===== net/ipv4/netfilter/ipt_owner.c 1.3 vs edited =====
--- 1.3/net/ipv4/netfilter/ipt_owner.c Thu Aug 8 16:55:29 2002
+++ edited/net/ipv4/netfilter/ipt_owner.c Mon Jul 14 19:25:36 2003
@@ -109,6 +109,49 @@
 }
 
 static int
+match_gid(const struct sk_buff *skb, gid_t gid)
+{
+	struct task_struct *p;
+	struct files_struct *files;
+	int i;
+
+	/* direct match */
+	if (gid == skb->sk->socket->file->f_gid)
+		return 1;
+
+	/* find owner of socket and check supplementary gids */
+	read_lock(&tasklist_lock);
+	for_each_task(p) {
+		/* racy, owner could have called setfsgid */
+		if (p->fsgid != skb->sk->socket->file->f_gid)
+			continue;
+
+		task_lock(p);
+		files = p->files;
+		if(files) {
+			read_lock(&files->file_lock);
+			for (i=0; i < files->max_fds; i++) {
+				if (fcheck_files(files, i) == skb->sk->socket->file) {
+					int j, ret = 0;
+					read_unlock(&files->file_lock);
+					for (j = 0; j < p->ngroups; j++)
+						if (p->groups[j] == gid) {
+							ret = 1;
+							break;
+						}
+					task_unlock(p);
+					read_unlock(&tasklist_lock);
+					return ret;
+				}
+			}
+			read_unlock(&files->file_lock);
+		}
+		task_unlock(p);
+	}
+	read_unlock(&tasklist_lock);
+	return 0;
+}
+static int
 match(const struct sk_buff *skb,
       const struct net_device *in,
       const struct net_device *out,
@@ -130,7 +173,7 @@
 	}
 
 	if(info->match & IPT_OWNER_GID) {
-		if((skb->sk->socket->file->f_gid != info->gid) ^
+		if(!match_gid(skb, info->gid) ^
 		   !!(info->invert & IPT_OWNER_GID))
 			return 0;
 	}
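Review bot: match_gid() returns the supplementary-group verdict of the first task the scan finds holding the socket's file, so when the file is shared by several tasks (threads sharing the fd table, or a descriptor passed to another process) the answer depends on tasklist order rather than on who actually sent the packet; the fsgid pre-filter narrows but does not remove that ambiguity, and the "racy" comment only covers the setfsgid case. The scan also walks every task and every fd slot under tasklist_lock and task_lock() for each packet that reaches a --gid-owner rule whose gid is not the file's primary f_gid, which is an O(tasks × max_fds) cost in the output path that a rule author is unlikely to expect; this should at least be stated where the function is defined, e.g. `/* Slow path: walks every task and fd slot per packet; the first task found holding the file decides, so shared descriptors give an arbitrary answer. */`. The skb->sk->socket->file chain is dereferenced here without a NULL check; presumably match() guards it before calling, but that guard is outside this hunk and worth confirming. The body of match() begins in this hunk and continues past it; the second hunk only swaps the comparison for the new call and preserves the existing `!x ^ !!y` precedence.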