--- linux-2.6.19.7-vs2.2.0-z1/net/ipv4/raw.c 2007-04-24 05:57:54 +0200
+++ linux-2.6.19.7-vs2.2.0-z1/net/ipv4/raw.c 2007-04-24 05:57:54 +0200
@@ -113,8 +113,11 @@
 struct nx_info *nxi,
 uint32_t addr,
 uint32_t saddr,
- uint32_t baddr)
+ uint32_t baddr,
+ uint32_t tag)
 {
+ if (nxi && !((tag == 1) || (nxi->nx_id == tag)))
+ return 0;
 if (addr && (saddr == addr || baddr == addr))
 return 1;
 if (!saddr)
@@ -124,7 +127,7 @@
 struct sock *__raw_v4_lookup(struct sock *sk, unsigned short num,
 __be32 raddr, __be32 laddr,
- int dif)
+ int dif, int tag)
 {
 struct hlist_node *node;
@@ -134,7 +137,7 @@
 if (inet->num == num &&
 !(inet->daddr && inet->daddr != raddr) &&
 raw_addr_match(sk->sk_nx_info, laddr,
- inet->rcv_saddr, inet->rcv_saddr2) &&
+ inet->rcv_saddr, inet->rcv_saddr2, tag) &&
 !(sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif))
 goto found; /* gotcha */
 }
@@ -183,7 +186,7 @@
 goto out;
 sk = __raw_v4_lookup(__sk_head(head), iph->protocol,
 iph->saddr, iph->daddr,
- skb->dev->ifindex);
+ skb->dev->ifindex, skb->skb_tag);
 while (sk) {
 delivered = 1;
@@ -196,7 +199,7 @@
 }
 sk = __raw_v4_lookup(sk_next(sk), iph->protocol,
 iph->saddr, iph->daddr,
- skb->dev->ifindex);
+ skb->dev->ifindex, skb->skb_tag);
 }
 out:
 read_unlock(&raw_v4_lock);
--- linux-2.6.19.7-vs2.2.0/include/linux/vs_network.h 2007-04-01 04:19:33 +0200
+++ linux-2.6.19.7-vs2.2.0-z1/include/linux/vs_network.h 2007-04-24 04:24:23 +0200
@@ -178,6 +176,12 @@ static inline void exit_nx_info(struct t
 }
+#ifdef CONFIG_NETWORK_SECMARK
+#define skb_tag secmark
+#else
+#define skb_tag nfmark
+#endif
+
 #else
 #warning duplicate inclusion
 #endif
--- linux-2.6.19.7-vs2.2.0/include/net/raw.h 2006-09-20 16:58:44 +0200
+++ linux-2.6.19.7-vs2.2.0-z1/include/net/raw.h 2007-04-24 03:50:47 +0200
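Review bot: In `raw_addr_match` the new guard treats `tag == 1` as a wildcard that matches every network context, and nothing in the hunk names or documents that value. The tag is the packet's `skb_tag`, so a packet marked 1, or marked with a value equal to another context's `nx_id`, becomes deliverable to raw sockets in that context; the check is only as strong as the marking policy behind it. I would give the constant a name and state the contract beside the check, e.g. `/* tag 1 = deliver to any context; otherwise tag must equal nxi->nx_id; sockets without nx_info are not filtered */`. The parameter is `uint32_t tag` here but `int tag` in `__raw_v4_lookup` and in the raw.h prototype, so the mark is converted to signed and back on its way from the skb; one unsigned type throughout would be cleaner. The signature line of `raw_addr_match` is outside the hunk.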
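Review bot: In vs_network.h, `skb_tag` aliases a field that other subsystems also write: with CONFIG_NETWORK_SECMARK it is `secmark`, which the SECMARK/CONNSECMARK targets set for SELinux packet labelling, and otherwise it is `nfmark`, which any MARK rule can set. A mark assigned for an unrelated purpose that happens to equal a context id or 1 would then satisfy the new raw-socket check, so the header should say the field is reserved, e.g. `/* skb_tag: packet mark reused as network-context tag; no other rule may set it */`. An object-like lowercase macro also rewrites every `skb_tag` token in any file that includes this header; an accessor that takes the skb would be narrower in effect.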
@@ -36,7 +36,7 @@ extern rwlock_t raw_v4_lock;
 extern struct sock *__raw_v4_lookup(struct sock *sk, unsigned short num,
 __be32 raddr, __be32 laddr,
- int dif);
+ int dif, int tag);
 extern int raw_v4_input(struct sk_buff *skb, struct iphdr *iph, int hash);
--- linux-2.6.19.7-vs2.2.0/net/ipv4/icmp.c 2006-11-30 21:19:45 +0100
+++ linux-2.6.19.7-vs2.2.0-z1/net/ipv4/icmp.c 2007-04-24 05:33:25 +0200
@@ -701,8 +701,8 @@ static void icmp_unreach(struct sk_buff
 read_lock(&raw_v4_lock);
 if ((raw_sk = sk_head(&raw_v4_htable[hash])) != NULL) {
 while ((raw_sk = __raw_v4_lookup(raw_sk, protocol, iph->daddr,
- iph->saddr,
- skb->dev->ifindex)) != NULL) {
+ iph->saddr, skb->dev->ifindex,
+ skb->skb_tag)) != NULL) {
 raw_err(raw_sk, skb, info);
 raw_sk = sk_next(raw_sk);
 iph = (struct iphdr *)skb->data;
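Review bot: In `icmp_unreach` the tag passed to `__raw_v4_lookup` is read from `skb`, which at this point is the received ICMP error rather than the packet the raw socket originally sent. Whether `raw_err` reaches a socket in a network context therefore depends on how inbound ICMP errors are marked, and an error without a matching mark is, as far as the hunk shows, no longer reported to context-bound raw sockets. A comment at the call would make that dependency visible, e.g. `/* tag comes from the ICMP error itself; marking rules must cover inbound ICMP errors */`. The body of `icmp_unreach` starts and ends outside the hunk.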