--- /usr/src/linux-2.6.16.19-vanilla/include/linux/netfilter/xt_limit.h 2006-05-31 02:31:44.000000000 +0200 +++ /usr/src/linux-2.6.16.19-patched/include/linux/netfilter/xt_limit.h 2006-06-05 21:34:06.942212274 +0200 @@ -4,11 +4,16 @@ /* timings are in milliseconds. */ #define XT_LIMIT_SCALE 10000 +/* invert match? */ +#define XT_LIMIT_MATCH_BELOW 0x00 +#define XT_LIMIT_MATCH_ABOVE 0x01 + /* 1/10,000 sec period => max of 10,000/sec. Min rate is then 429490 seconds, or one every 59 hours. */ struct xt_rateinfo { u_int32_t avg; /* Average secs between packets * scale */ u_int32_t burst; /* Period multiplier for upper limit. */ + u_int8_t flags; /* Match if, below or above limit? */ /* Used internally by the kernel */ unsigned long prev; --- /usr/src/linux-2.6.16.19-vanilla/net/netfilter/xt_limit.c 2006-05-31 02:31:44.000000000 +0200 +++ /usr/src/linux-2.6.16.19-patched/net/netfilter/xt_limit.c 2006-06-05 21:34:42.631296000 +0200 @@ -3,7 +3,9 @@ * 2 September 1999: Changed from the target RATE to the match * `limit', removed logging. Did I mention that * Alexey is a fucking genius? - * Rusty Russell (rusty@rustcorp.com.au). */ + * Rusty Russell (rusty@rustcorp.com.au). + * 8 September 2004: Added inversion, Sven Anders + */ /* (C) 1999 Jérôme de Vivie * (C) 1999 Hervé Eychenne @@ -74,6 +76,7 @@ int *hotdrop) { struct xt_rateinfo *r = ((struct xt_rateinfo *)matchinfo)->master; + struct xt_rateinfo *info = (struct xt_rateinfo *)matchinfo; unsigned long now = jiffies; spin_lock_bh(&limit_lock); 
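Review bot: The new `u_int8_t flags` member is inserted between `burst` and the kernel-internal fields of `struct xt_rateinfo`, the matchinfo blob that iptables copies into the kernel, so the struct's size and layout change and an iptables built against the old header is either rejected by the kernel's matchsize check (if checkentry has one) or silently mismatched; the header should say so, e.g. `/* ABI: adding this field changes sizeof(struct xt_rateinfo); userspace must be rebuilt. */`. `flags` is user-supplied but nothing visible validates it; only bit 0x01 is meaningful, so the match's checkentry routine (not in this diff) should reject unknown bits with something like `if (info->flags & ~XT_LIMIT_MATCH_ABOVE) return 0;`, which the match hunk at @@ -85,11 +88,11 @@ in xt_limit.c relies on. `XT_LIMIT_MATCH_BELOW` is `0x00`, so it is a default value rather than a testable bit and `flags & XT_LIMIT_MATCH_BELOW` is always zero; the `/* invert match? */` comment should make that explicit. The struct definition continues past the end of this hunk.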
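Review bot: `info` is declared with a cast that discards const on `matchinfo` and duplicates the cast already on the line above; assuming `matchinfo` is `const void *` as in the xt_match callback, no cast is needed and `r` can be derived from it: `const struct xt_rateinfo *info = matchinfo;` followed by `struct xt_rateinfo *r = info->master;`. Keeping `info` const also documents that the per-rule copy is only read while the shared `master` state is the one modified under `limit_lock`. The function's signature starts before this hunk and its body continues after it.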
@@ -85,11 +88,11 @@ /* We're not limited. */ r->credit -= r->cost; spin_unlock_bh(&limit_lock); - return 1; + return !(info->flags & XT_LIMIT_MATCH_ABOVE); } spin_unlock_bh(&limit_lock); - return 0; + return (info->flags & XT_LIMIT_MATCH_ABOVE); } /* Precision saver. */ --- /usr/src/linux-2.6.16.19-vanilla/include/linux/netfilter_ipv4/ipt_limit.h 2006-05-31 02:31:44.000000000 +0200 +++ /usr/src/linux-2.6.16.19-patched/include/linux/netfilter_ipv4/ipt_limit.h 2006-06-05 21:37:04.895726230 +0200 @@ -3,6 +3,8 @@ #include #define IPT_LIMIT_SCALE XT_LIMIT_SCALE +#define IPT_LIMIT_MATCH_BELOW XT_LIMIT_MATCH_BELOW +#define IPT_LIMIT_MATCH_ABOVE XT_LIMIT_MATCH_ABOVE #define ipt_rateinfo xt_rateinfo #endif /*_IPT_RATE_H*/ --- /usr/src/linux-2.6.16.19-vanilla/include/linux/netfilter_ipv6/ip6t_limit.h 2006-05-31 02:31:44.000000000 +0200 +++ /usr/src/linux-2.6.16.19-patched/include/linux/netfilter_ipv6/ip6t_limit.h 2006-06-05 21:38:36.307011415 +0200 @@ -3,6 +3,8 @@ #include #define IP6T_LIMIT_SCALE XT_LIMIT_SCALE +#define IP6T_LIMIT_MATCH_BELOW XT_LIMIT_MATCH_BELOW +#define IP6T_LIMIT_MATCH_ABOVE XT_LIMIT_MATCH_ABOVE #define ip6t_rateinfo xt_rateinfo #endif /*_IP6T_RATE_H*/
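Review bot: The two inverted returns are correct but unexplained: with `XT_LIMIT_MATCH_ABOVE` set the rule matches exactly the packets the limit would otherwise not match, and credit is still consumed in the not-limited branch so the token bucket drains the same way in both modes; that deserves a comment above the first changed return, e.g. `/* Normally match while under the limit; with XT_LIMIT_MATCH_ABOVE match only packets that exceed it. Credit is consumed either way. */`. The second return hands back the raw bit value `(info->flags & XT_LIMIT_MATCH_ABOVE)`, which is 1 only because the flag happens to be `0x01`; `return !!(info->flags & XT_LIMIT_MATCH_ABOVE);` keeps the result a plain boolean if the flag value ever changes. The enclosing match function starts before this hunk.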