Today I've released iptables-1.3.3. Among some minor fixes (such as for the extremely important feature to SNAT and DNAT to/from ICMP ID _ranges_), it contains one major fix for an embarrassing use-after-free problem that was only introduced with 1.3.2. What do we learn from this? I need to review patches more carefully.
It also includes the NFQUEUE target, which is basically an extension of QUEUE. QUEUE supports only one queue number (0), so only one userspace process can be attached to it. This led to the ugly hack of ipqmpd, the IP QUEUE multiplex daemon. Combining NFQUEUE with nfnetlink_queue (which is already in DaveM's net-2.6.14 tree), you can now have 65535 different queues, each heading to a separate userspace process. This is again one step further towards supporting "100% userspace conntrack helpers", which are a sort of strange hybrid variant of transparent proxies.
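To show what the per-queue demultiplexing looks like from the ruleset side, here is an added example (not part of this release or the netfilter tree) that emits one NFQUEUE rule per TCP service, each with its own `--queue-num`, so a separate userspace inspector can bind to each queue; the port-to-queue mapping is constructed for illustration, and the rules are only printed unless APPLY=1.

```shell
#!/bin/sh
# Added example: one NFQUEUE rule per protected service, each with its own
# queue number, so a separate userspace process can attach to each queue
# (the old QUEUE target only ever offers queue 0). Rules are printed by
# default; set APPLY=1 to actually hand them to iptables (needs root).

IPTABLES=${IPTABLES:-iptables}
APPLY=${APPLY:-0}

# Emit (or apply) an NFQUEUE rule for one TCP service.
# $1 = destination port, $2 = queue number (0-65535 accepted by the target)
nfqueue_rule() {
    port=$1
    queue=$2
    # reject non-numeric queue numbers before they reach iptables
    case "$queue" in
        ''|*[!0-9]*) echo "bad queue number: $queue" >&2; return 1 ;;
    esac
    if [ "$queue" -gt 65535 ]; then
        echo "queue number out of range: $queue" >&2
        return 1
    fi
    rule="$IPTABLES -A INPUT -p tcp --dport $port -j NFQUEUE --queue-num $queue"
    echo "$rule"
    if [ "$APPLY" = 1 ]; then
        $rule
    fi
    return 0
}

# Take a list of port:queue pairs (constructed sample input below) and
# produce one rule each, so every service lands in a distinct queue.
nfqueue_demux() {
    for entry in "$@"; do
        nfqueue_rule "${entry%%:*}" "${entry##*:}" || return 1
    done
}

# Constructed mapping: HTTP to queue 1, SMTP to queue 2, DNS to queue 3.
nfqueue_demux 80:1 25:2 53:3
```

Each printed rule feeds its matching packets to a different queue; the process bound to queue 2 only ever sees SMTP, and a bug in one inspector cannot stall the others.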