diff -Nru linux-2.4.20/Documentation/Configure.help linux-2.4.20-pom2patch/Documentation/Configure.help
--- linux-2.4.20/Documentation/Configure.help	2002-11-28 17:53:08.000000000 -0600
+++ linux-2.4.20-pom2patch/Documentation/Configure.help	2003-05-02 12:55:05.000000000 -0500
@@ -2695,6 +2695,15 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
+IPV4OPTSSTRIP target support
+CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP
+  This option adds an IPV4OPTSSTRIP target.
+  This target allows you to strip all IP options in a packet.
+ 
+  If you want to compile it as a module, say M here and read
+  Documentation/modules.txt.  If unsure, say `N'.
+
+
 REJECT target support
 CONFIG_IP_NF_TARGET_REJECT
   The REJECT target allows a filtering rule to specify that an ICMP
diff -Nru linux-2.4.20/net/ipv4/netfilter/Config.in linux-2.4.20-pom2patch/net/ipv4/netfilter/Config.in
--- linux-2.4.20/net/ipv4/netfilter/Config.in	2002-11-28 17:53:15.000000000 -0600
+++ linux-2.4.20-pom2patch/net/ipv4/netfilter/Config.in	2003-05-02 12:55:05.000000000 -0500
@@ -45,6 +45,7 @@
   dep_tristate '  Packet filtering' CONFIG_IP_NF_FILTER $CONFIG_IP_NF_IPTABLES 
   if [ "$CONFIG_IP_NF_FILTER" != "n" ]; then
     dep_tristate '    REJECT target support' CONFIG_IP_NF_TARGET_REJECT $CONFIG_IP_NF_FILTER
+    dep_tristate '    IPV4OPTSSTRIP target support' CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP $CONFIG_IP_NF_FILTER
     if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
       dep_tristate '    MIRROR target support (EXPERIMENTAL)' CONFIG_IP_NF_TARGET_MIRROR $CONFIG_IP_NF_FILTER
     fi
diff -Nru linux-2.4.20/net/ipv4/netfilter/Makefile linux-2.4.20-pom2patch/net/ipv4/netfilter/Makefile
--- linux-2.4.20/net/ipv4/netfilter/Makefile	2002-11-28 17:53:15.000000000 -0600
+++ linux-2.4.20-pom2patch/net/ipv4/netfilter/Makefile	2003-05-02 12:55:06.000000000 -0500
@@ -87,6 +87,8 @@
 obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o
 obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o
 obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
+
+obj-$(CONFIG_IP_NF_TARGET_IPV4OPTSSTRIP) += ipt_IPV4OPTSSTRIP.o
 obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
 obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o
 
diff -Nru linux-2.4.20/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c linux-2.4.20-pom2patch/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c
--- linux-2.4.20/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c	1969-12-31 18:00:00.000000000 -0600
+++ linux-2.4.20-pom2patch/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c	2003-05-02 12:55:05.000000000 -0500
@@ -0,0 +1,84 @@
+/**
+ * Strip all IP options in the IP packet header.
+ *
+ * (C) 2001 by Fabrice MARIE <fabrice@netfilter.org>
+ * This software is distributed under GNU GPL v2, 1991
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <net/checksum.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+MODULE_AUTHOR("Fabrice MARIE <fabrice@netfilter.org>");
+MODULE_DESCRIPTION("Strip all options in IPv4 packets");
+MODULE_LICENSE("GPL");
+
+static unsigned int
+target(struct sk_buff **pskb,
+       unsigned int hooknum,
+       const struct net_device *in,
+       const struct net_device *out,
+       const void *targinfo,
+       void *userinfo)
+{
+	struct iphdr *iph = (*pskb)->nh.iph;
+	struct sk_buff *skb = (*pskb);
+	struct ip_options * opt;
+	unsigned char * optiph = skb->nh.raw;
+	int l = ((struct ip_options *)(&(IPCB(skb)->opt)))->optlen;
+	
+
+	/* if no options in packet then nothing to clear. */
+	if (iph->ihl * 4 == sizeof(struct iphdr))
+		return IPT_CONTINUE;
+
+	/* else clear all options */
+	memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
+	memset(optiph+sizeof(struct iphdr), IPOPT_NOOP, l);
+	opt = &(IPCB(skb)->opt);
+	opt->is_data = 0;
+	opt->optlen = l;
+
+	skb->nfcache |= NFC_ALTERED;
+
+        return IPT_CONTINUE;
+}
+
+static int
+checkentry(const char *tablename,
+	   const struct ipt_entry *e,
+           void *targinfo,
+           unsigned int targinfosize,
+           unsigned int hook_mask)
+{
+	if (strcmp(tablename, "mangle")) {
+		printk(KERN_WARNING "IPV4OPTSSTRIP: can only be called from \"mangle\" table, not \"%s\"\n", tablename);
+		return 0;
+	}
+	/* nothing else to check because no parameters */
+	return 1;
+}
+
+static struct ipt_target ipt_ipv4optsstrip_reg
+= { { NULL, NULL }, "IPV4OPTSSTRIP", target, checkentry, NULL, THIS_MODULE };
+
+static int __init init(void)
+{
+	if (ipt_register_target(&ipt_ipv4optsstrip_reg))
+		return -EINVAL;
+	printk("ipt_IPV4OPTSSTRIP loaded\n");
+
+	return 0;
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_target(&ipt_ipv4optsstrip_reg);
+	printk("ipt_IPV4OPTSSTRIP unloaded\n");
+}
+
+module_init(init);
+module_exit(fini);
