authorkaloz <kaloz@3c298f89-4303-0410-b956-a3cf2f4a3e73>2007-05-23 19:48:34 +0000
committerkaloz <kaloz@3c298f89-4303-0410-b956-a3cf2f4a3e73>2007-05-23 19:48:34 +0000
commite148281b008b6e71f06e26e603e3d3c50377b28a (patch)
treeff6ea55e0827dbb86f63faf337088dcffaa0521c /target/linux/generic-2.6/patches/170-netfilter_chaostables.patch
parente51ca296c7aed056695210b24904177f67bc4246 (diff)
break trunk temporarily - upgrade to 2.6.21.1 and iptables 1.3.7
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@7315 3c298f89-4303-0410-b956-a3cf2f4a3e73
Diffstat (limited to 'target/linux/generic-2.6/patches/170-netfilter_chaostables.patch')
-rw-r--r--target/linux/generic-2.6/patches/170-netfilter_chaostables.patch326
1 files changed, 196 insertions, 130 deletions
diff --git a/target/linux/generic-2.6/patches/170-netfilter_chaostables.patch b/target/linux/generic-2.6/patches/170-netfilter_chaostables.patch
index 46d48a5d0..aa665211b 100644
--- a/target/linux/generic-2.6/patches/170-netfilter_chaostables.patch
+++ b/target/linux/generic-2.6/patches/170-netfilter_chaostables.patch
@@ -1,6 +1,33 @@
-diff -ruN linux-2.6.19.1.orig/include/linux/netfilter/xt_CHAOS.h linux-2.6.19.1/include/linux/netfilter/xt_CHAOS.h
---- linux-2.6.19.1.orig/include/linux/netfilter/xt_CHAOS.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.19.1/include/linux/netfilter/xt_CHAOS.h 2007-01-11 13:28:07.656144799 +0100
+diff -Nur linux-2.6.21.1/include/linux/netfilter/oot_conntrack.h linux-2.6.21.1-owrt/include/linux/netfilter/oot_conntrack.h
+--- linux-2.6.21.1/include/linux/netfilter/oot_conntrack.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.21.1-owrt/include/linux/netfilter/oot_conntrack.h 2007-05-14 14:18:54.000000000 +0200
+@@ -0,0 +1,5 @@
++#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
++# include <linux/netfilter_ipv4/ip_conntrack.h>
++#else /* linux-2.6.20+ */
++# include <net/netfilter/nf_nat_rule.h>
++#endif
+diff -Nur linux-2.6.21.1/include/linux/netfilter/oot_trans.h linux-2.6.21.1-owrt/include/linux/netfilter/oot_trans.h
+--- linux-2.6.21.1/include/linux/netfilter/oot_trans.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.21.1-owrt/include/linux/netfilter/oot_trans.h 2007-05-14 14:18:54.000000000 +0200
+@@ -0,0 +1,14 @@
++/* Out of tree workarounds */
++#include <linux/version.h>
++#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
++# define HAVE_MATCHINFOSIZE 1
++# define HAVE_TARGUSERINFO 1
++# define HAVE_TARGINFOSIZE 1
++#endif
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)
++# define nfmark mark
++#endif
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21)
++# define tcp_v4_check(tcph, tcph_sz, s, d, csp) \
++ tcp_v4_check((tcph_sz), (s), (d), (csp))
++#endif
+diff -Nur linux-2.6.21.1/include/linux/netfilter/xt_CHAOS.h linux-2.6.21.1-owrt/include/linux/netfilter/xt_CHAOS.h
+--- linux-2.6.21.1/include/linux/netfilter/xt_CHAOS.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.21.1-owrt/include/linux/netfilter/xt_CHAOS.h 2007-05-14 14:18:54.000000000 +0200
@@ -0,0 +1,14 @@
+#ifndef _LINUX_XT_CHAOS_H
+#define _LINUX_XT_CHAOS_H 1
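Review bot: Neither of the two new headers has an include guard: oot_conntrack.h and oot_trans.h are pulled into three translation units by this patch, and oot_trans.h defines macros, so a second inclusion in one unit (xt_CHAOS.c already does a textual `#include "find_match.c"`, so nested includes are a real possibility here) would rely on the identical-redefinition rule instead of being a no-op. That rule does make it legal today, so this is a convention point rather than a build break; wrap each header in a guard in the style the patch already uses for xt_CHAOS.h (`#ifndef _LINUX_XT_CHAOS_H` / `#define ... 1` / `#endif`). The self-referential `tcp_v4_check` macro is correct as written because the preprocessor does not re-expand a macro inside its own expansion, but that is surprising enough to deserve a one-line comment such as `/* self-reference is intentional: the expansion is not rescanned for tcp_v4_check */`.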
@@ -16,9 +43,9 @@ diff -ruN linux-2.6.19.1.orig/include/linux/netfilter/xt_CHAOS.h linux-2.6.19.1/
+};
+
+#endif /* _LINUX_XT_CHAOS_H */
-diff -ruN linux-2.6.19.1.orig/include/linux/netfilter/xt_portscan.h linux-2.6.19.1/include/linux/netfilter/xt_portscan.h
---- linux-2.6.19.1.orig/include/linux/netfilter/xt_portscan.h 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.19.1/include/linux/netfilter/xt_portscan.h 2007-01-11 13:28:07.656144799 +0100
+diff -Nur linux-2.6.21.1/include/linux/netfilter/xt_portscan.h linux-2.6.21.1-owrt/include/linux/netfilter/xt_portscan.h
+--- linux-2.6.21.1/include/linux/netfilter/xt_portscan.h 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.21.1-owrt/include/linux/netfilter/xt_portscan.h 2007-05-14 14:18:54.000000000 +0200
@@ -0,0 +1,8 @@
+#ifndef _LINUX_XT_PORTSCAN_H
+#define _LINUX_XT_PORTSCAN_H 1
@@ -28,10 +55,10 @@ diff -ruN linux-2.6.19.1.orig/include/linux/netfilter/xt_portscan.h linux-2.6.19
+};
+
+#endif /* _LINUX_XT_PORTSCAN_H */
-diff -ruN linux-2.6.19.1.orig/net/netfilter/find_match.c linux-2.6.19.1/net/netfilter/find_match.c
---- linux-2.6.19.1.orig/net/netfilter/find_match.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.19.1/net/netfilter/find_match.c 2007-01-11 13:28:12.191994379 +0100
-@@ -0,0 +1,37 @@
+diff -Nur linux-2.6.21.1/net/netfilter/find_match.c linux-2.6.21.1-owrt/net/netfilter/find_match.c
+--- linux-2.6.21.1/net/netfilter/find_match.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.21.1-owrt/net/netfilter/find_match.c 2007-05-14 14:18:54.000000000 +0200
+@@ -0,0 +1,39 @@
+/*
+ xt_request_find_match
+ by Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
@@ -42,7 +69,6 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/find_match.c linux-2.6.19.1/net/netf
+ it under the terms of the GNU General Public License version 2 as
+ published by the Free Software Foundation.
+*/
-+
+#include <linux/err.h>
+#include <linux/netfilter_arp.h>
+#include <linux/socket.h>
@@ -52,7 +78,7 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/find_match.c linux-2.6.19.1/net/netf
+ * Yeah this code is sub-optimal, but the function is missing in
+ * mainline so far. -jengelh
+ */
-+static struct xt_match *xt_request_find_match(int af, const char *name,
++static struct xt_match *xt_request_find_match_lo(int af, const char *name,
+ u8 revision)
+{
+ static const char *const xt_prefix[] = {
@@ -69,10 +95,13 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/find_match.c linux-2.6.19.1/net/netf
+
+ return match;
+}
-diff -ruN linux-2.6.19.1.orig/net/netfilter/Kconfig linux-2.6.19.1/net/netfilter/Kconfig
---- linux-2.6.19.1.orig/net/netfilter/Kconfig 2007-01-11 13:27:24.445577700 +0100
-+++ linux-2.6.19.1/net/netfilter/Kconfig 2007-01-11 13:28:09.092097179 +0100
-@@ -122,6 +122,14 @@
++
++/* In case it goes into mainline, let this out-of-tree package compile */
++#define xt_request_find_match xt_request_find_match_lo
+diff -Nur linux-2.6.21.1/net/netfilter/Kconfig linux-2.6.21.1-owrt/net/netfilter/Kconfig
+--- linux-2.6.21.1/net/netfilter/Kconfig 2007-04-27 23:49:26.000000000 +0200
++++ linux-2.6.21.1-owrt/net/netfilter/Kconfig 2007-05-14 14:30:47.000000000 +0200
+@@ -287,6 +287,14 @@
# alphabetically ordered list of targets
@@ -87,7 +116,7 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/Kconfig linux-2.6.19.1/net/netfilter
config NETFILTER_XT_TARGET_CLASSIFY
tristate '"CLASSIFY" target support'
depends on NETFILTER_XTABLES
-@@ -148,6 +156,14 @@
+@@ -315,6 +323,14 @@
<file:Documentation/modules.txt>. The module will be called
ipt_CONNMARK.o. If unsure, say `N'.
@@ -102,7 +131,7 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/Kconfig linux-2.6.19.1/net/netfilter
config NETFILTER_XT_TARGET_DSCP
tristate '"DSCP" target support'
depends on NETFILTER_XTABLES
-@@ -355,6 +371,14 @@
+@@ -563,6 +579,14 @@
To compile it as a module, choose M here. If unsure, say N.
@@ -117,10 +146,10 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/Kconfig linux-2.6.19.1/net/netfilter
config NETFILTER_XT_MATCH_MULTIPORT
tristate "Multiple port match support"
depends on NETFILTER_XTABLES
-diff -ruN linux-2.6.19.1.orig/net/netfilter/Makefile linux-2.6.19.1/net/netfilter/Makefile
---- linux-2.6.19.1.orig/net/netfilter/Makefile 2007-01-11 13:27:24.445577700 +0100
-+++ linux-2.6.19.1/net/netfilter/Makefile 2007-01-11 13:28:07.656144799 +0100
-@@ -23,8 +23,10 @@
+diff -Nur linux-2.6.21.1/net/netfilter/Makefile linux-2.6.21.1-owrt/net/netfilter/Makefile
+--- linux-2.6.21.1/net/netfilter/Makefile 2007-04-27 23:49:26.000000000 +0200
++++ linux-2.6.21.1-owrt/net/netfilter/Makefile 2007-05-14 14:30:47.000000000 +0200
+@@ -37,8 +37,10 @@
obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
# targets
@@ -131,7 +160,7 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/Makefile linux-2.6.19.1/net/netfilte
obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o
obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
-@@ -47,6 +49,7 @@
+@@ -63,6 +65,7 @@
obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o
obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o
@@ -139,16 +168,17 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/Makefile linux-2.6.19.1/net/netfilte
obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o
obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) += xt_quota.o
obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o
-diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_CHAOS.c linux-2.6.19.1/net/netfilter/xt_CHAOS.c
---- linux-2.6.19.1.orig/net/netfilter/xt_CHAOS.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.19.1/net/netfilter/xt_CHAOS.c 2007-01-11 13:28:14.407920893 +0100
-@@ -0,0 +1,180 @@
+diff -Nur linux-2.6.21.1/net/netfilter/xt_CHAOS.c linux-2.6.21.1-owrt/net/netfilter/xt_CHAOS.c
+--- linux-2.6.21.1/net/netfilter/xt_CHAOS.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.21.1-owrt/net/netfilter/xt_CHAOS.c 2007-05-14 14:36:58.000000000 +0200
+@@ -0,0 +1,204 @@
+/*
-+ CHAOS target for netfilter
++ CHAOS target for netfilter
+
-+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
-+ released under the terms of the GNU General Public
-+ License version 2.x and only versions 2.x.
++ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2006 - 2007
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License version 2 as
++ published by the Free Software Foundation.
+*/
+#include <linux/icmp.h>
+#include <linux/in.h>
@@ -162,14 +192,9 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_CHAOS.c linux-2.6.19.1/net/netfil
+#include <net/ip.h>
+#include <linux/netfilter/xt_CHAOS.h>
+#include "find_match.c"
++#include <linux/netfilter/oot_trans.h>
+#define PFX KBUILD_MODNAME ": "
+
-+/* Out of tree workarounds */
-+#include <linux/version.h>
-+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
-+# define HAVE_TARGUSERINFO 1
-+#endif
-+
+/* Module parameters */
+static unsigned int reject_percentage = ~0U * .01;
+static unsigned int delude_percentage = ~0U * .0101;
@@ -180,6 +205,8 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_CHAOS.c linux-2.6.19.1/net/netfil
+static struct xt_match *xm_tcp;
+static struct xt_target *xt_delude, *xt_reject, *xt_tarpit;
+
++static int have_delude, have_tarpit;
++
+/* Static data for other matches/targets */
+static const struct ipt_reject_info reject_params = {
+ .with = ICMP_HOST_UNREACH,
@@ -226,7 +253,7 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_CHAOS.c linux-2.6.19.1/net/netfil
+ /* Equivalent to:
+ * -A chaos -m statistic --mode random --probability \
+ * $reject_percentage -j REJECT --reject-with host-unreach;
-+ * -A chaos -m statistic --mode random --probability \
++ * -A chaos -p tcp -m statistic --mode random --probability \
+ * $delude_percentage -j DELUDE;
+ * -A chaos -j DROP;
+ */
@@ -249,9 +276,31 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_CHAOS.c linux-2.6.19.1/net/netfil
+ return NF_DROP;
+}
+
++static int xt_chaos_checkentry(const char *tablename, const void *entry,
++ const struct xt_target *target, void *targinfo,
++#ifdef HAVE_TARGINFOSIZE
++ unsigned int targinfosize,
++#endif
++ unsigned int hook_mask)
++{
++ const struct xt_chaos_info *info = targinfo;
++ if(info->variant == XTCHAOS_DELUDE && !have_delude) {
++ printk(KERN_WARNING PFX "Error: Cannot use --delude when "
++ "DELUDE module not available\n");
++ return 0;
++ }
++ if(info->variant == XTCHAOS_TARPIT && !have_tarpit) {
++ printk(KERN_WARNING PFX "Error: Cannot use --tarpit when "
++ "TARPIT module not available\n");
++ return 0;
++ }
++ return 1;
++}
++
+static struct xt_target xt_chaos_info = {
+ .name = "CHAOS",
+ .target = xt_chaos_target,
++ .checkentry = xt_chaos_checkentry,
+ .table = "filter",
+ .targetsize = sizeof(struct xt_chaos_info),
+ .hooks = (1 << NF_IP_LOCAL_IN) | (1 << NF_IP_FORWARD) |
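Review bot: xt_chaos_checkentry only rejects the two variants whose backing target failed to load; any other value of `info->variant` passes validation unchecked and is handled only inside xt_chaos_target, which is outside this hunk. If the target treats an unrecognised variant like the default variant this is harmless, but returning 0 for anything other than the variants the target knows would make the rule-load contract explicit and catch a userspace/kernel mismatch in `struct xt_chaos_info` at insertion time rather than at packet time. The reads of `have_delude` and `have_tarpit` here are safe only because the init hunk further down assigns them before `xt_register_target` is called; a comment above the function, `/* have_delude/have_tarpit are written once in xt_chaos_init before registration, so no locking is needed here */`, records that ordering where a reader will look for it.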
@@ -266,41 +315,43 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_CHAOS.c linux-2.6.19.1/net/netfil
+
+ xm_tcp = xt_request_find_match(AF_INET, "tcp", 0);
+ if(xm_tcp == NULL) {
-+ printk(KERN_WARNING PFX "Could not find \"tcp\" match\n");
++ printk(KERN_WARNING PFX "Error: Could not find or load "
++ "\"tcp\" match\n");
+ return -EINVAL;
+ }
+
+ xt_reject = xt_request_find_target(AF_INET, "REJECT", 0);
+ if(xt_reject == NULL) {
-+ printk(KERN_WARNING PFX "Could not find \"REJECT\" target\n");
++ printk(KERN_WARNING PFX "Error: Could not find or load "
++ "\"REJECT\" target\n");
+ goto out2;
+ }
+
-+ xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0);
-+ if(xt_tarpit == NULL) {
-+ printk(KERN_WARNING PFX "Could not find \"TARPIT\" target\n");
-+ goto out3;
-+ }
++ xt_tarpit = xt_request_find_target(AF_INET, "TARPIT", 0);
++ have_tarpit = xt_tarpit != NULL;
++ if(!have_tarpit)
++ printk(KERN_WARNING PFX "Warning: Could not find or load "
++ "\"TARPIT\" target\n");
+
-+ xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0);
-+ if(xt_delude == NULL) {
-+ printk(KERN_WARNING PFX "Could not find \"DELUDE\" target\n");
-+ goto out4;
-+ }
++ xt_delude = xt_request_find_target(AF_INET, "DELUDE", 0);
++ have_delude = xt_delude != NULL;
++ if(!have_delude)
++ printk(KERN_WARNING PFX "Warning: Could not find or load "
++ "\"DELUDE\" target\n");
+
+ if((ret = xt_register_target(&xt_chaos_info)) != 0) {
+ printk(KERN_WARNING PFX "xt_register_target returned "
+ "error %d\n", ret);
-+ goto out5;
++ goto out3;
+ }
+
+ return 0;
+
-+ out5:
-+ module_put(xt_delude->me);
-+ out4:
-+ module_put(xt_tarpit->me);
+ out3:
++ if(have_delude)
++ module_put(xt_delude->me);
++ if(have_tarpit)
++ module_put(xt_tarpit->me);
+ module_put(xt_reject->me);
+ out2:
+ module_put(xm_tcp->me);
@@ -312,8 +363,10 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_CHAOS.c linux-2.6.19.1/net/netfil
+ xt_unregister_target(&xt_chaos_info);
+ module_put(xm_tcp->me);
+ module_put(xt_reject->me);
-+ module_put(xt_delude->me);
-+ module_put(xt_tarpit->me);
++ if(have_delude)
++ module_put(xt_delude->me);
++ if(have_tarpit)
++ module_put(xt_tarpit->me);
+ return;
+}
+
@@ -323,26 +376,28 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_CHAOS.c linux-2.6.19.1/net/netfil
+MODULE_DESCRIPTION("netfilter CHAOS target");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_CHAOS");
-diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_DELUDE.c linux-2.6.19.1/net/netfilter/xt_DELUDE.c
---- linux-2.6.19.1.orig/net/netfilter/xt_DELUDE.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.19.1/net/netfilter/xt_DELUDE.c 2007-01-11 13:28:07.656144799 +0100
-@@ -0,0 +1,265 @@
+diff -Nur linux-2.6.21.1/net/netfilter/xt_DELUDE.c linux-2.6.21.1-owrt/net/netfilter/xt_DELUDE.c
+--- linux-2.6.21.1/net/netfilter/xt_DELUDE.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.21.1-owrt/net/netfilter/xt_DELUDE.c 2007-05-14 14:53:12.000000000 +0200
+@@ -0,0 +1,288 @@
+/*
-+ DELUDE target
-+ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2007
++ DELUDE target
++ Copyright © Jan Engelhardt <jengelh [at] gmx de>, 2007
+
-+ Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
-+ (C) 1999-2001 Paul `Rusty' Russell
-+ (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
++ Based upon linux-2.6.18.5/net/ipv4/netfilter/ipt_REJECT.c:
++ (C) 1999-2001 Paul `Rusty' Russell
++ (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License version 2 as
-+ published by the Free Software Foundation.
-+*/
++ xt_DELUDE acts like REJECT, but does reply with SYN-ACK on SYN.
+
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License version 2 as
++ published by the Free Software Foundation.
++*/
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
++#include <linux/random.h>
+#include <linux/tcp.h>
+#include <linux/udp.h>
+#include <linux/icmp.h>
@@ -353,20 +408,11 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_DELUDE.c linux-2.6.19.1/net/netfi
+#include <net/dst.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#ifdef CONFIG_BRIDGE_NETFILTER
-+#include <linux/netfilter_bridge.h>
++# include <linux/netfilter_bridge.h>
+#endif
++#include <linux/netfilter/oot_trans.h>
+#define PFX KBUILD_MODNAME ": "
+
-+/* Out of tree workarounds */
-+#include <linux/version.h>
-+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
-+# define HAVE_TARGINFOSIZE 1
-+# define HAVE_TARGUSERINFO 1
-+#endif
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)
-+# define nfmark mark
-+#endif
-+
+static inline struct rtable *route_reverse(struct sk_buff *skb,
+ struct tcphdr *tcph, int hook)
+{
@@ -430,10 +476,10 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_DELUDE.c linux-2.6.19.1/net/netfi
+ struct sk_buff *nskb;
+ struct iphdr *iph = oldskb->nh.iph;
+ struct tcphdr _otcph, *oth, *tcph;
-+ struct rtable *rt;
-+ u_int16_t tmp_port;
-+ u_int32_t tmp_addr;
-+ int hh_len;
++ __be16 tmp_port;
++ __be32 tmp_addr;
++ int needs_ack;
++ unsigned int addr_type;
+
+ /* IP header checks: fragment. */
+ if (oldskb->nh.iph->frag_off & htons(IP_OFFSET))
@@ -442,39 +488,33 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_DELUDE.c linux-2.6.19.1/net/netfi
+ oth = skb_header_pointer(oldskb, oldskb->nh.iph->ihl * 4,
+ sizeof(_otcph), &_otcph);
+ if (oth == NULL)
-+ return;
++ return;
+
-+ /* DELUDE only answers SYN. */
-+ if(!oth->syn || oth->ack || oth->fin || oth->rst)
++ /* No RST for RST. */
++ if (oth->rst)
+ return;
+
+ /* Check checksum */
+ if (nf_ip_checksum(oldskb, hook, iph->ihl * 4, IPPROTO_TCP))
+ return;
+
-+ if ((rt = route_reverse(oldskb, oth, hook)) == NULL)
-+ return;
-+
-+ hh_len = LL_RESERVED_SPACE(rt->u.dst.dev);
-+
+ /* We need a linear, writeable skb. We also need to expand
+ headroom in case hh_len of incoming interface < hh_len of
+ outgoing interface */
-+ nskb = skb_copy_expand(oldskb, hh_len, skb_tailroom(oldskb),
++ nskb = skb_copy_expand(oldskb, LL_MAX_HEADER, skb_tailroom(oldskb),
+ GFP_ATOMIC);
-+ if (!nskb) {
-+ dst_release(&rt->u.dst);
++ if (!nskb)
+ return;
-+ }
-+
-+ dst_release(nskb->dst);
-+ nskb->dst = &rt->u.dst;
+
+ /* This packet will not be the same as the other: clear nf fields */
+ nf_reset(nskb);
+ nskb->nfmark = 0;
+ skb_init_secmark(nskb);
+
++ skb_shinfo(nskb)->gso_size = 0;
++ skb_shinfo(nskb)->gso_segs = 0;
++ skb_shinfo(nskb)->gso_type = 0;
++
+ tcph = (struct tcphdr *)((u_int32_t*)nskb->nh.iph + nskb->nh.iph->ihl);
+
+ /* Swap source and dest */
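Review bot: With the `route_reverse` call removed here (routing is now done by `ip_route_me_harder` later in the function), the `static inline struct rtable *route_reverse(...)` definition that survives as context in the preceding hunk appears to have no caller left; `static inline` suppresses the unused-function warning, so it will linger as dead code unless it is still used somewhere in xt_DELUDE.c outside the visible hunks. If it is not, drop the definition in this same commit. The replacement of the SYN-only early return with `if (oth->rst) return;` also widens the target from answering SYNs to answering every non-RST segment; the comment `/* No RST for RST. */` describes the guard but not that widening, so a sentence like `/* SYN gets a SYN-ACK, anything else (except RST) gets a RST; see below */` would make the new behaviour explicit at the point where it is decided. The enclosing function continues past this hunk.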
@@ -490,12 +530,34 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_DELUDE.c linux-2.6.19.1/net/netfi
+ skb_trim(nskb, nskb->nh.iph->ihl*4 + sizeof(struct tcphdr));
+ nskb->nh.iph->tot_len = htons(nskb->len);
+
-+ tcph->seq = oth->ack_seq;
-+ tcph->ack_seq = 0;
++ if(oth->syn && !oth->ack && !oth->rst && !oth->fin) {
++ /* DELUDE essential part */
++ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
++ oldskb->len - oldskb->nh.iph->ihl * 4 -
++ (oth->doff << 2));
++ tcph->seq = htonl(secure_tcp_sequence_number(
++ nskb->nh.iph->saddr, nskb->nh.iph->daddr,
++ tcph->source, tcph->dest));
++ tcph->ack = 1;
++ } else {
++ if(!tcph->ack) {
++ needs_ack = 1;
++ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin
++ + oldskb->len - oldskb->nh.iph->ihl*4
++ - (oth->doff<<2));
++ tcph->seq = 0;
++ } else {
++ needs_ack = 0;
++ tcph->seq = oth->ack_seq;
++ tcph->ack_seq = 0;
++ }
++
++ /* Reset flags */
++ ((u_int8_t *)tcph)[13] = 0;
++ tcph->rst = 1;
++ tcph->ack = needs_ack;
++ }
+
-+ /* Reset flags */
-+ ((u_int8_t *)tcph)[13] = 0;
-+ tcph->syn = tcph->ack = 1;
+
+ tcph->window = 0;
+ tcph->urg_ptr = 0;
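Review bot: The SYN branch never clears the inherited TCP flag byte: the else branch zeroes `((u_int8_t *)tcph)[13]` before setting RST/ACK, but the SYN-ACK path only sets `tcph->ack = 1` on top of whatever flags were copied from the incoming SYN, so PSH, URG, CWR or ECE bits present on the original segment (an ECN-setup SYN carries CWR|ECE) are echoed back in the reply, and URG stays set even though `urg_ptr` is zeroed just below. Mirror the else branch: `((u_int8_t *)tcph)[13] = 0; tcph->syn = 1; tcph->ack = 1;`. The `ack_seq` expression is also duplicated verbatim in both branches and could be computed once into a local above the `if`, which would remove the risk of the two copies drifting apart. The function's remainder continues in the next hunk.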
@@ -508,12 +570,26 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_DELUDE.c linux-2.6.19.1/net/netfi
+ csum_partial((char *)tcph,
+ sizeof(struct tcphdr), 0));
+
-+ /* Adjust IP TTL, DF */
-+ nskb->nh.iph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
+ /* Set DF, id = 0 */
+ nskb->nh.iph->frag_off = htons(IP_DF);
+ nskb->nh.iph->id = 0;
+
++ addr_type = RTN_UNSPEC;
++ if (hook != NF_IP_FORWARD
++#ifdef CONFIG_BRIDGE_NETFILTER
++ || (nskb->nf_bridge && nskb->nf_bridge->mask & BRNF_BRIDGED)
++#endif
++ )
++ addr_type = RTN_LOCAL;
++
++ if (ip_route_me_harder(&nskb, addr_type))
++ goto free_nskb;
++
++ nskb->ip_summed = CHECKSUM_NONE;
++
++ /* Adjust IP TTL */
++ nskb->nh.iph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
++
+ /* Adjust IP checksum */
+ nskb->nh.iph->check = 0;
+ nskb->nh.iph->check = ip_fast_csum((unsigned char *)nskb->nh.iph,
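Review bot: `ip_route_me_harder(&nskb, addr_type)` may replace `nskb` with a reallocated skb when the selected output device needs more headroom, so the `tcph` pointer derived earlier from `nskb->nh.iph` must not be reused after this call. The lines visible here re-derive everything from `nskb->nh.iph`, which is correct, and the TCP checksum is already finalised in the context just above, so only the IP header is touched afterwards. If anything in the function's tail (outside this hunk) still dereferences `tcph`, it should be recomputed from the new `nskb`. A short comment at the call site, `/* may reallocate nskb; do not reuse tcph below this point */`, would make that constraint visible to the next editor.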
@@ -531,7 +607,6 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_DELUDE.c linux-2.6.19.1/net/netfi
+
+ free_nskb:
+ kfree_skb(nskb);
-+ return;
+}
+
+static unsigned int xt_delude_target(struct sk_buff **pskb,
@@ -589,19 +664,21 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_DELUDE.c linux-2.6.19.1/net/netfi
+
+module_init(xt_delude_init);
+module_exit(xt_delude_exit);
-+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@gmx.de>");
+MODULE_DESCRIPTION("netfilter DELUDE target");
-diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_portscan.c linux-2.6.19.1/net/netfilter/xt_portscan.c
---- linux-2.6.19.1.orig/net/netfilter/xt_portscan.c 1970-01-01 01:00:00.000000000 +0100
-+++ linux-2.6.19.1/net/netfilter/xt_portscan.c 2007-01-11 13:28:14.407920893 +0100
-@@ -0,0 +1,282 @@
++MODULE_LICENSE("GPL");
++MODULE_ALIAS("ipt_DELUDE");
+diff -Nur linux-2.6.21.1/net/netfilter/xt_portscan.c linux-2.6.21.1-owrt/net/netfilter/xt_portscan.c
+--- linux-2.6.21.1/net/netfilter/xt_portscan.c 1970-01-01 01:00:00.000000000 +0100
++++ linux-2.6.21.1-owrt/net/netfilter/xt_portscan.c 2007-05-14 14:37:35.000000000 +0200
+@@ -0,0 +1,272 @@
+/*
-+ portscan match for netfilter
++ portscan match for netfilter
+
-+ Written by Jan Engelhardt, 2006 - 2007
-+ released under the terms of the GNU General Public
-+ License version 2.x and only versions 2.x.
++ Written by Jan Engelhardt, 2006 - 2007
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License version 2 as
++ published by the Free Software Foundation.
+*/
+#include <linux/in.h>
+#include <linux/ip.h>
@@ -614,22 +691,11 @@ diff -ruN linux-2.6.19.1.orig/net/netfilter/xt_portscan.c linux-2.6.19.1/net/net
+#include <linux/version.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_tcpudp.h>
-+#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
-+# include <linux/netfilter_ipv4/ip_conntrack.h>
-+#else /* linux-2.6.20+ */
-+# include <net/netfilter/nf_nat_rule.h>
-+#endif
++#include <linux/netfilter/oot_conntrack.h>
+#include <linux/netfilter/xt_portscan.h>
++#include <linux/netfilter/oot_trans.h>
+#define PFX KBUILD_MODNAME ": "
+
-+/* Out of tree workarounds */
-+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 18)
-+# define HAVE_MATCHINFOSIZE 1
-+#endif
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 20)
-+# define nfmark mark
-+#endif
-+
+enum {
+ TCP_FLAGS_ALL3 = TCP_FLAG_FIN | TCP_FLAG_RST | TCP_FLAG_SYN,
+ TCP_FLAGS_ALL4 = TCP_FLAGS_ALL3 | TCP_FLAG_ACK,