diff -Nru linux-2.4.20/Documentation/Configure.help linux-2.4.20-pom2patch/Documentation/Configure.help
--- linux-2.4.20/Documentation/Configure.help	2003-05-02 12:56:02.000000000 -0500
+++ linux-2.4.20-pom2patch/Documentation/Configure.help	2003-05-02 12:56:04.000000000 -0500
@@ -2549,6 +2549,14 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
+quota match support
+CONFIG_IP_NF_MATCH_QUOTA
+  This match implements network quotas.
+
+  If you want to compile it as a module, say M here and read
+  Documentation/modules.txt.  If unsure, say `N'.
+
+
 limit match support
 CONFIG_IP_NF_MATCH_LIMIT
   limit matching allows you to control the rate at which a rule can be
diff -Nru linux-2.4.20/include/linux/netfilter_ipv4/ipt_quota.h linux-2.4.20-pom2patch/include/linux/netfilter_ipv4/ipt_quota.h
--- linux-2.4.20/include/linux/netfilter_ipv4/ipt_quota.h	1969-12-31 18:00:00.000000000 -0600
+++ linux-2.4.20-pom2patch/include/linux/netfilter_ipv4/ipt_quota.h	2003-05-02 12:56:04.000000000 -0500
@@ -0,0 +1,11 @@
+#ifndef _IPT_QUOTA_H
+#define _IPT_QUOTA_H
+
+/* print debug info in both kernel/netfilter module & iptable library */
+//#define DEBUG_IPT_QUOTA
+
+struct ipt_quota_info {
+        u_int64_t quota;
+};
+
+#endif /*_IPT_QUOTA_H*/
diff -Nru linux-2.4.20/net/ipv4/netfilter/Config.in linux-2.4.20-pom2patch/net/ipv4/netfilter/Config.in
--- linux-2.4.20/net/ipv4/netfilter/Config.in	2003-05-02 12:56:02.000000000 -0500
+++ linux-2.4.20-pom2patch/net/ipv4/netfilter/Config.in	2003-05-02 12:56:04.000000000 -0500
@@ -17,6 +17,7 @@
 if [ "$CONFIG_IP_NF_IPTABLES" != "n" ]; then
 # The simple matches.
   dep_tristate '  limit match support' CONFIG_IP_NF_MATCH_LIMIT $CONFIG_IP_NF_IPTABLES
+  dep_tristate '  quota match support' CONFIG_IP_NF_MATCH_QUOTA $CONFIG_IP_NF_IPTABLES
 
   dep_tristate '  IP address pool support' CONFIG_IP_NF_POOL $CONFIG_IP_NF_IPTABLES
   if [ "$CONFIG_IP_NF_POOL" = "y" -o "$CONFIG_IP_NF_POOL" = "m" ]; then
diff -Nru linux-2.4.20/net/ipv4/netfilter/Makefile linux-2.4.20-pom2patch/net/ipv4/netfilter/Makefile
--- linux-2.4.20/net/ipv4/netfilter/Makefile	2003-05-02 12:56:02.000000000 -0500
+++ linux-2.4.20-pom2patch/net/ipv4/netfilter/Makefile	2003-05-02 12:56:04.000000000 -0500
@@ -57,6 +57,7 @@
 # matches
 obj-$(CONFIG_IP_NF_MATCH_HELPER) += ipt_helper.o
 obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
+obj-$(CONFIG_IP_NF_MATCH_QUOTA) += ipt_quota.o
 obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
 obj-$(CONFIG_IP_NF_MATCH_MARK) += ipt_mark.o
 obj-$(CONFIG_IP_NF_POOL) += ipt_pool.o ipt_POOL.o ip_pool.o
diff -Nru linux-2.4.20/net/ipv4/netfilter/ipt_quota.c linux-2.4.20-pom2patch/net/ipv4/netfilter/ipt_quota.c
--- linux-2.4.20/net/ipv4/netfilter/ipt_quota.c	1969-12-31 18:00:00.000000000 -0600
+++ linux-2.4.20-pom2patch/net/ipv4/netfilter/ipt_quota.c	2003-05-02 12:56:04.000000000 -0500
@@ -0,0 +1,81 @@
+/* 
+ * netfilter module to enforce network quotas
+ *
+ * Sam Johnston <samj@samj.net>
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/spinlock.h>
+#include <linux/interrupt.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_quota.h>
+
+MODULE_LICENSE("GPL");
+
+static spinlock_t quota_lock = SPIN_LOCK_UNLOCKED;
+
+static int
+match(const struct sk_buff *skb,
+      const struct net_device *in,
+      const struct net_device *out,
+      const void *matchinfo,
+      int offset, const void *hdr, u_int16_t datalen, int *hotdrop)
+{
+
+        struct ipt_quota_info *q = (struct ipt_quota_info *) matchinfo;
+
+        spin_lock_bh(&quota_lock);
+
+        if (q->quota >= datalen) {
+                /* we can afford this one */
+                q->quota -= datalen;
+                spin_unlock_bh(&quota_lock);
+
+#ifdef DEBUG_IPT_QUOTA
+                printk("IPT Quota OK: %llu datlen %d \n", q->quota, datalen);
+#endif
+                return 1;
+        }
+
+        /* so we do not allow even small packets from now on */
+        q->quota = 0;
+
+#ifdef DEBUG_IPT_QUOTA
+        printk("IPT Quota Failed: %llu datlen %d \n", q->quota, datalen);
+#endif
+
+        spin_unlock_bh(&quota_lock);
+        return 0;
+}
+
+static int
+checkentry(const char *tablename,
+           const struct ipt_ip *ip,
+           void *matchinfo, unsigned int matchsize, unsigned int hook_mask)
+{
+        /* TODO: spinlocks? sanity checks? */
+        if (matchsize != IPT_ALIGN(sizeof (struct ipt_quota_info)))
+                return 0;
+
+        return 1;
+}
+
+static struct ipt_match quota_match
+    = { {NULL, NULL}, "quota", &match, &checkentry, NULL, THIS_MODULE };
+
+static int __init
+init(void)
+{
+        return ipt_register_match(&quota_match);
+}
+
+static void __exit
+fini(void)
+{
+        ipt_unregister_match(&quota_match);
+}
+
+module_init(init);
+module_exit(fini);
+
