diff -Nru --exclude *.o --exclude *flags --exclude tags linuxppc-190102-nfpom/include/linux/netfilter_ipv4/ip_conntrack_tuple.h linuxppc-190102-esp/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
--- linuxppc-190102-nfpom/include/linux/netfilter_ipv4/ip_conntrack_tuple.h	Thu Jan 17 21:43:05 2002
+++ linuxppc-190102-esp/include/linux/netfilter_ipv4/ip_conntrack_tuple.h	Mon Jan 21 21:37:23 2002
@@ -14,7 +14,7 @@
 union ip_conntrack_manip_proto
 {
 	/* Add other protocols here. */
-	u_int16_t all;
+	u_int32_t all;
 
 	struct {
 		u_int16_t port;
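Review bot: Widening `all` from 16 to 32 bits changes what `.all` comparisons cover for the existing protocols: `tcp`/`udp` `port` and `icmp` `id` still occupy only 16 bits, so the upper half of the union holds whatever was in memory when the tuple was built. Any caller that fills a tuple member-by-member without zeroing it first would now compare or hash unspecified bytes; if such callers exist, the protocol helpers should write `all = 0` (or the tuple should be cleared) before setting the 16-bit field. The same applies to the dst union widened at `@@ -44,7 +50,7 @@`. A short comment next to the new `ah`/`esp` members stating the byte order the SPI is stored in would also help, since the print helpers convert it on output.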
@@ -25,6 +25,12 @@
 	struct {
 		u_int16_t id;
 	} icmp;
+	struct {
+		u_int32_t spi;
+	} ah;
+	struct {
+		u_int32_t spi;
+	} esp;
 };
 
 /* The manipulable part of the tuple. */
@@ -44,7 +50,7 @@
 		u_int32_t ip;
 		union {
 			/* Add other protocols here. */
-			u_int16_t all;
+			u_int32_t all;
 
 			struct {
 				u_int16_t port;
@@ -55,6 +61,12 @@
 			struct {
 				u_int8_t type, code;
 			} icmp;
+			struct {
+				u_int32_t spi;
+			} ah;
+			struct {
+				u_int32_t spi;
+			} esp;
 		} u;
 
 		/* The protocol. */
diff -Nru --exclude *.o --exclude *flags --exclude tags linuxppc-190102-nfpom/net/ipv4/netfilter/Config.in linuxppc-190102-esp/net/ipv4/netfilter/Config.in
--- linuxppc-190102-nfpom/net/ipv4/netfilter/Config.in	Thu Jan 17 21:44:24 2002
+++ linuxppc-190102-esp/net/ipv4/netfilter/Config.in	Mon Jan 21 21:36:29 2002
@@ -6,6 +6,8 @@
 
 tristate 'Connection tracking (required for masq/NAT)' CONFIG_IP_NF_CONNTRACK
 if [ "$CONFIG_IP_NF_CONNTRACK" != "n" ]; then
+  dep_tristate '  AH protocol support' CONFIG_IP_NF_CT_AH $CONFIG_IP_NF_CONNTRACK
+  dep_tristate '  ESP protocol support' CONFIG_IP_NF_CT_ESP $CONFIG_IP_NF_CONNTRACK
   dep_tristate '  FTP protocol support' CONFIG_IP_NF_FTP $CONFIG_IP_NF_CONNTRACK
   dep_tristate '  IRC protocol support' CONFIG_IP_NF_IRC $CONFIG_IP_NF_CONNTRACK
 fi
diff -Nru --exclude *.o --exclude *flags --exclude tags linuxppc-190102-nfpom/net/ipv4/netfilter/Makefile linuxppc-190102-esp/net/ipv4/netfilter/Makefile
--- linuxppc-190102-nfpom/net/ipv4/netfilter/Makefile	Thu Jan 17 21:47:25 2002
+++ linuxppc-190102-esp/net/ipv4/netfilter/Makefile	Tue Jan 22 18:36:30 2002
@@ -31,6 +31,10 @@
 # connection tracking
 obj-$(CONFIG_IP_NF_CONNTRACK) += ip_conntrack.o
 
+# Protocol helpers 
+obj-$(CONFIG_IP_NF_CT_AH) += ip_conntrack_proto_ah.o
+obj-$(CONFIG_IP_NF_CT_ESP) += ip_conntrack_proto_esp.o
+
 # IRC support
 obj-$(CONFIG_IP_NF_IRC) += ip_conntrack_irc.o
 obj-$(CONFIG_IP_NF_NAT_IRC) += ip_nat_irc.o
diff -Nru --exclude *.o --exclude *flags --exclude tags linuxppc-190102-nfpom/net/ipv4/netfilter/ip_conntrack_proto_ah.c linuxppc-190102-esp/net/ipv4/netfilter/ip_conntrack_proto_ah.c
--- linuxppc-190102-nfpom/net/ipv4/netfilter/ip_conntrack_proto_ah.c	Thu Jan  1 01:00:00 1970
+++ linuxppc-190102-esp/net/ipv4/netfilter/ip_conntrack_proto_ah.c	Mon Jan 21 21:46:21 2002
@@ -0,0 +1,109 @@
+/* 
+ * ip_conntrack_proto_ah.c - Version $Revision$
+ *
+ * Connection tracking helper module for IPSEC AH
+ *
+ * Based on the existing UDP helper
+ *
+ * (C) 2002 by Harald Welte <laforge@gnumonks.org>
+ */
+
+#include <linux/config.h>
+#include <linux/module.h>
+#include <linux/types.h>
+#include <linux/sched.h>
+#include <linux/timer.h>
+#include <linux/netfilter.h>
+#include <linux/in.h>
+#include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
+
+/* same timeouts as UDP */
+#define AH_TIMEOUT (30*HZ)
+#define AH_STREAM_TIMEOUT (180*HZ)
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
+MODULE_DESCRIPTION("netfilter connection tracking protocol helper for AH");
+
+static int ah_pkt_to_tuple(const void *datah, size_t datalen,
+			   struct ip_conntrack_tuple *tuple)
+{
+	const u_int32_t *spi = datah;
+
+	tuple->src.u.ah.spi = 0;
+	tuple->dst.u.ah.spi = *spi;
+
+	return 1;
+}
+
+static int ah_invert_tuple(struct ip_conntrack_tuple *tuple,
+			   const struct ip_conntrack_tuple *orig)
+{
+	tuple->src.u.ah.spi = orig->dst.u.ah.spi;
+	tuple->dst.u.ah.spi = orig->src.u.ah.spi;
+	return 1;
+}
+
+/* Print out the per-protocol part of the tuple. */
+static unsigned int ah_print_tuple(char *buffer,
+				   const struct ip_conntrack_tuple *tuple)
+{
+	return sprintf(buffer, "spi=%u ", ntohs(tuple->dst.u.ah.spi));
+}
+
+/* Print out the private part of the conntrack. */
+static unsigned int ah_print_conntrack(char *buffer,
+				       const struct ip_conntrack *conntrack)
+{
+	return 0;
+}
+
+/* Returns verdict for packet, and may modify conntracktype */
+static int ah_packet(struct ip_conntrack *conntrack,
+		     struct iphdr *iph, size_t len,
+		     enum ip_conntrack_info conntrackinfo)
+{
+	/* If we've seen traffic both ways, this is some kind of AH
+	   stream.  Extend timeout. */
+	if (conntrack->status & IPS_SEEN_REPLY) {
+		ip_ct_refresh(conntrack, AH_STREAM_TIMEOUT);
+		/* Also, more likely to be important, and not a probe */
+		set_bit(IPS_ASSURED_BIT, &conntrack->status);
+	} else
+		ip_ct_refresh(conntrack, AH_TIMEOUT);
+
+	return NF_ACCEPT;
+}
+
+/* Called when a new connection for this protocol found. */
+static int ah_new(struct ip_conntrack *conntrack,
+		  struct iphdr *iph, size_t len)
+{
+	return 1;
+}
+
+struct ip_conntrack_protocol ip_ct_p_ah
+= { { NULL, NULL }, IPPROTO_AH, "ah",
+    ah_pkt_to_tuple, ah_invert_tuple, ah_print_tuple, ah_print_conntrack,
+    ah_packet, ah_new, NULL };
+
+
+static int __init init(void)
+{
+	int ret;
+	if ((ret = ip_conntrack_protocol_register(&ip_ct_p_ah))) {
+		printk(KERN_ERR "unable to register conntrack protocol "
+				"helper for AH: %d\n", ret);
+		return -EIO;
+	}
+	return 0;
+}
+
+static void __exit fini(void)
+{
+	ip_conntrack_protocol_unregister(&ip_ct_p_ah);
+}
+
+module_init(init);
+module_exit(fini);
+
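Review bot: `ah_pkt_to_tuple` reads the SPI from the wrong offset: an AH header begins with the next-header, payload-length and reserved fields, and the SPI sits at byte offset 4, so `*spi` picks up those leading fields instead. The dereference is also unguarded by `datalen`, here and in `esp_pkt_to_tuple`; `if (datalen < 8) return 0;` followed by `tuple->dst.u.ah.spi = ((const u_int32_t *)datah)[1];` would address both for AH, assuming a 0 return is treated as untrackable by the caller as it is for the other helpers. `ah_print_tuple` converts the 32-bit SPI with `ntohs`, which drops the upper half; `ntohl` is the matching conversion. Since an IPsec SA is unidirectional, the reply carries a different SPI, so the inverted tuple (src and dst SPI swapped, one of them always 0) seems unlikely to match the reply packet and `IPS_SEEN_REPLY` may never be set in `ah_packet` or `esp_packet`; a comment stating how reply matching is expected to work would help.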
diff -Nru --exclude *.o --exclude *flags --exclude tags linuxppc-190102-nfpom/net/ipv4/netfilter/ip_conntrack_proto_esp.c linuxppc-190102-esp/net/ipv4/netfilter/ip_conntrack_proto_esp.c
--- linuxppc-190102-nfpom/net/ipv4/netfilter/ip_conntrack_proto_esp.c	Thu Jan  1 01:00:00 1970
+++ linuxppc-190102-esp/net/ipv4/netfilter/ip_conntrack_proto_esp.c	Mon Jan 21 21:47:02 2002
@@ -0,0 +1,108 @@
+/* 
+ * ip_conntrack_proto_esp.c - Version $Revision$
+ *
+ * Connection tracking helper module for IPSEC ESP
+ *
+ * Based on the existing UDP helper
+ *
+ * (C) 2002 by Harald Welte <laforge@gnumonks.org>
+ */
+
+#include <linux/config.h>
+#include <linux/module.h>
+#include <linux/types.h>
+#include <linux/sched.h>
+#include <linux/timer.h>
+#include <linux/netfilter.h>
+#include <linux/in.h>
+#include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
+
+/* same timeouts as UDP */
+#define ESP_TIMEOUT (30*HZ)
+#define ESP_STREAM_TIMEOUT (180*HZ)
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
+MODULE_DESCRIPTION("netfilter connection tracking protocol helper for ESP");
+
+static int esp_pkt_to_tuple(const void *datah, size_t datalen,
+			    struct ip_conntrack_tuple *tuple)
+{
+	const u_int32_t *spi = datah;
+
+	tuple->src.u.esp.spi = 0;
+	tuple->dst.u.esp.spi = *spi;
+
+	return 1;
+}
+
+static int esp_invert_tuple(struct ip_conntrack_tuple *tuple,
+			    const struct ip_conntrack_tuple *orig)
+{
+	tuple->src.u.esp.spi = orig->dst.u.esp.spi;
+	tuple->dst.u.esp.spi = orig->src.u.esp.spi;
+	return 1;
+}
+
+/* Print out the per-protocol part of the tuple. */
+static unsigned int esp_print_tuple(char *buffer,
+				    const struct ip_conntrack_tuple *tuple)
+{
+	return sprintf(buffer, "spi=%u ", ntohs(tuple->src.u.esp.spi));
+}
+
+/* Print out the private part of the conntrack. */
+static unsigned int esp_print_conntrack(char *buffer,
+					const struct ip_conntrack *conntrack)
+{
+	return 0;
+}
+
+/* Returns verdict for packet, and may modify conntracktype */
+static int esp_packet(struct ip_conntrack *conntrack,
+		      struct iphdr *iph, size_t len,
+		      enum ip_conntrack_info conntrackinfo)
+{
+	/* If we've seen traffic both ways, this is some kind of ESP
+	   stream.  Extend timeout. */
+	if (conntrack->status & IPS_SEEN_REPLY) {
+		ip_ct_refresh(conntrack, ESP_STREAM_TIMEOUT);
+		/* Also, more likely to be important, and not a probe */
+		set_bit(IPS_ASSURED_BIT, &conntrack->status);
+	} else
+		ip_ct_refresh(conntrack, ESP_TIMEOUT);
+
+	return NF_ACCEPT;
+}
+
+/* Called when a new connection for this protocol found. */
+static int esp_new(struct ip_conntrack *conntrack,
+			     struct iphdr *iph, size_t len)
+{
+	return 1;
+}
+
+struct ip_conntrack_protocol ip_ct_p_esp
+= { { NULL, NULL }, IPPROTO_ESP, "esp",
+    esp_pkt_to_tuple, esp_invert_tuple, esp_print_tuple, esp_print_conntrack,
+    esp_packet, esp_new, NULL };
+
+static int __init init(void)
+{
+	int ret;
+
+	if ((ret = ip_conntrack_protocol_register(&ip_ct_p_esp))) {
+		printk(KERN_ERR "unable to register conntrack protocol "
+				"helper for ESP: %d\n", ret);
+		return -EIO;
+	}
+	return 0;
+}
+
+static void __exit fini(void)
+{
+	ip_conntrack_protocol_unregister(&ip_ct_p_esp);
+}
+
+module_init(init);
+module_exit(fini);
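Review bot: `esp_print_tuple` prints `tuple->src.u.esp.spi`, which `esp_pkt_to_tuple` always sets to 0 for the original direction, and narrows the 32-bit field through `ntohs`; the AH helper in this series prints the dst side. `return sprintf(buffer, "spi=%u ", ntohl(tuple->dst.u.esp.spi));` makes the two consistent and shows the SPI actually recorded. In `init`, the error from `ip_conntrack_protocol_register` is logged but replaced by `-EIO` on return; returning `ret` preserves the real cause for the module loader (the AH `init` does the same).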
