diff -ruN linux-2.6.23.1/include/linux/netfilter/xt_timeout.h /usr/src/linux-2.6.23.1/include/linux/netfilter/xt_timeout.h
--- linux-2.6.23.1/include/linux/netfilter/xt_timeout.h	1970-01-01 01:00:00.000000000 +0100
+++ /usr/src/linux-2.6.23.1/include/linux/netfilter/xt_timeout.h	2008-02-02 01:17:47.000000000 +0100
@@ -0,0 +1,10 @@
+#ifndef _XT_TIMEOUT_H
+#define _XT_TIMEOUT_H
+
+struct xt_timeout_info {
+	struct timespec match_from;
+	struct timespec match_upto;
+	int invert;
+};
+
+#endif /*_XT_TIMEOUT_H*/
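Review bot: `struct xt_timeout_info` uses `struct timespec` (lines 9–10) without including anything that declares it, so the header is not self-contained; it should start with `#include <linux/time.h>` (or `<time.h>` on the userspace side, since this header is what the iptables extension will copy into the match data). A second concern is that `struct timespec` is a native-width type, so its size and layout differ between a 32-bit iptables binary and a 64-bit kernel, and `matchsize` in xt_timeout.c would then not agree between the two; fixed-width members (e.g. `__u64`/`__s64` second and nanosecond fields, converted in the match function) avoid that compat mismatch — confirm against how the userspace extension fills the structure. `int invert` would likewise be better as `__u8` with an explicit layout, as other xt_*.h headers do.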
diff -ruN linux-2.6.23.1/net/netfilter/Kconfig /usr/src/linux-2.6.23.1/net/netfilter/Kconfig
--- linux-2.6.23.1/net/netfilter/Kconfig	2007-10-12 18:43:44.000000000 +0200
+++ /usr/src/linux-2.6.23.1/net/netfilter/Kconfig	2008-01-27 00:38:48.000000000 +0100
@@ -692,5 +692,14 @@
 	  destination address' or `500pps from any given source address'
 	  with a single rule.
 
+config NETFILTER_XT_MATCH_TIMEOUT
+	tristate 'rule timeout "match" support'
+	depends on NETFILTER_XTABLES
+	help
+	  This match is used for creating rule that apply only for a period 
+	  of time. They can then be dropped automatically with iptables -C .
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
 endmenu
 
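Review bot: The help text on lines 26–27 has a grammar slip and a trailing space on line 26; suggest `This match is used for creating rules that apply only for a period` / `of time. They can then be dropped automatically with iptables -C.`. The `-C` reference is only meaningful if the matching userspace iptables extension implements that behaviour, so it may be worth naming the extension or the iptables version it requires.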
diff -ruN linux-2.6.23.1/net/netfilter/Makefile /usr/src/linux-2.6.23.1/net/netfilter/Makefile
--- linux-2.6.23.1/net/netfilter/Makefile	2007-10-12 18:43:44.000000000 +0200
+++ /usr/src/linux-2.6.23.1/net/netfilter/Makefile	2008-01-27 00:41:07.000000000 +0100
@@ -77,3 +77,4 @@
 obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_TIMEOUT) += xt_timeout.o
diff -ruN linux-2.6.23.1/net/netfilter/xt_timeout.c /usr/src/linux-2.6.23.1/net/netfilter/xt_timeout.c
--- linux-2.6.23.1/net/netfilter/xt_timeout.c	1970-01-01 01:00:00.000000000 +0100
+++ /usr/src/linux-2.6.23.1/net/netfilter/xt_timeout.c	2008-02-02 01:17:14.000000000 +0100
@@ -0,0 +1,55 @@
+#include <linux/netfilter/xt_timeout.h>
+
+MODULE_AUTHOR("Benoit Peccatte <peccatte@enstb.com>");
+MODULE_DESCRIPTION("IP tables rule timeout module");
+MODULE_LICENSE("GPL");
+
+static bool
+xt_timeout_match(const struct sk_buff *skb,
+                 const struct net_device *in, const struct net_device *out,
+                 const struct xt_match *match, const void *matchinfo,
+                 int offset, unsigned int protoff, bool *hotdrop)
+{
+        const struct xt_timeout_info *info = matchinfo;
+
+        /* packet timestamp | current date */
+        struct timespec stamp = ktime_to_timespec(skb->tstamp);
+
+        if(timespec_compare(&info->match_upto, &stamp) >= 0)
+                if(timespec_compare(&info->match_from, &stamp) < 0)
+                        return !info->invert;
+        
+        return info->invert;
+}
+
+static struct xt_match xt_timeout_reg[] __read_mostly = {
+        {
+                .name       = "timeout",
+                .family     = AF_INET,
+                .match      = xt_timeout_match,
+                .matchsize  = sizeof(struct xt_timeout_info),
+                .me         = THIS_MODULE,
+        },
+        {
+                .name       = "timeout",
+                .family     = AF_INET6,
+                .match      = xt_timeout_match,
+                .matchsize  = sizeof(struct xt_timeout_info),
+                .me         = THIS_MODULE,
+        },
+};
+
+static int __init xt_timeout_init(void)
+{
+        return xt_register_matches(xt_timeout_reg, ARRAY_SIZE(xt_timeout_reg));
+}
+
+static void __exit xt_timeout_exit(void)
+{
+        xt_unregister_matches(xt_timeout_reg, ARRAY_SIZE(xt_timeout_reg));
+}
+
+
+module_init(xt_timeout_init);
+module_exit(xt_timeout_exit);
+
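Review bot: `xt_timeout_match` reads `skb->tstamp` (line 60) without checking that the packet was actually timestamped; when no socket or tap has enabled timestamping, `skb->tstamp` is zero, `stamp` becomes the epoch, and a rule with a window in the present never matches (or always matches when inverted), silently defeating the timeout. The comment on line 59 suggests a fallback to the current date was intended; the same approach xt_time.c takes would be `if (skb->tstamp.tv64 == 0)` / `__net_timestamp((struct sk_buff *)skb);` before the `ktime_to_timespec` call. The file also includes only its own header (line 45) while using `MODULE_*`, `struct sk_buff`, `struct xt_match` and `xt_register_matches`, so it should add `#include <linux/module.h>`, `#include <linux/skbuff.h>` and `#include <linux/netfilter/x_tables.h>` rather than relying on indirect inclusion. Stylistically, the nested unbraced `if(` pair on lines 62–63 would read better as one braced condition with the kernel's `if (` spacing and tab indentation, and the window bounds are inclusive on `match_upto` but exclusive on `match_from`, which deserves a comment if intentional.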

