/linux/netfilter_ipv4/ip_conntrack_tuple.h linux-2.6.6/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
--- linux-2.6.6.org/include/linux/netfilter_ipv4/ip_conntrack_tuple.h	2004-05-10 04:32:54.000000000 +0200
+++ linux-2.6.6/include/linux/netfilter_ipv4/ip_conntrack_tuple.h	2004-05-18 14:28:50.000000000 +0200
@@ -25,6 +25,9 @@
 	struct {
 		u_int16_t id;
 	} icmp;
+	struct {
+		u_int16_t port;
+	} sctp;
 };
 
 /* The manipulable part of the tuple. */
@@ -55,6 +58,9 @@
 			struct {
 				u_int8_t type, code;
 			} icmp;
+			struct {
+				u_int16_t port;
+			} sctp;
 		} u;
 
 		/* The protocol. */
diff -Nur --exclude '*.orig' linux-2.6.6.org/include/linux/netfilter_ipv4/ip_pool.h linux-2.6.6/include/linux/netfilter_ipv4/ip_pool.h
--- linux-2.6.6.org/include/linux/netfilter_ipv4/ip_pool.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.6/include/linux/netfilter_ipv4/ip_pool.h	2004-05-18 14:28:50.000000000 +0200
@@ -0,0 +1,64 @@
+#ifndef _IP_POOL_H
+#define _IP_POOL_H
+
+/***************************************************************************/
+/*  This program is free software; you can redistribute it and/or modify   */
+/*  it under the terms of the GNU General Public License as published by   */
+/*  the Free Software Foundation; either version 2 of the License, or	   */
+/*  (at your option) any later version.					   */
+/*									   */
+/*  This program is distributed in the hope that it will be useful,	   */
+/*  but WITHOUT ANY WARRANTY; without even the implied warranty of	   */
+/*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the	   */
+/*  GNU General Public License for more details.			   */
+/*									   */
+/*  You should have received a copy of the GNU General Public License	   */
+/*  along with this program; if not, write to the Free Software	       	   */
+/*  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA*/
+/***************************************************************************/
+
+/* A sockopt of such quality has hardly ever been seen before on the open
+ * market!  This little beauty, hardly ever used: above 64, so it's
+ * traditionally used for firewalling, not touched (even once!) by the
+ * 2.0, 2.2 and 2.4 kernels!
+ *
+ * Comes with its own certificate of authenticity, valid anywhere in the
+ * Free world!
+ *
+ * Rusty, 19.4.2000
+ */
+#define SO_IP_POOL 81
+
+typedef int ip_pool_t;			/* pool index */
+#define IP_POOL_NONE	((ip_pool_t)-1)
+
+struct ip_pool_request {
+	int op;
+	ip_pool_t index;
+	u_int32_t addr;
+	u_int32_t addr2;
+};
+
+/* NOTE: I deliberately break the first cut ippool utility. Nobody uses it. */
+
+#define IP_POOL_BAD001		0x00000010
+
+#define IP_POOL_FLUSH		0x00000011	/* req.index, no arguments */
+#define IP_POOL_INIT		0x00000012	/* from addr to addr2 incl. */
+#define IP_POOL_DESTROY		0x00000013	/* req.index, no arguments */
+#define IP_POOL_ADD_ADDR	0x00000014	/* add addr to pool */
+#define IP_POOL_DEL_ADDR	0x00000015	/* del addr from pool */
+#define IP_POOL_HIGH_NR		0x00000016	/* result in req.index */
+#define IP_POOL_LOOKUP		0x00000017	/* result in addr and addr2 */
+#define IP_POOL_USAGE		0x00000018	/* result in addr */
+#define IP_POOL_TEST_ADDR	0x00000019	/* result (0/1) returned */
+
+#ifdef __KERNEL__
+
+/* NOTE: ip_pool_match() and ip_pool_mod() expect ADDR to be host byte order */
+extern int ip_pool_match(ip_pool_t pool, u_int32_t addr);
+extern int ip_pool_mod(ip_pool_t pool, u_int32_t addr, int isdel);
+
+#endif
+
+#endif /*_IP_POOL_H*/
diff -Nur --exclude '*.orig' linux-2.6.6.org/include/linux/netfilter_ipv4/ip_tables.h linux-2.6.6/include/linux/netfilter_ipv4/ip_tables.h
--- linux-2.6.6.org/include/linux/netfilter_ipv4/ip_tables.h	2004-05-10 04:32:37.000000000 +0200
+++ linux-2.6.6/include/linux/netfilter_ipv4/ip_tables.h	2004-05-18 14:28:50.000000000 +0200
@@ -104,7 +104,8 @@
 
 /* Values for "flag" field in struct ipt_ip (general ip structure). */
 #define IPT_F_FRAG		0x01	/* Set if rule is a fragment rule */
-#define IPT_F_MASK		0x01	/* All possible flag bits mask. */
+#define IPT_F_GOTO		0x02	/* Set if jump is a goto */
+#define IPT_F_MASK		0x03	/* All possible flag bits mask. */
 
 /* Values for "inv" field in struct ipt_ip. */
 #define IPT_INV_VIA_IN		0x01	/* Invert the sense of IN IFACE. */
@@ -134,6 +135,12 @@
 	/* Back pointer */
 	unsigned int comefrom;
 
+	/* Name of the chain */
+	char *chainname;
+	
+	/* Rule number in the chain. */
+	u_int32_t rulenum;
+
 	/* Packet and byte counters. */
 	struct ipt_counters counters;
 
diff -Nur --exclude '*.orig' linux-2.6.6.org/include/linux/netfilter_ipv4/ipt_CONNMARK.h linux-2.6.6/include/linux/netfilter_ipv4/ipt_CONNMARK.h
--- linux-2.6.6.org/include/linux/netfilter_ipv4/ipt_CONNMARK.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.6/include/linux/netfilter_ipv4/ipt_CONNMARK.h	2004-05-18 14:28:50.000000000 +0200
@@ -0,0 +1,25 @@
+#ifndef _IPT_CONNMARK_H_target
+#define _IPT_CONNMARK_H_target
+
+/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+enum {
+	IPT_CONNMARK_SET = 0,
+	IPT_CONNMARK_SAVE,
+	IPT_CONNMARK_RESTORE
+};
+
+struct ipt_connmark_target_info {
+	unsigned long mark;
+	unsigned long mask;
+	u_int8_t mode;
+};
+
+#endif /*_IPT_CONNMARK_H_target*/
diff -Nur --exclude '*.orig' linux-2.6.6.org/include/linux/netfilter_ipv4/ipt_IPMARK.h linux-2.6.6/include/linux/netfilter_ipv4/ipt_IPMARK.h
--- linux-2.6.6.org/include/linux/netfilter_ipv4/ipt_IPMARK.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.6/include/linux/netfilter_ipv4/ipt_IPMARK.h	2004-05-18 14:28:50.000000000 +0200
@@ -0,0 +1,13 @@
+#ifndef _IPT_IPMARK_H_target
+#define _IPT_IPMARK_H_target
+
+struct ipt_ipmark_target_info {
+	unsigned long andmask;
+	unsigned long ormask;
+	unsigned int addr;
+};
+
+#define IPT_IPMARK_SRC    0
+#define IPT_IPMARK_DST    1
+
+#endif /*_IPT_IPMARK_H_target*/
diff -Nur --exclude '*.orig' linux-2.6.6.org/include/linux/netfilter_ipv4/ipt_MARK.h linux-2.6.6/include/linux/netfilter_ipv4/ipt_MARK.h
--- linux-2.6.6.org/include/linux/netfilter_ipv4/ipt_MARK.h	2004-05-10 04:32:26.000000000 +0200
+++ linux-2.6.6/include/linux/netfilter_ipv4/ipt_MARK.h	2004-05-18 14:28:50.000000000 +0200
@@ -1,8 +1,15 @@
 #ifndef _IPT_MARK_H_target
 #define _IPT_MARK_H_target
 
+enum {
+        IPT_MARK_SET,
+        IPT_MARK_AND,
+        IPT_MARK_OR
+};
+
 struct ipt_mark_target_info {
 	unsigned long mark;
+	u_int8_t mode;
 };
 
 #endif /*_IPT_MARK_H_target*/
diff -Nur --exclude '*.orig' linux-2.6.6.org/include/linux/netfilter_ipv4/ipt_NETLINK.h linux-2.6.6/include/linux/netfilter_ipv4/ipt_NETLINK.h
--- linux-2.6.6.org/include/linux/netfilter_ipv4/ipt_NETLINK.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.6/include/linux/netfilter_ipv4/ipt_NETLINK.h	2004-05-18 14:28:50.000000000 +0200
@@ -0,0 +1,27 @@
+#ifndef _IPT_FWMON_H
+#define _IPT_FWMON_H
+
+/* Bitmask macros */
+#define MASK(x,y) (x & y)
+#define MASK_SET(x,y) x |= y
+#define MASK_UNSET(x,y) x &= ~y
+
+#define USE_MARK	0x00000001
+#define USE_DROP	0x00000002
+#define USE_SIZE	0x00000004
+
+struct ipt_nldata
+{	
+	unsigned int flags;
+	unsigned int mark;
+	unsigned int size;
+};
+
+/* Old header */
+struct netlink_t {
+	unsigned int len;
+	unsigned int mark;
+	char iface[IFNAMSIZ];
+};
+
+#endif /*_IPT_FWMON_H*/
diff -Nur --exclude '*.orig' linux-2.6.6.org/include/linux/netfilter_ipv4/ipt_ROUTE.h linux-2.6.6/include/linux/netfilter_ipv4/ipt_ROUTE.h
--- linux-2.6.6.org/include/linux/netfilter_ipv4/ipt_ROUTE.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.6/include/linux/netfilter_ipv4/ipt_ROUTE.h	2004-05-18 14:28:50.000000000 +0200
@@ -0,0 +1,22 @@
+/* Header file for iptables ipt_ROUTE target
+ *