--- zzzz-none-000/linux-2.6.28.10/net/netfilter/core.c 2009-05-02 18:54:43.000000000 +0000
+++ fusiv-7390-686/linux-2.6.28.10/net/netfilter/core.c 2012-02-14 14:37:49.000000000 +0000
@@ -24,6 +24,10 @@
 #include "nf_internals.h"
+#if defined(CONFIG_IFX_PPA_API) || defined(CONFIG_IFX_PPA_API_MODULE)
+ #include
+#endif
+
 static DEFINE_MUTEX(afinfo_mutex);
 const struct nf_afinfo *nf_afinfo[NFPROTO_NUMPROTO] __read_mostly;
@@ -176,6 +180,33 @@
 ret = 1;
 goto unlock;
 } else if (verdict == NF_DROP) {
+#ifdef CONFIG_IPSEC_AP_SUPPORT
+ if((skb->apFlowData.flags1 & (1 << AP_FLAG1_IS_IPSEC_DECRYPTED_BIT ))) {
+ verdict = NF_ACCEPT;
+ ret = 1;
+ goto unlock;
+ }
+#endif
+
+#if defined(CONFIG_IFX_PPA_API) || defined(CONFIG_IFX_PPA_API_MODULE)
+ if ( ppa_hook_session_del_fn != NULL )
+ {
+ #ifdef CONFIG_NF_CONNTRACK
+ struct nf_conn *ct = NULL;
+ #else
+ struct ip_conntrack *ct = NULL;
+ #endif
+ enum ip_conntrack_info ctinfo;
+
+ #ifdef CONFIG_NF_CONNTRACK
+ ct = nf_ct_get(skb, &ctinfo);
+ #else
+ ct = ip_conntrack_get(skb, &ctinfo);
+ #endif
+
+ ppa_hook_session_del_fn(ct, PPA_F_SESSION_ORG_DIR | PPA_F_SESSION_REPLY_DIR);
+ }
+#endif
 kfree_skb(skb);
 ret = -EPERM;
 } else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {
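Review bot: The `CONFIG_IPSEC_AP_SUPPORT` branch in the second hunk overrides every `NF_DROP` verdict with an accept (`ret = 1; goto unlock;`) for any skb whose `apFlowData.flags1` has `AP_FLAG1_IS_IPSEC_DECRYPTED_BIT` set, so no netfilter rule can drop traffic carrying that flag. Because the check sits in the shared verdict path, it appears to apply to every hook and protocol family. If the exemption is intended, it should be limited to the hook that needs it and carry a comment stating where the flag is set and why filtering is skipped; `verdict = NF_ACCEPT;` looks like a dead store before the `goto`. Separately, in the PPA block `nf_ct_get()` can return NULL for a packet with no conntrack entry and the result goes straight into `ppa_hook_session_del_fn`; unless that hook is known to tolerate NULL, guard it with `if (ct != NULL)`. The enclosing function begins and ends outside the hunk, so the locking around the hook-pointer check is not visible here.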