Diffstat (limited to 'release/src/linux/linux/include/linux/netfilter_ipv4')
-rw-r--r--release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack.h52
-rw-r--r--release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_h323.h1
-rw-r--r--[-rwxr-xr-x]release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_proto_esp.h0
-rw-r--r--release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h4
-rw-r--r--release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_tuple.h1
-rw-r--r--release/src/linux/linux/include/linux/netfilter_ipv4/ip_tables.h3
-rw-r--r--release/src/linux/linux/include/linux/netfilter_ipv4/ipt_BCOUNT.h16
-rw-r--r--release/src/linux/linux/include/linux/netfilter_ipv4/ipt_CLASSIFY.h8
-rw-r--r--release/src/linux/linux/include/linux/netfilter_ipv4/ipt_CONNMARK.h26
-rw-r--r--release/src/linux/linux/include/linux/netfilter_ipv4/ipt_IMQ.h8
-rw-r--r--release/src/linux/linux/include/linux/netfilter_ipv4/ipt_MACSAVE.h16
-rw-r--r--release/src/linux/linux/include/linux/netfilter_ipv4/ipt_ROUTE.h23
-rw-r--r--release/src/linux/linux/include/linux/netfilter_ipv4/ipt_TTL.h21
-rw-r--r--release/src/linux/linux/include/linux/netfilter_ipv4/ipt_account.h26
-rw-r--r--release/src/linux/linux/include/linux/netfilter_ipv4/ipt_bcount.h18
-rw-r--r--release/src/linux/linux/include/linux/netfilter_ipv4/ipt_condition.h11
-rw-r--r--release/src/linux/linux/include/linux/netfilter_ipv4/ipt_connlimit.h12
-rw-r--r--release/src/linux/linux/include/linux/netfilter_ipv4/ipt_connmark.h18
-rw-r--r--release/src/linux/linux/include/linux/netfilter_ipv4/ipt_exp.h15
-rw-r--r--release/src/linux/linux/include/linux/netfilter_ipv4/ipt_geoip.h51
-rw-r--r--release/src/linux/linux/include/linux/netfilter_ipv4/ipt_ipp2p.h31
-rw-r--r--release/src/linux/linux/include/linux/netfilter_ipv4/ipt_iprange.h23
-rw-r--r--release/src/linux/linux/include/linux/netfilter_ipv4/ipt_layer7.h26
-rw-r--r--release/src/linux/linux/include/linux/netfilter_ipv4/ipt_macsave.h17
-rw-r--r--release/src/linux/linux/include/linux/netfilter_ipv4/ipt_quota.h12
-rw-r--r--release/src/linux/linux/include/linux/netfilter_ipv4/ipt_recent.h28
-rw-r--r--release/src/linux/linux/include/linux/netfilter_ipv4/ipt_string.h21
-rw-r--r--release/src/linux/linux/include/linux/netfilter_ipv4/ipt_time.h10
-rw-r--r--release/src/linux/linux/include/linux/netfilter_ipv4/ipt_u32.h40
-rw-r--r--release/src/linux/linux/include/linux/netfilter_ipv4/ipt_web.h30
30 files changed, 546 insertions, 22 deletions
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack.h
index 314f6cc3..2e75b782 100644
--- a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack.h
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack.h
@@ -6,6 +6,7 @@
#include <linux/config.h>
#include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
+#include <linux/bitops.h>
#include <asm/atomic.h>
enum ip_conntrack_info
@@ -41,6 +42,10 @@ enum ip_conntrack_status {
/* Conntrack should never be early-expired. */
IPS_ASSURED_BIT = 2,
IPS_ASSURED = (1 << IPS_ASSURED_BIT),
+
+ /* Connection is confirmed: originating packet has left box */
+ IPS_CONFIRMED_BIT = 3,
+ IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
};
#include <linux/netfilter_ipv4/ip_conntrack_tcp.h>
@@ -62,31 +67,27 @@ union ip_conntrack_expect_proto {
};
/* Add protocol helper include file here */
+#include <linux/netfilter_ipv4/ip_conntrack_h323.h>
#include <linux/netfilter_ipv4/ip_conntrack_pptp.h>
#include <linux/netfilter_ipv4/ip_conntrack_sip.h>
#include <linux/netfilter_ipv4/ip_conntrack_mms.h>
-#include <linux/netfilter_ipv4/ip_conntrack_h323.h>
-
#include <linux/netfilter_ipv4/ip_conntrack_ftp.h>
#include <linux/netfilter_ipv4/ip_conntrack_irc.h>
-#ifdef CONFIG_IP_NF_NAT_RTSP
-#include <linux/netfilter_ipv4/ip_conntrack_rtsp.h>
-#endif
#include <linux/netfilter_ipv4/ip_autofw.h>
+#include <linux/netfilter_ipv4/ip_conntrack_rtsp.h>
/* per expectation: application helper private data */
union ip_conntrack_expect_help {
/* insert conntrack helper private data (expect) here */
+ struct ip_ct_h225_expect exp_h225_info;
struct ip_ct_pptp_expect exp_pptp_info;
struct ip_ct_sip_expect exp_sip_info;
struct ip_ct_mms_expect exp_mms_info;
- struct ip_ct_h225_expect exp_h225_info;
struct ip_ct_ftp_expect exp_ftp_info;
struct ip_ct_irc_expect exp_irc_info;
struct ip_autofw_expect exp_autofw_info;
-#ifdef CONFIG_IP_NF_NAT_RTSP
- struct ip_ct_rtsp_expect exp_rtsp_info;
-#endif
+ struct ip_ct_rtsp_expect exp_rtsp_info;
+
#ifdef CONFIG_IP_NF_NAT_NEEDED
union {
/* insert nat helper private data (expect) here */
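Review bot: Dropping the `#ifdef CONFIG_IP_NF_NAT_RTSP` guard makes `ip_conntrack_rtsp.h` and `struct ip_ct_rtsp_expect exp_rtsp_info` part of every build, so the header must now compile with the RTSP helper configured out. If the RTSP struct is the largest member, the union also grows for every expectation. The same applies to `struct ip_ct_rtsp_master ct_rtsp_info` in `union ip_conntrack_help` in the next hunk. If the old guard was only keyed on the wrong option, guarding on the RTSP conntrack helper's own config symbol would keep the cost opt-in; that symbol is not visible in this diff and needs checking. Both unions continue outside their hunks.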
@@ -97,15 +98,13 @@ union ip_conntrack_expect_help {
/* per conntrack: application helper private data */
union ip_conntrack_help {
/* insert conntrack helper private data (master) here */
+ struct ip_ct_h225_master ct_h225_info;
struct ip_ct_pptp_master ct_pptp_info;
struct ip_ct_sip_master ct_sip_info;
struct ip_ct_mms_master ct_mms_info;
- struct ip_ct_h225_master ct_h225_info;
struct ip_ct_ftp_master ct_ftp_info;
struct ip_ct_irc_master ct_irc_info;
-#ifdef CONFIG_IP_NF_NAT_RTSP
- struct ip_ct_rtsp_master ct_rtsp_info;
-#endif
+ struct ip_ct_rtsp_master ct_rtsp_info;
};
#ifdef CONFIG_IP_NF_NAT_NEEDED
@@ -188,7 +187,7 @@ struct ip_conntrack
struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];
/* Have we seen traffic both ways yet? (bitset) */
- volatile unsigned long status;
+ unsigned long status;
/* Timer function; drops refcnt when it goes off. */
struct timer_list timeout;
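Review bot: With `volatile` removed from `status`, a plain read of the word (for example masking it with `IPS_ASSURED`) becomes an ordinary load that the compiler may hoist or merge. Every reader and writer should therefore use `test_bit`/`set_bit`/`test_and_set_bit`. This header only shows `is_confirmed()` converted; the remaining users are in .c files outside this diff and should be audited with the same change. A comment on the field would record the rule: `/* Bitset of IPS_*; access only through the atomic bitops. */`. struct ip_conntrack starts and ends outside this hunk.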
@@ -227,6 +226,29 @@ struct ip_conntrack
} nat;
#endif /* CONFIG_IP_NF_NAT_NEEDED */
+#if defined(CONFIG_IP_NF_CONNTRACK_MARK)
+ unsigned long mark;
+#endif
+
+#if defined(CONFIG_IP_NF_MATCH_LAYER7) || defined(CONFIG_IP_NF_MATCH_LAYER7_MODULE)
+ struct {
+ unsigned int numpackets; /* surely this is kept track of somewhere else, right? I can't find it... */
+ char * app_proto; /* "http", "ftp", etc. NULL if unclassifed */
+
+ /* the application layer data so far. NULL if ->numpackets > numpackets */
+ char * app_data;
+
+ unsigned int app_data_len;
+ } layer7;
+#endif
+
+#if defined(CONFIG_IP_NF_TARGET_BCOUNT) || defined(CONFIG_IP_NF_TARGET_BCOUNT_MODULE)
+ u_int32_t bcount;
+#endif
+
+#if defined(CONFIG_IP_NF_TARGET_MACSAVE) || defined(CONFIG_IP_NF_TARGET_MACSAVE_MODULE)
+ unsigned char macsave[6];
+#endif
};
/* get master conntrack via master expectation */
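Review bot: The new `layer7` member adds two heap-style pointers, `app_proto` and `app_data`, to every conntrack, but the header does not say who allocates them, that they start out NULL, or that they are released when the conntrack is destroyed. A missed free leaks per connection, and a stale pointer is a use-after-free in packet context. The allocation and destroy paths are outside this diff, so they should be checked together with this struct, along with the invariant that `app_data_len` never exceeds the allocated size. The comment `NULL if ->numpackets > numpackets` compares the field with itself as written and should name the limit it means. If the lifetime is as it appears, something like `/* buffered payload; NULL until allocated and after classification stops; freed with the conntrack */` would say it. struct ip_conntrack starts outside this hunk.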
@@ -283,7 +305,7 @@ ip_ct_selective_cleanup(int (*kill)(const struct ip_conntrack *i, void *data),
/* It's confirmed if it is, or has been in the hash table. */
static inline int is_confirmed(struct ip_conntrack *ct)
{
- return ct->tuplehash[IP_CT_DIR_ORIGINAL].list.next != NULL;
+ return test_bit(IPS_CONFIRMED_BIT, &ct->status);
}
extern unsigned int ip_conntrack_htable_size;
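Review bot: `is_confirmed()` no longer looks at the hash linkage, so it is only correct if `IPS_CONFIRMED_BIT` is set on every path that inserts a conntrack into the hash table, and set before the entry becomes visible to other CPUs. That `set_bit` is not in this header; any insertion path that misses it would leave a hashed entry reporting as unconfirmed. The comment above the function still describes the old test and could become `/* Confirmed once IPS_CONFIRMED_BIT is set, i.e. the entry has been hashed. */`. Since the function only reads, the parameter could also be `const struct ip_conntrack *ct` if `test_bit` in this tree accepts a const address.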
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_h323.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_h323.h
index 10221fe9..3803c126 100644
--- a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_h323.h
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_h323.h
@@ -4,6 +4,7 @@
#ifdef __KERNEL__
/* Protects H.323 related data */
+#include <linux/netfilter_ipv4/lockhelp.h>
DECLARE_LOCK_EXTERN(ip_h323_lock);
#endif
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_proto_esp.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_proto_esp.h
index acb4d9ec..acb4d9ec 100755..100644
--- a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_proto_esp.h
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_proto_esp.h
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h
index 738e99a2..07646857 100644
--- a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h
@@ -77,13 +77,13 @@ struct ip_ct_gre_expect {
};
#ifdef __KERNEL__
+struct ip_conntrack_expect;
/* structure for original <-> reply keymap */
struct ip_ct_gre_keymap {
struct list_head list;
struct ip_conntrack_tuple tuple;
- struct ip_conntrack_expect *master;
};
@@ -96,6 +96,8 @@ int ip_ct_gre_keymap_add(struct ip_conntrack_expect *exp,
void ip_ct_gre_keymap_change(struct ip_ct_gre_keymap *km,
struct ip_conntrack_tuple *t);
+/* delete keymap entries */
+void ip_ct_gre_keymap_destroy(struct ip_conntrack_expect *exp);
/* get pointer to gre key, if present */
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_tuple.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
index 770935d3..0f103d35 100644
--- a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
@@ -57,7 +57,6 @@ struct ip_conntrack_tuple
} tcp;
struct {
u_int16_t port;
- unsigned int init_cookie;//xiaoqin add for multi-ipsec passthrough,2005.12.19
} udp;
struct {
u_int8_t type, code;
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_tables.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_tables.h
index d2a7f4b4..11e0cfcf 100644
--- a/release/src/linux/linux/include/linux/netfilter_ipv4/ip_tables.h
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ip_tables.h
@@ -104,7 +104,8 @@ struct ipt_counters
/* Values for "flag" field in struct ipt_ip (general ip structure). */
#define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */
-#define IPT_F_MASK 0x01 /* All possible flag bits mask. */
+#define IPT_F_GOTO 0x02 /* Set if jump is a goto */
+#define IPT_F_MASK 0x03 /* All possible flag bits mask. */
/* Values for "inv" field in struct ipt_ip. */
#define IPT_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */
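Review bot: Widening `IPT_F_MASK` to `0x03` means any rule validation that masks `flags` against it will now accept `IPT_F_GOTO` from userspace, so the table traversal code must implement goto semantics in the same commit. Otherwise the bit is accepted and silently ignored, and the ruleset behaves differently from what the administrator wrote. The traversal code is not part of this header diff, so this needs confirming against the ip_tables implementation. It would also help to extend the comment to say what the flag changes, e.g. `/* Set if jump is a goto: do not push a return position */`, if that is the intended behaviour.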
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_BCOUNT.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_BCOUNT.h
new file mode 100644
index 00000000..34b56aef
--- /dev/null
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_BCOUNT.h
@@ -0,0 +1,16 @@
+/*
+
+ BCOUNT target
+ Copyright (C) 2006 Jonathan Zarate
+
+ Licensed under GNU GPL v2 or later.
+
+*/
+#ifndef _IPT_BCOUNT_TARGET_H
+#define _IPT_BCOUNT_TARGET_H
+
+struct ipt_BCOUNT_target {
+// int debug;
+};
+
+#endif
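Review bot: `struct ipt_BCOUNT_target` has no members apart from the commented-out `// int debug;`, and an empty struct is a GNU C extension (size 0) rather than standard C. `struct ipt_MACSAVE_target_info` in ipt_MACSAVE.h is the same. If the target really takes no options, replacing the dead line with a comment such as `/* no per-rule options; intentionally empty (GNU C) */` makes that explicit. Alternatively a one-byte placeholder member, as ipt_exp.h does with `char dummy;`, avoids relying on the extension.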
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_CLASSIFY.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_CLASSIFY.h
new file mode 100644
index 00000000..7596e3dd
--- /dev/null
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_CLASSIFY.h
@@ -0,0 +1,8 @@
+#ifndef _IPT_CLASSIFY_H
+#define _IPT_CLASSIFY_H
+
+struct ipt_classify_target_info {
+ u_int32_t priority;
+};
+
+#endif /*_IPT_CLASSIFY_H */
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_CONNMARK.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_CONNMARK.h
new file mode 100644
index 00000000..f9099f92
--- /dev/null
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_CONNMARK.h
@@ -0,0 +1,26 @@
+#ifndef _IPT_CONNMARK_H_target
+#define _IPT_CONNMARK_H_target
+
+/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+enum {
+ IPT_CONNMARK_SET = 0,
+ IPT_CONNMARK_SAVE,
+ IPT_CONNMARK_RESTORE,
+ IPT_CONNMARK_SET_RETURN
+};
+
+struct ipt_connmark_target_info {
+ unsigned long mark;
+ unsigned long mask;
+ u_int8_t mode;
+};
+
+#endif /*_IPT_CONNMARK_H_target*/
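Review bot: `mark` and `mask` are `unsigned long` in a struct that is copied between the iptables binary and the kernel, so the struct's size and layout follow the ABI of whoever compiled it. A 32-bit userspace against a 64-bit kernel would disagree on it. `struct ipt_connmark_info` in ipt_connmark.h has the same two fields. On a single-ABI router build this works, but fixed-width members, `u_int32_t mark;` and `u_int32_t mask;`, would make the layout independent of the toolchain, provided compatibility with an existing iptables build is not a constraint. It would also be worth a comment that `mode` takes the `IPT_CONNMARK_*` values so a checkentry can reject anything above `IPT_CONNMARK_SET_RETURN`.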
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_IMQ.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_IMQ.h
new file mode 100644
index 00000000..45d57713
--- /dev/null
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_IMQ.h
@@ -0,0 +1,8 @@
+#ifndef _IPT_IMQ_H
+#define _IPT_IMQ_H
+
+struct ipt_imq_info {
+ unsigned int todev; /* target imq device */
+};
+
+#endif /* _IPT_IMQ_H */
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_MACSAVE.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_MACSAVE.h
new file mode 100644
index 00000000..dc426893
--- /dev/null
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_MACSAVE.h
@@ -0,0 +1,16 @@
+/*
+
+ MACSAVE target
+ Copyright (C) 2006 Jonathan Zarate
+
+ Licensed under GNU GPL v2 or later.
+
+*/
+#ifndef _IPT_MACSAVE_TARGET_H
+#define _IPT_MACSAVE_TARGET_H
+
+struct ipt_MACSAVE_target_info {
+// int debug;
+};
+
+#endif
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_ROUTE.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_ROUTE.h
new file mode 100644
index 00000000..41b1a9c8
--- /dev/null
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_ROUTE.h
@@ -0,0 +1,23 @@
+/* Header file for iptables ipt_ROUTE target
+ *
+ * (C) 2002 by Cédric de Launois <delaunois@info.ucl.ac.be>
+ *
+ * This software is distributed under GNU GPL v2, 1991
+ */
+#ifndef _IPT_ROUTE_H_target
+#define _IPT_ROUTE_H_target
+
+#define IPT_ROUTE_IFNAMSIZ 16
+
+struct ipt_route_target_info {
+ char oif[IPT_ROUTE_IFNAMSIZ]; /* Output Interface Name */
+ char iif[IPT_ROUTE_IFNAMSIZ]; /* Input Interface Name */
+ u_int32_t gw; /* IP address of gateway */
+ u_int8_t flags;
+};
+
+/* Values for "flags" field */
+#define IPT_ROUTE_CONTINUE 0x01
+#define IPT_ROUTE_TEE 0x02
+
+#endif /*_IPT_ROUTE_H_target*/
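Review bot: `oif` and `iif` are fixed 16-byte arrays filled in by userspace, and nothing in the struct guarantees they are NUL-terminated. The target's checkentry should therefore reject an entry whose last byte is not `'\0'` before either is used as a string, for example `if (info->oif[IPT_ROUTE_IFNAMSIZ - 1] != '\0') return 0;` (with `info` standing for the target data pointer). The same check applies to the other rule-supplied text buffers this commit adds: `name` in ipt_account.h, ipt_condition.h and ipt_recent.h, `protocol` and `pattern` in ipt_layer7.h, and `text` in ipt_web.h. The kernel-side code is outside this diff, so it may already do this. `flags` should likewise be rejected if it has bits other than `IPT_ROUTE_CONTINUE | IPT_ROUTE_TEE` set.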
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_TTL.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_TTL.h
new file mode 100644
index 00000000..edf49e80
--- /dev/null
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_TTL.h
@@ -0,0 +1,21 @@
+/* TTL modification module for IP tables
+ * (C) 2000 by Harald Welte <laforge@gnumonks.org> */
+
+#ifndef _IPT_TTL_H
+#define _IPT_TTL_H
+
+enum {
+ IPT_TTL_SET = 0,
+ IPT_TTL_INC,
+ IPT_TTL_DEC
+};
+
+#define IPT_TTL_MAXMODE IPT_TTL_DEC
+
+struct ipt_TTL_info {
+ u_int8_t mode;
+ u_int8_t ttl;
+};
+
+
+#endif
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_account.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_account.h
new file mode 100644
index 00000000..6068d86d
--- /dev/null
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_account.h
@@ -0,0 +1,26 @@
+/*
+ * accounting match (ipt_account.c)
+ * (C) 2003,2004 by Piotr Gasidlo (quaker@barbara.eu.org)
+ *
+ * Version: 0.1.7
+ *
+ * This software is distributed under the terms of GNU GPL
+ */
+
+#ifndef _IPT_ACCOUNT_H_
+#define _IPT_ACCOUNT_H_
+
+#define IPT_ACCOUNT_NAME_LEN 64
+
+#define IPT_ACCOUNT_NAME "ipt_account"
+#define IPT_ACCOUNT_VERSION "0.1.7"
+
+struct t_ipt_account_info {
+ char name[IPT_ACCOUNT_NAME_LEN];
+ u_int32_t network;
+ u_int32_t netmask;
+ int shortlisting:1;
+};
+
+#endif
+
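Review bot: `int shortlisting:1;` is a signed one-bit field, which on the usual two's-complement targets holds only 0 and -1, so a comparison such as `== 1` can never be true; `unsigned int shortlisting:1;` avoids that. `char invert:1;` in ipt_layer7.h has the same issue, and a `char` bit-field is additionally an extension with implementation-defined signedness. Bit-field placement is compiler-defined, which matters for a struct shared with userspace, so a plain `u_int8_t shortlisting;` would be the more predictable choice.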
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_bcount.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_bcount.h
new file mode 100644
index 00000000..66f5ed9c
--- /dev/null
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_bcount.h
@@ -0,0 +1,18 @@
+/*
+
+ bcount match (experimental)
+ Copyright (C) 2006 Jonathan Zarate
+
+ Licensed under GNU GPL v2 or later.
+
+*/
+#ifndef _IPT_BCOUNT_H
+#define _IPT_BCOUNT_H
+
+struct ipt_bcount_match {
+ u_int32_t min;
+ u_int32_t max;
+ int invert;
+};
+
+#endif
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_condition.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_condition.h
new file mode 100644
index 00000000..2bc5b0c8
--- /dev/null
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_condition.h
@@ -0,0 +1,11 @@
+#ifndef __IPT_CONDITION_MATCH__
+#define __IPT_CONDITION_MATCH__
+
+#define CONDITION_NAME_LEN 32
+
+struct condition_info {
+ char name[CONDITION_NAME_LEN];
+ int invert;
+};
+
+#endif
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_connlimit.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_connlimit.h
new file mode 100644
index 00000000..d99193b7
--- /dev/null
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_connlimit.h
@@ -0,0 +1,12 @@
+#ifndef _IPT_CONNLIMIT_H
+#define _IPT_CONNLIMIT_H
+
+struct ipt_connlimit_data;
+
+struct ipt_connlimit_info {
+ int limit;
+ int inverse;
+ u_int32_t mask;
+ struct ipt_connlimit_data *data;
+};
+#endif /* _IPT_CONNLIMIT_H */
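Review bot: `struct ipt_connlimit_data *data` is a kernel pointer stored in a struct that arrives from userspace with the rule, so whatever value iptables put there must be overwritten in checkentry and never dereferenced as received. The same pattern appears in `master` in ipt_quota.h and in `mem[]` and `refcount` in ipt_geoip.h. The initialisation code is outside this diff, so this is something to confirm rather than a defect seen here. A comment on the field would document the contract, e.g. `/* kernel-internal; set in checkentry, value from userspace is ignored */`. Pointer members also make the struct size depend on the ABI.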
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_connmark.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_connmark.h
new file mode 100644
index 00000000..46573270
--- /dev/null
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_connmark.h
@@ -0,0 +1,18 @@
+#ifndef _IPT_CONNMARK_H
+#define _IPT_CONNMARK_H
+
+/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+struct ipt_connmark_info {
+ unsigned long mark, mask;
+ u_int8_t invert;
+};
+
+#endif /*_IPT_CONNMARK_H*/
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_exp.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_exp.h
new file mode 100644
index 00000000..51319cb2
--- /dev/null
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_exp.h
@@ -0,0 +1,15 @@
+/*
+
+ Experimental Netfilter Crap
+ Copyright (C) 2006 Jonathan Zarate
+
+*/
+
+#ifndef _IPT_EXP_H
+#define _IPT_EXP_H
+
+struct ipt_exp_info {
+ char dummy;
+};
+
+#endif
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_geoip.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_geoip.h
new file mode 100644
index 00000000..15764e8b
--- /dev/null
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_geoip.h
@@ -0,0 +1,51 @@
+/* ipt_geoip.h header file for libipt_geoip.c and ipt_geoip.c
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * Copyright (c) 2004 Cookinglinux
+ */
+#ifndef _IPT_GEOIP_H
+#define _IPT_GEOIP_H
+
+#define IPT_GEOIP_SRC 0x01 /* Perform check on Source IP */
+#define IPT_GEOIP_DST 0x02 /* Perform check on Destination IP */
+#define IPT_GEOIP_INV 0x04 /* Negate the condition */
+
+#define IPT_GEOIP_MAX 15 /* Maximum of countries */
+
+struct geoip_subnet {
+ u_int32_t begin;
+ u_int32_t end;
+};
+
+struct geoip_info {
+ struct geoip_subnet *subnets;
+ u_int32_t count;
+ u_int32_t ref;
+ u_int16_t cc;
+ struct geoip_info *next;
+ struct geoip_info *prev;
+};
+
+struct ipt_geoip_info {
+ u_int8_t flags;
+ u_int8_t count;
+ u_int16_t cc[IPT_GEOIP_MAX];
+
+ /* Used internally by the kernel */
+ struct geoip_info *mem[IPT_GEOIP_MAX];
+ u_int8_t *refcount;
+
+ /* not implemented yet:
+ void *fini;
+ */
+};
+
+#define COUNTRY(cc) (cc >> 8), (cc & 0x00FF)
+
+#endif
+
+/* End of ipt_geoip.h */
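Review bot: `count` in `struct ipt_geoip_info` is a `u_int8_t` that can carry up to 255, while `cc[]` and `mem[]` hold `IPT_GEOIP_MAX` (15) entries, so the match's checkentry needs to reject `count > IPT_GEOIP_MAX` before any loop indexes those arrays. That code is not in this header, so it needs confirming. Separately, `COUNTRY(cc)` uses its argument unparenthesised; `#define COUNTRY(cc) ((cc) >> 8), ((cc) & 0x00FF)` is safer when the argument is an expression. The trailing `/* End of ipt_geoip.h */` sits after the guard's `#endif`, which is harmless.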
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_ipp2p.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_ipp2p.h
new file mode 100644
index 00000000..1bd3f649
--- /dev/null
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_ipp2p.h
@@ -0,0 +1,31 @@
+#ifndef __IPT_IPP2P_H
+#define __IPT_IPP2P_H
+#define IPP2P_VERSION "0.8.1_rc1"
+
+struct ipt_p2p_info {
+ int cmd;
+ int debug;
+};
+
+#endif //__IPT_IPP2P_H
+
+#define SHORT_HAND_IPP2P 1 /* --ipp2p switch*/
+//#define SHORT_HAND_DATA 4 /* --ipp2p-data switch*/
+#define SHORT_HAND_NONE 5 /* no short hand*/
+
+#define IPP2P_EDK (1 << 1)
+#define IPP2P_DATA_KAZAA (1 << 2)
+#define IPP2P_DATA_EDK (1 << 3)
+#define IPP2P_DATA_DC (1 << 4)
+#define IPP2P_DC (1 << 5)
+#define IPP2P_DATA_GNU (1 << 6)
+#define IPP2P_GNU (1 << 7)
+#define IPP2P_KAZAA (1 << 8)
+#define IPP2P_BIT (1 << 9)
+#define IPP2P_APPLE (1 << 10)
+#define IPP2P_SOUL (1 << 11)
+#define IPP2P_WINMX (1 << 12)
+#define IPP2P_ARES (1 << 13)
+#define IPP2P_MUTE (1 << 14)
+#define IPP2P_WASTE (1 << 15)
+#define IPP2P_XDCC (1 << 16)
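Review bot: The include guard is closed by `#endif //__IPT_IPP2P_H` directly after `struct ipt_p2p_info`, so every `SHORT_HAND_*` and `IPP2P_*` define below it sits outside the guard. Identical macro redefinitions are tolerated by the preprocessor, but moving the `#endif` to the last line keeps the whole header guarded and avoids surprises if a value is later changed. The guard name `__IPT_IPP2P_H` also begins with a double underscore, which is reserved for the implementation; `_IPT_IPP2P_H` would match the other headers in this directory.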
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_iprange.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_iprange.h
new file mode 100644
index 00000000..3ecb3bd6
--- /dev/null
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_iprange.h
@@ -0,0 +1,23 @@
+#ifndef _IPT_IPRANGE_H
+#define _IPT_IPRANGE_H
+
+#define IPRANGE_SRC 0x01 /* Match source IP address */
+#define IPRANGE_DST 0x02 /* Match destination IP address */
+#define IPRANGE_SRC_INV 0x10 /* Negate the condition */
+#define IPRANGE_DST_INV 0x20 /* Negate the condition */
+
+struct ipt_iprange {
+ /* Inclusive: network order. */
+ u_int32_t min_ip, max_ip;
+};
+
+struct ipt_iprange_info
+{
+ struct ipt_iprange src;
+ struct ipt_iprange dst;
+
+ /* Flags from above */
+ u_int8_t flags;
+};
+
+#endif /* _IPT_IPRANGE_H */
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_layer7.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_layer7.h
new file mode 100644
index 00000000..aee1f5d5
--- /dev/null
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_layer7.h
@@ -0,0 +1,26 @@
+/*
+ By Matthew Strait <quadong@users.sf.net>, Dec 2003.
+ http://l7-filter.sf.net
+
+ This program is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public License
+ as published by the Free Software Foundation; either version
+ 2 of the License, or (at your option) any later version.
+ http://www.gnu.org/licenses/gpl.txt
+*/
+
+#ifndef _IPT_LAYER7_H
+#define _IPT_LAYER7_H
+
+#define MAX_PATTERN_LEN 8192
+#define MAX_PROTOCOL_LEN 256
+
+typedef char *(*proc_ipt_search) (char *, char, char *);
+
+struct ipt_layer7_info {
+ char protocol[MAX_PROTOCOL_LEN];
+ char invert:1;
+ char pattern[MAX_PATTERN_LEN];
+};
+
+#endif /* _IPT_LAYER7_H */
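Review bot: `typedef char *(*proc_ipt_search) (char *, char, char *);` uses the same name as the typedef in ipt_string.h, which this commit adds as `char *(*proc_ipt_search) (char *, char *, int, int)`. A translation unit that includes both headers will fail with a conflicting-types error. Giving this one a module-specific name, or removing it if the layer7 code does not use it, avoids the clash; its use is not visible in this diff. `struct ipt_layer7_info` is also over 8 KB per rule because of `pattern[MAX_PATTERN_LEN]`, which is worth a comment given the memory budget of the target device.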
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_macsave.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_macsave.h
new file mode 100644
index 00000000..9d5b218d
--- /dev/null
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_macsave.h
@@ -0,0 +1,17 @@
+/*
+
+ macsave match
+ Copyright (C) 2006 Jonathan Zarate
+
+ Licensed under GNU GPL v2 or later.
+
+*/
+#ifndef _IPT_MACSAVE_MATCH_H
+#define _IPT_MACSAVE_MATCH_H
+
+struct ipt_macsave_match_info {
+ int invert;
+ unsigned char mac[6];
+};
+
+#endif
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_quota.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_quota.h
new file mode 100644
index 00000000..f2a06716
--- /dev/null
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_quota.h
@@ -0,0 +1,12 @@
+#ifndef _IPT_QUOTA_H
+#define _IPT_QUOTA_H
+
+/* print debug info in both kernel/netfilter module & iptable library */
+//#define DEBUG_IPT_QUOTA
+
+struct ipt_quota_info {
+ u_int64_t quota;
+ struct ipt_quota_info *master;
+};
+
+#endif /*_IPT_QUOTA_H*/
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_recent.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_recent.h
new file mode 100644
index 00000000..eb008fb4
--- /dev/null
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_recent.h
@@ -0,0 +1,28 @@
+#ifndef _IPT_RECENT_H
+#define _IPT_RECENT_H
+
+#define RECENT_NAME "ipt_recent"
+#define RECENT_VER "v0.3.1"
+
+#define IPT_RECENT_CHECK 1
+#define IPT_RECENT_SET 2
+#define IPT_RECENT_UPDATE 4
+#define IPT_RECENT_REMOVE 8
+#define IPT_RECENT_TTL 16
+
+#define IPT_RECENT_SOURCE 0
+#define IPT_RECENT_DEST 1
+
+#define IPT_RECENT_NAME_LEN 200
+
+struct ipt_recent_info {
+ u_int32_t seconds;
+ u_int32_t hit_count;
+ u_int8_t check_set;
+ u_int8_t invert;
+ char name[IPT_RECENT_NAME_LEN];
+ u_int8_t side;
+};
+
+#endif /*_IPT_RECENT_H*/
+
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_string.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_string.h
new file mode 100644
index 00000000..17d71034
--- /dev/null
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_string.h
@@ -0,0 +1,21 @@
+#ifndef _IPT_STRING_H
+#define _IPT_STRING_H
+
+/* *** PERFORMANCE TWEAK ***
+ * Packet size and search string threshold,
+ * above which sublinear searches is used. */
+#define IPT_STRING_HAYSTACK_THRESH 100
+#define IPT_STRING_NEEDLE_THRESH 20
+
+#define BM_MAX_NLEN 256
+#define BM_MAX_HLEN 1024
+
+typedef char *(*proc_ipt_search) (char *, char *, int, int);
+
+struct ipt_string_info {
+ char string[BM_MAX_NLEN];
+ u_int16_t invert;
+ u_int16_t len;
+};
+
+#endif /* _IPT_STRING_H */
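Review bot: `len` is a `u_int16_t` supplied with the rule while `string[]` holds `BM_MAX_NLEN` (256) bytes, so the match's checkentry should reject `len > BM_MAX_NLEN` before the search routines use it as the needle length; otherwise the search reads past the array. That validation lives outside this header and needs confirming. A comment on the field would state the contract: `u_int16_t len; /* bytes used in string[], <= BM_MAX_NLEN */`. The `proc_ipt_search` typedef here also collides with the one in ipt_layer7.h.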
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_time.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_time.h
index 1ccdbb3d..277c6de5 100644
--- a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_time.h
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_time.h
@@ -3,10 +3,12 @@
struct ipt_time_info {
- unsigned int days_match; /* 1 bit per day (bit 0 = Sunday) */
- unsigned int time_start; /* 0 < time_start < 24*60*60-1 = 86399 */
- unsigned int time_stop; /* 0 < time_end < 24*60*60-1 = 86399 */
- int kerneltime; /* ignore skb time (and use kerneltime) or not. */
+ u_int8_t days_match; /* 1 bit per day. -SMTWTFS */
+ u_int16_t time_start; /* 0 < time_start < 23*60+59 = 1439 */
+ u_int16_t time_stop; /* 0:0 < time_stat < 23:59 */
+ u_int8_t kerneltime; /* ignore skb time (and use kerneltime) or not. */
+ time_t date_start;
+ time_t date_stop;
};
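Review bot: The new field comments do not state the unit change clearly: `time_start`/`time_stop` went from seconds (max 86399) to minutes (max 1439), the `time_stop` comment refers to `time_stat`, and `0 < time_start` reads as if midnight were excluded. Suggested wording: `u_int16_t time_start; /* minutes since midnight, 0..1439 */` and the same for `time_stop`, plus a comment on `date_start`/`date_stop` giving their epoch and what 0 means. The layout change also means an iptables binary built against the old header no longer matches. `time_t` additionally makes the struct size depend on the ABI, so a fixed-width type would be more robust in a struct shared with userspace.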
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_u32.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_u32.h
new file mode 100644
index 00000000..694fdc08
--- /dev/null
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_u32.h
@@ -0,0 +1,40 @@
+#ifndef _IPT_U32_H
+#define _IPT_U32_H
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+enum ipt_u32_ops
+{
+ IPT_U32_AND,
+ IPT_U32_LEFTSH,
+ IPT_U32_RIGHTSH,
+ IPT_U32_AT
+};
+
+struct ipt_u32_location_element
+{
+ u_int32_t number;
+ u_int8_t nextop;
+};
+struct ipt_u32_value_element
+{
+ u_int32_t min;
+ u_int32_t max;
+};
+/* *** any way to allow for an arbitrary number of elements?
+ for now I settle for a limit of 10 of each */
+#define U32MAXSIZE 10
+struct ipt_u32_test
+{
+ u_int8_t nnums;
+ struct ipt_u32_location_element location[U32MAXSIZE+1];
+ u_int8_t nvalues;
+ struct ipt_u32_value_element value[U32MAXSIZE+1];
+};
+
+struct ipt_u32
+{
+ u_int8_t ntests;
+ struct ipt_u32_test tests[U32MAXSIZE+1];
+};
+
+#endif /*_IPT_U32_H*/
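Review bot: `ntests`, `nnums` and `nvalues` are `u_int8_t` counts taken from the rule, and each can be as large as 255 while the arrays they index hold `U32MAXSIZE+1` (11) elements. The match's checkentry therefore has to reject any count above the array size before the match loop runs. That check is not in this header and should be confirmed in the .c file. `nextop` should likewise be limited to the `enum ipt_u32_ops` values. A comment on each count, e.g. `u_int8_t nnums; /* entries used in location[], <= U32MAXSIZE+1 */`, would make the bound part of the interface.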
diff --git a/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_web.h b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_web.h
new file mode 100644
index 00000000..176208e2
--- /dev/null
+++ b/release/src/linux/linux/include/linux/netfilter_ipv4/ipt_web.h
@@ -0,0 +1,30 @@
+/*
+
+ web (experimental)
+ HTTP client match
+ Copyright (C) 2006 Jonathan Zarate
+
+ Licensed under GNU GPL v2 or later.
+
+*/
+#ifndef _IPT_WEB_H
+#define _IPT_WEB_H
+
+#define IPT_WEB_MAXTEXT 512
+
+typedef enum {
+ IPT_WEB_HTTP,
+ IPT_WEB_RURI,
+ IPT_WEB_PATH,
+ IPT_WEB_QUERY,
+ IPT_WEB_HOST,
+ IPT_WEB_HORE
+} ipt_web_mode_t;
+
+struct ipt_web_info {
+ ipt_web_mode_t mode;
+ int invert;
+ char text[IPT_WEB_MAXTEXT];
+};
+
+#endif
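Review bot: `mode` is declared as the enum type `ipt_web_mode_t` inside a struct that is passed in from userspace, and the width of an enum is chosen by the compiler, so a fixed-width field such as `u_int8_t mode;` would keep the layout stable across toolchains. Whatever the type, checkentry should reject values above `IPT_WEB_HORE`, since the field arrives unchecked with the rule; that code is outside this diff. The enumerators would also benefit from one-line comments, as `IPT_WEB_HORE` in particular is not self-explanatory.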