From 405e21d16731b2764ab82aaaadcf36a813b105f7 Mon Sep 17 00:00:00 2001
From: Felix Fietkau <nbd@openwrt.org>
Date: Wed, 10 Oct 2012 12:32:29 +0000
Subject: packages: sort network related packages into package/network/

SVN-Revision: 33688
---
 package/network/utils/iptables/Makefile            | 475 +++++++++++++++++++++
 package/network/utils/iptables/files/l7/aim.pat    |  28 ++
 .../network/utils/iptables/files/l7/bittorrent.pat |  25 ++
 .../network/utils/iptables/files/l7/edonkey.pat    |  37 ++
 .../network/utils/iptables/files/l7/fasttrack.pat  |  23 +
 package/network/utils/iptables/files/l7/ftp.pat    |  46 ++
 .../network/utils/iptables/files/l7/gnutella.pat   |  34 ++
 package/network/utils/iptables/files/l7/http.pat   |  28 ++
 package/network/utils/iptables/files/l7/ident.pat  |  15 +
 package/network/utils/iptables/files/l7/irc.pat    |  20 +
 package/network/utils/iptables/files/l7/jabber.pat |  24 ++
 .../utils/iptables/files/l7/msnmessenger.pat       |  28 ++
 package/network/utils/iptables/files/l7/ntp.pat    |  17 +
 package/network/utils/iptables/files/l7/pop3.pat   |  50 +++
 package/network/utils/iptables/files/l7/smtp.pat   |  40 ++
 package/network/utils/iptables/files/l7/ssl.pat    |  16 +
 package/network/utils/iptables/files/l7/vnc.pat    |  23 +
 .../utils/iptables/patches/002-layer7_2.22.patch   | 371 ++++++++++++++++
 .../iptables/patches/009-table-alignment.patch     |  11 +
 .../patches/010-multiport-linux-2.4-compat.patch   | 265 ++++++++++++
 .../iptables/patches/011-recent-add-reap.patch     | 116 +++++
 .../patches/020-iptables-disable-modprobe.patch    |  18 +
 .../iptables/patches/030-no-libnfnetlink.patch     |  92 ++++
 .../utils/iptables/patches/100-bash-location.patch |  16 +
 .../iptables/patches/110-linux_3.2_compat.patch    |  12 +
 .../patches/200-configurable_builtin.patch         |  56 +++
 26 files changed, 1886 insertions(+)
 create mode 100644 package/network/utils/iptables/Makefile
 create mode 100644 package/network/utils/iptables/files/l7/aim.pat
 create mode 100644 package/network/utils/iptables/files/l7/bittorrent.pat
 create mode 100644 package/network/utils/iptables/files/l7/edonkey.pat
 create mode 100644 package/network/utils/iptables/files/l7/fasttrack.pat
 create mode 100644 package/network/utils/iptables/files/l7/ftp.pat
 create mode 100644 package/network/utils/iptables/files/l7/gnutella.pat
 create mode 100644 package/network/utils/iptables/files/l7/http.pat
 create mode 100644 package/network/utils/iptables/files/l7/ident.pat
 create mode 100644 package/network/utils/iptables/files/l7/irc.pat
 create mode 100644 package/network/utils/iptables/files/l7/jabber.pat
 create mode 100644 package/network/utils/iptables/files/l7/msnmessenger.pat
 create mode 100644 package/network/utils/iptables/files/l7/ntp.pat
 create mode 100644 package/network/utils/iptables/files/l7/pop3.pat
 create mode 100644 package/network/utils/iptables/files/l7/smtp.pat
 create mode 100644 package/network/utils/iptables/files/l7/ssl.pat
 create mode 100644 package/network/utils/iptables/files/l7/vnc.pat
 create mode 100644 package/network/utils/iptables/patches/002-layer7_2.22.patch
 create mode 100644 package/network/utils/iptables/patches/009-table-alignment.patch
 create mode 100644 package/network/utils/iptables/patches/010-multiport-linux-2.4-compat.patch
 create mode 100644 package/network/utils/iptables/patches/011-recent-add-reap.patch
 create mode 100644 package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch
 create mode 100644 package/network/utils/iptables/patches/030-no-libnfnetlink.patch
 create mode 100644 package/network/utils/iptables/patches/100-bash-location.patch
 create mode 100644 package/network/utils/iptables/patches/110-linux_3.2_compat.patch
 create mode 100644 package/network/utils/iptables/patches/200-configurable_builtin.patch

(limited to 'package/network/utils/iptables')

diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile
new file mode 100644
index 0000000000..ff7d428215
--- /dev/null
+++ b/package/network/utils/iptables/Makefile
@@ -0,0 +1,475 @@
+#
+# Copyright (C) 2006-2012 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=iptables
+PKG_VERSION:=1.4.10
+PKG_RELEASE:=4
+
+PKG_MD5SUM:=f382fe693f0b59d87bd47bea65eca198
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_SOURCE_URL:=http://www.netfilter.org/projects/iptables/files \
+	ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \
+	ftp://ftp.de.netfilter.org/pub/netfilter/iptables/ \
+	ftp://ftp.no.netfilter.org/pub/netfilter/iptables/
+
+PKG_FIXUP:=autoreconf
+PKG_INSTALL:=1
+PKG_BUILD_PARALLEL:=1
+
+ifneq ($(CONFIG_EXTERNAL_KERNEL_TREE),"")
+PATCH_DIR:=
+endif
+
+include $(INCLUDE_DIR)/package.mk
+ifeq ($(DUMP),)
+  -include $(LINUX_DIR)/.config
+  include $(INCLUDE_DIR)/netfilter.mk
+  STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell $(SH_FUNC) grep 'NETFILTER' $(LINUX_DIR)/.config | md5s)
+endif
+
+
+define Package/iptables/Default
+  SECTION:=net
+  CATEGORY:=Network
+  SUBMENU:=Firewall
+  URL:=http://netfilter.org/
+endef
+
+define Package/iptables/Module
+$(call Package/iptables/Default)
+  DEPENDS:=iptables $(1)
+endef
+
+define Package/iptables
+$(call Package/iptables/Default)
+  TITLE:=IPv4 firewall administration tool
+  MENU:=1
+  DEPENDS+= +kmod-ipt-core +libip4tc +libxtables
+endef
+
+define Package/iptables/description
+IPv4 firewall administration tool.
+
+ Matches:
+  - icmp
+  - tcp
+  - udp
+  - comment
+  - limit
+  - mac
+  - multiport
+
+ Targets:
+  - ACCEPT
+  - DROP
+  - REJECT
+  - LOG
+  - TCPMSS
+
+ Tables:
+  - filter
+  - mangle
+
+endef
+
+define Package/iptables-mod-conntrack-extra
+$(call Package/iptables/Module, +kmod-ipt-conntrack-extra)
+  TITLE:=Extra connection tracking extensions
+endef
+
+define Package/iptables-mod-conntrack-extra/description
+Extra iptables extensions for connection tracking.
+
+ Matches:
+  - connbytes
+  - connmark
+  - recent
+  - helper
+
+ Targets:
+  - CONNMARK
+
+endef
+
+define Package/iptables-mod-filter
+$(call Package/iptables/Module, +kmod-ipt-filter)
+  TITLE:=Content inspection extensions
+endef
+
+define Package/iptables-mod-filter/description
+iptables extensions for packet content inspection.
+Includes support for:
+
+ Matches:
+  - layer7
+  - string
+
+endef
+
+define Package/iptables-mod-ipopt
+$(call Package/iptables/Module, +kmod-ipt-ipopt)
+  TITLE:=IP/Packet option extensions
+endef
+
+define Package/iptables-mod-ipopt/description
+iptables extensions for matching/changing IP packet options.
+
+ Matches:
+  - dscp
+  - ecn
+  - length
+  - mark
+  - statistic
+  - tcpmss
+  - time
+  - unclean
+  - hl
+
+ Targets:
+  - DSCP
+  - CLASSIFY
+  - ECN
+  - MARK
+  - HL
+
+endef
+
+define Package/iptables-mod-ipsec
+$(call Package/iptables/Module, +kmod-ipt-ipsec)
+  TITLE:=IPsec extensions
+endef
+
+define Package/iptables-mod-ipsec/description
+iptables extensions for matching ipsec traffic.
+
+ Matches:
+  - ah
+  - esp
+  - policy
+
+endef
+
+define Package/iptables-mod-ipset
+$(call Package/iptables/Module,)
+  TITLE:=IPset iptables extensions
+endef
+
+define Package/iptables-mod-ipset/description
+IPset iptables extensions.
+
+ Matches:
+  - set
+
+ Targets:
+  - SET
+
+endef
+
+define Package/iptables-mod-nat-extra
+$(call Package/iptables/Module, +kmod-ipt-nat-extra)
+  TITLE:=Extra NAT extensions
+endef
+
+define Package/iptables-mod-nat-extra/description
+iptables extensions for extra NAT targets.
+
+ Targets:
+  - MIRROR
+  - NETMAP
+  - REDIRECT
+endef
+
+define Package/iptables-mod-ulog
+$(call Package/iptables/Module, +kmod-ipt-ulog)
+  TITLE:=user-space packet logging
+endef
+
+define Package/iptables-mod-ulog/description
+iptables extensions for user-space packet logging.
+
+ Targets:
+  - ULOG
+
+endef
+
+define Package/iptables-mod-hashlimit
+$(call Package/iptables/Module, +kmod-ipt-hashlimit)
+  TITLE:=hashlimit matching
+endef
+
+define Package/iptables-mod-hashlimit/description
+iptables extensions for hashlimit matching
+
+ Matches:
+  - hashlimit
+
+endef
+
+define Package/iptables-mod-iprange
+$(call Package/iptables/Module, +kmod-ipt-iprange)
+  TITLE:=IP range extension
+endef
+
+define Package/iptables-mod-iprange/description
+iptables extensions for matching ip ranges.
+
+ Matches:
+  - iprange
+
+endef
+
+define Package/iptables-mod-extra
+$(call Package/iptables/Module, +kmod-ipt-extra)
+  TITLE:=Other extra iptables extensions
+endef
+
+define Package/iptables-mod-extra/description
+Other extra iptables extensions.
+
+ Matches:
+  - condition
+  - owner
+  - physdev (if ebtables is enabled)
+  - pkttype
+  - quota
+
+endef
+
+define Package/iptables-mod-led
+$(call Package/iptables/Module, +kmod-ipt-led)
+  TITLE:=LED trigger iptables extension
+endef
+
+define Package/iptables-mod-led/description
+iptables extension for triggering a LED.
+
+ Targets:
+  - LED
+
+endef
+
+define Package/iptables-mod-tproxy
+$(call Package/iptables/Module, +kmod-ipt-tproxy)
+  TITLE:=Transparent proxy iptables extensions
+endef
+
+define Package/iptables-mod-tproxy/description
+Transparent proxy iptables extensions.
+
+ Matches:
+  - socket
+
+ Targets:
+  - TPROXY
+
+endef
+
+define Package/iptables-mod-tee
+$(call Package/iptables/Module, +kmod-ipt-tee)
+  TITLE:=TEE iptables extensions
+endef
+
+define Package/iptables-mod-tee/description
+TEE iptables extensions.
+
+ Targets:
+  - TEE
+
+endef
+
+define Package/iptables-mod-u32
+$(call Package/iptables/Module, +kmod-ipt-u32)
+  TITLE:=U32 iptables extensions
+endef
+
+define Package/iptables-mod-u32/description
+U32 iptables extensions.
+
+ Matches:
+  - u32
+
+endef
+
+define Package/ip6tables
+$(call Package/iptables/Default)
+  DEPENDS:=+kmod-ip6tables +libip6tc +libxtables
+  CATEGORY:=IPv6
+  TITLE:=IPv6 firewall administration tool
+  MENU:=1
+endef
+
+define Package/libiptc
+$(call Package/iptables/Default)
+  SECTION:=libs
+  CATEGORY:=Libraries
+  DEPENDS:=+libip4tc +libip6tc
+  TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
+endef
+
+define Package/libip4tc
+$(call Package/iptables/Default)
+  SECTION:=libs
+  CATEGORY:=Libraries
+  TITLE:=IPv4 firewall - shared libiptc library
+endef
+
+define Package/libip6tc
+$(call Package/iptables/Default)
+  SECTION:=libs
+  CATEGORY:=Libraries
+  TITLE:=IPv6 firewall - shared libiptc library
+endef
+
+define Package/libxtables
+ $(call Package/iptables/Default)
+ SECTION:=libs
+ CATEGORY:=Libraries
+ TITLE:=IPv4/IPv6 firewall - shared xtables library
+endef
+
+define Package/libipq
+  $(call Package/iptables/Default)
+  SECTION:=libs
+  CATEGORY:=Libraries
+  TITLE:=IPv4/IPv6 firewall - shared libipq library
+endef
+
+TARGET_CPPFLAGS := \
+	-I$(PKG_BUILD_DIR)/include \
+	-I$(LINUX_DIR)/user_headers/include \
+	$(TARGET_CPPFLAGS)
+
+TARGET_CFLAGS += \
+	-I$(PKG_BUILD_DIR)/include \
+	-I$(LINUX_DIR)/user_headers/include
+
+CONFIGURE_ARGS += \
+	--enable-shared \
+	--enable-devel \
+	$(if $(CONFIG_IPV6),--enable-ipv6,--disable-ipv6) \
+	--enable-libipq \
+	--with-kernel="$(LINUX_DIR)/user_headers" \
+	--with-xtlibdir=/usr/lib/iptables \
+	--enable-static
+
+MAKE_FLAGS := \
+	$(TARGET_CONFIGURE_OPTS) \
+	COPT_FLAGS="$(TARGET_CFLAGS)" \
+	KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \
+	KBUILD_OUTPUT="$(LINUX_DIR)" \
+	BUILTIN_MODULES="$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m)))"
+
+define Build/InstallDev
+	$(INSTALL_DIR) $(1)/usr/include
+	$(INSTALL_DIR) $(1)/usr/include/iptables
+	$(INSTALL_DIR) $(1)/usr/include/net/netfilter
+
+	# XXX: iptables header fixup, some headers are not installed by iptables anymore
+	$(CP) $(PKG_BUILD_DIR)/include/net/netfilter/*.h $(1)/usr/include/net/netfilter/
+	$(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
+	$(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
+	$(CP) $(PKG_BUILD_DIR)/include/libipq/libipq.h $(1)/usr/include/
+	$(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
+	$(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/
+
+	$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libipq.so* $(1)/usr/lib/
+	$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libiptc.pc $(1)/usr/lib/pkgconfig/
+endef
+
+define Package/iptables/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/iptables $(1)/usr/sbin/
+	$(LN) iptables $(1)/usr/sbin/iptables-save
+	$(LN) iptables $(1)/usr/sbin/iptables-restore
+	$(INSTALL_DIR) $(1)/usr/lib/iptables
+endef
+
+define Package/ip6tables/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables $(1)/usr/sbin/
+	$(LN) ip6tables $(1)/usr/sbin/ip6tables-save
+	$(LN) ip6tables $(1)/usr/sbin/ip6tables-restore
+	$(INSTALL_DIR) $(1)/usr/lib/iptables
+	(cd $(PKG_INSTALL_DIR)/usr/lib/iptables ; \
+		$(CP) libip6t_*.so $(1)/usr/lib/iptables/ \
+	)
+endef
+
+define Package/libiptc/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libiptc.so* $(1)/usr/lib/
+endef
+
+define Package/libip4tc/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
+endef
+
+define Package/libip6tc/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
+endef
+
+define Package/libxtables/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
+endef
+
+define Package/libipq/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libipq.so* $(1)/usr/lib/
+endef
+
+define BuildPlugin
+  define Package/$(1)/install
+	$(INSTALL_DIR) $$(1)/usr/lib/iptables
+	for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)); do \
+		if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
+			$(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
+		fi; \
+	done
+	$(3)
+  endef
+
+  $$(eval $$(call BuildPackage,$(1)))
+endef
+
+L7_INSTALL:=\
+	$(INSTALL_DIR) $$(1)/etc/l7-protocols; \
+	$(CP) files/l7/*.pat $$(1)/etc/l7-protocols/
+
+
+$(eval $(call BuildPackage,iptables))
+$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
+$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
+$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m),$(L7_INSTALL)))
+$(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
+$(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
+$(eval $(call BuildPlugin,iptables-mod-ipset,ipt_set ipt_SET))
+$(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
+$(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
+$(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))
+$(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m)))
+$(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
+$(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
+$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
+$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
+$(eval $(call BuildPackage,ip6tables))
+$(eval $(call BuildPackage,libiptc))
+$(eval $(call BuildPackage,libip4tc))
+$(eval $(call BuildPackage,libip6tc))
+$(eval $(call BuildPackage,libxtables))
+$(eval $(call BuildPackage,libipq))
diff --git a/package/network/utils/iptables/files/l7/aim.pat b/package/network/utils/iptables/files/l7/aim.pat
new file mode 100644
index 0000000000..5c43930fd3
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/aim.pat
@@ -0,0 +1,28 @@
+# AIM - AOL instant messenger (OSCAR and TOC)
+# Pattern attributes: good slow notsofast
+# Protocol groups: chat proprietary
+# Wiki: http://www.protocolinfo.org/wiki/AIM
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 5190
+#
+# This may also match ICQ traffic.
+# 
+# This pattern has been tested and is believed to work well.
+
+aim
+# See http://gridley.res.carleton.edu/~straitm/final (and various other places)
+# The first bit matches OSCAR signon and data commands, but not sure what
+# \x03\x0b matches, but it works apparently.
+# The next three bits match various parts of the TOC signon process.
+# The third one is the magic number "*", then 0x01 for "signon", then up to four
+# bytes ("up to" because l7-filter strips out nulls) which contain a sequence
+# number (2 bytes) the data length (2 more) and 3 nulls (which don't count), 
+# then 0x01 for the version number (not sure if there ever has been another 
+# version)
+# The fourth one is a command string, followed by some stuff, then the
+# beginning of the "roasted" password
+
+# This pattern is too slow!
+
+^(\*[\x01\x02].*\x03\x0b|\*\x01.?.?.?.?\x01)|flapon|toc_signon.*0x
diff --git a/package/network/utils/iptables/files/l7/bittorrent.pat b/package/network/utils/iptables/files/l7/bittorrent.pat
new file mode 100644
index 0000000000..4a3ba88d58
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/bittorrent.pat
@@ -0,0 +1,25 @@
+# Bittorrent - P2P filesharing / publishing tool - http://www.bittorrent.com
+# Pattern attributes: good slow594 notsofast undermatch
+# Protocol groups: p2p open_source
+# Wiki: http://www.protocolinfo.org/wiki/Bittorrent
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested and is believed to work well.
+# It will, however, not work on bittorrent streams that are encrypted, since
+# it's impossible to match (well) encrypted data.
+
+bittorrent
+
+# Does not attempt to match the HTTP download of the tracker
+# 0x13 is the length of "bittorrent protocol"
+# Second two bits match UDP wierdness
+# Next bit matches something Azureus does
+# Ditto on the next bit.  Could also match on "user-agent: azureus", but that's in the next
+# packet and perhaps this will match multiple clients.
+# bitcomet-specific strings contributed by liangjun.
+
+# This is not a valid GNU basic regular expression (but that's ok).
+^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]
+
+# This pattern is "fast", but won't catch as much
+#^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=)
diff --git a/package/network/utils/iptables/files/l7/edonkey.pat b/package/network/utils/iptables/files/l7/edonkey.pat
new file mode 100644
index 0000000000..75807f8ebb
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/edonkey.pat
@@ -0,0 +1,37 @@
+# eDonkey2000 - P2P filesharing - http://edonkey2000.com and others
+# Pattern attributes: good veryfast fast overmatch
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/EDonkey
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Tested recently (April/May 2006) with eMule 0.47a and eDonkey2000 1.4
+# and a long time ago with something else. 
+# 
+# In addition to matching what you might expect, this matches much of
+# what eMule does when you tell it to only connect to the KAD network. 
+# I don't quite know what to make of this.
+
+# Thanks to Matt Skidmore <fox AT woozle.org>
+
+edonkey
+
+# http://gd.tuwien.ac.at/opsys/linux/sf/p/pdonkey/eDonkey-protocol-0.6
+#
+# In addition to \xe3, \xc5 and \xd4, I see a lot of \xe5.
+# As of April 2006, I also see some \xe4.
+#
+# God this is a mess.  What an irritating protocol.  
+# This will match about 2% of streams with random data in them!
+# (But fortunately much fewer than 2% of streams that are other protocols.
+# You can test this with the data in ../testing/)
+
+^[\xc5\xd4\xe3-\xe5].?.?.?.?([\x01\x02\x05\x14\x15\x16\x18\x19\x1a\x1b\x1c\x20\x21\x32\x33\x34\x35\x36\x38\x40\x41\x42\x43\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58[\x60\x81\x82\x90\x91\x93\x96\x97\x98\x99\x9a\x9b\x9c\x9e\xa0\xa1\xa2\xa3\xa4]|\x59................?[ -~]|\x96....$)
+
+# matches everything and too much 
+# ^(\xe3|\xc5|\xd4)
+
+# ipp2p essentially uses "\xe3....\x47", which doesn't seem at all right to me.
+
+# bandwidtharbitrator uses 
+# e0.*@.*6[a-z].*p$|e0.*@.*[a-z]6[a-z].*p0$|e.*@.*[0-9]6.*p$|emule|edonkey
+# no comments to explain what all the mush is, of course...
diff --git a/package/network/utils/iptables/files/l7/fasttrack.pat b/package/network/utils/iptables/files/l7/fasttrack.pat
new file mode 100644
index 0000000000..6ed8ff1d13
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/fasttrack.pat
@@ -0,0 +1,23 @@
+# FastTrack - P2P filesharing (Kazaa, Morpheus, iMesh, Grokster, etc)
+# Pattern attributes: good slow notsofast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/Fasttrack
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Tested with Kazaa Lite Resurrection 0.0.7.6F
+#
+# This appears to match the download connections well, but not the search
+# connections (I think they are encrypted :-( ).
+
+fasttrack
+# while this is a valid http request, this will be caught because
+# the http pattern matches the response (and therefore the next packet)
+# Even so, it's best to put this match earlier in the chain.
+# http://cvs.berlios.de/cgi-bin/viewcvs.cgi/gift-fasttrack/giFT-FastTrack/PROTOCOL?rev=HEAD&content-type=text/vnd.viewcvs-markup
+
+# This pattern is kinda slow, but not too bad.
+^get (/.download/[ -~]*|/.supernode[ -~]|/.status[ -~]|/.network[ -~]*|/.files|/.hash=[0-9a-f]*/[ -~]*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]?
+
+# This isn't much faster:
+#^get (/.download/.*|/.supernode.|/.status.|/.network.*|/.files|/.hash=[0-9a-f]*/.*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]?
+
diff --git a/package/network/utils/iptables/files/l7/ftp.pat b/package/network/utils/iptables/files/l7/ftp.pat
new file mode 100644
index 0000000000..44d97c467b
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/ftp.pat
@@ -0,0 +1,46 @@
+# FTP - File Transfer Protocol - RFC 959
+# Pattern attributes: great notsofast fast
+# Protocol groups: document_retrieval ietf_internet_standard
+# Wiki: http://protocolinfo.org/wiki/FTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 21.  Note that the data stream is on a dynamically
+# assigned port, which means that you will need the FTP connection 
+# tracking module in your kernel to usefully match FTP data transfers.
+# 
+# This pattern is well tested.
+#
+# Handles the first two things a server should say:
+#
+# First, the server says it's ready by sending "220".  Most servers say 
+# something after 220, even though they don't have to, and it usually 
+# includes the string "ftp" (l7-filter is case insensitive). This 
+# includes proftpd, vsftpd, wuftpd, warftpd, pureftpd, Bulletproof FTP 
+# Server, and whatever ftp.microsoft.com uses.  Almost all servers use only 
+# ASCII printable characters between the "220" and the "FTP", but non-English
+# ones might use others.
+# 
+# The next thing the server sends is a 331.  All the above servers also 
+# send something including "password" after this code.  By default, we 
+# do not match on this because it takes another packet and is more work 
+# for regexec.
+
+ftp
+# by default, we allow only ASCII
+^220[\x09-\x0d -~]*ftp
+
+# This covers UTF-8 as well 
+#^220[\x09-\x0d -~\x80-\xfd]*ftp
+
+# This allows any characters and is about 4x faster than either of the above 
+# (which are about the same as each other)
+#^220.*ftp
+
+# This is much slower
+#^220[\x09-\x0d -~]*ftp|331[\x09-\x0d -~]*password
+
+# This pattern is more precise, but takes longer to match. (3 packets vs. 1)
+#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a331
+
+# same as above, but slightly less precise and only takes 2 packets.
+#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a
diff --git a/package/network/utils/iptables/files/l7/gnutella.pat b/package/network/utils/iptables/files/l7/gnutella.pat
new file mode 100644
index 0000000000..770ed43b36
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/gnutella.pat
@@ -0,0 +1,34 @@
+# Gnutella - P2P filesharing
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: p2p open_source
+# Wiki: http://www.protocolinfo.org/wiki/Gnutella
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This should match both Gnutella and "Gnutella2" ("Mike's protocol")
+# 
+# Various clients use this protocol including Mactella, Shareaza,
+# GTK-gnutella, Gnucleus, Gnotella, LimeWire, iMesh and BearShare.
+# 
+# This is tested with gtk-gnutella and Shareaza.
+
+# http://www.gnutella2.com/tiki-index.php?page=UDP%20Transceiver
+# http://rfc-gnutella.sf.net/
+# http://www.gnutella2.com/tiki-index.php?page=Gnutella2%20Specification
+# http://en.wikipedia.org/wiki/Shareaza
+
+gnutella
+
+# The first part matches UDP messages - All start with "GND", then have
+# a flag byte which is either \x00, \x01 or \x02, then two sequence bytes
+# that can be anything, then a fragment number, which must start at 1.
+# The rest matches TCP first client message or first server message (in case 
+# we can't see client messages).  Some parts of this are empirical rather than 
+# document based.  Assumes version is between 0.0 and 2.9. (usually is
+# 0.4 or 0.6).  I'm guessing at many of the user-agents.
+# The last bit is emprical and probably only matches Limewire.
+^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella.*content-type: application/x-gnutella|...................?lime)
+
+# Needlessly precise, at the expense of time
+#^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /[\x09-\x0d -~]*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /[\x09-\x0d -~]*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella[\x09-\x0d -~]*content-type: application/x-gnutella|..................lime)
+
+
diff --git a/package/network/utils/iptables/files/l7/http.pat b/package/network/utils/iptables/files/l7/http.pat
new file mode 100644
index 0000000000..5122310d2f
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/http.pat
@@ -0,0 +1,28 @@
+# HTTP - HyperText Transfer Protocol - RFC 2616
+# Pattern attributes: great slow notsofast superset
+# Protocol groups: document_retrieval ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 80
+#
+# This pattern has been tested and is believed to work well.
+#
+# this intentionally catches the response from the server rather than
+# the request so that other protocols which use http (like kazaa) can be
+# caught based on specific http requests regardless of the ordering of
+# filters... also matches posts
+
+# Sites that serve really long cookies may break this by pushing the
+# server response too far away from the beginning of the connection. To
+# fix this, increase the kernel's data buffer length.
+
+http
+# Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF (rfc 2616)
+# As specified in rfc 2616 a status code is preceeded and followed by a
+# space. 
+http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019]
+# A slightly faster version that might be good enough:
+#http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]|post [\x09-\x0d -~]* http/[01]\.[019]
+# old pattern(s):
+#(http[\x09-\x0d -~]*(200 ok|302 |304 )[\x09-\x0d -~]*(connection:|content-type:|content-length:))|^(post [\x09-\x0d -~]* http/)
diff --git a/package/network/utils/iptables/files/l7/ident.pat b/package/network/utils/iptables/files/l7/ident.pat
new file mode 100644
index 0000000000..3205e5e696
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/ident.pat
@@ -0,0 +1,15 @@
+# Ident - Identification Protocol - RFC 1413
+# Pattern attributes: good fast fast
+# Protocol groups: networking ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/Ident
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 113
+#
+# This pattern is believed to work.
+
+ident
+# "number , numberCRLF" possibly without the CR and/or LF.
+# ^$ is appropriate because the first packet should never have anything
+# else in it.
+^[1-9][0-9]?[0-9]?[0-9]?[0-9]?[\x09-\x0d]*,[\x09-\x0d]*[1-9][0-9]?[0-9]?[0-9]?[0-9]?(\x0d\x0a|[\x0d\x0a])?$
diff --git a/package/network/utils/iptables/files/l7/irc.pat b/package/network/utils/iptables/files/l7/irc.pat
new file mode 100644
index 0000000000..e25360cafb
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/irc.pat
@@ -0,0 +1,20 @@
+# IRC - Internet Relay Chat - RFC 1459
+# Pattern attributes: great veryfast fast
+# Protocol groups: chat ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/IRC
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 6666 or 6667
+# Note that chat traffic runs on these ports, but IRC-DCC traffic (which
+# can use much more bandwidth) uses a dynamically assigned port, so you 
+# must have the IRC connection tracking module in your kernel to classify
+# this.
+#
+# This pattern has been tested and is believed to work well.
+
+irc
+# First thing that happens is that the client sends NICK and USER, in 
+# either order.  This allows MIRC color codes (\x02-\x0d instead of
+# \x09-\x0d).
+^(nick[\x09-\x0d -~]*user[\x09-\x0d -~]*:|user[\x09-\x0d -~]*:[\x02-\x0d -~]*nick[\x09-\x0d -~]*\x0d\x0a)
+
diff --git a/package/network/utils/iptables/files/l7/jabber.pat b/package/network/utils/iptables/files/l7/jabber.pat
new file mode 100644
index 0000000000..7c328905ee
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/jabber.pat
@@ -0,0 +1,24 @@
+# Jabber (XMPP) - open instant messenger protocol - RFC 3920 - http://jabber.org
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: chat ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/Jabber
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested with Gaim and Gabber.  It is only tested 
+# with non-SSL mode Jabber with no proxies.
+
+# Thanks to Jan Hudec for some improvements.
+
+# Jabber seems to take a long time to set up a connection.  I'm
+# connecting with Gabber 0.8.8 to 12jabber.org and the first 8 packets
+# is this:
+# <stream:stream to='12jabber.com' xmlns='jabber:client'
+# xmlns:stream='http://etherx.jabber.org/streams'><?xml
+# version='1.0'?><stream:stream
+# xmlns:stream='http://etherx.jabber.org/streams' id='3f73e951'
+# xmlns='jabber:client' from='12jabber.com'>
+#
+# No mention of my username or password yet, you'll note.
+
+jabber
+<stream:stream[\x09-\x0d ][ -~]*[\x09-\x0d ]xmlns=['"]jabber
diff --git a/package/network/utils/iptables/files/l7/msnmessenger.pat b/package/network/utils/iptables/files/l7/msnmessenger.pat
new file mode 100644
index 0000000000..11dfc10be2
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/msnmessenger.pat
@@ -0,0 +1,28 @@
+# MSN Messenger - Microsoft Network chat client
+# Pattern attributes: good slow notsofast
+# Protocol groups: chat proprietary
+# Wiki: http://www.protocolinfo.org/wiki/MSN_Messenger
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually uses TCP port 1863
+# http://www.hypothetic.org/docs/msn/index.php
+# http://msnpiki.msnfanatic.com/
+#
+# This pattern has been tested and is believed to work well.
+
+msnmessenger
+
+# First branch: login
+#   ver: allow versions up to 99.
+#   I've never seen a cvr other than cvr0.  Maybe this will be trouble later?
+#   Can't anchor at the beginning because sometimes this is encapsulated in
+#   HTTP.  But either way, the first packet ends like this.
+# Second/Third branches: accepting/sending a message
+#   I will assume that these can also be encapsulated in HTTP, although I have
+#   not checked.  Example of each direction:
+#   ANS 1 quadong@hotmail.com 1139803431.29427 17522047
+#   USR 1 quadong@hotmail.com 530423708.968145.366138
+
+# Branches are written entirely separately for better performance.
+ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]*cvr0\x0d\x0a$|usr 1 [!-~]+ [0-9. ]+\x0d\x0a$|ans 1 [!-~]+ [0-9. ]+\x0d\x0a$
+
diff --git a/package/network/utils/iptables/files/l7/ntp.pat b/package/network/utils/iptables/files/l7/ntp.pat
new file mode 100644
index 0000000000..760cfdbe59
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/ntp.pat
@@ -0,0 +1,17 @@
+# (S)NTP - (Simple) Network Time Protocol - RFCs 1305 and 2030
+# Pattern attributes: good fast fast overmatch 
+# Protocol groups: time_synchronization ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/NTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern is tested and is believed to work.
+
+# client|server
+# Requires the server's timestamp to be in the present or future (of 2005).
+# Tested with ntpdate on Linux.
+# Assumes version 2, 3 or 4.
+
+# Note that ntp packets are always 48 bytes, so you should match on that too.
+
+ntp
+^([\x13\x1b\x23\xd3\xdb\xe3]|[\x14\x1c$].......?.?.?.?.?.?.?.?.?[\xc6-\xff])
diff --git a/package/network/utils/iptables/files/l7/pop3.pat b/package/network/utils/iptables/files/l7/pop3.pat
new file mode 100644
index 0000000000..3ae4c147bb
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/pop3.pat
@@ -0,0 +1,50 @@
+# POP3 - Post Office Protocol version 3 (popular e-mail protocol) - RFC 1939
+# Pattern attributes: great veryfast fast
+# Protocol groups: mail ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/POP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested somewhat.
+
+# this is a difficult protocol to match because of the relative lack of 
+# distinguishing information.  Read on.
+pop3
+
+# this the most conservative pattern.  It should definitely work.
+#^(\+ok|-err)
+
+# this pattern assumes that the server says _something_ after +ok or -err
+# I think this is probably the way to go.
+^(\+ok |-err )
+
+# more that 90% of servers seem to say "pop" after "+ok", but not all.
+#^(\+ok .*pop)
+
+# Here's another tack. I think this is my second favorite.
+#^(\+ok [\x09-\x0d -~]*(ready|hello|pop|starting)|-err [\x09-\x0d -~]*(invalid|unknown|unimplemented|unrecognized|command))
+
+# this matches the server saying "you have N messages that are M bytes",
+# which the client probably asks for early in the session (not tested)
+#\+ok [0-9]+ [0-9]+
+
+# some sample servers:
+# RFC example:        +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>
+# mail.dreamhost.com: +OK Hello there.
+# pop.carleton.edu:   +OK POP3D(*) Server PMDFV6.2.2 at Fri, 12 Sep 2003 19:28:10 -0500 (CDT) (APOP disabled)
+# mail.earthlink.net: +OK NGPopper vEL_4_38 at earthlink.net ready <25509.1063412951@falcon>
+# *.email.umn.edu:    +OK Cubic Circle's v1.22 1998/04/11 POP3 ready <7d1e0000da67623f@aquamarine.tc.umn.edu>
+# mail.yale.edu:      +OK POP3 pantheon-po01 v2002.81 server ready
+# mail.gustavus.edu:  +OK POP3 solen v2001.78 server ready
+# mail.reed.edu:      +OK POP3 letra.reed.edu v2002.81 server ready
+# mail.bowdoin.edu:   +OK mail.bowdoin.edu POP3 service (iPlanet Messaging Server 5.2 HotFix 1.15 (built Apr 28 2003))
+# pop.colby.edu:      +OK Qpopper (version 4.0.5) at basalt starting.
+# mail.mac.com:       +OK Netscape Messaging Multiplexor ready
+
+# various error strings:
+#-ERR Invalid command.
+#-ERR invalid command
+#-ERR unimplemented
+#-ERR Invalid command, try one of: USER name, PASS string, QUIT
+#-ERR Unknown AUTHORIZATION state command
+#-ERR Unrecognized command
+#-ERR Unknown command: "sadf'".
diff --git a/package/network/utils/iptables/files/l7/smtp.pat b/package/network/utils/iptables/files/l7/smtp.pat
new file mode 100644
index 0000000000..2f5d1957f9
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/smtp.pat
@@ -0,0 +1,40 @@
+# SMTP - Simple Mail Transfer Protocol - RFC 2821 (See also RFC 1869)
+# Pattern attributes: great notsofast fast
+# Protocol groups: mail ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/SMTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# usually runs on port 25
+# 
+# This pattern has been tested and is believed to work well.
+
+# As usual, no text is required after "220", but all known servers have some
+# there.  It (almost?) always has string "smtp" in it.  The RFC examples
+# does not, so we match those too, just in case anyone has copied them 
+# literally.
+#
+# Some examples:
+# 220 mail.stalker.com ESMTP CommuniGate Pro 4.1.3
+# 220 mail.vieodata.com ESMTP Merak 6.1.0; Mon, 15 Sep 2003 13:48:11 -0400
+# 220 mail.ut.caldera.com ESMTP
+# 220 persephone.pmail.gen.nz ESMTP server ready.
+# 220 smtp1.superb.net ESMTP
+# 220 mail.kerio.com Kerio MailServer 5.6.7 ESMTP ready
+# 220-mail.deerfield.com ESMTP VisNetic.MailServer.v6.0.9.0; Mon, 15 Sep 2003 13:4
+# 220 altn.com ESMTP MDaemon 6.8.5; Mon, 15 Sep 2003 12:46:42 -0500
+# 220 X1 NT-ESMTP Server ipsmin0165atl2.interland.net (IMail 6.06 73062-3)
+# 220 mail.icewarp.com ESMTP Merak 6.1.1; Mon, 15 Sep 2003 19:43:23 +0200
+# 220-mail.email-scan.com ESMTP
+# 220 smaug.dreamhost.com ESMTP
+# 220 kona.carleton.edu -- Server ESMTP (PMDF V6.2#30648)
+# 220 letra.reed.edu ESMTP Sendmail 8.12.9/8.12.9; Mon, 15 Sep 2003 10:35:57 -0700 (PDT)
+# 220-swan.mail.pas.earthlink.net ESMTP Exim 3.33 #1 Mon, 15 Sep 2003 10:32:15 -0700
+# 
+# RFC examples:
+# 220 xyz.com Simple Mail Transfer Service Ready (RFC example)
+# 220 dbc.mtview.ca.us SMTP service ready
+
+smtp
+^220[\x09-\x0d -~]* (e?smtp|simple mail)
+userspace pattern=^220[\x09-\x0d -~]* (E?SMTP|[Ss]imple [Mm]ail)
+userspace flags=REG_NOSUB REG_EXTENDED
diff --git a/package/network/utils/iptables/files/l7/ssl.pat b/package/network/utils/iptables/files/l7/ssl.pat
new file mode 100644
index 0000000000..ae30ee4400
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/ssl.pat
@@ -0,0 +1,16 @@
+# SSL and TLS - Secure Socket Layer / Transport Layer Security - RFC 2246
+# Pattern attributes: good notsofast fast superset
+# Protocol groups: secure ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/SSL
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 443
+#
+# This is a superset of validcertssl.  For it to match, it must be first.
+# 
+# This pattern has been tested and is believed to work well.
+
+ssl
+# Server Hello with certificate | Client Hello
+# This allows SSL 3.X, which includes TLS 1.0, known internally as SSL 3.1
+^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b)
diff --git a/package/network/utils/iptables/files/l7/vnc.pat b/package/network/utils/iptables/files/l7/vnc.pat
new file mode 100644
index 0000000000..79d0ae8a28
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/vnc.pat
@@ -0,0 +1,23 @@
+# VNC - Virtual Network Computing.  Also known as RFB - Remote Frame Buffer
+# Pattern attributes: great veryfast fast
+# Protocol groups: remote_access
+# Wiki: http://www.protocolinfo.org/wiki/VNC
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# http://www.realvnc.com/documentation.html
+# 
+# This pattern has been verified with vnc v3.3.7 on WinXP and Linux
+#
+# Thanks to Trevor Paskett <tpaskett AT cymphonix.com> for this pattern.
+
+vnc
+# Assumes single digit major and minor version numbers 
+# This message should be all alone in the first packet, so ^$ is appropriate
+^rfb 00[1-9]\.00[0-9]\x0a$
+
+# This is a more restrictive version which assumes the version numbers
+# are ones actually in existance at the time of this writing, i.e. 3.3,
+# 3.7 and 3.8 (with some clients wrongly reporting 3.5).  It should be
+# slightly faster, but probably not worth the extra maintenance. 
+# ^rfb 003\.00[3578]\x0a$
+
diff --git a/package/network/utils/iptables/patches/002-layer7_2.22.patch b/package/network/utils/iptables/patches/002-layer7_2.22.patch
new file mode 100644
index 0000000000..ba4531e3f3
--- /dev/null
+++ b/package/network/utils/iptables/patches/002-layer7_2.22.patch
@@ -0,0 +1,371 @@
+--- /dev/null
++++ b/extensions/libxt_layer7.c
+@@ -0,0 +1,368 @@
++/* 
++   Shared library add-on to iptables for layer 7 matching support. 
++  
++   By Matthew Strait <quadong@users.sf.net>, Oct 2003-Aug 2008.
++
++   http://l7-filter.sf.net 
++
++   This program is free software; you can redistribute it and/or
++   modify it under the terms of the GNU General Public License
++   as published by the Free Software Foundation; either version
++   2 of the License, or (at your option) any later version.
++   http://www.gnu.org/licenses/gpl.txt
++*/
++
++#define _GNU_SOURCE
++#include <stdio.h>
++#include <netdb.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++#include <ctype.h>
++#include <dirent.h>
++
++#include <xtables.h>
++#include <linux/netfilter/xt_layer7.h>
++
++#define MAX_FN_LEN 256
++
++static char l7dir[MAX_FN_LEN] = "\0";
++
++/* Function which prints out usage message. */
++static void help(void)
++{
++	printf(
++	"layer7 match options:\n"
++	"    --l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n"
++	"                          (--l7dir must be specified before --l7proto if used)\n"
++	"[!] --l7proto <name>: Match named protocol using /etc/l7-protocols/.../name.pat\n");
++}
++
++static const struct option opts[] = {
++	{ .name = "l7proto", .has_arg = 1, .val = 'p' },
++	{ .name = "l7dir",   .has_arg = 1, .val = 'd' },
++	{ .name = NULL }
++};
++
++/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */
++static int parse_protocol_file(char * filename, const char * protoname, struct xt_layer7_info *info)
++{
++	FILE * f;
++	char * line = NULL;
++	size_t len = 0;
++
++	enum { protocol, pattern, done } datatype = protocol;
++
++	f = fopen(filename, "r");
++
++	if(!f)
++		return 0;
++
++	while(getline(&line, &len, f) != -1)
++	{
++		if(strlen(line) < 2 || line[0] == '#')
++			continue;
++
++		/* strip the pesky newline... */
++		if(line[strlen(line) - 1] == '\n')
++			line[strlen(line) - 1] = '\0';
++
++		if(datatype == protocol)
++		{
++			/* Ignore everything on the line beginning with the 
++			first space or tab . For instance, this allows the 
++			protocol line in http.pat to be "http " (or 
++			"http I am so cool") instead of just "http". */
++			if(strchr(line, ' ')){
++				char * space = strchr(line, ' ');
++				space[0] = '\0';
++			}
++			if(strchr(line, '\t')){
++				char * space = strchr(line, '\t');
++				space[0] = '\0';
++			}
++
++			/* sanity check.  First non-comment non-blank 
++			line must be the same as the file name. */
++			if(strcmp(line, protoname))
++				xtables_error(OTHER_PROBLEM, 
++					"Protocol name (%s) doesn't match file name (%s).  Bailing out\n",
++					line, filename);
++
++			if(strlen(line) >= MAX_PROTOCOL_LEN)
++				 xtables_error(PARAMETER_PROBLEM, 
++					"Protocol name in %s too long!", filename);
++			strncpy(info->protocol, line, MAX_PROTOCOL_LEN);
++
++			datatype = pattern; 
++		}
++		else if(datatype == pattern)
++		{
++			if(strlen(line) >= MAX_PATTERN_LEN)
++				 xtables_error(PARAMETER_PROBLEM, "Pattern in %s too long!", filename);
++			strncpy(info->pattern, line, MAX_PATTERN_LEN);
++			
++			datatype = done;			
++			break;
++		}
++		else
++			xtables_error(OTHER_PROBLEM, "Internal error");
++	}
++
++	if(datatype != done)
++		xtables_error(OTHER_PROBLEM, "Failed to get all needed data from %s", filename);
++
++	if(line) free(line);
++	fclose(f);
++
++	return 1;
++}
++
++static int hex2dec(char c)
++{
++        switch (c)
++        {
++                case '0' ... '9':
++                        return c - '0';
++                case 'a' ... 'f':
++                        return c - 'a' + 10;
++                case 'A' ... 'F':
++                        return c - 'A' + 10;
++                default:
++                        xtables_error(OTHER_PROBLEM, "hex2dec: bad value!\n");
++                        return 0;
++        }
++}
++
++/* takes a string with \xHH escapes and returns one with the characters 
++they stand for */
++static char * pre_process(char * s)
++{
++	char * result = malloc(strlen(s) + 1);
++	int sindex = 0, rrindex = 0;
++        while( sindex < strlen(s) )
++        {
++            if( sindex + 3 < strlen(s) &&
++                s[sindex] == '\\' && s[sindex+1] == 'x' && 
++                isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) ) 
++                {
++                        /* carefully remember to call tolower here... */
++                        result[rrindex] = tolower( hex2dec(s[sindex + 2])*16 +
++                                                  hex2dec(s[sindex + 3] ) );
++
++			switch ( result[rrindex] )
++			{
++			case 0x24:
++			case 0x28:
++			case 0x29:
++			case 0x2a:
++			case 0x2b:
++			case 0x2e:
++			case 0x3f:
++			case 0x5b:
++			case 0x5c:
++			case 0x5d:
++			case 0x5e:
++			case 0x7c:
++				fprintf(stderr, 
++					"Warning: layer7 regexp contains a control character, %c, in hex (\\x%c%c).\n"
++					"I recommend that you write this as %c or \\%c, depending on what you meant.\n",
++					result[rrindex], s[sindex + 2], s[sindex + 3], result[rrindex], result[rrindex]);
++				break;
++			case 0x00:
++				fprintf(stderr, 
++					"Warning: null (\\x00) in layer7 regexp.  A null terminates the regexp string!\n");
++				break;
++			default:
++				break;
++			}
++
++
++                        sindex += 3; /* 4 total */
++                }
++                else
++                        result[rrindex] = tolower(s[sindex]);
++
++		sindex++; 
++		rrindex++;
++        }
++	result[rrindex] = '\0';
++
++	return result;
++}
++
++#define MAX_SUBDIRS 128
++static char ** readl7dir(char * dirname)
++{
++        DIR             * scratchdir;
++        struct dirent   ** namelist;
++	char ** subdirs = malloc(MAX_SUBDIRS * sizeof(char *));
++
++        int n, d = 1;
++	subdirs[0] = "";
++
++        n = scandir(dirname, &namelist, 0, alphasort);
++
++	if (n < 0)
++	{
++            perror("scandir");
++	    xtables_error(OTHER_PROBLEM, "Couldn't open %s\n", dirname);
++	}
++        else 
++	{
++            	while(n--) 
++		{
++			char fulldirname[MAX_FN_LEN];
++
++			snprintf(fulldirname, MAX_FN_LEN, "%s/%s", dirname, namelist[n]->d_name);
++
++                	if((scratchdir = opendir(fulldirname)) != NULL)
++			{
++				closedir(scratchdir);
++
++				if(!strcmp(namelist[n]->d_name, ".") || 
++				   !strcmp(namelist[n]->d_name, ".."))
++					/* do nothing */ ;
++				else
++				{
++					subdirs[d] = malloc(strlen(namelist[n]->d_name) + 1);
++					strcpy(subdirs[d], namelist[n]->d_name);
++					d++;
++					if(d >= MAX_SUBDIRS - 1)
++					{
++						fprintf(stderr, 
++						  "Too many subdirectories, skipping the rest!\n");
++						break;
++					}
++				}
++			}
++                	free(namelist[n]);
++            	}
++            	free(namelist);
++        }
++	
++	subdirs[d] = NULL;
++
++	return subdirs;
++}
++
++static void parse_layer7_protocol(const char *s, struct xt_layer7_info *info)
++{
++	char filename[MAX_FN_LEN];
++	char * dir = NULL;
++	char ** subdirs;
++	int n = 0, done = 0;
++
++	if(strlen(l7dir) > 0) dir = l7dir;
++	else                  dir = "/etc/l7-protocols";
++
++	subdirs = readl7dir(dir);
++
++	while(subdirs[n] != NULL)
++	{
++		int c = snprintf(filename, MAX_FN_LEN, "%s/%s/%s.pat", dir, subdirs[n], s);
++
++		if(c > MAX_FN_LEN)
++			xtables_error(OTHER_PROBLEM, 
++				"Filename beginning with %s is too long!\n", filename);
++
++		/* read in the pattern from the file */
++		if(parse_protocol_file(filename, s, info)){
++			done = 1;
++			break;
++		}
++		
++		n++;
++	}
++
++	if(!done)
++		xtables_error(OTHER_PROBLEM, 
++			"Couldn't find a pattern definition file for %s.\n", s);
++
++	/* process \xHH escapes and tolower everything. (our regex lib has no
++	case insensitivity option.) */
++	strncpy(info->pattern, pre_process(info->pattern), MAX_PATTERN_LEN);
++}
++
++/* Function which parses command options; returns true if it ate an option */
++static int parse(int c, char **argv, int invert, unsigned int *flags,
++      const void *entry, struct xt_entry_match **match)
++{
++	struct xt_layer7_info *layer7info = 
++		(struct xt_layer7_info *)(*match)->data;
++
++	switch (c) {
++	case 'p':
++		parse_layer7_protocol(argv[optind-1], layer7info);
++		if (invert)
++			layer7info->invert = true;
++		*flags = 1;
++		break;
++
++	case 'd':
++		if(strlen(argv[optind-1]) >= MAX_FN_LEN)
++			xtables_error(PARAMETER_PROBLEM, "directory name too long\n");
++
++		strncpy(l7dir, argv[optind-1], MAX_FN_LEN);
++
++		*flags = 1;
++		break;
++
++	default:
++		return 0;
++	}
++
++	return 1;
++}
++
++/* Final check; must have specified --l7proto */
++static void final_check(unsigned int flags)
++{
++	if (!flags)
++		xtables_error(PARAMETER_PROBLEM,
++			   "LAYER7 match: You must specify `--l7proto'");
++}
++
++static void print_protocol(char s[], int invert, int numeric)
++{
++	fputs("l7proto ", stdout);
++	if (invert) fputc('!', stdout);
++	printf("%s ", s);
++}
++
++/* Prints out the matchinfo. */
++static void print(const void *ip,
++      const struct xt_entry_match *match,
++      int numeric)
++{
++	printf("LAYER7 ");
++	print_protocol(((struct xt_layer7_info *)match->data)->protocol,
++		  ((struct xt_layer7_info *)match->data)->invert, numeric);
++}
++/* Saves the union ipt_matchinfo in parsable form to stdout. */
++static void save(const void *ip, const struct xt_entry_match *match)
++{
++        const struct xt_layer7_info *info =
++            (const struct xt_layer7_info*) match->data;
++
++        printf("--l7proto %s%s ", (info->invert)? "! ":"", info->protocol);
++}
++
++static struct xtables_match layer7 = { 
++    .family        = AF_INET,
++    .name          = "layer7",
++    .version       = XTABLES_VERSION,
++    .size          = XT_ALIGN(sizeof(struct xt_layer7_info)),
++    .userspacesize = XT_ALIGN(sizeof(struct xt_layer7_info)),
++    .help          = &help,
++    .parse         = &parse,
++    .final_check   = &final_check,
++    .print         = &print,
++    .save          = &save,
++    .extra_opts    = opts
++};
++
++void _init(void)
++{
++	xtables_register_match(&layer7);
++}
diff --git a/package/network/utils/iptables/patches/009-table-alignment.patch b/package/network/utils/iptables/patches/009-table-alignment.patch
new file mode 100644
index 0000000000..53012ab320
--- /dev/null
+++ b/package/network/utils/iptables/patches/009-table-alignment.patch
@@ -0,0 +1,11 @@
+--- a/libiptc/libiptc.c
++++ b/libiptc/libiptc.c
+@@ -69,7 +69,7 @@ static const char *hooknames[] = {
+ struct ipt_error_target
+ {
+ 	STRUCT_ENTRY_TARGET t;
+-	char error[TABLE_MAXNAMELEN];
++	char error[FUNCTION_MAXNAMELEN];
+ };
+ 
+ struct chain_head;
diff --git a/package/network/utils/iptables/patches/010-multiport-linux-2.4-compat.patch b/package/network/utils/iptables/patches/010-multiport-linux-2.4-compat.patch
new file mode 100644
index 0000000000..3b35f7e3c6
--- /dev/null
+++ b/package/network/utils/iptables/patches/010-multiport-linux-2.4-compat.patch
@@ -0,0 +1,265 @@
+--- a/extensions/libxt_multiport.c
++++ b/extensions/libxt_multiport.c
+@@ -15,21 +15,6 @@
+ #include <linux/netfilter/xt_multiport.h>
+ 
+ /* Function which prints out usage message. */
+-static void multiport_help(void)
+-{
+-	printf(
+-"multiport match options:\n"
+-" --source-ports port[,port,port...]\n"
+-" --sports ...\n"
+-"				match source port(s)\n"
+-" --destination-ports port[,port,port...]\n"
+-" --dports ...\n"
+-"				match destination port(s)\n"
+-" --ports port[,port,port]\n"
+-"				match both source and destination port(s)\n"
+-" NOTE: this kernel does not support port ranges in multiport.\n");
+-}
+-
+ static void multiport_help_v1(void)
+ {
+ 	printf(
+@@ -72,26 +57,6 @@ proto_to_name(u_int8_t proto)
+ 	}
+ }
+ 
+-static unsigned int
+-parse_multi_ports(const char *portstring, u_int16_t *ports, const char *proto)
+-{
+-	char *buffer, *cp, *next;
+-	unsigned int i;
+-
+-	buffer = strdup(portstring);
+-	if (!buffer) xtables_error(OTHER_PROBLEM, "strdup failed");
+-
+-	for (cp=buffer, i=0; cp && i<XT_MULTI_PORTS; cp=next,i++)
+-	{
+-		next=strchr(cp, ',');
+-		if (next) *next++='\0';
+-		ports[i] = xtables_parse_port(cp, proto);
+-	}
+-	if (cp) xtables_error(PARAMETER_PROBLEM, "too many ports specified");
+-	free(buffer);
+-	return i;
+-}
+-
+ static void
+ parse_multi_ports_v1(const char *portstring, 
+ 		     struct xt_multiport_v1 *multiinfo,
+@@ -155,73 +120,6 @@ check_proto(u_int16_t pnum, u_int8_t inv
+ /* Function which parses command options; returns true if it
+    ate an option */
+ static int
+-__multiport_parse(int c, char **argv, int invert, unsigned int *flags,
+-                  struct xt_entry_match **match, u_int16_t pnum,
+-                  u_int8_t invflags)
+-{
+-	const char *proto;
+-	struct xt_multiport *multiinfo
+-		= (struct xt_multiport *)(*match)->data;
+-
+-	switch (c) {
+-	case '1':
+-		xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+-		proto = check_proto(pnum, invflags);
+-		multiinfo->count = parse_multi_ports(optarg,
+-						     multiinfo->ports, proto);
+-		multiinfo->flags = XT_MULTIPORT_SOURCE;
+-		break;
+-
+-	case '2':
+-		xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+-		proto = check_proto(pnum, invflags);
+-		multiinfo->count = parse_multi_ports(optarg,
+-						     multiinfo->ports, proto);
+-		multiinfo->flags = XT_MULTIPORT_DESTINATION;
+-		break;
+-
+-	case '3':
+-		xtables_check_inverse(optarg, &invert, &optind, 0, argv);
+-		proto = check_proto(pnum, invflags);
+-		multiinfo->count = parse_multi_ports(optarg,
+-						     multiinfo->ports, proto);
+-		multiinfo->flags = XT_MULTIPORT_EITHER;
+-		break;
+-
+-	default:
+-		return 0;
+-	}
+-
+-	if (invert)
+-		xtables_error(PARAMETER_PROBLEM,
+-			   "multiport does not support invert");
+-
+-	if (*flags)
+-		xtables_error(PARAMETER_PROBLEM,
+-			   "multiport can only have one option");
+-	*flags = 1;
+-	return 1;
+-}
+-
+-static int
+-multiport_parse(int c, char **argv, int invert, unsigned int *flags,
+-                const void *e, struct xt_entry_match **match)
+-{
+-	const struct ipt_entry *entry = e;
+-	return __multiport_parse(c, argv, invert, flags, match,
+-	       entry->ip.proto, entry->ip.invflags);
+-}
+-
+-static int
+-multiport_parse6(int c, char **argv, int invert, unsigned int *flags,
+-                 const void *e, struct xt_entry_match **match)
+-{
+-	const struct ip6t_entry *entry = e;
+-	return __multiport_parse(c, argv, invert, flags, match,
+-	       entry->ipv6.proto, entry->ipv6.invflags);
+-}
+-
+-static int
+ __multiport_parse_v1(int c, char **argv, int invert, unsigned int *flags,
+                      struct xt_entry_match **match, u_int16_t pnum,
+                      u_int8_t invflags)
+@@ -314,55 +212,6 @@ print_port(u_int16_t port, u_int8_t prot
+ }
+ 
+ /* Prints out the matchinfo. */
+-static void
+-__multiport_print(const struct xt_entry_match *match, int numeric,
+-                  u_int16_t proto)
+-{
+-	const struct xt_multiport *multiinfo
+-		= (const struct xt_multiport *)match->data;
+-	unsigned int i;
+-
+-	printf("multiport ");
+-
+-	switch (multiinfo->flags) {
+-	case XT_MULTIPORT_SOURCE:
+-		printf("sports ");
+-		break;
+-
+-	case XT_MULTIPORT_DESTINATION:
+-		printf("dports ");
+-		break;
+-
+-	case XT_MULTIPORT_EITHER:
+-		printf("ports ");
+-		break;
+-
+-	default:
+-		printf("ERROR ");
+-		break;
+-	}
+-
+-	for (i=0; i < multiinfo->count; i++) {
+-		printf("%s", i ? "," : "");
+-		print_port(multiinfo->ports[i], proto, numeric);
+-	}
+-	printf(" ");
+-}
+-
+-static void multiport_print(const void *ip_void,
+-                            const struct xt_entry_match *match, int numeric)
+-{
+-	const struct ipt_ip *ip = ip_void;
+-	__multiport_print(match, numeric, ip->proto);
+-}
+-
+-static void multiport_print6(const void *ip_void,
+-                             const struct xt_entry_match *match, int numeric)
+-{
+-	const struct ip6t_ip6 *ip = ip_void;
+-	__multiport_print(match, numeric, ip->proto);
+-}
+-
+ static void __multiport_print_v1(const struct xt_entry_match *match,
+                                  int numeric, u_int16_t proto)
+ {
+@@ -419,48 +268,6 @@ static void multiport_print6_v1(const vo
+ }
+ 
+ /* Saves the union ipt_matchinfo in parsable form to stdout. */
+-static void __multiport_save(const struct xt_entry_match *match,
+-                             u_int16_t proto)
+-{
+-	const struct xt_multiport *multiinfo
+-		= (const struct xt_multiport *)match->data;
+-	unsigned int i;
+-
+-	switch (multiinfo->flags) {
+-	case XT_MULTIPORT_SOURCE:
+-		printf("--sports ");
+-		break;
+-
+-	case XT_MULTIPORT_DESTINATION:
+-		printf("--dports ");
+-		break;
+-
+-	case XT_MULTIPORT_EITHER:
+-		printf("--ports ");
+-		break;
+-	}
+-
+-	for (i=0; i < multiinfo->count; i++) {
+-		printf("%s", i ? "," : "");
+-		print_port(multiinfo->ports[i], proto, 1);
+-	}
+-	printf(" ");
+-}
+-
+-static void multiport_save(const void *ip_void,
+-                           const struct xt_entry_match *match)
+-{
+-	const struct ipt_ip *ip = ip_void;
+-	__multiport_save(match, ip->proto);
+-}
+-
+-static void multiport_save6(const void *ip_void,
+-                            const struct xt_entry_match *match)
+-{
+-	const struct ip6t_ip6 *ip = ip_void;
+-	__multiport_save(match, ip->proto);
+-}
+-
+ static void __multiport_save_v1(const struct xt_entry_match *match,
+                                 u_int16_t proto)
+ {
+@@ -514,34 +321,6 @@ static struct xtables_match multiport_mt
+ 	{
+ 		.family        = NFPROTO_IPV4,
+ 		.name          = "multiport",
+-		.revision      = 0,
+-		.version       = XTABLES_VERSION,
+-		.size          = XT_ALIGN(sizeof(struct xt_multiport)),
+-		.userspacesize = XT_ALIGN(sizeof(struct xt_multiport)),
+-		.help          = multiport_help,
+-		.parse         = multiport_parse,
+-		.final_check   = multiport_check,
+-		.print         = multiport_print,
+-		.save          = multiport_save,
+-		.extra_opts    = multiport_opts,
+-	},
+-	{
+-		.family        = NFPROTO_IPV6,
+-		.name          = "multiport",
+-		.revision      = 0,
+-		.version       = XTABLES_VERSION,
+-		.size          = XT_ALIGN(sizeof(struct xt_multiport)),
+-		.userspacesize = XT_ALIGN(sizeof(struct xt_multiport)),
+-		.help          = multiport_help,
+-		.parse         = multiport_parse6,
+-		.final_check   = multiport_check,
+-		.print         = multiport_print6,
+-		.save          = multiport_save6,
+-		.extra_opts    = multiport_opts,
+-	},
+-	{
+-		.family        = NFPROTO_IPV4,
+-		.name          = "multiport",
+ 		.version       = XTABLES_VERSION,
+ 		.revision      = 1,
+ 		.size          = XT_ALIGN(sizeof(struct xt_multiport_v1)),
diff --git a/package/network/utils/iptables/patches/011-recent-add-reap.patch b/package/network/utils/iptables/patches/011-recent-add-reap.patch
new file mode 100644
index 0000000000..275265b99d
--- /dev/null
+++ b/package/network/utils/iptables/patches/011-recent-add-reap.patch
@@ -0,0 +1,116 @@
+From 20c706d4cba3227c9c44fb61c4d93b0ae84e1464 Mon Sep 17 00:00:00 2001
+From: Tim Gardner <tim.gardner@canonical.com>
+Date: Mon, 1 Mar 2010 19:00:29 -0700
+Subject: [PATCH] xt_recent: Added XT_RECENT_REAP logic and man page documentation
+
+Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
+---
+ extensions/libxt_recent.c           |   20 ++++++++++++++++++++
+ extensions/libxt_recent.man         |    5 +++++
+ include/linux/netfilter/xt_recent.h |    7 +++++++
+ 3 files changed, 32 insertions(+), 0 deletions(-)
+
+--- a/extensions/libxt_recent.c
++++ b/extensions/libxt_recent.c
+@@ -20,6 +20,7 @@ static const struct option recent_opts[]
+ 	{.name = "name",     .has_arg = true,  .val = 208},
+ 	{.name = "rsource",  .has_arg = false, .val = 209},
+ 	{.name = "rdest",    .has_arg = false, .val = 210},
++	{.name = "reap",     .has_arg = false, .val = 211},
+ 	XT_GETOPT_TABLEEND,
+ };
+ 
+@@ -37,6 +38,7 @@ static void recent_help(void)
+ "    --hitcount hits             For check and update commands above.\n"
+ "                                Specifies that the match will only occur if source address seen hits times.\n"
+ "                                May be used in conjunction with the seconds option.\n"
++"    --reap                      Remove entries that have expired. Can only be used with --seconds\n"
+ "    --rttl                      For check and update commands above.\n"
+ "                                Specifies that the match will only occur if the source address and the TTL\n"
+ "                                match between this packet and the one which was set.\n"
+@@ -63,6 +65,8 @@ static void recent_init(struct xt_entry_
+ 	(XT_RECENT_SET | XT_RECENT_CHECK | \
+ 	XT_RECENT_UPDATE | XT_RECENT_REMOVE)
+ 
++#define XT_RECENT_SECONDS 1 << 31
++
+ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
+                         const void *entry, struct xt_entry_match **match)
+ {
+@@ -104,6 +108,7 @@ static int recent_parse(int c, char **ar
+ 
+ 		case 204:
+ 			info->seconds = atoi(optarg);
++			*flags |= XT_RECENT_SECONDS;
+ 			break;
+ 
+ 		case 205:
+@@ -139,6 +144,11 @@ static int recent_parse(int c, char **ar
+ 			info->side = XT_RECENT_DEST;
+ 			break;
+ 
++		case 211:
++			info->check_set |= XT_RECENT_REAP;
++			*flags |= XT_RECENT_REAP;
++			break;
++
+ 		default:
+ 			return 0;
+ 	}
+@@ -157,6 +167,12 @@ static void recent_check(unsigned int fl
+ 		xtables_error(PARAMETER_PROBLEM,
+ 		           "recent: --rttl may only be used with --rcheck or "
+ 		           "--update");
++	if ((flags & XT_RECENT_REAP) &&
++	    ((flags & (XT_RECENT_SET | XT_RECENT_REMOVE)) ||
++	    (!(flags & XT_RECENT_SECONDS))))
++		xtables_error(PARAMETER_PROBLEM,
++		           "recent: --reap may only be used with --rcheck or "
++		           "--update and --seconds");
+ }
+ 
+ static void recent_print(const void *ip, const struct xt_entry_match *match,
+@@ -185,6 +201,8 @@ static void recent_print(const void *ip,
+ 		printf("side: source ");
+ 	if (info->side == XT_RECENT_DEST)
+ 		printf("side: dest ");
++	if (info->check_set & XT_RECENT_REAP)
++		printf("reap ");
+ }
+ 
+ static void recent_save(const void *ip, const struct xt_entry_match *match)
+@@ -211,6 +229,8 @@ static void recent_save(const void *ip, 
+ 		printf("--rsource ");
+ 	if (info->side == XT_RECENT_DEST)
+ 		printf("--rdest ");
++	if (info->check_set & XT_RECENT_REAP)
++		printf("--reap ");
+ }
+ 
+ static struct xtables_match recent_mt_reg = {
+--- a/extensions/libxt_recent.man
++++ b/extensions/libxt_recent.man
+@@ -41,6 +41,11 @@ This option must be used in conjunction 
+ \fB\-\-update\fP. When used, this will narrow the match to only happen when the
+ address is in the list and was seen within the last given number of seconds.
+ .TP
++\fB\-\-reap\fP \fIreap\fP
++This option must be used in conjunction with \fB\-\-seconds\fP. When used, this
++will remove entries with the most recent timestamp older then \fB\-\-seconds\fP
++since the last packet was received.
++.TP
+ \fB\-\-hitcount\fP \fIhits\fP
+ This option must be used in conjunction with one of \fB\-\-rcheck\fP or
+ \fB\-\-update\fP. When used, this will narrow the match to only happen when the
+--- a/include/linux/netfilter/xt_recent.h
++++ b/include/linux/netfilter/xt_recent.h
+@@ -23,6 +23,9 @@ enum {
+ #define XT_RECENT_VALID_FLAGS (XT_RECENT_CHECK|XT_RECENT_SET|XT_RECENT_UPDATE|\
+ 			       XT_RECENT_REMOVE|XT_RECENT_TTL|XT_RECENT_REAP)
+ 
++/* Only allowed with --rcheck and --update */
++#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP)
++
+ struct xt_recent_mtinfo {
+ 	__u32 seconds;
+ 	__u32 hit_count;
diff --git a/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch b/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch
new file mode 100644
index 0000000000..338962ffbe
--- /dev/null
+++ b/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch
@@ -0,0 +1,18 @@
+--- a/xtables.c
++++ b/xtables.c
+@@ -305,6 +305,7 @@ static char *get_modprobe(void)
+ 
+ int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
+ {
++#if 0
+ 	char *buf = NULL;
+ 	char *argv[4];
+ 	int status;
+@@ -348,6 +349,7 @@ int xtables_insmod(const char *modname, 
+ 	free(buf);
+ 	if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
+ 		return 0;
++#endif
+ 	return -1;
+ }
+ 
diff --git a/package/network/utils/iptables/patches/030-no-libnfnetlink.patch b/package/network/utils/iptables/patches/030-no-libnfnetlink.patch
new file mode 100644
index 0000000000..cda9a7205b
--- /dev/null
+++ b/package/network/utils/iptables/patches/030-no-libnfnetlink.patch
@@ -0,0 +1,92 @@
+--- a/configure
++++ b/configure
+@@ -10917,75 +10917,7 @@ $as_echo "no" >&6; }
+ 	fi
+ fi
+ 
+-pkg_failed=no
+-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libnfnetlink" >&5
+-$as_echo_n "checking for libnfnetlink... " >&6; }
+-
+-if test -n "$libnfnetlink_CFLAGS"; then
+-    pkg_cv_libnfnetlink_CFLAGS="$libnfnetlink_CFLAGS"
+- elif test -n "$PKG_CONFIG"; then
+-    if test -n "$PKG_CONFIG" && \
+-    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5
+-  ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5
+-  ac_status=$?
+-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+-  test $ac_status = 0; }; then
+-  pkg_cv_libnfnetlink_CFLAGS=`$PKG_CONFIG --cflags "libnfnetlink >= 1.0" 2>/dev/null`
+-else
+-  pkg_failed=yes
+-fi
+- else
+-    pkg_failed=untried
+-fi
+-if test -n "$libnfnetlink_LIBS"; then
+-    pkg_cv_libnfnetlink_LIBS="$libnfnetlink_LIBS"
+- elif test -n "$PKG_CONFIG"; then
+-    if test -n "$PKG_CONFIG" && \
+-    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5
+-  ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5
+-  ac_status=$?
+-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+-  test $ac_status = 0; }; then
+-  pkg_cv_libnfnetlink_LIBS=`$PKG_CONFIG --libs "libnfnetlink >= 1.0" 2>/dev/null`
+-else
+-  pkg_failed=yes
+-fi
+- else
+-    pkg_failed=untried
+-fi
+-
+-
+-
+-if test $pkg_failed = yes; then
+-   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+-$as_echo "no" >&6; }
+-
+-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+-        _pkg_short_errors_supported=yes
+-else
+-        _pkg_short_errors_supported=no
+-fi
+-        if test $_pkg_short_errors_supported = yes; then
+-	        libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "libnfnetlink >= 1.0" 2>&1`
+-        else
+-	        libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --print-errors "libnfnetlink >= 1.0" 2>&1`
+-        fi
+-	# Put the nasty error message in config.log where it belongs
+-	echo "$libnfnetlink_PKG_ERRORS" >&5
+-
+-	nfnetlink=0
+-elif test $pkg_failed = untried; then
+-     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+-$as_echo "no" >&6; }
+-	nfnetlink=0
+-else
+-	libnfnetlink_CFLAGS=$pkg_cv_libnfnetlink_CFLAGS
+-	libnfnetlink_LIBS=$pkg_cv_libnfnetlink_LIBS
+-        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+-$as_echo "yes" >&6; }
+-	nfnetlink=1
+-fi
+- if test "$nfnetlink" = 1; then
++if false; then
+   HAVE_LIBNFNETLINK_TRUE=
+   HAVE_LIBNFNETLINK_FALSE='#'
+ else
+--- a/configure.ac
++++ b/configure.ac
+@@ -79,9 +79,7 @@ AM_CONDITIONAL([ENABLE_LARGEFILE], [test
+ AM_CONDITIONAL([ENABLE_DEVEL], [test "$enable_devel" = "yes"])
+ AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" = "yes"])
+ 
+-PKG_CHECK_MODULES([libnfnetlink], [libnfnetlink >= 1.0],
+-	[nfnetlink=1], [nfnetlink=0])
+-AM_CONDITIONAL([HAVE_LIBNFNETLINK], [test "$nfnetlink" = 1])
++AM_CONDITIONAL([HAVE_LIBNFNETLINK], [false])
+ 
+ regular_CFLAGS="${largefile_cflags} \
+ 	-D_REENTRANT -Wall -Waggregate-return -Wmissing-declarations \
diff --git a/package/network/utils/iptables/patches/100-bash-location.patch b/package/network/utils/iptables/patches/100-bash-location.patch
new file mode 100644
index 0000000000..818246e76b
--- /dev/null
+++ b/package/network/utils/iptables/patches/100-bash-location.patch
@@ -0,0 +1,16 @@
+--- a/autogen.sh
++++ b/autogen.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ 
+ autoreconf -fi;
+ rm -Rf autom4te*.cache;
+--- a/iptables-apply
++++ b/iptables-apply
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ #
+ # iptables-apply -- a safer way to update iptables remotely
+ #
diff --git a/package/network/utils/iptables/patches/110-linux_3.2_compat.patch b/package/network/utils/iptables/patches/110-linux_3.2_compat.patch
new file mode 100644
index 0000000000..2cdd673d25
--- /dev/null
+++ b/package/network/utils/iptables/patches/110-linux_3.2_compat.patch
@@ -0,0 +1,12 @@
+--- iptables-1.4.10/include/linux/types.h.orig	2011-11-07 00:08:33.000000000 +0100
++++ iptables-1.4.10/include/linux/types.h	2011-11-07 00:09:25.000000000 +0100
+@@ -34,5 +34,9 @@
+ typedef __u16 __bitwise __sum16;
+ typedef __u32 __bitwise __wsum;
+ 
++#define __aligned_u64 __u64 __attribute__((aligned(8)))
++#define __aligned_be64 __be64 __attribute__((aligned(8)))
++#define __aligned_le64 __le64 __attribute__((aligned(8)))
++
+ #endif /*  __ASSEMBLY__ */
+ #endif /* _LINUX_TYPES_H */
diff --git a/package/network/utils/iptables/patches/200-configurable_builtin.patch b/package/network/utils/iptables/patches/200-configurable_builtin.patch
new file mode 100644
index 0000000000..9f9cc387c3
--- /dev/null
+++ b/package/network/utils/iptables/patches/200-configurable_builtin.patch
@@ -0,0 +1,56 @@
+--- a/extensions/GNUmakefile.in
++++ b/extensions/GNUmakefile.in
+@@ -40,9 +40,24 @@
+ pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod})
+ pf4_build_mod := $(filter-out @blacklist_modules@,${pf4_build_mod})
+ pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod})
+-pfx_objs      := $(patsubst %,libxt_%.o,${pfx_build_mod})
+-pf4_objs      := $(patsubst %,libipt_%.o,${pf4_build_mod})
+-pf6_objs      := $(patsubst %,libip6t_%.o,${pf6_build_mod})
++
++ifdef BUILTIN_MODULES
++pfx_build_static := $(filter $(BUILTIN_MODULES),${pfx_build_mod})
++pf4_build_static := $(filter $(BUILTIN_MODULES),${pf4_build_mod})
++pf6_build_static := $(filter $(BUILTIN_MODULES),${pf6_build_mod})
++else
++@ENABLE_STATIC_TRUE@ pfx_build_static := $(pfx_build_mod)
++@ENABLE_STATIC_TRUE@ pf4_build_static := $(pf4_build_mod)
++@ENABLE_STATIC_TRUE@ pf6_build_static := $(pf6_build_mod)
++endif
++
++pfx_build_mod := $(filter-out $(pfx_build_static),$(pfx_build_mod))
++pf4_build_mod := $(filter-out $(pf4_build_static),$(pf4_build_mod))
++pf6_build_mod := $(filter-out $(pf6_build_static),$(pf6_build_mod))
++
++pfx_objs      := $(patsubst %,libxt_%.o,${pfx_build_static})
++pf4_objs      := $(patsubst %,libipt_%.o,${pf4_build_static})
++pf6_objs      := $(patsubst %,libip6t_%.o,${pf6_build_static})
+ pfx_solibs    := $(patsubst %,libxt_%.so,${pfx_build_mod})
+ pf4_solibs    := $(patsubst %,libipt_%.so,${pf4_build_mod})
+ pf6_solibs    := $(patsubst %,libip6t_%.so,${pf6_build_mod})
+@@ -54,10 +69,10 @@
+ targets := libext4.a libext6.a matches4.man matches6.man \
+            targets4.man targets6.man
+ targets_install :=
+-@ENABLE_STATIC_TRUE@ libext4_objs := ${pfx_objs} ${pf4_objs}
+-@ENABLE_STATIC_TRUE@ libext6_objs := ${pfx_objs} ${pf6_objs}
+-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
+-@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
++libext4_objs := ${pfx_objs} ${pf4_objs}
++libext6_objs := ${pfx_objs} ${pf6_objs}
++targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
++targets_install := $(strip ${targets_install} ${pfx_solibs} ${pf4_solibs} ${pf6_solibs})
+ 
+ .SECONDARY:
+ 
+@@ -107,8 +122,8 @@
+ libext6.a: initext6.o ${libext6_objs}
+ 	${AM_VERBOSE_AR} ${AR} crs $@ $^;
+ 
+-initext_func  := $(addprefix xt_,${pfx_build_mod}) $(addprefix ipt_,${pf4_build_mod})
+-initext6_func := $(addprefix xt_,${pfx_build_mod}) $(addprefix ip6t_,${pf6_build_mod})
++initext_func  := $(addprefix xt_,${pfx_build_static}) $(addprefix ipt_,${pf4_build_static})
++initext6_func := $(addprefix xt_,${pfx_build_static}) $(addprefix ip6t_,${pf6_build_static})
+ 
+ .initext4.dd: FORCE
+ 	@echo "${initext_func}" >$@.tmp; \
-- 
cgit v1.2.3