- 3.14.32

[packages/kernel.git] / kernel-imq.patch

net: add Intermediate Queueing Device (imq)

From: Jussi Kivilinna <jussi.kivilinna@iki.fi>

This patch is for kernel version 3.12.4+.

See: http://linuximq.net/

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
---
 drivers/net/Kconfig                     |  119 ++++
 drivers/net/Makefile                    |    1 
 drivers/net/imq.c                       | 1007 +++++++++++++++++++++++++++++++
 include/linux/imq.h                     |   13 
 include/linux/netfilter/xt_IMQ.h        |    9 
 include/linux/netfilter_ipv4/ipt_IMQ.h  |   10 
 include/linux/netfilter_ipv6/ip6t_IMQ.h |   10 
 include/linux/skbuff.h                  |   22 +
 include/net/netfilter/nf_queue.h        |    6 
 include/uapi/linux/netfilter.h          |    3 
 net/core/dev.c                          |    8 
 net/core/skbuff.c                       |  112 +++
 net/ipv6/ip6_output.c                   |   10 
 net/netfilter/Kconfig                   |   12 
 net/netfilter/Makefile                  |    1 
 net/netfilter/core.c                    |    6 
 net/netfilter/nf_internals.h            |    2 
 net/netfilter/nf_queue.c                |   36 +
 net/netfilter/xt_IMQ.c                  |   72 ++
 19 files changed, 1449 insertions(+), 10 deletions(-)
 create mode 100644 drivers/net/imq.c
 create mode 100644 include/linux/imq.h
 create mode 100644 include/linux/netfilter/xt_IMQ.h
 create mode 100644 include/linux/netfilter_ipv4/ipt_IMQ.h
 create mode 100644 include/linux/netfilter_ipv6/ip6t_IMQ.h
 create mode 100644 net/netfilter/xt_IMQ.c

diff --git a/drivers/net/Kconfig b/drivers/net/Kconfig
index b45b240..5a20da0 100644
--- a/drivers/net/Kconfig
+++ b/drivers/net/Kconfig
@@ -203,6 +203,125 @@ config RIONET_RX_SIZE
        depends on RIONET
        default "128"
 
+config IMQ
+       tristate "IMQ (intermediate queueing device) support"
+       depends on NETDEVICES && NETFILTER
+       ---help---
+         The IMQ device(s) is used as placeholder for QoS queueing
+         disciplines. Every packet entering/leaving the IP stack can be
+         directed through the IMQ device where it's enqueued/dequeued to the
+         attached qdisc. This allows you to treat network devices as classes
+         and distribute bandwidth among them. Iptables is used to specify
+         through which IMQ device, if any, packets travel.
+
+         More information at: http://www.linuximq.net/
+
+         To compile this driver as a module, choose M here: the module
+         will be called imq.  If unsure, say N.
+
+choice
+       prompt "IMQ behavior (PRE/POSTROUTING)"
+       depends on IMQ
+       default IMQ_BEHAVIOR_AB
+       help
+         This setting defines how IMQ behaves in respect to its
+         hooking in PREROUTING and POSTROUTING.
+
+         IMQ can work in any of the following ways:
+
+             PREROUTING   |      POSTROUTING
+         -----------------|-------------------
+         #1  After NAT    |      After NAT
+         #2  After NAT    |      Before NAT
+         #3  Before NAT   |      After NAT
+         #4  Before NAT   |      Before NAT
+
+         The default behavior is to hook before NAT on PREROUTING
+         and after NAT on POSTROUTING (#3).
+
+         This settings are specially usefull when trying to use IMQ
+         to shape NATed clients.
+
+         More information can be found at: www.linuximq.net
+
+         If not sure leave the default settings alone.
+
+config IMQ_BEHAVIOR_AA
+       bool "IMQ AA"
+       help
+         This setting defines how IMQ behaves in respect to its
+         hooking in PREROUTING and POSTROUTING.
+
+         Choosing this option will make IMQ hook like this:
+
+         PREROUTING:   After NAT
+         POSTROUTING:  After NAT
+
+         More information can be found at: www.linuximq.net
+
+         If not sure leave the default settings alone.
+
+config IMQ_BEHAVIOR_AB
+       bool "IMQ AB"
+       help
+         This setting defines how IMQ behaves in respect to its
+         hooking in PREROUTING and POSTROUTING.
+
+         Choosing this option will make IMQ hook like this:
+
+         PREROUTING:   After NAT
+         POSTROUTING:  Before NAT
+
+         More information can be found at: www.linuximq.net
+
+         If not sure leave the default settings alone.
+
+config IMQ_BEHAVIOR_BA
+       bool "IMQ BA"
+       help
+         This setting defines how IMQ behaves in respect to its
+         hooking in PREROUTING and POSTROUTING.
+
+         Choosing this option will make IMQ hook like this:
+
+         PREROUTING:   Before NAT
+         POSTROUTING:  After NAT
+
+         More information can be found at: www.linuximq.net
+
+         If not sure leave the default settings alone.
+
+config IMQ_BEHAVIOR_BB
+       bool "IMQ BB"
+       help
+         This setting defines how IMQ behaves in respect to its
+         hooking in PREROUTING and POSTROUTING.
+
+         Choosing this option will make IMQ hook like this:
+
+         PREROUTING:   Before NAT
+         POSTROUTING:  Before NAT
+
+         More information can be found at: www.linuximq.net
+
+         If not sure leave the default settings alone.
+
+endchoice
+
+config IMQ_NUM_DEVS
+       int "Number of IMQ devices"
+       range 2 16
+       depends on IMQ
+       default "16"
+       help
+         This setting defines how many IMQ devices will be created.
+
+         The default value is 16.
+
+         More information can be found at: www.linuximq.net
+
+         If not sure leave the default settings alone.
+
 config TUN
        tristate "Universal TUN/TAP device driver support"
        select CRC32
diff --git a/drivers/net/Makefile b/drivers/net/Makefile
index 3fef8a8..12dafc0 100644
--- a/drivers/net/Makefile
+++ b/drivers/net/Makefile
@@ -9,6 +9,7 @@ obj-$(CONFIG_BONDING) += bonding/
 obj-$(CONFIG_DUMMY) += dummy.o
 obj-$(CONFIG_EQUALIZER) += eql.o
 obj-$(CONFIG_IFB) += ifb.o
+obj-$(CONFIG_IMQ) += imq.o
 obj-$(CONFIG_MACVLAN) += macvlan.o
 obj-$(CONFIG_MACVTAP) += macvtap.o
 obj-$(CONFIG_MII) += mii.o
diff --git a/drivers/net/imq.c b/drivers/net/imq.c
new file mode 100644
index 0000000..801bc8c
--- /dev/null
+++ b/drivers/net/imq.c
@@ -0,0 +1,1012 @@
+/*
+ *             Pseudo-driver for the intermediate queue device.
+ *
+ *             This program is free software; you can redistribute it and/or
+ *             modify it under the terms of the GNU General Public License
+ *             as published by the Free Software Foundation; either version
+ *             2 of the License, or (at your option) any later version.
+ *
+ * Authors:    Patrick McHardy, <kaber@trash.net>
+ *
+ *            The first version was written by Martin Devera, <devik@cdi.cz>
+ *
+ * Credits:    Jan Rafaj <imq2t@cedric.vabo.cz>
+ *              - Update patch to 2.4.21
+ *             Sebastian Strollo <sstrollo@nortelnetworks.com>
+ *              - Fix "Dead-loop on netdevice imq"-issue
+ *             Marcel Sebek <sebek64@post.cz>
+ *              - Update to 2.6.2-rc1
+ *
+ *            After some time of inactivity there is a group taking care
+ *            of IMQ again: http://www.linuximq.net
+ *
+ *
+ *            2004/06/30 - New version of IMQ patch to kernels <=2.6.7
+ *             including the following changes:
+ *
+ *            - Correction of ipv6 support "+"s issue (Hasso Tepper)
+ *            - Correction of imq_init_devs() issue that resulted in
+ *            kernel OOPS unloading IMQ as module (Norbert Buchmuller)
+ *            - Addition of functionality to choose number of IMQ devices
+ *            during kernel config (Andre Correa)
+ *            - Addition of functionality to choose how IMQ hooks on
+ *            PRE and POSTROUTING (after or before NAT) (Andre Correa)
+ *            - Cosmetic corrections (Norbert Buchmuller) (Andre Correa)
+ *
+ *
+ *             2005/12/16 - IMQ versions between 2.6.7 and 2.6.13 were
+ *             released with almost no problems. 2.6.14-x was released
+ *             with some important changes: nfcache was removed; After
+ *             some weeks of trouble we figured out that some IMQ fields
+ *             in skb were missing in skbuff.c - skb_clone and copy_skb_header.
+ *             These functions are correctly patched by this new patch version.
+ *
+ *             Thanks for all who helped to figure out all the problems with
+ *             2.6.14.x: Patrick McHardy, Rune Kock, VeNoMouS, Max CtRiX,
+ *             Kevin Shanahan, Richard Lucassen, Valery Dachev (hopefully
+ *             I didn't forget anybody). I apologize again for my lack of time.
+ *
+ *
+ *             2008/06/17 - 2.6.25 - Changed imq.c to use qdisc_run() instead
+ *             of qdisc_restart() and moved qdisc_run() to tasklet to avoid
+ *             recursive locking. New initialization routines to fix 'rmmod' not
+ *             working anymore. Used code from ifb.c. (Jussi Kivilinna)
+ *
+ *             2008/08/06 - 2.6.26 - (JK)
+ *              - Replaced tasklet with 'netif_schedule()'.
+ *              - Cleaned up and added comments for imq_nf_queue().
+ *
+ *             2009/04/12
+ *              - Add skb_save_cb/skb_restore_cb helper functions for backuping
+ *                control buffer. This is needed because qdisc-layer on kernels
+ *                2.6.27 and newer overwrite control buffer. (Jussi Kivilinna)
+ *              - Add better locking for IMQ device. Hopefully this will solve
+ *                SMP issues. (Jussi Kivilinna)
+ *              - Port to 2.6.27
+ *              - Port to 2.6.28
+ *              - Port to 2.6.29 + fix rmmod not working
+ *
+ *             2009/04/20 - (Jussi Kivilinna)
+ *              - Use netdevice feature flags to avoid extra packet handling
+ *                by core networking layer and possibly increase performance.
+ *
+ *             2009/09/26 - (Jussi Kivilinna)
+ *              - Add imq_nf_reinject_lockless to fix deadlock with
+ *                imq_nf_queue/imq_nf_reinject.
+ *
+ *             2009/12/08 - (Jussi Kivilinna)
+ *              - Port to 2.6.32
+ *              - Add check for skb->nf_queue_entry==NULL in imq_dev_xmit()
+ *              - Also add better error checking for skb->nf_queue_entry usage
+ *
+ *             2010/02/25 - (Jussi Kivilinna)
+ *              - Port to 2.6.33
+ *
+ *             2010/08/15 - (Jussi Kivilinna)
+ *              - Port to 2.6.35
+ *              - Simplify hook registration by using nf_register_hooks.
+ *              - nf_reinject doesn't need spinlock around it, therefore remove
+ *                imq_nf_reinject function. Other nf_reinject users protect
+ *                their own data with spinlock. With IMQ however all data is
+ *                needed is stored per skbuff, so no locking is needed.
+ *              - Changed IMQ to use 'separate' NF_IMQ_QUEUE instead of
+ *                NF_QUEUE, this allows working coexistance of IMQ and other
+ *                NF_QUEUE users.
+ *              - Make IMQ multi-queue. Number of IMQ device queues can be
+ *                increased with 'numqueues' module parameters. Default number
+ *                of queues is 1, in other words by default IMQ works as
+ *                single-queue device. Multi-queue selection is based on
+ *                IFB multi-queue patch by Changli Gao <xiaosuo@gmail.com>.
+ *
+ *             2011/03/18 - (Jussi Kivilinna)
+ *              - Port to 2.6.38
+ *
+ *             2011/07/12 - (syoder89@gmail.com)
+ *              - Crash fix that happens when the receiving interface has more
+ *                than one queue (add missing skb_set_queue_mapping in
+ *                imq_select_queue).
+ *
+ *             2011/07/26 - (Jussi Kivilinna)
+ *              - Add queue mapping checks for packets exiting IMQ.
+ *              - Port to 3.0
+ *
+ *             2011/08/16 - (Jussi Kivilinna)
+ *              - Clear IFF_TX_SKB_SHARING flag that was added for linux 3.0.2
+ *
+ *             2011/11/03 - Germano Michel <germanomichel@gmail.com>
+ *              - Fix IMQ for net namespaces
+ *
+ *             2011/11/04 - Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
+ *              - Port to 3.1
+ *              - Clean-up, move 'get imq device pointer by imqX name' to
+ *                separate function from imq_nf_queue().
+ *
+ *             2012/01/05 - Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
+ *              - Port to 3.2
+ *
+ *             2012/03/19 - Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
+ *              - Port to 3.3
+ *
+ *             2012/12/12 - Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
+ *              - Port to 3.7
+ *              - Fix checkpatch.pl warnings
+ *
+ *             2013/09/10 - Jussi Kivilinna <jussi.kivilinna@iki.fi>
+ *              - Fixed GSO handling for 3.10, see imq_nf_queue() for comments.
+ *              - Don't copy skb->cb_next when copying or cloning skbuffs.
+ *
+ *             2013/09/16 - Jussi Kivilinna <jussi.kivilinna@iki.fi>
+ *              - Port to 3.11
+ *
+ *             2013/11/12 - Jussi Kivilinna <jussi.kivilinna@iki.fi>
+ *              - Port to 3.12
+ *
+ *            Also, many thanks to pablo Sebastian Greco for making the initial
+ *            patch and to those who helped the testing.
+ *
+ *             More info at: http://www.linuximq.net/ (Andre Correa)
+ */
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/moduleparam.h>
+#include <linux/list.h>
+#include <linux/skbuff.h>
+#include <linux/netdevice.h>
+#include <linux/etherdevice.h>
+#include <linux/rtnetlink.h>
+#include <linux/if_arp.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv4.h>
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+       #include <linux/netfilter_ipv6.h>
+#endif
+#include <linux/imq.h>
+#include <net/pkt_sched.h>
+#include <net/netfilter/nf_queue.h>
+#include <net/sock.h>
+#include <linux/ip.h>
+#include <linux/ipv6.h>
+#include <linux/if_vlan.h>
+#include <linux/if_pppox.h>
+#include <net/ip.h>
+#include <net/ipv6.h>
+
+static int imq_nf_queue(struct nf_queue_entry *entry, unsigned queue_num);
+
+static unsigned int imq_nf_hook(const struct nf_hook_ops *ops,
+                               struct sk_buff *pskb,
+                               const struct net_device *indev,
+                               const struct net_device *outdev,
+                               int (*okfn)(struct sk_buff *));
+
+static struct nf_hook_ops imq_ops[] = {
+       {
+       /* imq_ingress_ipv4 */
+               .hook           = imq_nf_hook,
+               .owner          = THIS_MODULE,
+               .pf             = PF_INET,
+               .hooknum        = NF_INET_PRE_ROUTING,
+#if defined(CONFIG_IMQ_BEHAVIOR_BA) || defined(CONFIG_IMQ_BEHAVIOR_BB)
+               .priority       = NF_IP_PRI_MANGLE + 1,
+#else
+               .priority       = NF_IP_PRI_NAT_DST + 1,
+#endif
+       },
+       {
+       /* imq_egress_ipv4 */
+               .hook           = imq_nf_hook,
+               .owner          = THIS_MODULE,
+               .pf             = PF_INET,
+               .hooknum        = NF_INET_POST_ROUTING,
+#if defined(CONFIG_IMQ_BEHAVIOR_AA) || defined(CONFIG_IMQ_BEHAVIOR_BA)
+               .priority       = NF_IP_PRI_LAST,
+#else
+               .priority       = NF_IP_PRI_NAT_SRC - 1,
+#endif
+       },
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+       {
+       /* imq_ingress_ipv6 */
+               .hook           = imq_nf_hook,
+               .owner          = THIS_MODULE,
+               .pf             = PF_INET6,
+               .hooknum        = NF_INET_PRE_ROUTING,
+#if defined(CONFIG_IMQ_BEHAVIOR_BA) || defined(CONFIG_IMQ_BEHAVIOR_BB)
+               .priority       = NF_IP6_PRI_MANGLE + 1,
+#else
+               .priority       = NF_IP6_PRI_NAT_DST + 1,
+#endif
+       },
+       {
+       /* imq_egress_ipv6 */
+               .hook           = imq_nf_hook,
+               .owner          = THIS_MODULE,
+               .pf             = PF_INET6,
+               .hooknum        = NF_INET_POST_ROUTING,
+#if defined(CONFIG_IMQ_BEHAVIOR_AA) || defined(CONFIG_IMQ_BEHAVIOR_BA)
+               .priority       = NF_IP6_PRI_LAST,
+#else
+               .priority       = NF_IP6_PRI_NAT_SRC - 1,
+#endif
+       },
+#endif
+};
+
+#if defined(CONFIG_IMQ_NUM_DEVS)
+static int numdevs = CONFIG_IMQ_NUM_DEVS;
+#else
+static int numdevs = IMQ_MAX_DEVS;
+#endif
+
+static struct net_device *imq_devs_cache[IMQ_MAX_DEVS];
+
+#define IMQ_MAX_QUEUES 32
+static int numqueues = 1;
+static u32 imq_hashrnd;
+
+static inline __be16 pppoe_proto(const struct sk_buff *skb)
+{
+       return *((__be16 *)(skb_mac_header(skb) + ETH_HLEN +
+                       sizeof(struct pppoe_hdr)));
+}
+
+static u16 imq_hash(struct net_device *dev, struct sk_buff *skb)
+{
+       unsigned int pull_len;
+       u16 protocol = skb->protocol;
+       u32 addr1, addr2;
+       u32 hash, ihl = 0;
+       union {
+               u16 in16[2];
+               u32 in32;
+       } ports;
+       u8 ip_proto;
+
+       pull_len = 0;
+
+recheck:
+       switch (protocol) {
+       case htons(ETH_P_8021Q): {
+               if (unlikely(skb_pull(skb, VLAN_HLEN) == NULL))
+                       goto other;
+
+               pull_len += VLAN_HLEN;
+               skb->network_header += VLAN_HLEN;
+
+               protocol = vlan_eth_hdr(skb)->h_vlan_encapsulated_proto;
+               goto recheck;
+       }
+
+       case htons(ETH_P_PPP_SES): {
+               if (unlikely(skb_pull(skb, PPPOE_SES_HLEN) == NULL))
+                       goto other;
+
+               pull_len += PPPOE_SES_HLEN;
+               skb->network_header += PPPOE_SES_HLEN;
+
+               protocol = pppoe_proto(skb);
+               goto recheck;
+       }
+
+       case htons(ETH_P_IP): {
+               const struct iphdr *iph = ip_hdr(skb);
+
+               if (unlikely(!pskb_may_pull(skb, sizeof(struct iphdr))))
+                       goto other;
+
+               addr1 = iph->daddr;
+               addr2 = iph->saddr;
+
+               ip_proto = !(ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) ?
+                                iph->protocol : 0;
+               ihl = ip_hdrlen(skb);
+
+               break;
+       }
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+       case htons(ETH_P_IPV6): {
+               const struct ipv6hdr *iph = ipv6_hdr(skb);
+               __be16 fo = 0;
+
+               if (unlikely(!pskb_may_pull(skb, sizeof(struct ipv6hdr))))
+                       goto other;
+
+               addr1 = iph->daddr.s6_addr32[3];
+               addr2 = iph->saddr.s6_addr32[3];
+               ihl = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &ip_proto,
+                                      &fo);
+               if (unlikely(ihl < 0))
+                       goto other;
+
+               break;
+       }
+#endif
+       default:
+other:
+               if (pull_len != 0) {
+                       skb_push(skb, pull_len);
+                       skb->network_header -= pull_len;
+               }
+
+               return (u16)(ntohs(protocol) % dev->real_num_tx_queues);
+       }
+
+       if (addr1 > addr2)
+               swap(addr1, addr2);
+
+       switch (ip_proto) {
+       case IPPROTO_TCP:
+       case IPPROTO_UDP:
+       case IPPROTO_DCCP:
+       case IPPROTO_ESP:
+       case IPPROTO_AH:
+       case IPPROTO_SCTP:
+       case IPPROTO_UDPLITE: {
+               if (likely(skb_copy_bits(skb, ihl, &ports.in32, 4) >= 0)) {
+                       if (ports.in16[0] > ports.in16[1])
+                               swap(ports.in16[0], ports.in16[1]);
+                       break;
+               }
+               /* fall-through */
+       }
+       default:
+               ports.in32 = 0;
+               break;
+       }
+
+       if (pull_len != 0) {
+               skb_push(skb, pull_len);
+               skb->network_header -= pull_len;
+       }
+
+       hash = jhash_3words(addr1, addr2, ports.in32, imq_hashrnd ^ ip_proto);
+
+       return (u16)(((u64)hash * dev->real_num_tx_queues) >> 32);
+}
+
+static inline bool sk_tx_queue_recorded(struct sock *sk)
+{
+       return (sk_tx_queue_get(sk) >= 0);
+}
+
+static struct netdev_queue *imq_select_queue(struct net_device *dev,
+                                               struct sk_buff *skb)
+{
+       u16 queue_index = 0;
+       u32 hash;
+
+       if (likely(dev->real_num_tx_queues == 1))
+               goto out;
+
+       /* IMQ can be receiving ingress or engress packets. */
+
+       /* Check first for if rx_queue is set */
+       if (skb_rx_queue_recorded(skb)) {
+               queue_index = skb_get_rx_queue(skb);
+               goto out;
+       }
+
+       /* Check if socket has tx_queue set */
+       if (sk_tx_queue_recorded(skb->sk)) {
+               queue_index = sk_tx_queue_get(skb->sk);
+               goto out;
+       }
+
+       /* Try use socket hash */
+       if (skb->sk && skb->sk->sk_hash) {
+               hash = skb->sk->sk_hash;
+               queue_index =
+                       (u16)(((u64)hash * dev->real_num_tx_queues) >> 32);
+               goto out;
+       }
+
+       /* Generate hash from packet data */
+       queue_index = imq_hash(dev, skb);
+
+out:
+       if (unlikely(queue_index >= dev->real_num_tx_queues))
+               queue_index = (u16)((u32)queue_index % dev->real_num_tx_queues);
+
+       skb_set_queue_mapping(skb, queue_index);
+       return netdev_get_tx_queue(dev, queue_index);
+}
+
+static struct net_device_stats *imq_get_stats(struct net_device *dev)
+{
+       return &dev->stats;
+}
+
+/* called for packets kfree'd in qdiscs at places other than enqueue */
+static void imq_skb_destructor(struct sk_buff *skb)
+{
+       struct nf_queue_entry *entry = skb->nf_queue_entry;
+
+       skb->nf_queue_entry = NULL;
+
+       if (entry) {
+               nf_queue_entry_release_refs(entry);
+               kfree(entry);
+       }
+
+       skb_restore_cb(skb); /* kfree backup */
+}
+
+static void imq_done_check_queue_mapping(struct sk_buff *skb,
+                                        struct net_device *dev)
+{
+       unsigned int queue_index;
+
+       /* Don't let queue_mapping be left too large after exiting IMQ */
+       if (likely(skb->dev != dev && skb->dev != NULL)) {
+               queue_index = skb_get_queue_mapping(skb);
+               if (unlikely(queue_index >= skb->dev->real_num_tx_queues)) {
+                       queue_index = (u16)((u32)queue_index %
+                                               skb->dev->real_num_tx_queues);
+                       skb_set_queue_mapping(skb, queue_index);
+               }
+       } else {
+               /* skb->dev was IMQ device itself or NULL, be on safe side and
+                * just clear queue mapping.
+                */
+               skb_set_queue_mapping(skb, 0);
+       }
+}
+
+static netdev_tx_t imq_dev_xmit(struct sk_buff *skb, struct net_device *dev)
+{
+       struct nf_queue_entry *entry = skb->nf_queue_entry;
+
+       skb->nf_queue_entry = NULL;
+       dev->trans_start = jiffies;
+
+       dev->stats.tx_bytes += skb->len;
+       dev->stats.tx_packets++;
+
+       if (unlikely(entry == NULL)) {
+               /* We don't know what is going on here.. packet is queued for
+                * imq device, but (probably) not by us.
+                *
+                * If this packet was not send here by imq_nf_queue(), then
+                * skb_save_cb() was not used and skb_free() should not show:
+                *   WARNING: IMQ: kfree_skb: skb->cb_next:..
+                * and/or
+                *   WARNING: IMQ: kfree_skb: skb->nf_queue_entry...
+                *
+                * However if this message is shown, then IMQ is somehow broken
+                * and you should report this to linuximq.net.
+                */
+
+               /* imq_dev_xmit is black hole that eats all packets, report that
+                * we eat this packet happily and increase dropped counters.
+                */
+
+               dev->stats.tx_dropped++;
+               dev_kfree_skb(skb);
+
+               return NETDEV_TX_OK;
+       }
+
+       skb_restore_cb(skb); /* restore skb->cb */
+
+       skb->imq_flags = 0;
+       skb->destructor = NULL;
+
+       imq_done_check_queue_mapping(skb, dev);
+
+       nf_reinject(entry, NF_ACCEPT);
+
+       return NETDEV_TX_OK;
+}
+
+static struct net_device *get_imq_device_by_index(int index)
+{
+       struct net_device *dev = NULL;
+       struct net *net;
+       char buf[8];
+
+       /* get device by name and cache result */
+       snprintf(buf, sizeof(buf), "imq%d", index);
+
+       /* Search device from all namespaces. */
+       for_each_net(net) {
+               dev = dev_get_by_name(net, buf);
+               if (dev)
+                       break;
+       }
+
+       if (WARN_ON_ONCE(dev == NULL)) {
+               /* IMQ device not found. Exotic config? */
+               return ERR_PTR(-ENODEV);
+       }
+
+       imq_devs_cache[index] = dev;
+       dev_put(dev);
+
+       return dev;
+}
+
+static struct nf_queue_entry *nf_queue_entry_dup(struct nf_queue_entry *e)
+{
+       struct nf_queue_entry *entry = kmemdup(e, e->size, GFP_ATOMIC);
+       if (entry) {
+               if (nf_queue_entry_get_refs(entry))
+                       return entry;
+               kfree(entry);
+       }
+       return NULL;
+}
+
+#ifdef CONFIG_BRIDGE_NETFILTER
+/* When called from bridge netfilter, skb->data must point to MAC header
+ * before calling skb_gso_segment(). Else, original MAC header is lost
+ * and segmented skbs will be sent to wrong destination.
+ */
+static void nf_bridge_adjust_skb_data(struct sk_buff *skb)
+{
+       if (skb->nf_bridge)
+               __skb_push(skb, skb->network_header - skb->mac_header);
+}
+
+static void nf_bridge_adjust_segmented_data(struct sk_buff *skb)
+{
+       if (skb->nf_bridge)
+               __skb_pull(skb, skb->network_header - skb->mac_header);
+}
+#else
+#define nf_bridge_adjust_skb_data(s) do {} while (0)
+#define nf_bridge_adjust_segmented_data(s) do {} while (0)
+#endif
+
+static void free_entry(struct nf_queue_entry *entry)
+{
+       nf_queue_entry_release_refs(entry);
+       kfree(entry);
+}
+
+static int __imq_nf_queue(struct nf_queue_entry *entry, struct net_device *dev);
+
+static int __imq_nf_queue_gso(struct nf_queue_entry *entry,
+                             struct net_device *dev, struct sk_buff *skb)
+{
+       int ret = -ENOMEM;
+       struct nf_queue_entry *entry_seg;
+
+       nf_bridge_adjust_segmented_data(skb);
+
+       if (skb->next == NULL) { /* last packet, no need to copy entry */
+               struct sk_buff *gso_skb = entry->skb;
+               entry->skb = skb;
+               ret = __imq_nf_queue(entry, dev);
+               if (ret)
+                       entry->skb = gso_skb;
+               return ret;
+       }
+
+       skb->next = NULL;
+
+       entry_seg = nf_queue_entry_dup(entry);
+       if (entry_seg) {
+               entry_seg->skb = skb;
+               ret = __imq_nf_queue(entry_seg, dev);
+               if (ret)
+                       free_entry(entry_seg);
+       }
+       return ret;
+}
+
+static int imq_nf_queue(struct nf_queue_entry *entry, unsigned queue_num)
+{
+       struct sk_buff *skb, *segs;
+       struct net_device *dev;
+       unsigned int queued;
+       int index, retval, err;
+
+       index = entry->skb->imq_flags & IMQ_F_IFMASK;
+       if (unlikely(index > numdevs - 1)) {
+               if (net_ratelimit())
+                       pr_warn("IMQ: invalid device specified, highest is %u\n",
+                               numdevs - 1);
+               retval = -EINVAL;
+               goto out_no_dev;
+       }
+
+       /* check for imq device by index from cache */
+       dev = imq_devs_cache[index];
+       if (unlikely(!dev)) {
+               dev = get_imq_device_by_index(index);
+               if (IS_ERR(dev)) {
+                       retval = PTR_ERR(dev);
+                       goto out_no_dev;
+               }
+       }
+
+       if (unlikely(!(dev->flags & IFF_UP))) {
+               entry->skb->imq_flags = 0;
+               retval = -ECANCELED;
+               goto out_no_dev;
+       }
+
+       if (!skb_is_gso(entry->skb))
+               return __imq_nf_queue(entry, dev);
+
+       /* Since 3.10.x, GSO handling moved here as result of upstream commit
+        * a5fedd43d5f6c94c71053a66e4c3d2e35f1731a2 (netfilter: move
+        * skb_gso_segment into nfnetlink_queue module).
+        *
+        * Following code replicates the gso handling from
+        * 'net/netfilter/nfnetlink_queue_core.c':nfqnl_enqueue_packet().
+        */
+
+       skb = entry->skb;
+
+       switch (entry->pf) {
+       case NFPROTO_IPV4:
+               skb->protocol = htons(ETH_P_IP);
+               break;
+       case NFPROTO_IPV6:
+               skb->protocol = htons(ETH_P_IPV6);
+               break;
+       }
+
+       nf_bridge_adjust_skb_data(skb);
+       segs = skb_gso_segment(skb, 0);
+       /* Does not use PTR_ERR to limit the number of error codes that can be
+        * returned by nf_queue.  For instance, callers rely on -ECANCELED to
+        * mean 'ignore this hook'.
+        */
+       err = -ENOBUFS;
+       if (IS_ERR(segs))
+               goto out_err;
+       queued = 0;
+       err = 0;
+       do {
+               struct sk_buff *nskb = segs->next;
+               if (nskb && nskb->next)
+                       nskb->cb_next = NULL;
+               if (err == 0)
+                       err = __imq_nf_queue_gso(entry, dev, segs);
+               if (err == 0)
+                       queued++;
+               else
+                       kfree_skb(segs);
+               segs = nskb;
+       } while (segs);
+
+       if (queued) {
+               if (err) /* some segments are already queued */
+                       free_entry(entry);
+               kfree_skb(skb);
+               return 0;
+       }
+
+out_err:
+       nf_bridge_adjust_segmented_data(skb);
+       retval = err;
+out_no_dev:
+       return retval;
+}
+
+static int __imq_nf_queue(struct nf_queue_entry *entry, struct net_device *dev)
+{
+       struct sk_buff *skb_orig, *skb, *skb_shared;
+       struct Qdisc *q;
+       struct netdev_queue *txq;
+       spinlock_t *root_lock;
+       int users;
+       int retval = -EINVAL;
+       unsigned int orig_queue_index;
+
+       dev->last_rx = jiffies;
+
+       skb = entry->skb;
+       skb_orig = NULL;
+
+       /* skb has owner? => make clone */
+       if (unlikely(skb->destructor)) {
+               skb_orig = skb;
+               skb = skb_clone(skb, GFP_ATOMIC);
+               if (unlikely(!skb)) {
+                       retval = -ENOMEM;
+                       goto out;
+               }
+               skb->cb_next = NULL;
+               entry->skb = skb;
+       }
+
+       skb->nf_queue_entry = entry;
+
+       dev->stats.rx_bytes += skb->len;
+       dev->stats.rx_packets++;
+
+       if (!skb->dev) {
+               /* skb->dev == NULL causes problems, try the find cause. */
+               if (net_ratelimit()) {
+                       dev_warn(&dev->dev,
+                                "received packet with skb->dev == NULL\n");
+                       dump_stack();
+               }
+
+               skb->dev = dev;
+       }
+
+       /* Disables softirqs for lock below */
+       rcu_read_lock_bh();
+
+       /* Multi-queue selection */
+       orig_queue_index = skb_get_queue_mapping(skb);
+       txq = imq_select_queue(dev, skb);
+
+       q = rcu_dereference(txq->qdisc);
+       if (unlikely(!q->enqueue))
+               goto packet_not_eaten_by_imq_dev;
+
+       root_lock = qdisc_lock(q);
+       spin_lock(root_lock);
+
+       users = atomic_read(&skb->users);
+
+       skb_shared = skb_get(skb); /* increase reference count by one */
+
+       /* backup skb->cb, as qdisc layer will overwrite it */
+       skb_save_cb(skb_shared);
+       qdisc_enqueue_root(skb_shared, q); /* might kfree_skb */
+
+       if (likely(atomic_read(&skb_shared->users) == users + 1)) {
+               kfree_skb(skb_shared); /* decrease reference count by one */
+
+               skb->destructor = &imq_skb_destructor;
+
+               /* cloned? */
+               if (unlikely(skb_orig))
+                       kfree_skb(skb_orig); /* free original */
+
+               spin_unlock(root_lock);
+               rcu_read_unlock_bh();
+
+               /* schedule qdisc dequeue */
+               __netif_schedule(q);
+
+               retval = 0;
+               goto out;
+       } else {
+               skb_restore_cb(skb_shared); /* restore skb->cb */
+               skb->nf_queue_entry = NULL;
+               /*
+                * qdisc dropped packet and decreased skb reference count of
+                * skb, so we don't really want to and try refree as that would
+                * actually destroy the skb.
+                */
+               spin_unlock(root_lock);
+               goto packet_not_eaten_by_imq_dev;
+       }
+
+packet_not_eaten_by_imq_dev:
+       skb_set_queue_mapping(skb, orig_queue_index);
+       rcu_read_unlock_bh();
+
+       /* cloned? restore original */
+       if (unlikely(skb_orig)) {
+               kfree_skb(skb);
+               entry->skb = skb_orig;
+       }
+       retval = -1;
+out:
+       return retval;
+}
+
+static unsigned int imq_nf_hook(const struct nf_hook_ops *ops,
+                               struct sk_buff *pskb,
+                               const struct net_device *indev,
+                               const struct net_device *outdev,
+                               int (*okfn)(struct sk_buff *))
+{
+       return (pskb->imq_flags & IMQ_F_ENQUEUE) ? NF_IMQ_QUEUE : NF_ACCEPT;
+}
+
+static int imq_close(struct net_device *dev)
+{
+       netif_stop_queue(dev);
+       return 0;
+}
+
+static int imq_open(struct net_device *dev)
+{
+       netif_start_queue(dev);
+       return 0;
+}
+
+static const struct net_device_ops imq_netdev_ops = {
+       .ndo_open               = imq_open,
+       .ndo_stop               = imq_close,
+       .ndo_start_xmit         = imq_dev_xmit,
+       .ndo_get_stats          = imq_get_stats,
+};
+
+static void imq_setup(struct net_device *dev)
+{
+       dev->netdev_ops         = &imq_netdev_ops;
+       dev->type               = ARPHRD_VOID;
+       dev->mtu                = 16000; /* too small? */
+       dev->tx_queue_len       = 11000; /* too big? */
+       dev->flags              = IFF_NOARP;
+       dev->features           = NETIF_F_SG | NETIF_F_FRAGLIST |
+                                 NETIF_F_GSO | NETIF_F_HW_CSUM |
+                                 NETIF_F_HIGHDMA;
+       dev->priv_flags         &= ~(IFF_XMIT_DST_RELEASE |
+                                    IFF_TX_SKB_SHARING);
+}
+
+static int imq_validate(struct nlattr *tb[], struct nlattr *data[])
+{
+       int ret = 0;
+
+       if (tb[IFLA_ADDRESS]) {
+               if (nla_len(tb[IFLA_ADDRESS]) != ETH_ALEN) {
+                       ret = -EINVAL;
+                       goto end;
+               }
+               if (!is_valid_ether_addr(nla_data(tb[IFLA_ADDRESS]))) {
+                       ret = -EADDRNOTAVAIL;
+                       goto end;
+               }
+       }
+       return 0;
+end:
+       pr_warn("IMQ: imq_validate failed (%d)\n", ret);
+       return ret;
+}
+
+static struct rtnl_link_ops imq_link_ops __read_mostly = {
+       .kind           = "imq",
+       .priv_size      = 0,
+       .setup          = imq_setup,
+       .validate       = imq_validate,
+};
+
+static const struct nf_queue_handler imq_nfqh = {
+       .outfn = imq_nf_queue,
+};
+
+static int __init imq_init_hooks(void)
+{
+       int ret;
+
+       nf_register_queue_imq_handler(&imq_nfqh);
+
+       ret = nf_register_hooks(imq_ops, ARRAY_SIZE(imq_ops));
+       if (ret < 0)
+               nf_unregister_queue_imq_handler();
+
+       return ret;
+}
+
+static int __init imq_init_one(int index)
+{
+       struct net_device *dev;
+       int ret;
+
+       dev = alloc_netdev_mq(0, "imq%d", imq_setup, numqueues);
+       if (!dev)
+               return -ENOMEM;
+
+       ret = dev_alloc_name(dev, dev->name);
+       if (ret < 0)
+               goto fail;
+
+       dev->rtnl_link_ops = &imq_link_ops;
+       ret = register_netdevice(dev);
+       if (ret < 0)
+               goto fail;
+
+       return 0;
+fail:
+       free_netdev(dev);
+       return ret;
+}
+
+static int __init imq_init_devs(void)
+{
+       int err, i;
+
+       if (numdevs < 1 || numdevs > IMQ_MAX_DEVS) {
+               pr_err("IMQ: numdevs has to be betweed 1 and %u\n",
+                      IMQ_MAX_DEVS);
+               return -EINVAL;
+       }
+
+       if (numqueues < 1 || numqueues > IMQ_MAX_QUEUES) {
+               pr_err("IMQ: numqueues has to be betweed 1 and %u\n",
+                      IMQ_MAX_QUEUES);
+               return -EINVAL;
+       }
+
+       get_random_bytes(&imq_hashrnd, sizeof(imq_hashrnd));
+
+       rtnl_lock();
+       err = __rtnl_link_register(&imq_link_ops);
+
+       for (i = 0; i < numdevs && !err; i++)
+               err = imq_init_one(i);
+
+       if (err) {
+               __rtnl_link_unregister(&imq_link_ops);
+               memset(imq_devs_cache, 0, sizeof(imq_devs_cache));
+       }
+       rtnl_unlock();
+
+       return err;
+}
+
+static int __init imq_init_module(void)
+{
+       int err;
+
+#if defined(CONFIG_IMQ_NUM_DEVS)
+       BUILD_BUG_ON(CONFIG_IMQ_NUM_DEVS > 16);
+       BUILD_BUG_ON(CONFIG_IMQ_NUM_DEVS < 2);
+       BUILD_BUG_ON(CONFIG_IMQ_NUM_DEVS - 1 > IMQ_F_IFMASK);
+#endif
+
+       err = imq_init_devs();
+       if (err) {
+               pr_err("IMQ: Error trying imq_init_devs(net)\n");
+               return err;
+       }
+
+       err = imq_init_hooks();
+       if (err) {
+               pr_err(KERN_ERR "IMQ: Error trying imq_init_hooks()\n");
+               rtnl_link_unregister(&imq_link_ops);
+               memset(imq_devs_cache, 0, sizeof(imq_devs_cache));
+               return err;
+       }
+
+       pr_info("IMQ driver loaded successfully. (numdevs = %d, numqueues = %d)\n",
+               numdevs, numqueues);
+
+#if defined(CONFIG_IMQ_BEHAVIOR_BA) || defined(CONFIG_IMQ_BEHAVIOR_BB)
+       pr_info("\tHooking IMQ before NAT on PREROUTING.\n");
+#else
+       pr_info("\tHooking IMQ after NAT on PREROUTING.\n");
+#endif
+#if defined(CONFIG_IMQ_BEHAVIOR_AB) || defined(CONFIG_IMQ_BEHAVIOR_BB)
+       pr_info("\tHooking IMQ before NAT on POSTROUTING.\n");
+#else
+       pr_info("\tHooking IMQ after NAT on POSTROUTING.\n");
+#endif
+
+       return 0;
+}
+
+static void __exit imq_unhook(void)
+{
+       nf_unregister_hooks(imq_ops, ARRAY_SIZE(imq_ops));
+       nf_unregister_queue_imq_handler();
+}
+
+static void __exit imq_cleanup_devs(void)
+{
+       rtnl_link_unregister(&imq_link_ops);
+       memset(imq_devs_cache, 0, sizeof(imq_devs_cache));
+}
+
+static void __exit imq_exit_module(void)
+{
+       imq_unhook();
+       imq_cleanup_devs();
+       pr_info("IMQ driver unloaded successfully.\n");
+}
+
+module_init(imq_init_module);
+module_exit(imq_exit_module);
+
+module_param(numdevs, int, 0);
+module_param(numqueues, int, 0);
+MODULE_PARM_DESC(numdevs, "number of IMQ devices (how many imq* devices will be created)");
+MODULE_PARM_DESC(numqueues, "number of queues per IMQ device");
+MODULE_AUTHOR("http://www.linuximq.net");
+MODULE_DESCRIPTION("Pseudo-driver for the intermediate queue device. See http://www.linuximq.net/ for more information.");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS_RTNL_LINK("imq");
+
diff --git a/include/linux/imq.h b/include/linux/imq.h
new file mode 100644
index 0000000..1babb09
--- /dev/null
+++ b/include/linux/imq.h
@@ -0,0 +1,13 @@
+#ifndef _IMQ_H
+#define _IMQ_H
+
+/* IFMASK (16 device indexes, 0 to 15) and flag(s) fit in 5 bits */
+#define IMQ_F_BITS     5
+
+#define IMQ_F_IFMASK   0x0f
+#define IMQ_F_ENQUEUE  0x10
+
+#define IMQ_MAX_DEVS   (IMQ_F_IFMASK + 1)
+
+#endif /* _IMQ_H */
+
diff --git a/include/linux/netfilter/xt_IMQ.h b/include/linux/netfilter/xt_IMQ.h
new file mode 100644
index 0000000..9b07230
--- /dev/null
+++ b/include/linux/netfilter/xt_IMQ.h
@@ -0,0 +1,9 @@
+#ifndef _XT_IMQ_H
+#define _XT_IMQ_H
+
+struct xt_imq_info {
+       unsigned int todev;     /* target imq device */
+};
+
+#endif /* _XT_IMQ_H */
+
diff --git a/include/linux/netfilter_ipv4/ipt_IMQ.h b/include/linux/netfilter_ipv4/ipt_IMQ.h
new file mode 100644
index 0000000..7af320f
--- /dev/null
+++ b/include/linux/netfilter_ipv4/ipt_IMQ.h
@@ -0,0 +1,10 @@
+#ifndef _IPT_IMQ_H
+#define _IPT_IMQ_H
+
+/* Backwards compatibility for old userspace */
+#include <linux/netfilter/xt_IMQ.h>
+
+#define ipt_imq_info xt_imq_info
+
+#endif /* _IPT_IMQ_H */
+
diff --git a/include/linux/netfilter_ipv6/ip6t_IMQ.h b/include/linux/netfilter_ipv6/ip6t_IMQ.h
new file mode 100644
index 0000000..198ac01
--- /dev/null
+++ b/include/linux/netfilter_ipv6/ip6t_IMQ.h
@@ -0,0 +1,10 @@
+#ifndef _IP6T_IMQ_H
+#define _IP6T_IMQ_H
+
+/* Backwards compatibility for old userspace */
+#include <linux/netfilter/xt_IMQ.h>
+
+#define ip6t_imq_info xt_imq_info
+
+#endif /* _IP6T_IMQ_H */
+
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index f66f346..d699b19 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -33,6 +33,9 @@
 #include <linux/dma-mapping.h>
 #include <linux/netdev_features.h>
 #include <net/flow_keys.h>
+#if defined(CONFIG_IMQ) || defined(CONFIG_IMQ_MODULE)
+#include <linux/imq.h>
+#endif
 
 /* Don't change this without changing skb_csum_unnecessary! */
 #define CHECKSUM_NONE 0
@@ -418,6 +421,9 @@ struct sk_buff {
         * first. This is owned by whoever has the skb queued ATM.
         */
        char                    cb[48] __aligned(8);
+#if defined(CONFIG_IMQ) || defined(CONFIG_IMQ_MODULE)
+       void                    *cb_next;
+#endif
 
        unsigned long           _skb_refdst;
 #ifdef CONFIG_XFRM
@@ -453,6 +459,9 @@ struct sk_buff {
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
        struct nf_conntrack     *nfct;
 #endif
+#if defined(CONFIG_IMQ) || defined(CONFIG_IMQ_MODULE)
+       struct nf_queue_entry   *nf_queue_entry;
+#endif
 #ifdef CONFIG_BRIDGE_NETFILTER
        struct nf_bridge_info   *nf_bridge;
 #endif
@@ -490,6 +499,9 @@ struct sk_buff {
         */
        __u8                    encapsulation:1;
        /* 6/8 bit hole (depending on ndisc_nodetype presence) */
+#if defined(CONFIG_IMQ) || defined(CONFIG_IMQ_MODULE)
+       __u8                    imq_flags:IMQ_F_BITS;
+#endif
        kmemcheck_bitfield_end(flags2);
 
 #if defined CONFIG_NET_DMA || defined CONFIG_NET_RX_BUSY_POLL
@@ -625,6 +637,12 @@ static inline struct rtable *skb_rtable(const struct sk_buff *skb)
        return (struct rtable *)skb_dst(skb);
 }
 
+
+#if defined(CONFIG_IMQ) || defined(CONFIG_IMQ_MODULE)
+extern int skb_save_cb(struct sk_buff *skb);
+extern int skb_restore_cb(struct sk_buff *skb);
+#endif
+
 void kfree_skb(struct sk_buff *skb);
 void kfree_skb_list(struct sk_buff *segs);
 void skb_tx_error(struct sk_buff *skb);
@@ -2635,6 +2653,10 @@ static inline void __nf_copy(struct sk_buff *dst, const struct sk_buff *src)
        nf_conntrack_get(src->nfct);
        dst->nfctinfo = src->nfctinfo;
 #endif
+#if defined(CONFIG_IMQ) || defined(CONFIG_IMQ_MODULE)
+       dst->imq_flags = src->imq_flags;
+       dst->nf_queue_entry = src->nf_queue_entry;
+#endif
 #ifdef CONFIG_BRIDGE_NETFILTER
        dst->nf_bridge  = src->nf_bridge;
        nf_bridge_get(src->nf_bridge);
diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h
index aaba4bb..f6e92a4 100644
--- a/include/net/netfilter/nf_queue.h
+++ b/include/net/netfilter/nf_queue.h
@@ -29,6 +29,12 @@ struct nf_queue_handler {
 void nf_register_queue_handler(const struct nf_queue_handler *qh);
 void nf_unregister_queue_handler(void);
 void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict);
+extern void nf_queue_entry_release_refs(struct nf_queue_entry *entry);
+
+#if defined(CONFIG_IMQ) || defined(CONFIG_IMQ_MODULE)
+extern void nf_register_queue_imq_handler(const struct nf_queue_handler *qh);
+extern void nf_unregister_queue_imq_handler(void);
+#endif
 
 bool nf_queue_entry_get_refs(struct nf_queue_entry *entry);
 void nf_queue_entry_release_refs(struct nf_queue_entry *entry);
diff --git a/include/uapi/linux/netfilter.h b/include/uapi/linux/netfilter.h
index f7dc0eb..58c46a9 100644
--- a/include/uapi/linux/netfilter.h
+++ b/include/uapi/linux/netfilter.h
@@ -13,7 +13,8 @@
 #define NF_QUEUE 3
 #define NF_REPEAT 4
 #define NF_STOP 5
-#define NF_MAX_VERDICT NF_STOP
+#define NF_IMQ_QUEUE 6
+#define NF_MAX_VERDICT NF_IMQ_QUEUE
 
 /* we overload the higher bits for encoding auxiliary data such as the queue
  * number or errno values. Not nice, but better than additional function
diff --git a/net/core/dev.c b/net/core/dev.c
index 3d13874..9842f21 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -131,6 +131,9 @@
 #include <linux/hashtable.h>
 #include <linux/vmalloc.h>
 #include <linux/if_macvlan.h>
+#if defined(CONFIG_IMQ) || defined(CONFIG_IMQ_MODULE)
+#include <linux/imq.h>
+#endif
 
 #include "net-sysfs.h"
 
@@ -2595,7 +2598,12 @@ int dev_hard_start_xmit(struct sk_buff *skb, struct net_device *dev,
                        }
                }
 
+#if defined(CONFIG_IMQ) || defined(CONFIG_IMQ_MODULE)
+               if (!list_empty(&ptype_all) &&
+                                       !(skb->imq_flags & IMQ_F_ENQUEUE))
+#else
                if (!list_empty(&ptype_all))
+#endif
                        dev_queue_xmit_nit(skb, dev);
 
                skb_len = skb->len;
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index c28c7fe..a5f1888 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -73,6 +73,84 @@
 
 struct kmem_cache *skbuff_head_cache __read_mostly;
 static struct kmem_cache *skbuff_fclone_cache __read_mostly;
+#if defined(CONFIG_IMQ) || defined(CONFIG_IMQ_MODULE)
+static struct kmem_cache *skbuff_cb_store_cache __read_mostly;
+
+/* Control buffer save/restore for IMQ devices */
+struct skb_cb_table {
+       char                    cb[48] __aligned(8);
+       void                    *cb_next;
+       atomic_t                refcnt;
+};
+
+static DEFINE_SPINLOCK(skb_cb_store_lock);
+
+int skb_save_cb(struct sk_buff *skb)
+{
+       struct skb_cb_table *next;
+
+       next = kmem_cache_alloc(skbuff_cb_store_cache, GFP_ATOMIC);
+       if (!next)
+               return -ENOMEM;
+
+       BUILD_BUG_ON(sizeof(skb->cb) != sizeof(next->cb));
+
+       memcpy(next->cb, skb->cb, sizeof(skb->cb));
+       next->cb_next = skb->cb_next;
+
+       atomic_set(&next->refcnt, 1);
+
+       skb->cb_next = next;
+       return 0;
+}
+EXPORT_SYMBOL(skb_save_cb);
+
+int skb_restore_cb(struct sk_buff *skb)
+{
+       struct skb_cb_table *next;
+
+       if (!skb->cb_next)
+               return 0;
+
+       next = skb->cb_next;
+
+       BUILD_BUG_ON(sizeof(skb->cb) != sizeof(next->cb));
+
+       memcpy(skb->cb, next->cb, sizeof(skb->cb));
+       skb->cb_next = next->cb_next;
+
+       spin_lock(&skb_cb_store_lock);
+
+       if (atomic_dec_and_test(&next->refcnt))
+               kmem_cache_free(skbuff_cb_store_cache, next);
+
+       spin_unlock(&skb_cb_store_lock);
+
+       return 0;
+}
+EXPORT_SYMBOL(skb_restore_cb);
+
+static void skb_copy_stored_cb(struct sk_buff *new, const struct sk_buff *__old)
+{
+       struct skb_cb_table *next;
+       struct sk_buff *old;
+
+       if (!__old->cb_next) {
+               new->cb_next = NULL;
+               return;
+       }
+
+       spin_lock(&skb_cb_store_lock);
+
+       old = (struct sk_buff *)__old;
+
+       next = old->cb_next;
+       atomic_inc(&next->refcnt);
+       new->cb_next = next;
+
+       spin_unlock(&skb_cb_store_lock);
+}
+#endif
 
 /**
  *     skb_panic - private function for out-of-line support
@@ -577,6 +656,28 @@ static void skb_release_head_state(struct sk_buff *skb)
                WARN_ON(in_irq());
                skb->destructor(skb);
        }
+#if defined(CONFIG_IMQ) || defined(CONFIG_IMQ_MODULE)
+       /*
+        * This should not happen. When it does, avoid memleak by restoring
+        * the chain of cb-backups.
+        */
+       while (skb->cb_next != NULL) {
+               if (net_ratelimit())
+                       pr_warn("IMQ: kfree_skb: skb->cb_next: %08x\n",
+                               (unsigned int)skb->cb_next);
+
+               skb_restore_cb(skb);
+       }
+       /*
+        * This should not happen either, nf_queue_entry is nullified in
+        * imq_dev_xmit(). If we have non-NULL nf_queue_entry then we are
+        * leaking entry pointers, maybe memory. We don't know if this is
+        * pointer to already freed memory, or should this be freed.
+        * If this happens we need to add refcounting, etc for nf_queue_entry.
+        */
+       if (skb->nf_queue_entry && net_ratelimit())
+               pr_warn("%s\n", "IMQ: kfree_skb: skb->nf_queue_entry != NULL");
+#endif
 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
        nf_conntrack_put(skb->nfct);
 #endif
@@ -709,6 +810,10 @@ static void __copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
        new->sp                 = secpath_get(old->sp);
 #endif
        memcpy(new->cb, old->cb, sizeof(old->cb));
+#if defined(CONFIG_IMQ) || defined(CONFIG_IMQ_MODULE)
+       new->cb_next = NULL;
+       /*skb_copy_stored_cb(new, old);*/
+#endif
        new->csum               = old->csum;
        new->local_df           = old->local_df;
        new->pkt_type           = old->pkt_type;
@@ -3112,6 +3217,13 @@ void __init skb_init(void)
                                                0,
                                                SLAB_HWCACHE_ALIGN|SLAB_PANIC,
                                                NULL);
+#if defined(CONFIG_IMQ) || defined(CONFIG_IMQ_MODULE)
+       skbuff_cb_store_cache = kmem_cache_create("skbuff_cb_store_cache",
+                                                 sizeof(struct skb_cb_table),
+                                                 0,
+                                                 SLAB_HWCACHE_ALIGN|SLAB_PANIC,
+                                                 NULL);
+#endif
 }
 
 /**
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index b6fa35e..08dcfef 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -64,9 +64,6 @@ static int ip6_finish_output2(struct sk_buff *skb)
        struct in6_addr *nexthop;
        int ret;
 
-       skb->protocol = htons(ETH_P_IPV6);
-       skb->dev = dev;
-
        if (ipv6_addr_is_multicast(&ipv6_hdr(skb)->daddr)) {
                struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
 
@@ -143,6 +140,13 @@ int ip6_output(struct sk_buff *skb)
                return 0;
        }
 
+       /*
+        * IMQ-patch: moved setting skb->dev and skb->protocol from
+        * ip6_finish_output2 to fix crashing at netif_skb_features().
+        */
+       skb->protocol = htons(ETH_P_IPV6);
+       skb->dev = dev;
+
        return NF_HOOK_COND(NFPROTO_IPV6, NF_INET_POST_ROUTING, skb, NULL, dev,
                            ip6_finish_output,
                            !(IP6CB(skb)->flags & IP6SKB_REROUTED));
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 6e839b6..45ac31c 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -630,6 +630,18 @@ config NETFILTER_XT_TARGET_LOG
 
          To compile it as a module, choose M here.  If unsure, say N.
 
+config NETFILTER_XT_TARGET_IMQ
+        tristate '"IMQ" target support'
+       depends on NETFILTER_XTABLES
+       depends on IP_NF_MANGLE || IP6_NF_MANGLE
+       select IMQ
+       default m if NETFILTER_ADVANCED=n
+        help
+          This option adds a `IMQ' target which is used to specify if and
+          to which imq device packets should get enqueued/dequeued.
+
+          To compile it as a module, choose M here.  If unsure, say N.
+
 config NETFILTER_XT_TARGET_MARK
        tristate '"MARK" target support'
        depends on NETFILTER_ADVANCED
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index c3a0a12..9647f06 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -82,6 +82,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_CT) += xt_CT.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_HL) += xt_HL.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_HMARK) += xt_HMARK.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_IMQ) += xt_IMQ.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_LOG) += xt_LOG.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_NETMAP) += xt_NETMAP.o
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 593b16e..740cd69 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -191,9 +191,11 @@ next_hook:
                ret = NF_DROP_GETERR(verdict);
                if (ret == 0)
                        ret = -EPERM;
-       } else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {
+       } else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE ||
+                  (verdict & NF_VERDICT_MASK) == NF_IMQ_QUEUE) {
                int err = nf_queue(skb, elem, pf, hook, indev, outdev, okfn,
-                                               verdict >> NF_VERDICT_QBITS);
+                                               verdict >> NF_VERDICT_QBITS,
+                                               verdict & NF_VERDICT_MASK);
                if (err < 0) {
                        if (err == -ECANCELED)
                                goto next_hook;
diff --git a/net/netfilter/nf_internals.h b/net/netfilter/nf_internals.h
index 3deec99..c1a1397 100644
--- a/net/netfilter/nf_internals.h
+++ b/net/netfilter/nf_internals.h
@@ -29,7 +29,7 @@ extern int nf_queue(struct sk_buff *skb,
 int nf_queue(struct sk_buff *skb, struct nf_hook_ops *elem, u_int8_t pf,
             unsigned int hook, struct net_device *indev,
             struct net_device *outdev, int (*okfn)(struct sk_buff *),
-            unsigned int queuenum);
+            unsigned int queuenum, unsigned int queuetype);
 int __init netfilter_queue_init(void);
 
 /* nf_log.c */
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index 5d24b1f..28317dc 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -27,6 +27,23 @@
  */
 static const struct nf_queue_handler __rcu *queue_handler __read_mostly;
 
+#if defined(CONFIG_IMQ) || defined(CONFIG_IMQ_MODULE)
+static const struct nf_queue_handler __rcu *queue_imq_handler __read_mostly;
+
+void nf_register_queue_imq_handler(const struct nf_queue_handler *qh)
+{
+       rcu_assign_pointer(queue_imq_handler, qh);
+}
+EXPORT_SYMBOL_GPL(nf_register_queue_imq_handler);
+
+void nf_unregister_queue_imq_handler(void)
+{
+       RCU_INIT_POINTER(queue_imq_handler, NULL);
+       synchronize_rcu();
+}
+EXPORT_SYMBOL_GPL(nf_unregister_queue_imq_handler);
+#endif
+
 /* return EBUSY when somebody else is registered, return EEXIST if the
  * same handler is registered, return 0 in case of success. */
 void nf_register_queue_handler(const struct nf_queue_handler *qh)
@@ -105,7 +122,8 @@ int nf_queue(struct sk_buff *skb,
                      struct net_device *indev,
                      struct net_device *outdev,
                      int (*okfn)(struct sk_buff *),
-                     unsigned int queuenum)
+                     unsigned int queuenum,
+                     unsigned int queuetype)
 {
        int status = -ENOENT;
        struct nf_queue_entry *entry = NULL;
@@ -115,7 +133,17 @@ int nf_queue(struct sk_buff *skb,
        /* QUEUE == DROP if no one is waiting, to be safe. */
        rcu_read_lock();
 
-       qh = rcu_dereference(queue_handler);
+       if (queuetype == NF_IMQ_QUEUE) {
+#if defined(CONFIG_IMQ) || defined(CONFIG_IMQ_MODULE)
+               qh = rcu_dereference(queue_imq_handler);
+#else
+               BUG();
+               goto err_unlock;
+#endif
+       } else {
+               qh = rcu_dereference(queue_handler);
+       }
+
        if (!qh) {
                status = -ESRCH;
                goto err_unlock;
@@ -205,9 +233,11 @@ void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
                local_bh_enable();
                break;
        case NF_QUEUE:
+       case NF_IMQ_QUEUE:
                err = nf_queue(skb, elem, entry->pf, entry->hook,
                                entry->indev, entry->outdev, entry->okfn,
-                               verdict >> NF_VERDICT_QBITS);
+                               verdict >> NF_VERDICT_QBITS,
+                               verdict & NF_VERDICT_MASK);
                if (err < 0) {
                        if (err == -ECANCELED)
                                goto next_hook;
diff --git a/net/netfilter/xt_IMQ.c b/net/netfilter/xt_IMQ.c
new file mode 100644
index 0000000..1c3cd66
--- /dev/null
+++ b/net/netfilter/xt_IMQ.c
@@ -0,0 +1,72 @@
+/*
+ * This target marks packets to be enqueued to an imq device
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_IMQ.h>
+#include <linux/imq.h>
+
+static unsigned int imq_target(struct sk_buff *pskb,
+                               const struct xt_action_param *par)
+{
+       const struct xt_imq_info *mr = par->targinfo;
+
+       pskb->imq_flags = (mr->todev & IMQ_F_IFMASK) | IMQ_F_ENQUEUE;
+
+       return XT_CONTINUE;
+}
+
+static int imq_checkentry(const struct xt_tgchk_param *par)
+{
+       struct xt_imq_info *mr = par->targinfo;
+
+       if (mr->todev > IMQ_MAX_DEVS - 1) {
+               pr_warn("IMQ: invalid device specified, highest is %u\n",
+                       IMQ_MAX_DEVS - 1);
+               return -EINVAL;
+       }
+
+       return 0;
+}
+
+static struct xt_target xt_imq_reg[] __read_mostly = {
+       {
+               .name           = "IMQ",
+               .family         = AF_INET,
+               .checkentry     = imq_checkentry,
+               .target         = imq_target,
+               .targetsize     = sizeof(struct xt_imq_info),
+               .table          = "mangle",
+               .me             = THIS_MODULE
+       },
+       {
+               .name           = "IMQ",
+               .family         = AF_INET6,
+               .checkentry     = imq_checkentry,
+               .target         = imq_target,
+               .targetsize     = sizeof(struct xt_imq_info),
+               .table          = "mangle",
+               .me             = THIS_MODULE
+       },
+};
+
+static int __init imq_init(void)
+{
+       return xt_register_targets(xt_imq_reg, ARRAY_SIZE(xt_imq_reg));
+}
+
+static void __exit imq_fini(void)
+{
+       xt_unregister_targets(xt_imq_reg, ARRAY_SIZE(xt_imq_reg));
+}
+
+module_init(imq_init);
+module_exit(imq_fini);
+
+MODULE_AUTHOR("http://www.linuximq.net");
+MODULE_DESCRIPTION("Pseudo-driver for the intermediate queue device. See http://www.linuximq.net/ for more information.");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_IMQ");
+MODULE_ALIAS("ip6t_IMQ");
+