40 files changed, 712 insertions, 122 deletions

diff --git a/net/802/Makefile b/net/802/Makefile
index 01861929591a..977704a54f68 100644
--- a/net/802/Makefile
+++ b/net/802/Makefile
@@ -2,8 +2,6 @@
 # Makefile for the Linux 802.x protocol layers.
 #
 
-obj-y                   := p8023.o
-
 # Check the p8022 selections against net/core/Makefile.
 obj-$(CONFIG_SYSCTL)    += sysctl_net_802.o
 obj-$(CONFIG_LLC)       += p8022.o psnap.o
@@ -11,5 +9,5 @@ obj-$(CONFIG_TR)	+= p8022.o psnap.o tr.o sysctl_net_802.o
 obj-$(CONFIG_NET_FC)    +=                 fc.o
 obj-$(CONFIG_FDDI)      +=                 fddi.o
 obj-$(CONFIG_HIPPI)     +=                 hippi.o
-obj-$(CONFIG_IPX)       += p8022.o psnap.o
+obj-$(CONFIG_IPX)       += p8022.o psnap.o p8023.o
 obj-$(CONFIG_ATALK)     += p8022.o psnap.o
diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index 3f244670764a..00f983226672 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -986,6 +986,7 @@ int dccp_v4_rcv(struct sk_buff *skb)
 
         if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
                 goto discard_and_relse;
+        nf_reset(skb);
 
         return sk_receive_skb(sk, skb);
 
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index c609dc78f487..df074259f9c3 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -27,6 +27,7 @@
 #include <net/ipv6.h>
 #include <net/protocol.h>
 #include <net/transp_v6.h>
+#include <net/ip6_checksum.h>
 #include <net/xfrm.h>
 
 #include "dccp.h"
@@ -1028,7 +1029,7 @@ discard:
         return 0;
 }
 
-static int dccp_v6_rcv(struct sk_buff **pskb, unsigned int *nhoffp)
+static int dccp_v6_rcv(struct sk_buff **pskb)
 {
         const struct dccp_hdr *dh;
         struct sk_buff *skb = *pskb;
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index 912c42f57c79..de16e944777f 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -832,6 +832,7 @@ static int ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
         skb->h.raw = skb->nh.raw;
         skb->nh.raw = skb_push(skb, gre_hlen);
         memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
+        IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE|IPSKB_XFRM_TRANSFORMED);
         dst_release(skb->dst);
         skb->dst = &rt->u.dst;
 
diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
index e45846ae570b..18d7fad474d7 100644
--- a/net/ipv4/ip_input.c
+++ b/net/ipv4/ip_input.c
@@ -185,7 +185,6 @@ int ip_call_ra_chain(struct sk_buff *skb)
                                         raw_rcv(last, skb2);
                         }
                         last = sk;
-                        nf_reset(skb);
                 }
         }
 
@@ -204,10 +203,6 @@ static inline int ip_local_deliver_finish(struct sk_buff *skb)
 
         __skb_pull(skb, ihl);
 
-        /* Free reference early: we don't need it any more, and it may
-           hold ip_conntrack module loaded indefinitely. */
-        nf_reset(skb);
-
         /* Point into the IP datagram, just past the header. */
         skb->h.raw = skb->data;
 
@@ -232,10 +227,12 @@ static inline int ip_local_deliver_finish(struct sk_buff *skb)
                 if ((ipprot = rcu_dereference(inet_protos[hash])) != NULL) {
                         int ret;
 
-                        if (!ipprot->no_policy &&
-                            !xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) {
-                                kfree_skb(skb);
-                                goto out;
+                        if (!ipprot->no_policy) {
+                                if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) {
+                                        kfree_skb(skb);
+                                        goto out;
+                                }
+                                nf_reset(skb);
                         }
                         ret = ipprot->handler(skb);
                         if (ret < 0) {
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 8b1c9bd0091e..c2169b47ddfd 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -85,6 +85,8 @@
 
 int sysctl_ip_default_ttl = IPDEFTTL;
 
+static int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff*));
+
 /* Generate a checksum for an outgoing IP datagram. */
 __inline__ void ip_send_check(struct iphdr *iph)
 {
@@ -202,6 +204,11 @@ static inline int ip_finish_output2(struct sk_buff *skb)
 
 static inline int ip_finish_output(struct sk_buff *skb)
 {
+#if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM)
+        /* Policy lookup after SNAT yielded a new policy */
+        if (skb->dst->xfrm != NULL)
+                return xfrm4_output_finish(skb);
+#endif
         if (skb->len > dst_mtu(skb->dst) &&
             !(skb_shinfo(skb)->ufo_size || skb_shinfo(skb)->tso_size))
                 return ip_fragment(skb, ip_finish_output2);
@@ -409,7 +416,7 @@ static void ip_copy_metadata(struct sk_buff *to, struct sk_buff *from)
  *      single device frame, and queue such a frame for sending.
  */
 
-int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff*))
+static int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff*))
 {
         struct iphdr *iph;
         int raw = 0;
@@ -1391,7 +1398,6 @@ void __init ip_init(void)
 #endif
 }
 
-EXPORT_SYMBOL(ip_fragment);
 EXPORT_SYMBOL(ip_generic_getfrag);
 EXPORT_SYMBOL(ip_queue_xmit);
 EXPORT_SYMBOL(ip_send_check);
diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c
index 35571cff81c6..bbd85f5ec985 100644
--- a/net/ipv4/ipip.c
+++ b/net/ipv4/ipip.c
@@ -621,6 +621,7 @@ static int ipip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
         skb->h.raw = skb->nh.raw;
         skb->nh.raw = skb_push(skb, sizeof(struct iphdr));
         memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
+        IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE|IPSKB_XFRM_TRANSFORMED);
         dst_release(skb->dst);
         skb->dst = &rt->u.dst;
 
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index ae0779d82c5d..3321092b0914 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -7,11 +7,13 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4.h>
 
+#include <linux/ip.h>
 #include <linux/tcp.h>
 #include <linux/udp.h>
 #include <linux/icmp.h>
 #include <net/route.h>
-#include <linux/ip.h>
+#include <net/xfrm.h>
+#include <net/ip.h>
 
 /* route_me_harder function, used by iptable_nat, iptable_mangle + ip_queue */
 int ip_route_me_harder(struct sk_buff **pskb)
@@ -33,7 +35,6 @@ int ip_route_me_harder(struct sk_buff **pskb)
 #ifdef CONFIG_IP_ROUTE_FWMARK
                 fl.nl_u.ip4_u.fwmark = (*pskb)->nfmark;
 #endif
-                fl.proto = iph->protocol;
                 if (ip_route_output_key(&rt, &fl) != 0)
                         return -1;
 
@@ -60,6 +61,13 @@ int ip_route_me_harder(struct sk_buff **pskb)
         if ((*pskb)->dst->error)
                 return -1;
 
+#ifdef CONFIG_XFRM
+        if (!(IPCB(*pskb)->flags & IPSKB_XFRM_TRANSFORMED) &&
+            xfrm_decode_session(*pskb, &fl, AF_INET) == 0)
+                if (xfrm_lookup(&(*pskb)->dst, &fl, (*pskb)->sk, 0))
+                        return -1;
+#endif
+
         /* Change in oif may mean change in hh_len. */
         hh_len = (*pskb)->dst->dev->hard_header_len;
         if (skb_headroom(*pskb) < hh_len) {
@@ -78,6 +86,9 @@ int ip_route_me_harder(struct sk_buff **pskb)
 }
 EXPORT_SYMBOL(ip_route_me_harder);
 
+void (*ip_nat_decode_session)(struct sk_buff *, struct flowi *);
+EXPORT_SYMBOL(ip_nat_decode_session);
+
 /*
  * Extra routing may needed on local out, as the QUEUE target never
  * returns control to the table.
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 88a60650e6b8..a9893ec03e02 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -487,6 +487,16 @@ config IP_NF_MATCH_STRING
 
           To compile it as a module, choose M here.  If unsure, say N.
 
+config IP_NF_MATCH_POLICY
+       tristate "IPsec policy match support"
+       depends on IP_NF_IPTABLES && XFRM
+       help
+         Policy matching allows you to match packets based on the
+         IPsec policy that was used during decapsulation/will
+         be used during encapsulation.
+
+         To compile it as a module, choose M here.  If unsure, say N.
+
 # `filter', generic and specific targets
 config IP_NF_FILTER
         tristate "Packet filtering"
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index d0a447e520a2..549b01a648b3 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -72,6 +72,7 @@ obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
 obj-$(CONFIG_IP_NF_MATCH_REALM) += ipt_realm.o
 obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
 obj-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt_physdev.o
+obj-$(CONFIG_IP_NF_MATCH_POLICY) += ipt_policy.o
 obj-$(CONFIG_IP_NF_MATCH_COMMENT) += ipt_comment.o
 obj-$(CONFIG_IP_NF_MATCH_STRING) += ipt_string.o
 
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
index 977fb59d4563..0b25050981a1 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
@@ -16,6 +16,7 @@
 #include <linux/types.h>
 #include <linux/sched.h>
 #include <linux/timer.h>
+#include <linux/interrupt.h>
 #include <linux/netfilter.h>
 #include <linux/module.h>
 #include <linux/in.h>
diff --git a/net/ipv4/netfilter/ip_nat_standalone.c b/net/ipv4/netfilter/ip_nat_standalone.c
index f04111f74e09..8b8a1f00bbf4 100644
--- a/net/ipv4/netfilter/ip_nat_standalone.c
+++ b/net/ipv4/netfilter/ip_nat_standalone.c
@@ -55,6 +55,44 @@
                                  : ((hooknum) == NF_IP_LOCAL_IN ? "LOCAL_IN"  \
                                     : "*ERROR*")))
 
+#ifdef CONFIG_XFRM
+static void nat_decode_session(struct sk_buff *skb, struct flowi *fl)
+{
+        struct ip_conntrack *ct;
+        struct ip_conntrack_tuple *t;
+        enum ip_conntrack_info ctinfo;
+        enum ip_conntrack_dir dir;
+        unsigned long statusbit;
+
+        ct = ip_conntrack_get(skb, &ctinfo);
+        if (ct == NULL)
+                return;
+        dir = CTINFO2DIR(ctinfo);
+        t = &ct->tuplehash[dir].tuple;
+
+        if (dir == IP_CT_DIR_ORIGINAL)
+                statusbit = IPS_DST_NAT;
+        else
+                statusbit = IPS_SRC_NAT;
+
+        if (ct->status & statusbit) {
+                fl->fl4_dst = t->dst.ip;
+                if (t->dst.protonum == IPPROTO_TCP ||
+                    t->dst.protonum == IPPROTO_UDP)
+                        fl->fl_ip_dport = t->dst.u.tcp.port;
+        }
+
+        statusbit ^= IPS_NAT_MASK;
+
+        if (ct->status & statusbit) {
+                fl->fl4_src = t->src.ip;
+                if (t->dst.protonum == IPPROTO_TCP ||
+                    t->dst.protonum == IPPROTO_UDP)
+                        fl->fl_ip_sport = t->src.u.tcp.port;
+        }
+}
+#endif
+                
 static unsigned int
 ip_nat_fn(unsigned int hooknum,
           struct sk_buff **pskb,
@@ -162,18 +200,20 @@ ip_nat_in(unsigned int hooknum,
           const struct net_device *out,
           int (*okfn)(struct sk_buff *))
 {
-        u_int32_t saddr, daddr;
+        struct ip_conntrack *ct;
+        enum ip_conntrack_info ctinfo;
         unsigned int ret;
 
-        saddr = (*pskb)->nh.iph->saddr;
-        daddr = (*pskb)->nh.iph->daddr;
-
         ret = ip_nat_fn(hooknum, pskb, in, out, okfn);
         if (ret != NF_DROP && ret != NF_STOLEN
-            && ((*pskb)->nh.iph->saddr != saddr
-                || (*pskb)->nh.iph->daddr != daddr)) {
-                dst_release((*pskb)->dst);
-                (*pskb)->dst = NULL;
+            && (ct = ip_conntrack_get(*pskb, &ctinfo)) != NULL) {
+                enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
+
+                if (ct->tuplehash[dir].tuple.src.ip !=
+                    ct->tuplehash[!dir].tuple.dst.ip) {
+                        dst_release((*pskb)->dst);
+                        (*pskb)->dst = NULL;
+                }
         }
         return ret;
 }
@@ -185,12 +225,30 @@ ip_nat_out(unsigned int hooknum,
            const struct net_device *out,
            int (*okfn)(struct sk_buff *))
 {
+        struct ip_conntrack *ct;
+        enum ip_conntrack_info ctinfo;
+        unsigned int ret;
+
         /* root is playing with raw sockets. */
         if ((*pskb)->len < sizeof(struct iphdr)
             || (*pskb)->nh.iph->ihl * 4 < sizeof(struct iphdr))
                 return NF_ACCEPT;
 
-        return ip_nat_fn(hooknum, pskb, in, out, okfn);
+        ret = ip_nat_fn(hooknum, pskb, in, out, okfn);
+        if (ret != NF_DROP && ret != NF_STOLEN
+            && (ct = ip_conntrack_get(*pskb, &ctinfo)) != NULL) {
+                enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
+
+                if (ct->tuplehash[dir].tuple.src.ip !=
+                    ct->tuplehash[!dir].tuple.dst.ip
+#ifdef CONFIG_XFRM
+                    || ct->tuplehash[dir].tuple.src.u.all !=
+                       ct->tuplehash[!dir].tuple.dst.u.all
+#endif
+                    )
+                        return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;
+        }
+        return ret;
 }
 
 static unsigned int
@@ -200,7 +258,8 @@ ip_nat_local_fn(unsigned int hooknum,
                 const struct net_device *out,
                 int (*okfn)(struct sk_buff *))
 {
-        u_int32_t saddr, daddr;
+        struct ip_conntrack *ct;
+        enum ip_conntrack_info ctinfo;
         unsigned int ret;
 
         /* root is playing with raw sockets. */
@@ -208,14 +267,20 @@ ip_nat_local_fn(unsigned int hooknum,
             || (*pskb)->nh.iph->ihl * 4 < sizeof(struct iphdr))
                 return NF_ACCEPT;
 
-        saddr = (*pskb)->nh.iph->saddr;
-        daddr = (*pskb)->nh.iph->daddr;
-
         ret = ip_nat_fn(hooknum, pskb, in, out, okfn);
         if (ret != NF_DROP && ret != NF_STOLEN
-            && ((*pskb)->nh.iph->saddr != saddr
-                || (*pskb)->nh.iph->daddr != daddr))
-                return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;
+            && (ct = ip_conntrack_get(*pskb, &ctinfo)) != NULL) {
+                enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
+
+                if (ct->tuplehash[dir].tuple.dst.ip !=
+                    ct->tuplehash[!dir].tuple.src.ip
+#ifdef CONFIG_XFRM
+                    || ct->tuplehash[dir].tuple.dst.u.all !=
+                       ct->tuplehash[dir].tuple.src.u.all
+#endif
+                    )
+                        return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;
+        }
         return ret;
 }
 
@@ -303,10 +368,14 @@ static int init_or_cleanup(int init)
 
         if (!init) goto cleanup;
 
+#ifdef CONFIG_XFRM
+        BUG_ON(ip_nat_decode_session != NULL);
+        ip_nat_decode_session = nat_decode_session;
+#endif
         ret = ip_nat_rule_init();
         if (ret < 0) {
                 printk("ip_nat_init: can't setup rules.\n");
-                goto cleanup_nothing;
+                goto cleanup_decode_session;
         }
         ret = nf_register_hook(&ip_nat_in_ops);
         if (ret < 0) {
@@ -354,7 +423,11 @@ static int init_or_cleanup(int init)
         nf_unregister_hook(&ip_nat_in_ops);
  cleanup_rule_init:
         ip_nat_rule_cleanup();
- cleanup_nothing:
+ cleanup_decode_session:
+#ifdef CONFIG_XFRM
+        ip_nat_decode_session = NULL;
+        synchronize_net();
+#endif
         return ret;
 }
 
diff --git a/net/ipv4/netfilter/ipt_policy.c b/net/ipv4/netfilter/ipt_policy.c
new file mode 100644
index 000000000000..709debcc69c9
--- /dev/null
+++ b/net/ipv4/netfilter/ipt_policy.c
@@ -0,0 +1,170 @@
+/* IP tables module for matching IPsec policy
+ *
+ * Copyright (c) 2004,2005 Patrick McHardy, <kaber@trash.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/kernel.h>
+#include <linux/config.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/init.h>
+#include <net/xfrm.h>
+
+#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_policy.h>
+
+MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_DESCRIPTION("IPtables IPsec policy matching module");
+MODULE_LICENSE("GPL");
+
+
+static inline int
+match_xfrm_state(struct xfrm_state *x, const struct ipt_policy_elem *e)
+{
+#define MATCH(x,y)      (!e->match.x || ((e->x == (y)) ^ e->invert.x))
+
+        return MATCH(saddr, x->props.saddr.a4 & e->smask) &&
+               MATCH(daddr, x->id.daddr.a4 & e->dmask) &&
+               MATCH(proto, x->id.proto) &&
+               MATCH(mode, x->props.mode) &&
+               MATCH(spi, x->id.spi) &&
+               MATCH(reqid, x->props.reqid);
+}
+
+static int
+match_policy_in(const struct sk_buff *skb, const struct ipt_policy_info *info)
+{
+        const struct ipt_policy_elem *e;
+        struct sec_path *sp = skb->sp;
+        int strict = info->flags & IPT_POLICY_MATCH_STRICT;
+        int i, pos;
+
+        if (sp == NULL)
+                return -1;
+        if (strict && info->len != sp->len)
+                return 0;
+
+        for (i = sp->len - 1; i >= 0; i--) {
+                pos = strict ? i - sp->len + 1 : 0;
+                if (pos >= info->len)
+                        return 0;
+                e = &info->pol[pos];
+
+                if (match_xfrm_state(sp->x[i].xvec, e)) {
+                        if (!strict)
+                                return 1;
+                } else if (strict)
+                        return 0;
+        }
+
+        return strict ? 1 : 0;
+}
+
+static int
+match_policy_out(const struct sk_buff *skb, const struct ipt_policy_info *info)
+{
+        const struct ipt_policy_elem *e;
+        struct dst_entry *dst = skb->dst;
+        int strict = info->flags & IPT_POLICY_MATCH_STRICT;
+        int i, pos;
+
+        if (dst->xfrm == NULL)
+                return -1;
+
+        for (i = 0; dst && dst->xfrm; dst = dst->child, i++) {
+                pos = strict ? i : 0;
+                if (pos >= info->len)
+                        return 0;
+                e = &info->pol[pos];
+
+                if (match_xfrm_state(dst->xfrm, e)) {
+                        if (!strict)
+                                return 1;
+                } else if (strict)
+                        return 0;
+        }
+
+        return strict ? 1 : 0;
+}
+
+static int match(const struct sk_buff *skb,
+                 const struct net_device *in,
+                 const struct net_device *out,
+                 const void *matchinfo, int offset, int *hotdrop)
+{
+        const struct ipt_policy_info *info = matchinfo;
+        int ret;
+
+        if (info->flags & IPT_POLICY_MATCH_IN)
+                ret = match_policy_in(skb, info);
+        else
+                ret = match_policy_out(skb, info);
+
+        if (ret < 0)
+                ret = info->flags & IPT_POLICY_MATCH_NONE ? 1 : 0;
+        else if (info->flags & IPT_POLICY_MATCH_NONE)
+                ret = 0;
+
+        return ret;
+}
+
+static int checkentry(const char *tablename, const struct ipt_ip *ip,
+                      void *matchinfo, unsigned int matchsize,
+                      unsigned int hook_mask)
+{
+        struct ipt_policy_info *info = matchinfo;
+
+        if (matchsize != IPT_ALIGN(sizeof(*info))) {
+                printk(KERN_ERR "ipt_policy: matchsize %u != %zu\n",
+                       matchsize, IPT_ALIGN(sizeof(*info)));
+                return 0;
+        }
+        if (!(info->flags & (IPT_POLICY_MATCH_IN|IPT_POLICY_MATCH_OUT))) {
+                printk(KERN_ERR "ipt_policy: neither incoming nor "
+                                "outgoing policy selected\n");
+                return 0;
+        }
+        if (hook_mask & (1 << NF_IP_PRE_ROUTING | 1 << NF_IP_LOCAL_IN)
+            && info->flags & IPT_POLICY_MATCH_OUT) {
+                printk(KERN_ERR "ipt_policy: output policy not valid in "
+                                "PRE_ROUTING and INPUT\n");
+                return 0;
+        }
+        if (hook_mask & (1 << NF_IP_POST_ROUTING | 1 << NF_IP_LOCAL_OUT)
+            && info->flags & IPT_POLICY_MATCH_IN) {
+                printk(KERN_ERR "ipt_policy: input policy not valid in "
+                                "POST_ROUTING and OUTPUT\n");
+                return 0;
+        }
+        if (info->len > IPT_POLICY_MAX_ELEM) {
+                printk(KERN_ERR "ipt_policy: too many policy elements\n");
+                return 0;
+        }
+
+        return 1;
+}
+
+static struct ipt_match policy_match = {
+        .name           = "policy",
+        .match          = match,
+        .checkentry     = checkentry,
+        .me             = THIS_MODULE,
+};
+
+static int __init init(void)
+{
+        return ipt_register_match(&policy_match);
+}
+
+static void __exit fini(void)
+{
+        ipt_unregister_match(&policy_match);
+}
+
+module_init(init);
+module_exit(fini);
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index 4b0d7e4d6269..165a4d81efa4 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -255,6 +255,7 @@ int raw_rcv(struct sock *sk, struct sk_buff *skb)
                 kfree_skb(skb);
                 return NET_RX_DROP;
         }
+        nf_reset(skb);
 
         skb_push(skb, skb->data - skb->nh.raw);
 
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index e9f83e5b28ce..6ea353907af5 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1080,6 +1080,7 @@ process:
 
         if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
                 goto discard_and_relse;
+        nf_reset(skb);
 
         if (sk_filter(sk, skb, 0))
                 goto discard_and_relse;
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 223abaa72bc5..00840474a449 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -989,6 +989,7 @@ static int udp_queue_rcv_skb(struct sock * sk, struct sk_buff *skb)
                 kfree_skb(skb);
                 return -1;
         }
+        nf_reset(skb);
 
         if (up->encap_type) {
                 /*
@@ -1149,6 +1150,7 @@ int udp_rcv(struct sk_buff *skb)
 
         if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
                 goto drop;
+        nf_reset(skb);
 
         /* No socket. Drop packet silently, if checksum is wrong */
         if (udp_checksum_complete(skb))
diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c
index 2d3849c38a0f..850d919591d1 100644
--- a/net/ipv4/xfrm4_input.c
+++ b/net/ipv4/xfrm4_input.c
@@ -11,6 +11,8 @@
 
 #include <linux/module.h>
 #include <linux/string.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv4.h>
 #include <net/inet_ecn.h>
 #include <net/ip.h>
 #include <net/xfrm.h>
@@ -45,6 +47,23 @@ static int xfrm4_parse_spi(struct sk_buff *skb, u8 nexthdr, u32 *spi, u32 *seq)
         return xfrm_parse_spi(skb, nexthdr, spi, seq);
 }
 
+#ifdef CONFIG_NETFILTER
+static inline int xfrm4_rcv_encap_finish(struct sk_buff *skb)
+{
+        struct iphdr *iph = skb->nh.iph;
+
+        if (skb->dst == NULL) {
+                if (ip_route_input(skb, iph->daddr, iph->saddr, iph->tos,
+                                   skb->dev))
+                        goto drop;
+        }
+        return dst_input(skb);
+drop:
+        kfree_skb(skb);
+        return NET_RX_DROP;
+}
+#endif
+
 int xfrm4_rcv_encap(struct sk_buff *skb, __u16 encap_type)
 {
         int err;
@@ -137,6 +156,8 @@ int xfrm4_rcv_encap(struct sk_buff *skb, __u16 encap_type)
         memcpy(skb->sp->x+skb->sp->len, xfrm_vec, xfrm_nr*sizeof(struct sec_decap_state));
         skb->sp->len += xfrm_nr;
 
+        nf_reset(skb);
+
         if (decaps) {
                 if (!(skb->dev->flags&IFF_LOOPBACK)) {
                         dst_release(skb->dst);
@@ -145,7 +166,17 @@ int xfrm4_rcv_encap(struct sk_buff *skb, __u16 encap_type)
                 netif_rx(skb);
                 return 0;
         } else {
+#ifdef CONFIG_NETFILTER
+                __skb_push(skb, skb->data - skb->nh.raw);
+                skb->nh.iph->tot_len = htons(skb->len);
+                ip_send_check(skb->nh.iph);
+
+                NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, skb->dev, NULL,
+                        xfrm4_rcv_encap_finish);
+                return 0;
+#else
                 return -skb->nh.iph->protocol;
+#endif
         }
 
 drop_unlock:
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
index 66620a95942a..d4df0ddd424b 100644
--- a/net/ipv4/xfrm4_output.c
+++ b/net/ipv4/xfrm4_output.c
@@ -8,8 +8,10 @@
  * 2 of the License, or (at your option) any later version.
  */
 
+#include <linux/compiler.h>
 #include <linux/skbuff.h>
 #include <linux/spinlock.h>
+#include <linux/netfilter_ipv4.h>
 #include <net/inet_ecn.h>
 #include <net/ip.h>
 #include <net/xfrm.h>
@@ -95,7 +97,7 @@ out:
         return ret;
 }
 
-int xfrm4_output(struct sk_buff *skb)
+static int xfrm4_output_one(struct sk_buff *skb)
 {
         struct dst_entry *dst = skb->dst;
         struct xfrm_state *x = dst->xfrm;
@@ -113,27 +115,33 @@ int xfrm4_output(struct sk_buff *skb)
                         goto error_nolock;
         }
 
-        spin_lock_bh(&x->lock);
-        err = xfrm_state_check(x, skb);
-        if (err)
-                goto error;
+        do {
+                spin_lock_bh(&x->lock);
+                err = xfrm_state_check(x, skb);
+                if (err)
+                        goto error;
 
-        xfrm4_encap(skb);
+                xfrm4_encap(skb);
 
-        err = x->type->output(x, skb);
-        if (err)
-                goto error;
+                err = x->type->output(x, skb);
+                if (err)
+                        goto error;
 
-        x->curlft.bytes += skb->len;
-        x->curlft.packets++;
+                x->curlft.bytes += skb->len;
+                x->curlft.packets++;
 
-        spin_unlock_bh(&x->lock);
+                spin_unlock_bh(&x->lock);
         
-        if (!(skb->dst = dst_pop(dst))) {
-                err = -EHOSTUNREACH;
-                goto error_nolock;
-        }
-        err = NET_XMIT_BYPASS;
+                if (!(skb->dst = dst_pop(dst))) {
+                        err = -EHOSTUNREACH;
+                        goto error_nolock;
+                }
+                dst = skb->dst;
+                x = dst->xfrm;
+        } while (x && !x->props.mode);
+
+        IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;
+        err = 0;
 
 out_exit:
         return err;
@@ -143,3 +151,33 @@ error_nolock:
         kfree_skb(skb);
         goto out_exit;
 }
+
+int xfrm4_output_finish(struct sk_buff *skb)
+{
+        int err;
+
+        while (likely((err = xfrm4_output_one(skb)) == 0)) {
+                nf_reset(skb);
+
+                err = nf_hook(PF_INET, NF_IP_LOCAL_OUT, &skb, NULL,
+                              skb->dst->dev, dst_output);
+                if (unlikely(err != 1))
+                        break;
+
+                if (!skb->dst->xfrm)
+                        return dst_output(skb);
+
+                err = nf_hook(PF_INET, NF_IP_POST_ROUTING, &skb, NULL,
+                              skb->dst->dev, xfrm4_output_finish);
+                if (unlikely(err != 1))
+                        break;
+        }
+
+        return err;
+}
+
+int xfrm4_output(struct sk_buff *skb)
+{
+        return NF_HOOK(PF_INET, NF_IP_POST_ROUTING, skb, NULL, skb->dst->dev,
+                       xfrm4_output_finish);
+}
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 704fb73e6c5f..e53e421eeee9 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -1228,7 +1228,7 @@ int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
 
 /* Gets referenced address, destroys ifaddr */
 
-void addrconf_dad_stop(struct inet6_ifaddr *ifp)
+static void addrconf_dad_stop(struct inet6_ifaddr *ifp)
 {
         if (ifp->flags&IFA_F_PERMANENT) {
                 spin_lock_bh(&ifp->lock);
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index 68afc53be662..25c3fe5005d9 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -689,11 +689,11 @@ snmp6_mib_init(void *ptr[2], size_t mibsize, size_t mibalign)
         if (ptr == NULL)
                 return -EINVAL;
 
-        ptr[0] = __alloc_percpu(mibsize, mibalign);
+        ptr[0] = __alloc_percpu(mibsize);
         if (!ptr[0])
                 goto err0;
 
-        ptr[1] = __alloc_percpu(mibsize, mibalign);
+        ptr[1] = __alloc_percpu(mibsize);
         if (!ptr[1])
                 goto err1;
 
diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
index 113374dc342c..2a1e7e45b890 100644
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -152,7 +152,7 @@ static struct tlvtype_proc tlvprocdestopt_lst[] = {
         {-1,                    NULL}
 };
 
-static int ipv6_destopt_rcv(struct sk_buff **skbp, unsigned int *nhoffp)
+static int ipv6_destopt_rcv(struct sk_buff **skbp)
 {
         struct sk_buff *skb = *skbp;
         struct inet6_skb_parm *opt = IP6CB(skb);
@@ -169,7 +169,7 @@ static int ipv6_destopt_rcv(struct sk_buff **skbp, unsigned int *nhoffp)
 
         if (ip6_parse_tlv(tlvprocdestopt_lst, skb)) {
                 skb->h.raw += ((skb->h.raw[1]+1)<<3);
-                *nhoffp = opt->dst1;
+                opt->nhoff = opt->dst1;
                 return 1;
         }
 
@@ -192,7 +192,7 @@ void __init ipv6_destopt_init(void)
   NONE header. No data in packet.
  ********************************/
 
-static int ipv6_nodata_rcv(struct sk_buff **skbp, unsigned int *nhoffp)
+static int ipv6_nodata_rcv(struct sk_buff **skbp)
 {
         struct sk_buff *skb = *skbp;
 
@@ -215,7 +215,7 @@ void __init ipv6_nodata_init(void)
   Routing header.
  ********************************/
 
-static int ipv6_rthdr_rcv(struct sk_buff **skbp, unsigned int *nhoffp)
+static int ipv6_rthdr_rcv(struct sk_buff **skbp)
 {
         struct sk_buff *skb = *skbp;
         struct inet6_skb_parm *opt = IP6CB(skb);
@@ -249,7 +249,7 @@ looped_back:
                 skb->h.raw += (hdr->hdrlen + 1) << 3;
                 opt->dst0 = opt->dst1;
                 opt->dst1 = 0;
-                *nhoffp = (&hdr->nexthdr) - skb->nh.raw;
+                opt->nhoff = (&hdr->nexthdr) - skb->nh.raw;
                 return 1;
         }
 
@@ -487,9 +487,14 @@ static struct tlvtype_proc tlvprochopopt_lst[] = {
 
 int ipv6_parse_hopopts(struct sk_buff *skb, int nhoff)
 {
-        IP6CB(skb)->hop = sizeof(struct ipv6hdr);
-        if (ip6_parse_tlv(tlvprochopopt_lst, skb))
+        struct inet6_skb_parm *opt = IP6CB(skb);
+
+        opt->hop = sizeof(struct ipv6hdr);
+        if (ip6_parse_tlv(tlvprochopopt_lst, skb)) {
+                skb->h.raw += (skb->h.raw[1]+1)<<3;
+                opt->nhoff = sizeof(struct ipv6hdr);
                 return sizeof(struct ipv6hdr);
+        }
         return -1;
 }
 
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index 6ec6a2b549bb..53c81fcd20ba 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -79,7 +79,7 @@ DEFINE_SNMP_STAT(struct icmpv6_mib, icmpv6_statistics) __read_mostly;
 static DEFINE_PER_CPU(struct socket *, __icmpv6_socket) = NULL;
 #define icmpv6_socket   __get_cpu_var(__icmpv6_socket)
 
-static int icmpv6_rcv(struct sk_buff **pskb, unsigned int *nhoffp);
+static int icmpv6_rcv(struct sk_buff **pskb);
 
 static struct inet6_protocol icmpv6_protocol = {
         .handler        =       icmpv6_rcv,
@@ -581,7 +581,7 @@ static void icmpv6_notify(struct sk_buff *skb, int type, int code, u32 info)
  *      Handle icmp messages
  */
 
-static int icmpv6_rcv(struct sk_buff **pskb, unsigned int *nhoffp)
+static int icmpv6_rcv(struct sk_buff **pskb)
 {
         struct sk_buff *skb = *pskb;
         struct net_device *dev = skb->dev;
diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c
index 792f90f0f9ec..f8f3a37a1494 100644
--- a/net/ipv6/inet6_connection_sock.c
+++ b/net/ipv6/inet6_connection_sock.c
@@ -25,6 +25,7 @@
 #include <net/inet_hashtables.h>
 #include <net/ip6_route.h>
 #include <net/sock.h>
+#include <net/inet6_connection_sock.h>
 
 int inet6_csk_bind_conflict(const struct sock *sk,
                             const struct inet_bind_bucket *tb)
diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
index a6026d2787d2..29f73592e68e 100644
--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -48,7 +48,7 @@
 
 
 
-static inline int ip6_rcv_finish( struct sk_buff *skb) 
+inline int ip6_rcv_finish( struct sk_buff *skb) 
 {
         if (skb->dst == NULL)
                 ip6_route_input(skb);
@@ -97,6 +97,9 @@ int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt
         if (hdr->version != 6)
                 goto err;
 
+        skb->h.raw = (u8 *)(hdr + 1);
+        IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);
+
         pkt_len = ntohs(hdr->payload_len);
 
         /* pkt_len may be zero if Jumbo payload option is present */
@@ -111,8 +114,7 @@ int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt
         }
 
         if (hdr->nexthdr == NEXTHDR_HOP) {
-                skb->h.raw = (u8*)(hdr+1);
-                if (ipv6_parse_hopopts(skb, offsetof(struct ipv6hdr, nexthdr)) < 0) {
+                if (ipv6_parse_hopopts(skb, IP6CB(skb)->nhoff) < 0) {
                         IP6_INC_STATS_BH(IPSTATS_MIB_INHDRERRORS);
                         return 0;
                 }
@@ -143,26 +145,15 @@ static inline int ip6_input_finish(struct sk_buff *skb)
         int nexthdr;
         u8 hash;
 
-        skb->h.raw = skb->nh.raw + sizeof(struct ipv6hdr);
-
         /*
          *      Parse extension headers
          */
 
-        nexthdr = skb->nh.ipv6h->nexthdr;
-        nhoff = offsetof(struct ipv6hdr, nexthdr);
-
-        /* Skip hop-by-hop options, they are already parsed. */
-        if (nexthdr == NEXTHDR_HOP) {
-                nhoff = sizeof(struct ipv6hdr);
-                nexthdr = skb->h.raw[0];
-                skb->h.raw += (skb->h.raw[1]+1)<<3;
-        }
-
         rcu_read_lock();
 resubmit:
         if (!pskb_pull(skb, skb->h.raw - skb->data))
                 goto discard;
+        nhoff = IP6CB(skb)->nhoff;
         nexthdr = skb->nh.raw[nhoff];
 
         raw_sk = sk_head(&raw_v6_htable[nexthdr & (MAX_INET_PROTOS - 1)]);
@@ -194,7 +185,7 @@ resubmit:
                     !xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) 
                         goto discard;
                 
-                ret = ipprot->handler(&skb, &nhoff);
+                ret = ipprot->handler(&skb);
                 if (ret > 0)
                         goto resubmit;
                 else if (ret == 0)
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index e315d0f80af1..f079621c8b67 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -510,7 +510,7 @@ static inline void ip6ip6_ecn_decapsulate(struct ipv6hdr *outer_iph,
  **/
 
 static int 
-ip6ip6_rcv(struct sk_buff **pskb, unsigned int *nhoffp)
+ip6ip6_rcv(struct sk_buff **pskb)
 {
         struct sk_buff *skb = *pskb;
         struct ipv6hdr *ipv6h;
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index f8626ebf90fd..b63678328a3b 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -10,6 +10,7 @@
 #include <net/dst.h>
 #include <net/ipv6.h>
 #include <net/ip6_route.h>
+#include <net/xfrm.h>
 
 int ip6_route_me_harder(struct sk_buff *skb)
 {
@@ -21,11 +22,17 @@ int ip6_route_me_harder(struct sk_buff *skb)
                 { .ip6_u =
                   { .daddr = iph->daddr,
                     .saddr = iph->saddr, } },
-                .proto = iph->nexthdr,
         };
 
         dst = ip6_route_output(skb->sk, &fl);
 
+#ifdef CONFIG_XFRM
+        if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) &&
+            xfrm_decode_session(skb, &fl, AF_INET6) == 0)
+                if (xfrm_lookup(&skb->dst, &fl, skb->sk, 0))
+                        return -1;
+#endif
+
         if (dst->error) {
                 IP6_INC_STATS(IPSTATS_MIB_OUTNOROUTES);
                 LIMIT_NETDEBUG(KERN_DEBUG "ip6_route_me_harder: No more route.\n");
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 04912f9b35c3..105dd69ee9fb 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -179,6 +179,16 @@ config IP6_NF_MATCH_PHYSDEV
 
           To compile it as a module, choose M here.  If unsure, say N.
 
+config IP6_NF_MATCH_POLICY
+        tristate "IPsec policy match support"
+        depends on IP6_NF_IPTABLES && XFRM
+        help
+          Policy matching allows you to match packets based on the
+          IPsec policy that was used during decapsulation/will
+          be used during encapsulation.
+
+          To compile it as a module, choose M here.  If unsure, say N.
+
 # The targets
 config IP6_NF_FILTER
         tristate "Packet filtering"
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index 9ab5b2ca1f59..c0c809b426e8 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -13,6 +13,7 @@ obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o ip6t_dst.o
 obj-$(CONFIG_IP6_NF_MATCH_IPV6HEADER) += ip6t_ipv6header.o
 obj-$(CONFIG_IP6_NF_MATCH_FRAG) += ip6t_frag.o
 obj-$(CONFIG_IP6_NF_MATCH_AHESP) += ip6t_esp.o ip6t_ah.o
+obj-$(CONFIG_IP6_NF_MATCH_POLICY) += ip6t_policy.o
 obj-$(CONFIG_IP6_NF_MATCH_EUI64) += ip6t_eui64.o
 obj-$(CONFIG_IP6_NF_MATCH_MULTIPORT) += ip6t_multiport.o
 obj-$(CONFIG_IP6_NF_MATCH_OWNER) += ip6t_owner.o
diff --git a/net/ipv6/netfilter/ip6t_policy.c b/net/ipv6/netfilter/ip6t_policy.c
new file mode 100644
index 000000000000..13fedad48c1d
--- /dev/null
+++ b/net/ipv6/netfilter/ip6t_policy.c
@@ -0,0 +1,175 @@
+/* IP tables module for matching IPsec policy
+ *
+ * Copyright (c) 2004,2005 Patrick McHardy, <kaber@trash.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/kernel.h>
+#include <linux/config.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/init.h>
+#include <net/xfrm.h>
+
+#include <linux/netfilter_ipv6.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_ipv6/ip6t_policy.h>
+
+MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_DESCRIPTION("IPtables IPsec policy matching module");
+MODULE_LICENSE("GPL");
+
+
+static inline int
+match_xfrm_state(struct xfrm_state *x, const struct ip6t_policy_elem *e)
+{
+#define MATCH_ADDR(x,y,z)       (!e->match.x || \
+                                 ((ip6_masked_addrcmp((z), &e->x, &e->y)) == 0) ^ e->invert.x)
+#define MATCH(x,y)              (!e->match.x || ((e->x == (y)) ^ e->invert.x))
+        
+        return MATCH_ADDR(saddr, smask, (struct in6_addr *)&x->props.saddr.a6) &&
+               MATCH_ADDR(daddr, dmask, (struct in6_addr *)&x->id.daddr.a6) &&
+               MATCH(proto, x->id.proto) &&
+               MATCH(mode, x->props.mode) &&
+               MATCH(spi, x->id.spi) &&
+               MATCH(reqid, x->props.reqid);
+}
+
+static int
+match_policy_in(const struct sk_buff *skb, const struct ip6t_policy_info *info)
+{
+        const struct ip6t_policy_elem *e;
+        struct sec_path *sp = skb->sp;
+        int strict = info->flags & IP6T_POLICY_MATCH_STRICT;
+        int i, pos;
+
+        if (sp == NULL)
+                return -1;
+        if (strict && info->len != sp->len)
+                return 0;
+
+        for (i = sp->len - 1; i >= 0; i--) {
+                pos = strict ? i - sp->len + 1 : 0;
+                if (pos >= info->len)
+                        return 0;
+                e = &info->pol[pos];
+
+                if (match_xfrm_state(sp->x[i].xvec, e)) {
+                        if (!strict)
+                                return 1;
+                } else if (strict)
+                        return 0;
+        }
+
+        return strict ? 1 : 0;
+}
+
+static int
+match_policy_out(const struct sk_buff *skb, const struct ip6t_policy_info *info)
+{
+        const struct ip6t_policy_elem *e;
+        struct dst_entry *dst = skb->dst;
+        int strict = info->flags & IP6T_POLICY_MATCH_STRICT;
+        int i, pos;
+
+        if (dst->xfrm == NULL)
+                return -1;
+
+        for (i = 0; dst && dst->xfrm; dst = dst->child, i++) {
+                pos = strict ? i : 0;
+                if (pos >= info->len)
+                        return 0;
+                e = &info->pol[pos];
+
+                if (match_xfrm_state(dst->xfrm, e)) {
+                        if (!strict)
+                                return 1;
+                } else if (strict)
+                        return 0;
+        }
+
+        return strict ? 1 : 0;
+}
+
+static int match(const struct sk_buff *skb,
+                 const struct net_device *in,
+                 const struct net_device *out,
+                 const void *matchinfo,
+                 int offset,
+                 unsigned int protoff,
+                 int *hotdrop)
+{
+        const struct ip6t_policy_info *info = matchinfo;
+        int ret;
+
+        if (info->flags & IP6T_POLICY_MATCH_IN)
+                ret = match_policy_in(skb, info);
+        else
+                ret = match_policy_out(skb, info);
+
+        if (ret < 0)
+                ret = info->flags & IP6T_POLICY_MATCH_NONE ? 1 : 0;
+        else if (info->flags & IP6T_POLICY_MATCH_NONE)
+                ret = 0;
+
+        return ret;
+}
+
+static int checkentry(const char *tablename, const struct ip6t_ip6 *ip,
+                      void *matchinfo, unsigned int matchsize,
+                      unsigned int hook_mask)
+{
+        struct ip6t_policy_info *info = matchinfo;
+
+        if (matchsize != IP6T_ALIGN(sizeof(*info))) {
+                printk(KERN_ERR "ip6t_policy: matchsize %u != %zu\n",
+                       matchsize, IP6T_ALIGN(sizeof(*info)));
+                return 0;
+        }
+        if (!(info->flags & (IP6T_POLICY_MATCH_IN|IP6T_POLICY_MATCH_OUT))) {
+                printk(KERN_ERR "ip6t_policy: neither incoming nor "
+                                "outgoing policy selected\n");
+                return 0;
+        }
+        if (hook_mask & (1 << NF_IP6_PRE_ROUTING | 1 << NF_IP6_LOCAL_IN)
+            && info->flags & IP6T_POLICY_MATCH_OUT) {
+                printk(KERN_ERR "ip6t_policy: output policy not valid in "
+                                "PRE_ROUTING and INPUT\n");
+                return 0;
+        }
+        if (hook_mask & (1 << NF_IP6_POST_ROUTING | 1 << NF_IP6_LOCAL_OUT)
+            && info->flags & IP6T_POLICY_MATCH_IN) {
+                printk(KERN_ERR "ip6t_policy: input policy not valid in "
+                                "POST_ROUTING and OUTPUT\n");
+                return 0;
+        }
+        if (info->len > IP6T_POLICY_MAX_ELEM) {
+                printk(KERN_ERR "ip6t_policy: too many policy elements\n");
+                return 0;
+        }
+
+        return 1;
+}
+
+static struct ip6t_match policy_match = {
+        .name           = "policy",
+        .match          = match,
+        .checkentry     = checkentry,
+        .me             = THIS_MODULE,
+};
+
+static int __init init(void)
+{
+        return ip6t_register_match(&policy_match);
+}
+
+static void __exit fini(void)
+{
+        ip6t_unregister_match(&policy_match);
+}
+
+module_init(init);
+module_exit(fini);
diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index 5d316cb72ec9..15e1456b3f18 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -581,7 +581,6 @@ err:
  *      the last and the first frames arrived and all the bits are here.
  */
 static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff **skb_in,
-                          unsigned int *nhoffp,
                           struct net_device *dev)
 {
         struct sk_buff *fp, *head = fq->fragments;
@@ -654,6 +653,7 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff **skb_in,
         head->dev = dev;
         skb_set_timestamp(head, &fq->stamp);
         head->nh.ipv6h->payload_len = htons(payload_len);
+        IP6CB(head)->nhoff = nhoff;
 
         *skb_in = head;
 
@@ -663,7 +663,6 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff **skb_in,
 
         IP6_INC_STATS_BH(IPSTATS_MIB_REASMOKS);
         fq->fragments = NULL;
-        *nhoffp = nhoff;
         return 1;
 
 out_oversize:
@@ -678,7 +677,7 @@ out_fail:
         return -1;
 }
 
-static int ipv6_frag_rcv(struct sk_buff **skbp, unsigned int *nhoffp)
+static int ipv6_frag_rcv(struct sk_buff **skbp)
 {
         struct sk_buff *skb = *skbp; 
         struct net_device *dev = skb->dev;
@@ -710,7 +709,7 @@ static int ipv6_frag_rcv(struct sk_buff **skbp, unsigned int *nhoffp)
                 skb->h.raw += sizeof(struct frag_hdr);
                 IP6_INC_STATS_BH(IPSTATS_MIB_REASMOKS);
 
-                *nhoffp = (u8*)fhdr - skb->nh.raw;
+                IP6CB(skb)->nhoff = (u8*)fhdr - skb->nh.raw;
                 return 1;
         }
 
@@ -722,11 +721,11 @@ static int ipv6_frag_rcv(struct sk_buff **skbp, unsigned int *nhoffp)
 
                 spin_lock(&fq->lock);
 
-                ip6_frag_queue(fq, skb, fhdr, *nhoffp);
+                ip6_frag_queue(fq, skb, fhdr, IP6CB(skb)->nhoff);
 
                 if (fq->last_in == (FIRST_IN|LAST_IN) &&
                     fq->meat == fq->len)
-                        ret = ip6_frag_reasm(fq, skbp, nhoffp, dev);
+                        ret = ip6_frag_reasm(fq, skbp, dev);
 
                 spin_unlock(&fq->lock);
                 fq_put(fq, NULL);
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 577d49732b0f..02872ae8a439 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -381,6 +381,7 @@ static int ipip6_rcv(struct sk_buff *skb)
                 skb->mac.raw = skb->nh.raw;
                 skb->nh.raw = skb->data;
                 memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
+                IPCB(skb)->flags = 0;
                 skb->protocol = htons(ETH_P_IPV6);
                 skb->pkt_type = PACKET_HOST;
                 tunnel->stat.rx_packets++;
@@ -552,6 +553,7 @@ static int ipip6_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
         skb->h.raw = skb->nh.raw;
         skb->nh.raw = skb_push(skb, sizeof(struct iphdr));
         memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
+        IPCB(skb)->flags = 0;
         dst_release(skb->dst);
         skb->dst = &rt->u.dst;
 
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 2947bc56d8a0..a25f4e8a8ada 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1153,7 +1153,7 @@ ipv6_pktoptions:
         return 0;
 }
 
-static int tcp_v6_rcv(struct sk_buff **pskb, unsigned int *nhoffp)
+static int tcp_v6_rcv(struct sk_buff **pskb)
 {
         struct sk_buff *skb = *pskb;
         struct tcphdr *th;      
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index d8538dcea813..c47648892c04 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -435,7 +435,7 @@ out:
         read_unlock(&udp_hash_lock);
 }
 
-static int udpv6_rcv(struct sk_buff **pskb, unsigned int *nhoffp)
+static int udpv6_rcv(struct sk_buff **pskb)
 {
         struct sk_buff *skb = *pskb;
         struct sock *sk;
diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c
index 28c29d78338e..1ca2da68ef69 100644
--- a/net/ipv6/xfrm6_input.c
+++ b/net/ipv6/xfrm6_input.c
@@ -11,6 +11,8 @@
 
 #include <linux/module.h>
 #include <linux/string.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv6.h>
 #include <net/dsfield.h>
 #include <net/inet_ecn.h>
 #include <net/ip.h>
@@ -26,7 +28,7 @@ static inline void ipip6_ecn_decapsulate(struct sk_buff *skb)
                 IP6_ECN_set_ce(inner_iph);
 }
 
-int xfrm6_rcv_spi(struct sk_buff **pskb, unsigned int *nhoffp, u32 spi)
+int xfrm6_rcv_spi(struct sk_buff **pskb, u32 spi)
 {
         struct sk_buff *skb = *pskb;
         int err;
@@ -38,7 +40,7 @@ int xfrm6_rcv_spi(struct sk_buff **pskb, unsigned int *nhoffp, u32 spi)
         int nexthdr;
         unsigned int nhoff;
 
-        nhoff = *nhoffp;
+        nhoff = IP6CB(skb)->nhoff;
         nexthdr = skb->nh.raw[nhoff];
 
         seq = 0;
@@ -121,6 +123,8 @@ int xfrm6_rcv_spi(struct sk_buff **pskb, unsigned int *nhoffp, u32 spi)
         skb->sp->len += xfrm_nr;
         skb->ip_summed = CHECKSUM_NONE;
 
+        nf_reset(skb);
+
         if (decaps) {
                 if (!(skb->dev->flags&IFF_LOOPBACK)) {
                         dst_release(skb->dst);
@@ -129,7 +133,16 @@ int xfrm6_rcv_spi(struct sk_buff **pskb, unsigned int *nhoffp, u32 spi)
                 netif_rx(skb);
                 return -1;
         } else {
+#ifdef CONFIG_NETFILTER
+                skb->nh.ipv6h->payload_len = htons(skb->len);
+                __skb_push(skb, skb->data - skb->nh.raw);
+
+                NF_HOOK(PF_INET6, NF_IP6_PRE_ROUTING, skb, skb->dev, NULL,
+                        ip6_rcv_finish);
+                return -1;
+#else
                 return 1;
+#endif
         }
 
 drop_unlock:
@@ -144,7 +157,7 @@ drop:
 
 EXPORT_SYMBOL(xfrm6_rcv_spi);
 
-int xfrm6_rcv(struct sk_buff **pskb, unsigned int *nhoffp)
+int xfrm6_rcv(struct sk_buff **pskb)
 {
-        return xfrm6_rcv_spi(pskb, nhoffp, 0);
+        return xfrm6_rcv_spi(pskb, 0);
 }
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
index 6b9867717d11..80242172a5df 100644
--- a/net/ipv6/xfrm6_output.c
+++ b/net/ipv6/xfrm6_output.c
@@ -9,9 +9,11 @@
  * 2 of the License, or (at your option) any later version.
  */
 
+#include <linux/compiler.h>
 #include <linux/skbuff.h>
 #include <linux/spinlock.h>
 #include <linux/icmpv6.h>
+#include <linux/netfilter_ipv6.h>
 #include <net/dsfield.h>
 #include <net/inet_ecn.h>
 #include <net/ipv6.h>
@@ -92,7 +94,7 @@ static int xfrm6_tunnel_check_size(struct sk_buff *skb)
         return ret;
 }
 
-int xfrm6_output(struct sk_buff *skb)
+static int xfrm6_output_one(struct sk_buff *skb)
 {
         struct dst_entry *dst = skb->dst;
         struct xfrm_state *x = dst->xfrm;
@@ -110,29 +112,35 @@ int xfrm6_output(struct sk_buff *skb)
                         goto error_nolock;
         }
 
-        spin_lock_bh(&x->lock);
-        err = xfrm_state_check(x, skb);
-        if (err)
-                goto error;
+        do {
+                spin_lock_bh(&x->lock);
+                err = xfrm_state_check(x, skb);
+                if (err)
+                        goto error;
 
-        xfrm6_encap(skb);
+                xfrm6_encap(skb);
 
-        err = x->type->output(x, skb);
-        if (err)
-                goto error;
+                err = x->type->output(x, skb);
+                if (err)
+                        goto error;
 
-        x->curlft.bytes += skb->len;
-        x->curlft.packets++;
+                x->curlft.bytes += skb->len;
+                x->curlft.packets++;
 
-        spin_unlock_bh(&x->lock);
+                spin_unlock_bh(&x->lock);
 
-        skb->nh.raw = skb->data;
-        
-        if (!(skb->dst = dst_pop(dst))) {
-                err = -EHOSTUNREACH;
-                goto error_nolock;
-        }
-        err = NET_XMIT_BYPASS;
+                skb->nh.raw = skb->data;
+                
+                if (!(skb->dst = dst_pop(dst))) {
+                        err = -EHOSTUNREACH;
+                        goto error_nolock;
+                }
+                dst = skb->dst;
+                x = dst->xfrm;
+        } while (x && !x->props.mode);
+
+        IP6CB(skb)->flags |= IP6SKB_XFRM_TRANSFORMED;
+        err = 0;
 
 out_exit:
         return err;
@@ -142,3 +150,33 @@ error_nolock:
         kfree_skb(skb);
         goto out_exit;
 }
+
+static int xfrm6_output_finish(struct sk_buff *skb)
+{
+        int err;
+
+        while (likely((err = xfrm6_output_one(skb)) == 0)) {
+                nf_reset(skb);
+        
+                err = nf_hook(PF_INET6, NF_IP6_LOCAL_OUT, &skb, NULL,
+                              skb->dst->dev, dst_output);
+                if (unlikely(err != 1))
+                        break;
+
+                if (!skb->dst->xfrm)
+                        return dst_output(skb);
+
+                err = nf_hook(PF_INET6, NF_IP6_POST_ROUTING, &skb, NULL,
+                              skb->dst->dev, xfrm6_output_finish);
+                if (unlikely(err != 1))
+                        break;
+        }
+
+        return err;
+}
+
+int xfrm6_output(struct sk_buff *skb)
+{
+        return NF_HOOK(PF_INET6, NF_IP6_POST_ROUTING, skb, NULL, skb->dst->dev,
+                       xfrm6_output_finish);
+}
diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
index fbef7826a74f..da09ff258648 100644
--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -397,7 +397,7 @@ int xfrm6_tunnel_deregister(struct xfrm6_tunnel *handler)
 
 EXPORT_SYMBOL(xfrm6_tunnel_deregister);
 
-static int xfrm6_tunnel_rcv(struct sk_buff **pskb, unsigned int *nhoffp)
+static int xfrm6_tunnel_rcv(struct sk_buff **pskb)
 {
         struct sk_buff *skb = *pskb;
         struct xfrm6_tunnel *handler = xfrm6_tunnel_handler;
@@ -405,11 +405,11 @@ static int xfrm6_tunnel_rcv(struct sk_buff **pskb, unsigned int *nhoffp)
         u32 spi;
 
         /* device-like_ip6ip6_handler() */
-        if (handler && handler->handler(pskb, nhoffp) == 0)
+        if (handler && handler->handler(pskb) == 0)
                 return 0;
 
         spi = xfrm6_tunnel_spi_lookup((xfrm_address_t *)&iph->saddr);
-        return xfrm6_rcv_spi(pskb, nhoffp, spi);
+        return xfrm6_rcv_spi(pskb, spi);
 }
 
 static void xfrm6_tunnel_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
diff --git a/net/sctp/input.c b/net/sctp/input.c
index 238f1bffa684..4aa6fc60357c 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -225,6 +225,7 @@ int sctp_rcv(struct sk_buff *skb)
 
         if (!xfrm_policy_check(sk, XFRM_POLICY_IN, skb, family))
                 goto discard_release;
+        nf_reset(skb);
 
         ret = sk_filter(sk, skb, 1);
         if (ret)
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index 15c05165c905..04c7fab4edc4 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -905,7 +905,7 @@ static struct inet_protosw sctpv6_stream_protosw = {
         .flags         = SCTP_PROTOSW_FLAG,
 };
 
-static int sctp6_rcv(struct sk_buff **pskb, unsigned int *nhoffp)
+static int sctp6_rcv(struct sk_buff **pskb)
 {
         return sctp_rcv(*pskb) ? -1 : 0;
 }
diff --git a/net/sunrpc/rpc_pipe.c b/net/sunrpc/rpc_pipe.c
index 24cc23af9b95..e14c1cae7460 100644
--- a/net/sunrpc/rpc_pipe.c
+++ b/net/sunrpc/rpc_pipe.c
@@ -495,7 +495,7 @@ rpc_depopulate(struct dentry *parent)
 repeat:
         spin_lock(&dcache_lock);
         list_for_each_safe(pos, next, &parent->d_subdirs) {
-                dentry = list_entry(pos, struct dentry, d_child);
+                dentry = list_entry(pos, struct dentry, d_u.d_child);
                 spin_lock(&dentry->d_lock);
                 if (!d_unhashed(dentry)) {
                         dget_locked(dentry);
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 64a447375fdb..59614a994b4e 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -22,6 +22,7 @@
 #include <linux/workqueue.h>
 #include <linux/notifier.h>
 #include <linux/netdevice.h>
+#include <linux/netfilter.h>
 #include <linux/module.h>
 #include <net/xfrm.h>
 #include <net/ip.h>
@@ -951,8 +952,8 @@ xfrm_policy_ok(struct xfrm_tmpl *tmpl, struct sec_path *sp, int start,
         return start;
 }
 
-static int
-_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family)
+int
+xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family)
 {
         struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
 
@@ -963,6 +964,7 @@ _decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family)
         xfrm_policy_put_afinfo(afinfo);
         return 0;
 }
+EXPORT_SYMBOL(xfrm_decode_session);
 
 static inline int secpath_has_tunnel(struct sec_path *sp, int k)
 {
@@ -982,8 +984,9 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
         u8 fl_dir = policy_to_flow_dir(dir);
         u32 sk_sid;
 
-        if (_decode_session(skb, &fl, family) < 0)
+        if (xfrm_decode_session(skb, &fl, family) < 0)
                 return 0;
+        nf_nat_decode_session(skb, &fl, family);
 
         sk_sid = security_sk_sid(sk, &fl, fl_dir);
 
@@ -1055,7 +1058,7 @@ int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
 {
         struct flowi fl;
 
-        if (_decode_session(skb, &fl, family) < 0)
+        if (xfrm_decode_session(skb, &fl, family) < 0)
                 return 0;
 
         return xfrm_lookup(&skb->dst, &fl, NULL, 0) == 0;