--- ../patch-o-matic-ng/patchlets/TARPIT/linux-2.6/net/ipv4/netfilter/ipt_TARPIT.c.orig	2008-03-13 21:43:06.000000000 +0100
+++ ../patch-o-matic-ng/patchlets/TARPIT/linux-2.6/net/ipv4/netfilter/ipt_TARPIT.c	2008-03-26 13:00:28.000000000 +0100
@@ -42,7 +42,6 @@
 #include <net/ip.h>
 #include <net/tcp.h>
 #include <net/icmp.h>
-struct in_device;
 #include <net/route.h>
 #include <linux/random.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
@@ -83,13 +84,15 @@
 	unsigned int otcplen;
 	u_int16_t tmp;
 
+	struct iphdr *oiph = ip_hdr(oskb);
+
 	/* A truncated TCP header isn't going to be useful */
-	if (oskb->len < (oskb->nh.iph->ihl*4) + sizeof(struct tcphdr))
+	if (oskb->len < (oiph->ihl*4) + sizeof(struct tcphdr))
 		return;
-
-	otcph = (struct tcphdr *)((u_int32_t*)oskb->nh.iph
-				  + oskb->nh.iph->ihl);
-	otcplen = oskb->len - oskb->nh.iph->ihl*4;
+		
+	otcph = (struct tcphdr *)((u_int32_t*)oiph
+				  + oiph->ihl);
+	otcplen = oskb->len - oiph->ihl*4;
 
 	/* No replies for RST or FIN */
 	if (otcph->rst || otcph->fin)
@@ -100,8 +103,8 @@
 		return;
 
 	/* Check checksum. */
-	if (tcp_v4_check(otcplen, oskb->nh.iph->saddr,
-			 oskb->nh.iph->daddr,
+	if (tcp_v4_check(otcplen, oiph->saddr,
+			 oiph->daddr,
 			 csum_partial((char *)otcph, otcplen, 0)) != 0)
 		return;
 
@@ -119,25 +122,21 @@
 	nskb->nf_debug = 0;
 #endif
 
-	ntcph = (struct tcphdr *)((u_int32_t*)nskb->nh.iph + nskb->nh.iph->ihl);
+	ntcph = (struct tcphdr *)((u_int32_t*)oiph + oiph->ihl);
 
 	/* Truncate to length (no data) */
 	ntcph->doff = sizeof(struct tcphdr)/4;
-	skb_trim(nskb, nskb->nh.iph->ihl*4 + sizeof(struct tcphdr));
-	nskb->nh.iph->tot_len = htons(nskb->len);
+	skb_trim(nskb, oiph->ihl*4 + sizeof(struct tcphdr));
+	oiph->tot_len = htons(nskb->len);
 
 	/* Swap source and dest */
-	nskb->nh.iph->daddr = xchg(&nskb->nh.iph->saddr, nskb->nh.iph->daddr);
+	oiph->daddr = xchg(&oiph->saddr, oiph->daddr);
 	tmp = ntcph->source;
 	ntcph->source = ntcph->dest;
 	ntcph->dest = tmp;
 
 	/* Use supplied sequence number or make a new one */
-	ntcph->seq = otcph->ack ? otcph->ack_seq
-		: htonl(secure_tcp_sequence_number(nskb->nh.iph->saddr,
-						   nskb->nh.iph->daddr,
-						   ntcph->source,
-						   ntcph->dest));
+	otcph->ack ? ntcph->seq = otcph->ack_seq : get_random_bytes(&ntcph->seq ,sizeof(ntcph->seq));
 
 	/* Our SYN-ACKs must have a >0 window */
 	ntcph->window = (otcph->syn && !otcph->ack) ? htons(5) : 0;
@@ -159,14 +158,14 @@
 	/* Adjust TCP checksum */
 	ntcph->check = 0;
 	ntcph->check = tcp_v4_check(sizeof(struct tcphdr),
-				   nskb->nh.iph->saddr,
-				   nskb->nh.iph->daddr,
+				   oiph->saddr,
+				   oiph->daddr,
 				   csum_partial((char *)ntcph,
 						sizeof(struct tcphdr), 0));
 
-	fl.nl_u.ip4_u.daddr = nskb->nh.iph->daddr;
-	fl.nl_u.ip4_u.saddr = local ? nskb->nh.iph->saddr : 0;
-	fl.nl_u.ip4_u.tos = RT_TOS(nskb->nh.iph->tos) | RTO_CONN;
+	fl.nl_u.ip4_u.daddr = oiph->daddr;
+	fl.nl_u.ip4_u.saddr = local ? oiph->saddr : 0;
+	fl.nl_u.ip4_u.tos = RT_TOS(oiph->tos) | RTO_CONN;
 	fl.oif = 0;
 
 	if (ip_route_output_key(&nrt, &fl))
@@ -176,23 +175,18 @@
 	nskb->dst = &nrt->u.dst;
 
 	/* Adjust IP TTL */
-	nskb->nh.iph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
+	oiph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);
 
 	/* Set DF, id = 0 */
-	nskb->nh.iph->frag_off = htons(IP_DF);
-	nskb->nh.iph->id = 0;
+	oiph->frag_off = htons(IP_DF);
+	oiph->id = 0;
 
 	/* Adjust IP checksum */
-	nskb->nh.iph->check = 0;
-	nskb->nh.iph->check = ip_fast_csum((unsigned char *)nskb->nh.iph,
-					   nskb->nh.iph->ihl);
-
+	oiph->check = 0;
+	oiph->check = ip_fast_csum((unsigned char *)oiph,
+					   oiph->ihl);
 	/* "Never happens" */
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,12)
 	if (nskb->len > dst_mtu(nskb->dst))
-#else
-	if (nskb->len > dst_pmtu(nskb->dst))
-#endif
 		goto free_nskb;
 
 	ip_direct_send (nskb);
@@ -204,15 +198,15 @@
 }
 
 
-static unsigned int tarpit(struct sk_buff **pskb,
+static unsigned int tarpit(struct sk_buff *skb,
 			   const struct net_device *in,
 			   const struct net_device *out,
 			   unsigned int hooknum,
 			   const struct xt_target *target,
 			   const void *targinfo)
 {
-	struct sk_buff *skb = *pskb;
 	struct rtable *rt = (struct rtable*)skb->dst;
+	struct iphdr *iph = ip_hdr(skb);
 
 	/* Do we have an input route cache entry? */
 	if (!rt)
@@ -228,11 +222,11 @@
 
 	/* Our naive response construction doesn't deal with IP
            options, and probably shouldn't try. */
-	if (skb->nh.iph->ihl*4 != sizeof(struct iphdr))
+	if (iph->ihl*4 != sizeof(struct iphdr))
 		return NF_DROP;
 
 	/* We aren't interested in fragments */
-	if (skb->nh.iph->frag_off & htons(IP_OFFSET))
+	if (iph->frag_off & htons(IP_OFFSET))
 		return NF_DROP;
 
 	tarpit_tcp(skb,rt,hooknum == NF_IP_LOCAL_IN);
@@ -241,7 +235,7 @@
 }
 
 
-static int check(const char *tablename,
+static bool check(const char *tablename,
 		 const void *e_void,
 		 const struct xt_target *target,
 		 void *targinfo,