- obsolete

[packages/kernel.git] / 2.6.x-patch-o-matic-ng-base-20040304.patch

diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ip_conntrack_helper.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ip_conntrack_helper.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ip_conntrack_helper.h	2004-03-04 06:16:37.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ip_conntrack_helper.h	2004-03-04 08:39:18.000000000 +0000
@@ -35,9 +35,13 @@
 
 extern struct ip_conntrack_helper *ip_ct_find_helper(const struct ip_conntrack_tuple *tuple);
 
+
+/* Allocate space for an expectation: this is mandatory before calling 
+   ip_conntrack_expect_related. */
+extern int ip_conntrack_expect_alloc(struct ip_conntrack_expect **new);
 /* Add an expected connection: can have more than one per connection */
-extern int ip_conntrack_expect_related(struct ip_conntrack *related_to,
-				       struct ip_conntrack_expect *exp);
+extern int ip_conntrack_expect_related(struct ip_conntrack_expect *exp,
+				       struct ip_conntrack *related_to);
 extern int ip_conntrack_change_expect(struct ip_conntrack_expect *expect,
 				      struct ip_conntrack_tuple *newtuple);
 extern void ip_conntrack_unexpect_related(struct ip_conntrack_expect *exp);
diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_TTL.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_TTL.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_TTL.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_TTL.h	2004-03-04 08:39:28.000000000 +0000
@@ -0,0 +1,21 @@
+/* TTL modification module for IP tables
+ * (C) 2000 by Harald Welte <laforge@gnumonks.org> */
+
+#ifndef _IPT_TTL_H
+#define _IPT_TTL_H
+
+enum {
+	IPT_TTL_SET = 0,
+	IPT_TTL_INC,
+	IPT_TTL_DEC
+};
+
+#define IPT_TTL_MAXMODE	IPT_TTL_DEC
+
+struct ipt_TTL_info {
+	u_int8_t	mode;
+	u_int8_t	ttl;
+};
+
+
+#endif
diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_connlimit.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_connlimit.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_connlimit.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_connlimit.h	2004-03-04 08:39:29.000000000 +0000
@@ -0,0 +1,12 @@
+#ifndef _IPT_CONNLIMIT_H
+#define _IPT_CONNLIMIT_H
+
+struct ipt_connlimit_data;
+
+struct ipt_connlimit_info {
+	int limit;
+	int inverse;
+	u_int32_t mask;
+	struct ipt_connlimit_data *data;
+};
+#endif /* _IPT_CONNLIMIT_H */
diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_dstlimit.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_dstlimit.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_dstlimit.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_dstlimit.h	2004-03-04 08:39:30.000000000 +0000
@@ -0,0 +1,39 @@
+#ifndef _IPT_DSTLIMIT_H
+#define _IPT_DSTLIMIT_H
+
+/* timings are in milliseconds. */
+#define IPT_DSTLIMIT_SCALE 10000
+/* 1/10,000 sec period => max of 10,000/sec.  Min rate is then 429490
+   seconds, or one every 59 hours. */
+
+/* details of this structure hidden by the implementation */
+struct ipt_dstlimit_htable;
+
+#define IPT_DSTLIMIT_HASH_DIP	0x0001
+#define IPT_DSTLIMIT_HASH_DPT	0x0002
+#define IPT_DSTLIMIT_HASH_SIP	0x0004
+
+struct dstlimit_cfg {
+	u_int32_t mode;	  /* bitmask of IPT_DSTLIMIT_HASH_* */
+	u_int32_t avg;    /* Average secs between packets * scale */
+	u_int32_t burst;  /* Period multiplier for upper limit. */
+
+	/* user specified */
+	u_int32_t size;		/* how many buckets */
+	u_int32_t max;		/* max number of entries */
+	u_int32_t gc_interval;	/* gc interval */
+	u_int32_t expire;	/* when do entries expire? */
+};
+
+struct ipt_dstlimit_info {
+	char name [IFNAMSIZ];		/* name */
+	struct dstlimit_cfg cfg;
+	struct ipt_dstlimit_htable *hinfo;
+
+	/* Used internally by the kernel */
+	union {
+		void *ptr;
+		struct ipt_dstlimit_info *master;
+	} u;
+};
+#endif /*_IPT_DSTLIMIT_H*/
diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_fuzzy.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_fuzzy.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_fuzzy.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_fuzzy.h	2004-03-04 08:39:30.000000000 +0000
@@ -0,0 +1,21 @@
+#ifndef _IPT_FUZZY_H
+#define _IPT_FUZZY_H
+
+#include <linux/param.h>
+#include <linux/types.h>
+
+#define MAXFUZZYRATE 10000000
+#define MINFUZZYRATE 3
+
+struct ipt_fuzzy_info {
+	u_int32_t minimum_rate;
+	u_int32_t maximum_rate;
+	u_int32_t packets_total;
+	u_int32_t bytes_total;
+	u_int32_t previous_time;
+	u_int32_t present_time;
+	u_int32_t mean_rate;
+	u_int8_t acceptance_rate;
+};
+
+#endif /*_IPT_FUZZY_H*/
diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_ipv4options.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_ipv4options.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_ipv4options.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_ipv4options.h	2004-03-04 08:39:31.000000000 +0000
@@ -0,0 +1,21 @@
+#ifndef __ipt_ipv4options_h_included__
+#define __ipt_ipv4options_h_included__
+
+#define IPT_IPV4OPTION_MATCH_SSRR		0x01  /* For strict source routing */
+#define IPT_IPV4OPTION_MATCH_LSRR		0x02  /* For loose source routing */
+#define IPT_IPV4OPTION_DONT_MATCH_SRR		0x04  /* any source routing */
+#define IPT_IPV4OPTION_MATCH_RR			0x08  /* For Record route */
+#define IPT_IPV4OPTION_DONT_MATCH_RR		0x10
+#define IPT_IPV4OPTION_MATCH_TIMESTAMP		0x20  /* For timestamp request */
+#define IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP	0x40
+#define IPT_IPV4OPTION_MATCH_ROUTER_ALERT	0x80  /* For router-alert */
+#define IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT	0x100
+#define IPT_IPV4OPTION_MATCH_ANY_OPT		0x200 /* match packet with any option */
+#define IPT_IPV4OPTION_DONT_MATCH_ANY_OPT	0x400 /* match packet with no option */
+
+struct ipt_ipv4options_info {
+	u_int16_t options;
+};
+
+
+#endif /* __ipt_ipv4options_h_included__ */
diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_mport.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_mport.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_mport.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_mport.h	2004-03-04 08:39:33.000000000 +0000
@@ -0,0 +1,24 @@
+#ifndef _IPT_MPORT_H
+#define _IPT_MPORT_H
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+#define IPT_MPORT_SOURCE (1<<0)
+#define IPT_MPORT_DESTINATION (1<<1)
+#define IPT_MPORT_EITHER (IPT_MPORT_SOURCE|IPT_MPORT_DESTINATION)
+
+#define IPT_MULTI_PORTS	15
+
+/* Must fit inside union ipt_matchinfo: 32 bytes */
+/* every entry in ports[] except for the last one has one bit in pflags
+ * associated with it. If this bit is set, the port is the first port of
+ * a portrange, with the next entry being the last.
+ * End of list is marked with pflags bit set and port=65535.
+ * If 14 ports are used (last one does not have a pflag), the last port
+ * is repeated to fill the last entry in ports[] */
+struct ipt_mport
+{
+	u_int8_t flags:2;			/* Type of comparison */
+	u_int16_t pflags:14;			/* Port flags */
+	u_int16_t ports[IPT_MULTI_PORTS];	/* Ports */
+};
+#endif /*_IPT_MPORT_H*/
diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_nth.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_nth.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_nth.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_nth.h	2004-03-04 08:39:34.000000000 +0000
@@ -0,0 +1,19 @@
+#ifndef _IPT_NTH_H
+#define _IPT_NTH_H
+
+#include <linux/param.h>
+#include <linux/types.h>
+
+#ifndef IPT_NTH_NUM_COUNTERS
+#define IPT_NTH_NUM_COUNTERS 16
+#endif
+
+struct ipt_nth_info {
+	u_int8_t every;
+	u_int8_t not;
+	u_int8_t startat;
+	u_int8_t counter;
+	u_int8_t packet;
+};
+
+#endif /*_IPT_NTH_H*/
diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_quota.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_quota.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_quota.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_quota.h	2004-03-04 08:39:36.000000000 +0000
@@ -0,0 +1,11 @@
+#ifndef _IPT_QUOTA_H
+#define _IPT_QUOTA_H
+
+/* print debug info in both kernel/netfilter module & iptable library */
+//#define DEBUG_IPT_QUOTA
+
+struct ipt_quota_info {
+        u_int64_t quota;
+};
+
+#endif /*_IPT_QUOTA_H*/
diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_realm.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_realm.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_realm.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_realm.h	2004-03-04 08:39:54.000000000 +0000
@@ -0,0 +1,9 @@
+#ifndef _IPT_REALM_H
+#define _IPT_REALM_H
+
+struct ipt_realm_info {
+	u_int32_t id;
+	u_int32_t mask;
+	u_int8_t invert;
+};
+#endif /*_IPT_REALM_H*/
diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_sctp.h linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_sctp.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv4/ipt_sctp.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv4/ipt_sctp.h	2004-03-04 08:39:55.000000000 +0000
@@ -0,0 +1,107 @@
+#ifndef _IPT_SCTP_H_
+#define _IPT_SCTP_H_
+
+#define IPT_SCTP_SRC_PORTS	        0x01
+#define IPT_SCTP_DEST_PORTS	        0x02
+#define IPT_SCTP_CHUNK_TYPES		0x04
+
+#define IPT_SCTP_VALID_FLAGS		0x07
+
+#define ELEMCOUNT(x) (sizeof(x)/sizeof(x[0]))
+
+
+struct ipt_sctp_flag_info {
+	u_int8_t chunktype;
+	u_int8_t flag;
+	u_int8_t flag_mask;
+};
+
+#define IPT_NUM_SCTP_FLAGS	4
+
+struct ipt_sctp_info {
+	u_int16_t dpts[2];  /* Min, Max */
+	u_int16_t spts[2];  /* Min, Max */
+
+	u_int32_t chunkmap[256 / sizeof (u_int32_t)];  /* Bit mask of chunks to be matched according to RFC 2960 */
+
+#define SCTP_CHUNK_MATCH_ANY   0x01  /* Match if any of the chunk types are present */
+#define SCTP_CHUNK_MATCH_ALL   0x02  /* Match if all of the chunk types are present */
+#define SCTP_CHUNK_MATCH_ONLY  0x04  /* Match if these are the only chunk types present */
+
+	u_int32_t chunk_match_type;
+	struct ipt_sctp_flag_info flag_info[IPT_NUM_SCTP_FLAGS];
+	int flag_count;
+
+	u_int32_t flags;
+	u_int32_t invflags;
+};
+
+#define bytes(type) (sizeof(type) * 8)
+
+#define SCTP_CHUNKMAP_SET(chunkmap, type) 		\
+	do { 						\
+		chunkmap[type / bytes(u_int32_t)] |= 	\
+			1 << (type % bytes(u_int32_t));	\
+	} while (0)
+
+#define SCTP_CHUNKMAP_CLEAR(chunkmap, type)		 	\
+	do {							\
+		chunkmap[type / bytes(u_int32_t)] &= 		\
+			~(1 << (type % bytes(u_int32_t)));	\
+	} while (0)
+
+#define SCTP_CHUNKMAP_IS_SET(chunkmap, type) 			\
+({								\
+	(chunkmap[type / bytes (u_int32_t)] & 			\
+		(1 << (type % bytes (u_int32_t)))) ? 1: 0;	\
+})
+
+#define SCTP_CHUNKMAP_RESET(chunkmap) 				\
+	do {							\
+		int i; 						\
+		for (i = 0; i < ELEMCOUNT(chunkmap); i++)	\
+			chunkmap[i] = 0;			\
+	} while (0)
+
+#define SCTP_CHUNKMAP_SET_ALL(chunkmap) 			\
+	do {							\
+		int i; 						\
+		for (i = 0; i < ELEMCOUNT(chunkmap); i++) 	\
+			chunkmap[i] = ~0;			\
+	} while (0)
+
+#define SCTP_CHUNKMAP_COPY(destmap, srcmap) 			\
+	do {							\
+		int i; 						\
+		for (i = 0; i < ELEMCOUNT(chunkmap); i++) 	\
+			destmap[i] = srcmap[i];			\
+	} while (0)
+
+#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) 		\
+({							\
+	int i; 						\
+	int flag = 1;					\
+	for (i = 0; i < ELEMCOUNT(chunkmap); i++) {	\
+		if (chunkmap[i]) {			\
+			flag = 0;			\
+			break;				\
+		}					\
+	}						\
+        flag;						\
+})
+
+#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) 		\
+({							\
+	int i; 						\
+	int flag = 1;					\
+	for (i = 0; i < ELEMCOUNT(chunkmap); i++) {	\
+		if (chunkmap[i] != ~0) {		\
+			flag = 0;			\
+				break;			\
+		}					\
+	}						\
+        flag;						\
+})
+
+#endif /* _IPT_SCTP_H_ */
+
diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv6/ip6t_HL.h linux-2.6.4-rc2/include/linux/netfilter_ipv6/ip6t_HL.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv6/ip6t_HL.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv6/ip6t_HL.h	2004-03-04 08:39:25.000000000 +0000
@@ -0,0 +1,22 @@
+/* Hop Limit modification module for ip6tables
+ * Maciej Soltysiak <solt@dns.toxicfilms.tv>
+ * Based on HW's TTL module */
+
+#ifndef _IP6T_HOPLIMIT_H
+#define _IP6T_HOPLIMIT_H
+
+enum {
+	IP6T_HOPLIMIT_SET = 0,
+	IP6T_HOPLIMIT_INC,
+	IP6T_HOPLIMIT_DEC
+};
+
+#define IP6T_HOPLIMIT_MAXMODE	IP6T_HOPLIMIT_DEC
+
+struct ip6t_HOPLIMIT_info {
+	u_int8_t	mode;
+	u_int8_t	hop_limit;
+};
+
+
+#endif
diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv6/ip6t_REJECT.h linux-2.6.4-rc2/include/linux/netfilter_ipv6/ip6t_REJECT.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv6/ip6t_REJECT.h	2004-03-04 06:16:34.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv6/ip6t_REJECT.h	2004-03-04 08:39:28.000000000 +0000
@@ -2,15 +2,17 @@
 #define _IP6T_REJECT_H
 
 enum ip6t_reject_with {
-	IP6T_ICMP_NET_UNREACHABLE,
-	IP6T_ICMP_HOST_UNREACHABLE,
-	IP6T_ICMP_PROT_UNREACHABLE,
-	IP6T_ICMP_PORT_UNREACHABLE,
-	IP6T_ICMP_ECHOREPLY
+	IP6T_ICMP6_NO_ROUTE,
+	IP6T_ICMP6_ADM_PROHIBITED,
+	IP6T_ICMP6_NOT_NEIGHBOUR,
+	IP6T_ICMP6_ADDR_UNREACH,
+	IP6T_ICMP6_PORT_UNREACH,
+	IP6T_ICMP6_ECHOREPLY,
+	IP6T_TCP_RESET
 };
 
 struct ip6t_reject_info {
 	enum ip6t_reject_with with;      /* reject type */
 };
 
-#endif /*_IPT_REJECT_H*/
+#endif /*_IP6T_REJECT_H*/
diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv6/ip6t_fuzzy.h linux-2.6.4-rc2/include/linux/netfilter_ipv6/ip6t_fuzzy.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv6/ip6t_fuzzy.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv6/ip6t_fuzzy.h	2004-03-04 08:39:30.000000000 +0000
@@ -0,0 +1,21 @@
+#ifndef _IP6T_FUZZY_H
+#define _IP6T_FUZZY_H
+
+#include <linux/param.h>
+#include <linux/types.h>
+
+#define MAXFUZZYRATE 10000000
+#define MINFUZZYRATE 3
+
+struct ip6t_fuzzy_info {
+	u_int32_t minimum_rate;
+	u_int32_t maximum_rate;
+	u_int32_t packets_total;
+	u_int32_t bytes_total;
+	u_int32_t previous_time;
+	u_int32_t present_time;
+	u_int32_t mean_rate;
+	u_int8_t acceptance_rate;
+};
+
+#endif /*_IP6T_FUZZY_H*/
diff -Nur linux-2.6.4-rc2.org/include/linux/netfilter_ipv6/ip6t_nth.h linux-2.6.4-rc2/include/linux/netfilter_ipv6/ip6t_nth.h
--- linux-2.6.4-rc2.org/include/linux/netfilter_ipv6/ip6t_nth.h	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/include/linux/netfilter_ipv6/ip6t_nth.h	2004-03-04 08:39:34.000000000 +0000
@@ -0,0 +1,19 @@
+#ifndef _IP6T_NTH_H
+#define _IP6T_NTH_H
+
+#include <linux/param.h>
+#include <linux/types.h>
+
+#ifndef IP6T_NTH_NUM_COUNTERS
+#define IP6T_NTH_NUM_COUNTERS 16
+#endif
+
+struct ip6t_nth_info {
+	u_int8_t every;
+	u_int8_t not;
+	u_int8_t startat;
+	u_int8_t counter;
+	u_int8_t packet;
+};
+
+#endif /*_IP6T_NTH_H*/
diff -Nur linux-2.6.4-rc2.org/net/ipv4/netfilter/Kconfig linux-2.6.4-rc2/net/ipv4/netfilter/Kconfig
--- linux-2.6.4-rc2.org/net/ipv4/netfilter/Kconfig	2004-03-04 06:16:58.000000000 +0000
+++ linux-2.6.4-rc2/net/ipv4/netfilter/Kconfig	2004-03-04 08:39:55.000000000 +0000
@@ -579,5 +579,60 @@
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
+config IP_NF_TARGET_IPV4OPTSSTRIP
+	tristate  'IPV4OPTSSTRIP target support'
+	depends on IP_NF_MANGLE
+	  help
+
+config IP_NF_TARGET_TTL
+	tristate  'TTL target support'
+	depends on IP_NF_MANGLE
+	  help
+
+config IP_NF_MATCH_CONNLIMIT
+	tristate  'Connections/IP limit match support'
+	depends on IP_NF_IPTABLES
+	  help
+
+config IP_NF_MATCH_DSTLIMIT
+	tristate  'dstlimit match support'
+	depends on IP_NF_IPTABLES
+	  help
+
+config IP_NF_MATCH_FUZZY
+	tristate  'fuzzy match support'
+	depends on IP_NF_IPTABLES
+	  help
+
+config IP_NF_MATCH_IPV4OPTIONS
+	tristate  'IPV4OPTIONS match support'
+	depends on IP_NF_IPTABLES
+	  help
+
+config IP_NF_MATCH_MPORT
+	tristate  'Multiple port with ranges match support'
+	depends on IP_NF_IPTABLES
+	  help
+
+config IP_NF_MATCH_NTH
+	tristate  'Nth match support'
+	depends on IP_NF_IPTABLES
+	  help
+
+config IP_NF_MATCH_QUOTA
+	tristate  'quota match support'
+	depends on IP_NF_IPTABLES
+	  help
+
+config IP_NF_MATCH_REALM
+	tristate  'realm match support'
+	depends on IP_NF_IPTABLES && NET_CLS_ROUTE
+	  help
+
+config IP_NF_MATCH_SCTP
+	tristate  'SCTP protocol match support'
+	depends on IP_NF_IPTABLES
+	  help
+
 endmenu
 
diff -Nur linux-2.6.4-rc2.org/net/ipv4/netfilter/Makefile linux-2.6.4-rc2/net/ipv4/netfilter/Makefile
--- linux-2.6.4-rc2.org/net/ipv4/netfilter/Makefile	2004-03-04 06:16:38.000000000 +0000
+++ linux-2.6.4-rc2/net/ipv4/netfilter/Makefile	2004-03-04 08:39:55.000000000 +0000
@@ -42,15 +42,28 @@
 # matches
 obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
 obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
+obj-$(CONFIG_IP_NF_MATCH_SCTP) += ipt_sctp.o
+obj-$(CONFIG_IP_NF_MATCH_QUOTA) += ipt_quota.o
+obj-$(CONFIG_IP_NF_MATCH_DSTLIMIT) += ipt_dstlimit.o
 obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o
 obj-$(CONFIG_IP_NF_MATCH_MAC) += ipt_mac.o
 obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
 
 obj-$(CONFIG_IP_NF_MATCH_PKTTYPE) += ipt_pkttype.o
 obj-$(CONFIG_IP_NF_MATCH_MULTIPORT) += ipt_multiport.o
+
+obj-$(CONFIG_IP_NF_MATCH_MPORT) += ipt_mport.o
+
 obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o
 obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
 
+obj-$(CONFIG_IP_NF_MATCH_NTH) += ipt_nth.o
+
+obj-$(CONFIG_IP_NF_MATCH_IPV4OPTIONS) += ipt_ipv4options.o
+
+
+obj-$(CONFIG_IP_NF_MATCH_FUZZY) += ipt_fuzzy.o
+
 obj-$(CONFIG_IP_NF_MATCH_RECENT) += ipt_recent.o
 
 obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
@@ -61,8 +74,10 @@
 
 obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
 obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
+obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += ipt_connlimit.o
 obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
 obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
+obj-$(CONFIG_IP_NF_MATCH_REALM) += ipt_realm.o
 
 obj-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt_physdev.o
 
@@ -79,6 +94,8 @@
 obj-$(CONFIG_IP_NF_TARGET_CLASSIFY) += ipt_CLASSIFY.o
 obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o
 obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
+obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
+obj-$(CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP) += ipt_IPV4OPTSSTRIP.o
 obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
 obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o
 
diff -Nur linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_amanda.c linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_amanda.c
--- linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_amanda.c	2004-03-04 06:16:50.000000000 +0000
+++ linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_amanda.c	2004-03-04 08:39:18.000000000 +0000
@@ -46,7 +46,7 @@
 static int help(struct sk_buff *skb,
                 struct ip_conntrack *ct, enum ip_conntrack_info ctinfo)
 {
-	struct ip_conntrack_expect exp;
+	struct ip_conntrack_expect *exp;
 	struct ip_ct_amanda_expect *exp_amanda_info;
 	char *data, *data_limit, *tmp;
 	unsigned int dataoff, i;
@@ -79,20 +79,22 @@
 		goto out;
 	data += strlen("CONNECT ");
 
-	memset(&exp, 0, sizeof(exp));
-	exp.tuple.src.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip;
-	exp.tuple.dst.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip;
-	exp.tuple.dst.protonum = IPPROTO_TCP;
-	exp.mask.src.ip = 0xFFFFFFFF;
-	exp.mask.dst.ip = 0xFFFFFFFF;
-	exp.mask.dst.protonum = 0xFFFF;
-	exp.mask.dst.u.tcp.port = 0xFFFF;
+	if (ip_conntrack_expect_alloc(&exp) < 0)
+		return -ENOMEM;
+	
+	exp->tuple.src.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip;
+	exp->tuple.dst.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip;
+	exp->tuple.dst.protonum = IPPROTO_TCP;
+	exp->mask.src.ip = 0xFFFFFFFF;
+	exp->mask.dst.ip = 0xFFFFFFFF;
+	exp->mask.dst.protonum = 0xFFFF;
+	exp->mask.dst.u.tcp.port = 0xFFFF;
 
 	/* Only search first line. */	
 	if ((tmp = strchr(data, '\n')))
 		*tmp = '\0';
 
-	exp_amanda_info = &exp.help.exp_amanda_info;
+	exp_amanda_info = &exp->help.exp_amanda_info;
 	for (i = 0; i < ARRAY_SIZE(conns); i++) {
 		char *match = strstr(data, conns[i]);
 		if (!match)
@@ -104,8 +106,8 @@
 		if (exp_amanda_info->port == 0 || exp_amanda_info->len > 5)
 			break;
 
-		exp.tuple.dst.u.tcp.port = htons(exp_amanda_info->port);
-		ip_conntrack_expect_related(ct, &exp);
+		exp->tuple.dst.u.tcp.port = htons(exp_amanda_info->port);
+		ip_conntrack_expect_related(exp, ct);
 	}
 
 out:
diff -Nur linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_core.c
--- linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_core.c	2004-03-04 06:16:34.000000000 +0000
+++ linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_core.c	2004-03-04 08:39:20.000000000 +0000
@@ -691,42 +691,50 @@
 			     struct ip_conntrack_expect *, tuple);
 	READ_UNLOCK(&ip_conntrack_expect_tuple_lock);
 
-	/* If master is not in hash table yet (ie. packet hasn't left
-	   this machine yet), how can other end know about expected?
-	   Hence these are not the droids you are looking for (if
-	   master ct never got confirmed, we'd hold a reference to it
-	   and weird things would happen to future packets). */
-	if (expected && !is_confirmed(expected->expectant))
-		expected = NULL;
-
-	/* Look up the conntrack helper for master connections only */
-	if (!expected)
-		conntrack->helper = ip_ct_find_helper(&repl_tuple);
-
-	/* If the expectation is dying, then this is a loser. */
-	if (expected
-	    && expected->expectant->helper->timeout
-	    && ! del_timer(&expected->timeout))
-		expected = NULL;
-
 	if (expected) {
-		DEBUGP("conntrack: expectation arrives ct=%p exp=%p\n",
-			conntrack, expected);
-		/* Welcome, Mr. Bond.  We've been expecting you... */
-		IP_NF_ASSERT(master_ct(conntrack));
-		__set_bit(IPS_EXPECTED_BIT, &conntrack->status);
-		conntrack->master = expected;
-		expected->sibling = conntrack;
-		LIST_DELETE(&ip_conntrack_expect_list, expected);
-		expected->expectant->expecting--;
-		nf_conntrack_get(&master_ct(conntrack)->infos[0]);
-	}
-	atomic_inc(&ip_conntrack_count);
+		/* If master is not in hash table yet (ie. packet hasn't left
+		   this machine yet), how can other end know about expected?
+		   Hence these are not the droids you are looking for (if
+		   master ct never got confirmed, we'd hold a reference to it
+		   and weird things would happen to future packets). */
+		if (!is_confirmed(expected->expectant)) {
+			
+			conntrack->helper = ip_ct_find_helper(&repl_tuple);
+			goto end;
+		}
+
+		/* Expectation is dying... */
+		if (expected->expectant->helper->timeout
+		    && ! del_timer(&expected->timeout)) {
+			goto end;	
+		}
+
+                DEBUGP("conntrack: expectation arrives ct=%p exp=%p\n",
+                       conntrack, expected);
+                /* Welcome, Mr. Bond.  We've been expecting you... */
+                IP_NF_ASSERT(master_ct(conntrack));
+                __set_bit(IPS_EXPECTED_BIT, &conntrack->status);
+                conntrack->master = expected;
+                expected->sibling = conntrack;
+                LIST_DELETE(&ip_conntrack_expect_list, expected);
+                expected->expectant->expecting--;
+                nf_conntrack_get(&master_ct(conntrack)->infos[0]);
+
+		/* this is a braindead... --pablo */
+	        atomic_inc(&ip_conntrack_count);
+	        WRITE_UNLOCK(&ip_conntrack_lock);
+
+	        if (expected->expectfn)
+			expected->expectfn(conntrack);
+
+		goto ret;
+        } else 
+                conntrack->helper = ip_ct_find_helper(&repl_tuple);
+
+end:	atomic_inc(&ip_conntrack_count);
 	WRITE_UNLOCK(&ip_conntrack_lock);
 
-	if (expected && expected->expectfn)
-		expected->expectfn(conntrack);
-	return &conntrack->tuplehash[IP_CT_DIR_ORIGINAL];
+ret:	return &conntrack->tuplehash[IP_CT_DIR_ORIGINAL];
 }
 
 /* On success, returns conntrack ptr, sets skb->nfct and ctinfo */
@@ -917,11 +925,53 @@
 	WRITE_UNLOCK(&ip_conntrack_lock);
 }
 
+int
+ip_conntrack_expect_alloc(struct ip_conntrack_expect **new)
+{
+	*new = (struct ip_conntrack_expect *)
+		kmalloc(sizeof(struct ip_conntrack_expect), GFP_ATOMIC);
+	if (!*new) {
+		DEBUGP("expect_related: OOM allocating expect\n");
+		return -ENOMEM;
+	}
+
+	/* tuple_cmp compares whole union, we have to initialized cleanly */
+	memset(*new, 0, sizeof(struct ip_conntrack_expect));
+
+	return 1;
+}
+
+static void
+ip_conntrack_expect_insert(struct ip_conntrack_expect *new,
+			   struct ip_conntrack *related_to)
+{
+	DEBUGP("new expectation %p of conntrack %p\n", new, related_to);
+	new->expectant = related_to;
+	new->sibling = NULL;
+	atomic_set(&new->use, 1);
+
+	/* add to expected list for this connection */
+	list_add(&new->expected_list, &related_to->sibling_list);
+	/* add to global list of expectations */
+
+	list_prepend(&ip_conntrack_expect_list, &new->list);
+	/* add and start timer if required */
+	if (related_to->helper->timeout) {
+		init_timer(&new->timeout);
+		new->timeout.data = (unsigned long)new;
+		new->timeout.function = expectation_timed_out;
+		new->timeout.expires = jiffies +
+					related_to->helper->timeout * HZ;
+		add_timer(&new->timeout);
+	}
+	related_to->expecting++;
+}
+
 /* Add a related connection. */
-int ip_conntrack_expect_related(struct ip_conntrack *related_to,
-				struct ip_conntrack_expect *expect)
+int ip_conntrack_expect_related(struct ip_conntrack_expect *expect,
+				struct ip_conntrack *related_to)
 {
-	struct ip_conntrack_expect *old, *new;
+	struct ip_conntrack_expect *old;
 	int ret = 0;
 
 	WRITE_LOCK(&ip_conntrack_lock);
@@ -943,7 +993,7 @@
 		if (related_to->helper->timeout) {
 			if (!del_timer(&old->timeout)) {
 				/* expectation is dying. Fall through */
-				old = NULL;
+				goto out;
 			} else {
 				old->timeout.expires = jiffies + 
 					related_to->helper->timeout * HZ;
@@ -951,10 +1001,10 @@
 			}
 		}
 
-		if (old) {
-			WRITE_UNLOCK(&ip_conntrack_lock);
-			return -EEXIST;
-		}
+		WRITE_UNLOCK(&ip_conntrack_lock);
+		kfree(expect);
+		return -EEXIST;
+
 	} else if (related_to->helper->max_expected && 
 		   related_to->expecting >= related_to->helper->max_expected) {
 		struct list_head *cur_item;
@@ -971,6 +1021,7 @@
 				       related_to->helper->name,
  		    	       	       NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip),
  		    	       	       NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip));
+			kfree(expect);
 			return -EPERM;
 		}
 		DEBUGP("ip_conntrack: max number of expected "
@@ -1010,37 +1061,12 @@
 			     &expect->mask)) {
 		WRITE_UNLOCK(&ip_conntrack_lock);
 		DEBUGP("expect_related: busy!\n");
+
+		kfree(expect);
 		return -EBUSY;
 	}
-	
-	new = (struct ip_conntrack_expect *) 
-	      kmalloc(sizeof(struct ip_conntrack_expect), GFP_ATOMIC);
-	if (!new) {
-		WRITE_UNLOCK(&ip_conntrack_lock);
-		DEBUGP("expect_relaed: OOM allocating expect\n");
-		return -ENOMEM;
-	}
-	
-	DEBUGP("new expectation %p of conntrack %p\n", new, related_to);
-	memcpy(new, expect, sizeof(*expect));
-	new->expectant = related_to;
-	new->sibling = NULL;
-	atomic_set(&new->use, 1);
-	
-	/* add to expected list for this connection */	
-	list_add(&new->expected_list, &related_to->sibling_list);
-	/* add to global list of expectations */
-	list_prepend(&ip_conntrack_expect_list, &new->list);
-	/* add and start timer if required */
-	if (related_to->helper->timeout) {
-		init_timer(&new->timeout);
-		new->timeout.data = (unsigned long)new;
-		new->timeout.function = expectation_timed_out;
-		new->timeout.expires = jiffies + 
-					related_to->helper->timeout * HZ;
-		add_timer(&new->timeout);
-	}
-	related_to->expecting++;
+
+out:	ip_conntrack_expect_insert(expect, related_to);
 
 	WRITE_UNLOCK(&ip_conntrack_lock);
 
diff -Nur linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_ftp.c linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_ftp.c
--- linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_ftp.c	2004-03-04 06:16:55.000000000 +0000
+++ linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_ftp.c	2004-03-04 08:39:18.000000000 +0000
@@ -256,8 +256,8 @@
 	int dir = CTINFO2DIR(ctinfo);
 	unsigned int matchlen, matchoff;
 	struct ip_ct_ftp_master *ct_ftp_info = &ct->help.ct_ftp_info;
-	struct ip_conntrack_expect expect, *exp = &expect;
-	struct ip_ct_ftp_expect *exp_ftp_info = &exp->help.exp_ftp_info;
+	struct ip_conntrack_expect *exp;
+	struct ip_ct_ftp_expect *exp_ftp_info;
 
 	unsigned int i;
 	int found = 0;
@@ -346,8 +346,12 @@
 	DEBUGP("conntrack_ftp: match `%.*s' (%u bytes at %u)\n",
 	       (int)matchlen, data + matchoff,
 	       matchlen, ntohl(tcph.seq) + matchoff);
-	       
-	memset(&expect, 0, sizeof(expect));
+
+	/* Allocate expectation which will be inserted */
+	if (ip_conntrack_expect_alloc(&exp) < 0)
+		return -ENOMEM;
+
+	exp_ftp_info = &exp->help.exp_ftp_info;
 
 	/* Update the ftp info */
 	if (htonl((array[0] << 24) | (array[1] << 16) | (array[2] << 8) | array[3])
@@ -389,7 +393,7 @@
 	exp->expectfn = NULL;
 
 	/* Ignore failure; should only happen with NAT */
-	ip_conntrack_expect_related(ct, &expect);
+	ip_conntrack_expect_related(exp, ct);
 	ret = NF_ACCEPT;
  out:
 	UNLOCK_BH(&ip_ftp_lock);
diff -Nur linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_irc.c linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_irc.c
--- linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_irc.c	2004-03-04 06:16:55.000000000 +0000
+++ linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_irc.c	2004-03-04 08:39:18.000000000 +0000
@@ -106,8 +106,8 @@
 	struct tcphdr tcph;
 	char *data, *data_limit;
 	int dir = CTINFO2DIR(ctinfo);
-	struct ip_conntrack_expect expect, *exp = &expect;
-	struct ip_ct_irc_expect *exp_irc_info = &exp->help.exp_irc_info;
+	struct ip_conntrack_expect *exp;
+	struct ip_ct_irc_expect *exp_irc_info = NULL;
 
 	u_int32_t dcc_ip;
 	u_int16_t dcc_port;
@@ -190,8 +190,11 @@
 
 				continue;
 			}
-			
-			memset(&expect, 0, sizeof(expect));
+
+			if (ip_conntrack_expect_alloc(&exp) < 0)
+				return -ENOMEM;
+
+			exp_irc_info = &exp->help.exp_irc_info;
 
 			/* save position of address in dcc string,
 			 * necessary for NAT */
@@ -218,7 +221,7 @@
 				NIPQUAD(exp->tuple.dst.ip),
 				ntohs(exp->tuple.dst.u.tcp.port));
 
-			ip_conntrack_expect_related(ct, &expect);
+			ip_conntrack_expect_related(exp, ct);
 
 			goto out;
 		} /* for .. NUM_DCCPROTO */
diff -Nur linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_standalone.c linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_standalone.c
--- linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_standalone.c	2004-03-04 06:16:44.000000000 +0000
+++ linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_standalone.c	2004-03-04 08:39:18.000000000 +0000
@@ -591,6 +591,7 @@
 EXPORT_SYMBOL(ip_ct_find_proto);
 EXPORT_SYMBOL(__ip_ct_find_proto);
 EXPORT_SYMBOL(ip_ct_find_helper);
+EXPORT_SYMBOL(ip_conntrack_expect_alloc);
 EXPORT_SYMBOL(ip_conntrack_expect_related);
 EXPORT_SYMBOL(ip_conntrack_change_expect);
 EXPORT_SYMBOL(ip_conntrack_unexpect_related);
diff -Nur linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_standalone.c.orig linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_standalone.c.orig
--- linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_standalone.c.orig	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_standalone.c.orig	2004-03-04 06:16:44.000000000 +0000
@@ -0,0 +1,606 @@
+/* This file contains all the functions required for the standalone
+   ip_conntrack module.
+
+   These are not required by the compatibility layer.
+*/
+
+/* (C) 1999-2001 Paul `Rusty' Russell
+ * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/config.h>
+#include <linux/types.h>
+#include <linux/ip.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv4.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/proc_fs.h>
+#ifdef CONFIG_SYSCTL
+#include <linux/sysctl.h>
+#endif
+#include <net/checksum.h>
+
+#define ASSERT_READ_LOCK(x) MUST_BE_READ_LOCKED(&ip_conntrack_lock)
+#define ASSERT_WRITE_LOCK(x) MUST_BE_WRITE_LOCKED(&ip_conntrack_lock)
+
+#include <linux/netfilter_ipv4/ip_conntrack.h>
+#include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
+#include <linux/netfilter_ipv4/ip_conntrack_core.h>
+#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
+#include <linux/netfilter_ipv4/listhelp.h>
+
+#if 0
+#define DEBUGP printk
+#else
+#define DEBUGP(format, args...)
+#endif
+
+MODULE_LICENSE("GPL");
+
+static int kill_proto(const struct ip_conntrack *i, void *data)
+{
+	return (i->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum == 
+			*((u_int8_t *) data));
+}
+
+static unsigned int
+print_tuple(char *buffer, const struct ip_conntrack_tuple *tuple,
+	    struct ip_conntrack_protocol *proto)
+{
+	int len;
+
+	len = sprintf(buffer, "src=%u.%u.%u.%u dst=%u.%u.%u.%u ",
+		      NIPQUAD(tuple->src.ip), NIPQUAD(tuple->dst.ip));
+
+	len += proto->print_tuple(buffer + len, tuple);
+
+	return len;
+}
+
+/* FIXME: Don't print source proto part. --RR */
+static unsigned int
+print_expect(char *buffer, const struct ip_conntrack_expect *expect)
+{
+	unsigned int len;
+
+	if (expect->expectant->helper->timeout)
+		len = sprintf(buffer, "EXPECTING: %lu ",
+			      timer_pending(&expect->timeout)
+			      ? (expect->timeout.expires - jiffies)/HZ : 0);
+	else
+		len = sprintf(buffer, "EXPECTING: - ");
+	len += sprintf(buffer + len, "use=%u proto=%u ",
+		      atomic_read(&expect->use), expect->tuple.dst.protonum);
+	len += print_tuple(buffer + len, &expect->tuple,
+			   __ip_ct_find_proto(expect->tuple.dst.protonum));
+	len += sprintf(buffer + len, "\n");
+	return len;
+}
+
+static unsigned int
+print_conntrack(char *buffer, struct ip_conntrack *conntrack)
+{
+	unsigned int len;
+	struct ip_conntrack_protocol *proto
+		= __ip_ct_find_proto(conntrack->tuplehash[IP_CT_DIR_ORIGINAL]
+			       .tuple.dst.protonum);
+
+	len = sprintf(buffer, "%-8s %u %lu ",
+		      proto->name,
+		      conntrack->tuplehash[IP_CT_DIR_ORIGINAL]
+		      .tuple.dst.protonum,
+		      timer_pending(&conntrack->timeout)
+		      ? (conntrack->timeout.expires - jiffies)/HZ : 0);
+
+	len += proto->print_conntrack(buffer + len, conntrack);
+	len += print_tuple(buffer + len,
+			   &conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
+			   proto);
+	if (!(test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)))
+		len += sprintf(buffer + len, "[UNREPLIED] ");
+	len += print_tuple(buffer + len,
+			   &conntrack->tuplehash[IP_CT_DIR_REPLY].tuple,
+			   proto);
+	if (test_bit(IPS_ASSURED_BIT, &conntrack->status))
+		len += sprintf(buffer + len, "[ASSURED] ");
+	len += sprintf(buffer + len, "use=%u ",
+		       atomic_read(&conntrack->ct_general.use));
+	len += sprintf(buffer + len, "\n");
+
+	return len;
+}
+
+/* Returns true when finished. */
+static inline int
+conntrack_iterate(const struct ip_conntrack_tuple_hash *hash,
+		  char *buffer, off_t offset, off_t *upto,
+		  unsigned int *len, unsigned int maxlen)
+{
+	unsigned int newlen;
+	IP_NF_ASSERT(hash->ctrack);
+
+	MUST_BE_READ_LOCKED(&ip_conntrack_lock);
+
+	/* Only count originals */
+	if (DIRECTION(hash))
+		return 0;
+
+	if ((*upto)++ < offset)
+		return 0;
+
+	newlen = print_conntrack(buffer + *len, hash->ctrack);
+	if (*len + newlen > maxlen)
+		return 1;
+	else *len += newlen;
+
+	return 0;
+}
+
+static int
+list_conntracks(char *buffer, char **start, off_t offset, int length)
+{
+	unsigned int i;
+	unsigned int len = 0;
+	off_t upto = 0;
+	struct list_head *e;
+
+	READ_LOCK(&ip_conntrack_lock);
+	/* Traverse hash; print originals then reply. */
+	for (i = 0; i < ip_conntrack_htable_size; i++) {
+		if (LIST_FIND(&ip_conntrack_hash[i], conntrack_iterate,
+			      struct ip_conntrack_tuple_hash *,
+			      buffer, offset, &upto, &len, length))
+			goto finished;
+	}
+
+	/* Now iterate through expecteds. */
+	READ_LOCK(&ip_conntrack_expect_tuple_lock);
+	list_for_each(e, &ip_conntrack_expect_list) {
+		unsigned int last_len;
+		struct ip_conntrack_expect *expect
+			= (struct ip_conntrack_expect *)e;
+		if (upto++ < offset) continue;
+
+		last_len = len;
+		len += print_expect(buffer + len, expect);
+		if (len > length) {
+			len = last_len;
+			goto finished_expects;
+		}
+	}
+
+ finished_expects:
+	READ_UNLOCK(&ip_conntrack_expect_tuple_lock);
+ finished:
+	READ_UNLOCK(&ip_conntrack_lock);
+
+	/* `start' hack - see fs/proc/generic.c line ~165 */
+	*start = (char *)((unsigned int)upto - offset);
+	return len;
+}
+
+static unsigned int ip_confirm(unsigned int hooknum,
+			       struct sk_buff **pskb,
+			       const struct net_device *in,
+			       const struct net_device *out,
+			       int (*okfn)(struct sk_buff *))
+{
+	/* We've seen it coming out the other side: confirm it */
+	return ip_conntrack_confirm(*pskb);
+}
+
+static unsigned int ip_refrag(unsigned int hooknum,
+			      struct sk_buff **pskb,
+			      const struct net_device *in,
+			      const struct net_device *out,
+			      int (*okfn)(struct sk_buff *))
+{
+	struct rtable *rt = (struct rtable *)(*pskb)->dst;
+
+	/* We've seen it coming out the other side: confirm */
+	if (ip_confirm(hooknum, pskb, in, out, okfn) != NF_ACCEPT)
+		return NF_DROP;
+
+	/* Local packets are never produced too large for their
+	   interface.  We degfragment them at LOCAL_OUT, however,
+	   so we have to refragment them here. */
+	if ((*pskb)->len > dst_pmtu(&rt->u.dst) &&
+	    !skb_shinfo(*pskb)->tso_size) {
+		/* No hook can be after us, so this should be OK. */
+		ip_fragment(*pskb, okfn);
+		return NF_STOLEN;
+	}
+	return NF_ACCEPT;
+}
+
+static unsigned int ip_conntrack_local(unsigned int hooknum,
+				       struct sk_buff **pskb,
+				       const struct net_device *in,
+				       const struct net_device *out,
+				       int (*okfn)(struct sk_buff *))
+{
+	/* root is playing with raw sockets. */
+	if ((*pskb)->len < sizeof(struct iphdr)
+	    || (*pskb)->nh.iph->ihl * 4 < sizeof(struct iphdr)) {
+		if (net_ratelimit())
+			printk("ipt_hook: happy cracking.\n");
+		return NF_ACCEPT;
+	}
+	return ip_conntrack_in(hooknum, pskb, in, out, okfn);
+}
+
+/* Connection tracking may drop packets, but never alters them, so
+   make it the first hook. */
+static struct nf_hook_ops ip_conntrack_in_ops = {
+	.hook		= ip_conntrack_in,
+	.owner		= THIS_MODULE,
+	.pf		= PF_INET,
+	.hooknum	= NF_IP_PRE_ROUTING,
+	.priority	= NF_IP_PRI_CONNTRACK,
+};
+
+static struct nf_hook_ops ip_conntrack_local_out_ops = {
+	.hook		= ip_conntrack_local,
+	.owner		= THIS_MODULE,
+	.pf		= PF_INET,
+	.hooknum	= NF_IP_LOCAL_OUT,
+	.priority	= NF_IP_PRI_CONNTRACK,
+};
+
+/* Refragmenter; last chance. */
+static struct nf_hook_ops ip_conntrack_out_ops = {
+	.hook		= ip_refrag,
+	.owner		= THIS_MODULE,
+	.pf		= PF_INET,
+	.hooknum	= NF_IP_POST_ROUTING,
+	.priority	= NF_IP_PRI_LAST,
+};
+
+static struct nf_hook_ops ip_conntrack_local_in_ops = {
+	.hook		= ip_confirm,
+	.owner		= THIS_MODULE,
+	.pf		= PF_INET,
+	.hooknum	= NF_IP_LOCAL_IN,
+	.priority	= NF_IP_PRI_LAST-1,
+};
+
+/* Sysctl support */
+
+#ifdef CONFIG_SYSCTL
+
+/* From ip_conntrack_core.c */
+extern int ip_conntrack_max;
+extern unsigned int ip_conntrack_htable_size;
+
+/* From ip_conntrack_proto_tcp.c */
+extern unsigned long ip_ct_tcp_timeout_syn_sent;
+extern unsigned long ip_ct_tcp_timeout_syn_recv;
+extern unsigned long ip_ct_tcp_timeout_established;
+extern unsigned long ip_ct_tcp_timeout_fin_wait;
+extern unsigned long ip_ct_tcp_timeout_close_wait;
+extern unsigned long ip_ct_tcp_timeout_last_ack;
+extern unsigned long ip_ct_tcp_timeout_time_wait;
+extern unsigned long ip_ct_tcp_timeout_close;
+
+/* From ip_conntrack_proto_udp.c */
+extern unsigned long ip_ct_udp_timeout;
+extern unsigned long ip_ct_udp_timeout_stream;
+
+/* From ip_conntrack_proto_icmp.c */
+extern unsigned long ip_ct_icmp_timeout;
+
+/* From ip_conntrack_proto_icmp.c */
+extern unsigned long ip_ct_generic_timeout;
+
+static struct ctl_table_header *ip_ct_sysctl_header;
+
+static ctl_table ip_ct_sysctl_table[] = {
+	{
+		.ctl_name	= NET_IPV4_NF_CONNTRACK_MAX,
+		.procname	= "ip_conntrack_max",
+		.data		= &ip_conntrack_max,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= &proc_dointvec,
+	},
+	{
+		.ctl_name	= NET_IPV4_NF_CONNTRACK_BUCKETS,
+		.procname	= "ip_conntrack_buckets",
+		.data		= &ip_conntrack_htable_size,
+		.maxlen		= sizeof(unsigned int),
+		.mode		= 0444,
+		.proc_handler	= &proc_dointvec,
+	},
+	{
+		.ctl_name	= NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_SYN_SENT,
+		.procname	= "ip_conntrack_tcp_timeout_syn_sent",
+		.data		= &ip_ct_tcp_timeout_syn_sent,
+		.maxlen		= sizeof(unsigned int),
+		.mode		= 0644,
+		.proc_handler	= &proc_dointvec_jiffies,
+	},
+	{
+		.ctl_name	= NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_SYN_RECV,
+		.procname	= "ip_conntrack_tcp_timeout_syn_recv",
+		.data		= &ip_ct_tcp_timeout_syn_recv,
+		.maxlen		= sizeof(unsigned int),
+		.mode		= 0644,
+		.proc_handler	= &proc_dointvec_jiffies,
+	},
+	{
+		.ctl_name	= NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_ESTABLISHED,
+		.procname	= "ip_conntrack_tcp_timeout_established",
+		.data		= &ip_ct_tcp_timeout_established,
+		.maxlen		= sizeof(unsigned int),
+		.mode		= 0644,
+		.proc_handler	= &proc_dointvec_jiffies,
+	},
+	{
+		.ctl_name	= NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_FIN_WAIT,
+		.procname	= "ip_conntrack_tcp_timeout_fin_wait",
+		.data		= &ip_ct_tcp_timeout_fin_wait,
+		.maxlen		= sizeof(unsigned int),
+		.mode		= 0644,
+		.proc_handler	= &proc_dointvec_jiffies,
+	},
+	{
+		.ctl_name	= NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_CLOSE_WAIT,
+		.procname	= "ip_conntrack_tcp_timeout_close_wait",
+		.data		= &ip_ct_tcp_timeout_close_wait,
+		.maxlen		= sizeof(unsigned int),
+		.mode		= 0644,
+		.proc_handler	= &proc_dointvec_jiffies,
+	},
+	{
+		.ctl_name	= NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_LAST_ACK,
+		.procname	= "ip_conntrack_tcp_timeout_last_ack",
+		.data		= &ip_ct_tcp_timeout_last_ack,
+		.maxlen		= sizeof(unsigned int),
+		.mode		= 0644,
+		.proc_handler	= &proc_dointvec_jiffies,
+	},
+	{
+		.ctl_name	= NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_TIME_WAIT,
+		.procname	= "ip_conntrack_tcp_timeout_time_wait",
+		.data		= &ip_ct_tcp_timeout_time_wait,
+		.maxlen		= sizeof(unsigned int),
+		.mode		= 0644,
+		.proc_handler	= &proc_dointvec_jiffies,
+	},
+	{
+		.ctl_name	= NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_CLOSE,
+		.procname	= "ip_conntrack_tcp_timeout_close",
+		.data		= &ip_ct_tcp_timeout_close,
+		.maxlen		= sizeof(unsigned int),
+		.mode		= 0644,
+		.proc_handler	= &proc_dointvec_jiffies,
+	},
+	{
+		.ctl_name	= NET_IPV4_NF_CONNTRACK_UDP_TIMEOUT,
+		.procname	= "ip_conntrack_udp_timeout",
+		.data		= &ip_ct_udp_timeout,
+		.maxlen		= sizeof(unsigned int),
+		.mode		= 0644,
+		.proc_handler	= &proc_dointvec_jiffies,
+	},
+	{
+		.ctl_name	= NET_IPV4_NF_CONNTRACK_UDP_TIMEOUT_STREAM,
+		.procname	= "ip_conntrack_udp_timeout_stream",
+		.data		= &ip_ct_udp_timeout_stream,
+		.maxlen		= sizeof(unsigned int),
+		.mode		= 0644,
+		.proc_handler	= &proc_dointvec_jiffies,
+	},
+	{
+		.ctl_name	= NET_IPV4_NF_CONNTRACK_ICMP_TIMEOUT,
+		.procname	= "ip_conntrack_icmp_timeout",
+		.data		= &ip_ct_icmp_timeout,
+		.maxlen		= sizeof(unsigned int),
+		.mode		= 0644,
+		.proc_handler	= &proc_dointvec_jiffies,
+	},
+	{
+		.ctl_name	= NET_IPV4_NF_CONNTRACK_GENERIC_TIMEOUT,
+		.procname	= "ip_conntrack_generic_timeout",
+		.data		= &ip_ct_generic_timeout,
+		.maxlen		= sizeof(unsigned int),
+		.mode		= 0644,
+		.proc_handler	= &proc_dointvec_jiffies,
+	},
+	{ .ctl_name = 0 }
+};
+
+#define NET_IP_CONNTRACK_MAX 2089
+
+static ctl_table ip_ct_netfilter_table[] = {
+	{
+		.ctl_name	= NET_IPV4_NETFILTER,
+		.procname	= "netfilter",
+		.mode		= 0555,
+		.child		= ip_ct_sysctl_table,
+	},
+	{
+		.ctl_name	= NET_IP_CONNTRACK_MAX,
+		.procname	= "ip_conntrack_max",
+		.data		= &ip_conntrack_max,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= &proc_dointvec
+	},
+	{ .ctl_name = 0 }
+};
+
+static ctl_table ip_ct_ipv4_table[] = {
+	{
+		.ctl_name	= NET_IPV4,
+		.procname	= "ipv4",
+		.mode		= 0555,
+		.child		= ip_ct_netfilter_table,
+	},
+	{ .ctl_name = 0 }
+};
+
+static ctl_table ip_ct_net_table[] = {
+	{
+		.ctl_name	= CTL_NET,
+		.procname	= "net",
+		.mode		= 0555, 
+		.child		= ip_ct_ipv4_table,
+	},
+	{ .ctl_name = 0 }
+};
+#endif
+static int init_or_cleanup(int init)
+{
+	struct proc_dir_entry *proc;
+	int ret = 0;
+
+	if (!init) goto cleanup;
+
+	ret = ip_conntrack_init();
+	if (ret < 0)
+		goto cleanup_nothing;
+
+	proc = proc_net_create("ip_conntrack",0,list_conntracks);
+	if (!proc) goto cleanup_init;
+	proc->owner = THIS_MODULE;
+
+	ret = nf_register_hook(&ip_conntrack_in_ops);
+	if (ret < 0) {
+		printk("ip_conntrack: can't register pre-routing hook.\n");
+		goto cleanup_proc;
+	}
+	ret = nf_register_hook(&ip_conntrack_local_out_ops);
+	if (ret < 0) {
+		printk("ip_conntrack: can't register local out hook.\n");
+		goto cleanup_inops;
+	}
+	ret = nf_register_hook(&ip_conntrack_out_ops);
+	if (ret < 0) {
+		printk("ip_conntrack: can't register post-routing hook.\n");
+		goto cleanup_inandlocalops;
+	}
+	ret = nf_register_hook(&ip_conntrack_local_in_ops);
+	if (ret < 0) {
+		printk("ip_conntrack: can't register local in hook.\n");
+		goto cleanup_inoutandlocalops;
+	}
+#ifdef CONFIG_SYSCTL
+	ip_ct_sysctl_header = register_sysctl_table(ip_ct_net_table, 0);
+	if (ip_ct_sysctl_header == NULL) {
+		printk("ip_conntrack: can't register to sysctl.\n");
+		goto cleanup;
+	}
+#endif
+
+	return ret;
+
+ cleanup:
+#ifdef CONFIG_SYSCTL
+ 	unregister_sysctl_table(ip_ct_sysctl_header);
+#endif
+	nf_unregister_hook(&ip_conntrack_local_in_ops);
+ cleanup_inoutandlocalops:
+	nf_unregister_hook(&ip_conntrack_out_ops);
+ cleanup_inandlocalops:
+	nf_unregister_hook(&ip_conntrack_local_out_ops);
+ cleanup_inops:
+	nf_unregister_hook(&ip_conntrack_in_ops);
+ cleanup_proc:
+	proc_net_remove("ip_conntrack");
+ cleanup_init:
+	ip_conntrack_cleanup();
+ cleanup_nothing:
+	return ret;
+}
+
+/* FIXME: Allow NULL functions and sub in pointers to generic for
+   them. --RR */
+int ip_conntrack_protocol_register(struct ip_conntrack_protocol *proto)
+{
+	int ret = 0;
+	struct list_head *i;
+
+	WRITE_LOCK(&ip_conntrack_lock);
+	list_for_each(i, &protocol_list) {
+		if (((struct ip_conntrack_protocol *)i)->proto
+		    == proto->proto) {
+			ret = -EBUSY;
+			goto out;
+		}
+	}
+
+	list_prepend(&protocol_list, proto);
+
+ out:
+	WRITE_UNLOCK(&ip_conntrack_lock);
+	return ret;
+}
+
+void ip_conntrack_protocol_unregister(struct ip_conntrack_protocol *proto)
+{
+	WRITE_LOCK(&ip_conntrack_lock);
+
+	/* ip_ct_find_proto() returns proto_generic in case there is no protocol 
+	 * helper. So this should be enough - HW */
+	LIST_DELETE(&protocol_list, proto);
+	WRITE_UNLOCK(&ip_conntrack_lock);
+	
+	/* Somebody could be still looking at the proto in bh. */
+	synchronize_net();
+
+	/* Remove all contrack entries for this protocol */
+	ip_ct_selective_cleanup(kill_proto, &proto->proto);
+}
+
+static int __init init(void)
+{
+	return init_or_cleanup(1);
+}
+
+static void __exit fini(void)
+{
+	init_or_cleanup(0);
+}
+
+module_init(init);
+module_exit(fini);
+
+/* Some modules need us, but don't depend directly on any symbol.
+   They should call this. */
+void need_ip_conntrack(void)
+{
+}
+
+EXPORT_SYMBOL(ip_conntrack_protocol_register);
+EXPORT_SYMBOL(ip_conntrack_protocol_unregister);
+EXPORT_SYMBOL(invert_tuplepr);
+EXPORT_SYMBOL(ip_conntrack_alter_reply);
+EXPORT_SYMBOL(ip_conntrack_destroyed);
+EXPORT_SYMBOL(ip_conntrack_get);
+EXPORT_SYMBOL(need_ip_conntrack);
+EXPORT_SYMBOL(ip_conntrack_helper_register);
+EXPORT_SYMBOL(ip_conntrack_helper_unregister);
+EXPORT_SYMBOL(ip_ct_selective_cleanup);
+EXPORT_SYMBOL(ip_ct_refresh);
+EXPORT_SYMBOL(ip_ct_find_proto);
+EXPORT_SYMBOL(__ip_ct_find_proto);
+EXPORT_SYMBOL(ip_ct_find_helper);
+EXPORT_SYMBOL(ip_conntrack_expect_related);
+EXPORT_SYMBOL(ip_conntrack_change_expect);
+EXPORT_SYMBOL(ip_conntrack_unexpect_related);
+EXPORT_SYMBOL_GPL(ip_conntrack_expect_find_get);
+EXPORT_SYMBOL_GPL(ip_conntrack_expect_put);
+EXPORT_SYMBOL(ip_conntrack_tuple_taken);
+EXPORT_SYMBOL(ip_ct_gather_frags);
+EXPORT_SYMBOL(ip_conntrack_htable_size);
+EXPORT_SYMBOL(ip_conntrack_expect_list);
+EXPORT_SYMBOL(ip_conntrack_lock);
+EXPORT_SYMBOL(ip_conntrack_hash);
+EXPORT_SYMBOL_GPL(ip_conntrack_find_get);
+EXPORT_SYMBOL_GPL(ip_conntrack_put);
diff -Nur linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_tftp.c linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_tftp.c
--- linux-2.6.4-rc2.org/net/ipv4/netfilter/ip_conntrack_tftp.c	2004-03-04 06:16:41.000000000 +0000
+++ linux-2.6.4-rc2/net/ipv4/netfilter/ip_conntrack_tftp.c	2004-03-04 08:39:18.000000000 +0000
@@ -44,7 +44,7 @@
 		     enum ip_conntrack_info ctinfo)
 {
 	struct tftphdr tftph;
-	struct ip_conntrack_expect exp;
+	struct ip_conntrack_expect *exp;
 
 	if (skb_copy_bits(skb, skb->nh.iph->ihl * 4 + sizeof(struct udphdr),
 			  &tftph, sizeof(tftph)) != 0)
@@ -57,19 +57,21 @@
 		DEBUGP("");
 		DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
 		DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
-		memset(&exp, 0, sizeof(exp));
 
-		exp.tuple = ct->tuplehash[IP_CT_DIR_REPLY].tuple;
-		exp.mask.src.ip = 0xffffffff;
-		exp.mask.dst.ip = 0xffffffff;
-		exp.mask.dst.u.udp.port = 0xffff;
-		exp.mask.dst.protonum = 0xffff;
-		exp.expectfn = NULL;
+		if (ip_conntrack_expect_alloc(&exp) < 0)
+			return -ENOMEM;
+
+		exp->tuple = ct->tuplehash[IP_CT_DIR_REPLY].tuple;
+		exp->mask.src.ip = 0xffffffff;
+		exp->mask.dst.ip = 0xffffffff;
+		exp->mask.dst.u.udp.port = 0xffff;
+		exp->mask.dst.protonum = 0xffff;
+		exp->expectfn = NULL;
 
 		DEBUGP("expect: ");
-		DUMP_TUPLE(&exp.tuple);
-		DUMP_TUPLE(&exp.mask);
-		ip_conntrack_expect_related(ct, &exp);
+		DUMP_TUPLE(&exp->tuple);
+		DUMP_TUPLE(&exp->mask);
+		ip_conntrack_expect_related(exp, ct);
 		break;
 	default:
 		DEBUGP("Unknown opcode\n");
diff -Nur linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c linux-2.6.4-rc2/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c
--- linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c	2004-03-04 08:39:26.000000000 +0000
@@ -0,0 +1,89 @@
+/**
+ * Strip all IP options in the IP packet header.
+ *
+ * (C) 2001 by Fabrice MARIE <fabrice@netfilter.org>
+ * This software is distributed under GNU GPL v2, 1991
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <net/checksum.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+MODULE_AUTHOR("Fabrice MARIE <fabrice@netfilter.org>");
+MODULE_DESCRIPTION("Strip all options in IPv4 packets");
+MODULE_LICENSE("GPL");
+
+static unsigned int
+target(struct sk_buff **pskb,
+       const struct net_device *in,
+       const struct net_device *out,
+       unsigned int hooknum,
+       const void *targinfo,
+       void *userinfo)
+{
+	struct iphdr *iph;
+	struct sk_buff *skb;
+	struct ip_options *opt;
+	unsigned char *optiph;
+	int l;
+	
+	if (!skb_ip_make_writable(pskb, (*pskb)->len))
+		return NF_DROP;
+ 
+	skb = (*pskb);
+	iph = (*pskb)->nh.iph;
+	optiph = skb->nh.raw;
+	l = ((struct ip_options *)(&(IPCB(skb)->opt)))->optlen;
+
+	/* if no options in packet then nothing to clear. */
+	if (iph->ihl * 4 == sizeof(struct iphdr))
+		return IPT_CONTINUE;
+
+	/* else clear all options */
+	memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
+	memset(optiph+sizeof(struct iphdr), IPOPT_NOOP, l);
+	opt = &(IPCB(skb)->opt);
+	opt->is_data = 0;
+	opt->optlen = l;
+
+	skb->nfcache |= NFC_ALTERED;
+
+        return IPT_CONTINUE;
+}
+
+static int
+checkentry(const char *tablename,
+	   const struct ipt_entry *e,
+           void *targinfo,
+           unsigned int targinfosize,
+           unsigned int hook_mask)
+{
+	if (strcmp(tablename, "mangle")) {
+		printk(KERN_WARNING "IPV4OPTSSTRIP: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
+		return 0;
+	}
+	/* nothing else to check because no parameters */
+	return 1;
+}
+
+static struct ipt_target ipt_ipv4optsstrip_reg = { 
+	.name = "IPV4OPTSSTRIP",
+	.target = target,
+	.checkentry = checkentry,
+	.me = THIS_MODULE };
+
+static int __init init(void)
+{
+	return ipt_register_target(&ipt_ipv4optsstrip_reg);
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_target(&ipt_ipv4optsstrip_reg);
+}
+
+module_init(init);
+module_exit(fini);
diff -Nur linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_TTL.c linux-2.6.4-rc2/net/ipv4/netfilter/ipt_TTL.c
--- linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_TTL.c	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/net/ipv4/netfilter/ipt_TTL.c	2004-03-04 08:39:28.000000000 +0000
@@ -0,0 +1,120 @@
+/* TTL modification target for IP tables
+ * (C) 2000 by Harald Welte <laforge@gnumonks.org>
+ *
+ * Version: $Revision$
+ *
+ * This software is distributed under the terms of GNU GPL
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <net/checksum.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_TTL.h>
+
+MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
+MODULE_DESCRIPTION("IP tables TTL modification module");
+MODULE_LICENSE("GPL");
+
+static unsigned int 
+ipt_ttl_target(struct sk_buff **pskb, const struct net_device *in, 
+		const struct net_device *out, unsigned int hooknum, 
+		const void *targinfo, void *userinfo)
+{
+	struct iphdr *iph;
+	const struct ipt_TTL_info *info = targinfo;
+	u_int16_t diffs[2];
+	int new_ttl;
+
+	if (!skb_ip_make_writable(pskb, (*pskb)->len))
+		return NF_DROP;
+
+	iph = (*pskb)->nh.iph;
+			 
+	switch (info->mode) {
+		case IPT_TTL_SET:
+			new_ttl = info->ttl;
+			break;
+		case IPT_TTL_INC:
+			new_ttl = iph->ttl + info->ttl;
+			if (new_ttl > 255)
+				new_ttl = 255;
+			break;
+		case IPT_TTL_DEC:
+			new_ttl = iph->ttl + info->ttl;
+			if (new_ttl < 0)
+				new_ttl = 0;
+			break;
+		default:
+			new_ttl = iph->ttl;
+			break;
+	}
+
+	if (new_ttl != iph->ttl) {
+		diffs[0] = htons(((unsigned)iph->ttl) << 8) ^ 0xFFFF;
+		iph->ttl = new_ttl;
+		diffs[1] = htons(((unsigned)iph->ttl) << 8);
+		iph->check = csum_fold(csum_partial((char *)diffs,
+						    sizeof(diffs),
+				 	            iph->check^0xFFFF));
+									                	(*pskb)->nfcache |= NFC_ALTERED;
+	}
+
+	return IPT_CONTINUE;
+}
+
+static int ipt_ttl_checkentry(const char *tablename,
+		const struct ipt_entry *e,
+		void *targinfo,
+		unsigned int targinfosize,
+		unsigned int hook_mask)
+{
+	struct ipt_TTL_info *info = targinfo;
+
+	if (targinfosize != IPT_ALIGN(sizeof(struct ipt_TTL_info))) {
+		printk(KERN_WARNING "TTL: targinfosize %u != %Zu\n",
+				targinfosize,
+				IPT_ALIGN(sizeof(struct ipt_TTL_info)));
+		return 0;	
+	}	
+
+	if (strcmp(tablename, "mangle")) {
+		printk(KERN_WARNING "TTL: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
+		return 0;
+	}
+
+	if (info->mode > IPT_TTL_MAXMODE) {
+		printk(KERN_WARNING "TTL: invalid or unknown Mode %u\n", 
+			info->mode);
+		return 0;
+	}
+
+	if ((info->mode != IPT_TTL_SET) && (info->ttl == 0)) {
+		printk(KERN_WARNING "TTL: increment/decrement doesn't make sense with value 0\n");
+		return 0;
+	}
+	
+	return 1;
+}
+
+static struct ipt_target ipt_TTL = { 
+	.name = "TTL",
+	.target = ipt_ttl_target, 
+	.checkentry = ipt_ttl_checkentry, 
+	.me = THIS_MODULE 
+};
+
+static int __init init(void)
+{
+	return ipt_register_target(&ipt_TTL);
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_target(&ipt_TTL);
+}
+
+module_init(init);
+module_exit(fini);
diff -Nur linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_connlimit.c linux-2.6.4-rc2/net/ipv4/netfilter/ipt_connlimit.c
--- linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_connlimit.c	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/net/ipv4/netfilter/ipt_connlimit.c	2004-03-04 08:39:29.000000000 +0000
@@ -0,0 +1,230 @@
+/*
+ * netfilter module to limit the number of parallel tcp
+ * connections per IP address.
+ *   (c) 2000 Gerd Knorr <kraxel@bytesex.org>
+ *   Nov 2002: Martin Bene <martin.bene@icomedias.com>:
+ *		only ignore TIME_WAIT or gone connections
+ *
+ * based on ...
+ *
+ * Kernel module to match connection tracking information.
+ * GPL (C) 1999  Rusty Russell (rusty@rustcorp.com.au).
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/list.h>
+#include <linux/netfilter_ipv4/ip_conntrack.h>
+#include <linux/netfilter_ipv4/ip_conntrack_core.h>
+#include <linux/netfilter_ipv4/ip_conntrack_tcp.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_connlimit.h>
+
+#define DEBUG 0
+
+MODULE_LICENSE("GPL");
+
+/* we'll save the tuples of all connections we care about */
+struct ipt_connlimit_conn
+{
+        struct list_head list;
+	struct ip_conntrack_tuple tuple;
+};
+
+struct ipt_connlimit_data {
+	spinlock_t lock;
+	struct list_head iphash[256];
+};
+
+static int ipt_iphash(u_int32_t addr)
+{
+	int hash;
+
+	hash  =  addr        & 0xff;
+	hash ^= (addr >>  8) & 0xff;
+	hash ^= (addr >> 16) & 0xff;
+	hash ^= (addr >> 24) & 0xff;
+	return hash;
+}
+
+static int count_them(struct ipt_connlimit_data *data,
+		      u_int32_t addr, u_int32_t mask,
+		      struct ip_conntrack *ct)
+{
+#if DEBUG
+	const static char *tcp[] = { "none", "established", "syn_sent", "syn_recv",
+				     "fin_wait", "time_wait", "close", "close_wait",
+				     "last_ack", "listen" };
+#endif
+	int addit = 1, matches = 0;
+	struct ip_conntrack_tuple tuple;
+	struct ip_conntrack_tuple_hash *found;
+	struct ipt_connlimit_conn *conn;
+	struct list_head *hash,*lh;
+
+	spin_lock(&data->lock);
+	tuple = ct->tuplehash[0].tuple;
+	hash = &data->iphash[ipt_iphash(addr & mask)];
+
+	/* check the saved connections */
+	for (lh = hash->next; lh != hash; lh = lh->next) {
+		conn = list_entry(lh,struct ipt_connlimit_conn,list);
+		found = ip_conntrack_find_get(&conn->tuple,ct);
+		if (0 == memcmp(&conn->tuple,&tuple,sizeof(tuple)) &&
+		    found != NULL &&
+		    found->ctrack->proto.tcp.state != TCP_CONNTRACK_TIME_WAIT) {
+			/* Just to be sure we have it only once in the list.
+			   We should'nt see tuples twice unless someone hooks this
+			   into a table without "-p tcp --syn" */
+			addit = 0;
+		}
+#if DEBUG
+		printk("ipt_connlimit [%d]: src=%u.%u.%u.%u:%d dst=%u.%u.%u.%u:%d %s\n",
+		       ipt_iphash(addr & mask),
+		       NIPQUAD(conn->tuple.src.ip), ntohs(conn->tuple.src.u.tcp.port),
+		       NIPQUAD(conn->tuple.dst.ip), ntohs(conn->tuple.dst.u.tcp.port),
+		       (NULL != found) ? tcp[found->ctrack->proto.tcp.state] : "gone");
+#endif
+		if (NULL == found) {
+			/* this one is gone */
+			lh = lh->prev;
+			list_del(lh->next);
+			kfree(conn);
+			continue;
+		}
+		if (found->ctrack->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT) {
+			/* we don't care about connections which are
+			   closed already -> ditch it */
+			lh = lh->prev;
+			list_del(lh->next);
+			kfree(conn);
+			nf_conntrack_put(&found->ctrack->infos[0]);
+			continue;
+		}
+		if ((addr & mask) == (conn->tuple.src.ip & mask)) {
+			/* same source IP address -> be counted! */
+			matches++;
+		}
+		nf_conntrack_put(&found->ctrack->infos[0]);
+	}
+	if (addit) {
+		/* save the new connection in our list */
+#if DEBUG
+		printk("ipt_connlimit [%d]: src=%u.%u.%u.%u:%d dst=%u.%u.%u.%u:%d new\n",
+		       ipt_iphash(addr & mask),
+		       NIPQUAD(tuple.src.ip), ntohs(tuple.src.u.tcp.port),
+		       NIPQUAD(tuple.dst.ip), ntohs(tuple.dst.u.tcp.port));
+#endif
+		conn = kmalloc(sizeof(*conn),GFP_ATOMIC);
+		if (NULL == conn)
+			return -1;
+		memset(conn,0,sizeof(*conn));
+		INIT_LIST_HEAD(&conn->list);
+		conn->tuple = tuple;
+		list_add(&conn->list,hash);
+		matches++;
+	}
+	spin_unlock(&data->lock);
+	return matches;
+}
+
+static int
+match(const struct sk_buff *skb,
+      const struct net_device *in,
+      const struct net_device *out,
+      const void *matchinfo,
+      int offset,
+      int *hotdrop)
+{
+	const struct ipt_connlimit_info *info = matchinfo;
+	int connections, match;
+	struct ip_conntrack *ct;
+	enum ip_conntrack_info ctinfo;
+
+	ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
+	if (NULL == ct) {
+		printk("ipt_connlimit: Oops: invalid ct state ?\n");
+		*hotdrop = 1;
+		return 0;
+	}
+	connections = count_them(info->data,skb->nh.iph->saddr,info->mask,ct);
+	if (-1 == connections) {
+		printk("ipt_connlimit: Hmm, kmalloc failed :-(\n");
+		*hotdrop = 1; /* let's free some memory :-) */
+		return 0;
+	}
+        match = (info->inverse) ? (connections <= info->limit) : (connections > info->limit);
+#if DEBUG
+	printk("ipt_connlimit: src=%u.%u.%u.%u mask=%u.%u.%u.%u "
+	       "connections=%d limit=%d match=%s\n",
+	       NIPQUAD(skb->nh.iph->saddr), NIPQUAD(info->mask),
+	       connections, info->limit, match ? "yes" : "no");
+#endif
+
+	return match;
+}
+
+static int check(const char *tablename,
+		 const struct ipt_ip *ip,
+		 void *matchinfo,
+		 unsigned int matchsize,
+		 unsigned int hook_mask)
+{
+	struct ipt_connlimit_info *info = matchinfo;
+	int i;
+
+	/* verify size */
+	if (matchsize != IPT_ALIGN(sizeof(struct ipt_connlimit_info)))
+		return 0;
+
+	/* refuse anything but tcp */
+	if (ip->proto != IPPROTO_TCP)
+		return 0;
+
+	/* init private data */
+	info->data = kmalloc(sizeof(struct ipt_connlimit_data),GFP_KERNEL);
+	spin_lock_init(&(info->data->lock));
+	for (i = 0; i < 256; i++)
+		INIT_LIST_HEAD(&(info->data->iphash[i]));
+	
+	return 1;
+}
+
+static void destroy(void *matchinfo, unsigned int matchinfosize)
+{
+	struct ipt_connlimit_info *info = matchinfo;
+	struct ipt_connlimit_conn *conn;
+	struct list_head *hash;
+	int i;
+
+	/* cleanup */
+	for (i = 0; i < 256; i++) {
+		hash = &(info->data->iphash[i]);
+		while (hash != hash->next) {
+			conn = list_entry(hash->next,struct ipt_connlimit_conn,list);
+			list_del(hash->next);
+			kfree(conn);
+		}
+	}
+	kfree(info->data);
+}
+
+static struct ipt_match connlimit_match = { 
+	.name = "connlimit",
+	.match = &match,
+	.checkentry = &check,
+	.destroy = &destroy,
+	.me = THIS_MODULE
+};
+
+static int __init init(void)
+{
+	return ipt_register_match(&connlimit_match);
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_match(&connlimit_match);
+}
+
+module_init(init);
+module_exit(fini);
diff -Nur linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_dstlimit.c linux-2.6.4-rc2/net/ipv4/netfilter/ipt_dstlimit.c
--- linux-2.6.4-rc2.org/net/ipv4/netfilter/ipt_dstlimit.c	1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.4-rc2/net/ipv4/netfilter/ipt_dstlimit.c	2004-03-04 08:39:30.000000000 +0000
@@ -0,0 +1,690 @@
+/* iptables match extension to limit the number of packets per second
+ * seperately for each destination.
+ *
+ * (C) 2003 by Harald Welte <laforge@netfilter.org>
+ *
+ * $Id$
+ *
+ * Development of this code was funded by Astaro AG, http://www.astaro.com/
+ *
+ * based on ipt_limit.c by: