+module_exit(fini);
diff -Nurp linux-2.6.22-510/net/packet/af_packet.c linux-2.6.22-520/net/packet/af_packet.c
--- linux-2.6.22-510/net/packet/af_packet.c 2007-07-22 00:00:27.000000000 +0200
-+++ linux-2.6.22-520/net/packet/af_packet.c 2008-02-15 20:36:45.000000000 +0100
++++ linux-2.6.22-520/net/packet/af_packet.c 2008-02-15 22:28:15.000000000 +0100
@@ -78,6 +78,7 @@
#include <linux/poll.h>
#include <linux/module.h>
#ifdef CONFIG_INET
#include <net/inet_common.h>
-@@ -420,6 +421,10 @@ static inline unsigned int run_filter(st
+@@ -324,6 +325,9 @@ static int packet_sendmsg_spkt(struct ki
+ __be16 proto=0;
+ int err;
+
++ if (!nx_capable(CAP_NET_RAW, NXC_RAW_SEND))
++ return -EPERM;
++
+ /*
+ * Get and verify the address.
+ */
+@@ -420,6 +424,10 @@ static inline unsigned int run_filter(st
unsigned int res)
{
struct sk_filter *filter;
rcu_read_lock_bh();
filter = rcu_dereference(sk->sk_filter);
-@@ -984,7 +989,7 @@ static int packet_create(struct socket *
+@@ -711,6 +719,9 @@ static int packet_sendmsg(struct kiocb *
+ unsigned char *addr;
+ int ifindex, err, reserve = 0;
+
++ if (!nx_capable(CAP_NET_RAW, NXC_RAW_SEND))
++ return -EPERM;
++
+ /*
+ * Get and verify the address.
+ */
+@@ -984,7 +995,7 @@ static int packet_create(struct socket *
__be16 proto = (__force __be16)protocol; /* weird, but documented */
int err;
- if (!capable(CAP_NET_RAW))
-+ if (!nx_capable(CAP_NET_RAW, NXC_RAW_SEND))
++ if (!nx_capable(CAP_NET_RAW, NXC_RAW_SOCKET))
return -EPERM;
if (sock->type != SOCK_DGRAM && sock->type != SOCK_RAW &&
sock->type != SOCK_PACKET)