[packages/kernel.git] / 2.6.x-patch-o-matic-ng-base-20040307.patch

diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/include/linux/netfilter.h linux-2.6.4-rc2/include/linux/netfilter.h
--- linux-2.6.4-rc2.org/include/linux/netfilter.h	2004-03-04 06:16:47.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter.h	2004-03-07 08:43:12.000000000 +0000
@@ -99,6 +99,24 @@
 
 extern struct list_head nf_hooks[NPROTO][NF_MAX_HOOKS];
 
+typedef void nf_logfn(unsigned int hooknum,
+		      const struct sk_buff *skb,
+		      const struct net_device *in,
+		      const struct net_device *out,
+		      const char *prefix);
+
+/* Function to register/unregister log function. */
+int nf_log_register(int pf, nf_logfn *logfn);
+void nf_log_unregister(int pf, nf_logfn *logfn);
+
+/* Calls the registered backend logging function */
+void nf_log_packet(int pf,
+		   unsigned int hooknum,
+		   const struct sk_buff *skb,
+		   const struct net_device *in,
+		   const struct net_device *out,
+		   const char *fmt, ...);
+                   
 /* Activate hook; either okfn or kfree_skb called, unless a hook
    returns NF_STOLEN (in which case, it's up to the hook to deal with
    the consequences).
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ip_conntrack.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ip_conntrack.h	2004-03-04 06:17:04.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ip_conntrack.h	2004-03-07 08:43:29.000000000 +0000
@@ -251,6 +251,9 @@
 /* Call me when a conntrack is destroyed. */
 extern void (*ip_conntrack_destroyed)(struct ip_conntrack *conntrack);
 
+/* Fake conntrack entry for untracked connections */
+extern struct ip_conntrack ip_conntrack_untracked;
+
 /* Returns new sk_buff, or NULL */
 struct sk_buff *
 ip_ct_gather_frags(struct sk_buff *skb);
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_TTL.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_TTL.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_TTL.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_TTL.h	2004-03-07 08:43:16.000000000 +0000
@@ -0,0 +1,21 @@
+/* TTL modification module for IP tables
+ * (C) 2000 by Harald Welte <laforge@gnumonks.org> */
+
+#ifndef _IPT_TTL_H
+#define _IPT_TTL_H
+
+enum {
+	IPT_TTL_SET = 0,
+	IPT_TTL_INC,
+	IPT_TTL_DEC
+};
+
+#define IPT_TTL_MAXMODE	IPT_TTL_DEC
+
+struct ipt_TTL_info {
+	u_int8_t	mode;
+	u_int8_t	ttl;
+};
+
+
+#endif
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_ULOG.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_ULOG.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_ULOG.h	2004-03-04 06:16:43.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_ULOG.h	2004-03-07 08:43:12.000000000 +0000
@@ -11,6 +11,9 @@
 #define NETLINK_NFLOG 	5
 #endif
 
+#define ULOG_DEFAULT_NLGROUP	1
+#define ULOG_DEFAULT_QTHRESHOLD	1
+
 #define ULOG_MAC_LEN	80
 #define ULOG_PREFIX_LEN	32
 
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_connlimit.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_connlimit.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_connlimit.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_connlimit.h	2004-03-07 08:43:18.000000000 +0000
@@ -0,0 +1,12 @@
+#ifndef _IPT_CONNLIMIT_H
+#define _IPT_CONNLIMIT_H
+
+struct ipt_connlimit_data;
+
+struct ipt_connlimit_info {
+	int limit;
+	int inverse;
+	u_int32_t mask;
+	struct ipt_connlimit_data *data;
+};
+#endif /* _IPT_CONNLIMIT_H */
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_conntrack.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_conntrack.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_conntrack.h	2004-03-04 06:16:55.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_conntrack.h	2004-03-07 08:43:29.000000000 +0000
@@ -10,6 +10,7 @@
 
 #define IPT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
 #define IPT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
+#define IPT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
 
 /* flags, invflags: */
 #define IPT_CONNTRACK_STATE	0x01
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_dstlimit.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_dstlimit.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_dstlimit.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_dstlimit.h	2004-03-07 08:43:19.000000000 +0000
@@ -0,0 +1,39 @@
+#ifndef _IPT_DSTLIMIT_H
+#define _IPT_DSTLIMIT_H
+
+/* timings are in milliseconds. */
+#define IPT_DSTLIMIT_SCALE 10000
+/* 1/10,000 sec period => max of 10,000/sec.  Min rate is then 429490
+   seconds, or one every 59 hours. */
+
+/* details of this structure hidden by the implementation */
+struct ipt_dstlimit_htable;
+
+#define IPT_DSTLIMIT_HASH_DIP	0x0001
+#define IPT_DSTLIMIT_HASH_DPT	0x0002
+#define IPT_DSTLIMIT_HASH_SIP	0x0004
+
+struct dstlimit_cfg {
+	u_int32_t mode;	  /* bitmask of IPT_DSTLIMIT_HASH_* */
+	u_int32_t avg;    /* Average secs between packets * scale */
+	u_int32_t burst;  /* Period multiplier for upper limit. */
+
+	/* user specified */
+	u_int32_t size;		/* how many buckets */
+	u_int32_t max;		/* max number of entries */
+	u_int32_t gc_interval;	/* gc interval */
+	u_int32_t expire;	/* when do entries expire? */
+};
+
+struct ipt_dstlimit_info {
+	char name [IFNAMSIZ];		/* name */
+	struct dstlimit_cfg cfg;
+	struct ipt_dstlimit_htable *hinfo;
+
+	/* Used internally by the kernel */
+	union {
+		void *ptr;
+		struct ipt_dstlimit_info *master;
+	} u;
+};
+#endif /*_IPT_DSTLIMIT_H*/
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_fuzzy.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_fuzzy.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_fuzzy.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_fuzzy.h	2004-03-07 08:43:19.000000000 +0000
@@ -0,0 +1,21 @@
+#ifndef _IPT_FUZZY_H
+#define _IPT_FUZZY_H
+
+#include <linux/param.h>
+#include <linux/types.h>
+
+#define MAXFUZZYRATE 10000000
+#define MINFUZZYRATE 3
+
+struct ipt_fuzzy_info {
+	u_int32_t minimum_rate;
+	u_int32_t maximum_rate;
+	u_int32_t packets_total;
+	u_int32_t bytes_total;
+	u_int32_t previous_time;
+	u_int32_t present_time;
+	u_int32_t mean_rate;
+	u_int8_t acceptance_rate;
+};
+
+#endif /*_IPT_FUZZY_H*/
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_ipv4options.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_ipv4options.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_ipv4options.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_ipv4options.h	2004-03-07 08:43:20.000000000 +0000
@@ -0,0 +1,21 @@
+#ifndef __ipt_ipv4options_h_included__
+#define __ipt_ipv4options_h_included__
+
+#define IPT_IPV4OPTION_MATCH_SSRR		0x01  /* For strict source routing */
+#define IPT_IPV4OPTION_MATCH_LSRR		0x02  /* For loose source routing */
+#define IPT_IPV4OPTION_DONT_MATCH_SRR		0x04  /* any source routing */
+#define IPT_IPV4OPTION_MATCH_RR			0x08  /* For Record route */
+#define IPT_IPV4OPTION_DONT_MATCH_RR		0x10
+#define IPT_IPV4OPTION_MATCH_TIMESTAMP		0x20  /* For timestamp request */
+#define IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP	0x40
+#define IPT_IPV4OPTION_MATCH_ROUTER_ALERT	0x80  /* For router-alert */
+#define IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT	0x100
+#define IPT_IPV4OPTION_MATCH_ANY_OPT		0x200 /* match packet with any option */
+#define IPT_IPV4OPTION_DONT_MATCH_ANY_OPT	0x400 /* match packet with no option */
+
+struct ipt_ipv4options_info {
+	u_int16_t options;
+};
+
+
+#endif /* __ipt_ipv4options_h_included__ */
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_mport.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_mport.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_mport.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_mport.h	2004-03-07 08:43:23.000000000 +0000
@@ -0,0 +1,24 @@
+#ifndef _IPT_MPORT_H
+#define _IPT_MPORT_H
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+#define IPT_MPORT_SOURCE (1<<0)
+#define IPT_MPORT_DESTINATION (1<<1)
+#define IPT_MPORT_EITHER (IPT_MPORT_SOURCE|IPT_MPORT_DESTINATION)
+
+#define IPT_MULTI_PORTS	15
+
+/* Must fit inside union ipt_matchinfo: 32 bytes */
+/* every entry in ports[] except for the last one has one bit in pflags
+ * associated with it. If this bit is set, the port is the first port of
+ * a portrange, with the next entry being the last.
+ * End of list is marked with pflags bit set and port=65535.
+ * If 14 ports are used (last one does not have a pflag), the last port
+ * is repeated to fill the last entry in ports[] */
+struct ipt_mport
+{
+	u_int8_t flags:2;			/* Type of comparison */
+	u_int16_t pflags:14;			/* Port flags */
+	u_int16_t ports[IPT_MULTI_PORTS];	/* Ports */
+};
+#endif /*_IPT_MPORT_H*/
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_nth.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_nth.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_nth.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_nth.h	2004-03-07 08:43:24.000000000 +0000
@@ -0,0 +1,19 @@
+#ifndef _IPT_NTH_H
+#define _IPT_NTH_H
+
+#include <linux/param.h>
+#include <linux/types.h>
+
+#ifndef IPT_NTH_NUM_COUNTERS
+#define IPT_NTH_NUM_COUNTERS 16
+#endif
+
+struct ipt_nth_info {
+	u_int8_t every;
+	u_int8_t not;
+	u_int8_t startat;
+	u_int8_t counter;
+	u_int8_t packet;
+};
+
+#endif /*_IPT_NTH_H*/
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_quota.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_quota.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_quota.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_quota.h	2004-03-07 08:43:28.000000000 +0000
@@ -0,0 +1,11 @@
+#ifndef _IPT_QUOTA_H
+#define _IPT_QUOTA_H
+
+/* print debug info in both kernel/netfilter module & iptable library */
+//#define DEBUG_IPT_QUOTA
+
+struct ipt_quota_info {
+        u_int64_t quota;
+};
+
+#endif /*_IPT_QUOTA_H*/
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_realm.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_realm.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_realm.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_realm.h	2004-03-07 08:43:30.000000000 +0000
@@ -0,0 +1,9 @@
+#ifndef _IPT_REALM_H
+#define _IPT_REALM_H
+
+struct ipt_realm_info {
+	u_int32_t id;
+	u_int32_t mask;
+	u_int8_t invert;
+};
+#endif /*_IPT_REALM_H*/
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_sctp.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_sctp.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_sctp.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_sctp.h	2004-03-07 08:43:31.000000000 +0000
@@ -0,0 +1,107 @@
+#ifndef _IPT_SCTP_H_
+#define _IPT_SCTP_H_
+
+#define IPT_SCTP_SRC_PORTS	        0x01
+#define IPT_SCTP_DEST_PORTS	        0x02
+#define IPT_SCTP_CHUNK_TYPES		0x04
+
+#define IPT_SCTP_VALID_FLAGS		0x07
+
+#define ELEMCOUNT(x) (sizeof(x)/sizeof(x[0]))
+
+
+struct ipt_sctp_flag_info {
+	u_int8_t chunktype;
+	u_int8_t flag;
+	u_int8_t flag_mask;
+};
+
+#define IPT_NUM_SCTP_FLAGS	4
+
+struct ipt_sctp_info {
+	u_int16_t dpts[2];  /* Min, Max */
+	u_int16_t spts[2];  /* Min, Max */
+
+	u_int32_t chunkmap[256 / sizeof (u_int32_t)];  /* Bit mask of chunks to be matched according to RFC 2960 */
+
+#define SCTP_CHUNK_MATCH_ANY   0x01  /* Match if any of the chunk types are present */
+#define SCTP_CHUNK_MATCH_ALL   0x02  /* Match if all of the chunk types are present */
+#define SCTP_CHUNK_MATCH_ONLY  0x04  /* Match if these are the only chunk types present */
+
+	u_int32_t chunk_match_type;
+	struct ipt_sctp_flag_info flag_info[IPT_NUM_SCTP_FLAGS];
+	int flag_count;
+
+	u_int32_t flags;
+	u_int32_t invflags;
+};
+
+#define bytes(type) (sizeof(type) * 8)
+
+#define SCTP_CHUNKMAP_SET(chunkmap, type) 		\
+	do { 						\
+		chunkmap[type / bytes(u_int32_t)] |= 	\
+			1 << (type % bytes(u_int32_t));	\
+	} while (0)
+
+#define SCTP_CHUNKMAP_CLEAR(chunkmap, type)		 	\
+	do {							\
+		chunkmap[type / bytes(u_int32_t)] &= 		\
+			~(1 << (type % bytes(u_int32_t)));	\
+	} while (0)
+
+#define SCTP_CHUNKMAP_IS_SET(chunkmap, type) 			\
+({								\
+	(chunkmap[type / bytes (u_int32_t)] & 			\
+		(1 << (type % bytes (u_int32_t)))) ? 1: 0;	\
+})
+
+#define SCTP_CHUNKMAP_RESET(chunkmap) 				\
+	do {							\
+		int i; 						\
+		for (i = 0; i < ELEMCOUNT(chunkmap); i++)	\
+			chunkmap[i] = 0;			\
+	} while (0)
+
+#define SCTP_CHUNKMAP_SET_ALL(chunkmap) 			\
+	do {							\
+		int i; 						\
+		for (i = 0; i < ELEMCOUNT(chunkmap); i++) 	\
+			chunkmap[i] = ~0;			\
+	} while (0)
+
+#define SCTP_CHUNKMAP_COPY(destmap, srcmap) 			\
+	do {							\
+		int i; 						\
+		for (i = 0; i < ELEMCOUNT(chunkmap); i++) 	\
+			destmap[i] = srcmap[i];			\
+	} while (0)
+
+#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) 		\
+({							\
+	int i; 						\
+	int flag = 1;					\
+	for (i = 0; i < ELEMCOUNT(chunkmap); i++) {	\
+		if (chunkmap[i]) {			\
+			flag = 0;			\
+			break;				\
+		}					\
+	}						\
+        flag;						\
+})
+
+#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) 		\
+({							\
+	int i; 						\
+	int flag = 1;					\
+	for (i = 0; i < ELEMCOUNT(chunkmap); i++) {	\
+		if (chunkmap[i] != ~0) {		\
+			flag = 0;			\
+				break;			\
+		}					\
+	}						\
+        flag;						\
+})
+
+#endif /* _IPT_SCTP_H_ */
+
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_state.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_state.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_state.h	2004-03-04 06:17:00.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_state.h	2004-03-07 08:43:29.000000000 +0000
@@ -4,6 +4,8 @@
 #define IPT_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
 #define IPT_STATE_INVALID (1 << 0)
 
+#define IPT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1))
+
 struct ipt_state_info
 {
 	unsigned int statemask;
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_u32.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_u32.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_u32.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_u32.h	2004-03-07 08:44:17.000000000 +0000
@@ -0,0 +1,40 @@
+#ifndef _IPT_U32_H
+#define _IPT_U32_H
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+enum ipt_u32_ops
+{
+	IPT_U32_AND,
+	IPT_U32_LEFTSH,
+	IPT_U32_RIGHTSH,
+	IPT_U32_AT
+};
+
+struct ipt_u32_location_element
+{
+	u_int32_t number;
+	u_int8_t nextop;
+};
+struct ipt_u32_value_element
+{
+	u_int32_t min;
+	u_int32_t max;
+};
+/* *** any way to allow for an arbitrary number of elements?
+   for now I settle for a limit of 10 of each */
+#define U32MAXSIZE 10
+struct ipt_u32_test
+{
+	u_int8_t nnums;
+	struct ipt_u32_location_element location[U32MAXSIZE+1];
+	u_int8_t nvalues;
+	struct ipt_u32_value_element value[U32MAXSIZE+1];
+};
+
+struct ipt_u32
+{
+	u_int8_t ntests;
+	struct ipt_u32_test tests[U32MAXSIZE+1];
+};
+
+#endif /*_IPT_U32_H*/
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/include/linux/netfilter_ipv4.h linux-2.6.4-rc2/include/linux/netfilter_ipv4.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4.h	2004-03-04 06:16:58.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv4.h	2004-03-07 08:43:29.000000000 +0000
@@ -51,6 +51,8 @@
 
 enum nf_ip_hook_priorities {
 	NF_IP_PRI_FIRST = INT_MIN,
+	NF_IP_PRI_CONNTRACK_DEFRAG = -400,
+	NF_IP_PRI_RAW = -300,
 	NF_IP_PRI_SELINUX_FIRST = -225,
 	NF_IP_PRI_CONNTRACK = -200,
 	NF_IP_PRI_BRIDGE_SABOTAGE_FORWARD = -175,
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/include/linux/netfilter_ipv6/ip6t_HL.h linux-2.6.4-rc2/include/linux/netfilter_ipv6/ip6t_HL.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv6/ip6t_HL.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv6/ip6t_HL.h	2004-03-07 08:43:13.000000000 +0000
@@ -0,0 +1,22 @@
+/* Hop Limit modification module for ip6tables
+ * Maciej Soltysiak <solt@dns.toxicfilms.tv>
+ * Based on HW's TTL module */
+
+#ifndef _IP6T_HL_H
+#define _IP6T_HL_H
+
+enum {
+	IP6T_HL_SET = 0,
+	IP6T_HL_INC,
+	IP6T_HL_DEC
+};
+
+#define IP6T_HL_MAXMODE	IP6T_HL_DEC
+
+struct ip6t_HL_info {
+	u_int8_t	mode;
+	u_int8_t	hop_limit;
+};
+
+
+#endif
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/include/linux/netfilter_ipv6/ip6t_REJECT.h linux-2.6.4-rc2/include/linux/netfilter_ipv6/ip6t_REJECT.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv6/ip6t_REJECT.h	2004-03-04 06:16:34.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv6/ip6t_REJECT.h	2004-03-07 08:43:15.000000000 +0000
@@ -2,15 +2,17 @@
 #define _IP6T_REJECT_H
 
 enum ip6t_reject_with {
-	IP6T_ICMP_NET_UNREACHABLE,
-	IP6T_ICMP_HOST_UNREACHABLE,
-	IP6T_ICMP_PROT_UNREACHABLE,
-	IP6T_ICMP_PORT_UNREACHABLE,
-	IP6T_ICMP_ECHOREPLY
+	IP6T_ICMP6_NO_ROUTE,
+	IP6T_ICMP6_ADM_PROHIBITED,
+	IP6T_ICMP6_NOT_NEIGHBOUR,
+	IP6T_ICMP6_ADDR_UNREACH,
+	IP6T_ICMP6_PORT_UNREACH,
+	IP6T_ICMP6_ECHOREPLY,
+	IP6T_TCP_RESET
 };
 
 struct ip6t_reject_info {
 	enum ip6t_reject_with with;      /* reject type */
 };
 
-#endif /*_IPT_REJECT_H*/
+#endif /*_IP6T_REJECT_H*/
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/include/linux/netfilter_ipv6/ip6t_fuzzy.h linux-2.6.4-rc2/include/linux/netfilter_ipv6/ip6t_fuzzy.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv6/ip6t_fuzzy.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv6/ip6t_fuzzy.h	2004-03-07 08:43:19.000000000 +0000
@@ -0,0 +1,21 @@
+#ifndef _IP6T_FUZZY_H
+#define _IP6T_FUZZY_H
+
+#include <linux/param.h>
+#include <linux/types.h>
+
+#define MAXFUZZYRATE 10000000
+#define MINFUZZYRATE 3
+
+struct ip6t_fuzzy_info {
+	u_int32_t minimum_rate;
+	u_int32_t maximum_rate;
+	u_int32_t packets_total;
+	u_int32_t bytes_total;
+	u_int32_t previous_time;
+	u_int32_t present_time;
+	u_int32_t mean_rate;
+	u_int8_t acceptance_rate;
+};
+
+#endif /*_IP6T_FUZZY_H*/
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/include/linux/netfilter_ipv6/ip6t_nth.h linux-2.6.4-rc2/include/linux/netfilter_ipv6/ip6t_nth.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv6/ip6t_nth.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv6/ip6t_nth.h	2004-03-07 08:43:24.000000000 +0000
@@ -0,0 +1,19 @@
+#ifndef _IP6T_NTH_H
+#define _IP6T_NTH_H
+
+#include <linux/param.h>
+#include <linux/types.h>
+
+#ifndef IP6T_NTH_NUM_COUNTERS
+#define IP6T_NTH_NUM_COUNTERS 16
+#endif
+
+struct ip6t_nth_info {
+	u_int8_t every;
+	u_int8_t not;
+	u_int8_t startat;
+	u_int8_t counter;
+	u_int8_t packet;
+};
+
+#endif /*_IP6T_NTH_H*/
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/net/core/netfilter.c linux-2.6.4-rc2/net/core/netfilter.c
--- linux-2.6.4-rc2.org/net/core/netfilter.c	2004-03-04 06:16:45.000000000 +0000
+++ linux-2.6.4-rc2/net/core/netfilter.c	2004-03-07 08:43:12.000000000 +0000
@@ -8,8 +8,10 @@
  *
  * February 2000: Modified by James Morris to have 1 queue per protocol.
  * 15-Mar-2000:   Added NF_REPEAT --RR.
+ * 08-May-2003:	  Internal logging interface added by Jozsef Kadlecsik.
  */
 #include <linux/config.h>
+#include <linux/kernel.h>
 #include <linux/netfilter.h>
 #include <net/protocol.h>
 #include <linux/init.h>
@@ -58,6 +60,10 @@
 } queue_handler[NPROTO];
 static rwlock_t queue_handler_lock = RW_LOCK_UNLOCKED;
 
+/**
+ * nf_register_hook - Register with a netfilter hook
+ * @reg: Hook operations to be registered
+ */
 int nf_register_hook(struct nf_hook_ops *reg)
 {
 	struct list_head *i;
@@ -74,6 +80,10 @@
 	return 0;
 }
 
+/**
+ * nf_unregister_hook - Unregister from a netfilter hook
+ * @reg: hook operations to be unregistered
+ */
 void nf_unregister_hook(struct nf_hook_ops *reg)
 {
 	spin_lock_bh(&nf_hook_lock);
@@ -386,6 +396,18 @@
 	return NF_ACCEPT;
 }
 
+/**
+ * nf_register_queue_handler - Registere a queue handler with netfilter
+ * @pf: protocol family
+ * @outfn: function called by core to enqueue a packet
+ * @data: opaque parameter, passed through
+ *
+ * This function registers a queue handler with netfilter.  There can only
+ * be one queue handler for every protocol family.
+ *
+ * A queue handler _must_ reinject every packet via nf_reinject, no
+ * matter what.
+ */
 int nf_register_queue_handler(int pf, nf_queue_outfn_t outfn, void *data)
 {      
 	int ret;
@@ -403,7 +425,12 @@
 	return ret;
 }
 
-/* The caller must flush their queue before this */
+/**
+ * nf_unregister_queue_handler - Unregister queue handler from netfilter
+ * @pf: protocol family
+ *
+ * The caller must flush their queue before unregistering
+ */
 int nf_unregister_queue_handler(int pf)
 {
 	write_lock_bh(&queue_handler_lock);
@@ -546,6 +573,15 @@
 	return ret;
 }
 
+/**
+ * nf_reinject - Reinject a packet from a queue handler
+ * @skb: the packet to be reinjected
+ * @info: info which was passed to the outfn() of the queue handler
+ * @verdict: verdict (NF_ACCEPT, ...) for this packet
+ *
+ * This is the function called by a queue handler to reinject a
+ * packet.
+ */
 void nf_reinject(struct sk_buff *skb, struct nf_info *info,
 		 unsigned int verdict)
 {
@@ -740,6 +776,72 @@
 EXPORT_SYMBOL(skb_ip_make_writable);
 #endif /*CONFIG_INET*/
 
+/* Internal logging interface, which relies on the real 
+   LOG target modules */
+
+#define NF_LOG_PREFIXLEN		128
+
+static nf_logfn *nf_logging[NPROTO]; /* = NULL */
+static int reported = 0;
+static spinlock_t nf_log_lock = SPIN_LOCK_UNLOCKED;
+
+int nf_log_register(int pf, nf_logfn *logfn)
+{
+	int ret = -EBUSY;
+
+	/* Any setup of logging members must be done before
+	 * substituting pointer. */
+	smp_wmb();
+	spin_lock(&nf_log_lock);
+	if (!nf_logging[pf]) {
+		nf_logging[pf] = logfn;
+		ret = 0;
+	}
+	spin_unlock(&nf_log_lock);
+	return ret;
+}		
+
+void nf_log_unregister(int pf, nf_logfn *logfn)
+{
+	spin_lock(&nf_log_lock);
+	if (nf_logging[pf] == logfn)
+		nf_logging[pf] = NULL;
+	spin_unlock(&nf_log_lock);
+
+	/* Give time to concurrent readers. */
+	synchronize_net();
+}		
+
+void nf_log_packet(int pf,
+		   unsigned int hooknum,
+		   const struct sk_buff *skb,
+		   const struct net_device *in,
+		   const struct net_device *out,
+		   const char *fmt, ...)
+{
+	va_list args;
+	char prefix[NF_LOG_PREFIXLEN];
+	nf_logfn *logfn;
+	
+	rcu_read_lock();
+	logfn = nf_logging[pf];
+	if (logfn) {
+		va_start(args, fmt);
+		vsnprintf(prefix, sizeof(prefix), fmt, args);
+		va_end(args);
+		/* We must read logging before nf_logfn[pf] */
+		smp_read_barrier_depends();
+		logfn(hooknum, skb, in, out, prefix);
+	} else if (!reported) {
+		printk(KERN_WARNING "nf_log_packet: can\'t log yet, "
+		       "no backend logging module loaded in!\n");
+		reported++;
+	}
+	rcu_read_unlock();
+}
+EXPORT_SYMBOL(nf_log_register);
+EXPORT_SYMBOL(nf_log_unregister);
+EXPORT_SYMBOL(nf_log_packet);
 
 /* This does not belong here, but ipt_REJECT needs it if connection
    tracking in use: without this, connection may not be in hash table,
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/net/ipv4/netfilter/Kconfig linux-2.6.4-rc2/net/ipv4/netfilter/Kconfig
--- linux-2.6.4-rc2.org/net/ipv4/netfilter/Kconfig	2004-03-04 06:16:58.000000000 +0000
+++ linux-2.6.4-rc2/net/ipv4/netfilter/Kconfig	2004-03-07 08:44:17.000000000 +0000
@@ -579,5 +579,89 @@
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
+config IP_NF_TARGET_IPV4OPTSSTRIP
+	tristate  'IPV4OPTSSTRIP target support'
+	depends on IP_NF_MANGLE
+	  help
+
+config IP_NF_TARGET_TTL
+	tristate  'TTL target support'
+	depends on IP_NF_MANGLE
+	  help
+
+config IP_NF_MATCH_CONNLIMIT
+	tristate  'Connections/IP limit match support'
+	depends on IP_NF_IPTABLES
+	  help
+
+config IP_NF_MATCH_DSTLIMIT
+	tristate  'dstlimit match support'
+	depends on IP_NF_IPTABLES
+	  help
+
+config IP_NF_MATCH_FUZZY
+	tristate  'fuzzy match support'
+	depends on IP_NF_IPTABLES
+	  help
+
+config IP_NF_MATCH_IPV4OPTIONS
+	tristate  'IPV4OPTIONS match support'
+	depends on IP_NF_IPTABLES
+	  help
+
+config IP_NF_MATCH_MPORT
+	tristate  'Multiple port with ranges match support'
+	depends on IP_NF_IPTABLES
+	  help
+
+config IP_NF_MATCH_NTH
+	tristate  'Nth match support'
+	depends on IP_NF_IPTABLES
+	  help
+
+config IP_NF_MATCH_QUOTA
+	tristate  'quota match support'
+	depends on IP_NF_IPTABLES
+	  help
+
+config IP_NF_TARGET_NOTRACK
+	tristate  'NOTRACK target support'
+	depends on IP_NF_RAW
+	help
+	  The NOTRACK target allows a select rule to specify
+	  which packets *not* to enter the conntrack/NAT
+	  subsystem with all the consequences (no ICMP error tracking,
+	  no protocol helpers for the selected packets).
+	
+	  If you want to compile it as a module, say M here and read
+	  <file:Documentation/modules.txt>.  If unsure, say `N'.
+
+config IP_NF_RAW
+	tristate  'raw table support (required for NOTRACK/TRACE)'
+	depends on IP_NF_IPTABLES
+	help
+	  This option adds a `raw' table to iptables. This table is the very
+	  first in the netfilter framework and hooks in at the PREROUTING
+	  and OUTPUT chains.
+	
+	  If you want to compile it as a module, say M here and read
+	  <file:Documentation/modules.txt>.  If unsure, say `N'.
+	  help
+
+config IP_NF_MATCH_REALM
+	tristate  'realm match support'
+	depends on IP_NF_IPTABLES && NET_CLS_ROUTE
+	  help
+
+config IP_NF_MATCH_SCTP
+	tristate  'SCTP protocol match support'
+	depends on IP_NF_IPTABLES
+	  help
+
+config IP_NF_MATCH_U32
+	tristate  'U32 match support'
+	depends on IP_NF_IPTABLES
+	  help
+
 endmenu
 
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/net/ipv4/netfilter/Makefile linux-2.6.4-rc2/net/ipv4/netfilter/Makefile
--- linux-2.6.4-rc2.org/net/ipv4/netfilter/Makefile	2004-03-04 06:16:38.000000000 +0000
+++ linux-2.6.4-rc2/net/ipv4/netfilter/Makefile	2004-03-07 08:44:17.000000000 +0000
@@ -38,19 +38,33 @@
 obj-$(CONFIG_IP_NF_FILTER) += iptable_filter.o
 obj-$(CONFIG_IP_NF_MANGLE) += iptable_mangle.o
 obj-$(CONFIG_IP_NF_NAT) += iptable_nat.o
+obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
 
 # matches
 obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
 obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
+obj-$(CONFIG_IP_NF_MATCH_SCTP) += ipt_sctp.o
+obj-$(CONFIG_IP_NF_MATCH_QUOTA) += ipt_quota.o
+obj-$(CONFIG_IP_NF_MATCH_DSTLIMIT) += ipt_dstlimit.o
 obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o
 obj-$(CONFIG_IP_NF_MATCH_MAC) += ipt_mac.o
 obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
 
 obj-$(CONFIG_IP_NF_MATCH_PKTTYPE) += ipt_pkttype.o
 obj-$(CONFIG_IP_NF_MATCH_MULTIPORT) += ipt_multiport.o
+
+obj-$(CONFIG_IP_NF_MATCH_MPORT) += ipt_mport.o
+
 obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
 obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
 
+obj-$(CONFIG_IP_NF_MATCH_NTH) += ipt_nth.o
+
+obj-$(CONFIG_IP_NF_MATCH_IPV4OPTIONS) += ipt_ipv4options.o
+
+
+obj-$(CONFIG_IP_NF_MATCH_FUZZY) += ipt_fuzzy.o
+
 obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
 
 obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
@@ -59,10 +73,15 @@
 
 obj-$(CONFIG_IP_NF_MATCH_LENGTH) += ipt_length.o
 
+obj-$(CONFIG_IP_NF_MATCH_U32) += ipt_u32.o
+
+
 obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
 obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
+obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += ipt_connlimit.o
 obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
 obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
+obj-$(CONFIG_IP_NF_MATCH_REALM) += ipt_realm.o
 
 obj-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt_physdev.o
 
@@ -79,8 +98,11 @@
 obj-$(CONFIG_IP_NF_TARGET_CLASSIFY) += ipt_CLASSIFY.o
 obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o
 obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
+obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
+obj-$(CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP) += ipt_IPV4OPTSSTRIP.o
 obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
 obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o
+obj-$(CONFIG_IP_NF_TARGET_NOTRACK) += ipt_NOTRACK.o
 
 # generic ARP tables
 obj-$(CONFIG_IP_NF_ARPTABLES) += arp_tables.o
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_core.c
--- linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_core.c	2004-03-04 06:16:34.000000000 +0000
+++ linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_core.c	2004-03-07 08:43:29.000000000 +0000
@@ -15,6 +15,8 @@
  * 16 Jul 2002: Harald Welte <laforge@gnumonks.org>
  * 	- add usage/reference counts to ip_conntrack_expect
  *	- export ip_conntrack[_expect]_{find_get,put} functions
+ * 05 Aug 2002: Harald Welte <laforge@gnumonks.org>
+ * 	- added DocBook-style comments for public API
  * */
 
 #include <linux/config.h>
@@ -67,6 +69,7 @@
 static atomic_t ip_conntrack_count = ATOMIC_INIT(0);
 struct list_head *ip_conntrack_hash;
 static kmem_cache_t *ip_conntrack_cachep;
+struct ip_conntrack ip_conntrack_untracked;
 
 extern struct ip_conntrack_protocol ip_conntrack_generic_protocol;
 
@@ -89,6 +92,10 @@
 	return p;
 }
 
+/**
+ * ip_ct_find_proto - Find layer 4 protocol helper for given protocol number
+ * @protocol: protocol number
+ */
 struct ip_conntrack_protocol *ip_ct_find_proto(u_int8_t protocol)
 {
 	struct ip_conntrack_protocol *p;
@@ -112,6 +119,11 @@
 static int ip_conntrack_hash_rnd_initted;
 static unsigned int ip_conntrack_hash_rnd;
 
+/**
+ * hash_conntrack - Calculate the position of an entry in the connection 
+ * tracking table.
+ * @tuple: conntrack tuple which we want to calculate the hash position
+ */
 static u_int32_t
 hash_conntrack(const struct ip_conntrack_tuple *tuple)
 {
@@ -124,6 +136,19 @@
 	                     ip_conntrack_hash_rnd) % ip_conntrack_htable_size);
 }
 
+/**
+ * get_tuple - set all the fields of a tuple which is passed as parameter
+ * given a network buffer.
+ * @iph:pointer an IP header. 
+ * @skb:network buffer for which we want to generate the tuple
+ * @dataoff: FIXME: Deprecated?
+ * @tuple: tuple which will be generate. Used as return parameter.
+ * @protocol: structure which contains pointer to protocol specific functions.
+ *
+ * Note: This function doesn't allocate space for the tuple passed as 
+ * parameter. The function pkt_to_packet which set all the protocol specific
+ * fields of a given tuple.
+ */
 int
 get_tuple(const struct iphdr *iph,
 	  const struct sk_buff *skb,
@@ -145,6 +170,15 @@
 	return protocol->pkt_to_tuple(skb, dataoff, tuple);
 }
 
+/**
+ * invert_tuple - Returns the inverse of a given tuple. It is used to 
+ * calculate the tuple which represents the other sense of the flow
+ * of a connection.
+ * @inverse: the inverted tuple. Use as return value.
+ * @orig: the original tuple which will be inverted.
+ * @protocol: a pointer to the protocol structure which contains all the
+ * specifical functions available for this tuple.
+ */
 static int
 invert_tuple(struct ip_conntrack_tuple *inverse,
 	     const struct ip_conntrack_tuple *orig,
@@ -160,7 +194,15 @@
 
 /* ip_conntrack_expect helper functions */
 
-/* Compare tuple parts depending on mask. */
+/**
+ * expect_cmp - compare a tuple with a expectation depending on a mask
+ * @i: pointer to an expectation.
+ * @tuple: tuple which will be compared with the expectation tuple.
+ *
+ * Actually the tuple field of an expectation is compared with a tuple
+ * This function is used by LIST_FIND to find a expectation which match a te
+ * given tuple.
+ */
 static inline int expect_cmp(const struct ip_conntrack_expect *i,
 			     const struct ip_conntrack_tuple *tuple)
 {
@@ -168,6 +210,10 @@
 	return ip_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask);
 }
 
+/**
+ * destroy_expect - Release all the resources allocated by an expectation.
+ * @exp: pointer to the expectation which we want to release.
+ */
 static void
 destroy_expect(struct ip_conntrack_expect *exp)
 {
@@ -178,7 +224,11 @@
 	kfree(exp);
 }
 
-
+/**
+ * ip_conntrack_expect_put - it decrements the counter of use related 
+ * associated to an expectation and it calls destroy_expect.
+ * @exp: pointer to the expectation which we want to release.
+ */
 inline void ip_conntrack_expect_put(struct ip_conntrack_expect *exp)
 {
 	IP_NF_ASSERT(exp);
@@ -198,7 +248,14 @@
 			 struct ip_conntrack_expect *, tuple);
 }
 
-/* Find a expectation corresponding to a tuple. */
+/**
+ * ip_conntrack_find_get - find conntrack according to tuple
+ * @tuple: conntrack tuple for which we search conntrack
+ * @ignored_conntrack: ignore this conntrack during search
+ *
+ * This function increments the reference count of the found
+ * conntrack (if any).
+ */
 struct ip_conntrack_expect *
 ip_conntrack_expect_find_get(const struct ip_conntrack_tuple *tuple)
 {
@@ -381,7 +438,14 @@
 	return h;
 }
 
-/* Find a connection corresponding to a tuple. */
+/**
+ * ip_conntrack_find_get - find conntrack according to tuple
+ * @tuple: conntrack tuple for which we search conntrack
+ * @ignored_conntrack: ignore this conntrack during search
+ *
+ * This function increments the reference count of the found
+ * conntrack (if any).
+ */
 struct ip_conntrack_tuple_hash *
 ip_conntrack_find_get(const struct ip_conntrack_tuple *tuple,
 		      const struct ip_conntrack *ignored_conntrack)
@@ -409,7 +473,14 @@
 	return ct;
 }
 
-/* Return conntrack and conntrack_info given skb->nfct->master */
+/**
+ * ip_conntrack_get - Return conntrack and conntrack_info for given skb
+ * @skb: skb for which we want to find conntrack and conntrack_info
+ * @ctinfo: pointer to ctinfo, used as return value
+ *
+ * This function resolves the respective conntrack and conntrack_info
+ * structures for the connection this packet (skb) is part of.
+ */
 struct ip_conntrack *
 ip_conntrack_get(struct sk_buff *skb, enum ip_conntrack_info *ctinfo)
 {
@@ -479,8 +550,14 @@
 	return NF_DROP;
 }
 
-/* Returns true if a connection correspondings to the tuple (required
-   for NAT). */
+/**
+ * ip_conntrack_tuple_taken - Find out if tuple is already in use
+ * @tuple: tuple to be used for this test
+ * @ignored_conntrack: conntrack which is excluded from result
+ *
+ * This function is called by the NAT code in order to find out if
+ * a particular tuple is already in use by some connection.
+ */
 int
 ip_conntrack_tuple_taken(const struct ip_conntrack_tuple *tuple,
 			 const struct ip_conntrack *ignored_conntrack)
@@ -606,7 +683,13 @@
 {
 	return ip_ct_tuple_mask_cmp(rtuple, &i->tuple, &i->mask);
 }
-
+/**
+ * ip_ct_find_helper - Find application helper according to tuple
+ * @tuple: tuple for which helper needs to be found
+ *
+ * This function is used to determine if any registered conntrack helper
+ * is to be used for the given tuple.
+ */
 struct ip_conntrack_helper *ip_ct_find_helper(const struct ip_conntrack_tuple *tuple)
 {
 	return LIST_FIND(&helpers, helper_cmp,
@@ -691,42 +774,50 @@
 			     struct ip_conntrack_expect *, tuple);
 	READ_UNLOCK(&ip_conntrack_expect_tuple_lock);
 
-	/* If master is not in hash table yet (ie. packet hasn't left
-	   this machine yet), how can other end know about expected?
-	   Hence these are not the droids you are looking for (if
-	   master ct never got confirmed, we'd hold a reference to it
-	   and weird things would happen to future packets). */
-	if (expected && !is_confirmed(expected->expectant))
-		expected = NULL;
-
-	/* Look up the conntrack helper for master connections only */
-	if (!expected)
-		conntrack->helper = ip_ct_find_helper(&repl_tuple);
-
-	/* If the expectation is dying, then this is a loser. */
-	if (expected
-	    && expected->expectant->helper->timeout
-	    && ! del_timer(&expected->timeout))
-		expected = NULL;
-
 	if (expected) {
-		DEBUGP("conntrack: expectation arrives ct=%p exp=%p\n",
-			conntrack, expected);
-		/* Welcome, Mr. Bond.  We've been expecting you... */
-		IP_NF_ASSERT(master_ct(conntrack));
-		__set_bit(IPS_EXPECTED_BIT, &conntrack->status);
-		conntrack->master = expected;
-		expected->sibling = conntrack;
-		LIST_DELETE(&ip_conntrack_expect_list, expected);
-		expected->expectant->expecting--;
-		nf_conntrack_get(&master_ct(conntrack)->infos[0]);
-	}
-	atomic_inc(&ip_conntrack_count);
+		/* If master is not in hash table yet (ie. packet hasn't left
+		   this machine yet), how can other end know about expected?
+		   Hence these are not the droids you are looking for (if
+		   master ct never got confirmed, we'd hold a reference to it
+		   and weird things would happen to future packets). */
+		if (!is_confirmed(expected->expectant)) {
+			
+			conntrack->helper = ip_ct_find_helper(&repl_tuple);
+			goto end;
+		}
+
+		/* Expectation is dying... */
+		if (expected->expectant->helper->timeout
+		    && ! del_timer(&expected->timeout)) {
+			goto end;	
+		}
+
+                DEBUGP("conntrack: expectation arrives ct=%p exp=%p\n",
+                       conntrack, expected);
+                /* Welcome, Mr. Bond.  We've been expecting you... */
+                IP_NF_ASSERT(master_ct(conntrack));
+                __set_bit(IPS_EXPECTED_BIT, &conntrack->status);
+                conntrack->master = expected;
+                expected->sibling = conntrack;
+                LIST_DELETE(&ip_conntrack_expect_list, expected);
+                expected->expectant->expecting--;
+                nf_conntrack_get(&master_ct(conntrack)->infos[0]);
+
+		/* this is a braindead... --pablo */
+	        atomic_inc(&ip_conntrack_count);
+	        WRITE_UNLOCK(&ip_conntrack_lock);
+
+	        if (expected->expectfn)
+			expected->expectfn(conntrack);
+
+		goto ret;
+        } else 
+                conntrack->helper = ip_ct_find_helper(&repl_tuple);
+
+end:	atomic_inc(&ip_conntrack_count);
 	WRITE_UNLOCK(&ip_conntrack_lock);
 
-	if (expected && expected->expectfn)
-		expected->expectfn(conntrack);
-	return &conntrack->tuplehash[IP_CT_DIR_ORIGINAL];
+ret:	return &conntrack->tuplehash[IP_CT_DIR_ORIGINAL];
 }
 
 /* On success, returns conntrack ptr, sets skb->nfct and ctinfo */
@@ -794,6 +885,15 @@
 	int set_reply;
 	int ret;
 
+	/* Never happen */
+	if ((*pskb)->nh.iph->frag_off & htons(IP_OFFSET)) {
+		if (net_ratelimit()) {
+		printk(KERN_ERR "ip_conntrack_in: Frag of proto %u (hook=%u)\n",
+		       (*pskb)->nh.iph->protocol, hooknum);
+		}
+		return NF_DROP;
+	}
+
 	/* FIXME: Do this right please. --RR */
 	(*pskb)->nfcache |= NFC_UNKNOWN;
 
@@ -812,18 +912,10 @@
 	}
 #endif
 
-	/* Previously seen (loopback)?  Ignore.  Do this before
-           fragment check. */
+	/* Previously seen (loopback or untracked)?  Ignore. */
 	if ((*pskb)->nfct)
 		return NF_ACCEPT;
 
-	/* Gather fragments. */
-	if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
-		*pskb = ip_ct_gather_frags(*pskb);
-		if (!*pskb)
-			return NF_STOLEN;
-	}
-
 	proto = ip_ct_find_proto((*pskb)->nh.iph->protocol);
 
 	/* It may be an icmp error... */
@@ -900,6 +992,14 @@
 	return ip_ct_tuple_mask_cmp(&i->tuple, tuple, &intersect_mask);
 }
 
+/**
+ * ip_conntrack_unexpect_related - Unexpect a related connection
+ * @expect: expecattin to be removed
+ *
+ * This function removes an existing expectation, that has not yet been
+ * confirmed (i.e. expectation was issued, but expected connection didn't
+ * arrive yet)
+ */
 inline void ip_conntrack_unexpect_related(struct ip_conntrack_expect *expect)
 {
 	WRITE_LOCK(&ip_conntrack_lock);
@@ -917,7 +1017,20 @@
 	WRITE_UNLOCK(&ip_conntrack_lock);
 }
 
-/* Add a related connection. */
+/**
+ * ip_conntrack_expect_related - Expect a related connection
+ * @related_to: master conntrack
+ * @expect: expectation with all values filled in
+ *
+ * This function is called by conntrack application helpers who
+ * have detected that the control (master) connection is just about
+ * to negotiate a related slave connection. 
+ *
+ * Note: This function allocates it's own struct ip_conntrack_expect,
+ * copying the values from the 'expect' parameter.  Thus, 'expect' can
+ * be allocated on the stack and does not need to be valid after this
+ * function returns.
+ */
 int ip_conntrack_expect_related(struct ip_conntrack *related_to,
 				struct ip_conntrack_expect *expect)
 {
@@ -1047,7 +1160,15 @@
 	return ret;
 }
 
-/* Change tuple in an existing expectation */
+/**
+ * ip_conntrack_change_expect - Change tuple in existing expectation
+ * @expect: expectation which is to be changed
+ * @newtuple: new tuple for expect
+ *
+ * This function is mostly called by NAT application helpers, who want to
+ * change an expectation issued by their respective conntrack application
+ * helper counterpart.
+ */
 int ip_conntrack_change_expect(struct ip_conntrack_expect *expect,
 			       struct ip_conntrack_tuple *newtuple)
 {
@@ -1088,8 +1209,15 @@
 	return ret;
 }
 
-/* Alter reply tuple (maybe alter helper).  If it's already taken,
-   return 0 and don't do alteration. */
+/**
+ * ip_conntrack_alter_reply - Alter reply tuple of conntrack
+ * @conntrack: conntrack whose reply tuple we want to alter
+ * @newreply: designated reply tuple for this conntrack
+ *
+ * This function alters the reply tuple of a conntrack to the given
+ * newreply tuple.  If this newreply tuple is already taken, return 0
+ * and don't do alteration
+ */
 int ip_conntrack_alter_reply(struct ip_conntrack *conntrack,
 			     const struct ip_conntrack_tuple *newreply)
 {
@@ -1114,6 +1242,13 @@
 	return 1;
 }
 
+/**
+ * ip_conntrack_helper_register - Register a conntrack application helper
+ * @me: structure describing the helper
+ *
+ * This function is called by conntrack application helpers to register
+ * themselves with the conntrack core.
+ */
 int ip_conntrack_helper_register(struct ip_conntrack_helper *me)
 {
 	WRITE_LOCK(&ip_conntrack_lock);
@@ -1135,6 +1270,13 @@
 	return 0;
 }
 
+/**
+ * ip_conntrack_helper_unregister - Unregister a conntrack application helper
+ * @me: structure describing the helper
+ *
+ * This function is called by conntrack application helpers to unregister
+ * themselvers from the conntrack core.
+ */
 void ip_conntrack_helper_unregister(struct ip_conntrack_helper *me)
 {
 	unsigned int i;
@@ -1153,7 +1295,14 @@
 	synchronize_net();
 }
 
-/* Refresh conntrack for this many jiffies. */
+/**
+ * ip_ct_refresh - Refresh conntrack timer for given conntrack
+ * @ct: conntrack which we want to refresh
+ * @extra_jiffies: number of jiffies to add
+ *
+ * This function is called by protocol helpers and application helpers in
+ * order to change the expiration timer of a conntrack entry.
+ */
 void ip_ct_refresh(struct ip_conntrack *ct, unsigned long extra_jiffies)
 {
 	IP_NF_ASSERT(ct->timeout.data == (unsigned long)ct);
@@ -1172,7 +1321,16 @@
 	WRITE_UNLOCK(&ip_conntrack_lock);
 }
 
-/* Returns new sk_buff, or NULL */
+
+/**
+ * ip_ct_gather_frags - Gather fragments of a particular skb
+ * @skb: pointer to sk_buff of fragmented IP packet
+ *
+ * This code is just a wrapper around the defragmentation code in the core IPv4
+ * stack.  It also takes care of nonlinear skb's.
+ *
+ * Returns new sk_buff, or NULL
+ */
 struct sk_buff *
 ip_ct_gather_frags(struct sk_buff *skb)
 {
@@ -1256,6 +1414,16 @@
 	return h;
 }
 
+/**
+ * ip_ct_selective_cleanup - Selectively delete a set of conntrack entries
+ * @kill: callback function selecting which entries to delete
+ * @data: opaque data pointer, becomes 2nd argument for kill function
+ *
+ * This function can be used to selectively delete elements of the conntrack
+ * hashtable.  The function iterates over the list of conntrack entries and
+ * calls the 'kill' function for every entry.  If the return value is true,
+ * the connection is deleted (death_by_timeout).
+ */
 void
 ip_ct_selective_cleanup(int (*kill)(const struct ip_conntrack *i, void *data),
 			void *data)
@@ -1422,6 +1590,18 @@
 
 	/* For use by ipt_REJECT */
 	ip_ct_attach = ip_conntrack_attach;
+
+	/* Set up fake conntrack:
+	    - to never be deleted, not in any hashes */
+	atomic_set(&ip_conntrack_untracked.ct_general.use, 1);
+	/*  - and look it like as a confirmed connection */
+	set_bit(IPS_CONFIRMED_BIT, &ip_conntrack_untracked.status);
+	/*  - and prepare the ctinfo field for REJECT & NAT. */
+	ip_conntrack_untracked.infos[IP_CT_NEW].master =
+	ip_conntrack_untracked.infos[IP_CT_RELATED].master =
+	ip_conntrack_untracked.infos[IP_CT_RELATED + IP_CT_IS_REPLY].master = 
+			&ip_conntrack_untracked.ct_general;
+
 	return ret;
 
 err_free_hash:
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_standalone.c linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_standalone.c
--- linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_standalone.c	2004-03-04 06:16:44.000000000 +0000
+++ linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_standalone.c	2004-03-07 08:43:29.000000000 +0000
@@ -194,6 +194,26 @@
 	return ip_conntrack_confirm(*pskb);
 }
 
+static unsigned int ip_conntrack_defrag(unsigned int hooknum,
+				        struct sk_buff **pskb,
+				        const struct net_device *in,
+				        const struct net_device *out,
+				        int (*okfn)(struct sk_buff *))
+{
+	/* Previously seen (loopback)?  Ignore.  Do this before
+           fragment check. */
+	if ((*pskb)->nfct)
+		return NF_ACCEPT;
+
+	/* Gather fragments. */
+	if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
+		*pskb = ip_ct_gather_frags(*pskb);
+		if (!*pskb)
+			return NF_STOLEN;
+	}
+	return NF_ACCEPT;
+}
+
 static unsigned int ip_refrag(unsigned int hooknum,
 			      struct sk_buff **pskb,
 			      const struct net_device *in,
@@ -236,6 +256,14 @@
 
 /* Connection tracking may drop packets, but never alters them, so
    make it the first hook. */
+static struct nf_hook_ops ip_conntrack_defrag_ops = {
+	.hook		= ip_conntrack_defrag,
+	.owner		= THIS_MODULE,
+	.pf		= PF_INET,
+	.hooknum	= NF_IP_PRE_ROUTING,
+	.priority	= NF_IP_PRI_CONNTRACK_DEFRAG,
+};
+
 static struct nf_hook_ops ip_conntrack_in_ops = {
 	.hook		= ip_conntrack_in,
 	.owner		= THIS_MODULE,
@@ -244,6 +272,14 @@
 	.priority	= NF_IP_PRI_CONNTRACK,
 };
 
+static struct nf_hook_ops ip_conntrack_defrag_local_out_ops = {
+	.hook		= ip_conntrack_defrag,
+	.owner		= THIS_MODULE,
+	.pf		= PF_INET,
+	.hooknum	= NF_IP_LOCAL_OUT,
+	.priority	= NF_IP_PRI_CONNTRACK_DEFRAG,
+};
+
 static struct nf_hook_ops ip_conntrack_local_out_ops = {
 	.hook		= ip_conntrack_local,
 	.owner		= THIS_MODULE,
@@ -470,10 +506,20 @@
 	if (!proc) goto cleanup_init;
 	proc->owner = THIS_MODULE;
 
+	ret = nf_register_hook(&ip_conntrack_defrag_ops);
+	if (ret < 0) {
+		printk("ip_conntrack: can't register pre-routing defrag hook.\n");
+		goto cleanup_proc;
+	}
+	ret = nf_register_hook(&ip_conntrack_defrag_local_out_ops);
+	if (ret < 0) {
+		printk("ip_conntrack: can't register local_out defrag hook.\n");
+		goto cleanup_defragops;
+	}
 	ret = nf_register_hook(&ip_conntrack_in_ops);
 	if (ret < 0) {
 		printk("ip_conntrack: can't register pre-routing hook.\n");
-		goto cleanup_proc;
+		goto cleanup_defraglocalops;
 	}
 	ret = nf_register_hook(&ip_conntrack_local_out_ops);
 	if (ret < 0) {
@@ -511,6 +557,10 @@
 	nf_unregister_hook(&ip_conntrack_local_out_ops);
  cleanup_inops:
 	nf_unregister_hook(&ip_conntrack_in_ops);
+ cleanup_defraglocalops:
+	nf_unregister_hook(&ip_conntrack_defrag_local_out_ops);
+ cleanup_defragops:
+	nf_unregister_hook(&ip_conntrack_defrag_ops);
  cleanup_proc:
 	proc_net_remove("ip_conntrack");
  cleanup_init:
@@ -519,13 +569,20 @@
 	return ret;
 }
 
-/* FIXME: Allow NULL functions and sub in pointers to generic for
-   them. --RR */
+/**
+ * ip_conntrack_protocol_register - Register layer 4 protocol helper
+ * @proto: structure describing this layer 4 protocol helper
+ *
+ * This function is called by layer 4 protocol helpers to register 
+ * themselves with the conntrack core.
+ */
 int ip_conntrack_protocol_register(struct ip_conntrack_protocol *proto)
 {
 	int ret = 0;
 	struct list_head *i;
 
+	/* FIXME: Allow NULL functions and sub in pointers to generic for
+	   them. --RR */
 	WRITE_LOCK(&ip_conntrack_lock);
 	list_for_each(i, &protocol_list) {
 		if (((struct ip_conntrack_protocol *)i)->proto
@@ -542,12 +599,20 @@
 	return ret;
 }
 
+/**
+ * ip_conntrack_protocol_unregister - Unregister layer 4 protocol helper
+ * @proto: structure describing this layer 4 protocol helper
+ *
+ * This function is called byh layer 4 protocol helpers to unregister
+ * themselvers from the conntrack core.  Please note that all conntrack
+ * entries for this protocol are deleted from the conntrack hash table.
+ */
 void ip_conntrack_protocol_unregister(struct ip_conntrack_protocol *proto)
 {
 	WRITE_LOCK(&ip_conntrack_lock);
 
-	/* ip_ct_find_proto() returns proto_generic in case there is no protocol 
-	 * helper. So this should be enough - HW */
+	/* ip_ct_find_proto() returns proto_generic in case there is no
+	 * protocol helper. So this should be enough - HW */
 	LIST_DELETE(&protocol_list, proto);
 	WRITE_UNLOCK(&ip_conntrack_lock);
 	
@@ -602,5 +667,6 @@
 EXPORT_SYMBOL(ip_conntrack_expect_list);
 EXPORT_SYMBOL(ip_conntrack_lock);
 EXPORT_SYMBOL(ip_conntrack_hash);
+EXPORT_SYMBOL(ip_conntrack_untracked);
 EXPORT_SYMBOL_GPL(ip_conntrack_find_get);
 EXPORT_SYMBOL_GPL(ip_conntrack_put);
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_nat_core.c linux-2.6.4-rc2/net/ipv4/netfilter/ip_nat_core.c
--- linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_nat_core.c	2004-03-04 06:16:37.000000000 +0000
+++ linux-2.6.4-rc2/net/ipv4/netfilter/ip_nat_core.c	2004-03-07 08:43:29.000000000 +0000
@@ -96,9 +96,16 @@
 	WRITE_UNLOCK(&ip_nat_lock);
 }
 
-/* We do checksum mangling, so if they were wrong before they're still
- * wrong.  Also works for incomplete packets (eg. ICMP dest
- * unreachables.) */
+/**
+ * ip_nat_cheat_check - Incremental checksum change for IP/TCP checksum
+ * @oldvalinv: bit-inverted old value of 32bit word
+ * @newval: new value of 32bit word
+ * @oldcheck: old checksum value
+ *
+ * This function implements incremental checksum mangling, so if a checksum
+ * was wrong it will still be wrong after mangling.  Also works for incomplete
+ * packets (eg. ICMP dest unreachables).  Return value is the new checksum.
+ */
 u_int16_t
 ip_nat_cheat_check(u_int32_t oldvalinv, u_int32_t newval, u_int16_t oldcheck)
 {
@@ -124,7 +131,14 @@
 	return i;
 }
 
-/* Is this tuple already taken? (not by us) */
+/**
+ * ip_nat_used_tuple - Is this tuple already in use?
+ * @tuple: tuple to be used for this check
+ * @ignored_conntrack: conntrack excluded from this check
+ *
+ * This function checks for the reply (inverted) tuple in the conntrack
+ * hash.  This is necessarry with NAT, since there is no fixed mapping.
+ */
 int
 ip_nat_used_tuple(const struct ip_conntrack_tuple *tuple,
 		  const struct ip_conntrack *ignored_conntrack)
@@ -515,6 +529,19 @@
 #endif
 };
 
+/**
+ * ip_nat_setup_info - Set up NAT mappings for NEW packet
+ * @conntrack: conntrack on which we operate
+ * @mr: address/port range which is valid for this NAT mapping
+ * @hooknum: hook at which this NAT mapping applies
+ *
+ * This function is called by NAT targets (SNAT,DNAT,...) and by
+ * the NAT application helper modules.  It is called for the NEW packet
+ * of a connection in order to specify which NAT mappings shall apply to
+ * this connection at a given hook.
+ *
+ * Note: The reply mappings are created automagically by this function. 
+ */
 unsigned int
 ip_nat_setup_info(struct ip_conntrack *conntrack,
 		  const struct ip_nat_multi_range *mr,
@@ -1016,6 +1043,10 @@
 	/* FIXME: Man, this is a hack.  <SIGH> */
 	IP_NF_ASSERT(ip_conntrack_destroyed == NULL);
 	ip_conntrack_destroyed = &ip_nat_cleanup_conntrack;
+	
+	/* Initialize fake conntrack so that NAT will skip it */
+	ip_conntrack_untracked.nat.info.initialized |= 
+		(1 << IP_NAT_MANIP_SRC) | (1 << IP_NAT_MANIP_DST);
 
 	return 0;
 }
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_nat_helper.c linux-2.6.4-rc2/net/ipv4/netfilter/ip_nat_helper.c
--- linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_nat_helper.c	2004-03-04 06:16:38.000000000 +0000
+++ linux-2.6.4-rc2/net/ipv4/netfilter/ip_nat_helper.c	2004-03-07 08:43:10.000000000 +0000
@@ -150,9 +150,19 @@
 	return 1;
 }
 
-/* Generic function for mangling variable-length address changes inside
- * NATed TCP connections (like the PORT XXX,XXX,XXX,XXX,XXX,XXX
- * command in FTP).
+/**
+ * ip_nat_mangle_tcp_packet - Mangle and potentially resize payload packet
+ * @skb: pointer to skb of packet on which we operate
+ * @ct: conntrack of the connection to which this packet belongs
+ * @ctinfo: conntrack_info of the connection to which this packet belongs
+ * @match_offset: offset in bytes where to-be-manipulated part starts
+ * @match_len: lenght of the to-be-manipulated part
+ * @rep_buffer: pointer to buffer containing replacement
+ * @rep_len: length of replacement
+ *
+ * Generic function for mangling fixed and variable-length changes inside
+ * NATed TCP connections (like the PORT XXX,XXX,XXX,XXX,XXX,XXX command 
+ * in FTP).
  *
  * Takes care about all the nasty sequence number changes, checksumming,
  * skb enlargement, ...
@@ -198,16 +208,27 @@
 	return 1;
 }
 			
-/* Generic function for mangling variable-length address changes inside
- * NATed UDP connections (like the CONNECT DATA XXXXX MESG XXXXX INDEX XXXXX
- * command in the Amanda protocol)
+/**
+ * ip_nat_mangle_udp_packet - Mangle and potentially resize payload packet
+ * @skb: pointer to skb of packet on which we operate
+ * @ct: conntrack of the connection to which this packet belongs
+ * @ctinfo: conntrack_info of the connection to which this packet belongs
+ * @match_offset: offset in bytes where to-be-manipulated part starts
+ * @match_len: lenght of the to-be-manipulated part
+ * @rep_buffer: pointer to buffer containing replacement
+ * @rep_len: length of replacement
+ *
+ * Generic function for mangling fixed and variable-length changes inside
+ * NATed TCP connections (like the CONNECT DATA XXXXX MESG XXXXX INDEX XXXXX
+ * commad in the Amanda protocol)
  *
  * Takes care about all the nasty sequence number changes, checksumming,
  * skb enlargement, ...
  *
- * XXX - This function could be merged with ip_nat_mangle_tcp_packet which
- *       should be fairly easy to do.
- */
+ * FIXME: should be unified with ip_nat_mangle_tcp_packet!!
+ *
+ * */
+
 int 
 ip_nat_mangle_udp_packet(struct sk_buff **pskb,
 			 struct ip_conntrack *ct,
@@ -405,6 +426,13 @@
 	return ip_ct_tuple_mask_cmp(tuple, &helper->tuple, &helper->mask);
 }
 
+/**
+ * ip_nat_helper_register - Register NAT application helper
+ * @me: structure describing the helper
+ *
+ * This function is called by NAT application helpers to register
+ * themselves with the NAT core.
+ */
 int ip_nat_helper_register(struct ip_nat_helper *me)
 {
 	int ret = 0;
@@ -431,6 +459,13 @@
 	return ret;
 }
 
+/**
+ * ip_nat_helper_unregister - Unregister NAT application helper
+ * @me: structure describing the helper
+ *
+ * This function is called by NAT application helpers to unregister
+ * themselves from the NAT core.
+ */
 void ip_nat_helper_unregister(struct ip_nat_helper *me)
 {
 	WRITE_LOCK(&ip_nat_lock);
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_nat_standalone.c linux-2.6.4-rc2/net/ipv4/netfilter/ip_nat_standalone.c
--- linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_nat_standalone.c	2004-03-04 06:16:55.000000000 +0000
+++ linux-2.6.4-rc2/net/ipv4/netfilter/ip_nat_standalone.c	2004-03-07 08:43:10.000000000 +0000
@@ -266,7 +266,13 @@
 };
 #endif
 
-/* Protocol registration. */
+/**
+ * ip_nat_protocol_register - Register a layer 4 protocol helper
+ * @proto: structure describing this helper
+ * 
+ * This function is called by NAT layer 4 protocol helpers to register
+ * themselvers with the NAT core.
+ */
 int ip_nat_protocol_register(struct ip_nat_protocol *proto)
 {
 	int ret = 0;
@@ -287,9 +293,16 @@
 	return ret;
 }
 
-/* Noone stores the protocol anywhere; simply delete it. */
+/**
+ * ip_nat_protocol_unregister - Unregister a layer 4 protocol helper
+ * @proto: structure describing the helper
+ *
+ * This function is called by NAT layer 4 protocol helpers to
+ * unregister themselves from the NAT core.
+ */
 void ip_nat_protocol_unregister(struct ip_nat_protocol *proto)
 {
+	/* Noone stores the protocol anywhere; simply delete it. */
 	WRITE_LOCK(&ip_nat_lock);
 	LIST_DELETE(&protos, proto);
 	WRITE_UNLOCK(&ip_nat_lock);
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c linux-2.6.4-rc2/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c
--- linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c	2004-03-07 08:43:14.000000000 +0000
@@ -0,0 +1,89 @@
+/**
+ * Strip all IP options in the IP packet header.
+ *
+ * (C) 2001 by Fabrice MARIE <fabrice@netfilter.org>
+ * This software is distributed under GNU GPL v2, 1991
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <net/checksum.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+MODULE_AUTHOR("Fabrice MARIE <fabrice@netfilter.org>");
+MODULE_DESCRIPTION("Strip all options in IPv4 packets");
+MODULE_LICENSE("GPL");
+
+static unsigned int
+target(struct sk_buff **pskb,
+       const struct net_device *in,
+       const struct net_device *out,
+       unsigned int hooknum,
+       const void *targinfo,
+       void *userinfo)
+{
+	struct iphdr *iph;
+	struct sk_buff *skb;
+	struct ip_options *opt;
+	unsigned char *optiph;
+	int l;
+	
+	if (!skb_ip_make_writable(pskb, (*pskb)->len))
+		return NF_DROP;
+ 
+	skb = (*pskb);
+	iph = (*pskb)->nh.iph;
+	optiph = skb->nh.raw;
+	l = ((struct ip_options *)(&(IPCB(skb)->opt)))->optlen;
+
+	/* if no options in packet then nothing to clear. */
+	if (iph->ihl * 4 == sizeof(struct iphdr))
+		return IPT_CONTINUE;
+
+	/* else clear all options */
+	memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
+	memset(optiph+sizeof(struct iphdr), IPOPT_NOOP, l);
+	opt = &(IPCB(skb)->opt);
+	opt->is_data = 0;
+	opt->optlen = l;
+
+	skb->nfcache |= NFC_ALTERED;
+
+        return IPT_CONTINUE;
+}
+
+static int
+checkentry(const char *tablename,
+	   const struct ipt_entry *e,
+           void *targinfo,
+           unsigned int targinfosize,
+           unsigned int hook_mask)
+{
+	if (strcmp(tablename, "mangle")) {
+		printk(KERN_WARNING "IPV4OPTSSTRIP: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
+		return 0;
+	}
+	/* nothing else to check because no parameters */
+	return 1;
+}
+
+static struct ipt_target ipt_ipv4optsstrip_reg = { 
+	.name = "IPV4OPTSSTRIP",
+	.target = target,
+	.checkentry = checkentry,
+	.me = THIS_MODULE };
+
+static int __init init(void)
+{
+	return ipt_register_target(&ipt_ipv4optsstrip_reg);
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_target(&ipt_ipv4optsstrip_reg);
+}
+
+module_init(init);
+module_exit(fini);
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_LOG.c linux-2.6.4-rc2/net/ipv4/netfilter/ipt_LOG.c
--- linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_LOG.c	2004-03-04 06:17:03.000000000 +0000
+++ linux-2.6.4-rc2/net/ipv4/netfilter/ipt_LOG.c	2004-03-07 08:43:12.000000000 +0000
@@ -19,6 +19,7 @@
 #include <net/tcp.h>
 #include <net/route.h>
 
+#include <linux/netfilter.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_LOG.h>
 
@@ -26,6 +27,10 @@
 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
 MODULE_DESCRIPTION("iptables syslog logging module");
 
+static unsigned int nflog = 1;
+MODULE_PARM(nflog, "i");
+MODULE_PARM_DESC(nflog, "register as internal netfilter logging module");
+ 
 #if 0
 #define DEBUGP printk
 #else
@@ -324,28 +329,25 @@
 	/* maxlen = 230+   91  + 230 + 252 = 803 */
 }
 
-static unsigned int
-ipt_log_target(struct sk_buff **pskb,
+static void
+ipt_log_packet(unsigned int hooknum,
+	       const struct sk_buff *skb,
 	       const struct net_device *in,
 	       const struct net_device *out,
-	       unsigned int hooknum,
-	       const void *targinfo,
-	       void *userinfo)
+	       const struct ipt_log_info *loginfo,
+	       const char *level_string,
+	       const char *prefix)
 {
-	const struct ipt_log_info *loginfo = targinfo;
-	char level_string[4] = "< >";
-
-	level_string[1] = '0' + (loginfo->level % 8);
 	spin_lock_bh(&log_lock);
 	printk(level_string);
 	printk("%sIN=%s OUT=%s ",
-	       loginfo->prefix,
+	       prefix == NULL ? loginfo->prefix : prefix,
 	       in ? in->name : "",
 	       out ? out->name : "");
 #ifdef CONFIG_BRIDGE_NETFILTER
-	if ((*pskb)->nf_bridge) {
-		struct net_device *physindev = (*pskb)->nf_bridge->physindev;
-		struct net_device *physoutdev = (*pskb)->nf_bridge->physoutdev;
+	if (skb->nf_bridge) {
+		struct net_device *physindev = skb->nf_bridge->physindev;
+		struct net_device *physoutdev = skb->nf_bridge->physoutdev;
 
 		if (physindev && in != physindev)
 			printk("PHYSIN=%s ", physindev->name);
@@ -357,25 +359,56 @@
 	if (in && !out) {
 		/* MAC logging for input chain only. */
 		printk("MAC=");
-		if ((*pskb)->dev && (*pskb)->dev->hard_header_len
-		    && (*pskb)->mac.raw != (void*)(*pskb)->nh.iph) {
+		if (skb->dev && skb->dev->hard_header_len
+		    && skb->mac.raw != (void*)skb->nh.iph) {
 			int i;
-			unsigned char *p = (*pskb)->mac.raw;
-			for (i = 0; i < (*pskb)->dev->hard_header_len; i++,p++)
+			unsigned char *p = skb->mac.raw;
+			for (i = 0; i < skb->dev->hard_header_len; i++,p++)
 				printk("%02x%c", *p,
-				       i==(*pskb)->dev->hard_header_len - 1
+				       i==skb->dev->hard_header_len - 1
 				       ? ' ':':');
 		} else
 			printk(" ");
 	}
 
-	dump_packet(loginfo, *pskb, 0);
+	dump_packet(loginfo, skb, 0);
 	printk("\n");
 	spin_unlock_bh(&log_lock);
+}
+
+static unsigned int
+ipt_log_target(struct sk_buff **pskb,
+	       const struct net_device *in,
+	       const struct net_device *out,
+	       unsigned int hooknum,
+	       const void *targinfo,
+	       void *userinfo)
+{
+	const struct ipt_log_info *loginfo = targinfo;
+	char level_string[4] = "< >";
+
+	level_string[1] = '0' + (loginfo->level % 8);
+	ipt_log_packet(hooknum, *pskb, in, out, loginfo, level_string, NULL);
 
 	return IPT_CONTINUE;
 }
 
+static void
+ipt_logfn(unsigned int hooknum,
+	  const struct sk_buff *skb,
+	  const struct net_device *in,
+	  const struct net_device *out,
+	  const char *prefix)
+{
+	struct ipt_log_info loginfo = { 
+		.level = 0, 
+		.logflags = IPT_LOG_MASK, 
+		.prefix = "" 
+	};
+
+	ipt_log_packet(hooknum, skb, in, out, &loginfo, KERN_WARNING, prefix);
+}
+
 static int ipt_log_checkentry(const char *tablename,
 			      const struct ipt_entry *e,
 			      void *targinfo,
@@ -413,11 +446,18 @@
 
 static int __init init(void)
 {
-	return ipt_register_target(&ipt_log_reg);
+	if (ipt_register_target(&ipt_log_reg))
+		return -EINVAL;
+	if (nflog)
+		nf_log_register(PF_INET, &ipt_logfn);
+	
+	return 0;
 }
 
 static void __exit fini(void)
 {
+	if (nflog)
+		nf_log_unregister(PF_INET, &ipt_logfn);
 	ipt_unregister_target(&ipt_log_reg);
 }
 
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_NOTRACK.c linux-2.6.4-rc2/net/ipv4/netfilter/ipt_NOTRACK.c
--- linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_NOTRACK.c	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/net/ipv4/netfilter/ipt_NOTRACK.c	2004-03-07 08:43:29.000000000 +0000
@@ -0,0 +1,75 @@
+/* This is a module which is used for setting up fake conntracks
+ * on packets so that they are not seen by the conntrack/NAT code.
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ip_conntrack.h>
+
+static unsigned int
+target(struct sk_buff **pskb,
+       const struct net_device *in,
+       const struct net_device *out,
+       unsigned int hooknum,
+       const void *targinfo,
+       void *userinfo)
+{
+	/* Previously seen (loopback)? Ignore. */
+	if ((*pskb)->nfct != NULL)
+		return IPT_CONTINUE;
+
+	/* Attach fake conntrack entry. 
+	   If there is a real ct entry correspondig to this packet, 
+	   it'll hang aroun till timing out. We don't deal with it
+	   for performance reasons. JK */
+	(*pskb)->nfct = &ip_conntrack_untracked.infos[IP_CT_NEW];
+	nf_conntrack_get((*pskb)->nfct);
+
+	return IPT_CONTINUE;
+}
+
+static int
+checkentry(const char *tablename,
+	   const struct ipt_entry *e,
+           void *targinfo,
+           unsigned int targinfosize,
+           unsigned int hook_mask)
+{
+	if (targinfosize != 0) {
+		printk(KERN_WARNING "NOTRACK: targinfosize %u != 0\n",
+		       targinfosize);
+		return 0;
+	}
+
+	if (strcmp(tablename, "raw") != 0) {
+		printk(KERN_WARNING "NOTRACK: can only be called from \"raw\" table, not \"%s\"\n", tablename);
+		return 0;
+	}
+
+	return 1;
+}
+
+static struct ipt_target ipt_notrack_reg = { 
+	.name = "NOTRACK", 
+	.target = target, 
+	.checkentry = checkentry,
+	.me = THIS_MODULE 
+};
+
+static int __init init(void)
+{
+	if (ipt_register_target(&ipt_notrack_reg))
+		return -EINVAL;
+
+	return 0;
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_target(&ipt_notrack_reg);
+}
+
+module_init(init);
+module_exit(fini);
+MODULE_LICENSE("GPL");
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_TTL.c linux-2.6.4-rc2/net/ipv4/netfilter/ipt_TTL.c
--- linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_TTL.c	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/net/ipv4/netfilter/ipt_TTL.c	2004-03-07 08:43:16.000000000 +0000
@@ -0,0 +1,120 @@
+/* TTL modification target for IP tables
+ * (C) 2000 by Harald Welte <laforge@gnumonks.org>
+ *
+ * Version: $Revision$
+ *
+ * This software is distributed under the terms of GNU GPL
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <net/checksum.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_TTL.h>
+
+MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
+MODULE_DESCRIPTION("IP tables TTL modification module");
+MODULE_LICENSE("GPL");
+
+static unsigned int 
+ipt_ttl_target(struct sk_buff **pskb, const struct net_device *in, 
+		const struct net_device *out, unsigned int hooknum, 
+		const void *targinfo, void *userinfo)
+{
+	struct iphdr *iph;
+	const struct ipt_TTL_info *info = targinfo;
+	u_int16_t diffs[2];
+	int new_ttl;
+
+	if (!skb_ip_make_writable(pskb, (*pskb)->len))
+		return NF_DROP;
+
+	iph = (*pskb)->nh.iph;
+			 
+	switch (info->mode) {
+		case IPT_TTL_SET:
+			new_ttl = info->ttl;
+			break;
+		case IPT_TTL_INC:
+			new_ttl = iph->ttl + info->ttl;
+			if (new_ttl > 255)
+				new_ttl = 255;
+			break;
+		case IPT_TTL_DEC:
+			new_ttl = iph->ttl + info->ttl;
+			if (new_ttl < 0)
+				new_ttl = 0;
+			break;
+		default:
+			new_ttl = iph->ttl;
+			break;
+	}
+
+	if (new_ttl != iph->ttl) {
+		diffs[0] = htons(((unsigned)iph->ttl) << 8) ^ 0xFFFF;
+		iph->ttl = new_ttl;
+		diffs[1] = htons(((unsigned)iph->ttl) << 8);
+		iph->check = csum_fold(csum_partial((char *)diffs,
+						    sizeof(diffs),
+				 	            iph->check^0xFFFF));
+									                	(*pskb)->nfcache |= NFC_ALTERED;
+	}
+
+	return IPT_CONTINUE;
+}
+
+static int ipt_ttl_checkentry(const char *tablename,
+		const struct ipt_entry *e,
+		void *targinfo,
+		unsigned int targinfosize,
+		unsigned int hook_mask)
+{
+	struct ipt_TTL_info *info = targinfo;
+
+	if (targinfosize != IPT_ALIGN(sizeof(struct ipt_TTL_info))) {
+		printk(KERN_WARNING "TTL: targinfosize %u != %Zu\n",
+				targinfosize,
+				IPT_ALIGN(sizeof(struct ipt_TTL_info)));
+		return 0;	
+	}	
+
+	if (strcmp(tablename, "mangle")) {
+		printk(KERN_WARNING "TTL: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
+		return 0;
+	}
+
+	if (info->mode > IPT_TTL_MAXMODE) {
+		printk(KERN_WARNING "TTL: invalid or unknown Mode %u\n", 
+			info->mode);
+		return 0;
+	}
+
+	if ((info->mode != IPT_TTL_SET) && (info->ttl == 0)) {
+		printk(KERN_WARNING "TTL: increment/decrement doesn't make sense with value 0\n");
+		return 0;
+	}
+	
+	return 1;
+}
+
+static struct ipt_target ipt_TTL = { 
+	.name = "TTL",
+	.target = ipt_ttl_target, 
+	.checkentry = ipt_ttl_checkentry, 
+	.me = THIS_MODULE 
+};
+
+static int __init init(void)
+{
+	return ipt_register_target(&ipt_TTL);
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_target(&ipt_TTL);
+}
+
+module_init(init);
+module_exit(fini);
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_ULOG.c linux-2.6.4-rc2/net/ipv4/netfilter/ipt_ULOG.c
--- linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_ULOG.c	2004-03-04 06:16:42.000000000 +0000
+++ linux-2.6.4-rc2/net/ipv4/netfilter/ipt_ULOG.c	2004-03-07 08:43:12.000000000 +0000
@@ -50,6 +50,7 @@
 #include <linux/netlink.h>
 #include <linux/netdevice.h>
 #include <linux/mm.h>
+#include <linux/netfilter.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_ULOG.h>
 #include <linux/netfilter_ipv4/lockhelp.h>
@@ -80,6 +81,10 @@
 MODULE_PARM(flushtimeout, "i");
 MODULE_PARM_DESC(flushtimeout, "buffer flush timeout");
 
+static unsigned int nflog = 1;
+MODULE_PARM(nflog, "i");
+MODULE_PARM_DESC(nflog, "register as internal netfilter logging module");
+
 /* global data structures */
 
 typedef struct {
@@ -157,17 +162,17 @@
 	return skb;
 }
 
-static unsigned int ipt_ulog_target(struct sk_buff **pskb,
-				    const struct net_device *in,
-				    const struct net_device *out,
-				    unsigned int hooknum,
-				    const void *targinfo, void *userinfo)
+static void ipt_ulog_packet(unsigned int hooknum,
+			    const struct sk_buff *skb,
+			    const struct net_device *in,
+			    const struct net_device *out,
+			    const struct ipt_ulog_info *loginfo,
+			    const char *prefix)
 {
 	ulog_buff_t *ub;
 	ulog_packet_msg_t *pm;
 	size_t size, copy_len;
 	struct nlmsghdr *nlh;
-	struct ipt_ulog_info *loginfo = (struct ipt_ulog_info *) targinfo;
 
 	/* ffs == find first bit set, necessary because userspace
 	 * is already shifting groupnumber, but we need unshifted.
@@ -176,8 +181,8 @@
 
 	/* calculate the size of the skb needed */
 	if ((loginfo->copy_range == 0) ||
-	    (loginfo->copy_range > (*pskb)->len)) {
-		copy_len = (*pskb)->len;
+	    (loginfo->copy_range > skb->len)) {
+		copy_len = skb->len;
 	} else {
 		copy_len = loginfo->copy_range;
 	}
@@ -214,19 +219,21 @@
 
 	/* copy hook, prefix, timestamp, payload, etc. */
 	pm->data_len = copy_len;
-	pm->timestamp_sec = (*pskb)->stamp.tv_sec;
-	pm->timestamp_usec = (*pskb)->stamp.tv_usec;
-	pm->mark = (*pskb)->nfmark;
+	pm->timestamp_sec = skb->stamp.tv_sec;
+	pm->timestamp_usec = skb->stamp.tv_usec;
+	pm->mark = skb->nfmark;
 	pm->hook = hooknum;
-	if (loginfo->prefix[0] != '\0')
+	if (prefix != NULL)
+		strncpy(pm->prefix, prefix, sizeof(pm->prefix));
+	else if (loginfo->prefix[0] != '\0')
 		strncpy(pm->prefix, loginfo->prefix, sizeof(pm->prefix));
 	else
 		*(pm->prefix) = '\0';
 
 	if (in && in->hard_header_len > 0
-	    && (*pskb)->mac.raw != (void *) (*pskb)->nh.iph
+	    && skb->mac.raw != (void *) skb->nh.iph
 	    && in->hard_header_len <= ULOG_MAC_LEN) {
-		memcpy(pm->mac, (*pskb)->mac.raw, in->hard_header_len);
+		memcpy(pm->mac, skb->mac.raw, in->hard_header_len);
 		pm->mac_len = in->hard_header_len;
 	} else
 		pm->mac_len = 0;
@@ -241,8 +248,8 @@
 	else
 		pm->outdev_name[0] = '\0';
 
-	/* copy_len <= (*pskb)->len, so can't fail. */
-	if (skb_copy_bits(*pskb, 0, pm->payload, copy_len) < 0)
+	/* copy_len <= skb->len, so can't fail. */
+	if (skb_copy_bits(skb, 0, pm->payload, copy_len) < 0)
 		BUG();
 	
 	/* check if we are building multi-part messages */
@@ -266,8 +273,7 @@
 
 	UNLOCK_BH(&ulog_lock);
 
-	return IPT_CONTINUE;
-
+	return;
 
 nlmsg_failure:
 	PRINTR("ipt_ULOG: error during NLMSG_PUT\n");
@@ -276,8 +282,35 @@
 	PRINTR("ipt_ULOG: Error building netlink message\n");
 
 	UNLOCK_BH(&ulog_lock);
+}
+
+static unsigned int ipt_ulog_target(struct sk_buff **pskb,
+				    const struct net_device *in,
+				    const struct net_device *out,
+				    unsigned int hooknum,
+				    const void *targinfo, void *userinfo)
+{
+	struct ipt_ulog_info *loginfo = (struct ipt_ulog_info *) targinfo;
 
-	return IPT_CONTINUE;
+	ipt_ulog_packet(hooknum, *pskb, in, out, loginfo, NULL);
+ 
+ 	return IPT_CONTINUE;
+}
+ 
+static void ipt_logfn(unsigned int hooknum,
+		      const struct sk_buff *skb,
+		      const struct net_device *in,
+		      const struct net_device *out,
+		      const char *prefix)
+{
+	struct ipt_ulog_info loginfo = { 
+		.nl_group = ULOG_DEFAULT_NLGROUP,
+		.copy_range = 0,
+		.qthreshold = ULOG_DEFAULT_QTHRESHOLD,
+		.prefix = ""
+	};
+
+	ipt_ulog_packet(hooknum, skb, in, out, &loginfo, prefix);
 }
 
 static int ipt_ulog_checkentry(const char *tablename,
@@ -341,7 +374,9 @@
 		sock_release(nflognl->sk_socket);
 		return -EINVAL;
 	}
-
+	if (nflog)
+		nf_log_register(PF_INET, &ipt_logfn);
+	
 	return 0;
 }
 
@@ -352,6 +387,8 @@
 
 	DEBUGP("ipt_ULOG: cleanup_module\n");
 
+	if (nflog)
+		nf_log_unregister(PF_INET, &ipt_logfn);
 	ipt_unregister_target(&ipt_ulog_reg);
 	sock_release(nflognl->sk_socket);
 
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_connlimit.c linux-2.6.4-rc2/net/ipv4/netfilter/ipt_connlimit.c
--- linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_connlimit.c	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/net/ipv4/netfilter/ipt_connlimit.c	2004-03-07 08:43:18.000000000 +0000
@@ -0,0 +1,230 @@
+/*
+ * netfilter module to limit the number of parallel tcp
+ * connections per IP address.
+ *   (c) 2000 Gerd Knorr <kraxel@bytesex.org>
+ *   Nov 2002: Martin Bene <martin.bene@icomedias.com>:
+ *		only ignore TIME_WAIT or gone connections
+ *
+ * based on ...
+ *
+ * Kernel module to match connection tracking information.
+ * GPL (C) 1999  Rusty Russell (rusty@rustcorp.com.au).
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/list.h>
+#include <linux/netfilter_ipv4/ip_conntrack.h>
+#include <linux/netfilter_ipv4/ip_conntrack_core.h>
+#include <linux/netfilter_ipv4/ip_conntrack_tcp.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_connlimit.h>
+
+#define DEBUG 0
+
+MODULE_LICENSE("GPL");
+
+/* we'll save the tuples of all connections we care about */
+struct ipt_connlimit_conn
+{
+        struct list_head list;
+	struct ip_conntrack_tuple tuple;
+};
+
+struct ipt_connlimit_data {
+	spinlock_t lock;
+	struct list_head iphash[256];
+};
+
+static int ipt_iphash(u_int32_t addr)
+{
+	int hash;
+
+	hash  =  addr        & 0xff;
+	hash ^= (addr >>  8) & 0xff;
+	hash ^= (addr >> 16) & 0xff;
+	hash ^= (addr >> 24) & 0xff;
+	return hash;
+}
+
+static int count_them(struct ipt_connlimit_data *data,
+		      u_int32_t addr, u_int32_t mask,
+		      struct ip_conntrack *ct)
+{
+#if DEBUG
+	const static char *tcp[] = { "none", "established", "syn_sent", "syn_recv",
+				     "fin_wait", "time_wait", "close", "close_wait",
+				     "last_ack", "listen" };
+#endif
+	int addit = 1, matches = 0;
+	struct ip_conntrack_tuple tuple;
+	struct ip_conntrack_tuple_hash *found;
+	struct ipt_connlimit_conn *conn;
+	struct list_head *hash,*lh;
+
+	spin_lock(&data->lock);
+	tuple = ct->tuplehash[0].tuple;
+	hash = &data->iphash[ipt_iphash(addr & mask)];
+
+	/* check the saved connections */
+	for (lh = hash->next; lh != hash; lh = lh->next) {
+		conn = list_entry(lh,struct ipt_connlimit_conn,list);
+		found = ip_conntrack_find_get(&conn->tuple,ct);
+		if (0 == memcmp(&conn->tuple,&tuple,sizeof(tuple)) &&
+		    found != NULL &&
+		    found->ctrack->proto.tcp.state != TCP_CONNTRACK_TIME_WAIT) {
+			/* Just to be sure we have it only once in the list.
+			   We should'nt see tuples twice unless someone hooks this
+			   into a table without "-p tcp --syn" */
+			addit = 0;
+		}
+#if DEBUG
+		printk("ipt_connlimit [%d]: src=%u.%u.%u.%u:%d dst=%u.%u.%u.%u:%d %s\n",
+		       ipt_iphash(addr & mask),
+		       NIPQUAD(conn->tuple.src.ip), ntohs(conn->tuple.src.u.tcp.port),
+		       NIPQUAD(conn->tuple.dst.ip), ntohs(conn->tuple.dst.u.tcp.port),
+		       (NULL != found) ? tcp[found->ctrack->proto.tcp.state] : "gone");
+#endif
+		if (NULL == found) {
+			/* this one is gone */
+			lh = lh->prev;
+			list_del(lh->next);
+			kfree(conn);
+			continue;
+		}
+		if (found->ctrack->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT) {
+			/* we don't care about connections which are
+			   closed already -> ditch it */
+			lh = lh->prev;
+			list_del(lh->next);
+			kfree(conn);
+			nf_conntrack_put(&found->ctrack->infos[0]);
+			continue;
+		}
+		if ((addr & mask) == (conn->tuple.src.ip & mask)) {
+			/* same source IP address -> be counted! */
+			matches++;
+		}
+		nf_conntrack_put(&found->ctrack->infos[0]);
+	}
+	if (addit) {
+		/* save the new connection in our list */
+#if DEBUG
+		printk("ipt_connlimit [%d]: src=%u.%u.%u.%u:%d dst=%u.%u.%u.%u:%d new\n",
+		       ipt_iphash(addr & mask),
+		       NIPQUAD(tuple.src.ip), ntohs(tuple.src.u.tcp.port),
+		       NIPQUAD(tuple.dst.ip), ntohs(tuple.dst.u.tcp.port));
+#endif
+		conn = kmalloc(sizeof(*conn),GFP_ATOMIC);
+		if (NULL == conn)
+			return -1;
+		memset(conn,0,sizeof(*conn));
+		INIT_LIST_HEAD(&conn->list);
+		conn->tuple = tuple;
+		list_add(&conn->list,hash);
+		matches++;
+	}
+	spin_unlock(&data->lock);
+	return matches;
+}
+
+static int
+match(const struct sk_buff *skb,
+      const struct net_device *in,
+      const struct net_device *out,
+      const void *matchinfo,
+      int offset,
+      int *hotdrop)
+{
+	const struct ipt_connlimit_info *info = matchinfo;
+	int connections, match;
+	struct ip_conntrack *ct;
+	enum ip_conntrack_info ctinfo;
+
+	ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
+	if (NULL == ct) {
+		printk("ipt_connlimit: Oops: invalid ct state ?\n");
+		*hotdrop = 1;
+		return 0;
+	}
+	connections = count_them(info->data,skb->nh.iph->saddr,info->mask,ct);
+	if (-1 == connections) {
+		printk("ipt_connlimit: Hmm, kmalloc failed :-(\n");
+		*hotdrop = 1; /* let's free some memory :-) */
+		return 0;
+	}
+        match = (info->inverse) ? (connections <= info->limit) : (connections > info->limit);
+#if DEBUG
+	printk("ipt_connlimit: src=%u.%u.%u.%u mask=%u.%u.%u.%u "
+	       "connections=%d limit=%d match=%s\n",
+	       NIPQUAD(skb->nh.iph->saddr), NIPQUAD(info->mask),
+	       connections, info->limit, match ? "yes" : "no");
+#endif
+
+	return match;
+}
+
+static int check(const char *tablename,
+		 const struct ipt_ip *ip,
+		 void *matchinfo,
+		 unsigned int matchsize,
+		 unsigned int hook_mask)
+{
+	struct ipt_connlimit_info *info = matchinfo;
+	int i;
+
+	/* verify size */
+	if (matchsize != IPT_ALIGN(sizeof(struct ipt_connlimit_info)))
+		return 0;
+
+	/* refuse anything but tcp */
+	if (ip->proto != IPPROTO_TCP)
+		return 0;
+
+	/* init private data */
+	info->data = kmalloc(sizeof(struct ipt_connlimit_data),GFP_KERNEL);
+	spin_lock_init(&(info->data->lock));
+	for (i = 0; i < 256; i++)
+		INIT_LIST_HEAD(&(info->data->iphash[i]));
+	
+	return 1;
+}
+
+static void destroy(void *matchinfo, unsigned int matchinfosize)
+{
+	struct ipt_connlimit_info *info = matchinfo;
+	struct ipt_connlimit_conn *conn;
+	struct list_head *hash;
+	int i;
+
+	/* cleanup */
+	for (i = 0; i < 256; i++) {
+		hash = &(info->data->iphash[i]);
+		while (hash != hash->next) {
+			conn = list_entry(hash->next,struct ipt_connlimit_conn,list);
+			list_del(hash->next);
+			kfree(conn);
+		}
+	}
+	kfree(info->data);
+}
+
+static struct ipt_match connlimit_match = { 
+	.name = "connlimit",
+	.match = &match,
+	.checkentry = &check,
+	.destroy = &destroy,
+	.me = THIS_MODULE
+};
+
+static int __init init(void)
+{
+	return ipt_register_match(&connlimit_match);
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_match(&connlimit_match);
+}
+
+module_init(init);
+module_exit(fini);
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_conntrack.c linux-2.6.4-rc2/net/ipv4/netfilter/ipt_conntrack.c
--- linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_conntrack.c	2004-03-04 06:17:04.000000000 +0000
+++ linux-2.6.4-rc2/net/ipv4/netfilter/ipt_conntrack.c	2004-03-07 08:43:29.000000000 +0000
@@ -35,11 +35,13 @@
 
 #define FWINV(bool,invflg) ((bool) ^ !!(sinfo->invflags & invflg))
 
-	if (ct)
-		statebit = IPT_CONNTRACK_STATE_BIT(ctinfo);
-	else
-		statebit = IPT_CONNTRACK_STATE_INVALID;
-
+	if (skb->nfct == &ip_conntrack_untracked.infos[IP_CT_NEW])
+		statebit = IPT_CONNTRACK_STATE_UNTRACKED;
+	else if (ct)
+ 		statebit = IPT_CONNTRACK_STATE_BIT(ctinfo);
+ 	else
+ 		statebit = IPT_CONNTRACK_STATE_INVALID;
+ 
 	if(sinfo->flags & IPT_CONNTRACK_STATE) {
 		if (ct) {
 			if(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip !=
diff -Nur --exclude '*.orig' linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_dstlimit.c linux-2.6.4-rc2/net/ipv4/netfilter/ipt_dstlimit.c
--- linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_dstlimit.c	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/net/ipv4/netfilter/ipt_dstlimit.c	2004-03-07 08:43:19.000000000 +0000
@@ -0,0 +1,690 @@
+/* iptables match extension to limit the number of packets per second
+ * seperately for each destination.
+ *
+ * (C) 2003 by Harald Welte <laforge@netfilter.org>
+ *
+ * $Id$
+ *
+ * Development of this code was funded by Astaro AG, http://www.astaro.com/
+ *
+ * based on ipt_limit.c by: