diff -Naur linux-2.6.24-gentoo-r3/include/linux/netfilter/xt_gateway.h linux-2.6.24-gentoo-r3-NEW/include/linux/netfilter/xt_gateway.h
--- linux-2.6.24-gentoo-r3/include/linux/netfilter/xt_gateway.h 1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.24-gentoo-r3-NEW/include/linux/netfilter/xt_gateway.h 2008-08-01 17:57:21.000000000 +0000
@@ -0,0 +1,14 @@
+#ifndef _XT_GATEWAY_H
+#define _XT_GATEWAY_H
+
+#define XT_GATEWAY_INV 0x1 /* Negate the condition */
+#define XT_GATEWAY_ROUTE 0x2 /* ...and the gateway is not the final hop */
+
+struct xt_gateway_info {
+ /* Inclusive: network order. */
+ uint32_t gateway;
+ uint32_t mask;
+ uint8_t flags;
+};
+
+#endif /* _XT_GATEWAY_H */
diff -Naur linux-2.6.24-gentoo-r3/net/netfilter/Kconfig linux-2.6.24-gentoo-r3-NEW/net/netfilter/Kconfig
--- linux-2.6.24-gentoo-r3/net/netfilter/Kconfig 2008-08-01 17:46:49.000000000 +0000
+++ linux-2.6.24-gentoo-r3-NEW/net/netfilter/Kconfig 2008-08-01 17:55:18.000000000 +0000
@@ -498,6 +498,15 @@
 To compile it as a module, choose M here. If unsure, say N.
+config NETFILTER_XT_MATCH_GATEWAY
+ tristate '"gateway" match support'
+ depends on NETFILTER_XTABLES
+ ---help---
+ This option makes possible to match the IP address of the
+ routed gateway for routed packets.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
 config NETFILTER_XT_MATCH_HELPER
 tristate '"helper" match support'
 depends on NETFILTER_XTABLES
diff -Naur linux-2.6.24-gentoo-r3/net/netfilter/Makefile linux-2.6.24-gentoo-r3-NEW/net/netfilter/Makefile
--- linux-2.6.24-gentoo-r3/net/netfilter/Makefile 2008-08-01 17:46:49.000000000 +0000
+++ linux-2.6.24-gentoo-r3-NEW/net/netfilter/Makefile 2008-08-01 17:56:05.000000000 +0000
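Review bot: The new header declares the kernel/userspace ABI struct with `uint32_t`/`uint8_t` but includes nothing that defines them, so whether it compiles depends on what the including file pulled in first; headers shared with iptables userspace use the `__u32`/`__u8` family from `<linux/types.h>`, and fields documented as network order are normally typed `__be32` so sparse can check byte-order misuse. I would add `#include <linux/types.h>` and make the fields `__be32 gateway;`, `__be32 mask;`, `__u8 flags;`. The comment `/* Inclusive: network order. */` is carried over from the ip_range match this code credits as its base, and "Inclusive" describes a range endpoint that this struct does not have; `/* Network byte order. */` is what holds here. XT_GATEWAY_ROUTE is defined as part of the ABI but, as far as the xt_gateway.c hunk shows, is never read by the match, so its documented meaning is not implemented.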
@@ -59,6 +59,7 @@
 obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_GATEWAY) += xt_gateway.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o
diff -Naur linux-2.6.24-gentoo-r3/net/netfilter/xt_gateway.c linux-2.6.24-gentoo-r3-NEW/net/netfilter/xt_gateway.c
--- linux-2.6.24-gentoo-r3/net/netfilter/xt_gateway.c 1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.24-gentoo-r3-NEW/net/netfilter/xt_gateway.c 2008-08-01 17:57:21.000000000 +0000
@@ -0,0 +1,84 @@
+/*
+ * netfilter module to match nexthop router by IP address
+ * (C) 2007 UFO Mechanic
+ * © Jan Engelhardt , 2007
+ * to save time and bugs, based on ip_range by
+ * (C) 2003 Jozsef Kadlecsik
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+static int xt_gateway_match1(const struct sk_buff *skb,
+ const struct xt_gateway_info *info)
+{
+ const struct iphdr *iph;
+ const struct dst_entry *dst;
+ const struct neighbour *neigh;
+ const struct neigh_table *tbl;
+
+ if (skb == NULL) /* necessary? */
+ return false;
+ if ((dst = skb->dst) == NULL)
+ return false;
+ if ((neigh = dst->neighbour) == NULL)
+ return false;
+ if ((tbl = neigh->tbl) == NULL)
+ return false;
+ if (tbl->family != AF_INET)
+ return false;
+ if (memcmp(&info->gateway, &neigh->primary_key, tbl->key_len) == 0) {
+ return true;
+ }
+ iph = ip_hdr(skb);
+ if ((iph->daddr & info->mask) == (info->gateway & info->mask)) {
+ return true;
+ }
+ return false;
+}
+
+static int xt_gateway_match(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ const struct xt_match *match,
+ const void *matchinfo, int offset,
+ unsigned int protoff, int *hotdrop)
+{
+ const struct xt_gateway_info *info = matchinfo;
+ return !!(info->flags & XT_GATEWAY_INV) ^
+ xt_gateway_match1(skb, info);
+}
+
+static struct xt_match xt_gateway_reg = {
+ .name = "gateway",
+ .family = AF_INET,
+ .match = xt_gateway_match,
+ .matchsize = sizeof(struct xt_gateway_info),
+ .me = THIS_MODULE
+};
+
+static int __init xt_gateway_init(void)
+{
+ return xt_register_match(&xt_gateway_reg);
+}
+
+static void __exit xt_gateway_exit(void)
+{
+ xt_unregister_match(&xt_gateway_reg);
+ return;
+}
+
+module_init(xt_gateway_init);
+module_exit(xt_gateway_exit);
+MODULE_AUTHOR("Sam Liddicott ");
+MODULE_DESCRIPTION("netfilter nexthop gateway match module");
+MODULE_LICENSE("GPL");
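Review bot: xt_gateway_match1 decides on `skb->dst` and `dst->neighbour`, but xt_gateway_reg registers no `.hooks` mask, so a rule using this match is accepted in PREROUTING where no route has been attached yet; there it silently never matches, and with XT_GATEWAY_INV set it matches every packet, which makes a negated rule in the wrong hook a quiet policy hole. Restrict the match to hooks that run after routing, e.g. `.hooks = (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_FORWARD) | (1 << NF_IP_POST_ROUTING),` (the constants are spelled NF_INET_* in later kernels; check which this tree uses). XT_GATEWAY_ROUTE, defined in the header as "the gateway is not the final hop", is never read here and there is no `.checkentry`, so userspace can request it and get the unflagged behaviour without any error; either implement it or reject `info->flags & ~XT_GATEWAY_INV` in a checkentry. The callbacks are declared `int` with `int *hotdrop` while, if I read this series right, `xt_match.match` returns `bool` and takes `bool *hotdrop`, so the `.match = xt_gateway_match` assignment will warn about an incompatible pointer type; the trailing `return;` in xt_gateway_exit and the `if (skb == NULL)` guard (netfilter never passes a NULL skb) can go.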