aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/utils/iptables
diff options
context:
space:
mode:
Diffstat (limited to 'package/network/utils/iptables')
-rw-r--r--package/network/utils/iptables/Makefile475
-rw-r--r--package/network/utils/iptables/files/l7/aim.pat28
-rw-r--r--package/network/utils/iptables/files/l7/bittorrent.pat25
-rw-r--r--package/network/utils/iptables/files/l7/edonkey.pat37
-rw-r--r--package/network/utils/iptables/files/l7/fasttrack.pat23
-rw-r--r--package/network/utils/iptables/files/l7/ftp.pat46
-rw-r--r--package/network/utils/iptables/files/l7/gnutella.pat34
-rw-r--r--package/network/utils/iptables/files/l7/http.pat28
-rw-r--r--package/network/utils/iptables/files/l7/ident.pat15
-rw-r--r--package/network/utils/iptables/files/l7/irc.pat20
-rw-r--r--package/network/utils/iptables/files/l7/jabber.pat24
-rw-r--r--package/network/utils/iptables/files/l7/msnmessenger.pat28
-rw-r--r--package/network/utils/iptables/files/l7/ntp.pat17
-rw-r--r--package/network/utils/iptables/files/l7/pop3.pat50
-rw-r--r--package/network/utils/iptables/files/l7/smtp.pat40
-rw-r--r--package/network/utils/iptables/files/l7/ssl.pat16
-rw-r--r--package/network/utils/iptables/files/l7/vnc.pat23
-rw-r--r--package/network/utils/iptables/patches/002-layer7_2.22.patch371
-rw-r--r--package/network/utils/iptables/patches/009-table-alignment.patch11
-rw-r--r--package/network/utils/iptables/patches/010-multiport-linux-2.4-compat.patch265
-rw-r--r--package/network/utils/iptables/patches/011-recent-add-reap.patch116
-rw-r--r--package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch18
-rw-r--r--package/network/utils/iptables/patches/030-no-libnfnetlink.patch92
-rw-r--r--package/network/utils/iptables/patches/100-bash-location.patch16
-rw-r--r--package/network/utils/iptables/patches/110-linux_3.2_compat.patch12
-rw-r--r--package/network/utils/iptables/patches/200-configurable_builtin.patch56
26 files changed, 1886 insertions, 0 deletions
diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile
new file mode 100644
index 0000000000..ff7d428215
--- /dev/null
+++ b/package/network/utils/iptables/Makefile
@@ -0,0 +1,475 @@
+#
+# Copyright (C) 2006-2012 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=iptables
+PKG_VERSION:=1.4.10
+PKG_RELEASE:=4
+
+PKG_MD5SUM:=f382fe693f0b59d87bd47bea65eca198
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_SOURCE_URL:=http://www.netfilter.org/projects/iptables/files \
+ ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \
+ ftp://ftp.de.netfilter.org/pub/netfilter/iptables/ \
+ ftp://ftp.no.netfilter.org/pub/netfilter/iptables/
+
+PKG_FIXUP:=autoreconf
+PKG_INSTALL:=1
+PKG_BUILD_PARALLEL:=1
+
+ifneq ($(CONFIG_EXTERNAL_KERNEL_TREE),"")
+PATCH_DIR:=
+endif
+
+include $(INCLUDE_DIR)/package.mk
+ifeq ($(DUMP),)
+ -include $(LINUX_DIR)/.config
+ include $(INCLUDE_DIR)/netfilter.mk
+ STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell $(SH_FUNC) grep 'NETFILTER' $(LINUX_DIR)/.config | md5s)
+endif
+
+
+define Package/iptables/Default
+ SECTION:=net
+ CATEGORY:=Network
+ SUBMENU:=Firewall
+ URL:=http://netfilter.org/
+endef
+
+define Package/iptables/Module
+$(call Package/iptables/Default)
+ DEPENDS:=iptables $(1)
+endef
+
+define Package/iptables
+$(call Package/iptables/Default)
+ TITLE:=IPv4 firewall administration tool
+ MENU:=1
+ DEPENDS+= +kmod-ipt-core +libip4tc +libxtables
+endef
+
+define Package/iptables/description
+IPv4 firewall administration tool.
+
+ Matches:
+ - icmp
+ - tcp
+ - udp
+ - comment
+ - limit
+ - mac
+ - multiport
+
+ Targets:
+ - ACCEPT
+ - DROP
+ - REJECT
+ - LOG
+ - TCPMSS
+
+ Tables:
+ - filter
+ - mangle
+
+endef
+
+define Package/iptables-mod-conntrack-extra
+$(call Package/iptables/Module, +kmod-ipt-conntrack-extra)
+ TITLE:=Extra connection tracking extensions
+endef
+
+define Package/iptables-mod-conntrack-extra/description
+Extra iptables extensions for connection tracking.
+
+ Matches:
+ - connbytes
+ - connmark
+ - recent
+ - helper
+
+ Targets:
+ - CONNMARK
+
+endef
+
+define Package/iptables-mod-filter
+$(call Package/iptables/Module, +kmod-ipt-filter)
+ TITLE:=Content inspection extensions
+endef
+
+define Package/iptables-mod-filter/description
+iptables extensions for packet content inspection.
+Includes support for:
+
+ Matches:
+ - layer7
+ - string
+
+endef
+
+define Package/iptables-mod-ipopt
+$(call Package/iptables/Module, +kmod-ipt-ipopt)
+ TITLE:=IP/Packet option extensions
+endef
+
+define Package/iptables-mod-ipopt/description
+iptables extensions for matching/changing IP packet options.
+
+ Matches:
+ - dscp
+ - ecn
+ - length
+ - mark
+ - statistic
+ - tcpmss
+ - time
+ - unclean
+ - hl
+
+ Targets:
+ - DSCP
+ - CLASSIFY
+ - ECN
+ - MARK
+ - HL
+
+endef
+
+define Package/iptables-mod-ipsec
+$(call Package/iptables/Module, +kmod-ipt-ipsec)
+ TITLE:=IPsec extensions
+endef
+
+define Package/iptables-mod-ipsec/description
+iptables extensions for matching ipsec traffic.
+
+ Matches:
+ - ah
+ - esp
+ - policy
+
+endef
+
+define Package/iptables-mod-ipset
+$(call Package/iptables/Module,)
+ TITLE:=IPset iptables extensions
+endef
+
+define Package/iptables-mod-ipset/description
+IPset iptables extensions.
+
+ Matches:
+ - set
+
+ Targets:
+ - SET
+
+endef
+
+define Package/iptables-mod-nat-extra
+$(call Package/iptables/Module, +kmod-ipt-nat-extra)
+ TITLE:=Extra NAT extensions
+endef
+
+define Package/iptables-mod-nat-extra/description
+iptables extensions for extra NAT targets.
+
+ Targets:
+ - MIRROR
+ - NETMAP
+ - REDIRECT
+endef
+
+define Package/iptables-mod-ulog
+$(call Package/iptables/Module, +kmod-ipt-ulog)
+ TITLE:=user-space packet logging
+endef
+
+define Package/iptables-mod-ulog/description
+iptables extensions for user-space packet logging.
+
+ Targets:
+ - ULOG
+
+endef
+
+define Package/iptables-mod-hashlimit
+$(call Package/iptables/Module, +kmod-ipt-hashlimit)
+ TITLE:=hashlimit matching
+endef
+
+define Package/iptables-mod-hashlimit/description
+iptables extensions for hashlimit matching
+
+ Matches:
+ - hashlimit
+
+endef
+
+define Package/iptables-mod-iprange
+$(call Package/iptables/Module, +kmod-ipt-iprange)
+ TITLE:=IP range extension
+endef
+
+define Package/iptables-mod-iprange/description
+iptables extensions for matching ip ranges.
+
+ Matches:
+ - iprange
+
+endef
+
+define Package/iptables-mod-extra
+$(call Package/iptables/Module, +kmod-ipt-extra)
+ TITLE:=Other extra iptables extensions
+endef
+
+define Package/iptables-mod-extra/description
+Other extra iptables extensions.
+
+ Matches:
+ - condition
+ - owner
+ - physdev (if ebtables is enabled)
+ - pkttype
+ - quota
+
+endef
+
+define Package/iptables-mod-led
+$(call Package/iptables/Module, +kmod-ipt-led)
+ TITLE:=LED trigger iptables extension
+endef
+
+define Package/iptables-mod-led/description
+iptables extension for triggering a LED.
+
+ Targets:
+ - LED
+
+endef
+
+define Package/iptables-mod-tproxy
+$(call Package/iptables/Module, +kmod-ipt-tproxy)
+ TITLE:=Transparent proxy iptables extensions
+endef
+
+define Package/iptables-mod-tproxy/description
+Transparent proxy iptables extensions.
+
+ Matches:
+ - socket
+
+ Targets:
+ - TPROXY
+
+endef
+
+define Package/iptables-mod-tee
+$(call Package/iptables/Module, +kmod-ipt-tee)
+ TITLE:=TEE iptables extensions
+endef
+
+define Package/iptables-mod-tee/description
+TEE iptables extensions.
+
+ Targets:
+ - TEE
+
+endef
+
+define Package/iptables-mod-u32
+$(call Package/iptables/Module, +kmod-ipt-u32)
+ TITLE:=U32 iptables extensions
+endef
+
+define Package/iptables-mod-u32/description
+U32 iptables extensions.
+
+ Matches:
+ - u32
+
+endef
+
+define Package/ip6tables
+$(call Package/iptables/Default)
+ DEPENDS:=+kmod-ip6tables +libip6tc +libxtables
+ CATEGORY:=IPv6
+ TITLE:=IPv6 firewall administration tool
+ MENU:=1
+endef
+
+define Package/libiptc
+$(call Package/iptables/Default)
+ SECTION:=libs
+ CATEGORY:=Libraries
+ DEPENDS:=+libip4tc +libip6tc
+ TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
+endef
+
+define Package/libip4tc
+$(call Package/iptables/Default)
+ SECTION:=libs
+ CATEGORY:=Libraries
+ TITLE:=IPv4 firewall - shared libiptc library
+endef
+
+define Package/libip6tc
+$(call Package/iptables/Default)
+ SECTION:=libs
+ CATEGORY:=Libraries
+ TITLE:=IPv6 firewall - shared libiptc library
+endef
+
+define Package/libxtables
+ $(call Package/iptables/Default)
+ SECTION:=libs
+ CATEGORY:=Libraries
+ TITLE:=IPv4/IPv6 firewall - shared xtables library
+endef
+
+define Package/libipq
+ $(call Package/iptables/Default)
+ SECTION:=libs
+ CATEGORY:=Libraries
+ TITLE:=IPv4/IPv6 firewall - shared libipq library
+endef
+
+TARGET_CPPFLAGS := \
+ -I$(PKG_BUILD_DIR)/include \
+ -I$(LINUX_DIR)/user_headers/include \
+ $(TARGET_CPPFLAGS)
+
+TARGET_CFLAGS += \
+ -I$(PKG_BUILD_DIR)/include \
+ -I$(LINUX_DIR)/user_headers/include
+
+CONFIGURE_ARGS += \
+ --enable-shared \
+ --enable-devel \
+ $(if $(CONFIG_IPV6),--enable-ipv6,--disable-ipv6) \
+ --enable-libipq \
+ --with-kernel="$(LINUX_DIR)/user_headers" \
+ --with-xtlibdir=/usr/lib/iptables \
+ --enable-static
+
+MAKE_FLAGS := \
+ $(TARGET_CONFIGURE_OPTS) \
+ COPT_FLAGS="$(TARGET_CFLAGS)" \
+ KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \
+ KBUILD_OUTPUT="$(LINUX_DIR)" \
+ BUILTIN_MODULES="$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m)))"
+
+define Build/InstallDev
+ $(INSTALL_DIR) $(1)/usr/include
+ $(INSTALL_DIR) $(1)/usr/include/iptables
+ $(INSTALL_DIR) $(1)/usr/include/net/netfilter
+
+ # XXX: iptables header fixup, some headers are not installed by iptables anymore
+ $(CP) $(PKG_BUILD_DIR)/include/net/netfilter/*.h $(1)/usr/include/net/netfilter/
+ $(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
+ $(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
+ $(CP) $(PKG_BUILD_DIR)/include/libipq/libipq.h $(1)/usr/include/
+ $(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
+ $(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/
+
+ $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libipq.so* $(1)/usr/lib/
+ $(INSTALL_DIR) $(1)/usr/lib/pkgconfig
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libiptc.pc $(1)/usr/lib/pkgconfig/
+endef
+
+define Package/iptables/install
+ $(INSTALL_DIR) $(1)/usr/sbin
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/iptables $(1)/usr/sbin/
+ $(LN) iptables $(1)/usr/sbin/iptables-save
+ $(LN) iptables $(1)/usr/sbin/iptables-restore
+ $(INSTALL_DIR) $(1)/usr/lib/iptables
+endef
+
+define Package/ip6tables/install
+ $(INSTALL_DIR) $(1)/usr/sbin
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables $(1)/usr/sbin/
+ $(LN) ip6tables $(1)/usr/sbin/ip6tables-save
+ $(LN) ip6tables $(1)/usr/sbin/ip6tables-restore
+ $(INSTALL_DIR) $(1)/usr/lib/iptables
+ (cd $(PKG_INSTALL_DIR)/usr/lib/iptables ; \
+ $(CP) libip6t_*.so $(1)/usr/lib/iptables/ \
+ )
+endef
+
+define Package/libiptc/install
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libiptc.so* $(1)/usr/lib/
+endef
+
+define Package/libip4tc/install
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
+endef
+
+define Package/libip6tc/install
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
+endef
+
+define Package/libxtables/install
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
+endef
+
+define Package/libipq/install
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libipq.so* $(1)/usr/lib/
+endef
+
+define BuildPlugin
+ define Package/$(1)/install
+ $(INSTALL_DIR) $$(1)/usr/lib/iptables
+ for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)); do \
+ if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
+ fi; \
+ done
+ $(3)
+ endef
+
+ $$(eval $$(call BuildPackage,$(1)))
+endef
+
+L7_INSTALL:=\
+ $(INSTALL_DIR) $$(1)/etc/l7-protocols; \
+ $(CP) files/l7/*.pat $$(1)/etc/l7-protocols/
+
+
+$(eval $(call BuildPackage,iptables))
+$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
+$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
+$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m),$(L7_INSTALL)))
+$(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
+$(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
+$(eval $(call BuildPlugin,iptables-mod-ipset,ipt_set ipt_SET))
+$(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
+$(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
+$(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))
+$(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m)))
+$(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
+$(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
+$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
+$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
+$(eval $(call BuildPackage,ip6tables))
+$(eval $(call BuildPackage,libiptc))
+$(eval $(call BuildPackage,libip4tc))
+$(eval $(call BuildPackage,libip6tc))
+$(eval $(call BuildPackage,libxtables))
+$(eval $(call BuildPackage,libipq))
diff --git a/package/network/utils/iptables/files/l7/aim.pat b/package/network/utils/iptables/files/l7/aim.pat
new file mode 100644
index 0000000000..5c43930fd3
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/aim.pat
@@ -0,0 +1,28 @@
+# AIM - AOL instant messenger (OSCAR and TOC)
+# Pattern attributes: good slow notsofast
+# Protocol groups: chat proprietary
+# Wiki: http://www.protocolinfo.org/wiki/AIM
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 5190
+#
+# This may also match ICQ traffic.
+#
+# This pattern has been tested and is believed to work well.
+
+aim
+# See http://gridley.res.carleton.edu/~straitm/final (and various other places)
+# The first bit matches OSCAR signon and data commands, but not sure what
+# \x03\x0b matches, but it works apparently.
+# The next three bits match various parts of the TOC signon process.
+# The third one is the magic number "*", then 0x01 for "signon", then up to four
+# bytes ("up to" because l7-filter strips out nulls) which contain a sequence
+# number (2 bytes) the data length (2 more) and 3 nulls (which don't count),
+# then 0x01 for the version number (not sure if there ever has been another
+# version)
+# The fourth one is a command string, followed by some stuff, then the
+# beginning of the "roasted" password
+
+# This pattern is too slow!
+
+^(\*[\x01\x02].*\x03\x0b|\*\x01.?.?.?.?\x01)|flapon|toc_signon.*0x
diff --git a/package/network/utils/iptables/files/l7/bittorrent.pat b/package/network/utils/iptables/files/l7/bittorrent.pat
new file mode 100644
index 0000000000..4a3ba88d58
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/bittorrent.pat
@@ -0,0 +1,25 @@
+# Bittorrent - P2P filesharing / publishing tool - http://www.bittorrent.com
+# Pattern attributes: good slow594 notsofast undermatch
+# Protocol groups: p2p open_source
+# Wiki: http://www.protocolinfo.org/wiki/Bittorrent
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested and is believed to work well.
+# It will, however, not work on bittorrent streams that are encrypted, since
+# it's impossible to match (well) encrypted data.
+
+bittorrent
+
+# Does not attempt to match the HTTP download of the tracker
+# 0x13 is the length of "bittorrent protocol"
+# Second two bits match UDP wierdness
+# Next bit matches something Azureus does
+# Ditto on the next bit. Could also match on "user-agent: azureus", but that's in the next
+# packet and perhaps this will match multiple clients.
+# bitcomet-specific strings contributed by liangjun.
+
+# This is not a valid GNU basic regular expression (but that's ok).
+^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]
+
+# This pattern is "fast", but won't catch as much
+#^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=)
diff --git a/package/network/utils/iptables/files/l7/edonkey.pat b/package/network/utils/iptables/files/l7/edonkey.pat
new file mode 100644
index 0000000000..75807f8ebb
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/edonkey.pat
@@ -0,0 +1,37 @@
+# eDonkey2000 - P2P filesharing - http://edonkey2000.com and others
+# Pattern attributes: good veryfast fast overmatch
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/EDonkey
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Tested recently (April/May 2006) with eMule 0.47a and eDonkey2000 1.4
+# and a long time ago with something else.
+#
+# In addition to matching what you might expect, this matches much of
+# what eMule does when you tell it to only connect to the KAD network.
+# I don't quite know what to make of this.
+
+# Thanks to Matt Skidmore <fox AT woozle.org>
+
+edonkey
+
+# http://gd.tuwien.ac.at/opsys/linux/sf/p/pdonkey/eDonkey-protocol-0.6
+#
+# In addition to \xe3, \xc5 and \xd4, I see a lot of \xe5.
+# As of April 2006, I also see some \xe4.
+#
+# God this is a mess. What an irritating protocol.
+# This will match about 2% of streams with random data in them!
+# (But fortunately much fewer than 2% of streams that are other protocols.
+# You can test this with the data in ../testing/)
+
+^[\xc5\xd4\xe3-\xe5].?.?.?.?([\x01\x02\x05\x14\x15\x16\x18\x19\x1a\x1b\x1c\x20\x21\x32\x33\x34\x35\x36\x38\x40\x41\x42\x43\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58[\x60\x81\x82\x90\x91\x93\x96\x97\x98\x99\x9a\x9b\x9c\x9e\xa0\xa1\xa2\xa3\xa4]|\x59................?[ -~]|\x96....$)
+
+# matches everything and too much
+# ^(\xe3|\xc5|\xd4)
+
+# ipp2p essentially uses "\xe3....\x47", which doesn't seem at all right to me.
+
+# bandwidtharbitrator uses
+# e0.*@.*6[a-z].*p$|e0.*@.*[a-z]6[a-z].*p0$|e.*@.*[0-9]6.*p$|emule|edonkey
+# no comments to explain what all the mush is, of course...
diff --git a/package/network/utils/iptables/files/l7/fasttrack.pat b/package/network/utils/iptables/files/l7/fasttrack.pat
new file mode 100644
index 0000000000..6ed8ff1d13
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/fasttrack.pat
@@ -0,0 +1,23 @@
+# FastTrack - P2P filesharing (Kazaa, Morpheus, iMesh, Grokster, etc)
+# Pattern attributes: good slow notsofast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/Fasttrack
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Tested with Kazaa Lite Resurrection 0.0.7.6F
+#
+# This appears to match the download connections well, but not the search
+# connections (I think they are encrypted :-( ).
+
+fasttrack
+# while this is a valid http request, this will be caught because
+# the http pattern matches the response (and therefore the next packet)
+# Even so, it's best to put this match earlier in the chain.
+# http://cvs.berlios.de/cgi-bin/viewcvs.cgi/gift-fasttrack/giFT-FastTrack/PROTOCOL?rev=HEAD&content-type=text/vnd.viewcvs-markup
+
+# This pattern is kinda slow, but not too bad.
+^get (/.download/[ -~]*|/.supernode[ -~]|/.status[ -~]|/.network[ -~]*|/.files|/.hash=[0-9a-f]*/[ -~]*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]?
+
+# This isn't much faster:
+#^get (/.download/.*|/.supernode.|/.status.|/.network.*|/.files|/.hash=[0-9a-f]*/.*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]?
+
diff --git a/package/network/utils/iptables/files/l7/ftp.pat b/package/network/utils/iptables/files/l7/ftp.pat
new file mode 100644
index 0000000000..44d97c467b
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/ftp.pat
@@ -0,0 +1,46 @@
+# FTP - File Transfer Protocol - RFC 959
+# Pattern attributes: great notsofast fast
+# Protocol groups: document_retrieval ietf_internet_standard
+# Wiki: http://protocolinfo.org/wiki/FTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 21. Note that the data stream is on a dynamically
+# assigned port, which means that you will need the FTP connection
+# tracking module in your kernel to usefully match FTP data transfers.
+#
+# This pattern is well tested.
+#
+# Handles the first two things a server should say:
+#
+# First, the server says it's ready by sending "220". Most servers say
+# something after 220, even though they don't have to, and it usually
+# includes the string "ftp" (l7-filter is case insensitive). This
+# includes proftpd, vsftpd, wuftpd, warftpd, pureftpd, Bulletproof FTP
+# Server, and whatever ftp.microsoft.com uses. Almost all servers use only
+# ASCII printable characters between the "220" and the "FTP", but non-English
+# ones might use others.
+#
+# The next thing the server sends is a 331. All the above servers also
+# send something including "password" after this code. By default, we
+# do not match on this because it takes another packet and is more work
+# for regexec.
+
+ftp
+# by default, we allow only ASCII
+^220[\x09-\x0d -~]*ftp
+
+# This covers UTF-8 as well
+#^220[\x09-\x0d -~\x80-\xfd]*ftp
+
+# This allows any characters and is about 4x faster than either of the above
+# (which are about the same as each other)
+#^220.*ftp
+
+# This is much slower
+#^220[\x09-\x0d -~]*ftp|331[\x09-\x0d -~]*password
+
+# This pattern is more precise, but takes longer to match. (3 packets vs. 1)
+#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a331
+
+# same as above, but slightly less precise and only takes 2 packets.
+#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a
diff --git a/package/network/utils/iptables/files/l7/gnutella.pat b/package/network/utils/iptables/files/l7/gnutella.pat
new file mode 100644
index 0000000000..770ed43b36
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/gnutella.pat
@@ -0,0 +1,34 @@
+# Gnutella - P2P filesharing
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: p2p open_source
+# Wiki: http://www.protocolinfo.org/wiki/Gnutella
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This should match both Gnutella and "Gnutella2" ("Mike's protocol")
+#
+# Various clients use this protocol including Mactella, Shareaza,
+# GTK-gnutella, Gnucleus, Gnotella, LimeWire, iMesh and BearShare.
+#
+# This is tested with gtk-gnutella and Shareaza.
+
+# http://www.gnutella2.com/tiki-index.php?page=UDP%20Transceiver
+# http://rfc-gnutella.sf.net/
+# http://www.gnutella2.com/tiki-index.php?page=Gnutella2%20Specification
+# http://en.wikipedia.org/wiki/Shareaza
+
+gnutella
+
+# The first part matches UDP messages - All start with "GND", then have
+# a flag byte which is either \x00, \x01 or \x02, then two sequence bytes
+# that can be anything, then a fragment number, which must start at 1.
+# The rest matches TCP first client message or first server message (in case
+# we can't see client messages). Some parts of this are empirical rather than
+# document based. Assumes version is between 0.0 and 2.9. (usually is
+# 0.4 or 0.6). I'm guessing at many of the user-agents.
+# The last bit is emprical and probably only matches Limewire.
+^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella.*content-type: application/x-gnutella|...................?lime)
+
+# Needlessly precise, at the expense of time
+#^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /[\x09-\x0d -~]*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /[\x09-\x0d -~]*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella[\x09-\x0d -~]*content-type: application/x-gnutella|..................lime)
+
+
diff --git a/package/network/utils/iptables/files/l7/http.pat b/package/network/utils/iptables/files/l7/http.pat
new file mode 100644
index 0000000000..5122310d2f
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/http.pat
@@ -0,0 +1,28 @@
+# HTTP - HyperText Transfer Protocol - RFC 2616
+# Pattern attributes: great slow notsofast superset
+# Protocol groups: document_retrieval ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 80
+#
+# This pattern has been tested and is believed to work well.
+#
+# this intentionally catches the response from the server rather than
+# the request so that other protocols which use http (like kazaa) can be
+# caught based on specific http requests regardless of the ordering of
+# filters... also matches posts
+
+# Sites that serve really long cookies may break this by pushing the
+# server response too far away from the beginning of the connection. To
+# fix this, increase the kernel's data buffer length.
+
+http
+# Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF (rfc 2616)
+# As specified in rfc 2616 a status code is preceeded and followed by a
+# space.
+http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019]
+# A slightly faster version that might be good enough:
+#http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]|post [\x09-\x0d -~]* http/[01]\.[019]
+# old pattern(s):
+#(http[\x09-\x0d -~]*(200 ok|302 |304 )[\x09-\x0d -~]*(connection:|content-type:|content-length:))|^(post [\x09-\x0d -~]* http/)
diff --git a/package/network/utils/iptables/files/l7/ident.pat b/package/network/utils/iptables/files/l7/ident.pat
new file mode 100644
index 0000000000..3205e5e696
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/ident.pat
@@ -0,0 +1,15 @@
+# Ident - Identification Protocol - RFC 1413
+# Pattern attributes: good fast fast
+# Protocol groups: networking ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/Ident
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 113
+#
+# This pattern is believed to work.
+
+ident
+# "number , numberCRLF" possibly without the CR and/or LF.
+# ^$ is appropriate because the first packet should never have anything
+# else in it.
+^[1-9][0-9]?[0-9]?[0-9]?[0-9]?[\x09-\x0d]*,[\x09-\x0d]*[1-9][0-9]?[0-9]?[0-9]?[0-9]?(\x0d\x0a|[\x0d\x0a])?$
diff --git a/package/network/utils/iptables/files/l7/irc.pat b/package/network/utils/iptables/files/l7/irc.pat
new file mode 100644
index 0000000000..e25360cafb
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/irc.pat
@@ -0,0 +1,20 @@
+# IRC - Internet Relay Chat - RFC 1459
+# Pattern attributes: great veryfast fast
+# Protocol groups: chat ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/IRC
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 6666 or 6667
+# Note that chat traffic runs on these ports, but IRC-DCC traffic (which
+# can use much more bandwidth) uses a dynamically assigned port, so you
+# must have the IRC connection tracking module in your kernel to classify
+# this.
+#
+# This pattern has been tested and is believed to work well.
+
+irc
+# First thing that happens is that the client sends NICK and USER, in
+# either order. This allows MIRC color codes (\x02-\x0d instead of
+# \x09-\x0d).
+^(nick[\x09-\x0d -~]*user[\x09-\x0d -~]*:|user[\x09-\x0d -~]*:[\x02-\x0d -~]*nick[\x09-\x0d -~]*\x0d\x0a)
+
diff --git a/package/network/utils/iptables/files/l7/jabber.pat b/package/network/utils/iptables/files/l7/jabber.pat
new file mode 100644
index 0000000000..7c328905ee
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/jabber.pat
@@ -0,0 +1,24 @@
+# Jabber (XMPP) - open instant messenger protocol - RFC 3920 - http://jabber.org
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: chat ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/Jabber
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested with Gaim and Gabber. It is only tested
+# with non-SSL mode Jabber with no proxies.
+
+# Thanks to Jan Hudec for some improvements.
+
+# Jabber seems to take a long time to set up a connection. I'm
+# connecting with Gabber 0.8.8 to 12jabber.org and the first 8 packets
+# is this:
+# <stream:stream to='12jabber.com' xmlns='jabber:client'
+# xmlns:stream='http://etherx.jabber.org/streams'><?xml
+# version='1.0'?><stream:stream
+# xmlns:stream='http://etherx.jabber.org/streams' id='3f73e951'
+# xmlns='jabber:client' from='12jabber.com'>
+#
+# No mention of my username or password yet, you'll note.
+
+jabber
+<stream:stream[\x09-\x0d ][ -~]*[\x09-\x0d ]xmlns=['"]jabber
diff --git a/package/network/utils/iptables/files/l7/msnmessenger.pat b/package/network/utils/iptables/files/l7/msnmessenger.pat
new file mode 100644
index 0000000000..11dfc10be2
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/msnmessenger.pat
@@ -0,0 +1,28 @@
+# MSN Messenger - Microsoft Network chat client
+# Pattern attributes: good slow notsofast
+# Protocol groups: chat proprietary
+# Wiki: http://www.protocolinfo.org/wiki/MSN_Messenger
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually uses TCP port 1863
+# http://www.hypothetic.org/docs/msn/index.php
+# http://msnpiki.msnfanatic.com/
+#
+# This pattern has been tested and is believed to work well.
+
+msnmessenger
+
+# First branch: login
+# ver: allow versions up to 99.
+# I've never seen a cvr other than cvr0. Maybe this will be trouble later?
+# Can't anchor at the beginning because sometimes this is encapsulated in
+# HTTP. But either way, the first packet ends like this.
+# Second/Third branches: accepting/sending a message
+# I will assume that these can also be encapsulated in HTTP, although I have
+# not checked. Example of each direction:
+# ANS 1 quadong@hotmail.com 1139803431.29427 17522047
+# USR 1 quadong@hotmail.com 530423708.968145.366138
+
+# Branches are written entirely separately for better performance.
+ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]*cvr0\x0d\x0a$|usr 1 [!-~]+ [0-9. ]+\x0d\x0a$|ans 1 [!-~]+ [0-9. ]+\x0d\x0a$
+
diff --git a/package/network/utils/iptables/files/l7/ntp.pat b/package/network/utils/iptables/files/l7/ntp.pat
new file mode 100644
index 0000000000..760cfdbe59
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/ntp.pat
@@ -0,0 +1,17 @@
+# (S)NTP - (Simple) Network Time Protocol - RFCs 1305 and 2030
+# Pattern attributes: good fast fast overmatch
+# Protocol groups: time_synchronization ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/NTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern is tested and is believed to work.
+
+# client|server
+# Requires the server's timestamp to be in the present or future (of 2005).
+# Tested with ntpdate on Linux.
+# Assumes version 2, 3 or 4.
+
+# Note that ntp packets are always 48 bytes, so you should match on that too.
+
+ntp
+^([\x13\x1b\x23\xd3\xdb\xe3]|[\x14\x1c$].......?.?.?.?.?.?.?.?.?[\xc6-\xff])
diff --git a/package/network/utils/iptables/files/l7/pop3.pat b/package/network/utils/iptables/files/l7/pop3.pat
new file mode 100644
index 0000000000..3ae4c147bb
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/pop3.pat
@@ -0,0 +1,50 @@
+# POP3 - Post Office Protocol version 3 (popular e-mail protocol) - RFC 1939
+# Pattern attributes: great veryfast fast
+# Protocol groups: mail ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/POP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested somewhat.
+
+# this is a difficult protocol to match because of the relative lack of
+# distinguishing information. Read on.
+pop3
+
+# this the most conservative pattern. It should definitely work.
+#^(\+ok|-err)
+
+# this pattern assumes that the server says _something_ after +ok or -err
+# I think this is probably the way to go.
+^(\+ok |-err )
+
+# more that 90% of servers seem to say "pop" after "+ok", but not all.
+#^(\+ok .*pop)
+
+# Here's another tack. I think this is my second favorite.
+#^(\+ok [\x09-\x0d -~]*(ready|hello|pop|starting)|-err [\x09-\x0d -~]*(invalid|unknown|unimplemented|unrecognized|command))
+
+# this matches the server saying "you have N messages that are M bytes",
+# which the client probably asks for early in the session (not tested)
+#\+ok [0-9]+ [0-9]+
+
+# some sample servers:
+# RFC example: +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>
+# mail.dreamhost.com: +OK Hello there.
+# pop.carleton.edu: +OK POP3D(*) Server PMDFV6.2.2 at Fri, 12 Sep 2003 19:28:10 -0500 (CDT) (APOP disabled)
+# mail.earthlink.net: +OK NGPopper vEL_4_38 at earthlink.net ready <25509.1063412951@falcon>
+# *.email.umn.edu: +OK Cubic Circle's v1.22 1998/04/11 POP3 ready <7d1e0000da67623f@aquamarine.tc.umn.edu>
+# mail.yale.edu: +OK POP3 pantheon-po01 v2002.81 server ready
+# mail.gustavus.edu: +OK POP3 solen v2001.78 server ready
+# mail.reed.edu: +OK POP3 letra.reed.edu v2002.81 server ready
+# mail.bowdoin.edu: +OK mail.bowdoin.edu POP3 service (iPlanet Messaging Server 5.2 HotFix 1.15 (built Apr 28 2003))
+# pop.colby.edu: +OK Qpopper (version 4.0.5) at basalt starting.
+# mail.mac.com: +OK Netscape Messaging Multiplexor ready
+
+# various error strings:
+#-ERR Invalid command.
+#-ERR invalid command
+#-ERR unimplemented
+#-ERR Invalid command, try one of: USER name, PASS string, QUIT
+#-ERR Unknown AUTHORIZATION state command
+#-ERR Unrecognized command
+#-ERR Unknown command: "sadf'".
diff --git a/package/network/utils/iptables/files/l7/smtp.pat b/package/network/utils/iptables/files/l7/smtp.pat
new file mode 100644
index 0000000000..2f5d1957f9
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/smtp.pat
@@ -0,0 +1,40 @@
+# SMTP - Simple Mail Transfer Protocol - RFC 2821 (See also RFC 1869)
+# Pattern attributes: great notsofast fast
+# Protocol groups: mail ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/SMTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# usually runs on port 25
+#
+# This pattern has been tested and is believed to work well.
+
+# As usual, no text is required after "220", but all known servers have some
+# there. It (almost?) always has string "smtp" in it. The RFC examples
+# does not, so we match those too, just in case anyone has copied them
+# literally.
+#
+# Some examples:
+# 220 mail.stalker.com ESMTP CommuniGate Pro 4.1.3
+# 220 mail.vieodata.com ESMTP Merak 6.1.0; Mon, 15 Sep 2003 13:48:11 -0400
+# 220 mail.ut.caldera.com ESMTP
+# 220 persephone.pmail.gen.nz ESMTP server ready.
+# 220 smtp1.superb.net ESMTP
+# 220 mail.kerio.com Kerio MailServer 5.6.7 ESMTP ready
+# 220-mail.deerfield.com ESMTP VisNetic.MailServer.v6.0.9.0; Mon, 15 Sep 2003 13:4
+# 220 altn.com ESMTP MDaemon 6.8.5; Mon, 15 Sep 2003 12:46:42 -0500
+# 220 X1 NT-ESMTP Server ipsmin0165atl2.interland.net (IMail 6.06 73062-3)
+# 220 mail.icewarp.com ESMTP Merak 6.1.1; Mon, 15 Sep 2003 19:43:23 +0200
+# 220-mail.email-scan.com ESMTP
+# 220 smaug.dreamhost.com ESMTP
+# 220 kona.carleton.edu -- Server ESMTP (PMDF V6.2#30648)
+# 220 letra.reed.edu ESMTP Sendmail 8.12.9/8.12.9; Mon, 15 Sep 2003 10:35:57 -0700 (PDT)
+# 220-swan.mail.pas.earthlink.net ESMTP Exim 3.33 #1 Mon, 15 Sep 2003 10:32:15 -0700
+#
+# RFC examples:
+# 220 xyz.com Simple Mail Transfer Service Ready (RFC example)
+# 220 dbc.mtview.ca.us SMTP service ready
+
+smtp
+^220[\x09-\x0d -~]* (e?smtp|simple mail)
+userspace pattern=^220[\x09-\x0d -~]* (E?SMTP|[Ss]imple [Mm]ail)
+userspace flags=REG_NOSUB REG_EXTENDED
diff --git a/package/network/utils/iptables/files/l7/ssl.pat b/package/network/utils/iptables/files/l7/ssl.pat
new file mode 100644
index 0000000000..ae30ee4400
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/ssl.pat
@@ -0,0 +1,16 @@
+# SSL and TLS - Secure Socket Layer / Transport Layer Security - RFC 2246
+# Pattern attributes: good notsofast fast superset
+# Protocol groups: secure ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/SSL
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 443
+#
+# This is a superset of validcertssl. For it to match, it must be first.
+#
+# This pattern has been tested and is believed to work well.
+
+ssl
+# Server Hello with certificate | Client Hello
+# This allows SSL 3.X, which includes TLS 1.0, known internally as SSL 3.1
+^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b)
diff --git a/package/network/utils/iptables/files/l7/vnc.pat b/package/network/utils/iptables/files/l7/vnc.pat
new file mode 100644
index 0000000000..79d0ae8a28
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/vnc.pat
@@ -0,0 +1,23 @@
+# VNC - Virtual Network Computing. Also known as RFB - Remote Frame Buffer
+# Pattern attributes: great veryfast fast
+# Protocol groups: remote_access
+# Wiki: http://www.protocolinfo.org/wiki/VNC
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# http://www.realvnc.com/documentation.html
+#
+# This pattern has been verified with vnc v3.3.7 on WinXP and Linux
+#
+# Thanks to Trevor Paskett <tpaskett AT cymphonix.com> for this pattern.
+
+vnc
+# Assumes single digit major and minor version numbers
+# This message should be all alone in the first packet, so ^$ is appropriate
+^rfb 00[1-9]\.00[0-9]\x0a$
+
+# This is a more restrictive version which assumes the version numbers
+# are ones actually in existance at the time of this writing, i.e. 3.3,
+# 3.7 and 3.8 (with some clients wrongly reporting 3.5). It should be
+# slightly faster, but probably not worth the extra maintenance.
+# ^rfb 003\.00[3578]\x0a$
+
diff --git a/package/network/utils/iptables/patches/002-layer7_2.22.patch b/package/network/utils/iptables/patches/002-layer7_2.22.patch
new file mode 100644
index 0000000000..ba4531e3f3
--- /dev/null
+++ b/package/network/utils/iptables/patches/002-layer7_2.22.patch
@@ -0,0 +1,371 @@
+--- /dev/null
++++ b/extensions/libxt_layer7.c
+@@ -0,0 +1,368 @@
++/*
++ Shared library add-on to iptables for layer 7 matching support.
++
++ By Matthew Strait <quadong@users.sf.net>, Oct 2003-Aug 2008.
++
++ http://l7-filter.sf.net
++
++ This program is free software; you can redistribute it and/or
++ modify it under the terms of the GNU General Public License
++ as published by the Free Software Foundation; either version
++ 2 of the License, or (at your option) any later version.
++ http://www.gnu.org/licenses/gpl.txt
++*/
++
++#define _GNU_SOURCE
++#include <stdio.h>
++#include <netdb.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++#include <ctype.h>
++#include <dirent.h>
++
++#include <xtables.h>
++#include <linux/netfilter/xt_layer7.h>
++
++#define MAX_FN_LEN 256
++
++static char l7dir[MAX_FN_LEN] = "\0";
++
++/* Function which prints out usage message. */
++static void help(void)
++{
++ printf(
++ "layer7 match options:\n"
++ " --l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n"
++ " (--l7dir must be specified before --l7proto if used)\n"
++ "[!] --l7proto <name>: Match named protocol using /etc/l7-protocols/.../name.pat\n");
++}
++
++static const struct option opts[] = {
++ { .name = "l7proto", .has_arg = 1, .val = 'p' },
++ { .name = "l7dir", .has_arg = 1, .val = 'd' },
++ { .name = NULL }
++};
++
++/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */
++static int parse_protocol_file(char * filename, const char * protoname, struct xt_layer7_info *info)
++{
++ FILE * f;
++ char * line = NULL;
++ size_t len = 0;
++
++ enum { protocol, pattern, done } datatype = protocol;
++
++ f = fopen(filename, "r");
++
++ if(!f)
++ return 0;
++
++ while(getline(&line, &len, f) != -1)
++ {
++ if(strlen(line) < 2 || line[0] == '#')
++ continue;
++
++ /* strip the pesky newline... */
++ if(line[strlen(line) - 1] == '\n')
++ line[strlen(line) - 1] = '\0';
++
++ if(datatype == protocol)
++ {
++ /* Ignore everything on the line beginning with the
++ first space or tab . For instance, this allows the
++ protocol line in http.pat to be "http " (or
++ "http I am so cool") instead of just "http". */
++ if(strchr(line, ' ')){
++ char * space = strchr(line, ' ');
++ space[0] = '\0';
++ }
++ if(strchr(line, '\t')){
++ char * space = strchr(line, '\t');
++ space[0] = '\0';
++ }
++
++ /* sanity check. First non-comment non-blank
++ line must be the same as the file name. */
++ if(strcmp(line, protoname))
++ xtables_error(OTHER_PROBLEM,
++ "Protocol name (%s) doesn't match file name (%s). Bailing out\n",
++ line, filename);
++
++ if(strlen(line) >= MAX_PROTOCOL_LEN)
++ xtables_error(PARAMETER_PROBLEM,
++ "Protocol name in %s too long!", filename);
++ strncpy(info->protocol, line, MAX_PROTOCOL_LEN);
++
++ datatype = pattern;
++ }
++ else if(datatype == pattern)
++ {
++ if(strlen(line) >= MAX_PATTERN_LEN)
++ xtables_error(PARAMETER_PROBLEM, "Pattern in %s too long!", filename);
++ strncpy(info->pattern, line, MAX_PATTERN_LEN);
++
++ datatype = done;
++ break;
++ }
++ else
++ xtables_error(OTHER_PROBLEM, "Internal error");
++ }
++
++ if(datatype != done)
++ xtables_error(OTHER_PROBLEM, "Failed to get all needed data from %s", filename);
++
++ if(line) free(line);
++ fclose(f);
++
++ return 1;
++}
++
++static int hex2dec(char c)
++{
++ switch (c)
++ {
++ case '0' ... '9':
++ return c - '0';
++ case 'a' ... 'f':
++ return c - 'a' + 10;
++ case 'A' ... 'F':
++ return c - 'A' + 10;
++ default:
++ xtables_error(OTHER_PROBLEM, "hex2dec: bad value!\n");
++ return 0;
++ }
++}
++
++/* takes a string with \xHH escapes and returns one with the characters
++they stand for */
++static char * pre_process(char * s)
++{
++ char * result = malloc(strlen(s) + 1);
++ int sindex = 0, rrindex = 0;
++ while( sindex < strlen(s) )
++ {
++ if( sindex + 3 < strlen(s) &&
++ s[sindex] == '\\' && s[sindex+1] == 'x' &&
++ isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) )
++ {
++ /* carefully remember to call tolower here... */
++ result[rrindex] = tolower( hex2dec(s[sindex + 2])*16 +
++ hex2dec(s[sindex + 3] ) );
++
++ switch ( result[rrindex] )
++ {
++ case 0x24:
++ case 0x28:
++ case 0x29:
++ case 0x2a:
++ case 0x2b:
++ case 0x2e:
++ case 0x3f:
++ case 0x5b:
++ case 0x5c:
++ case 0x5d:
++ case 0x5e:
++ case 0x7c:
++ fprintf(stderr,
++ "Warning: layer7 regexp contains a control character, %c, in hex (\\x%c%c).\n"
++ "I recommend that you write this as %c or \\%c, depending on what you meant.\n",
++ result[rrindex], s[sindex + 2], s[sindex + 3], result[rrindex], result[rrindex]);
++ break;
++ case 0x00:
++ fprintf(stderr,
++ "Warning: null (\\x00) in layer7 regexp. A null terminates the regexp string!\n");
++ break;
++ default:
++ break;
++ }
++
++
++ sindex += 3; /* 4 total */
++ }
++ else
++ result[rrindex] = tolower(s[sindex]);
++
++ sindex++;
++ rrindex++;
++ }
++ result[rrindex] = '\0';
++
++ return result;
++}
++
++#define MAX_SUBDIRS 128
++static char ** readl7dir(char * dirname)
++{
++ DIR * scratchdir;
++ struct dirent ** namelist;
++ char ** subdirs = malloc(MAX_SUBDIRS * sizeof(char *));
++
++ int n, d = 1;
++ subdirs[0] = "";
++
++ n = scandir(dirname, &namelist, 0, alphasort);
++
++ if (n < 0)
++ {
++ perror("scandir");
++ xtables_error(OTHER_PROBLEM, "Couldn't open %s\n", dirname);
++ }
++ else
++ {
++ while(n--)
++ {
++ char fulldirname[MAX_FN_LEN];
++
++ snprintf(fulldirname, MAX_FN_LEN, "%s/%s", dirname, namelist[n]->d_name);
++
++ if((scratchdir = opendir(fulldirname)) != NULL)
++ {
++ closedir(scratchdir);
++
++ if(!strcmp(namelist[n]->d_name, ".") ||
++ !strcmp(namelist[n]->d_name, ".."))
++ /* do nothing */ ;
++ else
++ {
++ subdirs[d] = malloc(strlen(namelist[n]->d_name) + 1);
++ strcpy(subdirs[d], namelist[n]->d_name);
++ d++;
++ if(d >= MAX_SUBDIRS - 1)
++ {
++ fprintf(stderr,
++ "Too many subdirectories, skipping the rest!\n");
++ break;
++ }
++ }
++ }
++ free(namelist[n]);
++ }
++ free(namelist);
++ }
++
++ subdirs[d] = NULL;
++
++ return subdirs;
++}
++
++static void parse_layer7_protocol(const char *s, struct xt_layer7_info *info)
++{
++ char filename[MAX_FN_LEN];
++ char * dir = NULL;
++ char ** subdirs;
++ int n = 0, done = 0;
++
++ if(strlen(l7dir) > 0) dir = l7dir;
++ else dir = "/etc/l7-protocols";
++
++ subdirs = readl7dir(dir);
++
++ while(subdirs[n] != NULL)
++ {
++ int c = snprintf(filename, MAX_FN_LEN, "%s/%s/%s.pat", dir, subdirs[n], s);
++
++ if(c > MAX_FN_LEN)
++ xtables_error(OTHER_PROBLEM,
++ "Filename beginning with %s is too long!\n", filename);
++
++ /* read in the pattern from the file */
++ if(parse_protocol_file(filename, s, info)){
++ done = 1;
++ break;
++ }
++
++ n++;
++ }
++
++ if(!done)
++ xtables_error(OTHER_PROBLEM,
++ "Couldn't find a pattern definition file for %s.\n", s);
++
++ /* process \xHH escapes and tolower everything. (our regex lib has no
++ case insensitivity option.) */
++ strncpy(info->pattern, pre_process(info->pattern), MAX_PATTERN_LEN);
++}
++
++/* Function which parses command options; returns true if it ate an option */
++static int parse(int c, char **argv, int invert, unsigned int *flags,
++ const void *entry, struct xt_entry_match **match)
++{
++ struct xt_layer7_info *layer7info =
++ (struct xt_layer7_info *)(*match)->data;
++
++ switch (c) {
++ case 'p':
++ parse_layer7_protocol(argv[optind-1], layer7info);
++ if (invert)
++ layer7info->invert = true;
++ *flags = 1;
++ break;
++
++ case 'd':
++ if(strlen(argv[optind-1]) >= MAX_FN_LEN)
++ xtables_error(PARAMETER_PROBLEM, "directory name too long\n");
++
++ strncpy(l7dir, argv[optind-1], MAX_FN_LEN);
++
++ *flags = 1;
++ break;
++
++ default:
++ return 0;
++ }
++
++ return 1;
++}
++
++/* Final check; must have specified --l7proto */
++static void final_check(unsigned int flags)
++{
++ if (!flags)
++ xtables_error(PARAMETER_PROBLEM,
++ "LAYER7 match: You must specify `--l7proto'");
++}
++
++static void print_protocol(char s[], int invert, int numeric)
++{
++ fputs("l7proto ", stdout);
++ if (invert) fputc('!', stdout);
++ printf("%s ", s);
++}
++
++/* Prints out the matchinfo. */
++static void print(const void *ip,
++ const struct xt_entry_match *match,
++ int numeric)
++{
++ printf("LAYER7 ");
++ print_protocol(((struct xt_layer7_info *)match->data)->protocol,
++ ((struct xt_layer7_info *)match->data)->invert, numeric);
++}
++/* Saves the union ipt_matchinfo in parsable form to stdout. */
++static void save(const void *ip, const struct xt_entry_match *match)
++{
++ const struct xt_layer7_info *info =
++ (const struct xt_layer7_info*) match->data;
++
++ printf("--l7proto %s%s ", (info->invert)? "! ":"", info->protocol);
++}
++
++static struct xtables_match layer7 = {
++ .family = AF_INET,
++ .name = "layer7",
++ .version = XTABLES_VERSION,
++ .size = XT_ALIGN(sizeof(struct xt_layer7_info)),
++ .userspacesize = XT_ALIGN(sizeof(struct xt_layer7_info)),
++ .help = &help,
++ .parse = &parse,
++ .final_check = &final_check,
++ .print = &print,
++ .save = &save,
++ .extra_opts = opts
++};
++
++void _init(void)
++{
++ xtables_register_match(&layer7);
++}
diff --git a/package/network/utils/iptables/patches/009-table-alignment.patch b/package/network/utils/iptables/patches/009-table-alignment.patch
new file mode 100644
index 0000000000..53012ab320
--- /dev/null
+++ b/package/network/utils/iptables/patches/009-table-alignment.patch
@@ -0,0 +1,11 @@
+--- a/libiptc/libiptc.c
++++ b/libiptc/libiptc.c
+@@ -69,7 +69,7 @@ static const char *hooknames[] = {
+ struct ipt_error_target
+ {
+ STRUCT_ENTRY_TARGET t;
+- char error[TABLE_MAXNAMELEN];
++ char error[FUNCTION_MAXNAMELEN];
+ };
+
+ struct chain_head;
diff --git a/package/network/utils/iptables/patches/010-multiport-linux-2.4-compat.patch b/package/network/utils/iptables/patches/010-multiport-linux-2.4-compat.patch
new file mode 100644
index 0000000000..3b35f7e3c6
--- /dev/null
+++ b/package/network/utils/iptables/patches/010-multiport-linux-2.4-compat.patch
@@ -0,0 +1,265 @@
+--- a/extensions/libxt_multiport.c
++++ b/extensions/libxt_multiport.c
+@@ -15,21 +15,6 @@
+ #include <linux/netfilter/xt_multiport.h>
+
+ /* Function which prints out usage message. */
+-static void multiport_help(void)
+-{
+- printf(
+-"multiport match options:\n"
+-" --source-ports port[,port,port...]\n"
+-" --sports ...\n"
+-" match source port(s)\n"
+-" --destination-ports port[,port,port...]\n"
+-" --dports ...\n"
+-" match destination port(s)\n"
+-" --ports port[,port,port]\n"
+-" match both source and destination port(s)\n"
+-" NOTE: this kernel does not support port ranges in multiport.\n");
+-}
+-
+ static void multiport_help_v1(void)
+ {
+ printf(
+@@ -72,26 +57,6 @@ proto_to_name(u_int8_t proto)
+ }
+ }
+
+-static unsigned int
+-parse_multi_ports(const char *portstring, u_int16_t *ports, const char *proto)
+-{
+- char *buffer, *cp, *next;
+- unsigned int i;
+-
+- buffer = strdup(portstring);
+- if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
+-
+- for (cp=buffer, i=0; cp && i<XT_MULTI_PORTS; cp=next,i++)
+- {
+- next=strchr(cp, ',');
+- if (next) *next++='\0';
+- ports[i] = xtables_parse_port(cp, proto);
+- }
+- if (cp) xtables_error(PARAMETER_PROBLEM, "too many ports specified");
+- free(buffer);
+- return i;
+-}
+-
+ static void
+ parse_multi_ports_v1(const char *portstring,
+ struct xt_multiport_v1 *multiinfo,
+@@ -155,73 +120,6 @@ check_proto(u_int16_t pnum, u_int8_t inv
+ /* Function which parses command options; returns true if it
+ ate an option */
+ static int
+-__multiport_parse(int c, char **argv, int invert, unsigned int *flags,
+- struct xt_entry_match **match, u_int16_t pnum,
+- u_int8_t invflags)
+-{
+- const char *proto;
+- struct xt_multiport *multiinfo
+- = (struct xt_multiport *)(*match)->data;
+-
+- switch (c) {
+- case '1':
+- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+- proto = check_proto(pnum, invflags);
+- multiinfo->count = parse_multi_ports(optarg,
+- multiinfo->ports, proto);
+- multiinfo->flags = XT_MULTIPORT_SOURCE;
+- break;
+-
+- case '2':
+- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+- proto = check_proto(pnum, invflags);
+- multiinfo->count = parse_multi_ports(optarg,
+- multiinfo->ports, proto);
+- multiinfo->flags = XT_MULTIPORT_DESTINATION;
+- break;
+-
+- case '3':
+- xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+- proto = check_proto(pnum, invflags);
+- multiinfo->count = parse_multi_ports(optarg,
+- multiinfo->ports, proto);
+- multiinfo->flags = XT_MULTIPORT_EITHER;
+- break;
+-
+- default:
+- return 0;
+- }
+-
+- if (invert)
+- xtables_error(PARAMETER_PROBLEM,
+- "multiport does not support invert");
+-
+- if (*flags)
+- xtables_error(PARAMETER_PROBLEM,
+- "multiport can only have one option");
+- *flags = 1;
+- return 1;
+-}
+-
+-static int
+-multiport_parse(int c, char **argv, int invert, unsigned int *flags,
+- const void *e, struct xt_entry_match **match)
+-{
+- const struct ipt_entry *entry = e;
+- return __multiport_parse(c, argv, invert, flags, match,
+- entry->ip.proto, entry->ip.invflags);
+-}
+-
+-static int
+-multiport_parse6(int c, char **argv, int invert, unsigned int *flags,
+- const void *e, struct xt_entry_match **match)
+-{
+- const struct ip6t_entry *entry = e;
+- return __multiport_parse(c, argv, invert, flags, match,
+- entry->ipv6.proto, entry->ipv6.invflags);
+-}
+-
+-static int
+ __multiport_parse_v1(int c, char **argv, int invert, unsigned int *flags,
+ struct xt_entry_match **match, u_int16_t pnum,
+ u_int8_t invflags)
+@@ -314,55 +212,6 @@ print_port(u_int16_t port, u_int8_t prot
+ }
+
+ /* Prints out the matchinfo. */
+-static void
+-__multiport_print(const struct xt_entry_match *match, int numeric,
+- u_int16_t proto)
+-{
+- const struct xt_multiport *multiinfo
+- = (const struct xt_multiport *)match->data;
+- unsigned int i;
+-
+- printf("multiport ");
+-
+- switch (multiinfo->flags) {
+- case XT_MULTIPORT_SOURCE:
+- printf("sports ");
+- break;
+-
+- case XT_MULTIPORT_DESTINATION:
+- printf("dports ");
+- break;
+-
+- case XT_MULTIPORT_EITHER:
+- printf("ports ");
+- break;
+-
+- default:
+- printf("ERROR ");
+- break;
+- }
+-
+- for (i=0; i < multiinfo->count; i++) {
+- printf("%s", i ? "," : "");
+- print_port(multiinfo->ports[i], proto, numeric);
+- }
+- printf(" ");
+-}
+-
+-static void multiport_print(const void *ip_void,
+- const struct xt_entry_match *match, int numeric)
+-{
+- const struct ipt_ip *ip = ip_void;
+- __multiport_print(match, numeric, ip->proto);
+-}
+-
+-static void multiport_print6(const void *ip_void,
+- const struct xt_entry_match *match, int numeric)
+-{
+- const struct ip6t_ip6 *ip = ip_void;
+- __multiport_print(match, numeric, ip->proto);
+-}
+-
+ static void __multiport_print_v1(const struct xt_entry_match *match,
+ int numeric, u_int16_t proto)
+ {
+@@ -419,48 +268,6 @@ static void multiport_print6_v1(const vo
+ }
+
+ /* Saves the union ipt_matchinfo in parsable form to stdout. */
+-static void __multiport_save(const struct xt_entry_match *match,
+- u_int16_t proto)
+-{
+- const struct xt_multiport *multiinfo
+- = (const struct xt_multiport *)match->data;
+- unsigned int i;
+-
+- switch (multiinfo->flags) {
+- case XT_MULTIPORT_SOURCE:
+- printf("--sports ");
+- break;
+-
+- case XT_MULTIPORT_DESTINATION:
+- printf("--dports ");
+- break;
+-
+- case XT_MULTIPORT_EITHER:
+- printf("--ports ");
+- break;
+- }
+-
+- for (i=0; i < multiinfo->count; i++) {
+- printf("%s", i ? "," : "");
+- print_port(multiinfo->ports[i], proto, 1);
+- }
+- printf(" ");
+-}
+-
+-static void multiport_save(const void *ip_void,
+- const struct xt_entry_match *match)
+-{
+- const struct ipt_ip *ip = ip_void;
+- __multiport_save(match, ip->proto);
+-}
+-
+-static void multiport_save6(const void *ip_void,
+- const struct xt_entry_match *match)
+-{
+- const struct ip6t_ip6 *ip = ip_void;
+- __multiport_save(match, ip->proto);
+-}
+-
+ static void __multiport_save_v1(const struct xt_entry_match *match,
+ u_int16_t proto)
+ {
+@@ -514,34 +321,6 @@ static struct xtables_match multiport_mt
+ {
+ .family = NFPROTO_IPV4,
+ .name = "multiport",
+- .revision = 0,
+- .version = XTABLES_VERSION,
+- .size = XT_ALIGN(sizeof(struct xt_multiport)),
+- .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)),
+- .help = multiport_help,
+- .parse = multiport_parse,
+- .final_check = multiport_check,
+- .print = multiport_print,
+- .save = multiport_save,
+- .extra_opts = multiport_opts,
+- },
+- {
+- .family = NFPROTO_IPV6,
+- .name = "multiport",
+- .revision = 0,
+- .version = XTABLES_VERSION,
+- .size = XT_ALIGN(sizeof(struct xt_multiport)),
+- .userspacesize = XT_ALIGN(sizeof(struct xt_multiport)),
+- .help = multiport_help,
+- .parse = multiport_parse6,
+- .final_check = multiport_check,
+- .print = multiport_print6,
+- .save = multiport_save6,
+- .extra_opts = multiport_opts,
+- },
+- {
+- .family = NFPROTO_IPV4,
+- .name = "multiport",
+ .version = XTABLES_VERSION,
+ .revision = 1,
+ .size = XT_ALIGN(sizeof(struct xt_multiport_v1)),
diff --git a/package/network/utils/iptables/patches/011-recent-add-reap.patch b/package/network/utils/iptables/patches/011-recent-add-reap.patch
new file mode 100644
index 0000000000..275265b99d
--- /dev/null
+++ b/package/network/utils/iptables/patches/011-recent-add-reap.patch
@@ -0,0 +1,116 @@
+From 20c706d4cba3227c9c44fb61c4d93b0ae84e1464 Mon Sep 17 00:00:00 2001
+From: Tim Gardner <tim.gardner@canonical.com>
+Date: Mon, 1 Mar 2010 19:00:29 -0700
+Subject: [PATCH] xt_recent: Added XT_RECENT_REAP logic and man page documentation
+
+Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
+---
+ extensions/libxt_recent.c | 20 ++++++++++++++++++++
+ extensions/libxt_recent.man | 5 +++++
+ include/linux/netfilter/xt_recent.h | 7 +++++++
+ 3 files changed, 32 insertions(+), 0 deletions(-)
+
+--- a/extensions/libxt_recent.c
++++ b/extensions/libxt_recent.c
+@@ -20,6 +20,7 @@ static const struct option recent_opts[]
+ {.name = "name", .has_arg = true, .val = 208},
+ {.name = "rsource", .has_arg = false, .val = 209},
+ {.name = "rdest", .has_arg = false, .val = 210},
++ {.name = "reap", .has_arg = false, .val = 211},
+ XT_GETOPT_TABLEEND,
+ };
+
+@@ -37,6 +38,7 @@ static void recent_help(void)
+ " --hitcount hits For check and update commands above.\n"
+ " Specifies that the match will only occur if source address seen hits times.\n"
+ " May be used in conjunction with the seconds option.\n"
++" --reap Remove entries that have expired. Can only be used with --seconds\n"
+ " --rttl For check and update commands above.\n"
+ " Specifies that the match will only occur if the source address and the TTL\n"
+ " match between this packet and the one which was set.\n"
+@@ -63,6 +65,8 @@ static void recent_init(struct xt_entry_
+ (XT_RECENT_SET | XT_RECENT_CHECK | \
+ XT_RECENT_UPDATE | XT_RECENT_REMOVE)
+
++#define XT_RECENT_SECONDS 1 << 31
++
+ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_match **match)
+ {
+@@ -104,6 +108,7 @@ static int recent_parse(int c, char **ar
+
+ case 204:
+ info->seconds = atoi(optarg);
++ *flags |= XT_RECENT_SECONDS;
+ break;
+
+ case 205:
+@@ -139,6 +144,11 @@ static int recent_parse(int c, char **ar
+ info->side = XT_RECENT_DEST;
+ break;
+
++ case 211:
++ info->check_set |= XT_RECENT_REAP;
++ *flags |= XT_RECENT_REAP;
++ break;
++
+ default:
+ return 0;
+ }
+@@ -157,6 +167,12 @@ static void recent_check(unsigned int fl
+ xtables_error(PARAMETER_PROBLEM,
+ "recent: --rttl may only be used with --rcheck or "
+ "--update");
++ if ((flags & XT_RECENT_REAP) &&
++ ((flags & (XT_RECENT_SET | XT_RECENT_REMOVE)) ||
++ (!(flags & XT_RECENT_SECONDS))))
++ xtables_error(PARAMETER_PROBLEM,
++ "recent: --reap may only be used with --rcheck or "
++ "--update and --seconds");
+ }
+
+ static void recent_print(const void *ip, const struct xt_entry_match *match,
+@@ -185,6 +201,8 @@ static void recent_print(const void *ip,
+ printf("side: source ");
+ if (info->side == XT_RECENT_DEST)
+ printf("side: dest ");
++ if (info->check_set & XT_RECENT_REAP)
++ printf("reap ");
+ }
+
+ static void recent_save(const void *ip, const struct xt_entry_match *match)
+@@ -211,6 +229,8 @@ static void recent_save(const void *ip,
+ printf("--rsource ");
+ if (info->side == XT_RECENT_DEST)
+ printf("--rdest ");
++ if (info->check_set & XT_RECENT_REAP)
++ printf("--reap ");
+ }
+
+ static struct xtables_match recent_mt_reg = {
+--- a/extensions/libxt_recent.man
++++ b/extensions/libxt_recent.man
+@@ -41,6 +41,11 @@ This option must be used in conjunction
+ \fB\-\-update\fP. When used, this will narrow the match to only happen when the
+ address is in the list and was seen within the last given number of seconds.
+ .TP
++\fB\-\-reap\fP \fIreap\fP
++This option must be used in conjunction with \fB\-\-seconds\fP. When used, this
++will remove entries with the most recent timestamp older then \fB\-\-seconds\fP
++since the last packet was received.
++.TP
+ \fB\-\-hitcount\fP \fIhits\fP
+ This option must be used in conjunction with one of \fB\-\-rcheck\fP or
+ \fB\-\-update\fP. When used, this will narrow the match to only happen when the
+--- a/include/linux/netfilter/xt_recent.h
++++ b/include/linux/netfilter/xt_recent.h
+@@ -23,6 +23,9 @@ enum {
+ #define XT_RECENT_VALID_FLAGS (XT_RECENT_CHECK|XT_RECENT_SET|XT_RECENT_UPDATE|\
+ XT_RECENT_REMOVE|XT_RECENT_TTL|XT_RECENT_REAP)
+
++/* Only allowed with --rcheck and --update */
++#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP)
++
+ struct xt_recent_mtinfo {
+ __u32 seconds;
+ __u32 hit_count;
diff --git a/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch b/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch
new file mode 100644
index 0000000000..338962ffbe
--- /dev/null
+++ b/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch
@@ -0,0 +1,18 @@
+--- a/xtables.c
++++ b/xtables.c
+@@ -305,6 +305,7 @@ static char *get_modprobe(void)
+
+ int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
+ {
++#if 0
+ char *buf = NULL;
+ char *argv[4];
+ int status;
+@@ -348,6 +349,7 @@ int xtables_insmod(const char *modname,
+ free(buf);
+ if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
+ return 0;
++#endif
+ return -1;
+ }
+
diff --git a/package/network/utils/iptables/patches/030-no-libnfnetlink.patch b/package/network/utils/iptables/patches/030-no-libnfnetlink.patch
new file mode 100644
index 0000000000..cda9a7205b
--- /dev/null
+++ b/package/network/utils/iptables/patches/030-no-libnfnetlink.patch
@@ -0,0 +1,92 @@
+--- a/configure
++++ b/configure
+@@ -10917,75 +10917,7 @@ $as_echo "no" >&6; }
+ fi
+ fi
+
+-pkg_failed=no
+-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libnfnetlink" >&5
+-$as_echo_n "checking for libnfnetlink... " >&6; }
+-
+-if test -n "$libnfnetlink_CFLAGS"; then
+- pkg_cv_libnfnetlink_CFLAGS="$libnfnetlink_CFLAGS"
+- elif test -n "$PKG_CONFIG"; then
+- if test -n "$PKG_CONFIG" && \
+- { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5
+- ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5
+- ac_status=$?
+- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+- test $ac_status = 0; }; then
+- pkg_cv_libnfnetlink_CFLAGS=`$PKG_CONFIG --cflags "libnfnetlink >= 1.0" 2>/dev/null`
+-else
+- pkg_failed=yes
+-fi
+- else
+- pkg_failed=untried
+-fi
+-if test -n "$libnfnetlink_LIBS"; then
+- pkg_cv_libnfnetlink_LIBS="$libnfnetlink_LIBS"
+- elif test -n "$PKG_CONFIG"; then
+- if test -n "$PKG_CONFIG" && \
+- { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5
+- ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5
+- ac_status=$?
+- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+- test $ac_status = 0; }; then
+- pkg_cv_libnfnetlink_LIBS=`$PKG_CONFIG --libs "libnfnetlink >= 1.0" 2>/dev/null`
+-else
+- pkg_failed=yes
+-fi
+- else
+- pkg_failed=untried
+-fi
+-
+-
+-
+-if test $pkg_failed = yes; then
+- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+-$as_echo "no" >&6; }
+-
+-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+- _pkg_short_errors_supported=yes
+-else
+- _pkg_short_errors_supported=no
+-fi
+- if test $_pkg_short_errors_supported = yes; then
+- libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "libnfnetlink >= 1.0" 2>&1`
+- else
+- libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --print-errors "libnfnetlink >= 1.0" 2>&1`
+- fi
+- # Put the nasty error message in config.log where it belongs
+- echo "$libnfnetlink_PKG_ERRORS" >&5
+-
+- nfnetlink=0
+-elif test $pkg_failed = untried; then
+- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+-$as_echo "no" >&6; }
+- nfnetlink=0
+-else
+- libnfnetlink_CFLAGS=$pkg_cv_libnfnetlink_CFLAGS
+- libnfnetlink_LIBS=$pkg_cv_libnfnetlink_LIBS
+- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+-$as_echo "yes" >&6; }
+- nfnetlink=1
+-fi
+- if test "$nfnetlink" = 1; then
++if false; then
+ HAVE_LIBNFNETLINK_TRUE=
+ HAVE_LIBNFNETLINK_FALSE='#'
+ else
+--- a/configure.ac
++++ b/configure.ac
+@@ -79,9 +79,7 @@ AM_CONDITIONAL([ENABLE_LARGEFILE], [test
+ AM_CONDITIONAL([ENABLE_DEVEL], [test "$enable_devel" = "yes"])
+ AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" = "yes"])
+
+-PKG_CHECK_MODULES([libnfnetlink], [libnfnetlink >= 1.0],
+- [nfnetlink=1], [nfnetlink=0])
+-AM_CONDITIONAL([HAVE_LIBNFNETLINK], [test "$nfnetlink" = 1])
++AM_CONDITIONAL([HAVE_LIBNFNETLINK], [false])
+
+ regular_CFLAGS="${largefile_cflags} \
+ -D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
diff --git a/package/network/utils/iptables/patches/100-bash-location.patch b/package/network/utils/iptables/patches/100-bash-location.patch
new file mode 100644
index 0000000000..818246e76b
--- /dev/null
+++ b/package/network/utils/iptables/patches/100-bash-location.patch
@@ -0,0 +1,16 @@
+--- a/autogen.sh
++++ b/autogen.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+
+ autoreconf -fi;
+ rm -Rf autom4te*.cache;
+--- a/iptables-apply
++++ b/iptables-apply
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ #
+ # iptables-apply -- a safer way to update iptables remotely
+ #
diff --git a/package/network/utils/iptables/patches/110-linux_3.2_compat.patch b/package/network/utils/iptables/patches/110-linux_3.2_compat.patch
new file mode 100644
index 0000000000..2cdd673d25
--- /dev/null
+++ b/package/network/utils/iptables/patches/110-linux_3.2_compat.patch
@@ -0,0 +1,12 @@
+--- iptables-1.4.10/include/linux/types.h.orig 2011-11-07 00:08:33.000000000 +0100
++++ iptables-1.4.10/include/linux/types.h 2011-11-07 00:09:25.000000000 +0100
+@@ -34,5 +34,9 @@
+ typedef __u16 __bitwise __sum16;
+ typedef __u32 __bitwise __wsum;
+
++#define __aligned_u64 __u64 __attribute__((aligned(8)))
++#define __aligned_be64 __be64 __attribute__((aligned(8)))
++#define __aligned_le64 __le64 __attribute__((aligned(8)))
++
+ #endif /* __ASSEMBLY__ */
+ #endif /* _LINUX_TYPES_H */
diff --git a/package/network/utils/iptables/patches/200-configurable_builtin.patch b/package/network/utils/iptables/patches/200-configurable_builtin.patch
new file mode 100644
index 0000000000..9f9cc387c3
--- /dev/null
+++ b/package/network/utils/iptables/patches/200-configurable_builtin.patch
@@ -0,0 +1,56 @@
+--- a/extensions/GNUmakefile.in
++++ b/extensions/GNUmakefile.in
+@@ -40,9 +40,24 @@
+ pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod})
+ pf4_build_mod := $(filter-out @blacklist_modules@,${pf4_build_mod})
+ pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod})
+-pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_mod})
+-pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_mod})
+-pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_mod})
++
++ifdef BUILTIN_MODULES
++pfx_build_static := $(filter $(BUILTIN_MODULES),${pfx_build_mod})
++pf4_build_static := $(filter $(BUILTIN_MODULES),${pf4_build_mod})
++pf6_build_static := $(filter $(BUILTIN_MODULES),${pf6_build_mod})
++else
++@ENABLE_STATIC_TRUE@ pfx_build_static := $(pfx_build_mod)
++@ENABLE_STATIC_TRUE@ pf4_build_static := $(pf4_build_mod)
++@ENABLE_STATIC_TRUE@ pf6_build_static := $(pf6_build_mod)
++endif
++
++pfx_build_mod := $(filter-out $(pfx_build_static),$(pfx_build_mod))
++pf4_build_mod := $(filter-out $(pf4_build_static),$(pf4_build_mod))
++pf6_build_mod := $(filter-out $(pf6_build_static),$(pf6_build_mod))
++
++pfx_objs := $(patsubst %,libxt_%.o,${pfx_build_static})
++pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_static})
++pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_static})
+ pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod})
+ pf4_solibs := $(patsubst %,libipt_%.so,${pf4_build_mod})
+ pf6_solibs := $(patsubst %,libip6t_%.so,${pf6_build_mod})
+@@ -54,10 +69,10 @@
+ targets := libext4.a libext6.a matches4.man matches6.man \
+ targets4.man targets6.man
+ targets_install :=
+-@ENABLE_STATIC_TRUE@ libext4_objs := ${pfx_objs} ${pf4_objs}
+-@ENABLE_STATIC_TRUE@ libext6_objs := ${pfx_objs} ${pf6_objs}
+-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
+-@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
++libext4_objs := ${pfx_objs} ${pf4_objs}
++libext6_objs := ${pfx_objs} ${pf6_objs}
++targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
++targets_install := $(strip ${targets_install} ${pfx_solibs} ${pf4_solibs} ${pf6_solibs})
+
+ .SECONDARY:
+
+@@ -107,8 +122,8 @@
+ libext6.a: initext6.o ${libext6_objs}
+ ${AM_VERBOSE_AR} ${AR} crs $@ $^;
+
+-initext_func := $(addprefix xt_,${pfx_build_mod}) $(addprefix ipt_,${pf4_build_mod})
+-initext6_func := $(addprefix xt_,${pfx_build_mod}) $(addprefix ip6t_,${pf6_build_mod})
++initext_func := $(addprefix xt_,${pfx_build_static}) $(addprefix ipt_,${pf4_build_static})
++initext6_func := $(addprefix xt_,${pfx_build_static}) $(addprefix ip6t_,${pf6_build_static})
+
+ .initext4.dd: FORCE
+ @echo "${initext_func}" >$@.tmp; \