fishHEADmaster

71 files changed, 4712 insertions, 0 deletions

diff --git a/package/network/utils/iptables/.svn/entries b/package/network/utils/iptables/.svn/entries
new file mode 100644
index 0000000..bdd1624
--- /dev/null
+++ b/package/network/utils/iptables/.svn/entries
@@ -0,0 +1,68 @@
+10
+
+dir
+36060
+svn://svn.openwrt.org/openwrt/trunk/package/network/utils/iptables
+svn://svn.openwrt.org/openwrt
+
+
+
+2013-03-07T08:48:41.905197Z
+35898
+cyrus
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+3c298f89-4303-0410-b956-a3cf2f4a3e73
+
+files
+dir
+
+patches
+dir
+
+Makefile
+file
+
+
+
+
+2013-03-17T12:13:16.000000Z
+7f365c42ebe4096df97d25ee1c4f710e
+2013-03-07T08:48:41.905197Z
+35898
+cyrus
+has-props
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+10534
+
diff --git a/package/network/utils/iptables/.svn/prop-base/Makefile.svn-base b/package/network/utils/iptables/.svn/prop-base/Makefile.svn-base
new file mode 100644
index 0000000..8e522ae
--- /dev/null
+++ b/package/network/utils/iptables/.svn/prop-base/Makefile.svn-base
@@ -0,0 +1,9 @@
+K 13
+svn:copyright
+V 30
+Copyright (C) 2006 OpenWrt.org
+K 13
+svn:eol-style
+V 6
+native
+END
diff --git a/package/network/utils/iptables/.svn/text-base/Makefile.svn-base b/package/network/utils/iptables/.svn/text-base/Makefile.svn-base
new file mode 100644
index 0000000..9d695c6
--- /dev/null
+++ b/package/network/utils/iptables/.svn/text-base/Makefile.svn-base
@@ -0,0 +1,453 @@
+#
+# Copyright (C) 2006-2013 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=iptables
+PKG_VERSION:=1.4.18
+PKG_RELEASE:=2
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_SOURCE_URL:=http://www.netfilter.org/projects/iptables/files \
+	ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \
+	ftp://ftp.de.netfilter.org/pub/netfilter/iptables/ \
+	ftp://ftp.no.netfilter.org/pub/netfilter/iptables/
+PKG_MD5SUM:=a819199d5ec013b82da13a8ffbba857e
+
+PKG_FIXUP:=autoreconf
+PKG_INSTALL:=1
+PKG_BUILD_PARALLEL:=1
+
+ifneq ($(CONFIG_EXTERNAL_KERNEL_TREE),"")
+PATCH_DIR:=
+endif
+
+include $(INCLUDE_DIR)/package.mk
+ifeq ($(DUMP),)
+  -include $(LINUX_DIR)/.config
+  include $(INCLUDE_DIR)/netfilter.mk
+  STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell $(SH_FUNC) grep 'NETFILTER' $(LINUX_DIR)/.config | md5s)
+endif
+
+
+define Package/iptables/Default
+  SECTION:=net
+  CATEGORY:=Network
+  SUBMENU:=Firewall
+  URL:=http://netfilter.org/
+endef
+
+define Package/iptables/Module
+$(call Package/iptables/Default)
+  DEPENDS:=iptables $(1)
+endef
+
+define Package/iptables
+$(call Package/iptables/Default)
+  TITLE:=IP firewall administration tool
+  MENU:=1
+  DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libxtables
+endef
+
+define Package/iptables/description
+IP firewall administration tool.
+
+ Matches:
+  - icmp
+  - tcp
+  - udp
+  - comment
+  - limit
+  - mac
+  - multiport
+
+ Targets:
+  - ACCEPT
+  - DROP
+  - REJECT
+  - LOG
+  - TCPMSS
+
+ Tables:
+  - filter
+  - mangle
+
+endef
+
+define Package/iptables-mod-conntrack-extra
+$(call Package/iptables/Module, +kmod-ipt-conntrack-extra)
+  TITLE:=Extra connection tracking extensions
+endef
+
+define Package/iptables-mod-conntrack-extra/description
+Extra iptables extensions for connection tracking.
+
+ Matches:
+  - connbytes
+  - connmark
+  - recent
+  - helper
+
+ Targets:
+  - CONNMARK
+
+endef
+
+define Package/iptables-mod-filter
+$(call Package/iptables/Module, +kmod-ipt-filter)
+  TITLE:=Content inspection extensions
+endef
+
+define Package/iptables-mod-filter/description
+iptables extensions for packet content inspection.
+Includes support for:
+
+ Matches:
+  - layer7
+  - string
+
+endef
+
+define Package/iptables-mod-ipopt
+$(call Package/iptables/Module, +kmod-ipt-ipopt)
+  TITLE:=IP/Packet option extensions
+endef
+
+define Package/iptables-mod-ipopt/description
+iptables extensions for matching/changing IP packet options.
+
+ Matches:
+  - dscp
+  - ecn
+  - length
+  - mark
+  - statistic
+  - tcpmss
+  - time
+  - unclean
+  - hl
+
+ Targets:
+  - DSCP
+  - CLASSIFY
+  - ECN
+  - MARK
+  - HL
+
+endef
+
+define Package/iptables-mod-ipsec
+$(call Package/iptables/Module, +kmod-ipt-ipsec)
+  TITLE:=IPsec extensions
+endef
+
+define Package/iptables-mod-ipsec/description
+iptables extensions for matching ipsec traffic.
+
+ Matches:
+  - ah
+  - esp
+  - policy
+
+endef
+
+define Package/iptables-mod-ipset
+$(call Package/iptables/Module,)
+  TITLE:=IPset iptables extensions
+endef
+
+define Package/iptables-mod-ipset/description
+IPset iptables extensions.
+
+ Matches:
+  - set
+
+ Targets:
+  - SET
+
+endef
+
+define Package/iptables-mod-nat-extra
+$(call Package/iptables/Module, +kmod-ipt-nat-extra)
+  TITLE:=Extra NAT extensions
+endef
+
+define Package/iptables-mod-nat-extra/description
+iptables extensions for extra NAT targets.
+
+ Targets:
+  - MIRROR
+  - NETMAP
+  - REDIRECT
+endef
+
+define Package/iptables-mod-ulog
+$(call Package/iptables/Module, +kmod-ipt-ulog)
+  TITLE:=user-space packet logging
+endef
+
+define Package/iptables-mod-ulog/description
+iptables extensions for user-space packet logging.
+
+ Targets:
+  - ULOG
+
+endef
+
+define Package/iptables-mod-hashlimit
+$(call Package/iptables/Module, +kmod-ipt-hashlimit)
+  TITLE:=hashlimit matching
+endef
+
+define Package/iptables-mod-hashlimit/description
+iptables extensions for hashlimit matching
+
+ Matches:
+  - hashlimit
+
+endef
+
+define Package/iptables-mod-iprange
+$(call Package/iptables/Module, +kmod-ipt-iprange)
+  TITLE:=IP range extension
+endef
+
+define Package/iptables-mod-iprange/description
+iptables extensions for matching ip ranges.
+
+ Matches:
+  - iprange
+
+endef
+
+define Package/iptables-mod-extra
+$(call Package/iptables/Module, +kmod-ipt-extra)
+  TITLE:=Other extra iptables extensions
+endef
+
+define Package/iptables-mod-extra/description
+Other extra iptables extensions.
+
+ Matches:
+  - addrtype
+  - condition
+  - owner
+  - physdev (if ebtables is enabled)
+  - pkttype
+  - quota
+
+endef
+
+define Package/iptables-mod-led
+$(call Package/iptables/Module, +kmod-ipt-led)
+  TITLE:=LED trigger iptables extension
+endef
+
+define Package/iptables-mod-led/description
+iptables extension for triggering a LED.
+
+ Targets:
+  - LED
+
+endef
+
+define Package/iptables-mod-tproxy
+$(call Package/iptables/Module, +kmod-ipt-tproxy)
+  TITLE:=Transparent proxy iptables extensions
+endef
+
+define Package/iptables-mod-tproxy/description
+Transparent proxy iptables extensions.
+
+ Matches:
+  - socket
+
+ Targets:
+  - TPROXY
+
+endef
+
+define Package/iptables-mod-tee
+$(call Package/iptables/Module, +kmod-ipt-tee)
+  TITLE:=TEE iptables extensions
+endef
+
+define Package/iptables-mod-tee/description
+TEE iptables extensions.
+
+ Targets:
+  - TEE
+
+endef
+
+define Package/iptables-mod-u32
+$(call Package/iptables/Module, +kmod-ipt-u32)
+  TITLE:=U32 iptables extensions
+endef
+
+define Package/iptables-mod-u32/description
+U32 iptables extensions.
+
+ Matches:
+  - u32
+
+endef
+
+define Package/ip6tables
+$(call Package/iptables/Default)
+  DEPENDS:=@IPV6 +kmod-ip6tables +iptables
+  CATEGORY:=IPv6
+  TITLE:=IPv6 firewall administration tool
+  MENU:=1
+endef
+
+define Package/libiptc
+$(call Package/iptables/Default)
+  SECTION:=libs
+  CATEGORY:=Libraries
+  DEPENDS:=+libip4tc +libip6tc
+  TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
+endef
+
+define Package/libip4tc
+$(call Package/iptables/Default)
+  SECTION:=libs
+  CATEGORY:=Libraries
+  TITLE:=IPv4 firewall - shared libiptc library
+endef
+
+define Package/libip6tc
+$(call Package/iptables/Default)
+  SECTION:=libs
+  CATEGORY:=Libraries
+  TITLE:=IPv6 firewall - shared libiptc library
+endef
+
+define Package/libxtables
+ $(call Package/iptables/Default)
+ SECTION:=libs
+ CATEGORY:=Libraries
+ TITLE:=IPv4/IPv6 firewall - shared xtables library
+endef
+
+TARGET_CPPFLAGS := \
+	-I$(PKG_BUILD_DIR)/include \
+	-I$(LINUX_DIR)/user_headers/include \
+	$(TARGET_CPPFLAGS)
+
+TARGET_CFLAGS += \
+	-I$(PKG_BUILD_DIR)/include \
+	-I$(LINUX_DIR)/user_headers/include
+
+CONFIGURE_ARGS += \
+	--enable-shared \
+	--enable-devel \
+	$(if $(CONFIG_IPV6),--enable-ipv6,--disable-ipv6) \
+	--with-kernel="$(LINUX_DIR)/user_headers" \
+	--with-xtlibdir=/usr/lib/iptables \
+	--enable-static
+
+MAKE_FLAGS := \
+	$(TARGET_CONFIGURE_OPTS) \
+	COPT_FLAGS="$(TARGET_CFLAGS)" \
+	KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \
+	KBUILD_OUTPUT="$(LINUX_DIR)" \
+	BUILTIN_MODULES="$(patsubst ip6t_%,%,$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m))))"
+
+define Build/InstallDev
+	$(INSTALL_DIR) $(1)/usr/include
+	$(INSTALL_DIR) $(1)/usr/include/iptables
+	$(INSTALL_DIR) $(1)/usr/include/net/netfilter
+
+	# XXX: iptables header fixup, some headers are not installed by iptables anymore
+	$(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
+	$(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
+	$(CP) $(PKG_BUILD_DIR)/include/ip6tables.h $(1)/usr/include/
+	$(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
+	$(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/
+
+	$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/
+	$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libiptc.pc $(1)/usr/lib/pkgconfig/
+endef
+
+define Package/iptables/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/
+	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore,-save} $(1)/usr/sbin/
+	$(INSTALL_DIR) $(1)/usr/lib/iptables
+endef
+
+define Package/ip6tables/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables{,-restore,-save} $(1)/usr/sbin/
+endef
+
+define Package/libiptc/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libiptc.so* $(1)/usr/lib/
+endef
+
+define Package/libip4tc/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
+endef
+
+define Package/libip6tc/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
+endef
+
+define Package/libxtables/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
+endef
+
+define BuildPlugin
+  define Package/$(1)/install
+	$(INSTALL_DIR) $$(1)/usr/lib/iptables
+	for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)) $(patsubst xt_%,ip6t_%,$(2)) $(patsubst ip6t_%,xt_%,$(2)); do \
+		if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
+			$(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
+		fi; \
+	done
+	$(3)
+  endef
+
+  $$(eval $$(call BuildPackage,$(1)))
+endef
+
+L7_INSTALL:=\
+	$(INSTALL_DIR) $$(1)/etc/l7-protocols; \
+	$(CP) files/l7/*.pat $$(1)/etc/l7-protocols/
+
+
+$(eval $(call BuildPackage,iptables))
+$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
+$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
+$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m),$(L7_INSTALL)))
+$(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
+$(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
+$(eval $(call BuildPlugin,iptables-mod-ipset,ipt_set ipt_SET))
+$(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
+$(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
+$(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))
+$(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m)))
+$(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
+$(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
+$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
+$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
+$(eval $(call BuildPackage,ip6tables))
+$(eval $(call BuildPackage,libiptc))
+$(eval $(call BuildPackage,libip4tc))
+$(eval $(call BuildPackage,libip6tc))
+$(eval $(call BuildPackage,libxtables))
diff --git a/package/network/utils/iptables/Makefile b/package/network/utils/iptables/Makefile
new file mode 100644
index 0000000..9d695c6
--- /dev/null
+++ b/package/network/utils/iptables/Makefile
@@ -0,0 +1,453 @@
+#
+# Copyright (C) 2006-2013 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=iptables
+PKG_VERSION:=1.4.18
+PKG_RELEASE:=2
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_SOURCE_URL:=http://www.netfilter.org/projects/iptables/files \
+	ftp://ftp.be.netfilter.org/pub/netfilter/iptables/ \
+	ftp://ftp.de.netfilter.org/pub/netfilter/iptables/ \
+	ftp://ftp.no.netfilter.org/pub/netfilter/iptables/
+PKG_MD5SUM:=a819199d5ec013b82da13a8ffbba857e
+
+PKG_FIXUP:=autoreconf
+PKG_INSTALL:=1
+PKG_BUILD_PARALLEL:=1
+
+ifneq ($(CONFIG_EXTERNAL_KERNEL_TREE),"")
+PATCH_DIR:=
+endif
+
+include $(INCLUDE_DIR)/package.mk
+ifeq ($(DUMP),)
+  -include $(LINUX_DIR)/.config
+  include $(INCLUDE_DIR)/netfilter.mk
+  STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell $(SH_FUNC) grep 'NETFILTER' $(LINUX_DIR)/.config | md5s)
+endif
+
+
+define Package/iptables/Default
+  SECTION:=net
+  CATEGORY:=Network
+  SUBMENU:=Firewall
+  URL:=http://netfilter.org/
+endef
+
+define Package/iptables/Module
+$(call Package/iptables/Default)
+  DEPENDS:=iptables $(1)
+endef
+
+define Package/iptables
+$(call Package/iptables/Default)
+  TITLE:=IP firewall administration tool
+  MENU:=1
+  DEPENDS+= +kmod-ipt-core +libip4tc +IPV6:libip6tc +libxtables
+endef
+
+define Package/iptables/description
+IP firewall administration tool.
+
+ Matches:
+  - icmp
+  - tcp
+  - udp
+  - comment
+  - limit
+  - mac
+  - multiport
+
+ Targets:
+  - ACCEPT
+  - DROP
+  - REJECT
+  - LOG
+  - TCPMSS
+
+ Tables:
+  - filter
+  - mangle
+
+endef
+
+define Package/iptables-mod-conntrack-extra
+$(call Package/iptables/Module, +kmod-ipt-conntrack-extra)
+  TITLE:=Extra connection tracking extensions
+endef
+
+define Package/iptables-mod-conntrack-extra/description
+Extra iptables extensions for connection tracking.
+
+ Matches:
+  - connbytes
+  - connmark
+  - recent
+  - helper
+
+ Targets:
+  - CONNMARK
+
+endef
+
+define Package/iptables-mod-filter
+$(call Package/iptables/Module, +kmod-ipt-filter)
+  TITLE:=Content inspection extensions
+endef
+
+define Package/iptables-mod-filter/description
+iptables extensions for packet content inspection.
+Includes support for:
+
+ Matches:
+  - layer7
+  - string
+
+endef
+
+define Package/iptables-mod-ipopt
+$(call Package/iptables/Module, +kmod-ipt-ipopt)
+  TITLE:=IP/Packet option extensions
+endef
+
+define Package/iptables-mod-ipopt/description
+iptables extensions for matching/changing IP packet options.
+
+ Matches:
+  - dscp
+  - ecn
+  - length
+  - mark
+  - statistic
+  - tcpmss
+  - time
+  - unclean
+  - hl
+
+ Targets:
+  - DSCP
+  - CLASSIFY
+  - ECN
+  - MARK
+  - HL
+
+endef
+
+define Package/iptables-mod-ipsec
+$(call Package/iptables/Module, +kmod-ipt-ipsec)
+  TITLE:=IPsec extensions
+endef
+
+define Package/iptables-mod-ipsec/description
+iptables extensions for matching ipsec traffic.
+
+ Matches:
+  - ah
+  - esp
+  - policy
+
+endef
+
+define Package/iptables-mod-ipset
+$(call Package/iptables/Module,)
+  TITLE:=IPset iptables extensions
+endef
+
+define Package/iptables-mod-ipset/description
+IPset iptables extensions.
+
+ Matches:
+  - set
+
+ Targets:
+  - SET
+
+endef
+
+define Package/iptables-mod-nat-extra
+$(call Package/iptables/Module, +kmod-ipt-nat-extra)
+  TITLE:=Extra NAT extensions
+endef
+
+define Package/iptables-mod-nat-extra/description
+iptables extensions for extra NAT targets.
+
+ Targets:
+  - MIRROR
+  - NETMAP
+  - REDIRECT
+endef
+
+define Package/iptables-mod-ulog
+$(call Package/iptables/Module, +kmod-ipt-ulog)
+  TITLE:=user-space packet logging
+endef
+
+define Package/iptables-mod-ulog/description
+iptables extensions for user-space packet logging.
+
+ Targets:
+  - ULOG
+
+endef
+
+define Package/iptables-mod-hashlimit
+$(call Package/iptables/Module, +kmod-ipt-hashlimit)
+  TITLE:=hashlimit matching
+endef
+
+define Package/iptables-mod-hashlimit/description
+iptables extensions for hashlimit matching
+
+ Matches:
+  - hashlimit
+
+endef
+
+define Package/iptables-mod-iprange
+$(call Package/iptables/Module, +kmod-ipt-iprange)
+  TITLE:=IP range extension
+endef
+
+define Package/iptables-mod-iprange/description
+iptables extensions for matching ip ranges.
+
+ Matches:
+  - iprange
+
+endef
+
+define Package/iptables-mod-extra
+$(call Package/iptables/Module, +kmod-ipt-extra)
+  TITLE:=Other extra iptables extensions
+endef
+
+define Package/iptables-mod-extra/description
+Other extra iptables extensions.
+
+ Matches:
+  - addrtype
+  - condition
+  - owner
+  - physdev (if ebtables is enabled)
+  - pkttype
+  - quota
+
+endef
+
+define Package/iptables-mod-led
+$(call Package/iptables/Module, +kmod-ipt-led)
+  TITLE:=LED trigger iptables extension
+endef
+
+define Package/iptables-mod-led/description
+iptables extension for triggering a LED.
+
+ Targets:
+  - LED
+
+endef
+
+define Package/iptables-mod-tproxy
+$(call Package/iptables/Module, +kmod-ipt-tproxy)
+  TITLE:=Transparent proxy iptables extensions
+endef
+
+define Package/iptables-mod-tproxy/description
+Transparent proxy iptables extensions.
+
+ Matches:
+  - socket
+
+ Targets:
+  - TPROXY
+
+endef
+
+define Package/iptables-mod-tee
+$(call Package/iptables/Module, +kmod-ipt-tee)
+  TITLE:=TEE iptables extensions
+endef
+
+define Package/iptables-mod-tee/description
+TEE iptables extensions.
+
+ Targets:
+  - TEE
+
+endef
+
+define Package/iptables-mod-u32
+$(call Package/iptables/Module, +kmod-ipt-u32)
+  TITLE:=U32 iptables extensions
+endef
+
+define Package/iptables-mod-u32/description
+U32 iptables extensions.
+
+ Matches:
+  - u32
+
+endef
+
+define Package/ip6tables
+$(call Package/iptables/Default)
+  DEPENDS:=@IPV6 +kmod-ip6tables +iptables
+  CATEGORY:=IPv6
+  TITLE:=IPv6 firewall administration tool
+  MENU:=1
+endef
+
+define Package/libiptc
+$(call Package/iptables/Default)
+  SECTION:=libs
+  CATEGORY:=Libraries
+  DEPENDS:=+libip4tc +libip6tc
+  TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
+endef
+
+define Package/libip4tc
+$(call Package/iptables/Default)
+  SECTION:=libs
+  CATEGORY:=Libraries
+  TITLE:=IPv4 firewall - shared libiptc library
+endef
+
+define Package/libip6tc
+$(call Package/iptables/Default)
+  SECTION:=libs
+  CATEGORY:=Libraries
+  TITLE:=IPv6 firewall - shared libiptc library
+endef
+
+define Package/libxtables
+ $(call Package/iptables/Default)
+ SECTION:=libs
+ CATEGORY:=Libraries
+ TITLE:=IPv4/IPv6 firewall - shared xtables library
+endef
+
+TARGET_CPPFLAGS := \
+	-I$(PKG_BUILD_DIR)/include \
+	-I$(LINUX_DIR)/user_headers/include \
+	$(TARGET_CPPFLAGS)
+
+TARGET_CFLAGS += \
+	-I$(PKG_BUILD_DIR)/include \
+	-I$(LINUX_DIR)/user_headers/include
+
+CONFIGURE_ARGS += \
+	--enable-shared \
+	--enable-devel \
+	$(if $(CONFIG_IPV6),--enable-ipv6,--disable-ipv6) \
+	--with-kernel="$(LINUX_DIR)/user_headers" \
+	--with-xtlibdir=/usr/lib/iptables \
+	--enable-static
+
+MAKE_FLAGS := \
+	$(TARGET_CONFIGURE_OPTS) \
+	COPT_FLAGS="$(TARGET_CFLAGS)" \
+	KERNEL_DIR="$(LINUX_DIR)/user_headers/" PREFIX=/usr \
+	KBUILD_OUTPUT="$(LINUX_DIR)" \
+	BUILTIN_MODULES="$(patsubst ip6t_%,%,$(patsubst ipt_%,%,$(patsubst xt_%,%,$(IPT_BUILTIN) $(IPT_CONNTRACK-m) $(IPT_NAT-m))))"
+
+define Build/InstallDev
+	$(INSTALL_DIR) $(1)/usr/include
+	$(INSTALL_DIR) $(1)/usr/include/iptables
+	$(INSTALL_DIR) $(1)/usr/include/net/netfilter
+
+	# XXX: iptables header fixup, some headers are not installed by iptables anymore
+	$(CP) $(PKG_BUILD_DIR)/include/iptables/*.h $(1)/usr/include/iptables/
+	$(CP) $(PKG_BUILD_DIR)/include/iptables.h $(1)/usr/include/
+	$(CP) $(PKG_BUILD_DIR)/include/ip6tables.h $(1)/usr/include/
+	$(CP) $(PKG_BUILD_DIR)/include/libipulog $(1)/usr/include/
+	$(CP) $(PKG_BUILD_DIR)/include/libiptc $(1)/usr/include/
+
+	$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip*tc.so* $(1)/usr/lib/
+	$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/xtables.pc $(1)/usr/lib/pkgconfig/
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libiptc.pc $(1)/usr/lib/pkgconfig/
+endef
+
+define Package/iptables/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/xtables-multi $(1)/usr/sbin/
+	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/iptables{,-restore,-save} $(1)/usr/sbin/
+	$(INSTALL_DIR) $(1)/usr/lib/iptables
+endef
+
+define Package/ip6tables/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables{,-restore,-save} $(1)/usr/sbin/
+endef
+
+define Package/libiptc/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libiptc.so* $(1)/usr/lib/
+endef
+
+define Package/libip4tc/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
+endef
+
+define Package/libip6tc/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
+endef
+
+define Package/libxtables/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
+endef
+
+define BuildPlugin
+  define Package/$(1)/install
+	$(INSTALL_DIR) $$(1)/usr/lib/iptables
+	for m in $(patsubst xt_%,ipt_%,$(2)) $(patsubst ipt_%,xt_%,$(2)) $(patsubst xt_%,ip6t_%,$(2)) $(patsubst ip6t_%,xt_%,$(2)); do \
+		if [ -f $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so ]; then \
+			$(CP) $(PKG_INSTALL_DIR)/usr/lib/iptables/lib$$$$$$$${m}.so $$(1)/usr/lib/iptables/ ; \
+		fi; \
+	done
+	$(3)
+  endef
+
+  $$(eval $$(call BuildPackage,$(1)))
+endef
+
+L7_INSTALL:=\
+	$(INSTALL_DIR) $$(1)/etc/l7-protocols; \
+	$(CP) files/l7/*.pat $$(1)/etc/l7-protocols/
+
+
+$(eval $(call BuildPackage,iptables))
+$(eval $(call BuildPlugin,iptables-mod-conntrack-extra,$(IPT_CONNTRACK_EXTRA-m)))
+$(eval $(call BuildPlugin,iptables-mod-extra,$(IPT_EXTRA-m)))
+$(eval $(call BuildPlugin,iptables-mod-filter,$(IPT_FILTER-m),$(L7_INSTALL)))
+$(eval $(call BuildPlugin,iptables-mod-ipopt,$(IPT_IPOPT-m)))
+$(eval $(call BuildPlugin,iptables-mod-ipsec,$(IPT_IPSEC-m)))
+$(eval $(call BuildPlugin,iptables-mod-ipset,ipt_set ipt_SET))
+$(eval $(call BuildPlugin,iptables-mod-nat-extra,$(IPT_NAT_EXTRA-m)))
+$(eval $(call BuildPlugin,iptables-mod-iprange,$(IPT_IPRANGE-m)))
+$(eval $(call BuildPlugin,iptables-mod-ulog,$(IPT_ULOG-m)))
+$(eval $(call BuildPlugin,iptables-mod-hashlimit,$(IPT_HASHLIMIT-m)))
+$(eval $(call BuildPlugin,iptables-mod-led,$(IPT_LED-m)))
+$(eval $(call BuildPlugin,iptables-mod-tproxy,$(IPT_TPROXY-m)))
+$(eval $(call BuildPlugin,iptables-mod-tee,$(IPT_TEE-m)))
+$(eval $(call BuildPlugin,iptables-mod-u32,$(IPT_U32-m)))
+$(eval $(call BuildPackage,ip6tables))
+$(eval $(call BuildPackage,libiptc))
+$(eval $(call BuildPackage,libip4tc))
+$(eval $(call BuildPackage,libip6tc))
+$(eval $(call BuildPackage,libxtables))
diff --git a/package/network/utils/iptables/files/.svn/entries b/package/network/utils/iptables/files/.svn/entries
new file mode 100644
index 0000000..3317803
--- /dev/null
+++ b/package/network/utils/iptables/files/.svn/entries
@@ -0,0 +1,31 @@
+10
+
+dir
+36060
+svn://svn.openwrt.org/openwrt/trunk/package/network/utils/iptables/files
+svn://svn.openwrt.org/openwrt
+
+
+
+2009-05-01T15:20:34.240067Z
+15544
+hauke
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+3c298f89-4303-0410-b956-a3cf2f4a3e73
+
+l7
+dir
+
diff --git a/package/network/utils/iptables/files/l7/.svn/entries b/package/network/utils/iptables/files/l7/.svn/entries
new file mode 100644
index 0000000..40adf52
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/entries
@@ -0,0 +1,572 @@
+10
+
+dir
+36060
+svn://svn.openwrt.org/openwrt/trunk/package/network/utils/iptables/files/l7
+svn://svn.openwrt.org/openwrt
+
+
+
+2009-05-01T15:20:34.240067Z
+15544
+hauke
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+3c298f89-4303-0410-b956-a3cf2f4a3e73
+
+bittorrent.pat
+file
+
+
+
+
+2013-03-17T12:13:16.000000Z
+df5febf5627392a1e6cdcd7a11d5bb12
+2009-05-01T15:20:34.240067Z
+15544
+hauke
+has-props
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+1211
+
+edonkey.pat
+file
+
+
+
+
+2013-03-17T12:13:16.000000Z
+515ce55fca79d9ab254d70057b8d2d9c
+2009-05-01T15:20:34.240067Z
+15544
+hauke
+has-props
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+1656
+
+ssl.pat
+file
+
+
+
+
+2013-03-17T12:13:16.000000Z
+c6698421723f87db9fc6d9c43b5e07ea
+2009-05-01T15:20:34.240067Z
+15544
+hauke
+has-props
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+631
+
+ntp.pat
+file
+
+
+
+
+2013-03-17T12:13:16.000000Z
+b3fae202057d0cbc090f23e3e80e7482
+2009-05-01T15:20:34.240067Z
+15544
+hauke
+has-props
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+649
+
+ident.pat
+file
+
+
+
+
+2013-03-17T12:13:16.000000Z
+6526938d492d341160c3ea99002c6eb3
+2009-05-01T15:20:34.240067Z
+15544
+hauke
+has-props
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+575
+
+msnmessenger.pat
+file
+
+
+
+
+2013-03-17T12:13:16.000000Z
+c410016ed85dabdbb07c284d02a1abc4
+2009-05-01T15:20:34.240067Z
+15544
+hauke
+has-props
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+1180
+
+aim.pat
+file
+
+
+
+
+2013-03-17T12:13:16.000000Z
+b087b770a3afc46d7bc638b66fd2c03c
+2009-05-01T15:20:34.240067Z
+15544
+hauke
+has-props
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+1170
+
+gnutella.pat
+file
+
+
+
+
+2013-03-17T12:13:16.000000Z
+70aa11c8fe9f286fe4e416453d7d56b9
+2009-05-01T15:20:34.240067Z
+15544
+hauke
+has-props
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+2237
+
+irc.pat
+file
+
+
+
+
+2013-03-17T12:13:16.000000Z
+f404f0bb98e30ec52068aaa9b00a7aae
+2009-05-01T15:20:34.240067Z
+15544
+hauke
+has-props
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+833
+
+http.pat
+file
+
+
+
+
+2013-03-17T12:13:16.000000Z
+d5795d2270a70c637deb473c570e71b1
+2009-05-01T15:20:34.240067Z
+15544
+hauke
+has-props
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+1386
+
+pop3.pat
+file
+
+
+
+
+2013-03-17T12:13:16.000000Z
+a645ae5e78b76044c3f70798b9b92401
+2009-05-01T15:20:34.240067Z
+15544
+hauke
+has-props
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+2244
+
+fasttrack.pat
+file
+
+
+
+
+2013-03-17T12:13:16.000000Z
+e3449f58b0e3ca7de4327273098c7b76
+2009-05-01T15:20:34.240067Z
+15544
+hauke
+has-props
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+1336
+
+smtp.pat
+file
+
+
+
+
+2013-03-17T12:13:16.000000Z
+8be5298dde31912cbac136ef6c4aa15e
+2009-05-01T15:20:34.240067Z
+15544
+hauke
+has-props
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+1783
+
+jabber.pat
+file
+
+
+
+
+2013-03-17T12:13:16.000000Z
+7ec7c3038efb725b9e99bb5c40d9c4aa
+2009-05-01T15:20:34.240067Z
+15544
+hauke
+has-props
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+984
+
+vnc.pat
+file
+
+
+
+
+2013-03-17T12:13:16.000000Z
+997e4932fe2cd8da707ec1dc8f15d4ae
+2009-05-01T15:20:34.240067Z
+15544
+hauke
+has-props
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+927
+
+ftp.pat
+file
+
+
+
+
+2013-03-17T12:13:16.000000Z
+e3191313469ad6ad2a0cda3048e64044
+2009-05-01T15:20:34.240067Z
+15544
+hauke
+has-props
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+1851
+
diff --git a/package/network/utils/iptables/files/l7/.svn/prop-base/aim.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/prop-base/aim.pat.svn-base
new file mode 100644
index 0000000..bdbd305
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/prop-base/aim.pat.svn-base
@@ -0,0 +1,5 @@
+K 13
+svn:eol-style
+V 6
+native
+END
diff --git a/package/network/utils/iptables/files/l7/.svn/prop-base/bittorrent.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/prop-base/bittorrent.pat.svn-base
new file mode 100644
index 0000000..bdbd305
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/prop-base/bittorrent.pat.svn-base
@@ -0,0 +1,5 @@
+K 13
+svn:eol-style
+V 6
+native
+END
diff --git a/package/network/utils/iptables/files/l7/.svn/prop-base/edonkey.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/prop-base/edonkey.pat.svn-base
new file mode 100644
index 0000000..bdbd305
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/prop-base/edonkey.pat.svn-base
@@ -0,0 +1,5 @@
+K 13
+svn:eol-style
+V 6
+native
+END
diff --git a/package/network/utils/iptables/files/l7/.svn/prop-base/fasttrack.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/prop-base/fasttrack.pat.svn-base
new file mode 100644
index 0000000..bdbd305
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/prop-base/fasttrack.pat.svn-base
@@ -0,0 +1,5 @@
+K 13
+svn:eol-style
+V 6
+native
+END
diff --git a/package/network/utils/iptables/files/l7/.svn/prop-base/ftp.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/prop-base/ftp.pat.svn-base
new file mode 100644
index 0000000..bdbd305
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/prop-base/ftp.pat.svn-base
@@ -0,0 +1,5 @@
+K 13
+svn:eol-style
+V 6
+native
+END
diff --git a/package/network/utils/iptables/files/l7/.svn/prop-base/gnutella.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/prop-base/gnutella.pat.svn-base
new file mode 100644
index 0000000..bdbd305
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/prop-base/gnutella.pat.svn-base
@@ -0,0 +1,5 @@
+K 13
+svn:eol-style
+V 6
+native
+END
diff --git a/package/network/utils/iptables/files/l7/.svn/prop-base/http.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/prop-base/http.pat.svn-base
new file mode 100644
index 0000000..bdbd305
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/prop-base/http.pat.svn-base
@@ -0,0 +1,5 @@
+K 13
+svn:eol-style
+V 6
+native
+END
diff --git a/package/network/utils/iptables/files/l7/.svn/prop-base/ident.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/prop-base/ident.pat.svn-base
new file mode 100644
index 0000000..bdbd305
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/prop-base/ident.pat.svn-base
@@ -0,0 +1,5 @@
+K 13
+svn:eol-style
+V 6
+native
+END
diff --git a/package/network/utils/iptables/files/l7/.svn/prop-base/irc.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/prop-base/irc.pat.svn-base
new file mode 100644
index 0000000..bdbd305
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/prop-base/irc.pat.svn-base
@@ -0,0 +1,5 @@
+K 13
+svn:eol-style
+V 6
+native
+END
diff --git a/package/network/utils/iptables/files/l7/.svn/prop-base/jabber.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/prop-base/jabber.pat.svn-base
new file mode 100644
index 0000000..bdbd305
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/prop-base/jabber.pat.svn-base
@@ -0,0 +1,5 @@
+K 13
+svn:eol-style
+V 6
+native
+END
diff --git a/package/network/utils/iptables/files/l7/.svn/prop-base/msnmessenger.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/prop-base/msnmessenger.pat.svn-base
new file mode 100644
index 0000000..bdbd305
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/prop-base/msnmessenger.pat.svn-base
@@ -0,0 +1,5 @@
+K 13
+svn:eol-style
+V 6
+native
+END
diff --git a/package/network/utils/iptables/files/l7/.svn/prop-base/ntp.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/prop-base/ntp.pat.svn-base
new file mode 100644
index 0000000..bdbd305
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/prop-base/ntp.pat.svn-base
@@ -0,0 +1,5 @@
+K 13
+svn:eol-style
+V 6
+native
+END
diff --git a/package/network/utils/iptables/files/l7/.svn/prop-base/pop3.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/prop-base/pop3.pat.svn-base
new file mode 100644
index 0000000..bdbd305
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/prop-base/pop3.pat.svn-base
@@ -0,0 +1,5 @@
+K 13
+svn:eol-style
+V 6
+native
+END
diff --git a/package/network/utils/iptables/files/l7/.svn/prop-base/smtp.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/prop-base/smtp.pat.svn-base
new file mode 100644
index 0000000..bdbd305
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/prop-base/smtp.pat.svn-base
@@ -0,0 +1,5 @@
+K 13
+svn:eol-style
+V 6
+native
+END
diff --git a/package/network/utils/iptables/files/l7/.svn/prop-base/ssl.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/prop-base/ssl.pat.svn-base
new file mode 100644
index 0000000..bdbd305
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/prop-base/ssl.pat.svn-base
@@ -0,0 +1,5 @@
+K 13
+svn:eol-style
+V 6
+native
+END
diff --git a/package/network/utils/iptables/files/l7/.svn/prop-base/vnc.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/prop-base/vnc.pat.svn-base
new file mode 100644
index 0000000..bdbd305
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/prop-base/vnc.pat.svn-base
@@ -0,0 +1,5 @@
+K 13
+svn:eol-style
+V 6
+native
+END
diff --git a/package/network/utils/iptables/files/l7/.svn/text-base/aim.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/text-base/aim.pat.svn-base
new file mode 100644
index 0000000..5c43930
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/text-base/aim.pat.svn-base
@@ -0,0 +1,28 @@
+# AIM - AOL instant messenger (OSCAR and TOC)
+# Pattern attributes: good slow notsofast
+# Protocol groups: chat proprietary
+# Wiki: http://www.protocolinfo.org/wiki/AIM
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 5190
+#
+# This may also match ICQ traffic.
+# 
+# This pattern has been tested and is believed to work well.
+
+aim
+# See http://gridley.res.carleton.edu/~straitm/final (and various other places)
+# The first bit matches OSCAR signon and data commands, but not sure what
+# \x03\x0b matches, but it works apparently.
+# The next three bits match various parts of the TOC signon process.
+# The third one is the magic number "*", then 0x01 for "signon", then up to four
+# bytes ("up to" because l7-filter strips out nulls) which contain a sequence
+# number (2 bytes) the data length (2 more) and 3 nulls (which don't count), 
+# then 0x01 for the version number (not sure if there ever has been another 
+# version)
+# The fourth one is a command string, followed by some stuff, then the
+# beginning of the "roasted" password
+
+# This pattern is too slow!
+
+^(\*[\x01\x02].*\x03\x0b|\*\x01.?.?.?.?\x01)|flapon|toc_signon.*0x
diff --git a/package/network/utils/iptables/files/l7/.svn/text-base/bittorrent.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/text-base/bittorrent.pat.svn-base
new file mode 100644
index 0000000..4a3ba88
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/text-base/bittorrent.pat.svn-base
@@ -0,0 +1,25 @@
+# Bittorrent - P2P filesharing / publishing tool - http://www.bittorrent.com
+# Pattern attributes: good slow594 notsofast undermatch
+# Protocol groups: p2p open_source
+# Wiki: http://www.protocolinfo.org/wiki/Bittorrent
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested and is believed to work well.
+# It will, however, not work on bittorrent streams that are encrypted, since
+# it's impossible to match (well) encrypted data.
+
+bittorrent
+
+# Does not attempt to match the HTTP download of the tracker
+# 0x13 is the length of "bittorrent protocol"
+# Second two bits match UDP wierdness
+# Next bit matches something Azureus does
+# Ditto on the next bit.  Could also match on "user-agent: azureus", but that's in the next
+# packet and perhaps this will match multiple clients.
+# bitcomet-specific strings contributed by liangjun.
+
+# This is not a valid GNU basic regular expression (but that's ok).
+^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]
+
+# This pattern is "fast", but won't catch as much
+#^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=)
diff --git a/package/network/utils/iptables/files/l7/.svn/text-base/edonkey.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/text-base/edonkey.pat.svn-base
new file mode 100644
index 0000000..75807f8
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/text-base/edonkey.pat.svn-base
@@ -0,0 +1,37 @@
+# eDonkey2000 - P2P filesharing - http://edonkey2000.com and others
+# Pattern attributes: good veryfast fast overmatch
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/EDonkey
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Tested recently (April/May 2006) with eMule 0.47a and eDonkey2000 1.4
+# and a long time ago with something else. 
+# 
+# In addition to matching what you might expect, this matches much of
+# what eMule does when you tell it to only connect to the KAD network. 
+# I don't quite know what to make of this.
+
+# Thanks to Matt Skidmore <fox AT woozle.org>
+
+edonkey
+
+# http://gd.tuwien.ac.at/opsys/linux/sf/p/pdonkey/eDonkey-protocol-0.6
+#
+# In addition to \xe3, \xc5 and \xd4, I see a lot of \xe5.
+# As of April 2006, I also see some \xe4.
+#
+# God this is a mess.  What an irritating protocol.  
+# This will match about 2% of streams with random data in them!
+# (But fortunately much fewer than 2% of streams that are other protocols.
+# You can test this with the data in ../testing/)
+
+^[\xc5\xd4\xe3-\xe5].?.?.?.?([\x01\x02\x05\x14\x15\x16\x18\x19\x1a\x1b\x1c\x20\x21\x32\x33\x34\x35\x36\x38\x40\x41\x42\x43\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58[\x60\x81\x82\x90\x91\x93\x96\x97\x98\x99\x9a\x9b\x9c\x9e\xa0\xa1\xa2\xa3\xa4]|\x59................?[ -~]|\x96....$)
+
+# matches everything and too much 
+# ^(\xe3|\xc5|\xd4)
+
+# ipp2p essentially uses "\xe3....\x47", which doesn't seem at all right to me.
+
+# bandwidtharbitrator uses 
+# e0.*@.*6[a-z].*p$|e0.*@.*[a-z]6[a-z].*p0$|e.*@.*[0-9]6.*p$|emule|edonkey
+# no comments to explain what all the mush is, of course...
diff --git a/package/network/utils/iptables/files/l7/.svn/text-base/fasttrack.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/text-base/fasttrack.pat.svn-base
new file mode 100644
index 0000000..6ed8ff1
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/text-base/fasttrack.pat.svn-base
@@ -0,0 +1,23 @@
+# FastTrack - P2P filesharing (Kazaa, Morpheus, iMesh, Grokster, etc)
+# Pattern attributes: good slow notsofast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/Fasttrack
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Tested with Kazaa Lite Resurrection 0.0.7.6F
+#
+# This appears to match the download connections well, but not the search
+# connections (I think they are encrypted :-( ).
+
+fasttrack
+# while this is a valid http request, this will be caught because
+# the http pattern matches the response (and therefore the next packet)
+# Even so, it's best to put this match earlier in the chain.
+# http://cvs.berlios.de/cgi-bin/viewcvs.cgi/gift-fasttrack/giFT-FastTrack/PROTOCOL?rev=HEAD&content-type=text/vnd.viewcvs-markup
+
+# This pattern is kinda slow, but not too bad.
+^get (/.download/[ -~]*|/.supernode[ -~]|/.status[ -~]|/.network[ -~]*|/.files|/.hash=[0-9a-f]*/[ -~]*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]?
+
+# This isn't much faster:
+#^get (/.download/.*|/.supernode.|/.status.|/.network.*|/.files|/.hash=[0-9a-f]*/.*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]?
+
diff --git a/package/network/utils/iptables/files/l7/.svn/text-base/ftp.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/text-base/ftp.pat.svn-base
new file mode 100644
index 0000000..44d97c4
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/text-base/ftp.pat.svn-base
@@ -0,0 +1,46 @@
+# FTP - File Transfer Protocol - RFC 959
+# Pattern attributes: great notsofast fast
+# Protocol groups: document_retrieval ietf_internet_standard
+# Wiki: http://protocolinfo.org/wiki/FTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 21.  Note that the data stream is on a dynamically
+# assigned port, which means that you will need the FTP connection 
+# tracking module in your kernel to usefully match FTP data transfers.
+# 
+# This pattern is well tested.
+#
+# Handles the first two things a server should say:
+#
+# First, the server says it's ready by sending "220".  Most servers say 
+# something after 220, even though they don't have to, and it usually 
+# includes the string "ftp" (l7-filter is case insensitive). This 
+# includes proftpd, vsftpd, wuftpd, warftpd, pureftpd, Bulletproof FTP 
+# Server, and whatever ftp.microsoft.com uses.  Almost all servers use only 
+# ASCII printable characters between the "220" and the "FTP", but non-English
+# ones might use others.
+# 
+# The next thing the server sends is a 331.  All the above servers also 
+# send something including "password" after this code.  By default, we 
+# do not match on this because it takes another packet and is more work 
+# for regexec.
+
+ftp
+# by default, we allow only ASCII
+^220[\x09-\x0d -~]*ftp
+
+# This covers UTF-8 as well 
+#^220[\x09-\x0d -~\x80-\xfd]*ftp
+
+# This allows any characters and is about 4x faster than either of the above 
+# (which are about the same as each other)
+#^220.*ftp
+
+# This is much slower
+#^220[\x09-\x0d -~]*ftp|331[\x09-\x0d -~]*password
+
+# This pattern is more precise, but takes longer to match. (3 packets vs. 1)
+#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a331
+
+# same as above, but slightly less precise and only takes 2 packets.
+#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a
diff --git a/package/network/utils/iptables/files/l7/.svn/text-base/gnutella.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/text-base/gnutella.pat.svn-base
new file mode 100644
index 0000000..770ed43
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/text-base/gnutella.pat.svn-base
@@ -0,0 +1,34 @@
+# Gnutella - P2P filesharing
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: p2p open_source
+# Wiki: http://www.protocolinfo.org/wiki/Gnutella
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This should match both Gnutella and "Gnutella2" ("Mike's protocol")
+# 
+# Various clients use this protocol including Mactella, Shareaza,
+# GTK-gnutella, Gnucleus, Gnotella, LimeWire, iMesh and BearShare.
+# 
+# This is tested with gtk-gnutella and Shareaza.
+
+# http://www.gnutella2.com/tiki-index.php?page=UDP%20Transceiver
+# http://rfc-gnutella.sf.net/
+# http://www.gnutella2.com/tiki-index.php?page=Gnutella2%20Specification
+# http://en.wikipedia.org/wiki/Shareaza
+
+gnutella
+
+# The first part matches UDP messages - All start with "GND", then have
+# a flag byte which is either \x00, \x01 or \x02, then two sequence bytes
+# that can be anything, then a fragment number, which must start at 1.
+# The rest matches TCP first client message or first server message (in case 
+# we can't see client messages).  Some parts of this are empirical rather than 
+# document based.  Assumes version is between 0.0 and 2.9. (usually is
+# 0.4 or 0.6).  I'm guessing at many of the user-agents.
+# The last bit is emprical and probably only matches Limewire.
+^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella.*content-type: application/x-gnutella|...................?lime)
+
+# Needlessly precise, at the expense of time
+#^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /[\x09-\x0d -~]*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /[\x09-\x0d -~]*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella[\x09-\x0d -~]*content-type: application/x-gnutella|..................lime)
+
+
diff --git a/package/network/utils/iptables/files/l7/.svn/text-base/http.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/text-base/http.pat.svn-base
new file mode 100644
index 0000000..5122310
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/text-base/http.pat.svn-base
@@ -0,0 +1,28 @@
+# HTTP - HyperText Transfer Protocol - RFC 2616
+# Pattern attributes: great slow notsofast superset
+# Protocol groups: document_retrieval ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 80
+#
+# This pattern has been tested and is believed to work well.
+#
+# this intentionally catches the response from the server rather than
+# the request so that other protocols which use http (like kazaa) can be
+# caught based on specific http requests regardless of the ordering of
+# filters... also matches posts
+
+# Sites that serve really long cookies may break this by pushing the
+# server response too far away from the beginning of the connection. To
+# fix this, increase the kernel's data buffer length.
+
+http
+# Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF (rfc 2616)
+# As specified in rfc 2616 a status code is preceeded and followed by a
+# space. 
+http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019]
+# A slightly faster version that might be good enough:
+#http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]|post [\x09-\x0d -~]* http/[01]\.[019]
+# old pattern(s):
+#(http[\x09-\x0d -~]*(200 ok|302 |304 )[\x09-\x0d -~]*(connection:|content-type:|content-length:))|^(post [\x09-\x0d -~]* http/)
diff --git a/package/network/utils/iptables/files/l7/.svn/text-base/ident.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/text-base/ident.pat.svn-base
new file mode 100644
index 0000000..3205e5e
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/text-base/ident.pat.svn-base
@@ -0,0 +1,15 @@
+# Ident - Identification Protocol - RFC 1413
+# Pattern attributes: good fast fast
+# Protocol groups: networking ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/Ident
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 113
+#
+# This pattern is believed to work.
+
+ident
+# "number , numberCRLF" possibly without the CR and/or LF.
+# ^$ is appropriate because the first packet should never have anything
+# else in it.
+^[1-9][0-9]?[0-9]?[0-9]?[0-9]?[\x09-\x0d]*,[\x09-\x0d]*[1-9][0-9]?[0-9]?[0-9]?[0-9]?(\x0d\x0a|[\x0d\x0a])?$
diff --git a/package/network/utils/iptables/files/l7/.svn/text-base/irc.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/text-base/irc.pat.svn-base
new file mode 100644
index 0000000..e25360c
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/text-base/irc.pat.svn-base
@@ -0,0 +1,20 @@
+# IRC - Internet Relay Chat - RFC 1459
+# Pattern attributes: great veryfast fast
+# Protocol groups: chat ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/IRC
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 6666 or 6667
+# Note that chat traffic runs on these ports, but IRC-DCC traffic (which
+# can use much more bandwidth) uses a dynamically assigned port, so you 
+# must have the IRC connection tracking module in your kernel to classify
+# this.
+#
+# This pattern has been tested and is believed to work well.
+
+irc
+# First thing that happens is that the client sends NICK and USER, in 
+# either order.  This allows MIRC color codes (\x02-\x0d instead of
+# \x09-\x0d).
+^(nick[\x09-\x0d -~]*user[\x09-\x0d -~]*:|user[\x09-\x0d -~]*:[\x02-\x0d -~]*nick[\x09-\x0d -~]*\x0d\x0a)
+
diff --git a/package/network/utils/iptables/files/l7/.svn/text-base/jabber.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/text-base/jabber.pat.svn-base
new file mode 100644
index 0000000..7c32890
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/text-base/jabber.pat.svn-base
@@ -0,0 +1,24 @@
+# Jabber (XMPP) - open instant messenger protocol - RFC 3920 - http://jabber.org
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: chat ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/Jabber
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested with Gaim and Gabber.  It is only tested 
+# with non-SSL mode Jabber with no proxies.
+
+# Thanks to Jan Hudec for some improvements.
+
+# Jabber seems to take a long time to set up a connection.  I'm
+# connecting with Gabber 0.8.8 to 12jabber.org and the first 8 packets
+# is this:
+# <stream:stream to='12jabber.com' xmlns='jabber:client'
+# xmlns:stream='http://etherx.jabber.org/streams'><?xml
+# version='1.0'?><stream:stream
+# xmlns:stream='http://etherx.jabber.org/streams' id='3f73e951'
+# xmlns='jabber:client' from='12jabber.com'>
+#
+# No mention of my username or password yet, you'll note.
+
+jabber
+<stream:stream[\x09-\x0d ][ -~]*[\x09-\x0d ]xmlns=['"]jabber
diff --git a/package/network/utils/iptables/files/l7/.svn/text-base/msnmessenger.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/text-base/msnmessenger.pat.svn-base
new file mode 100644
index 0000000..11dfc10
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/text-base/msnmessenger.pat.svn-base
@@ -0,0 +1,28 @@
+# MSN Messenger - Microsoft Network chat client
+# Pattern attributes: good slow notsofast
+# Protocol groups: chat proprietary
+# Wiki: http://www.protocolinfo.org/wiki/MSN_Messenger
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually uses TCP port 1863
+# http://www.hypothetic.org/docs/msn/index.php
+# http://msnpiki.msnfanatic.com/
+#
+# This pattern has been tested and is believed to work well.
+
+msnmessenger
+
+# First branch: login
+#   ver: allow versions up to 99.
+#   I've never seen a cvr other than cvr0.  Maybe this will be trouble later?
+#   Can't anchor at the beginning because sometimes this is encapsulated in
+#   HTTP.  But either way, the first packet ends like this.
+# Second/Third branches: accepting/sending a message
+#   I will assume that these can also be encapsulated in HTTP, although I have
+#   not checked.  Example of each direction:
+#   ANS 1 quadong@hotmail.com 1139803431.29427 17522047
+#   USR 1 quadong@hotmail.com 530423708.968145.366138
+
+# Branches are written entirely separately for better performance.
+ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]*cvr0\x0d\x0a$|usr 1 [!-~]+ [0-9. ]+\x0d\x0a$|ans 1 [!-~]+ [0-9. ]+\x0d\x0a$
+
diff --git a/package/network/utils/iptables/files/l7/.svn/text-base/ntp.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/text-base/ntp.pat.svn-base
new file mode 100644
index 0000000..760cfdb
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/text-base/ntp.pat.svn-base
@@ -0,0 +1,17 @@
+# (S)NTP - (Simple) Network Time Protocol - RFCs 1305 and 2030
+# Pattern attributes: good fast fast overmatch 
+# Protocol groups: time_synchronization ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/NTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern is tested and is believed to work.
+
+# client|server
+# Requires the server's timestamp to be in the present or future (of 2005).
+# Tested with ntpdate on Linux.
+# Assumes version 2, 3 or 4.
+
+# Note that ntp packets are always 48 bytes, so you should match on that too.
+
+ntp
+^([\x13\x1b\x23\xd3\xdb\xe3]|[\x14\x1c$].......?.?.?.?.?.?.?.?.?[\xc6-\xff])
diff --git a/package/network/utils/iptables/files/l7/.svn/text-base/pop3.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/text-base/pop3.pat.svn-base
new file mode 100644
index 0000000..3ae4c14
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/text-base/pop3.pat.svn-base
@@ -0,0 +1,50 @@
+# POP3 - Post Office Protocol version 3 (popular e-mail protocol) - RFC 1939
+# Pattern attributes: great veryfast fast
+# Protocol groups: mail ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/POP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested somewhat.
+
+# this is a difficult protocol to match because of the relative lack of 
+# distinguishing information.  Read on.
+pop3
+
+# this the most conservative pattern.  It should definitely work.
+#^(\+ok|-err)
+
+# this pattern assumes that the server says _something_ after +ok or -err
+# I think this is probably the way to go.
+^(\+ok |-err )
+
+# more that 90% of servers seem to say "pop" after "+ok", but not all.
+#^(\+ok .*pop)
+
+# Here's another tack. I think this is my second favorite.
+#^(\+ok [\x09-\x0d -~]*(ready|hello|pop|starting)|-err [\x09-\x0d -~]*(invalid|unknown|unimplemented|unrecognized|command))
+
+# this matches the server saying "you have N messages that are M bytes",
+# which the client probably asks for early in the session (not tested)
+#\+ok [0-9]+ [0-9]+
+
+# some sample servers:
+# RFC example:        +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>
+# mail.dreamhost.com: +OK Hello there.
+# pop.carleton.edu:   +OK POP3D(*) Server PMDFV6.2.2 at Fri, 12 Sep 2003 19:28:10 -0500 (CDT) (APOP disabled)
+# mail.earthlink.net: +OK NGPopper vEL_4_38 at earthlink.net ready <25509.1063412951@falcon>
+# *.email.umn.edu:    +OK Cubic Circle's v1.22 1998/04/11 POP3 ready <7d1e0000da67623f@aquamarine.tc.umn.edu>
+# mail.yale.edu:      +OK POP3 pantheon-po01 v2002.81 server ready
+# mail.gustavus.edu:  +OK POP3 solen v2001.78 server ready
+# mail.reed.edu:      +OK POP3 letra.reed.edu v2002.81 server ready
+# mail.bowdoin.edu:   +OK mail.bowdoin.edu POP3 service (iPlanet Messaging Server 5.2 HotFix 1.15 (built Apr 28 2003))
+# pop.colby.edu:      +OK Qpopper (version 4.0.5) at basalt starting.
+# mail.mac.com:       +OK Netscape Messaging Multiplexor ready
+
+# various error strings:
+#-ERR Invalid command.
+#-ERR invalid command
+#-ERR unimplemented
+#-ERR Invalid command, try one of: USER name, PASS string, QUIT
+#-ERR Unknown AUTHORIZATION state command
+#-ERR Unrecognized command
+#-ERR Unknown command: "sadf'".
diff --git a/package/network/utils/iptables/files/l7/.svn/text-base/smtp.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/text-base/smtp.pat.svn-base
new file mode 100644
index 0000000..2f5d195
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/text-base/smtp.pat.svn-base
@@ -0,0 +1,40 @@
+# SMTP - Simple Mail Transfer Protocol - RFC 2821 (See also RFC 1869)
+# Pattern attributes: great notsofast fast
+# Protocol groups: mail ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/SMTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# usually runs on port 25
+# 
+# This pattern has been tested and is believed to work well.
+
+# As usual, no text is required after "220", but all known servers have some
+# there.  It (almost?) always has string "smtp" in it.  The RFC examples
+# does not, so we match those too, just in case anyone has copied them 
+# literally.
+#
+# Some examples:
+# 220 mail.stalker.com ESMTP CommuniGate Pro 4.1.3
+# 220 mail.vieodata.com ESMTP Merak 6.1.0; Mon, 15 Sep 2003 13:48:11 -0400
+# 220 mail.ut.caldera.com ESMTP
+# 220 persephone.pmail.gen.nz ESMTP server ready.
+# 220 smtp1.superb.net ESMTP
+# 220 mail.kerio.com Kerio MailServer 5.6.7 ESMTP ready
+# 220-mail.deerfield.com ESMTP VisNetic.MailServer.v6.0.9.0; Mon, 15 Sep 2003 13:4
+# 220 altn.com ESMTP MDaemon 6.8.5; Mon, 15 Sep 2003 12:46:42 -0500
+# 220 X1 NT-ESMTP Server ipsmin0165atl2.interland.net (IMail 6.06 73062-3)
+# 220 mail.icewarp.com ESMTP Merak 6.1.1; Mon, 15 Sep 2003 19:43:23 +0200
+# 220-mail.email-scan.com ESMTP
+# 220 smaug.dreamhost.com ESMTP
+# 220 kona.carleton.edu -- Server ESMTP (PMDF V6.2#30648)
+# 220 letra.reed.edu ESMTP Sendmail 8.12.9/8.12.9; Mon, 15 Sep 2003 10:35:57 -0700 (PDT)
+# 220-swan.mail.pas.earthlink.net ESMTP Exim 3.33 #1 Mon, 15 Sep 2003 10:32:15 -0700
+# 
+# RFC examples:
+# 220 xyz.com Simple Mail Transfer Service Ready (RFC example)
+# 220 dbc.mtview.ca.us SMTP service ready
+
+smtp
+^220[\x09-\x0d -~]* (e?smtp|simple mail)
+userspace pattern=^220[\x09-\x0d -~]* (E?SMTP|[Ss]imple [Mm]ail)
+userspace flags=REG_NOSUB REG_EXTENDED
diff --git a/package/network/utils/iptables/files/l7/.svn/text-base/ssl.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/text-base/ssl.pat.svn-base
new file mode 100644
index 0000000..ae30ee4
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/text-base/ssl.pat.svn-base
@@ -0,0 +1,16 @@
+# SSL and TLS - Secure Socket Layer / Transport Layer Security - RFC 2246
+# Pattern attributes: good notsofast fast superset
+# Protocol groups: secure ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/SSL
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 443
+#
+# This is a superset of validcertssl.  For it to match, it must be first.
+# 
+# This pattern has been tested and is believed to work well.
+
+ssl
+# Server Hello with certificate | Client Hello
+# This allows SSL 3.X, which includes TLS 1.0, known internally as SSL 3.1
+^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b)
diff --git a/package/network/utils/iptables/files/l7/.svn/text-base/vnc.pat.svn-base b/package/network/utils/iptables/files/l7/.svn/text-base/vnc.pat.svn-base
new file mode 100644
index 0000000..79d0ae8
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/.svn/text-base/vnc.pat.svn-base
@@ -0,0 +1,23 @@
+# VNC - Virtual Network Computing.  Also known as RFB - Remote Frame Buffer
+# Pattern attributes: great veryfast fast
+# Protocol groups: remote_access
+# Wiki: http://www.protocolinfo.org/wiki/VNC
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# http://www.realvnc.com/documentation.html
+# 
+# This pattern has been verified with vnc v3.3.7 on WinXP and Linux
+#
+# Thanks to Trevor Paskett <tpaskett AT cymphonix.com> for this pattern.
+
+vnc
+# Assumes single digit major and minor version numbers 
+# This message should be all alone in the first packet, so ^$ is appropriate
+^rfb 00[1-9]\.00[0-9]\x0a$
+
+# This is a more restrictive version which assumes the version numbers
+# are ones actually in existance at the time of this writing, i.e. 3.3,
+# 3.7 and 3.8 (with some clients wrongly reporting 3.5).  It should be
+# slightly faster, but probably not worth the extra maintenance. 
+# ^rfb 003\.00[3578]\x0a$
+
diff --git a/package/network/utils/iptables/files/l7/aim.pat b/package/network/utils/iptables/files/l7/aim.pat
new file mode 100644
index 0000000..5c43930
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/aim.pat
@@ -0,0 +1,28 @@
+# AIM - AOL instant messenger (OSCAR and TOC)
+# Pattern attributes: good slow notsofast
+# Protocol groups: chat proprietary
+# Wiki: http://www.protocolinfo.org/wiki/AIM
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 5190
+#
+# This may also match ICQ traffic.
+# 
+# This pattern has been tested and is believed to work well.
+
+aim
+# See http://gridley.res.carleton.edu/~straitm/final (and various other places)
+# The first bit matches OSCAR signon and data commands, but not sure what
+# \x03\x0b matches, but it works apparently.
+# The next three bits match various parts of the TOC signon process.
+# The third one is the magic number "*", then 0x01 for "signon", then up to four
+# bytes ("up to" because l7-filter strips out nulls) which contain a sequence
+# number (2 bytes) the data length (2 more) and 3 nulls (which don't count), 
+# then 0x01 for the version number (not sure if there ever has been another 
+# version)
+# The fourth one is a command string, followed by some stuff, then the
+# beginning of the "roasted" password
+
+# This pattern is too slow!
+
+^(\*[\x01\x02].*\x03\x0b|\*\x01.?.?.?.?\x01)|flapon|toc_signon.*0x
diff --git a/package/network/utils/iptables/files/l7/bittorrent.pat b/package/network/utils/iptables/files/l7/bittorrent.pat
new file mode 100644
index 0000000..4a3ba88
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/bittorrent.pat
@@ -0,0 +1,25 @@
+# Bittorrent - P2P filesharing / publishing tool - http://www.bittorrent.com
+# Pattern attributes: good slow594 notsofast undermatch
+# Protocol groups: p2p open_source
+# Wiki: http://www.protocolinfo.org/wiki/Bittorrent
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested and is believed to work well.
+# It will, however, not work on bittorrent streams that are encrypted, since
+# it's impossible to match (well) encrypted data.
+
+bittorrent
+
+# Does not attempt to match the HTTP download of the tracker
+# 0x13 is the length of "bittorrent protocol"
+# Second two bits match UDP wierdness
+# Next bit matches something Azureus does
+# Ditto on the next bit.  Could also match on "user-agent: azureus", but that's in the next
+# packet and perhaps this will match multiple clients.
+# bitcomet-specific strings contributed by liangjun.
+
+# This is not a valid GNU basic regular expression (but that's ok).
+^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]
+
+# This pattern is "fast", but won't catch as much
+#^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=)
diff --git a/package/network/utils/iptables/files/l7/edonkey.pat b/package/network/utils/iptables/files/l7/edonkey.pat
new file mode 100644
index 0000000..75807f8
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/edonkey.pat
@@ -0,0 +1,37 @@
+# eDonkey2000 - P2P filesharing - http://edonkey2000.com and others
+# Pattern attributes: good veryfast fast overmatch
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/EDonkey
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Tested recently (April/May 2006) with eMule 0.47a and eDonkey2000 1.4
+# and a long time ago with something else. 
+# 
+# In addition to matching what you might expect, this matches much of
+# what eMule does when you tell it to only connect to the KAD network. 
+# I don't quite know what to make of this.
+
+# Thanks to Matt Skidmore <fox AT woozle.org>
+
+edonkey
+
+# http://gd.tuwien.ac.at/opsys/linux/sf/p/pdonkey/eDonkey-protocol-0.6
+#
+# In addition to \xe3, \xc5 and \xd4, I see a lot of \xe5.
+# As of April 2006, I also see some \xe4.
+#
+# God this is a mess.  What an irritating protocol.  
+# This will match about 2% of streams with random data in them!
+# (But fortunately much fewer than 2% of streams that are other protocols.
+# You can test this with the data in ../testing/)
+
+^[\xc5\xd4\xe3-\xe5].?.?.?.?([\x01\x02\x05\x14\x15\x16\x18\x19\x1a\x1b\x1c\x20\x21\x32\x33\x34\x35\x36\x38\x40\x41\x42\x43\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58[\x60\x81\x82\x90\x91\x93\x96\x97\x98\x99\x9a\x9b\x9c\x9e\xa0\xa1\xa2\xa3\xa4]|\x59................?[ -~]|\x96....$)
+
+# matches everything and too much 
+# ^(\xe3|\xc5|\xd4)
+
+# ipp2p essentially uses "\xe3....\x47", which doesn't seem at all right to me.
+
+# bandwidtharbitrator uses 
+# e0.*@.*6[a-z].*p$|e0.*@.*[a-z]6[a-z].*p0$|e.*@.*[0-9]6.*p$|emule|edonkey
+# no comments to explain what all the mush is, of course...
diff --git a/package/network/utils/iptables/files/l7/fasttrack.pat b/package/network/utils/iptables/files/l7/fasttrack.pat
new file mode 100644
index 0000000..6ed8ff1
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/fasttrack.pat
@@ -0,0 +1,23 @@
+# FastTrack - P2P filesharing (Kazaa, Morpheus, iMesh, Grokster, etc)
+# Pattern attributes: good slow notsofast
+# Protocol groups: p2p
+# Wiki: http://www.protocolinfo.org/wiki/Fasttrack
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Tested with Kazaa Lite Resurrection 0.0.7.6F
+#
+# This appears to match the download connections well, but not the search
+# connections (I think they are encrypted :-( ).
+
+fasttrack
+# while this is a valid http request, this will be caught because
+# the http pattern matches the response (and therefore the next packet)
+# Even so, it's best to put this match earlier in the chain.
+# http://cvs.berlios.de/cgi-bin/viewcvs.cgi/gift-fasttrack/giFT-FastTrack/PROTOCOL?rev=HEAD&content-type=text/vnd.viewcvs-markup
+
+# This pattern is kinda slow, but not too bad.
+^get (/.download/[ -~]*|/.supernode[ -~]|/.status[ -~]|/.network[ -~]*|/.files|/.hash=[0-9a-f]*/[ -~]*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]?
+
+# This isn't much faster:
+#^get (/.download/.*|/.supernode.|/.status.|/.network.*|/.files|/.hash=[0-9a-f]*/.*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]?
+
diff --git a/package/network/utils/iptables/files/l7/ftp.pat b/package/network/utils/iptables/files/l7/ftp.pat
new file mode 100644
index 0000000..44d97c4
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/ftp.pat
@@ -0,0 +1,46 @@
+# FTP - File Transfer Protocol - RFC 959
+# Pattern attributes: great notsofast fast
+# Protocol groups: document_retrieval ietf_internet_standard
+# Wiki: http://protocolinfo.org/wiki/FTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 21.  Note that the data stream is on a dynamically
+# assigned port, which means that you will need the FTP connection 
+# tracking module in your kernel to usefully match FTP data transfers.
+# 
+# This pattern is well tested.
+#
+# Handles the first two things a server should say:
+#
+# First, the server says it's ready by sending "220".  Most servers say 
+# something after 220, even though they don't have to, and it usually 
+# includes the string "ftp" (l7-filter is case insensitive). This 
+# includes proftpd, vsftpd, wuftpd, warftpd, pureftpd, Bulletproof FTP 
+# Server, and whatever ftp.microsoft.com uses.  Almost all servers use only 
+# ASCII printable characters between the "220" and the "FTP", but non-English
+# ones might use others.
+# 
+# The next thing the server sends is a 331.  All the above servers also 
+# send something including "password" after this code.  By default, we 
+# do not match on this because it takes another packet and is more work 
+# for regexec.
+
+ftp
+# by default, we allow only ASCII
+^220[\x09-\x0d -~]*ftp
+
+# This covers UTF-8 as well 
+#^220[\x09-\x0d -~\x80-\xfd]*ftp
+
+# This allows any characters and is about 4x faster than either of the above 
+# (which are about the same as each other)
+#^220.*ftp
+
+# This is much slower
+#^220[\x09-\x0d -~]*ftp|331[\x09-\x0d -~]*password
+
+# This pattern is more precise, but takes longer to match. (3 packets vs. 1)
+#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a331
+
+# same as above, but slightly less precise and only takes 2 packets.
+#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a
diff --git a/package/network/utils/iptables/files/l7/gnutella.pat b/package/network/utils/iptables/files/l7/gnutella.pat
new file mode 100644
index 0000000..770ed43
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/gnutella.pat
@@ -0,0 +1,34 @@
+# Gnutella - P2P filesharing
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: p2p open_source
+# Wiki: http://www.protocolinfo.org/wiki/Gnutella
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This should match both Gnutella and "Gnutella2" ("Mike's protocol")
+# 
+# Various clients use this protocol including Mactella, Shareaza,
+# GTK-gnutella, Gnucleus, Gnotella, LimeWire, iMesh and BearShare.
+# 
+# This is tested with gtk-gnutella and Shareaza.
+
+# http://www.gnutella2.com/tiki-index.php?page=UDP%20Transceiver
+# http://rfc-gnutella.sf.net/
+# http://www.gnutella2.com/tiki-index.php?page=Gnutella2%20Specification
+# http://en.wikipedia.org/wiki/Shareaza
+
+gnutella
+
+# The first part matches UDP messages - All start with "GND", then have
+# a flag byte which is either \x00, \x01 or \x02, then two sequence bytes
+# that can be anything, then a fragment number, which must start at 1.
+# The rest matches TCP first client message or first server message (in case 
+# we can't see client messages).  Some parts of this are empirical rather than 
+# document based.  Assumes version is between 0.0 and 2.9. (usually is
+# 0.4 or 0.6).  I'm guessing at many of the user-agents.
+# The last bit is emprical and probably only matches Limewire.
+^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella.*content-type: application/x-gnutella|...................?lime)
+
+# Needlessly precise, at the expense of time
+#^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /[\x09-\x0d -~]*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /[\x09-\x0d -~]*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella[\x09-\x0d -~]*content-type: application/x-gnutella|..................lime)
+
+
diff --git a/package/network/utils/iptables/files/l7/http.pat b/package/network/utils/iptables/files/l7/http.pat
new file mode 100644
index 0000000..5122310
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/http.pat
@@ -0,0 +1,28 @@
+# HTTP - HyperText Transfer Protocol - RFC 2616
+# Pattern attributes: great slow notsofast superset
+# Protocol groups: document_retrieval ietf_draft_standard
+# Wiki: http://protocolinfo.org/wiki/HTTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 80
+#
+# This pattern has been tested and is believed to work well.
+#
+# this intentionally catches the response from the server rather than
+# the request so that other protocols which use http (like kazaa) can be
+# caught based on specific http requests regardless of the ordering of
+# filters... also matches posts
+
+# Sites that serve really long cookies may break this by pushing the
+# server response too far away from the beginning of the connection. To
+# fix this, increase the kernel's data buffer length.
+
+http
+# Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF (rfc 2616)
+# As specified in rfc 2616 a status code is preceeded and followed by a
+# space. 
+http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019]
+# A slightly faster version that might be good enough:
+#http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]|post [\x09-\x0d -~]* http/[01]\.[019]
+# old pattern(s):
+#(http[\x09-\x0d -~]*(200 ok|302 |304 )[\x09-\x0d -~]*(connection:|content-type:|content-length:))|^(post [\x09-\x0d -~]* http/)
diff --git a/package/network/utils/iptables/files/l7/ident.pat b/package/network/utils/iptables/files/l7/ident.pat
new file mode 100644
index 0000000..3205e5e
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/ident.pat
@@ -0,0 +1,15 @@
+# Ident - Identification Protocol - RFC 1413
+# Pattern attributes: good fast fast
+# Protocol groups: networking ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/Ident
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 113
+#
+# This pattern is believed to work.
+
+ident
+# "number , numberCRLF" possibly without the CR and/or LF.
+# ^$ is appropriate because the first packet should never have anything
+# else in it.
+^[1-9][0-9]?[0-9]?[0-9]?[0-9]?[\x09-\x0d]*,[\x09-\x0d]*[1-9][0-9]?[0-9]?[0-9]?[0-9]?(\x0d\x0a|[\x0d\x0a])?$
diff --git a/package/network/utils/iptables/files/l7/irc.pat b/package/network/utils/iptables/files/l7/irc.pat
new file mode 100644
index 0000000..e25360c
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/irc.pat
@@ -0,0 +1,20 @@
+# IRC - Internet Relay Chat - RFC 1459
+# Pattern attributes: great veryfast fast
+# Protocol groups: chat ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/IRC
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 6666 or 6667
+# Note that chat traffic runs on these ports, but IRC-DCC traffic (which
+# can use much more bandwidth) uses a dynamically assigned port, so you 
+# must have the IRC connection tracking module in your kernel to classify
+# this.
+#
+# This pattern has been tested and is believed to work well.
+
+irc
+# First thing that happens is that the client sends NICK and USER, in 
+# either order.  This allows MIRC color codes (\x02-\x0d instead of
+# \x09-\x0d).
+^(nick[\x09-\x0d -~]*user[\x09-\x0d -~]*:|user[\x09-\x0d -~]*:[\x02-\x0d -~]*nick[\x09-\x0d -~]*\x0d\x0a)
+
diff --git a/package/network/utils/iptables/files/l7/jabber.pat b/package/network/utils/iptables/files/l7/jabber.pat
new file mode 100644
index 0000000..7c32890
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/jabber.pat
@@ -0,0 +1,24 @@
+# Jabber (XMPP) - open instant messenger protocol - RFC 3920 - http://jabber.org
+# Pattern attributes: good notsofast notsofast
+# Protocol groups: chat ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/Jabber
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested with Gaim and Gabber.  It is only tested 
+# with non-SSL mode Jabber with no proxies.
+
+# Thanks to Jan Hudec for some improvements.
+
+# Jabber seems to take a long time to set up a connection.  I'm
+# connecting with Gabber 0.8.8 to 12jabber.org and the first 8 packets
+# is this:
+# <stream:stream to='12jabber.com' xmlns='jabber:client'
+# xmlns:stream='http://etherx.jabber.org/streams'><?xml
+# version='1.0'?><stream:stream
+# xmlns:stream='http://etherx.jabber.org/streams' id='3f73e951'
+# xmlns='jabber:client' from='12jabber.com'>
+#
+# No mention of my username or password yet, you'll note.
+
+jabber
+<stream:stream[\x09-\x0d ][ -~]*[\x09-\x0d ]xmlns=['"]jabber
diff --git a/package/network/utils/iptables/files/l7/msnmessenger.pat b/package/network/utils/iptables/files/l7/msnmessenger.pat
new file mode 100644
index 0000000..11dfc10
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/msnmessenger.pat
@@ -0,0 +1,28 @@
+# MSN Messenger - Microsoft Network chat client
+# Pattern attributes: good slow notsofast
+# Protocol groups: chat proprietary
+# Wiki: http://www.protocolinfo.org/wiki/MSN_Messenger
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually uses TCP port 1863
+# http://www.hypothetic.org/docs/msn/index.php
+# http://msnpiki.msnfanatic.com/
+#
+# This pattern has been tested and is believed to work well.
+
+msnmessenger
+
+# First branch: login
+#   ver: allow versions up to 99.
+#   I've never seen a cvr other than cvr0.  Maybe this will be trouble later?
+#   Can't anchor at the beginning because sometimes this is encapsulated in
+#   HTTP.  But either way, the first packet ends like this.
+# Second/Third branches: accepting/sending a message
+#   I will assume that these can also be encapsulated in HTTP, although I have
+#   not checked.  Example of each direction:
+#   ANS 1 quadong@hotmail.com 1139803431.29427 17522047
+#   USR 1 quadong@hotmail.com 530423708.968145.366138
+
+# Branches are written entirely separately for better performance.
+ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]*cvr0\x0d\x0a$|usr 1 [!-~]+ [0-9. ]+\x0d\x0a$|ans 1 [!-~]+ [0-9. ]+\x0d\x0a$
+
diff --git a/package/network/utils/iptables/files/l7/ntp.pat b/package/network/utils/iptables/files/l7/ntp.pat
new file mode 100644
index 0000000..760cfdb
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/ntp.pat
@@ -0,0 +1,17 @@
+# (S)NTP - (Simple) Network Time Protocol - RFCs 1305 and 2030
+# Pattern attributes: good fast fast overmatch 
+# Protocol groups: time_synchronization ietf_draft_standard
+# Wiki: http://www.protocolinfo.org/wiki/NTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern is tested and is believed to work.
+
+# client|server
+# Requires the server's timestamp to be in the present or future (of 2005).
+# Tested with ntpdate on Linux.
+# Assumes version 2, 3 or 4.
+
+# Note that ntp packets are always 48 bytes, so you should match on that too.
+
+ntp
+^([\x13\x1b\x23\xd3\xdb\xe3]|[\x14\x1c$].......?.?.?.?.?.?.?.?.?[\xc6-\xff])
diff --git a/package/network/utils/iptables/files/l7/pop3.pat b/package/network/utils/iptables/files/l7/pop3.pat
new file mode 100644
index 0000000..3ae4c14
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/pop3.pat
@@ -0,0 +1,50 @@
+# POP3 - Post Office Protocol version 3 (popular e-mail protocol) - RFC 1939
+# Pattern attributes: great veryfast fast
+# Protocol groups: mail ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/POP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# This pattern has been tested somewhat.
+
+# this is a difficult protocol to match because of the relative lack of 
+# distinguishing information.  Read on.
+pop3
+
+# this the most conservative pattern.  It should definitely work.
+#^(\+ok|-err)
+
+# this pattern assumes that the server says _something_ after +ok or -err
+# I think this is probably the way to go.
+^(\+ok |-err )
+
+# more that 90% of servers seem to say "pop" after "+ok", but not all.
+#^(\+ok .*pop)
+
+# Here's another tack. I think this is my second favorite.
+#^(\+ok [\x09-\x0d -~]*(ready|hello|pop|starting)|-err [\x09-\x0d -~]*(invalid|unknown|unimplemented|unrecognized|command))
+
+# this matches the server saying "you have N messages that are M bytes",
+# which the client probably asks for early in the session (not tested)
+#\+ok [0-9]+ [0-9]+
+
+# some sample servers:
+# RFC example:        +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>
+# mail.dreamhost.com: +OK Hello there.
+# pop.carleton.edu:   +OK POP3D(*) Server PMDFV6.2.2 at Fri, 12 Sep 2003 19:28:10 -0500 (CDT) (APOP disabled)
+# mail.earthlink.net: +OK NGPopper vEL_4_38 at earthlink.net ready <25509.1063412951@falcon>
+# *.email.umn.edu:    +OK Cubic Circle's v1.22 1998/04/11 POP3 ready <7d1e0000da67623f@aquamarine.tc.umn.edu>
+# mail.yale.edu:      +OK POP3 pantheon-po01 v2002.81 server ready
+# mail.gustavus.edu:  +OK POP3 solen v2001.78 server ready
+# mail.reed.edu:      +OK POP3 letra.reed.edu v2002.81 server ready
+# mail.bowdoin.edu:   +OK mail.bowdoin.edu POP3 service (iPlanet Messaging Server 5.2 HotFix 1.15 (built Apr 28 2003))
+# pop.colby.edu:      +OK Qpopper (version 4.0.5) at basalt starting.
+# mail.mac.com:       +OK Netscape Messaging Multiplexor ready
+
+# various error strings:
+#-ERR Invalid command.
+#-ERR invalid command
+#-ERR unimplemented
+#-ERR Invalid command, try one of: USER name, PASS string, QUIT
+#-ERR Unknown AUTHORIZATION state command
+#-ERR Unrecognized command
+#-ERR Unknown command: "sadf'".
diff --git a/package/network/utils/iptables/files/l7/smtp.pat b/package/network/utils/iptables/files/l7/smtp.pat
new file mode 100644
index 0000000..2f5d195
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/smtp.pat
@@ -0,0 +1,40 @@
+# SMTP - Simple Mail Transfer Protocol - RFC 2821 (See also RFC 1869)
+# Pattern attributes: great notsofast fast
+# Protocol groups: mail ietf_internet_standard
+# Wiki: http://www.protocolinfo.org/wiki/SMTP
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# usually runs on port 25
+# 
+# This pattern has been tested and is believed to work well.
+
+# As usual, no text is required after "220", but all known servers have some
+# there.  It (almost?) always has string "smtp" in it.  The RFC examples
+# does not, so we match those too, just in case anyone has copied them 
+# literally.
+#
+# Some examples:
+# 220 mail.stalker.com ESMTP CommuniGate Pro 4.1.3
+# 220 mail.vieodata.com ESMTP Merak 6.1.0; Mon, 15 Sep 2003 13:48:11 -0400
+# 220 mail.ut.caldera.com ESMTP
+# 220 persephone.pmail.gen.nz ESMTP server ready.
+# 220 smtp1.superb.net ESMTP
+# 220 mail.kerio.com Kerio MailServer 5.6.7 ESMTP ready
+# 220-mail.deerfield.com ESMTP VisNetic.MailServer.v6.0.9.0; Mon, 15 Sep 2003 13:4
+# 220 altn.com ESMTP MDaemon 6.8.5; Mon, 15 Sep 2003 12:46:42 -0500
+# 220 X1 NT-ESMTP Server ipsmin0165atl2.interland.net (IMail 6.06 73062-3)
+# 220 mail.icewarp.com ESMTP Merak 6.1.1; Mon, 15 Sep 2003 19:43:23 +0200
+# 220-mail.email-scan.com ESMTP
+# 220 smaug.dreamhost.com ESMTP
+# 220 kona.carleton.edu -- Server ESMTP (PMDF V6.2#30648)
+# 220 letra.reed.edu ESMTP Sendmail 8.12.9/8.12.9; Mon, 15 Sep 2003 10:35:57 -0700 (PDT)
+# 220-swan.mail.pas.earthlink.net ESMTP Exim 3.33 #1 Mon, 15 Sep 2003 10:32:15 -0700
+# 
+# RFC examples:
+# 220 xyz.com Simple Mail Transfer Service Ready (RFC example)
+# 220 dbc.mtview.ca.us SMTP service ready
+
+smtp
+^220[\x09-\x0d -~]* (e?smtp|simple mail)
+userspace pattern=^220[\x09-\x0d -~]* (E?SMTP|[Ss]imple [Mm]ail)
+userspace flags=REG_NOSUB REG_EXTENDED
diff --git a/package/network/utils/iptables/files/l7/ssl.pat b/package/network/utils/iptables/files/l7/ssl.pat
new file mode 100644
index 0000000..ae30ee4
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/ssl.pat
@@ -0,0 +1,16 @@
+# SSL and TLS - Secure Socket Layer / Transport Layer Security - RFC 2246
+# Pattern attributes: good notsofast fast superset
+# Protocol groups: secure ietf_proposed_standard
+# Wiki: http://www.protocolinfo.org/wiki/SSL
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# Usually runs on port 443
+#
+# This is a superset of validcertssl.  For it to match, it must be first.
+# 
+# This pattern has been tested and is believed to work well.
+
+ssl
+# Server Hello with certificate | Client Hello
+# This allows SSL 3.X, which includes TLS 1.0, known internally as SSL 3.1
+^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b)
diff --git a/package/network/utils/iptables/files/l7/vnc.pat b/package/network/utils/iptables/files/l7/vnc.pat
new file mode 100644
index 0000000..79d0ae8
--- /dev/null
+++ b/package/network/utils/iptables/files/l7/vnc.pat
@@ -0,0 +1,23 @@
+# VNC - Virtual Network Computing.  Also known as RFB - Remote Frame Buffer
+# Pattern attributes: great veryfast fast
+# Protocol groups: remote_access
+# Wiki: http://www.protocolinfo.org/wiki/VNC
+# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
+#
+# http://www.realvnc.com/documentation.html
+# 
+# This pattern has been verified with vnc v3.3.7 on WinXP and Linux
+#
+# Thanks to Trevor Paskett <tpaskett AT cymphonix.com> for this pattern.
+
+vnc
+# Assumes single digit major and minor version numbers 
+# This message should be all alone in the first packet, so ^$ is appropriate
+^rfb 00[1-9]\.00[0-9]\x0a$
+
+# This is a more restrictive version which assumes the version numbers
+# are ones actually in existance at the time of this writing, i.e. 3.3,
+# 3.7 and 3.8 (with some clients wrongly reporting 3.5).  It should be
+# slightly faster, but probably not worth the extra maintenance. 
+# ^rfb 003\.00[3578]\x0a$
+
diff --git a/package/network/utils/iptables/patches/.svn/entries b/package/network/utils/iptables/patches/.svn/entries
new file mode 100644
index 0000000..7dfa7cd
--- /dev/null
+++ b/package/network/utils/iptables/patches/.svn/entries
@@ -0,0 +1,300 @@
+10
+
+dir
+36060
+svn://svn.openwrt.org/openwrt/trunk/package/network/utils/iptables/patches
+svn://svn.openwrt.org/openwrt
+
+
+
+2013-03-06T17:05:34.161606Z
+35896
+cyrus
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+3c298f89-4303-0410-b956-a3cf2f4a3e73
+
+100-bash-location.patch
+file
+
+
+
+
+2013-03-17T12:13:16.000000Z
+20d2f34d73c618e3d8d29d291f5a202f
+2013-03-06T17:05:34.161606Z
+35896
+cyrus
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+177
+
+002-layer7_2.22.patch
+file
+
+
+
+
+2013-03-17T12:13:16.000000Z
+3d064b3eae52b3e6d3bc25ad1265ccde
+2010-12-19T11:16:46.024141Z
+24719
+jow
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+9821
+
+200-configurable_builtin.patch
+file
+
+
+
+
+2013-03-17T12:13:16.000000Z
+08d618081686e688ed020e9eddb60a23
+2013-03-06T17:05:34.161606Z
+35896
+cyrus
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+2854
+
+020-iptables-disable-modprobe.patch
+file
+
+
+
+
+2013-03-17T12:13:16.000000Z
+91d944bf4a7839cc813caa21394b7ce3
+2013-03-06T17:05:34.161606Z
+35896
+cyrus
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+409
+
+030-no-libnfnetlink.patch
+file
+
+
+
+
+2013-03-17T12:13:16.000000Z
+102f2220f30695d3ad8e8d227dd110e0
+2013-03-06T17:05:34.161606Z
+35896
+cyrus
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+3267
+
+300-musl_fixes.patch
+file
+
+
+
+
+2013-03-17T12:13:16.000000Z
+6e388903e4e73c20f7134df4e3ff3fcd
+2013-03-06T17:05:34.161606Z
+35896
+cyrus
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+3001
+
+010-use-old-linking.patch
+file
+
+
+
+
+2013-03-17T12:13:16.000000Z
+42c805097559addafb45a3a713b23d3e
+2013-03-06T17:05:34.161606Z
+35896
+cyrus
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+1973
+
+400-lenient-restore.patch
+file
+
+
+
+
+2013-03-17T12:13:16.000000Z
+860aad2ebe209f4f1e6dc4eb6db6131c
+2013-03-06T17:05:34.161606Z
+35896
+cyrus
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+4867
+
diff --git a/package/network/utils/iptables/patches/.svn/text-base/002-layer7_2.22.patch.svn-base b/package/network/utils/iptables/patches/.svn/text-base/002-layer7_2.22.patch.svn-base
new file mode 100644
index 0000000..ba4531e
--- /dev/null
+++ b/package/network/utils/iptables/patches/.svn/text-base/002-layer7_2.22.patch.svn-base
@@ -0,0 +1,371 @@
+--- /dev/null
++++ b/extensions/libxt_layer7.c
+@@ -0,0 +1,368 @@
++/* 
++   Shared library add-on to iptables for layer 7 matching support. 
++  
++   By Matthew Strait <quadong@users.sf.net>, Oct 2003-Aug 2008.
++
++   http://l7-filter.sf.net 
++
++   This program is free software; you can redistribute it and/or
++   modify it under the terms of the GNU General Public License
++   as published by the Free Software Foundation; either version
++   2 of the License, or (at your option) any later version.
++   http://www.gnu.org/licenses/gpl.txt
++*/
++
++#define _GNU_SOURCE
++#include <stdio.h>
++#include <netdb.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++#include <ctype.h>
++#include <dirent.h>
++
++#include <xtables.h>
++#include <linux/netfilter/xt_layer7.h>
++
++#define MAX_FN_LEN 256
++
++static char l7dir[MAX_FN_LEN] = "\0";
++
++/* Function which prints out usage message. */
++static void help(void)
++{
++	printf(
++	"layer7 match options:\n"
++	"    --l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n"
++	"                          (--l7dir must be specified before --l7proto if used)\n"
++	"[!] --l7proto <name>: Match named protocol using /etc/l7-protocols/.../name.pat\n");
++}
++
++static const struct option opts[] = {
++	{ .name = "l7proto", .has_arg = 1, .val = 'p' },
++	{ .name = "l7dir",   .has_arg = 1, .val = 'd' },
++	{ .name = NULL }
++};
++
++/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */
++static int parse_protocol_file(char * filename, const char * protoname, struct xt_layer7_info *info)
++{
++	FILE * f;
++	char * line = NULL;
++	size_t len = 0;
++
++	enum { protocol, pattern, done } datatype = protocol;
++
++	f = fopen(filename, "r");
++
++	if(!f)
++		return 0;
++
++	while(getline(&line, &len, f) != -1)
++	{
++		if(strlen(line) < 2 || line[0] == '#')
++			continue;
++
++		/* strip the pesky newline... */
++		if(line[strlen(line) - 1] == '\n')
++			line[strlen(line) - 1] = '\0';
++
++		if(datatype == protocol)
++		{
++			/* Ignore everything on the line beginning with the 
++			first space or tab . For instance, this allows the 
++			protocol line in http.pat to be "http " (or 
++			"http I am so cool") instead of just "http". */
++			if(strchr(line, ' ')){
++				char * space = strchr(line, ' ');
++				space[0] = '\0';
++			}
++			if(strchr(line, '\t')){
++				char * space = strchr(line, '\t');
++				space[0] = '\0';
++			}
++
++			/* sanity check.  First non-comment non-blank 
++			line must be the same as the file name. */
++			if(strcmp(line, protoname))
++				xtables_error(OTHER_PROBLEM, 
++					"Protocol name (%s) doesn't match file name (%s).  Bailing out\n",
++					line, filename);
++
++			if(strlen(line) >= MAX_PROTOCOL_LEN)
++				 xtables_error(PARAMETER_PROBLEM, 
++					"Protocol name in %s too long!", filename);
++			strncpy(info->protocol, line, MAX_PROTOCOL_LEN);
++
++			datatype = pattern; 
++		}
++		else if(datatype == pattern)
++		{
++			if(strlen(line) >= MAX_PATTERN_LEN)
++				 xtables_error(PARAMETER_PROBLEM, "Pattern in %s too long!", filename);
++			strncpy(info->pattern, line, MAX_PATTERN_LEN);
++			
++			datatype = done;			
++			break;
++		}
++		else
++			xtables_error(OTHER_PROBLEM, "Internal error");
++	}
++
++	if(datatype != done)
++		xtables_error(OTHER_PROBLEM, "Failed to get all needed data from %s", filename);
++
++	if(line) free(line);
++	fclose(f);
++
++	return 1;
++}
++
++static int hex2dec(char c)
++{
++        switch (c)
++        {
++                case '0' ... '9':
++                        return c - '0';
++                case 'a' ... 'f':
++                        return c - 'a' + 10;
++                case 'A' ... 'F':
++                        return c - 'A' + 10;
++                default:
++                        xtables_error(OTHER_PROBLEM, "hex2dec: bad value!\n");
++                        return 0;
++        }
++}
++
++/* takes a string with \xHH escapes and returns one with the characters 
++they stand for */
++static char * pre_process(char * s)
++{
++	char * result = malloc(strlen(s) + 1);
++	int sindex = 0, rrindex = 0;
++        while( sindex < strlen(s) )
++        {
++            if( sindex + 3 < strlen(s) &&
++                s[sindex] == '\\' && s[sindex+1] == 'x' && 
++                isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) ) 
++                {
++                        /* carefully remember to call tolower here... */
++                        result[rrindex] = tolower( hex2dec(s[sindex + 2])*16 +
++                                                  hex2dec(s[sindex + 3] ) );
++
++			switch ( result[rrindex] )
++			{
++			case 0x24:
++			case 0x28:
++			case 0x29:
++			case 0x2a:
++			case 0x2b:
++			case 0x2e:
++			case 0x3f:
++			case 0x5b:
++			case 0x5c:
++			case 0x5d:
++			case 0x5e:
++			case 0x7c:
++				fprintf(stderr, 
++					"Warning: layer7 regexp contains a control character, %c, in hex (\\x%c%c).\n"
++					"I recommend that you write this as %c or \\%c, depending on what you meant.\n",
++					result[rrindex], s[sindex + 2], s[sindex + 3], result[rrindex], result[rrindex]);
++				break;
++			case 0x00:
++				fprintf(stderr, 
++					"Warning: null (\\x00) in layer7 regexp.  A null terminates the regexp string!\n");
++				break;
++			default:
++				break;
++			}
++
++
++                        sindex += 3; /* 4 total */
++                }
++                else
++                        result[rrindex] = tolower(s[sindex]);
++
++		sindex++; 
++		rrindex++;
++        }
++	result[rrindex] = '\0';
++
++	return result;
++}
++
++#define MAX_SUBDIRS 128
++static char ** readl7dir(char * dirname)
++{
++        DIR             * scratchdir;
++        struct dirent   ** namelist;
++	char ** subdirs = malloc(MAX_SUBDIRS * sizeof(char *));
++
++        int n, d = 1;
++	subdirs[0] = "";
++
++        n = scandir(dirname, &namelist, 0, alphasort);
++
++	if (n < 0)
++	{
++            perror("scandir");
++	    xtables_error(OTHER_PROBLEM, "Couldn't open %s\n", dirname);
++	}
++        else 
++	{
++            	while(n--) 
++		{
++			char fulldirname[MAX_FN_LEN];
++
++			snprintf(fulldirname, MAX_FN_LEN, "%s/%s", dirname, namelist[n]->d_name);
++
++                	if((scratchdir = opendir(fulldirname)) != NULL)
++			{
++				closedir(scratchdir);
++
++				if(!strcmp(namelist[n]->d_name, ".") || 
++				   !strcmp(namelist[n]->d_name, ".."))
++					/* do nothing */ ;
++				else
++				{
++					subdirs[d] = malloc(strlen(namelist[n]->d_name) + 1);
++					strcpy(subdirs[d], namelist[n]->d_name);
++					d++;
++					if(d >= MAX_SUBDIRS - 1)
++					{
++						fprintf(stderr, 
++						  "Too many subdirectories, skipping the rest!\n");
++						break;
++					}
++				}
++			}
++                	free(namelist[n]);
++            	}
++            	free(namelist);
++        }
++	
++	subdirs[d] = NULL;
++
++	return subdirs;
++}
++
++static void parse_layer7_protocol(const char *s, struct xt_layer7_info *info)
++{
++	char filename[MAX_FN_LEN];
++	char * dir = NULL;
++	char ** subdirs;
++	int n = 0, done = 0;
++
++	if(strlen(l7dir) > 0) dir = l7dir;
++	else                  dir = "/etc/l7-protocols";
++
++	subdirs = readl7dir(dir);
++
++	while(subdirs[n] != NULL)
++	{
++		int c = snprintf(filename, MAX_FN_LEN, "%s/%s/%s.pat", dir, subdirs[n], s);
++
++		if(c > MAX_FN_LEN)
++			xtables_error(OTHER_PROBLEM, 
++				"Filename beginning with %s is too long!\n", filename);
++
++		/* read in the pattern from the file */
++		if(parse_protocol_file(filename, s, info)){
++			done = 1;
++			break;
++		}
++		
++		n++;
++	}
++
++	if(!done)
++		xtables_error(OTHER_PROBLEM, 
++			"Couldn't find a pattern definition file for %s.\n", s);
++
++	/* process \xHH escapes and tolower everything. (our regex lib has no
++	case insensitivity option.) */
++	strncpy(info->pattern, pre_process(info->pattern), MAX_PATTERN_LEN);
++}
++
++/* Function which parses command options; returns true if it ate an option */
++static int parse(int c, char **argv, int invert, unsigned int *flags,
++      const void *entry, struct xt_entry_match **match)
++{
++	struct xt_layer7_info *layer7info = 
++		(struct xt_layer7_info *)(*match)->data;
++
++	switch (c) {
++	case 'p':
++		parse_layer7_protocol(argv[optind-1], layer7info);
++		if (invert)
++			layer7info->invert = true;
++		*flags = 1;
++		break;
++
++	case 'd':
++		if(strlen(argv[optind-1]) >= MAX_FN_LEN)
++			xtables_error(PARAMETER_PROBLEM, "directory name too long\n");
++
++		strncpy(l7dir, argv[optind-1], MAX_FN_LEN);
++
++		*flags = 1;
++		break;
++
++	default:
++		return 0;
++	}
++
++	return 1;
++}
++
++/* Final check; must have specified --l7proto */
++static void final_check(unsigned int flags)
++{
++	if (!flags)
++		xtables_error(PARAMETER_PROBLEM,
++			   "LAYER7 match: You must specify `--l7proto'");
++}
++
++static void print_protocol(char s[], int invert, int numeric)
++{
++	fputs("l7proto ", stdout);
++	if (invert) fputc('!', stdout);
++	printf("%s ", s);
++}
++
++/* Prints out the matchinfo. */
++static void print(const void *ip,
++      const struct xt_entry_match *match,
++      int numeric)
++{
++	printf("LAYER7 ");
++	print_protocol(((struct xt_layer7_info *)match->data)->protocol,
++		  ((struct xt_layer7_info *)match->data)->invert, numeric);
++}
++/* Saves the union ipt_matchinfo in parsable form to stdout. */
++static void save(const void *ip, const struct xt_entry_match *match)
++{
++        const struct xt_layer7_info *info =
++            (const struct xt_layer7_info*) match->data;
++
++        printf("--l7proto %s%s ", (info->invert)? "! ":"", info->protocol);
++}
++
++static struct xtables_match layer7 = { 
++    .family        = AF_INET,
++    .name          = "layer7",
++    .version       = XTABLES_VERSION,
++    .size          = XT_ALIGN(sizeof(struct xt_layer7_info)),
++    .userspacesize = XT_ALIGN(sizeof(struct xt_layer7_info)),
++    .help          = &help,
++    .parse         = &parse,
++    .final_check   = &final_check,
++    .print         = &print,
++    .save          = &save,
++    .extra_opts    = opts
++};
++
++void _init(void)
++{
++	xtables_register_match(&layer7);
++}
diff --git a/package/network/utils/iptables/patches/.svn/text-base/010-use-old-linking.patch.svn-base b/package/network/utils/iptables/patches/.svn/text-base/010-use-old-linking.patch.svn-base
new file mode 100644
index 0000000..a848e1e
--- /dev/null
+++ b/package/network/utils/iptables/patches/.svn/text-base/010-use-old-linking.patch.svn-base
@@ -0,0 +1,51 @@
+Index: iptables-1.4.18/extensions/GNUmakefile.in
+===================================================================
+--- iptables-1.4.18.orig/extensions/GNUmakefile.in	2013-03-03 22:40:11.000000000 +0100
++++ iptables-1.4.18/extensions/GNUmakefile.in	2013-03-06 17:13:04.074584735 +0100
+@@ -33,7 +33,6 @@
+ AM_VERBOSE_CXXLD  = @echo "  CXXLD   " $@;
+ AM_VERBOSE_AR     = @echo "  AR      " $@;
+ AM_VERBOSE_GEN    = @echo "  GEN     " $@;
+-AM_VERBOSE_NULL   = @
+ endif
+ 
+ #
+@@ -76,7 +75,7 @@
+ 	if test -n "${targets_install}"; then install -pm0755 $^ "${DESTDIR}${xtlibdir}/"; fi;
+ 
+ clean:
+-	rm -f *.la *.o *.lo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c;
++	rm -f *.o *.oo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c;
+ 	rm -f .*.d .*.dd;
+ 
+ distclean: clean
+@@ -90,22 +89,19 @@
+ #
+ #	Shared libraries
+ #
+-lib%.so: lib%.la
+-	${AM_VERBOSE_NULL} ln -fs .libs/$@ $@
++lib%.so: lib%.oo
++	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< -L../libxtables/.libs -L../libiptc/.libs -lxtables ${$*_LIBADD};
+ 
+-lib%.la: lib%.lo
+-	${AM_VERBOSE_CCLD} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=link ${CCLD} ${AM_LDFLAGS} -module ${LDFLAGS} -o $@ $< ../libxtables/libxtables.la ${$*_LIBADD} -rpath ${xtlibdir}
+-
+-lib%.lo: ${srcdir}/lib%.c
+-	${AM_VERBOSE_CC} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=compile ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<
++lib%.oo: ${srcdir}/lib%.c
++	${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+ 
+ libxt_NOTRACK.so: libxt_CT.so
+-	${AM_VERBOSE_GEN} ln -fs $< $@
++	ln -fs $< $@
+ libxt_state.so: libxt_conntrack.so
+-	${AM_VERBOSE_GEN} ln -fs $< $@
++	ln -fs $< $@
+ 
+ # Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD
+-ip6t_NETMAP_LIBADD  = ../libiptc/libip6tc.la
++ip6t_NETMAP_LIBADD  = -lip6tc
+ xt_RATEEST_LIBADD   = -lm
+ xt_statistic_LIBADD = -lm
+ 
diff --git a/package/network/utils/iptables/patches/.svn/text-base/020-iptables-disable-modprobe.patch.svn-base b/package/network/utils/iptables/patches/.svn/text-base/020-iptables-disable-modprobe.patch.svn-base
new file mode 100644
index 0000000..ad4889b
--- /dev/null
+++ b/package/network/utils/iptables/patches/.svn/text-base/020-iptables-disable-modprobe.patch.svn-base
@@ -0,0 +1,18 @@
+--- a/libxtables/xtables.c
++++ b/libxtables/xtables.c
+@@ -336,6 +336,7 @@ static char *get_modprobe(void)
+ 
+ int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
+ {
++#if 0
+ 	char *buf = NULL;
+ 	char *argv[4];
+ 	int status;
+@@ -380,6 +381,7 @@ int xtables_insmod(const char *modname,
+ 	free(buf);
+ 	if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
+ 		return 0;
++#endif
+ 	return -1;
+ }
+ 
diff --git a/package/network/utils/iptables/patches/.svn/text-base/030-no-libnfnetlink.patch.svn-base b/package/network/utils/iptables/patches/.svn/text-base/030-no-libnfnetlink.patch.svn-base
new file mode 100644
index 0000000..f795291
--- /dev/null
+++ b/package/network/utils/iptables/patches/.svn/text-base/030-no-libnfnetlink.patch.svn-base
@@ -0,0 +1,94 @@
+--- a/configure
++++ b/configure
+@@ -12173,77 +12173,7 @@ $as_echo "no" >&6; }
+ 	fi
+ fi
+ 
+-pkg_failed=no
+-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libnfnetlink" >&5
+-$as_echo_n "checking for libnfnetlink... " >&6; }
+-
+-if test -n "$libnfnetlink_CFLAGS"; then
+-    pkg_cv_libnfnetlink_CFLAGS="$libnfnetlink_CFLAGS"
+- elif test -n "$PKG_CONFIG"; then
+-    if test -n "$PKG_CONFIG" && \
+-    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5
+-  ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5
+-  ac_status=$?
+-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+-  test $ac_status = 0; }; then
+-  pkg_cv_libnfnetlink_CFLAGS=`$PKG_CONFIG --cflags "libnfnetlink >= 1.0" 2>/dev/null`
+-		      test "x$?" != "x0" && pkg_failed=yes
+-else
+-  pkg_failed=yes
+-fi
+- else
+-    pkg_failed=untried
+-fi
+-if test -n "$libnfnetlink_LIBS"; then
+-    pkg_cv_libnfnetlink_LIBS="$libnfnetlink_LIBS"
+- elif test -n "$PKG_CONFIG"; then
+-    if test -n "$PKG_CONFIG" && \
+-    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5
+-  ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5
+-  ac_status=$?
+-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+-  test $ac_status = 0; }; then
+-  pkg_cv_libnfnetlink_LIBS=`$PKG_CONFIG --libs "libnfnetlink >= 1.0" 2>/dev/null`
+-		      test "x$?" != "x0" && pkg_failed=yes
+-else
+-  pkg_failed=yes
+-fi
+- else
+-    pkg_failed=untried
+-fi
+-
+-
+-
+-if test $pkg_failed = yes; then
+-   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+-$as_echo "no" >&6; }
+-
+-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+-        _pkg_short_errors_supported=yes
+-else
+-        _pkg_short_errors_supported=no
+-fi
+-        if test $_pkg_short_errors_supported = yes; then
+-	        libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libnfnetlink >= 1.0" 2>&1`
+-        else
+-	        libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libnfnetlink >= 1.0" 2>&1`
+-        fi
+-	# Put the nasty error message in config.log where it belongs
+-	echo "$libnfnetlink_PKG_ERRORS" >&5
+-
+-	nfnetlink=0
+-elif test $pkg_failed = untried; then
+-     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+-$as_echo "no" >&6; }
+-	nfnetlink=0
+-else
+-	libnfnetlink_CFLAGS=$pkg_cv_libnfnetlink_CFLAGS
+-	libnfnetlink_LIBS=$pkg_cv_libnfnetlink_LIBS
+-        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+-$as_echo "yes" >&6; }
+-	nfnetlink=1
+-fi
+- if test "$nfnetlink" = 1; then
++if false; then
+   HAVE_LIBNFNETLINK_TRUE=
+   HAVE_LIBNFNETLINK_FALSE='#'
+ else
+--- a/configure.ac
++++ b/configure.ac
+@@ -89,9 +89,7 @@ AM_CONDITIONAL([ENABLE_LARGEFILE], [test
+ AM_CONDITIONAL([ENABLE_DEVEL], [test "$enable_devel" = "yes"])
+ AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" = "yes"])
+ 
+-PKG_CHECK_MODULES([libnfnetlink], [libnfnetlink >= 1.0],
+-	[nfnetlink=1], [nfnetlink=0])
+-AM_CONDITIONAL([HAVE_LIBNFNETLINK], [test "$nfnetlink" = 1])
++AM_CONDITIONAL([HAVE_LIBNFNETLINK], [false])
+ 
+ regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \
+ 	-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
diff --git a/package/network/utils/iptables/patches/.svn/text-base/100-bash-location.patch.svn-base b/package/network/utils/iptables/patches/.svn/text-base/100-bash-location.patch.svn-base
new file mode 100644
index 0000000..02ee45b
--- /dev/null
+++ b/package/network/utils/iptables/patches/.svn/text-base/100-bash-location.patch.svn-base
@@ -0,0 +1,8 @@
+--- a/iptables/iptables-apply
++++ b/iptables/iptables-apply
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ #
+ # iptables-apply -- a safer way to update iptables remotely
+ #
diff --git a/package/network/utils/iptables/patches/.svn/text-base/200-configurable_builtin.patch.svn-base b/package/network/utils/iptables/patches/.svn/text-base/200-configurable_builtin.patch.svn-base
new file mode 100644
index 0000000..8f095c1
--- /dev/null
+++ b/package/network/utils/iptables/patches/.svn/text-base/200-configurable_builtin.patch.svn-base
@@ -0,0 +1,62 @@
+Index: iptables-1.4.18/extensions/GNUmakefile.in
+===================================================================
+--- iptables-1.4.18.orig/extensions/GNUmakefile.in	2013-03-03 22:40:11.000000000 +0100
++++ iptables-1.4.18/extensions/GNUmakefile.in	2013-03-05 16:37:07.583256974 +0100
+@@ -46,9 +46,24 @@
+ pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod})
+ pf4_build_mod := $(filter-out @blacklist_modules@,${pf4_build_mod})
+ pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod})
+-pfx_objs      := $(patsubst %,libxt_%.o,${pfx_build_mod})
+-pf4_objs      := $(patsubst %,libipt_%.o,${pf4_build_mod})
+-pf6_objs      := $(patsubst %,libip6t_%.o,${pf6_build_mod})
++
++ifdef BUILTIN_MODULES
++pfx_build_static := $(filter $(BUILTIN_MODULES),${pfx_build_mod})
++pf4_build_static := $(filter $(BUILTIN_MODULES),${pf4_build_mod})
++pf6_build_static := $(filter $(BUILTIN_MODULES),${pf6_build_mod})
++else
++@ENABLE_STATIC_TRUE@ pfx_build_static := $(pfx_build_mod)
++@ENABLE_STATIC_TRUE@ pf4_build_static := $(pf4_build_mod)
++@ENABLE_STATIC_TRUE@ pf6_build_static := $(pf6_build_mod)
++endif
++
++pfx_build_mod := $(filter-out $(pfx_build_static),$(pfx_build_mod))
++pf4_build_mod := $(filter-out $(pf4_build_static),$(pf4_build_mod))
++pf6_build_mod := $(filter-out $(pf6_build_static),$(pf6_build_mod))
++
++pfx_objs      := $(patsubst %,libxt_%.o,${pfx_build_static})
++pf4_objs      := $(patsubst %,libipt_%.o,${pf4_build_static})
++pf6_objs      := $(patsubst %,libip6t_%.o,${pf6_build_static})
+ pfx_solibs    := $(patsubst %,libxt_%.so,${pfx_build_mod} ${pfx_symlinks})
+ pf4_solibs    := $(patsubst %,libipt_%.so,${pf4_build_mod})
+ pf6_solibs    := $(patsubst %,libip6t_%.so,${pf6_build_mod})
+@@ -59,11 +74,11 @@
+ #
+ targets := libext.a libext4.a libext6.a matches.man targets.man
+ targets_install :=
+-@ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs}
+-@ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
+-@ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs}
+-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
+-@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
++libext_objs := ${pfx_objs}
++libext4_objs := ${pf4_objs}
++libext6_objs := ${pf6_objs}
++targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
++targets_install := $(strip ${targets_install} ${pfx_solibs} ${pf4_solibs} ${pf6_solibs})
+ 
+ .SECONDARY:
+ 
+@@ -128,9 +143,9 @@
+ libext6.a: initext6.o ${libext6_objs}
+ 	${AM_VERBOSE_AR} ${AR} crs $@ $^;
+ 
+-initext_func  := $(addprefix xt_,${pfx_build_mod})
+-initext4_func := $(addprefix ipt_,${pf4_build_mod})
+-initext6_func := $(addprefix ip6t_,${pf6_build_mod})
++initext_func  := $(addprefix xt_,${pfx_build_static})
++initext4_func := $(addprefix ipt_,${pf4_build_static})
++initext6_func := $(addprefix ip6t_,${pf6_build_static})
+ 
+ .initext.dd: FORCE
+ 	@echo "${initext_func}" >$@.tmp; \
diff --git a/package/network/utils/iptables/patches/.svn/text-base/300-musl_fixes.patch.svn-base b/package/network/utils/iptables/patches/.svn/text-base/300-musl_fixes.patch.svn-base
new file mode 100644
index 0000000..039af7c
--- /dev/null
+++ b/package/network/utils/iptables/patches/.svn/text-base/300-musl_fixes.patch.svn-base
@@ -0,0 +1,139 @@
+--- a/extensions/libip6t_ipv6header.c
++++ b/extensions/libip6t_ipv6header.c
+@@ -10,6 +10,9 @@ on whether they contain certain headers
+ #include <netdb.h>
+ #include <xtables.h>
+ #include <linux/netfilter_ipv6/ip6t_ipv6header.h>
++#ifndef IPPROTO_HOPOPTS
++#	define IPPROTO_HOPOPTS 0
++#endif
+ 
+ enum {
+ 	O_HEADER = 0,
+--- a/extensions/libxt_TCPOPTSTRIP.c
++++ b/extensions/libxt_TCPOPTSTRIP.c
+@@ -12,6 +12,21 @@
+ #ifndef TCPOPT_MD5SIG
+ #	define TCPOPT_MD5SIG 19
+ #endif
++#ifndef TCPOPT_MAXSEG
++#	define TCPOPT_MAXSEG 2
++#endif
++#ifndef TCPOPT_WINDOW
++#	define TCPOPT_WINDOW 3
++#endif
++#ifndef TCPOPT_SACK_PERMITTED
++#	define TCPOPT_SACK_PERMITTED 4
++#endif
++#ifndef TCPOPT_SACK
++#	define TCPOPT_SACK 5
++#endif
++#ifndef TCPOPT_TIMESTAMP
++#	define TCPOPT_TIMESTAMP 8
++#endif
+ 
+ enum {
+ 	O_STRIP_OPTION = 0,
+--- a/include/libiptc/ipt_kernel_headers.h
++++ b/include/libiptc/ipt_kernel_headers.h
+@@ -5,7 +5,6 @@
+ 
+ #include <limits.h>
+ 
+-#if defined(__GLIBC__) && __GLIBC__ == 2
+ #include <netinet/ip.h>
+ #include <netinet/in.h>
+ #include <netinet/ip_icmp.h>
+@@ -13,15 +12,4 @@
+ #include <netinet/udp.h>
+ #include <net/if.h>
+ #include <sys/types.h>
+-#else /* libc5 */
+-#include <sys/socket.h>
+-#include <linux/ip.h>
+-#include <linux/in.h>
+-#include <linux/if.h>
+-#include <linux/icmp.h>
+-#include <linux/tcp.h>
+-#include <linux/udp.h>
+-#include <linux/types.h>
+-#include <linux/in6.h>
+-#endif
+ #endif
+--- a/include/linux/netfilter/xt_osf.h
++++ b/include/linux/netfilter/xt_osf.h
+@@ -21,6 +21,9 @@
+ #define _XT_OSF_H
+ 
+ #include <linux/types.h>
++#if !defined(__UCLIBC__) && !defined(__GLIBC__)
++#include <linux/tcp.h>
++#endif
+ 
+ #define MAXGENRELEN		32
+ 
+--- a/include/linux/netfilter_ipv4/ip_tables.h
++++ b/include/linux/netfilter_ipv4/ip_tables.h
+@@ -16,6 +16,7 @@
+ #define _IPTABLES_H
+ 
+ #include <linux/types.h>
++#include <sys/types.h>
+ 
+ #include <linux/netfilter_ipv4.h>
+ 
+--- a/iptables/ip6tables-restore.c
++++ b/iptables/ip6tables-restore.c
+@@ -9,7 +9,7 @@
+  */
+ 
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdbool.h>
+ #include <string.h>
+ #include <stdio.h>
+--- a/iptables/ip6tables-save.c
++++ b/iptables/ip6tables-save.c
+@@ -6,7 +6,7 @@
+  * This code is distributed under the terms of GNU GPL v2
+  */
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdio.h>
+ #include <fcntl.h>
+ #include <stdlib.h>
+--- a/iptables/iptables-restore.c
++++ b/iptables/iptables-restore.c
+@@ -6,7 +6,7 @@
+  */
+ 
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdbool.h>
+ #include <string.h>
+ #include <stdio.h>
+--- a/iptables/iptables-save.c
++++ b/iptables/iptables-save.c
+@@ -6,7 +6,7 @@
+  *
+  */
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdio.h>
+ #include <fcntl.h>
+ #include <stdlib.h>
+--- a/iptables/iptables-xml.c
++++ b/iptables/iptables-xml.c
+@@ -7,7 +7,7 @@
+  */
+ 
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <string.h>
+ #include <stdio.h>
+ #include <stdlib.h>
diff --git a/package/network/utils/iptables/patches/.svn/text-base/400-lenient-restore.patch.svn-base b/package/network/utils/iptables/patches/.svn/text-base/400-lenient-restore.patch.svn-base
new file mode 100644
index 0000000..696d733
--- /dev/null
+++ b/package/network/utils/iptables/patches/.svn/text-base/400-lenient-restore.patch.svn-base
@@ -0,0 +1,176 @@
+Index: iptables-1.4.18/iptables/ip6tables-restore.c
+===================================================================
+--- iptables-1.4.18.orig/iptables/ip6tables-restore.c	2013-03-05 16:37:31.000000000 +0100
++++ iptables-1.4.18/iptables/ip6tables-restore.c	2013-03-05 16:42:57.475249794 +0100
+@@ -14,6 +14,8 @@
+ #include <string.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <stdarg.h>
++#include <setjmp.h>
+ #include "ip6tables.h"
+ #include "xtables.h"
+ #include "libiptc/libip6tc.h"
+@@ -25,6 +27,7 @@
+ #define DEBUGP(x, args...)
+ #endif
+ 
++static jmp_buf jmp;
+ static int binary = 0, counters = 0, verbose = 0, noflush = 0;
+ 
+ /* Keeping track of external matches and targets.  */
+@@ -35,6 +38,7 @@
+ 	{.name = "test",     .has_arg = false, .val = 't'},
+ 	{.name = "help",     .has_arg = false, .val = 'h'},
+ 	{.name = "noflush",  .has_arg = false, .val = 'n'},
++	{.name = "lenient",  .has_arg = false, .val = 'l'},
+ 	{.name = "modprobe", .has_arg = true,  .val = 'M'},
+ 	{.name = "table",    .has_arg = true,  .val = 'T'},
+ 	{NULL},
+@@ -51,6 +55,7 @@
+ 			"	   [ --test ]\n"
+ 			"	   [ --help ]\n"
+ 			"	   [ --noflush ]\n"
++			"	   [ --lenient ]\n"
+ 			"          [ --modprobe=<command>]\n", name);
+ 
+ 	exit(1);
+@@ -114,6 +119,17 @@
+ 		free(newargv[i]);
+ }
+ 
++static void catch_exit_error(enum xtables_exittype status, const char *msg, ...)
++{
++	va_list args;
++	fprintf(stderr, "line %d: ", line);
++	va_start(args, msg);
++	vfprintf(stderr, msg, args);
++	va_end(args);
++	fprintf(stderr, "\n");
++	longjmp(jmp, status);
++}
++
+ static void add_param_to_argv(char *parsestart)
+ {
+ 	int quote_open = 0, escaped = 0, param_len = 0;
+@@ -204,7 +220,7 @@
+ 	init_extensions6();
+ #endif
+ 
+-	while ((c = getopt_long(argc, argv, "bcvthnM:T:", options, NULL)) != -1) {
++	while ((c = getopt_long(argc, argv, "bcvthnlM:T:", options, NULL)) != -1) {
+ 		switch (c) {
+ 			case 'b':
+ 				binary = 1;
+@@ -225,6 +241,9 @@
+ 			case 'n':
+ 				noflush = 1;
+ 				break;
++			case 'l':
++				ip6tables_globals.exit_err = catch_exit_error;
++				break;
+ 			case 'M':
+ 				xtables_modprobe_program = optarg;
+ 				break;
+@@ -437,8 +456,11 @@
+ 			for (a = 0; a < newargc; a++)
+ 				DEBUGP("argv[%u]: %s\n", a, newargv[a]);
+ 
+-			ret = do_command6(newargc, newargv,
+-					 &newargv[2], &handle);
++			if (!setjmp(jmp))
++				ret = do_command6(newargc, newargv,
++						 &newargv[2], &handle);
++			else
++				ret = 1;
+ 
+ 			free_argv();
+ 			fflush(stdout);
+Index: iptables-1.4.18/iptables/iptables-restore.c
+===================================================================
+--- iptables-1.4.18.orig/iptables/iptables-restore.c	2013-03-05 16:37:31.000000000 +0100
++++ iptables-1.4.18/iptables/iptables-restore.c	2013-03-05 16:44:56.303247355 +0100
+@@ -11,6 +11,8 @@
+ #include <string.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <stdarg.h>
++#include <setjmp.h>
+ #include "iptables.h"
+ #include "xtables.h"
+ #include "libiptc/libiptc.h"
+@@ -22,6 +24,7 @@
+ #define DEBUGP(x, args...)
+ #endif
+ 
++static jmp_buf jmp;
+ static int binary = 0, counters = 0, verbose = 0, noflush = 0;
+ 
+ /* Keeping track of external matches and targets.  */
+@@ -32,6 +35,7 @@
+ 	{.name = "test",     .has_arg = false, .val = 't'},
+ 	{.name = "help",     .has_arg = false, .val = 'h'},
+ 	{.name = "noflush",  .has_arg = false, .val = 'n'},
++	{.name = "lenient",  .has_arg = false, .val = 'l'},
+ 	{.name = "modprobe", .has_arg = true,  .val = 'M'},
+ 	{.name = "table",    .has_arg = true,  .val = 'T'},
+ 	{NULL},
+@@ -50,6 +54,7 @@
+ 			"	   [ --test ]\n"
+ 			"	   [ --help ]\n"
+ 			"	   [ --noflush ]\n"
++			"	   [ --lenient ]\n"
+ 			"	   [ --table=<TABLE> ]\n"
+ 			"          [ --modprobe=<command>]\n", name);
+ 
+@@ -113,6 +118,17 @@
+ 		free(newargv[i]);
+ }
+ 
++static void catch_exit_error(enum xtables_exittype status, const char *msg, ...)
++{
++	va_list args;
++	fprintf(stderr, "line %d: ", line);
++	va_start(args, msg);
++	vfprintf(stderr, msg, args);
++	va_end(args);
++	fprintf(stderr, "\n");
++	longjmp(jmp, status);
++}
++
+ static void add_param_to_argv(char *parsestart)
+ {
+ 	int quote_open = 0, escaped = 0, param_len = 0;
+@@ -204,7 +220,7 @@
+ 	init_extensions4();
+ #endif
+ 
+-	while ((c = getopt_long(argc, argv, "bcvthnM:T:", options, NULL)) != -1) {
++	while ((c = getopt_long(argc, argv, "bcvthnlM:T:", options, NULL)) != -1) {
+ 		switch (c) {
+ 			case 'b':
+ 				binary = 1;
+@@ -225,6 +241,9 @@
+ 			case 'n':
+ 				noflush = 1;
+ 				break;
++			case 'l':
++				iptables_globals.exit_err = catch_exit_error;
++				break;
+ 			case 'M':
+ 				xtables_modprobe_program = optarg;
+ 				break;
+@@ -437,8 +456,11 @@
+ 			for (a = 0; a < newargc; a++)
+ 				DEBUGP("argv[%u]: %s\n", a, newargv[a]);
+ 
+-			ret = do_command4(newargc, newargv,
+-					 &newargv[2], &handle);
++			if (!setjmp(jmp))
++				ret = do_command4(newargc, newargv,
++						 &newargv[2], &handle);
++			else
++				ret = 1;
+ 
+ 			free_argv();
+ 			fflush(stdout);
diff --git a/package/network/utils/iptables/patches/002-layer7_2.22.patch b/package/network/utils/iptables/patches/002-layer7_2.22.patch
new file mode 100644
index 0000000..ba4531e
--- /dev/null
+++ b/package/network/utils/iptables/patches/002-layer7_2.22.patch
@@ -0,0 +1,371 @@
+--- /dev/null
++++ b/extensions/libxt_layer7.c
+@@ -0,0 +1,368 @@
++/* 
++   Shared library add-on to iptables for layer 7 matching support. 
++  
++   By Matthew Strait <quadong@users.sf.net>, Oct 2003-Aug 2008.
++
++   http://l7-filter.sf.net 
++
++   This program is free software; you can redistribute it and/or
++   modify it under the terms of the GNU General Public License
++   as published by the Free Software Foundation; either version
++   2 of the License, or (at your option) any later version.
++   http://www.gnu.org/licenses/gpl.txt
++*/
++
++#define _GNU_SOURCE
++#include <stdio.h>
++#include <netdb.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++#include <ctype.h>
++#include <dirent.h>
++
++#include <xtables.h>
++#include <linux/netfilter/xt_layer7.h>
++
++#define MAX_FN_LEN 256
++
++static char l7dir[MAX_FN_LEN] = "\0";
++
++/* Function which prints out usage message. */
++static void help(void)
++{
++	printf(
++	"layer7 match options:\n"
++	"    --l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/\n"
++	"                          (--l7dir must be specified before --l7proto if used)\n"
++	"[!] --l7proto <name>: Match named protocol using /etc/l7-protocols/.../name.pat\n");
++}
++
++static const struct option opts[] = {
++	{ .name = "l7proto", .has_arg = 1, .val = 'p' },
++	{ .name = "l7dir",   .has_arg = 1, .val = 'd' },
++	{ .name = NULL }
++};
++
++/* reads filename, puts protocol info into layer7_protocol_info, number of protocols to numprotos */
++static int parse_protocol_file(char * filename, const char * protoname, struct xt_layer7_info *info)
++{
++	FILE * f;
++	char * line = NULL;
++	size_t len = 0;
++
++	enum { protocol, pattern, done } datatype = protocol;
++
++	f = fopen(filename, "r");
++
++	if(!f)
++		return 0;
++
++	while(getline(&line, &len, f) != -1)
++	{
++		if(strlen(line) < 2 || line[0] == '#')
++			continue;
++
++		/* strip the pesky newline... */
++		if(line[strlen(line) - 1] == '\n')
++			line[strlen(line) - 1] = '\0';
++
++		if(datatype == protocol)
++		{
++			/* Ignore everything on the line beginning with the 
++			first space or tab . For instance, this allows the 
++			protocol line in http.pat to be "http " (or 
++			"http I am so cool") instead of just "http". */
++			if(strchr(line, ' ')){
++				char * space = strchr(line, ' ');
++				space[0] = '\0';
++			}
++			if(strchr(line, '\t')){
++				char * space = strchr(line, '\t');
++				space[0] = '\0';
++			}
++
++			/* sanity check.  First non-comment non-blank 
++			line must be the same as the file name. */
++			if(strcmp(line, protoname))
++				xtables_error(OTHER_PROBLEM, 
++					"Protocol name (%s) doesn't match file name (%s).  Bailing out\n",
++					line, filename);
++
++			if(strlen(line) >= MAX_PROTOCOL_LEN)
++				 xtables_error(PARAMETER_PROBLEM, 
++					"Protocol name in %s too long!", filename);
++			strncpy(info->protocol, line, MAX_PROTOCOL_LEN);
++
++			datatype = pattern; 
++		}
++		else if(datatype == pattern)
++		{
++			if(strlen(line) >= MAX_PATTERN_LEN)
++				 xtables_error(PARAMETER_PROBLEM, "Pattern in %s too long!", filename);
++			strncpy(info->pattern, line, MAX_PATTERN_LEN);
++			
++			datatype = done;			
++			break;
++		}
++		else
++			xtables_error(OTHER_PROBLEM, "Internal error");
++	}
++
++	if(datatype != done)
++		xtables_error(OTHER_PROBLEM, "Failed to get all needed data from %s", filename);
++
++	if(line) free(line);
++	fclose(f);
++
++	return 1;
++}
++
++static int hex2dec(char c)
++{
++        switch (c)
++        {
++                case '0' ... '9':
++                        return c - '0';
++                case 'a' ... 'f':
++                        return c - 'a' + 10;
++                case 'A' ... 'F':
++                        return c - 'A' + 10;
++                default:
++                        xtables_error(OTHER_PROBLEM, "hex2dec: bad value!\n");
++                        return 0;
++        }
++}
++
++/* takes a string with \xHH escapes and returns one with the characters 
++they stand for */
++static char * pre_process(char * s)
++{
++	char * result = malloc(strlen(s) + 1);
++	int sindex = 0, rrindex = 0;
++        while( sindex < strlen(s) )
++        {
++            if( sindex + 3 < strlen(s) &&
++                s[sindex] == '\\' && s[sindex+1] == 'x' && 
++                isxdigit(s[sindex + 2]) && isxdigit(s[sindex + 3]) ) 
++                {
++                        /* carefully remember to call tolower here... */
++                        result[rrindex] = tolower( hex2dec(s[sindex + 2])*16 +
++                                                  hex2dec(s[sindex + 3] ) );
++
++			switch ( result[rrindex] )
++			{
++			case 0x24:
++			case 0x28:
++			case 0x29:
++			case 0x2a:
++			case 0x2b:
++			case 0x2e:
++			case 0x3f:
++			case 0x5b:
++			case 0x5c:
++			case 0x5d:
++			case 0x5e:
++			case 0x7c:
++				fprintf(stderr, 
++					"Warning: layer7 regexp contains a control character, %c, in hex (\\x%c%c).\n"
++					"I recommend that you write this as %c or \\%c, depending on what you meant.\n",
++					result[rrindex], s[sindex + 2], s[sindex + 3], result[rrindex], result[rrindex]);
++				break;
++			case 0x00:
++				fprintf(stderr, 
++					"Warning: null (\\x00) in layer7 regexp.  A null terminates the regexp string!\n");
++				break;
++			default:
++				break;
++			}
++
++
++                        sindex += 3; /* 4 total */
++                }
++                else
++                        result[rrindex] = tolower(s[sindex]);
++
++		sindex++; 
++		rrindex++;
++        }
++	result[rrindex] = '\0';
++
++	return result;
++}
++
++#define MAX_SUBDIRS 128
++static char ** readl7dir(char * dirname)
++{
++        DIR             * scratchdir;
++        struct dirent   ** namelist;
++	char ** subdirs = malloc(MAX_SUBDIRS * sizeof(char *));
++
++        int n, d = 1;
++	subdirs[0] = "";
++
++        n = scandir(dirname, &namelist, 0, alphasort);
++
++	if (n < 0)
++	{
++            perror("scandir");
++	    xtables_error(OTHER_PROBLEM, "Couldn't open %s\n", dirname);
++	}
++        else 
++	{
++            	while(n--) 
++		{
++			char fulldirname[MAX_FN_LEN];
++
++			snprintf(fulldirname, MAX_FN_LEN, "%s/%s", dirname, namelist[n]->d_name);
++
++                	if((scratchdir = opendir(fulldirname)) != NULL)
++			{
++				closedir(scratchdir);
++
++				if(!strcmp(namelist[n]->d_name, ".") || 
++				   !strcmp(namelist[n]->d_name, ".."))
++					/* do nothing */ ;
++				else
++				{
++					subdirs[d] = malloc(strlen(namelist[n]->d_name) + 1);
++					strcpy(subdirs[d], namelist[n]->d_name);
++					d++;
++					if(d >= MAX_SUBDIRS - 1)
++					{
++						fprintf(stderr, 
++						  "Too many subdirectories, skipping the rest!\n");
++						break;
++					}
++				}
++			}
++                	free(namelist[n]);
++            	}
++            	free(namelist);
++        }
++	
++	subdirs[d] = NULL;
++
++	return subdirs;
++}
++
++static void parse_layer7_protocol(const char *s, struct xt_layer7_info *info)
++{
++	char filename[MAX_FN_LEN];
++	char * dir = NULL;
++	char ** subdirs;
++	int n = 0, done = 0;
++
++	if(strlen(l7dir) > 0) dir = l7dir;
++	else                  dir = "/etc/l7-protocols";
++
++	subdirs = readl7dir(dir);
++
++	while(subdirs[n] != NULL)
++	{
++		int c = snprintf(filename, MAX_FN_LEN, "%s/%s/%s.pat", dir, subdirs[n], s);
++
++		if(c > MAX_FN_LEN)
++			xtables_error(OTHER_PROBLEM, 
++				"Filename beginning with %s is too long!\n", filename);
++
++		/* read in the pattern from the file */
++		if(parse_protocol_file(filename, s, info)){
++			done = 1;
++			break;
++		}
++		
++		n++;
++	}
++
++	if(!done)
++		xtables_error(OTHER_PROBLEM, 
++			"Couldn't find a pattern definition file for %s.\n", s);
++
++	/* process \xHH escapes and tolower everything. (our regex lib has no
++	case insensitivity option.) */
++	strncpy(info->pattern, pre_process(info->pattern), MAX_PATTERN_LEN);
++}
++
++/* Function which parses command options; returns true if it ate an option */
++static int parse(int c, char **argv, int invert, unsigned int *flags,
++      const void *entry, struct xt_entry_match **match)
++{
++	struct xt_layer7_info *layer7info = 
++		(struct xt_layer7_info *)(*match)->data;
++
++	switch (c) {
++	case 'p':
++		parse_layer7_protocol(argv[optind-1], layer7info);
++		if (invert)
++			layer7info->invert = true;
++		*flags = 1;
++		break;
++
++	case 'd':
++		if(strlen(argv[optind-1]) >= MAX_FN_LEN)
++			xtables_error(PARAMETER_PROBLEM, "directory name too long\n");
++
++		strncpy(l7dir, argv[optind-1], MAX_FN_LEN);
++
++		*flags = 1;
++		break;
++
++	default:
++		return 0;
++	}
++
++	return 1;
++}
++
++/* Final check; must have specified --l7proto */
++static void final_check(unsigned int flags)
++{
++	if (!flags)
++		xtables_error(PARAMETER_PROBLEM,
++			   "LAYER7 match: You must specify `--l7proto'");
++}
++
++static void print_protocol(char s[], int invert, int numeric)
++{
++	fputs("l7proto ", stdout);
++	if (invert) fputc('!', stdout);
++	printf("%s ", s);
++}
++
++/* Prints out the matchinfo. */
++static void print(const void *ip,
++      const struct xt_entry_match *match,
++      int numeric)
++{
++	printf("LAYER7 ");
++	print_protocol(((struct xt_layer7_info *)match->data)->protocol,
++		  ((struct xt_layer7_info *)match->data)->invert, numeric);
++}
++/* Saves the union ipt_matchinfo in parsable form to stdout. */
++static void save(const void *ip, const struct xt_entry_match *match)
++{
++        const struct xt_layer7_info *info =
++            (const struct xt_layer7_info*) match->data;
++
++        printf("--l7proto %s%s ", (info->invert)? "! ":"", info->protocol);
++}
++
++static struct xtables_match layer7 = { 
++    .family        = AF_INET,
++    .name          = "layer7",
++    .version       = XTABLES_VERSION,
++    .size          = XT_ALIGN(sizeof(struct xt_layer7_info)),
++    .userspacesize = XT_ALIGN(sizeof(struct xt_layer7_info)),
++    .help          = &help,
++    .parse         = &parse,
++    .final_check   = &final_check,
++    .print         = &print,
++    .save          = &save,
++    .extra_opts    = opts
++};
++
++void _init(void)
++{
++	xtables_register_match(&layer7);
++}
diff --git a/package/network/utils/iptables/patches/010-use-old-linking.patch b/package/network/utils/iptables/patches/010-use-old-linking.patch
new file mode 100644
index 0000000..a848e1e
--- /dev/null
+++ b/package/network/utils/iptables/patches/010-use-old-linking.patch
@@ -0,0 +1,51 @@
+Index: iptables-1.4.18/extensions/GNUmakefile.in
+===================================================================
+--- iptables-1.4.18.orig/extensions/GNUmakefile.in	2013-03-03 22:40:11.000000000 +0100
++++ iptables-1.4.18/extensions/GNUmakefile.in	2013-03-06 17:13:04.074584735 +0100
+@@ -33,7 +33,6 @@
+ AM_VERBOSE_CXXLD  = @echo "  CXXLD   " $@;
+ AM_VERBOSE_AR     = @echo "  AR      " $@;
+ AM_VERBOSE_GEN    = @echo "  GEN     " $@;
+-AM_VERBOSE_NULL   = @
+ endif
+ 
+ #
+@@ -76,7 +75,7 @@
+ 	if test -n "${targets_install}"; then install -pm0755 $^ "${DESTDIR}${xtlibdir}/"; fi;
+ 
+ clean:
+-	rm -f *.la *.o *.lo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c;
++	rm -f *.o *.oo *.so *.a {matches,targets}.man initext.c initext4.c initext6.c;
+ 	rm -f .*.d .*.dd;
+ 
+ distclean: clean
+@@ -90,22 +89,19 @@
+ #
+ #	Shared libraries
+ #
+-lib%.so: lib%.la
+-	${AM_VERBOSE_NULL} ln -fs .libs/$@ $@
++lib%.so: lib%.oo
++	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $< -L../libxtables/.libs -L../libiptc/.libs -lxtables ${$*_LIBADD};
+ 
+-lib%.la: lib%.lo
+-	${AM_VERBOSE_CCLD} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=link ${CCLD} ${AM_LDFLAGS} -module ${LDFLAGS} -o $@ $< ../libxtables/libxtables.la ${$*_LIBADD} -rpath ${xtlibdir}
+-
+-lib%.lo: ${srcdir}/lib%.c
+-	${AM_VERBOSE_CC} ../libtool ${AM_LIBTOOL_SILENT} --tag=CC --mode=compile ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<
++lib%.oo: ${srcdir}/lib%.c
++	${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
+ 
+ libxt_NOTRACK.so: libxt_CT.so
+-	${AM_VERBOSE_GEN} ln -fs $< $@
++	ln -fs $< $@
+ libxt_state.so: libxt_conntrack.so
+-	${AM_VERBOSE_GEN} ln -fs $< $@
++	ln -fs $< $@
+ 
+ # Need the LIBADDs in iptables/Makefile.am too for libxtables_la_LIBADD
+-ip6t_NETMAP_LIBADD  = ../libiptc/libip6tc.la
++ip6t_NETMAP_LIBADD  = -lip6tc
+ xt_RATEEST_LIBADD   = -lm
+ xt_statistic_LIBADD = -lm
+ 
diff --git a/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch b/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch
new file mode 100644
index 0000000..ad4889b
--- /dev/null
+++ b/package/network/utils/iptables/patches/020-iptables-disable-modprobe.patch
@@ -0,0 +1,18 @@
+--- a/libxtables/xtables.c
++++ b/libxtables/xtables.c
+@@ -336,6 +336,7 @@ static char *get_modprobe(void)
+ 
+ int xtables_insmod(const char *modname, const char *modprobe, bool quiet)
+ {
++#if 0
+ 	char *buf = NULL;
+ 	char *argv[4];
+ 	int status;
+@@ -380,6 +381,7 @@ int xtables_insmod(const char *modname,
+ 	free(buf);
+ 	if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
+ 		return 0;
++#endif
+ 	return -1;
+ }
+ 
diff --git a/package/network/utils/iptables/patches/030-no-libnfnetlink.patch b/package/network/utils/iptables/patches/030-no-libnfnetlink.patch
new file mode 100644
index 0000000..f795291
--- /dev/null
+++ b/package/network/utils/iptables/patches/030-no-libnfnetlink.patch
@@ -0,0 +1,94 @@
+--- a/configure
++++ b/configure
+@@ -12173,77 +12173,7 @@ $as_echo "no" >&6; }
+ 	fi
+ fi
+ 
+-pkg_failed=no
+-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libnfnetlink" >&5
+-$as_echo_n "checking for libnfnetlink... " >&6; }
+-
+-if test -n "$libnfnetlink_CFLAGS"; then
+-    pkg_cv_libnfnetlink_CFLAGS="$libnfnetlink_CFLAGS"
+- elif test -n "$PKG_CONFIG"; then
+-    if test -n "$PKG_CONFIG" && \
+-    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5
+-  ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5
+-  ac_status=$?
+-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+-  test $ac_status = 0; }; then
+-  pkg_cv_libnfnetlink_CFLAGS=`$PKG_CONFIG --cflags "libnfnetlink >= 1.0" 2>/dev/null`
+-		      test "x$?" != "x0" && pkg_failed=yes
+-else
+-  pkg_failed=yes
+-fi
+- else
+-    pkg_failed=untried
+-fi
+-if test -n "$libnfnetlink_LIBS"; then
+-    pkg_cv_libnfnetlink_LIBS="$libnfnetlink_LIBS"
+- elif test -n "$PKG_CONFIG"; then
+-    if test -n "$PKG_CONFIG" && \
+-    { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfnetlink >= 1.0\""; } >&5
+-  ($PKG_CONFIG --exists --print-errors "libnfnetlink >= 1.0") 2>&5
+-  ac_status=$?
+-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+-  test $ac_status = 0; }; then
+-  pkg_cv_libnfnetlink_LIBS=`$PKG_CONFIG --libs "libnfnetlink >= 1.0" 2>/dev/null`
+-		      test "x$?" != "x0" && pkg_failed=yes
+-else
+-  pkg_failed=yes
+-fi
+- else
+-    pkg_failed=untried
+-fi
+-
+-
+-
+-if test $pkg_failed = yes; then
+-   	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+-$as_echo "no" >&6; }
+-
+-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+-        _pkg_short_errors_supported=yes
+-else
+-        _pkg_short_errors_supported=no
+-fi
+-        if test $_pkg_short_errors_supported = yes; then
+-	        libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libnfnetlink >= 1.0" 2>&1`
+-        else
+-	        libnfnetlink_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libnfnetlink >= 1.0" 2>&1`
+-        fi
+-	# Put the nasty error message in config.log where it belongs
+-	echo "$libnfnetlink_PKG_ERRORS" >&5
+-
+-	nfnetlink=0
+-elif test $pkg_failed = untried; then
+-     	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+-$as_echo "no" >&6; }
+-	nfnetlink=0
+-else
+-	libnfnetlink_CFLAGS=$pkg_cv_libnfnetlink_CFLAGS
+-	libnfnetlink_LIBS=$pkg_cv_libnfnetlink_LIBS
+-        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+-$as_echo "yes" >&6; }
+-	nfnetlink=1
+-fi
+- if test "$nfnetlink" = 1; then
++if false; then
+   HAVE_LIBNFNETLINK_TRUE=
+   HAVE_LIBNFNETLINK_FALSE='#'
+ else
+--- a/configure.ac
++++ b/configure.ac
+@@ -89,9 +89,7 @@ AM_CONDITIONAL([ENABLE_LARGEFILE], [test
+ AM_CONDITIONAL([ENABLE_DEVEL], [test "$enable_devel" = "yes"])
+ AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" = "yes"])
+ 
+-PKG_CHECK_MODULES([libnfnetlink], [libnfnetlink >= 1.0],
+-	[nfnetlink=1], [nfnetlink=0])
+-AM_CONDITIONAL([HAVE_LIBNFNETLINK], [test "$nfnetlink" = 1])
++AM_CONDITIONAL([HAVE_LIBNFNETLINK], [false])
+ 
+ regular_CFLAGS="-Wall -Waggregate-return -Wmissing-declarations \
+ 	-Wmissing-prototypes -Wredundant-decls -Wshadow -Wstrict-prototypes \
diff --git a/package/network/utils/iptables/patches/100-bash-location.patch b/package/network/utils/iptables/patches/100-bash-location.patch
new file mode 100644
index 0000000..02ee45b
--- /dev/null
+++ b/package/network/utils/iptables/patches/100-bash-location.patch
@@ -0,0 +1,8 @@
+--- a/iptables/iptables-apply
++++ b/iptables/iptables-apply
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ #
+ # iptables-apply -- a safer way to update iptables remotely
+ #
diff --git a/package/network/utils/iptables/patches/200-configurable_builtin.patch b/package/network/utils/iptables/patches/200-configurable_builtin.patch
new file mode 100644
index 0000000..8f095c1
--- /dev/null
+++ b/package/network/utils/iptables/patches/200-configurable_builtin.patch
@@ -0,0 +1,62 @@
+Index: iptables-1.4.18/extensions/GNUmakefile.in
+===================================================================
+--- iptables-1.4.18.orig/extensions/GNUmakefile.in	2013-03-03 22:40:11.000000000 +0100
++++ iptables-1.4.18/extensions/GNUmakefile.in	2013-03-05 16:37:07.583256974 +0100
+@@ -46,9 +46,24 @@
+ pfx_build_mod := $(filter-out @blacklist_modules@,${pfx_build_mod})
+ pf4_build_mod := $(filter-out @blacklist_modules@,${pf4_build_mod})
+ pf6_build_mod := $(filter-out @blacklist_modules@,${pf6_build_mod})
+-pfx_objs      := $(patsubst %,libxt_%.o,${pfx_build_mod})
+-pf4_objs      := $(patsubst %,libipt_%.o,${pf4_build_mod})
+-pf6_objs      := $(patsubst %,libip6t_%.o,${pf6_build_mod})
++
++ifdef BUILTIN_MODULES
++pfx_build_static := $(filter $(BUILTIN_MODULES),${pfx_build_mod})
++pf4_build_static := $(filter $(BUILTIN_MODULES),${pf4_build_mod})
++pf6_build_static := $(filter $(BUILTIN_MODULES),${pf6_build_mod})
++else
++@ENABLE_STATIC_TRUE@ pfx_build_static := $(pfx_build_mod)
++@ENABLE_STATIC_TRUE@ pf4_build_static := $(pf4_build_mod)
++@ENABLE_STATIC_TRUE@ pf6_build_static := $(pf6_build_mod)
++endif
++
++pfx_build_mod := $(filter-out $(pfx_build_static),$(pfx_build_mod))
++pf4_build_mod := $(filter-out $(pf4_build_static),$(pf4_build_mod))
++pf6_build_mod := $(filter-out $(pf6_build_static),$(pf6_build_mod))
++
++pfx_objs      := $(patsubst %,libxt_%.o,${pfx_build_static})
++pf4_objs      := $(patsubst %,libipt_%.o,${pf4_build_static})
++pf6_objs      := $(patsubst %,libip6t_%.o,${pf6_build_static})
+ pfx_solibs    := $(patsubst %,libxt_%.so,${pfx_build_mod} ${pfx_symlinks})
+ pf4_solibs    := $(patsubst %,libipt_%.so,${pf4_build_mod})
+ pf6_solibs    := $(patsubst %,libip6t_%.so,${pf6_build_mod})
+@@ -59,11 +74,11 @@
+ #
+ targets := libext.a libext4.a libext6.a matches.man targets.man
+ targets_install :=
+-@ENABLE_STATIC_TRUE@ libext_objs := ${pfx_objs}
+-@ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
+-@ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs}
+-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
+-@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
++libext_objs := ${pfx_objs}
++libext4_objs := ${pf4_objs}
++libext6_objs := ${pf6_objs}
++targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
++targets_install := $(strip ${targets_install} ${pfx_solibs} ${pf4_solibs} ${pf6_solibs})
+ 
+ .SECONDARY:
+ 
+@@ -128,9 +143,9 @@
+ libext6.a: initext6.o ${libext6_objs}
+ 	${AM_VERBOSE_AR} ${AR} crs $@ $^;
+ 
+-initext_func  := $(addprefix xt_,${pfx_build_mod})
+-initext4_func := $(addprefix ipt_,${pf4_build_mod})
+-initext6_func := $(addprefix ip6t_,${pf6_build_mod})
++initext_func  := $(addprefix xt_,${pfx_build_static})
++initext4_func := $(addprefix ipt_,${pf4_build_static})
++initext6_func := $(addprefix ip6t_,${pf6_build_static})
+ 
+ .initext.dd: FORCE
+ 	@echo "${initext_func}" >$@.tmp; \
diff --git a/package/network/utils/iptables/patches/300-musl_fixes.patch b/package/network/utils/iptables/patches/300-musl_fixes.patch
new file mode 100644
index 0000000..039af7c
--- /dev/null
+++ b/package/network/utils/iptables/patches/300-musl_fixes.patch
@@ -0,0 +1,139 @@
+--- a/extensions/libip6t_ipv6header.c
++++ b/extensions/libip6t_ipv6header.c
+@@ -10,6 +10,9 @@ on whether they contain certain headers
+ #include <netdb.h>
+ #include <xtables.h>
+ #include <linux/netfilter_ipv6/ip6t_ipv6header.h>
++#ifndef IPPROTO_HOPOPTS
++#	define IPPROTO_HOPOPTS 0
++#endif
+ 
+ enum {
+ 	O_HEADER = 0,
+--- a/extensions/libxt_TCPOPTSTRIP.c
++++ b/extensions/libxt_TCPOPTSTRIP.c
+@@ -12,6 +12,21 @@
+ #ifndef TCPOPT_MD5SIG
+ #	define TCPOPT_MD5SIG 19
+ #endif
++#ifndef TCPOPT_MAXSEG
++#	define TCPOPT_MAXSEG 2
++#endif
++#ifndef TCPOPT_WINDOW
++#	define TCPOPT_WINDOW 3
++#endif
++#ifndef TCPOPT_SACK_PERMITTED
++#	define TCPOPT_SACK_PERMITTED 4
++#endif
++#ifndef TCPOPT_SACK
++#	define TCPOPT_SACK 5
++#endif
++#ifndef TCPOPT_TIMESTAMP
++#	define TCPOPT_TIMESTAMP 8
++#endif
+ 
+ enum {
+ 	O_STRIP_OPTION = 0,
+--- a/include/libiptc/ipt_kernel_headers.h
++++ b/include/libiptc/ipt_kernel_headers.h
+@@ -5,7 +5,6 @@
+ 
+ #include <limits.h>
+ 
+-#if defined(__GLIBC__) && __GLIBC__ == 2
+ #include <netinet/ip.h>
+ #include <netinet/in.h>
+ #include <netinet/ip_icmp.h>
+@@ -13,15 +12,4 @@
+ #include <netinet/udp.h>
+ #include <net/if.h>
+ #include <sys/types.h>
+-#else /* libc5 */
+-#include <sys/socket.h>
+-#include <linux/ip.h>
+-#include <linux/in.h>
+-#include <linux/if.h>
+-#include <linux/icmp.h>
+-#include <linux/tcp.h>
+-#include <linux/udp.h>
+-#include <linux/types.h>
+-#include <linux/in6.h>
+-#endif
+ #endif
+--- a/include/linux/netfilter/xt_osf.h
++++ b/include/linux/netfilter/xt_osf.h
+@@ -21,6 +21,9 @@
+ #define _XT_OSF_H
+ 
+ #include <linux/types.h>
++#if !defined(__UCLIBC__) && !defined(__GLIBC__)
++#include <linux/tcp.h>
++#endif
+ 
+ #define MAXGENRELEN		32
+ 
+--- a/include/linux/netfilter_ipv4/ip_tables.h
++++ b/include/linux/netfilter_ipv4/ip_tables.h
+@@ -16,6 +16,7 @@
+ #define _IPTABLES_H
+ 
+ #include <linux/types.h>
++#include <sys/types.h>
+ 
+ #include <linux/netfilter_ipv4.h>
+ 
+--- a/iptables/ip6tables-restore.c
++++ b/iptables/ip6tables-restore.c
+@@ -9,7 +9,7 @@
+  */
+ 
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdbool.h>
+ #include <string.h>
+ #include <stdio.h>
+--- a/iptables/ip6tables-save.c
++++ b/iptables/ip6tables-save.c
+@@ -6,7 +6,7 @@
+  * This code is distributed under the terms of GNU GPL v2
+  */
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdio.h>
+ #include <fcntl.h>
+ #include <stdlib.h>
+--- a/iptables/iptables-restore.c
++++ b/iptables/iptables-restore.c
+@@ -6,7 +6,7 @@
+  */
+ 
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdbool.h>
+ #include <string.h>
+ #include <stdio.h>
+--- a/iptables/iptables-save.c
++++ b/iptables/iptables-save.c
+@@ -6,7 +6,7 @@
+  *
+  */
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <stdio.h>
+ #include <fcntl.h>
+ #include <stdlib.h>
+--- a/iptables/iptables-xml.c
++++ b/iptables/iptables-xml.c
+@@ -7,7 +7,7 @@
+  */
+ 
+ #include <getopt.h>
+-#include <sys/errno.h>
++#include <errno.h>
+ #include <string.h>
+ #include <stdio.h>
+ #include <stdlib.h>
diff --git a/package/network/utils/iptables/patches/400-lenient-restore.patch b/package/network/utils/iptables/patches/400-lenient-restore.patch
new file mode 100644
index 0000000..696d733
--- /dev/null
+++ b/package/network/utils/iptables/patches/400-lenient-restore.patch
@@ -0,0 +1,176 @@
+Index: iptables-1.4.18/iptables/ip6tables-restore.c
+===================================================================
+--- iptables-1.4.18.orig/iptables/ip6tables-restore.c	2013-03-05 16:37:31.000000000 +0100
++++ iptables-1.4.18/iptables/ip6tables-restore.c	2013-03-05 16:42:57.475249794 +0100
+@@ -14,6 +14,8 @@
+ #include <string.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <stdarg.h>
++#include <setjmp.h>
+ #include "ip6tables.h"
+ #include "xtables.h"
+ #include "libiptc/libip6tc.h"
+@@ -25,6 +27,7 @@
+ #define DEBUGP(x, args...)
+ #endif
+ 
++static jmp_buf jmp;
+ static int binary = 0, counters = 0, verbose = 0, noflush = 0;
+ 
+ /* Keeping track of external matches and targets.  */
+@@ -35,6 +38,7 @@
+ 	{.name = "test",     .has_arg = false, .val = 't'},
+ 	{.name = "help",     .has_arg = false, .val = 'h'},
+ 	{.name = "noflush",  .has_arg = false, .val = 'n'},
++	{.name = "lenient",  .has_arg = false, .val = 'l'},
+ 	{.name = "modprobe", .has_arg = true,  .val = 'M'},
+ 	{.name = "table",    .has_arg = true,  .val = 'T'},
+ 	{NULL},
+@@ -51,6 +55,7 @@
+ 			"	   [ --test ]\n"
+ 			"	   [ --help ]\n"
+ 			"	   [ --noflush ]\n"
++			"	   [ --lenient ]\n"
+ 			"          [ --modprobe=<command>]\n", name);
+ 
+ 	exit(1);
+@@ -114,6 +119,17 @@
+ 		free(newargv[i]);
+ }
+ 
++static void catch_exit_error(enum xtables_exittype status, const char *msg, ...)
++{
++	va_list args;
++	fprintf(stderr, "line %d: ", line);
++	va_start(args, msg);
++	vfprintf(stderr, msg, args);
++	va_end(args);
++	fprintf(stderr, "\n");
++	longjmp(jmp, status);
++}
++
+ static void add_param_to_argv(char *parsestart)
+ {
+ 	int quote_open = 0, escaped = 0, param_len = 0;
+@@ -204,7 +220,7 @@
+ 	init_extensions6();
+ #endif
+ 
+-	while ((c = getopt_long(argc, argv, "bcvthnM:T:", options, NULL)) != -1) {
++	while ((c = getopt_long(argc, argv, "bcvthnlM:T:", options, NULL)) != -1) {
+ 		switch (c) {
+ 			case 'b':
+ 				binary = 1;
+@@ -225,6 +241,9 @@
+ 			case 'n':
+ 				noflush = 1;
+ 				break;
++			case 'l':
++				ip6tables_globals.exit_err = catch_exit_error;
++				break;
+ 			case 'M':
+ 				xtables_modprobe_program = optarg;
+ 				break;
+@@ -437,8 +456,11 @@
+ 			for (a = 0; a < newargc; a++)
+ 				DEBUGP("argv[%u]: %s\n", a, newargv[a]);
+ 
+-			ret = do_command6(newargc, newargv,
+-					 &newargv[2], &handle);
++			if (!setjmp(jmp))
++				ret = do_command6(newargc, newargv,
++						 &newargv[2], &handle);
++			else
++				ret = 1;
+ 
+ 			free_argv();
+ 			fflush(stdout);
+Index: iptables-1.4.18/iptables/iptables-restore.c
+===================================================================
+--- iptables-1.4.18.orig/iptables/iptables-restore.c	2013-03-05 16:37:31.000000000 +0100
++++ iptables-1.4.18/iptables/iptables-restore.c	2013-03-05 16:44:56.303247355 +0100
+@@ -11,6 +11,8 @@
+ #include <string.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <stdarg.h>
++#include <setjmp.h>
+ #include "iptables.h"
+ #include "xtables.h"
+ #include "libiptc/libiptc.h"
+@@ -22,6 +24,7 @@
+ #define DEBUGP(x, args...)
+ #endif
+ 
++static jmp_buf jmp;
+ static int binary = 0, counters = 0, verbose = 0, noflush = 0;
+ 
+ /* Keeping track of external matches and targets.  */
+@@ -32,6 +35,7 @@
+ 	{.name = "test",     .has_arg = false, .val = 't'},
+ 	{.name = "help",     .has_arg = false, .val = 'h'},
+ 	{.name = "noflush",  .has_arg = false, .val = 'n'},
++	{.name = "lenient",  .has_arg = false, .val = 'l'},
+ 	{.name = "modprobe", .has_arg = true,  .val = 'M'},
+ 	{.name = "table",    .has_arg = true,  .val = 'T'},
+ 	{NULL},
+@@ -50,6 +54,7 @@
+ 			"	   [ --test ]\n"
+ 			"	   [ --help ]\n"
+ 			"	   [ --noflush ]\n"
++			"	   [ --lenient ]\n"
+ 			"	   [ --table=<TABLE> ]\n"
+ 			"          [ --modprobe=<command>]\n", name);
+ 
+@@ -113,6 +118,17 @@
+ 		free(newargv[i]);
+ }
+ 
++static void catch_exit_error(enum xtables_exittype status, const char *msg, ...)
++{
++	va_list args;
++	fprintf(stderr, "line %d: ", line);
++	va_start(args, msg);
++	vfprintf(stderr, msg, args);
++	va_end(args);
++	fprintf(stderr, "\n");
++	longjmp(jmp, status);
++}
++
+ static void add_param_to_argv(char *parsestart)
+ {
+ 	int quote_open = 0, escaped = 0, param_len = 0;
+@@ -204,7 +220,7 @@
+ 	init_extensions4();
+ #endif
+ 
+-	while ((c = getopt_long(argc, argv, "bcvthnM:T:", options, NULL)) != -1) {
++	while ((c = getopt_long(argc, argv, "bcvthnlM:T:", options, NULL)) != -1) {
+ 		switch (c) {
+ 			case 'b':
+ 				binary = 1;
+@@ -225,6 +241,9 @@
+ 			case 'n':
+ 				noflush = 1;
+ 				break;
++			case 'l':
++				iptables_globals.exit_err = catch_exit_error;
++				break;
+ 			case 'M':
+ 				xtables_modprobe_program = optarg;
+ 				break;
+@@ -437,8 +456,11 @@
+ 			for (a = 0; a < newargc; a++)
+ 				DEBUGP("argv[%u]: %s\n", a, newargv[a]);
+ 
+-			ret = do_command4(newargc, newargv,
+-					 &newargv[2], &handle);
++			if (!setjmp(jmp))
++				ret = do_command4(newargc, newargv,
++						 &newargv[2], &handle);
++			else
++				ret = 1;
+ 
+ 			free_argv();
+ 			fflush(stdout);